Postfix work-in-progress
Postscreen is the code name for a new daemon that sits in front of Postfix and that does connection-level filtering. The program is currently available as unsupported, non-production code. There is no promise that the code works, and there is no promise of compatibility between different versions of the code.
The major goals of the program are:
Keep the zombies away from the Postfix SMTP server. According to the 2008 annual report by MessageLabs, 81% of all email was spam, and 90% of spam was sent by botnets.
Improve Postfix scalability by moving potentially time-consuming operations such as DNS blocklist lookups and SMTP protocol checks out of the SMTP server.
Early results for seven days of spam were presented at the 2009 Mailserver conference in Berlin:
Anomalies in spammer SMTP client implementations. Spammers are in a hurry to send spam, and therefore they cut corners in the SMTP protocol. Postscreen currently detects SMTP clients that start talking too early (pregreeters). As spammers become smarter, Postscreen will need to examine more aspects of client SMTP behavior. This will build on the dummy SMTP protocol engine that already exists in the smtp-sink stress-test program.
Parallel lookups from several popular DNS blocklists, and the relative proportions of client IP addresses that each list flagged as spam.
Geolocation and time-of-day patterns for spam connections to servers in Europe and the USA. Geolocation is done off-line, based on logfile analysis.
Data were collected with help from Ralf Hildebrandt. Ralf reported that by dropping all pregreeter connections to one server, he reduced the frequency of the "all server ports busy" condition from several times a day to once a week.
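The pregreet test described above can be sketched as follows. This is an added example, not Postfix or Postscreen source; the function names, the greeting text and the 200 ms wait are assumptions, and a socketpair stands in for the client's TCP connection.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { V_ERROR = -1, V_OK = 0, V_PREGREET = 1, V_HANGUP = 2 };

/* Added example, not Postfix code; names, greeting text and wait period
 * are assumptions. A correct SMTP client stays silent until it has read
 * the 220 greeting, so bytes arriving during the wait mark a pregreeter. */
enum verdict pregreet_check(int fd, int wait_ms)
{
    static const char greeting[] = "220 mail.example.test ESMTP\r\n";
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    char byte;
    ssize_t n;
    int ready = poll(&pfd, 1, wait_ms);
    if (ready < 0)
        return V_ERROR;
    if (ready == 0)     /* quiet for the whole wait: greet and pass on */
        return write(fd, greeting, sizeof(greeting) - 1) < 0 ? V_ERROR : V_OK;
    /* Readable before the greeting: early data, or the client left. */
    n = recv(fd, &byte, 1, MSG_PEEK);
    return n > 0 ? V_PREGREET : n == 0 ? V_HANGUP : V_ERROR;
}

/* Constructed client: a socketpair stands in for the TCP connection. */
enum verdict simulate(const char *early, int hang_up)
{
    int sv[2];
    enum verdict v = V_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return V_ERROR;
    if (early == NULL || write(sv[1], early, strlen(early)) >= 0) {
        if (hang_up)
            shutdown(sv[1], SHUT_WR);   /* client gives up before the greeting */
        v = pregreet_check(sv[0], 200);
    }
    close(sv[0]);
    close(sv[1]);
    return v;
}

int main(void)
{
    printf("%d %d %d\n", simulate(NULL, 0), simulate("HELO x\r\n", 0), simulate(NULL, 1));
    return 0;
}
```

Peeking instead of reading leaves the early bytes in the socket buffer, and the separate hang-up verdict keeps clients that simply disconnect from being counted as pregreeters.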
There is a lengthy history of prior work in this field, for example OpenBSD spamd, MailChannels TrafficControl, and work by Michael Tokarev in the early 2000s.