Re: Another SPAM doubt

  • mouss
    Message 1 of 19 , Dec 1, 2005
      Sergio Ferreira a écrit :
      > Hi List,
      >
      > I am still setting up SPAM stuff at my setup, now I have one doubt about some
      > third-party tools. I have known about integration of Postfix and Clamav,
      > Spamassassin too, instead of Postfix + Clamav + Amavis + Spamassassin.
      > Has anyone experienced both cases to help me with the advantages and the
      > disadvantages between them?
      > Without Amavis will my server be trustworthy too? My question is about should
      > I use Amavis or not. Some people say it is easier to manage these things
      > with Amavis, is it true?
      >
      > Any considerations will be very welcome to make things more clear.
      >

      The first question is which filtering engine you want to use. some choices:

      - spamassassin. widely used. resource intensive. maintenance burden
      - dspam. bayesian (with some variants). doc is not very clear.
      - crm114, bogofilter, ....

      so there are a lot of choices. some people daisy chain multiple engines.


      amavisd-new:
      - good interface to spamassassin. no more fork per mail + works in
      gateway mode (so can filter relayed mail if you want)
      - can block bad attachments
      - compatible with many anti-virus solutions
      - support for policies ("policy banks")
    • Kelly Sauke
      Message 2 of 19 , Dec 1, 2005
        Michael Katz wrote:

        > SA/Amavis is clearly the most widely deployed solution on this mailing
        > list, but there is another world that exists outside of the mailing
        > list and there are many options that integrate with Postfix that are
        > more accurate, require less administration and will perform better.


        How about some examples of these other options?
      • Chris St. Pierre
        Message 3 of 19 , Dec 1, 2005
          We use Sophos PureMessage (not free), currently with Sun's JMS. We'll
          be moving to Postfix this summer, and taking PureMessage with us, as
          it integrates with Postfix. PureMessage is a joy to administer -- it
          includes both an easy web interface and a powerful CLI, very un*x-like
          behavior (i.e., well-documented, plain-text config files), and it's
          written mostly in Perl -- a plus for us, as we're pretty proficient in
          Perl here.

          The downside is cost, which is not inconsiderable. However, we looked
          at SpamAssassin and then at PureMessage and the decision was pretty
          easy.

          Chris St. Pierre
          Unix Systems Administrator
          Nebraska Wesleyan University

          On Thu, 1 Dec 2005, Kelly Sauke wrote:

          >Michael Katz wrote:
          >
          >> SA/Amavis is clearly the most widely deployed solution on this mailing
          >> list, but there is another world that exists outside of the mailing
          >> list and there are many options that integrate with Postfix that are
          >> more accurate, require less administration and will perform better.
          >
          >
          >How about some examples of these other options?
          >
        • Sergio Ferreira
          Message 4 of 19 , Dec 1, 2005
            Hi Mouss,

            >>>>>> I am still setting up SPAM stuff at my setup, now I have one doubt about
            >>>>>> some third-party tools. I have known about integration of Postfix and
            >>>>>> Clamav, Spamassassin too, instead of Postfix + Clamav + Amavis + Spamassassin.
            >>>>>> Has anyone experienced both cases to help me with the advantages and
            >>>>>> the disadvantages between them?
            >>>>>> Without Amavis will my server be trustworthy too? My question is about
            >>>>>> should I use Amavis or not. Some people say it is easier to manage
            >>>>>> these things with Amavis, is it true?
            >>>>>>
            >>>>>> Any considerations will be very welcome to make things more clear.
            >>>>>>
            >>>>>
            >>>>>The first question is which filtering engine you want to
            >>>>>use. some choices:
            >>>>>
            >>>>>- spamassassin. widely used. resource intensive. maintenance burden

            I was thinking about using SpamAssassin. Is it worth it, or is it just the most
            used?




            >>>>>- dspam. bayesian (with some variants). doc is not very clear.

            I haven't heard about this one, but when I see problems with
            documentation then I'd rather not even try. :-/



            >>>>>- crm114, bogofilter, ....

            Bogofilter... I read a little bit about it, but I wasn't able to decide on it.
            Is it similar to SpamAssassin? Is it easy to set up and manage?

            >>>>>
            >>>>>so there are a lot of choices. some people daisy chain
            >>>>>multiple engines.

            Unless it is highly recommended, I prefer only one engine. I believe it is easy
            to fix problems and administer :-)



            >>>>>
            >>>>>
            >>>>>amavisd-new:
            >>>>>- good interface to spamassassin. no more fork per mail +
            >>>>>works in gateway mode (so can filter relayed mail if you want)
            >>>>>- can block bad attachments
            >>>>>- compatible with many anti-virus solutions
            >>>>>- support for policies ("policy banks")

            Is it well documented and easy to set up? I intend to adopt it.

            Bye,

            Sergio
          • Udo Rader
            Message 5 of 19 , Dec 1, 2005
              On Thu, 2005-12-01 at 09:14 -0500, Michael Katz wrote:
              > There are many antispam solutions for Postfix that are not Amavis
              > based. Amavis relies on SpamAssassin, one of the slowest spam analysis

              remember: there are no slow applications, only inappropriate hardware
              (well, most of the time ;-) Not so long ago, the sysreqs for running a
              mail server were very low compared to other services, but nowadays with all
              the content filtering stuff you need really high performing machines.

              > engines that comes with a huge administrative burden for certain (not

              if that was a postfix related question, someone would surely say: prove
              it.

              Udo Rader

              --
              bestsolution.at EDV Systemhaus GmbH
              http://www.bestsolution.at
            • Victor Duchovni
              Message 6 of 19 , Dec 1, 2005
                On Thu, Dec 01, 2005 at 05:53:21PM +0100, Udo Rader wrote:

                > On Thu, 2005-12-01 at 09:14 -0500, Michael Katz wrote:
                > > There are many antispam solutions for Postfix that are not Amavis
                > > based. Amavis relies on SpamAssassin, one of the slowest spam analysis
                >
                > remember: there are no slow applications, only inappropriate hardware
                > (well, most of the time ;-) Not so long ago, the sysreqs for running a
                > mail server were very low compared to other services, but nowadays with all
                > the content filtering stuff you need really high performing machines.
                >

                Money can buy you bandwidth, but latency is forever (John Mashey).
                More often these days you also need many separate machines, so that
                the latency of various lookups can be amortized over many parallel
                deliveries.

                --
                Viktor.

                Disclaimer: off-list followups get on-list replies or get ignored.
                Please do not ignore the "Reply-To" header.

                To unsubscribe from the postfix-users list, visit
                http://www.postfix.org/lists.html or click the link below:
                <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                If my response solves your problem, the best way to thank me is to not
                send an "it worked, thanks" follow-up. If you must respond, please put
                "It worked, thanks" in the "Subject" so I can delete these quickly.
              • Sergio Ferreira
                Message 7 of 19 , Dec 1, 2005
                  Hi, Chris,

                  >>>>>-----Original Message-----
                  >>>>>From: owner-postfix-users@...
                  >>>>>[mailto:owner-postfix-users@...] On Behalf Of
                  >>>>>Chris St. Pierre
                  >>>>>Sent: Thursday, December 01, 2005 2:47 PM
                  >>>>>To: Kelly Sauke
                  >>>>>Cc: postfix-users@...
                  >>>>>Subject: Re: Another SPAM doubt
                  >>>>>
                  >>>>>We use Sophos PureMessage (not free), currently with Sun's
                  >>>>>JMS. We'll be moving to Postfix this summer, and taking
                  >>>>>PureMessage with us, as it integrates with Postfix.
                  >>>>>PureMessage is a joy to administer -- it includes both an
                  >>>>>easy web interface and a powerful CLI, very un*x-like
                  >>>>>behavior (i.e., well-documented, plain-text config files),
                  >>>>>and it's written mostly in Perl -- a plus for us, as we're
                  >>>>>pretty proficient in Perl here.
                  >>>>>
                  >>>>>The downside is cost, which is not inconsiderable.
                  >>>>>However, we looked at SpamAssassin and then at PureMessage
                  >>>>>and the decision was pretty easy.
                  >>>>>
                  >>>>>Chris St. Pierre
                  >>>>>Unix Systems Administrator
                  >>>>>Nebraska Wesleyan University
                  >>>>>

                  I read about it too; it seems to be a good one really. But the boss wants a 100%
                  free software solution. Therefore, if I propose it, he is going to start killing
                  me very slowly. :-)



                  >>>>>On Thu, 1 Dec 2005, Kelly Sauke wrote:
                  >>>>>
                  >>>>>>Michael Katz wrote:
                  >>>>>>
                  >>>>>>> SA/Amavis is clearly the most widely deployed solution on this
                  >>>>>>> mailing list, but there is another world that exists outside of the
                  >>>>>>> mailing list and there are many options that integrate with Postfix
                  >>>>>>> that are more accurate, require less administration and will perform better.
                  >>>>>>
                  >>>>>>
                  >>>>>>How about some examples of these other options?
                  >>>>>>

                  Thanks,

                  Sergio
                • Michael Katz
                  Message 8 of 19 , Dec 1, 2005
                    Kelly Sauke wrote:
                    > Michael Katz wrote:
                    >
                    >> SA/Amavis is clearly the most widely deployed solution on this mailing
                    >> list, but there is another world that exists outside of the mailing
                    >> list and there are many options that integrate with Postfix that are
                    >> more accurate, require less administration and will perform better.
                    >
                    > How about some examples of these other options?

                    I am biased, but I think that MPP is a great one, http://messagepartners.com, which supports multiple spam engines including Cloudmark, Mailshell and Spamassassin. Sophos has one, which was mentioned; Symantec, KAV, VirusBuster are a few others.

                  • Jure Pečar
                    Message 9 of 19 , Dec 1, 2005
                      On Thu, 01 Dec 2005 09:11:10 -0600
                      Kelly Sauke <ksauke@...> wrote:

                      > How about some examples of these other options?

                      I'm currently playing with dspam, which can now in version 3.6 communicate
                      with clamAV too. It's a bit of black magic and nondeterministic
                      (statistics and all that ...), but can get very reliable for users'
                      specific mail patterns. Also 10x faster than Amavis/SA and once configured,
                      requires almost no administration.


                      --

                      Jure Pečar
                      http://jure.pecar.org/
                    • Covington, Chris
                      Message 10 of 19 , Dec 1, 2005
                        On Thu, Dec 01, 2005 at 10:45:54AM -0200, Sergio Ferreira wrote:
                        > Hi List,
                        >
                        > I am still setting up SPAM stuff at my setup, now I have one doubt about some
                        > third-party tools. I have known about integration of Postfix and Clamav,
                        > Spamassassin too, instead of Postfix + Clamav + Amavis + Spamassassin.
                        > Has anyone experienced both cases to help me with the advantages and the
                        > disadvantages between them?
                        > Without Amavis will my server be trustworthy too? My question is about should
                        > I use Amavis or not. Some people say it is easier to manage these things
                        > with Amavis, is it true?
                        >
                        > Any considerations will be very welcome to make things more clear.

                        I'd like to weigh in here. We used SpamAssassin/amavisd-new for about 2
                        or 3 years and the results were acceptable, the setup was fairly
                        straightforward and the overhead was low. It's a good beginner's setup
                        that will take care of 90-95% of your spam problems. The problem with SA
                        (and most commercial products, but I digress) is primarily that it's a
                        one-size-fits-all solution, and secondarily: it assumes English as the
                        primary language of all spam, it has a lot of network test latency, it
                        primarily adapts through new versions containing new rulesets, etc.
                        (For instance, with our population, medicine, nutrition & health
                        enhancement are integral parts of everyday business, not spam!)
                        Network tests help SA a little in this regard, but in many ways it's a
                        static system that waits for the next release to be more effective, and
                        its efficacy drops over time until the next version, etc.

                        In the last few months we've preserved amavisd-new to do virus scanning /
                        attachment blocking, removed SpamAssassin, and we've added DSPAM which
                        does the anti-spam. DSPAM is fairly difficult to set up and understand
                        (the documentation is sparse) but it's very effective and adaptive.
                        DSPAM is also more of a resource hog: we have a 400MB or so global MySQL
                        database compared to SA's small-footprint client installation. This
                        database contains 30,000 or so messages in the spam corpus and 40,000
                        or so in the ham corpus. The message scanning times are faster, but
                        the resources required are much higher. With all that said, it's an
                        excellent solution. It's highly accurate (we're at 98.87% right now,
                        this constantly gets better): The database is specially-tailored to
                        our users' email patterns, and our users continually update it themselves
                        by forwarding false positives and negatives to training addresses.
                        So if you have the patience, skills and hardware required to use
                        DSPAM, go for it!

                        ---
                        Chris Covington
                        IT
                        Plus One Health Management
                        75 Maiden Lane Suite 801
                        NY, NY 10038
                        646-312-6269
                        http://www.plusoneactive.com

                        !DSPAM:1,438f6162289285153766755!
                      • Jorey Bump
                        Message 11 of 19 , Dec 1, 2005
                          Covington, Chris wrote:

                          > this constantly gets better): The database is specially-tailored to
                          > our users' email patterns, and our users continually update it themselves
                          > by forwarding false positives and negatives to training addresses.
                          > So if you have the patience, skills and hardware required to use
                          > DSPAM, go for it!

                          Maybe I'm missing something, but a system that requires users to
                          continue to handle spam (if not actually read it) *and* to learn another
                          interface to train the application seems like little more than a mail
                          sorting program to me.

                          I want to reject spam immediately, during the SMTP conversation. I'm
                          doing that now on a low-volume site, running SA in a before-queue
                          content filter using spampd. While it may be possible to do the same
                          with dspam, SA bootstraps its bayesian filter with a multitude of rules,
                          so no user intervention is required. For the little bit of spam that
                          gets through, I can run sa-learn, or, even better, add a local rule that
                          will improve the bayesian filter after a few rejections.
                        • Covington, Chris
                          Message 12 of 19 , Dec 1, 2005
                            On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                            > Covington, Chris wrote:
                            >
                            > >this constantly gets better): The database is specially-tailored to
                            > >our users' email patterns, and our users continually update it themselves
                            > >by forwarding false positives and negatives to training addresses.
                            > >So if you have the patience, skills and hardware required to use
                            > >DSPAM, go for it!
                            >
                            > Maybe I'm missing something, but a system that requires users to
                            > continue to handle spam (if not actually read it) *and* to learn another
                            > interface to train the application seems like little more than a mail
                            > sorting program to me.

                            You don't have to use DSPAM's quarantine interface. We use Exchange's
                            "Junk E-mail" folder which is built-in: X-DSPAM-Result: Spam will move
                            a message to this folder (and all X-DSPAM* headers are removed before
                            they hit the DSPAM servers so this can't be spoofed). The "Junk E-mail"
                            folder's contents are automatically expired after 30 days. This
                            requires Exchange event sinks, BTW. Users need to forward mistakes
                            to training addresses.

                            > I want to reject spam immediately, during the SMTP conversation. I'm
                            > doing that now on a low-volume site, running SA in a before-queue
                            > content filter using spampd. While it may be possible to do the same
                            > with dspam, SA bootstraps its bayesian filter with a multitude of rules,
                            > so no user intervention is required. For the little bit of spam that
                            > gets through, I can run sa-learn, or, even better, add a local rule that
                            > will improve the bayesian filter after a few rejections.

                            That might work for a smaller site, but it doesn't scale well and it
                            places the administrative burden on you.

                            ---
                            Chris Covington
                            IT
                            Plus One Health Management
                            75 Maiden Lane Suite 801
                            NY, NY 10038
                            646-312-6269
                            http://www.plusoneactive.com

                            !DSPAM:1,438f69b3289288246520239!
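
The header handling described in the message above, as an added example that is not code from the thread or from DSPAM: it shows why inbound `X-DSPAM*` headers have to be stripped before the filter stamps its own verdict. The classifier stub, the first-header-wins folder rule and the sample message are assumptions made for the illustration.

```python
from email import message_from_string
from email.message import Message

FILTER_NAMESPACE = "x-dspam"   # header family named in the post

# Constructed sample: the sender pre-sets a verdict header, hoping the
# mail store will trust it.
SPOOFED_MAIL = """\
From: sender@example.com
To: user@example.org
Subject: cheap meds
X-DSPAM-Result: Innocent
X-DSPAM-Confidence: 0.99

buy now
"""


def strip_filter_headers(msg: Message) -> int:
    """Delete every inbound header in the filter's namespace; return how many."""
    doomed = [n for n in msg.keys() if n.lower().startswith(FILTER_NAMESPACE)]
    for name in set(doomed):
        del msg[name]          # removes all occurrences of that name
    return len(doomed)


def stub_verdict(msg: Message) -> str:
    """Hypothetical stand-in for the classifier; not DSPAM's algorithm."""
    return "Spam" if "meds" in msg.get("Subject", "").lower() else "Innocent"


def filter_stage(msg: Message, sanitize: bool) -> Message:
    """Gateway step: optionally sanitize, then stamp the filter's own verdict."""
    if sanitize:
        strip_filter_headers(msg)
    msg["X-DSPAM-Result"] = stub_verdict(msg)   # Message appends, never replaces
    return msg


def folder_for(msg: Message) -> str:
    """Assumed mail-store rule: trusts the first X-DSPAM-Result it sees."""
    return "Junk E-mail" if msg.get("X-DSPAM-Result") == "Spam" else "Inbox"


def deliver(raw: str, sanitize: bool) -> str:
    """Run one raw message through the filter stage and the folder rule."""
    return folder_for(filter_stage(message_from_string(raw), sanitize))


if __name__ == "__main__":
    print("without stripping:", deliver(SPOOFED_MAIL, sanitize=False))
    print("with stripping:   ", deliver(SPOOFED_MAIL, sanitize=True))
```

Without the stripping step the sender's header sits ahead of the filter's and decides the folder; with it, only the filter's verdict is left on the message.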
                          • Robert Felber
                            Message 13 of 19 , Dec 1, 2005
                              On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                              > now on a low-volume site, running SA in a before-queue content filter using
                              > spampd.

                              Out of curiosity, how does dspam handle multirecipient mail?

                              > RCPT TO:<foo@...>
                              > RCPT TO:<foo2@...>
                              < OK
                              > DATA
                              < OK
                              > headers:
                              >
                              > body
                              > .
                              < 4xx|5xx

                              What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                              still. Or am I wrong?


                              --
                              Robert Felber (PGP: 896CF30B)
                              Munich, Germany
                            • Jorey Bump
                              Message 14 of 19 , Dec 1, 2005
                                Robert Felber wrote:
                                > On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                                > > now on a low-volume site, running SA in a before-queue content filter using
                                > > spampd.
                                >
                                > Out of curiosity, how does dspam handle multirecipient mail?
                                >
                                > > RCPT TO:<foo@...>
                                > > RCPT TO:<foo2@...>
                                > < OK
                                > > DATA
                                > < OK
                                > > headers:
                                > >
                                > > body
                                > > .
                                > < 4xx|5xx
                                >
                                > What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                                > still. Or am I wrong?

                                I don't know about dspam, I'm using SpamAssassin *globally* in a
                                before-queue content filter. Yes, it rejects the entire message for all
                                recipients, but that's the point. My users don't even know their mail is
                                being filtered (and will complain about getting as many as 5-10 spam
                                messages in a week!). I use a lot of different spam-fighting techniques,
                                but *all* of them are apparent to the sender (rejections, no
                                backscatter), so I will hear about any problems that occur (rare, but it
                                does happen).

                                I used to quarantine everything, inspect it, then pass on the ham, but
                                that was a *true* administrative nightmare. This approach adds
                                complexity to configuration, and lets me enjoy my vacations a little
                                more. :)

                                Don't overlook Chris' point about scalability, which cuts both ways. I'm
                                not an ISP, and support most of my clients down to their desktops, so
                                eliminating spam and viruses can save me support calls down the line.
                                But in a large general purpose population, per-user spam categorization
                                may be mandatory.
                              • Covington, Chris
                                Message 15 of 19 , Dec 2, 2005
                                  On Thu, Dec 01, 2005 at 05:46:38PM -0500, Jorey Bump wrote:
                                  > Don't overlook Chris' point about scalability, which cuts both ways. I'm
                                  > not an ISP, and support most of my clients down to their desktops, so
                                  > eliminating spam and viruses can save me support calls down the line.
                                  > But in a large general purpose population, per-user spam categorization
                                  > may be mandatory.

                                  One correction - we are not using per-user databases. It's a single
                                  per-company database that people can train on mistakes.

                                  ---
                                  Chris Covington
                                  IT
                                  Plus One Health Management
                                  75 Maiden Lane Suite 801
                                  NY, NY 10038
                                  646-312-6269
                                  http://www.plusoneactive.com
                                • Covington, Chris
                                  Message 16 of 19 , Dec 2, 2005
                                    On Thu, Dec 01, 2005 at 11:11:06PM +0100, Robert Felber wrote:
                                    > On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                                    > > now on a low-volume site, running SA in a before-queue content filter using
                                    > > spampd.
                                    >
                                    > Out of curiosity, how does dspam handle multirecipient mail?
                                    >
                                    > > RCPT TO:<foo@...>
                                    > > RCPT TO:<foo2@...>
                                    > < OK
                                    > > DATA
                                    > < OK
                                    > > headers:
                                    > >
                                    > > body
                                    > > .
                                    > < 4xx|5xx
                                    >
                                    > What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                                    > still. Or am I wrong?

                                    No, DSPAM can be used as an LMTP content-filter, which supports per-user
                                    opt-in or opt-out enrollment. If foo@... is opted-in, then that
                                    message will be quarantined for him and sent to foo2@.... Or it can
                                    be just tagged for foo@... and not for foo2@.... DSPAM is very
                                    flexible in how you use it.

                                    ---
                                    Chris Covington
                                    IT
                                    Plus One Health Management
                                    75 Maiden Lane Suite 801
                                    NY, NY 10038
                                    646-312-6269
                                    http://www.plusoneactive.com
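
The multi-recipient question and the answer above, modelled as an added example (not code from the thread or from DSPAM): a before-queue SMTP filter gives one reply after the final `.` that applies to every `RCPT TO`, while LMTP returns one reply per accepted recipient, which is what makes per-user opt-in possible. The addresses, reply texts and the opted-out default for unknown recipients are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    opted_in: bool               # does this recipient want filtering at all?
    action: str = "quarantine"   # what happens to spam: "quarantine" or "tag"


def smtp_before_queue(recipients, is_spam):
    """Before-queue filter: a single end-of-DATA reply covers every RCPT."""
    reply = "550 5.7.1 message rejected" if is_spam else "250 2.0.0 queued"
    outcome = "rejected" if is_spam else "delivered"
    return [reply], {rcpt: outcome for rcpt in recipients}


def lmtp_after_queue(recipients, policies, is_spam):
    """LMTP filter: one end-of-DATA reply per RCPT, so each policy is honoured."""
    replies, outcomes = [], {}
    for rcpt in recipients:
        # Assumption: a recipient with no stored policy is treated as opted out.
        policy = policies.get(rcpt, Policy(opted_in=False))
        if is_spam and policy.opted_in:
            outcomes[rcpt] = "quarantined" if policy.action == "quarantine" else "tagged"
        else:
            outcomes[rcpt] = "delivered"
        replies.append(f"250 2.0.0 <{rcpt}> {outcomes[rcpt]}")
    return replies, outcomes


# Constructed sample matching the question: foo filters, foo2 does not.
RECIPIENTS = ["foo@example.org", "foo2@example.org"]
POLICIES = {
    "foo@example.org": Policy(opted_in=True),
    "foo2@example.org": Policy(opted_in=False),
}

if __name__ == "__main__":
    for name, result in (
        ("SMTP before-queue", smtp_before_queue(RECIPIENTS, is_spam=True)),
        ("LMTP after-queue", lmtp_after_queue(RECIPIENTS, POLICIES, is_spam=True)),
    ):
        replies, outcomes = result
        print(name, replies, outcomes)
```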