
Re: Another SPAM doubt

  • Chris St. Pierre
    Message 1 of 19, Dec 1, 2005
      We use Sophos PureMessage (not free), currently with Sun's JMS. We'll
      be moving to Postfix this summer, and taking PureMessage with us, as
      it integrates with Postfix. PureMessage is a joy to administer -- it
      includes both an easy web interface and a powerful CLI, very un*x-like
      behavior (i.e., well-documented, plain-text config files), and it's
      written mostly in Perl -- a plus for us, as we're pretty proficient in
      Perl here.

      The downside is cost, which is not inconsiderable. However, we looked
      at SpamAssassin and then at PureMessage and the decision was pretty
      easy.

      Chris St. Pierre
      Unix Systems Administrator
      Nebraska Wesleyan University

      On Thu, 1 Dec 2005, Kelly Sauke wrote:

      >Michael Katz wrote:
      >
      >> SA/Amavis is clearly the most widely deployed solution on this mailing
      >> list, but there is another world that exists outside of the mailing
      >> list and there are many options that integrate with Postfix that are
      >> more accurate, require less administration and will perform better.
      >
      >
      >How about some examples of these other options?
      >
    • Sergio Ferreira
      Message 2 of 19, Dec 1, 2005
        Hi Mouss,

        >>>>>> I still setting SPAM stuffs at my setup, now I have one doubt about
        >>>>>> some third parts tools. I have known about integration of Postfix and
        >>>>>> Clamav, Spamassassin too, instead of Postfix + Clamav + Amavis + Spamassassin.
        >>>>>> Anyone had experienced both cases for help me with the advantages and
        >>>>>> the disadvantages between them?
        >>>>>> Without Amavis my server will be trustworthy too? My question is about
        >>>>>> should I use Amavis or not? Some people says It is more easy to manage
        >>>>>> these things with Amavis, It is true?
        >>>>>>
        >>>>>> Any concerning will be very welcome to make things more clear.
        >>>>>>
        >>>>>
        >>>>>The first question is which filtering engine you want to
        >>>>>use. some choices:
        >>>>>
        >>>>>- spamassassin. widely used. resource intensive. maintenance burden

        I was thinking about using Spamassassin. Is it worth it, or is it just the
        most used?




        >>>>>- dspam. bayesian (with some variants). doc is not very clear.

        This one I haven't heard about, but when I see problems with
        documentation then I'd rather not even try. :-/



        >>>>>- crm114, bogofilter, ....

        Bogofilter... I read a little bit about it, but I wasn't able to decide on it.
        Is it similar to spamassassin? Is it easy to set up and manage?

        >>>>>
        >>>>>so there are a lot of choices. some people daisy chain
        >>>>>multiple engines.

        Unless it is highly recommended, I prefer only one engine. I believe it is easy
        to fix problems and administer :-)



        >>>>>
        >>>>>
        >>>>>amavisd-new:
        >>>>>- good interface to spamassassin. no more fork per mail +
        >>>>>works in gateway mode (so can filter relayed mail if you want)
        >>>>>- can block bad attachments
        >>>>>- compatible with many anti-virus solutions
        >>>>>- support for policies ("policy banks")

        Is it well documented and easy to set up? I intend to adopt it.

        Bye,

        Sergio
      • Sergio Ferreira
        Message 3 of 19, Dec 1, 2005
          Hi, Chris,

          >>>>>-----Original Message-----
          >>>>>From: owner-postfix-users@...
          >>>>>[mailto:owner-postfix-users@...] On Behalf Of
          >>>>>Chris St. Pierre
          >>>>>Sent: Thursday, December 01, 2005 2:47 PM
          >>>>>To: Kelly Sauke
          >>>>>Cc: postfix-users@...
          >>>>>Subject: Re: Another SPAM doubt
          >>>>>
          >>>>>We use Sophos PureMessage (not free), currently with Sun's
          >>>>>JMS. We'll be moving to Postfix this summer, and taking
          >>>>>PureMessage with us, as it integrates with Postfix.
          >>>>>PureMessage is a joy to administer -- it includes both an
          >>>>>easy web interface and a powerful CLI, very un*x-like
          >>>>>behavior (i.e., well-documented, plain-text config files),
          >>>>>and it's written mostly in Perl -- a plus for us, as we're
          >>>>>pretty proficient in Perl here.
          >>>>>
          >>>>>The downside is cost, which is not inconsiderable.
          >>>>>However, we looked at SpamAssassin and then at PureMessage
          >>>>>and the decision was pretty easy.
          >>>>>
          >>>>>Chris St. Pierre
          >>>>>Unix Systems Administrator
          >>>>>Nebraska Wesleyan University
          >>>>>

          I read about it too; it seems to be a good one really. But the boss wants a 100%
          free software solution. Therefore, if I propose it he is going to start to kill
          me very slowly. :-)



          >>>>>On Thu, 1 Dec 2005, Kelly Sauke wrote:
          >>>>>
          >>>>>>Michael Katz wrote:
          >>>>>>
          >>>>>>> SA/Amavis is clearly the most widely deployed solution on this
          >>>>>>> mailing list, but there is another world that exists outside of the
          >>>>>>> mailing list and there are many options that integrate with Postfix
          >>>>>>> that are more accurate, require less administration and will perform better.
          >>>>>>
          >>>>>>How about some examples of these other options?
          >>>>>>

          Thanks,

          Sergio
        • Michael Katz
          Message 4 of 19, Dec 1, 2005
            Kelly Sauke wrote:
            > Michael Katz wrote:
            >
            >> SA/Amavis is clearly the most widely deployed solution on this mailing
            >> list, but there is another world that exists outside of the mailing
            >> list and there are many options that integrate with Postfix that are
            >> more accurate, require less administration and will perform better.
            >
            > How about some examples of these other options?

            I am biased, but I think that MPP is a great one, http://messagepartners.com,
            which supports multiple spam engines including Cloudmark, Mailshell and
            Spamassassin. Sophos has one, which was mentioned; Symantec, KAV, VirusBuster
            are a few others.

          • Jure Pečar
            Message 5 of 19, Dec 1, 2005
              On Thu, 01 Dec 2005 09:11:10 -0600
              Kelly Sauke <ksauke@...> wrote:

              > How about some examples of these other options?

              I'm currently playing with dspam, which can now in version 3.6 communicate
              with clamAV too. It's a bit of a black magic and undeterministic
              (statistics and all that ...), but can get very reliable for users'
              specific mail patterns. Also 10x faster than Amavis/SA and once configured,
              requires almost no administration.


              --

              Jure Pečar
              http://jure.pecar.org/
            • Covington, Chris
              Message 6 of 19, Dec 1, 2005
                On Thu, Dec 01, 2005 at 10:45:54AM -0200, Sergio Ferreira wrote:
                > Hi List,
                >
                > I still setting SPAM stuffs at my setup, now I have one doubt about some
                > third parts tools. I have known about integration of Postfix and Clamav,
                > Spamassassin too, instead of Postfix + Clamav + Amavis + Spamassassin.
                > Anyone had experienced both cases for help me with the advantages and the
                > disadvantages between them?
                > Without Amavis my server will be trustworthy too? My question is about should
                > I use Amavis or not? Some people says It is more easy to manage these things
                > with Amavis, It is true?
                >
                > Any concerning will be very welcome to make things more clear.

                I'd like to weigh in here. We used SpamAssassin/amavisd-new for about 2
                or 3 years and the results were acceptable, the setup was fairly
                straightforward and the overhead was low. It's a good beginner's setup
                that will take care of 90-95% of your spam problems. The problem with SA
                (and most commercial products, but I digress) is primarily that it's a
                one-size-fits-all solution, and secondarily: it assumes English as the
                primary language of all spam, it has a lot of network test latency, it
                primarily adapts through new versions containing new rulesets, etc.
                (For instance, with our population, medicine, nutrition & health
                enhancement are integral parts of everyday business, not spam!)
                Network tests help SA a little in this regard, but in many ways it's a
                static system that waits for the next release to be more effective, and
                its efficacy drops over time until the next version, etc.

                In the last few months we've preserved amavisd-new to do virus scanning /
                attachment blocking, removed SpamAssassin, and we've added DSPAM which
                does the anti-spam. DSPAM is fairly difficult to set up and understand
                (the documentation is sparse) but it's very effective and adaptive.
                DSPAM is also more of a resource hog: we have a 400MB or so global MySQL
                database compared to SA's small-footprint client installation. This
                database contains 30,000 or so messages in the spam corpus and 40,000
                or so in the ham corpus. The message scanning times are faster, but
                the resources required are much higher. With all that said, it's an
                excellent solution. It's highly accurate (we're at 98.87% right now,
                this constantly gets better): The database is specially-tailored to
                our users' email patterns, and our users continually update it themselves
                by forwarding false positives and negatives to training addresses.
                So if you have the patience, skills and hardware required to use
                DSPAM, go for it!

                ---
                Chris Covington
                IT
                Plus One Health Management
                75 Maiden Lane Suite 801
                NY, NY 10038
                646-312-6269
                http://www.plusoneactive.com

                !DSPAM:1,438f6162289285153766755!
              • Jorey Bump
                Message 7 of 19, Dec 1, 2005
                  Covington, Chris wrote:

                  > this constantly gets better): The database is specially-tailored to
                  > our users' email patterns, and our users continually update it themselves
                  > by forwarding false positives and negatives to training addresses.
                  > So if you have the patience, skills and hardware required to use
                  > DSPAM, go for it!

                  Maybe I'm missing something, but a system that requires users to
                  continue to handle spam (if not actually read it) *and* to learn another
                  interface to train the application seems like little more than a mail
                  sorting program to me.

                  I want to reject spam immediately, during the SMTP conversation. I'm
                  doing that now on a low-volume site, running SA in a before-queue
                  content filter using spampd. While it may be possible to do the same
                  with dspam, SA bootstraps its bayesian filter with a multitude of rules,
                  so no user intervention is required. For the little bit of spam that
                  gets through, I can run sa-learn, or, even better, add a local rule that
                  will improve the bayesian filter after a few rejections.
                • Covington, Chris
                  Message 8 of 19, Dec 1, 2005
                    On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                    > Covington, Chris wrote:
                    >
                    > >this constantly gets better): The database is specially-tailored to
                    > >our users' email patterns, and our users continually update it themselves
                    > >by forwarding false positives and negatives to training addresses.
                    > >So if you have the patience, skills and hardware required to use
                    > >DSPAM, go for it!
                    >
                    > Maybe I'm missing something, but a system that requires users to
                    > continue to handle spam (if not actually read it) *and* to learn another
                    > interface to train the application seems like little more than a mail
                    > sorting program to me.

                    You don't have to use DSPAM's quarantine interface. We use Exchange's
                    "Junk E-mail" folder which is built-in: X-DSPAM-Result: Spam will move
                    a message to this folder (and all X-DSPAM* headers are removed before
                    they hit the DSPAM servers so this can't be spoofed). The "Junk E-mail"
                    folder's contents are automatically expired after 30 days. This
                    requires Exchange event sinks, BTW. Users need to forward mistakes
                    to training addresses.

                    > I want to reject spam immediately, during the SMTP conversation. I'm
                    > doing that now on a low-volume site, running SA in a before-queue
                    > content filter using spampd. While it may be possible to do the same
                    > with dspam, SA bootstraps its bayesian filter with a multitude of rules,
                    > so no user intervention is required. For the little bit of spam that
                    > gets through, I can run sa-learn, or, even better, add a local rule that
                    > will improve the bayesian filter after a few rejections.

                    That might work for a smaller site, but it doesn't scale well and it
                    places the administrative burden on you.

                    ---
                    Chris Covington
                    IT
                    Plus One Health Management
                    75 Maiden Lane Suite 801
                    NY, NY 10038
                    646-312-6269
                    http://www.plusoneactive.com

                    !DSPAM:1,438f69b3289288246520239!
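
The header-stripping step described in the message above ("all X-DSPAM* headers are removed before they hit the DSPAM servers"), as an added example that is not part of the original thread and is not DSPAM's, Postfix's or Exchange's own code. `classify` is a hypothetical stand-in that takes the verdict as a parameter, the mailbox rule is modelled as reading the first matching header, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy

# Namespace reserved for the filter's own verdict headers (from the post: X-DSPAM*).
RESERVED = re.compile(r"^x-dspam", re.IGNORECASE)


def strip_reserved(raw: bytes):
    """Ingress step: drop every sender-supplied header in the reserved namespace."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    removed = [name for name in msg.keys() if RESERVED.match(name)]
    for name in set(removed):
        del msg[name]  # removes all occurrences, whatever the letter case
    return msg.as_bytes(), removed


def classify(raw: bytes, verdict: str) -> bytes:
    """Hypothetical stand-in for the spam filter: appends its verdict header."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    msg["X-DSPAM-Result"] = verdict  # appended after any header already present
    return msg.as_bytes()


def folder_for(raw: bytes) -> str:
    """Mailbox rule from the post, modelled as reading the first matching header."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    result = (msg.get("X-DSPAM-Result") or "").strip().lower()
    return "Junk E-mail" if result == "spam" else "Inbox"


# Constructed sample: a sender-supplied verdict in lower case plus a folded
# header in the same namespace, to show that both are caught.
FORGED = (
    b"From: sender@example.org\r\n"
    b"To: user@example.com\r\n"
    b"x-dspam-result: Innocent\r\n"
    b"X-DSPAM-Confidence: 1.0000;\r\n"
    b"\tconstructed-folded-value\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)


def deliver(raw: bytes, verdict: str, sanitize: bool):
    """Run ingress -> filter -> mailbox rule; return (folder, stripped header names)."""
    removed = []
    if sanitize:
        raw, removed = strip_reserved(raw)
    return folder_for(classify(raw, verdict)), removed


if __name__ == "__main__":
    # Without stripping, the sender's header is the first match and overrides the filter.
    print(deliver(FORGED, "Spam", sanitize=False))
    # With stripping, only the filter's own verdict reaches the mailbox rule.
    print(deliver(FORGED, "Spam", sanitize=True))
```

The strip has to run at the point where mail enters from untrusted senders, before the filter adds its own headers; running it afterwards would remove the real verdict as well.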
                  • Robert Felber
                    Message 9 of 19, Dec 1, 2005
                      On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                      > now on a low-volume site, running SA in a before-queue content filter using
                      > spampd.

                      Out of curiosity, how does dspam handle multirecipient mail?

                      > RCPT TO:<foo@...>
                      > RCPT TO:<foo2@...>
                      < OK
                      > DATA
                      < OK
                      > headers:
                      >
                      > body
                      > .
                      < 4xx|5xx

                      What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                      still. Or am I wrong?


                      --
                      Robert Felber (PGP: 896CF30B)
                      Munich, Germany
                    • Jorey Bump
                      Message 10 of 19, Dec 1, 2005
                        Robert Felber wrote:
                        > On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                        >
                        >>now on a low-volume site, running SA in a before-queue content filter using
                        >>spampd.
                        >
                        >
                        > Out of curiosity, how does dspam handle multirecipient mail?
                        >
                        >
                        >>RCPT TO:<foo@...>
                        >>RCPT TO:<foo2@...>
                        >
                        > < OK
                        >
                        >>DATA
                        >
                        > < OK
                        >
                        >>headers:
                        >>
                        >>body
                        >>.
                        >
                        > < 4xx|5xx
                        >
                        > What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                        > still. Or am I wrong?

                        I don't know about dspam, I'm using SpamAssassin *globally* in a
                        before-queue content filter. Yes, it rejects the entire message for all
                        recipients, but that's the point. My users don't even know their mail is
                        being filtered (and will complain about getting as many as 5-10 spam
                        messages in a week!). I use a lot of different spam-fighting techniques,
                        but *all* of them are apparent to the sender (rejections, no
                        backscatter), so I will hear about any problems that occur (rare, but it
                        does happen).

                        I used to quarantine everything, inspect it, then pass on the ham, but
                        that was a *true* administrative nightmare. This approach adds
                        complexity to configuration, and lets me enjoy my vacations a little
                        more. :)

                        Don't overlook Chris' point about scalability, which cuts both ways. I'm
                        not an ISP, and support most of my clients down to their desktops, so
                        eliminating spam and viruses can save me support calls down the line.
                        But in a large general purpose population, per-user spam categorization
                        may be mandatory.
                      • Covington, Chris
                        Message 11 of 19, Dec 2, 2005
                          On Thu, Dec 01, 2005 at 05:46:38PM -0500, Jorey Bump wrote:
                          > Don't overlook Chris' point about scalability, which cuts both ways. I'm
                          > not an ISP, and support most of my clients down to their desktops, so
                          > eliminating spam and viruses can save me support calls down the line.
                          > But in a large general purpose population, per-user spam categorization
                          > may be mandatory.

                          One correction - we are not using per-user databases. It's a single
                          per-company database that people can train on mistakes.

                          ---
                          Chris Covington
                          IT
                          Plus One Health Management
                          75 Maiden Lane Suite 801
                          NY, NY 10038
                          646-312-6269
                          http://www.plusoneactive.com
                        • Covington, Chris
                          Message 12 of 19, Dec 2, 2005
                            On Thu, Dec 01, 2005 at 11:11:06PM +0100, Robert Felber wrote:
                            > On Thu, Dec 01, 2005 at 04:07:04PM -0500, Jorey Bump wrote:
                            > > now on a low-volume site, running SA in a before-queue content filter using
                            > > spampd.
                            >
                            > Out of curiosity, how does dspam handle multirecipient mail?
                            >
                            > > RCPT TO:<foo@...>
                            > > RCPT TO:<foo2@...>
                            > < OK
                            > > DATA
                            > < OK
                            > > headers:
                            > >
                            > > body
                            > > .
                            > < 4xx|5xx
                            >
                            > What if foo2 doesn't want to use dspam? In that case, he would lose the mail
                            > still. Or am I wrong?

                            No, DSPAM can be used as an LMTP content-filter, which supports per-user
                            opt-in or opt-out enrollment. If foo@... is opted-in, then that
                            message will be quarantined for him and sent to foo2@.... Or it can
                            be just tagged for foo@... and not for foo2@.... DSPAM is very
                            flexible in how you use it.

                            ---
                            Chris Covington
                            IT
                            Plus One Health Management
                            75 Maiden Lane Suite 801
                            NY, NY 10038
                            646-312-6269
                            http://www.plusoneactive.com