outbound spam filtering

  • David Koski
    Message 1 of 19 , Dec 16, 2008
      An ISP that I do work for recently had an account on their CommuniGatePro
      server hijacked by a spammer. Of course this got them on the blacklist of
      AOL, Yahoo and others. There are three inbound Postfix relay servers for
      blacklisting that are in front of three Barracuda spam filters. I am trying
      to come up with a way to use the inbound Postfix relay servers for
      controlling outbound email. Is there a way to limit email from a single
      sender per day or per hour with Postfix used as a relay? How effective would
      Postfix/Amavis/Clam/Spamassassin be for stopping abuse?

      Regards,
      David Koski
      dkoski@...
    • mouss
      Message 2 of 19 , Dec 16, 2008
        David Koski wrote:
        > An ISP that I do work for recently had an account on their CommuniGatePro
        > server hijacked by a spammer. Of course this got them on the blacklist of
        > AOL, Yahoo and others. There are three inbound Postfix relay servers for
        > blacklisting that are in front of three Barracuda spam filters. I am trying
        > to come up with a way to use the inbound Postfix relay servers for
        > controlling outbound email. Is there a way to limit email from a single
        > sender per day or per hour with Postfix used as a relay?

        you can use the throttle functionality of policyd (v1):
        http://www.policyd.org
        (there's a V2, rewritten in perl, but I never tried it, so I can't tell
        much).

        alternatively, you can have a script that parses logs and populates an
        access map. This requires work but will be more flexible as you can mix
        multiple heuristics to detect abuse. It also doesn't interfere with the
        mail flow.


        > How effective would
        > Postfix/Amavis/Clam/Spamassassin be for stopping abuse?
        >

        - clamav would be good if you have enough resources. you can use it from
        amavisd-new or from clamsmtpd (less flexible, but it's less expensive).
        you can add non official signatures (sanesecurity, msrbl) to detect more
        junk.

        - spamassassin, besides being expensive, is developed for inbound mail
        (this is actually true for most content filters). if you use it, you'll
        need to disable such checks. for example:
        - Bayes (this is hard to use in an ISP environment, be that for inbound
        or outbound). Bayes is unusable without correct training.
        - AWL
        - most DNSBL checks
        - ...


        - You can use URIBL/SURBL via a milter:
        http://www.snertsoft.com/sendmail/milter-link/
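A starting point for the log-parsing approach mouss describes above, as an added example that is not part of the thread or of any project named in it: it parses constructed Postfix smtpd/qmgr log lines, aggregates per SASL login per hour, and emits access(5) entries for logins that exceed a volume threshold. It goes slightly beyond the post by also counting distinct client IPs per login; the log lines, login names, thresholds and the REJECT text are all assumptions.

```python
"""Postfix log heuristics for spotting a hijacked submission account.

Constructed example (not from the thread): parses smtpd/qmgr log lines,
aggregates per authenticated sender per hour, and emits access-map entries
for senders that exceed volume thresholds.
"""
import re
from collections import defaultdict

# Constructed sample log excerpt; hosts, addresses and queue ids are invented.
SAMPLE_LOG = """\
Dec 16 10:00:01 relay1 postfix/smtpd[1001]: A1B2C3D4E5: client=pc1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.net
Dec 16 10:00:01 relay1 postfix/qmgr[900]: A1B2C3D4E5: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Dec 16 10:05:12 relay1 postfix/smtpd[1002]: F6E5D4C3B2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.net
Dec 16 10:05:12 relay1 postfix/qmgr[900]: F6E5D4C3B2: from=<bob@example.net>, size=9000, nrcpt=40 (queue active)
Dec 16 10:07:33 relay1 postfix/smtpd[1003]: 0A9B8C7D6E: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.net
Dec 16 10:07:33 relay1 postfix/qmgr[900]: 0A9B8C7D6E: from=<bob@example.net>, size=9100, nrcpt=35 (queue active)
Dec 16 11:30:00 relay1 postfix/smtpd[1004]: 1122334455: client=pc1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.net
Dec 16 11:30:00 relay1 postfix/qmgr[900]: 1122334455: from=<alice@example.net>, size=1500, nrcpt=2 (queue active)
"""

# smtpd logs the authenticated login name once per accepted message, keyed by queue id.
SMTPD_RE = re.compile(
    r"^(?P<hour>\w{3} +\d+ \d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: (?P<qid>\w+): "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)
# qmgr logs the recipient count for the same queue id when the message becomes active.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_log(text):
    """Return {(user, hour): {"messages": n, "recipients": n, "ips": set()}}."""
    submissions = {}  # queue id -> (user, hour, client ip), from the smtpd line
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            submissions[m["qid"]] = (m["user"], m["hour"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in submissions:
            # Only messages that were submitted with SASL auth are counted.
            user, hour, ip = submissions[m["qid"]]
            bucket = stats[(user, hour)]
            bucket["messages"] += 1
            bucket["recipients"] += int(m["nrcpt"])
            bucket["ips"].add(ip)
    return dict(stats)


def find_abusers(stats, max_msgs=100, max_rcpts=50, max_ips=3):
    """Map each login that trips any hourly threshold to the reason it tripped.

    Thresholds are assumed values; tune them to the real traffic profile.
    """
    reasons = {}
    for (user, hour), b in stats.items():
        if b["messages"] > max_msgs:
            reasons.setdefault(user, f"{b['messages']} messages in hour {hour}")
        elif b["recipients"] > max_rcpts:
            reasons.setdefault(user, f"{b['recipients']} recipients in hour {hour}")
        elif len(b["ips"]) > max_ips:
            reasons.setdefault(user, f"{len(b['ips'])} client IPs in hour {hour}")
    return reasons


def build_access_map(reasons, action="REJECT Sending limit exceeded, contact support"):
    """Render access(5) entries keyed by SASL login name, one per flagged login."""
    return "".join(f"{user}\t{action}\n" for user in sorted(reasons))


if __name__ == "__main__":
    flagged = find_abusers(parse_log(SAMPLE_LOG))
    for user, why in flagged.items():
        print(f"# {user}: {why}")
    print(build_access_map(flagged), end="")
```

The generated file can be compiled with postmap and consulted with check_sasl_access (Postfix 2.11 and later) in smtpd_sender_restrictions, so the map blocks the login rather than the envelope sender a spammer can forge.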
      • Alex
        Message 3 of 19 , Nov 5 1:47 AM
          Hello

          This is my first post on this list. I have an atypical configuration like this:
          - an MX server for inbound mails; this server is configured with virtual
          domains, graylisting, antivirus and antispam for all incoming mails; it
          is also used by my users as a pop/imap/smtp server.
          - all emails originating from my users (authenticated users) are relayed
          to other servers. On these outgoing servers I have 3 to 8 postfix
          instances on different ips. Each instance has a dedicated transport
          for servers like yahoo, hotmail etc.
          Basically, if one of my users wants to send an email outside it must
          authenticate to the smtp server. The smtp server relays that message to
          one gateway server (round-robin fashion) and the gateway server sends the
          message to the destination.
          What I am trying to do is scan all outbound emails (I have had a few
          situations in which a mail account was owned by spammers and used to send
          spam). The scanner must be on the gateway servers, not on the smtp server,
          because it can't take any more load.
          As for scanning software, on the incoming server I use spamassassin
          invoked from maildrop. On the gateway servers I am trying to use something
          lighter, and I read about dspam.
          I have a few questions for you:
          - how can I use dspam or any other scanning software on my gateway
          servers (multiple instance configuration)?
          - is dspam a good choice?

          Alex
          Thank you
        • ram
          Message 4 of 19 , Nov 5 2:26 AM
            On Thu, 2009-11-05 at 11:47 +0200, Alex wrote:
            > Hello
            >
            > This is my first post on this list. I have an atypical configuration like this:
            > - an MX server for inbound mails; this server is configured with virtual
            > domains, graylisting, antivirus and antispam for all incoming mails; it
            > is also used by my users as a pop/imap/smtp server.
            > - all emails originating from my users (authenticated users) are relayed
            > to other servers. On these outgoing servers I have 3 to 8 postfix
            > instances on different ips. Each instance has a dedicated transport
            > for servers like yahoo, hotmail etc.
            > Basically, if one of my users wants to send an email outside it must
            > authenticate to the smtp server. The smtp server relays that message to
            > one gateway server (round-robin fashion) and the gateway server sends the
            > message to the destination.
            > What I am trying to do is scan all outbound emails (I have had a few
            > situations in which a mail account was owned by spammers and used to send
            > spam). The scanner must be on the gateway servers, not on the smtp server,
            > because it can't take any more load.
            > As for scanning software, on the incoming server I use spamassassin
            > invoked from maildrop. On the gateway servers I am trying to use something
            > lighter, and I read about dspam.
            > I have a few questions for you:
            > - how can I use dspam or any other scanning software on my gateway
            > servers (multiple instance configuration)?
            > - is dspam a good choice?
            >
            > Alex
            > Thank you

            Outbound scanning is slightly different from inbound, but in general you
            need not scan and catch all the spam messages. Just one caught and you
            immediately know which account is spewing spam.

            Dspam is not very effective ... Of course that's my opinion, YMMV.

            If you find spamassassin too heavy maybe you can trim it yourself.
            Remove all unnecessary cf files, especially the network DNS checks since
            they are all irrelevant for outbound. You could even consider some
            lightweight commercial plugin and remove all other rules.

            But other than scanning, implement the basic hygiene. Allow only strong
            passwords, if possible block port 25 and use 587, educate the users
            about phishing etc. Also register for Feedback loops and watch out for
            abuse complaints. All that is absolutely essential today for an outbound
            mail relay.
          • Egoitz Aurrekoetxea Aurre
            Message 5 of 19 , Nov 5 1:11 PM
              Hi,

              I think outgoing scans are a little different. You have some
              advantages and disadvantages with respect to incoming mail scanning.
              Advantages are that you know your users and more or less what they
              do.... or you have it controlled with some scripts. So you can
              identify more easily when a user is not behaving as always.... assuming
              that perhaps someone has stolen his password or has some worm on
              his office network. You should be more trusting with your users
              because you have accepted too to give them service and because they
              have signed a contract with you and because it's easier to stop the
              problem if someone behaves like he shouldn't. So... I advise you to check
              their behaviour and then if you suspect someone you should then
              pass their mails through a mail scanning machine and perhaps even check
              more concisely what they are doing.... but IMHO you shouldn't
              scan all their mail. You should too check your mail queues and check
              what your reputation in RBLs as a mail machine is too....

              I'm working on a utility for being used as an outgoing mail controller
              (better said than scanner) based on what I told you. It will be ready
              in 3 or 4 more months :) :).

              Hope I have instructed you a little on how to interact with outgoing
              mail.

              Bye mate!


              On 05/11/2009, at 11:26, ram wrote:

              > Outbound scanning is slightly different from inbound, but in general
              > you need not scan and catch all the spam messages. Just one caught and you
              > immediately know which account is spewing spam.
              >
              > Dspam is not very effective ... Of course that's my opinion, YMMV.
              >
              > If you find spamassassin too heavy maybe you can trim it yourself.
              > Remove all unnecessary cf files, especially the network DNS checks
              > since they are all irrelevant for outbound. You could even consider some
              > lightweight commercial plugin and remove all other rules.
              >
              > But other than scanning, implement the basic hygiene. Allow only
              > strong passwords, if possible block port 25 and use 587, educate the users
              > about phishing etc. Also register for Feedback loops and watch out for
              > abuse complaints. All that is absolutely essential today for an
              > outbound mail relay.
            • Alex
              Message 6 of 19 , Nov 5 11:32 PM
                ram wrote:
                > Outbound scanning is slightly different from inbound, but in general you
                > need not scan and catch all the spam messages. Just one caught and you
                > immediately know which account is spewing spam.
                >
                > Dspam is not very effective ... Of course that's my opinion, YMMV.
                >
                > If you find spamassassin too heavy maybe you can trim it yourself.
                > Remove all unnecessary cf files, especially the network DNS checks since
                > they are all irrelevant for outbound. You could even consider some
                > lightweight commercial plugin and remove all other rules.
                >
                > But other than scanning, implement the basic hygiene. Allow only strong
                > passwords, if possible block port 25 and use 587, educate the users
                > about phishing etc. Also register for Feedback loops and watch out for
                > abuse complaints. All that is absolutely essential today for an outbound
                > mail relay.
                Hi ram

                Thanks for replying. Dspam was mentioned just because I know what
                spamassassin can do on a busy server. I take care about abuse complaints,
                the users are advised about their passwords, but giving lessons about
                phishing to 2000 vdomains is too much. So my question was how I can do
                this in a multiple instance environment.
              • Alex
                Message 7 of 19 , Nov 5 11:48 PM
                  Egoitz Aurrekoetxea Aurre wrote:
                  > Hi,
                  >
                  > I think outgoing scans are a little different. You have some
                  > advantages and disadvantages with respect to incoming mail scanning.
                  > Advantages are that you know your users and more or less what they
                  > do.... or you have it controlled with some scripts. So you can
                  > identify more easily when a user is not behaving as always.... assuming
                  > that perhaps someone has stolen his password or has some worm on
                  > his office network. You should be more trusting with your users
                  > because you have accepted too to give them service and because they
                  > have signed a contract with you and because it's easier to stop the
                  > problem if someone behaves like he shouldn't. So... I advise you to check
                  > their behaviour and then if you suspect someone you should then
                  > pass their mails through a mail scanning machine and perhaps even check
                  > more concisely what they are doing.... but IMHO you shouldn't
                  > scan all their mail. You should too check your mail queues and check
                  > what your reputation in RBLs as a mail machine is too....
                  >
                  > I'm working on a utility for being used as an outgoing mail controller
                  > (better said than scanner) based on what I told you. It will be ready
                  > in 3 or 4 more months :) :).
                  >
                  > Hope I have instructed you a little on how to interact with outgoing
                  > mail.
                  >
                  > Bye mate!
                  >
                  Hi

                  The trust in my own users led me to his post. The users are ignorant
                  (not all, but..). No one cares about how they send, what they send, where
                  they send; they just want to send more and more.
                  I don't trust anyone, and not my server either.
                  I know that the outbound filtering is different. My intention is to
                  scan all messages originating from my network and based on spam scoring
                  to take the proper action. For the beginning let's say "if spam score is >
                  10" HOLD. This will give time to investigate the body of that email and
                  decide what to do (pass or reject).
                • lst_hoe02@kwsoft.de
                  Message 8 of 19 , Nov 6 12:07 AM
                    Zitat von Alex <me@...>:

                    > Hi
                    >
                    > The trust in my own users led me to his post. The users are
                    > ignorant (not all, but..). No one cares about how they send, what they
                    > send, where they send; they just want to send more and more.
                    > I don't trust anyone, and not my server either.
                    > I know that the outbound filtering is different. My intention is
                    > to scan all messages originating from my network and based on spam
                    > scoring to take the proper action. For the beginning let's say "if
                    > spam score is > 10" HOLD. This will give time to investigate the
                    > body of that email and decide what to do (pass or reject).
                    >

                    Well done! As soon as you don't know personally all your users or can't
                    control what they are allowed to do like in a company network, you
                    should for sure scan the outbound mail for spam to detect spammers
                    using your service before the complaints from others rush in. If the
                    ISPs did so, most of the spam would disappear. But instead even
                    many of the big mail providers spit out spam day by day and rather
                    spam-filter their abuse account to not get complaints.

                    Regards

                    Andreas
                  • egoitz@ramattack.net
                    Message 9 of 19 , Nov 6 1:52 AM
                      > Hi
                      >
                      > The trust in my own users led me to his post. The users are ignorant
                      > (not all, but..). No one cares about how they send, what they send, where
                      > they send; they just want to send more and more.
                      > I don't trust anyone, and not my server either.
                      > I know that the outbound filtering is different. My intention is to
                      > scan all messages originating from my network and based on spam scoring
                      > to take the proper action. For the beginning let's say "if spam score is >
                      > 10" HOLD. This will give time to investigate the body of that email and
                      > decide what to do (pass or reject).
                      >

                      When I said trust I didn't mean that you should think your users
                      won't send spam. I meant, you shouldn't be relaxed because they're not
                      going to send spam... this is not what I tried to say. Basically with the
                      trust sentence I meant that you have an agreement with them and that if they
                      become spammers knowing what they are doing they can run into serious
                      problems... so it's not the same situation as an incoming mail relay where
                      anyone will send you mail and has nothing signed with you; just that, not
                      that you should have a blind trust in them. Apart from this... outgoing
                      mail is supposed to be mail generated by the need of your customer to
                      send a mail to another person... it's not the same as receiving mail
                      from everyone with any intention like in an incoming relay.

                      I think that while in mail scanning machines you should see content, in
                      outgoing mail scanning you should only check content if you doubt
                      someone, and how do you doubt someone? Seeing strange activity on them,
                      or seeing your servers' reputation worsen, or seeing lots of delays of
                      some mails in your queue, or looking at the bounces your machine is
                      sending. I would only use content spam checkers such as spamassassin (that
                      would be my option in case I needed one) if I suspect someone. And too, as
                      people have commented here, on your outgoing mail machines... it is nice too
                      to set forced ssl and the usage of the submission port (normally bots don't talk
                      ssl and normally try to connect to port 25). Apart from this I think human
                      intervention (from your users) would be nice too for ensuring
                      they have no malware in their desktops sending mails to addresses in
                      their addressbook. Something like... reject the message with a url for
                      your users saying hit here (and the reason for this reject) if you want
                      to continue sending mail because I have seen something suspect in your
                      activity; then if your users don't take care of these notifications and
                      just hit the button located at that url to continue sending mail...
                      then the second attempt to hit from them won't be valid because
                      they should talk to you for you to check what they're doing.

                      I think this should be the correct behaviour and as said yesterday I will
                      implement something for this kind of checks on outgoing mail scanning
                      machines.

                      Of course this is my opinion and what experience says to me :).

                      Bye!!!!!!!!
                    • Alex
                      Message 10 of 19 , Nov 6 1:59 AM
                        egoitz@... wrote:
                        > When I said trust I didn't mean that you should think your users
                        > won't send spam. I meant, you shouldn't be relaxed because they're not
                        > going to send spam... this is not what I tried to say. Basically with the
                        > trust sentence I meant that you have an agreement with them and that if they
                        > become spammers knowing what they are doing they can run into serious
                        > problems... so it's not the same situation as an incoming mail relay where
                        > anyone will send you mail and has nothing signed with you; just that, not
                        > that you should have a blind trust in them. Apart from this... outgoing
                        > mail is supposed to be mail generated by the need of your customer to
                        > send a mail to another person... it's not the same as receiving mail
                        > from everyone with any intention like in an incoming relay.
                        >
                        > I think that while in mail scanning machines you should see content, in
                        > outgoing mail scanning you should only check content if you doubt
                        > someone, and how do you doubt someone? Seeing strange activity on them,
                        > or seeing your servers' reputation worsen, or seeing lots of delays of
                        > some mails in your queue, or looking at the bounces your machine is
                        > sending. I would only use content spam checkers such as spamassassin (that
                        > would be my option in case I needed one) if I suspect someone. And too, as
                        > people have commented here, on your outgoing mail machines... it is nice too
                        > to set forced ssl and the usage of the submission port (normally bots don't talk
                        > ssl and normally try to connect to port 25). Apart from this I think human
                        > intervention (from your users) would be nice too for ensuring
                        > they have no malware in their desktops sending mails to addresses in
                        > their addressbook. Something like... reject the message with a url for
                        > your users saying hit here (and the reason for this reject) if you want
                        > to continue sending mail because I have seen something suspect in your
                        activity; then if you're users don't take care of this notifications and
                        just hit on the button located at that url for continuing sending mail...
                        then the second attempt to hit from part of them won't be valid because
                        they should talk to you for you to check what they're doing.
                        
                        I think this should be the correct behaviour and as said yesterday I will
                        implement something for this kind of checks on outgoing mail scanning
                        machines.
                        
                        Of course this is my opinion and what experience sais to me :).
                        
                        Bye!!!!!!!!
                        
                          
                        Hi

                        Let me give you an example. Let's say that at 3 am one mailbox is hacked and is used to send mails with no links, no click buttons, just lottery scam content and a reply address. You have enforced limits on your server and you don't allow sending more than n messages per hour, so that guy successfully sends those n emails. One or more destination addresses is a spam trap.
                        Next day in the morning all you can see is that your IP(s) are listed in a bunch of RBLs and queues are full of messages.
                        What I understand from you is how to deal with these situations, but what I intend to do is to prevent these situations.

                        Thank you
                      • Alex
                        Message 11 of 19 , Nov 6 2:02 AM
                          lst_hoe02@... wrote:
                          > Zitat von Alex <me@...>:
                          >
                          >>>
                          >> Hi
                          >>
                          >> The trust in my own users led me to this post. The users are
                          >> ignorant (not all, but...). No one cares about how they send, what they send,
                          >> where they send; they just want to send more and more.
                          >> I don't trust anyone, and my server too.
                          >> I know that outbound filtering is different. My intention is
                          >> to scan all messages originating from my network and, based on spam
                          >> scoring, take the proper action. For the beginning let's say "if spam
                          >> score is > 10" HOLD. This will give time to investigate the body of
                          >> that email and decide what to do (pass or reject).
                          >>
                          >
                          > Well done! As soon as you don't know all your users personally or can't
                          > control what they are allowed to do, like in a company network, you
                          > should for sure scan the outbound mail for spam to detect spammers
                          > using your service before the complaints from others rush in. If the
                          > ISPs would do so, most of the spam would disappear. But instead even
                          > many big mail providers spit out spam day by day and rather
                          > spam-filter their abuse account to not get complaints.
                          >
                          > Regards
                          >
                          > Andreas
                          >
                          >
                          Hi

                          Thank you all for your opinions, pro or contra.
                          Does anyone have an idea how to use a spam filter in a multiple-instance
                          configuration?

                          Alex
                        • egoitz@ramattack.net
                          Message 12 of 19 , Nov 6 4:31 AM
                            >
                            > Let me give you an example. Let's say that at 3 am one mailbox is hacked
                            > and is used to send mails with no links, no click buttons, just lottery scam
                            > content and a reply address. You have enforced limits on your server and
                            > you don't allow sending more than n messages per hour, so that guy
                            > successfully sends those n emails. One or more destination addresses is a
                            > spam trap.
                            > Next day in the morning all you can see is that your IP(s) are listed in
                            > a bunch of RBLs and queues are full of messages.
                            > What I understand from you is how to deal with these situations, but what I
                            > intend to do is to prevent these situations.
                            >
                            > Thank you
                            >

                            Not really. At 3am perhaps it's a difficult moment, but during the day, when
                            the user logs in for retrieving mail and sending too, you could know if he is
                            logging in from a strange site and then you can block that user. For example:
                            imagine a user sends and retrieves mail in Spain. There's no easy
                            explanation (some users can do it... but it's not the normal situation) for
                            that user wanting, less than 5 minutes later, to send an email from...
                            Russia, for example... so you could block that user and allow the user to do it
                            later or... perhaps bypass this kind of check for this user. But you can
                            surely control where the user is logging in from and so on... (this
                            algorithm, among others, is one I'm now working on). If I detect this
                            activity I block it, requiring his action. And you could also know how many
                            mails a user can normally send... if a user can normally send 100 mails...
                            there's almost no valid reason for that user to send more than those 100
                            mails in an hour... so you could block it too, requiring his action to allow
                            him. You will have sent 100 but no more.

                            As said, I'm working on this kind of algorithm to determine how to
                            implement this, but I think it's the solution for outgoing relay. Later,
                            Postfix can implement sender_login_maps and several other things that can
                            help you trap spammers too. You could also check the connecting IP
                            (who is trying to send mail through your machine) to see in how many RBLs it
                            is listed... I have a script that does parallel RBL checks at the same time
                            and you could determine how trustable that user is.... there are several
                            ways; you could even do an SPF check for outgoing mail... seeing if the From
                            the user is entering is OK to be sent from your machine. And IMHO
                            SpamAssassin is less efficient and slower than this kind of check for
                            outgoing mail.

                            It's my opinion, as said, and what I'm going to try because I have seen these
                            things in my working experience. I'm going to improve my ideas and develop
                            this code and well... then we could see how this works. As I say, these are
                            my ideas... others can have different ones :).

                            Bye!!!
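The two checks sketched in the message above (an account that authenticates from two countries within a few minutes, and an account that suddenly sends far more than it normally does) as an added, self-contained example. This is not code from the thread or from the poster's project; the IP-to-country table, the thresholds and the event lists are constructed for the example (a real deployment would use a GeoIP database and the MTA's own authentication and sending logs).

```python
"""Outbound-abuse anomaly checks: impossible travel and per-user volume baseline.

Added example, not from the thread.  The GeoIP stand-in, thresholds and
events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed stand-in for a GeoIP lookup (assumption: a real one is available).
IP_COUNTRY = {
    "203.0.113.10": "ES",
    "203.0.113.11": "ES",
    "198.51.100.7": "RU",
}

TRAVEL_WINDOW = timedelta(minutes=5)   # two countries within this window = suspicious
BASELINE_FACTOR = 3                    # flag an hour above factor * the user's median hour
BASELINE_FLOOR = 20                    # ... but never below this many messages/hour


def country_of(ip):
    return IP_COUNTRY.get(ip, "??")


def impossible_travel(auth_events):
    """auth_events: iterable of (timestamp, user, client_ip), any order.
    Returns [(user, t1, country1, t2, country2)] for consecutive logins of
    one user from different countries within TRAVEL_WINDOW."""
    by_user = defaultdict(list)
    for ts, user, ip in auth_events:
        by_user[user].append((ts, ip))
    alerts = []
    for user, seen in by_user.items():
        seen.sort()
        for (t1, ip1), (t2, ip2) in zip(seen, seen[1:]):
            c1, c2 = country_of(ip1), country_of(ip2)
            if c1 != c2 and t2 - t1 <= TRAVEL_WINDOW:
                alerts.append((user, t1, c1, t2, c2))
    return alerts


def hourly_counts(send_events):
    """send_events: iterable of (timestamp, user) -> {user: {hour_start: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user in send_events:
        counts[user][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def volume_anomalies(history, current):
    """Baseline = median of the user's past non-empty hours; an hour in
    `current` above max(BASELINE_FACTOR * baseline, BASELINE_FLOOR) is an
    anomaly.  Returns {user: (hour_start, count, limit)} (first hit per user)."""
    past = hourly_counts(history)
    now = hourly_counts(current)
    anomalies = {}
    for user, hours in now.items():
        baseline = median(past[user].values()) if past.get(user) else 0
        limit = max(BASELINE_FACTOR * baseline, BASELINE_FLOOR)
        for hour, n in sorted(hours.items()):
            if n > limit:
                anomalies[user] = (hour, n, limit)
                break
    return anomalies


# ---- constructed sample data ------------------------------------------------
T = datetime(2009, 11, 6, 3, 0)   # "3 am", as in the scenario discussed above

AUTH_EVENTS = [
    (T + timedelta(minutes=1), "alice@example.net", "203.0.113.10"),  # ES
    (T + timedelta(minutes=3), "alice@example.net", "198.51.100.7"),  # RU, 2 min later
    (T + timedelta(minutes=2), "bob@example.net", "203.0.113.11"),    # ES
    (T + timedelta(hours=2), "bob@example.net", "198.51.100.7"),      # RU, 2 hours later: fine
]

# Yesterday alice sent 8, 5 and 7 messages in three different hours (median 7).
HISTORY = [(T - timedelta(days=1, hours=h), "alice@example.net")
           for h, n in ((1, 8), (2, 5), (3, 7)) for _ in range(n)]
# Tonight: 60 messages from alice inside one hour, 3 from bob (no history).
CURRENT = ([(T + timedelta(minutes=i % 60), "alice@example.net") for i in range(60)]
           + [(T + timedelta(minutes=i), "bob@example.net") for i in range(3)])

if __name__ == "__main__":
    for user, t1, c1, t2, c2 in impossible_travel(AUTH_EVENTS):
        print(f"travel: {user} {c1}@{t1:%H:%M} -> {c2}@{t2:%H:%M}")
    for user, (hour, n, limit) in volume_anomalies(HISTORY, CURRENT).items():
        print(f"volume: {user} sent {n} in hour {hour:%H:%M}, limit {limit}")
```

The volume check deliberately ignores hours in which the user sent nothing, so a user who mails a few times a week keeps a low baseline instead of one near zero that every message would trip; the floor keeps the first message from a brand-new account from being an "anomaly".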
                          • LuKreme
                            Message 13 of 19 , Nov 6 7:06 AM
                              On 6-Nov-2009, at 01:07, lst_hoe02@... wrote:
                              > Well done! As soon as you don't know personally all your users or
                              > can control what they are allowed to do like in a company network
                              > you should for sure scan the outbound mail for spam to detect
                              > spammers using your service before the complaints from others rush
                              > in. If the ISPs would do so, most of the spams would disappear. But
                              > instead even many of big mailprovider spit out spam day by day and
                              > rather spam-filter their abuse account to not get complaints.


                              Actually, you are much better off rate-limiting outbound email than
                              scanning. Scanning is expensive, rate-limiting is very cheap.

                              If someone sends 100 messages in a minute, or 200 in 3 minutes, add
                              them to a blacklist until you can take a look and see what's going on.

                              Change the numbers to suit your users, of course. I could go with
                              20/100 for example, but that's too low for people who Cc a lot.

                              --
                              I WAS NOT THE INSPIRATION FOR "KRAMER"
                              Bart chalkboard Ep. 5F18
                            • Egoitz Aurrekoetxea Aurre
                              Message 14 of 19 , Nov 6 1:13 PM
                                > lst_hoe02@... wrote:
                                >> Well done! As soon as you don't know personally all your users or
                                >> can control what they are allowed to do like in a company network
                                >> you should for sure scan the outbound mail for spam to detect
                                >> spammers using your service before the complaints from others rush
                                >> in. If the ISPs would do so, most of the spams would disappear. But
                                >> instead even many of big mailprovider spit out spam day by day and
                                >> rather spam-filter their abuse account to not get complaints.
                                >
                                >
                                > Actually, you are much better off rate-limiting outbound email than
                                > scanning. Scanning is expensive, rate-limiting is very cheap.

                                 IMHO if you check outbound mail this way, or perhaps better, the way I
                                 have explained I'm working on in previous mails, I'm pretty sure
                                 you could get a more accurate way of avoiding sending spam
                                 than scanning with SpamAssassin or any other content filter, because
                                 they, like antivirus software with viruses, always go behind the new
                                 behaviours of spammers in this situation (with spam filtering). My project will
                                 be ready in perhaps 2 or 3 months with a BSD license.
                                >
                                > If someone sends 100 messages in a minute, or 200 in 3 minutes, add
                                > them to a blacklist until you can take a look and see what's going on.
                                >
                                > Change the numbers to suit your users, of course.

                                 Of course, or you should also grab stats of how many mails each user sends
                                 per day / per hour each week or so... and then adjust your limiters.
                                 And I'd say that some PHP interface or similar is necessary, in which
                                 a user can connect (because the URL has appeared in the reject message)
                                 and reset the counter in case one day you need to send some more
                                 (human interaction)... of course a user should reset depending on why
                                 you're calling for human interaction, but no more than two times for sure....
                                 later the sysadmins of those mail machines should take a look at what's
                                 going on.

                                > I could go with 20/100 for example, but that's too low for people
                                > who Cc a lot.
                                >
                                > --
                                > I WAS NOT THE INSPIRATION FOR "KRAMER"
                                > Bart chalkboard Ep. 5F18
                                >
                              • mouss
                                Message 15 of 19 , Nov 6 2:50 PM
                                   Alex wrote:
                                   > Hello
                                   >
                                   > This is my first post on this list. I have an atypical configuration like:
                                   > - an MX server for inbound mails; this server is configured with virtual
                                   > domains, greylisting, antivirus and antispam for all incoming mails; it
                                   > is also used by my users as a POP/IMAP/SMTP server.
                                   > - all emails originating from my users (authenticated users) are relayed
                                   > to other servers. On these outgoing servers I have 3 to 8 Postfix
                                   > instances on different IPs. Each instance has a dedicated transport
                                   > for servers like Yahoo, Hotmail etc.
                                   > Basically if one of my users wants to send an email outside, it must
                                   > authenticate to the SMTP server. The SMTP server relays that message to
                                   > one gateway server (round-robin fashion) and the gateway server sends the
                                   > message to the destination.
                                   > What I am trying to do is scan all outbound emails (I have had a few
                                   > situations in which a mail account was owned by spammers and used to send
                                   > spam). The scanner must be on the gateway servers, not on the SMTP server,
                                   > because it can't take any more load.
                                   > About scanning software: on the incoming server I use SpamAssassin
                                   > invoked from maildrop. On the gateway servers I'd like to use something
                                   > lighter and I read about dspam.
                                   > I have a few questions for you:
                                   > - how can I use dspam or any other scanning software on my gateway
                                   > servers (multiple instance configuration)?

                                   Most statistical anti-spam filters assume an inbound model. You can use
                                   a "global" Bayes setup, but then I don't think you'll benefit from
                                   dspam/bogo/...

                                   SpamAssassin has "heuristic" rules, which may be helpful.

                                   > - is dspam a good choice ?

                                   Statistical filtering is easier for inbound mail. For outbound mail, it
                                   will cause problems. Rate limiting and "anomaly detection" are a better
                                   choice.
                                • Eero Volotinen
                                  Message 16 of 19 , Nov 6 2:58 PM
                                     > Statistical filtering is easier for inbound mail. For outbound mail, it
                                     > will cause problems. Rate limiting and "anomaly detection" are a better
                                     > choice.

                                     Next question: how to implement both on Postfix?

                                    --
                                    Eero
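One way to implement the rate-limiting half on Postfix, as an added example that is not from the thread, from policyd or from any poster's project: a small SMTPD access policy service. Postfix hands each request to the service as a block of name=value lines ending in an empty line and expects "action=..." plus an empty line back; the attributes used here (request, sasl_username) are part of that protocol. The thresholds are the ones LuKreme suggested above (100 messages in a minute or 200 in three minutes), after which the authenticated user is held until someone looks. Assumed, not configured by this code: the service is wired in on the submission instance with something like `smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040`, so it sees one request per message and only from authenticated senders; the port and the reply wording are this example's choices.

```python
"""Per-user outbound rate limiter speaking the Postfix SMTPD policy protocol.

Added example, not from the thread.  Assumes it is reached via
check_policy_service from smtpd_end_of_data_restrictions on a submission
instance, so each request is one authenticated message.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

# (window in seconds, max messages in that window) -- LuKreme's numbers above
WINDOWS = ((60, 100), (180, 200))
# Reply once a user is over the limit; wording and 4.7.1 code are this example's choice.
BLOCK_ACTION = "DEFER_IF_PERMIT 450 4.7.1 Sending limit exceeded, contact the helpdesk"


class RateLimiter:
    def __init__(self, windows=WINDOWS, clock=time.monotonic):
        self.windows = windows
        self.clock = clock                      # injectable for testing
        self.longest = max(w for w, _ in windows)
        self.history = defaultdict(deque)       # user -> timestamps of recent messages
        self.blocked = {}                       # user -> time they were blocked
        self.lock = threading.Lock()

    @staticmethod
    def parse_request(raw):
        """raw: the name=value block Postfix sends (newline-separated str)."""
        attrs = {}
        for line in raw.splitlines():
            if not line:
                break                           # empty line ends the request
            name, _, value = line.partition("=")
            attrs[name] = value
        return attrs

    def decide(self, attrs):
        """Return the Postfix action for one request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"                      # unauthenticated: not this service's job
        with self.lock:
            if user in self.blocked:
                return BLOCK_ACTION
            now = self.clock()
            q = self.history[user]
            q.append(now)
            while q and now - q[0] > self.longest:
                q.popleft()                     # drop what no window can see any more
            for seconds, limit in self.windows:
                if sum(1 for t in q if now - t <= seconds) > limit:
                    self.blocked[user] = now    # stays blocked until an admin unblocks
                    return BLOCK_ACTION
            return "DUNNO"

    def unblock(self, user):
        """Admin action after reviewing the account."""
        with self.lock:
            self.blocked.pop(user, None)
            self.history.pop(user, None)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends many requests on it."""
    limiter = None  # set by serve()

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                      # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = self.limiter.parse_request("\n".join(lines))
            self.wfile.write(f"action={self.limiter.decide(attrs)}\n\n".encode())
            self.wfile.flush()


def serve(host="127.0.0.1", port=10040, limiter=None):
    PolicyHandler.limiter = limiter or RateLimiter()
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

DEFER_IF_PERMIT rather than REJECT means a compromised account's client keeps retrying instead of bouncing, which is what you want while an admin investigates; a legitimate user who hits the limit loses nothing but time. The counters live in memory, so a restart forgets both the history and the block list, and a multi-server setup would need a shared store, which is exactly the part policyd provides.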
                                  • Egoitz Aurrekoetxea Aurre
                                    I m working on one project for achieving this implementation. Perhaps in two months or probably three I ll have it ready. It will use BSD license.
                                    Message 17 of 19 , Nov 6 3:01 PM
                                      I'm working on one project for achieving this implementation. Perhaps
                                      in two months or probably three I'll have it ready. It will use BSD
                                      license.

                                      :) bye!!!
                                       On 06/11/2009, at 23:58, Eero Volotinen wrote:

                                       >
                                       >> Statistical filtering is easier for inbound mail. For outbound
                                       >> mail, it
                                       >> will cause problems. Rate limiting and "anomaly detection" are a
                                       >> better
                                       >> choice.
                                       >
                                       > Next question: how to implement both on Postfix?
                                      >
                                      > --
                                      > Eero
                                      >
                                      >
                                    • Phill Macey
                                      Message 18 of 19 , Nov 7 3:44 PM
                                         2009/11/7 mouss <mouss@...>:
                                         > Alex wrote:
                                         >> Hello
                                         >>
                                         >> This is my first post on this list. I have an atypical configuration like:
                                         >> - an MX server for inbound mails; this server is configured with virtual
                                         >> domains, greylisting, antivirus and antispam for all incoming mails; it
                                         >> is also used by my users as a POP/IMAP/SMTP server.
                                         >> - all emails originating from my users (authenticated users) are relayed
                                         >> to other servers. On these outgoing servers I have 3 to 8 Postfix
                                         >> instances on different IPs. Each instance has a dedicated transport
                                         >> for servers like Yahoo, Hotmail etc.
                                         >> Basically if one of my users wants to send an email outside, it must
                                         >> authenticate to the SMTP server. The SMTP server relays that message to
                                         >> one gateway server (round-robin fashion) and the gateway server sends the
                                         >> message to the destination.
                                         >>    What I am trying to do is scan all outbound emails (I have had a few
                                         >> situations in which a mail account was owned by spammers and used to send
                                         >> spam). The scanner must be on the gateway servers, not on the SMTP server,
                                         >> because it can't take any more load.
                                         >>    About scanning software: on the incoming server I use SpamAssassin
                                         >> invoked from maildrop. On the gateway servers I'd like to use something
                                         >> lighter and I read about dspam.
                                         >>    I have a few questions for you:
                                         >>    - how can I use dspam or any other scanning software on my gateway
                                         >> servers (multiple instance configuration)?
                                         >
                                         > Most statistical anti-spam filters assume an inbound model. You can use
                                         > a "global" Bayes setup, but then I don't think you'll benefit from
                                         > dspam/bogo/...
                                        >

                                        Could you turn the outgoing mail around and make it inbound mail as
                                        well? eg. Could you make use of 'always_bcc' to copy all outgoing
                                        messages to an address on another postfix instance somewhere and then
                                        run the spam filtering over the incoming mail on that instance? Tell
                                        the spam filter to throw away all the real mail and keep all the spam
                                        - which would be nothing if all goes well. Presumably all the host/ip
                                        address based filters would be fairly useless in that set up -
                                        assuming it is doable in the first place.

                                         It wouldn't prevent the spam from going out, but would allow you to
                                         detect it easily if/when it happens again. (I suppose you could script
                                         something up to automatically add the sender to a blacklist as soon as
                                         a message appears.)



                                        --
                                        Phill
                                      • mouss
                                        Message 19 of 19 , Nov 8 1:29 AM
                                           Phill Macey wrote:
                                           > 2009/11/7 mouss <mouss@...>:
                                          >>
                                          >> Most statistical anti-spam filters assume an inbound model. you can use
                                          >> a "global" bayes setup, but then I don't think you'll benefit from
                                          >> dspam/bogo/...
                                          >>
                                          >
                                          > Could you turn the outgoing mail around and make it inbound mail as
                                          > well? [snip]

                                           No, the problem is related to training. In the case of inbound mail,
                                           statistical filters use the fact that a given user (or a given set of
                                           users) receives mail whose characteristics can be learned if you have a
                                           sufficient corpus (of ham and spam).

                                           You can still use this for outbound mail, with a global "dictionary"
                                           (site-wide setup). But
                                           - nobody is going to feed back "false negatives" (missed spam)
                                           - who is going to feed back "false positives"? How? While feasible, this
                                           is not a simple problem.

                                           That said, you can still run SpamAssassin and have a log parser to detect
                                           problems: some user suddenly sends a lot of mail that gets tagged as
                                           spam... etc.

                                           Definitely not a simple problem...
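The log-parser idea in the message above, as an added example that is not from the thread or from any poster's code: join the submission server's smtpd lines (which carry the SASL user and the queue ID) to the content filter's verdict lines (which carry the score and the same queue ID), then look for a user whose messages start scoring as spam several times in a short window. The log lines are constructed for the example and only approximate the real Postfix and amavisd-new formats; the score threshold, count and window, and the assumption that submission and scanning are logged on the same host, are this example's choices.

```python
"""Detect a user who suddenly sends mail that the content filter tags as spam.

Added example, not from the thread.  Joins smtpd (sasl_username, queue id)
to amavis verdict lines (Hits, Queue-ID) and alerts on bursts.  Log lines
below are constructed approximations of the real formats.
"""
import re
from collections import defaultdict
from datetime import datetime

SPAM_SCORE = 5.0        # filter score at or above this counts as "tagged as spam"
ALERT_COUNT = 3         # this many tagged messages from one user ...
ALERT_WINDOW_S = 600    # ... within ten minutes raises an alert

SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=.*?sasl_username=(?P<user>[^\s,]+)")
AMAVIS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ amavis\[\d+\]: \(\S+\) "
    r"(?P<verdict>Passed|Blocked) (?P<cls>\S+),.*?Hits: (?P<hits>-?[\d.]+)"
    r".*?Queue-ID: (?P<qid>[0-9A-F]+)")


def parse_ts(text, year=2009):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate(lines):
    """Returns {user: [(verdict_time, queue_id, hits), ...]} for every
    verdict line that can be joined to an authenticated smtpd line."""
    owner = {}                      # queue id -> (time, sasl user)
    per_user = defaultdict(list)
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            owner[m["qid"]] = (parse_ts(m["ts"]), m["user"])
            continue
        m = AMAVIS_RE.match(line)
        if m and m["qid"] in owner:
            _, user = owner[m["qid"]]
            per_user[user].append((parse_ts(m["ts"]), m["qid"], float(m["hits"])))
    return per_user


def spam_bursts(per_user):
    """{user: (first_tagged_time, total_tagged)} for users with ALERT_COUNT
    or more messages scoring >= SPAM_SCORE inside any ALERT_WINDOW_S span."""
    alerts = {}
    for user, msgs in per_user.items():
        tagged = sorted(ts for ts, _, hits in msgs if hits >= SPAM_SCORE)
        for i in range(len(tagged)):
            j = i + ALERT_COUNT - 1
            if j < len(tagged) and (tagged[j] - tagged[i]).total_seconds() <= ALERT_WINDOW_S:
                alerts[user] = (tagged[i], len(tagged))
                break
    return alerts


def analyse(log_text):
    return spam_bursts(correlate(log_text.splitlines()))


# Constructed sample log: alice's mailbox is being abused, bob is fine, and the
# last verdict has no matching smtpd line (e.g. locally generated mail).
SAMPLE_LOG = """\
Nov  6 03:01:02 gw postfix/smtpd[1234]: 7B2C41A2F3: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
Nov  6 03:01:05 gw amavis[2222]: (02222-01) Passed SPAM, <alice@example.net> -> <a@example.org>, Hits: 14.2, Queue-ID: 7B2C41A2F3
Nov  6 03:01:40 gw postfix/smtpd[1234]: 8C3D52B3A4: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
Nov  6 03:01:44 gw amavis[2222]: (02222-02) Passed SPAM, <alice@example.net> -> <b@example.org>, Hits: 11.9, Queue-ID: 8C3D52B3A4
Nov  6 03:02:10 gw postfix/smtpd[1235]: 9D4E63C4B5: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=bob@example.net
Nov  6 03:02:13 gw amavis[2222]: (02222-03) Passed CLEAN, <bob@example.net> -> <c@example.org>, Hits: -1.3, Queue-ID: 9D4E63C4B5
Nov  6 03:02:30 gw postfix/smtpd[1234]: AE5F74D5C6: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
Nov  6 03:02:35 gw amavis[2222]: (02222-04) Passed SPAM, <alice@example.net> -> <d@example.org>, Hits: 9.7, Queue-ID: AE5F74D5C6
Nov  6 03:03:00 gw amavis[2222]: (02222-05) Passed SPAM, <nobody@example.net> -> <e@example.org>, Hits: 8.0, Queue-ID: FFFFFFFFFF
"""

if __name__ == "__main__":
    for user, (first, n) in analyse(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} spam-tagged messages starting {first:%H:%M:%S}")
```

Keying on the queue ID is what makes this usable on outbound mail: the filter's verdict says nothing about who authenticated, and the smtpd line says nothing about content, so neither alone identifies the compromised account. The alert is a signal to hold or block the user (for instance by feeding the policy service's block list), not a verdict on any single message.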