
Re: Best practice: Spam-filtering outgoing e-mail

  • Alex
    Message 1 of 5 , Mar 17, 2010
      mouss wrote:
      > ram wrote:
      >> On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
      >>> Hi,
      >>> we are trying to mitigate the impact of having infected users, brute
      >>> force hacked webmail accounts etc. sending (large amounts of) outbound
      >>> spam.
      >>> The best idea we've come up with so far is to perform outbound spam
      >>> filtering following these rules (it's a bit more complicated than this,
      >>> but this is the big picture):
      >>> - Spam scoring (Spamassassin). If spam:
      >>> - Put the mail on hold
      >>> - Add an iptables rule rejecting the IP
      >>> - Notify postmaster/abuse
      >> Also,
      >> * Implement ratelimits both inside postfix and in webmail
      > yes
      >> * Have strong password policies
      > well, this is a lost battle...
      >> * Sign up for Feedback loops and monitor the feedback address closely
      > this too.
      >> * In webmail write scripts to alert you if someone adds a large
      >> multiline signature
      > and this one too.
      >> We tried blocking outbound spam using a commercial scanner but the FP's
      >> are far too many to be used in production. So we just alert a human on
      >> these spams and manually intervene if account needs to be blocked.
      > do you mean you read someone else's mail? I find this unacceptable.
      >> Of course some spams do get through by the time :-(
      > it's all about volume.

      If you have a shared environment with a large number of virtual domains,
      I think that outbound spam filtering is a must. No rate limits and
      strong passwords will save you from being listed or banned.
      Also, in a virtual environment it's hard to get everyone to sign up for an FBL.
      If you said that it's all about volume, and that is my case too, separate
      the outbound from inbound and use multiple outbound servers (not necessarily
      hardware), but scan all outbound messages. To start, you can hold the
      messages and inspect them in order to tune your scanner.
      My solution was to set up multiple instances of the postfix server (as many
      as needed) on separate machines, and every instance uses a content
      filtering scanner (amavis-new + sa). Based on the spam score and some custom
      headers added by amavisd, postfix will pass/bounce/drop the message.
      Let's say that we have three levels - clear/spammy/spam. From my point of
      view it's all about what you do with the spammy stuff.
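
The three-level decision described in the message above, as an added example that is not part of the original post and is neither Postfix nor amavisd configuration. It assumes the scanner writes a numeric `X-Spam-Score` header; the thresholds, the hold-for-review action on the middle tier, the fail-closed handling of unscored mail and the use of the `From` header to group senders are all assumptions of this sketch.

```python
import math
from email import message_from_string

# Assumed thresholds (not from the thread): below SPAMMY_AT is clear,
# at or above SPAM_AT is spam, anything in between is the "spammy" tier.
SPAMMY_AT = 3.0
SPAM_AT = 8.0
ACTIONS = {"clear": "pass", "spammy": "hold", "spam": "drop"}


def classify(raw_message, score_header="X-Spam-Score"):
    """Return (tier, action) for one scanned outbound message."""
    values = message_from_string(raw_message).get_all(score_header) or []
    # Fail closed: a missing, duplicated or unparsable score is treated as
    # "not scanned cleanly" and the message is held for a human to inspect.
    if len(values) != 1:
        return ("unscored", "hold")
    try:
        score = float(values[0].strip())
    except ValueError:
        return ("unscored", "hold")
    if math.isnan(score):
        return ("unscored", "hold")
    if score >= SPAM_AT:
        tier = "spam"
    elif score >= SPAMMY_AT:
        tier = "spammy"
    else:
        tier = "clear"
    return (tier, ACTIONS[tier])


def senders_to_review(raw_messages, min_held=2):
    """Count non-passed messages per From address; return repeat senders."""
    counts = {}
    for raw in raw_messages:
        if classify(raw)[1] != "pass":
            sender = message_from_string(raw).get("From", "<unknown>")
            counts[sender] = counts.get(sender, 0) + 1
    return {s: n for s, n in counts.items() if n >= min_held}


# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: a@example.org\nX-Spam-Score: 0.4\nSubject: hi\n\nlunch?\n",
    "From: b@example.org\nX-Spam-Score: 5.1\nSubject: offer\n\nbuy now\n",
    "From: b@example.org\nX-Spam-Score: 12.7\nSubject: offer\n\nbuy now\n",
    "From: c@example.org\nSubject: no score\n\nbypassed the scanner\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(senders_to_review(SAMPLES))
```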