Re: Best practice: Spam-filtering outgoing e-mail
- mouss wrote:
> ram wrote: If you have a shared environment with a large number of virtual domains
>> On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
>>> we are trying to mitigate the impact of having infected users, brute
>>> force hacked webmail accounts etc. sending (large amounts of) outbound
>>> The best idea we've come up with so far is to perform outbound spam
>>> filtering following these rules (it's a bit more complicated than this,
>>> but this is the big picture):
>>> - Spam scoring (Spamassassin). If spam:
>>> - Put the mail on hold
>>> - Add an iptables rule rejecting the IP
>>> - Notify postmaster/abuse
>> * Implement ratelimits both inside postfix and in webmail
>> * Have strong password policies
> well, this is a lost battle...
>> * Sign up for Feedback loops and monitor the feedback address closely
> this too.
>> * In webmail write scripts to alert you if someone adds a large
>> multiline signature
> and this one too.
>> We tried blocking outbound spam using a commercial scanner but the FP's
>> are far too many to be used in production. So we just alert a human on
>> these spams and manually intervene if account needs to be blocked.
> do you mean you read someone else's mail? I find this unacceptable.
>> Of course some spams do get through by the time :-(
> it's all about volume.
I think that outbound spam filtering is a must. No rate limits and
strong passwords will save you from being listed or banned.
Also, in a virtual environment it's hard to get everyone to sign up for an FBL.
If you said that it's all about volume, and that is my case too, separate
the outbound from inbound, use multiple outbound servers (not necessarily
hardware), but scan all outbound messages. For a start you can hold the
messages and inspect them in order to tune your scanner.
My solution was to set up multiple instances of the postfix server (as many
as needed) on separate machines, and every instance uses a content
filtering scanner (amavisd-new + sa). Based on spam score and some custom
headers added by amavisd, postfix will pass/bounce/drop the message.
Let's say that we have three levels - clear/spammy/spam. From my point of
view it's all about what you do with the spammy stuff.
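
The three-level triage described in the message above, as an added example that is not part of the original thread or any poster's configuration. It assumes the scanner's score arrives in an `X-Spam-Score` header and the envelope sender in `Return-Path`; the thresholds, the escalation count and the sample messages are constructed for illustration.

```python
import math
from collections import Counter
from email import message_from_string

# Assumed thresholds; tune them against held mail, as the message suggests.
SPAMMY_AT = 2.0
SPAM_AT = 6.0
ESCALATE_AFTER = 3  # assumed: flagged messages per sender before alerting abuse@

# "spammy" is held for inspection; unscanned mail is held too (fail closed).
ACTIONS = {"clear": "pass", "spammy": "hold", "spam": "drop", "unscanned": "hold"}

def classify(raw):
    """Return (sender, level) for one message that went through the scanner."""
    msg = message_from_string(raw)
    sender = msg.get("Return-Path", "<>").strip("<> ")
    try:
        score = float(msg["X-Spam-Score"])
    except (TypeError, ValueError):
        score = math.nan  # header missing or not a number
    if math.isnan(score):
        return sender, "unscanned"
    if score >= SPAM_AT:
        return sender, "spam"
    if score >= SPAMMY_AT:
        return sender, "spammy"
    return sender, "clear"

def triage(messages):
    """Map each message to an action and list senders needing human review."""
    flagged = Counter()
    decisions = []
    for raw in messages:
        sender, level = classify(raw)
        decisions.append((sender, level, ACTIONS[level]))
        if level != "clear":
            flagged[sender] += 1
    escalate = sorted(s for s, n in flagged.items() if n >= ESCALATE_AFTER)
    return decisions, escalate

def _msg(sender, score):  # builds constructed sample input
    hdr = f"X-Spam-Score: {score}\n" if score is not None else ""
    return f"Return-Path: <{sender}>\n{hdr}Subject: test\n\nbody\n"

SAMPLES = [_msg("alice@example.org", "0.4"), _msg("bob@example.org", "3.1"),
           _msg("bob@example.org", "7.9"), _msg("bob@example.org", "2.2"),
           _msg("carol@example.org", None)]

if __name__ == "__main__":
    decisions, escalate = triage(SAMPLES)
    print(*decisions, "escalate: %s" % escalate, sep="\n")
```

Counting flagged messages per sender is what turns individual hold decisions into an account-level signal for the postmaster/abuse notification mentioned earlier in the thread.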