|
outbound spam filtering
|
View:
New views
17 Messages
—
Rating Filter:
Alert me
|
 |
outbound spam filtering
by Alex-567
::
Rate this Message:
Hello
This is my first post on this list. I have a atypical configuration like : - an MX server for inbound mails; this server is configured virtual domains, graylisting , antivirus and antispam for all incoming mails; it is also use for my users as a pop/imap/smtp server. - all emails originating from my users (authenticated users) are relayed to another servers. On this outgoing servers I have 3 to 8 postfix instances on different ips. Each instance have a dedicated transport for servers like yahoo , hotmail etc Basically is one of my users want to send a email outside it must authenticate to the smtp server. The smtp server relay that message to one gateway server (round-robin fashion) and the gateway server send the message to the destination. What I am try to do is scan all outbound emails (I have a few situations in witch a mail account was owned by spammers and use to send spam). The scanner must be on the gateway servers not on the smtp server because he can't take any more load. About scanning software on the incoming server I use spamassassin invoke from maildrop. On gateway server I try to use something more light and I read about dspam . I have a few questions for you: - how can I use dspam or any other scanning software on my gateway servers (multiple instance configuration) ? - is dspam a good choice ? Alex Thank you |
|
|
Re: outbound spam filtering
by Ramprasad-5
::
Rate this Message:
On Thu, 2009-11-05 at 11:47 +0200, Alex wrote:
> Hello > > This is my first post on this list. I have a atypical configuration like : > - an MX server for inbound mails; this server is configured virtual > domains, graylisting , antivirus and antispam for all incoming mails; it > is also use for my users as a pop/imap/smtp server. > - all emails originating from my users (authenticated users) are relayed > to another servers. On this outgoing servers I have 3 to 8 postfix > instances on different ips. Each instance have a dedicated transport > for servers like yahoo , hotmail etc > Basically is one of my users want to send a email outside it must > authenticate to the smtp server. The smtp server relay that message to > one gateway server (round-robin fashion) and the gateway server send the > message to the destination. > What I am try to do is scan all outbound emails (I have a few > situations in witch a mail account was owned by spammers and use to send > spam). The scanner must be on the gateway servers not on the smtp server > because he can't take any more load. > About scanning software on the incoming server I use spamassassin > invoke from maildrop. On gateway server I try to use something more > light and I read about dspam . > I have a few questions for you: > - how can I use dspam or any other scanning software on my gateway > servers (multiple instance configuration) ? > - is dspam a good choice ? > > Alex > Thank you Outbound scanning is slightly different from inbound. but in general you need not scan and catch all the spam messages. Just one caught and you immediately know which account is spewing spams Dspam is not very effective ... Ofcourse thats my opinion YMMV. If you find spamassassin too heavy maybe you can trim it yourself. Remove all unnecessary cf files, especially the network DNS checks since they are all irrelevant for outbound. You could even consider some lightweight commercial plugin and remove all other rules But other than scanning , implement the basic hygiene. Allow only strong passwords , if possible block port 25 and use 587 , educate the users about phishing etc. Also register for Feedback loops and watch out for abuse complaints. All that is absolutely essential today for a outbound mail relay. |
|
|
Re: outbound spam filtering
by Egoitz Aurrekoetxea Aurre-2
::
Rate this Message:
Hi,
I think outgoing scans are a little different. You have some advantages and disadvantages respect incoming mail scanning. Advantages are that you know you're users and more or less what they do.... or you have it controlled with some scripts. So you can identify easier when a user is not behaving as always.... asumming that perhaps someone has stolen him the password or has some worm on his office network. You should be more trusting with you're users because you have accepted too to give them service and because they have signed a contract with them and because it's easier to stop the problem if someone behaves like shouldnt. So... I advise you to check theyr'e behaviour and then if you suspect from someone you should then pass them mails through a mail scanning machine and perhaps even check more concisely what they are doing.... but IMHO opinion you shouldn't scan all his mail. You should too check you're mail queues and check how is you're reputation in RBL as mail machine too.... I'm working on an utility for being used as outgoing mail controller (better said than scanner) based on what I told you. It will be ready in 3 or 4 months more :) :). Hope I have instructed you a little on how to interact with outgoing mail. Bye mate! El 05/11/2009, a las 11:26, ram escribió: > On Thu, 2009-11-05 at 11:47 +0200, Alex wrote: >> Hello >> >> This is my first post on this list. I have a atypical configuration >> like : >> - an MX server for inbound mails; this server is configured virtual >> domains, graylisting , antivirus and antispam for all incoming >> mails; it >> is also use for my users as a pop/imap/smtp server. >> - all emails originating from my users (authenticated users) are >> relayed >> to another servers. On this outgoing servers I have 3 to 8 postfix >> instances on different ips. Each instance have a dedicated >> transport >> for servers like yahoo , hotmail etc >> Basically is one of my users want to send a email outside it must >> authenticate to the smtp server. The smtp server relay that message >> to >> one gateway server (round-robin fashion) and the gateway server >> send the >> message to the destination. >> What I am try to do is scan all outbound emails (I have a few >> situations in witch a mail account was owned by spammers and use to >> send >> spam). The scanner must be on the gateway servers not on the smtp >> server >> because he can't take any more load. >> About scanning software on the incoming server I use spamassassin >> invoke from maildrop. On gateway server I try to use something more >> light and I read about dspam . >> I have a few questions for you: >> - how can I use dspam or any other scanning software on my gateway >> servers (multiple instance configuration) ? >> - is dspam a good choice ? >> >> Alex >> Thank you > > Outbound scanning is slightly different from inbound. but in general > you > need not scan and catch all the spam messages. Just one caught and you > immediately know which account is spewing spams > > Dspam is not very effective ... Ofcourse thats my opinion YMMV. > > If you find spamassassin too heavy maybe you can trim it yourself. > Remove all unnecessary cf files, especially the network DNS checks > since > they are all irrelevant for outbound. You could even consider some > lightweight commercial plugin and remove all other rules > > > > But other than scanning , implement the basic hygiene. Allow only > strong > passwords , if possible block port 25 and use 587 , educate the users > about phishing etc. Also register for Feedback loops and watch out for > abuse complaints. All that is absolutely essential today for a > outbound > mail relay. > > > > > > > > > > > > > > > > > > > > > > > |
|
|
Re: outbound spam filtering
by Alex-567
::
Rate this Message:
ram wrote:
Hi ramOn Thu, 2009-11-05 at 11:47 +0200, Alex wrote: Thanks for replaying. Dspam was mention just because I know what spamassassin can do on a busy server. I take care about abuse complains, the users are advice about their passwords, but keeping lessons about phishing to 2000 vdomains is to much. So my question was how I do this in a multiple instance environment. |
|
|
Re: outbound spam filtering
by Alex-567
::
Rate this Message:
Egoitz Aurrekoetxea Aurre wrote:
> Hi, > > I think outgoing scans are a little different. You have some > advantages and disadvantages respect incoming mail scanning. > Advantages are that you know you're users and more or less what they > do.... or you have it controlled with some scripts. So you can > identify easier when a user is not behaving as always.... asumming > that perhaps someone has stolen him the password or has some worm on > his office network. You should be more trusting with you're users > because you have accepted too to give them service and because they > have signed a contract with them and because it's easier to stop the > problem if someone behaves like shouldnt. So... I advise you to check > theyr'e behaviour and then if you suspect from someone you should then > pass them mails through a mail scanning machine and perhaps even check > more concisely what they are doing.... but IMHO opinion you shouldn't > scan all his mail. You should too check you're mail queues and check > how is you're reputation in RBL as mail machine too.... > > I'm working on an utility for being used as outgoing mail controller > (better said than scanner) based on what I told you. It will be ready > in 3 or 4 months more :) :). > > Hope I have instructed you a little on how to interact with outgoing > mail. > > Bye mate! > > > El 05/11/2009, a las 11:26, ram escribió: > >> On Thu, 2009-11-05 at 11:47 +0200, Alex wrote: >>> Hello >>> >>> This is my first post on this list. I have a atypical configuration >>> like : >>> - an MX server for inbound mails; this server is configured virtual >>> domains, graylisting , antivirus and antispam for all incoming >>> mails; it >>> is also use for my users as a pop/imap/smtp server. >>> - all emails originating from my users (authenticated users) are >>> relayed >>> to another servers. On this outgoing servers I have 3 to 8 postfix >>> instances on different ips. Each instance have a dedicated transport >>> for servers like yahoo , hotmail etc >>> Basically is one of my users want to send a email outside it must >>> authenticate to the smtp server. The smtp server relay that message to >>> one gateway server (round-robin fashion) and the gateway server send >>> the >>> message to the destination. >>> What I am try to do is scan all outbound emails (I have a few >>> situations in witch a mail account was owned by spammers and use to >>> send >>> spam). The scanner must be on the gateway servers not on the smtp >>> server >>> because he can't take any more load. >>> About scanning software on the incoming server I use spamassassin >>> invoke from maildrop. On gateway server I try to use something more >>> light and I read about dspam . >>> I have a few questions for you: >>> - how can I use dspam or any other scanning software on my gateway >>> servers (multiple instance configuration) ? >>> - is dspam a good choice ? >>> >>> Alex >>> Thank you >> >> Outbound scanning is slightly different from inbound. but in general you >> need not scan and catch all the spam messages. Just one caught and you >> immediately know which account is spewing spams >> >> Dspam is not very effective ... Ofcourse thats my opinion YMMV. >> >> If you find spamassassin too heavy maybe you can trim it yourself. >> Remove all unnecessary cf files, especially the network DNS checks since >> they are all irrelevant for outbound. You could even consider some >> lightweight commercial plugin and remove all other rules >> >> >> >> But other than scanning , implement the basic hygiene. Allow only strong >> passwords , if possible block port 25 and use 587 , educate the users >> about phishing etc. Also register for Feedback loops and watch out for >> abuse complaints. All that is absolutely essential today for a outbound >> mail relay. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > The trust in my own users led me to his post. The users are ignorant (not all, but..). No one care about how send , what send, where send , thei just wnat to send more and more . I don't trust anyone and my server too. I know that the outbound filtering is different. My intention is to scan all messages originating from my network and base on spam scoring to take the proper action. For the beginning let say "if spam score is > 10" HOLD. This will give time to investigate the body of that email and decide what to do (pass or reject). |
|
|
Re: outbound spam filtering
by lst_hoe02
::
Rate this Message:
Zitat von Alex <me@...>:
>> > Hi > > The trust in my own users led me to his post. The users are > ignorant (not all, but..). No one care about how send , what send, > where send , thei just wnat to send more and more . > I don't trust anyone and my server too. > I know that the outbound filtering is different. My intention is > to scan all messages originating from my network and base on spam > scoring to take the proper action. For the beginning let say "if > spam score is > 10" HOLD. This will give time to investigate the > body of that email and decide what to do (pass or reject). > Well done! As soon as you don't know personally all your users or can control what they are allowed to do like in a company network you should for sure scan the outbound mail for spam to detect spammers using your service before the complaints from others rush in. If the ISPs would do so, most of the spams would disappear. But instead even many of big mailprovider spit out spam day by day and rather spam-filter their abuse account to not get complaints. Regards Andreas |
|
|
Re: outbound spam filtering
by Egoitz Aurrekoetxea Aurre-2
::
Rate this Message:
>>>
>> > Hi > > The trust in my own users led me to his post. The users are ignorant > (not all, but..). No one care about how send , what send, where send , > thei just wnat to send more and more . > I don't trust anyone and my server too. > I know that the outbound filtering is different. My intention is to > scan all messages originating from my network and base on spam scoring > to take the proper action. For the beginning let say "if spam score is > > 10" HOLD. This will give time to investigate the body of that email and > decide what to do (pass or reject). > When I said trust I didn't want to mean that you should think you're users wont send spam. I meant, you shouldn't be relaxed because they're not going to send spam... this is not what I tried to say. Basically with the trust sentence I meant that you have an agree with them and that if they become spammers knowing what they doing they can run into serious problems... so it's not the same situation as incoming mail relay that anyone will send you mail and have nothing signed with them; just that, no that you should have a blind trust with them. Apart of this... outgoing mail is supposed to be mail generated by the need of you're customer to send a mail to another person... it's not the same as being receiving mail from everyone with any intention like in incoming relay. I think that while in mail scanning machines you should see content, in outgoing mail scanning you should only check content if you doubt from someone and how do you doubt on someone? seeing strange activity on them or seeing you're servers reputation poored or seeing lots of delays of some mails in you're queue or looking the bounces you're machine is sending. I only would use content spam checkers such as spamassassin (that would be my option in case I needed) if I suspect from someone. And too as people have commented here on you're outgoing mail machines... is nice too to set ssl forced and the usage of submission port (normally bots not talk ssl and normally try to connect to port 25). Apart of this I think human intervention (from part of you're users) would be nice too for ensuring they have not malware in they're desktops sending mails to addresses in they're addressbook. Something like... reject message with a url for you're users saying hit here (and the reason of this reject) if you want to continue sending mail because I have seen something suspect on you're activity; then if you're users don't take care of this notifications and just hit on the button located at that url for continuing sending mail... then the second attempt to hit from part of them won't be valid because they should talk to you for you to check what they're doing. I think this should be the correct behaviour and as said yesterday I will implement something for this kind of checks on outgoing mail scanning machines. Of course this is my opinion and what experience sais to me :). Bye!!!!!!!! |
|
|
Re: outbound spam filtering
by Alex-567
::
Rate this Message:
egoitz@... wrote:
Hi Let me give you an example. Let say that on 3 am one mailbox is hacked and is use to send mails with no link no click buttons just lottery scam content and a reply address. You have enforce limits on your server and you don't allow to send more then n messages per hour so that guy successfully send that n emails. One or more destinations addresses is a spam trap. Next day in the morning all you can see is that your ip(s) are listed in a bunch of rbl and queues are full with messages. What I understand from you is how to deal with this situations but what I intend to do is to prevent this situations. Thank you |
|
|
Re: outbound spam filtering
by Alex-567
::
Rate this Message:
lst_hoe02@... wrote:
> Zitat von Alex <me@...>: > >>> >> Hi >> >> The trust in my own users led me to his post. The users are >> ignorant (not all, but..). No one care about how send , what send, >> where send , thei just wnat to send more and more . >> I don't trust anyone and my server too. >> I know that the outbound filtering is different. My intention is >> to scan all messages originating from my network and base on spam >> scoring to take the proper action. For the beginning let say "if spam >> score is > 10" HOLD. This will give time to investigate the body of >> that email and decide what to do (pass or reject). >> > > Well done! As soon as you don't know personally all your users or can > control what they are allowed to do like in a company network you > should for sure scan the outbound mail for spam to detect spammers > using your service before the complaints from others rush in. If the > ISPs would do so, most of the spams would disappear. But instead even > many of big mailprovider spit out spam day by day and rather > spam-filter their abuse account to not get complaints. > > Regards > > Andreas > > Thank you all for your opinions pro or contra. Anyone have an idea how to use a spam filter into a multiple instance configuration? Alex |
|
|
Re: outbound spam filtering
by Egoitz Aurrekoetxea Aurre-2
::
Rate this Message:
> > Let me give you an example. Let say that on 3 am one mailbox is hacked > and is use to send mails with no link no click buttons just lottery scam > content and a reply address. You have enforce limits on your server and > you don't allow to send more then n messages per hour so that guy > successfully send that n emails. One or more destinations addresses is a > spam trap. > Next day in the morning all you can see is that your ip(s) are listed in > a bunch of rbl and queues are full with messages. > What I understand from you is how to deal with this situations but what I > intend to do is to prevent this situations. > > Thank you > Not really. At 3am perhaps it's a difficult moment but in the day when the user is login for retreiving mail and sending too you could know if he is login from a strange site and then you can block that user. For example : Imagine a user sends and retreives mail in Spain. There's no easy explanation (some users can do... but it's not the normal situation) on that that user want's in less than 5 minutes later send an email from... Russia for example... so could block that user and allow the user to do it later or... perhaps bypass this kind of checks for this user. But you can sure control where the user is login and so... (this algorithm in wich between others now I'm working). If I detect this activity I block it requiring his action. And you could too know how many mails a user can send normally... if a user can normally send 100 mails... there's almost no valid reason for that user to send more than those 100 mails in an hour... so you could block it too requiring it's action for allowing him. You will have sent 100 but no more. As said I'm working on this kind of algorithms to determine how to implement this but I think it's the solution for outgoing relay. Later postfix can implement sender_login_maps and several other things that can help you trapping spammers too. You could too check the connecting ip (who is trying to send mail through you're machine) in how many rbl is located... I have a script that does parallel rbl check at the same time and you could determine how trustable is that user.... there are several ways;even you could do spf check for outgoing mail... seeing if the from the user is entering is ok to be send from you're machine. And IMHO too spamassassin is less efficient and slower than this kind of checks for outgoing mail. It's my opinion as said and what I'm gonna try because I have seen this things in my working experience. I'm going to improve my ideas and develop this code and well... then we could see how this works. As I say this are my ideas... others can have different ones :). Bye!!! |
|
|
Re: outbound spam filtering
by LuKreme
::
Rate this Message:
On 6-Nov-2009, at 01:07, lst_hoe02@... wrote:
> Well done! As soon as you don't know personally all your users or > can control what they are allowed to do like in a company network > you should for sure scan the outbound mail for spam to detect > spammers using your service before the complaints from others rush > in. If the ISPs would do so, most of the spams would disappear. But > instead even many of big mailprovider spit out spam day by day and > rather spam-filter their abuse account to not get complaints. Actually, you are much better off rate-limiting outbound email than scanning. Scanning is expensive, rate-limiting is very cheap. If someone sends 100 messages in a minute, or 200 in 3 minutes, add them to a blacklist until you can take a look and see what's going on. Change the numbers to suit your users, of course. I could go with 20/100 for example, but that's too low for people who Cc a lot. -- I WAS NOT THE INSPIRATION FOR "KRAMER" Bart chalkboard Ep. 5F18 |
|
|
Re: outbound spam filtering
by Egoitz Aurrekoetxea Aurre-2
::
Rate this Message:
> lst_hoe02@... wrote:
>> Well done! As soon as you don't know personally all your users or >> can control what they are allowed to do like in a company network >> you should for sure scan the outbound mail for spam to detect >> spammers using your service before the complaints from others rush >> in. If the ISPs would do so, most of the spams would disappear. But >> instead even many of big mailprovider spit out spam day by day and >> rather spam-filter their abuse account to not get complaints. > > > Actually, you are much better off rate-limiting outbound email than > scanning. Scanning is expensive, rate-limiting is very cheap. IMHO if you check outbound mail this way or perhaps better, the way I have explained I'm working on, in previous mails, I'm pretty sure perhaps you could get a more accurate way of avoiding sending spam than scanning with spamassasin or any other content filter because they as antivirus software with viruses always go behind new behaviors of spammers in this situation (with spam filtering). My project will be ready in perhaps 2 or 3 months with BSD license. > > If someone sends 100 messages in a minute, or 200 in 3 minutes, add > them to a blacklist until you can take a look and see what's going on. > > Change the numbers to suit your users, of course. Of course, or you should too grab stats of how many each users send per day / per hour each week or so... and then adjust you're limiters. And I'd say that it's neccesary some php interface or similar in wich a user can connect (because the url has appeared in reject message) and reset the counter in cause in one day you need sending some more (human interaction)... of course a user should reset depending on why you're calling human interaction but no more than two times sure.... later sysadmins of that mail machines should take a look on what's going on. > I could go with 20/100 for example, but that's too low for people > who Cc a lot. > > -- > I WAS NOT THE INSPIRATION FOR "KRAMER" > Bart chalkboard Ep. 5F18 > |
|
|
Re: outbound spam filtering
by mouss-4
::
Rate this Message:
Alex a écrit :
> Hello > > This is my first post on this list. I have a atypical configuration like : > - an MX server for inbound mails; this server is configured virtual > domains, graylisting , antivirus and antispam for all incoming mails; it > is also use for my users as a pop/imap/smtp server. > - all emails originating from my users (authenticated users) are relayed > to another servers. On this outgoing servers I have 3 to 8 postfix > instances on different ips. Each instance have a dedicated transport > for servers like yahoo , hotmail etc > Basically is one of my users want to send a email outside it must > authenticate to the smtp server. The smtp server relay that message to > one gateway server (round-robin fashion) and the gateway server send the > message to the destination. > What I am try to do is scan all outbound emails (I have a few > situations in witch a mail account was owned by spammers and use to send > spam). The scanner must be on the gateway servers not on the smtp server > because he can't take any more load. > About scanning software on the incoming server I use spamassassin > invoke from maildrop. On gateway server I try to use something more > light and I read about dspam . > I have a few questions for you: > - how can I use dspam or any other scanning software on my gateway > servers (multiple instance configuration) ? Most statistical anti-spam filters assume an inbound model. you can use a "global" bayes setup, but then I don't think you'll benefit from dspam/bogo/... spamassassin has "heuristic" rules, which may be helpful. > - is dspam a good choice ? statistical filtering is easier for inbound mail. for outbound mail, it will cause problems. rate limiting and "anomaly detection" are a better choice. |
|
|
Re: outbound spam filtering
by Eero Volotinen-2
::
Rate this Message:
> statistical filtering is easier for inbound mail. for outbound mail, it > will cause problems. rate limiting and "anomaly detection" are a better > choice. Next question: how to implement both on postix? -- Eero |
|
|
Re: outbound spam filtering
by Egoitz Aurrekoetxea Aurre-2
::
Rate this Message:
I'm working on one project for achieving this implementation. Perhaps
in two months or probably three I'll have it ready. It will use BSD license. :) bye!!! El 06/11/2009, a las 23:58, Eero Volotinen escribió: > >> statistical filtering is easier for inbound mail. for outbound >> mail, it >> will cause problems. rate limiting and "anomaly detection" are a >> better >> choice. > > Next question: how to implement both on postix? > > -- > Eero > > |
|
|
Re: outbound spam filtering
by Phill Macey
::
Rate this Message:
2009/11/7 mouss <mouss@...>:
> Alex a écrit : >> Hello >> >> This is my first post on this list. I have a atypical configuration like : >> - an MX server for inbound mails; this server is configured virtual >> domains, graylisting , antivirus and antispam for all incoming mails; it >> is also use for my users as a pop/imap/smtp server. >> - all emails originating from my users (authenticated users) are relayed >> to another servers. On this outgoing servers I have 3 to 8 postfix >> instances on different ips. Each instance have a dedicated transport >> for servers like yahoo , hotmail etc >> Basically is one of my users want to send a email outside it must >> authenticate to the smtp server. The smtp server relay that message to >> one gateway server (round-robin fashion) and the gateway server send the >> message to the destination. >> What I am try to do is scan all outbound emails (I have a few >> situations in witch a mail account was owned by spammers and use to send >> spam). The scanner must be on the gateway servers not on the smtp server >> because he can't take any more load. >> About scanning software on the incoming server I use spamassassin >> invoke from maildrop. On gateway server I try to use something more >> light and I read about dspam . >> I have a few questions for you: >> - how can I use dspam or any other scanning software on my gateway >> servers (multiple instance configuration) ? > > Most statistical anti-spam filters assume an inbound model. you can use > a "global" bayes setup, but then I don't think you'll benefit from > dspam/bogo/... > Could you turn the outgoing mail around and make it inbound mail as well? eg. Could you make use of 'always_bcc' to copy all outgoing messages to an address on another postfix instance somewhere and then run the spam filtering over the incoming mail on that instance? Tell the spam filter to throw away all the real mail and keep all the spam - which would be nothing if all goes well. Presumably all the host/ip address based filters would be fairly useless in that set up - assuming it is doable in the first place. It wouldnt prevent the spam from going out, but would allow you to detect it easily if/when it happens again. (I suppose you could script something up to automatically add the sender to a blacklist as soon as a message appears) -- Phill |
|
|
Re: outbound spam filtering
by mouss-4
::
Rate this Message:
Phill Macey a écrit :
> 2009/11/7 mouss <mouss@...>: >> >> Most statistical anti-spam filters assume an inbound model. you can use >> a "global" bayes setup, but then I don't think you'll benefit from >> dspam/bogo/... >> > > Could you turn the outgoing mail around and make it inbound mail as > well? [snip] no, the problem is related to training. in the case of inbound mail, statistical filters use the fact that a given user (or a given set of users) receive mail which characteristics can be learned if you have a sufficient corpus (of ham and spam). you can still use this for outbound mail, with a global "dictionary" (site wide setup). but - nobody is going to feed back "false negatives" (missed spam) - who is going to feed back "false positives"? how? while feasible, this is not a simple problem. that said, you can still run spamassin and have a log parser to detect problems: some user suddenly sends a lot of mail that gets tagged as spam... etc. definitely not a simple problem... |
| Free embeddable forum powered by Nabble | Forum Help |
