Posted to users@spamassassin.apache.org by Adam Moffett <ad...@plexicomm.net> on 2010/06/21 17:39:33 UTC
Worthwhile to scan outgoing?
My philosophy in the past has always been not to scan outgoing emails
because my users are not likely to be spamming.
However, a couple of issues recently with spambots and SMTP AUTH with
weak passwords has me reconsidering that stance.
Is anyone here currently scanning their outgoing mail with SA? Good
results? Bad results?
Re: Worthwhile to scan outgoing?
Posted by Andrzej Adam Filip <an...@gmail.com>.
Adam Moffett <ad...@plexicomm.net> wrote:
> My philosophy in the past has always been not to scan outgoing emails
> because my users are not likely to be spamming.
>
> However, a couple of issues recently with spambots and SMTP AUTH with
> weak passwords has me reconsidering that stance.
>
> Is anyone here currently scanning their outgoing mail with SA? Good
> results? Bad results?
Instead of "scanning every outgoing email" you may consider scanning
"significantly above average activity" at least with non local tests
(bulk detectors).
--
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
In the facades we put on for others we demonstrate our potential;
through our children we reveal our reality.
-- Lawrence Kelemen, To Kindle A Soul p. 195
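Added example, not part of any post in this thread: one way to find the "significantly above average activity" senders suggested above, by counting accepted messages per SMTP AUTH user per hour in Postfix smtpd logs. The log lines are constructed, and the thresholds (factor, floor) and the use of the median as the "average" are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Postfix smtpd logs one line like this per message accepted from an
# authenticated client: "<qid>: client=..., sasl_method=..., sasl_username=..."
SASL_LINE = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s\d{2}):\d{2}:\d{2}\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\sclient=\S+,.*\bsasl_username=(?P<user>\S+)"
)

def counts_per_hour(lines):
    """Return {hour: Counter({sasl_username: messages})}; each queue id counts once."""
    seen, per_hour = set(), defaultdict(Counter)
    for line in lines:
        m = SASL_LINE.match(line)
        if not m or m["qid"] in seen:
            continue
        seen.add(m["qid"])
        per_hour[m["hour"]][m["user"]] += 1
    return per_hour

def senders_to_scan(lines, factor=5.0, floor=20):
    """Flag (hour, user, count) where count exceeds floor and factor * median sender."""
    flagged = []
    for hour, users in sorted(counts_per_hour(lines).items()):
        baseline = median(users.values())  # robust to the outlier we are hunting
        for user, n in sorted(users.items()):
            if n > floor and n > factor * baseline:
                flagged.append((hour, user, n))
    return flagged

def sample_log():
    """Constructed log: three ordinary users and one account sending a burst."""
    out, qid = [], 0
    for user, n in [("alice", 3), ("bob", 2), ("carol", 4), ("dave", 120)]:
        for i in range(n):
            qid += 1
            out.append(
                f"Jun 21 10:{i % 60:02d}:00 mx postfix/smtpd[2211]: {qid:08X}: "
                f"client=unknown[192.0.2.{10 + qid % 5}], sasl_method=LOGIN, "
                f"sasl_username={user}"
            )
    out.append("Jun 21 10:59:59 mx postfix/smtpd[2211]: connect from unknown[192.0.2.9]")
    return out

if __name__ == "__main__":
    for hour, user, n in senders_to_scan(sample_log()):
        print(f"{hour}:00 {user} sent {n} messages; route this sender through SpamAssassin")
```

The flagged accounts are the ones worth routing through the bulk detectors, and a sudden burst from a single SMTP AUTH user is also a reason to check that account's password.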
Re: Worthwhile to scan outgoing?
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > My understanding is that the only way to avoid this, at least when
> > amavisd and postfix, is to create another instance and modifying the
> > smtpd and using policy banks, which is quite involved. Is this
> > correct?
On 22.06.10 03:03, Mark Martinec wrote:
> Depends on your mail routing topology. Often it suffices to just:
>
> $policy_bank{'MYNETS'} = {
> bypass_spam_checks_maps => [1],
> };
this way your customers may spam your other customers, and when your
customers connect from the outside, they will get scanned even :)
(if you provide smtp auth so they can mail through your servers, of course)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
Re: Worthwhile to scan outgoing?
Posted by Mark Martinec <Ma...@ijs.si>.
Alex,
> My understanding is that the only way to avoid this, at least when
> amavisd and postfix, is to create another instance and modifying the
> smtpd and using policy banks, which is quite involved. Is this
> correct?
Depends on your mail routing topology. Often it suffices to just:
  $policy_bank{'MYNETS'} = {
    bypass_spam_checks_maps => [1],
  };

assuming your @mynetworks is configured correctly to cover
all your networks from which mail is being submitted, e.g.:

  @mynetworks = qw(
    127.0.0.0/8 [::1] 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  );
Mark
Re: Worthwhile to scan outgoing?
Posted by Alex <my...@gmail.com>.
Hi,
> in amavisd, set this in policy bank: (obviously triggered on mynetworks ip.s
> you could also trigger on auth)
> $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
> originating => 1,
> # virus_name_to_spam_score_maps => undef,
> bypass_spam_checks_maps => 1,
Great info. Thanks everyone for your input.
Best,
Alex
Re: Worthwhile to scan outgoing?
Posted by Michael Scheidell <sc...@secnap.net>.
On 6/21/10 7:41 PM, Alex wrote:
> Hi,
>
>
>> by default, our appliances don't do outbound spam scanning (they scan for
>> virus, banned attachments). they have to enable outbound scanning, which has
>> more relaxed rules.
>>
> My understanding is that the only way to avoid this, at least when
> amavisd and postfix, is to create another instance and modifying the
>
in amavisd, set this in policy bank: (obviously triggered on mynetworks
IPs; you could also trigger on auth)

  $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
    originating => 1,
    # virus_name_to_spam_score_maps => undef,
    bypass_spam_checks_maps => 1,
    etc.
>> Or, if they enable outbound content filtering, we turn it on.
>>
> Do you mean after the point of purchase, once it's installed on their network?
>
>
yes, client has option to enable outbound content filtering, and turn on
outbound spam scanning.
>> For hosted clients, we make the VAR's get their clients to sign a special
>> agreement before we even let them send outbound. and they have to pay extra
>> for spam/content filtering.
>>
> So how would they otherwise send email, using their own ISPs servers?
>
Most of our VARS sell B2B, SMB, enterprise, etc. those clients already
have their own mail servers. In fact, only about 10% of the total user
count does outbound. Also, on the appliance side, many clients still
use their mail servers to send out directly. In the appliance side, it's
a little higher, especially the clients who want to enforce TLS encryption.
The ISP's already have in place email servers and purchase a couple
appliances.
The rules are not THAT strict, but do reflect the policies and AOP of
our access providers.
It would be very bad if client a spammed, and got the outbound ip shared
with client b,c,d,e,f,g blacklisted.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Worthwhile to scan outgoing?
Posted by Ted Mittelstaedt <te...@ipinc.net>.
On 6/21/2010 4:41 PM, Alex wrote:
> Hi,
>
>> by default, our appliances don't do outbound spam scanning (they scan for
>> virus, banned attachments). they have to enable outbound scanning, which has
>> more relaxed rules.
>
> How do you control rules based on whether it's inbound or outbound?
> Two different spamd ports?
>
We use separate servers. Not only does this make configuration
much simpler but it divides the mail load between systems. I would
strongly recommend this route. You do not need a very powerful
server for an outbound mail relay because it does not get the
mail load the inbound one does, and the clients that are
sending it mail are often doing it from slow connections. You
also do not need to load the CPU of the server down with scanning
software and you need practically nothing for disk space since
the clients don't save anything on it.
If you want to centralize auth then use PAM, and tie pam into
mysql. Then the sasl2 libraries can be compiled and configured
to query pam. Here's a link explaining how to do this with
postfix at the mta:
http://enc.com.au/myscripts/postfixmysql.html
The same instructions would work for sendmail. And on the POP3
server side of things a lot of those - like uw-imap for example -
can also be configured to use pam for authentication.
Of course, we are also using FreeBSD so setting up a server costs next
to nothing. You could for example pick up a used HP G4 with dual
Xeons and a raid5 disk array populated with 30GB disks and dual power
supplies for probably about $250, and serve at least 10,000
outbound-only mail clients with it, assuming they are hitting
the server an average of once an hour.
During its heyday, that's what ftp.cdrom.com used and they supported
around 5,000 SIMULTANEOUS ftp transfers. Of course, this -wasn't-
on Windows. With Windows, you might be lucky to get 100 simultaneous
ftp transfers before the system melted down.
Ted
Re: Worthwhile to scan outgoing?
Posted by Alex <my...@gmail.com>.
Hi,
> by default, our appliances don't do outbound spam scanning (they scan for
> virus, banned attachments). they have to enable outbound scanning, which has
> more relaxed rules.
How do you control rules based on whether it's inbound or outbound?
Two different spamd ports?
My trouble is that I can't _not_ scan outbound email :-)
My understanding is that the only way to avoid this, at least when
amavisd and postfix, is to create another instance and modifying the
smtpd and using policy banks, which is quite involved. Is this
correct?
> Or, if they enable outbound content filtering, we turn it on.
Do you mean after the point of purchase, once it's installed on their network?
> For hosted clients, we make the VAR's get their clients to sign a special
> agreement before we even let them send outbound. and they have to pay extra
> for spam/content filtering.
So how would they otherwise send email, using their own ISPs servers?
Thanks,
Alex
Re: Worthwhile to scan outgoing?
Posted by Michael Scheidell <sc...@secnap.net>.
On 6/21/10 5:31 PM, Ted Mittelstaedt wrote:
> We do not. We inadvertently did and it wasted a lot of our time when
> our customers would periodically send mail that we would tag as spam,
> since they would call us and complain. The arguments that their mail
> would also have been tagged as spam by their recipient's mailserver
> mostly fell on deaf ears.
>
hey, what Ted said :-)
by default, our appliances don't do outbound spam scanning (they scan
for virus, banned attachments). they have to enable outbound scanning,
which has more relaxed rules.
Or, if they enable outbound content filtering, we turn it on.
For hosted clients, we make the VAR's get their clients to sign a
special agreement before we even let them send outbound. and they have
to pay extra for spam/content filtering.
the agreement says they can't use it for mass email, yada yada yada.
We encourage legit mass emails to use someone who does it for a living.
they can track bounces, unsubs, clicks and reads. and it's usually really
cheap. better than the user trying to send an email to 100 people, cc
another 100 people and bcc another 100 people.
We then rate limit them so they can't do much good spamming. and if the
spambot is bad enough, the AV checker will block it anyway.
If they do spam, it will take a couple of years for the email to be
delivered :-)
>
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
Re: Worthwhile to scan outgoing?
Posted by Ted Mittelstaedt <te...@ipinc.net>.
We do not. We inadvertently did and it wasted a lot of our time when
our customers would periodically send mail that we would tag as spam,
since they would call us and complain. The arguments that their mail
would also have been tagged as spam by their recipient's mailserver
mostly fell on deaf ears.
So instead we launched a campaign to convert all users to auth-smtp
using strong passwords and have mostly succeeded. The campaign was
helped by gradually erecting port 25 blocks in strategic areas of our
network.
Note that a password of 6 chars with 1-2 of them special chars is
apparently considered very strong by spambots.
Ted
On 6/21/2010 8:39 AM, Adam Moffett wrote:
> My philosophy in the past has always been not to scan outgoing emails
> because my users are not likely to be spamming.
>
> However, a couple of issues recently with spambots and SMTP AUTH with
> weak passwords has me reconsidering that stance.
>
> Is anyone here currently scanning their outgoing mail with SA? Good
> results? Bad results?
>
Re: Worthwhile to scan outgoing?
Posted by Rick Macdougall <ri...@ummm-beer.com>.
On 21/06/2010 11:39 AM, Adam Moffett wrote:
> My philosophy in the past has always been not to scan outgoing emails
> because my users are not likely to be spamming.
>
> However, a couple of issues recently with spambots and SMTP AUTH with
> weak passwords has me reconsidering that stance.
>
> Is anyone here currently scanning their outgoing mail with SA? Good
> results? Bad results?
>
Hi,
We, a mid sized ISP, virus scan all outgoing mail and SA all non AUTH'd
outgoing mail.
Just FYI.
Regards,
Rick
Re: Worthwhile to scan outgoing?
Posted by Johann Spies <js...@sun.ac.za>.
On Mon, Jun 21, 2010 at 11:39:33AM -0400, Adam Moffett wrote:
> My philosophy in the past has always been not to scan outgoing
> emails because my users are not likely to be spamming.
>
> However, a couple of issues recently with spambots and SMTP AUTH
> with weak passwords has me reconsidering that stance.
>
> Is anyone here currently scanning their outgoing mail with SA? Good
> results? Bad results?
We are scanning both ways without problems - very low false positive
rate.
The reason: it happened once or twice that some spam came from inside
our network with the resulting risk that our domain could be
blacklisted.
We use spamassassin in combination with the following filters on smtp-level:
- clamav with sanesecurity signatures which stops a lot of spam even
before it reaches spamassassin.
- spamhaus' blacklisting which also blocks a lot of spam at an early
stage.
- several checks in exim.
- spamassassin which only gets into the action after the email has passed
the first filters.
Regards
Johann
--
Johann Spies Telefoon: 021-808 4599
Informasietegnologie, Universiteit van Stellenbosch
"What? know ye not that your body is the temple of the
Holy Ghost which is in you, which ye have of God, and
ye are not your own? For ye are bought with a price:
therefore glorify God in your body, and in your
spirit, which are God's." I Corinthians 6:19,20