Posted to users@spamassassin.apache.org by Alans <ba...@yahoo.co.uk> on 2010/05/05 09:44:37 UTC

Scanning Outbound emails

Hi all,

Can we use SpamAssassin in an ISP environment to scan outbound emails?

Regards,
Alans


Re: Scanning Outbound emails

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
Hi!

On Mit, 2010-05-05 at 10:44 +0300, Alans wrote:
[...]
> Can we use SpamAssassin in an ISP environment to scan outbound emails?

Yes.
	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at


Re: Scanning Outbound emails

Posted by "Liam R. MacInnes" <lm...@stargate.ca>.
On 2010-05-05, at 5:09 AM, ram wrote:

> 
> On Wed, 2010-05-05 at 10:44 +0300, Alans wrote:
> On my servers I just add the score header and let the mail go but send a copy to a program. If more
> than 10 occur in 30 minutes from the same customer, the customer's
> account is temporarily blocked and we manually check.
> 
> 
> Thanks
> Ram


Are you using an off the shelf application to do this? If so what's it called?

Cheers,
Liam

Re: Scanning Outbound emails

Posted by Kris Deugau <kd...@vianet.ca>.
> On Wed, 2010-05-05 at 10:44 +0300, Alans wrote:
>> Hi all,
>>
>> Can we use SpamAssassin in an ISP environment to scan outbound emails?

ram wrote:
> Yes. But separate out your inbound & outbound scans.

FWIW I can say with authority that this is not necessary.  It may 
simplify your mail system depending on your setup.

> For outbound, disable all IP-based rules because they will cause FP's.

Careful configuration of the trust path options (trusted_networks, 
internal_networks, msa_networks) is very important;  making sure that 
your glue layer feeds in a sane synthetic Received: header may help the 
trust path remain coherent.  We're running OK without the latter.

> And what do you plan to do with the spams? On my servers I just add the
> score header and let the mail go but send a copy to a program. If more
> than 10 occur in 30 minutes from the same customer, the customer's
> account is temporarily blocked and we manually check.

We reject at 8;  with a mechanism to bump that to 10 for SMTP AUTH'ed 
connections.

-kgd

Re: Scanning Outbound emails

Posted by Sanesecurity <st...@webtribe.net>.
>I'm definitely looking for other technologies to accurately filter 
>outgoing spam. It's clearly a whole different problem than incoming spam.

Clamsmtp with the Sanesecurity+Third-Party signatures would be one option,
and I know a couple of universities that have used this and got good results.

http://memberwebs.com/stef/software/clamsmtp/

Hope this helps,

Cheers,

Steve
Sanesecurity


Re: Scanning Outbound emails

Posted by Marc Perkel <su...@junkemailfilter.com>.

On 5/5/2010 5:38 AM, Alans wrote:
> Thanks ram,
>
> Actually we are seeking a solution to our problem which is sending spam
> through our network.
> We are about to close port 25 and tell customers to switch to our smtp relay
> and scan it with SpamAssassin (I still don't know if possible or not!).
>
> We want to reject all spam emails and send notification back to sender about
> his/her activity.
>
>
> Regards,
> Alans
>    

I'm beginning to get into the outbound scanning business. One of the 
things I'm doing is limiting the senders to specific domains so that an 
IP address can only send email from a single domain. If they send as 
gmail.com or yahoo.com they are blocked.

I'm definitely looking for other technologies to accurately filter 
outgoing spam. It's clearly a whole different problem than incoming spam.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


RE: Scanning Outbound emails

Posted by R-Elists <li...@abbacomm.net>.
> 
> In particular, I find these two paragraphs from 
> Mail::SpamAssassin::Conf to be contradictory:
> 
>          Trusted relays that accept mail directly from dial-up connections
>          (i.e. are also performing a role of mail submission agents - MSA)
>          should not be listed in "internal_networks". List them only in
>          "trusted_networks".
> 
>          If "trusted_networks" is set and "internal_networks" is not, the
>          value of "trusted_networks" will be used for this parameter.
> 
> So my mail server handles ALL mail, incoming and outgoing. 
> According to the first paragraph, I should not list my mail 
> server under 'internal_networks' because it is an MSA. 
> Because I have no other MTA to list as 'internal' I have NO 
> setting for 'internal_networks'.
> 
> But according to the second paragraph, this makes my MSA 
> 'default' to being an internal_network because its value is 
> lifted from 'trusted_networks'?
> 
> I don't think our dialup IP's are triggering the direct-to-mx 
> rules, but that may only be because our dynamic IP's are not 
> listed on the appropriate RBL's. So is the second paragraph 
> *wrong* about the default usage? Or am I lucky? should I 
> specify a 'not' rule for internal networks, just to preserve 
> the trusted-only status of my dialups?
> 
> - Charles

charles,

i seem to recall that every time i go and check about msa_networks it
says all connections to an MSA box must be authenticated.

the language tells me all connections to an MSA must be authenticated...

therefore, an MSA box cannot be a generic inbound smtp 25 generic no_auth MX
right?

NOTES: here is the language from the www...

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

msa_networks ip.add.re.ss[/mask] ... (default: none)

The networks or hosts which are acting as MSAs in your setup (but not also
as MX relays). MSA means that the relay hosts on these networks accept mail
from your own users and authenticates them appropriately. These relays will
never accept mail from hosts that aren't authenticated in some way. Examples
of authentication include, IP lists, SMTP AUTH, POP-before-SMTP, etc. 
All relays found in the message headers after the MSA relay will take on the
same trusted and internal classifications as the MSA relay itself, as
defined by your trusted_networks and internal_networks configuration.

For example, if the MSA relay is trusted and internal so will all of the
relays that precede it.

When using msa_networks to identify an MSA it is recommended that you treat
that MSA as both trusted and internal. When an MSA is not included in
msa_networks you should treat the MSA as trusted but not internal, however
if the MSA is also acting as an MX or intermediate relay you must always
treat it as both trusted and internal and ensure that the MSA includes
visible auth tokens in its Received header to identify submission clients.

Warning: Never include an MSA that also acts as an MX (or is also an
intermediate relay for an MX) or otherwise accepts mail from
non-authenticated users in msa_networks. Doing so will result in unknown
external relays being trusted.

 - rh


Re: Scanning Outbound emails

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 5 May 2010, Bernd Petrovitsch wrote:
> Why shouldn't it be possible?
> SpamAssassin doesn't care where the mail comes from....

Well, actually, it DOES. The test DOS_DIRECT_TO_MX being an example.

Which brings me back to the slightly confused feeling that I still get 
over 'trusted_networks' (which is what the OP should specify so that his 
outbound clients do not trigger RBL rules) and internal networks.

In particular, I find these two paragraphs from Mail::SpamAssassin::Conf
to be contradictory:

         Trusted relays that accept mail directly from dial-up connections
         (i.e. are also performing a role of mail submission agents - MSA)
         should not be listed in "internal_networks". List them only in
         "trusted_networks".

         If "trusted_networks" is set and "internal_networks" is not, the
         value of "trusted_networks" will be used for this parameter.

So my mail server handles ALL mail, incoming and outgoing. According to 
the first paragraph, I should not list my mail server under 
'internal_networks' because it is an MSA. Because I have no other MTA to 
list as 'internal' I have NO setting for 'internal_networks'.

But according to the second paragraph, this makes my MSA 'default' to 
being an internal_network because its value is lifted from
'trusted_networks'?

I don't think our dialup IP's are triggering the direct-to-mx rules, but 
that may only be because our dynamic IP's are not listed on the 
appropriate RBL's. So is the second paragraph *wrong* about the default 
usage? Or am I lucky? should I specify a 'not' rule for internal networks, 
just to preserve the trusted-only status of my dialups?

- Charles



RE: Scanning Outbound emails

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
On Mit, 2010-05-05 at 15:38 +0300, Alans wrote:
[...]
> Actually we are seeking a solution to our problem which is sending spam
> through our network.
> We are about to close port 25 and tell customers to switch to our smtp relay
> and scan it with SpamAssassin (I still don't know if possible or not!).

Why shouldn't it be possible?
SpamAssassin doesn't care where the mail comes from and where it will be
forwarded/sent/stored afterwards.
If an email is "incoming" or "outgoing" is only a question of your setup
(and thus MTA configuration).

> We want to reject all spam emails and send notification back to sender about
> his/her activity.

As ram said, you probably will want to use different rule sets.

	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at


RE: Scanning Outbound emails

Posted by Giampaolo Tomassoni <g....@libero.it>.
> ... except, after checking their site just now, you now get a
> personalized reporting address once you've signed up.  *sigh*

AFAIK, the reporting e-mail addresses are all of the form
/^submit.\w+\@spam\.spamcop\.net$/ .



Re: Scanning Outbound emails

Posted by Kris Deugau <kd...@vianet.ca>.
Jari Fredriksson wrote:
> If my SA sends an email to SpamCop with a spam as an attachment, and
> that gets rejected by my ISP and a feedback sent to me.. it would be a
> problem. To me.

*headdesk*  Ah, right.

We're not keen on being a smarthost for customers already running their 
own mail systems in the first place;  there are a nice collection of 
non-spamfilter-related problems that have come up, and most boil down to 
"Fix your server config".  Excluding the SpamCop reporting address from 
filtering would probably be a good idea anyway though.

... except, after checking their site just now, you now get a 
personalized reporting address once you've signed up.  *sigh*

-kgd

Re: Scanning Outbound emails

Posted by Jari Fredriksson <ja...@iki.fi>.
On 5.5.2010 17:39, Kris Deugau wrote:
> Jari Fredriksson wrote:
>> On 5.5.2010 15:38, Alans wrote:
>>> We are about to close port 25 and tell customers to switch to our
>>> smtp relay
>>> and scan it with SpamAssassin (I still don't know if possible or not!).
>>>
>>> We want to reject all spam emails and send notification back to
>>> sender about
>>> his/her activity.
>>
>> There is one special group that will suffer from that decision: namely
>> SpamAssassin users within your network.
>>
>> If they do report their spam to SpamCop using SpamAssassin's own report
>> mechanism, they are screwed. SA does not AFAIK support smart host
>> configuration, but sends directly to SpamCop. And if it did, and used
>> your SMTP relay, the report might be stopped by your own SA check!
>>
>> This group is a minority, but it is where I am.
> 
> *blink*  *scratch head*  Can you expand on the feedback cycle causing
> problems for you?  It sounds like something that might cause problems
> here, but I haven't seen any indication it *has* happened.
> 

?

If my SA sends an email to SpamCop with a spam as an attachment, and
that gets rejected by my ISP and a feedback sent to me.. it would be a
problem. To me.


-- 
http://www.iki.fi/jarif/

Civilization is the limitless multiplication of unnecessary necessities.
		-- Mark Twain


Re: Scanning Outbound emails

Posted by Kris Deugau <kd...@vianet.ca>.
Jari Fredriksson wrote:
> On 5.5.2010 15:38, Alans wrote:
>> We are about to close port 25 and tell customers to switch to our smtp relay
>> and scan it with SpamAssassin (I still don't know if possible or not!).
>>
>> We want to reject all spam emails and send notification back to sender about
>> his/her activity.
> 
> There is one special group that will suffer from that decision: namely
> SpamAssassin users within your network.
> 
> If they do report their spam to SpamCop using SpamAssassin's own report
> mechanism, they are screwed. SA does not AFAIK support smart host
> configuration, but sends directly to SpamCop. And if it did, and used
> your SMTP relay, the report might be stopped by your own SA check!
> 
> This group is a minority, but it is where I am.

*blink*  *scratch head*  Can you expand on the feedback cycle causing 
problems for you?  It sounds like something that might cause problems 
here, but I haven't seen any indication it *has* happened.

-kgd

Re: Scanning Outbound emails

Posted by Jari Fredriksson <ja...@iki.fi>.
On 5.5.2010 17:44, Charles Gregory wrote:
> On Wed, 5 May 2010, Jari Fredriksson wrote:
>> There is one special group that will suffer from that decision: namely
>> SpamAssassin users within your network.
>> If they do report their spam to SpamCop using SpamAssassin's own report
>> mechanism, they are screwed....
> 
> Why not just add a negative-scoring rule for mail sent to spamcop?
> I have to do the same for mail from this list, to avoid FP'ing on every
> post that quotes a bit of spam.... :)

Yes. One line in local.cf solves the problem, if there is no better way
to prevent SA altogether for these.

all_spam_to submit.*@spam.spamcop.net


-- 
http://www.iki.fi/jarif/

You will feel hungry again in another hour.


Re: Scanning Outbound emails

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 5 May 2010, Jari Fredriksson wrote:
> There is one special group that will suffer from that decision: namely
> SpamAssassin users within your network.
> If they do report their spam to SpamCop using SpamAssassin's own report
> mechanism, they are screwed....

Why not just add a negative-scoring rule for mail sent to spamcop?
I have to do the same for mail from this list, to avoid FP'ing on every 
post that quotes a bit of spam.... :)

- C

Re: Scanning Outbound emails

Posted by Jari Fredriksson <ja...@iki.fi>.
On 5.5.2010 15:38, Alans wrote:
> We are about to close port 25 and tell customers to switch to our smtp relay
> and scan it with SpamAssassin (I still don't know if possible or not!).
> 
> We want to reject all spam emails and send notification back to sender about
> his/her activity.

There is one special group that will suffer from that decision: namely
SpamAssassin users within your network.

If they do report their spam to SpamCop using SpamAssassin's own report
mechanism, they are screwed. SA does not AFAIK support smart host
configuration, but sends directly to SpamCop. And if it did, and used
your SMTP relay, the report might be stopped by your own SA check!

This group is a minority, but it is where I am.

-- 
http://www.iki.fi/jarif/

Q:	What do you get when you cross the Godfather with an attorney?
A:	An offer you can't understand.


RE: Scanning Outbound emails

Posted by Alans <ba...@yahoo.co.uk>.
Frank, Bernd,

Thank you all.

Regards,
Alans


-----Original Message-----
From: Frank Heydlauf [mailto:fh-sa2004@lf.net] 
Sent: Wednesday, May 05, 2010 4:10 PM
To: users@spamassassin.apache.org
Subject: Re: Scanning Outbound emails

Hi,

On Wed, May 05, 2010 at 03:38:01PM +0300, Alans wrote:
...
> We are about to close port 25 and tell customers to switch to our smtp relay
> and scan it with SpamAssassin (I still don't know if possible or not!).

As Bernd Petrovitsch already told you: Yes, that's possible.

To close port 25 is a good idea. Use 587 with smtp-auth instead.

> We want to reject all spam emails and send notification back to sender about
> his/her activity.

That part of the job is for your MTA, not for spamassassin.

-- 
Regards
Frank



Re: Scanning Outbound emails

Posted by Frank Heydlauf <fh...@lf.net>.
Hi,

On Wed, May 05, 2010 at 03:38:01PM +0300, Alans wrote:
...
> We are about to close port 25 and tell customers to switch to our smtp relay
> and scan it with SpamAssassin (I still don't know if possible or not!).

As Bernd Petrovitsch already told you: Yes, that's possible.

To close port 25 is a good idea. Use 587 with smtp-auth instead.

> We want to reject all spam emails and send notification back to sender about
> his/her activity.

That part of the job is for your MTA, not for spamassassin.

-- 
Regards
Frank

RE: Scanning Outbound emails

Posted by Alans <ba...@yahoo.co.uk>.
Thanks ram,

Actually we are seeking a solution to our problem which is sending spam
through our network.
We are about to close port 25 and tell customers to switch to our smtp relay
and scan it with SpamAssassin (I still don't know if possible or not!).

We want to reject all spam emails and send notification back to sender about
his/her activity.


Regards,
Alans

-----Original Message-----
From: ram [mailto:ram@netcore.co.in] 
Sent: Wednesday, May 05, 2010 3:10 PM
To: Alans
Cc: users@spamassassin.apache.org
Subject: Re: Scanning Outbound emails


On Wed, 2010-05-05 at 10:44 +0300, Alans wrote:
> Hi all,
> 
> Can we use SpamAssassin in an ISP environment to scan outbound emails?
> 
> Regards,
> Alans
> 

Yes. But separate out your inbound & outbound scans. 

For outbound, disable all IP-based rules because they will cause FP's. 
Also, we have often seen fingerprinting methods cause FP's.

And what do you plan to do with the spams? On my servers I just add the
score header and let the mail go but send a copy to a program. If more
than 10 occur in 30 minutes from the same customer, the customer's
account is temporarily blocked and we manually check. 


Thanks
Ram


Re: Scanning Outbound emails

Posted by ram <ra...@netcore.co.in>.
On Wed, 2010-05-05 at 10:44 +0300, Alans wrote:
> Hi all,
> 
> Can we use SpamAssassin in an ISP environment to scan outbound emails?
> 
> Regards,
> Alans
> 

Yes. But separate out your inbound & outbound scans. 

For outbound, disable all IP-based rules because they will cause FP's. 
Also, we have often seen fingerprinting methods cause FP's.

And what do you plan to do with the spams? On my servers I just add the
score header and let the mail go but send a copy to a program. If more
than 10 occur in 30 minutes from the same customer, the customer's
account is temporarily blocked and we manually check. 


Thanks
Ram
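
The per-customer check ram describes above (more than 10 spam-flagged messages in 30 minutes triggers a temporary block and a manual check), as an added example that is not part of the original thread and is not ram's program. It assumes the MTA stamps the authenticated customer into a hypothetical X-Authenticated-Sender header on the copy it hands over; the sample messages are constructed.

```python
from collections import defaultdict, deque
from email import message_from_string

THRESHOLD = 10             # block on "more than 10" flagged messages ...
WINDOW_SECONDS = 30 * 60   # ... "in 30 minutes", the figures from the post
# Assumption: the MTA stamps the authenticated customer into this header
# on the copy it hands to the program (hypothetical header name).
CUSTOMER_HEADER = "X-Authenticated-Sender"


def classify(raw_message):
    """Return (customer, flagged) from the headers SpamAssassin and the MTA added."""
    msg = message_from_string(raw_message)
    status = (msg.get("X-Spam-Status") or "").strip().lower()
    customer = (msg.get(CUSTOMER_HEADER) or "").strip().lower()
    return customer, status.startswith("yes")


class OutboundSpamLimiter:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # customer -> times of flagged mail
        self.blocked = set()            # accounts waiting for the manual check

    def observe(self, raw_message, now):
        """Count one message copy; return the customer if this one trips the block."""
        customer, flagged = classify(raw_message)
        if not customer or not flagged or customer in self.blocked:
            return None
        hits = self.hits[customer]
        hits.append(now)
        while hits and hits[0] <= now - self.window:  # expire old hits
            hits.popleft()
        if len(hits) > self.threshold:
            self.blocked.add(customer)
            del self.hits[customer]
            return customer
        return None

    def release(self, customer):
        """Unblock after the manual check clears the account."""
        self.blocked.discard(customer.lower())


def sample(customer, spam):
    """Constructed message copy carrying the two headers the limiter reads."""
    status = "Yes, score=14.2 required=5.0" if spam else "No, score=0.3 required=5.0"
    return (f"{CUSTOMER_HEADER}: {customer}\nX-Spam-Status: {status}\n"
            "Subject: constructed sample\n\nbody\n")


if __name__ == "__main__":
    limiter = OutboundSpamLimiter()
    for minute in range(12):  # one flagged message per minute
        tripped = limiter.observe(sample("cust-a", True), now=minute * 60)
        if tripped:
            print(f"minute {minute}: block {tripped} and queue for manual check")
```

Copies without the customer header are ignored here; in a real deployment those deserve their own alert, since mail that cannot be attributed to an account cannot be rate limited.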