William,
Great write-up. Exchange (or other smtp server hosted at our clients)
is exactly what I was referring to. On Imail we use Sanford's LDAP hook script
to populate Imail Aliases to block against dictionary attacks for domains we
host that are Gateway'd, i.e. no accounts on Imail, just scan for viruses/spam
and send the good stuff to their smtp server. From your post below, it seems
IMGate can do the same query and populate a good email account listing for that
type of setup, is that correct? Thanks again, appreciate the writeup
Keith

________________________________

From: [EMAIL PROTECTED] on behalf of William Van Hefner
Sent: Fri 9/16/2005 11:36 PM
To: [email protected]
Subject: RE: [IMail Forum] User configurable spam filter

I'm not sure that I understand your question exactly, but the IMGate machine rejects any unauthorized relays OR mail to non-existent domains and/or accounts. It's incredibly simple to add a list of what domain names you will allow relaying to. Adding a list of allowed users is a bit trickier though. You can allegedly use LDAP, but for right now I am just periodically generating a text list from Imail of the legit users for each domain and adding them to the gateway box as needed.

With a local list of "authorized recipients", you never have ANY dictionary attacks or bogus addresses hitting your main (Imail) server. This feature alone makes using an IMGate/Postfix gateway all worth it. Eventually, I will automate the "allowed" list of users. It is not a real pressing need at the moment for me though.

FYI, I have made some rather extensive modifications to Len's scripts, along with tweaking the reporting tools as well. Here is a snapshot of today's traffic on the primary IMGate box. My log rolls-over at 6:30 a.m., so this is only about 13 hours or so worth of results. Below is a brief description of some of the more difficult to understand filters.

   1 ACL 57 PUMP AND DUMP STOCK OFFER
   1 SMTP unauthorized pipelining
   1 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
   1 ACL 92 OBFUSCATED WORD IN SUBJECT
   1 ACL SAV: new verification in progress
   1 SMTP Exceeded Hard Error Limit after MAIL
   2 ACL 52 SPAMMER MAILING ADDRESS IN BODY
   2 RBL dnsbl.ahbl.org
   2 RBL blackhole.securitysage.com
   2 ACL 96 SPAM PHRASE IN SUBJECT
   3 SMTP invalid [EMAIL PROTECTED]
   3 ACL to_local_recipients unknown recipient
   3 ACL 91 BLACKLISTED FROM ADDRESS
   3 ACL 50 SPAM PHRASE IN BODY
   5 ACL 51 SPAMHAUS NAME IN BODY
   5 RBL block.rhs.mailpolice.com
   6 RBL list.dsbl.org
   6 RBL psbl.surriel.com
   7 ACL 85 MASS MAILER SPAMWARE
   8 ACL header checks
   9 RBL bl.spamcop.net
  12 ACL 89 SPAMHAUS NETWORK (Headers)
  13 RBL all.rbl.kropka.net
  14 ACL to_relay_recipients unknown recipient
  19 ACL unauthorized relay
  21 RBL rhsbl.ahbl.org
  22 RBL combined.njabl.org
  26 ACL SAV: undeliverable sender address
  29 ACL from_senders_regexp
  35 DNS no A/MX for @sender.domain
  40 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
  40 ACL SAV: unverifiable sender address
  52 RBL dynamic.rhs.mailpolice.com
  82 ACL helo_hostnames
  92 ACL 55 SPAM DOMAIN IN BODY
 106 RBL sbl-xbl.spamhaus.org
 307 SMTP Exceeded Hard Error Limit after RCPT
 373 SMTP Exceeded Hard Error Limit after DATA
 614 ACL RAV: undeliverable recipient address
1221 Other
3190 TOTAL (Does not count legit traffic actually passed through)

OTHER = Almost all of the "other" messages blocked were a result of Greylisting. By far, the most effective anti-spam tool there is.

ACL RAV: undeliverable recipient address = Dictionary attacks, e-mail sent to non-existent addresses. The "Anvil" feature of Postfix helps to tarpit dictionary attacks.

ACL 55 SPAM DOMAIN IN BODY - A list of blacklisted domains that I personally compile. Can be used in Imail, or converted for use in Postfix. See http://www.vantekcommunications.com/spam/ for the list. Updated regularly. Usually daily.

Most of the rest of the above use standard Postfix scripts, with the addition of Len's basic IMGate scripts. If you want access to a bunch of more scripts that will stop even more spam, see Postfix.Org.

If you want a great book that details exactly how to set up Postfix on any Linux/FreeBSD/*Nix box to act as a gateway for Exchange (works for Imail, too), I'd highly recommend The Book of Postfix, by Ralf Hildebrandt and Patrick Koetter. It will even show you how to automatically update your Postfix/IMGate box, so that it is updated with all of the legitimate addresses on your system on a regular basis. By far, the best book I have ever read on Postfix. Easy to read. Lots of Examples. Very user-friendly.

When you throw in the ability of amavisd-new, Spamassassin and its endless number of antispam tests, you should be able to reject far better than 99% of spam with a minuscule number of false positives. Anything more than .01% is simply unacceptable. My FP rate should be closer to .001% by the time I am done fine-tuning the installation.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Friday, September 16, 2005 7:45 PM
To: [email protected]
Subject: RE: [IMail Forum] User configurable spam filter

William,

Are you purely using Len's ImGate as a virtual domain checker or do you also check on validating Gateway'd domains? Just wondering how this is accomplished using Len's ImGate as there are no physical accounts on Imail for a Gateway domain. Thanks for the aid.

Keith

From: [EMAIL PROTECTED] on behalf of William Van Hefner
Sent: Fri 9/16/2005 1:43 PM
To: [email protected]
Subject: RE: [IMail Forum] User configurable spam filter

It should be easy enough to set this up using Imail's rules (ver. 8.05+) without the need of Declude.
Exactly what your filtering parameters are for identifying spam will dictate what rules you would be using.

I concur with the other poster though. Few people ever check spam folders. However, I do not agree that sending all of the (tagged) spam through is the best way to deal with things, either. That is a tremendous waste of bandwidth, processing power, disk space, etc., and it just encourages spammers to send more e-mail, since they (rightfully?) assume that such mail is actually being delivered.

Personally, I would recommend setting something up like Len's Imgate in front of your Imail box, and tie that in to your existing rules, along with something like Spamassassin to REJECT mail that is obviously spam. Using a web interface like Maya Mailguard will allow per user and per domain blacklisting, whitelisting, antivirus control and the setting of individual levels of spam filtration. You can flat-out reject high-scoring spam (the infrequent legit sender gets a bounce message explaining why their message was not delivered) and tag moderate-scoring spam on the Subject: line. SA will run a variety of tests, including RBLs, RHSBLs, heuristics, Razor, Pyzor, custom filters you create or can download off of the net, Bayesian filtering, and a ton more. Len's basic scripts will at least block the stuff that is so ridiculous as to not even be considered for delivery (spammers that forge your IP address in the HELLO should never be allowed to send you mail, and you will get hundreds of those a day).

Imail does some nice stuff, but I am starting to look at it more and more as a POP3 and final destination server, rather than something I would use alone to fight spam. If nothing else, why subject your main mail server to dictionary attacks, viruses, DOS attacks, port scans, or have to expend its CPU on chewing through an increasing number of rules, or store a bunch of spam that no one really wants to see?
Any old *nix box (or two) will improve your server's performance markedly, and shave as much as 50% off of your bandwidth costs. The cost is cheap. The software is free. It works significantly better and is way more stable. You will need to get your "hands dirty" and learn a little about Linux/FreeBSD and Postfix, but not much. It's certainly been worth it to me.

William Van Hefner
Network Administrator
Vantek Communications, Inc.
e-mail: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Odryna
> Sent: Friday, September 16, 2005 6:50 AM
> To: [email protected]
> Subject: [IMail Forum] User configurable spam filter
>
> I was looking through the archives for a solution where as
> SPAM is sent to the SPAM folder in the users account. The
> user then can periodically check that folder for false
> positives and have the ability to mark the mail as good or
> bad whichever the case may be.
>
> It was stated that Declude has this functionality already
> built in. Can someone confirm that? And it does, can you
> post some screen shots on how it looks when setup.
>
> Thanks in advance.
>
> Mike Odryna
> Owner
> LakeSpeed.Com
> http://www.lakespeed.com
> (603)635-8700
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
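
The thread describes keeping a text list of legitimate recipients on the Postfix gateway so that dictionary attacks never reach the back-end server. One way to turn such a list into a Postfix `relay_recipient_maps` source file is sketched below as an added example; it is not code from the thread or from IMGate. The export format (one address per line), the function names, the file paths and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a plain-text export with one
# address per line; the sample data and file names below are constructed.

# build_map "dom1 dom2 ..." < export
# Prints "address OK" lines for Postfix relay_recipient_maps: lower-cased,
# de-duplicated, limited to the domains the gateway actually relays for.
build_map() {
    awk -v domains="$1" '
        BEGIN { n = split(tolower(domains), d, " ")
                for (i = 1; i <= n; i++) relay[d[i]] = 1 }
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); addr = tolower($0) }
        addr == "" || addr ~ /^#/ { next }            # blanks and comments
        addr !~ /^[^@ \t]+@[^@ \t]+$/ { next }        # must be local@domain
        { split(addr, part, "@") }
        !(part[2] in relay) { next }                  # not a relayed domain
        !seen[addr]++ { print addr " OK" }
    ' | sort
}

# install_map MAPFILE "dom1 dom2 ..." < export
# Replaces MAPFILE atomically. An empty map would make the gateway reject
# every relay recipient, so a run that yields nothing keeps the old file.
install_map() {
    tmp="$1.new.$$"
    build_map "$2" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no valid recipients found; existing map left in place" >&2
        return 1
    fi
    mv "$tmp" "$1"
    # Then, on the gateway: postmap hash:"$1"
    # with main.cf containing: relay_recipient_maps = hash:<path to MAPFILE>
}

# Constructed sample export: mixed case, a duplicate, a foreign domain, junk.
sample_export() {
    cat <<'EOF'
# export for gatewayed domains
Alice@Client-A.example
bob@client-a.example
bob@client-a.example
carol@client-b.example
mallory@not-hosted.example
not an address
EOF
}

sample_export | build_map "client-a.example client-b.example"
```

Run from cron on the gateway, the empty-result guard matters most: a failed or truncated export would otherwise replace a working recipient list and cause legitimate mail to be refused.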
