Re: email scannering / filtering

2018-12-20 Thread John Capo via NANOG
On Fri, December 14, 2018 13:49, Chris Adams wrote:
> Once upon a time, Grant Taylor via NANOG  said:
>
>> - ClamAV
>>
>
> In my recent experience, ClamAV is basically useless against email
> viruses.  On one setup I run that handles around half a million messages
> a day, ClamAV might flag 3-5 as viruses.  I'm dubious that that's all
> the virus messages that came through.
>
> I'd be interested in hearing of other Linux software (free or paid) that
> can catch modern email viruses.

ClamAV addons.

  https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

  https://sanesecurity.com/






Re: email scannering / filtering

2018-12-14 Thread Bryan Holloway



postfix + postscreen for MTA ...

MailScanner + MailWatch for anti-.

I've heard good things about rspamd, but I haven't tried it.


On 12/14/18 5:30 AM, David Funderburk wrote:

> What open source email filtering system is working well for you?
>
> Regards,
>
> David Funderburk
> GlobalVision
> 864-569-0703
>
> For Technical Support, please email gv-supp...@globalvision.net.

--
This message has been scanned for viruses and dangerous content by
*E.F.A. Project*, and is believed to be clean.


Re: email scannering / filtering

2018-12-14 Thread Brielle Bruns

On 12/14/2018 1:00 PM, John Von Essen wrote:
> I've used Sendmail + MIMEDefang + SpamAssassin w/clamav for over 15
> years. And on the SA side I use all the bells and whistles available
> like DCC greylisting, all the public blacklists, there are some 3rd
> party rulesets you can subscribe to, etc. In the end it's not as good
> as gmail, but pretty darn close.
>
> I block at SA score 4 and above, 4-8 score I dump into a separate
> quarantine account that I check every now and again for possible errors,
> and over 8 I drop - no log or bounce.




I've started using rspamd in place of SpamAssassin and have been having 
good results. Built-in greylisting, support for SpamAssassin rules, nice 
web-based statistics GUI.


Only downside is that it can be quirky during the initial setup.  It 
depends on redis for its key lookup backend.  Not a big fan of redis, 
but it works, especially if you have to support multiple rspamd 
instances on different mail servers, and want to have one main backend 
to store all the spam/ham hashes in.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: email scannering / filtering

2018-12-14 Thread John Von Essen
I've used Sendmail + MIMEDefang + SpamAssassin w/clamav for over 15 
years. And on the SA side I use all the bells and whistles available 
like DCC greylisting, all the public blacklists, there are some 3rd 
party rulesets you can subscribe to, etc. In the end it's not as good 
as gmail, but pretty darn close.


I block at SA score 4 and above, 4-8 score I dump into a separate 
quarantine account that I check every now and again for possible errors, 
and over 8 I drop - no log or bounce.


-John

On 12/14/18 12:35 PM, Guillaume Tournat wrote:

> Hello,
>
> For MTA server, I use Postfix, with some blacklists (DNSBL).
>
> For filtering then: SpamAssassin + Clamav works well.
>
> On 14/12/2018 at 12:30, David Funderburk wrote:
>
>> What open source email filtering system is working well for you?
>>
>> Regards,
>>
>> David Funderburk
>> GlobalVision
>> 864-569-0703
>>
>> For Technical Support, please email gv-supp...@globalvision.net.





Re: email scannering / filtering

2018-12-14 Thread Chris Adams
Once upon a time, Grant Taylor via NANOG  said:
>  - ClamAV

In my recent experience, ClamAV is basically useless against email
viruses.  On one setup I run that handles around half a million messages
a day, ClamAV might flag 3-5 as viruses.  I'm dubious that that's all
the virus messages that came through.

I'd be interested in hearing of other Linux software (free or paid) that
can catch modern email viruses.

-- 
Chris Adams 


Re: email scannering / filtering

2018-12-14 Thread Grant Taylor via NANOG

On 12/14/18 4:30 AM, David Funderburk wrote:

> What open source email filtering system is working well for you?


 - Sendmail
 - SpamAssassin
 - ClamAV
 - OpenDKIM
 - OpenDMARC
 - SPFmilter
 - NoListing (a variant of Grey Listing that has worked exceedingly
   well for me.)
 - Junk Email Filter MX tricks (also works very well for me)
 - Reverse Path route filters

Most of this is fairly stock configuration.  I have put some custom 
rules in SpamAssassin for various reasons.  Email me directly if you 
want particulars.




On 12/14/18 10:36 AM, Rich Kulawiec wrote:
> I've been studying email abuse for a very long time, and am writing a
> book about defending against it with open-source tools.


I'll be interested to learn more about your book.

Will you share any details so that I can keep an eye out for it?

 - Title
 - Release date
 - Publisher

> One of the things that I've learned over those decades is that while
> some measures make sense for everyone, one size does not fit all,
> and that it's critical to understand the mail stream that's being
> presented before trying to design and build systems to deal with it.
> Everyone's legitimate email looks different.  Everyone's abusive email
> looks different.  It's not possible to figure out how to cope with these
> things until you measure them.
>
> Nor is it possible until you understand the operational requirements,
> which again, are different for everyone.  Joe's Donuts in Dubuque
> probably isn't going to be receiving messages at its "orders" address
> from Peru or Pakistan, for example, so any incoming traffic like that is
> almost certainly misdirected (at best) or abusive.  On the other hand,
> Michigan State University will probably receive legitimate traffic from
> all the world, including Peru and Pakistan.


I largely agree with both of those statements.

> So while I could answer your question by telling you what I use, that
> doesn't mean that it would work for you.  It *might*, and after a fashion,
> it probably would -- but it's highly unlikely that it's anything close
> to optimal for your environment.  There's a fair amount of homework that
> needs to be done to figure that out.


Sure.  But sharing what you're using and your perceived Pros and Cons do 
provide data for someone to consume while pontificating what will likely 
suit them the best.


> One more thing.  There are a number of things that some people do in their
> email systems which are worst practices -- things that exacerbate the
> problem.  For example, "quarantines" or "spam folders" are a profoundly
> horrible idea that should never be deployed.  (Ask RSA how that's working
> out for them.)  Avoid these.


I think that there is a time and a place for both quarantining and spam 
folders.  I use quarantining to gate email into and out of a lab / 
sandbox environment.  I know that nothing will flow without me releasing 
a quarantine.  This allows me to feel comfortable testing various MTAs 
without worrying that email will flow when I have not approved it. 
Devices on either side speak SMTP just like they want to and believe 
that the messages are the responsibility of an intermediate server. 
IMHO it works great.


I also think that spam folders do have a use.  They provide a way for 
messages that seem spammy to be isolated from the main inbox while still 
making them available to end users.  (I'm talking about mail boxes 
accessed via IMAP where it's easy to see both Inbox and Junk.)




--
Grant. . . .
unix || die





Re: email scannering / filtering

2018-12-14 Thread Rich Kulawiec
On Fri, Dec 14, 2018 at 06:30:08AM -0500, David Funderburk wrote:
> What open source email filtering system is working well for you? 

I've been studying email abuse for a very long time, and am writing
a book about defending against it with open-source tools.

One of the things that I've learned over those decades is that while
some measures make sense for everyone, one size does not fit all, and
that it's critical to understand the mail stream that's being presented
before trying to design and build systems to deal with it.  Everyone's
legitimate email looks different.  Everyone's abusive email looks different.
It's not possible to figure out how to cope with these things until
you measure them.

Nor is it possible until you understand the operational requirements,
which again, are different for everyone.  Joe's Donuts in Dubuque
probably isn't going to be receiving messages at its "orders" address
from Peru or Pakistan, for example, so any incoming traffic like that
is almost certainly misdirected (at best) or abusive.  On the other
hand, Michigan State University will probably receive legitimate
traffic from all the world, including Peru and Pakistan.

Unfortunately, lots of people skip these two steps -- especially the
first one -- because they perceive them as onerous and unnecessary.
They thus hamstring their own efforts.

One of the other things I've learned is that there's a correct order
in which to apply defensive measures, so that the probability of FP
and FN (false positive and false negative) are both simultaneously
minimized, so that each successive measure has less work to do than
the one before, and so that those measures which consume the least
resources are deployed up front.  (For example: using the DROP list
in a perimeter router, firewall or even in the MTA's configuration
is a highly efficient/low-cost/low-resource measure that should be
done before doing other things.  This is, by the way, one of the
measures that make sense for everyone, see above.)

So while I could answer your question by telling you what I use,
that doesn't mean that it would work for you.  It *might*, and
after a fashion, it probably would -- but it's highly unlikely
that it's anything close to optimal for your environment.  There's
a fair amount of homework that needs to be done to figure that out.

One more thing.  There are a number of things that some people do
in their email systems which are worst practices -- things that
exacerbate the problem.  For example, "quarantines" or "spam folders"
are a profoundly horrible idea that should never be deployed.
(Ask RSA how that's working out for them.)  Avoid these.

---rsk
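As an added illustration (not code from anyone in this thread), the following Python models the ordering Rich describes: the cheap DROP-list CIDR check runs at connect time before any content scan, and the messages that survive are sorted into the deliver / quarantine / discard bands John Von Essen uses for SpamAssassin scores. The DROP-style list, the client IPs and the scores are constructed samples, not the real list or real traffic.

```python
import ipaddress
from collections import Counter

# Constructed sample in the one-CIDR-per-line style, ';' starts a comment.
# This is NOT the real DROP list.
DROP_TEXT = """\
; constructed sample, not the real DROP list
192.0.2.0/24 ; example-net-1
198.51.100.0/25 ; example-net-2
"""

# Constructed sessions: (connecting client IP, SpamAssassin score the
# content scan would assign if the session gets that far).
SESSIONS = [
    ("192.0.2.77", 12.0),    # listed range: rejected before any scanning
    ("203.0.113.5", 1.3),    # clean content
    ("203.0.113.9", 5.5),    # lands in the quarantine band
    ("198.51.100.3", 0.2),   # listed range even though content looks clean
    ("203.0.113.44", 9.1),   # above the silent-discard threshold
]

def parse_drop(text):
    """Parse CIDR entries, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def in_drop(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def disposition(score):
    """John's bands: below 4 deliver, 4 to 8 quarantine, over 8 discard."""
    if score < 4:
        return "deliver"
    if score <= 8:
        return "quarantine"
    return "discard"

def run_pipeline(sessions, drop_text):
    """Cheapest check first; each later stage only sees what earlier ones passed."""
    nets = parse_drop(drop_text)
    stages = Counter()          # how much work each stage actually had to do
    outcomes = {}
    for ip, score in sessions:
        stages["connect"] += 1
        if in_drop(ip, nets):
            outcomes[ip] = "reject-at-connect"
            continue
        stages["content-scan"] += 1   # only these pay for a full SA run
        outcomes[ip] = disposition(score)
    return outcomes, stages
```

With the sample above, five sessions hit the connect-time check but only three reach the content scan, which is the "each successive measure has less work to do" effect in miniature.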


Re: email scannering / filtering

2018-12-14 Thread Guillaume Tournat

Hello,

For MTA server, I use Postfix, with some blacklists (DNSBL).

For filtering then: SpamAssassin + Clamav works well.


On 14/12/2018 at 12:30, David Funderburk wrote:

> What open source email filtering system is working well for you?
>
> Regards,
>
> David Funderburk
> GlobalVision
> 864-569-0703
>
> For Technical Support, please email gv-supp...@globalvision.net.





email scannering / filtering

2018-12-14 Thread David Funderburk
 

What open source email filtering system is working well for you?

Regards,

David Funderburk
GlobalVision
864-569-0703

For Technical Support, please email gv-supp...@globalvision.net.

 

--
This message has been scanned by E.F.A. Project and is believed to be clean.