Antivirus / SPAM Filter recommendations

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Antivirus / SPAM Filter recommendations

Postby les » Thu Jun 24, 2010 6:17 pm

RSisco wrote:
les wrote:I guess, if you are installing it from scratch, the first time IS complicated, but once you get it right you have a recipe for next time and next time etc.


You're assuming that we all keep excellent documentation while implementing new software. :oops:

Richard


Well, I do... maybe I'm just different ;)
Regards,

Les Stott

RSisco
Posts: 212
Joined: Thu Jul 03, 2008 2:44 pm
Location: Springfield, MO

Re: Antivirus / SPAM Filter recommendations

Postby RSisco » Fri Jun 25, 2010 11:50 am

I usually take the approach of "get a bigger hammer" and by the time I'm done, I forget which "hammers" I've used. :D

Richard
I have officially quit using Scalix, but continue to visit the forums
-------------------------------------------------------------------------------
Scalix Server 11.4.6.13676
Scalix Connect 11.4.6.9214
SWA 11.4.6.12377
Outlook 2007
CentOS 5.3

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Antivirus / SPAM Filter recommendations

Postby SidebandSamurai » Tue Aug 24, 2010 9:42 pm

Thanks for everyone's comments.

What about the implementation of a spam filter from the Scalix Wiki? As an example, there is an implementation script at:

 http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_HOWTO


How about using this set of instructions?

How about setting up a sandbox and having my production Scalix server forward e-mails to test my setup? Can that be done also?

Sincerely,

Sideband Samurai

BaldBoy
Posts: 141
Joined: Fri May 19, 2006 12:45 pm

Re: Antivirus / SPAM Filter recommendations

Postby BaldBoy » Wed Aug 25, 2010 7:34 am

SidebandSamurai wrote:Hello Everyone,

I want to look at installing anti virus / SPAM filter for Scalix,

First: What are the recommendations?

Second: there is a real feeling inside the company that they might miss important emails from clients because an email was accidentally flagged as "Spam". Is there any way of recovering misclassified messages?

Third: can I control "roll out" on a per-user basis? In other words, can I turn it on for one user while keeping it off for all the rest (while I test this)?

Fourth: can e-mail messages classified as spam be placed in the user's Junk Email folder so the end user can see or catch misclassified e-mail in Outlook?

Thanks a lot for all your help.

Sincerely,

Sideband Samurai


I am a little bit late but I think my two cents may help someone. I was concerned too about an easy (to set up and maintain), affordable, scalable and possibly free antivirus/antispam solution for my Scalix boxes. In addition I did not want to mangle with milters and, above all, I wanted to limit Scalix's configurations to be as limited as possible. Eventually I had it all: ASSP + ClamAV

  • ASSP (http://assp.sourceforge.net/) is an easy to deploy and maintain Anti Spam SMTP Proxy: that means it listens for incoming SMTP conversations on port 25 and does its filtering job.
  • Basically it is a single script in Perl: all you have to do is to install Perl on your Linux server and some additional modules (there is a script that does the job)
  • It's lightweight and fast: in an environment where we receive an average of 85k SMTP connections per day it never reaches more than 2%~3% of CPU load.
  • All you have to do on Scalix is to switch the SMTP listen port from 25 to whatever you want (modify the smtpd.cfg file). Then configure ASSP to listen on 25 and proxy messages to Scalix's new SMTP port. A proper implementation would not require more than 30 minutes and has the great advantage that it does not require any restart either of Scalix or of the server itself.
  • You can easily configure it to live within the same Scalix box or on an independent server.
  • It can store ham/spam emails for a predetermined time
  • Users can receive SPAM mails with a tag in subject or in headers so they can create their own rules to manage them.
  • You can configure ASSP to carbon copy each spam message to some account or public folder: if someone feels some important email has been blocked by the spam filter ... well you can recover it.
  • It has an email interface: users can send emails to predefined non-existent addresses and receive back a lot of information about what has been filtered/blocked. Eventually they can ask ASSP to resend messages that have been improperly blocked
  • It works smoothly with ClamAV installed
  • It can detect spoofing and validate recipients before the message is accepted (http://www.scalix.com/forums/viewtopic.php?p=47492&sid=776f214596d3d1c98f39017813b47baf)
  • It can be configured in "Test Mode" (mainly during the learning phase - which creates Bayesian data) so users won't miss a single message.
  • You can configure SPAMLOVER addresses which never get filtered. Alternatively you can define special SPAMLOVERS: for example you may want some users to not filter their mail on Bayesian criteria but block emails from IPs which are listed in DSBLs.
  • ... and a lot more.

dougp23
Posts: 229
Joined: Thu Feb 15, 2007 2:42 pm

Re: Antivirus / SPAM Filter recommendations

Postby dougp23 » Thu Aug 26, 2010 3:52 pm

If you REALLY want to go easy, I really recommend Postini (now part of Google).

Google Message Filtering is $3 per user per year. Maybe 1 or 2 false positives a month for 20,000 emails.

I've tried spamassassin...I don't want to diss it, but you will be spending a fair amount of time keeping up with it. Written in Perl, it often requires new Perl modules, that must be downloaded. You should update spamassassin at least daily, there is a script to do it.

Again for me, I let Google/Postini do all that stuff. It's also a lot less work for my mailserver! The domain gets hit with about 8,000 messages a day, only about 800 are forwarded to my mailserver to deal with.

Of course, YMMV.
Check out my "Life with Scalix" blog at
http://swifttide.com/blog

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Antivirus / SPAM Filter recommendations

Postby SidebandSamurai » Fri Aug 27, 2010 2:55 am

@baldboy - No, you are not late to the party. I am still attempting to develop a strategy that will allow me to implement this without losing every single email because I misconfigured some setting (for example, forgot a semicolon somewhere). Thanks for the suggestion, that is definitely an option, but I think I will stick with what was in the Wiki; it looks pretty well documented. (See my previous post for the exact link.)

@dougp23 - Hmmm "Postini", also an interesting suggestion. Again I was thinking that I would stick with the Scalix Wiki Solution. See my previous post for that link if you want to look at it.
---------------------------------
Q: Is it possible to forward messages to a sandbox server so that I can test my implementation?

Q: Is it also true that I will NOT be able to roll this out on a user by user basis? I guess that implementing this on a per-user basis would be more trouble than it's worth.

I can control the SPAM to the junk boxes by creating a rule that places suspected messages into that folder for review. (Yea! :D )

Q: Can all messages be "Tagged" and not deleted automatically, and let the Spam rule for each user sort it all out?
That way the users still get all messages addressed to them but now the junk messages go to the junk folder and the good messages stay in the inbox. Later on I would like to reconfigure the SPAM filters to automatically delete the SPAM messages after everyone feels confident that most messages it is catching are spam and can be deleted safely.

Thanks again and keep all the feedback coming!

Sincerely,

SidebandSamurai

mxx
Posts: 39
Joined: Fri Mar 12, 2010 8:33 am
Location: Austria

Re: Antivirus / SPAM Filter recommendations

Postby mxx » Mon Aug 30, 2010 7:26 am

BaldBoy wrote: I am a little bit late but I think my two cents may help someone. I was concerned too about an easy (to set up and maintain), affordable, scalable and possibly free antivirus/antispam solution for my Scalix boxes. In addition I did not want to mangle with milters and, above all, I wanted to limit Scalix's configurations to be as limited as possible. Eventually I had it all: ASSP + ClamAV

  • ASSP (http://assp.sourceforge.net/) is an easy to deploy and maintain Anti Spam SMTP Proxy: that means it listens for incoming SMTP conversations on port 25 and does its filtering job.
  • Basically it is a single script in Perl: all you have to do is to install Perl on your Linux server and some additional modules (there is a script that does the job)
  • It's lightweight and fast: in an environment where we receive an average of 85k SMTP connections per day it never reaches more than 2%~3% of CPU load.
  • All you have to do on Scalix is to switch the SMTP listen port from 25 to whatever you want (modify the smtpd.cfg file). Then configure ASSP to listen on 25 and proxy messages to Scalix's new SMTP port. A proper implementation would not require more than 30 minutes and has the great advantage that it does not require any restart either of Scalix or of the server itself.
  • You can easily configure it to live within the same Scalix box or on an independent server.
  • It can store ham/spam emails for a predetermined time
  • Users can receive SPAM mails with a tag in subject or in headers so they can create their own rules to manage them.
  • You can configure ASSP to carbon copy each spam message to some account or public folder: if someone feels some important email has been blocked by the spam filter ... well you can recover it.
  • It has an email interface: users can send emails to predefined non-existent addresses and receive back a lot of information about what has been filtered/blocked. Eventually they can ask ASSP to resend messages that have been improperly blocked
  • It works smoothly with ClamAV installed
  • It can detect spoofing and validate recipients before the message is accepted (http://www.scalix.com/forums/viewtopic.php?p=47492&sid=776f214596d3d1c98f39017813b47baf)
  • It can be configured in "Test Mode" (mainly during the learning phase - which creates Bayesian data) so users won't miss a single message.
  • You can configure SPAMLOVER addresses which never get filtered. Alternatively you can define special SPAMLOVERS: for example you may want some users to not filter their mail on Bayesian criteria but block emails from IPs which are listed in DSBLs.
  • ... and a lot more.


I have to second that!
ASSP+ClamAV. Excellent!

Running exactly that combo for a year. It's rock solid, ASSP -especially v2 or even the dev version- has so many great features and is completely painless to install.
It OCRs PDFs or pictures to extract even more info for the Bayesian filter, everything can be stored in numerous db formats, multiple ASSPs can be linked to share all the info...
V2 even supports per-user white/black lists.

Like BaldBoy mentioned, those customizable block reports are also a feature I really love.
I do it like that: set ASSP to automatically block spam caught by filters I think are extremely unlikely to produce false positives (for example listed in more than 3 rbl + uribl + forged helos +... maybe notify the senders if you like) and just forward the rest tagged for mailbox rule filtering.
Then I periodically send out "block reports" of the last x days to all users notifying them about their blocked mails. This is one large mail with one blocked mail=one line. If they find something of interest, they simply click on an entry in this html mail and get the blocked mail sent directly to their inbox. Of course they can request those reports themselves whenever they like.

Great tool!
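
The block-or-tag policy and one-line-per-mail block report described in the posts above, sketched as an added example that is not part of the thread and is not ASSP code. The signal keys (`rbl_hits`, `uribl`, `forged_helo`, `bayes_spam`), the `[SPAM] ` subject tag, the `X-Example-Spam` header and the sample messages are all assumptions made for illustration.

```python
import html
from email.message import EmailMessage

RBL_BLOCK_THRESHOLD = 3   # assumption, from "listed in more than 3 rbl"
TAG = "[SPAM] "           # assumption: subject tag that mailbox rules match

def decide(sig):
    """Map one message's filter signals to 'block', 'tag' or 'deliver'."""
    rbl = sig.get("rbl_hits", 0)
    if rbl > RBL_BLOCK_THRESHOLD and sig.get("uribl") and sig.get("forged_helo"):
        return "block"    # several independent signals agree
    if rbl or sig.get("uribl") or sig.get("forged_helo") or sig.get("bayes_spam"):
        return "tag"      # suspicious only: deliver and let a mailbox rule file it
    return "deliver"

def route(messages):
    """Split (message, signals) pairs into delivered mail and a quarantine."""
    delivered, quarantine = [], []
    for msg, sig in messages:
        verdict = decide(sig)
        if verdict == "block":
            quarantine.append(msg)   # stored, not deleted, so it can be resent
            continue
        if verdict == "tag":
            subject = msg["Subject"] or ""
            del msg["Subject"]
            msg["Subject"] = TAG + subject
            msg["X-Example-Spam"] = "yes"   # hypothetical header name
        delivered.append(msg)
    return delivered, quarantine

def block_report(quarantine):
    """One HTML line per blocked mail; sender-supplied fields are escaped."""
    return "\n".join(
        f"{n}. {html.escape(msg['From'] or '')} | "
        f"{html.escape(msg['Subject'] or '')}<br>"
        for n, msg in enumerate(quarantine, 1))

def make(sender, subject):
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    return msg

# Constructed sample traffic: (message, filter signals)
SAMPLE = [
    (make("client@example.com", "Invoice query"), {}),
    (make("news@example.net", "Weekly offers"), {"bayes_spam": True}),
    (make("x@example.org", "<b>Win</b> now"), {"rbl_hits": 4, "uribl": True, "forged_helo": True}),
]
```

Nothing is deleted in either branch: tagged mail still reaches the mailbox for a Junk rule to file, and blocked mail stays in the quarantine list that feeds the report.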
