After looking at some of the commercial spam-fighting products on the market, let's now take a look at the open source tools offered to solve this problem.

A mail gateway that is configured to filter out spam and/or redirect mail for one or more domains to the required mail server can be a very useful tool. I have just finished configuring a new gateway for our company, so I will outline the tools I have used to try and filter out spam/virus traffic.

First of all, the operating system I'm using is Ubuntu; this is a server install with no GUI installed and with root activated; for all intents and purposes, it may as well be Debian. The MTA (Mail Transport Agent) I have chosen is Postfix—I won't make any wild claims that Postfix beats all others. I have used qmail in the past and it was okay; however, Postfix is very well supported and there are a multitude of tutorials and add-on scripts floating around for it.

So that's the basic mail relay/gateway system–what do we need to filter out spam and worms?

  • A spam filter
  • A virus filter/scanner
  • Something to link these into Postfix
  • Other goodies

Okay, so let's deal with the spam filter first. By far the most popular spam-filtering software is SpamAssassin. SpamAssassin uses a number of different checks to score an email; each check that matches adds to the message's score, and the administrator can set thresholds at which a message is either tagged as spam or discarded completely. Included in the range of checks are:

  • Content/signature-based checks (for example, the mention of Viagra or an all-CAPS subject would produce a positive score that is added to the tally for that particular mail).
  • Internet-based checks with the use of pyzor, razor and dcc (these will match the mail and its content against known spam).
  • Sanity checks (MIME integrity, etc.).

The combination of rules and internet tests gives pretty good accuracy; this will filter out a very high percentage of your spam.
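To make the scoring model concrete, here is an added Python illustration of how rule hits accumulate into a per-message score and how administrator-set thresholds turn that score into a tag/deliver/discard decision. This is my own example, not SpamAssassin's code or rule set; the rules, their scores, the two thresholds and the sample messages are all constructed for the illustration (SpamAssassin's real tag threshold is the required_score setting, which defaults to 5.0).

```python
"""Added example, not SpamAssassin's own code or rules: a miniature
score-and-threshold filter.  Rule hits add to a per-message tally and the
administrator's thresholds map that tally to tag/deliver/discard.  Rules,
scores, thresholds and sample messages are constructed for this example."""
import re
from email import message_from_string
from email.message import Message


def _subject_all_caps(msg: Message) -> bool:
    """Content check: a subject written entirely in capitals."""
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    return len(letters) >= 4 and all(c.isupper() for c in letters)


def _mentions_drug(msg: Message) -> bool:
    """Content check: drug-name mention in any text part."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if re.search(rb"\bviagra\b", body, re.IGNORECASE):
                return True
    return False


def _mime_broken(msg: Message) -> bool:
    """Sanity check: the parser recorded a MIME defect, e.g. a multipart
    message whose declared boundary never appears in the body."""
    return len(msg.defects) > 0


def _no_from(msg: Message) -> bool:
    """Sanity check: legitimate mail carries a From: header."""
    return msg.get("From") is None


# (rule name, score, predicate) -- assumed scores, not SpamAssassin's.
RULES = [
    ("SUBJ_ALL_CAPS", 2.5, _subject_all_caps),
    ("DRUG_MENTION", 3.0, _mentions_drug),
    ("MIME_BROKEN", 1.5, _mime_broken),
    ("NO_FROM", 2.0, _no_from),
]

TAG_THRESHOLD = 5.0      # assumed; SpamAssassin calls this required_score
DISCARD_THRESHOLD = 7.0  # assumed site policy for outright rejection


def score_message(raw: str):
    """Return (total score, list of rule names that fired)."""
    msg = message_from_string(raw)
    hits = [name for name, _, pred in RULES if pred(msg)]
    total = sum(score for name, score, _ in RULES if name in hits)
    return total, hits


def classify(raw: str) -> str:
    """Map the score onto the administrator's thresholds."""
    total, _ = score_message(raw)
    if total >= DISCARD_THRESHOLD:
        return "discard"
    if total >= TAG_THRESHOLD:
        return "tag"
    return "deliver"


# Constructed sample messages.
HAM = "From: carol@example.org\nSubject: Meeting notes\nContent-Type: text/plain\n\nSee you at 10.\n"
SPAM = "From: promo@example.net\nSubject: BUY NOW\nContent-Type: text/plain\n\nCheap viagra here\n"
WORST = "Subject: BUY NOW\nContent-Type: text/plain\n\nCheap viagra here\n"
BROKEN = 'From: x@example.net\nSubject: hi\nContent-Type: multipart/mixed; boundary="zz"\n\nno parts here\n'

if __name__ == "__main__":
    for label, raw in (("ham", HAM), ("spam", SPAM), ("worst", WORST), ("broken", BROKEN)):
        print(label, score_message(raw), classify(raw))
```

The point of keeping two separate thresholds is operational: a tagged message still reaches the user (and can be reviewed if the score was a false positive), while only messages that clear the much higher discard threshold are dropped outright. The MIME check relies on the defects the standard parser records, which is a cheap way to catch malformed multipart messages before any content rule runs.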

On the virus/worm blocking front, my tool of choice is ClamAV. Again, like SpamAssassin, ClamAV is free, well-maintained, and its use is widespread. The updates are free and frequent. Freshclam is a system service that will run at defined intervals and check for, download and install new virus definition files automatically. I have noticed that ClamAV will sometimes filter out phishing attempts as well as classic 'viruses', which can only be a good thing.

Right, so now you need something to hook these up with Postfix (or whatever MTA you may have chosen). I have found the best way of using the previously mentioned tools with Postfix to be the amavisd-new daemon. It's easy to install (try apt-get install amavisd-new on Ubuntu/Debian), easy to configure, and performance is great. Okay, so you looked at the Web site, and it's not very impressive—no snazzy graphics—but don't let that fool you. Take the time to read the documentation and default config file, and you will see this is a very powerful tool.

With the aforementioned tools you will be able to build a pretty resilient anti-spam solution. Assuming that this machine will be acting as a gateway and not holding mailboxes (as in my case), you may want to allow users outside of your network to authenticate and send mail (roaming users). The easiest way I have found of doing this is using pop-before-smtp. It basically picks up an IMAP/POP login from the syslog (which is sent from your IMAP server to the SMTP gateway), and then holds a database of the IP addresses used to connect. If an SMTP client on a non-trusted network requests to send mail to a non-local domain, Postfix will check the pop-before-smtp database file and allow relay access if the IP is listed. It's not a perfect solution, but it is simple and effective.

An additional spam countermeasure is greylisting. While by itself greylisting will not save your organisation from spam, it's a useful addition to your defence. I have just implemented greylisting for the first time, and I've yet to see what problems it may cause. I can imagine some issues arising with senders who retry from a different IP address; however, over time you can identify these and add them to your whitelists. The service I've decided to use, postfix-gld, has a nice feature which will allow all mail from a particular domain once x number (defined in your config) of successful greylisted mails pass from it—a nice feature that could well save some training time.
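The two mechanisms just described, the pop-before-smtp relay check and greylisting with a postfix-gld-style per-domain auto-whitelist, as one added toy implementation in Python. This is my own illustration, not the code of pop-before-smtp, postfix-gld or Postfix: the syslog line format, the relay window, the greylist delay, the auto-whitelist count and the sample log lines are all assumptions constructed for the example.

```python
"""Added example (not pop-before-smtp's, postfix-gld's or Postfix's code):
a toy gateway access policy combining
  1. pop-before-smtp: harvest client IPs from IMAP/POP login syslog lines
     and allow them to relay for a fixed window, and
  2. greylisting: temp-fail the first attempt of an unseen
     (client IP, sender, recipient) triplet, accept retries after a delay,
     and auto-whitelist a sender domain once N triplets from it have passed.
Log format, timings and thresholds are assumptions for the example."""
import ipaddress
import re
from collections import defaultdict

# Constructed syslog lines in a Dovecot-like shape; the format is assumed.
SAMPLE_SYSLOG = """\
Mar  1 08:00:01 mail imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7
Mar  1 08:00:05 mail pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.9
Mar  1 08:00:09 mail imap-login: Disconnected (no auth attempts): rip=192.0.2.50
"""
LOGIN_RE = re.compile(r"(?:imap|pop3)-login: Login: .*?rip=(\d+\.\d+\.\d+\.\d+)")


class PopBeforeSmtp:
    """IP -> time of last successful login; relay allowed for `window` seconds."""

    def __init__(self, window=1800):
        self.window = window
        self.seen = {}

    def feed_syslog(self, text, now):
        """Record only successful logins; failed/disconnect lines are ignored."""
        for line in text.splitlines():
            m = LOGIN_RE.search(line)
            if m:
                self.seen[m.group(1)] = now

    def may_relay(self, ip, now):
        t = self.seen.get(ip)
        return t is not None and now - t <= self.window


class Greylist:
    def __init__(self, delay=300, auto_whitelist_after=3):
        self.delay = delay
        self.n = auto_whitelist_after
        self.first_seen = {}             # triplet -> time first seen
        self.passed = defaultdict(int)   # sender domain -> triplets passed
        self.counted = set()             # triplets already credited
        self.whitelisted = set()         # domains that skip greylisting

    def check(self, client_ip, sender, recipient, now):
        domain = sender.rpartition("@")[2].lower()
        if domain in self.whitelisted:
            return "OK"
        triplet = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now
            return "DEFER"               # 4xx: "try again later"
        if now - first < self.delay:
            return "DEFER"
        if triplet not in self.counted:  # credit each triplet once
            self.counted.add(triplet)
            self.passed[domain] += 1
            if self.passed[domain] >= self.n:
                self.whitelisted.add(domain)
        return "OK"


def policy(pbs, gl, client_ip, sender, recipient, local_domains, trusted_nets, now):
    """Decide one SMTP transaction: inbound mail is greylisted, outbound relay
    needs a trusted network or a recent POP/IMAP login."""
    rcpt_domain = recipient.rpartition("@")[2].lower()
    if rcpt_domain in local_domains:
        return gl.check(client_ip, sender, recipient, now)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in trusted_nets):
        return "OK"
    if pbs.may_relay(client_ip, now):
        return "OK"
    return "REJECT"                      # 5xx: relay access denied


if __name__ == "__main__":
    pbs = PopBeforeSmtp()
    pbs.feed_syslog(SAMPLE_SYSLOG, now=1000)
    gl = Greylist(auto_whitelist_after=2)
    print(policy(pbs, gl, "203.0.113.7", "alice@example.org", "z@elsewhere.test",
                 {"example.org"}, ["192.0.2.0/24"], 1500))
```

Two things the toy makes visible. First, the pop-before-smtp table must expire entries (here via the window), otherwise any address a roaming user once logged in from keeps relay rights indefinitely. Second, because the greylist keys on the full client IP, a sender whose retry arrives from a different host in the same pool is deferred again, which is exactly the failure mode mentioned above; many greylisters reduce it by keying on the client's /24 rather than the exact address, and the per-domain auto-whitelist shortens the pain for regular correspondents.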

I hope this has been a useful look at some of the freely available tools for stopping spam from infiltrating your organisation. These are by no means the only ones, but this overview goes to show that fighting spam effectively does not require a large budget or deep technical knowledge.

Have you successfully implemented greylisting? It would be great to hear how you have overcome the issues associated with it and whether or not you decided to keep the system running.