After looking at some of the commercial spam-fighting
products on the market, let's now take a look at the open source tools offered
to solve this problem.
A mail gateway that is configured to filter out spam and/or
redirect mail for one or more domains to the required mail server can be a very
useful tool. I have just finished configuring a new gateway for our company so
will outline the tools I have used to try and filter out spam/virus traffic.
First of all, the operating system I'm using is Ubuntu; this
is a server install with no GUI installed and with root activated; for all
intents and purposes, it may as well be Debian. The MTA (Mail Transport Agent)
I have chosen is Postfix. I won't make any
wild claims that Postfix beats all others. I have used qmail in the past and it
was okay; however, Postfix is very well supported and there are a multitude of
tutorials and add-on scripts floating around for it.
So that's the basic mail relay/gateway system. What do we
need to filter out spam and worms?
- A spam filter
- A virus filter/scanner
- Something to link these into Postfix
- Other goodies
Okay, so let's deal with the spam filter first. By far the
most popular spam-filtering software is SpamAssassin. SpamAssassin uses a
number of different checks to score an email; this score is then taken into
account, and the administrator can set thresholds at which spam can either be
tagged as spam or discarded completely. Included in the range of checks are:
- Content/signature-based checks (for example, the mention of Viagra or an
all-CAPS subject would produce a positive score that is added to the tally for
that particular mail).
- Internet-based checks with the use of pyzor, razor and dcc (these will match
the mail and content against known spam).
- Sanity checks (MIME integrity, etc.).
The combination of rules and internet tests gives pretty
good accuracy; this will filter out a very high percentage of your spam.
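To make the scoring-plus-thresholds idea concrete, here is an added example (not code from the article or from SpamAssassin) of a miniature rule engine in Python. The rule names, scores, samples and the two thresholds are constructed for this example; SpamAssassin's real rule set, scores and network tests are far larger, but the mechanism is the same: each rule that fires adds its points to a tally, and the tally is compared against a tag level and a kill level.

```python
import email
import re
from email import policy

# Constructed rule table standing in for SpamAssassin's rules: the names,
# scores and tests below are made up for this example, not SpamAssassin's own.
def subject_all_caps(msg):
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    return len(letters) >= 5 and all(c.isupper() for c in letters)

def mentions_viagra(msg):
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return re.search(r"\bviagra\b", text, re.IGNORECASE) is not None

def missing_message_id(msg):
    return msg.get("Message-ID") is None

def mime_defects(msg):
    # Sanity check: the stdlib parser records structural MIME problems
    # (e.g. a multipart without a boundary) in msg.defects
    return bool(msg.defects)

RULES = [
    ("SUBJ_ALL_CAPS", 2.5, subject_all_caps),
    ("DRUG_MENTION", 3.0, mentions_viagra),
    ("MISSING_MID", 1.0, missing_message_id),
    ("MIME_DEFECT", 1.5, mime_defects),
]

def score_message(raw):
    """Return (total score, list of (rule name, points) that fired)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    return sum(pts for _, pts in hits), hits

def decide(score, tag_level=5.0, kill_level=10.0):
    """Two thresholds: tag the mail at tag_level, discard it at kill_level."""
    if score >= kill_level:
        return "discard"
    if score >= tag_level:
        return "tag"
    return "deliver"

def filter_message(raw, tag_level=5.0, kill_level=10.0):
    score, hits = score_message(raw)
    return decide(score, tag_level, kill_level), score, hits

# Constructed sample messages (example.net/example.org are reserved names)
SPAM_SAMPLE = b"""From: deals@example.net
To: user@example.org
Subject: BUY CHEAP MEDS NOW
Content-Type: text/plain; charset=us-ascii

Best prices on viagra, order today!
"""

HAM_SAMPLE = b"""From: carol@example.com
To: user@example.org
Subject: Minutes from Tuesday's meeting
Message-ID: <20240303.1@example.com>
Content-Type: text/plain; charset=us-ascii

Attached below are the notes we agreed on.
"""

if __name__ == "__main__":
    for raw in (SPAM_SAMPLE, HAM_SAMPLE):
        print(filter_message(raw))
```

The spam sample trips three rules for 6.5 points, which lands between the two thresholds and so is tagged rather than dropped; raising the kill level above what a single false-positive rule can reach is what keeps a discard policy safe, since a discarded mail is gone for good while a tagged one can still be reviewed.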
On the virus/worm blocking front, my tool of choice is ClamAV. Again, like SpamAssassin, ClamAV is
free, well-maintained, and its use is widespread. The updates are free and
frequent. Freshclam is a system service that will run at defined intervals and
check/download/install new virus definition files automatically. I have noticed
that ClamAV filtering will sometimes catch phishing attempts, as well as classic
'viruses', which can only be a good thing.
Right, so now you need something to hook these up with
Postfix (or whatever MTA you may have chosen). I have found the best way of
using the previously mentioned tools with Postfix to be the amavisd-new daemon. It's easy to
install (try apt-get install amavisd-new on Ubuntu/Debian), easy to configure,
and performance is great. Okay, so you looked at the Web site, and it's not
very impressive (no snazzy graphics), but don't let that fool you. Take the time
to read the documentation and default config file, and you will see this is a
very powerful tool.
With the aforementioned tools you will be able to build a
pretty resilient anti-spam solution. Assuming that this machine will be acting
as a gateway and not holding mailboxes (as in my case), you may want to allow
users outside of your network to authenticate and send mail (roaming users). The
easiest way I have found of doing this is using pop-before-smtp.
It basically picks up an IMAP/POP login from the syslog (which is sent from
your IMAP server to the SMTP gateway), and then holds a database of the IP
addresses used to connect. If an SMTP client on a non-trusted network requests
to send mail to a non-local domain, Postfix will check the pop-before-smtp
database file and allow relay access if the IP is listed. It's not a perfect
solution, but it is simple and effective.
An additional spam countermeasure is greylisting. While by
itself greylisting will not save your organisation from spam, it's a useful
addition to your defence. I have just implemented greylisting for the first
time, and I've yet to see what problems it may cause. I can imagine some issues
arising with senders who retry from a different IP address; however, over time
you can identify these and add them to your whitelists. The service I've
decided to use, postfix-gld, has a
nice feature which will allow all mail from a particular domain once x number
(defined in your config) of successful greylisted mails pass from it, a nice
feature that could well save some training time.
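The two mechanisms just described, pop-before-smtp and triplet greylisting with a postfix-gld-style per-domain auto-whitelist, are shown below as one added Python example. It is not code from the article, from pop-before-smtp or from postfix-gld: the Dovecot-style syslog lines, the 30-minute relay grace period, the 5-minute greylist delay and the action strings are all constructed for the example (the real tools ship their own log regexes and store their state in on-disk databases). The greylister keys the client on its /24 so that a retry from a neighbouring outbound relay still matches, which is one common way to handle the different-IP retry problem mentioned above.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed Dovecot-style syslog lines; only successful logins count.
LOG_LINES = [
    "Mar  3 09:12:01 mailstore dovecot: imap-login: Login: user=<alice>, rip=203.0.113.10",
    "Mar  3 09:15:44 mailstore dovecot: pop3-login: Login: user=<bob>, rip=198.51.100.7",
    "Mar  3 09:16:02 mailstore dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<eve>, rip=192.0.2.55",
]
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Login: user=<[^>]*>, rip=(?P<ip>[\d.]+)"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the example


class PopBeforeSmtp:
    """Hypothetical re-implementation of the pop-before-smtp idea."""

    def __init__(self, grace=timedelta(minutes=30)):
        self.grace = grace
        self.logins = {}  # client IP -> time of last successful POP/IMAP login

    def ingest(self, line):
        m = LOGIN_RE.match(line)
        if not m:  # failed logins and unrelated lines are ignored
            return False
        when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        self.logins[m["ip"]] = max(when, self.logins.get(m["ip"], when))
        return True

    def may_relay(self, ip, now):
        seen = self.logins.get(ip)
        return seen is not None and now - seen <= self.grace

    def access_map(self, now):
        """Lines in the form Postfix reads via check_client_access (ip OK)."""
        return [f"{ip} OK" for ip, seen in sorted(self.logins.items())
                if now - seen <= self.grace]


class Greylister:
    """Triplet greylisting with a postfix-gld-style per-domain auto-whitelist."""

    def __init__(self, delay=timedelta(minutes=5), lifetime=timedelta(hours=4),
                 domain_threshold=5):
        self.delay, self.lifetime = delay, lifetime
        self.domain_threshold = domain_threshold
        self.triplets = {}       # (client /24, sender, recipient) -> first seen
        self.domain_passes = {}  # sender domain -> mails that passed greylisting
        self.whitelisted = set()

    def check(self, client_ip, sender, recipient, now):
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in self.whitelisted:
            return "dunno"
        # Key on the sender's /24 so a retry from a neighbouring relay still
        # matches the original triplet (IPv4 only in this example).
        net = str(ip_network(f"{client_ip}/24", strict=False))
        key = (net, sender.lower(), recipient.lower())
        first = self.triplets.get(key)
        if first is None or now - first > self.lifetime:
            self.triplets[key] = now  # new (or expired) triplet: ask for a retry
            return "defer_if_permit Greylisted, please try again later"
        if now - first < self.delay:
            return "defer_if_permit Greylisted, please try again later"
        self.domain_passes[domain] = self.domain_passes.get(domain, 0) + 1
        if self.domain_passes[domain] >= self.domain_threshold:
            self.whitelisted.add(domain)  # enough passes: skip greylisting for the domain
        return "dunno"
```

The weak spot of pop-before-smtp is visible in `may_relay`: the grant is per IP address, so anyone behind the same NAT as a user who just checked mail can relay until the grace period runs out, which is why the article calls it imperfect rather than a substitute for SMTP authentication. The greylister's auto-whitelist trades a little safety for less retry delay: once a domain has passed the threshold, its mail skips greylisting entirely, so keep the threshold high enough that a single burst does not promote a domain you have never corresponded with.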
I hope this has been a useful look at some of the freely
available tools for stopping spam from infiltrating your organisation. These
are by no means the only ones, but this overview goes to show that fighting spam
effectively does not require a large budget or deep technical knowledge.
Have you successfully implemented greylisting? It
would be great to hear how you have overcome issues associated with it and
whether or not you decided to keep the system running.