From: egoitz on
>>>
>>
> Hi
>
> The trust in my own users led me to his post. The users are ignorant
> (not all, but..). No one cares about how to send, what to send, where to send;
> they just want to send more and more.
> I don't trust anyone, and my server too.
> I know that the outbound filtering is different. My intention is to
> scan all messages originating from my network and, based on spam scoring,
> to take the proper action. For the beginning let's say "if spam score is >
> 10" HOLD. This will give time to investigate the body of that email and
> decide what to do (pass or reject).
>

When I said trust I didn't mean that you should think your users
won't send spam. I meant that you shouldn't be relaxed because they're not
going to send spam... that is not what I tried to say. Basically, with the
trust sentence I meant that you have an agreement with them, and that if they
become spammers, knowing what they are doing, they can run into serious
problems... so it's not the same situation as an incoming mail relay, where
anyone will send you mail and has nothing signed with you; just that, not
that you should have blind trust in them. Apart from this... outgoing
mail is supposed to be mail generated by the need of your customer to
send a mail to another person... it's not the same as receiving mail
from everyone with any intention, like in an incoming relay.

I think that while on mail scanning machines you should look at content, in
outgoing mail scanning you should only check content if you have doubts about
someone. And how do you doubt someone? By seeing strange activity from them,
or seeing your server's reputation getting poorer, or seeing lots of delays of
some mails in your queue, or looking at the bounces your machine is
sending. I would only use content spam checkers such as SpamAssassin (that
would be my option in case I needed one) if I suspected someone. And also, as
people have commented here, on your outgoing mail machines it is nice too
to force SSL and the use of the submission port (normally bots don't talk
SSL and normally try to connect to port 25). Apart from this, I think human
intervention (on the part of your users) would be nice too for ensuring
they don't have malware on their desktops sending mails to addresses in
their address book. Something like... reject the message with a URL for
your users saying "click here (and the reason for this reject) if you want
to continue sending mail, because I have seen something suspect in your
activity"; then if your users don't take care of these notifications and
just hit the button located at that URL to continue sending mail...
then the second attempt to hit it on their part won't be valid, because
they should talk to you so you can check what they're doing.

I think this should be the correct behaviour and, as I said yesterday, I will
implement something for this kind of check on outgoing mail scanning
machines.

Of course this is my opinion and what experience tells me :).

Bye!!!!!!!!

From: Alex on
lst_hoe02(a)kwsoft.de wrote:
> Zitat von Alex <me(a)deltaindigo.ro>:
>
>>>
>> Hi
>>
>> The trust in my own users led me to his post. The users are
>> ignorant (not all, but..). No one cares about how to send, what to send,
>> where to send; they just want to send more and more.
>> I don't trust anyone, and my server too.
>> I know that the outbound filtering is different. My intention is
>> to scan all messages originating from my network and, based on spam
>> scoring, to take the proper action. For the beginning let's say "if spam
>> score is > 10" HOLD. This will give time to investigate the body of
>> that email and decide what to do (pass or reject).
>>
>
> Well done! As soon as you don't know personally all your users or can
> control what they are allowed to do like in a company network you
> should for sure scan the outbound mail for spam to detect spammers
> using your service before the complaints from others rush in. If the
> ISPs would do so, most of the spams would disappear. But instead even
> many of big mailprovider spit out spam day by day and rather
> spam-filter their abuse account to not get complaints.
>
> Regards
>
> Andreas
>
>
Hi

Thank you all for your opinions pro or contra.
Does anyone have an idea how to use a spam filter in a multiple instance
configuration?

Alex

From: egoitz on

>
> Let me give you an example. Let's say that at 3 am one mailbox is hacked
> and is used to send mails with no link, no click buttons, just lottery scam
> content and a reply address. You have enforced limits on your server and
> you don't allow sending more than n messages per hour, so that guy
> successfully sends those n emails. One or more destination addresses is a
> spam trap.
> Next day in the morning all you can see is that your IP(s) are listed in
> a bunch of RBLs and queues are full with messages.
> What I understand from you is how to deal with these situations, but what I
> intend to do is to prevent these situations.
>
> Thank you
>

Not really. At 3am perhaps it's a difficult moment, but during the day, when
the user logs in for retrieving mail and sending too, you could know if he is
logging in from a strange site and then you can block that user. For example:
imagine a user sends and retrieves mail in Spain. There's no easy
explanation (some users can do it... but it's not the normal situation) for
that user wanting, less than 5 minutes later, to send an email from...
Russia, for example... so you could block that user and allow the user to do it
later, or... perhaps bypass this kind of check for this user. But you can
surely control where the user is logging in from and so on... (this is one of
the algorithms, among others, I'm now working on). If I detect this activity I
block it, requiring his action. And you could also know how many mails a user
can normally send... if a user can normally send 100 mails... there's almost
no valid reason for that user to send more than those 100 mails in an
hour... so you could block it too, requiring his action to allow him.
You will have sent 100 but no more.

As I said, I'm working on this kind of algorithm to determine how to
implement this, but I think it's the solution for an outgoing relay. Later,
Postfix can implement sender_login_maps and several other things that can
help you trap spammers too. You could also check the connecting IP
(who is trying to send mail through your machine) to see in how many RBLs it
is listed... I have a script that does parallel RBL checks at the same time,
and you could determine how trustable that user is.... there are several
ways; you could even do an SPF check for outgoing mail, seeing if the From
the user is entering is OK to be sent from your machine. And IMHO
SpamAssassin is also less efficient and slower than this kind of check for
outgoing mail.

It's my opinion, as I said, and what I'm going to try, because I have seen
these things in my working experience. I'm going to improve my ideas and
develop this code, and well... then we could see how this works. As I say,
these are my ideas... others can have different ones :).

Bye!!!
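The login-location check sketched above (Spain, then Russia five minutes later), as an added example that is not the poster's code or project. It assumes every submission login has already been resolved to a coordinate (by a GeoIP lookup that is outside the example), uses an assumed speed ceiling of 1000 km/h, keeps a per-user bypass list for the users the poster says you might exempt, and blocks the user until an admin clears them. The users, addresses, places and times are constructed.

```python
"""Impossible-travel check for submission logins (added example, not the
poster's code). Assumes each login already carries a coordinate from a
GeoIP lookup done elsewhere."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: faster than any airliner

# Approximate city coordinates used for the constructed demo events.
MADRID = (40.4168, -3.7038)
MOSCOW = (55.7558, 37.6173)


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    ip: str        # kept for the audit trail; the distance uses lat/lon
    lat: float
    lon: float
    place: str     # human label used in the block reason


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


class TravelChecker:
    """Blocks a user whose consecutive logins imply an impossible speed."""

    def __init__(self, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                 exempt: Tuple[str, ...] = ()) -> None:
        self.max_speed_kmh = max_speed_kmh
        self.exempt: Set[str] = set(exempt)   # users allowed to bypass the check
        self.last: Dict[str, Login] = {}      # most recent login per user
        self.blocked: Dict[str, str] = {}     # user -> reason

    def observe(self, login: Login) -> str:
        """Return 'blocked', 'exempt', 'ok' or 'impossible-travel'."""
        if login.user in self.blocked:
            return "blocked"
        prev = self.last.get(login.user)
        self.last[login.user] = login
        if login.user in self.exempt:
            return "exempt"
        if prev is None:
            return "ok"                       # first login: nothing to compare
        dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
        # Treat logins in the same second as one second apart to avoid /0.
        hours = max((login.when - prev.when).total_seconds(), 1.0) / 3600.0
        if dist / hours > self.max_speed_kmh:
            self.blocked[login.user] = (f"{prev.place} -> {login.place}: "
                                        f"{dist:.0f} km in {hours * 60:.0f} min")
            return "impossible-travel"
        return "ok"

    def unblock(self, user: str) -> None:
        """Admin action after the user has been contacted."""
        self.blocked.pop(user, None)


def run_demo() -> List[Tuple[str, str]]:
    """Constructed login stream; returns (user, verdict) per event."""
    def t(h: int, m: int) -> datetime:
        return datetime(2009, 11, 6, h, m)

    events = [
        Login("alice", t(9, 0), "192.0.2.10", *MADRID, "Madrid"),
        Login("alice", t(9, 3), "192.0.2.10", *MADRID, "Madrid"),
        Login("alice", t(9, 5), "198.51.100.7", *MOSCOW, "Moscow"),  # 2 min later
        Login("alice", t(9, 6), "198.51.100.7", *MOSCOW, "Moscow"),  # already blocked
        Login("bob", t(9, 0), "192.0.2.11", *MADRID, "Madrid"),      # exempt user
        Login("bob", t(9, 4), "198.51.100.8", *MOSCOW, "Moscow"),
        Login("carol", t(9, 0), "192.0.2.12", *MADRID, "Madrid"),
        Login("carol", t(14, 0), "198.51.100.9", *MOSCOW, "Moscow"),  # 5 h: plausible
    ]
    checker = TravelChecker(exempt=("bob",))
    return [(e.user, checker.observe(e)) for e in events]


if __name__ == "__main__":
    for user, verdict in run_demo():
        print(f"{user:6} {verdict}")
```

The check is deliberately stateless beyond the last login per user, so it runs cheaply in front of submission; a real deployment would persist `last` and `blocked` outside the process and feed the block into the same reject-with-URL flow discussed earlier in the thread.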

From: LuKreme on
On 6-Nov-2009, at 01:07, lst_hoe02(a)kwsoft.de wrote:
> Well done! As soon as you don't know personally all your users or
> can control what they are allowed to do like in a company network
> you should for sure scan the outbound mail for spam to detect
> spammers using your service before the complaints from others rush
> in. If the ISPs would do so, most of the spams would disappear. But
> instead even many of big mailprovider spit out spam day by day and
> rather spam-filter their abuse account to not get complaints.


Actually, you are much better off rate-limiting outbound email than
scanning. Scanning is expensive, rate-limiting is very cheap.

If someone sends 100 messages in a minute, or 200 in 3 minutes, add
them to a blacklist until you can take a look and see what's going on.

Change the numbers to suit your users, of course. I could go with
20/100 for example, but that's too low for people who Cc a lot.

--
I WAS NOT THE INSPIRATION FOR "KRAMER"
Bart chalkboard Ep. 5F18

From: Egoitz Aurrekoetxea Aurre on
> lst_hoe02(a)kwsoft.de wrote:
>> Well done! As soon as you don't know personally all your users or
>> can control what they are allowed to do like in a company network
>> you should for sure scan the outbound mail for spam to detect
>> spammers using your service before the complaints from others rush
>> in. If the ISPs would do so, most of the spams would disappear. But
>> instead even many of big mailprovider spit out spam day by day and
>> rather spam-filter their abuse account to not get complaints.
>
>
> Actually, you are much better off rate-limiting outbound email than
> scanning. Scanning is expensive, rate-limiting is very cheap.

IMHO, if you check outbound mail this way, or perhaps better, the way I
have explained in previous mails that I'm working on, I'm pretty sure
you could perhaps get a more accurate way of avoiding sending spam
than scanning with SpamAssassin or any other content filter, because
they, like antivirus software with viruses, always go behind the new behaviours
of spammers in this situation (with spam filtering). My project will
be ready in perhaps 2 or 3 months with a BSD license.
>
> If someone sends 100 messages in a minute, or 200 in 3 minutes, add
> them to a blacklist until you can take a look and see what's going on.
>
> Change the numbers to suit your users, of course.

Of course, or you should also grab stats of how many each user sends
per day / per hour each week or so... and then adjust your limiters.
And I'd say that some PHP interface or similar is necessary, in which
a user can connect (because the URL has appeared in the reject message)
and reset the counter in case on one day they need to send some more
(human interaction)... of course a user should reset depending on why
you're calling for human interaction, but no more than two times for sure....
later the sysadmins of those mail machines should take a look at what's
going on.

> I could go with 20/100 for example, but that's too low for people
> who Cc a lot.
>
> --
> I WAS NOT THE INSPIRATION FOR "KRAMER"
> Bart chalkboard Ep. 5F18
>
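A rate limiter for the thresholds LuKreme gives above (100 messages in a minute, 200 in three minutes), combined with the bounded self-service reset Egoitz describes in this and the earlier message (the URL in the reject message works at most twice, then the sysadmin has to look), as an added example that is not either poster's code. It counts one Postfix smtpd `client=... sasl_username=` log line as one submitted message, so a message with many Cc recipients counts once, which is the bias LuKreme warns about. The log lines, users, host name and queue IDs are constructed, and the whole thing is an offline batch over those lines rather than a live policy daemon.

```python
"""Multi-window outbound rate limiter with a bounded self-service reset
(added example, not the thread's code). Parses constructed Postfix smtpd
log lines; one SASL-authenticated 'client=' line counts as one message."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Thresholds quoted in the thread: 100 in 1 minute, 200 in 3 minutes.
WINDOWS: Tuple[Tuple[timedelta, int], ...] = (
    (timedelta(minutes=1), 100),
    (timedelta(minutes=3), 200),
)
MAX_SELF_RESETS = 2   # "no more than two times", then talk to the admin

# Shape of a Postfix smtpd line for an authenticated client (assumed log format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=\S+, sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)


def parse_line(line: str, year: int = 2009) -> Optional[Tuple[datetime, str]]:
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["user"]


class SenderLimiter:
    def __init__(self, windows=WINDOWS, max_self_resets: int = MAX_SELF_RESETS):
        self.windows = windows
        self.longest = max(w for w, _ in windows)
        self.max_self_resets = max_self_resets
        self.history: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked: Dict[str, str] = {}              # user -> reason
        self.self_resets: Dict[str, int] = defaultdict(int)

    def submit(self, user: str, when: datetime) -> str:
        """Return 'accept', 'reject:rate' (just tripped) or 'reject:blocked'."""
        if user in self.blocked:
            return "reject:blocked"
        q = self.history[user]
        q.append(when)
        while q and when - q[0] > self.longest:       # drop what no window needs
            q.popleft()
        for window, limit in self.windows:
            n = sum(1 for t in q if when - t <= window)
            if n > limit:
                self.blocked[user] = f"{n} messages in {int(window.total_seconds())}s"
                return "reject:rate"
        return "accept"

    def self_reset(self, user: str) -> bool:
        """The button behind the URL in the reject message; bounded per user."""
        if self.self_resets[user] >= self.max_self_resets:
            return False                               # sysadmin has to look now
        self.self_resets[user] += 1
        self.blocked.pop(user, None)
        self.history[user].clear()
        return True

    def admin_reset(self, user: str) -> None:
        self.self_resets[user] = 0
        self.blocked.pop(user, None)
        self.history[user].clear()


def log_line(when: datetime, user: str, qid: str) -> str:
    """Constructed Postfix-style line (day padded to two columns like syslog)."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return (f"{ts} mx1 postfix/smtpd[2412]: {qid}: client=host.example.net[192.0.2.10], "
            f"sasl_method=PLAIN, sasl_username={user}")


def build_log() -> List[str]:
    base = datetime(2009, 11, 6, 3, 0, 0)
    # alice: five messages, one every ten minutes (normal use)
    lines = [log_line(base + timedelta(minutes=10 * i), "alice@example.com", f"A{i:04X}")
             for i in range(5)]
    # mallory: a hijacked mailbox pushing 105 messages in under a minute at 3 am
    lines += [log_line(base + timedelta(seconds=i // 2), "mallory@example.com", f"B{i:04X}")
              for i in range(105)]
    return lines


def run_demo():
    """Outcome counts per user, then the result of three self-service resets."""
    lim = SenderLimiter()
    outcomes: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    events = [e for e in map(parse_line, build_log()) if e is not None]
    for when, user in sorted(events):
        outcomes[user][lim.submit(user, when)] += 1
    resets = [lim.self_reset("mallory@example.com") for _ in range(3)]
    return {u: dict(c) for u, c in outcomes.items()}, resets


if __name__ == "__main__":
    print(run_demo())
```

The third `self_reset` returns False, which is the point at which the poster says the sysadmin, not the user, should be looking at the account; `admin_reset` is that manual path. Because blocked users are rejected before their timestamps are recorded, the history deque stays bounded by the longest window even under a sustained burst.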