From: Alex on
Hello

This is my first post on this list. I have a atypical configuration like :
- an MX server for inbound mails; this server is configured virtual
domains, graylisting , antivirus and antispam for all incoming mails; it
is also use for my users as a pop/imap/smtp server.
- all emails originating from my users (authenticated users) are relayed
to another servers. On this outgoing servers I have 3 to 8 postfix
instances on different ips. Each instance have a dedicated transport
for servers like yahoo , hotmail etc
Basically is one of my users want to send a email outside it must
authenticate to the smtp server. The smtp server relay that message to
one gateway server (round-robin fashion) and the gateway server send the
message to the destination.
What I am try to do is scan all outbound emails (I have a few
situations in witch a mail account was owned by spammers and use to send
spam). The scanner must be on the gateway servers not on the smtp server
because he can't take any more load.
About scanning software on the incoming server I use spamassassin
invoke from maildrop. On gateway server I try to use something more
light and I read about dspam .
I have a few questions for you:
- how can I use dspam or any other scanning software on my gateway
servers (multiple instance configuration) ?
- is dspam a good choice ?

Alex
Thank you

From: ram on
On Thu, 2009-11-05 at 11:47 +0200, Alex wrote:
> Hello
>
> This is my first post on this list. I have a atypical configuration like :
> - an MX server for inbound mails; this server is configured virtual
> domains, graylisting , antivirus and antispam for all incoming mails; it
> is also use for my users as a pop/imap/smtp server.
> - all emails originating from my users (authenticated users) are relayed
> to another servers. On this outgoing servers I have 3 to 8 postfix
> instances on different ips. Each instance have a dedicated transport
> for servers like yahoo , hotmail etc
> Basically is one of my users want to send a email outside it must
> authenticate to the smtp server. The smtp server relay that message to
> one gateway server (round-robin fashion) and the gateway server send the
> message to the destination.
> What I am try to do is scan all outbound emails (I have a few
> situations in witch a mail account was owned by spammers and use to send
> spam). The scanner must be on the gateway servers not on the smtp server
> because he can't take any more load.
> About scanning software on the incoming server I use spamassassin
> invoke from maildrop. On gateway server I try to use something more
> light and I read about dspam .
> I have a few questions for you:
> - how can I use dspam or any other scanning software on my gateway
> servers (multiple instance configuration) ?
> - is dspam a good choice ?
>
> Alex
> Thank you

Outbound scanning is slightly different from inbound. but in general you
need not scan and catch all the spam messages. Just one caught and you
immediately know which account is spewing spams

Dspam is not very effective ... Ofcourse thats my opinion YMMV.

If you find spamassassin too heavy maybe you can trim it yourself.
Remove all unnecessary cf files, especially the network DNS checks since
they are all irrelevant for outbound. You could even consider some
lightweight commercial plugin and remove all other rules



But other than scanning , implement the basic hygiene. Allow only strong
passwords , if possible block port 25 and use 587 , educate the users
about phishing etc. Also register for Feedback loops and watch out for
abuse complaints. All that is absolutely essential today for a outbound
mail relay.











From: Egoitz Aurrekoetxea Aurre on
Hi,

I think outgoing scans are a little different. You have some
advantages and disadvantages respect incoming mail scanning.
Advantages are that you know you're users and more or less what they
do.... or you have it controlled with some scripts. So you can
identify easier when a user is not behaving as always.... asumming
that perhaps someone has stolen him the password or has some worm on
his office network. You should be more trusting with you're users
because you have accepted too to give them service and because they
have signed a contract with them and because it's easier to stop the
problem if someone behaves like shouldnt. So... I advise you to check
theyr'e behaviour and then if you suspect from someone you should then
pass them mails through a mail scanning machine and perhaps even check
more concisely what they are doing.... but IMHO opinion you shouldn't
scan all his mail. You should too check you're mail queues and check
how is you're reputation in RBL as mail machine too....

I'm working on an utility for being used as outgoing mail controller
(better said than scanner) based on what I told you. It will be ready
in 3 or 4 months more :) :).

Hope I have instructed you a little on how to interact with outgoing
mail.

Bye mate!


El 05/11/2009, a las 11:26, ram escribió:

> On Thu, 2009-11-05 at 11:47 +0200, Alex wrote:
>> Hello
>>
>> This is my first post on this list. I have a atypical configuration
>> like :
>> - an MX server for inbound mails; this server is configured virtual
>> domains, graylisting , antivirus and antispam for all incoming
>> mails; it
>> is also use for my users as a pop/imap/smtp server.
>> - all emails originating from my users (authenticated users) are
>> relayed
>> to another servers. On this outgoing servers I have 3 to 8 postfix
>> instances on different ips. Each instance have a dedicated
>> transport
>> for servers like yahoo , hotmail etc
>> Basically is one of my users want to send a email outside it must
>> authenticate to the smtp server. The smtp server relay that message
>> to
>> one gateway server (round-robin fashion) and the gateway server
>> send the
>> message to the destination.
>> What I am try to do is scan all outbound emails (I have a few
>> situations in witch a mail account was owned by spammers and use to
>> send
>> spam). The scanner must be on the gateway servers not on the smtp
>> server
>> because he can't take any more load.
>> About scanning software on the incoming server I use spamassassin
>> invoke from maildrop. On gateway server I try to use something more
>> light and I read about dspam .
>> I have a few questions for you:
>> - how can I use dspam or any other scanning software on my gateway
>> servers (multiple instance configuration) ?
>> - is dspam a good choice ?
>>
>> Alex
>> Thank you
>
> Outbound scanning is slightly different from inbound. but in general
> you
> need not scan and catch all the spam messages. Just one caught and you
> immediately know which account is spewing spams
>
> Dspam is not very effective ... Ofcourse thats my opinion YMMV.
>
> If you find spamassassin too heavy maybe you can trim it yourself.
> Remove all unnecessary cf files, especially the network DNS checks
> since
> they are all irrelevant for outbound. You could even consider some
> lightweight commercial plugin and remove all other rules
>
>
>
> But other than scanning , implement the basic hygiene. Allow only
> strong
> passwords , if possible block port 25 and use 587 , educate the users
> about phishing etc. Also register for Feedback loops and watch out for
> abuse complaints. All that is absolutely essential today for a
> outbound
> mail relay.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

From: Alex on
Egoitz Aurrekoetxea Aurre wrote:
> Hi,
>
> I think outgoing scans are a little different. You have some
> advantages and disadvantages respect incoming mail scanning.
> Advantages are that you know you're users and more or less what they
> do.... or you have it controlled with some scripts. So you can
> identify easier when a user is not behaving as always.... asumming
> that perhaps someone has stolen him the password or has some worm on
> his office network. You should be more trusting with you're users
> because you have accepted too to give them service and because they
> have signed a contract with them and because it's easier to stop the
> problem if someone behaves like shouldnt. So... I advise you to check
> theyr'e behaviour and then if you suspect from someone you should then
> pass them mails through a mail scanning machine and perhaps even check
> more concisely what they are doing.... but IMHO opinion you shouldn't
> scan all his mail. You should too check you're mail queues and check
> how is you're reputation in RBL as mail machine too....
>
> I'm working on an utility for being used as outgoing mail controller
> (better said than scanner) based on what I told you. It will be ready
> in 3 or 4 months more :) :).
>
> Hope I have instructed you a little on how to interact with outgoing
> mail.
>
> Bye mate!
>
>
> El 05/11/2009, a las 11:26, ram escribió:
>
>> On Thu, 2009-11-05 at 11:47 +0200, Alex wrote:
>>> Hello
>>>
>>> This is my first post on this list. I have a atypical configuration
>>> like :
>>> - an MX server for inbound mails; this server is configured virtual
>>> domains, graylisting , antivirus and antispam for all incoming
>>> mails; it
>>> is also use for my users as a pop/imap/smtp server.
>>> - all emails originating from my users (authenticated users) are
>>> relayed
>>> to another servers. On this outgoing servers I have 3 to 8 postfix
>>> instances on different ips. Each instance have a dedicated transport
>>> for servers like yahoo , hotmail etc
>>> Basically is one of my users want to send a email outside it must
>>> authenticate to the smtp server. The smtp server relay that message to
>>> one gateway server (round-robin fashion) and the gateway server send
>>> the
>>> message to the destination.
>>> What I am try to do is scan all outbound emails (I have a few
>>> situations in witch a mail account was owned by spammers and use to
>>> send
>>> spam). The scanner must be on the gateway servers not on the smtp
>>> server
>>> because he can't take any more load.
>>> About scanning software on the incoming server I use spamassassin
>>> invoke from maildrop. On gateway server I try to use something more
>>> light and I read about dspam .
>>> I have a few questions for you:
>>> - how can I use dspam or any other scanning software on my gateway
>>> servers (multiple instance configuration) ?
>>> - is dspam a good choice ?
>>>
>>> Alex
>>> Thank you
>>
>> Outbound scanning is slightly different from inbound. but in general you
>> need not scan and catch all the spam messages. Just one caught and you
>> immediately know which account is spewing spams
>>
>> Dspam is not very effective ... Ofcourse thats my opinion YMMV.
>>
>> If you find spamassassin too heavy maybe you can trim it yourself.
>> Remove all unnecessary cf files, especially the network DNS checks since
>> they are all irrelevant for outbound. You could even consider some
>> lightweight commercial plugin and remove all other rules
>>
>>
>>
>> But other than scanning , implement the basic hygiene. Allow only strong
>> passwords , if possible block port 25 and use 587 , educate the users
>> about phishing etc. Also register for Feedback loops and watch out for
>> abuse complaints. All that is absolutely essential today for a outbound
>> mail relay.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
Hi

The trust in my own users led me to his post. The users are ignorant
(not all, but..). No one care about how send , what send, where send ,
thei just wnat to send more and more .
I don't trust anyone and my server too.
I know that the outbound filtering is different. My intention is to
scan all messages originating from my network and base on spam scoring
to take the proper action. For the beginning let say "if spam score is >
10" HOLD. This will give time to investigate the body of that email and
decide what to do (pass or reject).

From: lst_hoe02 on
Zitat von Alex <me(a)deltaindigo.ro>:

>>
> Hi
>
> The trust in my own users led me to his post. The users are
> ignorant (not all, but..). No one care about how send , what send,
> where send , thei just wnat to send more and more .
> I don't trust anyone and my server too.
> I know that the outbound filtering is different. My intention is
> to scan all messages originating from my network and base on spam
> scoring to take the proper action. For the beginning let say "if
> spam score is > 10" HOLD. This will give time to investigate the
> body of that email and decide what to do (pass or reject).
>

Well done! As soon as you don't know personally all your users or can
control what they are allowed to do like in a company network you
should for sure scan the outbound mail for spam to detect spammers
using your service before the complaints from others rush in. If the
ISPs would do so, most of the spams would disappear. But instead even
many of big mailprovider spit out spam day by day and rather
spam-filter their abuse account to not get complaints.

Regards

Andreas