Solved

Anti spam solution for Sendmail

Posted on 2006-05-08
1,177 Views
Last Modified: 2013-12-17
Hi

I would like to get some recommendations regarding an anti-spam solution for a sendmail/RHEL4 server running some 15000 users with about 500 virtual domains.
Today I am using some free RBLs to stomp spam, but users are complaining about some legitimate email not being relayed through the server. I have checked these cases and found that they have been stopped by one of the RBLs configured.

What I am looking for is anti-spam software that I can install on my mail server, which contains anti-virus & anti-spam filters that can be controlled by
a web interface; for example, if one user receives an email which is suspected to be spam, he/she gets an email and the user can log into a web interface and check some quarantine.

I am open to any suggestions; for the moment I have a huge amount of spam in some important mailboxes, for example the registry@...

I would also like some advice to enhance my sendmail configuration. This is my sendmail.mc:

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl define(`confLOG_LEVEL', `9')dnl
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtuser.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`enhdnsbl', `sbl.spamhaus.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.spamhaus.org/sbl/"')dnl
FEATURE(`enhdnsbl', `list.dsbl.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.dsbl.org/"')dnl
dnl FEATURE(`enhdnsbl',`dnsbl.sorbs.net',`"554 Mail From " $&{client_addr}" refused see: http://www.dnsbl.sorbs.net/"')dnl
FEATURE(`enhdnsbl', `relays.ordb.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.ordb.org/faq/\#why_rejected"')dnl
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
define(`confTO_IDENT', `0')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `30')dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`MAX_MESSAGE_SIZE', `10000000')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`greet_pause', `2000')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.84.4, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl INPUT_MAIL_FILTER(`clmilter',`S=local:/var/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:360s;R:360s;E:15m')dnl
define(`confINPUT_MAIL_FILTERS', `mimedefang')dnl
HACK(`popauth')dnl
dnl define(`confINPUT_MAIL_FILTERS', `clmilter')
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

I am running pop-before-smtp; the spam problem has not been worse since I started using it. It's about the same as before.

Best Regards, Rickard
Question by:r_svoren
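The enhdnsbl lines in the sendmail.mc above all work the same way: sendmail reverses the octets of the connecting client's address, appends the list's zone, and rejects with a 550 if the name resolves to a 127.0.0.x answer. The following added example (not code from the thread or from sendmail) shows that lookup and verdict logic in Python, with a constructed in-memory resolver in place of real DNS so it runs offline; the zone names are the ones in the question plus jar3817's dul.dnsbl.sorbs.net, and the listed addresses are made up.

```python
import ipaddress

# Zones from the question's sendmail.mc, plus the narrower dynamic-IP list
# suggested in the thread instead of dnsbl.sorbs.net.
ZONES = ["bl.spamcop.net", "sbl.spamhaus.org", "list.dsbl.org", "dul.dnsbl.sorbs.net"]

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup resolves: IPv4 octets reversed, then the
    zone. This is what FEATURE(`enhdnsbl') makes sendmail query for ${client_addr}."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_client(ip, zones, resolve):
    """Return [(zone, answer), ...] for every zone that lists `ip`.
    `resolve(name)` returns the A record as a string, or None for NXDOMAIN.
    Only answers inside 127.0.0.0/8 count as listings; anything else is treated
    as a DNS problem and ignored, so a broken list does not reject all mail."""
    hits = []
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) in loopback:
            hits.append((zone, answer))
    return hits

def smtp_verdict(ip, zones, resolve):
    """Mimic the reply sendmail gives: 550 reject naming the first listing zone."""
    hits = check_client(ip, zones, resolve)
    if not hits:
        return "250 OK"
    zone, code = hits[0]
    return "550 Mail from %s refused - listed in %s (%s)" % (ip, zone, code)

# Constructed fake DNS data standing in for the real lists (offline demo only).
FAKE_DNS = {
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",          # conventional DNSBL test entry
    "2.0.0.127.sbl.spamhaus.org": "127.0.0.2",
    "7.1.168.192.dul.dnsbl.sorbs.net": "127.0.0.10",  # made-up dynamic-IP listing
}

def fake_resolve(name):
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.168.1.7", "203.0.113.5"):
        print(ip, "->", smtp_verdict(ip, ZONES, fake_resolve))
```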
10 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 16629997
Well, you already have MIMEDefang (or at least the MILTER entry for it), and that's an excellent anti-SPAM tool. Check out the MIMEDefang website (http://www.mimedefang.org), especially the wiki, for configuration tips and filter code. I've found HELO checks to be more effective than blacklists.

I'll have some more info for you when I have a chance to sit down and write it. In the meantime, see if you also have Clam Anti-Virus (ClamAV, http://www.clamav.net). It may be used via MIMEDefang, and so would not show up in the sendmail configuration.

Finally, before you go twiddling with your sendmail configuration, take some time to sit down and understand what it currently does, and document it. For some guideposts, see the Practical Modern sendmail Configuration article at --> http://dave.trianglenug.org, especially the sample sendmail.mc file in the Resources section.
 
LVL 26

Expert Comment

by:jar3817
ID: 16630591
My first suggestion would be to stop using dnsbl.sorbs.net. It is a very aggressive list and often legit servers get placed on it. I had to stop using it because many hotmail, yahoo, and rr.com mail servers were getting listed. Instead you could use just their dynamic IP list dul.dnsbl.sorbs.net.

You might want to think about something like greylisting. It rejects all incoming mail *the first time* with a tempfail 40x error, forcing the sending server to retry. Nearly all legit servers will retry, while spammers do not. Once the message is resent, the sender (IP and email) is whitelisted and stored for a period of time. I'm in the research stage of implementing that now on my servers.
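The greylisting policy jar3817 describes, written out as an added example (not code from the thread, DSPAM, MIMEDefang or any other tool named here): the first delivery attempt for a (client IP, sender, recipient) triplet gets a 451 temporary failure, a retry after a minimum delay is accepted and the triplet is whitelisted for a while. The minimum-delay rule and the timeouts are assumptions taken from common greylisting practice, and the clock is injectable so the demo runs without waiting.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet."""

    def __init__(self, min_delay=300, pending_ttl=4 * 3600,
                 whitelist_ttl=36 * 24 * 3600, now=time.time):
        self.min_delay = min_delay          # retries faster than this stay temp-failed
        self.pending_ttl = pending_ttl      # how long a first attempt is remembered
        self.whitelist_ttl = whitelist_ttl  # how long an accepted triplet stays known
        self.now = now                      # clock, replaceable for testing
        self.pending = {}                   # triplet -> time of first attempt
        self.whitelist = {}                 # triplet -> expiry time

    def decide(self, client_ip, sender, rcpt):
        key = (client_ip, sender.lower(), rcpt.lower())
        t = self.now()
        expiry = self.whitelist.get(key)
        if expiry is not None:
            if t < expiry:
                self.whitelist[key] = t + self.whitelist_ttl   # refresh on use
                return ACCEPT
            del self.whitelist[key]                            # stale, fall through
        first = self.pending.get(key)
        if first is None or t - first > self.pending_ttl:
            self.pending[key] = t            # new (or forgotten) triplet: temp-fail it
            return TEMPFAIL
        if t - first < self.min_delay:
            return TEMPFAIL                  # immediate retry, not a real queue run
        del self.pending[key]                # genuine retry: accept and whitelist
        self.whitelist[key] = t + self.whitelist_ttl
        return ACCEPT

def demo():
    """Constructed exchange: a real MTA retrying at 1 min and then 11 min."""
    clock = [1000.0]
    g = Greylist(now=lambda: clock[0])
    triplet = ("203.0.113.5", "alice@example.org", "registry@example.com")
    results = [g.decide(*triplet)]       # first attempt: 451
    clock[0] += 60
    results.append(g.decide(*triplet))   # retry too soon: still 451
    clock[0] += 600
    results.append(g.decide(*triplet))   # proper retry: 250, now whitelisted
    clock[0] += 86400
    results.append(g.decide(*triplet))   # next day: 250 straight away
    return results

if __name__ == "__main__":
    print(demo())
```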
 
LVL 34

Expert Comment

by:PsiCop
ID: 16635325
Actually, there's been some chatter recently on the MIMEDefang mailing list, specifically about how SPAMmers are on to greylisting and are starting to retry when TEMPFAILed. I'm not saying that greylisting is a bad idea or that it won't help, but it seems to be less effective than it once was.
 
LVL 14

Expert Comment

by:canali
ID: 16648476
I agree with PsiCop about the clmilter line in your mc file (now you are processing mail twice); mimedefang should do all the jobs (antivirus and antispam).
Probably you don't need procmail (comment it out...).
Popauth (pop before smtp) doesn't change anything about spam...

DSPAM is a possible solution to the quarantine check.
It has a quarantine folder, so it gives the user the ability to identify the occasional false positive and re-learn them as innocent emails; when your antispam is working well, disable aggressive RBLs so you don't lose mail.

http://dspam.nuclearelephant.com/

_GAS_
 
LVL 3

Expert Comment

by:pcaioo
ID: 16664085
Try adding cbl.anti-spam.org.cn.
 
LVL 3

Author Comment

by:r_svoren
ID: 16665188
DSPAM looks nice. Are you using the software?
 
LVL 14

Expert Comment

by:canali
ID: 16671463
I'm using it on some production sites because amavisd-new has DSPAM support. Right now my mail servers are usually sendmail + ClamAV + BitDefender + SpamAssassin + DSPAM with a central quarantine, but I need quarantine per user. Probably in the next month I'll start testing something, putting it behind a standard installation.
Production site (not really production, it's my mail server) (MTA, amavisd-new, ClamAV, BitDefender, SpamAssassin) -> forward all the mail to Test Site (MTA, ClamAV, BitDefender, DSPAM native), look at the difference in mail passed, and switch the test site to frontend... I need to know it very well before I deploy it to my customers.
My idea is also to try amavis with a light SpamAssassin (tuned, not aggressive) with central quarantine (nobody asks me for those mails) and DSPAM as local delivery agent with user quarantine.
I think DSPAM is an interesting and emerging antispam software.

_GAS_

 
LVL 7

Expert Comment

by:icky2000
ID: 16786818
It is worth thinking a little about the configuration you've asked for. Your plan is to replace every spam message a user receives with a new email that informs them a spam message has been caught. Most users will then log in to the website to look at the message and determine if they want to delete it or not. This takes three times as long as actually deleting the message itself and seems worthless to me. It helps if you can include the sender and subject line on the alert email they get but still, they are receiving the same number of messages before and it is just as big a nuisance for most users. In environments I've been in where management asks for this feature, users have complained and eventually we stop sending the emails and users can just log in to check the web site for caught mail once a week or as often as they wish to or ignore it completely unless something they were expecting didn't get through.

I agree with jar3817 about not using that particular RBL. I encounter a ton of these things built by people who don't have to support business critical installations where you can't get away with blocking all mail from AOL, etc. Most companies would find this disastrous.

There is another spam solution worth looking at and that is offloading the workload to a third party. Fighting spam takes up a lot of your time. Postini provides a very good service that does everything you've mentioned and you don't have to futz with it constantly. Unless you want to, in which case there are plenty of options discussed above.
 
LVL 3

Author Comment

by:r_svoren
ID: 16796056
Are you actually using Postini?
 
LVL 7

Accepted Solution

by: icky2000 (earned 1500 total points)
ID: 16798194
Yeah, we're using Postini. Typically they have been very good (I'm only a customer, no affiliation). Bad timing here, however, as they had a rough day yesterday with some rare slowdowns on their system that caused up to 30 minute delays for mail during the middle of the day. They communicated well during all of this with their customers but it still hurts. I still suspect their uptime is as good as most and as good as it would be if I were running it in-house.
