Anti spam solution for Sendmail
Asked by r_svoren
Hi
I would like to get some recommendations regarding an antispam solution for a sendmail/RHEL4 server running some 15000 users with about 500 virtual domains.
Today I am using some free RBLs to stop spam, but users are complaining about some legitimate email not being relayed through the server. I have checked these cases and found that they have been stopped by one of the RBLs configured.
What I am looking for is antispam software that I can install on my mail server which contains antivirus & antispam filters that can be controlled by
a web interface, for example if a user receives an email which is suspected to be spam he/she gets an email and the user can log into a web interface and check some quarantine.
I am open to any suggestions; for the moment I have a huge amount of spam in some important mailboxes, for example the registry@...
I would also like some advice to enhance my sendmail configuration; this is my sendmail.mc:
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl define(`confLOG_LEVEL', `9')dnl
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtuser.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
FEATURE(local_procmail,`', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`enhdnsbl', `sbl.spamhaus.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.spamhaus.org/sbl/"')dnl
FEATURE(`enhdnsbl', `list.dsbl.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.dsbl.org/"')dnl
dnl FEATURE(`enhdnsbl',`dnsbl.sorbs.net',`"554 Mail From " $&{client_addr}" refused see: http://www.dnsbl.sorbs.net/"')dnl
FEATURE(`enhdnsbl', `relays.ordb.org',`"550 Mail From " $`'&{client_addr}" refused - see http://www.ordb.org/faq/\#why_rejected"')dnl
define(`confCONNECTION_RATE_THROTTLE', `10')
define(`confTO_IDENT', `0')
define(`confMAX_RCPTS_PER_MESSAGE', `30')dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`MAX_MESSAGE_SIZE', `10000000')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`greet_pause', `2000')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=192.168.84.4, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
dnl INPUT_MAIL_FILTER(`clmilter',`S=local:/var/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:360s;R:360s;E:15m')
define(`confINPUT_MAIL_FILTERS', `mimedefang')dnl
HACK(`popauth')dnl
dnl define(`confINPUT_MAIL_FILTERS', `clmilter')
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
I am running pop-before-smtp; the spam problem has not got worse after I started using it. It's about the same as before.
Best Regards, Rickard
My first suggestion would be to stop using dnsbl.sorbs.net. It is a very aggressive list and often legit servers get placed on it. I had to stop using it because many hotmail, yahoo, and rr.com mail servers were getting listed. Instead you could use just their dynamic IP list dul.dnsbl.sorbs.net.
You might want to think about something like greylisting. It rejects all incoming mail *the first time* with a tempfail 40x error, forcing the sending server to retry. Nearly all legit servers will retry, while spammers do not. Once the message is resent the sender (IP and email) is whitelisted and stored for a period of time. I'm at the research stage of implementing that now on my servers.
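The greylisting scheme described above, as an added example that is not part of the original post and not code from any greylisting package: the key is the (client IP, envelope sender, envelope recipient) triplet, the first sight gets a 451 temporary failure, and a retry after a minimum delay promotes the triplet to a whitelist for a period. The delay and lifetime values, the client address and the mailboxes are assumptions and constructed values; it also counts retries that come back too quickly, since a real MTA backs off for minutes before retrying.

```python
"""Greylisting decision logic for an SMTP front end.

Added example; not code from the thread or from any greylisting package.
Client addresses and mailboxes are constructed (RFC 5737 / example domains).
The delay and lifetime values are assumptions to tune per site.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300                  # seconds a sender must wait before a retry counts
    pending_ttl: int = 4 * 3600           # forget first-seen triplets that never come back
    whitelist_ttl: int = 36 * 24 * 3600   # how long a proven triplet stays whitelisted
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    whitelist: Dict[Triplet, float] = field(default_factory=dict)
    early_retries: Dict[str, int] = field(default_factory=dict)  # per-IP retries that came too soon

    def decide(self, client_ip: str, sender: str, rcpt: str,
               now: Optional[float] = None) -> str:
        """Return the SMTP response the MTA should give for this RCPT."""
        now = time.time() if now is None else now
        key: Triplet = (client_ip, sender.lower(), rcpt.lower())

        # 1. Known-good triplet: accept and refresh its lifetime.
        expires = self.whitelist.get(key)
        if expires is not None:
            if now < expires:
                self.whitelist[key] = now + self.whitelist_ttl
                return ACCEPT
            del self.whitelist[key]          # whitelist entry aged out; start over

        # 2. First sight (or a stale pending entry): record it and tempfail.
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.pending_ttl:
            self.first_seen[key] = now
            return TEMPFAIL

        # 3. Retry too soon: real MTAs back off for minutes; count it and keep tempfailing.
        if now - seen < self.min_delay:
            self.early_retries[client_ip] = self.early_retries.get(client_ip, 0) + 1
            return TEMPFAIL

        # 4. Proper retry: promote the triplet to the whitelist.
        del self.first_seen[key]
        self.whitelist[key] = now + self.whitelist_ttl
        return ACCEPT

    def expire(self, now: Optional[float] = None) -> None:
        """Housekeeping: drop aged pending and whitelist entries."""
        now = time.time() if now is None else now
        self.first_seen = {k: t for k, t in self.first_seen.items() if now - t <= self.pending_ttl}
        self.whitelist = {k: e for k, e in self.whitelist.items() if now < e}


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    msg = ("192.0.2.7", "news@example.org", "registry@example.net")  # constructed
    for offset in (0, 30, 600, 700):
        print(f"t+{offset:>4}s -> {g.decide(*msg, now=t0 + offset)}")
    print("early retries per IP:", g.early_retries)
```

In production the two dictionaries would live in a shared store so every MTA front end sees the same triplets, and the `early_retries` counter is worth exporting to your logs: a client that hammers the same triplet every few seconds is behaving like a bulk sender, which is the signal you have left once senders start retrying at all.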
Actually, there's been some chatter recently on the MIMEDefang mailing list, specifically about how spammers are on to greylisting and are starting to retry when TEMPFAILed. I'm not saying that greylisting is a bad idea or that it won't help, but it seems to be less effective than it once was.
I agree with PsiCop about the clmilter line in your mc file (now you are processing mail twice); mimedefang should do all the jobs (antivirus and antispam).
Probably you don't need procmail (comment it out...).
Popauth (pop before smtp) doesn't change anything about spam...
DSPAM is a possible solution to the quarantine check.
It has a quarantine folder, so it gives the user the ability to identify the occasional false positive and re-learn them as innocent emails; when your antispam is working well, disable aggressive RBLs so you don't lose mail.
http://dspam.nuclearelephant.com/
_GAS_
try to add cbl.anti-spam.org.cn
ASKER
DSPAM looks nice, are you using the software?
I'm using it on some production sites because amavis-new has DSPAM support; now usually my mail servers are sendmail + clamav + bitdefender + spamassassin + dspam with central quarantine, but I need quarantine per user. Probably in the next month I'll start testing, putting it behind a standard installation.
Production site (not really production, it's my mail server) (MTA, amavis-new, clamav, bitdefender, spamassassin) -> forward all the mail to Test Site (MTA, clamav, bitdefender, DSPAM native), look at the difference in mail passed, and then switch the test site to be the frontend ... I need to know it very well before deploying it to my customers.
My idea is also to try amavis with a light spamassassin (tuned, not aggressive) with central quarantine (nobody asks me for those mails) and dspam as local delivery agent with user quarantine.
I think DSPAM is interesting and emerging antispam software.
_GAS_
It is worth thinking a little about the configuration you've asked for. Your plan is to replace every spam message a user receives with a new email that informs them a spam message has been caught. Most users will then log in to the website to look at the message and determine if they want to delete it or not. This takes three times as long as actually deleting the message itself and seems worthless to me. It helps if you can include the sender and subject line on the alert email they get but still, they are receiving the same number of messages before and it is just as big a nuisance for most users. In environments I've been in where management asks for this feature, users have complained and eventually we stop sending the emails and users can just log in to check the web site for caught mail once a week or as often as they wish to or ignore it completely unless something they were expecting didn't get through.
I agree with jar3817 about not using that particular RBL. I encounter a ton of these things built by people who don't have to support business critical installations where you can't get away with blocking all mail from AOL, etc. Most companies would find this disastrous.
There is another spam solution worth looking at and that is offloading the workload to a third party. Fighting spam takes up a lot of your time. Postini provides a very good service that does everything you've mentioned and you don't have to futz with it constantly. Unless you want to, in which case there are plenty of options discussed above.
ASKER
Are you actually using Postini?
ASKER CERTIFIED SOLUTION
I'll have some more info for you when I have a chance to sit down and write it. In the mean time, see if you also have Clam Anti-Virus (ClamAV, http://www.clamav.net). It may be used via MIMEDefang, and so would not show up in the sendmail configuration.
Finally, before you go twiddling with your sendmail configuration, take some time to sit down and understand what it currently does, and document it. For some guideposts, see the Practical Modern sendmail Configuration article at http://dave.trianglenug.org, especially the sample sendmail.mc file in the Resources section.