Spam Filtering For Small/Medium Business? 453
or_is_it writes "The company I work for has been growing dramatically and I've been charged with the task of being the gatekeeper for our GFI Spam filters. This involves manually inspecting the subject line/to/from for all caught messages in each filter rule folder. For a company of about 50 people, in one day the number of spam messages can exceed 2,000. Neglect it for a day and you end up with quite a task on your hands. I've made the rules lax enough so important messages can go through, along with a few stray spams, for which I get bitched at. Tighten the rules up and then maybe an important time-sensitive email never gets to its intended recipient, and I get bitched at. Manually reading through all those subject lines is supposed to prevent that, but I'm only human and genuine messages can easily get overlooked. How do larger organizations deal with the spam issue? I can't imagine having one centralized person manually inspecting everyone's junk-mail header is the optimal solution. Purchasing a different commercial mail filter product is a possibility, but I'd like to hear some anecdotal evidence before jumping ship."
Client-based? (Score:5, Informative)
Barracuda SPAM filter (Score:4, Informative)
dajones70 (Score:2, Informative)
Postini (Score:3, Informative)
For the record, Google purchased Postini in the not to distant past.
OpenBSD spamd (Score:5, Informative)
ESVA all day long (Score:3, Informative)
Inside, there is greylisting and MailScanner. Within MailScanner, there is SpamAssassin, some RBL, ClamAV and all sorts of things.
For my organization, I find that in addition to everything else "stock" I can safely filter out all countries but the U.S. since we don't do business outside of our state, let alone our country... so it's safe to assume that anything from outside the US will be spam.
It is extremely effective. I have helped to get the VM set up in environments with multiple domains and it works very well too.
One problem with it is that it is rapidly aging. The user community has made some effort to get the VM up to date in some ways, but the 2.0 version as far as anyone can tell is still in discussion and planning. The project creator and leader is a one-man-show and he seems to have a life outside of this project for some reason. The user community is frantic to get something to replace the aging 1.7.1.5 machine we all use as the reference point for our installs.
This is largely a known-solved problem (Score:5, Informative)
Meanwhile, here is some general guidance. First, do not waste your money on commercial products -- they're expensive, poorly-maintained, and in many cases (e.g. Barracuda) actually make the spam problem worse via backscatter. (There are now several thousand Barracudas on a communally-maintained blacklist, making it obvious to everyone working in this field that Barracuda is completely incompetent.) Second, do invest your money and time in open-source solutions: it is easy for anyone who possesses baseline competence in mail to craft their own, superior spam handling system using postfix or sendmail or another open-source MTA, DNSBLs, RHSBLs, judicious configuration, and other tools such as rbldnsd, mimedefang, SpamAssassin, ClamAV, and so on. Third, a little googling will reveal near-cookbook procedures for combining these pieces of software together into a useful system; which cookbook procedure is appropriate for you depends on your environment -- which brings me to the fourth point, which is that you need to perform log analysis in order to understand your particular mix of spam/not-spam. Everyone's is different, which is why one-size-fits-all solutions usually fail. Only after you have some clue about the size and shape of your problem will you be able to determine which approach(es) are likely to minimize both false negatives (FN) and false positives (FP).
As an aside, one set of highly effective anti-spam tactics involves enforcing RFC requirements that have been in place for many years: for example, all mail servers must have rDNS; that rDNS must resolve to a host which in turn resolves back to the IP; the domain of the host must exist; the host must HELO as a valid FQDN or bracketed-quad IP; the envelope-sender's domain must exist; the host must not HELO as you; the host must wait for the SMTP greeting before HELO'ing; the host must handle a multi-line SMTP greeting; the MX records for the host must point to valid IP space; and so on. Enforcement of these requirements yields differing rates of spam control (which is again why log analysis is crucial) but has the very valuable property that it can be done at low computational and bandwidth cost. Substantial experience with these suggests that enabling them and augmenting them with a few DNSBLs (especially the Spamhaus Zen zone) is enough to deal with the overwhelming majority of the spam problem at most sites, reducing what's left to a much smaller issue to be dealt with.
Combined effort is necessary (Score:4, Informative)
dnsbl/enhdnsbl is enabled for zen.spamhaus.org, bl.spamcop.net, combined.njabl.org, list.dsbl.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net and sbl-xbl.spamhaus.org. With all these enabled there are very few spam messages falling through.
Adding to this I am using Mozilla Thunderbird which has a very good intelligent junk mail filter. The only disadvantage is that the junk mail filter has to learn what's junk or not.
The use of dnsbl/enhdnsbl also does bounce back to the sender with a reasonable message for the cases where a message is denied so the sender shall be informed about any messages that are denied. Of course - it isn't fool-proof, but it works for me.
Re:Frontbridge Spamshark (Score:2, Informative)
And more false posistives than you would actually like to have. I've been at the business end of one of Frontbridge's blacklists. One of the domains I admin got blacklisted a full three weeks after the hosting company screwed up and let phishers set up a paypal scam site as the "test1" user to live for all of 22 hours. Three weeks later, one of the company's main customers, who happens to be a frontbridge customer, is no longer able to receive mail from us. A an unfinished writeup is at bsdly.net [bsdly.net] - I just gave up in disgust after trying to write an article about the incident.
Re:Combined effort is necessary (Score:3, Informative)
Re:Combined effort is necessary (Score:5, Informative)
Do you generate a bounce, or do you reject with a 500 error and a proper message at spam time? You should not generate a bounce to remote mail. Ever. This is the cause of e-mail backscatter and is a significant problem. Always reject at SMTP time with a 500 error.
Re:dajones70 (Score:3, Informative)
http://www.mailscanner.info/ [mailscanner.info]
Our organisation runs 5 Linux Servers around the UK for mail services and they are all using MailScanner + Postfix + SpamAssassin + ClamAV + Bitdefender.
Great installation instructions (all-but bitdefender) here: http://www.hughesjr.com/content/view/14/ [hughesjr.com]
The mailing list for MailScanner is very well supported by the users and the devs.
ASSP is your answer (Score:3, Informative)
In a company of about 75 email accounts it has blocked 4 million spams in a little over a year.
The false negative rate is so low it might as well be zero, and the false positive rate as well.
It uses among many other things whitelists,so your people never miss an email from an established contact, redlists, so a known spammer cannot ever be accidentally added to the whitelist, does spf checking, checks headers against spoofing, has an antivirus component, can forward a copy of all spam to a spamlover address and much much more.
and its free.
For a single sbs server, you can install it on the same box and zero out of pocket costs except for your time to install it (I would personally budget 20 hours for R&D for a first time administrator to install it).
Please email me if you want more detailed information on how it works for my clients. I can also put you in contact with end users at the executive level of these companies to ask how they like it (the final litmus test)
Good luck
Re:Barracuda SPAM filter (Score:1, Informative)
As for fighting spam, the best practice is education of your users. If they want to subscribe to Victoria Secrets mailing list (which they sell) tell them to send an optout to the reseeling of their name. Let your users know how they get sucked into spam.
For a server based fight: Set-up a 450 or no response or a
Re:Barracuda SPAM filter (Score:1, Informative)
Maybe it is just stupid admins who don't know how to configure it, but some of the rules seem ridiculous.
For example I had a customer who wanted a receipt, I sent them a link to their receipt page. After they complained about not getting a response it turned out Barracuda was configured to block anything with an https link in it. There was no notification to the sender that the e-mail was blocked either.
Bottom line spam filters don't work. Your users will lose e-mail they need. I think admins who like Barracuda are fooling themselves, it seems to be blocking spam, they just don't realize how much else it is blocking.
Re:Combined effort is necessary (Score:4, Informative)
From experience: you only need Spamhaus Zen and SpamCop for connection checking.
If you parse DATA before you accept it, you should incorporate URIBL.COM it's very good, and helps catch Yahoo and Gmail spam (which will get past Spamhaus and Spamcop all the time) because it scans bodies for naughty links
dsbl.org is REDUNDANT -- incorporated in Spamhaus Xen.
Spamhaus SBL-XBL -- incorporated in Spamhaus Xen.
NJABL.org is dead and a mirror of the CBL, I believe (-- incorporated in Spamhaus Xen also)
Never send bounce notices for spam. What notices leave your server are likely going to forged From: addresses....
Re:Barracuda SPAM filter (Score:3, Informative)
Email systems that do not do this, yet do not send a bounce message "break" email. Possible to get a false positive and block a legit email with no error message back to sender. This is never a desired operation. If the message get a spam designation and the transaction is ended at smtp time, the onus returns to the sending server to create and deliver the error message back to the sender. For spam, no problem they dont do it anyway, and for ham that was false-positived, the sender gets a descriptive notice why.
Re:Combined effort is necessary (Score:2, Informative)