
Best practice: Spam-filtering outgoing e-mail


Vegard Svanberg

Mar 16, 2010, 10:40:13 AM
Hi,

we are trying to mitigate the impact of having infected users, brute
force hacked webmail accounts etc. sending (large amounts of) outbound
spam.

The best idea we've come up with so far is to perform outbound spam
filtering following these rules (it's a bit more complicated than this,
but this is the big picture):

- Spam scoring (Spamassassin). If spam:
- Put the mail on hold
- Add an iptables rule rejecting the IP
- Notify postmaster/abuse

This is relatively easy to accomplish technically. However I would like
some input on what methods people out there use to combat/minimize
outbound spam.

Also, if anyone out there has implemented something similar (or not
similar :) ) to what's described above, I'd love to hear about it.

Thanks!

--
Vegard Svanberg <veg...@svanberg.no> [*Takapa@IRC (EFnet)]

ram

Mar 16, 2010, 11:43:49 AM

On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
> Hi,
>
> we are trying to mitigate the impact of having infected users, brute
> force hacked webmail accounts etc. sending (large amounts of) outbound
> spam.
>
> The best idea we've come up with so far is to perform outbound spam
> filtering following these rules (it's a bit more complicated than this,
> but this is the big picture):
>
> - Spam scoring (Spamassassin). If spam:
> - Put the mail on hold
> - Add an iptables rule rejecting the IP
> - Notify postmaster/abuse
>

Also,

* Implement ratelimits both inside postfix and in webmail
* Have strong password policies
* Sign up for Feedback loops and monitor the feedback address closely
* In webmail write scripts to alert you if someone adds a large
multiline signature


We tried blocking outbound spam using a commercial scanner but the FPs
are far too many to be used in production. So we just alert a human on
these spams and manually intervene if the account needs to be blocked.
Of course some spams do get through by the time :-(

mouss

Mar 16, 2010, 6:07:27 PM
Vegard Svanberg wrote:

> Hi,
>
> we are trying to mitigate the impact of having infected users, brute
> force hacked webmail accounts etc. sending (large amounts of) outbound
> spam.
>
> The best idea we've come up with so far is to perform outbound spam
> filtering following these rules (it's a bit more complicated than this,
> but this is the big picture):
>
> - Spam scoring (Spamassassin). If spam:
> - Put the mail on hold
> - Add an iptables rule rejecting the IP
> - Notify postmaster/abuse
>
> This is relatively easy to accomplish technically. However I would like
> some input on what methods people out there use to combat/minimize
> outbound spam.
>
> Also, if anyone out there has implemented something similar (or not
> similar :) ) to what's described above, I'd love to hear about it.
>

running outbound mail through a "standard" spam filter is good, but it's
not enough. most "standard" spam checks are based on origin (DNSBL, ...
etc) which are useless in the case of outbound spam.

for outbound mail, you need to detect that a user/box is sending too
much mail (in short: rate limit).
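The per-account rate detection ram and mouss describe, as an added example (not code from anyone in the thread), written in the shape of a Postfix SMTPD policy-delegation handler: Postfix's `check_policy_service` sends each transaction as `name=value` lines ending in an empty line and expects an `action=...` reply. The limits, the window and the decision to count recipients rather than messages are assumptions for illustration; `OutboundRateLimiter` and `handle_request` are names chosen here.

```python
"""Per-account outbound rate detection in the shape of a Postfix SMTPD
policy-delegation handler.  Added example, not code from the thread's
authors.  Postfix's check_policy_service hands each transaction over as
"name=value" lines terminated by an empty line and expects a reply of
"action=<access action>" followed by an empty line.  The limits below
are assumed for illustration; real values depend on the user base."""

from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Assumed policy: at most MAX_RCPTS recipients per authenticated user in
# any WINDOW_SECONDS-long sliding window.  Meant to be called from
# smtpd_recipient_restrictions, so one request arrives per recipient.
MAX_RCPTS = 100
WINDOW_SECONDS = 3600


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request; stops at the empty line that ends it."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class OutboundRateLimiter:
    """Sliding-window recipient counter keyed by SASL username.

    Counting recipients rather than messages catches the abuse pattern of
    a few messages carrying very long recipient lists."""

    def __init__(self, max_rcpts: int = MAX_RCPTS,
                 window: int = WINDOW_SECONDS) -> None:
        self.max_rcpts = max_rcpts
        self.window = window
        # user -> timestamps of recipients accepted from that user
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str, now: float) -> None:
        q = self._events[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def count(self, user: str, now: float) -> int:
        """Recipients this user has sent to within the window."""
        self._prune(user, now)
        return len(self._events[user])

    def record(self, user: str, now: float) -> int:
        """Record one recipient for the user and return the new count.

        Over-limit attempts are recorded too: a compromised account keeps
        trying, and the attempt rate is itself useful evidence."""
        self._prune(user, now)
        self._events[user].append(now)
        return len(self._events[user])


def handle_request(limiter: OutboundRateLimiter, raw: str,
                   now: float) -> Tuple[str, str]:
    """Return (policy reply, SASL user) for one request.

    DEFER_IF_PERMIT rather than REJECT: a legitimate user who trips the
    limit gets a temporary failure and the client retries later, which
    leaves time for the abuse desk to look at the account."""
    attrs = parse_policy_request(raw)
    user = attrs.get("sasl_username", "")
    if not user:
        # Not an authenticated submission: leave it to the other restrictions.
        return "action=DUNNO\n\n", ""
    total = limiter.record(user, now)
    if total > limiter.max_rcpts:
        return ("action=DEFER_IF_PERMIT Outbound rate limit exceeded for "
                "this account\n\n", user)
    return "action=DUNNO\n\n", user
```

The username returned alongside the reply is what the caller should log or send to the abuse address, since a compromised webmail account is identified by its login, not by the (often changing) client address. Postfix's own anvil-based limits (`smtpd_client_message_rate_limit`, `smtpd_client_recipient_rate_limit`) are keyed by client address, which is why a per-account limit needs a policy service like this one.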

mouss

Mar 16, 2010, 6:11:37 PM
ram wrote:

> On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
>> Hi,
>>
>> we are trying to mitigate the impact of having infected users, brute
>> force hacked webmail accounts etc. sending (large amounts of) outbound
>> spam.
>>
>> The best idea we've come up with so far is to perform outbound spam
>> filtering following these rules (it's a bit more complicated than this,
>> but this is the big picture):
>>
>> - Spam scoring (Spamassassin). If spam:
>> - Put the mail on hold
>> - Add an iptables rule rejecting the IP
>> - Notify postmaster/abuse
>>
>
> Also,
>
> * Implement ratelimits both inside postfix and in webmail

yes

> * Have strong password policies

well, this is a lost battle...

> * Sign up for Feedback loops and monitor the feedback address closely

this too.

> * In webmail write scripts to alert you if someone adds a large
> multiline signature

and this one too.

>
>
> We tried blocking outbound spam using a commercial scanner but the FPs
> are far too many to be used in production. So we just alert a human on
> these spams and manually intervene if the account needs to be blocked.

do you mean you read someone else's mail? I find this unacceptable.

> Of course some spams do get through by the time :-(

it's all about volume.

Alex

Mar 17, 2010, 3:26:53 AM

If you have a shared environment with a large number of virtual domains
I think that outbound spam filtering is a must. No rate limits or
strong passwords will save you from being listed or banned.
Also in a virtual environment it's hard to get everyone to sign up for an FBL.
If you said that it's all about volume, and that is my case too, separate
the outbound from the inbound, use multiple outbound servers (not necessarily
hardware) but scan all outbound messages. For a start you can hold the
messages and inspect them in order to tune your scanner.
My solution was to set up multiple instances of the postfix server (as many
as needed) on separate machines, and every instance uses a content
filtering scanner (amavisd-new + SA). Based on the spam score and some custom
headers added by amavisd, postfix will pass/bounce/drop the message.
Let's say that we have three levels - clear/spammy/spam. From my point of
view it's all about what you do with the spammy stuff.
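The score-to-action step, covering both the original post's "if spam: hold and notify" rule and Alex's clear/spammy/spam levels, as an added example that is not code from anyone in the thread. `X-Spam-Score` is the header amavisd-new writes into a scanned message; the two thresholds, the tier names and the extra "unscored" tier for mail the scanner never tagged are assumptions for illustration.

```python
"""Three-tier outbound decision (clear / spammy / spam) from the score an
amavisd-new + SpamAssassin content filter writes into the message.  Added
example, not the code of anyone in the thread.  X-Spam-Score is the header
amavisd-new adds; the thresholds and the extra "unscored" tier are
assumptions for illustration."""

import email
from email.message import Message
from typing import Optional, Tuple

# Assumed thresholds.  The interesting band is between them: that mail is
# held for a human rather than silently dropped or bounced.
SPAMMY_LEVEL = 5.0
SPAM_LEVEL = 10.0

# tier -> (Postfix access action, notify the abuse desk?)
ACTIONS = {
    "clear": ("DUNNO", False),     # deliver normally
    "spammy": ("HOLD", True),      # park in the hold queue, tell a human
    "spam": ("REJECT", True),      # refuse, tell a human
    "unscored": ("HOLD", True),    # scanner never saw it: fail closed
}


def spam_score(msg: Message) -> Optional[float]:
    """Highest X-Spam-Score present, or None if absent or unparsable."""
    scores = []
    for value in msg.get_all("X-Spam-Score", []):
        try:
            scores.append(float(str(value).strip()))
        except ValueError:
            continue
    return max(scores) if scores else None


def classify(score: Optional[float]) -> str:
    """Map a score to a tier; a missing score is its own tier."""
    if score is None:
        return "unscored"
    if score >= SPAM_LEVEL:
        return "spam"
    if score >= SPAMMY_LEVEL:
        return "spammy"
    return "clear"


def decide(raw_message: bytes) -> Tuple[str, str, bool]:
    """Return (tier, action, notify) for one outbound message."""
    msg = email.message_from_bytes(raw_message)
    tier = classify(spam_score(msg))
    action, notify = ACTIONS[tier]
    return tier, action, notify


def abuse_notice(raw_message: bytes) -> Optional[str]:
    """One-line record for the abuse mailbox, or None if nobody needs telling."""
    tier, action, notify = decide(raw_message)
    if not notify:
        return None
    msg = email.message_from_bytes(raw_message)
    return (f"{tier} -> {action}: from={msg.get('From', '?')} "
            f"msgid={msg.get('Message-ID', '?')} score={spam_score(msg)}")
```

The same split can be expressed with Postfix `header_checks` patterns on the scanner's headers, or with amavisd's own tag/kill levels; what this version adds is the fail-closed handling of a message that carries no score at all, which on an outbound path usually means the content filter was bypassed or is down. The scanner must strip any `X-Spam-*` headers the submitting client supplied before adding its own (amavisd-new does this by default), otherwise the decision is made on data the sender controls.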
