What open source email filtering system is working well for you?
Regards,
David Funderburk GlobalVision 864-569-0703
For Technical Support, please email gv-support@globalvision.net.
-- This message has been scanned by E.F.A. Project and is believed to be clean.
Hello,
For MTA server, I use Postfix, with some blacklists (DNSBL).
For filtering then: SpamAssassin + ClamAV works well.
On 14/12/2018 at 12:30, David Funderburk wrote:
What open source email filtering system is working well for you?
Regards,
David Funderburk GlobalVision 864-569-0703
I've used Sendmail + MIMEDefang + SpamAssassin w/ClamAV for over 15 years. And on the SA side I use all the bells and whistles available like DCC greylisting, all the public blacklists, there are some 3rd party rulesets you can subscribe to, etc. In the end it's not as good as Gmail, but pretty darn close.

I block at SA score 4 and above, 4-8 score I dump into a separate quarantine account that I check every now and again for possible errors, and over 8 I drop - no log or bounce.

-John

On 12/14/18 12:35 PM, Guillaume Tournat wrote:
Hello,
For MTA server, I use Postfix, with some blacklists (DNSBL).
For filtering then: SpamAssassin + ClamAV works well.
On 14/12/2018 at 12:30, David Funderburk wrote:
What open source email filtering system is working well for you?
Regards,
David Funderburk GlobalVision 864-569-0703
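The score tiers John Von Essen describes above, applied to the `X-Spam-Status` header that SpamAssassin adds, as an added example that is not from any poster in the thread. It assumes the header is read after scanning (his MIMEDefang setup acts at SMTP time instead); the function names, the sample messages and the `unscanned` outcome are this example's own.

```python
import re
from email import message_from_string
from email.policy import default

# Thresholds from the message above; all names here are this example's own.
QUARANTINE_AT = 4.0  # score 4 and above: quarantine account
DROP_ABOVE = 8.0     # score over 8: discard, no log or bounce
SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")

def spam_score(raw_message):
    """Return the score from the topmost X-Spam-Status header, or None."""
    msg = message_from_string(raw_message, policy=default)  # unfolds continuation lines
    match = SCORE_RE.search(str(msg.get("X-Spam-Status", "")))
    return float(match.group(1)) if match else None

def disposition(raw_message):
    """Map one scanned message to deliver, quarantine, drop or unscanned."""
    score = spam_score(raw_message)
    if score is None:
        return "unscanned"  # assumption: the caller rescans instead of guessing
    if score > DROP_ABOVE:
        return "drop"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "deliver"

def _msg(status):
    """Build a constructed sample message; status=None omits the header."""
    head = "From: sender@example.org\nSubject: constructed sample\n"
    if status is not None:
        head += "X-Spam-Status: " + status + "\n"
    return head + "\nbody\n"

# Constructed sample headers, not taken from a real mail stream.
SAMPLES = {
    "ham": _msg("No, score=-1.9 required=4.0 tests=BAYES_00\n\tautolearn=ham"),
    "edge_low": _msg("Yes, score=4.0 required=4.0 tests=BAYES_50,HTML_MESSAGE"),
    "edge_high": _msg("Yes, score=8.0 required=4.0 tests=BAYES_99"),
    "spam": _msg("Yes, score=14.3 required=4.0\n\ttests=BAYES_99,URIBL_BLACK"),
    "garbled": _msg("Yes, score=high required=4.0"),
    "no_header": _msg(None),
}

def triage(samples=SAMPLES):
    return {name: disposition(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:10} {verdict}")
```

The two boundary samples show that a score of exactly 4 or exactly 8 lands in the quarantine tier, since only scores over 8 are dropped.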
On 12/14/2018 1:00 PM, John Von Essen wrote:
I've used Sendmail + MIMEDefang + SpamAssassin w/ClamAV for over 15 years. And on the SA side I use all the bells and whistles available like DCC greylisting, all the public blacklists, there are some 3rd party rulesets you can subscribe to, etc. In the end it's not as good as Gmail, but pretty darn close.
I block at SA score 4 and above, 4-8 score I dump into a separate quarantine account that I check every now and again for possible errors, and over 8 I drop - no log or bounce.
I've started using rspamd in place of SpamAssassin and have been having good results. Built-in greylisting, support for SpamAssassin rules, nice statistics web-based GUI.

Only downside is that it can be quirky during the initial setup. It depends on redis for its key lookup backend. Not a big fan of redis, but it works, especially if you have to support multiple rspamd instances on different mail servers, and want to have one main backend to store all the spam/ham hashes in.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
On Fri, Dec 14, 2018 at 06:30:08AM -0500, David Funderburk wrote:
What open source email filtering system is working well for you?
I've been studying email abuse for a very long time, and am writing a book about defending against it with open-source tools.

One of the things that I've learned over those decades is that while some measures make sense for everyone, one size does not fit all, and that it's critical to understand the mail stream that's being presented before trying to design and build systems to deal with it. Everyone's legitimate email looks different. Everyone's abusive email looks different. It's not possible to figure out how to cope with these things until you measure them.

Nor is it possible until you understand the operational requirements, which again, are different for everyone. Joe's Donuts in Dubuque probably isn't going to be receiving messages at its "orders" address from Peru or Pakistan, for example, so any incoming traffic like that is almost certainly misdirected (at best) or abusive. On the other hand, Michigan State University will probably receive legitimate traffic from all the world, including Peru and Pakistan.

Unfortunately, lots of people skip these two steps -- especially the first one -- because they perceive them as onerous and unnecessary. They thus hamstring their own efforts.

One of the other things I've learned is that there's a correct order in which to apply defensive measures, so that the probability of FP and FN (false positive and false negative) are both simultaneously minimized, so that each successive measure has less work to do than the one before, and so that those measures which consume the least resources are deployed up front. (For example: using the DROP list in a perimeter router, firewall or even in the MTA's configuration is a highly efficient/low-cost/low-resource measure that should be done before doing other things. This is, by the way, one of the measures that make sense for everyone, see above.)

So while I could answer your question by telling you what I use, that doesn't mean that it would work for you. It *might*, and after a fashion, it probably would -- but it's highly unlikely that it's anything close to optimal for your environment. There's a fair amount of homework that needs to be done to figure that out.

One more thing. There are a number of things that some people do in their email systems which are worst practices -- things that exacerbate the problem. For example, "quarantines" or "spam folders" are a profoundly horrible idea that should never be deployed. (Ask RSA how that's working out for them.) Avoid these.

---rsk
On 12/14/18 4:30 AM, David Funderburk wrote:
What open source email filtering system is working well for you?
- Sendmail
- SpamAssassin
- ClamAV
- OpenDKIM
- OpenDMARC
- SPFmilter
- NoListing (a variant of Grey Listing that has worked exceedingly well for me.)
- Junk Email Filter MX tricks (also works very well for me)
- Reverse Path route filters

Most of this is fairly stock configuration. I have put some custom rules in SpamAssassin for various reasons.

Email me directly if you want particulars.

On 12/14/18 10:36 AM, Rich Kulawiec wrote:
I've been studying email abuse for a very long time, and am writing a book about defending against it with open-source tools.
I'll be interested to learn more about your book. Will you share any details so that I can keep an eye out for it?
- Title
- Release date
- Publisher
One of the things that I've learned over those decades is that while some measures make sense for everyone, one size does not fit all, and that it's critical to understand the mail stream that's being presented before trying to design and build systems to deal with it. Everyone's legitimate email looks different. Everyone's abusive email looks different. It's not possible to figure out how to cope with these things until you measure them.
Nor is it possible until you understand the operational requirements, which again, are different for everyone. Joe's Donuts in Dubuque probably isn't going to be receiving messages at its "orders" address from Peru or Pakistan, for example, so any incoming traffic like that is almost certainly misdirected (at best) or abusive. On the other hand, Michigan State University will probably receive legitimate traffic from all the world, including Peru and Pakistan.
I largely agree with both of those statements.
So while I could answer your question by telling you what I use, that doesn't mean that it would work for you. It *might*, and after a fashion, it probably would -- but it's highly unlikely that it's anything close to optimal for your environment. There's a fair amount of homework that needs to be done to figure that out.
Sure. But sharing what you're using and your perceived Pros and Cons do provide data for someone to consume while pontificating what will likely suit them the best.
One more thing. There are a number of things that some people do in their email systems which are worst practices -- things that exacerbate the problem. For example, "quarantines" or "spam folders" are a profoundly horrible idea that should never be deployed. (Ask RSA how that's working out for them.) Avoid these.
I think that there is a time and a place for both quarantining and spam folders.

I use quarantining to gate email into and out of a lab / sandbox environment. I know that nothing will flow without me releasing a quarantine. This allows me to feel comfortable testing various MTAs without worrying that email will flow when I have not approved it. Devices on either side speak SMTP just like they want to and believe that the messages are the responsibility of an intermediate server. IMHO it works great.

I also think that spam folders do have a use. They provide a way for messages that seem spammy to be isolated from the main inbox while still making them available to end users. (I'm talking about mail boxes accessed via IMAP where it's easy to see both Inbox and Junk.)

--
Grant. . . .
unix || die
Once upon a time, Grant Taylor via NANOG <nanog@nanog.org> said:
- ClamAV
In my recent experience, ClamAV is basically useless against email viruses. On one setup I run that handles around half a million messages a day, ClamAV might flag 3-5 as viruses. I'm dubious that that's all the virus messages that came through.

I'd be interested in hearing of other Linux software (free or paid) that can catch modern email viruses.

--
Chris Adams <cma@cmadams.net>
On Fri, December 14, 2018 13:49, Chris Adams wrote:
Once upon a time, Grant Taylor via NANOG <nanog@nanog.org> said:
- ClamAV
In my recent experience, ClamAV is basically useless against email viruses. On one setup I run that handles around half a million messages a day, ClamAV might flag 3-5 as viruses. I'm dubious that that's all the virus messages that came through.
I'd be interested in hearing of other Linux software (free or paid) that can catch modern email viruses.
ClamAV addons.
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection...
https://sanesecurity.com/
postfix + postscreen for MTA ...
MailScanner + MailWatch for anti-____.
I've heard good things about rspamd, but I haven't tried it.
On 12/14/18 5:30 AM, David Funderburk wrote:
What open source email filtering system is working well for you?
Regards,
David Funderburk GlobalVision 864-569-0703
participants (9)
- Brielle Bruns
- Bryan Holloway
- Chris Adams
- David Funderburk
- Grant Taylor
- Guillaume Tournat
- John Capo
- John Von Essen
- Rich Kulawiec