[colug-432] in search of spam/phishing filtering that doesn't suck

Angelo McComis angelo at mccomis.com
Tue Sep 20 11:19:12 EDT 2016


> On 2016-09-17 18:21, Rick Hornsby wrote:
>
> What are you guys doing for your email as far as spam and phishing
> filtering? Are you doing something yourself server side? Client side? I've
> found over and over again in the past (and when it is turned on by default
> and I don't realize it) that the filtering in email clients sucks, and so I
> always turn it off.
>
I used to run a fairly sophisticated email rig, and with sufficient time
and effort, I had zero false positives, and no spam getting through.  It
used a concept of using the least amount of CPU and resources to block the
most amount of spam.  Postfix did a lot at the front door, by incorporating
a fairly reliable consolidated block list, and with tweaking and tuning,
would actually turn away connections from known spam relays. If it got past
the first turn-away, the next check was a validation that the sender and
recipient were valid (again, easy checks in postfix, although validating the
sender is not 100%), next the connection would go through greylisting. If
we had seen the sender relay before and they passed, they got a free pass
(resets with each success, is good for the next 30 days I think).
Greylisting sends them a fake error, asking them to retry in a few minutes.
Most spammers don't retry, so this cuts back some of the spam. Legitimate
senders' relays will queue the message and do the retry. (And once they do,
they're good for at least the next 30 days so no extra delays as long as
they send a message once every 30 days). For mail that gets past these
checks, I used MailScanner to manage the filtering which included a bunch
of public and custom rules, which included running it through ClamAV,
SpamAssassin for rules scoring, and other plugins like DCC (Distributed
Checksum Clearinghouse), Fuzzy OCR (which would actually convert images in
attachments to text, and run the text through spam filter rules), and so
on.  ClamAV checked for an updated database every other hour, that way I
was pretty quick on new signatures.  Other rules would pull in dynamically,
which sometimes did cause problems.

The idea was that things like DCC and FuzzyOCR are rather CPU intensive, so
put them at the end of the chain, where only messages that have not already
been determined to be spam have to run these checks.  Sitting through a
Barracuda "Spam Firewall" (I hated that name, by the way) presentation, I
learned that they do pretty much exactly what I was doing, except they
managed the updates on a subscription model.

This ran great for a long time, but as I go to google the validity of some
of these, it seems that most people don't do any of this stuff anymore.

I suppose, like anything else, you get out of it what you put into it. But,
email is not considered the value add that it was 10 years ago, with
texting, free gmail with decent enough spam filtering for everyone, and so
on...

Angelo
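The greylisting step described in the post above, as an added example (this is not Angelo's code, nor code from Postfix, postgrey or MailScanner). It models the decision a Postfix SMTPD access policy server would make: a relay never seen before gets a temporary "try again later" answer, a relay that retries after the delay is admitted and whitelisted for 30 days, and every later success resets that window. Assumptions not in the post: the whitelist is keyed by the connecting relay's IP address, the retry delay is five minutes, state lives in memory, and the sample policy request and addresses are constructed for the example.

```python
"""Greylisting as a Postfix policy-server decision (added example, not from the post).

Postfix sends a policy server a block of key=value lines terminated by a blank
line and expects "action=<verb>" followed by a blank line. DEFER_IF_PERMIT is the
usual greylisting answer: the client gets a temporary 4xx error unless an earlier
restriction already rejected it.
"""

import time

GREYLIST_DELAY = 5 * 60          # assumed: seconds a new relay must wait before a retry counts
WHITELIST_TTL = 30 * 24 * 3600   # 30 days, per the post, reset on every successful delivery


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, ttl=WHITELIST_TTL):
        self.delay = delay
        self.ttl = ttl
        self.first_seen = {}    # relay ip -> time of its first (deferred) attempt
        self.whitelisted = {}   # relay ip -> time of its last accepted delivery

    def decide(self, client_address, now=None):
        """Return the value for the 'action=' line for a connection from client_address."""
        now = time.time() if now is None else now

        last_ok = self.whitelisted.get(client_address)
        if last_ok is not None and now - last_ok < self.ttl:
            self.whitelisted[client_address] = now   # a success resets the 30-day window
            return "DUNNO"                            # no opinion; later restrictions decide

        first = self.first_seen.get(client_address)
        if first is None:
            self.first_seen[client_address] = now    # never seen (or whitelist expired): defer
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please try again later"

        # The relay queued the message and retried after the delay, as real MTAs do.
        del self.first_seen[client_address]
        self.whitelisted[client_address] = now
        return "DUNNO"


def parse_policy_request(raw):
    """Parse the key=value attribute block Postfix sends to a policy server."""
    attrs = {}
    for line in raw.splitlines():
        if not line:            # blank line ends the request
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def handle_request(greylist, raw, now=None):
    """Turn one raw policy request into the response text Postfix expects."""
    attrs = parse_policy_request(raw)
    action = greylist.decide(attrs["client_address"], now)
    return f"action={action}\n\n"


# Constructed sample request, in the shape of Postfix's policy delegation protocol.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    print(handle_request(g, SAMPLE_REQUEST, t0).strip())          # first contact: deferred
    print(handle_request(g, SAMPLE_REQUEST, t0 + 10 * 60).strip()) # retry after delay: DUNNO
```

The relay, not the sender address, is the key here because that is what the post says it tracked; the classic postgrey tuple of (client, sender, recipient) is stricter and trades a little more initial delay for less leakage from a shared relay.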