
Helping to Block Spam

  • 02-06-2006 11:09am
    #1
    Registered Users Posts: 3,087 ✭✭✭


    Not 100% if this question should be here so feel free to move admin.

    Basically I use Mailmarshal (but I'm sure this applies to all email filtering solutions) to create rules that allow or deny mail based on certain criteria.

    I have whitelists \ blacklists \ approved addresses \ banned users, domains and so on.

    I've also incorporated into this Spamhaus and Spamcop, which has reduced a lot the amount of spam I get.

    What I'm wondering is, does anyone have any particular rules you find that help a lot, or what do you do to stop spam in a corporate environment?

    I find that while the solution we have is very good, it also has holes in it; sometimes spam gets through. My goal is to eliminate this as much as possible.

    Perhaps if people could publish what they use or what they blacklist (not sure how this would be done, the list could get quite large) we could effectively pool our solutions for the benefit of everyone.

    Or even if you use a resource on the net that you think works well, I would like to hear about it.

    Anyway, just an idea on this Friday morning. Any thoughts?


Comments

  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    The first and most important rule would be an allowed recipient list, the vast majority of spam is to non-existent email addresses... this should be blocked at the company's first (Internet-facing) mail gateway or smtp relay... only after that spam and av filters should be applied... this keeps resources used (both cpu and network) to an absolute minimum.

    In the past I've used amavisd-new (with postfix) combined with spamassassin, razor and clamav. This has worked with over 99% effectiveness while keeping false positives to a near zero level.

    I find FPs mostly occur due to generic rules like approved senders/domains, simplistic word matching/regexps... use of RBLs (be they IP or domain based) generate a LOT of FPs and should be avoided if at all possible, they are a bad idea.. to a lesser extent so are local white and blacklists, they can tend to be almost too restrictive in what they allow/deny, to the point where they are nearly doing more harm than good.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,223 CMod ✭✭✭✭Black Swan


    Don't visit or download those naughty sites.


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Kali,

    We have that as a first rule but I still find that I get a lot of spam, mind you this is all in the "Spam Blacklisted" and "Spam Explicit" folders. Since Friday we received over 2000 messages, the problem being that I still have to go through all that spam and check for valid emails.

    Now the majority of it I can delete on sight, sometimes I still pull the odd one out. Which I then have to go and figure out why it got caught and create a rule so that it doesn't happen again.

    Kali wrote:
    I find FPs mostly occur due to generic rules like approved senders/domains, simplistic word matching/regexps... use of RBLs (be they IP or domain based) generate a LOT of FPs and should be avoided if at all possible, they are a bad idea.. to a lesser extent so are local white and blacklists, they can tend to be almost too restrictive in what they allow/deny, to the point where they are nearly doing more harm than good.

    Now you see this is actually the opposite to what I was thinking, I have been trying to use all of the above to create the rules / lists so that the mail doesn't get caught. All the spam we get is to actual valid email addresses and would be of the format we use.

    Perhaps it is quite normal to receive this much spam, considering the fact that it is all caught and moved to the two spam folders (not getting through to the users). Whereas I have been trying to eliminate the amount of spam getting through to the folders. What do you think?

    I still think I should be able to reduce the amount of spam caught in the folders drastically though. It doesn't seem "right" that I should be going through that much each day. I suppose I could leave them to accumulate on a 7 day cycle and just use them when a user can't find an email that is expected, but I feel that would be bad practice because you are reacting after the fact.

    Is my logic flawed?

    Also on your "allowed recipient list" I presume you use a generic rule, i.e. *@mydomain, rather than actually entering everyone's name + aliases.


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Static M.e. wrote:
    Also on your "allowed recipient list" I presume you use a generic rule, i.e. *@mydomain, rather than actually entering everyone's name + aliases.

    No. I used a script I put together to update the allowed recipients automatically every night (basically it exported addresses from Exchange and imported them into the allowed_recipients postfix file)... unfortunately the setup you have mightn't have the luxury of being that simple. Even if that file/database grew to several thousand recipients, it's still a lot quicker for the smtp relay to parse than running specific filters.

    Tell me this, out of the 2k mails that get dumped in your spam folders how many are actually false positives? Seriously, that is not a job for someone to do, if important mail is getting marked as spam, your filters are doing something wrong and should be looked at (or else the genuine mail contains dubious content)... it's more acceptable to have the odd spam here and there go through than wasting an hour a day manually checking your spam folders.
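
Added example, not part of Kali's post and not the script Kali describes: one way to do the nightly export-to-recipient-list step that Kali's two posts describe for the Internet-facing relay. The CSV layout, column names and domains are constructed assumptions; only the `allowed_recipients` file name comes from the thread.

```python
import csv, io, os, re, tempfile

# Constructed sample of a directory export: one row per mailbox, with
# Exchange-style proxyAddresses separated by ';' (assumed column names).
SAMPLE_EXPORT = """mail,proxyAddresses
alice@example.ie,SMTP:alice@example.ie;smtp:a.murphy@example.ie;X400:c=IE;o=Corp
bob@example.ie,SMTP:bob@example.ie;smtp:Sales@Example.IE
carol@partner.test,SMTP:carol@partner.test
"""

ADDR_RE = re.compile(r"^[a-z0-9._%+'-]+@[a-z0-9.-]+\.[a-z]{2,}$")

def extract_recipients(export_text, local_domains):
    """Return the sorted, de-duplicated SMTP addresses in our own domains."""
    found = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        candidates = [row.get("mail") or ""]
        for proxy in (row.get("proxyAddresses") or "").split(";"):
            kind, _, value = proxy.partition(":")
            if kind.lower() == "smtp":      # skip X400 and other address types
                candidates.append(value)
        for addr in candidates:
            addr = addr.strip().lower()
            if ADDR_RE.match(addr) and addr.rsplit("@", 1)[1] in local_domains:
                found.add(addr)
    return sorted(found)

def write_recipient_map(recipients, path, min_ratio=0.8):
    """Atomically replace the list; refuse an empty or sharply shrunken one."""
    old_count = 0
    if os.path.exists(path):
        with open(path) as fh:
            old_count = sum(1 for line in fh if line.strip())
    # A failed export must not turn into "reject every recipient".
    if not recipients or len(recipients) < old_count * min_ratio:
        raise ValueError(f"refusing update: {len(recipients)} new vs {old_count} current")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(f"{addr}\tOK\n" for addr in recipients)
    os.chmod(tmp, 0o644)                    # mkstemp creates the file as 0600
    os.replace(tmp, path)                   # readers never see a partial file
    return len(recipients)

if __name__ == "__main__":
    rcpts = extract_recipients(SAMPLE_EXPORT, {"example.ie"})
    print(write_recipient_map(rcpts, "allowed_recipients"), "recipients written")
```

On a Postfix relay the resulting file would typically be indexed with `postmap` and referenced from `relay_recipient_maps`; that wiring is an assumption about the setup, not something stated in the thread.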


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Out of the 2k mails, all were spam but the problem is I still have to go through them. I'm quite new with the company > 6 months so most of the time it's generally an alias I don't know about. It's not a common situation though. I have asked for a full email / alias list but it hasn't arrived yet.

    Because all the spam is getting blocked at the filter, should I continue to actively try and minimise the amount I get to the two folders so I can reduce it even further?

    That's why I was trying to use all the rules and lists.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Kali wrote:
    (basically it exported addresses from exchange and imported them into the allowed_recipients postfix file)

    If you're running a recent version of Exchange, you might be able to use dynamic recipient verification (also some unix-based mail servers).

