Outbound spam prevention & reaction

Gottschalk, David dgottsc at emory.edu
Wed Dec 12 15:56:06 GMT 2007


Here at the University we filter inbound & outbound email.

Filtering outbound mail is literally no different than filtering inbound mail. We actually do it on the same physical servers as our inbound filtering. This is done using a front-end load balancer that re-directs mail to a different running copy of Sendmail on a higher TCP port.

*A lot* of users here get infected with viruses that are spamming robots. Before I had mailscanner scanning all inbound and outbound messages, we were getting blacklisted very often.

I don't send users a bounce message if their message gets filtered as spam. I mainly just monitor the queues for messages that look suspicious (we have a lot of email going inbound and outbound here, I hope to automate this sooner rather than later). If someone is caught spamming, we simply block their IP on the firewall level, and notify them.

Hope that helps, good luck!

David Gottschalk
UTS Infrastructure Technology Services
david.gottschalk at emory.edu


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ugo Bellavance
Sent: Wednesday, December 12, 2007 10:30 AM
To: mailscanner at lists.mailscanner.info
Subject: Outbound spam prevention & reaction

Hi,

        I was wondering what you guys are doing to prevent outbound spam and
react to it.

        I relay for a few IPs but I'm a little scared about having spams sent
through my MS server that may get me listed on a DNSBL...  I could set a
separate server for outbound so that I can tweak it differently...

I thought of:
To react:

        - Using the 'bounce' setting in MailScanner so that spam senders are
notified (for false positives).  A "forward" rule could also be used to
alert someone

        - Have a second quarantine report running to show quarantined outbound
e-mails, per IP address, or something similar

However, SA is not as good at detecting spam when it is going outbound,
so I thought we should enforce a strict throttling on all outbound IPs
(connection rate & concurrent connections).

        If several spams are caught, what would be your reaction? Deny the
relay or firewall them off?  Deny relay would mean that they would get
DSNs when trying to send, and they would "lose" their e-mails.

To prevent:

Hum... I have no idea except to enforce strict firewalling and good
sysadmin practices...

Any opinions?

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
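As an added example (not code from either poster, nor from MailScanner or Sendmail), here is the per-IP review that David describes doing by hand on the queues and that Ugo sketches as a per-IP outbound report. It parses constructed sendmail "from=" maillog lines for the outbound relay and flags client IPs by burst rate, recipient fan-out and the number of distinct sender addresses, which is the pattern of an infected workstation acting as a spam robot. The log shape, the thresholds, the assumed year (syslog timestamps carry none) and all hosts, addresses and IPs are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of sendmail "from=" maillog entries.
# Hosts, addresses and IPs are placeholders, not real log data.
SAMPLE_LINES = [
    "Dec 12 10:30:01 mx1 sendmail[4101]: lBCFU1aa004101: from=<alice@example.edu>, size=2048, class=0, nrcpts=1, msgid=<m1@example.edu>, proto=ESMTP, daemon=MTA-out, relay=pc-alice.example.edu [10.1.2.3]",
    "Dec 12 10:31:40 mx1 sendmail[4105]: lBCFVeab004105: from=<alice@example.edu>, size=1200, class=0, nrcpts=2, msgid=<m2@example.edu>, proto=ESMTP, daemon=MTA-out, relay=pc-alice.example.edu [10.1.2.3]",
    "Dec 12 10:32:10 mx1 sendmail[4110]: lBCFWAac004110: from=<owner-news@example.edu>, size=55000, class=0, nrcpts=80, msgid=<m3@example.edu>, proto=ESMTP, daemon=MTA-out, relay=listserv.example.edu [10.1.2.9]",
]
# A burst from one workstation using a different forged sender on every
# message: the spam-robot pattern (constructed data as well).
for i in range(25):
    SAMPLE_LINES.append(
        "Dec 12 10:40:%02d mx1 sendmail[%d]: lBCFe%02dzz%06d: from=<user%d@forged.example>, "
        "size=3000, class=0, nrcpts=4, msgid=<b%d@forged.example>, proto=ESMTP, daemon=MTA-out, "
        "relay=[10.1.2.7]" % (2 * i, 5000 + i, i, 5000 + i, i, i)
    )

# Matches the sender, recipient count and relaying client IP of a "from=" line;
# the relay field may or may not carry a resolved hostname before the [ip].
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+), .*?"
    r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]"
)


def parse_maillog(lines, year=2007):
    """Return one event dict per sendmail 'from=' line; other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # syslog timestamps have no year, so one is assumed for the demo
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "qid": m.group("qid"), "sender": m.group("sender"),
                       "nrcpts": int(m.group("nrcpts")), "ip": m.group("ip")})
    return events


def peak_in_window(timestamps, window):
    """Largest number of events inside any span of length `window` (two-pointer sweep)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_ip_report(events, window=timedelta(minutes=10), max_msgs=20,
                  max_rcpts=200, max_senders=5):
    """Aggregate outbound submissions per relaying client IP and record why any looks suspicious.

    The thresholds are illustrative; tune them to the site's real traffic so that
    legitimate bulk senders (a listserv host, say) do not trip them.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        peak = peak_in_window([e["ts"] for e in evs], window)
        rcpts = sum(e["nrcpts"] for e in evs)
        senders = {e["sender"] for e in evs}
        reasons = []
        if peak > max_msgs:
            reasons.append("%d messages within %s" % (peak, window))
        if rcpts > max_rcpts:
            reasons.append("%d recipients in total" % rcpts)
        if len(senders) > max_senders:
            reasons.append("%d distinct sender addresses" % len(senders))
        report[ip] = {"messages": len(evs), "peak_in_window": peak, "recipients": rcpts,
                      "senders": len(senders), "reasons": reasons}
    return report


def flagged_ips(report):
    """Client IPs with at least one reason, sorted, for the notify-and-block step."""
    return sorted(ip for ip, r in report.items() if r["reasons"])


if __name__ == "__main__":
    rep = per_ip_report(parse_maillog(SAMPLE_LINES))
    for ip in sorted(rep):
        print(ip, rep[ip])
    print("flagged:", flagged_ips(rep))
```

In the constructed sample only 10.1.2.7 is flagged (25 messages in under a minute, 25 different sender addresses), while the listserv host's single 80-recipient message stays below the fan-out threshold. On a real relay the same report would be fed from the live maillog (or from the queue listing) and the flagged IPs passed to whatever notify-and-firewall step the site already uses.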
