mailscanner in ISP

Paulo Roncon paulo-m-roncon at ptinovacao.pt
Thu Aug 7 15:06:30 IST 2008


Hello all,

I work at an ISP and we want to install MailScanner to stop OUTBOUND spam, as it's becoming a bottleneck...
I don't have any network metrics, as the guy in charge is out. I'm thinking 1000000 plus messages/day.

Questions:
- Does anyone have ideas about the kind of HW solution needed?
- OUTBOUND filtering: It's gonna be *->*. Do you see any problems?
- Which is the fastest configuration possible?
- What pieces of SW should I install (AV, Pyzor, etc.)? I'm aiming for speed and to block about 85% of spam. I'm not aiming at near 100% spam free...


Thanks!

Paulo Roncon
CSO2 - Suporte operacional interno
PT Inovação - Grupo Portugal Telecom
Rua Eng. José Ferreira Pinto Basto
3810-106 Aveiro, Portugal
Tel +351 234 403 341
Tlm +351 961 781 029
http://www.ptinovacao.pt


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of mailscanner-request at lists.mailscanner.info
Sent: quinta-feira, 7 de Agosto de 2008 12:02
To: mailscanner at lists.mailscanner.info
Subject: MailScanner Digest, Vol 32, Issue 6


Today's Topics:

   1. quiet here (Rodney Green)
   2. SANS Spamming Article You might be interested in.
      (Andrews Carl 455)
   3. Re: quiet here (Eduardo Casarero)
   4. Re: quiet here (Erik Weber)
   5. Re: quiet here (Rodney Green)
   6. RE: quiet here (Declan Grady)
   7. Re: quiet here (Julian Field)
   8. Re: quiet here (Hugo van der Kooij)
   9. Re: quiet here (Andrew MacLachlan)
  10. Greetings... a current amavisd-new user, looking into
      MailScanner... (Glenn Sieb)
  11. Re: Greetings... a current amavisd-new user, looking into
      MailScanner... (Hugo van der Kooij)
  12. Re: quiet here (Gary Alexander)
  13. Re: Greetings... a current amavisd-new user, looking into
      MailScanner... (Andrew MacLachlan)
  14. Re: Greetings... a current amavisd-new user, looking into
      MailScanner... (Matt Hampton)
  15. Re: Greetings... a current amavisd-new user, looking into
      MailScanner... (Ronny T. Lampert)


----------------------------------------------------------------------

Message: 1
Date: Wed, 06 Aug 2008 09:52:19 -0400
From: Rodney Green <rgreen at trayerproducts.com>
Subject: quiet here
To: mailscanner at lists.mailscanner.info
Message-ID: <4899AC93.10501 at trayerproducts.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Haven't seen any messages in a while. The list archive reflects the same.


------------------------------

Message: 2
Date: Wed, 6 Aug 2008 08:57:48 -0500
From: "Andrews Carl 455" <Carl.Andrews at crackerbarrel.com>
Subject: SANS Spamming Article You might be interested in.
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
        <D695CB42A59ABB428898D9FCDDE59132039A0A2A at exchange03.CBOCS.com>
Content-Type: text/plain; charset="us-ascii"


When spammers use your own e-mails
<http://isc.sans.org/diary.html?storyid=4834>
Published: 2008-08-06,
Last Updated: 2008-08-06 12:49:47 UTC
by Bojan Zdrnja (Version: 1)

Some time ago, one of our readers, Mike S, sent an e-mail with an
interesting observation about how spammers used e-mails from one of his
customers (this has been actually sitting in my own inbox for way too
long).

The e-mails contained all "standard" elements such as spoofed headers
etc, but there was a very interesting thing with the body content.

As with most e-mails spammers send, these e-mails were HTML as well.
However, the interesting part was that the spammers took his clients'
e-mails and modified the HTML a bit to include their own message.

The spammers added the link they wanted to spam at the top and then
opened a <TITLE> HTML tag. After the TITLE tag came the full original
e-mail, but the tag was never actually closed. This resulted in Outlook
displaying only the spammed link, but not showing the original e-mail
content.

The raw e-mail looked like this:

--AlternativeBoundary.22222222.22222222
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

<html><center><FONT SIZE="5" COLOR="#10566D">Spammers
message</font><br><br><A HREF="http://spammers link">http://spammers
link</A>
<title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center
border=0>
<tr><td style='{font-family: Verdana, sans-serif;
color=#7a929f;font-weight:700;font-size: 11px;text-transform :
capitalize;}'>
.... ORIGINAL MAIL CONTENT ...
</td></tr>
</table><p>&nbsp;</p>
</body>

Of course, by using the original e-mail content (which was legitimate
when the client sent it), the spammers are trying to evade Bayesian
filters, and at least in Mike's example they even managed to get
SpamAssassin to decrease the final score of the e-mail.

In any case, it's an arms race between spammers and content filter
developers. Thanks Mike again for sending this interesting information
(and sorry it took so long to analyze it).

--
Bojan

Source: http://isc.sans.org/diary.html?storyid=4834
<http://isc.sans.org/diary.html?storyid=4834>
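
The unclosed <TITLE> trick described in the article above can be checked for mechanically before the message reaches a Bayesian scorer. The Python below is an added example, not part of the original post and not MailScanner or SpamAssassin code; the sample message, the spam.example link and all function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the raw e-mail quoted above (hypothetical link).
SAMPLE = """\
Content-Type: multipart/alternative; boundary="AlternativeBoundary.22222222"

--AlternativeBoundary.22222222
Content-Type: text/html; charset="ISO-8859-1"

<html><center><FONT SIZE="5">Spammers message</font><br>
<A HREF="http://spam.example/">http://spam.example/</A>
<title><body leftmargin=5>
<table><tr><td>Quarterly invoice reminder for our customers</td></tr></table>
</body>
--AlternativeBoundary.22222222--
"""

class TitleAudit(HTMLParser):
    """Records where <title> opens, whether it closes, and links before it."""
    def __init__(self):
        super().__init__()
        self.opened_at = None    # (line, column) of the first <title>
        self.closed = False
        self.visible_links = []  # hrefs a mail client renders before <title>
    def handle_starttag(self, tag, attrs):
        if self.opened_at is not None:
            return
        if tag == "title":
            self.opened_at = self.getpos()
        elif tag == "a":
            self.visible_links += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag == "title":
            self.closed = True

def audit_html(html):
    """Return a finding if <title> is opened but never closed, else None."""
    p = TitleAudit()
    p.feed(html)
    p.close()
    if p.opened_at is None or p.closed:
        return None
    line, col = p.opened_at
    start = sum(len(l) + 1 for l in html.split("\n")[:line - 1]) + col
    return {"visible_chars": start, "hidden_chars": len(html) - start,
            "visible_links": p.visible_links}

def audit_message(raw):
    """Audit every text/html part of a raw message; returns a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    return [f for f in (audit_html(p.get_content()) for p in parts) if f]
```

A finding means everything from the <title> tag onward is text the recipient never sees, so a filter can score only the visible prefix and its links instead of the borrowed legitimate content.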

------------------------------

Message: 3
Date: Wed, 6 Aug 2008 11:14:50 -0300
From: "Eduardo Casarero" <ecasarero at gmail.com>
Subject: Re: quiet here
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
        <7d9b3cf20808060714m43e1c5c3p7a01551eed4ce43e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

2008/8/6 Rodney Green <rgreen at trayerproducts.com>

> Haven't seen any messages in a while. The list archive reflects the same.


Maybe spammers take a holiday break? Here in Argentina we are in winter
holidays :P



------------------------------

Message: 4
Date: Wed, 06 Aug 2008 16:16:57 +0200
From: Erik Weber <twiztar at gmail.com>
Subject: Re: quiet here
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <4899B259.9010204 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Rodney Green wrote:
> Haven't seen any messages in a while. The list archive reflects the same.

It just works(tm)

--
Erik


------------------------------

Message: 5
Date: Wed, 06 Aug 2008 10:58:46 -0400
From: Rodney Green <rgreen at trayerproducts.com>
Subject: Re: quiet here
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <4899BC26.6030702 at trayerproducts.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



Erik Weber wrote:
> Rodney Green wrote:
>> Haven't seen any messages in a while. The list archive reflects the same.
>
> It just works(tm)
>

Good to see the list is still alive. :-)


------------------------------

Message: 6
Date: Wed, 6 Aug 2008 16:15:02 +0100
From: "Declan Grady" <declan.grady at nuvotem.com>
Subject: RE: quiet here
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
        <1DF321991CD3084EAD65737D82C6D07E32335D at sbs1.nuvotem.local>
Content-Type: text/plain;       charset="us-ascii"


Erik Weber wrote:
> Rodney Green wrote:
>> Haven't seen any messages in a while. The list archive reflects the same.
>
> It just works(tm)
>

>Good to see the list is still alive. :-)


Guess it is holiday time



------------------------------

Message: 7
Date: Wed, 06 Aug 2008 16:19:19 +0100
From: Julian Field <MailScanner at ecs.soton.ac.uk>
Subject: Re: quiet here
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <4899C0F7.6070603 at ecs.soton.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Rodney Green wrote:
>
>
> Erik Weber wrote:
>> Rodney Green wrote:
>>> Haven't seen any messages in a while. The list archive reflects the
>>> same.
>>
>> It just works(tm)
>>
>
> Good to see the list is still alive. :-)
While things are quiet, are there any outstanding bugs or feature
requests that I should be working on?

I'm aiming at a stable release at the start of September if there's
nothing else huge between now and then. The HTML::Parser protection
seems to be working okay, and hasn't had a huge speed impact (it never
ceases to amaze me quite how fast fork() is!).

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc





------------------------------

Message: 8
Date: Wed, 06 Aug 2008 18:16:58 +0200
From: Hugo van der Kooij <hvdkooij at vanderkooij.org>
Subject: Re: quiet here
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <4899CE7A.6090201 at vanderkooij.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eduardo Casarero wrote:
|
|
| 2008/8/6 Rodney Green <rgreen at trayerproducts.com
| <mailto:rgreen at trayerproducts.com>>
|
|     Haven't seen any messages in a while. The list archive reflects the
|     same.
|
|
| Maybe spammers take a holiday break? Here in Argentina we are in winter
| holidays :P

I'm inclined to think that the amount of malware in email is in fact
rapidly expanding over the last 24 to 36 hours.

Perhaps everyone tries to fill the gap left by the arrest of a botnet
owner here in the Netherlands.

Hugo.

- --
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

        A: Yes.
        >Q: Are you sure?
        >>A: Because it reverses the logical flow of conversation.
        >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFImc55BvzDRVjxmYERAr8wAJoCGdxAS7vMKaIjaAjO0ZihImzhVgCgoPX3
f566aQxSCmgu6pUfbnK0Eqk=
=M43s
-----END PGP SIGNATURE-----


------------------------------

Message: 9
Date: Wed, 06 Aug 2008 23:00:01 +0100
From: Andrew MacLachlan <andrew at gdcon.net>
Subject: Re: quiet here
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <489A1EE1.8050003 at gdcon.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hugo van der Kooij wrote:
> I'm inclined to think that the amount of malware in email is in fact
> rapidly expanding over the last 24 to 36 hours.
>
> Perhaps everyone tries to fill the gap left by the arrest of a botnet
> owner here in the Netherlands.
>
My logs are full of ssh brute-force attempts...





------------------------------

Message: 10
Date: Wed, 06 Aug 2008 21:46:25 -0400
From: Glenn Sieb <ges at wingfoot.org>
Subject: Greetings... a current amavisd-new user, looking into
        MailScanner...
To: mailscanner at lists.mailscanner.info
Message-ID: <489A53F1.5040904 at wingfoot.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Greetings :)

I run a FreeBSD 7.0 server, with postfix 2.5.1.

I have been using amavisd-new for a number of years, with a SQL backend.
Things have gotten kerflucked, and I'm getting tired of amavisd-new
breaking every time they do an update.

So, what I'd like to know is:

1) Does mailscanner support virtual domains?
2) Is there a way for users (virtual and non) to control quarantine
settings and personal white/blacklists?
3) Any hints, or other advice from seasoned vets here? :)

Thanks in advance! :)

Best,
--Glenn

--
...destination is merely a byproduct of the journey
           --Eric Hansen



------------------------------

Message: 11
Date: Thu, 07 Aug 2008 07:12:43 +0200
From: Hugo van der Kooij <hvdkooij at vanderkooij.org>
Subject: Re: Greetings... a current amavisd-new user,   looking into
        MailScanner...
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <489A844B.8060302 at vanderkooij.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Sieb wrote:

| 1) Does mailscanner support virtual domains?

The use of virtual domains has no impact on MailScanner. It just might
make you use more rule files instead of simple lines in the main config.

| 2) Is there a way for users (virtual and non) to control quarantine
| settings and personal white/blacklists?

Not as such. But you might want to check out MailWatch as additional
software.

| 3) Any hints, or other advice from seasoned vets here? :)

The usual. Read the manual and other docs. Build a test server first.
Search the archives. Brush your hair and comb your teeth.

Hugo.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFImoRJBvzDRVjxmYERAhZRAKCq7EgKI6pOwYFL3FSQbFj3wOUa9ACgudSS
oycqWqrNxD2kKi1gnSgwDks=
=FZEh
-----END PGP SIGNATURE-----


------------------------------

Message: 12
Date: Thu, 7 Aug 2008 09:02:01 +0200
From: "Gary Alexander" <garyalex at gmail.com>
Subject: Re: quiet here
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
        <5489f9700808070002jd709094i875ea1e532a209fd at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> While things are quiet, are there any outstanding bugs or feature requests
> that I should be working on?
>
> I'm aiming at a stable release at the start of September if there's nothing
> else huge between now and then. The HTML::Parser protection seems to be
> working okay, and hasn't had a huge speed impact (it never ceases to amaze
> me quite how fast fork() is!).
>
> Jules

Hi There

Speaking of feature requests ... I've noticed some users using 7zip
format for sending mails ... and executables inside getting through
... any plans for adding support for this?

The following linux app currently supports 7zip: http://p7zip.sourceforge.net/

Thanks
Gary

--
Courage is resistance to fear, mastery of fear - not absence of fear.
- Mark Twain


------------------------------

Message: 13
Date: Thu, 07 Aug 2008 09:15:07 +0100
From: Andrew MacLachlan <andrew at gdcon.net>
Subject: Re: Greetings... a current amavisd-new user,   looking into
        MailScanner...
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <489AAF0B.7060408 at gdcon.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hugo van der Kooij wrote:
>
> | 3) Any hints, or other advice from seasoned vets here? :)
>
> The usual. Read the manual and other docs. Build a test server first.
> Search the archives. Brush your hair and comb your teeth.
>
And be nice to your Mum




------------------------------

Message: 14
Date: Thu, 07 Aug 2008 09:45:09 +0100
From: Matt Hampton <spamlists at coders.co.uk>
Subject: Re: Greetings... a current amavisd-new user,   looking into
        MailScanner...
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <489AB615.9030500 at coders.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Andrew MacLachlan wrote:
> Hugo van der Kooij wrote:
>>
>> | 3) Any hints, or other advice from seasoned vets here? :)
>>
>> The usual. Read the manual and other docs. Build a test server first.
>> Search the archives. Brush your hair and comb your teeth.
>>
> And be nice to your Mum
>
<joke>MailScanner causes swapping!</joke>


------------------------------

Message: 15
Date: Thu, 07 Aug 2008 11:49:28 +0200
From: "Ronny T. Lampert" <telecaadmin at gmail.com>
Subject: Re: Greetings... a current amavisd-new user,   looking into
        MailScanner...
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <489AC528.2020108 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On a more serious note, MailScanner was the first "system" I felt was
ready for use in a production environment.
I looked into a lot of stuff and all seemed very pointless and very unclean.

MS is perfect for me when being used with postfix. Print out the manual
so you have all config options ready - you have it up in almost no time
as long as your SMTP server config is stable underneath.

Last advice: be careful with all perl updates!

Cheers,
Ronny


------------------------------



End of MailScanner Digest, Vol 32, Issue 6
******************************************

