mailscanner in ISP

Gerard gerard at seibercom.net
Thu Aug 7 20:24:32 IST 2008


On Thu, 07 Aug 2008 14:39:23 -0300
Leonardo Helman <mailscanner at lists.com.ar> wrote:

>On Thu, 2008-08-07 at 15:33 +0100, Julian Field wrote:
>> 
>> Paulo Roncon wrote:
>> > Hello all,
>> >
>> > I work in an ISP and we want to install mailscanner to stop
>> > OUTBOUND spam as it's becoming a bottleneck... I don't have any
>> > network metrics, as the guy in charge is out. I'm thinking 1000000
>> > plus messages/day.
>> >
>> > Questions:
>> > -Anyone has ideas of the kind of HW solution needed?
>> > -OUTBOUND filtering: It's gonna be *->*. Do you see any problems?
>> > -Which is the fastest configuration possible?
>> > -What pieces of SW should I install (AV, Pyzor, etc,etc)?. I'm
>> > aiming to speed and to block about 85% of spam. I'm not aiming at
>> > near 100% spam free... 
>> I would start with some blacklists at your MTA, such as
>> spamhaus-ZEN. You would be better off putting this into your MTA so
>> you don't accept connections from botnet hosts in the first place.
>> ClamAV with the sanesecurity.co.uk additional signatures will be
>> fast too.
>
>The blacklists are (usually) not very effective
>for the outbound spam (IMHO).
>
>They are your own clients, they are paying for that,
>that is, if you don't have an open relay, and they can't
>send mails directly outside your outbound mta.
>or something like that, the output IP will be the output
>of your own MTA, and all your clients will have a typical
>dynamic ip address (that will eventually change between them),
>so if you blacklist by an external dynamic ip blacklist, you will
>be blacklisting (eventually) the wrong customers.
>
>Here the problem, I think, is a legal problem, what are
>the conditions that the client paid for, and with that
>what you can do to stop them (some ISPs are unwilling to
>ratelimit or things like that).
>
>My first choice would be to set a rate for the outgoing
>mail, so the clients shouldn't spam enough.
>
>That's not always feasible, think big customers without
>IP/MTA, they will send all their "internal communications"
>by your MTA.
>
>So I think my order would be ratelimit, spamtraps, and a good trained
>(rules and/or bayes) spamassassin, lots of scripts to automatically add
>internal ip's to own blacklists

I would be very careful regarding limiting your subscribers' email
transmissions. If you have a known SPAMMer, simply terminate his
contract. However, if you should by accident trap a legitimate message
by a legitimate subscriber, you might very well be liable. Comcast, an
ISP in case you have not heard of them, has had numerous legal problems
with just what you propose. They just lost another case over the limiting
of bandwidth to individual customers. They were scanning and refusing
to transmit messages that they arbitrarily considered SPAM. I was
involved in one such case against them. They have since done an
about-face on the issue. Even blocking incoming mail can be a legal
liability. You might want to consult a legal authority before embarking
on your venture.

-- 
Gerard
gerard at seibercom.net

I'm prepared for all emergencies but
totally unprepared for everyday life.

