mailscanner in ISP

R Wahyudi rwahyudi at gmail.com
Mon Sep 1 17:22:29 IST 2008


Scott Silva wrote:
> on 8-8-2008 2:52 AM ram spake the following:
>> On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote:
>>> Hello all,
>>>
>>> I work in an ISP and we want to install mailscanner to stop OUTBOUND
>>> spam as it's becoming a bottleneck...
>>> I don't have any network metrics, as the guy in charge is out. I'm
>>> thinking 1000000 plus messages/day.
>>>
>>> Questions:
>>> -Does anyone have ideas of the kind of HW solution needed?
Use dedicated outgoing mail servers that handle just outgoing mail -
don't mix outgoing with incoming mail servers.
I would go with clusters of less powerful hardware and do load
balancing instead of having just one or two powerful machines.
This will provide high availability and allows you to stop a server that
is saturated with spam without affecting your service.
>>> -OUTBOUND filtering: It's gonna be *->*. Do you see any problems
Block all outgoing port 25 except to your mail server and ask users to
use SMTP auth if they want to connect to external mail.
This will reduce A LOT of spam coming out of your users. Most worms send
email directly to the internet from the infected host.

I've written an auto-blacklist that will block an IP address that sends more
than 4 spam/virus messages within 5 minutes, ban the IP for 30 minutes, and
automatically remove it after 30 minutes.
If users get blocked they will get an SMTP error message which redirects
them to a website where they can see the reason they got blocked and
which also displays the offending email header as evidence... and at the same time
it allows you to upsell your security product. You can view the rough example here:
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist

Tips for configuring lightweight SA for outgoing mail:
- Remove most of the body checking & reverse IP checking... most of the
time they give false positives, and dropping them will speed up SA
- Skip Bayes
- Use SURBL and increase its score a lot
- Do not use dynamic IP blacklists - most of your users will be on dynamic IPs
- Use Razor/Pyzor and DCC & increase their scores

MTA tips:
- Rate limiting is a must - try policyd if you use Postfix
- Monitor your deferred queue, set up Nagios to beep if you see a spike

Regards,
Rianto Wahyudi
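The auto-blacklist logic described above (more than 4 spam/virus hits from one client IP within 5 minutes, a 30-minute ban that expires on its own, and a reject message that points the user at an explanation page), worked through as an added example. This is not the MailWatch/Postfix code linked in the message; it is an offline simulation in Python with constructed scan results, and the block URL `https://example.invalid/blocked` and the access-map wording are assumed placeholders:

```python
"""Sliding-window auto-blacklist for an outbound MTA (added example).

Each scanned message is fed in as (timestamp, client_ip, verdict).  A client
that exceeds MAX_HITS spam/virus verdicts within WINDOW_SECONDS is banned for
BAN_SECONDS; the ban is dropped automatically once it expires.  The currently
banned clients are rendered as Postfix access(5)-style REJECT lines whose
text points the sender at an explanation page.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 300    # "within 5 minutes"
MAX_HITS = 4            # "more than 4 spam/virus" -> the 5th hit triggers the ban
BAN_SECONDS = 1800      # "ban the IP for 30 minutes"
BLOCK_URL = "https://example.invalid/blocked"   # assumed placeholder URL
BAD_VERDICTS = {"spam", "virus"}


@dataclass
class AutoBlacklist:
    # per-IP timestamps of spam/virus hits inside the sliding window
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    # ip -> timestamp at which the ban expires
    banned_until: dict = field(default_factory=dict)

    def is_banned(self, now, ip):
        """True while a ban is active; expired bans are removed on the way."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]      # automatic removal after 30 minutes
            return False
        return True

    def record(self, now, ip, verdict):
        """Record one scan result. Returns True when this hit triggers a new ban."""
        if verdict not in BAD_VERDICTS or self.is_banned(now, ip):
            return False
        window = self.hits[ip]
        window.append(now)
        # drop hits that fell out of the 5-minute window
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_HITS:
            self.banned_until[ip] = now + BAN_SECONDS
            window.clear()
            return True
        return False

    def access_map(self, now):
        """Postfix access(5)-style lines for the clients banned at `now`."""
        lines = []
        for ip in sorted(self.banned_until):
            if self.is_banned(now, ip):
                lines.append(
                    f"{ip}\tREJECT 554 5.7.1 Blocked for sending spam/virus; "
                    f"see {BLOCK_URL}?ip={ip}"
                )
        return lines


# Constructed scan results: (seconds, client IP, verdict).  Not real data.
EVENTS = [
    (0,    "10.0.0.5", "spam"),
    (60,   "10.0.0.5", "spam"),
    (120,  "10.0.0.5", "clean"),   # clean mail does not count
    (130,  "10.0.0.5", "virus"),
    (200,  "10.0.0.5", "spam"),
    (250,  "10.0.0.5", "spam"),    # 5th hit inside 300 s -> banned until 2050
    (260,  "10.0.0.5", "spam"),    # already banned: not counted again
    (300,  "10.0.0.9", "spam"),
    (700,  "10.0.0.9", "spam"),    # 400 s after the first: window rolled over
    (1000, "10.0.0.9", "spam"),    # only 2 hits in window, no ban
]


def run(events):
    """Replay events; return the blacklist and the list of (time, ip) bans."""
    bl = AutoBlacklist()
    bans = []
    for ts, ip, verdict in events:
        if bl.record(ts, ip, verdict):
            bans.append((ts, ip))
    return bl, bans


if __name__ == "__main__":
    blacklist, triggered = run(EVENTS)
    print("bans:", triggered)
    print("\n".join(blacklist.access_map(1000)))
```

In production the access-map lines would be written to a file and `postmap`ed for a `check_client_access` lookup (or pushed to a policy daemon), and the expiry check would run from cron at the same cadence as the ban length; the message-count threshold and window are the two knobs to tune against your own false-positive rate.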



