Educause Security Discussion mailing list archives

Re: Barracuda Spam Filter


From: Information Security <infosecurity () UTPA EDU>
Date: Wed, 27 Jul 2005 13:35:54 -0500

Dave Koontz wrote:

It was actually pretty easy to spot what it was via sample message headers
someone posted here.  Oddly enough, while flipping through the 'Network
Computing' magazine I received today (July 21st issue) Page WC 6 says...

"Barracuda Networks keeps costs low by using off-the-shelf hardware and open
source applications on a hardened Linux kernel."


I can't remember which licence SA uses but if it's GPL then the Barracuda
software is presumably available.  Although they probably have independent
modules for the quarantine vs the spam detection to limit how much source
they're obliged to give out.

Another interesting product is PMAS (for VMS and some others) which is
clearly a SpamAssassin clone, but apparently was rewritten from scratch to
avoid release under the GPL.  However PMAS's input files appear to be
identical to SA's in format and to a large extent in content.  That's one
way of avoiding the GPL that I'm not morally comfortable with even though I
think it probably obeys the letter of it.  (Although PMAS is a good product,
if you're in the VMS world.  Good quarantine interface - in fact I'm not
aware of any general-purpose freeware quarantine interface worth using - do
tell me if you find one.)

My take on SA is that its default rules and thresholds are way too loose to
be used as-is.  In our system at UTPA, I use SA with a very high threshold
to catch spams that I am very sure are spams (and it only catches about 10%
of the spam this way), but I feed those spams plus others from spamtrap
email addresses into a Bayesian filter (spamprobe - I think it is better
than SA's built-in Bayesian system) as training data.  The latter brings the
recognition up into the 99.X% level, although with greylisting and a small
hand-crafted and double-checked blacklist of corporate spam IP sources, it's
now 99% of hardly anything :-)

The one last hack we need to make it all work is a way of feeding back
corrections: I wrote a dummy IMAP module which you can drop emails on
and they can be picked up in a directory and fed to the Bayesian system.
It's a write-only IMAP server and ignores any username or password you
give it, so client configuration is minimal.

I would *love* to be able to hand out our system as a pre-packaged kit
as easy to install as an appliance.  The one piece of technology which has
been too tricky for me until now is that in order to be configuration-free,
it has to be implemented as a transparent filter at the IP level.  I've
recently come across OpenBSD's pf code and I think that I now know how to
do that under pf, so that project may still come off if I can negotiate
enough time at work to do it.  (Writing spam software is not what I'm
actually paid to do, if you hadn't guessed, but I'd written most of it
before I came here and the University never says no to something free,
especially when it actually works as well ;-)  I would *love* to work in
the antispam area rather than just have it as an occasional hobby...)

Graham
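The two-stage arrangement Graham describes (a rule-based scorer run with a deliberately high threshold so that only near-certain spam is flagged, with those hits plus spamtrap mail used as training data for a Bayesian word classifier that then catches what the rules missed) is sketched below as an added, self-contained example. It is not code from the post, from UTPA's system, from SpamAssassin or from spamprobe: the regex rule table stands in for SpamAssassin's rules, the classifier is a plain multinomial naive Bayes with Laplace smoothing, and every message, rule, score and threshold is constructed for the demonstration.

```python
"""Toy two-stage spam pipeline (added example; not the poster's code).

Stage 1: a rule-based scorer (stand-in for SpamAssassin) with a HIGH
threshold, so its hits are precise enough to use as training labels.
Stage 2: a naive Bayes classifier trained on stage-1 hits + spamtrap mail
(spamtrap addresses receive only spam by definition) + a little known ham.
"""
import math
import re
from collections import Counter

# Constructed rules: (pattern, score). Scores and threshold are made up.
RULES = [
    (re.compile(r"\bviagra\b", re.I), 3.0),
    (re.compile(r"\bfree\b", re.I), 1.5),
    (re.compile(r"\bclick here\b", re.I), 2.5),
    (re.compile(r"\$\d+"), 1.0),
    (re.compile(r"!!+"), 1.0),
]
# Far above a "default" setting: we prefer missing spam at this stage to
# mislabelling ham, because these hits become training data.
HIGH_THRESHOLD = 6.0


def rule_score(text):
    """Stage 1: sum the score of every rule that fires (each fires once)."""
    return sum(score for rx, score in RULES if rx.search(text))


def tokenize(text):
    return re.findall(r"[a-z0-9$]+", text.lower())


class BayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        # The same call serves corrections: drop a misclassified message in
        # with the right label and the estimates move accordingly.
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        total_docs = self.docs["spam"] + self.docs["ham"]
        logp = {}
        for label in ("spam", "ham"):
            prior = (self.docs[label] + 1) / (total_docs + 2)
            n = sum(self.counts[label].values())
            lp = math.log(prior)
            for tok in tokenize(text):
                # +1 in the denominator reserves one pseudo-count slot for
                # tokens never seen in either class.
                lp += math.log((self.counts[label][tok] + 1) / (n + len(vocab) + 1))
            logp[label] = lp
        # Turn the log-odds back into P(spam | text).
        return 1.0 / (1.0 + math.exp(logp["ham"] - logp["spam"]))


# Constructed sample traffic (not real mail).
INBOUND = [
    "Buy viagra now!!! click here for free pills $19",        # stage 1 hit
    "Free money!!! click here $5000 waiting",                # stage 1 hit
    "cheap meds free shipping order today",                  # rules miss it
    "lowest rates refinance your mortgage today best rates",  # rules miss it
    "Meeting moved to 3pm, see agenda attached",
    "Can you review the pf ruleset before Friday?",
]
SPAMTRAP = [
    "cheap meds cheap pills order today free shipping",
    "refinance mortgage best rates lowest rates today",
]
KNOWN_HAM = [
    "agenda for the Friday meeting attached",
    "ruleset review notes, see attached",
]


def bootstrap_filter(inbound, spamtrap, known_ham):
    """Train stage 2 from stage-1 hits, spamtrap mail and known ham."""
    bf = BayesFilter()
    stage1_hits = [m for m in inbound if rule_score(m) >= HIGH_THRESHOLD]
    for m in stage1_hits + list(spamtrap):
        bf.train(m, "spam")
    for m in known_ham:
        bf.train(m, "ham")
    return bf, stage1_hits


def classify_all(inbound, bf, cutoff=0.9):
    """Return (message, P(spam), is_spam) for each message, in order."""
    return [(m, bf.spam_probability(m), bf.spam_probability(m) >= cutoff)
            for m in inbound]


if __name__ == "__main__":
    bf, hits = bootstrap_filter(INBOUND, SPAMTRAP, KNOWN_HAM)
    print("stage 1 flagged %d of %d messages" % (len(hits), len(INBOUND)))
    for msg, p, is_spam in classify_all(INBOUND, bf):
        print("%-5s %.3f  %s" % ("SPAM" if is_spam else "ham", p, msg))
```

Run stand-alone it prints the stage-1 hit count and then a verdict per message; the two messages the rules missed are caught by the Bayesian stage because the spamtrap mail taught it the same vocabulary. The feedback drop Graham describes (a write-only IMAP endpoint whose directory is harvested) corresponds to calling `train` again on the harvested messages with the corrected label.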
