Educause Security Discussion mailing list archives
Re: Outbound spam filtering
From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 5 Jan 2012 12:53:17 -0600
What criteria do you use to filter outbound e-mail?
Rate-limiting and antivirus at the edge SMTP server. With few exceptions, all outbound email is forced through this server. SpamAssassin content filtering for outbound webmail only.
How do you handle NDR reports back to the senders?
For outbound webmail, content exceeding a very high score is silently dropped, with notice only to a mailbox I check rarely. Zimbra would retain the message for two weeks. I've never seen a message dropped in 5 years. The main reason it's scanned is that outbound email content contributes to bayes learning.
For rate-limiting and antivirus, NDRs are not applicable; milters send errors inline.
I would not consider a two-pass system like the Barracuda's for my network. Carleton actually had a Barracuda once, but after it stopped forwarding mail (but continued to accept it) and Barracuda tech support bricked the system and lied about it, refusing to help us retrieve 13 hours' inbound email, I was able to void the warranty, extract the postfix queue, and return the hardware. They sent me a T-shirt.
Assuming that a Barracuda device is going to be used: provided that you terminate authenticated SMTP at the Barracuda or otherwise make it so that email is highly unlikely to be forged, I would support sending NDRs to your .edu only, for messages originating from your authenticated senders only. If you are unable to apply all of those constraints, please leave NDRs and "quarantine notifications" off. My users get a lot of "quarantine notifications" from low-end antispam devices (mostly not Barracudas) about obviously forged email. Don't contribute to the problem.
Do you have any published policies related to your outbound spam filtering?
Terse notes on rate-limiting only. https://wiki.carleton.edu/display/itskb/Email+Limits
--
Rich Graves
http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529