Educause Security Discussion mailing list archives

Re: Outbound spam filtering


From: Rich Graves <rgraves () CARLETON EDU>
Date: Thu, 5 Jan 2012 12:53:17 -0600


What criteria do you use to filter outbound e-mail? 


Rate-limiting and antivirus at the edge SMTP server. With few exceptions, all outbound email is forced through this 
server. SpamAssassin content filtering for outbound webmail only. 



How do you handle NDR reports back to the senders? 


For outbound webmail, content exceeding a very high score is silently dropped, with notice only to a mailbox I check 
rarely. Zimbra would retain the message for two weeks. I've never seen a message dropped in 5 years. The main reason 
it's scanned is that outbound email content contributes to Bayes learning. 


For rate-limiting and antivirus, NDRs are not applicable; milters send errors inline. I would not consider a two-pass 
system like the Barracuda's for my network. Carleton actually had a Barracuda once, but after it stopped forwarding 
mail (but continued to accept it) and Barracuda tech support bricked the system and lied about it, refusing to help us 
retrieve 13 hours' inbound email, I was able to void the warranty, extract the postfix queue, and return the hardware. 
They sent me a T-shirt. 




Assuming that a Barracuda device is going to be used: provided that you terminate authenticated SMTP at the Barracuda 
or otherwise make it so that email is highly unlikely to be forged, I would support sending NDRs to your .edu only, 
for messages originating from your authenticated senders only. If you are unable to apply all of those constraints, 
please leave NDRs and "quarantine notifications" off. My users get a lot of "quarantine notifications" from low-end 
antispam devices (mostly not Barracudas) about obviously forged email. Don't contribute to the problem. 



Do you have any published policies related to your outbound spam filtering? 

Terse notes on rate-limiting only. 

https://wiki.carleton.edu/display/itskb/Email+Limits 
-- 

Rich Graves http://claimid.com/rcgraves 
Carleton.edu Sr UNIX and Security Admin 
CMC135: 507-222-7079 Cell: 952-292-6529 
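
The NDR constraints described in the message above (authenticated senders only, notices to your own domain only), written out as an added example that is not part of the original post. The domain `example.edu`, the `Rejected` record and its field names are assumptions made for illustration.

```python
# Added illustration, not code from the original message.
# LOCAL_DOMAIN and the Rejected fields are hypothetical names.
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = "example.edu"  # placeholder for "your .edu"


@dataclass
class Rejected:
    envelope_from: str        # SMTP MAIL FROM (return path); "" or "<>" is the null sender
    auth_user: Optional[str]  # identity from SMTP AUTH, or None if the session was unauthenticated


def in_local_domain(addr: str, domain: str = LOCAL_DOMAIN) -> bool:
    """True only for the exact domain or a real subdomain, case-insensitively."""
    addr = addr.strip().strip("<>")
    if addr.count("@") != 1:
        return False
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Require a leading dot so "notexample.edu" and
    # "example.edu.evil.test" do not pass as local.
    return host == domain or host.endswith("." + domain)


def ndr_decision(msg: Rejected) -> str:
    """Return 'ndr' only when every constraint holds, otherwise 'no-ndr'."""
    sender = msg.envelope_from.strip()
    if sender in ("", "<>"):
        return "no-ndr"  # null return path: never answer a bounce with a bounce
    if not msg.auth_user:
        return "no-ndr"  # unauthenticated: the return path may be forged
    if not in_local_domain(sender):
        return "no-ndr"  # notices stay inside the local domain
    return "ndr"


# Constructed sample records, not real traffic.
SAMPLES = [
    Rejected("alice@example.edu", "alice"),
    Rejected("alice@example.edu", None),
    Rejected("bob@example.edu.evil.test", "bob"),
    Rejected("carol@notexample.edu", "carol"),
    Rejected("<>", "dave"),
    Rejected("Erin@Mail.Example.EDU", "erin"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.envelope_from!r:32} auth={s.auth_user!r:8} -> {ndr_decision(s)}")
```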
