nanog mailing list archives

Re: email scannering / filtering


From: Grant Taylor via NANOG <nanog () nanog org>
Date: Fri, 14 Dec 2018 11:39:46 -0700

On 12/14/18 4:30 AM, David Funderburk wrote:
> What open source email filtering system is working well for you?

 - Sendmail
 - SpamAssassin
 - ClamAV
 - OpenDKIM
 - OpenDMARC
 - SPFmilter
 - NoListing (a variant of Grey Listing that has worked exceedingly well for me.)
 - Junk Email Filter MX tricks (also works very well for me)
 - Reverse Path route filters

Most of this is fairly stock configuration. I have put some custom rules in SpamAssassin for various reasons. Email me directly if you want particulars.



On 12/14/18 10:36 AM, Rich Kulawiec wrote:
> I've been studying email abuse for a very long time, and am writing a book about defending against it with open-source tools.

I'll be interested to learn more about your book.

Will you share any details so that I can keep an eye out for it?

 - Title
 - Release date
 - Publisher

> One of the things that I've learned over those decades is that while some measures make sense for everyone, one size does not fit all, and that it's critical to understand the mail stream that's being presented before trying to design and build systems to deal with it. Everyone's legitimate email looks different. Everyone's abusive email looks different. It's not possible to figure out how to cope with these things until you measure them.
>
> Nor is it possible until you understand the operational requirements, which again, are different for everyone. Joe's Donuts in Dubuque probably isn't going to be receiving messages at its "orders" address from Peru or Pakistan, for example, so any incoming traffic like that is almost certainly misdirected (at best) or abusive. On the other hand, Michigan State University will probably receive legitimate traffic from all the world, including Peru and Pakistan.

I largely agree with both of those statements.

> So while I could answer your question by telling you what I use, that doesn't mean that it would work for you. It *might*, and after a fashion, it probably would -- but it's highly unlikely that it's anything close to optimal for your environment. There's a fair amount of homework that needs to be done to figure that out.

Sure. But sharing what you're using and your perceived Pros and Cons does provide data for someone to consume while pontificating what will likely suit them the best.

> One more thing. There are a number of things that some people do in their email systems which are worst practices -- things that exacerbate the problem. For example, "quarantines" or "spam folders" are a profoundly horrible idea that should never be deployed. (Ask RSA how that's working out for them.) Avoid these.

I think that there is a time and a place for both quarantining and spam folders. I use quarantining to gate email into and out of a lab / sandbox environment. I know that nothing will flow without me releasing a quarantine. This allows me to feel comfortable testing various MTAs without worrying that email will flow when I have not approved it. Devices on either side speak SMTP just like they want to and believe that the messages are the responsibility of an intermediate server. IMHO it works great.

I also think that spam folders do have a use. They provide a way for messages that seem spammy to be isolated from the main inbox while still making them available to end users. (I'm talking about mail boxes accessed via IMAP where it's easy to see both Inbox and Junk.)



--
Grant. . . .
unix || die

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
