SurgeMail Spam and Virus protection
SurgeMail offers advanced features to identify undesirable spam email, block virus-infected mail and prevent abuse of your mail server by spammers. Incoming mail passes through the checks described in the following sections.
Open Relay database check + SPF checks
SurgeMail's integrated and flexible open relay database checking (g_orbs_list) can be used to enforce a server's blacklisting or whitelisting in one or more ORBS databases. In addition, it can mark messages with a header which is then taken into account in the ASpam "SpamDetect rating" calculation. An ORBS database is simply a DNS server that returns a positive response if a server is listed in the database. A variety of services are available online that maintain blacklist databases. Normally you would maintain your own whitelist database that overrides the blacklist listings; list it before any deny entry, as in example 2 below, so that a whitelisted server is accepted before the deny databases are consulted. Note that relays.ordb.org is used in these examples for illustration only: that service has since shut down, and a defunct list can start answering positively for every query, so verify that a database is still operated before attaching a deny action to it.
eg 1 - A simple deny of mail from blacklisted servers could be achieved with:
g_orbs_list name="relays.ordb.org" action="deny"
eg 2 - A smarter setup with exceptions for certain IP ranges, a whitelist exception database, a blacklist deny database and useful header-based tagging could be achieved as follows:
g_orbs_exception "127.0.0.*,12.34.56.*"
g_orbs_list name="mywhitedatabase.none" action="accept"
g_orbs_list name="relays.ordb.org" action="deny"
g_orbs_list name="bl.spamcop.net" action="stamp" stamp="spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"
eg 3 - To use the output of header-based ORBS stamping in the ASpam SpamDetect calculation the following could be used:
g_orbs_list name="relays.ordb.org" action="stamp" stamp="open relay"
g_orbs_list name="my.dialup.databse.none" action="stamp" stamp="dialup"
These entries are matched by the following rules in filter.rul. If you use your own stamp text you would place corresponding entries in the local.rul file.
if(rexp_case("X-ORBS-Stamp", "open relay")) then
call spamdetect(4.0, "Sender's IP was on an open relay RBL")
end if
if(rexp_case("X-ORBS-Stamp", "dialup")) then
call spamdetect(4.0, "Sender's IP was on a dialup RBL")
end if
SPF is a recent mechanism that verifies that the sender is actually allowed to send from the domain they claim to be sending from. This has the potential to reduce a very large amount of worldwide spam. For more information see http://netwinsite.com/spf.htm .
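The following is an added example (not SurgeMail's own code) showing what an ORBS/DNSBL lookup actually does and how the entries of example 2 above are applied in order: the client IP's octets are reversed and looked up as an A record under the list's zone, an exception pattern skips all checks, an "accept" hit overrides later "deny" entries, and a "stamp" hit only adds an X-ORBS-Stamp header with ||remoteip|| substituted. It also includes the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) that catches a defunct list answering positively for everything. The DNS resolver is a constructed in-memory table so the example runs offline; the zone names, listed addresses and the FAKE_DNS contents are assumptions for illustration.

```python
"""Added example: ORBS/DNSBL lookup and ordered g_orbs_list policy (not SurgeMail code)."""
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS: query name -> A record answer (None/absent = NXDOMAIN).
FAKE_DNS: Dict[str, str] = {
    "4.3.2.1.relays.ordb.org": "127.0.0.2",        # 1.2.3.4 listed as an open relay
    "8.7.6.5.relays.ordb.org": "127.0.0.2",        # 5.6.7.8 listed as an open relay ...
    "8.7.6.5.mywhitedatabase.none": "127.0.0.2",   # ... but also on our own whitelist
    "9.9.9.9.bl.spamcop.net": "127.0.0.2",         # 9.9.9.9 reported to spamcop
    "2.0.0.127.relays.ordb.org": "127.0.0.2",      # RFC 5782 test entry: 127.0.0.2 is listed
    "2.0.0.127.defunct.example": "127.0.0.2",      # a dead list that now answers for everything
    "1.0.0.127.defunct.example": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Constructed stand-in for a DNS A lookup of `name`."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver = fake_resolve) -> bool:
    """True if the list answers for `ip`. DNSBLs answer in 127.0.0.0/8; ignore anything else."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def zone_is_sane(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 check: a live list must list 127.0.0.2 and must NOT list 127.0.0.1."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


# Policy equivalent to example 2 above; order matters.
ORBS_EXCEPTIONS = ["127.0.0.*", "12.34.56.*"]
ORBS_LIST = [
    {"name": "mywhitedatabase.none", "action": "accept"},
    {"name": "relays.ordb.org", "action": "deny"},
    {"name": "bl.spamcop.net", "action": "stamp",
     "stamp": "spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"},
]


def check_sender(ip: str, policy=ORBS_LIST, exceptions=ORBS_EXCEPTIONS,
                 resolve: Resolver = fake_resolve) -> Tuple[str, List[str]]:
    """Return ("accept"|"deny", headers_to_add) for a connecting IP."""
    headers: List[str] = []
    # g_orbs_exception: these ranges are never looked up at all.
    if any(fnmatch.fnmatchcase(ip, pat) for pat in exceptions):
        return "accept", headers
    for entry in policy:
        if not is_listed(ip, entry["name"], resolve):
            continue
        if entry["action"] == "accept":      # whitelist hit: stop, ignore later deny lists
            return "accept", headers
        if entry["action"] == "deny":        # blacklist hit: refuse the connection/message
            return "deny", headers
        if entry["action"] == "stamp":       # tag only; filter.rul rules score the header later
            headers.append("X-ORBS-Stamp: " + entry["stamp"].replace("||remoteip||", ip))
    return "accept", headers


if __name__ == "__main__":
    for test_ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9", "12.34.56.78", "10.0.0.1"):
        print(test_ip, check_sender(test_ip))
    for z in ("relays.ordb.org", "defunct.example"):
        print(z, "sane" if zone_is_sane(z) else "NOT sane, do not use for deny")
```

Run zone_is_sane against every zone you put in a deny entry before trusting it: a list that fails the 127.0.0.1 check will deny all of your inbound mail.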
Sender behaviour limitation
SurgeMail has many configuration options to directly block or tarpit users or servers identified as abusing your mail server. The main settings are:
- g_deny - Deny users from some IP ranges
- g_ban_rcpt - Ban any matching RCPT TO: envelope
- g_ban_from - Ban any matching MAIL FROM: envelope
- g_ban_helo - Ban any machine that gives a matching 'helo' string
- g_tarpit_max - Max recipients per hour from one IP
- g_bomb_max - Max messages to a single address per hour
- g_max_bad_to - Max bad recipients in a row
- g_con_perip - Max simultaneous connections per IP
Virus scanner integration
SurgeMail will integrate with any external command line virus scanner that can either delete a mail file containing a virus or return an error code indicating a virus. However, we strongly recommend AVAST, which is more efficient and less prone to problems under load.
The following commands are available:
- g_virus_cmd - Command line virus checker to run on the MIME encoded parts of the message. The external virus checker is run once for each MIME encoded part of the message and once for the whole message.
If your virus checker is set to automatically scan files as they are written to disk, this option can be given the value "do_not_run". SurgeMail will then write the message to disk, wait for the virus checker to process it, and send the message only if the file has not been deleted.
- g_virus_cmd_codes - This lets SurgeMail listen to the return codes from g_virus_cmd; if the return code matches one specified in this setting, the message is assumed to contain a virus and is rejected. This is often more reliable than detecting by file deletion alone, as some virus scanners do things a bit differently. Also, a lot of scanners won't delete archives containing viruses, so this is the best way if your scanner supports it. Note that a return code not in the list (for example a scanner's own error code) is not treated as a virus, so check the scanner's documented codes carefully.
- g_virus_filter - SurgeMail's primary antivirus interface. This allows you to run one or more virus checkers or filters that take commands on stdin and respond on stdout using a simple line-based syntax:
- SurgeMail sends the filter: "nn scan <message file> <envelope file>"
- The filter responds: "nn CLEAN comment" or "nn REJECT comment"
where nn is a numeric command identification, the message file is a file containing the email message including all headers, and the envelope file is a three-line file containing the RCPT address, the MAIL FROM address and the sender's IP address, as follows:
-- start of file --
To: <marijn@destdomain.com>
From: <marijn@sourcedomain.com>
IP: 127.0.0.1
--end of file --
eg. (the first line is the filter being launched; the remaining lines alternate between a request from SurgeMail and the filter's response, which echoes the request's nn):
d:\surgemail\rav8\bin\ravdmail.exe
1 scan c:\temp\test.txt c:\temp\test.env
1 CLEAN c:\temp\test.txt that was a good message
2 scan c:\temp\test.txt c:\temp\test.env
2 REJECT c:\temp\test.txt contained a virus
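Below is an added example, not SurgeMail's or any vendor's code, of a g_virus_filter program that speaks the "nn scan <message file> <envelope file>" / "nn CLEAN|REJECT comment" protocol just described. Its verdict is derived the way the g_virus_cmd and g_virus_cmd_codes settings work: it runs a command line scanner with $FILE$ substituted, then treats a listed exit code, a deleted file, or a hung scanner as "infected". The scanner it runs is a constructed stand-in (a Python one-liner that exits 1 when the file contains the EICAR test string) so the example runs offline; STANDIN_SCANNER, STANDIN_VIRUS_CODES and the sample messages in demo() are assumptions, and file paths are assumed not to contain spaces, as in the example session above.

```python
"""Added example: a g_virus_filter-style scanner front end (not SurgeMail code)."""
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Set, Tuple

# EICAR test string, concatenated so this source file is not itself flagged.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed stand-in for a real scanner command: "$FILE$" is replaced with the path,
# exactly as in a g_virus_cmd value. Exit 1 means "virus found", like clamdscan.
STANDIN_SCANNER: List[str] = [
    sys.executable, "-c",
    "import sys; sys.exit(1 if b'EICAR-STANDARD' in open(sys.argv[1], 'rb').read() else 0)",
    "$FILE$",
]
STANDIN_VIRUS_CODES: Set[int] = {1}   # what you would put in g_virus_cmd_codes for it


def scan_file(path: str, cmd: List[str] = STANDIN_SCANNER,
              virus_codes: Set[int] = STANDIN_VIRUS_CODES, timeout: float = 60) -> Tuple[bool, str]:
    """Return (infected, reason) using the g_virus_cmd / g_virus_cmd_codes conventions."""
    argv = [arg.replace("$FILE$", path) for arg in cmd]
    try:
        rc = subprocess.run(argv, capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return True, "scanner timed out"       # fail closed: never pass unscanned mail
    if rc in virus_codes:
        return True, f"scanner exit code {rc}"
    if not os.path.exists(path):
        return True, "scanner deleted the file"  # scanners configured with -remove/-delete
    return False, f"scanner exit code {rc}"


def parse_envelope(path: str) -> Dict[str, str]:
    """Parse the three-line envelope file (To:, From:, IP:) into a dict."""
    env: Dict[str, str] = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                env[key.strip()] = value.strip()
    return env


def handle_request(line: str) -> str:
    """Handle one 'nn scan <msg> <env>' request line and return the response line."""
    parts = line.strip().split(None, 3)
    if len(parts) != 4 or parts[1].lower() != "scan":
        return f"{parts[0] if parts else '?'} REJECT malformed request"
    nn, _, msg_path, env_path = parts
    env = parse_envelope(env_path)
    infected, reason = scan_file(msg_path)
    who = f"from {env.get('From', '?')} at {env.get('IP', '?')}"
    verdict = "REJECT" if infected else "CLEAN"
    return f"{nn} {verdict} {msg_path} {reason} ({who})"


def serve() -> None:
    """Protocol loop: one request per stdin line, one response per stdout line."""
    for line in sys.stdin:
        if line.strip():
            sys.stdout.write(handle_request(line) + "\n")
            sys.stdout.flush()   # the server waits for this line before sending the next


def demo() -> List[str]:
    """Constructed end-to-end run: one clean message and one EICAR message."""
    out: List[str] = []
    with tempfile.TemporaryDirectory() as d:
        env, clean, bad = (os.path.join(d, n) for n in ("test.env", "clean.txt", "bad.txt"))
        with open(env, "w") as fh:
            fh.write("To: <marijn@destdomain.com>\nFrom: <marijn@sourcedomain.com>\nIP: 127.0.0.1\n")
        with open(clean, "w") as fh:
            fh.write("Subject: hello\n\nthat was a good message\n")
        with open(bad, "w") as fh:
            fh.write("Subject: test\n\n" + EICAR + "\n")
        out.append(handle_request(f"1 scan {clean} {env}"))
        out.append(handle_request(f"2 scan {bad} {env}"))
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--serve":
        serve()            # run this way from g_virus_filter cmd="..."
    else:
        print("\n".join(demo()))
```

The timeout and the "file deleted" branch both resolve to REJECT on purpose: a scanner that hangs or crashes should bounce the message for analysis (as the Avast failure handling below does) rather than let it through unscanned.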
This allows you to use most virus scanners as per the following table. Many scanners can be integrated in one of several ways depending on how the scanner is configured. Double check the scanner's documentation to confirm that the error codes given in the examples are still up to date. For any serious load we recommend Avast; it is more efficient and more reliable than the command line integrations listed below.

Virus scanner / Platform / Scanner (surgemail.ini entry) / Comments

Avast (Recommended!)
Windows: use the web admin tool to enable.
Unix: available on Linux only.
Comments: Highly recommended, fully integrated for ease of installation and performance. Note: "Avast! for SurgeMail" is based on ALWIL Software antivirus technology. To enable it, go to the Avast section of the web admin tool (see details), but first purchase the 'Avast' license option from NetWin and re-activate your registration.

ClamAV
Unix: The best way to run ClamAV with SurgeMail is to use the scripts (SCAVS) provided by one of our users. Instructions and downloads can be found at http://www.inoc.net/~dev/surgemail/scavs/
Alternatively you can use the following lines, but on busy systems you could run into problems with too many channels being tied up waiting for ClamAV to finish.
Check the path below using 'whereis clamdscan'; it may be /usr/bin/clamdscan.
Next, in /etc/clamd.conf set clamd to run as user 'mail', set the ownership of the clamd directories to 'mail' too (do this for all the paths in clamd.conf), and then restart clamd, e.g.
chown -R mail /var/clamav
cd /etc/init.d
./clamd stop
./clamd start
g_virus_cmd "/usr/local/bin/clamdscan --stdout --no-summary --remove $FILE$"
or
g_virus_cmd "/usr/bin/clamdscan --stdout --no-summary --remove $FILE$"
g_virus_cmd_codes "1"
Comments: Free, open source, supports many UNIX platforms. Set up the daemon (read the ClamAV instructions). YOU MUST SET UP THE DAEMON FIRST, or scanning will still run but be very slow and cause problems for SurgeMail. Note that clamdscan exits 1 when a virus is found but 2 on error (for example when clamd is not running); with g_virus_cmd_codes "1" an error is not treated as a virus, so monitor clamd or messages will pass unscanned.

Command Antivirus
Windows: *
Unix: g_virus_cmd "/usr/bin/csav -delete $FILE$"

F-Prot (daemon scanning)
Windows: N/A (daemon mode is not available for Windows)
Unix: g_virus_fprot "11200"
Comments: Full daemon support, very fast; the setting is the port the daemon runs on. You must also install the daemon for this to work, see g_virus_fprot.

F-Prot (command line scanning)
Windows: g_virus_cmd "c:\progra~1\fsi\f-prot\fpcmd.exe $FILE$ /auto /delete /archive /silent"
g_virus_cmd_codes "3,6,8"
Comments: Command line scanning.

McAfee
Unix: g_virus_cmd "/usr/local/uvscan/uvscan --analyze --mailbox --mime --program --secure --unzip --noboot --delete $FILE$"
g_virus_cmd_codes "12,13"
Comments: Instructions from a user.

Norton Antivirus
Windows (demand mode): g_virus_cmd "c:\program files\navnt\navwnt.exe /noresults $FILE$"
g_virus_cmd_sleep "3000"
Windows (real time scanning, always scanning): g_virus_cmd "do_not_run"
g_virus_cmd_sleep "3000"
Comments: If you already have Norton set up and it scans files as you access them, use the real time scanning option; otherwise use demand mode. Norton is best avoided for mail servers!

Sophos
Windows: g_virus_cmd "c:\programs\Sophos SWEEP for NT\sav32cli -s -nc -remove -archive $FILE$"
g_virus_cmd_codes "3"
Unix: g_virus_cmd "/usr/local/bin/sweep -s -nc -remove -archive $FILE$"
g_virus_cmd_codes "3"
Comments: A very well known and respected virus checker that is available for a wide variety of platforms; well suited to SurgeMail with its on-demand scanning utility, Sweep.

Trend
Windows: g_virus_cmd "c:\sysclean\vscantm.bin /nbpm /D /Q /NM /NB $FILE$"
g_virus_cmd_codes "1"
Instructions: use this link to find out how to set up Trend for command line scanning: http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=17058

NOD32
Windows: g_virus_cmd "do_not_run"
Unix: *

RAV antivirus for DMAIL
Windows: g_virus_filter cmd="c:\surgemail\rav8\bin\ravdmail.exe"
Unix: g_virus_filter cmd="/opt/rav/bin/ravdmail" type=""
Comments: RAV is no longer being sold as a product (this is here for the benefit of existing RAV users).

* This configuration has not been explicitly tested. If you have experience with a virus scanner that is not listed here please let us know so we can help others in their server configuration efforts.
Avast status warning: n MESSAGES FAILED TO BE SCANNED AND BLOCKED
If you receive this warning on the advanced status page it means that you are running Avast antivirus and an error condition was encountered that prevented a message from being scanned. The message will have been bounced and stored as avast_failureNN.msg for analysis.
You should first check that you do not have another real-time filesystem-level virus scanner installed (such as Norton Antivirus). If you do, you need to exclude the Avast temp directory ("_avast4_") from that scanner. You will find it somewhere in a Windows temp folder such as c:\windows\TEMP\_avast4_.
If you have checked the above and continue to receive this error, please report it to surgemail-support@netwinsite.com so that appropriate action can be taken (i.e. NetWin will report the problem to ALWIL Software).
ASpam anti spam system
SurgeMail has built-in support for ASpam. This is a message "spamminess" scoring system based on the sum of the following:
- A customisable rule database maintained by NetWin staff. This is approx 60% accurate on common spam.
- An auto-training database of recent messages that "look like spam", based on poly- and multi-symbol statistical word matching. Approx 90% effective if no local training is done, approx 99% effective if local training is done.
- An auto-training database of recent messages that "look like spam", based on message parameters such as URL content. Approx 40% effective if no local training is done, approx 99.5% effective on trained data.
- Catcher addresses that should never receive genuine mail; if mail is received at one of these addresses the sender is a known spammer.
- Optional modification of the score based on ORBS and SPF checks.
The auto-training databases consist of a base set of rules maintained at netwinsite.com combined with local training based on messages submitted by the users of your system as uncaught spam or as false positives.
Based on this "SpamDetect score", messages can be filtered at a server-wide level or at a per-user level, allowing individual users to fully customise their filtering and set up a totally customised "personal antispam policy" based on their chosen level of spam 'tolerance'.
External message filtering
SurgeMail can have an external process filter messages using the g_filter_pipe setting. This is particularly useful as a mechanism to integrate additional external spam detection and prevention tools.
These external tools will typically do the same as SmiteSpam: mark suspect messages and allow the user (or sysadmin) to select what to do with the messages identified as spam.
Example: integration with SpamAssassin (on UNIX) could be achieved as follows:
g_filter_pipe "/usr/local/bin/spamassassin -P"
Advanced mail rules
Using elaborate rules, customised policies can be set up for mail forwarding, archiving and filtering. Filtering will typically be used to limit mail based on content or subject matter. An alternative use for filtering is to take some form of action on messages identified as spam by SmiteSpam or by external spam identification filters.
SurgeMail supports Mfilter-based mail filtering and, for backward compatibility, DMail filters.
Basic Mfilter rules can be configured from the Spam Filter Rules link on the global settings page of the Web Admin interface. Mfilter rules can be very elaborate, in which case it is necessary to edit the mfilter.rul file directly. See the Mfilter manual page for more information on Mfilter syntax.
eg: this could allow you to setup policies that
- Bounce all mail with undesirable subject matter in subject line or body
- Drop or bounce mail that has been identified as almost certainly spam by a spam detection system
Friends only system
The friends only system is a challenge-response system allowing users to opt to receive messages only from friends. Non-friends are automatically challenged to determine whether they are human. All mail from non-friends is held pending on the server until the user decides what to do with it. Status reports are sent to the user on a regular basis with information on the Friends system and any mail pending delivery.
Further information on configuring the friends system.