
SurgeMail Spam and Virus protection

SurgeMail offers advanced features to identify undesirable spam email, block virus infected mail and prevent abuse of your mail server by spammers. Incoming mail is scrutinised as shown in the diagram.

Open Relay database check + SPF checks

SurgeMail's integrated and flexible open relay database checking (g_orbs_list) can be used to enforce a server's blacklisting or whitelisting in one or more ORBS databases. In addition, it can be used to mark messages with a header which is then taken into account in the SmiteSpam "SpamDetect rating" calculation. An ORBS database is simply a DNS server that returns a positive response if a server is listed in the database. A variety of online services maintain blacklist databases. Normally you would maintain your own whitelist database that overrides the blacklist listings.

eg 1 - A simple deny of mail from blacklisted servers could be achieved with:

g_orbs_list name="relays.ordb.org" action="deny"

eg 2 - A smarter setup with exceptions for certain IP ranges, a whitelist exception database, a blacklist deny database and useful header-based tagging could be achieved as follows:

g_orbs_exception "127.0.0.*,12.34.56.*"
g_orbs_list name="mywhitedatabase.none" action="accept"
g_orbs_list name="relays.ordb.org" action="deny"
g_orbs_list name="bl.spamcop.net" action="stamp" stamp="spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"

eg 3 - To use the output of header-based ORBS stamping in the ASpam SpamDetect calculation, the following could be used:

g_orbs_list name="relays.ordb.org" action="stamp" stamp="open relay"
g_orbs_list name="my.dialup.database.none" action="stamp" stamp="dialup"

These stamps are matched by the following rules in filter.rul. If you use your own stamp text, place corresponding rules in the local.rul file.

if(rexp_case("X-ORBS-Stamp", "open relay")) then
call spamdetect(4.0, "Sender's IP was on an open relay RBL")
end if

if(rexp_case("X-ORBS-Stamp", "dialup")) then
call spamdetect(4.0, "Sender's IP was on a dialup RBL")
end if
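The ORBS mechanism above (reversed-octet DNS lookup, g_orbs_exception patterns, and the accept/deny/stamp actions with "||remoteip||" substitution) modelled in Python, as an added example that is not SurgeMail's own code. It assumes lists are evaluated top to bottom, that the first list containing the sender's IP decides "accept" or "deny", and that a "stamp" list adds an X-ORBS-Stamp header and lets evaluation continue; the zone names and the resolver contents are constructed so it runs offline.

```python
# Added example, not SurgeMail code: models an ORBS/DNSBL check.
# Assumptions: lists are evaluated top to bottom; the first list that contains the
# sender's IP decides "accept"/"deny"; "stamp" lists add an X-ORBS-Stamp header and
# evaluation continues. The resolver is injected so the example runs offline.
import fnmatch
import socket
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class OrbsList:
    name: str        # DNS zone of the list, e.g. "relays.ordb.org"
    action: str      # "accept", "deny" or "stamp"
    stamp: str = ""  # header text for action="stamp"; "||remoteip||" is substituted


@dataclass
class OrbsResult:
    action: str                                   # "accept", "deny" or "continue"
    reason: str = ""
    headers: List[str] = field(default_factory=list)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 1.2.3.4 in relays.ordb.org
    becomes 4.3.2.1.relays.ordb.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(qname: str) -> bool:
    """Real lookup: a DNSBL answers with an A record when the IP is listed and
    NXDOMAIN when it is not. Not used by the offline demo below."""
    try:
        socket.gethostbyname(qname)
        return True
    except socket.gaierror:
        return False


def check_sender(ip: str, exceptions: str, lists: List[OrbsList],
                 resolver: Callable[[str], bool]) -> OrbsResult:
    # g_orbs_exception: comma-separated wildcard patterns that bypass all lists
    for pattern in exceptions.split(","):
        pattern = pattern.strip()
        if pattern and fnmatch.fnmatchcase(ip, pattern):
            return OrbsResult("continue", f"{ip} matches exception {pattern}")
    result = OrbsResult("continue")
    for lst in lists:
        if not resolver(dnsbl_query_name(ip, lst.name)):
            continue
        if lst.action == "accept":
            return OrbsResult("accept", f"{ip} whitelisted by {lst.name}", result.headers)
        if lst.action == "deny":
            return OrbsResult("deny", f"{ip} blacklisted by {lst.name}", result.headers)
        if lst.action == "stamp":
            result.headers.append("X-ORBS-Stamp: " + lst.stamp.replace("||remoteip||", ip))
    return result


# Constructed offline "DNS": the set of query names that would resolve (i.e. be listed).
LISTED = {
    dnsbl_query_name("198.51.100.7", "relays.ordb.org"),
    dnsbl_query_name("203.0.113.9", "mywhitedatabase.none"),   # whitelisted ...
    dnsbl_query_name("203.0.113.9", "relays.ordb.org"),        # ... and blacklisted
    dnsbl_query_name("203.0.113.10", "bl.spamcop.net"),
}

# The g_orbs_list entries from "eg 2" above, in configuration order.
EXAMPLE_LISTS = [
    OrbsList("mywhitedatabase.none", "accept"),
    OrbsList("relays.ordb.org", "deny"),
    OrbsList("bl.spamcop.net", "stamp",
             "spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"),
]


def demo() -> dict:
    """Run a few constructed sender IPs through the eg 2 configuration."""
    return {ip: check_sender(ip, "127.0.0.*,12.34.56.*", EXAMPLE_LISTS, LISTED.__contains__)
            for ip in ("127.0.0.1", "198.51.100.7", "203.0.113.9", "203.0.113.10", "192.0.2.5")}


if __name__ == "__main__":
    for addr, res in demo().items():
        print(addr, res.action, res.reason, res.headers)
```

Because the whitelist entry comes first, 203.0.113.9 is accepted even though it is also on the deny list, which is the "whitelist overrides blacklist" behaviour the text describes; a stamp-only hit (203.0.113.10) is neither accepted nor denied but carries the X-ORBS-Stamp header that filter.rul can score.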

SPF is a recent mechanism that verifies that the sender is actually allowed to send from the domain they claim to be sending from. This has the potential to reduce a very large amount of worldwide spam. For more information see http://netwinsite.com/spf.htm .

Sender behaviour limitation

SurgeMail has many configuration options to directly block or tarpit users or servers identified as abusing your mail server. The main settings are:

Virus scanner integration

SurgeMail will integrate with any external command line virus scanner that has the option to delete mail if it contains a virus or if the virus scanner can return an error code indicating a virus. However we strongly recommend you use AVAST which is more efficient and less prone to problems under load.

The following commands are available:

If your virus checker is set to automatically scan files as they are written to disk, this option (g_virus_cmd) can be used with the value "do_not_run". SurgeMail will then write the message to disk, wait for the virus checker to process it, and send the message only if the file has not been deleted.

- Surgemail send filter : "nn scan <message file> <envelope file> "

- Filter responds: "nn CLEAN comment " or "nn REJECT comment"

where: nn is a numeric command identification, <message file> is a file containing the email message including all headers, and <envelope file> is a three-line file containing the RCPT address, the MAIL FROM address and the sender's IP address, as follows:

-- start of file --
To: <marijn@destdomain.com>
From: <marijn@sourcedomain.com>
IP: 127.0.0.1
--end of file --

eg.

d:\surgemail\rav8\bin\ravdmail.exe

1 scan c:\temp\test.txt c:\temp\test.env
1 CLEAN c:\temp\test.txt that was a good message
2 scan c:\temp\test.txt c:\temp\test.env
2 REJECT c:\temp\test.txt contained a virus
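The send-filter protocol just described, implemented as an added Python example (not SurgeMail's or RAV's code): it reads "nn scan <message file> <envelope file>" commands, parses the three-line envelope, and answers "nn CLEAN ..." or "nn REJECT ...", always echoing the command id. The scanning engine is a constructed stand-in that flags a message containing the marker string VIRUS-MARKER; paths are assumed to contain no spaces, as in the example above.

```python
# Added example, not SurgeMail or RAV code: a minimal send-filter process speaking the
# "nn scan <message file> <envelope file>" / "nn CLEAN|REJECT comment" protocol.
# The scan itself is a pluggable callable; marker_scan below is a constructed stand-in
# for a real engine. Paths on the command line are assumed to contain no spaces.
import os
import sys
import tempfile
from typing import Callable, Dict, List


def parse_envelope(path: str) -> Dict[str, str]:
    """Read the three-line envelope file (To:, From:, IP:) into a dict."""
    env: Dict[str, str] = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                env[key.strip()] = value.strip()
    for required in ("To", "From", "IP"):
        if required not in env:
            raise ValueError(f"envelope {path} is missing {required}:")
    return env


def marker_scan(message_path: str, env: Dict[str, str]) -> str:
    """Constructed stand-in scanner: returns "" if clean, otherwise a reason."""
    with open(message_path, "rb") as fh:
        data = fh.read()
    if b"VIRUS-MARKER" in data:
        return f"contained a virus (from {env['From']}, ip {env['IP']})"
    return ""


def handle_command(line: str,
                   scan: Callable[[str, Dict[str, str]], str] = marker_scan) -> str:
    """Turn one command line into one response line, echoing the command id."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4 or parts[1].lower() != "scan":
        ident = parts[0] if parts else "0"
        return f"{ident} REJECT unrecognised command"   # fail closed on a malformed request
    ident, _, message_path, envelope_path = parts
    try:
        env = parse_envelope(envelope_path)
        reason = scan(message_path, env)
    except (OSError, ValueError) as exc:
        # A message that could not be scanned is not reported CLEAN.
        return f"{ident} REJECT {message_path} could not be scanned: {exc}"
    if reason:
        return f"{ident} REJECT {message_path} {reason}"
    return f"{ident} CLEAN {message_path} that was a good message"


def demo() -> List[str]:
    """Write a constructed envelope and two messages to a temp dir and run them through."""
    responses = []
    with tempfile.TemporaryDirectory() as tmp:
        env_path = os.path.join(tmp, "test.env")
        with open(env_path, "w", encoding="utf-8") as fh:
            fh.write("To: <marijn@destdomain.com>\nFrom: <marijn@sourcedomain.com>\nIP: 127.0.0.1\n")
        clean = os.path.join(tmp, "clean.txt")
        bad = os.path.join(tmp, "bad.txt")
        with open(clean, "w", encoding="utf-8") as fh:
            fh.write("Subject: hello\n\njust a normal message\n")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("Subject: hi\n\nVIRUS-MARKER attached\n")
        responses.append(handle_command(f"1 scan {clean} {env_path}"))
        responses.append(handle_command(f"2 scan {bad} {env_path}"))
        responses.append(handle_command(f"3 scan {os.path.join(tmp, 'missing.txt')} {env_path}"))
    return responses


if __name__ == "__main__":
    # Filter mode: one command per line on stdin, one response per line on stdout.
    for command in sys.stdin:
        print(handle_command(command), flush=True)
```

Note that an unreadable message or envelope produces a REJECT rather than a CLEAN, so a scanner failure never lets mail through unscanned, which is the failure mode the Avast status warning further down is about.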


This allows you to use most virus scanners as per the following table. Many scanners can be integrated in one of several ways depending on how the scanner is configured. You should double check the virus scanner's documentation to confirm that the error codes given in the examples are still up to date.
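How a g_virus_cmd / g_virus_cmd_codes / g_virus_cmd_sleep set of entries is acted on, as an added Python example that is not SurgeMail's code. It assumes that $FILE$ is replaced by the spooled message path, that an exit status listed in g_virus_cmd_codes (or a scanner that deleted the file, as the -delete/--remove options in the table do) means "infected", that the special value "do_not_run" skips execution and only waits g_virus_cmd_sleep milliseconds before checking whether a real-time scanner removed the file, and, as a choice of this example rather than a documented SurgeMail rule, that an exit status that is neither 0 nor a listed code is reported as an error instead of being treated as clean. The scanners are constructed sh stubs, so it runs on a POSIX system without any engine installed.

```python
# Added example, not SurgeMail code: interpreting a g_virus_cmd configuration.
# Assumptions: $FILE$ -> message path; exit status in g_virus_cmd_codes, or a deleted
# file, means infected; "do_not_run" only sleeps g_virus_cmd_sleep ms and checks
# whether an on-access scanner removed the file; an exit status that is neither 0
# nor a listed code is reported as "error" (this example's choice). POSIX only.
import os
import shlex
import subprocess
import tempfile
import time
from dataclasses import dataclass


@dataclass
class VirusCmdConfig:
    virus_cmd: str             # g_virus_cmd
    virus_cmd_codes: str = ""  # g_virus_cmd_codes, e.g. "3,6,8"
    virus_cmd_sleep: int = 0   # g_virus_cmd_sleep, milliseconds


def parse_codes(codes: str) -> set:
    """Turn the comma-separated g_virus_cmd_codes string into a set of ints."""
    return {int(c) for c in codes.split(",") if c.strip()}


def scan_message(cfg: VirusCmdConfig, message_path: str) -> str:
    """Return "infected", "clean" or "error" for one spooled message file."""
    if cfg.virus_cmd == "do_not_run":
        # Rely on a real-time scanner: give it time, then see whether the file survived.
        time.sleep(cfg.virus_cmd_sleep / 1000.0)
        return "infected" if not os.path.exists(message_path) else "clean"
    # Substitute per argument so a path containing spaces stays one argument.
    argv = [arg.replace("$FILE$", message_path) for arg in shlex.split(cfg.virus_cmd)]
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return "error"
    if proc.returncode in parse_codes(cfg.virus_cmd_codes) or not os.path.exists(message_path):
        return "infected"   # the exit code says so, or the scanner deleted the spooled file
    if proc.returncode == 0:
        return "clean"
    return "error"          # unexpected code: do not silently deliver


def demo() -> dict:
    """Run constructed stub scanners over constructed spooled messages."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def spool(name: str) -> str:
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("Subject: test\n\nconstructed message body\n")
            return path
        # Stub scanners: exit 0 = clean; delete the file and exit 3 = infected (mirrors a
        # -delete/--remove style scanner); exit 99 = a code the configuration does not know.
        clean_cfg = VirusCmdConfig("sh -c 'exit 0' stub $FILE$", "3,6,8")
        infected_cfg = VirusCmdConfig("sh -c 'rm -f \"$1\"; exit 3' stub $FILE$", "3,6,8")
        odd_cfg = VirusCmdConfig("sh -c 'exit 99' stub $FILE$", "3,6,8")
        results["clean"] = scan_message(clean_cfg, spool("a.msg"))
        results["infected"] = scan_message(infected_cfg, spool("b.msg"))
        results["error"] = scan_message(odd_cfg, spool("c.msg"))
        # do_not_run with no real-time scanner present: the file is untouched, so clean.
        results["do_not_run"] = scan_message(VirusCmdConfig("do_not_run", "", 10), spool("d.msg"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the "error" outcome is the one the paragraph above makes: scanner exit codes change between versions, and a code that is not in g_virus_cmd_codes should be investigated rather than assumed to mean clean.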

The table below lists, for each virus scanner, the supported platform and the surgemail.ini entry to use.

Avast (Recommended!)
Windows: Use the web admin tool to enable.
Unix: Available on Linux only.

Comments: Highly recommended, fully integrated for ease of installation and performance. Note: "Avast! for SurgeMail" is based on ALWIL Software antivirus technology.

To enable it, go to the Avast section of the web admin tool (see details), but first purchase the 'Avast' license option from NetWin and re-activate your registration.

ClamAV
Unix:

Note: we recommend Avast for any serious load; it is more efficient and more reliable.

The best way to run ClamAV with SurgeMail is to use the scripts (SCAVS) provided by one of our users. Instructions and downloads can be found at http://www.inoc.net/~dev/surgemail/scavs/

Alternatively you can use the following lines, but on busy systems you could run into problems with too many channels being tied up waiting for ClamAV to finish.

Check the path below using 'whereis clamdscan'; it may be /usr/bin/clamdscan.

Next, in /etc/clamd.conf set clamd to run as user 'mail' and then restart clamd. You will need to set the ownership of the clamd directories to 'mail' too, e.g.

chown -R mail /var/clamav
(do this for all the paths in clamd.conf)
cd /etc/init.d
./clamd stop
./clamd start

g_virus_cmd "/usr/local/bin/clamdscan --stdout --no-summary --remove $FILE$"
or
g_virus_cmd "/usr/bin/clamdscan --stdout --no-summary --remove $FILE$"

g_virus_cmd_codes "1"

Comments: Free, open source, supports many UNIX platforms. Set up the daemon (read the ClamAV instructions).

YOU MUST SET UP THE DAEMON FIRST, or it will still run but be very slow and cause problems for SurgeMail.

Command Antivirus
Windows: *
Unix: g_virus_cmd "/usr/bin/csav -delete $FILE$"
Comments: We recommend Avast for any serious load; it is more efficient and more reliable.
F-Prot (daemon scanning)
Windows: N/A
Unix (daemon mode, not available for Windows):

g_virus_fprot "11200"

Comments: Full daemon support, very fast; the setting is the port the daemon runs on. You must also install the daemon for this to work, see g_virus_fprot.
F-Prot (command line scanning)
Windows:

g_virus_cmd "c:\progra~1\fsi\f-prot\fpcmd.exe $FILE$ /auto /delete /archive /silent"
g_virus_cmd_codes "3,6,8"

Comments: Command line scanning. We recommend Avast for any serious load; it is more efficient and more reliable.
McAfee
Unix:

g_virus_cmd "/usr/local/uvscan/uvscan --analyze --mailbox --mime --program --secure --unzip --noboot --delete $FILE$"
g_virus_cmd_codes "12,13"

Comments: Instructions from a user. We recommend Avast for any serious load; it is more efficient and more reliable.
Norton Antivirus
Demand mode:

g_virus_cmd "c:\program files\navnt\navwnt.exe /noresults $FILE$"
g_virus_cmd_sleep "3000"

Real time scanning (Norton always scanning):

g_virus_cmd "do_not_run"
g_virus_cmd_sleep "3000"

If you already have Norton set up and it scans files as you access them, use the real time scanning option; otherwise use demand mode.

Norton is best avoided for mail servers!

We recommend Avast for any serious load; it is more efficient and more reliable.

Sophos
Windows:

g_virus_cmd "c:\programs\Sophos SWEEP for NT\sav32cli -s -nc -remove -archive $FILE$"
g_virus_cmd_codes "3"

Unix:

g_virus_cmd "/usr/local/bin/sweep -s -nc -remove -archive $FILE$"
g_virus_cmd_codes "3"

Comments: A very well known and respected virus checker that is available for a wide variety of platforms; it is well suited to SurgeMail with its on-demand scanning utility, Sweep.

We recommend Avast for any serious load; it is more efficient and more reliable.

TrendMicro
Windows:

g_virus_cmd "c:\sysclean\vscantm.bin /nbpm /D /Q /NM /NB $FILE$"
g_virus_cmd_codes "1"

Instructions: use this link to find out how to set up Trend for command line scanning:

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=17058

NOD32
Windows: g_virus_cmd "do_not_run"
Unix: *
Comments: We recommend Avast for any serious load; it is more efficient and more reliable.
RAV antivirus for DMAIL
Windows: g_virus_filter cmd="c:\surgemail\rav8\bin\ravdmail.exe"
Unix: g_virus_filter cmd="/opt/rav/bin/ravdmail" type=""
Comments: RAV is no longer being sold as a product (this entry is here for the benefit of existing RAV users).

* This configuration has not been explicitly tested. If you have experience with a virus scanner that is not listed here please let us know so we can help others in their server configuration efforts.

Avast status warning: n MESSAGES FAILED TO BE SCANNED AND BLOCKED

If you receive this warning on the advanced status page, it means that you are running Avast antivirus and an error condition was encountered that prevented a message from being scanned. The message will have been bounced and stored as avast_failureNN.msg for analysis.

You should first check that you do not have another realtime filesystem level virus scanner installed (such as Norton Antivirus). If you do, you need to prevent the avast temp directory ("_avast4_") from getting scanned. You will find this somewhere in a Windows temp folder like c:\windows\TEMP\_avast4_.

If you have checked the above and continue to receive this error, please report it to surgemail-support@netwinsite.com so that appropriate action can be taken (i.e. NetWin will report the problem to ALWIL Software).

ASpam anti spam system

SurgeMail has built in support for Aspam. This is a message "spamminess" scoring system based on the sum of the following:

- Customisable rule database maintained by NetWin staff. This is approx 60% accurate on common spam.
- Auto-training database of recent messages that "look like spam", based on poly- and multi-symbol statistical word matching. Approx 90% effective if no local training is done, approx 99% effective if local training is done.
- Auto-training database of recent messages that "look like spam", based on message parameters such as URL content. Approx 40% effective if no local training is done, approx 99.5% effective on trained data.
- Catcher addresses that should never receive genuine mail; any mail received on these addresses is known to come from a spammer.
- Optional modification of the score based on ORBS and SPF checks.

The auto-training databases consist of a base set of rules maintained at netwinsite.com, combined with local training based on messages submitted by the users of your system as uncaught spam or as false positives.

Based on this "SpamDetect score", messages can be filtered at a server-wide level or at a per-user level, allowing individual users to fully customise their filtering and set up a totally customised "personal antispam policy" based on their chosen level of spam 'tolerance'.

External message filtering

SurgeMail has the ability to have an external process filter messages using the g_filter_pipe command. This is particularly useful as a mechanism to integrate additional external spam detection and prevention tools.

These external tools will typically do the same as SmiteSpam: mark suspect messages and allow the user (or sysadmin) to select what to do with the messages identified as spam.

Example: integration with SpamAssassin (on UNIX) could be achieved as follows:

g_filter_pipe "/usr/local/bin/spamassassin -P"

Advanced mail rules

Using elaborate rules, customised policies can be set up for mail forwarding, archiving and filtering. Filtering will typically be used to limit mail based on content or subject matter. An alternative use for filtering is to take some form of action on messages identified as spam by SmiteSpam or by external spam identification filters.

SurgeMail supports Mfilter based mail filtering, and for backward compatibility DMail filters.

Basic Mfilter rules can be configured from the Spam Filter Rules link on the global settings page of the Web Admin interface. Mfilter rules can be very elaborate, and in that case it is necessary to edit the mfilter.rul file directly. See the Mfilter manual page for more information on Mfilter syntax.

eg: this could allow you to set up policies that

Friends only system

The friends-only system is a challenge-response system allowing users to opt to receive messages only from friends. Non-friends are automatically questioned to determine if they are human. All mail from non-friends is held pending on the server until the user decides what to do with it. Status reports are sent to the user on a regular basis to provide information on the Friends system and any mail pending delivery.

Further information on configuring the friends system.