Mailing List CGatePro@mail.stalker.com Message #92135
From: Urban Loesch <bind@enas.net>
Subject: Re: PDF Spam
Date: Fri, 10 Aug 2007 09:16:38 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hi,

We have the same setup as you and sometimes the same problem with mails being delivered directly to CGPro.
We have the problem with some customers, not all. Closing port 25 or forcing SMTP AUTH is not an option for us.

Therefore I have implemented a user-specific rule for each customer who has the problem:
CGPro checks SPF records on all incoming mail, but not on all outgoing or locally delivered mail.
I changed the SPF setting to "Add-Header", so each incoming mail gets a specific SPF header before it is delivered to the user mailbox.

So I activated the following rule on the customer's mailbox:

Header Field   not in   "*our.mailgate.wy*"
Header Field   in       "*Received-SPF:*"

Action
Discard

The rule discards all email which is not coming from our mail gateways but has "Received-SPF:*" in the mail header, which indicates that the mail was coming from outside.

I have not tested whether it works as a global server rule, because there was no need. For us it works great. Not sure if it will work for you.

Regards
Urban

Chaminda Indrajith wrote:
Dear All,

I have applied the Sanesecurity phishing/scam signatures for ClamAV running on our mail gateway. It works really well and catches a huge amount of spam.

But I have another problem. Although I have a mail gateway in front of our CGPro server which scans all the incoming mails to the CGPro server, some smart spammers deliver spam mails directly to the CGPro server. As an extra defense, the McAfee Anti-Virus plugin and the MailShell SpamCatcher plugin are running in the CGPro server. But still spam mails are coming to mailboxes.

Is there a way of blocking these direct spammers? I cannot block SMTP connections to the CGPro server from outside, since our customers are sending mails outside using e-mail clients through the CGPro server.

Regards
Chaminda Indrajith
Internet Data Center
Sri Lanka Telecom


On Thu, 09 Aug 2007 01:46:06 -0700, John Rudd <jrudd@ucsc.edu> wrote:
Graeme Fowler wrote:
On Thu, 2007-08-09 at 19:00 +1200, Martin Miller wrote:
Other than spam catcher what anti spam mechanisms are you using?
I use spamassassin, SPF and DomainKeys verification, and RBLs to mark likely suspects.
You can also use a plugin from http://www.niversoft.com/products/cgscripts/pro#find_attachments to identify PDFs and perhaps filter them more closely.

Alternatively, use ClamAV with the SaneSecurity signatures - http://www.sanesecurity.org/ - as they contain many hashes for PDF spams.


Yup.  Sanesecurity catches a huge bulk of them.

What I do at home is (the helpers all run during synchronous rules, so the various rejections all happen during the SMTP session):

1) 5 second greet-delay/greet-pause
2) zen.spamhaus.org and list.dsbl.org
3) a helper that sort of works like the sendmail access file (reject by return-path, reject by ip, reject by recipient, whitelist by ip, whitelist by return-path, whitelist by recipient)
4) a helper to reject attachments via regular expressions (*\.exe$ for example), or add headers for all other attachments
5) a helper using clamav with sigs from clamav, sanesecurity, msrbl, and mbl
6) and a spamassassin helper that rejects spam with a score >= 10, or marks it as spam if >= 5


I'm in the middle of deploying the same setup at work, as well. Plus we may add CGP's Sophos and Cloudmark plugins as an extra line of defense.

(the current work system is mimedefang based, but otherwise similar in structure to the above; before adding sanesecurity, msrbl, and mbl, we rejected maybe 3000 messages a day, out of a million, for containing viruses ... now we reject 30,000 to 50,000 messages per day via clamav; 90%+ are caught by sanesecurity signatures)


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
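The mailbox rule Urban describes (discard when a "Received-SPF:" header is present and no header field names the mail gateway), evaluated over constructed messages as an added example. This is not CommuniGate Pro's rule engine or Urban's configuration; only the gateway name our.mailgate.wy comes from the posted rule, and the other host names, the IP addresses and the messages are constructed. Because the posted rule looks for the gateway string anywhere in the headers, a sender who forges a "Received:" line naming the gateway satisfies it; the stricter variant shown alongside reads only the top-most "Received:" header, which the receiving server itself writes, and compares the connecting IP with the gateway addresses.

```python
"""Evaluate the mailbox rule from the thread ("Received-SPF:" present and no
header naming the mail gateway -> discard) over constructed messages, next to
a stricter variant keyed on the connecting IP.

Added example; not CommuniGate Pro code.  Everything except the gateway name
our.mailgate.wy (host names, IPs, messages) is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

GATEWAY_MARKER = "our.mailgate.wy"            # substring from the posted rule
GATEWAY_IPS = {"192.0.2.10", "192.0.2.11"}    # assumed gateway addresses


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def rule_as_posted(msg: EmailMessage) -> str:
    """Header Field in "*Received-SPF:*" and Header Field not in "*our.mailgate.wy*".
    'Header Field' is taken to mean any header, so the gateway test is a
    substring match over every header value in the message."""
    has_spf = "Received-SPF" in msg
    mentions_gateway = any(GATEWAY_MARKER in str(v) for v in msg.values())
    return "discard" if has_spf and not mentions_gateway else "deliver"


# "from <helo> (<rdns> [<ip>]) by ..." as most MTAs write it
_RECEIVED_FROM = re.compile(r"^from\s+\S+\s+\([^)]*?\[(?P<ip>[0-9.]+)\]\)")


def connecting_ip(msg: EmailMessage) -> Optional[str]:
    """IP of the host that handed the message to this server.  Only the
    top-most Received: header is trusted: the local MTA prepends it, and every
    line below it arrived with the message and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_FROM.match(str(received[0]).strip())
    return m.group("ip") if m else None


def stricter_rule(msg: EmailMessage) -> str:
    """Same intent, but 'came via our gateway' is decided by the connecting IP,
    not by a string that may appear anywhere in the headers."""
    if "Received-SPF" in msg and connecting_ip(msg) not in GATEWAY_IPS:
        return "discard"
    return "deliver"


# Constructed messages.  Received: lines are listed top-most first, as in a
# delivered message; the top one was written by cgpro.example.net itself.
VIA_GATEWAY = """\
Received: from our.mailgate.wy (our.mailgate.wy [192.0.2.10]) by cgpro.example.net with ESMTP; Fri, 10 Aug 2007 09:00:02 +0200
Received-SPF: pass (cgpro.example.net: 192.0.2.10 is a permitted sender)
Received: from mail.partner.example (mail.partner.example [198.51.100.7]) by our.mailgate.wy with ESMTP; Fri, 10 Aug 2007 09:00:01 +0200
From: Alice <alice@partner.example>
To: Bob <bob@example.net>
Subject: Quarterly report

Attached as discussed.
"""

DIRECT_SPAM = """\
Received: from spamhost.example ([203.0.113.5]) by cgpro.example.net with ESMTP; Fri, 10 Aug 2007 09:05:00 +0200
Received-SPF: none (cgpro.example.net: no SPF record for spammer.example)
From: "Pharmacy" <deals@spammer.example>
To: Bob <bob@example.net>
Subject: Your invoice (PDF)

see attachment
"""

LOCAL_MAIL = """\
Received: from bobpc.example.net (bobpc.example.net [192.0.2.50]) by cgpro.example.net with ESMTPSA; Fri, 10 Aug 2007 09:10:00 +0200
From: Bob <bob@example.net>
To: Carol <carol@example.net>
Subject: Lunch?

12:30?
"""

# Same direct delivery, but the spammer added a fake Received: line naming
# the gateway, which satisfies the posted rule's substring test.
FORGED_SPAM = """\
Received: from spamhost.example ([203.0.113.5]) by cgpro.example.net with ESMTP; Fri, 10 Aug 2007 09:06:00 +0200
Received-SPF: none (cgpro.example.net: no SPF record for spammer.example)
Received: from mail.spammer.example (mail.spammer.example [203.0.113.5]) by our.mailgate.wy with ESMTP; Fri, 10 Aug 2007 09:05:59 +0200
From: "Pharmacy" <deals@spammer.example>
To: Bob <bob@example.net>
Subject: Your invoice (PDF)

see attachment
"""

if __name__ == "__main__":
    for label, raw in [("via gateway", VIA_GATEWAY), ("direct", DIRECT_SPAM),
                       ("local", LOCAL_MAIL), ("forged", FORGED_SPAM)]:
        m = parse(raw)
        print(f"{label:12} posted={rule_as_posted(m):8} "
              f"strict={stricter_rule(m):8} ip={connecting_ip(m)}")
```

The local message carries no Received-SPF header, matching the statement that CGPro does not SPF-check locally delivered mail, so both rules leave it alone. The forged message is the case to watch: the posted rule delivers it, the IP-based variant discards it.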

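Item 4 of John Rudd's list (reject attachments by regular expression, add headers for all other attachments), as an added example in Python; this is not his helper or CommuniGate Pro code. Only the \.exe$ pattern comes from the post, the other deny patterns are assumed, and the sample messages are constructed. The file name is taken from the parsed MIME part rather than from a raw header line, so a name in the Content-Type name= parameter or an RFC 2231 encoded name is matched too, and matching is case-insensitive so that SETUP.EXE or invoice.pdf.exe does not slip past.

```python
"""Attachment filter modelled on item 4 of the list above: reject a message
whose attachment file names match a deny-list of regular expressions, add a
header per attachment otherwise.

Added example; not John Rudd's helper or CommuniGate Pro code.  Patterns
other than \\.exe$ and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# \.exe$ is the pattern named in the post; the rest are assumed additions.
DENY = [re.compile(p, re.IGNORECASE)
        for p in (r"\.exe$", r"\.scr$", r"\.pif$", r"\.bat$")]


def scan_attachments(msg: EmailMessage):
    """Return ("reject", offending_name) or ("accept", [attachment names])."""
    names = []
    for part in msg.iter_attachments():
        # get_filename() checks Content-Disposition first, then the
        # Content-Type name= parameter, and decodes RFC 2231 encoded values.
        name = (part.get_filename() or "").strip()
        if any(rx.search(name) for rx in DENY):
            return "reject", name
        names.append(name)
    return "accept", names


def apply_policy(msg: EmailMessage) -> str:
    """The real helper rejects during the SMTP session; here the verdict is
    returned and, for accepted mail, one X-Attachment header is added per
    attachment so later rules can act on it."""
    verdict, data = scan_attachments(msg)
    if verdict == "accept":
        for name in data:
            msg["X-Attachment"] = name
    return verdict


def build_message(filenames) -> EmailMessage:
    """Constructed test message with one application/octet-stream attachment
    per file name, round-tripped through its wire form so the headers are
    parsed the way a received message's would be."""
    m = EmailMessage()
    m["From"] = "alice@example.net"
    m["To"] = "bob@example.net"
    m["Subject"] = "files"
    m.set_content("see attached")
    for fn in filenames:
        m.add_attachment(b"\x00\x01data", maintype="application",
                         subtype="octet-stream", filename=fn)
    return email.message_from_bytes(m.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    for files in (["report.pdf"], ["invoice.pdf.exe"], ["notes.txt", "SETUP.EXE"]):
        m = build_message(files)
        print(files, "->", apply_policy(m), m.get_all("X-Attachment"))
```

A message with no attachments at all is accepted and gets no header; a single denied name rejects the whole message, which is what an SMTP-time helper has to do since it cannot deliver half a message.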

#############################################################
This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster