Kerio User Forums, Kerio Connect: SPAM filtering

mkerr

As my custom SPAM rule set grows ever longer, it is clear that the simple rule sets in KMS5.x aren't enough. I have a wish list of features that I would like to see in KMS6. I've not tried the beta of KWF6 yet, so perhaps some of these may already be in the new version.

1. I have to have a rule set in place so that external users bypass the SPAM filtering when they send via SMTP. Some spammers use our own domain name in the from address to get around the filtering. I'd like to remove this rule, and rather have the authenticated SMTP users bypass the SPAM filtering.
2. A display name check on the sender address, when the spammer uses your own domain name in the TO address. These typically are 'Your Pharmacy store' etc. This could be tied back with Active Directory or a list of display names to mail addresses.
3. For a directly received spam (i.e. not relayed through another server), a reverse DNS lookup on the IP address within the received header. The domain name in the header rarely resolves back to the actual IP address in the header, i.e. the sending DNS name is spoofed. This would possibly also solve the problem of our server sending anti-virus messages to people who never actually sent them, à la the Netsky virus for example.
4. A challenge/response system, whereby the mail doesn't get delivered to the end user, until a verification mail is sent and replied to by the 'sender'. Since most SPAM is spoofed, this should eliminate a large percentage.
5. A boolean rule set, so that multiple conditions can be implemented in the one rule. I have a number of users who are spammed more than others via our ISP relay MX server. I'd rather place rule sets in for these users only, rather than globally for example. That is, if the mail is received from our ISP MX server, and it is this user, add x to the SPAM score.
6. A common technique now is to add random words at the end, to throw off the overall SPAM filter score. I'd like to see a rule where if the SPAM score reaches 'x' at any point in the check (rather than overall), it is marked as SPAM.
7. Until Caller ID becomes more widespread, allow a manual configuration of trusted IPs that can send mail for some specific domains. This would allow me to remove a large number of rules that I have in place to not filter certain businesses we deal with.
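Two items on this wish list, the reverse DNS check on the Received header (item 3) and a manual table of addresses trusted to send for specific domains (item 7), can be prototyped outside the mail server. The Python below is an added example written for this thread; it is not Kerio code and not anything mkerr posted. The Received headers, the DNS answer table, the partner domain partner.example.com and the network 198.51.100.0/24 are all constructed for the demonstration, and DNS resolution is passed in as a function so the code runs offline.

```python
"""Sanity checks on the Received: header of a directly received message.

Added example for this thread, not Kerio code. DNS is injected as a callable
so the checks run offline against a constructed answer table.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, rrtype) -> answers

# The "from HELO (rdns [ip])" clause written by the receiving server. The rdns
# part is optional; servers write "unknown" there when the client has no PTR.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

# Hypothetical policy table (wish-list item 7): sender domain -> networks that
# are allowed to send mail claiming that domain.
TRUSTED_SENDERS: Dict[str, List[ipaddress.IPv4Network]] = {
    "partner.example.com": [ipaddress.ip_network("198.51.100.0/24")],
}

def parse_received(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract helo, rdns and ip from a Received: header, or None if absent."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None

def forward_confirmed_rdns(ip: str, resolve: Resolver) -> Optional[str]:
    """PTR(ip) gives a name; A(name) must contain ip. Returns the confirmed
    name, or None when no PTR name points back at the address."""
    ptr_owner = ipaddress.ip_address(ip).reverse_pointer  # e.g. 25.2.0.192.in-addr.arpa
    for name in resolve(ptr_owner, "PTR"):
        name = name.rstrip(".")
        if ip in resolve(name, "A"):
            return name
    return None

def helo_resolves_to(ip: str, helo: str, resolve: Resolver) -> bool:
    """Does the name the client announced actually resolve to its address?"""
    return ip in resolve(helo.rstrip("."), "A")

def sender_policy(from_domain: str, ip: str) -> Optional[bool]:
    """True/False when a policy exists for the domain, None when it does not."""
    nets = TRUSTED_SENDERS.get(from_domain.lower())
    if nets is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def assess(header: str, from_domain: str, resolve: Resolver) -> List[str]:
    """Flags a rule engine would add score for (or bypass filtering on)."""
    rcv = parse_received(header)
    if rcv is None:
        return ["unparseable-received"]
    ip, helo = rcv["ip"], rcv["helo"]
    policy = sender_policy(from_domain, ip)
    if policy is True:
        return ["trusted-sender"]  # known partner from its own network: skip filtering
    flags = ["forged-partner-domain"] if policy is False else []
    if forward_confirmed_rdns(ip, resolve) is None:
        flags.append("no-fcrdns")
    if not helo_resolves_to(ip, helo, resolve):
        flags.append("helo-mismatch")
    return flags

# Constructed DNS answers for the demonstration (not real records).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("77.113.0.203.in-addr.arpa", "PTR"): ["dsl-77.isp.example"],
    ("dsl-77.isp.example", "A"): ["203.0.113.77"],
    # 203.0.113.200 deliberately has no PTR record at all
}

def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((name, rrtype), [])

# Constructed Received: headers in the layout a receiving server writes.
GENUINE = "from mail.example.net (mail.example.net [192.0.2.25]) by mx.example.org with ESMTP"
SPOOFED = "from mail.example.net (dsl-77.isp.example [203.0.113.77]) by mx.example.org with ESMTP"
NO_PTR = "from mail.example.net (unknown [203.0.113.200]) by mx.example.org with ESMTP"
PARTNER = "from smtp.partner.example.com (unknown [198.51.100.9]) by mx.example.org with ESMTP"

if __name__ == "__main__":
    for label, hdr, dom in [("genuine", GENUINE, "example.net"),
                            ("spoofed helo", SPOOFED, "example.net"),
                            ("no ptr", NO_PTR, "example.net"),
                            ("partner", PARTNER, "partner.example.com"),
                            ("forged partner", SPOOFED, "partner.example.com")]:
        print(f"{label:15} {assess(hdr, dom, fake_resolve)}")
```

assess() returns the flags a rule engine would score: no forward-confirmed reverse DNS for the connecting address, a HELO name that does not resolve to that address, or a partner domain arriving from outside its allowed networks. Only the Received header written by your own server can be trusted; any earlier ones were supplied by the sender and are exactly what spammers forge, which is why the check is limited to directly received mail as the post describes, and why it must use the connecting IP rather than any address found deeper in the header chain.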

jshaw541

It is my understanding that KMS is a few versions behind with their SpamAssassin component. And thusly, way behind on the latest set of rules to filter the latest set of spam messages. Correct me if I am still wrong.

I think the best improvement they could do is keep the SpamAssassin stuff completely up-to-date. The war between the spammers and the anti-spam folks is a constant neck and neck, so it would be great if they were kept in better sync.

I'd still kill to be able to place my own rules on local.cf -- even if Kerio said "you can use it, but you're on your own". If I had this functionality, I could significantly reduce the amount of spam that gets through.

Heck, we could even start up a "custom recipes" forum! How many other regex gods are out there? :-D

PS: I would love to see a challenge/response system implemented on a per-user basis. That would be fantastic. some major ISPs are implementing this (Earthlink) and I really like it.

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users

jshaw541

The spam problem was a *hot* topic amongst the shirts at a meeting today. It's apparent that KMS is not adequate and that we need to do more than what KMS is doing now.

So, my questions:

1. Will KMS 6 have better spam filtering? If so, what kind?

2. What's some good software to install on a forward SMTP server? I'm thinking I could install an SMTP server that all Internet-sourced messages flow through before being delivered to the KMS box. This solution sucks and costs $$$, but will not have us at the mercy of waiting for KMS releases with new features.

I'm thinking postfix, SPF filtering, SpamAssassin with local.cf?

Any suggestions, folks?

TIA


cyberknight

Unfortunately I'm not an expert in SpamAssassin, but I was wondering whether the performance could be improved by adding/replacing the outdated *.cf files in the rules directory with newer versions from www.spamassassin.org?

I'm equally disappointed by Kerio's attitude with respect to the release of KMS6. I'm using the SW for almost 2 years now, with great satisfaction, but I'm not pleased with Kerio's poor communication on updates/upgrades.

I'm getting off topic...

P.

mkerr

One of the primary reasons we purchased KMS, was for the fact that A/V and Spam filtering was integrated into one package (makes admin a lot easier). Putting an upstream spamfilter to KMS defeats this streamlining, and besides, it is up to Kerio to provide regular updates to this component, since they have integrated SpamAssassin into KMS, and won't allow you to modify the rule sets.

WRT KMS6.0, I get the feeling they want to put KWF6 to bed before they really start working heavily on that. If anything, the challenge/response system is an absolute must, especially since this is already available in the Visnetic mail server.
Interestingly enough, there seems to be more info about KWF6 on the Deerfield website than the Kerio website......

hjones0922

I know this deviates from the original conversation, but I just switched to KMS from IMail and it seems that the spam filtering in IMail was much stronger. But, being a newbie to KMS, I figured I'd just come here for suggestions on best practice spam control settings, so fire away.


jshaw541

That was one of the primary reasons we did as well. But it was made clear to me that I have to act now, so I'm evaluating different scenarios, which again, sucks ;).

I hate to mention this on a Kerio forum, but could you email me offline about your experiences with that Visnetic product, if you have any? jshaw at sps dot lane dot edu

I took a look at it, and it looks pretty slick and pretty cheap, too.

mkerr wrote on Thu, 20 May 2004 16:59

One of the primary reasons we purchased KMS, was for the fact that A/V and Spam filtering was integrated into one package (makes admin a lot easier). Putting an upstream spamfilter to KMS defeats this streamlining, and besides, it is up to Kerio to provide regular updates to this component, since they have integrated SpamAssassin into KMS, and won't allow you to modify the rule sets.

WRT KMS6.0, I get the feeling they want to put KWF6 to bed before they really start working heavily on that. If anything, the challenge/response system is an absolute must, especially since this is already available in the Visnetic mail server.
Interestingly enough, there seems to be more info about KWF6 on the Deerfield website than the Kerio website......



bronco

Hi jshaw541,

If you are only after an MTA to put in between, there is a free product called qmail that runs under UNIX variants, is extremely fast and reliable, and can handle the spam requirement that you are looking for.

This could be a solution until someone from Kerio finally gives a definite answer on specs and delivery.

You can find it at http://cr.yp.to/qmail.html.

Rene.

jshaw541

Some more information for folks. I was browsing the comments section and related URLs for today's spam discussion on Slashdot, and found a reference to http://blackholes.us.

I decided to add a few to my KMS configuration and 20 minutes later, they're already blocking a lot of spammers.

You can add blacklists with the Admin Console, under:

Configuration->SMTP Server->Blacklists

I personally added china.blackholes.us, korea.blackholes.us, and comcast.blackholes.us and already have several hits (blocked spams) for each (after only 20 minutes).

In the meantime, I am thinking I'll add a forward SMTP server running Postfix (sorry bronco, hate qmail ;) with SpamAssassin, which will allow me to add custom rules in local.cf, and thus write my own rules and use the awesome rules at:

http://www.rulesemporium.com/rules.htm

Hope this helps someone out there!

PS: If only Kerio allowed the use of local.cf, we could integrate these directly *cough blatant feature request cough*


bronco

Hi jshaw541,

Did you also add the *.blackholes.us to your DNS Server or only to the DNS Suffix?

Rene.

jshaw541

I simply did what I stated above. I did not modify any DNS settings or anything else.

bronco wrote on Fri, 21 May 2004 02:21

Hi jshaw541,

Did you also add the *.blackholes.us to your DNS Server or only to the DNS Suffix?

Rene.


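What the Admin Console does with a blacklist entry, and why no DNS server change is needed (bronco's question above), is shown by the following Python. It is an added example for this thread, not Kerio's code: the server reverses the octets of the connecting client's address, appends the zone name, and issues an ordinary A query through its normal resolver; an answer inside 127.0.0.0/8 means the address is listed, NXDOMAIN means it is not. The answer table, the client addresses and the zone dead.blackholes.example are constructed for the demonstration; the china, korea and comcast zone names come from the post, and the listings shown for them are not real.

```python
"""DNS blacklist (DNSBL) lookups as an SMTP server performs them.

Added example for this thread, not Kerio's implementation. The resolver is
injected as a callable so the code runs offline against a constructed table.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Resolver = Callable[[str], List[str]]  # name -> A records; [] means NXDOMAIN

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Addresses that must never be sent to a public blacklist: RFC 1918 space and
# loopback (listed explicitly rather than via is_private, which would also
# swallow the documentation ranges used for the sample clients below).
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """'203.0.113.77' under 'china.blackholes.us' becomes
    '77.113.0.203.china.blackholes.us'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 zones only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"

def dnsbl_lookup(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the listing code (an address in 127.0.0.0/8) if ip is listed,
    or None when the zone answers NXDOMAIN or something unexpected."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            return answer
    return None

def zone_sane(zone: str, resolve: Resolver) -> bool:
    """DNSBL convention: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone failing either test is dead or wildcarded and must not be used."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)

def check_client(ip: str, zones: Sequence[str], resolve: Resolver) -> List[Tuple[str, str]]:
    """Query every configured zone for a connecting client; return (zone, code) hits."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETWORKS):
        return []
    hits = []
    for zone in zones:
        code = dnsbl_lookup(ip, zone, resolve)
        if code is not None:
            hits.append((zone, code))
    return hits

# Constructed answer table standing in for real DNS (not real listings).
FAKE_A: Dict[str, List[str]] = {
    "2.0.0.127.china.blackholes.us": ["127.0.0.2"],      # test point, listed
    "2.0.0.127.korea.blackholes.us": ["127.0.0.2"],
    "2.0.0.127.comcast.blackholes.us": ["127.0.0.2"],
    "77.113.0.203.china.blackholes.us": ["127.0.0.2"],   # a listed client
    # hypothetical lapsed zone: answers "listed" for every name under it
    "1.0.0.127.dead.blackholes.example": ["127.0.0.2"],
    "2.0.0.127.dead.blackholes.example": ["127.0.0.2"],
    "25.2.0.192.dead.blackholes.example": ["127.0.0.2"],
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_A.get(name, [])

ZONES = ["china.blackholes.us", "korea.blackholes.us", "comcast.blackholes.us"]

if __name__ == "__main__":
    for zone in ZONES + ["dead.blackholes.example"]:
        print(f"{zone}: {'ok' if zone_sane(zone, fake_resolve) else 'DO NOT USE'}")
    for client in ("203.0.113.77", "192.0.2.25", "10.0.0.5"):
        print(client, check_client(client, ZONES, fake_resolve))
```

Two cautions a practitioner would add. Run zone_sane() before trusting a new zone and periodically afterwards: a lapsed or wildcarded zone answers "listed" for every query and would reject all inbound mail. And since the check is made against the connecting client, mail that reaches KMS through an ISP relay or a POP3 download is tested against the relay's address rather than the spammer's, so country zones like these only help for mail delivered directly. Logging hits before rejecting, as bperkins does below, is the right way to measure false positives first.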

bperkins

Thanks!! I've currently added these and I'm logging them right now to see if I get any misses before I go ahead and have them blocked. So far, so good.

> I personally added china.blackholes.us, korea.blackholes.us, and comcast.blackholes.us and already have several hits (blocked spams) for each (after only 20 minutes).


bronco

Is it correct to say that this does not handle spam when you do a POP3 Download?

I noticed something else that I think is strange: when the POP3 Download runs and it finds one where the addressee is <>, then it starts sending something to the spammer that sent it, because it starts doing a Mail Queue injection. I know that the mailserver is not relaying because I tested it by running through a couple of sites at http://www.linux-sec.net/Mail/openrelay.gwif.html.

Can someone let me know what is happening?

Thanks,

Rene.

jshaw541

Here's a quick Perl script that I whipped up this morning to help battle spammers by IP address. If you're fluent in Perl and mail administration, you'll see the uses for this.

This script parses your mail.log file and generates a table sorted by number of occurrences with nice little ARIN links so you can easily do ARIN lookups and decide if the IP is a spammer or not for implementation of IP blocking/blackholing.

For example, I'm going through and seeing which IP addresses are coming from China/Korea/Other odd country (we should have no reason to be getting mail from these countries, so it's likely spam.). You'll want to do some cross-checking with the security.log also.

Steps for use:
- Be competent in Perl
- Cut and paste into a file
- Use

#!/usr/bin/perl
#
# author: jshaw at sps dot lane dot edu
#
# usage:
# C:> get-mail-ips.pl > d:\mywebdir\output.htm
#
# No warranties, etc etc. Your dog may explode if you use this.

use strict;
use warnings;

# Path to the KMS mail log, and the prefix of our own address space.
# Addresses starting with $mynet are skipped: they are not candidates
# for blackholing.
my $path     = 'D:\Program Files\Kerio\MailServer\store\logs\mail.log';
my $mynet    = '157.246.';
my $min_hits = 10;    # only report addresses seen more than this often

my %hash;             # IP address -> number of log lines mentioning it

open(my $log, '<', $path) or die "Can't open $path: $!";

while (my $line = <$log>) {
    # For /24 results: uncomment this block and comment out the /32 one.
    # if ($line =~ /(\d+\.\d+\.\d+)\.\d+/) {
    #     $hash{"$1.0"}++;
    # }

    # For /32 results: count the first dotted quad on each line.
    if ($line =~ /(\d+\.\d+\.\d+\.\d+)/) {
        $hash{$1}++;
    }
}
close($log);

print "<table border=1 cellpadding=3>\n";

# Most frequent addresses first. \Q...\E quotes the dots in $mynet so that
# "157.246." cannot also match "157x246", and ^ anchors it as a prefix.
foreach my $num (sort { $hash{$b} <=> $hash{$a} } keys %hash) {
    next if $num =~ /^\Q$mynet\E/;
    next if $hash{$num} <= $min_hits;

    print "<tr><td>";
    print "<a href=\"http://ws.arin.net/cgi-bin/whois.pl?queryinput=$num\">$num</a>";
    print "</td><td>$hash{$num}</td></tr>\n";
}

print "</table>\n";


DuckFan

jshaw541 wrote on Fri, 21 May 2004 09:17

Here's a quick Perl script that I whipped up this morning to help battle spammers by IP address. If you're fluent in Perl and mail administration, you'll see the uses for this.

This script parses your mail.log file and generates a table sorted by number of occurrences with nice little ARIN links so you can easily do ARIN lookups and decide if the IP is a spammer or not for implementation of IP blocking/blackholing.

...

Awesome script!

I just used this script this morning and it has already saved us a lot of spam!

I went through the top ip addresses and found out who the spammers were, and what their IP ranges were. A quick edit into the blacklist and two minutes later, we were already starting to block spam. Too bad I recently purged the mail log, so I didn't have as many entries to work with as I'd like, but I'll try it again in a few days.

A great fix until they update SpamAssassin, or at least let us edit local.cf! (Hint, hint!)

Thanks again for the script!

[Updated on: Mon, 24 May 2004 20:55]
