
Kerio User Forums » Kerio Connect » How to add a spam filter in this way?
ayao

Messages: 9
Karma: 0
Hi there,

We are going to add a spam filter (Symantec Messaging Gateway) to Kerio Connect.
Below I call Kerio server "mail", and spam filter "filter".
We don't have a LDAP server and hope for minimum setup change.

We will list "filter" in MX record as main mail server, and take "mail" out from MX record.

"filter" will relay incoming email to "mail" in private network behind a firewall.

We will still open SMTP port to "mail" so employees from internet can send email from an email client. (authentication required)

Now the problem is, a spammer can also send spam to "mail" since SMTP port is still open.
How do we prevent this?
Is there any setting in Kerio Connect to block unauthorized users to deliver email to local domain?
(This is different from "SMTP relay options", which Kerio supported.)

Thanks,
-Andrew
TorW

Messages: 769
Karma: 9
Block port 25 traffic from anything but "filter", and make your users relay (SMTP Authenticate) only on port 587. This is the traditional way to handle a setup like yours (which is quite common).

A word of advice though: unless you have some way of rejecting mail to non-existent users on "mail", you will start sending out backscatter in short order and may subsequently be blocked. I.e. if I start getting bounces on mail I didn't send, I won't even bother to investigate before I drop your IP in the firewall. Don't take it personally though ;-)
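The port split TorW recommends, as an added example that is not from the thread: port 25 on "mail" accepts only the gateway, port 587 (submission, authentication enforced by Kerio) stays open. FILTER_IP is a constructed placeholder for the gateway's address, and smtp_verdict is a helper that walks the rules in order so the policy can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. FILTER_IP is a placeholder (TEST-NET-1).
FILTER_IP=${FILTER_IP:-192.0.2.10}

# smtp_rules [cmd]: append the inbound SMTP rules for "mail".
# Pass "echo" as cmd to print the rules instead of applying them.
smtp_rules() {
    ipt=${1:-iptables}
    # Port 25 (server-to-server delivery): only "filter" may connect.
    "$ipt" -A INPUT -p tcp --dport 25 -s "$FILTER_IP" -j ACCEPT
    "$ipt" -A INPUT -p tcp --dport 25 -j DROP
    # Port 587 (submission): open to the internet; clients must authenticate.
    "$ipt" -A INPUT -p tcp --dport 587 -j ACCEPT
}

# smtp_verdict <src-ip> <dport>: first-match evaluation of the printed rules,
# the way the kernel would walk the chain. Prints ACCEPT, DROP, or POLICY
# when no rule matches (the INPUT chain's default policy then decides).
smtp_verdict() {
    ip=$1; port=$2
    verdict=$(smtp_rules echo | while read -r line; do
        src=""; dport=""; target=""
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                --dport) dport=$2 ;;
                -s)      src=$2 ;;
                -j)      target=$2 ;;
            esac
            shift
        done
        if [ "$dport" = "$port" ] && { [ -z "$src" ] || [ "$src" = "$ip" ]; }; then
            echo "$target"; break
        fi
    done)
    echo "${verdict:-POLICY}"
}

# Usage: "./smtp-split.sh show" prints the rules, "./smtp-split.sh apply" loads them.
case ${1:-} in
    show)  smtp_rules echo ;;
    apply) smtp_rules ;;
esac
```

Run "show" first and compare against smtp_verdict before "apply"; the rules assume no earlier ACCEPT for port 25 already sits in INPUT.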
ayao

Messages: 9
Karma: 0
Thank you for the quick response, Tor!
This is exactly what I need, plus extra information on backscatter I never thought of.

-Can I open port 465 instead of 587 on "mail" ?

-"mail" does reject email to non-existent users, but "filter" does not. I need to experiment on how they interact.

-Symantec Messaging Gateway still missed some spam messages. Do you know any other good spam filter we can host on site?
MacLab

Messages: 216
Karma: 15
The SMTP port might be open, but if the MX records don't point there, then why would they be sending spam unless it is random spam to the mail server? Make sure none of the records point there, no backup MX, etc.

[Updated on: Fri, 11 May 2012 17:50]


MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
BudDurland

Messages: 348
Karma: 10
ayao wrote on Fri, 11 May 2012 11:12
-Can I open port 465 instead of 587 on "mail" ?


As long as the mail client knows to connect via that port when sending mail, yes

Quote:
-"mail" does reject email to non-existent users, but "filter" does not. I need to experiment on how they interact.

-Symantec Messaging Gateway still missed some spam messages. Do you know any other good spam filter we can host on site?


First, let me qualify this by saying that no single mail filter will catch all spam. That said, we installed a Sophos E-mail security appliance on our VMware server and it is working very well. One of its features is "downstream e-mail verification"; basically, when 'filter' gets a request to accept mail, it checks with 'mail' to see if the address is valid. If not, it simply refuses the connection. No backscatter. It can also get e-mail addresses and aliases from Active Directory, and lets users manage their own spam quarantine.

More info here: http://www.sophos.com/en-us/products/email.aspx


Good is better than evil because it's nicer
--Mammy Yokum
MacLab

Messages: 216
Karma: 15
That's an interesting point on the backscatter. Has anyone seen Postini cause backscatter? I haven't, but considering it can't verify the users on Kerio's end it seems possible.

ayao

Messages: 9
Karma: 0
MacLab- Good point. I'll make sure to clean up the MX record first, and tighten up security in case a spammer has my IP address cached.

BudDurland- Thanks for the info on Sophos' downstream verification feature. That's smart. I'll check on it.

Also I will update to Kerio Connect 7.4 to try out the spam filter update. Hopefully we don't need to put in an extra filter at all.
TorW

Messages: 769
Karma: 9
MacLab wrote on Fri, 11 May 2012 20:23
That's an interesting point on the backscatter. Has anyone seen Postini cause backscatter?

Postini (or Google, really) uses a well known technique called VERP to avoid bounces from non-existing users.

In practice, it detects what would be backscatter on its way out and stops it.
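VERP as TorW describes it, as an added example that is not code from the thread or from Postini: each outgoing message gets a per-recipient envelope sender, so a bounce that later arrives at the plain, non-encoded mailbox cannot be a reply to anything the gateway sent and can be dropped as backscatter. The bounce mailbox bounces@example.com and the recipient addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Postini): VERP return paths.
# Constructed addresses: bounces@example.com is the site's bounce mailbox.

# verp_encode <bounce-mailbox> <recipient>
# Prints the envelope sender to use for that one recipient, e.g.
#   bounces@example.com alice@remote.org -> bounces+alice=remote.org@example.com
verp_encode() {
    bounce_local=${1%%@*}; bounce_domain=${1#*@}
    rcpt_local=${2%%@*};   rcpt_domain=${2#*@}
    printf '%s+%s=%s@%s\n' "$bounce_local" "$rcpt_local" "$rcpt_domain" "$bounce_domain"
}

# verp_decode <address>
# Prints the original recipient if <address> has the shape verp_encode
# produces; returns 1 for a plain (non-VERP) address.
verp_decode() {
    case $1 in
        *+*=*@*) ;;
        *) return 1 ;;
    esac
    tag=${1#*+}          # drop "bounces+"
    tag=${tag%@*}        # drop "@example.com"
    printf '%s@%s\n' "${tag%%=*}" "${tag#*=}"
}

# classify_bounce <envelope-recipient-of-incoming-DSN>
# A DSN addressed to a non-VERP mailbox answers nothing we sent: backscatter.
# A DSN to a VERP address names the recipient whose delivery failed.
classify_bounce() {
    if orig=$(verp_decode "$1"); then
        echo "bounce for $orig"
    else
        echo "backscatter"
    fi
}
```

Recipient local parts containing "=" are not handled by this minimal decoder; production implementations escape them.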
TorW

Messages: 769
Karma: 9
BudDurland wrote on Fri, 11 May 2012 19:33
ayao wrote on Fri, 11 May 2012 11:12
-Can I open port 465 instead of 587 on "mail" ?


As long as the mail client knows to connect via that port when sending mail, yes

This is technically correct and would work, but port 465 is not supposed to be used for anything mail-related anymore. If you have (very) old Outlook clients, port 465 may be your only choice though. Avoid port 465 if you can.
MacLab

Messages: 216
Karma: 15
TorW wrote on Mon, 14 May 2012 04:24

Postini (or Google, really) uses a well known technique called VERP to avoid bounces from non-existing users.

In practice, it detects what would be backscatter on its way out and stops it.


Interesting, although VERP appears to require inbound and outbound Postini services. If using incoming only, it looks like the best practice would be to bounce any non-existent addresses at the Postini level, rather than let them pass through to Kerio for a bounce.

ayao

Messages: 9
Karma: 0
Thank you all for the helpful responses!
Just want to report that we upgraded to Kerio Connect 7.4 and its SpamAssassin seems to do a better job than before.

Waco1

Messages: 89
Karma: 0
The Barracuda public blocklist b.barracudacentral.org is quite good. SpamCop bl.spamcop.net is also good.

Ask directly. This causes DNS lookup warning messages in the logs (???) but it's effective.
Waco1

Messages: 89
Karma: 0
If you're running on Linux, have ipset/iptables, and only do US domestic email, then the following script will provide decent blocking of a few million addresses in Ukraine, Russia, China, India, Indonesia, Brazil, etc: places where spamming is m/l tolerated.

NOTE: I disclaimed that pretty thoroughly, you'll notice.

Unlike total blocks, this shouldn't break web browsing.

#!/bin/bash
# (bash rather than sh: the country lists below rely on brace expansion)

# Countries to block (see http://www.ipdeny.com/ipblocks/ for list)

# Delete any existing IPTABLES rule-set
# (fails if the rules don't exist eg, post-reboot)
iptables -D INPUT -m multiport -p tcp --destination-port 21:587 -m set --set countries src -j DROP > /dev/null 2>&1
iptables -D INPUT -m multiport -p tcp --destination-port 21:587 -m set --set countries2 src -j DROP > /dev/null 2>&1

# Delete the existing set
ipset -X countries > /dev/null 2>&1
ipset -X countries2 > /dev/null 2>&1

# Re-create the set
# ({ ...; } rather than ( ... ) so that "exit 1" aborts the script, not a subshell)
ipset -N countries nethash || { echo "ipset is broken"; exit 1; }
ipset -N countries2 nethash || { echo "ipset is broken"; exit 1; }

# Create a new set of country-specific CIDRs
for IP in `wget -O - http://www.ipdeny.com/ipblocks/data/countries/{\
ae,af,al,as,ad,ao,an,bd,by,sa,pk,cn,br,hk,id,il,in,ir,is,co,vi,kr,ru,ua,ro\
,at,az,bs,bh,be,bz,bj,bt,bo,ba,bw,io,bg,bi,kh,cm,cf,cl,cd,ck,cr,hr\
}.zone 2>/dev/null`
do
        ipset -A countries $IP || { echo "ipset failed with `ipset -L countries | wc -l` entries"; exit 1; }
done
# Create a second set of country-specific CIDRs
for IP in `wget -O - http://www.ipdeny.com/ipblocks/data/countries/{\
cu,cy,cz,dk,dj,ec,eg,sv,ee,et,fj,fi,fr,gf,pf,ge,de,gh,gr,gt,th,tw,vn,vu\
,za,zm,zw,uy,ve,uz,ug,lk,pe,pt,qa,rw,ws,es\
}.zone 2>/dev/null`
do
        ipset -A countries2 $IP || { echo "ipset failed with `ipset -L countries2 | wc -l` entries"; exit 1; }
done

# Create rules from the set of CIDRs
# Drop connections from the set of CIDRs to ports 21-587
iptables -A INPUT -m multiport -p tcp --destination-port 21:587 -m set --set countries src -j DROP
iptables -A INPUT -m multiport -p tcp --destination-port 21:587 -m set --set countries2 src -j DROP

echo "Set 1 contains `ipset -L countries | wc -l` entries"
echo "Set 2 contains `ipset -L countries2 | wc -l` entries"

exit $?

[Updated on: Wed, 16 May 2012 21:16]

Petr Dobry (Kerio)

Messages: 782
Karma: 61
Waco1 wrote on Wed, 16 May 2012 21:14
If you're running on Linux, have ipset/iptables, and only do US domestic email, then the following script will provide decent blocking of a few million addresses in Ukraine, Russia, China, India, Indonesia, Brazil, etc: places where spamming is m/l tolerated.

NOTE: I disclaimed that pretty thoroughly, you'll notice.

Unlike total blocks, this shouldn't break web browsing.



I would not do that. You're blocking the CZ country for example, where the majority of Kerio servers are located. You won't be able to receive any email from us (or this forum server) anymore.

Also if you look at the stats there are other countries in the top 5 spammers - http://www.spamhaus.org/statistics/countries/, http://nakedsecurity.sophos.com/2012/04/23/india-becomes-the-king-of-the-spammers-stealing-americas-crown/

[Updated on: Wed, 16 May 2012 23:17]


Petr Dobry
Product Development Manager | Kerio
Waco1

Messages: 89
Karma: 0
Petr Dobry (Kerio) wrote on Wed, 16 May 2012 17:15
Waco1 wrote on Wed, 16 May 2012 21:14
If you're running on Linux, have ipset/iptables, and only do US domestic email, then the following script will provide decent blocking of a few million addresses in Ukraine, Russia, China, India, Indonesia, Brazil, etc: places where spamming is m/l tolerated.

NOTE: I disclaimed that pretty thoroughly, you'll notice.

Unlike total blocks, this shouldn't break web browsing.



I would not do that. You're blocking the CZ country for example, where the majority of Kerio servers are located. You won't be able to receive any email from us (or this forum server) anymore.

Also if you look at the stats there are other countries in the top 5 spammers - http://www.spamhaus.org/statistics/countries/, http://nakedsecurity.sophos.com/2012/04/23/india-becomes-the-king-of-the-spammers-stealing-americas-crown/


I agree. There are LOTS of reasons to NOT do this.

That said, our REJECTED SMTP traffic dropped by 60% as a result, from 720 rejections per hour to about 250 per hour. Most of these were relay attempts, or (I assume) botnet infected PCs since they don't wait out the 20 second Spam Repellent penalty that we impose.

The fail2ban lockouts on our other servers were almost eliminated.

We only have a 20/20 connection, and I'm not interested in donating a large chunk of that to infected PCs in places where we do no business.

This is simply an elegant way to dynamically block HUGE numbers of addresses, especially when used on a firewall like pfSense or Untangle, for people who have a need for that.

I turn it off when I expect email from Kerio. Besides, it's one of these new-fangled *editable* scripts that everyone is talking about. :-P