This document describes how to setup a spam-blocking email gateway based on open source and freely available software. This procedure is designed for a small to medium sized company with a single domain (multiple domains are possible...just not described here). I will describe how to setup a new computer that is meant to run on your network's DMZ in between the Internet and a corporate email server like Lotus Notes or Microsoft Exchange.. . .
This document describes how to setup a spam-blocking email gateway based on open source and freely available software. This procedure is designed for a small to medium sized company with a single domain (multiple domains are possible...just not described here). I will describe how to setup a new computer that is meant to run on your network's DMZ in between the Internet and a corporate email server like Lotus Notes or Microsoft Exchange.

This entire procedure has been developed with security as a primary focus. The operating system is OpenBSD (www.openbsd.org), which is a "Secure by Default" system with an amazing track record for security. The email MTA is Postfix (www.postfix.org) which also has a good record for security and is the easier of the 2 main competitors to the troubled sendmail program. Amavisd-new (https://www.ijs.si/software/amavisd/) is the main filter which processes email from postfix and ensures that we don't lose any mail. Amavisd-new is an huge improvement over the original amavis which was a simple virus scanner, and I think it is the best way of implementing SpamAssassin (https://spamassassin.apache.org/404.html SpamAssassin is the main anti-spam component which works by comparing messages to a ruleset and by using a statistical analysis that is custom built based on your email. In addition to the SpamAssassin spam detection software, we will be using 2 online SPAM databases: DCC (https://www.rhyolite.com/dcc/ and Vipul's Razor (razor.sourceforge.net). These databases work by comparing hashes of our email messages with hashes of known spam. As a final security precaution, we will run all network processes in a restricted-user/chroot environment,so if an attacker were able to compromise one of the modules, the amount of damage they could do would be seriously limited.

There are many different ways to customize the handling of SPAM with this solution. At my company we debated the merits of a number of different methods. We considered using the ability of amavisd to add extensions on spam emails (so a spam email to john@domain.com becomes john+spam@domain.com). Under this plan, we would setup a public folder on Exchange for each user and assign it that +spam email address. This way the spam would not take up space in their mailbox, and similar to Hotmail, the user could occasionally check the folder for false-positives. We could then write a VB program to clean out those public folders every 90 days. We also considered showing users how to create rules in Outlook to detect the X-SPAM header and automatically move the email to a subfolder that they would again check less frequently, or directly to their Deleted Items. In the end, we decided that a spam bouncing system made the most sense. Every other method was only a minor improvement over receiving the spam directly in the first place. By bouncing the spam back to the sender, we put the ball back in the sender's court by letting the sender know their message was rejected.

The link for this article located at Scott Vintinner is no longer available.