Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC
This entire procedure has been developed with security as a primary focus. The operating system is OpenBSD (www.openbsd.org), which is a "Secure by Default" system with an amazing track record for security. The email MTA is Postfix (www.postfix.org), which also has a good record for security and is the easier of the 2 main competitors to the troubled sendmail program. Amavisd-new (www.ijs.si/software/amavisd) is the main filter which processes email from Postfix and ensures that we don't lose any mail. Amavisd-new is a huge improvement over the original amavis, which was a simple virus scanner, and I think it is the best way of implementing SpamAssassin (www.spamassassin.org). SpamAssassin is the main anti-spam component, which works by comparing messages to a ruleset and by using a statistical analysis that is custom built based on your email. In addition to the SpamAssassin spam detection software, we will be using 2 online SPAM databases: DCC (www.rhyolite.com/anti-spam/dcc) and Vipul's Razor (razor.sourceforge.net). These databases work by comparing hashes of our email messages with hashes of known spam. As a final security precaution, we will run all network processes in a restricted-user/chroot environment, so if an attacker were able to compromise one of the modules, the amount of damage they could do would be seriously limited.
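As an added illustration (not code from the original article, and not the checksum algorithms DCC or Razor actually use), the Python example below shows why a lookup against a database of known-spam hashes works on a normalised digest of the body rather than an exact one. The normalisation rules, function names and sample messages are assumptions constructed for this example.

```python
import hashlib
import re
from email import message_from_string


def body_text(raw: str) -> str:
    """Return the first text/plain part of a message, or the whole body."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload()
        return ""
    return msg.get_payload()


def exact_digest(raw: str) -> str:
    """SHA-256 of the body exactly as received."""
    return hashlib.sha256(body_text(raw).encode("utf-8")).hexdigest()


def fuzzy_digest(raw: str) -> str:
    """SHA-256 of the body after stripping what bulk mailers vary per copy.

    Simplified stand-in for a fuzzy checksum (assumption, not DCC/Razor).
    """
    text = body_text(raw).lower()
    text = re.sub(r"\d+", "", text)       # per-recipient ids and counters
    text = re.sub(r"[^a-z]+", " ", text)  # punctuation, spacing, line wraps
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def is_known_spam(raw: str, known: set, digest=fuzzy_digest) -> bool:
    """Only the digest is compared; the message itself never leaves the gateway."""
    return digest(raw) in known


# Constructed sample messages: one reported copy, one mutated copy, one ham.
REPORTED = "From: a@example.com\nSubject: offer\n\nLimited offer, click today!\nOrder id 48213\n"
VARIANT = "From: b@example.net\nSubject: offer\n\nLIMITED  offer - click today!!\nOrder id 90377\n"
HAM = "From: c@example.org\nSubject: minutes\n\nMinutes of the 3 pm meeting attached.\n"

KNOWN_EXACT = {exact_digest(REPORTED)}
KNOWN_FUZZY = {fuzzy_digest(REPORTED)}

if __name__ == "__main__":
    for name, raw in (("reported", REPORTED), ("variant", VARIANT), ("ham", HAM)):
        print(name, is_known_spam(raw, KNOWN_EXACT, exact_digest),
              is_known_spam(raw, KNOWN_FUZZY))
```

The mutated copy misses the exact-hash set but matches the normalised one, while the unrelated message matches neither.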
There are many different ways to customize the handling of SPAM with this solution. At my company we debated the merits of a number of different methods. We considered using the ability of amavisd to add extensions on spam emails (so a spam email to firstname.lastname@example.org becomes firstname.lastname+spam@example.org). Under this plan, we would set up a public folder on Exchange for each user and assign it that +spam email address. This way the spam would not take up space in their mailbox, and similar to Hotmail, the user could occasionally check the folder for false positives. We could then write a VB program to clean out those public folders every 90 days. We also considered showing users how to create rules in Outlook to detect the X-SPAM header and automatically move the email to a subfolder that they would again check less frequently, or directly to their Deleted Items. In the end, we decided that a spam bouncing system made the most sense. Every other method was only a minor improvement over receiving the spam directly in the first place. By bouncing the spam back to the sender, we put the ball back in the sender's court by letting the sender know their message was rejected.
The link for this article located at Scott Vintinner is no longer available.