I have been a long-time user of GFI software; relevant to this post is their Mail Essentials for Exchange package. I find it to be a very powerful and easily set up anti-spam system for Exchange. I have had very little trouble with it, and it is packed with useful features. However, recently I had some configuration issues with my spam setup, with rollernet really, not even an issue with Mail Essentials, but it got me thinking about my spam filtration system.
I am now on a quest to find an open source anti-spam solution for Exchange. I’m open to Linux-based solutions as a gateway of sorts, but would prefer something that resides on the Exchange server running under Windows. Don’t get me wrong, I have a great respect for SpamAssassin and other gateway-type spam filters, but it gives the end user a much better experience if the anti-spam software can interact with the user, especially if it integrates with Outlook.
Surely there must be some kind of solution out there I could try. At the very least I might install a few different packages under Linux and route incoming mail through them, and from there go to Exchange for evaluation. I can use server virtualization to allow for an easy evaluation of various types of configurations. ASSP I hear is very good and there was one other package that I found last night that sounds promising. I think it could be beneficial to have an additional layer of spam protection at the gateway level before GFI gets the messages and does its thing. My only concern is false positives. Lots of services and companies on the internet today do NOT have the proper DNS/MX configuration and even at a more basic level don’t have their network set up right. All these network issues can have a major impact on e-mail deliverability. It’s always a risk then when dealing with spam filters that you may block legitimate messages. I am always watching spam logs to ensure that I keep an eye on how the system is doing. If web services and companies would do a little work to get their systems in compliance with the RFCs for SMTP and DNS, and set up the proper network configuration and mail server options, it would be a much better world for mail delivery without false positives.
Over the weekend I got an e-mail from Dennis Heidner who wrote SPAMLOGS for NoSpamToday. In version 3 of NST, the log parser “spamlogs” quit outputting the subject line of messages in the parsed log output. Dennis has corrected this in an updated version which should be available soon on the byteplant contributions area on their website. I have tested the new version and found that it fixes the problem. Dennis has also added some functionality to check for AUTH Attacks. SPAMLOGS conveniently checks for AUTH attacks and outputs the number of attacks per IP at the end (last column) of the spamlogs csv output.
SPAMLOGS is a must-have for parsing the NST SpamAssassin log file; it turns the jumbled and confusing log file output from NST/SA into a readable and useful .CSV format. Combine his software with the automation utility or a scheduled task, and it makes managing the mail logs much easier.
I found this page on the SpamAssassin website today, which is going to be very helpful to me. It lists all the tests SA 3.1.X uses and shows all the default score values along with a link to a Wiki on each test to find out more about what it does.
I’ve been using SpamAssassin for some time now, personally and at work. I’ve been working with SpamAssassin rules to deal with spam that comes through the other filters and makes it to user mailboxes. I’ve been writing these rules in a very static way and they are not very effective as spammers frequently change their spelling. I did a search online and found a few good resources for figuring out how to write better SpamAssassin rules, but nothing really complete, or written for beginners in plain English. SpamAssassin is written in Perl, so it uses Perl RegEx in its configuration. For me, since I am using a version of SpamAssassin compiled for use on Windows in the NoSpamToday product, I am editing the local.cf file in my NST installation folder. This is where I add my custom keyword filters.
Before we get started, keep in mind that I’ll be constantly updating this post with the most recent information.
First, I’ll assume you at least know what SpamAssassin is, whether or not you are using NST (NoSpamToday for future reference). In using custom keyword filters, you basically have 3 lines of text for each word. The first is the actual line telling SA (SpamAssassin for future reference) where to look (i.e. body, subject, etc). The second line is the description telling basically what the filter is doing. The last line is the score that SA assigns to a message matching the first line of code. I’m going to post the actual content of this post as an extended entry, so the main body won’t take up your entire screen. Click the title of this post to read more.
Today, a revelation has occurred to me regarding custom keyword filters! I use a product called NoSpamToday and was trying to find better ways to write custom SpamAssassin keyword filters (or rules). Normally I can filter for specific words or phrases, but spammers often change their spelling. This could increase or decrease the number of characters in a word depending on what junk filler letters they throw in the mix. I just studied up on Perl RegEx (Regular Expressions), and found that Perl uses a . as a wild card character. This was important, since I’ve tried the & and * with no success. Knowing this enables a whole new level of keyword filtering I can do in NST. For example, yesterday, I received 325 messages with the word pharmacy in them, just spelled 325 different ways. It was always a PHA(three lower case letters randomly inserted here)RMACY. I can now add a single keyword filter for PHA.*RMACY and filter all of them out with only a single keyword filter. It won’t matter how many letters they put in. And if I find they change the format of that type of spelling, I can simply adapt my rule or add new rules for other forms of spelling. Now I can go through the custom keyword filter and tweak other instances of keywords and make them infinitely more effective!
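The three-line rule layout and the PHA.*RMACY filter described in the posts above, as an added example that is not from the original posts or from NoSpamToday. It puts the loose filter beside a bounded variant built from the "three lower case letters" observation and checks both against constructed messages; the rule names, scores and sample text are hypothetical, and Python's `re` stands in for the Perl regex engine SpamAssassin uses.

```python
import re

# Constructed local.cf fragment in the three-line form the post describes:
# where to look, a description, a score. Rule names and scores are hypothetical.
LOCAL_CF = r"""
body     LOCAL_PHARMACY_LOOSE  /PHA.*RMACY/
describe LOCAL_PHARMACY_LOOSE  PHARMACY with any filler after PHA
score    LOCAL_PHARMACY_LOOSE  3.0

body     LOCAL_PHARMACY_TIGHT  /\bPHA[a-z]{3}RMACY\b/
describe LOCAL_PHARMACY_TIGHT  PHARMACY with exactly three lowercase filler letters
score    LOCAL_PHARMACY_TIGHT  3.0
"""

def parse_rules(text):
    """Collect body/describe/score lines into {rule_name: {...}}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] not in ("body", "describe", "score"):
            continue
        kind, name, value = parts
        rule = rules.setdefault(name, {})
        if kind == "body":
            # Strip the /.../ delimiters; matching stays case-sensitive, as in Perl.
            rule["regex"] = re.compile(value.strip()[1:-1])
        elif kind == "describe":
            rule["describe"] = value.strip()
        else:
            rule["score"] = float(value)
    return rules

def hits(rules, body):
    """Return the sorted names of rules whose pattern matches the message body."""
    return sorted(n for n, r in rules.items() if r["regex"].search(body))

# Constructed sample bodies: two obfuscated spellings and one legitimate sentence.
SAMPLES = {
    "spam_a": "Cheap meds at our PHAxqzRMACY today",
    "spam_b": "Visit the PHAkjwRMACY online",
    "ham": "PHASE 2 of the audit covers the hospital PHARMACY records",
}

RULES = parse_rules(LOCAL_CF)
RESULTS = {name: hits(RULES, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, matched in RESULTS.items():
        print(name, matched, sum(RULES[m]["score"] for m in matched))
```

Because `.*` also matches zero characters and any text in between, the loose rule scores the legitimate message twice over (plain PHARMACY, and PHASE followed later by RMACY), which is the false-positive risk raised earlier on this page; the bounded rule hits only the obfuscated spellings.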