Tag Archives: Work

.exe in url and Earth day ends!

So now that Earth Day is over, where to start? SpamAssassin update: we are seeing a ton of emails with URLs that end in .exe, such as

http://stalmix02.nazwa.pl/video.exe

So this one isn't a tough one. I don't know who wrote this originally, but here is the rule to catch it:

uri EXE_FILE /\w\.exe/i
score EXE_FILE 10.0
describe EXE_FILE Potential link to executable
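Here is a dry run of that EXE_FILE rule over two sample messages. This is an added example, not code from the post or from SpamAssassin: the little URI extractor, the sample messages and the stricter variant are my own constructions. A SpamAssassin uri rule is applied to each URI pulled out of the body, which is what the extractor below mimics.

```python
"""Dry run of the EXE_FILE uri rule from the post over sample messages.

Added example, not code from the post or from SpamAssassin: the URI
extractor, the sample messages and the stricter variant are constructed
here. A SpamAssassin 'uri' rule is applied to each URI pulled out of the
body, which is what the small extractor below mimics."""
import re
from email import message_from_string

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# the rule exactly as the post writes it: /\w\.exe/i
EXE_FILE = re.compile(r"\w\.exe", re.I)
# stricter variant: '.exe' must end the path, or be followed by ?, # or /
EXE_FILE_STRICT = re.compile(r"\w\.exe(?=$|[?#/])", re.I)
SCORE = 10.0  # score EXE_FILE 10.0

# constructed sample messages
SAMPLE_SPAM = """From: someone@example.invalid
Subject: watch this video

download it here http://example.invalid/video.exe today
"""
SAMPLE_HAM = """From: colleague@example.invalid
Subject: q3 numbers

summary is at http://example.invalid/q3.executive-summary.html
"""


def extract_uris(raw):
    """Pull http(s) URIs out of a single-part text body."""
    return URI_RE.findall(message_from_string(raw).get_payload())


def score_message(raw, rule=EXE_FILE):
    """Return (score, matching URIs) for one rule, like a uri rule hit."""
    hits = [u for u in extract_uris(raw) if rule.search(u)]
    return (SCORE if hits else 0.0), hits


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, "loose:", score_message(raw)[0],
              "strict:", score_message(raw, EXE_FILE_STRICT)[0])
```

The ham sample shows why the rule matches more than URLs that end in .exe: the "3.exe" inside "q3.executive-summary.html" also hits it, which the anchored variant avoids.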

I've also had a ton of backscatter hitting the servers, and I was having trouble getting it to go away; I'm not even sure it is gone yet. These are the things I've done. Of course I recommend running the latest and greatest SpamAssassin, currently 3.2.4. First edit your v320.pre, which should be located in /etc/mail/spamassassin, and make sure the VBounce plugin is loaded (the loadplugin line must not be commented out):

# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
loadplugin Mail::SpamAssassin::Plugin::VBounce

Then in your local.cf, again located in /etc/mail/spamassassin, list the hostnames of your own outbound mail relays, so that bounces for mail that really went out through them are not scored as backscatter:

whitelist_bounce_relays yourdomain.com

So I hope you had a great Earth Day, I know I did. I made my contributions today. Last night I had 15 Bean Soup and tonight I had bean burritos. Sometimes I contribute silently and then sometimes the world knows of my contributions.


Servers Gone Bad

So this client runs an old server. This is not just any server, it is their main server. It has an MS SQL 6.5 database on it. We have been telling them for years to upgrade and they refused. Finally they gave us the go-ahead and we are scheduled to do it on Friday. Well, on Wednesday, two days before the upgrade, they call and say the server is making a bad noise. I believe it is the hard drive.

Just Some Wild Stats

Here are some stats from one day on a single spam server. There was a total of 45,963 emails. Of these only 11,585 were Ham, or good emails, with a total of 34,378 Spam emails. Now remember we don't accept random emails; these were all for real users. I also received no false positives, or emails that were marked spam that should not have been.

Now let's talk about what these spam messages contained.

8,443 of them have an adult subject, with 2,573 talking about someone's penis
4,135 of them have specific subjects
760 were about drugs
3,863 were "We offer something" type spams

But with all of these here are some better stats…

I started testing Justin Mason's auto-generated rules. I update mine every morning. I have also rescored them all to 1.5 points from the 4.7 that they default to. On this same day, they caught 11,139 of the spam messages.

Systems Part 2

While last time we talked about the mail hub, this time I'm going to talk about our Spam and Virus pass-through server. This server also runs qmail but has no local mailboxes. With qmail we use smtproutes to deliver mail to clients that have their own mail server. This lets us be their front end to the internet and do the spam and virus scanning. It is like a gateway spam and virus filter, except on a larger scale. It also allows all the clients with Exchange servers to take their server down, and we will hold the mail for a time.

Incoming email is handled by Magic Mail smtpd. With this we are able to maintain a list of valid users and keep from just accepting email for any address. Once this is done it is handed off to qmail-scanner-queue.pl, which runs ClamAV and SpamAssassin on the message. We quarantine viruses and mark spam in the subject.

Why do we only mark spam? Well, because all email must be delivered. While on the previous server we maintain the mailbox and can create a .Spam folder that is not downloaded via POP3, we can't do that with this server. All our servers are designed to fail open, to always give the client their email. With clients like law firms, financial institutions, and engineers we do not want to stop any email from getting to them.

Some clients are just too big to do this, or they have special circumstances and need a whole server to themselves. I also have several of these, and in a later post I will go into detail about what some of the custom setups are.

I know you're waiting on the configurations, and that is coming up. So hang in there.

Systems

So at work I maintain at the moment 4 Spam and Virus scanning servers. They run both ClamAV and SpamAssassin. Starting with our mail hub, I'm going to do a couple of posts on what they do, what I use and why. If you have any questions feel free to email me or post a comment.

The first system is our mail hub. It runs Qmail and hosts mail for clients that check their E-Mail via POP and/or IMAP. We use Vpopmail on this system so that we can host many domains. We have a base install of Qmail-Rocks but with some of our own changes. Currently the SMTP server is running Magic Mail, but I'm wanting to switch over to John Simpson's Qmail Combined Patch Set. It does everything that Magic Mail does, but is still qmail-smtpd. I also like the SMTP Auth parts in his patch. This system is a hoss and does a lot of work.

We do the scanning on this system at the very first part of the connection. Using valid user checking in Magic Mail we are able to drop many of the dictionary type attacks at the start. So what is a dictionary attack? Well, this is when a spammer (known from here on as an idiot) tries to send email to a domain using random letters, numbers, and words from a dictionary. This can also be taken care of with John Simpson's validrcptto patch. Once we do this we scan using a custom mailfilter, if the user wants spam and virus checking, and not everyone does. Yeah, I know that is weird, but we have some travel agencies that sign up for every spam site on the internet. We link a copy of our custom mailfilter into the domain or home directory and use it to do the scanning. First, using another custom script, it uses ClamAV to scan the message, and if it finds a virus it moves it to a virus quarantine. Then it runs the message through SpamAssassin. We only mark the subject with spam and then send it either to the user's inbox or to a .Spam folder.

This server handles about 100,000 emails a day on a slow day. The sad part still is that 90% of it is spam or viruses.
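As an added illustration covering both Systems posts (not the author's mailfilter or qmail-scanner code), here is the delivery policy they describe in one runnable model: the valid-recipient check at RCPT TO, then virus and spam scanning, subject tagging, and a delivery that fails open. The user list, spam tag, threshold and sample message are assumed values; the scanners are injected callables so the policy can be exercised offline.

```python
"""Policy model of the pipeline in both 'Systems' posts. Added code,
not the author's mailfilter or qmail-scanner-queue.pl; the scanners
are injected callables so the policy can be exercised offline."""
from email import message_from_string

VALID_USERS = {"alice@example.com", "bob@example.com"}  # constructed
SPAM_TAG = "*****SPAM*****"  # assumed; SpamAssassin's default subject tag
SPAM_THRESHOLD = 5.0         # assumed required_score

# constructed sample message
SAMPLE = "From: sender@example.invalid\nSubject: hello\n\nhi there\n"


def rcpt_response(rcpt):
    """SMTP reply at RCPT TO. Unknown addresses are refused before any
    body is accepted, which is what stops dictionary attacks cheaply."""
    if rcpt.lower() in VALID_USERS:
        return "250 ok"
    return "550 sorry, no mailbox here by that name"


def scanner_down(_raw):
    """Stand-in for a scanner that is not running (e.g. clamd died)."""
    raise RuntimeError("scanner unavailable")


def dispose(raw, has_virus, spam_score, has_mailbox):
    """Return (disposition, message).

    has_mailbox=True models the mail hub (inbox or .Spam folder);
    False models the gateway, which can only tag and relay.
    Fail open: if a scanner raises, the mail is delivered unscanned
    and untagged rather than held."""
    msg = message_from_string(raw)
    deliver = "inbox" if has_mailbox else "relay"
    try:
        if has_virus(raw):
            return "quarantine", msg   # viruses are the one hard stop
        score = spam_score(raw)
    except Exception:
        return deliver, msg            # fail open
    if score >= SPAM_THRESHOLD:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{SPAM_TAG} {subject}"
        return (".Spam" if has_mailbox else "relay"), msg
    return deliver, msg
```

The fail-open branch is the trade-off the posts describe: a scanner outage means mail goes through unscanned, so the scanners' health is worth monitoring on its own.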

Next time... settings