Domain: messagelabs.com
Stories and comments across the archive that link to messagelabs.com.
Comments · 28
-
Re:How to setup a SMB mail server
You're bang-on with this. Reverse DNS entries and SPF are critically important. Your forward DNS should also match, eg; if you send from 1.2.3.4, you should have a PTR record for that IP to "mail.mycompany.com" and "mail.mycompany.com" should have an A record that points to 1.2.3.4.
Though as you point out, not all "business class" IP ranges are created equally. Notably, if the ISP allows many other businesses to send spam (from virus infections) in the same range as your IPs, you'll probably eventually be blacklisted as well.
This setup will get you a good outbound setup. I did something similar when I joined the company I'm at now, though took it a step further, and because we have some servers in a data center anyways, I changed our Exchange server to relay its outbound mail (aka use the stupidly-named "smarthost" thing) to a server running postfix, which then sends to the rest of the internet. The reason I did this was two-fold: I don't really trust our cable co's IPs, and we have a secondary DSL line: if we fail-over to that, I still wanted outbound email to work. This setup allows both, since our mail always comes from an IP in our datacenter netblock. In the 2.5 years we've been using it, we've had no problems with people getting our mail.
The other side of this is inbound: personally, inbound mail on a cable modem hosted in a regular office is a recipe for disaster, eventually. In fact, one of our clients had it happen to them, their office flooded, and their ability to get email was down for several days while they tried to get a new server up and relocate it. Email was actually bouncing back to people sending to them, because nothing was responding. Since their phones were also down at first, it looked like they were out of business, except that they called us to tell us what was going on. You don't want this to happen to your business.
When I first did the email setup described above, I also got an account at dyndns using their Mailhop Forward service. Effectively, you point your MX records at their server, and then they deliver mail via SMTP to your (possibly dynamic) IP. If the office connection goes down, they spool mail for you for up to a week, and deliver it once you come back online. No mail lost, even if your connection is down. In a disaster, you can easily redirect the service to send to another mail server, without having to wait for DNS changes to propagate and all those other servers to retry sending and/or people to manually re-send.
Since then, we got tired of the spam (whatever crappy software we had that integrated with Exchange sucked), and so probably a year ago, we switched to Messagelabs, which provides a similar service to Mailhop but also does virus/spam filtering. Spam went to effectively 0. I HIGHLY recommend using an external company for this.. it costs us a few dollars per person, well worth it, and we don't have to manage anything ourselves. I see Dyndns is now offering something similar as well, I can't vouch for that service specifically but we continue to host our DNS with Dyndns and I have nothing but good things to say about them.
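An added example, not part of the original comment: a forward-confirmed reverse DNS check of the kind the comment describes (the IP's PTR names a host whose A record points back at the same IP). The record tables and the addresses 1.2.3.6 and 1.2.3.7 are constructed sample data; `live_ptr` and `live_a` are optional helpers that use the system resolver instead.

```python
import ipaddress
import socket

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_fcrdns(ip, ptr_lookup, a_lookup):
    """Return (status, confirmed_names) for a sending IP.

    status is "pass" when at least one PTR name resolves back to the IP,
    "no_ptr" when there is no reverse record at all, and
    "forward_mismatch" when PTR names exist but none points back.
    """
    addr = ipaddress.ip_address(ip)
    names = [_norm(n) for n in ptr_lookup(str(addr))]
    if not names:
        return "no_ptr", []
    confirmed = []
    for name in names:
        forward = set()
        for a in a_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # skip anything that is not a plain IP literal
        if addr in forward:
            confirmed.append(name)
    return ("pass" if confirmed else "forward_mismatch"), confirmed

# Constructed records standing in for real DNS answers.
PTR = {
    "1.2.3.4": ["mail.mycompany.com."],
    "1.2.3.6": ["mail.mycompany.com."],  # PTR set, but A does not point back
}
A = {"mail.mycompany.com": ["1.2.3.4"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_a(name):
    return A.get(_norm(name), [])

def live_ptr(ip):
    """PTR lookup through the system resolver (needs network access)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases

def live_a(name):
    """Forward lookup through the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.6", "1.2.3.7"):
        print(ip, check_fcrdns(ip, sample_ptr, sample_a))
```

To test a real outbound relay, pass `live_ptr` and `live_a` in place of the sample lookups.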
-
"Leaked blacklists"
Interesting topic. First, there is no loss of security in publicising blacklists. It is a bit silly (or nasty) to claim this is some security breach when it simply isn't.
The problem with web filtering is that there is a market for it. People want to buy it. People are making money on it. It is not going away.
Now, what aussie govt is doing is plain wrong. But, at least, they are not doing it in secret like in the UK... On balance, UK's filter is not mandated by the government, rather it is chosen by ISPs.
Either way, the technology simply isn't there yet.
-
Re:Glass Houses Pt.2
Yeah, like your IT support is top notch and can guarantee that your e-mails don't disappear either.
Actually, yes, we can.
-
Re:sounds good to me
There will probably always be Spam. However, I used to work for a company who had lots of problems with SPAM. After they used this service from Messagelabs, the spam dropped dramatically, close to 0 messages. (See link for more info: http://www.messagelabs.com/publishedcontent/publish/services_dotcom_en/email_services/email_protect/DA_157231.chp.html )
I can't find any major flaws (besides price etc.). This system seems to have everything to withstand Spam. I was wondering if there is an opensource alternative which has the same capabilities and quality of scanning.
-
Managed Service
A managed service is flat out the way to go. That way you don't have to mess with installing and managing software or hardware that's just going to get old and useless.
My recommendations are:
MXLogic
MessageLabs
Spam Spy
There are many others too. Postini is the most popular but I hear it kind of sucks.
Best of luck!
-
Consider a Hosted Service
You still need to run internal software to be safe, but have you considered contracting with a mail scanning service like Message Labs? A significant percentage of the mail that comes to my employer's accounts contains spam or viruses, and this service has been great at filtering it out. Not only that, but whatever bandwidth it would have taken (granted, it's not that much) never comes to our network. Again, and I can't stress this enough, you still need to run something internally to be as safe as possible, but these guys are inexpensive, and their service has been great. (No, I don't work there. I'm just happy with them)
-
Two suggestions - Gateway products
Your best bet if you want to not care if it's Exchange or anything else, go for a gateway product.
1) If you want to house on site, then use this: Trend Micro InterScan Messaging Security Suite. It runs on Windows, and has a really good hit rate for SPAM and it's even better with viruses.
2) If you don't mind getting someone else to do it for you: MessageLabs Spam and Virus filtering
The IMSS solution I am not going to turn around to you and say that it's the absolute best thing on the face of the planet, as quite simply I just haven't seen something out there yet, that really makes me go WOW! It is however, a really good gateway product, and works extremely well, if nothing else, it's the pick of a bad bunch. It's very configurable, and from my experiences with it, tends not to screw up. That's a pretty important factor for me.
The MessageLabs solution is another gateway solution. It's not housed by you, so it takes up no server resources on your part, and the solution is extremely redundant. Certainly a hell of a lot more than you are going to get paying for it yourself in most instances. Their virus and spam definitions are essentially second to none, and the rates of false positives I have seen for spam are very good as well. Their interface on their web site isn't exactly feature rich, in actual fact it really is quite sparse, but then it does cover the basics, and their retention times for bad mails are good too.
So for gateway products, these are what I am recommending to customers at the moment. I am tending to not push for server based (Exchange server / Information Store) AV as hardware is cheap and if it's not on there it can't cause you any problems. All this tied in with the fact that it doesn't scale leads me to think that it's not worth it. The other suggestion would be to run Exchange on port 26 and have this on port 25. That way it can be on the same box, but it shouldn't interfere with Exchange at all.
I have no idea what your discount schedule is for resellers, so I can't even get you indicative pricing. I also don't know where you are, so that helps me even less.
Happy hunting!
Berny
-
Webmail? No way.
(Disclaimer: I work for MessageLabs; we filter spam and viruses from our customers' mail, amongst other things.)
I don't see web mail ever replacing the current 'fat MTA and client' model for anything except personal mail. I myself have a Gmail account which I use for personal stuff, but like every other org with more than 10 employees. Webmail will never be acceptable for any but the smallest organisations. Just to pick one reason from the dozens, what happens when your employer gets sued over some dodgy deal and the litigant's lawyers demand access to all your internal email? "Sorry, we don't keep any mail." Whoops, go straight to jail, do not pass Go and so on. Archiving and retention of mail is increasingly mandated by standards and (these days) legislation, especially in the US. (SOX, Gramm-Leach et al, I think HIPAA has something to say on the subject, not to mention the voluntary certifications and standards like ISO17799, NIST, SAS-70 and the rest.)
-
messagelabs already did this
There used to be a live virus flash animation on their site where it would show you what countries worm emails were being picked up in. On the left hand side, they had a list of big worm outbreaks and would play through the outbreak and show infected regions. Very nice demo, but it looks like it's no longer - http://www.messagelabs.com/viruseye/threats/ now brings you to their home page.
-
Re:Spam - More than a nuisance
Considering that my domain is ranked around 1.6 millionth in traffic by Alexa, I think by extrapolation we can figure it's a huge part of the bandwidth of the internet. You don't have to take my half-assed guess as gospel either. clicky (hit the 'spam' tab after loading the page).
As for why not whitelist? I like to know who's selling my address and to be able to have disposable addresses, and I like to have an easy, reliable way to filter incoming mail based on which of several work-, volunteer-, and leisure-related hats I wear and how the people contacting me got my address (business card, web form, about box, etc.)
-
Re:The law IS having an effect
Our incoming spam rate, normally a clean, rising, exponential curve, dropped 20% the day CAN-SPAM went into effect. It happened again the day last month that it was announced that 4 had been indicted under the Act.
Interesting but I don't believe it. Even after getting my ISP to filter at the server level, and running my own filters, I'm getting more spam than ever. Most of it is for viagra-like drugs, but a large percentage is some interesting porn. I recently started using Spamcop.net to track and report spam. With the exception of one spammer on a comcast.net IP everything that gets by my filters comes from outside of this country (mainly China).
I'd like someone to post some real data regarding spam.
Looking at Data from Message Labs, this CAN-SPAM act has not reduced spam. In fact April was the highest month by far. It looks like May is on track to beat April!
Nope there is not a legislative solution to spam.
-
Re:The easiest method is with signatures
One recent method used to detect email viruses is to track distribution of 'similar' messages. This is what MessageLabs does -- all the email to their customers goes through their mail servers first. Because they have so many emails going through their system they can track messages with some degree of success, and determine new email viruses simply by their inherent behaviour.
This also allows them to identify early sources for a new virus, which may be useful for tracking the author.
-
Re:Anyone have a link for the spam ratio?
Try messagelabs. They have graphs of recent spam/pr0n/virus activity and may have a history graph that spans the last decade.
-
Earlier post fits here as well
A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor.
Apparently in their zeal to deflect criticism, they are ignoring, or don't read /. where a more plausible explanation as to the origin of the virus has been posted, and as to the motives behind it.
Too bad (for the site) their own readers don't fall for it
The above links are relevant to the BBC post as well.
Wrath of the geeks
If anyone's anger has no measure, it is the wrath of internet zealots who believe that code should be free to all (open source).
So, it seems likely that the perpetrators of the MyDoom virus and its variants are internet vandals with a specific grudge.
SCO is the big, bad company that violates one of their sacred principles, as they would see it.
There's no proof, of course, but it must be one of the theories at the top of any investigator's list.
Interesting to see the BBC publishing this "reporting" on the heels of this
They argued that Mr Dyke, the BBC's editor-in-chief, was blameless for the "defective" system of checks which failed to expose the mistakes made by reporter Andrew Gilligan.
Mr Dyke, they argued, had a long list of extra responsibilities, from "motivating staff" to handling budgets and could not have been expected to check Mr Gilligan's story which alleged that the Government inserted bogus material into the Iraq dossier.
Although editors traditionally accepted responsibility for their journalists' shortcomings, that did not mean Mr Dyke "could or should" have had any clue about the inaccuracies in the story.
The BBC submission said its governors did not have "direct management responsibility" although they did take "ultimate responsibility for the BBC in everything it does".
And it argued, astonishingly, that the governors were never asked to treat the deluge of demands for an apology made by Alastair Campbell or the Government as "a formal complaint".
Meanwhile, in a separate legal submission, Gilligan attempted to claim that reporters should be allowed "a margin of error" to make mistakes.
And more:
On the BBC
BBC editorial system was 'defective'
BBC management failed to appreciate that Gilligan's notes did not support the most serious of his allegations
The BBC governors should have recognised the desire to protect its independence was not incompatible with investigating Mr Campbell's complaints, no matter what their tone
The BBC governors should have investigated further the differences between Gilligan's notes and his report, and that should have led them to question w
-
This is the fault of UNIX servers, not windows
A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor.
Apparently in their zeal to deflect criticism, they are ignoring, or don't read /. where a more plausible explanation as to the origin of the virus has been posted, and as to the motives behind it.
Too bad (for the site) their own readers don't fall for it.
-
Yahoo! Frames!
Silly Messagelabs, using frames. What a treat to see the internet circa 1998. And, it doesn't work in Safari.
-
Take the weight off...
Try Messagelabs or similar for pretty much 100% effective e-mail virus filtering. They use the top four anti-virus solutions to catch everything that's known about, followed by heuristic analysis to catch anything suspicious that's not been seen before.
They recommend using a conventional anti-virus solution to catch the 2% of viruses coming into your establishment on portable media, but they'll keep your mail pretty damn clean.
I don't work for them (my partner used to work for part of the same outfit), but I have been an end user of their solution. Good stuff, and they do anti-spam as well...
Matt...
-
Re:You get a virii scanner that can deal with zip.
Sobig.E came out before the virus scanners had signature updates. When viruses spread so fast these days about all you can do is push your email through MessageLabs who have never let a virus through to a customer due to their custom AV scanner which uses heuristics instead of signatures.
Your point about not relying on any one point of access is well taken though - all entry points need to be protected in one way or another.
-
Virus Alert Notification
I've posted all the relevant information about this virus since 4pm on Tuesday, which beat out most of the major news outlets, except cnet. I've kept the info up to date with the list of virus vendors and latest virus news in the online media, and manual removal and automatic removal tools.
I would like to thank messagelabs, as they are always the first to notify about major virus outbreaks. Sophos is a close second and is good about notifying about everyday viruses. McAfee's alerts are good, but usually a little late, they only notify once it hits the news media. Symantec wants you to pay an outrageous price for their virus alerts, and I doubt they give you only earlier warning than messagelabs or sophos which provide the service for FREE. Symantec is becoming the Microsoft of Virus vendors, they're trying to spread out everywhere now in the security field, buying up companies left and right. Their quality of product is going down because they don't use a google.com like motto "do one thing and do it well" which they used to do. But their automated virus removal tools are still pretty good. IMHO
If you would like to sign up to messagelabs's great early warning notification service go here.
If you want Sophos's excellent everyday notification about all viruses go here.
If you would like to get McAfee's avertlabs notifications, go here.
or you can just checkout my virus posts on the security-forum.com, but I only post the major outbreaks because there are TOO MANY viruses out there to post every single one. ;)
-
Re:I ask for mod-love for the first time ever here
We use Bayes at the ISP level, and it's effective, but nowhere near as effective as when it gets per-user training. Consider that a particular group of people at your ISP may get emails that look like your spam (stock reports, HTML newsletters, Asian emails, etc) and you'll see what the problem is.
There are some potential solutions to this (such as ours which is to use bayes merely as part of an overall solution), but most ISPs don't want to be storing 30M of bayes database per user - it's just not sensible.
-
Spam Conference talk
Jason Rennie gave an extremely interesting talk about this at the MIT Spam Conference this month, although he wasn't using quite as direct a method, instead he was looking at MLD - Minimum Length Description. This is a technique to discover features in corpora that allow you to describe the classification of a corpus in the minimum number of details.
Basically it's a way to discover features in emails using compression techniques, so rather than having us SpamAssassin developers have to carefully and manually examine emails to see what's new and interesting about them, MLD techniques can automatically detect these features.
Jason Rennie's web page (talk and paper available) about this is here. Please do read it as it's extremely interesting.
The one downside of it is that Jason said at the end of his talk that it's extremely slow at doing the feature detection. When asked how slow he said that on a reasonably small corpus it took 4 months (although he said it was written in Perl, so a C port is probably a good plan).
In comparison to Bayesian techniques the MLD technique presents a great deal of interest - primarily because I work for a company doing spam filtering at the internet level, and so we can't feasibly do personal training which is what makes Bayesian techniques so great (see the talk I gave at the MIT spam conference). Without the personal training Bayes is only about 90-95% effective, so it should be interesting to see where these techniques lead us.
-
Re:Unpopular, but...
same here only it's:
Messagelabs and Network associates.
No Viruses, Viri, virii or virus from e-mail since we implemented them.
-
qpsmtpd + clamav
[Disclaimer: I work in AV]
If cost is even slightly an issue, I can recommend using qpsmtpd and clamav. The clamav team are pretty fast at adding new virus signatures to their database, and they catch most of the common viruses out there. I've written a qpsmtpd plugin for clamav which you can find here.
I can't honestly recommend Sophos for gateway scanning. They are better on the desktop. If you can I would go for NAI who have the best gateway scanning of the commercially available scanners (according to our live tests).
Alternatively, if a 100% guarantee appeals to you, the company I work for, MessageLabs will give you a 100% guarantee against letting through an email virus. We'll also do spam scanning for you. Yes, I'm biased.
-
use a server based scanning service
That's what I use, it avoids problems with updating and disabled virusscanners. There are several in existence now:
MessageLabs, best known, scans domains (SMTP)
MessageFilter, a new kid on the block also scans domains (SMTP)
vSweeper scans POP3 boxes, it essentially proxies mails.
-
Watched this happen
I work for a managed security provider and we stopped this using heuristics for all our customers. Its growth rate has been phenomenal, considering it doesn't even use any hacks - it's just a stupid social engineering virus! It was very funny listening to our anti-virus guy on the phone to reporters saying "We've stopped 4000 in the last two hours. No wait, 5000. ... oh, and now 6000".
The problem is there's *nothing* Microsoft can do to stop this sort of virus, as long as they allow execution of files direct from their email client, and honestly I can't see that stopping (and neither can the people where I work, which they're quite happy about :-)
I do worry for apps like this on Linux though, as email clients become able to execute attachments. But the benefit is that Linux doesn't assume things based on file suffix, but on their actual mime type. However, that still leaves a possible vulnerability to mime type spoofing, perhaps.
-
Re:Is There a Difference?
Odd ... messagelabs reports an outbreak of BadTrans.b.
The only company which currently detects badtrans.b? NAI/McAfee.
Check your mailboxes on Monday morning while you're waiting for your AV vendor to catch up.
-
Re:Cure For Email viruses
There are already mail checking laboratories that people can use if they want (they've stopped non-techie friends of mine forwarding worms accidentally). But enforcing use of this sort of centralised facility would be a deeply Bad Thing, imho-- consider the possibilities for censorship.