Domain: mimedefang.org
Stories and comments across the archive that link to mimedefang.org.
Comments · 18
-
Re:This is a losing proposition.
I run a very profitable company that started out as a Linux consulting shop.
I started my company back in 1999 when Linux really wasn't on business's radar. The keys to success were:
- Promote Linux where it makes sense. I set up plenty of firewalls, file servers, mail servers, web servers, etc. for my small business clients.
- But don't be religious. I certainly didn't waste my breath trying to convert them away from Windows on the desktop.
- But on the third had, do have some religion. There's no way I would have installed a Windows server for anyone. I would have politely declined their business, stating that my specialty is Linux. No-one ever actually asked me to do that... I made it clear up front I was a Linux guy willing to coexist with Windows machines, but not actually work on them.
- Keep your ears open and figure out what your clients want. Back in 2000, one of my clients wanted mail filtering, from which was born MIMEDefang and eventually my commercial anti-spam company that has a dozen or so employees (and, btw, that runs completely on Linux, including servers, desktops, phone system, and even my Nokia N900.)
For me, it has been a terrific 14 year ride with a great future ahead. Not a losing proposition by a long shot.
-
We run DNS-based lists
... though they are not publicly-accessible; only accessible to our customers. Here's how they work:
Using our reputation-collection protocol, we receive a constant stream of events from our customers. An "event" is something like "IPv4 address x.y.z.w sent to a nonexistent recipient" or "IPv6 address abcd::1234 sent something that a human voted as spam"
Currently, we have a database of just under two billion events. Once an hour, we go through our database and categorize IP addresses as:
- Greylist Stumblers: Machines that seem to have trouble passing the greylist hurdle.
- Dictionary Attackers: Machines that seem to send to a lot of nonexistent addresses.
- Spam Sources: Machines that send a lot of spam.
- Mixed: Machines that send a lot of spam, but also a lot of ham (think Yahoo's servers, for example.)
- Good: Machines that aren't on any of the other four lists and that seem to send a lot of ham
The whole system is 99.99% automated. The only manual intervention is when some requests delisting. If it seems that someone was the victim of a compromise and has now cleaned up his/her machine, we delist it for 45 days which is long enough for all events from that IP to expire. Then it goes back into consideration for automatic listing.
This system works really well. We have about 3.75 million IPv4 and 3300 IPv6 addresses on our lists; those are machines for which we have confidence that there's enough data to categorize them.
-
Re:Hospital management at fault, not employee
Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.
Don't be a shithead. E-Mail is not a replacement for a file system. Nor should hospitals be using systems that are even remotely succeptible to malware. Pretending otherwise or, worse, blaming the user for defective products is an M$ attitude. There are two underlying problems hidden:
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).
2) Any self-respecting milter can strip ALL attachments automatically and delete them. MIMEDefang is a good example, but one of many. The stripping of attachments can even include a non-looping auto-reply to the sender including instructions on the correct way to transfer files.
Dear SgtChaireBourne, Your comments are well founded, however in the UK most hospitals use Windows as does the DWP (Department for Work and Pensions) along with other government agencies and Police. The National Health Service is also open to attack despite spending over 4 billion pounds on an new IT system which is totally foobar. Maybe this should be another story for another slashdot, if a user wants to digg a little deeper and google "The Big Opt Out". But otherwise I have to concur with your comments. All the best, NSN
-
Hospital management at fault, not employee
Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.
Don't be a shithead. E-Mail is not a replacement for a file system. Nor should hospitals be using systems that are even remotely succeptible to malware. Pretending otherwise or, worse, blaming the user for defective products is an M$ attitude. There are two underlying problems hidden:
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).
2) Any self-respecting milter can strip ALL attachments automatically and delete them. MIMEDefang is a good example, but one of many. The stripping of attachments can even include a non-looping auto-reply to the sender including instructions on the correct way to transfer files.
-
Reject *during* SMTP dialog
This is exactly why you use spam filters like MIMEDefang (or his commercial big brother CanIt). They actually do all of the spam filtering *during* the actual SMTP dialog. Ie, DSNs are not sent to forged senders. The server sending the spam does not have the opportunity to get rid of its message before the message is identified as spam. RFC 2821 permits the issuing of 4xx or 5xx error codes right up until the final 221 QUIT message. A rejection before the QUIT forces the sending MTA to handle the bounce to the envelope from.
-
Re:ClamAV still does make a great second AV test
To go along with your statement I'll throw in an simple OSS tool that hooks into Sendmail and does just what you said (and so much more). MIMEDefang is the tool I'm referring to. My last check of the config script listed about 20 AV clients it supported out of the tarball and a number of Perl addons that also help identify malicious crap like Anomy::HTMLCleaner and File::Scan. MIMEDefang has been rolled up into a commercial app which I highly recommend as well called CanIt. There are a number of CanIt options including CanIt-Pro which has a kickass GUI. They also make a SMB appliance and a full-size appliance. They also include the source. I highly recommend it. I use CanIt-Pro myself. It makes the Barracuda products look like the worthless pieces of junk that they are. CanIt also installs Clam out of the box.
-
Those that provide an alternative to closed sourceThe big winners (to me) are those projects who provide a viable or better alternative to available closed source software and those that you'd put into a business and trust to "just work". To find them you need to test, test and test some more. My winners, those that spring to mind immediately as being trusted not to embarrass me, are
- mOnOwall - firewalling
- IPCop - firewalling
- Metadot - CMS
- Apache - web server
- Bind - Name Server
- asterisk - telephony/voip
- Sendmail - cussed but stable MTA
- SpamAssassin - spam filtering
- MIME-Defang - email content filtering/manipulation
- ClamAV - Virus filtering
- Freebsd - the best OS since sliced bread (IMHO)
- Centos - Not to shabby an OS either
- ...
-
Re:We need a really big lawsuit against Microsoft
Take a look at MIMEDefang, which can do the e-mail part of that (it runs ClamAV and SpamAssassin for you as well). Fully configurable with some Perl hacking.
-
Re:Studying the Jedi. . .
5. Do not allow attachments into your life.
That can be fairly easily done with a Postfix header check (see other story) or MimeDefang. -
This is no more than an ad.All these are commercial products. ZDNet has a long reputation of discussing commercial solutions without any regard to completely viable OSS solutions like
-
Cost of spam and AV
Once you decide to set up a mail server, you'll probably want to add spam and virus scanning. Both are CPU- and memory-intensive. A consumer router probably won't have the horsepower for that. (I'm using MIMEDefang (a sendmail milter), SpamAssassin, and ClamAV on my box.
-
Re:Is there such a thing as a reputable blacklist?
MIMEDefang does this very thing WITH SpamAssassin. So does half a dozen or more other Milters. Where've you been?
:) -
Re:Gandi.net
I'd LOVE to be able to block by registrar.
I'm sure you could add some lines of perl in mimedefang to extract domains from email, do a whois lookup and search for gandi in the results.
I doubt it will be an effective spam blocking technique, though. -
Barely felt it at all here
I'm running sendmail with Mimedefang calling spamassassin and uvscan. This server sits in front of 4 exchange servers and handles incoming and outgoing mail for about 10,000 users. Spamassassin was marking the messages as spam right off the bat. An updated dat file for uvscan came out around 11PM Monday and my cronjob auto-updated it. From around 11PM Monday to 7AM Tuesday we were averaging around 200 per hour. At about 8AM until now that has jumped to about 500 per hour. For a point of reference, we average about 400 rejected spam messages and 200 tagged-and-sent spam messages per hour. So far there has been no effect on the load of the machine at all. The big virus in September (what was the name of it again...sobig?...) had a much greater effect (although the load on the linux box was still pretty low).
-
Re:SPF is good fro the PHBs...
That last point is particularly good, since the PHB types freak if their email isn't exactly the way that they're used to... and they also freak when implementing new technologies.
I don't know about that. Ever since I installed SpamAssassin & MIMEDefang on our incoming relays, there doesn't seem to be anything I want for stopping spam that the PHB's won't let me have. They bought me seven more IBM x335 machines just for handling mail relaying. They're ecstatic that all I want is more hardware, and not an expensive license and software maintenance contract from NAI or some outfit like that.
We just reached a milestone of having 12 million spams rejected in a month (with score >= 10.0). That's about 400 per minute, and it doesn't count emails rejected by sendmail (sender domain must resolve, access_db entries, malformed address, etc.)
Only about 1.5 million emails a month are legit messages that an employee wanted to receive. Do the math folks: 7 out of 8 emails presented to us for delivery are spam. -
Neat, but even simple measures aren't usedThis would be a neat way to watch for nasties on the wire. But most ISPs still don't use even the simplest form of filtering on their mail servers that would stop all viruses cold. The goddamn software is free; why can't ISPs use it? For filtering out viruses at mail servers:
-
Re:It's viewed as promotion
One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".
Messages like that have the opposite effect on me. They broadcast, "We don't understand the concept of mass-mailing viruses that forge their sender addresses, so here's some junk mail for you."
Of course, I'm also of the opinion that virus scanning ought to be a standard feature offered by ISPs (especially with excellent free software like MIMEDefang available to help), so advertisements of an ISP's virus scanning aren't going to impress me whole lot.
-
Developer backlash has begun
Maybe I'm a bit late to the show, but I noticed MIMEDefang version 2.34-BETA-5 includes a new "--enable-running-on-scummy-sco" option.
I wonder how many SCO admins will actually use this option. :)