Enable Amavisd, ClamAV, SpamAssassin
First off, let’s start with the basics: antivirus and antispam via the well-known ClamAV and SpamAssassin, glued to the mail server by Amavisd. Enabling them is easy, and if you haven’t already done so you really should. Read the knowledgebase article for help.
Knowledgebase article: How do Anti-virus and Anti-Spam products work with the Insight Server?
Further reading:
· Amavisd website: http://www.ijs.si/software/amavisd/
· ClamAV website: http://www.clamav.net/support/
· SpamAssassin website: http://spamassassin.apache.org/
Enable Bayesian Filtering and Autolearn in SpamAssassin
Enabling autolearn in SpamAssassin is like giving a robot a brain. Teach your SpamAssassin installation the difference between right and wrong, that is, between spam and ham. The autolearn feature uses Bayesian statistical analysis to compare incoming mail against examples previously marked as spam or ham and so tell the good from the bad. The more it has learned, the smarter it gets. For optimal results the teaching should be an ongoing process… kind of like raising a child.
For information on setting up the auto-learn feature for SpamAssassin, read the following knowledgebase article.
How can I set up sa-learn (auto-learn) for SpamAssassin
Further reading on this topic:
· http://spamassassin.apache.org/full/3.0.x/dist/doc/sa-learn.html
· http://spamassassinbook.packtpub.com/chapter9_preview.htm
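The following is an added illustration of the idea behind Bayesian filtering and autolearn, not code from SpamAssassin or from this article: a small token-based filter is trained on a constructed six-message corpus, then feeds its own confident verdicts back as new training data while leaving uncertain ones alone. The tokenizer, the smoothing and the 0.9/0.1 thresholds are assumptions chosen for the example; real SpamAssassin autolearns from the message’s total rule score with further safeguards and keeps its token counts in a database.

```python
import math
import re
from collections import Counter

# Constructed tokenizer: lower-case words of two or more characters
TOKEN_RE = re.compile(r"[a-z][a-z0-9']+")


def tokenize(text):
    """Return the set of distinct tokens in a message body."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Toy Bayesian spam filter with an autolearn loop (illustration only)."""

    def __init__(self, spam_threshold=0.9, ham_threshold=0.1):
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0
        self.spam_threshold = spam_threshold
        self.ham_threshold = ham_threshold

    def learn(self, text, is_spam):
        """Equivalent of 'sa-learn --spam' / 'sa-learn --ham' on one message."""
        tokens = tokenize(text)
        if is_spam:
            self.nspam += 1
            self.spam_tokens.update(tokens)
        else:
            self.nham += 1
            self.ham_tokens.update(tokens)

    def token_prob(self, token):
        """P(spam | token), smoothed so that rarely seen tokens do not dominate."""
        s = self.spam_tokens.get(token, 0)
        h = self.ham_tokens.get(token, 0)
        n = s + h
        if n == 0:
            return 0.5                 # never seen: says nothing either way
        ps = s / self.nspam            # fraction of spam containing the token
        ph = h / self.nham             # fraction of ham containing the token
        p = ps / (ps + ph)
        # Pull p toward 0.5 by one imaginary observation (Robinson-style smoothing)
        return (0.5 + n * p) / (1 + n)

    def score(self, text):
        """Combine per-token probabilities into one message probability."""
        if self.nspam == 0 or self.nham == 0:
            return 0.5                 # useless until both classes have examples
        logit = 0.0
        for token in tokenize(text):
            p = self.token_prob(token)
            logit += math.log(p) - math.log(1.0 - p)   # sum of log-odds = naive Bayes
        return 1.0 / (1.0 + math.exp(-logit))

    def classify(self, text, autolearn=True):
        """Return (verdict, probability). With autolearn on, confident verdicts
        are fed back as training examples; uncertain ones are not, which is
        what keeps a self-training filter from drifting."""
        p = self.score(text)
        if p >= self.spam_threshold:
            if autolearn:
                self.learn(text, True)
            return "spam", p
        if p <= self.ham_threshold:
            if autolearn:
                self.learn(text, False)
            return "ham", p
        return "unsure", p


def build_demo_filter():
    """Train a filter on a constructed corpus (not real mail)."""
    f = BayesFilter()
    for text in ("cheap viagra pills buy now",
                 "buy cheap pills online now",
                 "free money win lottery now"):
        f.learn(text, True)
    for text in ("meeting tomorrow about the budget report",
                 "please review the attached report",
                 "lunch tomorrow after the meeting"):
        f.learn(text, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("buy cheap pills now", "meeting tomorrow", "report about pills"):
        print(msg, "->", f.classify(msg))
```

The third message in the demo scores in the middle and is deliberately not learned; that gap between the two thresholds is the point of autolearn thresholds, since a filter that learned from its own guesses on borderline mail would quickly reinforce its mistakes.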
PDFInfo and Sane Security Plugins
File attachments are one of the latest tricks spammers use to pollute your inbox. Luckily the anti-spam community is on top of its game and has provided two very handy tools to help combat this nuisance. The first tool described below is PDFInfo, which helps eliminate spam ads delivered as PDF attachments, something you may have been noticing more of lately. The second is a special set of ClamAV signatures for detecting phishing and scam attempts by spammers.
PDFInfo
Download both PDFInfo.pm and pdfinfo.cf; place PDFInfo.pm in the SpamAssassin plugin directory and pdfinfo.cf in the local SpamAssassin config directory. If you aren’t sure where your plugin directory is, try:
# find / -name SPF.pm
Place the config file in the SpamAssassin config directory:
# cd /opt/insight/etc/mail/spamassassin
# wget http://www.rulesemporium.com/plugins/pdfinfo.cf
Place PDFInfo.pm in the plugin directory (the path where you found SPF.pm):
# cd /opt/insight/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/
# wget http://www.rulesemporium.com/plugins/PDFInfo.pm
Edit init.pre (found at /opt/insight/etc/spamassassin/init.pre) and add the loadplugin line:
loadplugin Mail::SpamAssassin::Plugin::PDFInfo
Restart amavisd:
# /opt/insight/etc/rc/amavisd restart
Check that the PDFInfo plug-in is loading properly with the following command:
# /opt/insight/bin/spamassassin --lint -D
Within the output you should find:
dbg: plugin: loading Mail::SpamAssassin::Plugin::PDFInfo from @INC
dbg: plugin: registered Mail::SpamAssassin::Plugin::PDFInfo=HASH(0x8ff9ed0)
By this point, PDFInfo should be running properly.
Modify the config file to your specific needs.
For more information on the PDFInfo plugin, visit: http://www.rulesemporium.com/plugins.htm
SaneSecurity plugins for ClamAV
Visit the SaneSecurity website, download the script of your choice and open it in a text editor. For this example we used Script 1 by Rick Cooper:
http://www.sanesecurity.co.uk/clamav/UpdateSaneSecurity.txt
Find the following settings and modify them as shown below.
SYSLOG_ON=1
PATH=/bin:/usr/bin:/usr/local/bin:/opt/insight/bin/
CLAM_USER="amavis"
CLAM_GROUP="amavis"
The SYSLOG_ON setting is optional; setting it to zero stops the script from logging to syslog.
Place the script in “/opt/insight/etc/”, rename it, make it executable and run it by hand for the first time with the debug argument:
# cd /opt/insight/etc
# mv UpdateSaneSecurity.txt UpdateSaneSecurity.sh
# chmod 755 UpdateSaneSecurity.sh
# /opt/insight/etc/UpdateSaneSecurity.sh debug
To test whether or not the new signatures are working, visit the SaneSecurity website for instructions. The URL is listed below.
Once the script has finished running successfully, add a crontab entry to execute it automatically (without the debug argument) for periodic updates. Do not schedule it more often than once per hour, so the server is not subjected to unnecessary load.
For more information visit the SaneSecurity website: http://www.sanesecurity.co.uk/clamav/usage.htm
Greylisting
If it acts like a spam server, it probably is. Greylisting temporarily rejects mail from senders it has not seen before. Most legitimate mail servers are set up to resend after a specified period of time, whereas many spam servers never retry, so greylisting is a very effective antispam measure.
Setting up greylisting on Insight Server is easy; just follow the steps in the knowledgebase article:
Greylisting with gld (greylisting daemon)
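To make the greylisting decision concrete, here is an added example of the logic a greylisting daemon applies to each delivery attempt; it is not code from gld or from this article, and the timers (5 minute minimum delay, 4 hour retry window, 30 day whitelist) and the choice to key on the client’s /24 network are assumptions chosen for the illustration. The time is passed in explicitly so the sequence of attempts can be replayed offline.

```python
class Greylist:
    """Greylisting decision logic for one mail server (illustration only).

    A 'triplet' is (client network, envelope sender, envelope recipient).
    The first delivery attempt for an unknown triplet is deferred with a
    temporary 4xx error. A retry that arrives after min_delay but within
    retry_window is accepted and the triplet is whitelisted for whitelist_ttl.
    Spam engines that never retry therefore never get through.
    """

    DEFER = "defer_if_permit 450 4.7.1 Greylisted, please try again later"
    ACCEPT = "dunno"   # Postfix policy result meaning: let later restrictions decide

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 whitelist_ttl=30 * 86400, key_on_network=True):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self.key_on_network = key_on_network
        self.pending = {}      # triplet -> time of first attempt
        self.whitelist = {}    # triplet -> time of last accepted delivery

    def _key(self, client_ip, sender, recipient):
        # Large senders often retry from a different host in the same /24,
        # so keying on the network (assumed here) avoids deferring them twice.
        ip = client_ip
        if self.key_on_network:
            ip = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the policy action for one delivery attempt at time 'now' (seconds)."""
        key = self._key(client_ip, sender, recipient)

        last_ok = self.whitelist.get(key)
        if last_ok is not None and now - last_ok <= self.whitelist_ttl:
            self.whitelist[key] = now          # refresh the whitelist on every delivery
            return self.ACCEPT

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now            # new (or stale) triplet: start the clock
            return self.DEFER
        if now - first < self.min_delay:
            return self.DEFER                  # retried too quickly: still greylisted
        # Retried within the window after the minimum delay: behaves like a real MTA
        del self.pending[key]
        self.whitelist[key] = now
        return self.ACCEPT


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000
    for offset, ip in ((0, "192.0.2.10"), (60, "192.0.2.10"), (600, "192.0.2.11")):
        print(offset, ip, "->", g.check(ip, "alice@example.com", "bob@example.net", t0 + offset))
```

The deferral uses defer_if_permit rather than a hard reject so that any later whitelist entry in the Postfix restriction list can still override it, and the retry window guards against a different host happening to reuse the same triplet hours later.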
Razor-agents
Sometimes it’s good to rely on the help of others; with a task as ugly as fighting spam, it would be foolish not to. Vipul’s Razor is described on its website as a “distributed, collaborative, spam detection and filtering network.” It maintains a catalogue of spam that its users constantly update. Basically, Razor is like SpamAssassin’s auto-learn feature on steroids: instead of learning only from your own mail, you benefit from what others have learned as well. And it’s free! I know it almost sounds too good to be true, but it gets even better: if you’re running Insight Server you already have it installed, and with the help of the knowledgebase article, enabling it takes only a few minutes of your time.
UCE Controls
There’s a section under the Postfix configuration area of Insight Server for Unsolicited Commercial Email (UCE) Controls. There are many of them; we discuss only a select few. It’s in your best interest to get the most out of these settings, because they block spam before it gets a chance to enter the door and so reduce the toll it takes on your server and bandwidth.
Log in to Insight Server, go to ‘Configuration’ -> ‘Services’ -> ‘Postfix’, then scroll down to ‘UCE Controls (Spam)’.
We have selected three for discussion: Header Checks, SMTP Sender Restrictions, and DNSBLs.
Further reading can be found at:
http://www.akadia.com/services/postfix_uce.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
Header checks
Look under the ‘UCE Controls (Spam)’ section and place a check mark on ‘header_Checks’. In the open field, enter the map that will be used as the header check file, such as regexp:/opt/insight/etc/postfix/header_checks. (Use a text editor to edit the header check file itself.)
The latest version of the header checks file can be downloaded from:
http://www.posluns.com/files/header_checks
Read the knowledgebase article:
How can I setup Insight Server to reject mail based on a subject line so I can stop Virus or Spam messages?
Further reading:
http://www.posluns.com/guides/hedchek.html
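The example below is added to show how a regexp: header_checks map is read and applied; it is not the posluns.com file and not Postfix code. It parses a constructed four-rule map in Postfix’s /pattern/flags ACTION text syntax (case-insensitive by default, the i flag toggling that, as in Postfix), unfolds continuation lines into logical headers the way Postfix does before matching, and runs two constructed messages through the rules. Treating only REJECT and DISCARD as ending inspection is a simplification for the illustration.

```python
import re

# Constructed rules in Postfix regexp: map syntax (not the posluns.com file)
SAMPLE_RULES = r"""
# Lines starting with '#' and blank lines are ignored
/^Subject:.*\bviagra\b/                                   REJECT Spam subject
/^X-Mailer:.*MassMailer/                                  REJECT Bulk mailer signature
/^Content-(Disposition|Type):.*name=.*\.(exe|scr|pif|bat)\b/ REJECT Executable attachment type not allowed
/^Received:.*\[192\.0\.2\.99\]/                           WARN
"""

TERMINAL = {"REJECT", "DISCARD"}   # actions that end inspection of the message (simplified)
PASS = {"OK", "DUNNO"}             # actions that accept this header and move on


def parse_header_checks(text):
    """Parse a regexp: map into (negate, compiled_regex, ACTION, text) tuples."""
    rules = []
    # optional '!', /pattern/ with escaped characters allowed, flags, action, optional text
    line_re = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = line_re.match(line)
        if not m:
            raise ValueError(f"unparsable header_checks line: {raw!r}")
        negate, pattern, flags, action, msg = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE   # Postfix: 'i' toggles case-insensitivity
        if "x" in flags:
            re_flags |= re.VERBOSE
        if "m" in flags:
            re_flags |= re.MULTILINE
        rules.append((negate == "!", re.compile(pattern, re_flags), action.upper(), msg or ""))
    return rules


def unfold_headers(raw_message):
    """Return logical header lines: folded continuation lines are joined onto
    the header they belong to, as Postfix does before applying header_checks."""
    headers = []
    for line in raw_message.split("\n"):
        if line == "":
            break                                   # end of the header block
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def apply_header_checks(rules, raw_message):
    """Return the list of (ACTION, text, header) hits, stopping at the first
    terminal action. For each header the first matching rule decides."""
    hits = []
    for header in unfold_headers(raw_message):
        for negate, regex, action, msg in rules:
            if (regex.search(header) is not None) != negate:
                if action in PASS:
                    break
                hits.append((action, msg, header))
                if action in TERMINAL:
                    return hits
                break
    return hits


# Constructed sample messages (not real mail); 192.0.2.0/24 is a documentation range
SPAM_MESSAGE = ("Received: from mail.example.org (mail.example.org [192.0.2.99])\n"
                "\tby mx.example.net with ESMTP id ABC123\n"
                "From: \"Promo\" <promo@example.org>\n"
                "To: victim@example.net\n"
                "Subject: Cheap\n"
                " VIAGRA here\n"
                "Content-Type: application/octet-stream;\n"
                " name=\"invoice.exe\"\n"
                "\n"
                "body text\n")

HAM_MESSAGE = ("From: alice@example.com\n"
               "To: bob@example.net\n"
               "Subject: Budget meeting tomorrow\n"
               "Content-Type: text/plain\n"
               "\n"
               "See you at ten.\n")

if __name__ == "__main__":
    rules = parse_header_checks(SAMPLE_RULES)
    print(apply_header_checks(rules, SPAM_MESSAGE))
    print(apply_header_checks(rules, HAM_MESSAGE))
```

Unfolding matters in practice: a subject split across two physical lines, as in the sample, would slip past a pattern applied line by line, and it is exactly what a header check is supposed to catch.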
SMTP Sender Restrictions
Locate smtpd_sender_restrictions under UCE Controls, place a check in the box and replace the field contents with:
reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
Read left to right, this first rejects mail whose envelope sender does not belong to the login the client authenticated with, then permits everything else from authenticated clients and from the networks listed in mynetworks, then rejects senders whose address is not a fully qualified domain name, and finally rejects senders whose domain does not resolve, i.e. malformed or probably non-existent email addresses.
DNS Block Lists
DNSBLs are lists of IP addresses known to be sources of spam. Once enabled, your mail server no longer accepts mail from IP addresses on the list. Be cautious about which list you use: some are too stringent and give you more than you bargained for by blocking some of your important email as well. We’ve had a positive experience with the list offered by spamhaus.org.
To enable this feature, read the knowledgebase article and, in the proper field, enter one or more DNS block list zones, such as: zen.spamhaus.org
For more information, please consult the knowledgebase article:
How do I configure Insight Server to use RBL's?
Further reading:
· http://www.posluns.com/guides/rbl.html
· http://www.spamhaus.org/
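The following added example (not code from Insight Server, Postfix or Spamhaus) shows what a DNSBL check actually does: the connecting client’s address is reversed, one label per octet for IPv4 or per hex nibble for IPv6, and looked up under the list zone; an answer inside 127.0.0.0/8 means “listed”. The resolver is injected so the check runs offline against a constructed stub zone named dnsbl.example, and a second stub models a retired list that answers every query, which is the failure mode that silently turns a DNSBL into a reject-everything rule if the answer is not range-checked. The 127.0.0.2 test entry is the convention DNSBLs use for sanity checks.

```python
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBL answer codes live here


def dnsbl_query_name(client_ip, zone):
    """Build the name a mail server looks up for client_ip in the given zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))          # 192.0.2.99 -> 99.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # one label per hex nibble
    return ".".join(labels) + "." + zone.rstrip(".")


def dnsbl_lookup(client_ip, zone, resolve):
    """Return the 127.x.y.z answer codes if the client is listed, else [].

    'resolve' is any callable name -> list of A-record strings ([] for NXDOMAIN);
    a real server would use the system resolver. Only answers inside 127.0.0.0/8
    count, so a zone that has started answering everything with some other
    address is treated as 'not listed' rather than as 'block everyone'.
    """
    name = dnsbl_query_name(client_ip, zone)
    codes = []
    for answer in resolve(name):
        try:
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                codes.append(answer)
        except ValueError:
            continue                                    # garbage answer: ignore it
    return codes


def dnsbl_zone_sane(zone, resolve):
    """Sanity check before trusting a zone: by convention 127.0.0.2 is listed
    (the standard test entry) and 127.0.0.1 is not."""
    return (bool(dnsbl_lookup("127.0.0.2", zone, resolve))
            and not dnsbl_lookup("127.0.0.1", zone, resolve))


# Constructed stub zone data for offline use (not real Spamhaus records)
STUB_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],
}


def stub_resolve(name):
    return STUB_ZONE.get(name, [])


def dead_zone_resolve(name):
    """Models a retired list whose domain now wildcards to a web server."""
    return ["203.0.113.5"]


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "dnsbl.example"))
    print(dnsbl_lookup("192.0.2.99", "dnsbl.example", stub_resolve))
    print("zone sane:", dnsbl_zone_sane("dnsbl.example", stub_resolve))
    print("dead zone sane:", dnsbl_zone_sane("dead.example", dead_zone_resolve))
```

The meaning of the individual 127.0.0.x codes differs per list (zen.spamhaus.org, for instance, combines several sub-lists and distinguishes them by code), so consult the list operator’s documentation before acting on anything more specific than “listed”.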