    Outbound spam detection


      We have been using IronMail for many, many years for corporate protection against inbound spam...  I am now looking for a non-corporate spam detection control system...


      Basically, on some sites, we allow BYOD to access the internet across a dedicated link not connected to corp.  The only problem is how to control the use of SMTP without blocking it.  In the past, we had a station that got infected and started spamming, so we blocked SMTP completely.  Now, with all those BYOD devices, we have a lot of pressure to reopen SMTP.


      So, the question:

      • is there software out there that could limit and block a station if it sends 10 SMTP messages in 5 minutes, for example?  It has to be local, since all those links are NATed and a central service would only see the NAT address, so no granularity would be possible.


      Any help will be appreciated...

          Why not filter your outgoing SMTP? There are a few software products that are transparent to end users.


          Here's a Wikipedia article: http://en.wikipedia.org/wiki/Anti-spam_techniques#Outbound_spam_protection

            Yes, this is what I started looking at after my post.  MailChannels charges by the number of e-mails.  I am looking for a cheap, maintenance-free solution.


            I have started looking at Antamedia, Endian and Traffic Inspector.  I am also looking at ASSP, ClamSMTP and Caspian.


            An SMTP transparent proxy that would look at the rate of e-mail and block any sender over 1 mail/min would just do it for us, I think.

              Haven't heard of MailChannels, but I know from battling this problem at a hosting company (previous $job), it's a tough one. ASSP and other open source options are (or at least were as of seven months ago) not suited for outbound spam filtering, and you'll spend months pulling your hair out and not getting anywhere. Don't kid yourself that a bit of rate limiting will fix the problem... spammers are a whole lot craftier than you could imagine... Just my $0.02 - good luck and please share your findings with us.

                Unfortunately you are going to have a tough fight on this one; however, and I say this tentatively, there is a way on the IronMail to do this. The odds are that it will cause unexpected issues, but you can set up the Anomaly Detection to block/alert based on the number of emails from the same sender within a specific timeframe. BE WARNED: If you choose to try it, then start off with a BIG number, I would say 10,000/hr, because you might be surprised at what you start blocking, i.e. postmaster@dom.com; however, most spambots tend to blast out as much as they can, so using large numbers is typically the best approach.


                This has always been a difficult issue with IronMail, simply because on one hand we tell it to accept all mail as a relay from this IP address regardless of content, but on the other hand we want it to block anything with this content using severely crippled anti-spam capability from the same IP... The IronMail will not do any RBL, spoof rejection, DSC, Bayesian, etc. lookups on IPs that are listed as relays on the internal servers list.


                  Think of this as a free hotspot service for our customers.  We don't control the devices and just want to limit the risk of spamming/viruses going wild as it happened once before.  Investment and management time has to be minimal.  And since we have 20 sites with that kind of setup, it has to be cheap!


                  We manage the internal network with multiple layers of AV, filter block, IronMail anti-spam etc. and it takes time, multiple times a day, to manage...  Either we will have to outsource (recurring fee) or find a 50-75% effective, cheap solution...



                  • I was looking for an SMTP transparent proxy, but what about SMTP port redirection to a real SMTP relay?  Do you know of any that would accept any SMTP connection, with and without logon, accept everything and scan/filter?



                    Another possibility would be to upgrade to MEG 7.0, which would do a better job at scanning outbound mail because of the way its anti-spam engine works.

                      @DBO, redirecting clients to a relay (e.g. Postfix) will break many mail clients, for a few reasons: 1) Lots of corporate users have strict SSL certificate checking when they try to connect to their remote SMTP server, and your Postfix box isn't going to return the right certificate information;  2) this just pushes the problem on to the Postfix queue (in terms of having to track sender behavior); and 3) the original IP of the client machine won't be respected, so your Postfix box is going to quickly get blacklisted. How are you going to analyze the queue logs to figure out which customer has a spam bot loaded onto his machine?


                      Why not grab an actual transparent SMTP proxy, load it up in a colo facility, and then use VPN tunnels to move port-25 traffic from your hot spot networks over to the central transparent proxy? You probably have VPN-capable equipment already at each of your 20 sites, so it's just a matter of redirecting the traffic into some tunnels.


                      Again, my $0.02, but hopefully I can save you some pain here.

                        Interesting.  I was more looking at BYOD users accessing their ISP SMTP server, but who would do that instead of going with webmail?  Accessing the corp SMTP server is a much more likely scenario.  Any info/experience on SMTP transparent proxies?  Brand / software you have used / are using?

                          @DBO, you'd be shocked how many idiots there are sitting on networks... A friend who works at <large American telco> in their security dept. said that they routinely get complaints from users who are trying to connect to port 25. Why don't they learn about port 587, or just use webmail? Beats me...


                          I wasn't directly involved in the transparent SMTP proxy set up at my old $work, but I asked a colleague there and he suggested you contact "Eleven". Ask for Guido (pronounced "ghee-dough") and mention "Frank" referred you - he ought to remember as it was a big deal for them. +49 30 52 00 56 0. Good luck!

