Mailing List CGatePro@mail.stalker.com Message #92103
From: John Rudd <jrudd@ucsc.edu>
Subject: Re: PDF Spam
Date: Thu, 09 Aug 2007 01:46:06 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Graeme Fowler wrote:
> On Thu, 2007-08-09 at 19:00 +1200, Martin Miller wrote:
> Other than spam catcher what anti spam mechanisms are you using?
> I use spamassassin, spf and domain keys verify and RBL's to mark
> likely suspects.
> You can also use a plugin
> from http://www.niversoft.com/products/cgscripts/pro#find_attachments to identify PDF and perhaps filter them more closely
>
> Alternatively, use ClamAV with the SaneSecurity signatures -
> http://www.sanesecurity.org/ - as they contain many hashes for PDF
> spams.


Yup.  Sanesecurity catches a huge bulk of them.

What I do at home is (the helpers all run during synchronous rules, so the various rejections all happen during the SMTP session):

1) 5 second greet-delay/greet-pause
2) zen.spamhaus.org and list.dsbl.org
3) a helper that sort of works like the sendmail access file (reject by return-path, reject by ip, reject by recipient, whitelist by ip, whitelist by return-path, whitelist by recipient)
4) a helper to reject attachments via regular expressions (*\.exe$ for example), or add headers for all other attachments
5) a helper using clamav with sigs from clamav, sanesecurity, msrbl, and mbl
6) and a spamassassin helper that rejects spam with a score >= 10, or marks it as spam if >=5


I'm in the middle of deploying the same set up at work, as well.  Plus we may add CGP's Sophos and Cloudmark plugins as an extra line of defense.

(the current work system is mimedefang based, but otherwise similar in structure to the above; before adding sanesecurity, msrbl, and mbl, we rejected maybe 3000 messages a day, out of a million, for containing viruses ... now we reject 30,000 to 50,000 messages per day via clamav; 90%+ are caught by sanesecurity signatures)
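
Steps 4 and 6 of the list above, sketched as an added Python example; it is not part of the original post and is not the poster's helper code. The `.exe` pattern and the 5/10 score thresholds come from the post; the `.scr`/`.pif` patterns, the `X-Attachment` and `X-Spam-Flag` header names, the function names and the sample message are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Step 4 deny list: the post names only the .exe pattern; .scr and .pif are assumed.
DENY = [re.compile(p, re.IGNORECASE) for p in (r"\.exe$", r"\.scr$", r"\.pif$")]
REJECT_SCORE = 10.0  # step 6: reject at or above this score
TAG_SCORE = 5.0      # step 6: mark as spam at or above this score

def attachment_names(msg):
    """Yield the normalized filename of every MIME part that declares one."""
    for part in msg.walk():  # walk() descends into nested multiparts
        # get_filename() reads Content-Disposition, then Content-Type "name"
        name = (part.get_filename() or "").strip().rstrip(". ")
        if name:
            yield name

def evaluate(raw, spam_score):
    """Return (action, reason, headers); action is reject, tag or accept."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = []
    for name in attachment_names(msg):
        if any(p.search(name) for p in DENY):
            return "reject", f"attachment {name} not accepted", []
        headers.append(("X-Attachment", name))  # hypothetical header name
    if spam_score >= REJECT_SCORE:
        return "reject", f"spam score {spam_score:.1f}", []
    if spam_score >= TAG_SCORE:
        headers.append(("X-Spam-Flag", "YES"))  # assumed marker header
        return "tag", f"spam score {spam_score:.1f}", headers
    return "accept", "", headers

def sample_message(filename):
    """Constructed input: a text body plus one attachment named `filename`."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, score in [("Invoice.PDF.EXE", 0.0), ("report.pdf", 6.2), ("report.pdf", 1.0)]:
        print(fname, score, evaluate(sample_message(fname), score))
```

Because the decision is returned before the message is accepted, a synchronous helper built this way can turn a `reject` into an SMTP-session rejection, as the post describes.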
