Mailing List CGatePro@mail.stalker.com Message #92105
From: John Rudd <jrudd@ucsc.edu>
Subject: Re: PDF Spam
Date: Thu, 09 Aug 2007 02:04:32 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>

Why would I do that!?   It doesn't scan for viruses until after spam, and it doesn't do the checks synchronously/during-smtp.


And, I'm glad 0.8 is going better.  I'm going to try to fix the DNS thing soon, and do a 0.9.  But the last release was supposed to be "soon" as well, and it took 6 months :-}


Martin.Hepworth wrote:
John

Heh - better go back to MailScanner then ;-)

BTW botnet 0.8 seems to be much happier than the 0.7 I was running

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
Behalf Of John Rudd
Sent: 09 August 2007 09:46
To: CommuniGate Pro Discussions
Subject: Re: PDF Spam

Graeme Fowler wrote:
On Thu, 2007-08-09 at 19:00 +1200, Martin Miller wrote:
Other than spam catcher what anti spam mechanisms are you using?
I use spamassassin, spf and domain keys verify and RBLs to mark
likely suspects.
You can also use a plugin
from http://www.niversoft.com/products/cgscripts/pro#find_attachments
to identify PDF and perhaps filter them more closely
Alternatively, use ClamAV with the SaneSecurity signatures -
http://www.sanesecurity.org/ - as they contain many hashes for PDF
spams.

Yup.  Sanesecurity catches a huge bulk of them.

What I do at home is (the helpers all run during synchronous rules, so
the various rejections all happen during the SMTP session):

1) 5 second greet-delay/greet-pause
2) zen.spamhaus.org and list.dsbl.org
3) a helper that sort of works like the sendmail access file (reject by
return-path, reject by ip, reject by recipient, whitelist by ip,
whitelist by return-path, whitelist by recipient)
4) a helper to reject attachments via regular expressions (*\.exe$ for
example), or add headers for all other attachments
5) a helper using clamav with sigs from clamav, sanesecurity, msrbl, and
mbl
6) and a spamassassin helper that rejects spam with a score >= 10, or
marks it as spam if >=5


I'm in the middle of deploying the same set up at work, as well.  Plus
we may add CGP's Sophos and Cloudmark plugins as an extra line of defense.

(the current work system is mimedefang based, but otherwise similar in
structure to the above; before adding sanesecurity, msrbl, and mbl, we
rejected maybe 3000 messages a day, out of a million, for containing
viruses ... now we reject 30,000 to 50,000 messages per day via clamav;
90%+ are caught by sanesecurity signatures)


#############################################################
This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>






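Step 4 of the setup John Rudd describes above (a helper that rejects attachments by filename regex and adds headers for all others), as an added sketch that is not code from the thread or from any CommuniGate Pro helper. The deny list beyond `.exe`, the `X-Attachment` header name, the verdict strings and the sample messages are assumptions made for illustration; the point shown is decoding RFC 2231 and RFC 2047 filenames and trimming trailing dots before the regex runs, so an encoded name does not slip past `\.exe$`.

```python
import re
from email import message_from_bytes
from email.header import decode_header, make_header

# Hypothetical deny list; the post names only the ".exe" case.
DENY = [re.compile(p, re.I) for p in (r"\.exe$", r"\.scr$", r"\.pif$")]

def normalise(name):
    # Decode RFC 2047 encoded-words that some clients put in filename="...".
    name = str(make_header(decode_header(name)))
    # Windows ignores trailing dots and spaces, so "a.exe." still opens as a.exe.
    return name.rstrip(". \t")

def check_attachments(raw):
    """Return ("REJECT", name) for the first denied filename,
    otherwise ("ADD_HEADERS", [header lines for the other attachments])."""
    msg = message_from_bytes(raw)
    headers = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 filename*= values
        if not name:
            continue
        name = normalise(name)
        if any(p.search(name) for p in DENY):
            return ("REJECT", name)
        # Keep only printable ASCII so a crafted name cannot inject a header.
        safe = re.sub(r"[^\x20-\x7e]", "?", name)
        headers.append(f"X-Attachment: {safe} ({part.get_content_type()})")
    return ("ADD_HEADERS", headers)

def _sample(ctype, disposition):
    # Constructed test message: one text part plus one attachment.
    return (b"From: a@example.com\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
            b"--b\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            b"--b\r\nContent-Type: " + ctype + b"\r\n"
            b"Content-Disposition: attachment; " + disposition + b"\r\n\r\nx\r\n"
            b"--b--\r\n")

# Constructed inputs: percent-encoded name with trailing dot, encoded-word name, plain PDF.
SAMPLE_EXE = _sample(b"application/octet-stream", b"filename*=UTF-8''Invoice%2EEXE%2E")
SAMPLE_SCR = _sample(b"application/octet-stream", b'filename="=?utf-8?b?c2V0dXAuc2Ny?="')
SAMPLE_PDF = _sample(b"application/pdf", b'filename="report.pdf"')

if __name__ == "__main__":
    for raw in (SAMPLE_EXE, SAMPLE_SCR, SAMPLE_PDF):
        print(check_attachments(raw))
```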