Mailing List CGatePro@mail.stalker.com Message #92106
From: Chaminda Indrajith <indrajith@adm.sltidc.lk>
Subject: Re: PDF Spam
Date: Thu, 09 Aug 2007 17:13:50 +0530
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v5.1.11
Dear All,

I have applied the Sanesecurity phishing/scam signatures for ClamAV running on our mail gateway. It works really well and catches a huge amount of spam.

But I have another problem. Although I have a Mail Gateway in front of our CGPro Server which scans all the incoming mails to CGPro server, some smart spammers deliver spam mails directly to the CGPro Server. As an extra defense, McAfee Anti-Virus plugin and MailShell SpamCatcher plugin are running in CGPro server. But still spam mails are coming to mailboxes.

Is there a way of blocking these direct spammers? I cannot block the SMTP connections to the CGPro Server from outside, since our customers are sending mails to outside using e-mail clients through the CGPro Server.

Regards
Chaminda Indrajith
Internet Data Center
Sri Lanka Telecom


On Thu, 09 Aug 2007 01:46:06 -0700, John Rudd <jrudd@ucsc.edu> wrote:
Graeme Fowler wrote:
On Thu, 2007-08-09 at 19:00 +1200, Martin Miller wrote:
Other than spam catcher what anti spam mechanisms are you using?
I use spamassassin, spf and domain keys verify and RBLs to mark
likely suspects.
You can also use a plugin
from http://www.niversoft.com/products/cgscripts/pro#find_attachments to identify PDF and perhaps filter them more closely

Alternatively, use ClamAV with the SaneSecurity signatures -
http://www.sanesecurity.org/ - as they contain many hashes for PDF
spams.


Yup.  Sanesecurity catches a huge bulk of them.

What I do at home is (the helpers all run during synchronous rules, so the various rejections all happen during the SMTP session):

1) 5 second greet-delay/greet-pause
2) zen.spamhaus.org and list.dsbl.org
3) a helper that sort of works like the sendmail access file (reject by return-path, reject by ip, reject by recipient, whitelist by ip, whitelist by return-path, whitelist by recipient)
4) a helper to reject attachments via regular expressions (*\.exe$ for example), or add headers for all other attachments
5) a helper using clamav with sigs from clamav, sanesecurity, msrbl, and mbl
6) and a spamassassin helper that rejects spam with a score >= 10, or marks it as spam if >=5


I'm in the middle of deploying the same set up at work, as well. Plus we may add CGP's Sophos and Cloudmark plugins as an extra line of defense.

(the current work system is mimedefang based, but otherwise similar in structure to the above; before adding sanesecurity, msrbl, and mbl, we rejected maybe 3000 messages a day, out of a million, for containing viruses ... now we reject 30,000 to 50,000 messages per day via clamav; 90%+ are caught by sanesecurity signatures)
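As an added example (not code from this thread, from CommuniGate Pro or from any of the plugins named above), here is a small Python model of the decision logic behind helpers 3, 4 and 6 in John Rudd's list: the access-file style reject/whitelist tables keyed by client IP, return-path and recipient, attachment rejection by regular expression with a header added for every other attachment, and the SpamAssassin thresholds (reject at a score >= 10, tag at >= 5). The list entries, the whitelist-before-reject ordering and the header names are assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed access-list entries (hypothetical values, not from the thread),
# in the spirit of the sendmail access file the helper is compared to.
REJECT_IPS = [ip_network("192.0.2.0/24")]
WHITELIST_IPS = [ip_network("198.51.100.7/32")]
REJECT_RETURN_PATHS = {"spammer@example.net"}
WHITELIST_RETURN_PATHS = {"partner@example.org"}
REJECT_RECIPIENTS = {"retired@example.com"}
WHITELIST_RECIPIENTS = {"postmaster@example.com"}
# Attachment names rejected outright; every other attachment only gets a header.
REJECT_ATTACHMENT_RE = re.compile(r"\.(exe|scr|pif)$", re.IGNORECASE)
REJECT_SCORE = 10.0  # spamassassin score at or above which the mail is rejected
MARK_SCORE = 5.0     # score at or above which it is only tagged as spam

@dataclass
class Envelope:
    client_ip: str
    return_path: str
    recipient: str
    attachments: tuple = ()
    sa_score: float = 0.0

def _ip_in(ip, nets):
    return any(ip_address(ip) in net for net in nets)

def decide(env):
    """Return (verdict, reason, extra_headers); reject means a 5xx in the SMTP session."""
    headers = []
    # Whitelists are consulted first (assumption), so a trusted sender is never lost to a later rule.
    if (_ip_in(env.client_ip, WHITELIST_IPS)
            or env.return_path.lower() in WHITELIST_RETURN_PATHS
            or env.recipient.lower() in WHITELIST_RECIPIENTS):
        return ("accept", "whitelisted", headers)
    if _ip_in(env.client_ip, REJECT_IPS):
        return ("reject", "client ip listed", headers)
    if env.return_path.lower() in REJECT_RETURN_PATHS:
        return ("reject", "return-path listed", headers)
    if env.recipient.lower() in REJECT_RECIPIENTS:
        return ("reject", "recipient listed", headers)
    for name in env.attachments:
        if REJECT_ATTACHMENT_RE.search(name):
            return ("reject", "attachment " + name, headers)
        headers.append("X-Attachment: " + name)
    if env.sa_score >= REJECT_SCORE:
        return ("reject", "spam score %.1f" % env.sa_score, headers)
    if env.sa_score >= MARK_SCORE:
        headers.append("X-Spam-Flag: YES")
    return ("accept", "ok", headers)
```

Because every verdict is produced before the message is accepted, a "reject" here corresponds to a rejection inside the SMTP session rather than a bounce generated afterwards.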


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>