[exim] trying to implement outbound DSPAM filtering for ISP …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Greg Swift
Date:  
À: Exim users list
Sujet: [exim] trying to implement outbound DSPAM filtering for ISP mail server
Hi all.

1st off, i'd like to say that i've read around a bit on this, so if i
missed the answer, i apologize. Maybe i'm over complicating things, and
thats why, so i'm sorry if thats the case.

It'll take a second to get to why I am posting to this list, so here goes:

I run the systems for a medium sized ISP (roughly 25k dynamic broadband
subs). We, stereotypically, block port 25 outbound to help contain
zombie generated SPAM, but over the last 2 years the spammers have
started coding their stuph to point its way out the user's configured
outbound mail server. Currently we are on a qmail/SA setup on the
outbound, it tags SPAM and delivers. (If we see a block of blatant spam
we manually trash it, and since i'm in the server almost all day every
day, i catch quite a bit, but not all). We have a few things in place to
blacklist users if they start acting spammy, but every time we find
another rule, they change what they are doing. Its a loosing battle as
many of you know. Now it is crumbling under the load, and not tagging
things nearly as well as would be preferred.

To help alleviate the issues I've been working on a combination of DSPAM
(http://www.zdziarski.com/projects/rabl/), RABL
(http://www.zdziarski.com/projects/rabl/), and ClamAV. DSPAM scans the
msg for spam and virus(linking to clamav) and if it tags the message as
spam it sends RABL a notice about that customer's spamminess. Once the
user reaches a threshold (right now about 50 notices) RABL blacklists
them (default 6 hours). The nice thing about this concept is that its
automatic, and all the customer has to do is clean their machines and
then when 6hrs hit they are back to normal, until they get infected
again (or if they didnt suceed).

So at this point you are wondering why i won't shut up and get to the
point. This solutions was originally setup on Postfix. Its taken a long
time to get it fully to the point it is at, and in that time i've
recently decided I'd rather implement it with Exim, because I want
SMTP-AUTH. All of our users are virtual users in a mysql db. From What
i've seen from researching doing this in Exim is cake compared to
Postfix. But this still isnt the problem. The problem is that I'm not
sure how to call DSPAM from Exim in an equally efficient or similar
manner for outbound e-mail as I am doing with Postfix.

In Postfix we forward mail to dspam.sock as a content filter, and then
dspam kicks it back to a local Postfix port (10026) for delivery. This
is what postfix/master.cf looks like at that point:

smtp inet n - n - - smtpd
-o content_filter=lmtp:unix:/tmp/dspam.sock
localhost:10026 inet n - n - - smtpd
-o content_filter=

From looking through configs and docs, I'm assuming that I would have
to start with something like this befroe the dnslookup router:

scanmessage:
driver = lmtp
socket=/tmp/dspam.sock



But i don't know where to go from there, or if that is even the best way
to do that. Does anyone have any suggestions or anything?

Thanks

-Greg

--
http://www.gvtc.com
--
“While it is possible to change without improving, it is impossible to improve without changing.” -anonymous

“only he who attempts the absurd can achieve the impossible.” -anonymous