[BlueOnyx:02149] Re: ClamAV Spamassassin Milters

Chuck Tetlow chuck at tetlow.net
Thu Aug 20 01:06:06 -05 2009


I agree 100% Greg.  That's how we do it too.

At one point, we had over 10 Bluequartz servers to handle the domains we host (almost all running Nuonce Mailscanner/Mailwatch).  We couldn't put more than 25-30 small domains on a server before the CPU was maxed out most of the time.  And the bigger domains (bigger = lots of users, or lots of e-mail, or lots of SPAM) could only fit one or two with about 10 small domains on a server before it was maxed.

Then we purchased a software package to act as the "front door" you speak about.  In our case, we tested different ones and elected to go with the Roaring Penguin CanIt SPAM filtering package.  It's been wonderful.  Just one feature of that software package blocks at least 99% of the SPAM.  Overall, the package has brought the percentage of SPAM hitting my Blueonyx servers down from the old 60-80% to now just 3-6%.  And instead of Mailscanner having to check 18,000-25,000 messages each day on servers with 25 domains - it only has to scan 3,000-4,000 a day on a server with 60 domains.

It's allowed us to consolidate those 12 Bluequartz servers down to two HP servers hosting about 60 domains each and a couple other small servers for specialized purposes.  And those two HPs with about 60 domains each are not maxed out.  We're still adding domains to them without any problems.

But without that CanIt server out front (or something similar) - there is no way those HPs could handle all the e-mail and SPAM for all those domains.

Oh - and let me pass along a hint! 

MOST Spammers don't use the correct MX and DNS records to send their crap.  Their scripts connect via IP address (that they've found by scanning for open TCP port 25 addresses).  So even when we put that CanIt server out front and pointed all the domain MX records to it - there were a LOT of connections directly to the Blueonyx server.  So on each of the Blueonyx servers, I've configured the firewall rules to allow TCP Port 25 connections to it ONLY from the CanIt server and drop all other TCP Port 25 connection attempts.

Voilà!  With one simple change - we eliminated ALL the Spammer connections via IP address.  Now, all e-mail is forced to go through the CanIt server which stops most of the SPAM.  And the only problem I have is keeping the Blueonyx management package from overwriting the iptables rules (as it has a bad habit of doing).  But the Spam reduction is nice!

Chuck

---------- Original Message -----------
From: Greg Kuhnert <greg.kuhnert at theanchoragesylvania.com> 
To: Phil Hamer <phil at magma-group.co.uk> 
Cc: blueonyx at blueonyx.it 
Sent: Thu, 20 Aug 2009 15:34:15 +1000 
Subject: [BlueOnyx:02148] Re: ClamAV Spamassassin Milters

> Hi Phil. 
> 
> Phil Hamer wrote: 
> > I want to use the Milters! 
> > 
> > It's mailscanner I want to avoid.
> 
> There are lots of spam strategies that people use to manage spam. The 
> strategy that I personally like is to run milters at the "front door" to 
> get rid of the easy stuff first. On my own mailservers, 80-90% of spam 
> is blocked by a spamassassin milter. 
> 
> Blocking stuff that is "definitely" spam is easy to do at this level, 
> but, the real problem is how to manage the mail that gets through the 
> first layer? What do you do with mail that is "possibly spam"? 
> 
> Let me give you an example. An end user calls you asking about mail that 
> they did not receive. What do you do? With mailscanner/mailwatch as an 
> inner layer, you can direct your user to have a look in the mailwatch 
> database. This provides a self-service portal that shows mail that has 
> been quarantined. If they find their mail in there, they can "release" 
> the mail from the quarantine. 
> 
> Some people don't like mailscanner due to the CPU overhead it imposes. I
> agree with this statement, but I still use it. Since most spam is 
> blocked at the front door, (before mailscanner), there is no extra CPU 
> overhead for most spam that is deleted by the milter.  Yes, there is 
> some overhead associated with this inner layer, but the results from the 
> additional policy based filtering and the self-service user interface 
> make it worthwhile in my opinion. 
> 
> -- 
> +---------------------------------------------------------------------+ 
> |   / \   Greg Kuhnert, gkuhnert at compassnetworks.com.au              | 
> | <  o  > Compass Networks - Pointing you in the right direction      | 
> |   \ /   Come see us for BlueQuartz / BlueOnyx modules & Support.    | 
> +---------------------------------------------------------------------+ 
> 
------- End of Original Message -------
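
The firewall hint in the reply above (accept TCP port 25 only from the filtering relay, drop everything else) depends on the rules staying in place, and the message notes that the management package tends to overwrite them. The following check is an added example, not part of the original message or of BlueOnyx: it reads `iptables -S INPUT` output on stdin and reports whether the restriction still holds. The relay address `192.0.2.10` and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the port 25 restriction described in the message.
# Input on stdin: output of `iptables -S INPUT`.
# Only explicit "-p tcp --dport 25" rules are evaluated; order matters
# because iptables applies the first matching rule.

check_smtp_lockdown() {
    relay="$1"          # address of the filtering relay (assumed value)
    seen_relay=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*"-p tcp"*"--dport 25 "*) ;;
            *) continue ;;
        esac
        src=""
        case "$rule" in
            # Negated sources are conservatively treated as "not the relay".
            *"! -s "*) src="negated" ;;
            *" -s "*)  src=${rule#* -s }; src=${src%% *}; src=${src%/32} ;;
        esac
        target=${rule##* -j }; target=${target%% *}
        case "$target" in
            ACCEPT)
                if [ "$src" = "$relay" ]; then
                    seen_relay=1
                else
                    echo "open"; return 1       # port 25 accepted from elsewhere
                fi ;;
            DROP|REJECT)
                [ -n "$src" ] && continue       # source-specific block, keep scanning
                if [ "$seen_relay" -eq 1 ]; then
                    echo "locked"; return 0
                fi
                echo "relay-blocked"; return 1  # catch-all drop precedes relay accept
                ;;
        esac
    done
    echo "no-drop"; return 1                    # rules missing, e.g. after an overwrite
}

# Constructed sample rule sets (192.0.2.10 is a documentation address).
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP'
OVERWRITTEN_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Helper: feed a rule listing to the check.
audit() { printf '%s\n' "$2" | check_smtp_lockdown "$1"; }
```

On a live server the same function can be fed with `iptables -S INPUT | check_smtp_lockdown <relay address>` from a cron job, so an overwritten rule set is noticed when the result is anything other than `locked`.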
 