How to get notified when outbound spam is detected?

Posted: 10 Feb 2012, 02:02
by bmett
Hi there,

We had some issues recently with compromised mail accounts (mostly due to silly clients with silly passwords). These accounts then started to send out mass spam. This of course caused our server to be blacklisted...

The situation is now under control and we have done a major security overhaul/check of our mail servers. One measure we took was to configure MailScanner to scan outgoing mails as well.

I'm now looking for a way to get notified about outgoing spam. Obviously I don't want to get notified of incoming spam :)

Does anyone have an idea on how to achieve this?

Thanks,
Bjorn

Re: How to get notified when outbound spam is detected?

Posted: 23 Feb 2012, 10:51
by Sarah
1. If you are scanning outbound messages for spam, you should be sure that you are using appropriate spam actions for them. It will be difficult (probably impossible) to control the settings for this type of scanning using the MailScanner Front-End if you are using that, as you will need to make manual changes to the rules files and configuration files that would be overwritten by the MSFE back-end scripts. For instance, you might want to delete *outbound* high-scoring spam but mark and deliver incoming high-scoring spam. You also might want to *not* change the subject line in outbound spam but change it on inbound spam (the reason is that there may be false positives, and do you really want to mark as {spam?} legitimate mail that is being sent from your server?). So you'll have different rules for incoming and outgoing mail, in the same ruleset file. All of this can be done via rulesets for the appropriate settings in the MailScanner configuration, but some of the rulesets will be overwritten by the MSFE scripts if you manually edit them.

2. I am not aware of a way in MailScanner to send a notification email to a system administrator when outbound spam is detected. You could use the forward option in the Spam Actions and High Scoring Spam actions and forward a copy of all such mail to a specific email address. Again you'd need to do this with a ruleset and would probably need to stop using the MailScanner Front-End if you are using it, since the MSFE scripts would overwrite your manual changes in those specific rulesets (spam.action.rules and spamhigh.action.rules).

If you are using MSFE, I would recommend doing some testing to determine what manual changes you can make to the ruleset files so that they will not be overwritten by the back-end scripts.

Regards,
Sarah

Re: How to get notified when outbound spam is detected?

Posted: 24 Feb 2012, 04:49
by bmett
Hi Sarah,

Thanks for the detailed reply.

The points you made for 2 separate spam actions for outgoing and incoming spam make sense, but I hope that we can avoid using separate actions.

We delete high-scoring spam and deliver low-scoring. We don't change the subject line at all. Can you think of any other reason why incoming spam should be treated differently than outgoing?

Regards & Thanks again,
Björn

Re: How to get notified when outbound spam is detected?

Posted: 02 Mar 2012, 06:46
by Sarah
If the subject line is not modified (i.e. MailScanner is configured to *not* modify the subject of an email detected as spam) then that lessens the problems associated with scanning outgoing spam. The main thing is how you would know if a user is sending out a lot of spam. There are other ways besides MailScanner that would be better at doing this, csf's RELAY alerts being one of them.

Regards,
Sarah
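
One way to tell whether a single account is sending a lot of mail, the question raised in the last reply, added here as an example (it is not from the thread and is not csf's or MailScanner's code). It counts authenticated submissions per account in a sliding window, assuming Exim main-log style lines; the log lines, addresses, and the `limit` and `window` values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim main-log style (assumed format, not from the thread).
SAMPLE_LOG = [
    "2012-02-24 04:0%d:01 1S0aa%d-0001Xy-2B <= promo%d@spam.example H=(pc) "
    "[203.0.113.5] P=esmtpa A=dovecot_login:info@client.example S=1200" % (i, i, i)
    for i in range(5)
] + [
    "2012-02-24 04:10:00 1S0bb1-0001Xy-2B <= bob@client.example H=(lt) "
    "[198.51.100.7] P=esmtpa A=dovecot_login:bob@client.example S=900",
    "2012-02-24 06:30:00 1S0bb2-0001Xy-2B <= bob@client.example H=(lt) "
    "[198.51.100.7] P=esmtpa A=dovecot_login:bob@client.example S=950",
    # Inbound (unauthenticated) arrival and a delivery line: both must be ignored.
    "2012-02-24 04:11:00 1S0cc1-0001Xy-2B <= someone@remote.example "
    "H=mx.remote.example [192.0.2.9] P=esmtp S=2000",
    "2012-02-24 04:11:02 1S0cc1-0001Xy-2B => carol@client.example R=localuser",
]

# Arrival line ("<=") that carries an authenticator field "A=<driver>:<account>".
ARRIVAL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (\S+) .*?\bA=\w+:(\S+)")

def parse(lines):
    """Yield (timestamp, envelope_sender, auth_account) for authenticated arrivals."""
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def flag_accounts(lines, limit=3, window=timedelta(hours=1)):
    """Return {account: (peak_in_window, distinct_senders)} where peak > limit."""
    stamps, senders = defaultdict(list), defaultdict(set)
    for ts, sender, account in parse(lines):
        stamps[account].append(ts)
        senders[account].add(sender)
    flagged = {}
    for account, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[account] = (peak, len(senders[account]))
    return flagged
```

Many distinct envelope senders behind one authenticated account, as in the constructed `info@client.example` lines, is a second signal worth alerting on alongside raw volume.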