email scannering / filtering

• Previous message (by thread): email scannering / filtering
• Next message (by thread): email scannering / filtering
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Dec 14, 2018 at 06:30:08AM -0500, David Funderburk wrote:
> What open source email filtering system is working well for you? 

I've been studying email abuse for a very long time, and am writing
a book about defending against it with open-source tools.

One of the things that I've learned over those decades is that while
some measures make sense for everyone, one size does not fit all, and
that it's critical to understand the mail stream that's being presented
before trying to design and build systems to deal with it.  Everyone's
legitimate email looks different.  Everyone's abusive email looks different.
It's not possible to figure out how to cope with these things until
you measure them.

Nor is it possible until you understand the operational requirements,
which again, are different for everyone.  Joe's Donuts in Dubuque
probably isn't going to be receiving messages at its "orders" address
from Peru or Pakistan, for example, so any incoming traffic like that
is almost certainly misdirected (at best) or abusive.  On the other
hand, Michigan State University will probably receive legitimate
traffic from all the world, including Peru and Pakistan.

Unfortunately, lots of people skip these two steps -- especially the
first one -- because they perceive them as onerous and unnecessary.
They thus hamstring their own efforts.

One of the other things I've learned is that there's a correct order
in which to apply defensive measures, so that the probability of FP
and FN (false positive and false negative) are both simultaneously
minimized, so that each successive measure has less work to do than
the one before, and so that those measures which consume the least
resources are deployed up front.  (For example: using the DROP list
in a perimeter router, firewall or even in the MTA's configuration
is a highly efficient/low-cost/low-resource measure that should be
done before doing other things.  This is, by the way, one of the
measures that make sense for everyone, see above.)

So while I could answer your question by telling you what I use,
that doesn't mean that it would work for you.  It *might*, and
after a fashion, it probably would -- but it's highly unlikely
that it's anything close to optimal for your environment.  There's
a fair amount of homework that needs to be done to figure that out.

One more thing.  There are a number of things that some people do
in their email systems which are worst practices -- things that
exacerbate the problem.  For example, "quarantines" or "spam folders"
are a profoundly horrible idea that should never be deployed.
(Ask RSA how that's working out for them.)  Avoid these.

---rsk

• Previous message (by thread): email scannering / filtering
• Next message (by thread): email scannering / filtering
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]