Mail Protection

february 20, 2004

All done. I got Exim 4 and Clam Anti-Virus installed the other night and I finally got SpamAssassin installed and properly configured today. ClamAV and SpamAssassin are integrated with Exim by using the Exiscan patch. What does this all mean though? Exim 4 with the Exiscan patch allows for rejections to be done during the DATA phase of an SMTP connection. Usually, rejections are done only before the DATA phase where the only information that the SMTP server can work off of are incoming host and email addresses. But, with he Exiscan patch, Exim is able to receive the whole piece of mail into memory -- it never touches the disk -- and then do stuff with it before rejecting or accepting the message. This allows for the use of anti-virus and anti-spam technology on an incoming message before it even touches the disk. The difference here is how mail is handled. Before, one would have to rely on something like procmail to process a piece of email that has already been received into the system. That means that the machine sending the spam has done what it was supposed to do -- get the mail to the server and possibly to the user. Now, when an email comes to a server, it will get scanned for viruses and to be seen if it is a piece of spam. If it is determined that the mail is spam or contains a virus, the data in memory is discarded and a error is issued to the incoming SMTP server telling it that the mail is garbage. There are two benefits to this. First, this allows for nothing bad to enter the system through the disk. Second, it allows for the SMTP server to completely reject mail, forcing the other SMTP server to keep its garbage. Now, the work has to be done to train the Bayesian filter that SpamAssassin uses. That will be a process, but SpamAssassin has a built-in facility to auto-learn what is ham (not spam) and what is spam. So that will be helpful. There is also facilities that create a white list of email addresses and IP addresses that are trusted. To the user, there is no real difference. The user is transparently protected from viruses and those annoying emails. Along with these things I also added deny conditions to reject messages that contain files with common worm extensions (like .exe, .com, .pif, etc). The use of RBLs for rejection and warning is also being used. I luckily do not get too much spam, but I know there are uses on the system that do. Hopefully this will curbed the number of spam that hits users. Thanks to Ian Kluft for showing me that upgrading from Exim 3 by itself to these suite of software has so many benefits!