A very nice program which handles the extraction and virus and spam checking
of incoming mails. It is very customisable and has its own content checker,
so it is far more reliable at removing dangerous content than just an antivirus
solution and something like amavis.
I like Postfix as an MTA as it can be customised very easily. It can also be
configured to save all incoming mail into a hold queue for Mailscanner to
process, which means you need only 1 copy running rather than a copy for incoming
mail and a separate one for outgoing mail, which makes things a lot neater.
I use the Spamhaus, Spamcop, and NJABL RBLs in Postfix to
reject the vast majority of spam before it even reaches Mailscanner/Spamassassin.
The Spamhaus service requires a data feed subscription for commercial use
and this is a good idea anyway as it speeds up DNS queries and gives you some
resilience in the event of denial of service attacks against Spamhaus's DNS
I have MailScanner on a separate box sitting in front of my mail server. With
this type of configuration you need to make sure that Postfix rejects mail
to non-existent addresses, otherwise it will try to forward them on and then
generate a non-delivery report. Spammers exploit this so you could find yourself
blacklisted. Luckily Postfix supports recipient
verification which makes it very easy. If you are running Exchange 2003
or later make sure you have it configured to reject unknown users before accepting
mail. If you are running an older version of Exchange which does not have
this option then you can export a list of valid users automatically via LDAP
as described here.
A free antivirus scanner.
A set of additional virus definitions for ClamAV which enable it to detect
common spam images etc...
A free antivirus scanner.
UPDATE: The free version 7.0.1 has been removed from the site. Version 7.5
is available here
however it is now only free for home or personal use. Companies are required
to purchase a corporate license.
Probably the best application for detecting spam and used by Mailscanner.
I have Bayes (which is part of SpamAssassin) configured to use a mysql
database. It's not really required to have bayes use mysql for a single
server but if you get lots of mail and need more than one mail server doing
the filtering having a central database makes a lot of sense. It also avoids
problems where multiple users need to access the bayes database.
A web based application and plugin for Mailscanner which logs mail in a mysql
database. You can also use it with mysql to store blacklists on the database.
This enables individual users to manage their own blacklists and whitelists.
It also has extensive reporting features.
Part of spamassassin. You can run it to update the standard rules to the
latest version. You can also use the instructions located at DOS
Technologies to configure it to update the SARE rules (mentioned later).
A program I wrote which monitors the mailwatch database and maintains a list
of all IP addresses which have sent email over the last 23 hours. Any IP address
which has only ever sent spam over a configurable threshold is added to a
block table which can be used by Postfix, Sendmail, rbldnsd, and other software
to automatically block the IP address for a set period of time.
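The selection logic described above, as an added example (this is not the author's program). The row layout, the threshold of 3, the six-hour block period, the rule that clean mail of any age disqualifies an IP, and the Postfix access-map output format are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=23)       # look-back period given on the page
SPAM_THRESHOLD = 3                 # assumed value; the page only says "configurable"
BLOCK_PERIOD = timedelta(hours=6)  # assumed value for the "set period of time"

NOW = datetime(2024, 1, 2, 12, 0)  # fixed clock so the sample is reproducible


def _msgs(ip, count, hours_ago, is_spam):
    """Build `count` constructed log rows: (received time, client IP, is_spam)."""
    return [(NOW - timedelta(hours=hours_ago, minutes=i), ip, is_spam)
            for i in range(count)]


# Constructed sample data standing in for rows read from the MailWatch database.
SAMPLE_LOG = (
    _msgs("192.0.2.10", 4, 1, True)        # spam only, over the threshold
    + _msgs("192.0.2.20", 5, 2, True)      # plenty of spam ...
    + _msgs("192.0.2.20", 1, 3, False)     # ... but also one clean message
    + _msgs("192.0.2.30", 2, 1, True)      # spam only, under the threshold
    + _msgs("198.51.100.7", 4, 30, True)   # spam only, outside the window
    + _msgs("203.0.113.5", 4, 1, True)     # recent spam ...
    + _msgs("203.0.113.5", 1, 72, False)   # ... and clean mail three days ago
)


def build_block_table(rows, now, window=WINDOW, threshold=SPAM_THRESHOLD):
    """Map each IP that should be blocked to the time its block expires."""
    spam_in_window = defaultdict(int)
    sent_clean = set()
    for received, ip, is_spam in rows:
        if not is_spam:
            sent_clean.add(ip)             # assumption: any clean mail disqualifies
        elif now - received <= window:
            spam_in_window[ip] += 1
    return {ip: now + BLOCK_PERIOD
            for ip, n in sorted(spam_in_window.items())
            if n > threshold and ip not in sent_clean}


def to_postfix_access(block_table):
    """Render the table as lines for a Postfix check_client_access map."""
    return "".join(f"{ip}\tREJECT blocked until {expiry:%Y-%m-%d %H:%M}\n"
                   for ip, expiry in block_table.items())


if __name__ == "__main__":
    print(to_postfix_access(build_block_table(SAMPLE_LOG, NOW)), end="")
```

Entries whose expiry time has passed would be dropped on the next run, which is what makes the block temporary.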
- Standard Plugins
This list shows which of the standard plugins
I use. As you can see practically all of them are used. Domainkeys is disabled
since DKIM now includes all its functionality. ASN is also disabled since
it takes a while to run. This may be due to the DNS bug in spamassassin 3.2.2 - 3.2.4 (current).
A program to check and report a list of known spam. Users can publish known
spam emails and a fingerprint is taken and stored on a server. Future recipients
of the spam will then see that it has been reported by many people and SpamAssassin
will give it a score based on that.
Similar to Razor. The default pyzor server is not very reliable and a lot
of people are using an alternative. Edit the 'servers' file within the .pyzor
directory so that it just contains the line "188.8.131.52:24441".
A plugin which detects bulk email. Note bulk email is any email sent to lots
of recipients and therefore includes newsletters etc... It is therefore important
with this plugin that any mailing lists people are on are whitelisted.
A program which performs various manipulations on images embedded within emails
and scans them via 3rd party optical character recognition programs. Any words
found are matched against a list of words and the results fed back to SpamAssassin
to help with its scoring of the message.
The latest SVN version includes experimental code to perform OCR analysis
on PDF files. This version is also recommended for spamassassin 3.2 as it
fixes a logging issue.
FuzzyOcr can use the GOCR and Ocrad
for performing the optical character recognition and I would recommend using
I also use an updated copy of the wordlist which is available here.
I have also written a small filter for FuzzyOcr called gbpgmdiff which you
can experiment with by using it in one of your scansets. You can view more
information and download a copy here.
A plugin and various associated rules to help detect pdf spam.
A plugin which looks at the reverse DNS lookup of the sender for characteristics
that the sender is not a valid mail server. I use a slightly modified set
of rules compared with the default. You can replace the rules in the Botnet.cf
with the scores I use.
A good ruleset for spamassassin which is very regularly updated to catch the
latest spams. I have written a simple shell script which you can run once
a day to check and download a newer version of the rule if it is available.
The script displays the changes that were made and you can download a copy
- SpamAssassin Rules Emporium
A great site of additional rules. You can either manually download them, use
RulesDuJour, or use sa-update which is the preferred method. Full instructions
are on the above website.
There are a large number of rules to choose from. A list of rules which is
a good starting point and the set that I use can be seen here.
- SpamAssassin Rules Emporium Other Rules
An additional collection of rules. I use 99_FVGT_meta.cf, mangled.cf,
The ImageInfo plugin was first released for spamassassin 3.1 and was incorporated
as standard in version 3.2. However the version in 3.2 is a bit more conservative
and does not have the rule which matches a low body to image size ratio. This
rule I wrote adds that back in together with another rule which is similar
to the one which matches large image files but instead matches smaller files
and gives a corresponding smaller score.
An additional set of rules for the PDFInfo plugin written by AnonymousDog
on the FreeSpamFilter.org
There are a few whitelist services that you can choose to use.
- Sender Policy Framework (SPF)
Not a real whitelist but it is a way of allowing you to specify which servers
are permitted to send email from your domain names. It should help to reduce
the chance of spammers forging mail to appear to come from your domains as a greater
percentage will be classed as spam.
- Domain Keys Identified Mail (DKIM)
Each mail has a digital signature verifying that the sender's email address
is not forged. You can pay to have a certification body create the authorised
key for you in which case any mail server supporting DKIM will give you a
nice negative score which will reduce significantly the chance of your email
being classed as spam. You can also self sign your emails but the recipient
email server will need to be instructed to trust you before you get any direct
A list of legitimate mail servers which don't get spam. You can request that
your mail server be added and after a period of monitoring it might get listed.
A commercial service which lists email senders and IP addresses.
- Sender Score
What used to be called the Bonded Sender Program.
Mailscanner & Mailwatch Patches
|A patch for Mailwatch for Mailscanner which enables postfix mail queue
|A patch for Mailwatch for Mailscanner which modifies the blacklist/whitelist
Mailscanner plugin so that it also matches mail sent to users' aliases which
are defined in the filters on the user management page.
|A modified startup script for Mailscanner which correctly tries to start
Postfix even when running using the hold queue method. There are additional
options such as 'restartms' to restart mailscanner without restarting postfix