Koozali.org: home of the SME Server

Using Multiple Virus Engines for Email Filtering

ghorst352
Using Multiple Virus Engines for Email Filtering
« on: November 14, 2012, 01:50:01 PM »
Just inquiring if anybody has any experience with using multiple virus engines to scan incoming and outgoing email. I see there is a trend now with using multiple engines, which only makes sense if you're looking to tighten up. I currently use SME Server 7.6 Qmail for our corporate email, which utilizes ClamAV and SpamAssassin for malware. Does anybody have any advice on stacking virus/malware engines for email traffic? I am looking for an open source option and not so much a cloud-based one; here again, I am trying to achieve an option that's free.

**Looking for server-based solutions, not desktop.

Sincerely,  8)
« Last Edit: November 14, 2012, 01:55:25 PM by bhay3s »

Stefano
Re: Using Multiple Virus Engines for Email Filtering
« Reply #1 on: November 14, 2012, 02:32:36 PM »
do you really need it?

ghorst352
Re: Using Multiple Virus Engines for Email Filtering
« Reply #2 on: November 14, 2012, 02:42:29 PM »
I would answer yes because, for one, most infections I have ever experienced have usually entered via email. Number two, every virus engine out there is different, so by using multiple you would have an added benefit. I can relate to this theory just like whenever I have ever cleaned an infected station: usually I am using multiple programs such as the installed virus scanner, multiple spyware apps, a rootkit killer, etc. Since there is not a 100% virus engine out there, I would like to have multiple if possible. I know there is the cloud option and I have used that before, and there are several companies that do this well. However, I am just seeing if anybody has ever used multiple virus engines on an email server and how. Really, I am just shooting this question out there. Don't really know if anybody has done this and I probably don't expect any replies, but you never know. Layered security is usually better.

Stefano
Re: Using Multiple Virus Engines for Email Filtering
« Reply #3 on: November 14, 2012, 03:04:16 PM »
ok

just some thoughts (all IMVHO):
- as long as you have different AV engines on the server and on the clients (i.e. clamd on SME and whatever on the clients) you are already using at least 2 different AV engines..
- 2 or more AV scans will introduce latency and possible false positives on your server
- as long as your users are not local administrators on their PCs, any passing virus will not compromise anything (this is true in my personal experience.. the only limit is users' stupidity)
- a good mail "pre-processing" via antispam rules (RHBL, DNSBL etc) will reduce infected emails qty (think about mails with links..)
- use of a "smart" email client is strongly suggested: no, Outlook (in any version) has nothing to do with "smart"
- smart and good user training is needed.. the weakest ring of the security chain is the monkey between keyboard and chair

all , I repeat, IMVVHO and based on my experience, YMMV

ghorst352
Re: Using Multiple Virus Engines for Email Filtering
« Reply #4 on: November 14, 2012, 03:35:44 PM »
Stefano,


I agree with all your points, well said. Definitely the monkey is the problem I run into constantly. I sparked this conversation out of recent spam emails that seem to be getting more and more prevalent at my company, like the UPS and BBB fake emails. I have no issues at the end user level as far as infections; my problem is with infected emails getting through ClamAV and SpamAssassin.

Your comment ->
a good mail "pre-processing" via antispam rules (RHBL,DNSBL etc) will reduce infected emails qty (think about mails with links..)

This is definitely an issue, as well as emails with exe attachments. My weakness is probably not enough "pre-processing" like you stated. Do you have any advice you'd like to share?

janet
Re: Using Multiple Virus Engines for Email Filtering
« Reply #5 on: November 15, 2012, 11:04:41 AM »
bhay3s

Enable RBLs by following the advice here. I suggest you initially use the "conservative" lists, and add more one by one, as & if required.
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Real-time_Blackhole_List_.28RBL.29

Blocking using this method will stop a lot of viruses & spam as you are blocking the source of these types of email messages.

Also enable executable content blocking in the Email panel. Block most/all attachment types including zip1 format files, as they are the "carrier" of many virus infections. If you are really serious, block zip2 attachments also. Use rar (WinRAR) instead of zip (WinZIP) to compress & email files. Use alternative methods such as webshare to upload & download files.

See more info here
http://wiki.contribs.org/Virus:Email_Attachment_Blocking

If you do all the above you will receive very few virus infections & spam via email.
« Last Edit: November 15, 2012, 11:09:41 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
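The attachment-blocking advice above, as an added example that is not code from the thread or from SME Server: a Python check that walks a MIME message, rejects attachments with executable extensions, and looks inside zip attachments (detected by their magic bytes, not the declared name) for executables, which is why zip files are called the "carrier" here. The sample message and the extension list are constructed assumptions; SME's own pattern list is not reproduced.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Assumed extension list; SME's own "executable content" patterns are not copied here.
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def build_sample() -> bytes:
    """Constructed message: a zip hiding a fake .exe plus a harmless PDF attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_label.exe", b"MZ constructed, not a real program")
    msg = EmailMessage()
    msg["From"] = "shipping@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your package"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="label.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def blocked_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for each attachment the server should reject."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in BLOCKED_EXTS:
            findings.append((name, "executable extension"))
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] != b"PK":  # zip magic, checked regardless of the declared name
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                bad = [m for m in zf.namelist() if _ext(m) in BLOCKED_EXTS]
        except zipfile.BadZipFile:
            bad = ["<unreadable archive>"]
        if bad:
            findings.append((name, "zip contains " + ", ".join(bad)))
    return findings
```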

ghorst352
Re: Using Multiple Virus Engines for Email Filtering
« Reply #6 on: November 15, 2012, 02:13:22 PM »
Mary,

I have modified my Email settings as seen below:
[root@mail ~]# config show qpsmtpd
qpsmtpd=check_badrcptto=disable
    BadCountries=AC,AD,AE,AERO,AF,AG,AI,AL,AM,AN,AO,AQ,AR,AS,ASIA,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BIZ,BJ,BL,BM,BN,BO,BQ,BR,BS,BT,BV,BW,BY,BZ,CC,CD,CF,CG,CH,CI,CK,CL,CMCN,CO,COM,COOP,CR,CU,CV,CW,CX,CY,CZ,DE,DJ,DK,DM,DO,DZ,EC,EDU,EE,EG,EH,ER,ES,ET,EU,FI,FJ,FK,FM,FO,FR,GA,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IQ,IO,IR,IS,IT,JE,JO,JOBS,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MF,MG,MH,MK,MN,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MMZ,NA,NC,NE,NF,NG,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,SS,ST,SU,SV,SX,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TP,TR,TT,TV,TW,TZ,UA,UG,UK,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,XXX,YE,YT,ZA,AM,ZW
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    GeoIP=enabled
    LogLevel=8
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    RequireResolvableFromHost=yes
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:ex.dnsbl.org
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled
[root@mail ~]#
In regards to the RBLList and SBLList, I would advise that there should be updated documentation since some of these sites are no longer active. The lists I have above seem to be active, but I would like to know if this list is strong enough? Doing a quick Google search there are definitely a lot of sites to choose from. If anybody has any advice on a more aggressive list please reply.

I also changed my spam sensitivity to high, whereas before it was set to Custom spam tagging level 5 and Custom spam rejection level 6. Not sure where to go with this but will experiment.

I have every content type set to block besides zip ver2. Your advice is good but I cannot currently totally block zip files; I definitely would like to and will probably in the near future.

If anybody has any further advice on the RBLList, SBLList, or content blocking please advise.

Thanks.  :cool:
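An added example, not from the thread or from SME Server, for the question of whether the RBLList/SBLList zones above are still active: it splits SME's colon-separated list value, builds the reversed-octet DNSBL query name for an address, applies the RFC 5782 self-test (a live zone lists 127.0.0.2 and does not list 127.0.0.1, so a decommissioned or wildcarded zone fails), and reports which healthy zones list a sender. The resolver used by default is a constructed in-memory table; `dns_resolve` is provided for real lookups.

```python
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed stand-in for DNS, keyed by query name (not real DNSBL data).
# A healthy zone answers for 127.0.0.2 and returns NXDOMAIN for 127.0.0.1.
FAKE_DNS: Dict[str, str] = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.dnsbl.ahbl.org": "127.0.0.2",
    "1.0.0.127.dnsbl.ahbl.org": "127.0.0.2",   # answers for everything: wildcarded
    "4.3.2.1.zen.spamhaus.org": "127.0.0.4",   # constructed sender hit
    # combined.njabl.org has no records at all: looks decommissioned
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

def dns_resolve(name: str) -> Optional[str]:
    """Real A lookup for live use; None means NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def parse_list(value: str) -> List[str]:
    """SME stores RBLList/SBLList as colon-separated zone names."""
    return [z for z in value.split(":") if z]

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 4.3.2.1.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_is_healthy(zone: str, resolve=fake_resolve) -> bool:
    """RFC 5782 self-test: 127.0.0.2 listed, 127.0.0.1 not listed."""
    return (resolve(dnsbl_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)

def check_sender(ip: str, zones: List[str], resolve=fake_resolve) -> Dict[str, str]:
    """Map each healthy zone that lists `ip` to its answer code; dead zones are skipped."""
    hits: Dict[str, str] = {}
    for zone in zones:
        if not zone_is_healthy(zone, resolve):
            continue
        answer = resolve(dnsbl_name(ip, zone))
        if answer is not None:
            hits[zone] = answer
    return hits
```

Running `zone_is_healthy(z, dns_resolve)` over `parse_list(<RBLList value>)` on the server itself shows which configured zones still answer and which have gone dark.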

janet
Re: Using Multiple Virus Engines for Email Filtering
« Reply #7 on: November 15, 2012, 02:58:55 PM »
bhay3s

You are advised to assess carefully any "aggressive" lists as these may block legitimate mail coming from some public or popular mail services.

As suggested, start with the conservative settings referred to in the wiki and then add more lists after a period of use.

There is no ideal set of lists that will best suit all users. Choose lists that do not conflict with or block mail from mail systems or mail servers you legitimately need to receive mail from. It's your decision which lists you use.

IIRC changing spam sensitivity to a higher figure means that less spam will be blocked.

Also, your SME Server will only perform best at blocking etc. when used in server and gateway mode behind a bridged modem, with no other firewall or filters in front of it.
Is your system configured that way?
« Last Edit: November 15, 2012, 03:08:02 PM by mary »

ghorst352
Re: Using Multiple Virus Engines for Email Filtering
« Reply #8 on: December 20, 2012, 03:37:55 PM »
Thanks Mary, to answer your question, no, this server is actually behind a router. The previous admin had set it up that way and I have kept it that way since there was nothing visibly wrong. What's funny is that he told me he had conversations with you in regard to changing this server to server-gateway rather than behind the router. I have no opinion in regards to this because I just don't know. Can you explain or send me a link on how it's more beneficial to put our email server in server-gateway vs behind a router? Here again, I have no opinion since I have been using this server for over a year with really no issues, but if you're telling me that server-gateway would produce better stats in regards to blocked content then I would investigate this a little and perhaps change the configuration.

mmccarn
Re: Using Multiple Virus Engines for Email Filtering
« Reply #9 on: December 20, 2012, 04:42:43 PM »
Long ago (SME 6) I saw a post or comment saying that in 'server only' mode the mail server couldn't use all available spam blocking techniques because the connecting IP might be hidden by the network router.

I've never seen any evidence that qpsmtpd (introduced in SME 7) is affected by the presence of a router on my network any more than it was affected by any of the other 6 - 12 routers between my mail server and most sending mail servers.

janet
Re: Using Multiple Virus Engines for Email Filtering
« Reply #10 on: December 20, 2012, 04:43:48 PM »
bhay3s

Quote
Can you explain or send me a link on how it's more beneficial to put our email server in server-gateway vs behind a router?

Please take the time to read available documentation eg
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Server_Only

You can subscribe to the devinfo & other mailing lists & read the mail list archives
http://lists.contribs.org/mailman/listinfo/

Also read the bug reports to learn more about the functionality of sme server.
http://bugs.contribs.org/

Also look at the Developers Manual
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual