[Mimedefang] Architecture question - Using MD/SA on external MX'es

Andy Miller amiller at covad.com
Wed Aug 28 17:06:02 EDT 2002


All,

We are considering installing MD/SA for filtering spam
bound for our internal corporate network.  I am fishing for
comments regarding the architecture we are considering. :-)
We've just set up the systems to begin testing on but have
not started loading the apps (sendmail/MD/SA), so I do not
have any hands-on experience with it; the assumptions I am
making are based on TFMs as well as browsing a couple of
months' worth of SA and MD archives.

Our requirements for an anti-spam system:

1. Must not bounce spam to valid recipients, only mark in
   headers.

2. Must be configurable on a per-user basis, preferably:
   - opt-in/opt-out of filtering
   - whitelists
   - blacklists
   - spam "point" threshold

3. It must operate in a "fail stop" way.  Losing spam
   filtering is acceptable, rejecting incoming mail is not.
   (even if not out of the box, we can design this in)

4. It must scale to our volume of mail. (Approx 100k/day,
   typical uneven load).

5. The preference is that it will be able to survive a
   concentrated dictionary attack.  We have had _several_
   attacks in the last several months where a spammer will
   cause 50-100 open relays to send mail at us as fast as
   they all can, using iterative/dictionary type usernames.
   (aa@ ab@ ac@, etc.)
The first, third, and fourth points seem like they will be
no problem at all for MD/SA and our environment.

Regarding the second point, it looks like there is some good
contributed code for managing user prefs for SA via a CGI.
I have seen some feedback on this list that per-user prefs
at the MD/SA level can have unintended consequences,
specifically in the instance that there are multiple
recipients for a specific mail.  However, I have seen that
there is a way around this, by streaming the message once
per user?   Is this functionality included in MD or is it
an add-on?

Yes, it would probably be best to manage all of those things
via the setup of the outlook filters, but the majority of
our userbase is non-technical.  We were hoping to push a
rule to all clients that just filters on "X-Spam-Warning:
YES", and have the point value that causes a "YES" be
configurable server-side.  All of the other standard
X-headers will be included as well so our savvy users may
set up rules as they please.

Is SpamAssassin a cheap enough operation once MD is already
invoked to bother checking for users' whitelists and
blacklists before the call to SA?  Or just let SA with its
userprefs patch handle it?

[Warning, may contain flawed assumptions about sendmail
behavior]

Regarding the fifth point, being aggressively mailbombed --
Has anyone else experienced this kind of aggravated attack?
If so, I am interested in how others have solved this
problem.  It is especially bad for us because our MX'es live
outside the firewall, and do not have the lists of valid
users; they accept all mail and then forward it to our
mailhub.  So rather than our MX'es rejecting the mail during
the SMTP handshake, they accept it, and then it is rejected
by the mailhub.  This causes our MX'es to be responsible for
sending a bounce back to the sender.  Of course, the sender
is almost always a forged a920jidfj982 at hotmail.com address,
so this results in yet another mail sent to us, to the
postmaster because of the double bounce.

The way we are thinking we can solve this is to use an
extension of the user-prefs database idea.  We would like to
write another milter that is called right after RCPT to:.
This milter would query our userprefs database, and
immediately reject the recipient if she did not exist.  At
this point, our MX is no longer responsible for sending a
bounce, it needs only to reject the mail.  The hope is that
this is a "cheap" operation, and would keep the "expensive"
filters from having to look at mail that is not even
deliverable.
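The recipient-rejection idea from the paragraph above, written as an added example (not code from the original post or from the MIMEDefang project) in the form of a `filter_recipient` hook for `mimedefang-filter`. It assumes MIMEDefang is started with `-r` so that the hook is called at RCPT TO, that the list of valid users is exported from the userprefs database into a DBM file at the assumed path `/var/spool/MIMEDefang/valid-users.db`, and that `@LOCAL_DOMAINS` holds the constructed domains below. The security-relevant detail is the failure mode: if the user list cannot be opened, the hook accepts rather than rejects, so a broken database degrades to "no dictionary-attack protection" instead of "no inbound mail", which is the fail-stop behaviour requirement 3 asks for.

```perl
# Added example: reject unknown local recipients during the SMTP dialogue so
# this MX never accepts, and later bounces, dictionary-attack mail.
# Assumptions: MIMEDefang runs with -r; the hook signature and the
# ('CONTINUE'|'REJECT'|'TEMPFAIL', reason) return convention are those of
# MIMEDefang's filter_recipient; valid-users.db is a DB_File hash keyed by
# local part, rebuilt from the userprefs database.

use strict;
use warnings;
use DB_File;
use Fcntl qw(O_RDONLY);

my $VALID_USERS_DB = "/var/spool/MIMEDefang/valid-users.db";   # assumed path
my @LOCAL_DOMAINS  = qw(example.com mail.example.com);          # constructed

# Normalize "<User@Example.COM>" to "user@example.com".
sub canonical_address {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

sub is_local_domain {
    my ($domain) = @_;
    return scalar grep { $_ eq $domain } @LOCAL_DOMAINS;
}

# Called once per RCPT TO. Returns ('CONTINUE', 'ok') to let sendmail go on,
# ('REJECT', reason) for a 5xx, or ('TEMPFAIL', reason) for a 4xx.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $rcpt = canonical_address($recipient);
    my ($user, $domain) = split /\@/, $rcpt, 2;

    # Not one of our domains: leave relay/non-relay decisions to sendmail.
    return ('CONTINUE', 'ok') unless defined $domain && is_local_domain($domain);

    my %users;
    my $db = tie %users, 'DB_File', $VALID_USERS_DB, O_RDONLY, 0644, $DB_HASH;
    unless ($db) {
        # Fail-stop (requirement 3): an unreadable user list must never turn
        # into rejected mail. Accept and let the mailhub make the call.
        md_syslog('warning', "cannot open $VALID_USERS_DB: $!; accepting $rcpt");
        return ('CONTINUE', 'ok');
    }

    my $known = exists $users{$user};
    undef $db;
    untie %users;

    return ('CONTINUE', 'ok') if $known;

    md_syslog('info', "rejecting unknown recipient $rcpt from $sender [$ip]");
    # Rejected before DATA: no bounce (and no double bounce) originates here.
    return ('REJECT', "User unknown: $rcpt");
}
```

If a brief delivery delay is preferable to a window without protection, the database-unavailable branch can return `('TEMPFAIL', ...)` instead so that legitimate senders retry; either choice keeps the MX out of the business of generating bounces to forged sender addresses, which is the backscatter problem the paragraph describes.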

The architecture we are planning is to have our lowest value
MX'es be dedicated MD/SA hosts.  (Also we will probably have
the highest-value MX'es be aliases for these hosts as well,
to get around a sneaky trick I read about on the archives,
where a spammer will use the highest valued MX'es instead of
the lower ones to try to defeat filtering.)  Sandwiched
between the MD/SA MX values will be the 'spillover' MX'es
that are deferred to if the filtering MX'es are down.

I'd be interested to hear of other sites with similar
setups, and the experiences you have had.  Thanks a lot in
advance!

-Andy
