Koozali.org: home of the SME Server

spam outgoing

Offline ElFroggio

spam outgoing
« on: November 23, 2014, 01:26:58 AM »
Hi,

Sometimes I have people coming with laptops; they plug into the network, get an inside network IP and send spam.

Is there a way to use spamassassin on outgoing emails? I have found links for spamassassin on outgoing mail with postfix, plesk, vpopmail but not qmail & sme.

Thanks

Syv

Offline Brave Dave

Re: spam outgoing
« Reply #1 on: November 23, 2014, 06:16:56 AM »
It's a bit past SME, I suspect.

You need to familiarise yourself with how spamassassin works.
This comes under trusted_networks - that's a spamassassin thing.

SME sets trusted networks to the local network

So the answer is:
custom template: /etc/mail/spamassassin/local.cf/10trusted_networks

and look at how it affects /etc/mail/spamassassin/local.cf
.:DB:.

Offline ElFroggio

Re: spam outgoing
« Reply #2 on: November 23, 2014, 08:52:46 PM »
Hi,

Me again! The plot thickens. Somebody with an external laptop was sending spam from the inside of the network. I was able to "jail" the laptop. Now that person is sending spam from her home (her home computer is also infected).

She uses her user id/password. I had to lock her account.

Is there a way of checking for spam on an outgoing email and a "valid" user?

Thanks

Syv

Offline ReetP

Re: spam outgoing
« Reply #3 on: November 23, 2014, 11:42:02 PM »
My guess is that a lot of people will tell you that prevention is better than cure... :-)

You may be better tackling the source of the problem and sorting out the infected computers, ensuring they are clean and the AV is up to date, and a general policy to disable any access until they are clean.

Personally I wouldn't let them near my network!

There is probably a way to check outgoing mail, but having had a brief read around I can't see one - hopefully someone will chip in and advise you.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Knuddi

Re: spam outgoing
« Reply #4 on: December 31, 2014, 02:10:53 PM »
Spam BOTs on clients are most often coming via outdated and therefore vulnerable software (java, IE, Adobe XX, etc.). Eventually your AV software will find the BOT, but in the meantime it's having a blast sending out potentially millions of mails. I suggest that you install Heimdal Security (just the free version) to keep the Windows clients updated; this way you will minimize the chances of infection (assuming that you have a proper AV on the clients).

Offline mmccarn

Re: spam outgoing
« Reply #5 on: December 31, 2014, 02:56:33 PM »
A few ideas:

1. Don't let her relay through your server
You could reconfigure the problem user to use a different outgoing SMTP server (e.g. Google).

2. Turn on spamassassin for local smtp connections
(caveat: I have no idea if this will have any effect)

The only difference between local and remote qpsmtpd that looks significant to me is the instruction to disable spamassassin on local connections.

Here's some code that will enable spamassassin in qpsmtpd for "local" connections using the same settings in place for remote connections:

Code:
    # create the custom template directory for the "local" peer config
    mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
    cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
    # reuse the spamassassin fragment from the remote ("0") peer config
    cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/70spamassassin .
    # regenerate the qpsmtpd config from the templates
    signal-event email-update

If this causes undesirable side-effects, you can undo this with:

Code:
    # quoted 'rm' bypasses any interactive rm alias
    'rm' /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/70spamassassin
    signal-event email-update


3. Be a hard ass
Change her password and refuse to tell her the new one until her computers have been disinfected...

4. Check your SMTP relay settings
I have not seen a spambot infection that knows how to authenticate with a mail server.  Usually you can defeat these by requiring authentication for all email relay.  Is there any situation in which your SME allows relay without direct SMTP authentication (pop-before-smtp, local connections, or anything else)?  If not, has the bot "snooped" the user's authentication?  The last option is that the bot is inserting spam directly into the user's email client -- which implies an outdated, infected, and/or insecure email client...

When you say "She uses her userid/password", are you saying that she is authenticating via IMAPs and SMTPs, or are you saying that she is using a VPN connection?

If she is using a VPN then you probably have un-authenticated relay enabled for local networks on your SME -- if so, turn it off...
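Added example, not code from this thread or from SME Server: one way to spot the "valid user whose credentials a bot is using" case raised in replies #2 and #5 is to watch per-user recipient volume in the SMTP log. The log line layout below is constructed for this example (it is not qpsmtpd's real format), and the window and threshold are assumptions to tune for your site.

```python
"""Flag authenticated SMTP senders whose recipient volume inside a sliding
time window exceeds a threshold (a compromised-credential indicator)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout (assumption): syslog timestamp, host, process,
# client IP, "auth user=<name>", then "rcpt=<count>" for the queued message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ qpsmtpd\[\d+\]: "
    r".*auth user=(?P<user>\S+) .*rcpt=(?P<rcpt>\d+)$")

# Constructed sample: alice sends normally; carol's account is driven by a bot.
SAMPLE_LOG = [
    "Nov 23 20:01:12 sme qpsmtpd[4242]: 192.0.2.10 auth user=alice queued rcpt=1",
    "Nov 23 20:02:00 sme qpsmtpd[4243]: 203.0.113.5 connect",
    "Nov 23 20:03:30 sme qpsmtpd[4244]: 192.0.2.10 auth user=alice queued rcpt=2",
    "Nov 23 20:05:00 sme qpsmtpd[4245]: 198.51.100.7 auth user=carol queued rcpt=20",
    "Nov 23 20:06:10 sme qpsmtpd[4246]: 198.51.100.7 auth user=carol queued rcpt=20",
    "Nov 23 20:07:05 sme qpsmtpd[4247]: 198.51.100.7 auth user=carol queued rcpt=25",
    "Nov 23 20:30:00 sme qpsmtpd[4248]: 198.51.100.7 auth user=carol queued rcpt=10",
]

def parse(line, year=2014):
    """Return (timestamp, user, recipient_count) or None for non-auth lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], int(m["rcpt"])

def find_bursts(lines, window=timedelta(minutes=10), max_rcpts=50):
    """Return {user: peak recipients} for users exceeding max_rcpts within window."""
    events = defaultdict(deque)   # user -> (timestamp, rcpt) entries in window
    totals = defaultdict(int)     # user -> recipients currently inside window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, n = rec
        q = events[user]
        q.append((ts, n))
        totals[user] += n
        while q and ts - q[0][0] > window:   # slide the window forward
            totals[user] -= q.popleft()[1]
        if totals[user] > max_rcpts:
            flagged[user] = max(flagged.get(user, 0), totals[user])
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))   # {'carol': 65}
```

A user flagged here is a candidate for the password change and client disinfection suggested above, not proof of spam on its own.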