
Re: External AS/AV Integration



Hi Will,

I wasn't the guy who did all the work so I can't give you exact details, but we did something very similar as your choice #1.

We have IronPort generate an extra header "X-WIU-IronPort-SPAM" with a value of "positive" or "suspect" when it marks a message as SPAM.  Then in our custom spamassassin rules (/opt/zimbra/conf/spamassassin/wiulocal.cf) we have these three lines at the top...

header  WIU_IRONPORT_SPAM X-WIU-IronPort-SPAM =~ /pos.*tive/
describe    WIU_IRONPORT_SPAM Identified as spam by WIU's IronPort
score   WIU_IRONPORT_SPAM 10.0 10.0 10.0 10.0

This pretty much guarantees delivery of IronPort marked SPAM into the Junk folder in Zimbra.  IronPort doesn't miss it unless it comes from a "trusted" source somewhere (i.e. some valid server had an account get compromised).

On the MTAs we disabled the spam service (amavisd) and only run the antivirus service (clamav).  Our delivery rate skyrocketed as soon as the MTAs stopped having to scan every incoming message with amavisd.  We used to have delay problems when our administration would dump messages going to 15,000+ individual recipients, but now the MTAs don't have any trouble keeping up.

We also have IronPort rewrite the subject line by appending "[Fraud Alert:  Suspected SPAM]" to the front.  Of course that still doesn't prevent dumb users from opening the message from inside the JUNK folder ....clearly labeled as SPAM (hello!)...usually written with poor grammar and major speeling errors... from replying with their Username & Password & SSN & CC Info & University ID# & Rights to the First Born Child, etc...  You just can't protect some people from themselves!  :)

Hope that helps.

Thanks,
Matt Mencel
Western Illinois University
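
[Added example, not part of Matt's message or of WIU's configuration. It re-implements the effect of the three wiulocal.cf lines quoted above as a small stand-alone evaluator, so you can see on constructed sample messages which ones the header rule would push over the SpamAssassin threshold: a message the gateway marked "positive", one it marked "suspect" (which /pos.*tive/ deliberately does not match), and one with no gateway header at all. The 5.0 threshold is SpamAssassin's default required_score and is an assumption here; the sample addresses and bodies are constructed.]

```python
import email
import re
from email import policy

# Rule table mirroring the quoted wiulocal.cf lines (constructed re-implementation,
# not SpamAssassin itself). The regex is copied verbatim from the posted rule, so it
# is case-sensitive and matches "positive" but not "suspect".
RULES = [
    {
        "name": "WIU_IRONPORT_SPAM",
        "header": "X-WIU-IronPort-SPAM",
        "pattern": re.compile(r"pos.*tive"),
        "score": 10.0,
        "describe": "Identified as spam by WIU's IronPort",
    },
]

# SpamAssassin's default required_score; assumed, Zimbra's own tag/kill levels
# live in zimbraSpamTagPercent / zimbraSpamKillPercent and are not modelled here.
REQUIRED_SCORE = 5.0


def score_message(raw, rules=RULES):
    """Return (total_score, [rule names hit]) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    total = 0.0
    hits = []
    for rule in rules:
        # A message may carry several copies of a header; one match is enough,
        # and like SpamAssassin a rule is scored at most once per message.
        for value in msg.get_all(rule["header"], []):
            if rule["pattern"].search(str(value)):
                total += rule["score"]
                hits.append(rule["name"])
                break
    return total, hits


def is_spam(raw, threshold=REQUIRED_SCORE):
    """True when the accumulated score reaches the threshold."""
    total, hits = score_message(raw)
    return total >= threshold, total, hits


def spam_status_header(raw, threshold=REQUIRED_SCORE):
    """Render an X-Spam-Status line in the shape amavisd/SpamAssassin would add."""
    spam, total, hits = is_spam(raw, threshold)
    flag = "Yes" if spam else "No"
    tests = ",".join(hits) if hits else "none"
    return f"X-Spam-Status: {flag}, score={total:.1f} required={threshold:.1f} tests={tests}"


# Constructed sample messages (not real mail).
POSITIVE = (
    b"From: sender@example.com\r\n"
    b"To: someone@example.org\r\n"
    b"Subject: [Fraud Alert:  Suspected SPAM] Verify your account\r\n"
    b"X-WIU-IronPort-SPAM: positive\r\n"
    b"\r\n"
    b"Please reply with your username and password.\r\n"
)
SUSPECT = (
    b"From: sender@example.com\r\n"
    b"To: someone@example.org\r\n"
    b"Subject: Newsletter\r\n"
    b"X-WIU-IronPort-SPAM: suspect\r\n"
    b"\r\n"
    b"Monthly update.\r\n"
)
NO_HEADER = (
    b"From: colleague@example.org\r\n"
    b"To: someone@example.org\r\n"
    b"Subject: Meeting notes\r\n"
    b"\r\n"
    b"Attached as discussed.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("positive", POSITIVE), ("suspect", SUSPECT), ("no header", NO_HEADER)):
        print(f"{label:10s} -> {spam_status_header(raw)}")
```

The 10.0 score is what makes this work as Matt describes: one rule hit alone clears the 5.0 default, so nothing else SpamAssassin scores can rescue the message. The flip side, true of any header-based rule, is that the evaluator trusts the header wherever it came from, so the gateway that adds it must also overwrite or strip any X-WIU-IronPort-SPAM header already present on inbound mail, and the MTAs must not accept mail that bypasses the gateway.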


----- Original Message -----
From: "Will Froning" <wfroning@aus.edu>
To: zimbra-hied-admins@sfu.ca
Sent: Tuesday, June 9, 2009 12:52:44 PM GMT -06:00 US/Canada Central
Subject: External AS/AV Integration

Hello All,

We finally got our new AV/AS system (IronPort) and I'm trying to integrate it into Zimbra and disable SpamAssassin.  Here are some thoughts/questions to see if you guys have attempted the same.

1) I tried having the IronPort add an "X-Spam-Flag: YES" flag, but as I suspected amavisd just replaces the value with whatever it thinks is correct.  I suspect that changing the header to X-AUS-Spam-Flag on both IronPort and zimbraSpamHeader on Zimbra will result in the same thing.  I'm willing to disable amavisd if it's possible to keep clamav online, but would disabling amavisd break the filtering into the Junk folder based on the zimbraSpamHeader & zimbraSpamHeaderValue?  And can you just enable one or the other (not just setting the kill rate to 100 or some such)?

2) IronPort training accounts are publicly listed as spam@access.ironport.com and ham@access.ironport.com.  I initially considered just changing zimbraSpamIsNotSpamAccount & zimbraSpamIsSpamAccount values to match them, but now I'm wondering if just adding a forward rule to the system ham/spam accounts wouldn't be better since I can keep a local copy as a reference.  Anyone have any experience one way or another on that?

3) Finally, has anyone rolled out changing the amavisd postfix channel to an external scanner (like IronPort)?  Sometime this summer I'll end up messing with it, but wasn't sure if anyone had experience they are willing to share on the subject.

Any help on AV/AS integration is welcome. :)

Thanks,
Will

-- 
Will Froning
Sr. Systems Architect
American University of Sharjah
PO Box 26666
Sharjah, UAE

Tel:  +97165152124