Mail Filtering with Fluffy the SMTPGuardDog

Deferring Connections and Blocking Attachments
When a new server (i.e., one that hasn't connected to Fluffy recently) connects to your mail server to deliver a message, Fluffy initially denies the message by sending a "deferral" error message to the connecting mail server. By default, any properly configured Internet mail server automatically redelivers a message in approximately 15 minutes if the message wasn't rejected outright on the first delivery attempt. From my observations of Fluffy's email deferrals, I infer that spammers typically make only one pass at delivering a message and, if it isn't delivered on the first try, simply move on to the next victim on their list. In 24 hours of running Fluffy on a personal domain that has only one valid email address, I experienced more than 100 instances of servers that attempted to deliver a message to me, were deferred for 15 minutes, then never came back. That's 100 fewer spam messages I had to deal with that day—not bad, for such a simple technique!

After your first test-message attempt, the remote server should resubmit the message within 15 minutes, at which point Fluffy will recognize the server and accept the message. From now on, Fluffy will accept all mail from that server on the first connection. If Fluffy doesn't hear from a server for 16 hours, it returns the server to the deferred state the next time that server tries to send a message.

If you want to disable the deferred-connection feature or change the deferral time value, select the Connections tab and enter a new value for New contact delay, as Figure 3 shows. Setting the value to 0 disables the deferred-connection feature, causing Fluffy to automatically accept all messages on the first delivery attempt.

If you configured Fluffy to automatically block unauthorized attachments according to a predefined attachment list, you'll find this list on the Virus Scanning tab. As I mentioned earlier, this list contains all the common attachment types that you don't want your mail users to receive. You can test Fluffy's attachment-blocking feature by sending a message to yourself that contains an unauthorized attachment type. When Fluffy sees the banned attachment type, it rejects the message, causing the message to bounce back to the sender. In addition to sending the bounce, Fluffy sends a message to the intended recipient, letting him or her know that the message was dropped.

If you configured Fluffy to block attachments and Fluffy isn't blocking them, select the Virus Scanning tab, then select each attachment type you want to block and click OK. (In my testing, I found Fluffy's interface to be a bit quirky at times.) In addition to attachment blocking, Fluffy can use Grisoft's AVG Anti-Virus or Sophos Anti-Virus as a virus scanner for your inbound messages.

Blacklisting and Whitelisting
If you want to always block certain IP addresses or domain names from your network (i.e., blacklisting), you can do so on the Accept/Reject tab, which Figure 4 shows. Conversely, if you want to always allow certain mail servers or domains into your network (i.e., whitelisting) without any delay or spam processing—for example, organizations that your users communicate with regularly—you also enter those servers or domains on the Accept/Reject tab. For each server or domain you enter on the Accept/Reject tab, click the appropriate radio button to indicate whether you want to add the server or domain to the whitelist or the blacklist.

ISPs and other large mail providers commonly use DNS blacklists to filter spam. These lists, which are maintained by third-party providers, contain the IP addresses of servers known to be recent spammers and those of well-known spammers who simply won't quit. If you opted to accept the predefined list of DNS blacklist servers when you configured Fluffy, Fluffy will know which IP addresses to refuse when those servers attempt to connect and send mail. When a new inbound connection is attempted, Fluffy checks the DNS blacklists you've defined to determine whether the IP address matches one on the list. If it does, Fluffy drops the connection. By default, that server remains in Fluffy's memory for 24 hours and no further mail is accepted from it. After the default time has expired, Fluffy will again check the DNS blacklist when it receives a new connection from the server.

Fluffy includes a large set of DNS blacklists. However, none of them are enabled by default. Before you enable any of these lists on your network, I strongly recommend you research the blacklists you're considering, then test them thoroughly after you've enabled them. I've found that the DNS blacklists vary widely in their effectiveness.

To enable a blacklist in Fluffy, select the DNSBL tab, which Figure 5 shows. Highlight a blacklist to use and in the Score weighting field enter a weighted score (the higher the score, the more you trust the list), then save the change. By default, Fluffy assigns all its DNS blacklists a score weighting of 0. After you've saved the change, you should see the list name move from the Available DNSBL list into the Active DNSBL list at the top of the page. After assigning scores to the DNS blacklists you want to enable, you can choose to have Fluffy behave in various ways according to the weighted score. To do so, select the Handling tab, then adjust the parameters on the page. For example, you can tell Fluffy to block incoming connections that reach a certain cumulative weighted score, modify the subject line of messages, defer acceptance of the message, or just log that the message exceeded a scoring threshold. The last option, Flag as possible junk if total DNSBL score at least, can be helpful when you're deciding which DNS blacklists you might want to use.

   Previous  1  2  [3]  4  Next