OT: Armor-Plated Email Server

This will probably have absolutely no interest for most of you; I'm just looking for a place to crow.

And I hope this won't be seen as "hubris" by the powers-that-be. If I'm knocked off the 'net for a considerable period of time soon, we'll know why.

As I've mentioned here, I have been a computer hobbyist for many years, starting back in college actually, when "microcomputers" were just becoming a reality. I've always loved tinkering with them, and I use the analogy that to me it's like amateur radio back years ago (if you've ever met a "Ham" you'll know what I'm talking about), except that I can also use my gradually-acquired skills for work as well as pleasure.

I set up my own Linux-based email/web/ftp server years ago, as soon as I got my first broadband connection back in 1998. That added a whole new dimension to my hobby, and I could have danced on the ceiling the day I first figured out how to put a web page online, or received the first email to my very own domain on my very own server.

Since that time, the 'net has gotten to be a more dangerous place on many levels, not the least of which is the ability for malware in its many guises to get in under your defenses and cause havoc. I've been lucky enough never to have been hit by a worm or virus (except very briefly, and I'm still not sure how it happened--which is a point in itself). Mostly I've depended on products like Norton Antivirus to keep the bad stuff at bay.

I learned early on that running a Linux server was a good idea in more ways than one. And the hardware firewalling provided by the modern-day broadband routers, etc., is a huge help as well. But still the baddies are out there trying to get us.

Like most people, I noticed over time that more and more of my email box was filled with unwanted email ("Unsolicited Bulk Email" or "Spam"). Over a year ago I got the open-source spam-fighter Spamassassin up and running on my server, and was amazed at the difference. Essentially Spamassassin and similar solutions allow you to stop Spam a little further up the pipe, before it ever gets into your email box. Most email clients like Outlook/OE, Thunderbird (which I use) and Eudora now have filtering mechanisms that will put suspected Spam in a separate location for perusal, but Spamassassin and its kind will actually toss it either into a bin on the server or--if the "spam probability score is high enough"--into the bit bucket. This saves you from even having to mess with it at all. I rarely get ANY Spam anymore, and from time to time when I take a look at the "holding tank" on the server I notice that there's quite a bit of stuff--about ten or twelve messages per day--that come in there, all Spam (I don't believe I've had a so-called "false positive" since I got the system tweaked and running).

Well, only a dozen or so per day doesn't sound bad--but when you check the email logs you realize that actually, HUNDREDS of messages per day TRY to come into the server but are refused/rejected due to listing on Blacklisting servers or other distributed spam-fighting networks that Spamassassin employs.

I get a report once a week on how many messages are rejected and how many come in but are tossed aside as Spam. It is usually nearly 50% of the mail coming to our server, and that's about two dozen email accounts.
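The pieces described in the last few paragraphs, as an added example that is not part of the original post and not the author's own configuration: a FEATURE(dnsbl) line for sendmail.mc that refuses listed senders at SMTP time, a .procmailrc that routes SpamAssassin's verdicts into a holding tank or the bit bucket, and a small report over the mail log that produces the refused/tagged/delivered split. The blacklist zone, file paths, ten-star discard threshold and the sample log lines are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not the set-up from the post above: the two stages of a
# "stop it further up the pipe" spam defence on a Sendmail box, plus a
# tally that turns the logs into the weekly refused/tagged/delivered
# numbers. Blacklist zone, paths, thresholds and the sample log lines
# are all assumptions; adjust them to your own server.

# Stage 1: refuse at SMTP time. FEATURE(dnsbl) makes Sendmail look up the
# connecting IP in the named DNS blacklist and answer 550 when it is
# listed. The message is never accepted, so SpamAssassin never sees it.
# This line belongs in sendmail.mc before the MAILER() lines.
print_dnsbl_mc() {
    cat <<'EOF'
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " refused - listed at zen.spamhaus.org"')dnl
EOF
}

# Stage 2: score what does get accepted. procmail pipes each delivered
# message through SpamAssassin, which adds X-Spam-Status (Yes when the
# score reaches required_score, 5.0 by default) and X-Spam-Level (one
# "*" per point of score). Ten stars or more go to the bit bucket;
# anything else tagged as spam goes to a holding-tank mbox for review.
print_procmailrc() {
    cat <<'EOF'
:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamassassin

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

:0:
* ^X-Spam-Status: Yes
$HOME/mail/spam-holding-tank
EOF
}

# The weekly numbers. Every DNSBL refusal shows up in the Sendmail log as
# a line containing "reject=", and spamd logs each message it scores as
# "identified spam" or "clean message".
count_matching() {  # count_matching PATTERN LOGFILE
    grep -c -- "$1" "$2" || true   # grep -c exits 1 when the count is 0
}

weekly_report() {  # weekly_report LOGFILE
    rejected=$(count_matching 'reject=' "$1")
    spam=$(count_matching 'identified spam' "$1")
    clean=$(count_matching 'clean message' "$1")
    total=$((rejected + spam + clean))
    share=$(( total > 0 ? (rejected + spam) * 100 / total : 0 ))
    printf 'refused at SMTP time: %d\n' "$rejected"
    printf 'tagged as spam:       %d\n' "$spam"
    printf 'delivered clean:      %d\n' "$clean"
    printf 'unwanted share:       %d%%\n' "$share"
}

# Constructed sample log (not real traffic) in the line formats Sendmail
# and spamd write, so the report can be tried offline.
sample_log() {
    cat <<'EOF'
Jan  5 09:12:01 mail sendmail[4123]: j05HC1x4004123: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused - listed at zen.spamhaus.org
Jan  5 09:12:40 mail sendmail[4130]: j05HCex3004130: ruleset=check_relay, arg1=[192.0.2.11], arg2=127.0.0.4, relay=[192.0.2.11], reject=550 5.7.1 Mail from 192.0.2.11 refused - listed at zen.spamhaus.org
Jan  5 09:15:22 mail spamd[2210]: spamd: identified spam (14.2/5.0) for bob:1001 in 2.3 seconds, 4012 bytes.
Jan  5 09:16:03 mail spamd[2210]: spamd: clean message (-2.1/5.0) for bob:1001 in 1.1 seconds, 2210 bytes.
Jan  5 09:18:45 mail spamd[2210]: spamd: identified spam (7.8/5.0) for alice:1002 in 1.9 seconds, 3301 bytes.
EOF
}

# Usage: sh spam-report.sh /var/log/maillog
[ $# -eq 0 ] || weekly_report "$1"
```

Run it against the real log (sh spam-report.sh /var/log/maillog) to get the weekly figures; the two print_ functions emit the config fragments so you can compare them with what is already in sendmail.mc and ~/.procmailrc. The ten-star rule discards silently, so keep the threshold well above required_score or the holding tank loses its value as a false-positive check.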

Spam is still a big issue for the Internet community generally, because whether it gets to you or not it's out there running around taking up bandwidth--estimates are that 50-80% of all email traffic is unsolicited bulk email! Sooner or later it's going to drag the system down with it. But at least in the meantime I don't have to handle it locally.

But there are other malware threats, and recently I was reading about the increase--though slight--in threats of Trojans or Worms even on Linux and MacOSX systems. Linux has been fortunate in that although it is fairly popular among the geeks of the world it isn't very common compared to the huge hosts of Microsoft Windows users. But that doesn't mean no one tries to target Linux systems at all.

I am constantly getting indications on my webserver logs that someone is trying to "break in" to my system via http protocol trickery, but they usually expect a Microsoft IIS site. Even though IIS isn't even as common as Apache, IIS is considered more vulnerable. So I know I'm sometimes the target of bad guys.

Today I set up a ClamAV server-side antivirus system to deal with the potential threat of ALL virus/worm/trojan means of entry. Like nearly all Linux software it is open source and free to use. Of course this sort of thing isn't for the faint of heart, and that's where my hobbyist temperament comes in. I really enjoy the challenge of trying to add to my server's capability by getting a system like this up and running. And this time I got it done in one afternoon! (Which is where the "crowing" comes in).

I did have some glitches. The ClamAV system has to interface with the email system in some way just as Norton AV and other Windows-based products do, but you have to do a lot of the "engineering" yourself. Linux, and all *nixes for that matter, is a modular system. You add capabilities, software, whatever, by putting together different bits sort of like an erector set.

For instance, in this case I needed to interface ClamAV with Sendmail, my Mail Transport Agent (MTA) which is the program responsible for actually delivering the mail into the inboxes of the various accounts for eventual pickup by the email client. An MTA is not the thing you use to get your mail or read it; Sendmail "talks" to other similar MTAs on various outside servers and decides what to do with what gets sent its way, or where to pass on email that is going out. It is built to take "plugins" of various kinds to add capability, and in this case ClamAV has such a plugin, called a "mail filter" or "milter" that can interface with Sendmail, where Sendmail decides "hey, this has an attachment, better let ClamAV sniff it and see if it might be malware."

Once ClamAV gets it, it refers to a local database with digital signatures of malware, which it can use to check--in under a second--to see if there's something bad in there. If there is, it sends it back to Sendmail with a red flag and Sendmail tears off the attachment and throws it in the bit bucket, then adds some information to the message telling the recipient that there was a bad thing there that didn't get through. ClamAV's database is automatically updated every night.

It's a truly slick system, and I'm looking forward to seeing whether anything gets through. I don't get viruses in email that often but they do come through every once in awhile, and NAV takes care of them. But it would be great not to have to get a copy of NAV every time I buy a new computer--and it's also nice not to have to pay for subscription upgrades. If this works out it might save me a few dollars in the long run.

But the best thing is, ClamAV protects against ALL viruses. Since it isn't really OS-specific it has signatures for malware for ANY type of system including *nix and Mac as well as Windows, and gets rid of all of it. Therefore there is much less likelihood of my server being infected.

Oh, and it also apparently works outside of the mail system, checking on any bitstreams coming in as origins of malware. Pretty slick.

After that, I began to do some research into all sorts of other

*******
Read list FAQ at:
This email was sent to you via Structural Engineers Association of Southern California (SEAOSC) server. To subscribe (no fee) or UnSubscribe, please go to:
Questions to seaint-ad(--nospam--at) Remember, any email you send to the list is public domain and may be re-posted without your permission. Make sure you visit our web site at:
*******