Fight Spam on the Cheap

St. Francis High School is a small independent school with its own Exchange server and approximately 20 active Exchange/Outlook Email users. After several relatively spam-free years of operation, deliveries of spam to our users' mailboxes escalated sharply in February 2005. Some of the most afflicted users pleaded for a suitable solution.

We’re a small school, and our IT budget is proportionally small, too. We have three servers, two with Windows 2000 Server and one with Whitebox Enterprise Linux, which among them handle various network duties quite adequately. There was really no money available for a standalone hardware solution, such as those that Barracuda and Symantec offer, or for a commercial software solution. So, I looked to open-source applications for a suitable anti-spam application.

The solution I settled on was the Antispam SMTP Proxy, or ASSP, a set of Perl scripts written by John Hanna. ASSP sits between the Internet and the mail server and scans each incoming message for features common to spam. Using Bayesian filtering, ASSP learns to distinguish good Email from bad. Good messages are relayed to the mail server; bad ones are stopped at the gate. As a result, our spam delivery rate has dropped to practically zero, and the load on our site-wide installation of Symantec Antivirus Corporate Edition has become minimal.

Knowing that there are more than 2,000 ASSP installations reassures me that ASSP is effective even though it is free of charge. Mr. Hanna's SourceForge site displays statistics automatically forwarded by each ASSP host to the central statistics repository. Together those 2,000-plus ASSP servers have stopped more than 875,000,000 spams, an average of more than 437,500 per installation, which is a mind-boggling number.

Our statistics at St. Francis are not quite that phenomenal, but still indicative of the spam problem all organizations face. Our ASSP has been running almost continuously for more than 98 days, except for necessary Windows update restarts and one power outage. In that time, it has processed more than 27,000 messages from external sources, of which almost 60% were classified as spam. Since none of my users have complained about legitimate messages being lost, I can assume that ASSP is correct in calculating that proportion. That's thousands of time-wasting messages our users do not have to read and delete. ASSP also caught 28 viruses, 224 scripts and 35 attachments that otherwise would (probably) have been intercepted by Symantec AV. In general, ASSP has without a doubt been a success for us.

ASSP is a low-impact application, tying up very little CPU time. It can run on its own server, or on the same machine as Exchange. Since installing ASSP on our Linux box would have required setting up sendmail or qmail as well – a time-consuming task – I chose to install ASSP in the single-server mode. This setup requires the administrator to move Exchange's SMTP virtual server off port 25, so that ASSP can listen there, and to create a second virtual SMTP server to handle outbound mail.

Since ASSP relies on Perl, administrators must install Perl on the machine that hosts ASSP. We are using NumenInestPerl, but ActivePerl is also a good distribution. Both are free downloads and are easy to install.

On our Pentium-4 mail server, ASSP runs in the background, intercepting incoming mail on the standard SMTP port 25, analyzing it, then relaying the good mail to Exchange, which now listens on port 26. Users then receive their mail as usual using Outlook, Outlook Web Access or a POP or IMAP mail client. Spam is shuttled to a separate folder and never delivered.

Hanna has designed ASSP to learn from its mistakes and to learn from mail users' own messages. Critical to this function is ASSP being able to intercept outbound mail over SMTP. Microsoft Outlook, however, submits messages directly to Exchange over MAPI, not SMTP, so ASSP never sees them. The solution is to reconfigure Exchange's outbound message handling: Exchange hands every outgoing message to ASSP over SMTP, and an additional virtual SMTP server, listening on a new port and sending on port 25, takes the message from ASSP and delivers it to the Internet.

The resulting path of outbound mail is circuitous, but it enables ASSP to be trained. Let's say an Outlook user sends a message to her mother. Outlook sends this message via MAPI to Exchange, which then sends it via SMTP to ASSP. The recipient's address is added to a “white-list” of legitimate addresses. Now ASSP knows that future messages from that address are “good” mail.

ASSP then relays that message to the new virtual SMTP server, which then forwards the message to the Internet on the standard SMTP port 25.

To summarize, we are using ASSP on the same machine as Exchange. A secondary SMTP server application also runs on the Exchange machine. Incoming mail first comes to ASSP, which relays it to Exchange. Outbound mail passes through Exchange, then ASSP and finally to the secondary SMTP server. (See accompanying diagrams.) This configuration has worked very well for us.

The developer advises users to run ASSP in its “learning” mode for three weeks, so that ASSP can develop a useful set of spam and not-spam databases. Messages that are considered spam are labeled as such, but are still delivered to recipients. If a message is not classified correctly, the recipient forwards that message to special “not-spam” or “spam” mailboxes (contacts in Active Directory). Additionally, all outbound mail addresses are automatically added to the “not-spam” database. After three weeks of training, ASSP's autopilot can be turned on, and spam will be blocked automatically.
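The following Python sketch is an added illustration of the training loop described above; it is not ASSP's own code (ASSP is a Perl implementation with many more heuristics), and every address and message body in it is constructed. It models the three pieces the preceding paragraphs describe: the white-list built from the recipients of outbound mail, a spam/not-spam database fed by outbound mail and by the “spam” and “not-spam” report mailboxes (modelled here as a naive Bayes token classifier), and the switch from learning mode, where suspected spam is tagged in the subject but still delivered, to autopilot, where it is blocked.

```python
"""Toy model of an ASSP-style SMTP proxy (added example, not ASSP code).

Outbound mail teaches the proxy which addresses are legitimate and what
our users' mail looks like; user reports teach it what spam looks like;
inbound mail is white-listed, delivered, tagged or blocked accordingly.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Set of lower-cased word tokens; presence per message, not counts."""
    return set(TOKEN_RE.findall(text.lower()))


class SpamProxy:
    def __init__(self):
        self.whitelist = set()   # addresses our own users have written to
        self.spam = Counter()    # token -> number of spam messages containing it
        self.ham = Counter()     # token -> number of good messages containing it
        self.n_spam = 0
        self.n_ham = 0
        self.autopilot = False   # False = learning mode (tag), True = block

    # Outbound path: Exchange -> proxy -> secondary SMTP server -> Internet.
    def outbound(self, sender, recipients, body):
        for r in recipients:
            self.whitelist.add(r.lower())
        self.report(body, spam=False)   # outbound mail is known-good
        return recipients               # relayed unchanged

    # Feedback path: messages forwarded to the "spam"/"not-spam" mailboxes.
    def report(self, body, spam):
        toks = tokens(body)
        if spam:
            self.spam.update(toks)
            self.n_spam += 1
        else:
            self.ham.update(toks)
            self.n_ham += 1

    def spam_probability(self, body):
        """Naive Bayes over token presence with Laplace smoothing."""
        if self.n_spam == 0 or self.n_ham == 0:
            return 0.5                  # untrained: undecided, fails open
        log_odds = math.log(self.n_spam / self.n_ham)
        for t in tokens(body):
            p_s = (self.spam[t] + 1) / (self.n_spam + 2)
            p_h = (self.ham[t] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_s / p_h)
        log_odds = max(-700.0, min(700.0, log_odds))   # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))

    # Inbound path: Internet -> proxy (port 25) -> Exchange (port 26).
    def inbound(self, sender, subject, body, threshold=0.6):
        """Return (action, subject): action is 'deliver', 'tag' or 'block'."""
        if sender.lower() in self.whitelist:
            return ("deliver", subject)          # white-list wins outright
        if self.spam_probability(body) < threshold:
            return ("deliver", subject)
        if self.autopilot:
            return ("block", subject)
        return ("tag", "[SPAM] " + subject)      # learning mode: still delivered


def demo():
    """Constructed traffic: three outbound messages, three spam reports, four inbound."""
    proxy = SpamProxy()
    proxy.outbound("teacher@school.example", ["mom@example.net"],
                   "Attached is the agenda for Tuesday's faculty meeting.")
    proxy.outbound("teacher@school.example", ["office@example.org"],
                   "Please send the field trip permission slips by Friday.")
    proxy.outbound("teacher@school.example", ["registrar@example.edu"],
                   "Thanks for the grades, I will post them tonight.")
    for junk in ("Buy cheap pills online, click here now!!!",
                 "Click here for a free prize, winner winner",
                 "Cheap meds online, no prescription, buy now"):
        proxy.report(junk, spam=True)

    spammy = "Buy cheap pills online now, click here"
    results = {
        "whitelisted": proxy.inbound("Mom@Example.net", "hi", spammy),
        "spam_learning": proxy.inbound("bulk@spammer.example", "Special offer", spammy),
        "ham_unknown": proxy.inbound("newparent@example.org", "Slips",
                                     "The permission slips for the field trip are attached"),
    }
    proxy.autopilot = True
    results["spam_autopilot"] = proxy.inbound("bulk@spammer.example", "Special offer", spammy)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

Two properties of the model are worth noticing, because they hold for the real setup as well. First, an untrained database returns an undecided score and the threshold lets such mail through, which is why the developer's three-week learning period matters before autopilot is switched on. Second, the white-list is keyed on the claimed sender address, and SMTP sender addresses are trivially forged, so a white-list that bypasses all scoring is only as strong as the assumption that spammers do not know whom your users correspond with.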

ASSP can also check messages for viruses and potentially hostile scripts. ASSP uses the open-source antivirus application, ClamAV, for those tasks. A Windows batch file, set up as a scheduled task, can automatically update the ClamAV virus database. In our experience, some viruses have slipped past ASSP and ClamAV, only to be caught by Symantec AV.

Spam has become a major threat to Email users' productivity, as well as the security of their computers. To minimize these threats, network administrators should install an antispam solution to intercept spam before it reaches the mail server. We chose Antispam SMTP Proxy (ASSP), an open-source set of Perl scripts, for use on our Exchange server. To date, this configuration has been very effective and certainly very affordable.

Email: John Wheaton