Fighting Spam and Viruses


Email is incredibly easy to use, and practically cost-free. That's why it's so popular with people. Unfortunately, those same factors are the reasons our mailboxes are inundated every day with dozens, or hundreds, of anonymous messages begging us to refinance our homes, buy various drugs, and enhance the body parts of our choice.

Email is also the favorite mechanism for spreading assorted attacks on our computers and networks through worms, Trojan horses, viruses, and other malware.

Technology columnists, politicians, and ordinary users declare the death of email in the face of this attack. What can we do? Keep trying to fight the battle.

SUSE Linux 9.2 introduced a new antispam wizard that works with your email client to remove unwanted email before it even sullies your mailbox.

Several open source projects aiming to battle spam have sprouted up, and each has its fans: SpamAssassin, Bogofilter, SpamBayes, Assistance-Filter, and GMX are the best known.

KMail and Mozilla Thunderbird both include antispam tools. Thunderbird's is built in, and KMail creates filters to work with the previously mentioned antispam tools.

Finally, there are the old-school methods, using Procmail.

Antispam Tools

Modern antispam tools use Bayesian filtering to identify words and patterns that are typical in spam messages. They work with MTAs to scan incoming mail and filter it according to their rules.

The biggest problem with these filters is false positives: good mail (also called Ham) that gets tossed as spam. Some filters will also still miss a good deal of spam in the bargain. They are trainable, in different ways, so that they improve their detection capabilities as you correct their mistakes.

While you are training your filter, make sure that detected spam gets sent to its own folder and is not deleted immediately. There's no telling how many false positives might be lost otherwise.

To train your filter, create two new folders in your mail client: Not Spam for your false positives and Missed Spam for your false negatives. As new spam comes in, move it manually into your Missed Spam folder. As often as possible (preferably weekly), go through the Spam folder and move Ham into the Not Spam folder. Then run the training tool, which will vary depending on what you're using.
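The filtering and training cycle described above can be shown with a small naive Bayes classifier. This is an added example, not code from SpamAssassin, Bogofilter, or any other tool named here; the class, the function names, the 0.9 threshold, and the sample messages are all constructed for illustration.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Toy naive Bayes filter: counts how many messages of each class contain a token."""
    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.msgs = {"spam": 0, "ham": 0}
        self.seen = {"spam": Counter(), "ham": Counter()}

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z]{3,}", text.lower()))

    def train(self, text, label):
        self.msgs[label] += 1
        self.seen[label].update(self.tokens(text))

    def spam_probability(self, text):
        # Sum per-token log-likelihood ratios; add-one smoothing avoids zero counts.
        n_spam, n_ham = self.msgs["spam"], self.msgs["ham"]
        log_odds = math.log((n_spam + 1) / (n_ham + 1))
        for tok in self.tokens(text):
            p_spam = (self.seen["spam"][tok] + 1) / (n_spam + 2)
            p_ham = (self.seen["ham"][tok] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

    def is_spam(self, text):
        return self.spam_probability(text) >= self.threshold

def train_folders(flt, ham_folder, spam_folder):
    """Training run: everything in ham_folder is ham, everything in spam_folder is spam."""
    for label, folder in (("ham", ham_folder), ("spam", spam_folder)):
        for msg in folder:
            flt.train(msg, label)
    return flt

# Constructed sample messages (not real mail).
SPAM = ["Refinance your home now at low rates", "Buy cheap drugs online now",
        "Low rates refinance offer, act now"]
HAM = ["Meeting notes attached for the project review", "Lunch tomorrow with the project team",
       "Please review the attached patch for the kernel"]
FALSE_POSITIVE = "Your home refinance paperwork, final rates attached"  # ham, flagged at first
MISSED_SPAM = "Enhance your body with herbal pills"                     # spam, missed at first

def build_filter():
    return train_folders(BayesFilter(), HAM, SPAM)
```

Calling train_folders(flt, [FALSE_POSITIVE], [MISSED_SPAM]) plays the role of running the training tool over the Not Spam and Missed Spam folders; afterward the filter classifies both messages correctly.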

One site you will want to visit is the Apache SpamAssassin Project at http://spamassassin.apache.org. This is an open-source software solution (a set of Perl scripts) that runs on the server and stops spam before it ever enters your network. It accomplishes this daunting task using a number of different techniques, including utilizing DNS blocklists, analyzing the header and text, and some statistical methodology.

Using more than one technique to identify spam, this tool has the ability to weed out a vast majority of the spam currently floating about. It is highly recommended that you download the latest build and install it on your servers.

Note

One of the worst nightmares that can happen to an administrator is to find that his or her servers have been turned into spam gateways literally passing spam along at breakneck speed. Many companies are currently offering software products that act as Anti-Spam Gateways, which eliminate spam, phishing attempts, and many viruses before they move beyond the server. The primary benefit that most of these products offer is that they come preconfigured with very little for the administrator to do other than tweak a few settings during installation. Aside from this simplification, they offer little that is not available in SpamAssassin, and it is highly recommended that you investigate this open-source solution and its possibilities before purchasing a similar product.


Client-Side Spam Filters

The Mozilla Thunderbird team is rightly proud of the Junk filters it has produced. They are easily trained and almost never create a false positive. Possibly as a result of that mindset, they leave a lot of false negatives in your box. Fortunately, selecting a message and pressing the J key promptly marks it as Junk.

The Junk filtering function is not turned on by default. Go to Tools, Junk Mail Controls to turn it on and configure it. You'll see Figure 15.1.

Figure 15.1. Set up spam (junk) filtering in Thunderbird or Mozilla Mail with this dialog box.


Use this dialog box to automatically whitelist everyone in your address book and tell Thunderbird where to put messages identified as junk. At first, send messages to the Junk folder. When you become confident that there are no false positives (which should not take long), you can change the setting.

Procmail

Procmail filters (processes) each user's mail as it comes from the server. You can configure it yourself or help one of the other antispam tools work with it. See the README and example files in /usr/share/doc/packages/procmail for more details.

Antivirus Tools

Conventional wisdom is that Linux is virtually virus-proof. This is true, for the most part, but perhaps not forever. Virus writers, from the script kiddies to the more professional criminal types, like to use Outlook as a transmission vector for their tools. Some have even called Outlook a virus-spreading mechanism that also delivers email.

As more people use Linux to get their everyday work done, the evil ones will try to rise to the challenge. How well they succeed depends on how ready for them Linux users (and developers) are when they arrive.

No antivirus tools are installed by default with SUSE Linux. You can configure fetchmail to work with the Mail Delivery Agent called AmaViSd, which will, in turn, work with most antivirus tools.

The most prominent open source antivirus is ClamAV, and several commercial tools are also available for Linux, including F-Prot and Sophos.



SUSE Linux 10 Unleashed
SUSE Linux 10.0 Unleashed
ISBN: 0672327260
EAN: 2147483647
Year: 2003
Pages: 332
