
How we protected the administration of the Kaluga region from spam



As a corporate cloud provider, we offer our customers the widest possible range of services related to storing and transmitting data, including protection against spam. In this post we describe how the Cloud4Y anti-spam service, based on SpamTitan for the VMware platform, works, using one of our clients as an example: the administration of the Kaluga region. We cover the functional features and basic settings of SpamTitan, as well as how we solved the licensing problem that came up at the client during the work.

Features


It makes no sense to list all of the system's functionality in this post; we present only the most interesting features:

Other features can be found at www.spamtitan.com/about-us/about-spamtitan
Comparison of SpamTitan with other systems cloud4y.ru/cloud-services/antispam

Setup


Setting up SpamTitan usually does not take much time and consists of the following steps, which deserve attention:



Further configuration is done through the web interface, available at http://<ip-of-your-server>

The first thing to do after configuring the network and rebooting is to add a license key. You can either obtain a trial key (10 days without restrictions) or purchase a commercial one. This is done in the System setup -> Licensing section.



Then update the system to the latest version in System -> Updates. At the time of writing, the current version is 6.0.4.



In the Network section, configure Network configuration and DNS Settings.



Configure time synchronization.



Configure Mail relay for the required domain.





Enter the domain name and the address of the SMTP server that currently serves this domain. Several connection modes are possible: with verification that the recipient mailbox exists, and without it.

On the IP CONTROLS tab you can configure whitelists and blacklists of SMTP servers and enable RBL (Realtime Blackhole List) support. In our case this was not relevant, since we were behind an SMTP relay and accept all mail from a single server.

In GENERAL SETTINGS, specify the spam filter hostname, which must match the DNS entry.

Content Filtering -> Viruses
Configure virus scanning settings and update the ClamAV and Kaspersky AV databases.

Content Filtering -> Spam
Enable spam checking and update the spam lists.

Anti-Spam Engine -> Settings
Enable the network tests Razor V2, Pyzor and RBLs.

Anti-Spam Engine -> Domain policies / User Policies
You can set global domain policies and policies for individual users. For example, the global domain policy applies its default action to all spam messages, while for particular users spam is sent to quarantine.

Anti-Spam Engine -> Roles and permissions / Admins / Domain Groups
You can create roles for users, global administrators and domain administrators.

Settings -> Access / Authentication
You can configure how users authenticate to the quarantine web interface.
We used authentication against the Windows domain via LDAP. In this case each user gets their own quarantine section, accessed through the web interface; the login and password are the same as their email credentials.

Filter Rules
Tabs for global whitelists and blacklists of email addresses and domains.

Quarantine
Full list of quarantined messages.

Reporting -> Graphs
Reports on all processed messages, detected viruses, CPU load, memory and disk usage for periods of 1 day, week, month and year:





Reporting -> History
Full message log with the ability to sort by field.

Logs
Raw logs from the /var/logs directory: maillog, messages and CFMA.

Cluster
Section to configure the cluster configuration.

Full SpamTitan documentation can be found here.

Problem


During the work it turned out that of 3,500 mailboxes only 500 needed to be protected from spam, while licenses had been purchased for only 500 mailboxes and there were no plans to buy more.

The logic for calculating the required number of licenses is as follows: every 24 hours the system takes the average, over the last 5 working days, of the number of mailboxes that received mail, minus 20% for aliases (only 20% is deducted because aliases are, as a rule, not used as intensively as the primary mailbox). Current usage is displayed in the management console.
If the mailbox count is exceeded, the system issues a warning and the license must be expanded.

For example, your organization has 100 mailboxes, but only 50 of them need spam protection. Since the system counts the total number of mailboxes passing through it, as soon as a 51st mailbox passes through, the system will be blocked. You will have to buy a license or use the solution described below.
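To see in advance whether a planned mailbox set fits the purchased licenses, the counting rule described above can be reproduced over relay logs. This is an added example, not SpamTitan's own code; the log dictionary, the domain and the exact weekday handling are constructed assumptions, and the 20% alias deduction is applied to the 5-working-day average exactly as the post states it.

```python
"""Estimate SpamTitan license consumption from a constructed mail log."""
from datetime import date

# Constructed sample: ISO date -> local parts of mailboxes that received mail
# that day (duplicates show that a mailbox is counted once per day).
SAMPLE_LOG = {
    "2014-09-01": ["ivanov", "petrov", "sidorov", "ivanov"],         # Mon: 3 distinct
    "2014-09-02": ["ivanov", "petrov", "sidorov", "info"],           # Tue: 4
    "2014-09-03": ["ivanov", "petrov", "sidorov", "info", "press"],  # Wed: 5
    "2014-09-04": ["ivanov", "petrov", "sidorov", "info", "press"],  # Thu: 5
    "2014-09-05": ["ivanov", "info", "press"],                       # Fri: 3
    "2014-09-06": ["ivanov", "petrov"],                              # Sat: not a working day
    "2014-09-08": ["ivanov", "petrov", "sidorov", "info", "press"],  # Mon: 5
}


def distinct_per_working_day(log):
    """Map each working day (Mon-Fri) to the number of distinct mailboxes."""
    per_day = {}
    for day, recipients in log.items():
        if date.fromisoformat(day).weekday() >= 5:  # assumption: weekends are skipped
            continue
        per_day[day] = len({r.lower() for r in recipients})
    return per_day


def estimate_usage(log, window=5, alias_share=0.20):
    """Average mailbox count over the last `window` working days, minus aliases."""
    per_day = distinct_per_working_day(log)
    last_days = sorted(per_day)[-window:]
    average = sum(per_day[d] for d in last_days) / len(last_days)
    return average * (1 - alias_share)


def license_check(log, licensed_mailboxes):
    """Compare the estimate with the purchased license count."""
    usage = estimate_usage(log)
    return {"usage": usage,
            "licensed": licensed_mailboxes,
            "exceeded": usage > licensed_mailboxes}


if __name__ == "__main__":
    print(license_check(SAMPLE_LOG, licensed_mailboxes=4))
```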

Solution


As an example, here is the real part of the customer's infrastructure.

For SpamTitan not to be blocked, it has to be "told" which mailboxes it should protect.
So first a list of the mailboxes that will pass through the spam filter was compiled. This list is added on the gateway, for example a Postfix SMTP relay. After messages pass through the Kerio firewall they are sent to the SMTP relay, which checks them against the list compiled earlier. If the mailbox is on the protected list, the message is sent to SpamTitan; if it is not, the message goes straight to the mail server.

An example of the ideal mail flow model, and the one modified to account for the specifics of SpamTitan licensing:



The client wanted to keep the old firewall in addition to SpamTitan, so SpamTitan sits behind Kerio. During installation it turned out that the client had purchased fewer licenses than required. We had to find a way out that does not violate the licensing terms but still allows the full functionality of the system to be used.

An example of the flow adapted to SpamTitan licensing:



An SMTP relay was deployed at the client, holding the message routing rules based on the mailbox list. Messages for mailboxes on the list are sent to SpamTitan, pass through the filter and are delivered to the mail server; all others go directly to the mail server.
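The per-mailbox routing described above maps onto a Postfix transport table: listed addresses get a transport pointing at the filter, and a domain entry catches everything else. The generator and lookup below are an added example, not the client's configuration; the mailbox list, the domain and the spamtitan/mail hostnames are constructed placeholders.

```python
"""Build and verify a Postfix transport map that sends only protected
mailboxes through SpamTitan (constructed example)."""

PROTECTED_MAILBOXES = ["ivanov@example.org", "Petrov@example.org"]  # constructed list
DOMAIN = "example.org"                                               # placeholder domain
SPAMTITAN = "smtp:[spamtitan.example.org]"                           # placeholder host
MAILSERVER = "smtp:[mail.example.org]"                               # placeholder host

# Constructed main.cf fragment for the relay: accept the domain and use the map.
MAIN_CF_SNIPPET = """\
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport
"""


def build_transport_map(protected, domain, spamtitan, mailserver):
    """Return the text of /etc/postfix/transport: each protected address is
    routed to the filter, the bare domain entry routes the rest directly."""
    lines = [f"{addr.lower()}\t{spamtitan}" for addr in sorted({a.lower() for a in protected})]
    lines.append(f"{domain}\t{mailserver}")
    return "\n".join(lines) + "\n"


def lookup_transport(transport_text, recipient):
    """Resolve a recipient the way Postfix consults transport_maps: the full
    address is tried first, then the bare domain. (Postfix additionally tries
    parent domains; that step is omitted here.) Returns None when no entry
    matches, i.e. the relay would not route the message via this table."""
    table = {}
    for line in transport_text.splitlines():
        if line and not line.startswith("#"):
            key, _, target = line.partition("\t")
            table[key.strip().lower()] = target.strip()
    rcpt = recipient.strip().lower()
    return table.get(rcpt) or table.get(rcpt.rpartition("@")[2])


if __name__ == "__main__":
    text = build_transport_map(PROTECTED_MAILBOXES, DOMAIN, SPAMTITAN, MAILSERVER)
    print(text)
    for rcpt in ("ivanov@example.org", "unknown@example.org"):
        print(rcpt, "->", lookup_transport(text, rcpt))
```

After writing the file, `postmap /etc/postfix/transport` and `postfix reload` make the table active; the protected list can then be changed without touching SpamTitan itself.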

Result



In the case reviewed here, SpamTitan filters out 24% of all daily email as spam. At the same time, the client has a tool for flexibly configuring the list of mailboxes to protect from spam, without additional spending on licenses.



Separately, we would like to thank the IT specialists of the Kaluga Region Administration for their professionalism.

Thank you for your attention and as always we welcome your comments.

Source: https://habr.com/ru/post/233999/
