
Eliminating spam with SpamAssassin, DSPAM and ClamAV

James Turnbull explores the differences between three open source antispam tools and explains some best practices for using these products to secure your organization's e-mail and help stanch the flow of spam.

Security consultant James Turnbull scrutinizes every facet of Linux security in his book, Hardening Linux. Here, the author explores three open source antispam tools that can be used in conjunction to secure e-mail and ultimately stanch the flow of spam.

SpamAssassin and DSPAM are both open source antispam tools designed to filter your e-mail and weed out spam. ClamAV is an open source antivirus package which uses regularly updated signature files to detect viruses both on your host and in your e-mail. They are each standalone packages but can be used together if you wish. Indeed, you will almost certainly need to combine both an antispam package and an antivirus package. Let's look at each package individually.

SpamAssassin (SA) is a mail filter written in Perl. It can be executed via mail processors like procmail or Maildrop, integrated into your mail server, run against a remote mailbox using IMAP, or incorporated into a third-party tool like AMaViS. It uses Bayesian spam filtering to tell which e-mail is spam and which is not (non-spam is also called ham). It can also incorporate tools like DCC, Razor and Pyzor, blacklisting and whitelisting, and heuristic rules to detect spam. It is also capable of learning from the e-mails it filters to sharpen its detection ability.

I have used SA extensively and found it powerful and effective. For a smaller environment you would probably use SA in a procmail recipe to check incoming mail for spam. In a larger environment, you can run SA as a daemon and conduct your e-mail checking as part of your Mail Transfer Agent (MTA) mail processing and delivery. SA incorporates easily into MTAs like Sendmail, Postfix and Exim. You can learn how to do this using the SA documentation that comes with the package and on the SA website.

DSPAM is written in C and claims to be designed and optimized with large-scale enterprise mail environments in mind. It also utilizes Bayesian filtering, but unlike SA, it relies on machine learning and artificial intelligence to detect spam. It can be integrated easily into Sendmail, Postfix, Qmail, Courier and Exim, or run as a Simple Mail Transfer Protocol (SMTP) pre-processing gateway that filters your e-mail for spam and then relays it to your MTA. DSPAM also keeps a storage back-end that tracks the spam it has processed and the Bayesian tokens it has learned; this back-end can use a variety of databases, including MySQL, SQLite, PostgreSQL, Berkeley DB and others.

DSPAM setup can be slightly tricky, but most issues tend to occur around permissions and authorization. DSPAM creates a default directory which must be writable by the user who runs your MTA (if you've integrated DSPAM with an MTA). Additionally, the dspam binary occasionally needs to be setgid or setuid root in order to function correctly. This is generally dependent on how you have configured DSPAM, and error messages will usually indicate that there is a permission or ownership problem. Lastly, DSPAM has a list of trusted users who are allowed to maintain its settings. This list of trusted users is stored in the dspam.conf file (installed into /usr/local/etc by default), and you need to ensure your MTA user and other related users are included.

ClamAV combines a virus scanning daemon, a command line scanner and a milter interface to integrate with Sendmail. It includes the ability to scan mbox, Maildir and raw e-mail and also has support for scanning inside archives and scanning executables. It can be called via mail processors like procmail and Maildrop, integrated into MTAs or called from a third-party application like AMaViS. It includes a daemon called Freshclam that regularly checks and downloads antivirus signature updates.

So which antispam package is better? It is hard to say, and it greatly depends on your requirements and how you integrate, configure and tweak each package. The best way forward with antispam packages is to test how effective each is by measuring how much spam is detected and how many legitimate messages are erroneously trapped as false positives.

Many companies use SA and DSPAM in combination (or other combinations of multiple antispam tools) and then add an antivirus scanner like ClamAV to handle virus detection. The use of two antispam packages can reduce the volume of spam you receive by increasing the chance of detection through the use of multiple different spam detection methods. Obviously this can increase the processing time taken to evaluate your e-mail and the load on your mail environment, but the additional spam detected is often worth the additional load.

James Turnbull is the author of Hardening Linux and a security consultant at the Commonwealth Bank of Australia. He is also the resident security expert for 
