SpamAssassin Posted by Adel Mubarak , Saturday, October 24, 2009 at 1:54 AM, in Labels: Security

Spam is a plague on the Internet. It’s constant and unending. Some ISPs and free web mail providers offer anti-spam services but if you’re running your own mail server, accepting mail to your own domain, you have to work out your own solution.

First, some commercial pricing: want Symantec Mail Security? Depending on the number of licenses you buy you’re looking at $AUD 32 per mailbox to cull out virus e-mails; it’s then another $AUD 31 per mailbox to license the anti-spam addon; without this Symantec mail security will leave spam alone. You can’t buy it by itself. For a company with 100 mailboxes, you’re looking at $AUD 6,300 to keep spam out.

And be wary of upgrading; Symantec Mail Security version 6 supports Microsoft Exchange 2007, but the product came out after Exchange 2007; early adopters of Microsoft’s mail platform had no working Symantec option at the time of purchase.

This highlights a problem with proprietary solutions. They are locked in to specific technologies. There’s not likely to be another version of Exchange for three or four years so the company above won’t soon face any problem again with having an unsupported version, but consider that they may opt to change their mail platform in the interim – over to Lotus Domino, say. Now their Symantec Mail Security for Exchange offers no protection at all; they will need to purchase a different version which supports the new platform.

This isn’t a Symantec bash, by any means; indeed, Symantec offer good products (while their Norton line is bloated and burdensome) and they are far from alone in being a provider of commercial, licensed, anti-spam products that specifically tie in to a targeted mail server.
One philosophy that the free and open source movement has espoused, whether intentionally or not, is to promote standards-based software and this is the key to platform-free anti-spam.

Before we get onto that, a case in point about standards is the very argument used against the Firefox web browser, namely that users can find sites which do not load properly under Firefox but yet work within Internet Explorer. The reason is invariably the site has been either badly designed or it has been designed to specifically target Internet Explorer. Firefox prides itself on a very strict and complete implementation of Web Consortium standards; by contrast Internet Explorer is more accepting of coding flaws.

On the surface that sounds helpful but it is not; bad CSS renders despite incorrect or missing quotes or brackets. The web page author is not aware of problems and has no motivation to fix them. However, a growing proportion of Internet users will be unable to see their page as it was intended to be displayed – unless every other browser also receives programming modifications allowing them to tolerate the exact same flaws IE will, and with the exact same results.

Non-standard Internet Explorer extensions do nothing to help either; pages exploiting such are never going to be viewable as intended in other browsers because of the pervasive mantra within FOSS providers that standards be upheld and adhered to.
So, returning to our problem at hand, the standard for e-mail delivery is SMTP, the simple mail transfer protocol. All mail servers, no matter who the vendor, implement SMTP according to a defined and well-accepted standard known simply as “RFC 821”, which stood for almost twenty years before being updated in the form of RFC 2821.

Microsoft Exchange implements SMTP to receive mail. So does Lotus Domino. So does Sendmail. Consequently, a non-proprietary anti-spam solution can wedge itself between the Internet and your mail server, providing its own SMTP implementation and accepting mail in the first instance. It will cleanse the incoming mail of spam and then pass it on to your real mail server, giving a pure flow of clean e-mail. There’s a secondary advantage too; your e-mail server becomes one step removed from the public Internet.

Now, I have to be fair; this idea isn’t the sole domain of the open source world. Indeed, it’s the model used by services like MessageLabs who provide just this very service themselves. Your e-mail goes straight to them, they cleanse it and pass it on. It’s pure SMTP, with no regard for your operating system or mail server environment.

Yet, these services are businesses; they’re going to charge for what they do. That’s fair enough, but it can easily become depressing when your users say “We have too much spam; you must do something” but the solutions are all like taxi meters, ticking over – “you have how many mailboxes?” they ask. “How many domains do you have?”, “How many e-mail messages do you receive a day?” Every question adds up; every single item adds up.

Can open source compete? Pleasantly, the answer is definitely yes – with some impressively mature and stable products available right now. It doesn’t matter if you’re a Windows or Linux user, it doesn’t matter which mail environment you run.