Spamcheetah spam filter/mail security gateway manual

This presentation takes you through the installation and configuration of the SpamCheetah spam filter from Gayatri Hitech.


  1. SpamCheetah manual. SpamCheetah is the spam control product from Gayatri Hitech. It achieves spam control by way of an SMTP proxy that invokes virus scanning, spam classification and header checks to enforce standards compliance and to combat Internet spam. In doing so SpamCheetah also implements several other features that e-mail security gateway products on the market offer. It comes with rich inline documentation: clicking the swimming-ring icon at the top gives page-level help, and the small info icon at the top right corner of each panel gives panel-level help. This document serves as a detailed technical manual without being too verbose, since the purpose of the product is to make things easy and less laborious; it is therefore purposely kept short and to the point.
E-mail server level spam control is one of the most challenging problems faced by IT systems administrators and business owners, since nobody wants unsolicited commercial or bulk e-mail (UCE and UBE) in their mailboxes. To combat the evolving threat of Internet spam SpamCheetah uses several techniques, including Vipul's Razor, ClamAV virus scanning, Bayesian statistical filtering and allied methods. SpamCheetah also implements firewall-level protection against denial-of-service (DDoS) attacks such as SYN floods, a common accompaniment of spam-sending botnets, in which the mail server behind SpamCheetah never sees a complete TCP connection but the half-open TCP connections still tie up resources and slow down your network. By blocking known botnet sources and bogon address space (prefixes that should never appear as a legitimate source on the Internet), mail from such sources is ignored before it is processed. In addition to stopping spam and viruses, SpamCheetah lets you drop mails from certain senders, to certain recipients, or containing a certain pattern.
You can also inspect the quarantine database from time to time and feed spam to SpamCheetah's internal database to improve its detection accuracy and to guard yourself against false positives. Quarantine mailers are typically sent weekly or daily according to the administrator's preference, but individual users can also log in to their web interface and tune this parameter. SpamCheetah also gives users a web interface
  2. using which users can clear their quarantine from time to time. There is also a quarantine expiry period after which all mails in the quarantine are automatically deleted. All configuration in SpamCheetah is performed through a web panel that is used not only for setup but also for monitoring, tuning and maintenance. This document therefore focuses mainly on the web panel, since everything in SpamCheetah is done there; the nCurses based interface is used only to configure the IP address, network mask and gateway before the web panel can be reached. You also install SpamCheetah from the LiveCD medium using nCurses. Once you boot from the hard disk, SpamCheetah performs all its functions through the web panel. Here is the login screen shown on accessing the URL displayed by the nCurses UI.
  3. Once the administrator logs in with the username admin and the password provided by the nCurses UI, the dashboard shown below appears. It shows the vital parameters of the machine/VM in which SpamCheetah is running and is refreshed by the browser every minute. After that, click the “Base Setup” -> “Installation” menu item, which brings up the screen below.
  4. On this screen you can modify the IP address, network mask or gateway if desired, and set up SpamCheetah to proxy e-mail using the parameters in the panels further down the same screen. Give the mail server's IP address and domain here. Once you have specified these, the installation of SpamCheetah in your network is complete. Next, add valid users for quarantine mailing by clicking the menu item “Base Install” -> “Valid user table”. It looks like this.
  5. You can add valid users either one by one or by importing a text file with one entry per line in the format user,Display name,password. You can verify that the quarantine user and password were created in SpamCheetah's database by logging out of the admin view and logging in to the SpamCheetah quarantine view. The quarantine view looks like this.
  6. Now return to the admin view by logging out and logging in as admin again. Change the admin password via the link at the top right corner of the page. Do this as early as possible: the default password shown by the nCurses UI should be changed before the appliance is reachable from untrusted networks, in order to prevent abuse. The next screen is the Licensing menu item, which shows the license status of SpamCheetah. Use this screen to load the license file after purchase of SpamCheetah.
  7. Then you have the Time menu, in which you can set the time manually or choose the time zone for your geographical location. Accurate time matters here: Received headers, log timestamps and quarantine expiry all depend on it.
  8. The SMTP Controls menu item comes next. Here you can test against an LDAP server and import users from LDAP into the valid user table. You can also enable extra RFC compliance checks and other checks to further tighten SpamCheetah's spam detection. The mail server to domain mapping is defined here, so that mail for the domains served by your mail server is relayed to it. Keep this mapping exact: a gateway that relays mail for domains it does not serve is an open relay. The screen looks like this.
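The "extra RFC compliance checks" mentioned above are the kind of envelope checks a gateway applies before it accepts a message. As an added example written for this manual (not SpamCheetah's code; the exact checks it performs are not documented on this page), here is a small model of that policy in Python: it rejects a HELO/EHLO argument that is not a fully qualified hostname or address literal, a sender or recipient that is not a bracketed address with a qualified domain, and commands sent out of sequence. The test conversations at the bottom are constructed.

```python
"""Envelope-level SMTP policy checks of the kind a mail gateway applies
before accepting a message.  Constructed example for this manual; it is
not SpamCheetah's code and the exact checks SpamCheetah applies are not
documented here."""
import re
from typing import Optional, Tuple

# At least two DNS labels with an alphabetic top-level label: a plausible FQDN.
_FQDN = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$", re.I)
# RFC 5321 address literal, e.g. [192.0.2.1] or [IPv6:2001:db8::1].
_LITERAL = re.compile(r"^\[(?:(?:\d{1,3}\.){3}\d{1,3}|IPv6:[0-9a-f:.]+)\]$", re.I)
# A path is local-part@domain inside angle brackets.
_PATH = re.compile(r"^<([^<>@\s]+)@([^<>@\s]+)>$")


def valid_helo(arg: str) -> bool:
    """Stricter than RFC 5321, which only requires *some* argument: insist on a
    FQDN or address literal, as 'reject non-FQDN HELO' options in MTAs do."""
    return bool(_FQDN.match(arg) or _LITERAL.match(arg))


def parse_path(arg: str, keyword: str) -> Tuple[bool, Optional[str]]:
    """Parse 'FROM:<a@b> [params]' or 'TO:<a@b>'.
    Returns (ok, domain); the null reverse-path '<>' yields (True, None)."""
    if not arg.upper().startswith(keyword + ":"):
        return False, None
    rest = arg[len(keyword) + 1:].split()        # ESMTP params (SIZE=...) may follow
    path = rest[0] if rest else ""
    if keyword == "FROM" and path == "<>":
        return True, None
    m = _PATH.match(path)
    if not m:
        return False, None
    domain = m.group(2)
    if not (_FQDN.match(domain) or _LITERAL.match(domain)):
        return False, None
    return True, domain.lower()


class SmtpSession:
    """One client conversation; enforces syntax and command ordering."""

    def __init__(self) -> None:
        self.helo: Optional[str] = None
        self.sender: Optional[str] = None     # None until MAIL; "" for the null sender
        self.rcpts: list = []

    def command(self, line: str) -> Tuple[int, str]:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            if not valid_helo(arg):
                return 501, "HELO/EHLO argument must be a fully qualified hostname or address literal"
            self.helo = arg.lower()
            self.sender, self.rcpts = None, []
            return 250, "OK"
        if verb == "MAIL":
            if self.helo is None:
                return 503, "send HELO/EHLO first"
            ok, domain = parse_path(arg, "FROM")
            if not ok:
                return 501, "sender must be <local@fully.qualified.domain> or <>"
            self.sender, self.rcpts = (domain or ""), []
            return 250, "OK"
        if verb == "RCPT":
            if self.sender is None:
                return 503, "need MAIL FROM before RCPT TO"
            ok, domain = parse_path(arg, "TO")
            if not ok:
                return 501, "recipient must be <local@fully.qualified.domain>"
            self.rcpts.append(domain)
            return 250, "OK"
        if verb == "DATA":
            if not self.rcpts:
                return 503, "no valid recipients"
            return 354, "end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return 221, "bye"
        return 500, "command not recognised"


def run(lines) -> list:
    """Feed a scripted client conversation and return the reply codes."""
    s = SmtpSession()
    return [s.command(l)[0] for l in lines]


if __name__ == "__main__":
    # Constructed client conversation, one command per line.
    session = SmtpSession()
    for cmd in ["EHLO localhost", "EHLO mx.example.com", "MAIL FROM:a@b.example",
                "MAIL FROM:<bounce@mail.example.net> SIZE=1024",
                "RCPT TO:<user@example.org>", "DATA"]:
        print(cmd, "->", session.command(cmd))
```

Insisting on a qualified HELO name goes beyond what RFC 5321 requires and will reject some badly configured but legitimate senders, so such checks are usually paired with an exception list for known partners.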
  9. Next in line is the Rate controls menu. You can perform firewall-level mail rate limiting on this page. You can also tweak the TCP state machine for low-level manipulations, but these changes can cause trouble if the values are wrong. SpamCheetah comes with some protection against TCP-level attacks, which is tuned through these settings. The page looks like this. Then you have the Notifications menu item. You can set up e-mail notifications/alerts on virus sending/receiving, attachment blocking etc., and globally enable or disable the notification feature. The page looks like this.
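A firewall-level SMTP rate limit and SYN-flood protection of the kind the Rate controls page and the introduction describe, written as an added example for this manual. It assumes an OpenBSD pf firewall (the CARP clustering described later suggests a BSD base, but the page does not say which firewall SpamCheetah uses); the interface name, addresses, file paths and thresholds are placeholders, and this is not SpamCheetah's own configuration:

```pf
# Constructed pf.conf fragment; not SpamCheetah's own configuration.
ext_if = "em0"            # placeholder: interface facing the Internet
mx     = "192.0.2.25"     # placeholder: address the SMTP proxy listens on

# Bogon prefixes loaded from a file that a cron job refreshes; sources that
# trip the rate limit below are collected in <abusers>.
table <bogons>  persist file "/etc/pf/bogons.txt"
table <abusers> persist
table <trusted_relays> persist { 198.51.100.0/24 }   # placeholder: partner MTAs exempt from limits

block in quick on $ext_if from { <bogons>, <abusers> }

pass in quick on $ext_if proto tcp from <trusted_relays> to $mx port smtp \
    flags S/SA keep state

# synproxy: pf answers the client's SYN and completes the three-way handshake
# itself, opening the connection to the mail server only once the client has
# finished the handshake.  A SYN flood therefore never leaves half-open
# connections on the mail server.  The state options allow a source at most
# 10 concurrent and 30 new SMTP connections per minute; a source that exceeds
# this is added to <abusers> and its existing states are flushed.
pass in on $ext_if proto tcp to $mx port smtp \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 30/60, overload <abusers> flush global)
```

Entries in <abusers> stay until removed, so a periodic `pfctl -t abusers -T expire 3600` (run from cron) lets a source back in after an hour. Limits keyed on source address also trip on large legitimate relays that open many connections, which is why the trusted-relay exemption comes first; review the <abusers> table after any change to the thresholds.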
  10. You then have the E-mail disclaimers page. Using this feature you can append a footer to every mail transiting SpamCheetah, for example to enforce corporate policy. You can also set exception mail IDs for those users who should not have this feature applied, and globally enable or disable disclaimer insertion. Note that inserting a footer changes the message body, which invalidates any DKIM signature applied before the mail reached SpamCheetah. Then click the “Quarantine” -> “View/Manage quarantine” menu item. This page lists all quarantined mails stored in SpamCheetah's quarantine database. You can perform bulk actions on them by selecting all and deleting, releasing or training them as spam. The page looks like this.
  11. Then you have the Search quarantine menu item, on a separate page for clarity. You can inspect the quarantine and optionally export the whole database in MS Excel, PDF or HTML formats. The page looks like this.
  12. You can configure the quarantine mailer frequency and set user-specific quarantine frequencies that override the global setting. You can also configure the username and mail ID from which the quarantine mailer is dispatched. The Quarantine settings screen looks like this.
  13. Next is the Feed spam menu. This is a simple menu item using which you feed spam back to SpamCheetah to tune its spam filtering subsystem. Save the mail content to a text file and load it using the file upload menu. The Filtering policy menu item looks like this. Using this menu you set the global defaults for SpamCheetah to pass, quarantine or reject virus mails, spam and banned attachments.
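The Bayesian filtering mentioned in the introduction and the Feed spam action above fit together as follows: the filter keeps per-token counts from spam and ham it has seen, scores a new message from those counts, and feeding spam back adjusts the counts so similar messages score higher next time. The Python below is an added example written for this manual, not SpamCheetah's classifier, and the training messages and the probe message are constructed; it uses a Bernoulli naive Bayes model, which is one common way to do what the text describes.

```python
"""Bayesian spam scoring plus the "feed spam" retraining loop.
Constructed example written for this manual; it is not SpamCheetah's
classifier and the corpora below are made up."""
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9$%']+")


def tokens(text):
    """Lower-cased word set: presence is used rather than counts, so a
    token repeated a hundred times cannot swamp the score."""
    return set(_TOKEN.findall(text.lower()))


class BayesFilter:
    """Bernoulli naive Bayes with Laplace smoothing."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # number of spam messages containing each token
        self.ham_tokens = Counter()    # number of ham messages containing each token

    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens(text))

    def spam_probability(self, text):
        """P(spam | message), computed in log space to avoid underflow."""
        if not self.spam_docs or not self.ham_docs:
            raise ValueError("train on at least one spam and one ham message first")
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for t in tokens(text):
            # +1/+2 smoothing so a token never seen on one side cannot zero it out
            log_spam += math.log((self.spam_tokens[t] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[t] + 1) / (self.ham_docs + 2))
        m = max(log_spam, log_ham)
        p_spam, p_ham = math.exp(log_spam - m), math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)


# Constructed training corpora (not real mail).
SPAM = [
    "cheap pills buy now limited offer click here",
    "you won a lottery prize claim your money now",
    "best deal viagra discount buy today",
]
HAM = [
    "meeting moved to 3pm see the agenda attached",
    "can you review the pull request before the release",
    "lunch tomorrow? the usual place",
]


def trained_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f


def feed_spam(f, messages):
    """The 'feed spam' action: reported messages are added to the spam side.
    Feeding misclassified ham with train(..., False) is the matching guard
    against false positives."""
    for m in messages:
        f.train(m, True)
    return f


if __name__ == "__main__":
    f = trained_filter()
    probe = "please open the attached invoice"        # constructed phishing-style probe
    print("before feeding:", round(f.spam_probability(probe), 3))   # 0.111
    feed_spam(f, [
        "invoice attached please open immediately",
        "your invoice is attached open it now",
        "open the attached invoice to avoid late fee",
    ])
    print("after feeding: ", round(f.spam_probability(probe), 3))   # 0.859
```

The probe scores as ham at first because "the" and "attached" only occur in the ham corpus; after three similar messages are fed as spam it scores above the usual 0.5 threshold. The same mechanism cuts the other way: feeding a legitimate newsletter as spam will start quarantining mail that shares its vocabulary, which is why the quarantine should be reviewed rather than bulk-trained blindly.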
  14. Now we move on to the “System internals” -> “Mail arrival” screen. You can view the mail traffic patterns live as well as a bar graph of the mail load handled by SpamCheetah. There is nothing to configure here; it is a read-only display which looks like this.
  15. Then we have the longest screen in SpamCheetah, the feature-rich “System internals” menu item. This gives deep insight into the inner workings of SpamCheetah, furnishes information on spam control and various statistics of interest in a graphical display, and provides tools to ping, traceroute, look up the MX record, load-test a mail server and so on. The screen looks like this.
  16. You can view the live SMTP handshake using the SMTP handshake menu. If you watch this screen for a while you will see the SMTP proxying done by SpamCheetah, spam being rejected and mail passing through. Next we have the Graphs menu, which shows time series of the spam ratios and of mails received by hour, by month and by year.
  17. Then there is the Reporting screen, in which all the vital statistics of interest are shown in tabular form. This is also a view-only screen. Following that you have the Mail history menu. Here you see all the mails that SpamCheetah passed without rejecting as spam or quarantining. You can run queries and also export to MS Excel, PDF or HTML.
  18. Then you have the SMTP Proxy Logs menu. You can download the proxy logs in full for offline viewing here. All the subsequent menus are for viewing other logs. Here is the screenshot. Then you have the SMTP log, which contains only the SMTP handshake log that most industry standard mail servers emit for diagnosing SMTP protocol issues.
  19. Then you have the Web logs, which show the screens the admin clicked while editing SpamCheetah. This is useful for finding out which configuration screens were accessed if a mistake is made. Treat it as an audit trail and forward it to the remote syslog host together with the other logs, so that a record survives on a machine the appliance admin cannot edit. It looks like this. You can also download the syslogs from the Syslogs menu. These are the UNIX syslogs, which give information about the appliance as a whole.
  20. Then you have the Engines -> Virus Engines menu, where you can view statistics on the virus filtering subsystem of SpamCheetah.
  21. You then have the Updates menu. Using this screen you can upgrade SpamCheetah when new releases are made, subject to license validity.
  22. Then you have the Mail control menu. This is a very important menu item, since it lets you do very sophisticated mail filtering.
  23. Then you have the Monitor SpamCheetah menu item. Using this you can raise alerts on various conditions and have SpamCheetah mail you on excessive CPU use, swap use etc.
  24. Then you have the Console -> Web Interface settings menu. Here you can set the theme of the SpamCheetah UI, upload your logo and also reset all configuration values to their defaults should something go wrong.
  25. Next is the Backup menu item. You can take rsnapshot incremental backups and backups of the internal databases, and restore manually if needed.
  26. Then you have the OS ghosting menu. Instead of a part-by-part backup you can completely “ghost” the SpamCheetah appliance using this menu, uploading the image to an FTP server either anonymously or with a username and password. FTP transfers credentials and data in the clear, and the image contains your configuration, license and quarantine, so keep the FTP server on a trusted network and restrict who can read the uploaded image.
  27. You can also configure hosts for a UDP syslog server to which the various logs exported by SpamCheetah are forwarded. Make sure they are on the same LAN: UDP syslog is neither encrypted nor authenticated, and messages sent across routed networks can be lost or read in transit.
  28. You can then configure some of the SNMP parameters for the SNMP agent running within SpamCheetah. SNMP v1/v2c community strings travel in the clear and act as the password, so use a non-default community and restrict which managers may query the agent. You then have the Shutdown menu item, using which you can shut down or reboot SpamCheetah for maintenance. Remember that SpamCheetah is a highly critical component of your mail infrastructure; if you need to shut it down we recommend that you cluster SpamCheetah and leave at least one instance running.
  29. You can view the SNMP parameters exported by SpamCheetah using a local SNMP manager running inside SpamCheetah.
  30. Then you have the country-wise view, which shows which countries are sending mail to the domains protected by SpamCheetah. The top 50 originating countries are shown in a choropleth map, where darker green tones mark countries sending you more mail than those in lighter tones. The numbers and percentages are also shown in the table below it.
  31. Finally you have the Cluster -> Clustering menu, using which you can set up SpamCheetah clustering for high availability and for load sharing, using a separate node in front of SpamCheetah to redirect traffic. You have to set up a CARP virtual IP address and a VHID parameter, which you can leave unchanged if you have only one cluster in your network. The VHID must be unique among all CARP groups on the same network segment, and the mail server to domain mapping should point at the virtual IP rather than at an individual node.
  32. SpamCheetah is a versatile spam control product with easy clustering and an attractive price tag. Users get their own quarantine web panel as well as quarantine mailers for managing their own quarantine. Gayatri Hitech provides good quality support by phone, e-mail or chat.
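The CARP virtual IP and VHID that the clustering menu asks for, shown at the operating-system level so the parameters make sense. This is an added example constructed for this manual, not SpamCheetah's own configuration: it assumes an OpenBSD base with em0 as the LAN interface, and the addresses and shared secret are placeholders.

```conf
# /etc/hostname.carp0 on the primary node (constructed example)
# vhid   : CARP group id, unique per network segment (1-255)
# pass   : shared secret that authenticates CARP advertisements
# advskew: lower value wins the master election
inet 192.0.2.25 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass ChangeMe-shared-secret advskew 0

# /etc/hostname.carp0 on the secondary node: same address, vhid and secret,
# higher advskew so it takes over only when the primary stops advertising
inet 192.0.2.25 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass ChangeMe-shared-secret advskew 100

# /etc/pf.conf on both nodes: CARP advertisements must be allowed to pass
pass quick on em0 proto carp

# /etc/sysctl.conf on both nodes: let the node with the lowest advskew
# reclaim the master role when it comes back
net.inet.carp.preempt=1
```

Point the upstream mail server mapping and your MX record at 192.0.2.25, the virtual address, rather than at either node's own address; the secret must match on both nodes or the backup will ignore the primary's advertisements and both will claim the address.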