Kaspersky Lab KASPERSKY ANTI-SPAM 2.0 Instructions

KASPERSKY LAB
Kaspersky Anti-Spam 2.0
Enterprise Edition / ISP Edition
ADMINISTRATOR’S GUIDE
KASPERSKY ANTI-SPAM 2.0
ENTERPRISE EDITION / ISP EDITION
© Kaspersky Lab
http://www.kaspersky.com
© Ashmanov & Partners Ltd.
http://www.ashmanov.com
Revision Date: June 2004
Contents
CHAPTER 1. KASPERSKY ANTI-SPAM 2.0 ENTERPRISE EDITION / ISP
EDITION ....................................................................................................................... 8
1.1. What's new in Kaspersky Anti-Spam 2.0 ........................................................... 10
1.2. Licensing policy ................................................................................................... 11
1.3. Hardware and software system requirements ................................................... 12
1.4. Distribution Kit...................................................................................................... 12
1.5. Services provided to registered users ................................................................ 13
1.6. Formatting conventions.......................................................................................14
CHAPTER 2. KASPERSKY ANTI-SPAM STRUCTURE AND ARCHITECTURE..... 16
CHAPTER 3. INSTALLING KASPERSKY ANTI-SPAM.............................................. 20
3.1. Preparing for the installation................................................................................ 20
3.2. Installing applications included in the Kaspersky Anti-Spam software
package.............................................................................................................. 21
3.3. Installing the license key...................................................................................... 22
3.4. Integrating Kaspersky Anti-Spam into your mail system ................................... 23
CHAPTER 4. KASPERSKY ANTI-SPAM OPERATION AND FILTERING
PHILOSOPHY ............................................................................................................ 24
4.1. Configuring filtering settings ................................................................................ 24
4.2. Data updating procedure..................................................................................... 24
4.3. Filtering philosophy.............................................................................................. 25
4.3.1. Address, headers and message size analysis ............................................ 26
4.3.2. Message content analysis – content filtering............................................... 27
4.3.3. Actions to be applied to messages .............................................................. 28
4.3.4. Filtering profiles and filtering rules application order.................................... 31
4.3.4.1. Profiles application order ....................................................................... 31
4.3.4.2. Message modification during processing.............................................. 32
4.3.4.3. Filtering results....................................................................................... 33
4.4. Preinstalled filter profiles...................................................................................... 35
4.4.1. Stages of the preinstalled filter profiles operation........................................ 35
4.4.1.1. Detection of spam attributes: analysis of message headers................ 36
4 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
4.4.1.2. Message evaluation............................................................................... 36
4.4.1.3. Reaction to spam................................................................................... 38
4.4.2. Setting up preinstalled filter profiles.............................................................. 39
4.4.2.1. Selecting default reaction to spam ........................................................ 40
4.4.2.2. Choosing reaction to spam for particular users .................................... 42
4.4.2.3. Selecting filtering level severity.............................................................. 43
4.4.3. Specific headers assigned by the filter......................................................... 44
CHAPTER 5. CONFIGURING FILTERING PARAMETERS....................................... 47
5.1. Starting WebConfigurator.................................................................................... 47
5.2. Working with WebConfigurator ........................................................................... 48
5.2.1. Working with common profiles. The common tab ....................................... 48
5.2.1.1. Creating a common profile .................................................................... 49
5.2.1.2. Activating common profiles.................................................................... 50
5.2.1.3. Deleting profiles ..................................................................................... 51
5.2.2. Working with personal profiles. The personal tab........................................ 52
5.2.2.1. Creating personal profiles...................................................................... 52
5.2.2.2. Activating personal profiles.................................................................... 53
5.2.3. Editing filter profiles....................................................................................... 54
5.2.3.1. Creating filtering rules ............................................................................ 55
5.2.3.2. Switching to editing an existing rule ...................................................... 56
5.2.3.3. Deleting existing rules............................................................................ 56
5.2.3.4. Controlling rule application procedures................................................. 56
5.2.3.5. Editing filter profile name, description and field of application.............. 57
5.2.3.6. Saving profiles........................................................................................ 59
5.2.4. Filtering rule editing....................................................................................... 59
5.2.4.1. Filtering rule edit page ........................................................................... 59
5.2.4.2. Setting new conditions........................................................................... 61
5.2.4.2.1. Conditions related to the IP address of the sending
mail server............................................................................ 62
5.2.4.2.2. Conditions related to the sender’s e-mail .............................. 62
5.2.4.2.3. Conditions related to recipient’s e-mail address.................... 63
5.2.4.2.4. Conditions related to message headers................................ 64
5.2.4.2.5. Condition related to content filtering results .......................... 65
5.2.4.2.6. Condition related to message size ........................................ 66
5.2.4.3. Editing conditions................................................................................... 67
5.2.4.4. Deleting conditions................................................................................. 68
Contents 5
5.2.4.5. Creating new actions .............................................................................68
5.2.4.5.1. Options and settings of the change recipient action.............. 68
5.2.4.5.2. Options and settings of the change header action ................ 69
5.2.4.6. Editing actions........................................................................................ 71
5.2.4.7. Deleting actions...................................................................................... 72
5.2.4.8. Saving rules............................................................................................ 72
5.2.5. Working with lists. The e-mails, ip addresses, dns blacklists tabs............. 73
5.2.5.1. Viewing lists............................................................................................ 74
5.2.5.2. Creating new lists................................................................................... 76
5.2.5.3. Editing lists ............................................................................................. 77
5.2.5.3.1. Creating a new list entry........................................................ 77
5.2.5.3.2. Editing list entries .................................................................. 78
5.2.5.3.3. Deleting list entries................................................................ 79
5.2.5.3.4. Editing list name and description........................................... 79
5.2.5.4. Deleting lists ........................................................................................... 80
5.2.5.5. Saving lists .............................................................................................81
5.2.6. Working with sample spam messages ........................................................ 82
5.2.6.1. Adding sample messages ..................................................................... 82
5.2.6.2. Editing sample messages ..................................................................... 83
5.2.6.3. Deleting sample messages ................................................................... 84
5.2.7. General filter settings.................................................................................... 84
5.2.7.1. Notifications of rejection sent to the original message sender ............. 85
5.2.7.2. Generating the list of licensed users .....................................................86
5.2.8. Saving Filter configuration ............................................................................ 87
CHAPTER 6. UPDATING THE CONTENT FILTERING DATABASE........................ 89
6.1. Selecting the source of the content filtering database update ........................... 90
6.2. Launching the updating process......................................................................... 90
6.2.1. Scheduled launch ......................................................................................... 91
6.2.2. Launching the content filtering database update process from the
command line................................................................................................ 91
6.3. Viewing results..................................................................................................... 92
APPENDIX A. ADDITIONAL INFORMATION ABOUT KASPERSKY ANTI-SPAM .. 93
A.1. The ap-process-server program (master process)............................................ 93
A.1.1. Starting and stopping the master process................................................... 93
A.1.2. The ap-process-server program configuration file ...................................... 94
6 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
A.1.3. System log (syslog) records detail levels ....................................................95
A.2. The ap-mailfilter program (filtering process) command line parameters .......... 96
A.3. Client modules for mail systems......................................................................... 98
A.3.1. Interaction of the client modules with the filtering service........................... 98
A.3.2. kas-milter (client module for Sendmail) ....................................................... 99
A.3.2.1. Operation of the kas-milter program ..................................................... 99
A.3.2.2. The kas-milter program configuration file ........................................... 100
A.3.2.3. Configuring Sendmail when using kas-milter..................................... 101
A.3.3. kas-pipe (client module for Postfix, Exim) .................................................101
A.3.3.1. kas-pipe operation............................................................................... 101
A.3.3.2. kas-pipe configuration file.................................................................... 102
A.3.3.3. Configuring Postfix when using kas-pipe............................................ 104
A.3.3.4. Configuring Exim when using kas-pipe.............................................. 105
A.3.4. kas-exim (client module for Exim).............................................................. 106
A.3.4.1. Compilation of the kas-exim program................................................. 106
A.3.4.2. kas-exim configuration parameters..................................................... 107
A.3.5. kas-qmail (client module for Qmail) ........................................................... 108
A.3.5.1. kas-qmail operation ............................................................................. 108
A.3.5.2. The kas-qmail program configuration file ........................................... 108
A.3.5.3. Configuring Qmail when using kas-qmail........................................... 110
A.3.6. kas-cgpro (client module for Communigate Pro) ......................................110
A.3.6.1. kas-cgpro operation............................................................................. 110
A.3.6.2. The kas-cgpro configuration file.......................................................... 111
A.3.6.3. Configuring Communigate Pro when using kas-cgpro...................... 112
A.4. Configuration files.............................................................................................. 113
A.4.1. Configuration files and their location in the file system ............................. 113
A.4.2. Headers of XML files.................................................................................. 113
A.4.3. Filter profiles list (profiles.xml).................................................................... 114
A.4.4. Set of e-mail addresses lists (emails.xml) ................................................. 115
A.4.5. Set of IP address lists (Iplists.xml)............................................................. 115
A.4.6. Set of DNS-based RBL service lists (dnsblacklists.xml)........................... 116
A.4.7. Filter profile ................................................................................................. 116
A.4.8. E-mail addresses list .................................................................................. 121
A.4.9. IP addresses list ......................................................................................... 121
A.4.10. DNS-based RBL service list .................................................................... 122
A.4.11. List of sample spam messages for users (samples.xml)........................ 123
Contents 7
A.4.12. User’s sample spam message ................................................................ 123
A.4.13. Advanced filter settings file (settings.xml)................................................ 124
A.4.14. List of predefined categories (catlist.xml) ................................................ 124
A.5. Updater script configuration file ........................................................................125
A.6. Updater script command line switches............................................................. 125
APPENDIX B. KASPERSKY LAB............................................................................... 126
B.1. Other Kaspersky Lab products......................................................................... 127
B.2. Contact Us......................................................................................................... 131
APPENDIX C. ASHMANOV & PARTNERS LTD....................................................... 132
APPENDIX D. INDEX .................................................................................................. 133
CHAPTER 1. KASPERSKY ANTI-
SPAM 2.0 ENTERPRISE EDITION / ISP EDITION

Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition is a software package that filters incoming e-mail messages in order to protect users against unsolicited bulk mailings or Spam.

Kaspersky Anti-Spam filters incoming e-mail messages received via SMTP protocol before the messages are delivered to the user's mailbox. Depending on the rules set by the administrator, Kaspersky Anti-Spam processes messages, namely, it can deliver a message to the recipient unaltered, block it, generate a notification on the message rejection, add or change header, etc.
Every incoming e-mail message is checked for attributes characteristic of unsolicited bulk messages (Spam).
Firstly, the program checks all possible attributes of the incoming message: sender's and recipient’s addresses (envelope), message size and its headers (including the From and To headers). In particular, the program detects the following "suspicious" situations:
presence of the sender's address in the "black list" or its absence in the "white list";
presence of the sender's IP address in the "black list" or its absence in the "white list";
presence of the sender's IP address in a DNS-based real time black hole list (RBL);
RBL (real time black hole list) – is a database of mail server IP addresses that allow uncontrolled bulk mailings. These mail servers allow receiving messages from any sender and forwarding them to any recipient.
If spam is consistently sent from an address, and the administration of the mail server does not take any preventive measures, such server may be reported to RBL as a spammer. The spammer will be included in the database and this make it possible to automatically deny message delivery from this server.
Some RBL services include free mail services and other "decent" servers in their databases. This is why their data should be used
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition 9
with caution to avoid false triggering.
absence of the sender’s server in the DNS;
matching of one of the message headers a regular expression stored by
the program;
excessively large size of the message.
For more details on e-mail message analysis, see para 4.3.1, page 26.
Secondly, content filtering is used, i.e. the message content is analyzed
(including the header Subject) and attached files.
1
Linguistic algorithms based on a comparison with sample messages and regular expressions (words and word combinations) are used.
Messages that do not match the parameters of a filtering rule or of a content filtering algorithm are sent to the recipients unaltered.
Messages that display features characteristic of spam will be processed in
accordance with the filtering rules (see para 4.3, page 25).
Profiles (sets of filtering rules), lists of addresses these rules refer to, and other Kaspersky Anti-Spam settings can be modified by the mail service administrator using the WebConfigurator program.
Kaspersky Anti-Spam is distributed with preinstalled filter profiles (sets of filtering rules) that ensure effective spam detection and provide for several options of spam processing. Before you start using the filter, make sure that you have reviewed the filtering schemes suggested (see para 4.4, page 35) and choose the scheme that suits you better.
If you wish to modify these preinstalled filter profiles or to create new profiles, please carefully read chapters of this manual describing the filter operation logic (see para 4.3, 25) and its setup using the WebConfigurator program (Chapter 5, page 47).
Pay special attention to the filter setup. An Improper setup may result in:
inefficient filter operation (most of the unsolicited messages pass through the filter)
the loss of normally allowed e-mails.
1
Plain text, HTML, Microsoft Word and RTF formats analysis is provided. For more details
see para 4.3.2, page 27.
10 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
Ashmanov & Partners is constantly working on the enhancement and updating of the linguistic data used for spam detection. To ensure most efficient spam protection, it is necessary to download the latest versions of these data using the updater script (see Chapter 6, page 89).
We strongly recommend that you schedule automatic data updating from cron to start at least 4-6 times per day.
We wish you trouble-free experience with Kaspersky Anti-Spam and hope that you will appreciate the important benefits it offers:
the use of Artificial Intelligence methods for message content analysis (content filtering);
integration of all filtering methods within a single module and the possibility of their combination;
centralized control of all filtering rules through the common web interface.
1.1. What's new in Kaspersky Anti­Spam 2.0
The following features present in Kaspersky Anti-Spam 2.0 have undergone extensive modifications compared to the previous version and have been extended to include:
Integration into e-mail client applications. If you choose standard
installation, Kaspersky Anti-Spam 2.0 will be integrated into the e-mail
client application installed on your computer and will operate as a filtering module. Kaspersky Anti-Spam supports the following e-mail client programs: Postfix, Sendmail, Qmail, Exim, Communigate Pro
New installer has been implemented. Kaspersky Anti-Spam 2.0 is now
distributed as a standard package: rpm, deb for Linux or tgz FreeBSD and
its installation is performed using standard Linux or FreeBSD installers.
The program now offers more user-friendly features:
the feature used for entering system events into special log
(syslog) has been upgraded. Now it allows to gather statistical data on the number of processed messages and on the spam/no spam percentage ratio using standard Unix report analysis tools.
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition 11
the feature used for labeling spam messages has become more convenient: the corresponding token is now added to the beginning of the Subject of the message.
The application operational stability has been enhanced:
problems related to the application's work under Linux Red Hat
9, Suse 9, Red Hat Enterprise Edition and other operating systems have been eliminated;
an obsolete utility used for license verification (kavuccsf) has
been removed. The new license module delivers stable performance under various versions of Linux and FreeBSD;
an obsolete http server (_httpd) has been removed.
Communication with the WebConfigurator program is ensured
via a standard thttpd server (alternatively apache server can be
used).
The efficiency of the program's operation has been doubled and communication with rbl services has been optimized - now the queries are executed considerably faster.
Spam detection quality has been improved:
improved reliability of detecting spam messages with attached
graphic files; GSG-2 technology has been introduced;
a new feature has been added that allows to look-up the IP address not only for the last mail transport (relay) agent, but also for all previous agents (based on the analysis of the Received header);
the quality of HTML-format messages analysis has been improved due to the filtering algorithms of "invisible" text, random sequences, etc.
the program can now analyze UUE-encoded messages.
OEM version of the application has been developed. Along with standard
solutions (Kaspersky Anti-Spam 2.0 Enterprise and Kaspersky Anti-Spam
2.0 ISP), SDK for integration of spam filtering feature into OEM solutions has been implemented.
1.2. Licensing policy
Kaspersky Anti-Spam 2.0 now offers two types of licensing:
12 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
traffic-based licensing (mail traffic filtered during a certain period of time);
based on the number of e-mail addresses processed.
The latter type of licensing provides control over the use of Kaspersky Anti-Spam based on the number of e-mail addresses that the program processes during the license period.
The list of licensed e-mail addresses is formed by the WebConfigurator program (the Settings tab) based on the data contained in the key file (see para 5.2.7.2, page 86). The total number of addresses shall not exceed the number determined by the license. E-mail messages containing addresses added in excess of the number of addresses allowed by the license or addresses not registered altogether will not be filtered (mail messages will be delivered to the user's mail box unaltered).
Please make sure that you edit the list of licensed recipients before you start using the filter!
1.3. Hardware and software system requirements
In order to ensure the proper operation of Kaspersky Anti-Spam, your system must meet the following hardware and software requirement:
Linux or FreeBSD 4.x operating system running on the Intel x86 platform;
At least 500 MHz Intel Pentium III processor;
At least 256 MB RAM;
wget and bzip2 programs installed;
one of the following e-mail client programs: Sendmail, Postfix, Exim,
Qmail, Communigate Pro.
1.4. Distribution Kit
You can purchase Kaspersky Anti-Spam from our dealers (retail box) or in one of our online stores (visit our website www.kaspersky.com link).
If you buy a boxed product, the distribution kit will include:
and follow the E-Store
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition 13
A sealed envelope with the installation disk containing the program installation files;
User’s Guide;
License key file on the installation disk;
License agreement.
Before you open the envelope with the installation disk, make sure that you have carefully read the License agreement.
If you buy Kaspersky Anti-Spam online, you will download the installation file from the Kaspersky Lab website. In this case, the distribution kit will include, along with the program, this User's Guide. The license key will be included with the distribution kit or e-mailed to you upon the receipt of your payment.
License Agreement is a legal contract between you and Kaspersky Lab Ltd. that contains terms and conditions on which you may use the product that you purchased.
Please read License Agreement carefully!
If you do not agree with the terms and conditions of the License Agreement, you may return the retail box to the Kaspersky Anti-Spam dealer you purchased it from and the money you paid for subscription will be refunded to you on the condition that the envelope with the installation disk has remained sealed.
By opening the sealed envelope with the installation disk, you accept all terms and conditions of the License Agreement.
1.5. Services provided to registered users
Kaspersky Lab Ltd. offers to all registered users of their products an extensive service package enabling registered users to boost the efficiency of Kaspersky Anti-Spam.
After you have purchased a subscription you become a registered program user and during the period of your subscription will be provided with the following services:
availability of the program upgrades;
14 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
support on issues related to the installation, configuration and use of the product provided by phone or via e-mail;
information about new Kaspersky Lab products and about new computer viruses throughout the world (for Kaspersky Lab Ltd. newsletter subscribers).
Kaspersky Lab does not provide support on issues related to the performance and the use of operating systems or other technologies.
1.6. Formatting conventions
Various formatting conventions are used throughout this Guide depending on the purpose of the particular part. These conventions are explained in the table below.
Convention Meaning
Bold type
Note
Attention!
In order to...,
1. Step 1.
2. …
Problem, example
Menu titles, commands, window titles, dialog elements, etc.
Additional information, notes
Critical information that requires special attention
Description of the sequence of possible actions
Problem definition or an example of using the program's capabilities
Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition 15
Convention Meaning
Solution
[switch]— function
Information message and command line text
Solution to the problem described
Command line switches
Text contained in the program configuration files, delivered via information messages or command line entries
CHAPTER 2. KASPERSKY ANTI-
SPAM STRUCTURE AND ARCHITECTURE
Since version 2.0, Kaspersky Anti-Spam is no longer a full-featured mail transport agent (MTA) able to receive, forward or deliver e-mail messages to the users' mailboxes. These functions are now performed by the server-based MTA system.
Kaspersky Anti-Spam 2.0:
1. integrates into the mail system;
2. receives messages from this system;
3. checks messages for the presence of spam attributes;
4. depending on the result of the check, modifies messages (labels and modifies headers, edits the list of recipients);
5. returns messages to the mail system for delivery.
For internal architecture of Kaspersky Anti-Spam see Figure 1. The client modules are designed to ensure integration of Kaspersky Anti-Spam
into various mail systems. Each client module is implemented so that it takes into account the peculiarities of each particular mail system and of the integration method selected.
The Kaspersky Anti-Spam distribution kit includes client modules for Sendmail, Postfix, Exim, Qmail and Communigate Pro mail systems.
As a rule, the client module is installed in the MTA as a filter and ensures receiving of messages to be processed from the mail system and returning processed messages back to the system.
Client modules are launched by the mail system. MTA can launch several client processes for the parallel processing of several messages. For more details on the client modules and methods of their integration into the mail systems see section A.3, page 98.
Kaspersky Anti-Spam Structure and Architecture 17
End users' mailboxes
INTERNET
K
ASPERSKY ANTI-SPAM
MAIL SYSTEM
(MTA)
Client
Module
FILTERING SERVER
Licensing
service
(kas-license)
Key file
List of lic ens ed mail addresses
Filtering Service
Master process
(ap-process-server)
Filtering process
(ap-mailfilter)
Automatic Internet update of the filtering database (sfupdates)
Data
Filtering database
Filter profiles and
local lists
WebTuner
Configuration scrip (ap-mft-config.cgi)
http server
(kas-thttpd)
Figure 1. Kaspersky Anti-Spam internal architecture
18 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
Irrespective of the peculiarities of a particular client module, the interaction between the client and the main module of Kaspersky Anti-Spam, filtering server, is implemented the same way, using internal data exchange protocol via a network or a local socket.
The filtering server responses to the clients' requests, receives messages subject to processing from them and returns results back to the clients.
If the standard installation procedure has been selected, the mail system with the integrated client module and filtering server will be installed on the same computer.
However, it is possible to install Kaspersky Anti-Spam filtering server on a separate server: in this case clients running on a different computer (server), will exchange data with the filtering server via the local area network using TCP protocol.
If the filtering server is running on a dedicated computer, it is capable of servicing several mail servers at the same time provided that this computer has sufficient power to process the combined mail traffic.
The structure of the filtering server includes:
the filtering service that checks messages;
licensing service that checks the availability and the validity of the key
file and works with the list of licensed mail addresses;
automatic filtering database download and compile script;
WebConfigurator;
auxiliary applications and scripts.
The operation of the filtering service is controlled by the master process (ap­process-server), that:
keeps track of requests for connection to the filtering process received from the clients;
if there are no free processes available, it starts new processes;
keeps track of the statuses of the running processes (free/busy);
once a signal (e.g. SIGHUP) is received, it transfers such signal to a
child process.
When the mail traffic is extensive, the number of running filtering processes may reach several dozens. When the load on the mail system decreases, free filtering processes will be stopped. The minimum and the maximum number of filtering processes running at the same time are determined by the settings specified in the master process configuration file (see para A.1.2, page 94).
Kaspersky Anti-Spam Structure and Architecture 19
When the filtering process starts, it loads filter profiles (sets of filtering rules) and opens the filtering database (set of data used for the content analysis). After the connection to the client has been established, the filtering process receives the header and the body of the message from the client, analyzes them and returns the results back to the client.
Messages will be analyzed and rules and filter profiles will be applied only if there is a valid license key installed. If the license is based on the number of mail addresses, a message will be processes only if the address of the recipient of such message is in the list of licensed mail addresses.
All checks related to licensing are performed by the licensing service (kas­license) at the request received from the filtering process.
After the message processing is complete, the filtering process does not stop and awaits a new request. The filtering process completes only after it has processed the maximum number of messages (normally about 300) allowed to be processed by one process or after it has been idle for a long time.
Automatic updater script (sfupdates) is launched according to a schedule (using crontab) and initiates downloading and compilation of the latest version of the content filtering database.
WebConfigurator is an administrator's tool that provides web interface for editing filter profiles and filtering rules, maintaining white and black lists and the list of licensed mail addresses.
CHAPTER 3. INSTALLING
KASPERSKY ANTI-SPAM
Before the installation of Kaspersky Anti-Spam, please carefully read
this chapter as well as the readme-install file that may contain the latest
recommendations on the program installation.
3.1. Preparing for the installation
Before installing Kaspersky Anti-Spam:
make sure that your system meets all hardware and software
requirements for the installation of Kaspersky Anti-Spam (see para 1.3, page 12);
make sure that you have a valid Kaspersky Ant-Spam 2.0 license key
(Enterprise or ISP Edition);
make sure that you have wget, bzip and perl programs installed;
make sure that the mail system installed on your server is functioning
properly;
backup your mail system configuration files.
We recommend that you install the application during the off-work hours or when the mail traffic is minimal!
Kaspersky Anti-Spam installation includes three steps:
1. installation of applications included into the Kaspersky Anti-Spam software package;
2. installation of the license key;
3. integration into your mail system.
Installing Kaspersky Anti-Spam 21
3.2. Installing applications included in the Kaspersky Anti-Spam software package
The installation of Kaspersky Anti-Spam should be performed by the root user.
Kaspersky Anti-Spam 2.0 is distributed:
as an rpm package for most versions of Linux OS (RedHat, SuSe, Mandrake, Fedora, ASP Linux, Alt Linux, etc.);
deb package for Debian Linux;
tgz package for FreeBSD OS;
tar.gz archive with a shell installer for operating systems that do not
include package managers (as for example, Slackware).
In order to install Kaspersky Anti-Spam using an rpm package, execute command:
rpm –i
<package_name>
In order to install Kaspersky Anti-Spam using a deb package, execute command:
dpkg –i
In order to install Kaspersky Anti-Spam using a tgz package, execute command:
pkg_add
In order to install Kaspersky Anti-Spam using a tar.gz archive, execute commands:
tar xzvf <archive_name> cd <unpacked_distribution_package_name> ./install.sh
<package_name>
<package_name>
22 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
The following will be performed during the installation process:
creation of a user and of the mailflt group, required for the operation of Kaspersky Anti-Spam;
installation of all applications included in the Kaspersky Anti-Spam
software package into the /usr/local/ap-mailfilter folder;
creation and installation of the filtering service launching script (ap­process-server), licensing service (kas-license) and http server (kas­thttpd) - all this performed at the operating system restart,
launching all necessary applications and services;
creation of a record in the mailflt user's crontab for the automatic
launch of the content filtering database updates download script.
As a result of the above actions, the Kaspersky Anti-Spam filtering service will be installed and launched on your server. However, in order to enable the filtering of e-mail messages, the license key must be installed and Kaspersky Anti-Spam must be integrated in your mail system.
3.3. Installing the license key
The license key attached to the license your purchased, will be supplied with the Kaspersky Anti-Spam distribution kit.
If, for any reason, you did not receive your license key, please contact
Kaspersky Lab's technical support service (support@kaspersky.com).
In order to install your license key, execute command:
/usr/local/ap-mailfilter/bin/install-key <key_file_name>
If the license key is not installed or is invalid, Kaspersky Anti-Spam will not filter e-mail messages, but the mail system will still be fully functional: all messages will be delivered to the recipient, but no checking and labeling will be performed.
It is important to remember that if the license is based on the number of registered mail addresses, checking will be provided only for the recipients whose addresses are included in the list of e-mail addresses (within the maximum number of addresses allowed by the license).
Do not forget to enter addresses into the list of licensed addresses before you start using the filter!
Installing Kaspersky Anti-Spam 23
3.4. Integrating Kaspersky Anti­Spam into your mail system
Integration of Kaspersky Anti-Spam into the mail system involves the installation of the client module in the mail system and modification of the mail system configuration files.
These actions are performed automatically by the MTA configuration script or by the configuration script of the mail system installed.
For detailed information on the client modules integration methods and about modification of the mail system configuration files refer to section A.3, page 98.
In order to integrate Kaspersky Anti-Spam into the mail system installed on your server, launch the universal MTA configuration script.
/usr/local/ap-mailfilter/bin/MTA-config.pl
In most cases, this script will determine the type of the MTA and will modify its configuration files as required.
However, in case of non-standard installation or configuration of your MTA, script
MTA-config.pl will be unable to find the configuration files. In this case, you will
have to use the configuration script of the particular e-mail application used.
In order to integrate Kaspersky Anti-Spam into the Sendmail mail system, execute command:
/usr/local/ap-mailfilter/bin/sendmail-config.pl
In order to integrate Kaspersky Anti-Spam into the Postfix mail system, execute command:
/usr/local/ap-mailfilter/bin/postfix-config.pl
In order to integrate Kaspersky Anti-Spam into the Exim mail system, execute command:
/usr/local/ap-mailfilter/bin/exim-config.pl
In order to integrate Kaspersky Anti-Spam into the Qmail mail system, execute command:
/usr/local/ap-mailfilter/bin/qmail-config.pl
Integration of Kaspersky Anti-Spam into the Communigate Pro mail system is performed using this mail system's web interface (see para A.3.6.3, page 112).
CHAPTER 4. KASPERSKY ANTI-
SPAM OPERATION AND FILTERING PHILOSOPHY
4.1. Configuring filtering settings
Kaspersky Anti-Spam provides you with powerful tools for detecting spam in the incoming e-mail traffic. Actions with suspicious messages may range from most severe (rejection) to quite moderate (e.g., adding an extra header to the message for further processing by the e-mail program). The mail service administrator decides which actions should be applied to a particular spam type.
The Kaspersky Anti-Spam distribution kit includes a set of preinstalled filter profiles that ensure effective spam filtering and provide alternative means for processing detected spam messages (for more details see para 4.4, page 35).
Filtering rules and profiles as well as the order of their application can be modified by the system administrator via WebConfigurator (see Chapter 5, page 47). In addition, the administrator can enable and disable particular profiles via WebConfigurator.
Editing of filter profiles should be performed with extreme care as even minor changes may result in serious undesirable consequences such as false filter triggering or decreased spam detection quality.
All filter operation settings are configured using a convenient web interface provided by WebConfigurator.
Description of WebConfigurator operation and filtering settings configuration are described in Chapter 5, page 47.
It is strongly recommended that you familiarize yourself with the filtering use philosophy before you start using these rules (see para 4.3, page 25).
4.2. Data updating procedure
To analyze message content, Kaspersky Anti-Spam uses the content filtering database that includes spam message examples, characteristic terms and other
Kaspersky Anti-Spam Operation and Filtering Philosophy 25
data. The linguistic laboratory of Ashmanov & Partners JSC is constantly improving and updating this database, therefore it is necessary to download the database updates regularly in order to provide effective spam detection and processing.
The updates are downloaded via the Internet by the updater script. We strongly recommend that you include this script into crontab. It is recommended to
schedule it to start at least every hour. By default the filter data updates are downloaded from
ftp://downloads1.kaspersky-labs.com/sfupdates
download location may be used. The update can be either incremental (adding new entries to the database) or
complete (complete replacement of the old database with a new version). Selection and downloading of the updates, content filtering database and the filtering service restart are performed automatically.
For more details on the content filtering database updates see Chapter 6, page 89.
; if necessary an alternative
4.3. Filtering philosophy
Processing of an e-mail message is provided by applying filtering rules to such
message.
Each filtering rule consists of an unordered set of conditions and an ordered set
of actions:
processing of an e-mail message starts with analysis; checking whether
the conditions described in a certain rule are met;
if at least one condition has not been met, processing of a message by this rule will be stopped and no actions will be performed;
if all conditions have been met, then actions defined by this rule will be applied to this message in the order prescribed by the rule.
Filtering rules grouped into filter profiles. There are two types of filter profiles:
Common profiles – for all messages, irrespective of the particular
recipient.
Personal profiles – for messages sent to a certain recipients.
26 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
4.3.1. Address, headers and message size analysis
Filtering rules may contain description of the following conditions (as well as their negations):
the IP address of the server from which a message was received (i.e. the relay server that sent the message) matches a specified address.
the IP address of the server from which a message was received is included in the specified list.
one of the DNS-based RBL services included in the specified list generates a message about "untrustworthiness" of the server from which a certain message arrived.
sender’s IP address is not found in the DNS.
sender’s e-mail address matches a specified address.
sender’s e-mail address is included in the specified list.
recipient’s e-mail address (or one of the recipients if there are several
recipients) matches the specified one.
recipient’s e-mail address (or one of the recipients if there are several recipients) is included in the specified list.
message has a header of the specified type (i.e. it contains a specified name).
message has a header with a specified name (e.g., From or To) that
matches specified template (regular expression).
total message size exceeds the specified limit.
the message content falls into a certain spam category (see para 4.3.2
page 27).
The lists to which filtering rules refer can be of the following types:
IP addresses lists – contain IP addresses in the aaa.bbb.ccc.ddd or aaa.bbb.ccc.ddd/nn format.
E-mail lists – contain e-mail addresses in the user@hostname.domain or @hostname.domain format. The latter format includes any user of the
specified domain.
Lists of DNS-based RBL services – contain the names of zones used to form requests to DNS to check if a certain IP address is included in the
Kaspersky Anti-Spam Operation and Filtering Philosophy 27
black list (e.g. to check IP=202.103.129.8 via zone="blackholes.mail­abuse.org" a request to DNS with the 8.129.103.202.blackholes.mail­abuse.org domain name will be formed).
E-mail recipient’s check is performed:
in common profiles – according to the full list of recipients.
In personal profiles – according to the list of those message recipients to
whom this profile is applied.
A filtering rule can simultaneously contain several conditions of different types. For example, it can block messages where a recipient belongs to list A and the sender belongs to list B (B – stands for black list for the users included in list A).
4.3.2. Message content analysis – content filtering
An e-mail message may not have any formal spam attributes – it can be forwarded to a recipient from an address that is not included in any black list – but may still contain some "suspicious" information. In order to detect and
process such messages (in the Russian or the English language) content filtering
algorithms are used.
The message content is analyzed using artificial intelligence methods (including
the Subject header). Attached files in the following formats are also processed:
Text: plain text (ASCII, not multibyte);
HTML (2.0, 3.0, 3.2, 4.0, XHTML 1.0);
Microsoft Word (versions 6.0, 95/97/2000/XP);
RTF.
The task of Kaspersky Anti-Spam is to decrease the flow of unwanted mail that blocks up user’s mailboxes. 100% detection of all unwanted mails cannot be guaranteed because excessively strict criteria would inevitably cause "filtering out" of some non-spam messages.
Two basic methods are used to detect messages with "suspicious" content:
checking against sample messages (by comparison of their lexical content);
detection of regular expressions – words and word combinations.
All data used by Kaspersky Anti-Spam – index (hierarchical category list), sample messages, regular expressions, etc. are stored in the content filtering
database,.
28 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
Linguistic lab of Ashmanov & Partners JSC is constantly working on the enhancement and updating of the content filtering database. Therefore, it is recommended that you regularly update the database (see Chapter 6, page 89). System administrator can also add new spam message examples to the database (see para 5.2.6, page 82).
Based on the results of the content analysis, a message may be assigned one or several index categories of the content filtering database.
Configuring filtering rules using WebConfigurator (Chapter 5, page 47), the system administrator should set up rules for processing e-mail messages related to various index categories
2
.
While configuring the program, the system administrator must give the first priority to saving all "useful" e-mail messages as the loss of just one important message may be much more harmful to the user than receiving dozens of unwanted messages. To avoid the loss of necessary data, it is recommended to apply only moderate processing actions to the messages "rejected" based on the results of the content analysis. For example:
add warning [Spam] to the Subject header;
add an extra header Keywords=... that will allow users to redirect
such messages to the special folders of their mail clients.
4.3.3. Actions to be applied to messages
If the conditions described in a filtering rule (see para 4.3.1, page 26 and
para 4.3.2 page 27), are met for a certain message, then actions described in
this rule will be applied to such message.
The actions can be:
"severe" – these actions terminate message processing;
"moderately severe" – these actions stop execution of the rule and of all
other rules of the current profile, although rules of other profiles can be applied to a message;
"moderate" – when this action is complete, other actions of the current rule will still be applied as well as other rules of the same and/or of other profiles.
2
If a message is assigned one of the index categories, it does not necessarily mean that
the message contains spam. For example, a message containing indecent vocabulary will be assigned the Obscene category. System administrator can ignore it (not specify it in the rule conditions).
Kaspersky Anti-Spam Operation and Filtering Philosophy 29
Several actions can be described in a single rule, but if any of these actions are severe or moderately severe, then message processing by this rule (as well as by all other rules of the current profile) stops and no further actions will be performed.
Actions within the same rule are arranged in strict order.
Actions of the following types can be described in filtering rules:
"Severe" actions:
reject – refuse to accept this message on the SMTP-chat level.
The filtering server returns error 550 to the sending server while receiving the message via the SMTP protocol. The text of the error message can be set using WebConfigurator (see para
5.2.7, page 84).
The personal profile provides for the execution of a combination
of the bounce + black hole actions rather than the reject action
(as a personal profile can be used only for a part of the recipients and a "partial" rejection is impossible).
black hole – delete the message (do not pass it further) without
generating a message to the sender.
Rules containing this type of actions should be applied with care because the message will be completely deleted and cannot be restored.
Message delivery is blocked for all users in the common profile while for blocking message delivery to users this personal profile is applied to a personal profile is used.
accept – forward message to the recipient (recipients) without
modifying it, i.e. as it appears after the prior processing. When such action is executed, the message is passed further without any delay and no other filtering rules will be applied to it. The rules with the accept action are used to support the use of the white lists.
In addition, the accept action is executed by default at the end of processing of any message (or a message copy), provided that no reject or black hole actions has been executed:
o at the end of the private profile for all recipients of this
private profile;
o after execution of all private profiles for all recipients who
have not been processed.
30 Kaspersky Anti-Spam 2.0 Enterprise Edition / ISP Edition
"Moderately severe" skip action – stop execution of all current filter profile rules and start execution of the next profile (if this is provided for by the profile execution procedure, see para 4.3.4, page 31).
The skip action in a personal profile is equivalent to the accept action.
"Moderate" actions:
bounce – generate a message rejection notification to the
sender’s mail server.
The original message will be attached to the notification. Notification text can be set up using WebConfigurator (see para 5.2.7, page 84). Message processing goes on and if not other rule that blocks the delivery is applied, the message will be delivered to the recipient (recipients).
change recipient – change the list of the message recipients:
o change addresses of all recipients to the address (or the
address list) specified in the rule (replace all);
o delete the specified recipient’s address (delete); o add the address (or the address list) specified in the rule
(add) to the recipients list.
The ${SMTP_FROM} macrovariable indicating the sender's
address, specified in the SMTP-envelope, can be used when generating a list of new recipients.
change header – change message header specified in the
rule:
o having deleted the old header value with the specified
name (if the message had one), add a new one as specified in the rule (replace);
o add a new value as specified in the rule (add) to the
header, leaving the old value unchanged (if it exists);
o add a new header with the specified name and value. The
header is added to the beginning of the header list; duplication of headers having the same name in the list is not monitored (create);
o delete all headers with the specified name if the message
had any (delete).
This action allows to assign attributes to the message, based on which, client software (e.g. Microsoft Outlook) will be able to filter or classify messages after they are delivered to the user’s mailbox.
Loading...
+ 103 hidden pages