September 20, 2005

Filter spam with CanIt-PRO

Author: Joe 'Zonker' Brockmeier

Despite the passage of the CAN-SPAM Act, email users are still subjected to vast quantities of spam and virus-laden messages. Roaring Penguin's CanIt-PRO is a Sendmail-based application that helps block spam, viruses, phishing attempts, and other nastiness. I found it to be one of the better commercial Linux email filtering packages.

Roaring Penguin makes packages for many Linux distributions, and also provides source code -- so it should be possible to run CanIt-PRO on just about any Linux distribution. I installed the product on a CentOS 4 system, using the packages for Red Hat Enterprise Linux (RHEL) 4.

Installing CanIt-PRO using the provided installation script and packages isn't difficult, but there are quite a few steps, and users should read the documentation carefully before proceeding. The CanIt-PRO installer script, install-canit, verifies whether all necessary packages are installed on the system, and prompts you to install any missing dependencies before proceeding -- or gives you the option to proceed without the missing dependencies. On the stock "Server" install of CentOS 4 that I used, there were five packages that CanIt-PRO needed. After I used Yum to grab those, the installer did its thing without a hitch.

After running the script to install the RPMs for CanIt-PRO, the next step is to set up the PostgreSQL database -- MySQL is not supported -- and edit a few Sendmail configuration files. Again, there are quite a few steps involved, but the documentation is well-done, and I didn't run into any problems following the manual for the installer. Since I have run through installations of commercial Linux products that left out important steps or glossed over some of the details, I was quite happy with the guide that Roaring Penguin provides.

After the installation

While the installation requires a lot of tweaking of text files, most of CanIt-PRO's administration can be performed through the Web interface.

After you enter the CanIt-PRO license and log in with the username and password that you set during the install, the software performs one last system check to make sure that the system is optimized for CanIt-PRO. On my system, it recommended that I change one of PostgreSQL's variables to get better performance.

After that, CanIt-PRO walks you through a Web-based wizard to configure the basic setup. It asks how you want CanIt-PRO to react to potential spam, what types of checks to do, and so forth. Again, Roaring Penguin receives high marks for giving the user plenty of information while working through the setup and making it easy to configure the software. You can even move backward and forward through the setup and approve all of the settings when the wizard is finished, and you can go back through the setup at a later date if necessary.

Plan to spend the better part of an afternoon installing and configuring CanIt-PRO. It's not a difficult setup, but there are a lot of steps and a fair amount of documentation to read.

CanIt-PRO configuration and administration

While CanIt-PRO's Web-based administration isn't difficult, neither is it intuitive. CanIt-PRO has a lot of features, and a lot of criteria that can be used to help snag spam. This also means there's a bit of complexity that seeps into the administrative interface.

The sheer number of options CanIt-PRO provides is a little bit daunting. It will take most admins a few days to get used to the software and a little longer to get everything fine-tuned.

One thing I liked about the interface is the ability to set quick links. For example, if you spend a lot of time administering users, you can set a link to the user administration page rather than needing to navigate to administration and then to users.

Catching spam

Once CanIt-PRO was installed, the next step was to evaluate its ability to catch spam. I selected a sample of spam and ham (non-spam) messages and used Sylpheed to redirect them through the host running CanIt-PRO. For the first round of tests, I set CanIt-PRO up to relay to my mail server, and to reject anything that it classified as spam with an SMTP 4XX error -- in other words, to avoid even accepting mail that looked like spam, rather than putting it in the Trap.

I was pleased with the results. While CanIt-PRO missed a few messages that were spam, I didn't have any problems with false positives. While I absolutely loathe seeing spam in my inbox, I'd rather see spam than miss legitimate messages.

When CanIt-PRO is told to reject mail, and it recognizes an incoming message as spam, it issues the following error to the sending server: "451 4.3.0 Message held for human verification before permitting delivery. For help, please quote incident ID 2." The ID number will change, of course.

This is particularly useful, and polite, for administrators of other mail servers. If CanIt-PRO does identify legitimate email as spam, it means that the user on the other end is going to be wondering why his mail is being returned. A lot of times, the error that the administrator will find in their outgoing mail log isn't particularly useful. CanIt-PRO's error should provide enough information for the administrator to figure out that the email is being rejected as spam. It doesn't say why the email is being rejected as spam, but that would be giving a bit too much to the spammers.

If a legitimate email is tagged as spam, the administrator can look up the incident ID and train CanIt-PRO to accept the message as non-spam. The admin can also choose what should happen the next time the message is sent -- whitelisting the sender or incoming domain, blacklisting the sender or domain, putting the message in quarantine, or rejecting it outright. If the message is rejected, it's rejected outright with an SMTP 554 error, which indicates the transaction has failed.
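To make the difference between the two rejections concrete, here is an added example (not part of the review or of CanIt-PRO) that parses SMTP reply lines of the kind a sending administrator would find in an outgoing mail log, extracts the incident ID from the 451 hold, and reports what a standards-conforming sending MTA does with each reply class. The sample replies are constructed from the two responses quoted above; the 250 line is invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies: the 451 hold and 554 rejection described in the
# review, plus an ordinary 250 acceptance for comparison.
SAMPLE_REPLIES = [
    "451 4.3.0 Message held for human verification before permitting delivery. "
    "For help, please quote incident ID 2.",
    "554 5.7.1 Transaction failed",
    "250 2.0.0 Ok: queued as CONSTRUCTED-ID",
]

# Reply code, optional RFC 3463 enhanced status code (e.g. 4.3.0), free text.
# The "-" separator covers multi-line replies such as "250-PIPELINING".
REPLY_RE = re.compile(
    r"^(?P<code>[2-5]\d\d)(?:[ -](?P<esc>[245]\.\d{1,3}\.\d{1,3}))?[ -]?(?P<text>.*)$"
)
INCIDENT_RE = re.compile(r"incident ID\s+(\d+)", re.IGNORECASE)


@dataclass
class SmtpReply:
    code: int
    enhanced: Optional[str]
    text: str
    incident_id: Optional[int]

    @property
    def action(self) -> str:
        """What the sending MTA does next, by RFC 5321 reply class."""
        if self.code < 300:
            return "accepted"          # 2xx: delivery succeeded
        if self.code < 400:
            return "continue"          # 3xx: intermediate (e.g. 354 after DATA)
        if self.code < 500:
            return "queue-and-retry"   # 4xx: transient; message stays queued
        return "bounce"                # 5xx: permanent; sender generates an NDR


def parse_reply(line: str) -> SmtpReply:
    """Parse one SMTP reply line; raises ValueError on non-reply text."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    text = m.group("text")
    inc = INCIDENT_RE.search(text)
    return SmtpReply(int(m.group("code")), m.group("esc"), text,
                     int(inc.group(1)) if inc else None)
```

Because the 451 reply is transient, the remote MTA keeps the message queued and retries until its own timeout, which is what gives the administrator time to look up the incident ID before the sender sees a bounce.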

Rules and reports

You can set a staggering number of rules and conditions to filter mail using CanIt-PRO. The software can use the Sender Policy Framework (SPF) and filter by host, MIME types, filename extensions, recipients, Bayesian analysis, and more.

If there's something really specific you're trying to filter for, you can set up custom rules and filter on just about any part of a message. This can be particularly useful when there's a new email virus making the rounds.

The rules interface also allows the use of regular expressions, so a rule doesn't need to match email fields literally in order to take effect. Since I've seen many users (and more than a few admins) shoot themselves in the foot with custom mail filters, I'm happy to see that there's even a regular expression checker in the Web-based interface to allow admins and users to test their regular expressions against test strings. I do wish that there was a way to test the entire rule, and not just the regular expression, against an email in order to see whether the rule will match it.

Mail-filtering is not a one-way street. Though most discussions about mail-filtering are centered on keeping spam out, it's also sometimes desirable to filter outgoing email. With CanIt-PRO, admins can add boilerplate text to outgoing email (something I find obnoxious, but it's a popular feature for larger corporations) and filter outgoing email based on keywords.

CanIt-PRO also provides detailed statistics on the mail that it filters. Admins can see how much email has been filtered, how many emails have been accepted, how many emails contained viruses, and how many were in RBLs, among other things. Admins can view the reports as HTML or download them as CSV files. This could be useful to admins who want to know how much mail is coming into their network, and how much of it is spam.

Summary

Overall, I liked this release of CanIt-PRO, even if there are a few things I'm not crazy about. In particular, it's too bad CanIt-PRO depends on Sendmail. If given the option, I prefer to use Postfix or Exim, so putting CanIt-PRO in the mix means that I either need to switch MTAs (not likely) or throw an additional host into the mix with CanIt-PRO installed -- which is what I'd recommend.

Running CanIt-PRO introduces a bit of overhead as compared to just running Sendmail. Unless an organization is already using Sendmail on servers that don't usually carry a heavy load, I'd recommend that CanIt-PRO be deployed on a separate server or servers.

The CanIt-PRO manuals are fine, but it'd be nice to be able to get online help for specific pages and options in the Web administration interface. The User Guide, in PDF form, is available from the admin interface, but it's 182 pages long, and a little much to wade through for users who just want to figure out how to set SPF rules.

CanIt-PRO's per-user pricing starts at $5 (minimum $1,500) and goes down as the number of users goes up. This is more or less on the "honor system," as the version of CanIt-PRO that I evaluated didn't have a way of enforcing the number of users protected by the software. Since Roaring Penguin doesn't charge per server, organizations have some flexibility in deploying the software.

If you're looking for a spam-filtering solution for a small organization with fewer than 100 users, then CanIt-PRO is probably not for you. Roaring Penguin does offer a free version of CanIt for organizations with up to 50 users, but it doesn't offer all of the functionality that comes with CanIt-PRO.

If you're looking for anti-spam software for organizations with more than 100 users, try a test deployment of CanIt-PRO. It's not the only game in town -- Sophos PureMessage for Unix, for instance, is a nice package as well -- but it is one of the better anti-spam solutions I've tested. It works well, is relatively easy to administer for any admin who knows his way around email, and the price is reasonable for keeping the bulk of spam out of your users' inboxes.

Category:

  • Enterprise Applications