Scanning outbound e-mail for spam

Hi,

I have seen a few posts about this around the Virtualmin forums but none with solutions to the problem at hand: scanning outbound e-mail for spam.

Virtualmin already supports scanning inbound e-mail for spam and viruses through the combination of Postfix, SpamAssassin, and ClamAV. This is great if you host e-mail for your Web hosting customers, but what if those customers also send e-mail from their Websites to recipients external to your Virtualmin system?

We host over 180+ WordPress Websites for our customers, and often find ourselves dealing with spammers who submit a contact form on one of those sites that contains spam. If the customer hosts their e-mail with us through Virtualmin at their domain, then the contact form submission is not delivered to them because SpamAssassin blocks the inbound spam before it can reach their local mailbox. But if the customer has their contact form submissions sent to an external e-mail address, like something at Gmail or Office365, then the e-mail is sent without being checked for spam and our Virtualmin mail server is put on a blacklist because we've effectively allowed our server to send outbound spam.

Is it already possible to set up outbound spam scanning similar to what's currently used for inbound scanning? In other words, if someone sends an e-mail from an account hosted by Virtualmin, or a contact form on a Website hosted by Virtualmin, and that e-mail is sent through the Postfix mail server, how can it be checked for spam before it is actually sent on to the recipient's external e-mail address? Can we use SpamAssassin to check outbound mail in the same way that inbound mail is checked for spam?

Note: I am aware Virtualmin already includes a feature to rate-limit outgoing e-mail. While useful, this does not solve our problem because it does not check the content of e-mails, but rather just the number of e-mails being sent per a specified time interval. If even one spammy e-mail is sent per hour, that is one e-mail too many, and rate limiting will do nothing to stop that. I am also aware that SMTP authentication can stop a large number of spam by restricting the sending of e-mail to only authenticated users, but again this does not stop cases where a WordPress Website, correctly authenticated to send from an e-mail address set up in Virtualmin, sends out a spammy contact form submission through Postfix to an external e-mail address.

Status: 
Active

Comments

Right now there is nothing in Virtualmin for scanning outbound emails, sorry. In theory this could be implemented in some cases, but if wordpress is setup to directly send email via an SMTP connection to gmail there is no place for us to hook in spam filtering.

Hi Jamie,

We actually have WordPress configured to connect to and authenticate with the Virtualmin-backed mail server running Postfix. We don't connect directly to Gmail or other service providers, but merely send through Virtualmin/Postfix to addresses at these providers. I have an account set up at each domain that is used to authenticate e-mail when sent through WordPress or other scripts. So the message is passing through our Postfix installation and then on to the intended recipient; perhaps spam scanning could be hooked in at this point when Postfix receives the outgoing e-mail and sends it along?

Ok, in that case it should be at least theoretically possible to scan outgoing email. However, it's not going to work well because most signals used by spamassassin are based on how the message was delivered (open relays, etc) which don't apply in your case. So all it can operate on is the message content, isn't a lot to go on./

Yeah there are folks who have gone through steps to make that work, and did want to use SpamAssassin for scanning outgoing messages as well as incoming.

What you described above is generally how I'd probably start -- look into a way to hook into SpamAssassin from Postfix.

We unfortunately don't have any details or steps on how to go about that as it's not what Virtualmin was designed for, it's not something we've done much testing on. You should be able to do it though. Sorry that we can't be more help!