Can Comodo AntiSpam be daisychained with other anti-spam proxies?

I’m sure it’s all nice and handy to have Comodo AntiSpam (CAS) do all the configuration automatically for itself but I am very used to having manual control to configure the proxies. While I’d like to add CAS for its challenge-response (C-R) mechanism, I want that as the LAST method to eliminate spam, not the first (and perhaps only) method. I want to use passive filtering to identify spam before using C-R; see http://spamlinks.net/filter-cr.htm#issues-harmful. I want the passive filtering done first to reduce the chance of inflicting innocents with “challenge spam” (and, yes, the challenges are unsolicited by the innocents). I will not rely on C-R to filter out spam unless all responsible methods are first employed. That means I need to daisychain the proxies which means they need to let me daisychain them together.

My current anti-spam setup is:

For POP3 accounts (non-SSL):
e-mail client ← SpamPal ← POP3 server

For POP3 accounts (SSL required):
e-mail client ← Gmail POP3 server

For HTTP accounts (Yahoo):
e-mail client ← SpamPal ← YahooPOPs ← Yahoo HTTP server

I currently use SpamPal because of its DNSBLs (DNS blocklists of known spam sources) and Bayesian filter. Unfortunately, SpamPal does not support SSL connects so I cannot use it for my Gmail account unless I add the stunnel proxy after SpamPal but that’s just more to go wrong. Gmail’s spam filtering is very good but if I start seeing lots of spam coming through Gmail then I’ll have to incorporate the stunnel proxy.

For DNSBLs, I use SpamHaus SBL+XBL (which includes CBL and blitzed.org), ORDB (for relays), NJABL (for relays and open proxies), and SpamCop. I used to use SORBS but their list has some very old entries (3 months since last trap) and they employ extortion to get delisted (forcing a $50 donation to a charity). I won’t use SPEWS because they are an IP range blocking list to rate spamminess of a domain rather than identify actual spam source, were unresponsive, and are dead now. I won’t use APEWS or UCEPROTECT (same group manages both blocklists) because they intend to emulate SPEWS (which I considered a vigilante blocklist since they had no means of delisting other than their flawed automatic method). I found Spamhaus, ORDB, NJABL, and SpamCop gave me a good combination to avoid false positives but still give good coverage to identify spam sources. But DNSBLs only work for known spam sources (caught or reported) so SpamPal also gives me a Bayesian filter (although I might look into replacing it with K9, SpamBayes, or SpamAssassin). SpamPal also has its MX block filter to identify e-mails that originate from mail servers with dynamically assigned IP addresses (i.e., infected user hosts running trojan mailers). It is configured to use the NJABL dynamic IP list. If the e-mail doesn’t come from a static IP addressed mail host then I don’t want it. SpamPal also lets me block by country (i.e., IP addresses allocated in a region) to block mails from China, Korea, Malaysia, Argentina, Brazil, Nigeria, Turkey, or other countries where I don’t correspond with anyone (and for those outside the USA it also includes an option to block mails from the USA).
SpamPal has its logfile option that will keep a plain-text version of every spam-tagged e-mail so I have a means of getting at an e-mail that was a false positive if I configured my e-mail client to immediately delete spam-tagged mails (instead I now move them into the Junk folder and use auto-archiving to permanently delete after 3 days).

SpamPal gives me a lot of methods to detect spam that are passive without wasting more bandwidth and disk space sending out challenges which are, in effect, spam to the innocents that receive them. Also, this backscatter of “challenge spam” is reportable in the DNSBLs and can get a C-R user added to the blacklists (SpamCop, for example). So before using C-R, I want to continue using passive and responsible methods to eliminate spam. With passive filtering, spam is handled by me and I don’t end up trying to use other users as unpaid involuntary spam filterers for my mails. My non-whitelisted non-spam senders would still end up getting the challenge but I consider that an acceptable irritation for them to send me good mails (plus they’ll get added to the whitelist to not bother with the challenge again). This is for personal e-mails received at home or on my laptop and not for business use so I’m not concerned about irritating and pushing away potential customers.

In the above schemes, I can daisychain the SpamPal and YahooPOPs proxies. At the e-mail client, you specify the SpamPal proxy as the POP3 server and in the username you specify where SpamPal will connect via “username[@popdomain]@popserver[:port]”. Basically at the starting point, which is the e-mail client, you specify enough information so each proxy can strip out what it needs to tell it where to connect. I don’t know how CAS works or if it will even operate as a cooperative proxy to daisychain with other proxies. Even if SpamPal weren’t in the mix, CAS would need to cooperate with the YahooPOPs proxy to let me continue using my freebie Yahoo Mail accounts.

SpamPal merely tags suspect mails. It is up to the user to define rules in their e-mail client as to what action to take based on which tag (header) got added by SpamPal. That’s okay when SpamPal is the only spam filter used. If CAS is added to the proxy chain (assuming it can be added), CAS needs some means of also detecting if SpamPal added its bad tag (“X-Spampal: SPAM” header) versus its good tag (“X-Spampal: PASS” header). I prefer using headers rather than marring the Subject with a “SPAM” tag string. I know that CAS has its whitelist but I don’t know what criteria it allows for definition in that whitelist. If CAS can search all the headers and can whitelist based on the existence of the “X-Spampal: SPAM” header then that already spam-tagged e-mail will bypass CAS and get handled using rules in the e-mail client to manage the spam. That way, C-R does not get employed for e-mails that have already been identified as spam. I want C-R to be the LAST method used to filter out spam and only if the mail hasn’t already been tagged as spam.

One, will CAS daisychain with other proxies?

Two, can CAS be configured to ignore mails that have specific headers so spam already tagged by upstream proxies will not generate a challenge mail? If the mail can be detected as spam then I don’t need to be sending out challenges for it.

Hmm, doesn’t look like Comodo AntiSpam (CAS) will cooperate with any other anti-spam programs. I have VMWare Server (free) in which I can test new and unknown applications. The snapshot lets me return the virtual machine back to a base (or clean) state. I don’t even have to bother uninstalling the test program but just instead revert to the snapshot. This gives me a sandbox in which to trial a program.

From what I saw, it looks like CAS operates just like a mail monitor, like Magic Mail Monitor or PopTray. It runs independently of the e-mail client, does its own mail polls (the default is every 30 minutes), and sends challenges to new messages under the presumption that the e-mail client doesn’t poll at shorter intervals. Okay, but that means the challenges are not sent when the e-mail client does a mail poll. It means that CAS doesn’t chain with any other proxies. It means that I cannot use other [reactive] anti-spam solutions with CAS. Instead CAS and other anti-spam software operate independently, can interfere with each other, and means that I cannot control CAS to send challenges only for e-mails not otherwise detected as spam.

By working independently and not knowing what the other anti-spam software already detected as spam, CAS runs blind and sends challenges to every non-whitelisted mail. That means challenges will get sent out for what could be detected as spam and without using challenges. I don’t need to send challenges for mails that can be readily identified as spam. I don’t have to do anything about that spam except permanently delete it (at the mail server or locally). Easily identifiable spam should go into a bit bucket, not generate challenges.

While CAS might someday use DNSBLs, country IP blocklists, Bayesian filtering, and blocking of dynamic IP addressed mail sources, it doesn’t do that now. Also, it really shouldn’t be a requirement that one anti-spam product provide every possible means of eliminating this ■■■■ from our mailbox. By running as a proxy that can chain with other proxies, the user can tailor just how they want to set up their anti-spam scheme. I want C-R to be the last method of eliminating spam but others might want it higher up the proxy chain.

Guess I can’t use Comodo AntiSpam. I refuse to rely solely on a challenge-response scheme. C-R is an irresponsible scheme unless other reactive (or passive) schemes are first employed to minimalize the chance of innocents getting the “challenge spam”. While I might require my good senders (who haven’t been whitelisted yet) to be irritated with the challenge, I’m not going to slam innocents with “challenge spam” for spam e-mails they never sent. Spammers never use their own e-mail address but they do use e-mail addresses of others. C-R users spewing out challenges as fast as they get spam are not helping the community to solve the problem. A solution that works for the user but assaults the community with more spam is not a good solution. Other schemes need to be employed before using challenge-response.

Okay, it now looks like maybe Comodo AntiSpam (CAS) will chain with other proxies, sort of. I had confused the server sync settings with CAS being a mail monitor rather than keeping different installs of CAS on separate hosts in sync with each other.

I configured the e-mail client (Outlook Express) to use SpamPal as the IP name for the POP3 server. Basically the proxies all use localhost (127.0.0.1) but it gets confusing using the IP address in various configurations. Instead I add SpamPal and YahooPOPs to the hosts file. That way, I can use those host names in mail configurations to know at which one I am targeting the configuration. I like using names instead of using 127.0.0.1 for all local proxies.

In the e-mail client:

POP3 server = SpamPal
(uses hosts lookup to equate to 127.0.0.1)
POP3 port = 7110
(where SpamPal listens for inbound POP3 connects)
username = “@YahooPOPs:8110”
(tells SpamPal to connect to the YahooPOPs proxy that listens on port 8110)

YahooPOPs listens on port 8110 for a connect from SpamPal which listens on port 7110 for a connect from the e-mail client. It all works. I then installed Comodo AntiSpam which picked up the account definition from Outlook Express. So, according to their web page, CAS will query SpamPal (the specified POP3 server) when OE polls for new mail. So far, so good, but then I hit the snag of how to get CAS to ignore spam-tagged e-mails.

There is no whitelist function in CAS that will work on strings in the Subject or in the headers. The “Authentication Database” which is CAS’ whitelist feature only matches on e-mail addresses and e-mail IP addresses. I see no option to whitelist based on a “**SPAM” string in the Subject or the “X-SpamPal: SPAM” header. I need to have CAS ignore any e-mails that are already marked as spam by my upstream anti-spam solution (SpamPal) or even if marked by the mail server using its filtering or by user-defined server-side rules. I do not want CAS to be sending out challenges when it is already known the mail is spam.

Have I missed something in CAS’ whitelisting function? Can it whitelist based on string matches in the Subject or headers? Actually I don’t want CAS to whitelist but rather ignore any mails with these spam tags so that my e-mail client’s rule can delete the already identified spam mails. It is stupid to be sending out challenges for mails already identified as spam. To eliminate false positives (non-spam marked as spam) merely means that I loosen the spam detect rules in the reactive anti-spam solution (SpamPal) and then use C-R as the backup scheme. I have yet to get a false positive based on the particular suite of DNSBLs that I currently employ in SpamPal. I can’t remember the last false positive that I got from the Bayesian filter (but have had plenty of false negatives). For the false negatives (spam not detected as such) not caught by the Bayesian filter and new spam not yet listed in the DNSBLs then C-R handles the rest but I end up sending far fewer challenges overall.
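The two mechanisms this thread keeps coming back to are the chained POP3 username convention (“username[@popdomain]@popserver[:port]”, described in the first post) and the check a challenge-response stage would need in order to skip mail that an upstream filter already tagged (“X-SpamPal: SPAM” header or a “**SPAM” Subject string, asked about in the last post). The following is an added example, not code from the original thread, from SpamPal or from Comodo: it parses the chained username into the next hop, and classifies a raw message as whitelisted, already tagged, or a candidate for a challenge. The function names, the sample messages and the whitelist are constructed for the example; the tag header and Subject string are the ones named in the thread.

```python
"""Added example (not from the original post): the two checks the thread
describes, written as plain Python so they can be run offline.

1. parse_chain_username(): splits a SpamPal-style chained POP3 username,
   "username[@popdomain]@popserver[:port]", into the upstream username and
   the next hop (host, port).
2. challenge_decision(): given a raw message, decides whether a
   challenge-response stage should skip it because an upstream filter
   already tagged it as spam ("X-SpamPal: SPAM" header or a "**SPAM"
   Subject prefix), deliver it because the sender is whitelisted, or
   challenge it.
"""
import email
from email import policy
from email.utils import parseaddr

DEFAULT_POP3_PORT = 110


def parse_chain_username(chained: str) -> tuple[str, str, int]:
    """Split 'user[@popdomain]@popserver[:port]' into (upstream_user, host, port).

    Everything up to the last '@' is passed on as the username for the next
    hop; the text after it names the next proxy or server. An empty username
    (as in '@YahooPOPs:8110') is legal: the next hop supplies its own account.
    """
    if "@" not in chained:
        raise ValueError("chained username must contain '@popserver'")
    upstream_user, _, hop = chained.rpartition("@")
    host, _, port_text = hop.partition(":")
    if not host:
        raise ValueError("missing popserver name")
    port = int(port_text) if port_text else DEFAULT_POP3_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return upstream_user, host, port


def already_tagged_spam(msg) -> bool:
    """True if an upstream filter marked the message as spam.

    Checks the 'X-SpamPal: SPAM' header from the thread and the '**SPAM'
    Subject tag; both comparisons are case-insensitive.
    """
    tag = msg.get("X-SpamPal", "")
    if tag.strip().upper() == "SPAM":
        return True
    subject = msg.get("Subject", "")
    return subject.lstrip().upper().startswith("**SPAM")


def challenge_decision(raw: bytes, whitelist: set[str]) -> str:
    """Return 'whitelisted', 'tagged-spam' or 'challenge' for one message.

    Order matters: a sender on the whitelist is never challenged, mail that
    an upstream stage already tagged is left for the client's junk rule, and
    only the remainder would earn a challenge.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender and sender in whitelist:
        return "whitelisted"
    if already_tagged_spam(msg):
        return "tagged-spam"
    return "challenge"


# Constructed sample messages for a stand-alone run (not real mail).
TAGGED = (b"From: Anyone <someone@example.net>\r\n"
          b"X-SpamPal: SPAM\r\n"
          b"Subject: great offer\r\n\r\nbody\r\n")
SUBJECT_TAGGED = (b"From: Anyone <someone@example.net>\r\n"
                  b"Subject: **SPAM** great offer\r\n\r\nbody\r\n")
CLEAN_UNKNOWN = (b"From: New Sender <new@example.org>\r\n"
                 b"X-SpamPal: PASS\r\n"
                 b"Subject: hello\r\n\r\nbody\r\n")
CLEAN_KNOWN = (b"From: Friend <friend@example.com>\r\n"
               b"X-SpamPal: PASS\r\n"
               b"Subject: hello\r\n\r\nbody\r\n")
WHITELIST = {"friend@example.com"}  # constructed whitelist for the example

if __name__ == "__main__":
    print(parse_chain_username("@YahooPOPs:8110"))
    print(parse_chain_username("jdoe@example.com@pop.example.com"))
    for name, raw in [("TAGGED", TAGGED), ("SUBJECT_TAGGED", SUBJECT_TAGGED),
                      ("CLEAN_UNKNOWN", CLEAN_UNKNOWN), ("CLEAN_KNOWN", CLEAN_KNOWN)]:
        print(name, "->", challenge_decision(raw, WHITELIST))
```

The ordering in challenge_decision is the point of the thread: the whitelist is consulted first so a known sender is never challenged, the upstream tag is honoured next so already-identified spam never generates a challenge, and only mail that neither stage has classified would reach the challenge-response step.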