My family has demanded that I implement an anti-spam solution on our mail server. After doing some research, I decided to give the Anti-Spam-SMTP-Proxy a try. ASSP represent a lot of development work, and appears to be a mature product. It has everything I want: Baysian filtering, DNS RBL, Web customizable, a nifty email interface, and as an SMTP Proxy should require minimal configuration to use. Though ASSP reflects an important and valuable contribution to the open source community, it has some design and implementation deficiencies which make it the wrong tool for my environment. I want to document them here to help anyone else who might be investigating ASSP.
- First, it is a 9,000+ line Perl script. This lack of modularity makes it very painful to study and/or modify.
- In that huge Perl script, the web interface code is mixed with the processing code, and the default configuration file is thrown in there too. This makes it difficult to examine implementation methods because every search term will have a couple of non-implementation hits.
- Configuration files, data files, and source code files are all jumbled in the same directory. This makes it difficult to use lowest-level privileges, or to run ASSP on a read-only file system. Things like the current working directory, and the path to the configuration file, cannot be changed. This makes it hard to correct these organizational problems.
- The documentation is out of date. For example, it refers to the “Test mode” button. Unfortunately there is a whole section of test mode settings that are completely undocumented. Because the source code is obtuse, and the documentation lacking, some of the configuration settings have unexpected effects.
- ASSP does not speak TLS, so TLS connections have to bypass ASSP. This prevents users from using the email interface and complicates the auto-whitelisting.
- It also cannot relay mail directly to the Internet, so in TLS configurations two mail servers must be used: one which speaks TLS to receive mail from the user and hand it to ASSP, and one for ASSP to use to relay the mail to the Internet.
Though I can probably still get ASSP working to meet my needs, at this point the ease-of-use factor is negated. My difficulty is that there aren’t a lot of other really good anti-spam solutions. I’ve looked at both SpamAssassin and DSPAM. ASSP has some advantages over both of these solutions:
- The SMTP proxy design in theory should be easier to set up than other methods.
- I would predict that sender based auto-whitelisting and sent email automatically being added to the ham corpus would be more reliable for a small site than Baysean auto-whitelisting or receiver based auto-whitelisting.
I am considering using the knowledge and algorithms in the ASSP code base to start my own project. I could use an educational project, and there is much to learn in the ASSP scripts. Using the Twisted framework in Python would give a really big head start.
In the meantime, I’ll probably need to give one of these a try.