Table of Contents
ze-filter is a mail filtering software using sendmail milter API. ze-filter is compatible with UNIX based mailservers running sendmail or postfix.
Developpement of this filter begun around 2001, with the name j-chkmail. The filter was renamed in 2017 when the author changed its position in the organization at which he was employed.
The goal of ze-filter is to be able to filter as much messages as possible, as fast as possible and as well as possible. Originally, it's intended to be use in large and heterogeneous communities such as university campus, but not only.
It's a complete and integrated solution including both behavioural filtering (connection rate control, detection of suspicious behaviour, greylisting , …) and content filtering (statistical/bayesian content filtering, pattern matching, URL filtering and heuristic filtering). ze-filter detects virus by looking for suspicious attached files (defined by their filename extensions or by some regular expression). An external message scanner such as Clamd (from ClamAV) can also be called during message handling.
Some command line tools are included allowing mail admins to get real time information about the filter (counters, statistics, …) without needing to grep log files (which is also available). Modification of many configuration options is possible without stop/starting the filter.
Most viruses today use electronic mail to propagate and are embedded within attached executable files. Most viruses make use of default mail reader configuration, and automatically open received attached files without asking for user permission.
So the idea is to detect messages with these kind of attached files. This is much faster than the usual virus scanning, produces very few false positives, and detects new viruses as soon as they appear. Also, the need for periodic maintenance (signatures database update) is eliminated.
When the filter blocks this kind of message, sender and recipients will receive a replacement message (instead of the original message), stating the reason for why the email was rejected.
You can get more information about unsafe files from Microsoft web site
But if you really want to use a real virus scanner, ze-filter may be be coupled with some external scanners : ClamAV, McAfee, and f-prot.
ze-filter is intended to detect spam at large sites, handling many hundreds of thousands messages a day, with users of very different profiles. This is usually a problem as most filters are optimized to handle a homogeneous flow.
ze-filter does a series of checks (behaviour and content) on messages and connections : connection rate, greylisting, pattern matching, URL filtering and bayesian filtering.
At the first level, the behaviour of gateways are checked. This allows the filter to protect the server against some kind of attacks, and to block a number of trivial spam. These kind of checks usually results in message rejection. This is a “coarse filtering”. Some of evaluations done here are : detection of address harvesting, evaluation of connection rate and globally the contribution of each client to the global load of the filter.
Other filtering methods based on message contents are used to remove remaining spam. This category of messages are usually tagged as being potential spam. Spam detection checks range from pattern matching, URL matching and message conformity to linguistic analysis.
Some latter features added to ze-filter was adaptive greylisting and bayesian filtering. ze-filter implementation of greylisting was done in a way to optimize it when in use to handle huge trafic and to prevent attacks to servers using these filtering method.
The last main feature added to ze-filter is a linear discriminator classifier coupled with active learning. This is the result of a PhD thesis. This classifier provides a much better efficiency over bayesian classifier.
The main goal of ze-filter is to handle spam for a large and heterogeneous community, such as an university campus, where message handling must be done well and fast.
Filter Monitoring and Control
Monitoring and control is an important part of ze-filter. It allows administrators to check how their mail server behaves, to evaluate its performance and filtering results, and to control filter behaviour. All of this in real-time ! You can do queries on the filter in different ways to know its activity, without doing greps on long log files. This is also available, but more for looking at precise information than to do real time monitoring.
Other than command line queries, you also have graphical monitoring of the filter activity.
ze-filter checks, all the time, the state of the filter and of the server. This way it can detect abnormal SMTP client behaviours, change filtering policies depending on the server load, and even selectively reject connections when necessary. This feature allows the mail server to survive even during heavy attacks.
- License ze-filter is free (no strings attached) software, distributed under a license similar to GPL. The difference is related to distribution. To redistribute ze-filter or any derived product, including services, you shall explicitly mention that the product is derived from ze-filter.
What do you need to run ze-filter
- Operating Systems - ze-filter is running on many UNIX flavors, but it's more extensively tested under SunOS, FreeBSD and Linux, Tru64.
- Sendmail - ze-filter uses sendmail libmilter, so it must be installed on a mail server running sendmail version 8.12.0 or newer.
- Postfix - Postfix release 2.4 fully implements server side libmilter code.