Copfilter is primarily a traffic filtering tool. Traffic types that are filtered include inbound and outbound email, web and file downloads via HTTP and FTP. Traffic is filtered for spam, viruses and various network security risks such as executable files. Lists can be built to block specific traffic sources or locations, as well as allow or block email traffic from specific domains.
A useful feature of Copfilter is that it can be configured to email notifications and reports to an administrator. On the email configuration page, specify the destination email address, plus an SMTP server address and user ID/password if authentication is required, and Copfilter will send email notifications of status and issues.
Email notifications are a useful feature for a small network without the resources to continuously monitor servers and network traffic. For example, I received email from Copfilter with notifications when it successfully updated the anti-virus database.
POP3 traffic, which is inbound email to PCs on the LAN, is filtered for viruses and spam. To see that Copfilter is doing its job, text messages can be inserted into the email header showing that Copfilter detected and scanned that message, as well as into the email body itself. If IPCop and Copfilter are your first foray into open source network tools, having a message in your emails showing the system is functioning is nice feedback.
Turning on these text messages is done by selecting "on" from a drop-down list in the web GUI for each of the two features shown in Figure 3.
Figure 3: Enabling email alerts and header, body inserts
Adding Copfilter Comments to an email header, as shown in the first line of Figure 3, puts text into the message source information of each email. This text (example below) can be seen in Microsoft Outlook by opening an email and clicking on View-Options, or in Mozilla Thunderbird by opening an email and clicking on View-Message Source.
X-Copfilter: Client is part of local network, skipped Spamassassin
X-Copfilter: Sender is in whitelist, skipped SpamAssassin
X-Filtered-With-Copfilter: Version 0.84beta3a (ProxSMTP 1.6)
Adding a disclaimer to each email, as shown in the second line of Figure 3, is an even more obvious notification that the received email has been scanned. If enabled, all incoming mail will have a line at the end similar to “Scanned with Copfilter Version 0.84beta3a (P3Scan 2.2.1)”, confirming that Copfilter's anti-virus scanner is online.
The “X-Copfilter: Sender is in whitelist, skipped SpamAssassin” message header mentioned above points to the spam filtering functionality in Copfilter. Copfilter uses whitelist/blacklist spam filtering for defining acceptable and unacceptable email sources and destinations. Note that email from addresses in Copfilter's whitelist will not be scanned for spam, but will be scanned for viruses. Email from addresses in Copfilter's blacklist will be rejected.
The whitelist / blacklist functionality has both an automatic and manual capability. If a client on the LAN side of IPCop sends an email to a destination email address and then receives a reply, the original destination email address will automatically be added to the whitelist.
Copfilter's whitelist / blacklist is a single list. It can be manually updated by clicking on the Whitelist keyword shown in the bottom right of Figure 3 and adding either entire email addresses, or just domain names.
The * wildcard can also be used in the whitelist / blacklist for greater flexibility. Selecting Accept or Discard for each email address or domain defines whether the email will be passed (whitelist) or rejected (blacklist), as illustrated in Figure 4 below.
Figure 4: Whitelist / blacklist
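The list semantics described above can be modelled in a few lines. This is an added example, not Copfilter's own code: the entries are constructed, and both the first-match-wins order and the way a bare domain entry is compared with the sender's domain are assumptions.

```python
import re

# Constructed single list in the spirit of Figure 4: (entry, action).
RULES = [
    ("newsletter@example.org", "Discard"),
    ("*@partner.example", "Accept"),
    ("*.bulk.example", "Discard"),
]

def matches(entry, sender):
    """Compare a list entry with a sender address; only * is a wildcard."""
    entry, sender = entry.lower(), sender.lower()
    # Assumption: an entry without "@" is a domain and is compared with the
    # part of the sender address after the last "@".
    target = sender if "@" in entry else sender.rsplit("@", 1)[-1]
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(pattern, target) is not None

def handling(sender, rules=RULES):
    """Return the processing stages a sender's mail goes through."""
    for entry, action in rules:          # assumption: first matching entry wins
        if matches(entry, sender):
            if action == "Discard":
                return ["reject"]        # blacklisted: mail is rejected
            return ["virus_scan"]        # whitelisted: spam check skipped, virus scan kept
    return ["spam_scan", "virus_scan"]   # unlisted senders get both checks

def broad_accepts(rules=RULES):
    """Accept entries with a wildcard; each one skips spam scanning for every match."""
    return [entry for entry, action in rules if action == "Accept" and "*" in entry]

if __name__ == "__main__":
    for addr in ("newsletter@example.org", "Bob@Partner.Example",
                 "x@mail.bulk.example", "stranger@example.com"):
        print(addr, handling(addr))
    print("wildcard Accept entries to review:", broad_accepts())
```

Because whitelisted senders bypass the spam check, wildcard Accept entries are the ones worth reviewing periodically.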
Beyond the simple automatic and manual email spam whitelist / blacklist, Copfilter checks email for various conditions defined by the open source anti-spam engine SpamAssassin. SpamAssassin is a Perl program comprised of multiple algorithms and rules performing various header, text and character analyses to detect spam.
SpamAssassin can also be configured to check incoming emails against the Razor and DCC external spam databases, in addition to its own. SpamAssassin can also be enabled to check incoming emails against up to eight different DNS Black Lists (DNSBLs).
Copfilter's configuration page warns that enabling the Razor, DCC, and DNSBL functionality “improves recognition, decreases performance.” But the nice thing about Copfilter is that you control processing power. Improving processor power on an off-the-shelf router is typically not an option. But since IPCop / Copfilter runs on a PC platform, upgrading the processor and memory is simple.
Messages matching conditions in a SpamAssassin algorithm, one of the external databases, or from an email address found in a DNSBL can be quarantined or tagged with a message. The default tag of ***SPAM*** is added to the subject line of emails as shown in the email in Figure 5. Most email clients have the ability to construct a rule to look for a specific tag and move tagged emails to a folder or delete them.
Figure 5: Email with subject line SPAM tag added
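The header comments, body disclaimer and subject tag described above can be checked programmatically when auditing a mailbox. The following is an added example, not part of Copfilter: the sample messages are constructed around the header and footer strings quoted in this article, and it assumes both marker options are enabled.

```python
import email
from email import policy

SPAM_TAG = "***SPAM***"            # default subject tag named in the article
FOOTER = "Scanned with Copfilter"  # start of the body disclaimer quoted in the article

def copfilter_markers(raw):
    """Report which Copfilter markers a raw message carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    # The header may repeat; the article's samples spell "Spamassassin" two ways.
    notes = [str(v).lower() for v in msg.get_all("X-Copfilter", [])]
    version = msg.get("X-Filtered-With-Copfilter")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "filtered_by": str(version) if version is not None else None,
        "spam_scan_skipped": any("skipped spamassassin" in n for n in notes),
        "spam_tagged": SPAM_TAG in str(msg.get("Subject", "")),
        "disclaimer": any(l.strip().startswith(FOOTER) for l in text.splitlines()),
    }

def looks_unfiltered(raw):
    """True when a message carries neither the version header nor the disclaimer."""
    m = copfilter_markers(raw)
    return m["filtered_by"] is None and not m["disclaimer"]

# Constructed sample messages (addresses are placeholders).
TAGGED = (
    "From: promo@example.org\n"
    "To: user@example.net\n"
    "Subject: ***SPAM*** Limited offer\n"
    "X-Filtered-With-Copfilter: Version 0.84beta3a (ProxSMTP 1.6)\n"
    "\n"
    "Buy now.\n"
    "Scanned with Copfilter Version 0.84beta3a (P3Scan 2.2.1)\n"
)
WHITELISTED = (
    "From: friend@example.com\n"
    "Subject: Lunch?\n"
    "X-Copfilter: Sender is in whitelist, skipped SpamAssassin\n"
    "X-Filtered-With-Copfilter: Version 0.84beta3a (ProxSMTP 1.6)\n"
    "\n"
    "See you at noon.\n"
)
BARE = "From: someone@example.com\nSubject: Hi\n\nNo markers here.\n"

if __name__ == "__main__":
    for name, raw in (("tagged", TAGGED), ("whitelisted", WHITELISTED), ("bare", BARE)):
        print(name, copfilter_markers(raw), looks_unfiltered(raw))
```

Any upstream sender can add the same header text, so these markers are feedback that the filter is running rather than proof that a message is clean.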
Another key element of incoming mail filtering is virus control. Copfilter leverages the open source ClamAV anti-virus engine along with the open source P3Scan tool to filter POP3 traffic on both ports 110 and 995. This is a strength over subscription-based products that filter traffic only on port 110. With the P3Scan tool enabled in the Copfilter-POP3 Filter menu, the ClamAV and F-Prot anti-virus engines will be applied to incoming email.
Copfilter includes a nice test tool to check that the anti-virus functionality is running. Under the Tests & Logs menu, there is a button to Send Test Virus Email. Clicking this button will send an email with an innocuous virus to the address entered in the Copfilter email configuration page. I tried this and received the test email shown in Figure 6.
Figure 6: Email virus test result
In addition to filtering inbound email, Copfilter filters outbound email. I enabled the disclaimer option on outgoing email as I did for incoming email, which adds “Scanned with Copfilter Version 0.84beta3a (ProxSMTP 1.6)” to each email sent. I always appreciate seeing messages like this on received email.