[Mimedefang] Quarantine_entire_message

Nels Lindquist nlindq at maei.ca
Tue Aug 20 13:21:01 EDT 2002 

On 19 Aug 2002 at 15:24, Rachael Stewart wrote:

> I'm new to MIMEDefang and Spam Assassin.  I'm using Mimedefang 2.17 and SA
> 2.31 on RedHat 7.2.  I want to keep a copy of all the messages that get
> tagged as spam so I can forward the false positives to the recipient.

Your filter is currently quarantining the entire message for spam 
scores >= 10 and quarantining the current entity for scores between 
$req and 10.  That's going to introduce a *lot* of administrative 
overhead for the staff examining all the trapped mail.

Depending on your requirements, you might find it easier to 
quarantine only messages exceeding 2 * $req (basically what you're 
doing) and merely add (a) header(s) to less spammy messages in order 
to allow the end users to filter themselves.  In our experience, we 
see a fair number of false positives which score < 10 (usually 
between 5 and 7) and very few false positives with a score > 10.

> Using action_quarantine_entire_message, I get the administrator alerts,
> but the email doesn't appear to get saved.  Following are my
> mimedefang-filter file and a copy of an admin alert.  

This would seem to indicate otherwise:

> The entire message was quarantined in
> /var/spool/MIMEDefang/qdir-2002-08-19-15.13.54-001/ENTIRE_MESSAGE

is the MIMEDefang/ directory accessible by the owner of the 
mimedefang process?

One thing I like to do when quarantining spam (as opposed to virus-
infected attachments) is put them in a separate folder:

if ($hits >= ($req * 2.0)) {
    #Double required spam score; quarantine & bounce.
    push(@Warnings, "$report\n");   # Add SA report to Administrator
                                    # notification
    my ($tmpQuarantineDir) = $QuarantineDir;
    $QuarantineDir = $QuarantineDir . "/spam";
    action_quarantine_entire_message();
    $QuarantineDir = $tmpQuarantineDir;
    return action_bounce("SPAM not accepted here.");
}

> ----------
> Here are the warning details:
> 
> Definitely Spam

If you append the SpamAssassin report to the @Warnings array, the 
Administrator notification looks more like this, which is a little 
more informative:

----
Here are the warning details:

SPAM: -------------------- Start SpamAssassin results ----------------
------
SPAM: This mail is probably spam.  The original message has been 
altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: 
SPAM: Content analysis details:   (30.2 hits, 5 required)
SPAM: NONEXISTENT_CHARSET (4.5 points)  Character set doesn't exist
SPAM: NO_REAL_NAME       (0.5 points)  From: does not include a real 
name
SPAM: INVALID_DATE       (0.5 points)  Invalid Date: header (not RFC 
822)
SPAM: PLING              (0.1 points)  Subject has an exclamation 
mark
SPAM: HOME_EMPLOYMENT    (2.9 points)  BODY: Information on how to 
work at home (2)
SPAM: CLICK_BELOW        (1.5 points)  BODY: Asks you to click below
SPAM: ASKS_BILLING_ADDRESS (-0.2 points) BODY: Asks for a billing 
address
SPAM: REMOVE_SUBJ        (3.4 points)  BODY: List removal information
SPAM: EXCUSE_4           (2.9 points)  BODY: Claims you can be 
removed from the list
SPAM: REMOVE_IN_QUOTES   (2.6 points)  BODY: List removal information
SPAM: EXCUSE_3           (1.1 points)  BODY: Claims you can be 
removed from the list
SPAM: BIG_FONT           (2.1 points)  BODY: FONT Size +2 and up or 3 
and up
SPAM: CLICK_HERE_LINK    (0.8 points)  BODY: Tells you to click on a 
URL
SPAM: ASCII_FORM_ENTRY   (0.5 points)  BODY: Contains an ASCII-
formatted form
SPAM: MAILTO_LINK        (0.8 points)  BODY: Includes a URL link to 
send an email
SPAM: FREQ_SPAM_PHRASE   (2.4 points)  Contains phrases frequently 
found in spam
SPAM:                    [score:  24, hits: all information, cash 
flow,]
SPAM:                    [check credit, city state, click here, 
credit]
SPAM:                    [card, email address, from home, from our, 
give]
SPAM:                    [you, mailing list, our mailing, phone 
number,]
SPAM:                    [please send, remove the, removed from, 
removed]
SPAM:                    [please, right now, state zip, subject line, 
the]
SPAM:                    [remove, the subject, word remove, you want, 
your]
SPAM:                    [order]
SPAM: SPAM_PHRASES_020   (2.1 points)  spam-phrase score is over 20
SPAM: CTYPE_JUST_HTML    (1.7 points)  HTML-only mail, with no text 
version
SPAM: 
SPAM: -------------------- End of SpamAssassin results ---------------
------

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.

More information about the MIMEDefang mailing list