[Mimedefang] Re: A little confusered

Ellen Clary ellen at frap.org
Fri Jun 21 13:33:42 EDT 2002


[Side note, thanks to David for such a great program.]

Hi Weyland,

You've chosen quite a task for yourself; however, if you're comfortable with
sendmail this will be a relative piece of cake. (Though there are many
pieces to this puzzle - to mix metaphors a bit.)

Regarding Perl:  The short tutorial at the beginning of Learning Perl is a
good introduction and Programming Perl is great, however I've noticed that
the book I reach for more often is the "Learning Perl in [somenumber] of
Days" as it has a ton of examples (I just bookmark those pages I like to
refer to with postits.)

It's important to convince your management to take this as a multistep process.
We only recently started putting MimeDefang into production, so we're still
experimenting - they have to allow time for this.  If they want a turn-key
system they should get the checkbook out.  You're taking the
roll-up-your-sleeves approach which is excellent for maximum control (and
you'll learn some valuable skills in the process), but things like this
don't happen overnight.

The first step is to make sure that MimeDefang is stopping viruses and
other banned attachments at the door as that's really the most important
job it does.  At this point, you can invoke spamassassin to scan and mark,
but don't have it do anything past that just yet.

In the meantime, look at ways you can spread the filter job out as
SpamAssassin can potentially create a bottleneck. Do you know about
sendmail's "access" file?  If you have specific users or domains that you
never want to hear from ever (we have a list of about 30 or so), then just
add them to the /etc/mail/access file:

e.g.

randbad.com                              DISCARD
okmembership.com                         DISCARD
evilspammer@somewhereintheworld.com      DISCARD
annoyingperson@wrealemailaddress.com     REJECT
annoyingperson2@realemailaddress.com     550 Sorry, blacklisted user


Then restart sendmail:  service sendmail restart

And you can also block specific IPs or ranges of IPs at your router (though
that's a whole different subject), before it even gets to your firewall.


Once you're sure MimeDefang's working (keep an eye on /var/log/maillog), then
you can start tweaking /etc/mail/mimedefang-filter (or the multiplexer
version).  Currently we just have it mark the mail with the score and the
X-Spam-Warning and then have Netscape message filters or procmail (another
highly valuable learning curve to climb) do the filtering at the user's end.

Here's a portion of our current work-in-progress filter file; I've left in
the commented out portions.  If you get large emails like we sometimes do,
you really should put in the file size limitation.  Also, we're currently
marking every message with a Spam score, so we can see if we need to raise
or lower the default cutoff of 5 (the $req variable).  (You'll have to
learn how perl returns values from a subroutine.)


sub filter_begin {
    # ALWAYS drop messages with suspicious chars in headers or body
    if ($SuspiciousCharsInHeaders || $SuspiciousCharsInBody) {
        action_quarantine_entire_message();
        # Took out notify since quarantine generates a message anyway
        #if ($SuspiciousCharsInHeaders) {
        #    action_notify_administrator("Message quarantined because of suspicious characters in headers");
        #} else {
        #    action_notify_administrator("Message quarantined because of suspicious characters in body");
        #}
        # Do NOT allow message to reach recipient(s)
        action_discard();
    }
    # Only run SpamAssassin against messages under 200k
    if ((-s "./INPUTMSG") <= (200 * 1024)) {
      # The simple yes/no method
      # These routines are in mimedefang.pl
      #if (spam_assassin_is_spam()) {
      #    action_add_header("X-Spam-Warning", "SpamAssassin says this is Spam");
      #}
      # Bit more complex, call the spam checker directly and get the
      #  number of hits and print that in the header
      my ($hits, $req, $names, $report) = spam_assassin_check();
      if ($hits >= $req) {
        action_add_header("X-Spam-Warning", "SpamAssassin says this is Spam");
        action_add_header("X-Spam-Level", $hits);
      } else {
        action_add_header("X-Spam-Level", "Score=$hits (Less than $req ok)");
      }
    }
}


One last note is that if you have a list of banned words/phrases (be really
careful about this), you may wish to have procmail (another very cool
program) do that scanning job on your mail server rather than burden your firewall.


Good luck,

Ellen Clary
Senior System Administrator
Dynamic Graphics
ellen at dgi.com


 
> Message: 14
> From: Weyland <nw2linux at varangiankindred.org>
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] A little confusered
> Date: Thu, 20 Jun 2002 22:15:57 -0400
> Reply-To: mimedefang at lists.roaringpenguin.com
> 
> On Thursday 20 June 2002 03:11 pm, you wrote:
> 
> > By default, MIMEDefang/SpamAssassin doesn't reject mail.  It merely
> > adds headers reporting the spam "status" of the message.
> 
> Ahhhhh... okay.
> 
> > It's
> > usually not difficult to configure mail clients to filter mail based
> > on these headers, which leaves the decision about whether or not to
> > drop mail in the hands of the end user.
> 
> Yeah, but we wanna get it before that.
> 
> > If you do eventually decide that you want to reject spam at the SMTP
> > level, it's quite easy to configure MIMEDefang to do so.
> 
> Okay, good.
> This is what I've been tasked to do.
> 
> > However,
> > you'll probably want to study the issue for a while--determine what
> > score you should use to eliminate false positives, figure out whether
> > there are any mailing lists or senders/recipients who should be
> > whitelisted, etc.
> 
> Well, I've been told to immediately kill anything with pen at s, brea$t, etc...
> We've got quite a file of other words they want killed immediately as well.
> *Especially* anything with "chicken soup for the soul" ~! LOL~!
> 
> > SpamAssassin is never going to be 100% effective,
> > so making the decision to reject mail based on its criteria shouldn't
> > be done lightly.
> 
> Understood.
> 
> > Well, once you've figured out exactly what you want to do, there are
> > probably many people on this list who could help you out with code
> > fragments.  As I said above, it's not complicated to do, but some
> > planning should be involved. :-)
> 
> I appreciate that.
> Once I get learning, I'll probably ask for
> examples of how to do things, if that's okay.
> Usually, a point in the right direction is all I need,
> but be forewarned - I can be pretty dense sometimes.
> 
> Thanks,
> 
> Weyland
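Added example (not part of Ellen's message, and not sendmail's or MIMEDefang's
own code): a small Perl script that shows which /etc/mail/access entry fires for
a given envelope sender. sendmail does not compare the sender against the keys
one by one; for a From address it tries the full address first, then the host's
domain and each parent domain, and finally the bare user@ form, and the first
key found wins. That is why "randbad.com DISCARD" also catches mail from
hosts under randbad.com, while "evilspammer@somewhereintheworld.com DISCARD"
only covers that one address. The entries and sender addresses below are
constructed for illustration, and the matching routine is an approximation of
sendmail's documented lookup order, not its real lookup code. Remember that
sendmail reads the compiled access.db, so after editing the text file run
makemap hash /etc/mail/access < /etc/mail/access before restarting.

```perl
#!/usr/bin/perl
# Added example: predicts which access-file entry applies to a sender address
# by approximating sendmail's lookup order for From addresses. The entries
# and test senders are constructed; this is not sendmail's own matching code.
use strict;
use warnings;

# Constructed access-file text in the same layout as /etc/mail/access.
my $access_text = <<'END';
# comments and blank lines are skipped, as makemap skips them
randbad.com                              DISCARD
okmembership.com                         DISCARD
evilspammer@somewhereintheworld.com      DISCARD
annoyingperson@realemailaddress.com      REJECT
annoyingperson2@realemailaddress.com     550 Sorry, blacklisted user
partner.example                          OK
spammer@                                 REJECT
END

# Parse "key<whitespace>value" lines into a hash. Keys are lowercased so
# that comparisons are case-insensitive, as they are for addresses.
sub parse_access {
    my ($text) = @_;
    my %map;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($key, $value) = $line =~ /^(\S+)\s+(.*?)\s*$/ or next;
        $map{ lc($key) } = $value;
    }
    return \%map;
}

# Candidate keys in the order sendmail consults them for an envelope sender:
# user@host.domain, host.domain, domain, ..., tld, then user@.
sub lookup_keys {
    my ($addr) = @_;
    $addr = lc $addr;
    my ($user, $host) = split /\@/, $addr, 2;
    return ($addr) unless defined $host;
    my @keys   = ($addr);
    my @labels = split /\./, $host;
    while (@labels) {
        push @keys, join('.', @labels);
        shift @labels;
    }
    push @keys, "$user\@";
    return @keys;
}

# The first candidate key present in the map decides; an empty list means
# no entry applies and sendmail falls back to its default handling.
sub resolve {
    my ($map, $addr) = @_;
    for my $key (lookup_keys($addr)) {
        return ($key, $map->{$key}) if exists $map->{$key};
    }
    return;
}

my $map = parse_access($access_text);
for my $sender (qw(
    bob@mail.randbad.com
    evilspammer@somewhereintheworld.com
    evilspammer@other.example
    spammer@anydomain.example
    alice@partner.example
)) {
    my ($key, $action) = resolve($map, $sender);
    printf "%-40s -> %s\n", $sender,
        defined $action ? "$action (matched '$key')" : "no entry, default handling";
}
```

Running it prints one line per constructed sender: bob@mail.randbad.com is
discarded through the randbad.com entry, evilspammer@other.example matches
nothing because the DISCARD entry names one full address, and
spammer@anydomain.example is rejected by the bare spammer@ key at any domain.
Use it to sanity-check a long block list before compiling it, since a
too-broad domain key silently discards legitimate mail from every host under it.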


