[Mimedefang] Desperate for help

Jim McCullars jim at info.uah.edu
Tue Oct 22 16:50:01 EDT 2002


On Tue, 22 Oct 2002, Link, Pete wrote:

> Additional Questions to the LIST:
> 1.  What are you setting your SPAMASSASSIN Required_hits to??? in

   I use 9.1, but I am doing spam filtering for our main campus email
gateway.  Any less, and legitimate (in the recipients' opinions, anyway)
newsletters sometimes get tagged, especially HTML newsletters.  Even at
that, I have to explicitly whitelist some sending addresses.  Even the
SpamAssassin authors say that for an ISP, a setting of less than 8-10 will
garner complaints from users.

> 2.  Are there any other script configurations that can be set to bust more
> SPAM?

In filter_relay, I do this:

  my($ip, $name, $helo) = @_;
  if ($helo =~ /info\.uah\.edu/i) {
    if ($ip ne "127.0.0.1" and
        $ip ne "146.229.5.36") {
          return(0, "Go away... $ip is not in uah.edu");
    }
  }
  return (1);

That way, if a remote MTA presents itself to me as "info.uah.edu" (my host
name), it gets booted.  Change the host name and IP address to your server
(but leave the 127.0.0.1 line in or you may reject locally-sent mail).
That is the setting for this machine.  For our main campus gateway, I had
to change the IP address check so that it checks only the first two octets
($ip !~ /^146\.229/) because a lot of user workstations will do a "helo
email.uah.edu" when a user is sending email.

  Another thing I do on this machine (which I cannot do on our main campus
server because we have a lot of foreign students that get email from home)
is reject certain foreign character sets that send me a lot of spam to
this host.  In the filter routine, I have this:

  # Pull the charset parameter from the Content-Type header of this entity
  my $head = $entity->head;
  my $charset = $head->mime_attr("content-type.charset");
  if (defined($charset)) {
      $charset =~ tr/A-Z/a-z/;    # compare case-insensitively
      if ($charset eq "ks_c_5601-1987" or
          $charset eq "euc-kr" or
          $charset eq "koi8-r" or
          $charset eq "big5") {
          return action_bounce("Spam from Korea not accepted.");
      }
  }

   Lots of the Nigerian 419 scam emails are getting through, so I added
this to my local SA rules file:

#
#  Try to tag those Nigerian scams...
#
body UAH_NIGERIAN_1      /Central Bank of Nigeria|Ministry of Petroleum/
describe UAH_NIGERIAN_1  Common organizations mentioned in Nigerian scam
score UAH_NIGERIAN_1     3.0

If they still get through, I may make those two separate checks with their
own score.

   One other thing - if you use a main and backup gateway, be sure that
you are running MD/SA on all your mail relays.  Spammers are now sometimes
targeting hosts listed as a backup MX, on the theory that its security
will not be as stringent as the main MX.

   HTH...

Jim
*-------------------------------------------------------------------------*
* James H. McCullars                 I Phone: (256) 824-2610              *
* Director of Systems & Operations   I Fax:   (256) 824-6643              *
* Computer & Network Services        I Internet: mccullj at email.uah.edu    *
* The University of Alabama          I -----------------------------------*
*    in Huntsville                   I                                    *
* Huntsville, AL 35899               I This space for rent - CHEAP!       *
*-------------------------------------------------------------------------*
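
The message above gives the single-host HELO check as code but describes the campus-gateway variant (first two octets only, for workstations that say "helo email.uah.edu") only in words. The stand-alone Perl sketch below is an added example, not code from the original post or from MIMEDefang. It puts both variants in one table. check_helo() and %OWN_NAMES are hypothetical names, the pairing of email.uah.edu with the 146.229 prefix is an assumption drawn from the description, and the HELO name is compared exactly rather than with the post's substring match.

```perl
#!/usr/bin/perl
# Added example: models the HELO check from the post outside MIMEDefang.
use strict;
use warnings;

# Our own HELO names, each mapped to the sources allowed to announce them.
# An entry ending in "." is a whole-octet network prefix; any other entry
# is a single address. Host names and addresses are the ones in the post.
my %OWN_NAMES = (
    'info.uah.edu'  => [ '127.0.0.1', '146.229.5.36' ],
    'email.uah.edu' => [ '127.0.0.1', '146.229.' ],
);

# Returns (1) to continue or (0, reason) to reject, the same shape the
# filter_relay snippet in the post returns.
sub check_helo {
    my ($ip, $helo) = @_;
    return (1) unless defined $helo;
    my $name = lc $helo;
    $name =~ s/^\s+|\s+$//g;     # trim stray whitespace
    $name =~ s/\.$//;            # drop a trailing root dot
    my $allowed = $OWN_NAMES{$name} or return (1);   # not one of our names
    for my $entry (@$allowed) {
        if ($entry =~ /\.$/) {
            # Prefix match on an octet boundary, so "146.22.9.1" cannot
            # pass as part of "146.229."
            return (1) if index($ip, $entry) == 0;
        } else {
            return (1) if $ip eq $entry;
        }
    }
    return (0, "Go away... $ip may not HELO as $name");
}

# Constructed sample connections: [relay IP, HELO string].
my @samples = (
    [ '146.229.5.36', 'info.uah.edu'     ],   # the server itself
    [ '203.0.113.9',  'INFO.UAH.EDU'     ],   # outside address, our name
    [ '146.229.77.4', 'email.uah.edu'    ],   # campus workstation
    [ '146.22.9.1',   'email.uah.edu'    ],   # near-miss on the prefix
    [ '198.51.100.7', 'mail.example.org' ],   # unrelated HELO name
);
for my $s (@samples) {
    my ($ok, $why) = check_helo(@$s);
    printf "%-15s %-18s %s\n", @$s, $ok ? 'accept' : "reject ($why)";
}
```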



