[Mimedefang] What to do w/ SPAM?

Dave Shepherd Dave.Shepherd at vixel.com
Mon Sep 23 12:56:01 EDT 2002


I like this idea - but with a twist -

I like to log all rejects to a special rejected.log file and run nightly
reports on it. A little perl script parses the file out and sends a report
to all my users that contains a snip of the log that pertains only to them :)

Users would blame SA/Mimedefang for any email that seemed lost. This
reporting prevents users' blame, and I'll have to say they have made
some whitelist requests from sites that send them company reports that
were being rejected. :(  But - now they know and are happy.

I also log accepted spam that is tagged to another file and send it to
myself so I can see what's getting through and blacklist sites that
repeatedly send pure crap that scores low in SA. Very useful!!

Here is the code that I use in filter_end to call my subroutine
filter_log:

sub filter_end {

:
:
            #----------------------------------------------------------
            # call to &filter_log added by Aug 20th
            #----------------------------------------------------------
            if ($hits > 20) { # It's SPAM so log it & bounce it
                $bounce  = "yes";
                $logfile = "/etc/mail/SpamLogs/rejected.log";
                $recips  = join(', ', @Recipients);
                &filter_log($logfile, $hits, $names, $RelayHostname,
                            $RelayAddr, $Sender, $Subject, $recips);
                syslog('err', 'Message seems to be spam, rejected');
                action_bounce("Message seems to be spam, rejected");
            }


#***********************************************************************
# filter_log to add reporting
#***********************************************************************
use Fcntl qw(:flock);   # LOCK_EX instead of the bare constant 2

sub filter_log {
    my ($logfile, $hits, $names, $host,
        $ip, $sender, $subject, $recipients) = @_;

    # Strip the brackets MIMEDefang puts around relay names and addresses
    $host       =~ s/^\[//;
    $host       =~ s/\]$//;
    $sender     =~ s/^<//;
    $sender     =~ s/>$//;
    $recipients =~ s/[<>]//g;

    # Append under an exclusive lock: several filter children may log at once
    open(my $fh, '>>', $logfile)
        or do { syslog('err', "Cannot open $logfile: $!"); return; };
    flock($fh, LOCK_EX);
    print $fh "**********************************************\n",
              scalar localtime, "\n",
              "$host\t$ip\n",
              "To: $recipients\n",
              "From: $sender\n",
              "Subject: $subject\n",
              "Hits: $hits $names\n";
    close($fh);   # releases the lock
} # End sub

rejected.log looks like this:
**********************************************
Thu Sep 19 05:19:56 2002
200.80.47.154   200.80.47.154
To: lski at vixel.com
From: 121amailbot1a at gmx.de
Subject: Non Smoker & Smoker Insurance for Pennies a Day
Hits: 26.7
FROM_HAS_MIXED_NUMS,DATE_MISSING,NO_REAL_NAME,INVALID_DATE,US_DOLLARS_3,CLICK_BELOW,EXCUSE_3,CLICK_TO_REMOVE_2,LINES_OF_YELLING,NORMAL_HTTP_TO_IP,WEIRD_PORT,FRONTPAGE,BIG_FONT,MAILTO_LINK,CLICK_HERE_LINK,FREQ_SPAM_PHRASE,CTYPE_JUST_HTML
**********************************************
Thu Sep 19 05:20:32 2002
200.80.47.232   200.80.47.232
To: lagg at vixel.com
From: ias1a2s at dreamwiz.com
Subject: Non Smoker & Smoker Insurance for Pennies a Day
Hits: 26.7
FROM_HAS_MIXED_NUMS,DATE_MISSING,NO_REAL_NAME,INVALID_DATE,US_DOLLARS_3,CLICK_BELOW,EXCUSE_3,CLICK_TO_REMOVE_2,LINES_OF_YELLING,NORMAL_HTTP_TO_IP,WEIRD_PORT,FRONTPAGE,BIG_FONT,MAILTO_LINK,CLICK_HERE_LINK,FREQ_SPAM_PHRASE,CTYPE_JUST_HTML
**********************************************


I roll the rejected.log nightly and then run reports on it.
A cron job parses it per user (script sa-reports.pl) - I use Net::LDAP
to query my Directory for valid users because many are rejected
users/ex-employees that don't exist. I only want reports sent to
current valid users. Because I'm a small company with less than
200 employees I just slurp up all my email addresses and alternates
('mail', 'mailalternateaddress') into an array,
then parse the log for each user to a tmpfile and send it to the users.

If you want the code I'll send it to you - about 300 lines of perl code.
Dave S.

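A script along the lines of the sa-reports.pl cron job Dave describes, as an added example (not Dave's code): it parses the rejected.log layout that filter_log writes, drops recipients that are not in the directory, and builds one report per remaining user. The log text, the addresses and the VALID_USERS set standing in for the Net::LDAP query are all constructed for the example.

```python
import re
SEPARATOR = "**********************************************"
# Constructed sample in the layout filter_log writes; the second entry's rule list wraps onto its own line, as in the post.
SAMPLE_LOG = """**********************************************
Thu Sep 19 05:19:56 2002
198.51.100.23\t198.51.100.23
To: alice@example.com, carol@example.com
From: bot1@mail.invalid
Subject: Insurance for Pennies a Day
Hits: 26.7 DATE_MISSING,NO_REAL_NAME,CLICK_HERE_LINK
**********************************************
Thu Sep 19 05:20:32 2002
mail.partner.example\t203.0.113.9
To: bob@example.com
From: reports@partner.example
Subject: Weekly company report
Hits: 21.3
LINES_OF_YELLING,BIG_FONT,CTYPE_JUST_HTML
"""
# Stand-in for the Net::LDAP mail/mailalternateaddress lookup: carol has left the company.
VALID_USERS = {"alice@example.com", "bob@example.com"}

def parse_rejected_log(text):   # one dict per asterisk-delimited entry
    entries = []
    for block in text.split(SEPARATOR):
        lines = [l.rstrip() for l in block.splitlines() if l.strip()]
        if len(lines) < 6: continue             # blank or truncated entry
        host, _, ip = lines[1].partition("\t")
        entry = {"date": lines[0], "host": host, "ip": ip, "rules": ""}
        for line in lines[2:]:
            m = re.match(r"^(To|From|Subject|Hits): ?(.*)$", line)
            if m:
                entry[m.group(1).lower()] = m.group(2)
            else:                               # continuation line: the SA rule names
                entry["rules"] = line
        score, _, rules = entry.get("hits", "0").partition(" ")
        entry["hits"], entry["rules"] = float(score), rules or entry["rules"]
        entries.append(entry)
    return entries

def build_reports(entries, valid_users):   # report text keyed by valid recipient
    by_user = {}
    for e in entries:
        line = (f"{e['date']}  from {e.get('from', '?')} ({e['ip']})  score {e['hits']:.1f}"
                f"  [{e['rules']}]\n    Subject: {e.get('subject', '')}")
        for rcpt in (r.strip() for r in e.get("to", "").split(",")):
            if rcpt in valid_users:             # ex-employees / bogus addresses get nothing
                by_user.setdefault(rcpt, []).append(line)
    return {u: f"Rejected mail addressed to {u}: {len(ls)} message(s)\n" + "\n".join(ls)
            for u, ls in by_user.items()}
```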

Tony Nugent wrote:
> 
> On Sat Sep 21 2002 at 16:58, "Ashley M. Kirchner" wrote:
> 
> >     It's 11pm.  Do you know where your SPAM is?  And I'm not
> > referring to Stuff Posing As Meat.  I'm referring to email SPAM.
> 
> :-)))
> 
> >     Seriously, what do people do with this stuff?
> > action_discard()?  action_bounce()?   I don't know how well
> 
>  [ ... ]
> 
> >     What do you do?
> 
> What I do?
> 
> If it rates over 7.0 but below 9.0 (arbitrary and experimental), the
> Subject line gets changed to add "[SPAM 8.3]" (8.3 being the score)
> to warn the recipient(s), the incident is syslog'ed, and the message
> is delivered as usual.
> 
> If it rates over 9.0, then the recipient list is deleted and
> replaced to end up in a "spammer" account mailbox.  The recipients
> get nothing, but it still allows collection of the spam (and also
> "dead" viruses) where they can be reviewed.
> 
> I'm toying with the idea that if it rates over, say 15 or so, then
> it will be rejected outright for delivery... nothing gets delivered,
> and the remote relay then has the problem of dealing with what to do
> with the reject.
> 
> I also have a (small) relay blacklist (and a whitelist too of
> course), I'll soon add orbs checks, and these will also all be
> bounced outright as delivery refused.  I'm also considering
> rejecting any email with text/html that has no corresponding
> text/plain part (although I want to be careful about this).
> 
> The "spammer" account idea works really well... it is a
> "multi-access" mailbox where a number of people in the office(s) it
> services have imap access to it.  Nothing is lost, and anything
> trapped that is not real spam is still recoverable.
> 
>   And I must say that the latest version of spamassassin has had NO
>   false positives since I upgraded it (although I do have a
>   whitelist that would have caught quite a few).  Very impressed.
>   In fact, a spam confidence score of 7.0 rather than my upper level
>   of 9.0 would have caught all of them with only ONE false positive
>   (and that was an email from McAfee promoting their own anti-spam
>   product!!! :-))
> 
> On one server, the spamtrap has caught over 250 email spams in less
> than a month (and around 50 or so viruses).
> 
> BTW, using syslog to record events like this is very useful... each
> night/week/whatever I run some simple greps and sed's over the
> maillog files to generate statistics on what has been happening.
> 
> I'm sure you'll get lots more ideas from others here.
> 
> Cheers
> Tony
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang