[Mimedefang] .help with getting more information on spam.

Alan Williamson alan at n-ary.com
Thu Apr 24 11:37:01 EDT 2003 

I am pulling my hair out with this ... I just haven't a clue why its not
working.

At the moment the Quarantine messages suck ... they have no useful
information in them.  I want the SA report to be on the end of it, so I can
see WHY it was marked as spam.

I have followed advice of putting: push(@Warnings, "$report\n");

but still nothing.

Here is my complete filter_end() .... what am I doing wrong?

thank you



sub filter_end ($) {
    my($entity) = @_;

    # If you want quarantine reports, uncomment next line
    send_quarantine_notifications();

    # IMPORTANT NOTE:  YOU MUST CALL send_quarantine_notifications() AFTER
    # ANY PARTS HAVE BEEN QUARANTINED.  SO IF YOU MODIFY THIS FILTER TO
    # QUARANTINE SPAM, REWORK THE LOGIC TO CALL
send_quarantine_notifications()
    # AT THE END!!!

    # No sense doing any extra work
        if (message_rejected()){
                action_quarantine_entire_message();
                return;
        }
    #return if message_rejected();

    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            action_add_header("X-Spam-Score", "$hits $names");

            if ($hits >= $req) {
                md_log('spam', $hits, $RelayAddr);
                my($score);
                if ($hits < 40) {
                    $score = "*" x int($hits);
                } else {
                    $score = "*" x 40;
                }
                # We add a header which looks like this:
                # X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
                # The number of asterisks in parens is the integer part
                # of the spam score clamped to a maximum of 40.
                # MUA filters can easily be written to trigger on a
                # minimum number of asterisks...
                action_change_header("X-Spam-Score", "$hits ($score)
$names");

                # If you find the SA report useful, add it, I guess...
                action_add_part($entity, "text/plain", "-suggest",
                                "$report\n",
                                "SpamAssassinReport.txt", "inline");

                push(@Warnings, "$report\n");
                $NotifyAdministratorSubject = "A: $subject";

                action_quarantine_entire_message("$report\n");
                action_notify_administrator("Message quarantined");
                send_quarantine_notifications();


            } else {
                # Delete any existing X-Spam-Score header?
                #action_delete_header("X-Spam-Score");
            }
        }
    }


||| -----Original Message-----
||| From: Joseph Brennan [mailto:brennan at columbia.edu] 
||| Sent: 24 April 2003 14:19
||| To: mimedefang at lists.roaringpenguin.com
||| Subject: [Mimedefang] application... jpg
||| 
||| 
||| 
||| Virusmail came with two attachments.  The one named .exe was
||| successfully removed by mimedefang.  The second one is
||| application/octet-stream but has a .jpg extension.  I have
||| appended only two lines of the encoded data.
||| 
||| The Content-Type of the whole message is multipart/alternative
||| which seems wrong for a message with one text part and two
||| application parts.
||| 
||| It make me think about testing for multipart/alternative with
||| only one text part.  In previous work, I noticed we get good
||| mail calling itself multipart/alternative but containing
||| exactly one part that is text.  Possibly, alternative could
||| really be text and image although I've never seen that.  I'm
||| wondering if any of you have tried a test like this.
||| 
||| I realize a virus checker would presumably have tossed this
||| whole message.  But maybe it could be tossed before going to
||| the virus checker.
||| 
||| Joseph Brennan          Columbia University in the City of New York
||| postmaster at columbia.edu                 Academic Technologies Group
||| 
||| 
||| 
||| 
||| This is a multi-part message in MIME format...
||| 
||| --IK974hhM0P6L8q6u9cVJ2m1CW3u4de
||| Content-Type: text/html;
||| Content-Transfer-Encoding: quoted-printable
||| Content-Disposition: inline
||| 
||| <HTML><HEAD></HEAD><BODY>
||| 
||| <FONT>This is a special  funny website<br>
||| I wish you would enjoy it.</FONT></BODY></HTML>
||| 
||| --IK974hhM0P6L8q6u9cVJ2m1CW3u4de
||| Content-Type: text/plain; name="warning.txt"
||| Content-Disposition: inline; filename="warning.txt"
||| Content-Transfer-Encoding: 7bit
||| MIME-Version: 1.0
||| X-Mailer: MIME-tools 5.411 (Entity 5.404)
||| 
||| WARNING: This message has been altered by a mail filter on
||| Columbia University's mail server, columbia.edu.
||| 
||| An attachment named HEIGHT.exe
||| was removed from this message as a possible security hazard.
||| 
||| 
||| --IK974hhM0P6L8q6u9cVJ2m1CW3u4de
||| Content-Disposition: inline
||| 
||| Content-Type: application/octet-stream;
||| 	name=078878983X.01.THUMBZZZ[1].jpg
||| Content-Transfer-Encoding: base64
||| Content-ID: <If7I3UVhWjf03I2l>
||| 
||| /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcH
||| Bw8LCwkMEQ8S
||| EhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcG
||| Bw4ICA4eFBEU
||| 
||| 
||| _______________________________________________
||| MIMEDefang mailing list
||| MIMEDefang at lists.roaringpenguin.com
||| http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
|||

More information about the MIMEDefang mailing list