[Mimedefang] Bayes and forward account - Clarification

mfaurot at atww.org mfaurot at atww.org
Mon Aug 25 12:21:00 EDT 2003


In article <3753.67.64.138.203.1061821797.squirrel at mail.lucidnetworks.net> you wrote:
> This account would be set up for users to forward untagged spam to for
> learning.

I've done something along these lines.  Several thoughts on this:

1)	Use MIMEDefang to protect the report addresses.  For example,
	if all the users that should be allowed to forward messages
	to these addresses are within a certain netblock, don't accept
	messages to your report addresses from outside that netblock.
	The idea here is that you don't want to allow anyone to use
	these addresses to poison the learning system.

2)	You should have the users forward the messages to be learned
	as attachments.  Many mailers will do this and then set the
	type to be "message/rfc822".  In this way, the users are
	forwarding the message intact, as they've received it.

3)	On the receiving/learning end, you'll need a system to extract
	the message/rfc822 type content and then pump that into the
	learning system (e.g., sa-learn).  You may also want to have
	that system strip out things like the "X-Scanned-By: MIMEDefang
	2.36" header, which would have been added locally, before it's
	sent to sa-learn.  It should also have logic to reject messages
	that don't have the proper attachment type and perhaps to send
	confirmation messages back to the user that sent in the report.

4)	Log what gets reported, so you can identify anyone trying to
	poison the system.  This can be done via procmail.

5)	If MIMEDefang runs as user "defang" you can set up aliases and
	a .procmailrc system to handle the report addresses.  For
	example you might create these aliases in Sendmail's aliases
	file:

		learn-spam:	defang
		learn-ham:	defang

	And then in user defang's .procmailrc, appropriate logic to deal
	with the reports:

	# Learn/Log message as spam
	:0
	* ^TO.*learn-spam@your.domain
	{
		# Log the messages that are being reported
		:0 c
		$HOME/spam.log

		# Parse/extract the report and then send it to the
		# learning system.
		:0
		| /path/to/message/rfc822/parser/learner learn-spam
	}

	# Learn/Log message as ham
	:0
	* ^TO.*learn-ham@your.domain
	{
		# Log the messages that are being reported
		:0 c
		$HOME/ham.log

		# Parse/extract the report and then send it to the
		# learning system.
		:0
		| /path/to/message/rfc822/parser/learner learn-ham
	}

	You may also find it helpful to enable logging in user defang's
	.procmailrc:

		LOGFILE=$HOME/procmail.log
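
The extractor that item 3 describes and that the procmail recipes pipe into, as an added example (not code from the original post or from MIMEDefang). It assumes Python 3 with `sa-learn` on the PATH and that the `learn-spam`/`learn-ham` argument maps to `sa-learn --spam`/`--ham`; the function names and the sample report are constructed for illustration, and confirmation replies are left out.

```python
import email
import subprocess
import sys

LOCAL_HEADERS = ("X-Scanned-By",)  # added by the local scanner, per the post
MODES = {"learn-spam": "--spam", "learn-ham": "--ham"}  # assumed argument mapping

# Constructed sample report: one message forwarded as an attachment.
SAMPLE = (b'Content-Type: multipart/mixed; boundary="b"\n\n'
          b"--b\nContent-Type: message/rfc822\n\n"
          b"X-Scanned-By: MIMEDefang 2.36\nSubject: offer\n\nbuy now\n"
          b"--b--\n")


def _attached(part):
    """Yield forwarded messages without descending into them, so a
    forward nested inside a reported message is not learned separately."""
    if part.get_content_type() == "message/rfc822" and part.is_multipart():
        yield part.get_payload(0)
    elif part.is_multipart():
        for sub in part.get_payload():
            yield from _attached(sub)


def extract_reports(raw):
    """Return each message/rfc822 attachment as bytes, local headers removed."""
    reports = []
    for inner in _attached(email.message_from_bytes(raw)):
        for name in LOCAL_HEADERS:
            del inner[name]  # drops every occurrence; no error if absent
        reports.append(inner.as_bytes())
    return reports


def main(argv):
    if len(argv) != 2 or argv[1] not in MODES:
        print("usage: learner learn-spam|learn-ham", file=sys.stderr)
        return 64  # EX_USAGE
    reports = extract_reports(sys.stdin.buffer.read())
    if not reports:  # not forwarded as an attachment: reject
        print("no message/rfc822 attachment found", file=sys.stderr)
        return 65  # EX_DATAERR
    for msg in reports:
        subprocess.run(["sa-learn", MODES[argv[1]]], input=msg, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A report forwarded inline (no `message/rfc822` part) yields an empty list and a non-zero exit, so nothing reaches the learner from it.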



