[Mimedefang] Bayes and forward account - Clarification
mfaurot at atww.org
Mon Aug 25 12:21:00 EDT 2003
In article <3753.67.64.138.203.1061821797.squirrel at mail.lucidnetworks.net> you wrote:
> This account would be set up for users to forward untagged spam to for
> learning.
I've done something along these lines. Several thoughts on this:
1) Use MIMEDefang to protect the report addresses. For example,
if all the users that should be allowed to forward messages
to these addresses are within a certain netblock, don't accept
messages to your report addresses from outside that netblock.
The idea here is that you don't want to allow anyone to use
these addresses to poison the learning system.
2) You should have the users forward the messages to be learned
as attachments. Many mailers will do this and then set the
type to be "message/rfc822". In this way, the users are
forwarding the message intact, as they've received it.
3) On the receiving/learning end, you'll need a system to extract
the message/rfc822 type content and then pump that into the
learning system (e.g., sa-learn). You may also want to have
that system strip out things like the "X-Scanned-By: MIMEDefang
2.36" header, which would have been added locally, before it's
sent to sa-learn. It should also have logic to reject messages
that don't have the proper attachment type and perhaps to send
confirmation messages back to the user that sent in the report.
4) Log what gets reported, so you can identify anyone trying to
poison the system. This can be done via procmail.
5) If MIMEDefang runs as user "defang" you can set up aliases and
a .procmailrc system to handle the report addresses. For
example you might create these aliases in Sendmail's aliases
file:
    learn-spam: defang
    learn-ham: defang
And then in user defang's .procmailrc, appropriate logic to deal
with the reports:
    # Learn/Log message as spam
    :0
    * ^TO.*learn-spam@your.domain
    {
        # Log the messages that are being reported
        :0 c
        $HOME/spam.log

        # Parse/extract the report and then send it to the
        # learning system.
        :0
        | /path/to/message/rfc822/parser/learner learn-spam
    }

    # Learn/Log message as ham
    :0
    * ^TO.*learn-ham@your.domain
    {
        # Log the messages that are being reported
        :0 c
        $HOME/ham.log

        # Parse/extract the report and then send it to the
        # learning system.
        :0
        | /path/to/message/rfc822/parser/learner learn-ham
    }
You may also find it helpful to enable logging in user defang's
.procmailrc:
    LOGFILE=$HOME/procmail.log
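
Added example, not part of the original post: one way to write the parser/learner that point 3 describes and that the .procmailrc recipes pipe into, sketched in Python. The function names, `LOCAL_HEADERS`, `MODES` and the sample report are assumptions made for illustration, as is sa-learn being on the PATH and reading the message from stdin.

```python
import subprocess
import sys
from email import message_from_bytes

LOCAL_HEADERS = ("X-Scanned-By",)  # added locally by the scanner (named in the post)
MODES = {"learn-spam": "--spam", "learn-ham": "--ham"}  # alias -> sa-learn option
SAMPLE_REPORT = (  # constructed sample: one message forwarded as an attachment
    b"To: learn-spam@your.domain\nContent-Type: multipart/mixed; boundary=b1\n\n"
    b"--b1\nContent-Type: text/plain\n\nmissed spam attached\n"
    b"--b1\nContent-Type: message/rfc822\n\n"
    b"From: spammer@example.net\nSubject: cheap pills\n"
    b"X-Scanned-By: MIMEDefang 2.36\n\nbuy now\n--b1--\n"
)


def _attached(msg):
    """Yield forwarded messages; do not descend into a forwarded message."""
    if msg.get_content_type() == "message/rfc822":
        yield msg.get_payload(0)
    elif msg.is_multipart():
        for part in msg.get_payload():
            yield from _attached(part)


def extract_originals(report: bytes) -> list:
    """Return each attached original as bytes with local headers removed."""
    originals = []
    for inner in _attached(message_from_bytes(report)):
        for name in LOCAL_HEADERS:
            del inner[name]  # drops every occurrence; no error if absent
        originals.append(inner.as_bytes())
    if not originals:
        raise ValueError("no message/rfc822 attachment")  # wrong report format
    return originals


def learn(report: bytes, alias: str) -> int:
    """Pipe each original to sa-learn; return the number of messages learned."""
    flag = MODES[alias]  # KeyError for an unknown alias
    originals = extract_originals(report)
    for original in originals:
        subprocess.run(["sa-learn", flag], input=original, check=True)
    return len(originals)


if __name__ == "__main__":  # .procmailrc: | /path/to/learner learn-spam
    try:
        learn(sys.stdin.buffer.read(), sys.argv[1])
    except (ValueError, KeyError, IndexError) as exc:
        sys.exit(f"report rejected: {exc}")
```

Only the attached message reaches sa-learn, so the reporting user's own wrapper text and headers are never learned; a report forwarded inline instead of as an attachment is rejected with a non-zero exit.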