[Mimedefang] MD filter_end problem with my SA checks

Justin listuser at numbnuts.net
Thu Feb 5 19:09:49 EST 2004


I'm having a show-stopping problem with my mimedefang-filter on my new
test server.  I copied the filter over from another box back when I was in
a hurry to get this box online ASAP.  Recently I decided to work on my MD
filter to 1) figure out why SA checks weren't happening; 2) to utilize
SA's various network tests, AWL, and bayes; and 3) to configure MD to
strip all occurrences of a number of headers inserted by MD and SA checks
done upstream.

It was at this point that I commented out a section of my filter_end that
uses a check on $RelayAddr to skip SA processing.  This was used on the
box I copied the filter from to skip spam processing for outbound mail
from customers.  This was when MD completely ground to a halt.  Any
inbound mail delivery attempt would not get past MD and sendmail would
eventually have to temp fail the message.  All inbound mail on this test
box is forwarded via procmail from another box.  All connections from any
other servers are either spam or infected mail destined for the address I
use in usenet posts.  Since this other server was normally excluded by the
RelayAddr check (which forces an early exit from filter_end) I decided that
the problem must have existed all along and that it must be further down
in my filter_end.  I've gone through it a dozen times and can't find any
typos.  mimedefang.pl -test is happy with it too.  I realize that my logic
was flawed when I used action_delete_header calls liberally; it was a
futile attempt to get MD to strip out the headers from previous spam
checks.  I wasn't sure exactly where I should try to strip the headers so
I eventually tried to strip them everywhere.  I commented these out in 
case a typo in them was the problem.  Didn't help.  I also commented out a 
check I was doing on $hits to conditionally alter the Subject line.  That 
didn't help either.

This is a RH9 box running Sendmail 8.12.11, MD 2.39, and SA 2.63.  I have 
a devel of ClamAV running as well (20040203).  F-Prot ws-4.31 is also 
being used by MD.

MD was configured with: ./configure --sysconfdir=/etc/mail
--with-confsubdir=mimedefang --with-quarantinedir=/var/mail/quarantine
--with-spooldir=/var/mail/MIMEDefang/spool --localstatedir=/var
--disable-clamav

MD found the following features:

[root at perseus 0 /etc/mail/mimedefang]#> mimedefang.pl -features
MIMEDefang version 2.39

File::Scan                    : yes
HTML::Parser                  : yes
HTML::TokeParser              : yes
Path:CONFDIR                  : yes (/etc/mail/mimedefang)
Path:QUARANTINEDIR            : yes (/var/mail/quarantine)
Path:SENDMAIL                 : yes (/usr/sbin/sendmail)
Path:SPOOLDIR                 : yes (/var/mail/MIMEDefang/spool)
SpamAssassin                  : yes
Unix::Syslog                  : yes
Virus:CLAMAV                  : yes (/usr/local/bin/clamscan)
Virus:CLAMD                   : yes (/usr/local/sbin/clamd)
Virus:FPROT                   : yes (/usr/local/bin/f-prot)
Virus:FileScan                : yes
HTMLCleaner                   : no
Virus:AVP                     : no
Virus:BDC                     : no
Virus:FPROTD                  : no
Virus:FSAV                    : no
Virus:HBEDV                   : no
Virus:NAI                     : no
Virus:NVCC                    : no
Virus:OpenAV                  : no
Virus:SOPHIE                  : no
Virus:SOPHOS                  : no
Virus:SymantecCSS             : no
Virus:TREND                   : no
Virus:TROPHIE                 : no
Virus:VEXIRA                  : no

IO::Socket                    : Version 1.28
MIME::Tools                   : Version 5.411 
MIME::Words                   : Version 5.404 
Digest::SHA1                  : Version 2.06
Mail::SpamAssassin            : Version 2.61
Anomy::HTMLCleaner            : missing
File::Scan                    : Version 0.76
HTML::Parser                  : Version 3.34
HTML::TokeParser              : Version 2.28
Unix::Syslog                  : Version 0.99

/var/mail/MIMEDefang/spool is a tmpfs volume.

My filter_end follows:

sub filter_end ($) {
    my($entity) = @_;
        
    # If you want quarantine reports, uncomment next line
    # send_quarantine_notifications();
            
    # IMPORTANT NOTE:  YOU MUST CALL send_quarantine_notifications() AFTER
    # ANY PARTS HAVE BEEN QUARANTINED.  SO IF YOU MODIFY THIS FILTER TO
    # QUARANTINE SPAM, REWORK THE LOGIC TO CALL send_quarantine_notifications()
    # AT THE END!!!
            
    # No sense doing any extra work
    return if message_rejected(); 

    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
      # List local IPs that you DO NOT want MD to run SA checks on.
      # This excludes maple from this bypass but lets localhost and the
      # /19 bypass SA.  The network terms are grouped in parentheses so the
      # "ne maple" test applies to all of them: Perl's "and" binds more
      # tightly than "or", so without the parentheses 64.71.97.14 matched
      # the 64.71.97 pattern and skipped SA anyway.
      if ($RelayAddr ne "64.71.97.14" and
          ($RelayAddr eq "127.0.0.1" or
           $RelayAddr =~ /^64\.71\.(9[6-9]|10[0-9]|11[01])\./)  # 64.71.96 .. 64.71.111
      ) {

        # Skip SpamAssassin checks by returning immediately.
        return 0;
      } else {
    
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            my($score);
            if ($hits < 40) {
                $score = "*" x int($hits);
            } else {
                $score = "*" x 40; 
            } # end of $hits < 40

            # We add a header which looks like this:
            # X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
            # The number of asterisks in parens is the integer part
            # of the spam score clamped to a maximum of 40.
            # MUA filters can easily be written to trigger on a
            # minimum number of asterisks...
            if ($hits >= $req) {
                # Delete any existing X- Spam-related headers?
#               action_delete_header("X-Spam-Score");
#               action_delete_header("X-Spam-Report");
#               action_delete_header("X-Spam-Status");
#               action_delete_header("X-Scanned-By");
        
#               my $fixed_report = $report;
#               $fixed_report =~ s/\n+\z//g;        # fixes for multiline header
#               $fixed_report =~ s/\n/\n\t/g;       # to stop sendmail complaining

                action_change_header("X-Spam-Score", "$score ($hits) $names");
#               action_change_header("X-Spam-Report", "$fixed_report");
                # action_add_header("X-Spam-Report", "$fixed_report");
                md_graphdefang_log('spam', $hits, $RelayAddr);
        
                # Change the Subject line if $hits >= 10
#               if ($hits >= 10) {
#                  action_add_header("X-Original-Subject", "$Subject");
#                  action_change_header("Subject", "***SPAM*** $Subject");
#               }
    
            } else {
                # Delete any existing X-Spam-Score header?
                action_delete_header("X-Spam-Score");
#               action_delete_header("X-Spam-Report");
#               action_delete_header("X-Spam-Status");
#               action_delete_header("X-Scanned-By");
            } #end of $hits >= $req
                
        } # end of size check
                
      } # end of $RelayAddr check

    } # end of Features[SpamAssassin]
            
    # I HATE HTML MAIL!  If there's a multipart/alternative with both
    # text/plain and text/html parts, nuke the text/html.  Thanks for
    # wasting our disk space and bandwidth...
            
    # If you don't mind HTML mail, comment out the next line.
    remove_redundant_html_parts($entity);
    md_graphdefang_log('mail_in');

} # sub filter_end


If anyone wants the full mimedefang-filter I'll send it separately.  I 
didn't want to waste the list's bandwidth if I didn't need to.  I'm pretty 
sure the problem is with the SA checks.  I can't think of any other reason 
why mail could get through when my $RelayAddr check excluded the source of 
my mail from SA checks (although they weren't working) but fails as soon 
as I remove that check.  The only thing I haven't yet done is revert to 
the example mimedefang-filter and example sa-mimedefang.cf.  I'll try both 
after I send this message.  Any other ideas would be much appreciated.  
Thanks

Justin
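Added example, not code from Justin's post or from the MIMEDefang project: a stand-alone Perl script that factors the relay bypass test out of filter_end into a function where the deny-list (maple) is checked before the allow-list, and shows why the posted and/or chain let 64.71.97.14 skip SA. The function names, the 127.0.0.0/8 and 64.71.96.0/20 ranges (the range the posted regexes actually cover) and the test addresses are assumptions.

```perl
#!/usr/bin/perl
use strict; use warnings;

# Relays that must never skip SA (maple, per the post's comment).
my %never_bypass = ('64.71.97.14' => 1);
# Networks allowed to skip SA: localhost plus the range the posted regexes
# cover (64.71.96.x through 64.71.111.x, i.e. 64.71.96.0/20).  Assumed values.
my @bypass_nets = ('127.0.0.0/8', '64.71.96.0/20');

sub ip_to_int {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    return undef unless @o == 4 && !grep { $_ !~ /^\d+$/ || $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my ($ipn, $netn) = (ip_to_int($ip), ip_to_int($net));
    return 0 unless defined $ipn && defined $netn;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
}

# True when SA may be skipped for mail relayed from $addr.  The deny-list is
# checked first, so a host inside an allowed net can still be forced through SA.
sub skip_sa_for_relay {
    my ($addr) = @_;
    return 0 if $never_bypass{$addr};
    for my $net (@bypass_nets) { return 1 if in_cidr($addr, $net); }
    return 0;
}

# The posted expression, trimmed to the terms that matter: "and" binds more
# tightly than "or", so "ne maple" only guards the localhost term.
sub original_check {
    my ($RelayAddr) = @_;
    my $bypass = ($RelayAddr ne "64.71.97.14" and $RelayAddr eq "127.0.0.1" or
                  $RelayAddr =~ /^64\.71\.97\./);
    return $bypass ? 1 : 0;
}

# Self-checks on constructed addresses.
die "maple must not bypass SA" if skip_sa_for_relay('64.71.97.14');
die "64.71.100.5 should bypass" unless skip_sa_for_relay('64.71.100.5');
die "64.71.112.1 must be scanned" if skip_sa_for_relay('64.71.112.1');
die "original check wrongly bypasses maple" unless original_check('64.71.97.14');
print "all checks passed\n";
```

Running the script with no output other than "all checks passed" confirms that the deny-list version scans mail from maple while the original expression would have let it through unscanned.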
