[Mimedefang] MIMEDefang as a mail gateway...?

Lucas Albers admin at cs.montana.edu
Sat Mar 6 14:11:27 EST 2004


Fernando Gleiser said:
> On Fri, 5 Mar 2004, Michael Sims wrote:
>
>> Another solution is to build a virtusertable db on your MX which contains a
>> list of all your valid usernames and reject anyone that isn't in it with an
I just run logwatch and determine top invalid recipients that don't reject
and explicitly reject them.
I have too many widespread systems to determine all the valid users.
I also found that File::Scan was too aggressive on rejecting viruses on the
quarantine, virus type detected is "suspicious", so I disable rejection on
that.
See:
 if (($action eq "quarantine") && ($VirusName eq 'suspicious')){

I'm not sure I understand not being able to train the bayesian database.
All the incoming mail gets trained on our relay, we only have one bayes
relay.
It appears to work ok, it would work better with individual user
preferences, but it catches most spam.
Looking at it I see I have around:
0.000          0       8289          0  non-token data: nspam
0.000          0      28903          0  non-token data: nham
0.000          0     251154          0  non-token data: ntokens

I've never manually trained it, if that is what you are referring to.
Just set your learn-ham/non-ham thresholds good enough.
I like to set my ham at around .5 so it catches a lot of normal user email
that might have html in it.

I enabled pyzor/dcc/razor.

I add very few rules to the sa mix, as I would rather miss a lot of spam
on the external relay than get a FP.

I added the following additional rules, but have not otherwise tweaked it.

header BLACKLIST_1     Received =~ /outblaze.com|hinet.net|chinanet-gd|kornet.net|above.net|level3.net|exodus.net|cw.net|interbusiness.it|outblaze.com/i
describe BLACKLIST_1   known spammy domains,but not outright spam or blacklisted
score BLACKLIST_1 1

#might be an improvement on this particular rule.
rawbody TINY_FONT_1  /\<.*font\-size\:[ \"]*1[^0-9]+.*\>/i
describe TINY_FONT_1 Body contains 1pt font
score TINY_FONT_1  1

rawbody TINY_FONT_0  /\<.*font\-size\:[ \"]*0[^0-9]+.*\>/i
describe TINY_FONT_0 Body contains 0pt font
score TINY_FONT_0  1

#catch bayes poison, will FP on long text.
#might fp on prose
body        RANDOMWORD_10  /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
describe    RANDOMWORD_10   String of 10+ random words
score       RANDOMWORD_10  1
body        RANDOMWORD_15  /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe    RANDOMWORD_15   String of 15+ random words
score       RANDOMWORD_15  2

body        RANDOMWORD_20  /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){20}/
describe    RANDOMWORD_20   String of 20+ random words
score       RANDOMWORD_20 3

#normally .1
score HTML_FONTCOLOR_UNSAFE  .5
score HTML_FONTCOLOR_UNKNOWN .5
#normally .4
score HTML_FONTCOLOR_INVISIBLE 1

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
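
Added example, not part of the original post: a small Python harness that runs the three RANDOMWORD patterns quoted above over constructed sample text, to see where the false positives the rule comments warn about come from. It assumes each sample is one already-rendered body paragraph and uses Python's `re` in place of Perl's regex engine (the pattern uses only syntax both share); `longest_run`, `evaluate` and the samples are hypothetical names and data.

```python
import re

# One "word" as the posted rules count it: 4-12 lowercase letters, not one of
# the five excluded common words, followed by whitespace.
WORD = r"(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+)"

# (rule name, consecutive words required, score), as given in the post.
RULES = [("RANDOMWORD_10", 10, 1), ("RANDOMWORD_15", 15, 2), ("RANDOMWORD_20", 20, 3)]


def longest_run(text):
    """Longest run of consecutive words the pattern accepts (for diagnosis)."""
    runs = re.finditer(WORD + "+", text)
    return max((len(m.group().split()) for m in runs), default=0)


def evaluate(text):
    """Return (names of the rules that fire, summed score) for one paragraph."""
    fired = [(name, pts) for name, n, pts in RULES
             if re.search(WORD + "{%d}" % n, text)]
    return [name for name, _ in fired], sum(pts for _, pts in fired)


# Constructed samples, not real mail.
SAMPLES = {
    # Ordinary sentence: short words, capitals and punctuation break every run.
    "prose": "Please send the report to me by noon if you can, "
             "and copy the team on it.",
    # Bayes-poison style filler: 21 lowercase words, 20 followed by whitespace.
    "word_salad": "harbor velvet quantum ladder misty orchard pencil gravel "
                  "tundra mosaic bracket sonnet walnut ripple canyon feather "
                  "lantern prism thistle ember anchor",
    # Legitimate lowercase keyword list: the false-positive case.
    "topic_list": "topics include network security applied cryptography "
                  "malware analysis incident response digital forensics "
                  "secure coding threat modeling",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        names, total = evaluate(text)
        print(f"{label:11} run={longest_run(text):2} score={total} {names}")
```

The tiers stack: a 20-word run fires all three rules for a combined 6 points, which is above SpamAssassin's default required_score of 5, while the legitimate keyword list already collects 3 points from these rules alone.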


