[Mimedefang] Frustration...

Brent J. Nordquist b-nordquist at bethel.edu
Thu Nov 4 15:02:57 EST 2004


On Thu, Nov 04, 2004 at 02:15:20PM -0500, Lisa Casey wrote:
> I've spent most of this week on this and am just getting frustrated. I'm
> Sysadmin for an ISP. I installed MIMEDefang, Spamassassin and filter::scan

(I assume you mean File::Scan there)

> on my Red Hat Sendmail server as a way of dealing with my customers
> spam/virus (mostly the spam, it's a REAL problem).
> 
> As far as I can tell, MIMEDefang/Spamassassin are working OK. I tested
> Spamassassin when I installed it with the sample-nonspam.txt and
> sample-spam.txt included. MIMEDefang adds this header to e-mail:
> 
> X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
> 
> and Spamassassin adds a SpamAssassinReport.txt as an attachment to each
> spam mail.

Sounds promising.

You said you wanted other people to tell you how they use MD/SA. I'll
try to give some context for what I do here.

> But I've been reading websites for two days now and can't figure
> out how to do anything else with this.

First off: What are you using for your mimedefang-filter script? The
tarball has examples/suggested-minimum-filter-for-windows-clients which
has a pretty complete framework. I used that as the basis for ours and
haven't had to change it all that much.

The mimedefang-filter manual page is worth the time to study. It explains
how mimedefang-filter works -- basically, MD will call filter_begin(),
filter(), etc. at various points in its processing. You get to fill in
those functions with your decided policies -- you have a good starting
point in the example script, but there's no getting around the fact that
you'll have to do some coding to match your decisions. Knowing how that
file works will demystify MD a lot.

> Basically I don't want spam coming
> into my users' mailboxes; they don't want it. I understand there will be some
> amount of false positives, but I just want to drop (or bounce or whatever)
> the spam before it reaches the mailboxes.

My users would never allow me to unilaterally drop everything that SA
claimed was spam. I have to allow them the choice of whether they want SA
filtering, and what should be done with spam. So we rely on the X-Spam-*
headers... by default, when SA flags the mail as spam by adding the
header, as part of the Sendmail delivery process, we use procmail to
put the mail in a folder called "Blocked" which the user can review
periodically looking for false-positives. If the user wants to change
procmail so it's deleted, or disable it, that's their choice.

I'm surprised to hear someone from an ISP so confident that you can
drop it all for your users. But, if you're sure, I would say you should
look at the part of filter_end() in the example mimedefang-filter where
the "$hits >= $req" test is, and use action_discard() there instead of
adding the report.

> I'd also like to drop, bounce, whatever mail that has certain words in the
> subject, such as [...]

When I have to, I use Sendmail to do this (write me off-list if you
want details), only because we had this capability before we started
using MD. But as documented in the man page, the "$Subject" variable
is available to the functions in mimedefang-filter like filter() -- you
can check for your trigger words, and use action_discard() there as well.

Again, I would caution you to be careful. The "v-word" might be reasonable
but will your users really be happy if they use the name of an expensive
watch or fashion hand-bag or anatomical part in the Subject: line of a
legitimate email, and you drop it for them?

The SA philosophy is "lots of evidence (tests) with little scores which,
taken together, are compelling". There's danger in a philosophy of "one
big litmus test that decides yea or nay". And you'll also have the joy
of trying to keep up with the "word of the week" (whack-a-mole) including
all the cre at t!ve ways they can be s.p.e.l.l.e.d.

> Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper
> and most of my users pick up their mail using Outlook Express. I understand
> I can't just forward spam to a spam mailbox and run sa-learn on that as the
> forwarding will not get the original headers.

SA can be set to "auto-learn" ham or spam. You'd want to see the SA
documentation for that. So I only use sa-learn for false-negatives that
I and a few other users here identify. Our convention is to put them in
a folder just for FNs, and I run sa-learn on that directly (so it does
pick up the original headers).

Hope this helps somewhat, and hope you're successful in implementing. The
value of MD/SA is well worth the effort.

-- 
Brent J. Nordquist <b-nordquist at bethel.edu> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html
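The two changes Brent points at (discarding at the "$hits >= $req" test in filter_end(), and checking $Subject for trigger words) as one added example of a mimedefang-filter fragment. This is not code from the original post or from the MIMEDefang distribution; it assumes the stock filter's structure (spam_assassin_check() returning hits, required score, test names and report; $Subject and $RelayAddr set by MIMEDefang before the filter_* callbacks; md_graphdefang_log for logging). The trigger-word list and the $DiscardMargin value are constructed for illustration: the margin only discards well above the SA threshold and keeps tagging plus the report attachment in between, which matches the caution in the reply about false positives.

```perl
# Fragment of /etc/mail/mimedefang-filter (added example, not the stock file).
# Like the stock filter, this relies on MIMEDefang's package globals
# ($Subject, $RelayAddr, %Features) rather than declaring its own.

# Constructed trigger list. \b keeps e.g. "cialis" from matching "specialist";
# /i makes the match case-insensitive. Extend with care (see the reply above).
my @SubjectTriggers = (
    qr/\bviagra\b/i,
);

# Constructed site policy: discard only this many points above the SA
# required score; between $req and $req + margin, tag and attach the report
# so users can still review it.
my $DiscardMargin = 10;

# Subject check done once per message in filter_begin rather than once per
# MIME part in filter(); $Subject is the same global in both.
sub filter_begin {
    foreach my $re (@SubjectTriggers) {
        if (defined($Subject) && $Subject =~ $re) {
            md_graphdefang_log('subject_trigger', $Subject, $RelayAddr);
            # Accept the message at SMTP time and silently drop it.
            # action_bounce("reason") would reject it instead.
            action_discard();
            return;
        }
    }
}

sub filter_end {
    my ($entity) = @_;

    return unless $Features{"SpamAssassin"};

    # Same guard as the stock filter: do not run SA on very large messages.
    if (-s "./INPUTMBOX" > 100 * 1024) {
        md_graphdefang_log('large_message', -s "./INPUTMBOX", $RelayAddr);
        return;
    }

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $score = "*" x ($hits < 40 ? int($hits) : 40);

    if ($hits >= $req + $DiscardMargin) {
        # High-confidence spam: this is the branch where the reply suggests
        # action_discard() in place of adding the report.
        md_graphdefang_log('spam_discarded', $hits, $RelayAddr);
        action_discard();
    } elsif ($hits >= $req) {
        # Borderline: tag it and attach the report, as the stock filter does,
        # so procmail (or the user) can decide what to do with it.
        md_graphdefang_log('spam', $hits, $RelayAddr);
        action_change_header("X-Spam-Score", "$hits ($score) $names");
        action_add_part($entity, "text/plain", "-suggest", "$report\n",
                        "SpamAssassinReport.txt", "inline");
    } else {
        # Ham: make sure no forged X-Spam-Score survives from upstream.
        action_delete_header("X-Spam-Score");
    }
}

1;
```

After editing the filter, run `mimedefang.pl -test` (or the `-t` option on older releases) to syntax-check it before restarting the multiplexor; a Perl error in the filter file otherwise takes mail delivery down with it. Anything discarded in either branch is gone without a bounce, so the md_graphdefang_log calls are the only record the site keeps of what was dropped.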


