[Mimedefang] Re: Frustration...

Thu Nov 4 16:09:57 EST 2004

Lisa Casey wrote:
> As far as I can tell, MIMEDefang/Spamassassin are working OK. I
> tested Spamassassin when I installed it with the sample-nonspam.txt
> and sample-spam.txt included. Mimeddefang adds this header to e-mail:
> 
> X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
> 
> and Spamassassin adds a SpamAssassinReport.txt as an attachment to
> each spam mail.

Well, to nitpick a bit, MIMEDefang adds the SpamAssassinReport.txt to
the message.  SA just does the processing that tells MD what to put in
the report.

> But I've been reading websites for two days now and
> can't figure out how to do anything else with this. Basically I don't
> want spam coming into my users mailboxes, they don't want it.

There are a couple of ways you can handle this depending on what
customers are screaming about.  Read on.

> I understand there will be some
> amount of false positives, but I just want to drop (or bounce or
> whatever) the spam before it reaches the mailboxes.

VERY bad idea unless it's something you can configure on a per-customer
basis, and it is opt-in for mail tagged as spam to be dropped.  I would
also suggest two thresholds- one for tagging, one for
bounce/reject/drop.

To reject/bounce mail "properly", you need to add calls after the
SpamAssassin check in mimedefang-filter.  In the default filter, look
for the call near the bottom to action_add_part()- this is what's adding
the SA report.  You may want to replace this with a call to
action_bounce() to reject the message with a 5xx SMTP code - read the
man page for mimedefang-filter for the details for your version of MD.

Loosly speaking, you could do something like:

my($hits, $req, $names, $report) = spam_assassin_check();
if ($hits > 10) {
  action_bounce("PTHBT!  Spam rejected!", "554", "5.7.1");
}
action_change_header("X-Spam-Score", "$hits ($score) $names");
if ($hits > $req) {
  action_change_header("Subject", "spam warning");
  action_add_header("X-Spam-Status", "Yes, hits=$hits required=$req");
}

This would reject messages scoring more than 10, and subject-tag
messages scoring over the SA threshold defined in the SA configuration
files (I've been using the default 5 without much trouble for several
years now).  It would also add a spam-score header to EVERY message that
got through, and add an X-Spam-Status header on tagged messages.

You could just as easily modify this to keep adding the SA report to
messages scoring over the SA threshold instead of just subject-tagging
them.

> I'ld also like to drop, bounce, whatever mail that has certain words
> in the subject, such as rolex, penis, viagra, etc.

*VERY*, **VERY** dangerous in an ISP environment!!  I would STRONGLY
recommend AGAINST this.  It has far too much potential to backfire on
you.

What I usually do is do a little more detailed examination of a sample
false-negative spam, and create one or more rules for SA based on that
message.  I score it between 1.5 and 3 or so, depending on how many
rules the message already hit.  I also check on SURBL hits (look up the
base domain name of any websites mentioned in the message as
domain.com.multi.surbl.org) and add domains to a local SURBL list if I
don't get any hits.

> Also, I'm not sure how I'm supposed to feed it spam. I have
> Sendmail/Qpopper and most of my users pick up their mail using
> Outlook Express. I understand I can't just forward spam to a spam
> mailbox and run sa-learn on that as the forwarding will not get the
> original headers.

This is where MIMEDefang integration gets a little tricky;  the system
I've got calling SA from MD has been set up to autolearn and I've pretty
much left it alone.  Results so far have actually been pretty good, and
I've usually received a few messages in such a way that I can feed them
into Bayes without too much trouble.  I also ask that customers forward
FPs *AS ATTACHMENTS* (any other way gets horribly ugly) so I can train
them as ham.

Outlook Express can forward like this just fine:  Right-click a message,
and click "Forward as attachment".  Save the attachment to a file, and
sa-learn it.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!