[Mimedefang] razor2 problems
John Kennedy
jk+defang at csuchico.edu
Thu Mar 2 18:50:42 EST 2006
I see this get posted to the list periodically, but I've tried all
the solutions I've seen and think I've correctly implemented them.

I've got mimedefang-2.56 driving Mail-SpamAssassin-3.1.0, clamav-0.88,
razor-agents-2.77. It is running on a RHEL linux box, but that probably
doesn't matter too much since I've recompiled perl (-5.8.8) and added in
all the associated modules, rather than use the aged version RedHat ships.

In short:

    I've added $SALocalTestsOnly = 0
    I know both sa-mimedefang.cf and mimedefang-filter are being used
    Standalone tests from "defang" user show razor checks
    I see no evidence of razor checks added to headers/reports
    I don't see the .log file in ~defang/.razor getting updated (by MD)

When I check it out by hand, I see results:
[/opt/mx/bin/spamassassin -t -D < /tmp/sample.msg 2>&1 | grep -i razor]
[23448] dbg: config: read file /opt/mx/share/spamassassin/25_razor2.cf
[23448] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[23448] dbg: razor2: razor2 is available, version 2.77
[23448] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c)
[23448] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c))
[23448] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[23448] dbg: razor2: part=1 engine=4 contested=0 confidence=0
[23448] dbg: razor2: part=1 engine=8 contested=0 confidence=0
[23448] dbg: razor2: results: spam? 0
[23448] dbg: razor2: results: engine 8, highest cf score: 0
[23448] dbg: razor2: results: engine 4, highest cf score: 0
[23448] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c))
RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05,
RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05,
I can see the entries in .log getting updated by the done-by-hand tests:
[defang at mail3 mx]$ more ~/.razor/razor-agent.log
Feb 24 10:10:15.653080 admin[30969]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
Feb 24 10:10:15.653743 admin[30969]: [ 2] Razor-Agents v2.77 starting razor-admin --create
Mar 02 15:28:20.936598 check[23412]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
Mar 02 15:28:22.005833 check[23412]: [ 3] mail 1 is not known spam.
Mar 02 15:38:45.605939 check[23448]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
Mar 02 15:38:45.845542 check[23448]: [ 3] mail 1 is not known spam.
Configuration details, for those that have read this far.

I tracked down init.pre and made sure I had it set up:
--- Mail-SpamAssassin-3.1.0/rules/init.pre 2005-08-11 17:38:50.000000000 -0700
+++ /etc/opt/mail/spamassassin/init.pre 2006-03-02 14:46:50.000000000 -0800
@@ -5,5 +5,6 @@
#
-# This file contains plugin activation commands for plugins included
-# in SpamAssassin 3.0.x releases. It will not be installed if you
-# already have a file in place called "init.pre".
+# This file will be loaded before *all other* configuration files, including
+# the system configuration. As such, it's a good place to set things that
+# will affect how those files are parsed, like which plugins are loaded
+# etc.
#
@@ -29 +30,2 @@
+loadplugin Mail::SpamAssassin::Plugin::Razor2
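
Review bot: the added `loadplugin Mail::SpamAssassin::Plugin::Razor2` line only helps if the SpamAssassin instance that MIMEDefang builds actually reads /etc/opt/mail/spamassassin/init.pre. The standalone debug run quoted above shows the plugin loading, but none of the quoted lines show which init.pre was consulted, for either the standalone run or the daemon. Confirm the path from the daemon's side before treating this file as ruled out.
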
The spamassassin .cf file is pretty stock, perhaps with extra bits in
it as I've tried to enable things with or without success:
--- src/mimedefang-2.56/SpamAssassin/spamassassin.cf 2003-05-28 13:55:44.000000000 -0700
+++ /etc/mail/sa-mimedefang.cf 2006-03-02 14:46:50.000000000 -0800
@@ -56,2 +56,3 @@
# report_header 1
+report_header 1
@@ -73,3 +74,3 @@
-skip_rbl_checks 1
+skip_rbl_checks 0
@@ -81 +82,22 @@
+#
+# Local mods
+#
+clear_report_template
+report ...
+
+# Enable the Bayes system
+use_bayes 1
+bayes_auto_learn 1
+
+# Enable or disable network checks
+use_razor2 1
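
Review bot: `use_razor2 1` at the end of this hunk switches the check on, but nothing in the added block tells Razor where its configuration lives. The post reports that ~defang/.razor/razor-agent.log is updated by the hand-run tests and not by MIMEDefang, which is what a different home directory in the daemon's environment would look like. Consider adding a `razor_config` line with the full path to the razor-agent.conf that `razor-admin --create` wrote for the defang user, so the lookup does not depend on HOME.
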
I know it is using this .cf because of the report difference, at the
very least.

Idle note, I can't guarantee that bayes is working at this point
in time. Turned it on not too long ago, or tried to, probably doesn't
have enough ham samples yet.

The mimedefang-filter has had a bit more customization done to it. There are cosmetic
textual changes. Important thing being that the "$SALocalTestsOnly = 0;" is in there
(and I know that kicks in because I see the blackhole checks in the spam reports).
--- src/mimedefang-2.56/examples/suggested-minimum-filter-for-windows-clients 2006-02-08 14:01:24.000000000 -0800
+++ /etc/mail/mimedefang-filter 2006-03-02 14:46:50.000000000 -0800
@@ -1,2 +1,4 @@
-# -*- Perl -*-
+#
+# $Id: mimedefang-filter,v 1.6 2006/03/01 19:32:39 warlock Exp $
+#
#***********************************************************************
@@ -13,3 +15,3 @@
#
-# $Id: suggested-minimum-filter-for-windows-clients,v 1.87 2006/02/08 22:01:24 dfs Exp $
+# $Id: mimedefang-filter,v 1.6 2006/03/01 19:32:39 warlock Exp $
#***********************************************************************
@@ -21,4 +23,4 @@
#***********************************************************************
-$AdminAddress = 'postmaster at localhost';
-$AdminName = "MIMEDefang Administrator's Full Name";
+$AdminAddress = 'postmaster+mimedefang at csuchico.edu';
+$AdminName = "MIMEDefang";
@@ -30,3 +32,3 @@
#***********************************************************************
-$DaemonAddress = 'mimedefang at localhost';
+$DaemonAddress = 'postmaster+mimedefang at csuchico.edu';
@@ -64,2 +66,6 @@
+$GeneralWarning = "NOTIFICATION OF ATTACHMENT REMOVAL\n\n ... \n\n";
+
+$SALocalTestsOnly = 0;
+
#***********************************************************************
@@ -82,2 +88,3 @@
$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
+ $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|xyzzy|\{[^\}]+\})';
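
Review bot: the new `$bad_exts` assignment is added below the stock one instead of replacing it, so the original line stays in the file as a dead assignment that is immediately overwritten. Replace the stock line rather than duplicating it, so the next person merging an upstream change to the extension list edits the one that is actually in effect. The only difference between the two is the added `xyzzy` entry, which looks like a test value and deserves a comment if it is meant to stay.
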
@@ -122,2 +129,4 @@
+ if (0)
+ {
# Copy original message into work directory as an "mbox" file for
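
Review bot: wrapping the block that begins at "Copy original message into work directory" in `if (0) {` leaves the whole-message scan in the file as dead code with no comment saying why it was switched off. Either delete the block or put a comment above the `if (0)` saying that scanning now happens in the per-entity code added further down, so the extra closing brace in the later hunk is not mistaken for a stray one.
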
@@ -137,2 +146,3 @@
md_graphdefang_log('virus', $VirusName, $RelayAddr);
+
md_syslog('warning', "Discarding because of virus $VirusName");
@@ -145,2 +155,3 @@
}
+ }
}
@@ -182,5 +193,25 @@
+ # Virus scan
+ my ($code, $category, $action) = entity_contains_virus($entity);
+ # If you are more paranoid, change to: if ($action eq "quarantine") {
+ if ($category eq "virus")
+ {
+# $FoundVirus = 1;
+ md_graphdefang_log('virus', $VirusName, $RelayAddr);
+ action_add_header("X-csuc-VirusScan", "Infected ($VirusName)");
+ return action_drop_with_warning("Attachment removed: $fname ($VirusName)");
+
+ #action_add_header("X-Virus-Scan", "Found and deleted $VirusName");
+ # Discard the entire message.
+ return action_discard();
+ }
+ elsif ($action eq "tempfail")
+ {
+ action_tempfail("Problem running virus-scanner");
+ md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
+ }
+
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
- return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
+ return action_drop_with_warning("Attachment removed: $fname (attachment type blocked)");
}
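
Review bot: in the added virus branch, `return action_drop_with_warning(...)` is followed by `return action_discard();`, which can never run, so an infected message is delivered with the attachment removed rather than discarded. Decide which behaviour is intended and delete the other, along with the "Discard the entire message" comment if the drop-with-warning stays. The `elsif ($action eq "tempfail")` branch also calls `action_tempfail(...)` without a `return`, so control falls through to `filter_bad_filename($entity)` on a message that is being tempfailed; add a `return` there.
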
@@ -291,7 +322,7 @@
my($score);
- if ($hits < 40) {
- $score = "*" x int($hits);
- } else {
- $score = "*" x 40;
- }
+ if ($hits < 40)
+ { $score = "S" x int($hits); }
+ else
+ { $score = "S" x 40; }
+
# We add a header which looks like this:
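
Review bot: the score string is now built from "S" instead of "*", but the surrounding comments still describe the old format (the context in the next hunk reads "minimum number of asterisks..."). Update those comments together with this change, since downstream header-matching rules are usually written from them.
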
@@ -302,14 +333,19 @@
# minimum number of asterisks...
- if ($hits >= $req) {
- action_change_header("X-Spam-Score", "$hits ($score) $names");
- md_graphdefang_log('spam', $hits, $RelayAddr);
+ action_change_header("X-csuc-MIMEDefang-SpamScore", "$hits ($score) $names");
+ md_graphdefang_log('spam', $hits, $RelayAddr);
+
+ if ($hits >= $req)
+ {
+ action_change_header("X-csuc-SpamCheck", "spam");
# If you find the SA report useful, add it, I guess...
action_add_part($entity, "text/plain", "-suggest",
- "$report\n",
- "SpamAssassinReport.txt", "inline");
- } else {
- # Delete any existing X-Spam-Score header?
- action_delete_header("X-Spam-Score");
- }
+ "$report\n", "SpamAssassinReport.txt", "inline");
+ }
+ else
+ {
+ action_change_header("X-csuc-SpamCheck", "ham");
+# # Delete any existing X-Spam-Score header?
+# action_delete_header("X-Spam-Score");
+ }
}
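
Review bot: `md_graphdefang_log('spam', $hits, $RelayAddr)` now sits above the `if ($hits >= $req)` test, so every scanned message is logged as a 'spam' event, ham included. Move it back inside the spam branch, or log a different event name in the `else` branch. With `action_delete_header("X-Spam-Score")` commented out and the header renamed, an X-Spam-Score header supplied by the sender is now passed through untouched as well; if anything downstream still keys on that name, keep the delete.
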
Software packages I've crunched locally for these packages:
Archive-Tar-1.28 Archive-Zip-1.16 Compress-Zlib-1.41
DBI-1.50 DB_File-1.814 Digest-HMAC-1.01
Digest-SHA1-2.11 File-Scan-1.43 Getopt-Long-2.35
HTML-Parser-3.50 IO-Socket-INET6-2.51 IO-Socket-SSL-0.97
IO-Zlib-1.04 IO-stringy-2.110 IP-Country-2.20
MIME-Base64-3.07 MIME-tools-5.419 Mail-SPF-Query-1.999
Mail-SpamAssassin-3.1.0 MailTools-1.73 Net-CIDR-Lite-0.20
Net-DNS-0.55 Net-IP-1.24 Net-Ident-1.20
Socket6-0.19 Sys-Hostname-Long-1.4 Test-Harness-2.56
Test-Simple-0.62 Time-HiRes-1.87 URI-1.35
Unix-Syslog-0.100 clamav-0.88 libwww-perl-5.805
mimedefang-2.56 perl-5.8.8 razor-agents-2.77
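
Added example, not part of the original post: a small Python helper that reads `spamassassin -D` output like the run quoted above and names the earliest Razor2 stage with no evidence, so a standalone run can be compared with whatever debug output the MIMEDefang-driven run produces. The stage names, function names and the `NO_QUERY` sample are assumptions made up for illustration.

```python
import re

# Debug lines copied from the standalone run quoted in the post.
STANDALONE = """\
[23448] dbg: config: read file /opt/mx/share/spamassassin/25_razor2.cf
[23448] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[23448] dbg: razor2: razor2 is available, version 2.77
[23448] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[23448] dbg: razor2: part=1 engine=4 contested=0 confidence=0
[23448] dbg: razor2: part=1 engine=8 contested=0 confidence=0
[23448] dbg: razor2: results: spam? 0
"""
# Constructed sample: a run that loads the plugin but never reaches Razor.
NO_QUERY = "\n".join(STANDALONE.splitlines()[:2])

LINE = re.compile(r"^\[\d+\] dbg: (\w+): (.*)$")
PART = re.compile(r"part=(\d+) engine=(\d+) contested=(\d+) confidence=(\d+)")
STAGES = ("rules_read", "plugin_loaded", "available", "queried", "verdict")

def razor2_stages(debug_text):
    """Map each Razor2 stage to the evidence found in the debug output."""
    seen = {"rules_read": None, "plugin_loaded": None, "available": None,
            "queried": [], "verdict": None}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # report lines, blank lines, anything that is not dbg
        channel, msg = m.groups()
        if channel == "config" and msg.endswith("25_razor2.cf"):
            seen["rules_read"] = msg.split()[-1]
        elif channel == "plugin" and msg.startswith("loading ") and "Plugin::Razor2" in msg:
            seen["plugin_loaded"] = True
        elif channel == "razor2":
            part = PART.search(msg)
            if msg.startswith("razor2 is available"):
                seen["available"] = msg.rsplit(" ", 1)[-1]   # version string
            elif part:
                seen["queried"].append(tuple(int(v) for v in part.groups()))
            elif msg.startswith("results: spam?"):
                seen["verdict"] = int(msg.rsplit(" ", 1)[-1])
    return seen

def first_missing_stage(debug_text):
    """Return the earliest stage with no evidence, or None if all are present."""
    seen = razor2_stages(debug_text)
    for stage in STAGES:
        if seen[stage] is None or seen[stage] == []:
            return stage
    return None
```
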