[Mimedefang] razor2 problems

John Kennedy jk+defang at csuchico.edu
Thu Mar 2 18:50:42 EST 2006


  I see this get posted to the list periodically, but I've tried all
the solutions I've seen and think I've correctly implemented them.

  I've got mimedefang-2.56 driving Mail-SpamAssassin-3.1.0, clamav-0.88,
razor-agents-2.77.  It is running on a RHEL Linux box, but that probably
doesn't matter too much since I've recompiled perl (-5.8.8) and added in
all the associated modules, rather than use the aged version RedHat ships.

  In short:
	I've added $SALocalTestsOnly = 0
	I know both sa-mimedefang.cf and mimedefang-filter are being used
	Standalone tests from "defang" user show razor checks
	I see no evidence of razor checks added to headers/reports
	I don't see the .log file in ~defang/.razor getting updated (by MD)

  When I check it out by hand, I see results:

    [/opt/mx/bin/spamassassin -t -D < /tmp/sample.msg 2>&1 | grep -i razor]
	[23448] dbg: config: read file /opt/mx/share/spamassassin/25_razor2.cf
	[23448] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
	[23448] dbg: razor2: razor2 is available, version 2.77
	[23448] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c)
	[23448] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c))
	[23448] dbg: razor2: part=0 engine=4 contested=0 confidence=0
	[23448] dbg: razor2: part=1 engine=4 contested=0 confidence=0
	[23448] dbg: razor2: part=1 engine=8 contested=0 confidence=0
	[23448] dbg: razor2: results: spam? 0
	[23448] dbg: razor2: results: engine 8, highest cf score: 0
	[23448] dbg: razor2: results: engine 4, highest cf score: 0
	[23448] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0xa38c44c))
		RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05,
		RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05,

  I can see the entries in .log getting updated by the done-by-hand tests:

    [defang at mail3 mx]$ more ~/.razor/razor-agent.log 
	Feb 24 10:10:15.653080 admin[30969]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
	Feb 24 10:10:15.653743 admin[30969]: [ 2]  Razor-Agents v2.77 starting razor-admin --create
	Mar 02 15:28:20.936598 check[23412]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
	Mar 02 15:28:22.005833 check[23412]: [ 3] mail 1 is not known spam.
	Mar 02 15:38:45.605939 check[23448]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
	Mar 02 15:38:45.845542 check[23448]: [ 3] mail 1 is not known spam.


  Configuration details, for those that have read this far.


  I tracked down init.pre and made sure I had it set up:

	--- Mail-SpamAssassin-3.1.0/rules/init.pre	2005-08-11 17:38:50.000000000 -0700
	+++ /etc/opt/mail/spamassassin/init.pre	2006-03-02 14:46:50.000000000 -0800
	@@ -5,5 +5,6 @@
	 #
	-# This file contains plugin activation commands for plugins included
	-# in SpamAssassin 3.0.x releases.  It will not be installed if you
	-# already have a file in place called "init.pre".
	+# This file will be loaded before *all other* configuration files, including
	+# the system configuration.  As such, it's a good place to set things that
	+# will affect how those files are parsed, like which plugins are loaded
	+# etc.
	 #
	@@ -29 +30,2 @@
	 
	+loadplugin Mail::SpamAssassin::Plugin::Razor2
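
Review bot: The `loadplugin Mail::SpamAssassin::Plugin::Razor2` line added in the last hunk lands in /etc/opt/mail/spamassassin/init.pre, and nothing in these lines shows that the SpamAssassin instance run from the filter reads that directory. Confirm the plugin load from the filter side, for example in a report produced through MIMEDefang, rather than from the command-line run alone.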

  The spamassassin .cf file is pretty stock, perhaps with extra bits in
it as I've tried to enable things with or without success:

	--- src/mimedefang-2.56/SpamAssassin/spamassassin.cf	2003-05-28 13:55:44.000000000 -0700
	+++ /etc/mail/sa-mimedefang.cf	2006-03-02 14:46:50.000000000 -0800
	@@ -56,2 +56,3 @@
	 # report_header 1
	+report_header 1
	 
	@@ -73,3 +74,3 @@
	 
	-skip_rbl_checks 1
	+skip_rbl_checks 0
	 
	@@ -81 +82,22 @@
	 
	+#
	+#  Local mods
	+#
	+clear_report_template
	+report ...
	+
	+# Enable the Bayes system
	+use_bayes		1
	+bayes_auto_learn	1
	+
	+# Enable or disable network checks
	+use_razor2		1
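
Review bot: `use_razor2 1` at the end of this hunk is not accompanied by a `razor_config` line, so Razor is left to locate its own configuration, which depends on the home directory and environment of the process running the check. Since the by-hand tests run as the defang user with ~defang/.razor, consider setting `razor_config` to an explicit path so the filter and the command line use the same files. The hunk header announces 22 added lines but fewer are shown, so the rest of the local mods cannot be reviewed.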

  I know it is using this .cf because of the report difference, at the
very least.

  Idle note, I can't guarantee that bayes is working at this point
in time.  Turned it on not too long ago, or tried to, probably doesn't
have enough ham samples yet.


  The mimedefang-filter has had a bit more customization done to it.  There are cosmetic
textual changes.  Important thing being that the "$SALocalTestsOnly = 0;" is in there
(and I know that kicks in because I see the blackhole checks in the spam reports).

	--- src/mimedefang-2.56/examples/suggested-minimum-filter-for-windows-clients	2006-02-08 14:01:24.000000000 -0800
	+++ /etc/mail/mimedefang-filter	2006-03-02 14:46:50.000000000 -0800
	@@ -1,2 +1,4 @@
	-# -*- Perl -*-
	+#
	+#  $Id: mimedefang-filter,v 1.6 2006/03/01 19:32:39 warlock Exp $
	+#
	 #***********************************************************************
	@@ -13,3 +15,3 @@
	 #
	-# $Id: suggested-minimum-filter-for-windows-clients,v 1.87 2006/02/08 22:01:24 dfs Exp $
	+# $Id: mimedefang-filter,v 1.6 2006/03/01 19:32:39 warlock Exp $
	 #***********************************************************************
	@@ -21,4 +23,4 @@
	 #***********************************************************************
	-$AdminAddress = 'postmaster at localhost';
	-$AdminName = "MIMEDefang Administrator's Full Name";
	+$AdminAddress = 'postmaster+mimedefang at csuchico.edu';
	+$AdminName = "MIMEDefang";
	 
	@@ -30,3 +32,3 @@
	 #***********************************************************************
	-$DaemonAddress = 'mimedefang at localhost';
	+$DaemonAddress = 'postmaster+mimedefang at csuchico.edu';
	 
	@@ -64,2 +66,6 @@
	 
	+$GeneralWarning = "NOTIFICATION OF ATTACHMENT REMOVAL\n\n ... \n\n";
	+
	+$SALocalTestsOnly = 0;
	+
	 #***********************************************************************
	@@ -82,2 +88,3 @@
	     $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
	+    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|xyzzy|\{[^\}]+\})';
	 
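
Review bot: The added `$bad_exts` line is a second assignment placed directly after the original one rather than a replacement, so the first assignment is dead code and the two lists can drift apart. Replace the original line, or add `xyzzy` to it, so there is a single definition.
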
	@@ -122,2 +129,4 @@
	 
	+    if (0)
	+    {
	     # Copy original message into work directory as an "mbox" file for
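
Review bot: The `if (0)` wrapper added here disables the whole-message virus scan while leaving its code in place, and its closing brace only arrives in the hunk at -145. Delete the block, or add a comment saying the scan moved to the `entity_contains_virus($entity)` check added further down, so the dead code is not mistaken for an active control.
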
	@@ -137,2 +146,3 @@
	 	md_graphdefang_log('virus', $VirusName, $RelayAddr);
	+
	 	md_syslog('warning', "Discarding because of virus $VirusName");
	@@ -145,2 +155,3 @@
	     }
	+    }
	 }
	@@ -182,5 +193,25 @@
	 
	+    # Virus scan
	+    my ($code, $category, $action) = entity_contains_virus($entity);
	+    # If you are more paranoid, change to: if ($action eq "quarantine") {
	+    if ($category eq "virus")
	+	{
	+#	$FoundVirus = 1;
	+	md_graphdefang_log('virus', $VirusName, $RelayAddr);
	+	action_add_header("X-csuc-VirusScan", "Infected ($VirusName)");
	+	return action_drop_with_warning("Attachment removed:  $fname ($VirusName)");
	+
	+	#action_add_header("X-Virus-Scan", "Found and deleted $VirusName");
	+	# Discard the entire message.
	+	return action_discard();
	+	}
	+    elsif ($action eq "tempfail")
	+	{
	+	action_tempfail("Problem running virus-scanner");
	+	md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
	+	}
	+
	     if (filter_bad_filename($entity)) {
	         md_graphdefang_log('bad_filename', $fname, $type);
	-	return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
	+	return action_drop_with_warning("Attachment removed:  $fname (attachment type blocked)");
	     }
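
Review bot: In the added virus branch, `return action_discard();` can never run because `return action_drop_with_warning(...)` returns two lines earlier, and the `tempfail` branch has no `return`, so processing continues into `filter_bad_filename`. Decide whether an infected part is dropped or the whole message discarded and delete the other path; consider a `return` after `action_tempfail(...)`. `$fname` and `$VirusName` are used here but not set in the visible lines.
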
	@@ -291,7 +322,7 @@
	 	    my($score);
	-	    if ($hits < 40) {
	-		$score = "*" x int($hits);
	-	    } else {
	-		$score = "*" x 40;
	-	    }
	+	    if ($hits < 40)
	+	    	{ $score = "S" x int($hits); }
	+	    else
	+	    	{ $score = "S" x 40; }
	+
	 	    # We add a header which looks like this:
	@@ -302,14 +333,19 @@
	 	    # minimum number of asterisks...
	-	    if ($hits >= $req) {
	-		action_change_header("X-Spam-Score", "$hits ($score) $names");
	-                md_graphdefang_log('spam', $hits, $RelayAddr);
	 
	+	    action_change_header("X-csuc-MIMEDefang-SpamScore", "$hits ($score) $names");
	+	    md_graphdefang_log('spam', $hits, $RelayAddr);
	+
	+	    if ($hits >= $req)
	+	        {
	+		action_change_header("X-csuc-SpamCheck", "spam");
	 		# If you find the SA report useful, add it, I guess...
	 		action_add_part($entity, "text/plain", "-suggest",
	-		                "$report\n",
	-				"SpamAssassinReport.txt", "inline");
	-	    } else {
	-		# Delete any existing X-Spam-Score header?
	-		action_delete_header("X-Spam-Score");
	-	    }
	+			"$report\n", "SpamAssassinReport.txt", "inline");
	+		}
	+	    else
	+		{
	+		action_change_header("X-csuc-SpamCheck", "ham");
	+#		# Delete any existing X-Spam-Score header?
	+#		action_delete_header("X-Spam-Score");
	+		}
	 	}
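
Review bot: `md_graphdefang_log('spam', $hits, $RelayAddr)` has moved out of the `$hits >= $req` test and now runs for every scanned message, so mail below the threshold is logged under the 'spam' event as well. Move it back inside the `if ($hits >= $req)` block, or log a different event name in the ham branch. The context comment about a "minimum number of asterisks" is also stale now that the score string is built from `S`.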

  Software packages I've crunched locally for these packages:

Archive-Tar-1.28	Archive-Zip-1.16	Compress-Zlib-1.41
DBI-1.50		DB_File-1.814		Digest-HMAC-1.01
Digest-SHA1-2.11	File-Scan-1.43		Getopt-Long-2.35
HTML-Parser-3.50	IO-Socket-INET6-2.51	IO-Socket-SSL-0.97
IO-Zlib-1.04		IO-stringy-2.110	IP-Country-2.20
MIME-Base64-3.07	MIME-tools-5.419	Mail-SPF-Query-1.999
Mail-SpamAssassin-3.1.0	MailTools-1.73		Net-CIDR-Lite-0.20
Net-DNS-0.55		Net-IP-1.24		Net-Ident-1.20
Socket6-0.19		Sys-Hostname-Long-1.4	Test-Harness-2.56
Test-Simple-0.62	Time-HiRes-1.87		URI-1.35
Unix-Syslog-0.100	clamav-0.88		libwww-perl-5.805
mimedefang-2.56		perl-5.8.8		razor-agents-2.77
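
Added example, not part of the original post: the two pieces of evidence quoted above share process IDs, so the PIDs in the `spamassassin -D` output can be cross-referenced with the `check[...]` entries in razor-agent.log to see whether any process other than the by-hand runs ever reached Razor. The function names and the one line marked CONSTRUCTED are assumptions for illustration; the other sample lines are copied from the post.

```python
import re

# Quoted in the post: by-hand `spamassassin -t -D` output (two of the lines).
SA_DEBUG = """\
[23448] dbg: razor2: razor2 is available, version 2.77
[23448] dbg: razor2: results: spam? 0
"""
# Quoted in the post: ~defang/.razor/razor-agent.log.
RAZOR_LOG = """\
Feb 24 10:10:15.653743 admin[30969]: [ 2]  Razor-Agents v2.77 starting razor-admin --create
Mar 02 15:28:20.936598 check[23412]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
Mar 02 15:28:22.005833 check[23412]: [ 3] mail 1 is not known spam.
Mar 02 15:38:45.605939 check[23448]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/home/defang/.razor/razor-agent.log
Mar 02 15:38:45.845542 check[23448]: [ 3] mail 1 is not known spam.
"""
# CONSTRUCTED line (not from the post): a check logged by some other process.
CONSTRUCTED = "Mar 02 16:02:11.120004 check[31007]: [ 3] mail 1 is not known spam.\n"

SA_PID = re.compile(r"^\[(\d+)\] dbg: razor2:")
LOG_LINE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\w+)\[(\d+)\]: \[\s*\d+\]\s+(.*)$")


def manual_pids(sa_debug):
    """PIDs of by-hand runs whose debug output shows the razor2 plugin ran."""
    return {int(m.group(1)) for m in map(SA_PID.match, sa_debug.splitlines()) if m}


def razor_checks(razor_log):
    """(timestamp, pid, message) for each 'check' verdict line, skipping bootup lines."""
    out = []
    for m in map(LOG_LINE.match, razor_log.splitlines()):
        if m and m.group(2) == "check" and not m.group(4).startswith("[bootup]"):
            out.append((m.group(1), int(m.group(3)), m.group(4)))
    return out


def split_checks(sa_debug, razor_log, extra_manual=()):
    """Separate checks made by the by-hand runs from checks made by any other process."""
    manual = manual_pids(sa_debug) | set(extra_manual)
    checks = razor_checks(razor_log)
    return ([c for c in checks if c[1] in manual],
            [c for c in checks if c[1] not in manual])


if __name__ == "__main__":
    # 23412 is the earlier by-hand run; the post does not show its debug output.
    by_hand, other = split_checks(SA_DEBUG, RAZOR_LOG, extra_manual={23412})
    print(len(by_hand), "by-hand checks;", len(other), "from other processes")
    print(split_checks(SA_DEBUG, RAZOR_LOG + CONSTRUCTED, extra_manual={23412})[1])
```

An empty second list for the log as quoted matches the symptom described: every Razor check on record came from a command-line run.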


