[Mimedefang] Re: Spam filtered twice
Yizhar Hurwitz
yizhar at mail.com
Tue Jan 30 15:57:48 EST 2007
Hi.
Some important information is still missing, so I will try to complete
the picture by reading between the lines.
Please correct me if I get anything wrong...
> I have a Linux box which is used as a web server and mail server. It
> is directly on the web and it serves roughly 60 different domains for
> web and mail.
So I guess that you probably:
have a webmail service for users to read and send mail.
let users get mail via pop3 and/or imap.
allow users to send outgoing mail (relay) from their clients, via your
smtp server, probably using SMTP AUTH.
Please confirm, am I right?
> I am using clamav 0.88.4, Spamassassin 3.1.4, Mimedefang 2.57 and
> sendmail 8.13.7. All on a slackware 2.4.32
Unrelated to the issue - I think you should try to keep up at least with
the latest clamav version.
> The mimedefang-filter is quite standard as far as setup, nothing
> really special.
> Local mail is delivered through the standard procmail setup, and the
> Spam is delivered to the spam box by one of the recipes. That works
So procmail is looking for the X-Spam-Score header to process the
incoming mail.
> fine. But for outgoing mail, procmail is not used, so I need a way to
> filter the outgoing mail and put it in a specific folder if it's
> declared as spam.
OK, let's see what we can do, or give you some tips and ideas:
* You should have a definition of what is considered by you as
unacceptable spam.
If one of your users sends a monthly newsletter to 200 customers, how do
you define whether it is spam or not?
This policy should be delivered to your users - they had better know
what is wrong and what is right,
or at least you can feel that you made a good effort to let them know...
* I would try to minimize end users' use of your smtp server for sending
outgoing mail.
It is best to instruct them to use their local ISP SMTP servers for that,
unless they have a reason not to, or unless they are using your webmail.
* Your users are assumed innocent by default, unless proven otherwise.
Which means - you can allow them to send whatever they send, and you can
decide that you only monitor that,
so that if MD finds an outgoing message with a spam score higher than,
let's say, 8, you will get a notification.
How to do that?
You can modify mimedefang-filter, so that if any mail comes from an SMTP
AUTH user, or from 127.0.0.1,
and gets a spam score higher than X, it will write something to the
logfile (using the md_graphdefang_log function),
and if you like you can use md_quarantine_entire_message in such a case
for diagnostics and further investigation.
You can parse the logs (/var/log/maillog) on a daily basis looking for the
information that MD is writing to them.
(And as mentioned above, you can configure MD to write whatever you
think to those logs).
You can scan the MD-Quarantine folder on a daily basis, if you have
decided to use that method.
* You can instruct MD to reject high scoring mail during SMTP session
(either incoming or outgoing mail),
this is one of the special things that you can do with MD because it
scans during the delivery (it is a milter).
This is done with:
action_bounce...
* You should read:
man mimedefang-filter
and also practice your perl skills.
Using MD without basic perl knowledge is like going to a fancy
restaurant and ordering bread and butter for $50.
(Well, I couldn't find a better example - other people are invited to
give their own)
* Mail sent from webmail can be easily identified, because the
$RelayAddr is probably 127.0.0.1 .
You can use that info in your filter if you wish.
Mail submitted via SMTP AUTH can also be identified using sendmail macros.
search the list archives and look on MD WIKI pages for more info about that.
Mail submitted via regular SMTP should be inbound only, so isn't related
to your question.
Please note that I'm trying to give you tips and ideas, not exact
instructions, so you can pick whatever suits your needs, and ignore the rest.
>
> I noticed that there is a procedure to dump the mail if it contains a
> virus. That seems to work for both incoming and outgoing mail. I need
> some
You should simply learn perl basics, with patience, and practice on
regular scripts (print "hello world", etc),
then when you feel confident enough you should start modifying
mimedefang-filter to fit your own custom needs.
Start here:
perldoc.perl.org
Then you will see that it is quite simple and powerful.
BTW, did you read -
The MIMEDefang HOWTO:
http://www.mickeyhill.com/mimedefang-howto/
Good luck
Yizhar Hurwitz
http://yizhar.mvps.org
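The following is an added example, not code from the post above or from the MIMEDefang project. It puts the tips from the reply together in one filter_end: mail is treated as "outbound" when it arrives from 127.0.0.1 (webmail) or from an SMTP AUTH session, is scored with SpamAssassin, logged with md_graphdefang_log and quarantined above one threshold, and rejected with action_bounce above a higher one. The thresholds (5 and 12), the log tag "outbound_spam" and the reply text are assumptions chosen for illustration. It also assumes sendmail passes the {auth_authen} macro to the milter (it is in sendmail's default confMILTER_MACROS_ENVFROM list), which is what populates $SendmailMacros{'auth_authen'}; the snippet is meant to be merged into the existing filter_end in mimedefang-filter, not to replace the standard one that adds the X-Spam-Score header for inbound mail.

```perl
# Added example (not from the original post or the MIMEDefang distribution):
# outbound-only spam policy for mail submitted by our own users.
# Globals ($RelayAddr, %SendmailMacros, %Features) and the md_* / action_*
# functions are the ones documented in "man mimedefang-filter".
sub filter_end {
    my ($entity) = @_;

    # Assumption: sendmail exports {auth_authen} to the milter, so this
    # is set (to the login name) only for SMTP AUTH sessions.
    my $auth_user = $SendmailMacros{'auth_authen'};
    my $authed    = defined($auth_user) && $auth_user ne '';

    # Webmail on the same box submits via the loopback address.
    my $from_webmail = ($RelayAddr eq '127.0.0.1');

    # Anything else is ordinary inbound SMTP; leave it to the normal
    # inbound handling (procmail + X-Spam-Score) and do nothing here.
    return unless ($authed || $from_webmail);

    # Thresholds are assumptions for illustration; set them from your policy.
    my $LOG_THRESHOLD    = 5;    # log + quarantine for later review
    my $BOUNCE_THRESHOLD = 12;   # reject during the SMTP session

    return unless $Features{"SpamAssassin"};

    # spam_assassin_check() returns the score, the required score,
    # the names of the rules that hit, and the full report.
    my ($hits, $req, $names, $report) = spam_assassin_check();

    my $who = $authed ? "auth=$auth_user" : "webmail";

    if ($hits >= $LOG_THRESHOLD) {
        # Writes an "outbound_spam" line to the MIMEDefang log (maillog),
        # which a daily log-parsing job can pick up.
        md_graphdefang_log('outbound_spam', $hits, $who);

        # Keep a full copy under the quarantine directory for investigation.
        md_quarantine_entire_message("Outbound spam score $hits from $who ($names)");
    }

    if ($hits >= $BOUNCE_THRESHOLD) {
        # Reject in-session so the sender (our own user) sees the failure,
        # instead of silently dropping or delivering the message.
        action_bounce("Message rejected as spam (score $hits)", "554", "5.7.1");
        return;
    }

    # Below the bounce threshold the message is delivered unchanged;
    # the log/quarantine records above are the "monitor only" part.
}
```

Note that md_graphdefang_log takes an event name and up to two values, so the score and the submitting identity both end up on the same log line for grep or a daily parsing script.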