[Mimedefang] Re: Spam filtered twice

Yizhar Hurwitz yizhar at mail.com
Tue Jan 30 15:57:48 EST 2007


Hi.

Some important information is still missing, so I will try to complete the picture by reading between the lines.
Please correct me if I get anything wrong...

 > I have a Linux box which is used as a web server and mail server. It 
 > is directly on the web and it serves roughly 60 different domains for 
 > web and mail.
So I guess that you probably:
* have webmail service for users to read+send mail.
* let users get mail via pop3 and/or imap.
* allow users to send outgoing mail (relay) from their clients, via your smtp server, probably using SMTP AUTH.
Please confirm, am I right?

 > I am using clamav 0.88.4, Spamassassin 3.1.4, Mimedefang 2.57 and 
 > sendmail 8.13.7. All on a slackware 2.4.32
Unrelated to the issue - I think you should try to keep up at least with the latest clamav version.

 > The mimedefang-filter is quite standard as far as setup, nothing 
 > really special.

 > Local mail is delivered through the standard procmail setup, and the 
 > Spam is delivered to the spam box by one of the recipes. That works 
So procmail is looking for the X-Spam-Score header to process the 
incoming mail.

 > fine. But for outgoing mail, procmail is not used, so I need a way to 
 > filter the outgoing mail and put it in a specific folder if it's 
 > declared as spam.
OK, let's see what we can do, or give you some tips and ideas:

* You should have a definition of what is considered by you as unacceptable spam.
If one of your users sends a monthly newsletter to 200 customers, how do you define if it is spam or not?
This policy should be delivered to your users - they had better know what is wrong and what is right,
or at least you can feel that you made a good effort to let them know...

* I would try to minimize end-users' use of your smtp server for sending outgoing mail.
It is best to instruct them to use their local ISP SMTP servers for that,
unless they have a reason not to, or unless they are using your webmail.

* Your users are assumed innocent by default, unless proven otherwise.
Which means - you can allow them to send whatever they send, and you can decide that you only monitor that,
so that if MD finds an outgoing message with a spam score higher than, let's say, 8, you will get a notification.
How to do that?
You can modify mimedefang-filter, so that if any mail comes from an SMTP AUTH user, or from 127.0.0.1,
and gets a spam score higher than X, it will write something to the logfile (using the md_graphdefang_log function),
and if you like you can use md_quarantine_entire_message in such a case for diagnostics and further investigation.

You can parse the logs (/var/log/maillog) on a daily basis, looking for the information that MD is writing to them.
(And as mentioned above, you can configure MD to write whatever you think to those logs).
You can scan the MD-Quarantine folder on a daily basis, if you have decided to use that method.

* You can instruct MD to reject high scoring mail during the SMTP session (either incoming or outgoing mail).
This is one of the special things that you can do with MD because it scans during the delivery (it is a milter).
This is done with:
action_bounce...

* You should read:
man mimedefang-filter

and also practice your perl skills.
Using MD without basic perl knowledge is like going to a fancy restaurant and ordering bread and butter for $50.
(Well, I couldn't find a better example - other people are invited to 
give their own)

* Mail sent from webmail can be easily identified, because the $RelayAddr is probably 127.0.0.1.
You can use that info in your filter if you wish.
Mail submitted via SMTP AUTH can also be identified using sendmail macros.
Search the list archives and look at the MD WIKI pages for more info about that.
Mail submitted via regular SMTP should be inbound only, so it isn't related to your question.

Please note that I'm trying to give you tips and ideas, not exact instructions,
so you can pick whatever suits your needs, and ignore the rest.


 >
 > I noticed that there is a procedure to dump the mail if it contains a 
 > virus. That seems to work for both incoming and outgoing mail. I need 
 > some
You should simply learn perl basics, with patience, and practice on regular scripts (print "hello world", etc),
then when you feel confident enough you should start modifying mimedefang-filter to fit your own custom needs.
Start here:
perldoc.perl.org

Then you will see that it is quite simple and powerful.

BTW, did you read -
The MIMEDefang HOWTO:
http://www.mickeyhill.com/mimedefang-howto/

Good luck

Yizhar Hurwitz
http://yizhar.mvps.org
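An added example of the monitor-only approach described in the post (identify outbound mail by $RelayAddr or the SMTP AUTH macro, log and quarantine above a threshold); this is illustration code, not from the original post or the MIMEDefang distribution. It assumes sendmail is configured to pass the {auth_authen} macro to the milter, that md_graphdefang_log_enable() has been called at the top of the filter as in the stock mimedefang-filter, and that 8 is the chosen threshold.

```perl
# Added example: a filter_end fragment for /etc/mail/mimedefang-filter.
# Assumptions: sendmail passes {auth_authen} to the milter via
# confMILTER_MACROS_ENVFROM, webmail submits from 127.0.0.1, and the
# stock filter's md_graphdefang_log_enable() call is in place.

use constant OUTBOUND_SPAM_THRESHOLD => 8;   # site policy, see above

# True for mail that came from our own users rather than from the
# Internet: webmail on localhost, or a client that used SMTP AUTH.
sub is_outbound_submission {
    return 1 if $RelayAddr eq '127.0.0.1';
    my $auth = $SendmailMacros{'auth_authen'};
    return 1 if defined($auth) && $auth ne '';
    return 0;
}

sub filter_end {
    my ($entity) = @_;

    # Nothing to do if an earlier callback already rejected the message.
    return if message_rejected();
    return unless $Features{"SpamAssassin"};

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $score = sprintf("%.1f", $hits);

    if (is_outbound_submission()) {
        # Monitor-only policy for our own users: log, keep a copy,
        # and still deliver the message.
        if ($hits >= OUTBOUND_SPAM_THRESHOLD) {
            md_graphdefang_log('outbound_spam', $score, $Sender);
            md_quarantine_entire_message(
                "Outbound mail from $Sender scored $score ($names)");
            # Stricter alternative: reject during the SMTP session.
            # action_bounce("Message looks like spam (score $score)");
        }
        return;
    }

    # Inbound mail: add the header procmail keys on, as before.
    action_change_header('X-Spam-Score', "$score ($req) $names");
    if ($hits >= $req) {
        action_change_header('X-Spam-Status', 'Yes');
    }
}
```

Quarantined copies land under the MIMEDefang quarantine directory and the log line is written to maillog, so both can be reviewed by the daily cron job the post suggests.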