[Mimedefang] How to configure?

Tilman Schmidt t.schmidt at phoenixsoftware.de
Thu Nov 5 03:43:53 EST 2009



On 2009-11-04 22:26, TLD MimeDefang wrote:
>    Something like:
> 
> if($hits >= 5.0) {
>    #  make a log entry
>    md_syslog('notice', "$hits ($score) $names");
>    #  reject the message
>    action_bounce('SPAM markers found');
>    #  and return true
>    action_discard();
> }

What's that combination (action_bounce + action_discard) for?
I just have
	return action_bounce("Rejected: SpamAssassin score too high ($hits)");
there and haven't noticed any ill effects.

>    Though, I wouldn't recommend rejecting messages on 5.0. Maybe 9
> or 10 would be a better number.  I'd just quarantine anything over
> 5, because chances are, you'll find quite a few false positives on
> 5.

Indeed. In my experience, even 10 is too low for rejecting.
What I do is add a spam header at 5 and reject at 15.

>    Mime defang is set up to automatically use anti-virus programs
> that are supported by it.  For example, I use clamav, and the
> defang filter already handles it with the filter_begin function.

Specifically, look for the code section starting with:

	# Scan for viruses if any virus-scanners are installed
	my($code, $category, $action) = message_contains_virus();

> Nothing to do there except keep the clam databases updated.

You can change your "level of paranoia" (quote from the default
mimedefang-filter) to reject only actual viruses, or "suspicious objects"
too. You may also want to replace the standard
	return action_discard();
by
	return action_bounce("Rejected: message contains $VirusName");
in order to reject infected mails during the SMTP dialog with a reason
instead of silently discarding them. That appears much more friendly in
the case of a false positive or accidentally infected attachment, while
changing nothing for self-mailing worms which don't handle bounces anyway.

>> 2 bypass SA or whitelist if the sender was authenticated via smtp_auth.
> 
>    Generally, it's a good idea to maintain the filter even on
> known authenticated senders.  Supposing an authenticated user
> accidentally emails out an attachment that is infected with
> a virus?  You'd sure want the system to catch it.
> 
>    Just set your Spamassassin to give whitelisted names a negative
> score, and let the system do its job.  I give whitelisted people
> a -10 here and that's been fully sufficient to keep their emails
> flowing smoothly and without problem.

How do you access the smtp_auth identity from inside SpamAssassin?
Or what are you using as the name for the whitelisting?

--
Tilman Schmidt
Head of Engineering
------------------------------------------------------------------------
Phoenix Software GmbH                               Tel. +49 228 97199 0
Adolf-Hombitzer-Str. 12                            Fax  +49 228 97199 99
53227 Bonn, Germany                               www.phoenixsoftware.de
Managing Director: W. Grießl              District Court Bonn HRB 2934
------------------------------------------------------------------------
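The policy discussed in this message (add a spam header at 5, reject at 15, and bounce infected mail with a reason instead of discarding it), written out as an added example that is not part of the original post and is not the stock mimedefang-filter. It is meant to be placed in mimedefang-filter and relies on MIMEDefang's own filter functions; the variable names, the `spam_disposition` helper, the header name and the reply texts are assumptions.

```perl
# Added example for mimedefang-filter; not the stock filter, not the poster's code.
# Assumed names: $SPAM_TAG_AT, $SPAM_REJECT_AT, spam_disposition, X-Spam-Score.
my $SPAM_TAG_AT    = 5;     # add a header from this score up
my $SPAM_REJECT_AT = 15;    # reject during the SMTP dialog from this score up

# Pure decision function, so the thresholds can be checked without a mail flow.
sub spam_disposition {
    my ($hits) = @_;
    return 'reject' if $hits >= $SPAM_REJECT_AT;
    return 'tag'    if $hits >= $SPAM_TAG_AT;
    return 'pass';
}

sub filter_begin {
    my ($entity) = @_;
    # Scan for viruses if any virus-scanners are installed
    my ($code, $category, $action) = message_contains_virus();
    if ($category eq 'virus') {
        md_syslog('warning', "Rejecting because of virus $VirusName");
        # Reject with a reason instead of discarding silently, so the sender
        # of a false positive learns that the mail was not delivered.
        return action_bounce("Rejected: message contains $VirusName");
    }
    if ($action eq 'tempfail') {
        # Scanner failure: ask the sending server to retry later.
        md_syslog('warning', "Problem running virus scanner: code=$code");
        return action_tempfail('Problem running virus-scanner');
    }
}

sub filter_end {
    my ($entity) = @_;
    return if message_rejected();             # already bounced or tempfailed
    return unless $Features{"SpamAssassin"};  # SpamAssassin not available
    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;              # scan failed: deliver unmodified
    my $what = spam_disposition($hits);
    if ($what eq 'reject') {
        md_syslog('notice', "spam rejected: $hits $names");
        return action_bounce("Rejected: SpamAssassin score too high ($hits)");
    }
    # Between the two thresholds the mail is delivered, but marked.
    action_change_header('X-Spam-Score', "$hits $names") if $what eq 'tag';
}

1;
```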


