Configuring Spamassassin and amavisd-new
I have SLES 9 running our email using the default postfix LDAP setup and have amavis, clamd and Spamassassin configured (using the Yast Defaults mostly). Also we are using Cyrus as our POP/IMAP agent.
All seems to be well - as the admin I receive email notifications when SPAM or VIRUS emails are detected.
What I would like to do now is start getting Spam Assassin to take a more active role. I have read the README in /usr/share/doc/packages/perl-spamassassin. It directed me to look for a ~/.spamassassin directory - but none of our users have this directory setup by default. Should I just create it?
I would like to either:
1) Have Spamassassin put a score in the email headers that the users email agent can use for filtering.
or
2) Have Spamassassin not deliver the high scoring emails.
Is this possible? Can it be configured through Yast? There appears to be ample Spamassassin instructions, but much of it talks about procmail and client side filtering on Linux. As we are using Cyrus IMAP/POP I do not believe we are using procmail. Most of our users are POP users running Windows and Outlook.
thank you - Richard
Note: In case one did not notice, as the volume is low on suse-sles-e I am also posting to suse-linux-e - I hope this is OK.
Wed, 30 Mar 2005, by rnmixon@qwest.net:
> I have SLES 9 running our email using the default postfix LDAP setup and have amavis, clamd and Spamassassin configured (using the Yast Defaults mostly). Also we are using Cyrus as our POP/IMAP agent.
> All seems to be well - as the admin I receive email notifications when SPAM or VIRUS emails are detected.
> What I would like to do now is start getting Spam Assassin to take a more active role. I have read the README in /usr/share/doc/packages/perl-spamassassin. It directed me to look for a ~/.spamassassin directory - but none of our users have this directory setup by default. Should I just create it?
The easiest way would be to let Postfix use amavisd-new as a content-filter, as explained in the amavisd-new Postfix.readme file. Amavisd-new then calls SA and virus-checkers if you have those installed.
> I would like to either: 1) Have Spamassassin put a score in the email headers that the users email agent can use for filtering.
That's default. I wouldn't know why that doesn't "work" with you if you have SA configured as you say.
> or 2) Have Spamassassin not deliver the high scoring emails.
That's up to the MDA/MUA.
> Is this possible? Can it be configured through Yast? There appears to be ample Spamassassin instructions, but much of it talks about procmail and client side filtering on Linux. As we are using Cyrus IMAP/POP I do not believe we are using procmail. Most of our users are POP users running Windows and Outlook.
I'm not sure about YaSt being able to do this, but certainly in an xterm or ssh session you can do this easily too.
> Note: In case one did not notice, as the volume is low on suse-sles-e I am also posting to suse-linux-e - I hope this is OK.
Ok by me.
Theo
-- 
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131
SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl
Kernel 2.6.8 + See headers for PGP/GPG info.
Richard Mixon (qwest) wrote:
> I have SLES 9 running our email using the default postfix LDAP setup and have amavis, clamd and Spamassassin configured (using the Yast Defaults mostly). Also we are using Cyrus as our POP/IMAP agent.
> All seems to be well - as the admin I receive email notifications when SPAM or VIRUS emails are detected.
> What I would like to do now is start getting Spam Assassin to take a more active role. I have read the README in /usr/share/doc/packages/perl-spamassassin. It directed me to look for a ~/.spamassassin directory - but none of our users have this directory setup by default. Should I just create it?
Such a directory would only be needed if you plan to enable individual per-user rules.
> I would like to either: 1) Have Spamassassin put a score in the email headers that the users email agent can use for filtering.
That is the default. There are three headers you can use for filtering:
X-Spam-Status: Yes, hits=20.929 tagged_above=0.5 required=3.5 tests=BAYES_99, DNS_FROM_RFC_POST, DRUGS_PAIN, DRUGS_PAIN_OBFU, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, MIME_BASE64_TEXT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, RCVD_IN_SORBS_WEB, URIBL_OB_SURBL, URIBL_SC_SURBL
X-Spam-Level: ********************
X-Spam-Flag: YES
If you have Clients that can query these headers you can use the
$sa_spam_subject_tag = '[suspect SPAM] ';
in /etc/amavisd.conf
> or 2) Have Spamassassin not deliver the high scoring emails.
/etc/amavisd.conf:
# The following symbolic constants can be used in *destiny settings:
#
# D_PASS     mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be
#            notified. Effectively we lose mail (but will be quarantined
#            unless disabled). Losing mail is not decent for a mailer,
#            but might be desired.
#
# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery
#            notification (bounce) will be sent to the sender by amavisd-new;
#            Exception: bounce (DSN) will not be sent if a virus name matches
#            $viruses_that_fake_sender_re, or to messages from mailing lists
#            (Precedence: bulk|list|junk);
#
# D_REJECT   mail will not be delivered to its recipients, sender should
#            preferably get a reject, e.g. SMTP permanent reject response
#            (e.g. with milter), or non-delivery notification from MTA
#            (e.g. Postfix). If this is not possible (e.g. different recipients
#            have different tolerances to bad mail contents and not using LMTP)
#            amavisd-new sends a bounce by itself (same as D_BOUNCE).
#
# Notes:
#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
#            for informing the sender about non-delivery, and how informative
#            the notification can be (amavisd-new knows more than MTA);
#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
#            notification, colloquially called 'bounce') - depending on MTA;
#            Best suited for sendmail milter, especially for spam.
#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
#            reason for mail non-delivery, but unable to reject the original
#            SMTP session). Best suited to reporting viruses, and for Postfix
#            and other dual-MTA setups, which can't reject original client SMTP
#            session, as the mail has already been enqueued.
$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
Just set according to your need.
> Is this possible? Can it be configured through Yast? There appears to be ample Spamassassin instructions, but much of it talks about procmail and client side filtering on Linux. As we are using Cyrus IMAP/POP I do not
Yes, it is possible. procmail would be serverside filtering.
Sandy
Sandy Drobic wrote:
> Richard Mixon (qwest) wrote:
<SNIP>
>> I would like to either: 1) Have Spamassassin put a score in the email headers that the users email agent can use for filtering.
> That is the default. There are three headers you can use for filtering:
> X-Spam-Status: Yes, hits=20.929 tagged_above=0.5 required=3.5 tests=BAYES_99, DNS_FROM_RFC_POST, DRUGS_PAIN, DRUGS_PAIN_OBFU, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, MIME_BASE64_TEXT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, RCVD_IN_SORBS_WEB, URIBL_OB_SURBL, URIBL_SC_SURBL
> X-Spam-Level: ********************
> X-Spam-Flag: YES
> If you have Clients that can query these headers you can use the $sa_spam_subject_tag = '[suspect SPAM] ';
> in /etc/amavisd.conf
Sandy - thank you for the response.
I would think that I should be seeing one of the above headers - as my detected SPAM messages are being directed to my admin email address as SPAM. But there is no "X-Spam..." header.
For example, next are the headers from some SPAM I recently received, followed by the notification I received and further below is a snip from my /etc/amavisd.conf:
**** SPAM example headers:****
Return-Path: <armstrong@myeinfomail.net>
Received: from gofish.FromLtoJSoftware.com ([unix socket])
  by gofish (Cyrus v2.2.3) with LMTP; Wed, 30 Mar 2005 17:29:45 -0700
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
  by gofish.FromLtoJSoftware.com (Postfix) with ESMTP id EF471174D
  for <rnmixon@gofish.FromLtoJSoftware.com>; Wed, 30 Mar 2005 17:29:44 -0700 (MST)
Received: from gofish.FromLtoJSoftware.com ([127.0.0.1])
  by localhost (gofish [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08941-08
  for <rnmixon@gofish.FromLtoJSoftware.com>; Wed, 30 Mar 2005 17:29:44 -0700 (MST)
Received: from myeinfomail.net (myeinfomail.net [209.203.195.35])
  by gofish.FromLtoJSoftware.com (Postfix) with ESMTP id CD25711B6
  for <rnmixon@acme.com>; Wed, 30 Mar 2005 17:29:43 -0700 (MST)
From: "Armstrong Flag Company" <armstrong@myeinfomail.net>
Subject: Great Flags with Complimentary Shipping
To: rnmixon@acme.com
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="us-ascii"
MIME-Version: 1.0
Reply-To: armstrong@myeinfomail.net
Date: Wed, 30 Mar 2005 18:26:16 -0600
Message-Id: <20050331002943.CD25711B6@gofish.FromLtoJSoftware.com>
X-Virus-Scanned: by amavisd-new at acme.com
****SPAM example notification to admin:****
-----Original Message-----
From: rnmixon@acme.com [mailto:admin1@acme.com]
Sent: Wednesday, March 30, 2005 5:30 PM
To: rnmixon@acme.com
Subject: SPAM FROM <armstrong@myeinfomail.net>
Unsolicited bulk email from: armstrong@myeinfomail.net
Subject: Great Flags with Complimentary Shipping
According to the 'Received:' trace, the message originated at:
  myeinfomail.net (myeinfomail.net [209.203.195.35])
The message WILL BE delivered to:
<rnmixon@gofish.FromLtoJSoftware.com>
Not quarantined.
SpamAssassin report:
Spam detection software, running on the system "gofish.FromLtoJSoftware.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see the administrator of that system for details.
Content preview: This is a multi-part message in MIME format URI:http://www.infoweb-email.com/080E001C1F1B0A1D1C3214001D1F1E061D185 C111D1F0E46414340470E43420E400E4041444B4B40420E08.aspx ARMSTRONG FLAG COMPANY March Special: Free Shipping [...]
Content analysis details: (12.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
 0.6 LARGE_HEX              BODY: Contains a large block of hexadecimal code
 0.4 ORDER_NOW              BODY: Encourages you to waste no time in ordering
 1.5 HTML_IMAGE_ONLY_06     BODY: HTML: images with 400-600 bytes of words
 0.2 HTML_FONT_FACE_ODD     BODY: HTML font face is not a commonly used face
 0.0 HTML_80_90             BODY: Message is 80% to 90% HTML
 0.2 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_IMAGE_RATIO_12    BODY: HTML has a low ratio of text to image area
 0.3 HTML_FONT_BIG          BODY: HTML has a big font
 0.6 HTML_TABLE_THICK_BORD  BODY: HTML table has thick border
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
 3.7 MSGID_FROM_MTA_SHORT   Message-Id was added by a relay
 0.9 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
 1.1 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <armstrong@myeinfomail.net>
Received: from myeinfomail.net (myeinfomail.net [209.203.195.35])
  by gofish.FromLtoJSoftware.com (Postfix) with ESMTP id CD25711B6
  for <rnmixon@acme.com>; Wed, 30 Mar 2005 17:29:43 -0700 (MST)
From: "Armstrong Flag Company" <armstrong@myeinfomail.net>
Subject: Great Flags with Complimentary Shipping
To: rnmixon@acme.com
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="us-ascii"
MIME-Version: 1.0
Reply-To: armstrong@myeinfomail.net
Date: Wed, 30 Mar 2005 18:26:16 -0600
Message-Id: <20050331002943.CD25711B6@gofish.FromLtoJSoftware.com>
-------------------------- END HEADERS ------------------------------
Below is the amavisd.conf I am using. Any ideas on what I'm doing wrong.
Thanks again - Richard
****Snipped from /etc/amavisd.conf ****
# SpamAssassin settings
# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, SA tests are restricted to local tests only, i.e. no tests
# that require internet access will be performed.
#
$sa_local_tests_only = 1; # (default: false)
#$sa_auto_whitelist = 1; # turn on AWL (default: false)
$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
                  # (default is 30 seconds, undef disables it)
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
                  # (less than 1% of spam is > 64k)
                  # default: undef, no limitations
# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                  # at or above that level: bounce/reject/drop,
                  # quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
                  # effectively turning D_BOUNCE into D_DISCARD;
                  # undef disables this feature and is a default;
#
# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
# may also be hashrefs to hash lookup tables, to make static per-recipient
# settings possible without having to resort to SQL or LDAP lookups.
# a quick reference:
#   tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
#   tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
#   kill_level controls 'evasive actions' (reject, quarantine, extensions);
# it only makes sense to maintain the relationship:
#   tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level
# string to prepend to Subject header field when message exceeds tag2 level
#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
                  # (only seen when spam is not to be rejected
                  # and recipient is in local_domains*)
#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
# Example: modify Subject for all local recipients except user@example.com
#$sa_spam_modifies_subj = [qw( !user@example.com . )];
Richard Mixon (qwest) wrote:
I would check if you really are seeing all headers. Outlook does have a message source view, at least Outlook Express has that feature.
> ****Snipped from /etc/amavisd.conf ****
> # SpamAssassin settings
> # $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
> # of the option local_tests_only. See Mail::SpamAssassin man page.
> # If set to 1, SA tests are restricted to local tests only, i.e. no tests
> # that require internet access will be performed.
> #
> $sa_local_tests_only = 1; # (default: false)
I would recommend to comment this out, spamassassin will then query several online databases to compare the message hash to known spam. It does enhance the detection rate.
> $sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
> # (less than 1% of spam is > 64k)
> # default: undef, no limitations
I think I set the limit to 256 kBytes. Though it doesn't do much harm to leave it as it is.
> # default values, can be overridden by more specific lookups, e.g. SQL
> $sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 5.0;
> $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
if you set $sa_tag_level_deflt = -20 practically every mail will have the spam score header, so you can also see the score for normal mails.
> #$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
> # (only seen when spam is not to be
That one defines the subject tag. Enable it if you want to filter for subject phrases.
> #$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
This is what you need to enable if you want the subject of the message to include a subject tag.
Sandy
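As an added example that is not part of the thread: a Python check of a delivered message against the level rules in the amavisd.conf quick reference quoted above (tag_level adds X-Spam-Status and X-Spam-Level, tag2_level adds X-Spam-Flag). The function names and both sample messages are constructed for illustration, it models only the level thresholds, and accepting `score=` next to the `hits=` shown in the thread is an assumption.

```python
import re
from email import message_from_string

# Constructed samples (placeholder host): one tagged, one carrying only X-Virus-Scanned.
TAGGED = """\
X-Virus-Scanned: by amavisd-new at example.org
X-Spam-Status: Yes, hits=20.929 tagged_above=0.5 required=3.5 tests=BAYES_99,
 DNS_FROM_RFC_POST, MIME_BASE64_TEXT
X-Spam-Level: ********************
X-Spam-Flag: YES
"""
UNTAGGED = """\
X-Virus-Scanned: by amavisd-new at example.org
Subject: constructed sample
"""

def expected_headers(score, tag, tag2):
    """Headers the amavisd.conf quick reference ties to each level."""
    names = []
    if score >= tag:    # tag_level: X-Spam-Status and X-Spam-Level
        names += ["X-Spam-Status", "X-Spam-Level"]
    if score >= tag2:   # tag2_level: 'X-Spam-Flag: YES' (and Subject editing)
        names.append("X-Spam-Flag")
    return names

def levels_consistent(tag, tag2, kill, dsn_cutoff):
    """tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level"""
    return tag <= tag2 <= kill < dsn_cutoff

def parse_spam_status(raw):
    """Parse X-Spam-Status from a raw message; None if absent or unparseable."""
    value = message_from_string(raw).get("X-Spam-Status")
    if value is None:
        return None
    value = " ".join(value.split())  # unfold continuation lines
    # 'score=' is accepted as an assumption; the thread only shows 'hits='
    m = re.match(r"(Yes|No), (?:hits|score)=(-?[\d.]+).*?required=(-?[\d.]+)", value)
    if not m:
        return None
    tests = re.search(r"tests=(.*)$", value)
    names = [t.strip() for t in tests.group(1).split(",") if t.strip()] if tests else []
    return {"spam": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": names}

def missing_headers(raw, score, tag, tag2):
    """Expected X-Spam-* headers that the delivered message does not carry."""
    msg = message_from_string(raw)
    return [h for h in expected_headers(score, tag, tag2) if msg.get(h) is None]
```

With the values from the thread (12.5 points, tag level 3.0, tag2 level 5.0), `missing_headers` on a message that carries only X-Virus-Scanned returns all three X-Spam-* names.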