Re: popsneaker vs. bandwidth consumption [was:Re: Virus emails]

[Jochen Voss <voss@seehuhn.de>]

Hello,

On Sat, Sep 20, 2003 at 03:41:36PM +0200, Paul Seelig wrote:
> ---------------- snip ---------------------
> Package: popsneaker
> Status: install ok installed
> Priority: optional
> Section: mail
> Installed-Size: 159
> Maintainer: Stefan Baehre <deb@ixtools.de>
> Version: 0.6.2-1
> Depends: libc6 (>= 2.3.2-1), libgcc1 (>= 1:3.3.1-1), libstdc++5 (>= 1:3.3.1-1), libtcp4u3, logrotate
> Recommends: fetchmail | popclient
> Conffiles:
>  /etc/popsneakerrc 40cc5a1635d4bc41678d3dccc7f21e73
>  /etc/logrotate.d/popsneaker af45e2150e4dc61758c7b605de491e3d
> Description: Flexible spam filter for POP3 email accounts.
>  popsneaker is a flexible email filter. It can delete spam mails without
>  downloading them to the local host.
> ---------------- snip ---------------------

I found the appended patch useful.  It implements a new
"minsize N" rule, which lets all mails smaller than N
bytes pass.  So you can receive your usual (smaller than
the virus) mails without risk of loosing them, and filter
the large mails quite radically.

Note the the patch is only very little teste, but it
workes for me.

With the patch I can use the following home-grown ruleset:

    # accept all mails up to 10000 bytes
    minsize 10000

    # some white-listing here

    deny "^From: .*msn\.com"
    deny "^From: .*msdn\.com"
    deny "^From: (MS |Microsoft)"

    deny "^Subject: (Abort|failure|error) (Advice|Announcement|Letter|Message|Notice|Report)$"
    deny -case "^SUBJECT: $"
    deny "^Subject: (current|last|new|newest) .* (update|upgrade|pack)$"

    minsize 50000
    # for large mails filter even more

    deny "^Subject: (current|last|new|newest) .* patch$"
    deny "^Subject: internet .* (update|upgrade|pack|patch)$"
    deny "^Subject: I (choose|chose) life"

    minsize 100000
    # for huge mails filter even much more

    deny "^Subject: $"
    deny "^Subject: (Advice|Announcement|Letter|Message|Notice|Report)$"
    deny "^Subject: (undelivered|undeliverable|returned) (mail|message)"
    deny "^Subject: (message|mail)( |: )(returned to sender|returned to mailer|user unknown)"
    deny "^Subject: bug (Advice|Announcement|Letter|Message|Notice|Report)$"

I hope this helps,
Jochen

diff -ur popsneaker-0.6.2.orig/popsneaker/parser.cpp popsneaker-0.6.2/popsneaker/parser.cpp
--- popsneaker-0.6.2.orig/popsneaker/parser.cpp	2002-10-22 18:37:36.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/parser.cpp	2003-09-23 03:04:50.000000000 +0200
@@ -48,6 +48,7 @@
       case t_scoreeval:   scoreeval();   break;
       case t_score:       score();       break;
       case t_maxsize:     maxsize();	   break;
+      case t_minsize:     minsize();	   break;
       case t_dupcheck:    dupcheck();    break;
       case t_semicolon:
       case t_nl:          eoc();         break;
@@ -351,6 +352,28 @@
 	eoc();
 }
 
+void Parser::minsize(void){
+	Rule* rule = new Rule;
+	chkptr(rule);
+
+	scanner.nextToken();
+
+	while(scanner.getToken() == t_dash) {
+		roption(rule);
+	}
+
+	if(scanner.getToken() == t_numeric) {
+		rule->set_minsize(scanner.getNumeric());
+	} else {
+		parse_error("size expected");
+	}
+
+	rp.add(rule);
+
+	scanner.nextToken();
+	eoc();
+}
+
 void Parser::dupcheck(void){
 	int mode = DUP_MODE_STRICT;
 
diff -ur popsneaker-0.6.2.orig/popsneaker/parser.h popsneaker-0.6.2/popsneaker/parser.h
--- popsneaker-0.6.2.orig/popsneaker/parser.h	2002-10-22 18:37:36.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/parser.h	2003-09-23 02:38:18.000000000 +0200
@@ -67,6 +67,7 @@
   void     scorereset(void);
   void     soption(Rule*);
   void     maxsize(void);
+  void     minsize(void);
   void     eoc(void);
   void     dupcheck(void);
   int      doption(void);
diff -ur popsneaker-0.6.2.orig/popsneaker/rule.cpp popsneaker-0.6.2/popsneaker/rule.cpp
--- popsneaker-0.6.2.orig/popsneaker/rule.cpp	2002-10-22 18:38:31.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/rule.cpp	2003-09-23 02:40:30.000000000 +0200
@@ -46,6 +46,13 @@
 }
 
 
+/** Setup a minsize rule */
+void Rule::set_minsize(unsigned long size){
+	type = RT_MINSIZE;
+	minsize = size;
+}
+
+
 /** Setup an accept rule */
 void Rule::set_accept(const char* expr){
 	type = RT_ACCEPT;
@@ -133,6 +140,10 @@
     action = applyMaxsize(header);
     break;
 
+  case RT_MINSIZE:
+    action = applyMinsize(header);
+    break;
+
   case RT_SCORE:
     action = applyScore(header);
     break;
@@ -245,6 +256,20 @@
 }
 
 
+/** Apply the minsize rule on a mailheader */
+mailaction Rule::applyMinsize(MailHeader* header){
+  if(header->size <= minsize) {
+    char buffer[64];
+    sprintf(buffer, "mail (%10.2fKB) is smaller than %10.2fKB", \
+	    header->size / 1024.0, minsize / 1024.0);
+    header->reason = buffer;
+    return MA_KEEP;
+  } else {
+    return MA_NONE;
+  }
+}
+
+
 /** Apply the regular expression on a mailheader */
 bool Rule::applyRE(MailHeader* header){
   header->reset();
diff -ur popsneaker-0.6.2.orig/popsneaker/rule.h popsneaker-0.6.2/popsneaker/rule.h
--- popsneaker-0.6.2.orig/popsneaker/rule.h	2002-10-22 18:37:36.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/rule.h	2003-09-23 02:42:39.000000000 +0200
@@ -27,7 +27,7 @@
 #include "log.h"
 
 /** The supported types of rules */
-enum ruletype {RT_NONE, RT_ACCEPT, RT_ASSUME, RT_DENY, RT_MAXSIZE, RT_SCORE, RT_SCOREEVAL, RT_SCORERESET};
+enum ruletype {RT_NONE, RT_ACCEPT, RT_ASSUME, RT_DENY, RT_MAXSIZE, RT_MINSIZE, RT_SCORE, RT_SCOREEVAL, RT_SCORERESET};
 enum cmptype {CT_LT, CT_LE, CT_GT, CT_GE};
 
 /**This class represents a single filter rule
@@ -42,6 +42,9 @@
   /** Setup a maxsize rule */
   void set_maxsize(unsigned long);
 
+  /** Setup a minsize rule */
+  void set_minsize(unsigned long);
+
   /** Setup an accept rule */
   void set_accept(const char*);
 
@@ -94,6 +97,9 @@
   /** Apply the maxsize rule on a mailheader */
   mailaction applyMaxsize(MailHeader*);
 
+  /** Apply the minsize rule on a mailheader */
+  mailaction applyMinsize(MailHeader*);
+
   /** Apply the regular expression on a mailheader */
 	bool applyRE(MailHeader*);
 
@@ -112,6 +118,7 @@
 private:
   bool          silent;       // Delete mail in silence.
   unsigned long maxsize;			// A maximum size for the mail.
+  unsigned long minsize;      // always keep mails smaller than this
   mailaction    score_action; // Action when score evaluation succeeds.
 public:
   long          score_value;  // The value for a score rule.
diff -ur popsneaker-0.6.2.orig/popsneaker/scanner.cpp popsneaker-0.6.2/popsneaker/scanner.cpp
--- popsneaker-0.6.2.orig/popsneaker/scanner.cpp	2002-10-22 18:32:36.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/scanner.cpp	2003-09-23 02:36:28.000000000 +0200
@@ -35,6 +35,7 @@
   { "assume",       t_assume      },
   { "deny",         t_deny        },
   { "maxsize",      t_maxsize     },
+  { "minsize",      t_minsize     },
   { "dupcheck",     t_dupcheck    },
   { "score",        t_score       },
   { "score_eval",   t_scoreeval   },
diff -ur popsneaker-0.6.2.orig/popsneaker/scanner.h popsneaker-0.6.2/popsneaker/scanner.h
--- popsneaker-0.6.2.orig/popsneaker/scanner.h	2002-10-22 18:32:36.000000000 +0200
+++ popsneaker-0.6.2/popsneaker/scanner.h	2003-09-23 02:36:52.000000000 +0200
@@ -53,7 +53,7 @@
 
   // Rule type keywords:
   t_accept,           t_assume,           t_deny,
-  t_maxsize,          t_dupcheck,
+  t_maxsize,          t_minsize,          t_dupcheck,
   t_score,            t_scoreeval,        t_scorereset,
 
   // Rule options:

Attachment: signature.asc
Description: Digital signature