
Re: real time content filtering - is there hope?



[ cc-ed back to debian-isp because others may find it useful ]

On Thu, Jun 01, 2006 at 10:05:34AM +1200, Bruce Parkinson wrote:
> >IMO, it is better to accept the mail into the queue, scan it with
> >amavis/clamav/spamassassin/etc and either Tag+Deliver or Discard
> >detected spams/viruses (*do not* bounce as the sender address is most
> >likely forged).

i also Hold (in the postfix queue) messages with a score between 5 & 10.  i
examine held messages with my qvmenu.pl[1] queue browser and decide whether to
unhold them or delete them.  OK to do on a little home server like mine,
but not if you have thousands of email accounts or if there are privacy
considerations.

i also use any held spams to refine my anti-spam rules. ditto for the
amavis quarantine.

[1] http://taz.net.au/postfix/scripts/

> I'm about to roll out a new Postfix and I'm hoping to do something
> _very_ similar to this - would you mind pointing me in the right
> direction to RTFM or share a config or two?  The bit I've not been
> able to get in the past is Tag+Deliver or Discard based on score, and
> have had to choose between one or the other.

the trick is to have a separate header_checks file which is used for the
re-injection smtpd (i.e. the one on port 10025) which has the discard
rule for high SA scores.

you also need to be reasonably good at constructing regular expressions.

e.g. something like this:

in master.cf:

...
127.0.0.1:10025 inet n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o header_checks=pcre:/etc/postfix/header_checks.tiny
    -o body_checks=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
...

and header_checks.tiny looks like this:

---header_checks.tiny---
# discard nigerian and lottery scams
# i.e. some SA codes that you really don't want to see...
/^X-Spam-Status:.*(NA_DOLLARS|NIGERIAN_BODY|US_DOLLARS|MILLION_USD|URG_BIZ|RISK_FREE|SUBJ_ILLEGAL_CHARS|BAYES_99)/   DISCARD

# discard most image spams
/^X-Spam-Status:.*HTML_IMAGE_ONLY_(?:0[48]|12)/		DISCARD

# discard scores >=10.0, hold if score >= 5.0 & <10
#/^X-Spam-Status: Yes, (?:hits|score)=([1-9][0-9][0-9.]*|1[0-9][0-9][0-9.]+)/   DISCARD  SpamAssassin Score far too high ($1)
/^X-Spam-Status: Yes, (?:hits|score)=([5-9]\.\d+)/   HOLD  SpamAssassin Score too high ($1)

# discard viruses
/^X-Amavis-Alert: INFECTED/	DISCARD
---header_checks.tiny---


you could have these rules in your main header checks file, but that's just a
waste of CPU cycles - the message has already passed through your main header
checks file, so there's no point in applying all those rules again...so have a
tiny one with just the post-amavis rules.


hope that helps.


craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
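To see what those pcre rules actually do before putting them on the re-injection smtpd, here is an added example (not from Craig's post or from Postfix itself) that replays the header_checks.tiny table over constructed X-Spam-Status headers with Postfix's first-match semantics and the pcre: table defaults (case-insensitive, dot matches newline). The score >= 10.0 DISCARD rule that is commented out in the table above is enabled here so it can be exercised; Python's re module is assumed to behave like PCRE for these particular patterns, which use no PCRE-only syntax.

```python
import re

# The header_checks.tiny rules in Postfix order (first match wins). The
# score >= 10.0 DISCARD line that is commented out in the original table is
# enabled here so the harness can exercise it.
HEADER_CHECKS_TINY = [
    (r"^X-Spam-Status:.*(NA_DOLLARS|NIGERIAN_BODY|US_DOLLARS|MILLION_USD|URG_BIZ|RISK_FREE|SUBJ_ILLEGAL_CHARS|BAYES_99)", "DISCARD"),
    (r"^X-Spam-Status:.*HTML_IMAGE_ONLY_(?:0[48]|12)", "DISCARD"),
    (r"^X-Spam-Status: Yes, (?:hits|score)=([1-9][0-9][0-9.]*|1[0-9][0-9][0-9.]+)", "DISCARD"),
    (r"^X-Spam-Status: Yes, (?:hits|score)=([5-9]\.\d+)", "HOLD"),
    (r"^X-Amavis-Alert: INFECTED", "DISCARD"),
]

# Postfix pcre: tables default to the 'i' flag (case-insensitive) and the
# 's' flag (dot matches newline), and header_checks sees each logical header
# with its folded continuation lines attached, so compile the same way.
COMPILED = [(re.compile(p, re.IGNORECASE | re.DOTALL), a) for p, a in HEADER_CHECKS_TINY]


def check_header(logical_header, rules=COMPILED):
    """Return the action of the first rule matching this logical header,
    or None when nothing matches (Postfix then leaves the message alone)."""
    for pattern, action in rules:
        if pattern.search(logical_header):
            return action
    return None


def classify(headers, rules=COMPILED):
    """Run check_header over a list of logical headers."""
    return [check_header(h, rules) for h in headers]


# Constructed sample headers (not real mail); the folded ones carry the
# SpamAssassin test list on a tab-indented continuation line.
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=7.3 required=5.0 tests=HTML_MESSAGE,\n\tMISSING_SUBJECT autolearn=no",
    "X-Spam-Status: Yes, score=12.1 required=5.0 tests=BAYES_80,URIBL_BLACK",
    "X-Spam-Status: Yes, score=6.2 required=5.0 tests=HTML_MESSAGE,\n\tBAYES_99 autolearn=no",
    "X-Spam-Status: No, score=1.5 required=5.0 tests=HTML_IMAGE_ONLY_08",
    "X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00",
    "X-Amavis-Alert: INFECTED, message contains virus: Eicar-Test-Signature",
    "Subject: meeting notes",
]

if __name__ == "__main__":
    for header, action in zip(SAMPLE_HEADERS, classify(SAMPLE_HEADERS)):
        print(f"{action or 'OK':8} {header.splitlines()[0]}")
```

The folded BAYES_99 sample is only caught because dot matches newline, and the HTML_IMAGE_ONLY sample shows that rule discarding a message SpamAssassin marked "No", since it never looks at the Yes/No verdict. Against the live table, `postmap -q - pcre:/etc/postfix/header_checks.tiny` with a header on stdin performs the same lookup.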
