Rejecting SPAM With Spamassassin

hci

I am running SpamAssassin and I would like to reject all high scoring SPAM of 10+ at SMTP time. That way I do not have to store it locally in the users' SPAM folder and if it's a false positive the sender will see a notice.

Has anyone done this?

One example I found is this:

http://www.timj.co.uk/uploads/Exim-SpamAndVirusScanning.pdf

deny message = This message scored $spam_score spam points.
     spam = exim:true
     condition = ${if >{$spam_score_int}{100}}

I just do not know how to make that work in DirectAdmin's exim config.
 
You'll need to run each message through SpamAssassin in the data acl. In the SpamBlocker exim.conf file, version 4, we call that acl acl_check_message, and by default it includes commented out code for checking against ClamAV.

Additional information may be found here (exim.org).

I don't implement it by default because it takes a long time to scan every message at SMTP time, and because during that time some MTAs waiting on your scan will time-out and retry the entire message again, later, over and over again.

So I've always felt that SpamAssassin is best done afterwards. However, we've done SMTP-time scanning for Viruses for some time, so it may be time to revisit this.

However it will require a lot of thought, a lot of work, and a lot of testing, as SpamAssassin is already implemented in the DirectAdmin control panel based on running it after the email is accepted.

So I'm not going to do it anytime soon (in fact I'm not going to do it until all other perceived issues with SpamBlocker exim.conf file, version 4, are resolved).

Perhaps it's time to open a thread on open issues on SpamBlocker Version 4 and see what, if anything, still should be done with it.

Jeff
 
Hello,

I've written this proof-of-concept guide for enabling SpamAssassin at smtp time.
It's barely tested and is considered an alpha release. I did it more to see if it's possible, and it is, but didn't work on it much past that, so I can say it will likely have issues.

http://help.directadmin.com/item.php?id=362

The default options will block high scoring spam at 7.0 (70), but you can bump it up to 10.0 (100)
Code:
condition = ${if >{$spam_score_int}{70}{true}{false}}
The reason why this needed a proof of concept is because DA uses per-User spam scanning with per-User options (scores, actions, etc.). The smtp-time scanning makes this very difficult for a few reasons, but the main reason is that an email can have multiple recipients, each with different domains. There is only one "DATA" section (the content of the email). We need to know which User spam preferences to use (user_prefs). This is tricky because the check_message acl isn't given any information about who the message is going to, thus the hoop jumping begins with the custom exim variables. I've worked it so that the check_recipient acl will loop a list of Users together as each one is checked, then the check_message acl takes this list, gives it to perl to chew on, then comes back and sets a 2nd custom variable with the "best" user to use (this decision making code needs to be finished, but isn't as important for the proof-of-concept). From there we know which User to run spamd as, and can also go back to perl to grab the spam threshold to flag if a message is spam or not from the per-User specific user_prefs file.

The main "todo" bit is just in the "get_spam_user" function, but that only ever applies in the case that there are multiple recipients, each on a different domain owned by a different DA User. This is likely rare, but needs to be handled. At the moment, it will use the last DA User that is a recipient... which may not even have SA enabled, so the change would be to make it pick the most strict user_prefs file (or perhaps with some other conditions).

John
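
The "pick the most strict user_prefs" selection described in the post above, as an added example that is not part of the original post and is not DirectAdmin's code. `pick_strictest_user`, the colon-separated user list, and the rule that a user without a user_prefs has SpamAssassin disabled are assumptions made for illustration; the sample preferences are constructed.

```perl
use strict;
use warnings;

# Constructed sample data: user => contents of that user's user_prefs.
# Assumption: a user with no entry does not have SpamAssassin enabled.
my %SAMPLE_PREFS = (
    alice => "# constructed sample\nrequired_score 7.5\nreport_safe 0\n",
    bob   => "required_hits 4\nrewrite_header Subject *****SPAM*****\n",
    carol => "report_safe 1\n",    # no threshold set: default applies
);

# Return the spam threshold from user_prefs text. Later lines override
# earlier ones; required_hits is the pre-3.0 name for required_score.
sub threshold_from_prefs {
    my ($text) = @_;
    my $score = 5.0;               # SpamAssassin's default required_score
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        if ($line =~ /^\s*required_(?:score|hits)\s+(-?\d+(?:\.\d+)?)\s*$/) {
            $score = $1;
        }
    }
    return $score + 0;
}

# Hypothetical stand-in for the unfinished decision in get_spam_user: among
# the recipients' users that have a user_prefs, pick the lowest (strictest)
# threshold; the first user wins a tie. Returns (user, threshold x 10) so the
# number is on the same scale as $spam_score_int, or an empty list when no
# recipient has SpamAssassin enabled.
sub pick_strictest_user {
    my ($user_list, $prefs) = @_;
    my ($best_user, $best_score);
    for my $user (grep { length($_) } split /:/, $user_list) {
        next unless exists $prefs->{$user};
        my $score = threshold_from_prefs($prefs->{$user});
        if (!defined $best_score || $score < $best_score) {
            ($best_user, $best_score) = ($user, $score);
        }
    }
    return () unless defined $best_user;
    return ($best_user, sprintf('%.0f', $best_score * 10));
}

# "dave" has no user_prefs in the sample and is skipped.
my ($user, $limit) = pick_strictest_user('alice:dave:bob:carol', \%SAMPLE_PREFS);
print "scan as $user, flag above $limit\n";
```

Choosing the lowest threshold means every recipient of a multi-recipient message is judged by the strictest recipient's setting, which is the trade-off the post leaves open with "or perhaps with some other conditions".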
 
Should the scan speed be related to the server power or the line connection?
How much time should each scan take?

Do you think it should be a "nice" feature? Because I should implement it with SpamBlocker4 for a test.

Regards
 
Warning: using acl_m0 is discouraged because we use it for implementing ClamAv; see this code in Version 4:
Code:
#EDIT#28:
  # warn domains = +skip_av_domains
  # set acl_m0 = $tod_epoch
or, if you've implemented ClamAv, you'll likely have those two lines without the comment mark at the beginning.

While this example is as in Version 4, it's similar in previous versions where we've included ClamAV code.

Instead use something like acl_m1, as long as you haven't used it in your own code. Note this needs to be changed everywhere used for SpamAssassin.

Jeff
 
We have set up SpamAssassin to quarantine messages to users' spam folder if they score over 5, will this still work with that?
 
Not the way it's written, because it's set to reject messages that SpamAssassin thinks are spam. If the messages are rejected they're never accepted by your server, so your server can't do anything with them.

If you're going to want to accept messages even if they're spammy, there's no reason I can think of to spend the time running the email through SpamAssassin before accepting it; just use the default installation of SpamAssassin.

Jeff
 
>>If you're going to want to accept messages even if they're spammy, there's no reason I can think of
>>to spend the time running the email through SpamAssassin before accepting it; just use the default
>>installation of SpamAssassin.

I would like to reject any messages that score over 10 by spamassassin and quarantine (spam folder) any messages that score over 5 as we do currently. Gives users less crud to sort through in their spam folder.
 
I think you can do that now:

First, under Where do you want the spam to go? select the desired end location.

Then under What score threshold do you wish to use? select the score for email to be sorted as above.

Then under Would you like to delete high scoring spam? select Yes.

Doesn't this do what you want?

Jeff
 
Not really. I want to reject at SMTP time when it scores over say 10 and send to spam folder when it scores over 5. That way if there is a false positive at 10+ the sender will be notified the message was not delivered rather than the message just being deleted. It's rare to have a false positive at 10+ but it does happen. I do not want to bounce after delivery because the return address on spam is frequently incorrect.

Likely asking for too much.
 
And how do you intend to do that since at SMTP time SpamAssassin hasn't run yet?

SpamAssassin is a perl script and takes a while to run. Do you really want to accept the email, run it through SpamAssassin, and then if you don't like it, tell the sending mailserver you're rejecting it, and otherwise that you're accepting it?

Generally you don't do anything with the body at SMTP time, because ACLs are generally run before you allow the server to send the body.

You can probably rewrite exim.conf to do this, but I don't know anyone who does it this way.

And since if you do it this way you're still taking all the time and resources to read and process the email, what benefit is there?

Jeff
 
I just don't want to waste resources storing and backing up messages that scored over 10 by spamassassin. I would rather they are rejected at SMTP time like I have clamav set up to do. I know a setup like this would not be easy and might waste resources scanning twice but I am sure it's possible. But like you say it might not be worth the effort. I have greylisting running and along with that IPs that are on multiple blacklists I reject at SMTP time. Then anything that scores over 5 is sent to spam folder.

Here is an implementation I found though.
http://marc.merlins.org/linux/exim/sa.html
 
>>I just don't want to waste resources storing and backing up messages that scored over 10 by spamassassin. I would rather they are rejected at SMTP time like I have clamav set up to do.

That makes sense. I've done some more searching and the problem is that a lot of senders, including most spam senders, will consider an email accepted if it gets through the body stage, and won't even accept a reject by that time, so the mail won't be returned anyway. And it definitely increases server load and can slow down email receipt, since it keeps an exim process open far longer. So SpamAssassin generally is set up to throw away emails that score over 10 and save emails that score over 5. Same load on SpamAssassin, less on exim.

>>I know a setup like this would not be easy and might waste resources scanning twice but I am sure it's possible.

I'm sure it's possible, too, but I'm not sure most of us would want to keep exim processes open that long. And either way, you don't waste resources storing or backing up emails scoring over ten if you set them to automatically delete.

>>But like you say it might not be worth the effort.

The coding seems easy enough, though I'm not sure if you need sa-exim or can just do it in exim.conf (I think you can, though I've never tried it). If it requires sa-exim, then it would need to be done with support from DirectAdmin or you'd lose the ability to update exim with CustomBuild.

>>I have greylisting running

Is DirectAdmin's exim installation now supporting that by itself? If not, then can you point us to the changes you're using? I'm going to reconsider doing it that way in the next version of my SpamBlocker exim.conf file, but I fear it would still need to be an option as there are probably lots of servers still using DirectAdmin which wouldn't want the added resource load.

>>and along with that IPs that are on multiple blacklists I reject at SMTP time.

That's not in the default distributed by DirectAdmin, or in my distribution either. Would you consider sharing your code so we can consider adding it to the next official exim.conf release?

>>Then anything that scores over 5 is sent to spam folder.

That's the default.

>>Here is an implementation I found though.
>>http://marc.merlins.org/linux/exim/sa.html

As I wrote above, this appears to use patches to exim. Or am I wrong? Have I read it too quickly or misunderstood something?

I wonder if anyone else is interested in this particular implementation; so far the discussion has been just you and I.

Jeff
 
I used this grey list implementation.

https://github.com/Exim/exim/wiki/DbLessGreyListingRun

Some have stated they believe it uses too many inodes etc. I have had it in place for a few years and it works great. I have customized quite a bit to fit my application. As far as inodes, we automatically remove messages from spam folders after 2 weeks by default. The SPAM folders contain 5 times as many files as the grey listing directory. This grey list implementation is simple and effective.
 