uk.comp.os.linux
[Top] [All Lists]

Re: Spam / Procmail filter help

Subject: Re: Spam / Procmail filter help
From: Nigel Wade
Date: Mon, 16 Jul 2007 14:34:56 +0100
Newsgroups: uk.comp.os.linux

Justin C wrote:

> I'm getting spam which is defeating SpamAssassin, I think it's because
> *@[ourdomain].com is whitelisted in /etc/local.cf. The problem
> messages appear to come from me, the From and Reply-To addresses are:
> 
> Brandy Lugo <justin@[ourdomain].com>
> 
> the email address is mine, the user name is not.
> 
> I'm reluctant to remove '*@[ourdomain].com' from the local spamassassin
> file, I don't want spamassassin wasting it's time scanning local
> originating messages, but I would like to catch messages like the above.
> As Exim hasn't managed to reject it, and spamassassin sees it as
> whitelisted, I can only think of procmail to catch these. I've only used
> procmail to sort legitimate mail, or send spam (already identified by
> sa-exim) to /dev/null. I don't have a clue where to start with this one.
> 
> Thank you for any help you can give.
> 
>       Justin.
> 

Don't base your whitelisting on the easily forged envelope sender, or FromL
header, domain. Instead set your rules in Exim to scan incoming (i.e. SMTP)
messages from external IPs, and don't scan messages originating from your LAN.

The method I use is in the DATA ACL. If the originating IP is part of the
hostlist which is allowed to relay messages then I don't scan for SPAM:

  # don't spam filter locally generated messages
  accept
        hosts = +relay_from_hosts

Any other IP and the message is scanned, and if it scores over 15 it's rejected
outright:

  # Reject spam messages with score > SPAM_REJECT_SCORE/10
  # (spam_score_int is the score * 10).
  deny
        message = Message rejected. Classified as spam (score $spam_score)
        spam = nobody
        condition = ${if and { \
                        { <{$message_size}{SPAM_MAX_CHECK}} \
                        { >{$spam_score_int}{SPAM_REJECT_SCORE}} \
                        } {1}{0} \
                    }

A score of less than 15 is accepted for delivery. If the user doesn't have their
own SA settings then it will be delivered into their Inbox if the score is less
than 5.5, otherwise it is stored in the Spam folder so the recipient can check
for false positives. 

If the recipient has a .spamassassin/user_prefs then the messages is scanned
again, this time with the recipients preferences. If it scores more than their
limit the message is stored in their Spam folder, otherwise it is added to
their Inbox. Rejection at this time isn't possible, the data ACL has already
accepted the message and moved on. The only possible action would be to
generate a bounce message, but that's not sensible with spam as the sender is
almost certainly forged.

-- 
Nigel Wade

<Prev in Thread] Current Thread [Next in Thread>