Re: [Exim] Fighting fake spam headers

Author: Ben Giddings
Date:
To: exim-users
Subject: Re: [Exim] Fighting fake spam headers
On Jun 13, 2004, at 18:20, Lee W wrote:
> Is not the general idea to only scan messages that come from external
> servers so that any mail that originates from the localhost (and
> possibly local network) is not scanned.


That's the general idea, yeah.

> I thought that spamassassin worked by reinjecting a new message into
> the MTA which in most cases is running on the same server as
> spamassassin in which case could you not modify your routers to only
> send external messages through the spamassassin transport. In this way
> any external message would go through spamassassin regardless of if the
> faked headers are present or not.


That's what I thought I was doing. I wanted to send the message to
SpamAssassin if it hadn't yet seen it. Once the message had been
scanned, it was reinjected into the queue, and delivered to the user.

Isn't that what this should do?

# SpamAssassin
spamcheck_router:
  no_verify
  check_local_user
  # When to scan a message :
  # - it isn't already flagged as spam
  # - it isn't already scanned
  condition = "${if and { {!def:h_X-Spam-Status:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
  driver = accept
  transport = spamcheck

When SpamAssassin puts the message back into the queue, it is supposed
to set the received protocol to 'spam-scanned', so the condition isn't
met, and the message isn't re-scanned.

> Here is also something that I got out of the README for spamassassin:-
>
> "Users of SpamAssassin versions earlier than 2.50 should note that the
> default tagging behavior has changed. If an incoming message is tagged
> as spam, instead of modifying the original message, SpamAssassin will
> create a new report message and attach the original message as a
> message/rfc822 MIME part (ensuring the original message is completely
> preserved and easier to recover). If you do not want to modify the body
> of incoming spam, use the "report_safe" option."


Right, if the message is thought to be spam, a new message is created
and the original is attached to it. If the message isn't spam, a few
headers are added, giving the spam score, etc:

X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
    colossus.infofiend.com
X-Spam-Level:
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham
    version=2.63



Since every message that I have scanned, whether or not it is thought
to be spam, should have a header of the form

X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
    colossus.infofiend.com


I hoped that this check would spot my hostname in that header, and know
that it had scanned the message:

condition = "${if and { {!match {${escape:$h_X-Spam-Checker-Version:}} {'colossus.infofiend.com'}} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"

But for some reason, this didn't work at all. Apparently that match
never triggered, but not only that, the 'received-protocol' apparently
never matched "spam-scanned".

This seems like it should have worked, and I don't understand what I
did wrong.

Ben
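
Added example, not part of Ben's message and not Exim code: a Python model of the intent of the two router conditions quoted above, next to a protocol-only variant along the lines Lee W suggests. It shows which scan decisions depend on headers the sender writes and which depend only on the received protocol. The function names, the protocol-only variant and the sample messages are assumptions constructed for this illustration.

```python
# Added illustration: models the intent of the router conditions quoted in the
# post. It is not Exim and not the poster's configuration.
from email import message_from_string

SCANNER_HOST = "colossus.infofiend.com"  # hostname taken from the post
SCANNED = "spam-scanned"                 # protocol value named in the post

def scan_if_no_status(msg, proto):
    # First condition: skip scanning when X-Spam-Status is already present.
    return "X-Spam-Status" not in msg and proto != SCANNED

def scan_if_not_our_checker(msg, proto):
    # Second condition: skip when X-Spam-Checker-Version names our host.
    checker = " ".join(msg.get_all("X-Spam-Checker-Version", []))
    return SCANNER_HOST not in checker and proto != SCANNED

def scan_if_protocol_only(msg, proto):
    # Assumed variant: trust only the protocol the MTA recorded on receipt.
    return proto != SCANNED

POLICIES = {"status": scan_if_no_status,
            "checker": scan_if_not_our_checker,
            "protocol": scan_if_protocol_only}

# Constructed sample messages (not real traffic).
CHECKER_HDR = ("X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on\n"
               "    " + SCANNER_HOST + "\n")
STATUS_HDR = "X-Spam-Status: No, hits=-4.9 required=5.0\n"
CASES = {
    "clean_external": ("Subject: hello\n\nbody\n", "esmtp"),
    "forged_status": (STATUS_HDR + "Subject: offer\n\nbody\n", "esmtp"),
    "forged_checker": (CHECKER_HDR + "Subject: offer\n\nbody\n", "smtp"),
    "reinjected": (CHECKER_HDR + STATUS_HDR + "Subject: hello\n\nbody\n", SCANNED),
}

def evaluate():
    """Return {case: {policy: would_scan}} for every constructed case."""
    results = {}
    for name, (raw, proto) in CASES.items():
        msg = message_from_string(raw)
        results[name] = {p: fn(msg, proto) for p, fn in POLICIES.items()}
    return results

if __name__ == "__main__":
    for name, row in evaluate().items():
        cells = "  ".join(f"{p}={'scan' if v else 'skip'}" for p, v in row.items())
        print(f"{name:15} {cells}")
```

In this model only the protocol-only variant scans every externally received message, because the received protocol is recorded by the receiving MTA rather than supplied in the message headers.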