Re: [exim] Spam Detection

Author: Graeme Fowler
Date:
To: exim-users
Subject: Re: [exim] Spam Detection
Hi

Please keep replies on-list.

On Thu, 2008-02-21 at 23:31 +0000, Steve Dobson wrote:
> > I have to ask: standard *how*?
>
> Exim is the MTA with SpamAssassin doing the checking (via spamc) and the
> following transport:
> spamassassin_delivery:
>   driver                = pipe
>   command               = /usr/sbin/exim4 -oMr spam-scanned -bS
>   use_bsmtp
>   transport_filter      = /usr/bin/spamc


Ah - that too is an "old-fashioned" way of handling spam, since it means
you have to deal with it once it's tagged. How you do so is up to you,
whether dropping in the bitbucket, putting in a folder, or leaving the
choice to your users.

> What do you mean by "realtime rejection"? I don't want to reject spams
> so return them the "sender" as this is probably a second target and
> unlikely to be the spammer. IMHO spam should be destroyed at the first
> opportunity rather than rejected. There's too much spam as it is
> without adding to the problem.


By "realtime rejection" I mean running SA from an ACL rather than a
router/transport pair, so you can reject the message. Rejection (with a
5xx message) is *not* the same as bouncing, since it pushes the error
handling back onto the sending MTA. In the case of spam farms, trojans,
botnets and so on this is a good thing since it means you're not
accepting the message - more modern botnets such as Storm are rumoured
to have additional code to handle rejections, which then result in you
getting less rubbish thrown at your machines.

> > Additionally, look up the "headers_remove" option for your routers:
> >
> > http://www.exim.org/exim-html-4.66/doc/html/spec_html/ch44.html#SECTheadersaddrem
>
> I don't see any need to do this if I am using a "personal" header name.


Because SA might score things down, or ignore them completely if they
come in with a set of headers that instance would add after scanning. I
can't comment on your SA setup, but some do.

To flesh out the ACL approach - in your DATA ACL, have something like
this:

warn message   = X-local-SpamScore: $spam_score ($spam_bar)
     condition = ${if <={$message_size}{500K}}
     spam      = exim:true
warn message   = X-local-SpamReport: $spam_report
     condition = ${if <={$message_size}{500K}}
     spam      = exim:true
warn message   = X-local-Spam-Flag: ${if \
                 >{$spam_score_int}{58}{Yes}\
                 {${if >{$spam_score_int}{55}{Maybe1}\
                 {${if >{$spam_score_int}{50}{Maybe2}{Not}}}}}}
     spam      = exim
deny message   = Rejected due to spam score $spam_score, which exceeds threshold.
     condition = ${if <={$message_size}{500K}}
     spam      = exim:true
     condition = ${if >{$spam_score_int}{60}{1}{0}}


That doesn't scan if the message is over 500KB, marks it with a sequence
of words according to score, and rejects if the score is over 6.

Graeme
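An added example, not part of Graeme's post or of Exim itself: a small Python model of the DATA ACL thresholds above together with the headers_remove step, so the size gate, the flag ladder and the reject threshold can be checked offline. The inbound message, its size and the score are constructed; `score_int` stands in for `$spam_score_int`.

```python
# Added example (not from the mailing-list post): models the DATA ACL above
# and the headers_remove step with Python's email module. Message, size and
# score are constructed inputs; nothing here talks to Exim or spamd.
from email import message_from_string
from email.message import Message

SIZE_LIMIT = 500 * 1024   # the ACL's 500K gate (Exim's K suffix means 1024)
REJECT_ABOVE = 60         # $spam_score_int > 60, i.e. a score above 6.0
LOCAL_PREFIX = "x-local-spam"

# Constructed inbound message that tries to pre-stamp itself as clean.
RAW_MESSAGE = (
    "From: someone@example.org\r\n"
    "To: user@example.net\r\n"
    "Subject: hello\r\n"
    "X-local-Spam-Flag: Not\r\n"
    "X-local-SpamScore: 0.0 ()\r\n"
    "\r\n"
    "body\r\n"
)

def parse(raw: str) -> Message:
    return message_from_string(raw)

def strip_local_headers(msg: Message) -> Message:
    """What headers_remove on a router does for this setup: drop every
    X-local-Spam* header that arrived from outside, so the scanner and the
    downstream filters only ever see headers added by this instance."""
    for name in {h.lower() for h in msg.keys()}:
        if name.startswith(LOCAL_PREFIX):
            del msg[name]   # del removes every occurrence of that header
    return msg

def spam_flag(score_int: int) -> str:
    """The nested ${if >{$spam_score_int}...} ladder from the third warn."""
    if score_int > 58:
        return "Yes"
    if score_int > 55:
        return "Maybe1"
    if score_int > 50:
        return "Maybe2"
    return "Not"

def data_acl(msg: Message, size: int, score_int: int) -> str:
    """Apply the warn/deny statements in order; returns 'deny' or 'accept'."""
    scanned = size <= SIZE_LIMIT      # condition on the first, second and deny
    if scanned:
        msg["X-local-SpamScore"] = "%.1f" % (score_int / 10)
    msg["X-local-Spam-Flag"] = spam_flag(score_int)   # third warn: no size gate
    if scanned and score_int > REJECT_ABOVE:
        return "deny"                 # 5xx at DATA; the sending MTA handles it
    return "accept"
```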