Title: Module 11
Slide 1: Module 11
Slide 2: SpamAssassin
Spam Assassin
ClamAV
Apache
ProFTP
OpenLDAP
Cyrus IMAP
AMaViS
Postfix
SCO OpenServer
Slide 3: SpamAssassin
- SpamAssassin uses numerous tests
- SpamAssassin is configured in
  - /opt/insight/etc/mail/local.cf
  - /opt/insight/share/spamassassin/*.cf
- Do not modify files in share/spamassassin
- After modifying configuration files, run
  - spamassassin --lint
  - /opt/insight/etc/rc/amavisd restart
Slide 4: SpamAssassin
- Every SpamAssassin administrator should know
- required_hits
- report_contact
- report_safe
- Whitelisting
- Blacklisting
Slide 5: SpamAssassin
- Customizing headers
- SpamAssassin headers begin X-Spam
- X-Spam-Checker-Version is mandatory
- Modify headers with
- remove_header
- clear_headers
- add_header
Slide 6: SpamAssassin
Report message
Spam detection software, running on the system "_HOSTNAME_", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see _CONTACTADDRESS_ for details.
Content preview: _PREVIEW_
Content analysis details: (_HITS_ points, _REQD_ required)
" pts rule name              description"
---- ---------------------- ----------------------
_SUMMARY_
Slide 7: SpamAssassin
Spamtrap message
Subject: this address is no longer available
this message has been automatically generated
Please note that this address is no longer in use, and nowadays receives nothing but unsolicited commercial mail. Accordingly, any mail sent to it is added to several spam-tracking databases, then automatically deleted.
If you genuinely want to contact the owner of the address, please re-check your contact lists, or search the web, to find their current e-mail address.
The mail you sent is reproduced in full below, for resending to the correct address. Sorry for the inconvenience!
--
Signed: the SpamAssassin mail filter
Slide 8: SpamAssassin
Unsafe_report message
The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
Slide 9: SpamAssassin
- Areas tested
- header
- body
- rawbody
- full
- uri
Slide 10: SpamAssassin
Header test example
header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
- Name of rule: NO_REAL_NAME
- Header to match: From
- Perl regex operator: =~
- Perl regular expression: /^["\s]*\<?\S+\@\S+\>?\s*$/
Slide 11: SpamAssassin
- Header test definitions only define the test
- Header test definitions don't define
  - The test's description
  - The test's score
- 20_head_tests.cf specifies
  header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
  describe NO_REAL_NAME From: does not include a real name
- 50_scores.cf specifies
  score NO_REAL_NAME 0.339 0.285 0.339 0.160
SCOoffice uses this score
Slide 12: SpamAssassin
- Meta-match (boolean expression)
body CLICK_BELOW_CAPS /CLICK\s.{0,30}(?:HERE|BELOW)/s
describe CLICK_BELOW_CAPS Asks you to click below (in capital letters)
body __CLICK_BELOW /click\s.{0,30}(?:here|below)/is
meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)
describe CLICK_BELOW Asks you to click below
Slide 13: SpamAssassin
- Meta-match (boolean arithmetic expression)
body __NIGERIAN_CODE_CONDUCT /\bcode of conduct\b/i
body __NIGERIAN_CIV_SERVICE /\bcivil service\b/i
body __NIGERIAN_TOP_SECRET /\btop secret\b/i
body __NIGERIAN_HONESTY /\btransparent honesty\b/i
meta NIGERIAN_BODY_GOVT ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_TOP_SECRET + __NIGERIAN_HONESTY) > 2)
describe NIGERIAN_BODY_GOVT Message body has many indications of nigerian scam
score NIGERIAN_BODY_GOVT 2.900 2.800 2.800 2.700
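The CLICK_BELOW and NIGERIAN_BODY_GOVT meta rules above, evaluated against constructed message bodies. This is an added example, not part of the original slides and not SpamAssassin's own code. It assumes Python's re module in place of Perl regexes and a body passed in as one string; evaluate() and the sample texts are hypothetical.

```python
import re

# Body rules as shown on the slides; Perl flags /i and /s map to re.I and re.S.
BODY_RULES = {
    "CLICK_BELOW_CAPS": re.compile(r"CLICK\s.{0,30}(?:HERE|BELOW)", re.S),
    "__CLICK_BELOW": re.compile(r"click\s.{0,30}(?:here|below)", re.I | re.S),
    "__NIGERIAN_CODE_CONDUCT": re.compile(r"\bcode of conduct\b", re.I),
    "__NIGERIAN_CIV_SERVICE": re.compile(r"\bcivil service\b", re.I),
    "__NIGERIAN_TOP_SECRET": re.compile(r"\btop secret\b", re.I),
    "__NIGERIAN_HONESTY": re.compile(r"\btransparent honesty\b", re.I),
}

# Meta rules combine earlier results: boolean for CLICK_BELOW,
# arithmetic (count of sub-rule hits) for NIGERIAN_BODY_GOVT.
META_RULES = {
    "CLICK_BELOW": lambda h: h["__CLICK_BELOW"] and not h["CLICK_BELOW_CAPS"],
    "NIGERIAN_BODY_GOVT": lambda h: sum(
        h[n] for n in BODY_RULES if n.startswith("__NIGERIAN_")) > 2,
}

# Four score columns from the slide, in SpamAssassin's score-set order:
# 0 = no Bayes/no network, 1 = network only, 2 = Bayes only, 3 = both.
SCORES = {"NIGERIAN_BODY_GOVT": (2.900, 2.800, 2.800, 2.700)}


def evaluate(body, score_set=0):
    """Return (rules that fire, points from rules whose score is on the slides)."""
    hits = {name: bool(rx.search(body)) for name, rx in BODY_RULES.items()}
    hits.update({name: bool(fn(hits)) for name, fn in META_RULES.items()})
    # Names starting with "__" are sub-rules: they feed meta rules but are
    # never scored or reported themselves.
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    points = sum(SCORES[n][score_set] for n in fired if n in SCORES)
    return fired, points


# Constructed sample bodies (not real mail).
SCAM = ("I work in the civil service and, under our code of conduct, "
        "this top secret transfer must stay between us.")
TWO_PHRASES = "The civil service code of conduct was updated last week."
LOWER_CLICK = "To unsubscribe, click the link below."
CAPS_CLICK = "CLICK HERE to claim your prize."

if __name__ == "__main__":
    for body in (SCAM, TWO_PHRASES, LOWER_CLICK, CAPS_CLICK):
        print(evaluate(body), "<-", body[:40])
```

TWO_PHRASES matches only two sub-rules, so the `> 2` threshold keeps NIGERIAN_BODY_GOVT from firing, and CAPS_CLICK shows `!CLICK_BELOW_CAPS` preventing the same text from being counted by both click rules.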
Slide 14: Quarantining Viruses and Spam
- By default, SCOoffice Server
  - Quarantines messages containing viruses
  - Does not quarantine messages containing spam
Slide 15: Quarantining Viruses and Spam
- Messages containing viruses are quarantined by AMaViS.
Slide 16: Quarantining Viruses and Spam
- Headers added to messages containing spam
- X-Virus-Scanned
- X-Spam-Status
- X-Spam-Level
- X-Spam-Flag
- Subject
Slide 17: Quarantining Viruses and Spam
- AMaViS can be configured to quarantine spam
- Configured in amavisd.conf
  - $final_spam_destiny
  - $QUARANTINEDIR
  - $spam_quarantine_to
Slide 18: Quarantining Viruses and Spam
- To quarantine spam to a directory, configure amavisd.conf
$final_spam_destiny = D_PASS;
$QUARANTINEDIR = '/opt/insight/var/virusmails';
$spam_quarantine_to = 'spam-quarantine';
Slide 19: Header Checks
To block emails based on headers
In /opt/insight/etc/postfix/main.cf
header_checks = pcre:/opt/insight/etc/postfix/header_checks
In /opt/insight/etc/postfix/header_checks
/^subject: known_message_subject/ REJECT
Slide 20: Blocking Attachments by Extension
To block emails containing .exe, .bat, etc. attachments
In /opt/insight/etc/postfix/main.cf
header_checks = pcre:/opt/insight/etc/postfix/header_checks
In /opt/insight/etc/postfix/header_checks
/^content-type:.*name[[:space:]]*=.*\.(exe|bat)/ REJECT Rejected file extension $1