Hi list.

I've been thinking a lot lately about a nice way to quarantine some mails 
passing my server.
Today I relay all mails from Exim through a MAILsweeper box, which scans 
for some headers (X-Spam-Flag and X-Virus-Flag) and puts it in quarantine.
One important note: I quarantine all clean mail as well, in parallel to 
delivering them to their recipients.

Though MAILsweeper is really easy to use, I don't want that extra hop 
any more, so the other day I started experimenting. :)
This is what I'm thinking:


- Exim accepts incoming mail, scans for spam and sets the appropriate 
header.


- A: It's not spam. A system filter looking like this saves the message 
in a quarantine store ('clean'):
     if $h_x-spam-flag does not contain "YES"
        then
        unseen save /var/mail/quarantine/clean/$message_id
     endif

     The transport taking care of the saving is here:
     quarantine_clean_mail:
        driver = appendfile
        delivery_date_add
        envelope_to_add
        return_path_add
        group = www
        user = mailnull
        mode = 0660
        no_mode_fail_narrower
        batch_max = 1000
        use_bsmtp


- B: It's spam. This router captures it:
     spamflagged_director:
        driver = accept
        condition = ${if and { {def:h_X-Spam-Flag:} {!eq {$received_protocol}{local}} } {1}{0}}
        transport = spamflagged_delivery

     And this transport stores it in quarantine store named 'blocked':
     spamflagged_delivery:
        driver = appendfile
        file = /var/mail/quarantine/blocked/$message_id


I then have some cgi scripts to view/process the contents of the 
quarantine, but we can take that later..


Issue 1: Spam mails with multiple recipients get written multiple times 
to the same file (named $message_id). I think I could fix that by using 
filter save instead of a router, but I haven't looked into it yet. 
(deliver to file?)

Issue 2: I need to preserve MAIL FROM and RCPT TO, which use_bsmtp takes 
care of, but RCPT TO only contains <system-filter>. Solution might be to 
have the filter add an extra header ( "Q-Envelope-to: $recipients" ) for 
later parsing, but I'm not into modifying the mail files for that 
purpose. But if there's no other way, then..  As for now, I'm reading 
the contents of the latest Received header, but that only works for 
single-addressed mails.

Issue 3: When releasing mail from quarantine, what do I have to think 
about regarding From and Reply-to headers? I don't want it to look like 
it came from the www user on the quarantine box.


Some words about the cgi. A perl script regularly indexes the mails in 
quarantine and removes mails older than x days, and another script 
presents the contents for a web user, which has options such as Release, 
Whitelist, Train as ham/spam, Test SA scoring, Report, Forward to new 
address and Delete. I'm thinking of another option: Inject in MTA, but 
I'm not sure how to accomplish that.

To prevent one folder from being flooded with 300.000 files, the indexing 
also distributes them over several subfolders.


So, before you start bombarding with "why invent the wheel, use this and 
that instead", what are your thoughts?  What are others doing/using?

And then, let the bombing begin ;)


Best regards,
Andreas



-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
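An added example for Issue 2 (my own code, not Andreas's): a small Python reader for the files appendfile writes with use_bsmtp, which takes the recipients from the BSMTP envelope when they are real, else from the Q-Envelope-to header proposed in the post (a hypothetical header name), else from the 'for' clause of the newest Received header as the post does today. The sample file is constructed; the addresses and message id in it are made up.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of one quarantine file as appendfile writes it with
# use_bsmtp; RCPT TO holds the <system-filter> placeholder from the filter's
# 'save', so real recipients survive only in the (hypothetical) Q-Envelope-to.
SAMPLE_BSMTP = """MAIL FROM:<alice@example.org>
RCPT TO:<system-filter>
DATA
Received: from mx.example.org ([192.0.2.10]) by quarantine.example.net with esmtp
 (Exim) id 1ABCDE-000123-45 for bob@example.net; Mon, 01 Jan 2024 10:00:00 +0000
Q-Envelope-to: bob@example.net, carol@example.net
X-Spam-Flag: NO

..a body line that was dot-stuffed by BSMTP
.
"""
PLACEHOLDER = "system-filter"

def parse_bsmtp(text):
    """Return (mail_from, rcpt_to list, message text) from a BSMTP file."""
    lines = text.splitlines()
    mail_from, rcpts, i = None, [], 0
    while i < len(lines) and lines[i].strip().upper() != "DATA":
        cmd, _, arg = lines[i].partition(":")
        if cmd.upper() == "MAIL FROM":
            mail_from = arg.strip().strip("<>")
        elif cmd.upper() == "RCPT TO":
            rcpts.append(arg.strip().strip("<>"))
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == ".":  # end-of-data marker
            break
        body.append(line[1:] if line.startswith("..") else line)  # un-dot-stuff
    return mail_from, rcpts, "\n".join(body) + "\n"

def envelope_recipients(text, header="Q-Envelope-to"):
    """RCPT TO from the envelope if real, else the extra header, else the
    'for' clause of the newest Received header (single address only)."""
    _, rcpts, msg_text = parse_bsmtp(text)
    real = [r for r in rcpts if r != PLACEHOLDER]
    if real:
        return real
    msg = message_from_string(msg_text)
    if msg.get(header):
        return [addr for _, addr in getaddresses([msg[header]])]
    m = re.search(r"\bfor\s+<?([^\s<>;]+)>?", msg.get("Received", ""))
    return [m.group(1)] if m else []
```

The Received fallback only ever yields one address, which is exactly the limitation the post describes; the header route recovers all of them.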
