The SA RBL checks make quite a difference to the amount of spam I catch,
so I wrote some code in my filter to perform the checks, score them the
same as SA would (given both Bayes and networking enabled), and then
modify the SA $report to reflect the tests.  I suppose a better way than
what I do below would be to read /usr/share/spamassassin/20_dnsrbl.cf and
50_scores.cf on the fly, but this stuff hasn't seemed to change too
frequently with the last few SA releases.

Realize this WILL slow down your processing, but we do about 30K inbound
mails/day and it hasn't been a problem.  Use at your own risk.  So here is
my filter_end....

[BTW I had to delete the last line of my report as set in my
/etc/mail/spamassassin/sa-mimedefang.cf and I add it after I get done
adding RBL hits to the report.  I also tolerate a blank line between the
report as generated by the call to spam_assassin_check and the RBL checks
I do in my code.  I am lazy and didn't feel like writing code to make it
look identical just for aesthetics.]


sub filter_end ($) {

    use Socket;                 # for inet_ntoa()

    my($entity) = @_;

    # If you want quarantine reports, uncomment next line
    # send_quarantine_notifications();

    # IMPORTANT NOTE:  YOU MUST CALL send_quarantine_notifications() AFTER
    # ANY PARTS HAVE BEEN QUARANTINED.  SO IF YOU MODIFY THIS FILTER TO
    # QUARANTINE SPAM, REWORK THE LOGIC TO CALL send_quarantine_notifications()
    # AT THE END!!!

    # No sense doing any extra work
    return if message_rejected();

    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 200*1024) {
            # Only scan messages smaller than 200kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();

            # check RBLs and add to $hits
            # this code emulates what spamass would do with net checks
            # when both net and bayes are enabled
            # relay_is_blacklisted() returns the packed A record of the
            # listing (0 if not listed); inet_ntoa() gives the dotted quad
            # that identifies which sub-list the relay is on.
            my($result);
            if ($result = (relay_is_blacklisted($RelayAddr, "dnsbl.njabl.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_NJABL
                $hits = $hits + 0.100;
                $names = $names . ",RCVD_IN_NJABL";
                $report = $report . " 0.1 RCVD_IN_NJABL\tReceived via a relay in dnsbl.njabl.org\n";
                if ($result eq '127.0.0.2') {
                    # RCVD_IN_NJABL_RELAY
                    $hits = $hits + 0.001;
                    $names = $names . ",RCVD_IN_NJABL_RELAY";
                    $report = $report . " 0.0 RCVD_IN_NJABL_RELAY\tNJABL: sender is confirmed open relay\n";
                } elsif ($result eq '127.0.0.3') {
                    # RCVD_IN_NJABL_DIALUP
                    $hits = $hits + 3.536;
                    $names = $names . ",RCVD_IN_NJABL_DIALUP";
                    $report = $report . " 3.5 RCVD_IN_NJABL_DIALUP\tNJABL: dialup sender did non-local SMTP\n";
                } elsif ($result eq '127.0.0.4') {
                    # RCVD_IN_NJABL_SPAM
                    $hits = $hits + 1.206;
                    $names = $names . ",RCVD_IN_NJABL_SPAM";
                    $report = $report . " 1.2 RCVD_IN_NJABL_SPAM\tNJABL: sender is confirmed spam source\n";
                } elsif ($result eq '127.0.0.5') {
                    # RCVD_IN_NJABL_MULTI
                    $hits = $hits + 0.001;
                    $names = $names . ",RCVD_IN_NJABL_MULTI";
                    $report = $report . " 0.0 RCVD_IN_NJABL_MULTI\tNJABL: sent through multi-stage open relay\n";
                } elsif ($result eq '127.0.0.8') {
                    # RCVD_IN_NJABL_CGI
                    $hits = $hits + 0;
                    $names = $names . ",RCVD_IN_NJABL_CGI";
                    $report = $report . " 0 RCVD_IN_NJABL_CGI\tNJABL: sender is an open formmail\n";
                } elsif ($result eq '127.0.0.9') {
                    # RCVD_IN_NJABL_PROXY
                    $hits = $hits + 0.500;
                    $names = $names . ",RCVD_IN_NJABL_PROXY";
                    $report = $report . " 0.5 RCVD_IN_NJABL_PROXY\tNJABL: sender is an open proxy\n";
                }
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "dnsbl.sorbs.net"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_SORBS
                $hits = $hits + 0.100;
                $names = $names . ",RCVD_IN_SORBS";
                $report = $report . " 0.1 RCVD_IN_SORBS\tSORBS: sender is listed in SORBS\n";
                if ($result eq '127.0.0.2') {
                    # RCVD_IN_SORBS_HTTP
                    $hits = $hits + 1.101;
                    $names = $names . ",RCVD_IN_SORBS_HTTP";
                    $report = $report . " 1.1 RCVD_IN_SORBS_HTTP\tSORBS: sender is open HTTP proxy server\n";
                } elsif ($result eq '127.0.0.3') {
                    # RCVD_IN_SORBS_SOCKS
                    $hits = $hits + 1.204;
                    $names = $names . ",RCVD_IN_SORBS_SOCKS";
                    $report = $report . " 1.2 RCVD_IN_SORBS_SOCKS\tSORBS: sender is open SOCKS proxy server\n";
                } elsif ($result eq '127.0.0.4') {
                    # RCVD_IN_SORBS_MISC
                    $hits = $hits + 0.687;
                    $names = $names . ",RCVD_IN_SORBS_MISC";
                    $report = $report . " 0.7 RCVD_IN_SORBS_MISC\tSORBS: sender is open proxy server\n";
                } elsif ($result eq '127.0.0.5') {
                    # RCVD_IN_SORBS_SMTP
                    $hits = $hits + 2.700;
                    $names = $names . ",RCVD_IN_SORBS_SMTP";
                    $report = $report . " 2.7 RCVD_IN_SORBS_SMTP\tSORBS: sender is open SMTP relay\n";
                } elsif ($result eq '127.0.0.6') {
                    # RCVD_IN_SORBS_SPAM
                    $hits = $hits + 0;
                    $names = $names . ",RCVD_IN_SORBS_SPAM";
                    $report = $report . " 0 RCVD_IN_SORBS_SPAM\tSORBS: spam source or spam-supporting ISP\n";
                } elsif ($result eq '127.0.0.7') {
                    # RCVD_IN_SORBS_WEB
                    $hits = $hits + 0;
                    $names = $names . ",RCVD_IN_SORBS_WEB";
                    $report = $report . " 0 RCVD_IN_SORBS_WEB\tSORBS: sender is a abuseable web server\n";
                } elsif ($result eq '127.0.0.8') {
                    # RCVD_IN_SORBS_BLOCK
                    $hits = $hits + 0;
                    $names = $names . ",RCVD_IN_SORBS_BLOCK";
                    $report = $report . " 0 RCVD_IN_SORBS_BLOCK\tSORBS: sender demands to never be tested\n";
                } elsif ($result eq '127.0.0.9') {
                    # RCVD_IN_SORBS_ZOMBIE
                    $hits = $hits + 2.599;
                    $names = $names . ",RCVD_IN_SORBS_ZOMBIE";
                    $report = $report . " 2.6 RCVD_IN_SORBS_ZOMBIE\tSORBS: sender is on a hijacked network\n";
                } elsif ($result eq '127.0.0.10') {
                    # RCVD_IN_DYNABLOCK
                    $hits = $hits + 2.599;
                    $names = $names . ",RCVD_IN_DYNABLOCK";
                    $report = $report . " 2.6 RCVD_IN_DYNABLOCK\tSent directly from dynamic IP address\n";
                }
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "opm.blitzed.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_OPM
                $hits = $hits + 1.001;
                $names = $names . ",RCVD_IN_OPM";
                $report = $report . " 1.0 RCVD_IN_OPM\tReceived via a relay in opm.blitzed.org\n";
                # OPM answers 127.1.0.N where N is a bitmask of proxy types, so
                # test bits of the last octet (as SA's check_rbl_sub does with a
                # numeric sub-test) instead of comparing the whole dotted quad;
                # more than one type can fire for the same relay.
                my($opmtype) = (split(/\./, $result))[3];
                if ($opmtype & 1) {
                    # RCVD_IN_OPM_WINGATE
                    $hits = $hits + 2.700;
                    $names = $names . ",RCVD_IN_OPM_WINGATE";
                    $report = $report . " 2.7 RCVD_IN_OPM_WINGATE\tOPM: sender is open WinGate proxy\n";
                }
                if ($opmtype & 2) {
                    # RCVD_IN_OPM_SOCKS
                    $hits = $hits + 1.257;
                    $names = $names . ",RCVD_IN_OPM_SOCKS";
                    $report = $report . " 1.3 RCVD_IN_OPM_SOCKS\tOPM: sender is open SOCKS proxy\n";
                }
                if ($opmtype & 4) {
                    # RCVD_IN_OPM_HTTP
                    $hits = $hits + 1.101;
                    $names = $names . ",RCVD_IN_OPM_HTTP";
                    $report = $report . " 1.1 RCVD_IN_OPM_HTTP\tOPM: sender is open HTTP CONNECT proxy\n";
                }
                if ($opmtype & 8) {
                    # RCVD_IN_OPM_ROUTER
                    $hits = $hits + 0;
                    $names = $names . ",RCVD_IN_OPM_ROUTER";
                    $report = $report . " 0 RCVD_IN_OPM_ROUTER\tOPM: sender is open router proxy\n";
                }
                if ($opmtype & 16) {
                    # RCVD_IN_OPM_HTTP_POST
                    $hits = $hits + 1.001;
                    $names = $names . ",RCVD_IN_OPM_HTTP_POST";
                    $report = $report . " 1.0 RCVD_IN_OPM_HTTP_POST\tOPM: sender is open HTTP POST proxy\n";
                }
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "list.dsbl.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_DSBL
                $hits = $hits + 0.706;
                $names = $names . ",RCVD_IN_DSBL";
                $report = $report . " 0.7 RCVD_IN_DSBL\tReceived via a relay in list.dsbl.org\n";
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "ipwhois.rfc-ignorant.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_RFCI
                $hits = $hits + 0.100;
                $names = $names . ",RCVD_IN_RFCI";
                $report = $report . " 0.1 RCVD_IN_RFCI\tSent via a relay in ipwhois.rfc-ignorant.org\n";
            }
#           if ($result = (relay_is_blacklisted($RelayAddr, "dsn.rfc-ignorant.org"))) {
#               $result = inet_ntoa($result);
#               # DNS_FROM_RFCI_DSN
#               $hits = $hits + 0;
#               $names = $names . ",DNS_FROM_RFCI_DSN";
#               $report = $report . " 0 DNS_FROM_RFCI_DSN\tFrom: sender listed in dsn.rfc-ignorant.org\n";
#           }
            if ($result = (relay_is_blacklisted($RelayAddr, "sa-hil.habeas.com"))) {
                $result = inet_ntoa($result);
                # HABEAS_VIOLATOR
                $hits = $hits + 16;
                $names = $names . ",HABEAS_VIOLATOR";
                $report = $report . " 16 HABEAS_VIOLATOR\tHas Habeas warrant mark and on Infringer List\n";
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "sa-trusted.bondedsender.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_BSP_TRUSTED
                $hits = $hits - 4.3;
                $names = $names . ",RCVD_IN_BSP_TRUSTED";
                $report = $report . " -4.3 RCVD_IN_BSP_TRUSTED\tSender is in Bonded Sender Program (trusted relay)\n";
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "sa-other.bondedsender.org"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_BSP_OTHER
                $hits = $hits - 0.1;
                $names = $names . ",RCVD_IN_BSP_OTHER";
                $report = $report . " -0.1 RCVD_IN_BSP_OTHER\tSender is in Bonded Sender Program (other relay)\n";
            }
            if ($result = (relay_is_blacklisted($RelayAddr, "bl.spamcop.net"))) {
                $result = inet_ntoa($result);
                # RCVD_IN_BL_SPAMCOP_NET
                $hits = $hits + 1.50;
                $names = $names . ",RCVD_IN_BL_SPAMCOP_NET";
                $report = $report . " 1.5 RCVD_IN_BL_SPAMCOP_NET\tReceived via a relay in bl.spamcop.net\n";
            }
            # Patch the total in the SA report to include the RBL hits, then
            # put back the closing line that was removed from sa-mimedefang.cf
            $report =~ s/[0-9]+\.[0-9]+ hits/$hits hits/;
            $report = $report . ": -------------------- End of Spam Details -----------------------------";

            my($score);
            if ($hits < 40) {
                $score = "*" x int($hits);
            } else {
                $score = "*" x 40;
            }
            if ($hits >= $req) {
                # just drop obnoxiously high messages
                if ($hits > 10) {
                    md_graphdefang_log('discarded spam',  $hits, $RelayAddr);
                    action_discard();
                } else {
                    action_change_header("Subject", "\*\*\*\*\*SPAM\*\*\*\*\* $Subject");

                    # If you find the SA report useful, add it, I guess...
                    action_add_part($entity, "text/plain", "-suggest",
                                    "$report\n",
                                    "SpamAssassinReport.txt", "inline");
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                }
            } else {
                md_graphdefang_log('clean', $hits, $RelayAddr);
            }
            # We add a header which looks like this:
            # X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
            # The number of asterisks in parens is the integer part
            # of the spam score clamped to a maximum of 40.
            # MUA filters can easily be written to trigger on a
            # minimum number of asterisks...
            action_change_header("X-Spam-Score", "$hits ($score) $names");
        } else {
            md_graphdefang_log('clean', '0', $RelayAddr);
        }

    }
}


-- 
Matthew S. Cramer <[EMAIL PROTECTED]>          Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099
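The poster's own suggestion of reading 20_dnsrbl.cf and 50_scores.cf instead of hard-coding every zone, worked through as an added example that is not part of the post: it parses constructed config lines in the SpamAssassin 2.6-era syntax, takes the fourth score column as the Bayes+net scoreset (an assumption about SA's column order), and evaluates a zone's answer, treating numeric sub-tests as bitmasks on the last octet the way OPM uses them.

```perl
use strict;
use warnings;
# Constructed sample in SA 2.6x 20_dnsrbl.cf/50_scores.cf syntax (not the shipped files).
my $cf = <<'CF';
header RCVD_IN_NJABL        eval:check_rbl('njabl', 'dnsbl.njabl.org.')
header RCVD_IN_NJABL_DIALUP eval:check_rbl_sub('njabl', '127.0.0.3')
header RCVD_IN_OPM          eval:check_rbl('opm', 'opm.blitzed.org.')
header RCVD_IN_OPM_SOCKS    eval:check_rbl_sub('opm', '2')
header RCVD_IN_OPM_HTTP     eval:check_rbl_sub('opm', '4')
score RCVD_IN_NJABL         0 0.100 0 0.100
score RCVD_IN_NJABL_DIALUP  0 3.536 0 3.536
score RCVD_IN_OPM           0 1.001 0 1.001
score RCVD_IN_OPM_SOCKS     0 1.257 0 1.257
score RCVD_IN_OPM_HTTP      0 1.101 0 1.101
CF
# $set{setname} = { zone, rule, subs => [[rule, match], ...] }; %score is keyed by rule.
sub parse_dnsrbl_cf {
    my ($text, $scoreset) = @_;          # scoreset 3 = Bayes and net both enabled
    my (%set, %score);
    for (split /\n/, $text) {
        if (/^header\s+(\S+)\s+eval:check_rbl\('(\w+)',\s*'([^']+)'\)/) {
            $set{$2}{rule} = $1;
            ($set{$2}{zone} = $3) =~ s/\.$//;    # strip the trailing root dot
        } elsif (/^header\s+(\S+)\s+eval:check_rbl_sub\('(\w+)',\s*'([^']+)'\)/) {
            push @{ $set{$2}{subs} }, [ $1, $3 ];
        } elsif (/^score\s+(\S+)\s+(.+)$/) {
            my @cols = split ' ', $2;
            $score{$1} = defined $cols[$scoreset] ? $cols[$scoreset] : $cols[0];
        }
    }
    return (\%set, \%score);
}
# (rule, score) pairs that fire for the dotted A record a zone answered with: numeric
# sub-tests are bitmasks on the last octet (several may fire), dotted ones exact matches.
sub rbl_hits {
    my ($set, $score, $name, $dotted) = @_;
    my $s = $set->{$name} or return;
    my $last = (split /\./, $dotted)[3];
    my @hits = ([ $s->{rule}, $score->{ $s->{rule} } || 0 ]);
    for (@{ $s->{subs} || [] }) {
        my ($rule, $match) = @$_;
        push @hits, [ $rule, $score->{$rule} || 0 ]
            if $match =~ /^\d+$/ ? ((0 + $last) & (0 + $match)) : $dotted eq $match;
    }
    return @hits;
}
my ($set, $score) = parse_dnsrbl_cf($cf, 3);
# 127.1.0.6 from OPM has bits 2 and 4 set: OPM, OPM_SOCKS and OPM_HTTP all fire.
printf "%-22s %s\n", @$_ for rbl_hits($set, $score, 'opm', '127.1.0.6');
```

In the filter, the zone from each set's entry would be passed to relay_is_blacklisted() and the returned pairs summed into $hits and appended to $names and $report, so a rule or score change in the .cf files needs no edit to the filter.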

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang