On Thu, Nov 04, 2004 at 02:15:20PM -0500, Lisa Casey wrote:
> I've spent most of this week on this and am just getting frustrated. I'm
> Sysadmin for an ISP. I installed MIMEDefang, Spamassassin and filter::scan

(I assume you mean File::Scan there)

> on my Red Hat Sendmail server as a way of dealing with my customers'
> spam/virus (mostly the spam, it's a REAL problem).
>
> As far as I can tell, MIMEDefang/Spamassassin are working OK. I tested
> Spamassassin when I installed it with the sample-nonspam.txt and
> sample-spam.txt included. MIMEDefang adds this header to e-mail:
>
> X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1
>
> and Spamassassin adds a SpamAssassinReport.txt as an attachment to each
> spam mail.

Sounds promising. You said you wanted other people to tell you how they use MD/SA. I'll try to give some context for what I do here.

> But I've been reading websites for two days now and can't figure
> out how to do anything else with this.

First off: What are you using for your mimedefang-filter script? The tarball has examples/suggested-minimum-filter-for-windows-clients which has a pretty complete framework. I used that as the basis for ours and haven't had to change it all that much.

The mimedefang-filter manual page is worth the time to study. It explains how mimedefang-filter works -- basically, MD will call filter_begin(), filter(), etc. at various points in its processing. You get to fill in those functions with your decided policies -- you have a good starting point in the example script, but there's no getting around the fact that you'll have to do some coding to match your decisions. Knowing how that file works will demystify MD a lot.

> Basically I don't want spam coming
> into my users' mailboxes, they don't want it. I understand there will be some
> amount of false positives, but I just want to drop (or bounce or whatever)
> the spam before it reaches the mailboxes.

My users would never allow me to unilaterally drop everything that SA claimed was spam. I have to allow them the choice of whether they want SA filtering, and what should be done with spam. So we rely on the X-Spam-* headers...
by default, when SA flags the mail as spam by adding the header, as part of the Sendmail delivery process, we use procmail to put the mail in a folder called "Blocked" which the user can review periodically looking for false-positives. If the user wants to change procmail so it's deleted, or disable it, that's their choice.

I'm surprised to hear someone from an ISP so confident that you can drop it all for your users. But, if you're sure, I would say you should look at the part of filter_end() in the example mimedefang-filter where the "$hits >= $req" test is, and use action_discard() there instead of adding the report.

> I'd also like to drop, bounce, whatever mail that has certain words in the
> subject, such as [...]

When I have to, I use Sendmail to do this (write me off-list if you want details), only because we had this capability before we started using MD. But as documented in the man page, the "$Subject" variable is available to the functions in mimedefang-filter like filter() -- you can check for your trigger words, and use action_discard() there as well.

Again, I would caution you to be careful. The "v-word" might be reasonable but will your users really be happy if they use the name of an expensive watch or fashion hand-bag or anatomical part in the Subject: line of a legitimate email, and you drop it for them? The SA philosophy is "lots of evidence (tests) with little scores which, taken together, are compelling". There's danger in a philosophy of "one big litmus test that decides yea or nay". And you'll also have the joy of trying to keep up with the "word of the week" (whack-a-mole) including all the [EMAIL PROTECTED] ways they can be s.p.e.l.l.e.d.

> Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper
> and most of my users pick up their mail using Outlook Express. I understand
> I can't just forward spam to a spam mailbox and run sa-learn on that as the
> forwarding will not get the original headers.

SA can be set to "auto-learn" ham or spam. You'd want to see the SA documentation for that. So I only use sa-learn for false-negatives that I and a few other users here identify. Our convention is to put them in a folder just for FNs, and I run sa-learn on that directly (so it does pick up the original headers).

Hope this helps somewhat, and hope you're successful in implementing. The value of MD/SA is well worth the effort.

--
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
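
A sketch of the filter_end() change discussed in the reply above, added here as an example; it is not code from the thread or from the MIMEDefang distribution. The discard margin, the trigger-word list, the size limit and the spam_policy() helper are hypothetical, and the MIMEDefang calls and globals ($Features, $Subject, $RelayAddr) are assumed to behave as the mimedefang-filter man page describes.

```perl
# mimedefang-filter fragment (added example, not the distribution's sample filter).
# Hypothetical names: $DISCARD_MARGIN, @SUBJECT_TRIGGERS, spam_policy().
my $DISCARD_MARGIN   = 5;    # assumption: discard only at $req + 5 or above
my @SUBJECT_TRIGGERS = ('placeholderword1', 'placeholderword2');   # placeholders

# Pure decision function so the policy can be exercised outside MIMEDefang.
# Returns 'discard', 'tag' or 'pass'.
sub spam_policy {
    my ($hits, $req, $subject) = @_;
    return 'pass' if $hits < $req;
    # Well past the threshold: SA's combined evidence is strong enough alone.
    return 'discard' if $hits >= $req + $DISCARD_MARGIN;
    # A trigger word is one more piece of evidence, not a litmus test:
    # it only tips mail that SA already scored as spam.
    $subject = '' unless defined $subject;
    foreach my $word (@SUBJECT_TRIGGERS) {
        return 'discard' if $subject =~ /\b\Q$word\E\b/i;
    }
    return 'tag';
}

sub filter_end {
    my ($entity) = @_;
    return unless $Features{"SpamAssassin"};
    # Assumption: skip large messages, which are slow to scan.
    return unless -s "./INPUTMSG" < 100 * 1024;

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $verdict = spam_policy($hits, $req, $Subject);

    if ($verdict eq 'discard') {
        md_graphdefang_log('spam', $hits, $RelayAddr);   # keep a record of drops
        return action_discard();
    }
    if ($verdict eq 'tag') {
        # Borderline spam is delivered with a header that procmail or the
        # mail client can file into a review folder.
        my $stars = "*" x ($hits < 40 ? int($hits) : 40);
        action_change_header("X-Spam-Score", "$hits ($stars) $names");
        action_add_part($entity, "text/plain", "-suggest", "$report\n",
                        "SpamAssassinReport.txt", "inline");
    } else {
        action_delete_header("X-Spam-Score");   # drop any forged score header
    }
}

1;   # the filter file is loaded with require and must return true
```

Mail scoring between $req and the discard margin still reaches the user with an X-Spam-Score header, so false positives in that band can be reviewed rather than lost.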

