And committing the sin of replying to myself, I'll post the cf and pm file since it looks like the list ate my formatting.
http://arcadium.org/millisa/snfilter.pm http://arcadium.org/millisa/snfilter.cf -Aaron -----Original Message----- From: Aaron Millis [mailto:[EMAIL PROTECTED] Sent: Thursday, February 03, 2005 10:54 PM To: '[email protected]' Subject: [sniffer] Simple SpamAssassin 3.x Plugin for Sniffer My first list mailing, apologies for missing any details that have been discussed earlier. We are in the process of moving away from Imail-Declude (and Win32 in general) and needed a means of running Sniffer on our Linux postfix-amavis-spamassassin-clamav systems. I followed the postfix instructions which worked, however, in our situation this wasn't the best setup. We use several front end receiving systems that then hand off the mails for their spam and virus scanning to ancilliary systems that are beefed up for that purpose. Though the sniffer before SA style had appeal, it was not practical for our overall architecture (which allows for scaling of the scan servers without having to beef up the front end receivers via LVS). The method described in the postfix setup on the website would make my front end systems be the ones running sniffer. We use Spamassassin 3.02 on the scan systems which I was unable to find a plugin for (if there is one, please point me to it, I'm sure it's better than mine). The references to the 2.6 patches at http://bugzilla.spamassassin.org/show_bug.cgi?id=2602 helped and I reused some of the pieces to make a very simple 3.x plugin (credits to vivek -at- khera.org) So, without any fanfare, support, liability, firstborn, sacrificed calf, etc . . . I have installed this on a fedora based system, however, I doubt the flavor of linux you are running will make much of a difference here. I followed the installation instructions on the website for installing the filter with postfix, so I continued to use the /var/spool/snfilter/ location for my sniffer files. Assuming you have sniffer installed in that directory and you have verified it does work from the command line using the junkmail and cleanmail test files, the following should enable sniffer for Spam Assassin 3.x: In /etc/mail/spamassassin/ (the location of your local.cf file) you will want to create two files; /etc/mail/spamsassassin/snfilter.cf for your scoring and to let spamassassin know you've got some stuff to load and /etc/mail/spamassassin/snfilter.pm (my perl module file that goes and runs the sniffer against a submitted mail). The score line in the snfilter.cf file you will want to change to a higher value at some point. I would not change it to begin with so you can verify sniffer is indeed working but is not effecting your mails. Bumping it up to '5' is probably a good bet or to '10' if you want to guarantee sniffer marked spams get marked by spamassassin as spam. Permissions: This is going to be different according to what system you are running. We use amavisd-new to call spamassassin, so I needed to make sure amavis had access to the sniffer executable and was able to write the log as well as access to the temp directory used to temporarily store the mail while sniffer check its. Running spamd, you are likely running as spamassassin. This script gives *no* feedback or logging(though you can probably get some if you run spamd interactively) (the 2.6 patch was much more suave about all this and actually would helpfully talk back to SA's debug functions) By default, the module will write its temp files to /tmp which should work (security concerns are up to you if you have other people on the system). If you see don't see SNFILTER tags being placed in your headers by this plugin when you send the junkmail sample that came with sniffer, it is more than likely a permission issue either with writing one of the files or with executing sniffer itself. Do read through the perl module, there are comments in there that explain what each piece does, so you should be able to drop in some debug print lines in if you want to see where you are hanging up. Important: You *do* need to modify the pm file to have your snfilter executable name and auth code (it should run the demo one by default). There is no header modification. All you are going to see is 'SNFILTER' in the spam tags if sniffer keyed on one of its checks, and you won't get to see *which* one. Since I use SA via Amavis, I don't get to modify headers anyways . . . this doesn't mean you can't add header changes in to the spamassassin plugin if you are using SA by itself . . . Anyways, hope this is useful to those of you wanting to use sniffer integrated into SA3+. -Aaron (hopefully the mail clients won't mangle the files below) #SA3 SNFilter plugin #snfilter.cf # put this in /etc/mail/spamassassin/ loadplugin SNFilter snfilter.pm full SNFILTER eval:snfilter_sacheck() describe SNFILTER The Message Sniffer SA3 Plugin score SNFILTER 0.01 ############################################################################ #################### # The perl module to call the sniffer, get the result and then decide if it was a positive match. #snfilter.pm # put this in /etc/mail/spamassassin/ # SNFilter SA3 Integration [EMAIL PROTECTED] 2/3/2005 # Thanks to Vivek Khera vivek -at- khera.org for earlier contributions for SA 2.6 integration # See http://bugzilla.spamassassin.org/show_bug.cgi?id=2602 for details. # This is a very simple, no debug/logging SpamAssassin 3 plugin for SortMonster's MessageSniffer # http://www.sortmonster.com/MessageSniffer/ # Scroll down to the sub snfilter_sacheck { section and modify the variables for your system package SNFilter; use strict; use Mail::SpamAssassin; use Mail::SpamAssassin::Plugin; use Mail::SpamAssassin::PerMsgStatus; # SA has temp file functions, but I had difficulty getting them to work # File::Temp is usually available in most distros, if not, get it from cpan use File::Temp qw/ tempfile tempdir /; our @ISA = qw(Mail::SpamAssassin::Plugin); sub new { my ($class, $mailsa) = @_; $class = ref($class) || $class; my $self = $class->SUPER::new($mailsa); bless ($self, $class); $self->register_eval_rule ("snfilter_sacheck"); return $self; } sub snfilter_sacheck { my ($self, $permsgstatus, $fulltext) = @_; # replace the sniffer, key and the path to sniffer # with your names and locations # below are the demo filename and key my $sniffer='snfrv2r3.exe'; my $key='xnk05x5vmipeaof7'; # The path below is based off the instructions for getting sniffer to work with postfix # This makes it convenient to try using postfix filtering before SA or to turn it off and # enable this plugin to try the sniffer within SA (assuming you are using Postfix + SA) my $path='/var/spool/snfilter/'.$sniffer; my $testscore = 0; my $response =''; my $exitvalue; # We use a ramdisk for temp files as it greatly increases performance # If not, /tmp is probably fine. my $dir = '/tmp'; my $tmpdir=$dir.'/sniffertmp'; #make sure we have a temp dir unless(-d $tmpdir){mkdir($tmpdir)}; # create our temp file, $filename will contain the full path my ($fh, $filename) = tempfile( DIR => $tmpdir ); # spew our mail into the temp file open TMPFILE, ">$filename"; print TMPFILE ${$fulltext}; close TMPFILE; # this is yanked right out of the 2.6 patch by Vivek # run the sniffer and get the result. my $pid = open(SNIFFER, join(' ', $path, $key, $filename, '2>&1', '|')) || die "$!\n"; $response = <SNIFFER>; close SNIFFER; $response ||= ''; # normally, there is no output. chomp $response; # remove the temp file, we are done with unlink($filename); #also credit to Vivek for the snippet $exitvalue = $? >> 8; my $sig = $? & 127; if ($exitvalue == 255 or $exitvalue >= 65 or $sig) { # process killed badly, or had config error. exit 0-63 is # successful run, exit 0 means non-spam, 1-63 is spam. print LOGFILE "sniffer said: $response (sig=$sig,exit=$exitvalue)\n"; die ("sniffer said: $response (sig=$sig,exit=$exitvalue)"); } #as long as we didn't barf above that means we either have a 0 (good) or 1-63 (spam!) if($exitvalue >=1 && $exitvalue <=63){ $testscore=1; }else{ $testscore=0; } #all SA cares about is whether a 0 or 1 comes back. 0 = good 1=spam. return $testscore; } 1; This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
