spamass-milt-list

Spam Quarantine Work


From: Tony Shadwick
Subject: Spam Quarantine Work
Date: Mon, 29 Mar 2004 18:28:42 +0000 (GMT)

This isn't precisely a spamass-milt issue, but I thought I'd share as it
might interest others.

As I pointed out last week, I'm working on a spam and virus quarantine so
that messages tagged as spam but below the reject threshold are funneled
through a script and saved to a quarantine directory, and then every 6-8
hours the users will get a digest message that has a preview of each piece
of spam, and the option to recover any messages that were false positives.
This winds up being a better solution for pop3 mail servers, and I'm really
trying to mimic the functionality of the Barracuda Spam Firewall (MSRP:
~$1800)...just thought I'd look for some constructive criticism, feedback,
or for someone to point out that I'm re-inventing the wheel.

I got my inspiration for this from this document:

http://www.cs.ait.ac.th/laboratory/email/quarantine.shtml

Of course I'm making my best effort to keep procmail out of it, and use
straight Perl code. :)  Warning however, DDH ahead (DDH == Damn Dirty
Hack).

First off, I've created an alias for sendmail:

quarantine:     "| /usr/local/sbin/quarantine_spam.pl"

Ran newaliases, and then created the following script with the above name:

--- begin code ---

#!/usr/bin/perl
use strict;
use warnings;

# The following two paths must be writable by your sendmail user.
# Probably mailnull.

# Where is the spam quarantine directory located?
my $quarantine = "/path/to/quarantine";

# Log messages for which mail is either not local, or undeliverable.
my $log = "/path/to/logfile";

# Get the message.
# DDH - slurp the whole message from stdin; "local $/" restores the
# record separator automatically when the block ends, so nothing later
# on sees the changed value.
my $message;
{
    local $/;
    $message = <STDIN>;
}
$message = "" unless defined $message;

# Variables needed to correctly save the file.
## PID
my $pid = $$;

## Addressee: read from the header block only (everything before the first
## blank line), so a copy of the header placed in the body cannot steer
## which quarantine file the message lands in.
my ($headers) = split /\r?\n\r?\n/, $message, 2;
my $addressee;
if (defined $headers && $headers =~ /^X-Spam-Orig-To:\s*<([^>]*)>/mi) {
    $addressee = $1;
}

## Get a timestamp.
my $today = time();

# The addressee comes from a header the sender controls, so it must never
# be interpolated into a shell command. Restrict it to a safe alphabet and
# run sendmail via the list form of open(), which bypasses the shell.
unless (defined $addressee && $addressee =~ /^[A-Za-z0-9._+\-\@]+$/) {
    log_failure("Missing or unsafe X-Spam-Orig-To header.", "");
}

open my $sm, '-|', '/usr/sbin/sendmail', '-bv', $addressee
    or die "Cannot run sendmail -bv: $!";
my $sendmail_output = do { local $/; <$sm> };
close $sm;
$sendmail_output = "" unless defined $sendmail_output;

my $user;
if ($sendmail_output =~ /deliverable: mailer local, user (\S+)/) {
    $user = $1;
}
# The username becomes part of a file name: refuse anything with a slash,
# a leading dot, or other characters that could escape the quarantine dir.
unless (defined $user && $user =~ /^[A-Za-z0-9_][A-Za-z0-9_.\-]*$/) {
    log_failure("This message is either undeliverable, or not local.",
                $sendmail_output);
}

## Output file format (built only after $user is known; the original
## built it before $user was set, so every file was named "-spam.<t>.<pid>").
my $out = "$quarantine/$user-spam.$today.$pid";

open my $fh, '>', $out or die "Cannot open $out for write :$!";
print $fh $message;
close $fh or die "Cannot write $out :$!";
exit 0;

# Log why the message could not be quarantined, then exit 0 so sendmail
# does not bounce it back to the (forged) sender.
sub log_failure {
    my ($reason, $sm_out) = @_;
    my $who = defined $addressee ? $addressee : "(unknown)";
    print "$reason  Exiting.\n";
    open my $lfh, '>>', $log or die "Cannot open $log for write :$!";
    print $lfh "Message bound for $who failed and had\n";
    print $lfh "the following sendmail output:\n\n$sm_out\n\n";
    print $lfh "The message body follows:\n\n$message\n\n";
    print $lfh "-----------------------------------------\n\n";
    close $lfh;
    exit 0;
}

--- end code ---

Spamass-milter has -b -i 127.0.0.0/32 and -i my.real.ip.address/32 all
passed on the command line, so that messages sent from the system to the
system won't get filtered, which will be important when people go to
recover the messages.

Here are the gotchas I've come across so far:

I'm the only true 'local' user on the system in my company.  Everyone else
is on an exchange server, so the user accounts exist, with .forwards in
their home directories, the idea being that filtering would occur, their
user_prefs would get read, and then the message would get passed to
Exchange.  This doesn't happen apparently, as when I put this in place, it
only worked for me.  A look at the logfile and sendmail's output told me
right away why:

Notice: -bv may give misleading output for non-privileged user
address@hidden deliverable: mailer esmtp, host
router.stg-stl.com., user address@hidden

Sendmail is being too smart for its own good.  When sendmail -bv gets
run, it's looking at the user's .forward file. :-\  Not to mention the fact
that spamass-milter is already resolving local users.  Perhaps you've gone
about it differently, and could add an optional header like
X-Spam-Orig-To-LocalUser: ?  That way we're not doing work twice for each
spam message?

The cron'ed scripts on the aforementioned site could more or less be
dropped in at this point.  The only thing left for me to do is set this
script up to have two subroutines:  quarantine and retrieve, again
bypassing a need for procmail.  I'm not sure how to do that exactly,
either that or when sending out the digest message, have a Reply-To:
header in there and set another alias as retrieve-spam: "| mynewscript"
and have that do the retrieval.

So any useful suggestions?  I wonder how Barracuda handles users, since
NONE of them are local.  My wife has one at her office, and when she first
sets the box up (it's linux with spamcop, spamassassin, amavisd, and some
other optional blacklists) it has no idea what users are there, and the
first time it sends out a digest message, they're prompted to go to a web
page and bookmark it, and this page allows their user account to be
created, and to tweak SA, amavisd, and what blacklists they wish to use or
not.  They also retrieve messages from a web interface as opposed to an
e-mail response as used here, but that's really just semantics.

Any ideas?

Tony Shadwick
Manager of Internet Services
Strategic Technology Group
314-872-3000 x105
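The .forward problem above is that "sendmail -bv" answers a routing question ("where would this go?") when the quarantine only needs an identity question ("which local account owns this address?"). One way to separate the two, as an added example that is not code from the original post or from spamass-milter: take the addressee from the X-Spam-Orig-To header as the script does, but decide "local" by checking the domain against a fixed list and the local part against the passwd database with getpwnam, which never consults ~/.forward. The domain list, the quarantine path and the sample message are assumptions for the example; a user who is forwarded to Exchange still counts as local here, which is the behaviour the post is after.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: decide whether an address
# is a local user by consulting the passwd database and a fixed list of local
# domains, instead of asking "sendmail -bv" (which follows .forward files).
use strict;
use warnings;

# Assumption: the domains this host accepts mail for. Hypothetical values;
# on a real system take them from sendmail's local-host-names.
my @local_domains = qw(example.com mail.example.com);

# Extract the addressee from the header block only (everything before the
# first blank line), so a copy of the header in the body is ignored.
sub orig_to_from_message {
    my ($msg) = @_;
    my ($headers) = split /\r?\n\r?\n/, $msg, 2;
    return undef unless defined $headers;
    return $headers =~ /^X-Spam-Orig-To:\s*<?([^<>\s]+)>?\s*$/mi ? $1 : undef;
}

# Return the local username for an address, or undef when the address is
# malformed, not in a local domain, or has no passwd entry. Only a strict
# alphabet is accepted, so the result is safe to use in a file name and
# can never reach a shell.
sub local_user_for {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef unless $addr =~ /^([a-z0-9_][a-z0-9_.\-]*)\@([a-z0-9.\-]+)$/i;
    my ($local, $domain) = (lc $1, lc $2);
    return undef unless grep { $_ eq $domain } @local_domains;
    # getpwnam looks at /etc/passwd (or NIS/LDAP), never at ~/.forward.
    my @pw = getpwnam($local);
    return undef unless @pw;
    return $local;
}

# Quarantine file name in the same shape as the original script.
sub quarantine_path {
    my ($dir, $user) = @_;
    return sprintf "%s/%s-spam.%d.%d", $dir, $user, time(), $$;
}

# Constructed sample: the account running this script as the local user,
# plus a forged header inside the body that must be ignored.
my $me = getpwuid($<);
my $sample = join "",
    "Received: from mx.example.com\n",
    "X-Spam-Orig-To: <$me\@example.com>\n",
    "Subject: test\n",
    "\n",
    "X-Spam-Orig-To: <root\@example.com>\n",
    "body\n";

my $addr = orig_to_from_message($sample);
my $user = local_user_for($addr);
printf "%s -> %s\n", $addr,
    defined $user ? quarantine_path("/path/to/quarantine", $user) : "not local";

# Non-local domain, unknown account, and a shell metacharacter attempt.
for my $bad ('alice@elsewhere.example', 'nosuchuser-zz@example.com',
             '$(id)@example.com') {
    my $u = local_user_for($bad);
    printf "%s -> %s\n", $bad, defined $u ? $u : "not local";
}
```

The trade-off is that this check no longer tells you whether sendmail would actually deliver the message; it only tells you whether an account exists to own the quarantine file, which is the question the digest and retrieval steps need answered.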




