Debian iTOps Tube

Tuesday, November 22, 2011

Spamassassin

Once sendmail receives an e-mail message, it hands the message over to procmail, which is the application that actually places the e-mail in user mailboxes on the mail server. You can make procmail temporarily hand over control to another program, such as a spam filter. The most commonly used filter is spamassassin.


spamassassin doesn't delete spam, it merely adds the word "spam" to the beginning of the subject line of suspected spam e-mails. You can then configure the e-mail filter rules in Outlook Express or any other mail client to either delete the suspect message or store it in a special Spam folder.


Downloading And Installing Spamassassin

Most RedHat and Fedora Linux software product packages are available in the RPM format, whereas Debian and Ubuntu Linux use DEB format installation files. When searching for these packages remember that the filename usually starts with the software package name and is followed by a version number, as in spamassassin-2.60-2.i386.rpm. (For help downloading, see Chapter 6, "Installing RPM Software").


Starting Spamassassin

The procedure depends on which Linux distribution you are using, as shown next.


Fedora / CentOS / RedHat

With these flavors of Linux you can use the chkconfig command to get spamassassin configured to start at boot:


[root@bigboy tmp]# chkconfig spamassassin on


To start, stop, and restart spamassassin after booting use the service command:


[root@bigboy tmp]# service spamassassin start
[root@bigboy tmp]# service spamassassin stop
[root@bigboy tmp]# service spamassassin restart

To determine whether spamassassin is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the spamassassin daemons.


[root@bigboy tmp]# service spamassassin status
[root@bigboy tmp]# pgrep spam

Note: Remember to run the chkconfig command at least once to ensure spamassassin starts automatically on your next reboot.

Ubuntu / Debian

With these flavors of Linux the commands are different. Try installing the sysv-rc-conf and sysvinit-utils DEB packages, as they provide commands that simplify the process. (For help on downloading and installing the packages, see Chapter 6, "Installing Linux Software".) You can use the sysv-rc-conf command to get spamassassin configured to start at boot:


user@ubuntu:~$ sudo sysv-rc-conf spamassassin on


To start, stop, and restart spamassassin after booting, the service command is the same:


user@ubuntu:~$ sudo service spamassassin start
user@ubuntu:~$ sudo service spamassassin stop
user@ubuntu:~$ sudo service spamassassin restart

To determine whether spamassassin is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the spamassassin daemons.


user@ubuntu:~$ sudo service spamassassin status
user@ubuntu:~$ pgrep spam

Note: Remember to run the sysv-rc-conf command at least once to ensure spamassassin starts automatically on your next reboot.

Configuring procmail for spamassassin

The /etc/procmailrc file is used by procmail to determine the procmail helper programs that should be used to filter mail. This file isn't created by default.

spamassassin has a template you can use called /etc/mail/spamassassin/spamassassin-spamc.rc. Copy the template to the /etc directory.


[root@bigboy tmp]# cp /etc/mail/spamassassin/spamassassin-spamc.rc /etc/procmailrc


This will activate spamassassin for all your mail users.
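Server-side filing is an alternative to relying on each mail client's filter rules. The recipe below is an added example, not the contents of the spamassassin-spamc.rc template and not from the original article: it pipes each message through spamc (the spamd client) and then files anything spamassassin tagged into a per-user Spam mailbox. The spamc path, the lock file name, the 256 KB size limit and the $HOME/mail/Spam mailbox are assumptions to adjust for your site.

```procmail
# Added example for /etc/procmailrc; not the spamassassin-spamc.rc template.
# Paths, the lock file name and the size limit are assumptions.

# Run spamc only on messages under 256 KB; very large messages are rarely spam
# and are expensive to scan. 'f' = filter (spamc rewrites the message with its
# X-Spam-* headers), 'w' = wait for spamc and check its exit status, and the
# trailing ':' serialises runs through a lock file.
:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc

# spamassassin only tags. File tagged mail into a Spam mailbox so it never
# reaches the inbox but can still be reviewed for false positives.
:0:
* ^X-Spam-Status: Yes
$HOME/mail/Spam
```

Filing rather than deleting is deliberate: a false positive in a Spam folder can be recovered, and the folder doubles as a corpus for checking that required_hits is set sensibly.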

Configuring Spamassassin

The spamassassin configuration file is named /etc/mail/spamassassin/local.cf. A full listing of all the options available in the local.cf file can be found in the Linux man pages using the following command:


[root@bigboy tmp]# man Mail::SpamAssassin::Conf


You can customize this fully commented sample configuration file to meet your needs.


###################################################################
# See 'perldoc Mail::SpamAssassin::Conf' for
# details of what can be adjusted.
###################################################################
 
#
# These values can be overridden by editing
# ~/.spamassassin/user_prefs.cf (see spamassassin(1) for details)
#
 
# How many hits before a message is considered spam. The lower the
# number the more sensitive it is.
 
required_hits           5.0
 
 
# Whether to change the subject of suspected spam (1=Yes, 0=No)
rewrite_subject         1
 
 
# Text to prepend to subject if rewrite_subject is used
subject_tag             *****SPAM*****
 
 
# Encapsulate spam in an attachment (1=Yes, 0=No)
report_safe             1
 
 
# Use terse version of the spam report (1=Yes, 0=No)
use_terse_report        0
 
 
# Enable the Bayes system (1=Yes, 0=No)
use_bayes               1
 
 
# Enable Bayes auto-learning (1=Yes, 0=No)
auto_learn              1
 
 
# Enable or disable network checks (1=Yes, 0=No)
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1
 
 
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
 
ok_languages            en
 
 
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
 
ok_locales              en

Note: Be sure to run the activate-sendmail.sh script from the beginning of the chapter for these changes to take effect.

Testing spamassassin

You can test the validity of your local.cf file by using the spamassassin command with the --lint option. This will list any syntax problems that may exist. In this example two errors were found and corrected before the command was run again.


[root@bigboy tmp]# spamassassin -d --lint
Created user preferences file: /root/.spamassassin/user_prefs
config: SpamAssassin failed to parse line, skipping: use_terse_report        0
config: SpamAssassin failed to parse line, skipping: auto_learn              1
lint: 2 issues detected.  please rerun with debug enabled for more information.
[root@bigboy tmp]# vi /etc/mail/spamassassin/local.cf
...
...
...
[root@bigboy tmp]# spamassassin -d --lint
[root@bigboy tmp]#


Startup spamassassin

The final steps are to configure spamassassin to start on booting and then to start it.


[root@bigboy tmp]# chkconfig spamassassin on
[root@bigboy tmp]# service spamassassin start
Starting spamd: [  OK  ]
[root@bigboy tmp]#

Tuning spamassassin

You can tune the sensitivity of spamassassin to the type of spam you receive by adjusting the required_hits value in the local.cf file. This is easier if you look at the score spamassassin assigns a message in its header. In most GUI-based e-mail clients this can be done by looking at the e-mail's properties. In this case, a Nigerian e-mail scam message was detected, given a score of 20.1 and marked as spam.


X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND,
DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,MSGID_FROM_MTA_HEADER,NA_DOLLARS,
NIGERIAN_BODY1,NIGERIAN_BODY2,NIGERIAN_BODY3,NIGERIAN_BODY4,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,RISK_FREE,SARE_FRAUD_X3,
SARE_FRAUD_X4,SARE_FRAUD_X5,US_DOLLARS_3 autolearn=failed 
version=3.0.4
X-Spam-Report: 
*  0.5 FROM_ENDS_IN_NUMS From: ends in numbers
*  0.2 RISK_FREE BODY: Risk free.  Suuurreeee....
*  0.4 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
*  0.8 DEAR_FRIEND BODY: Dear Friend? That's not very dear!
*  2.2 NA_DOLLARS BODY: Talks about a million North American dollars
*  1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <http://www.spamcop.net/bl.shtml?213.185.106.3>]
*  1.1 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
*      [213.185.106.3 listed in sbl-xbl.spamhaus.org]
*  1.4 DNS_FROM_RFC_POST RBL: Envelope sender in postmaster.rfc-ignorant.org
*  1.9 NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
*  2.9 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
*  1.4 NIGERIAN_BODY4 Message body looks like a Nigerian spam message 4+
*  1.7 SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam
*  0.5 NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
*  1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam
*  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay

If spam slips through your spamassassin system, you can use this method to adjust your rules to reduce the risk in future.
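Reading the X-Spam-Status header by hand works for one message; for checking what a different required_hits value would have done, the shell functions below are an added example (not from the original article). They unfold a folded header, pull out the score and the list of tests that fired, and report whether the message would have been tagged at a given threshold. The sample header is constructed from the score line shown above, with the continuation-line indentation that a real header carries; the threshold 5.0 is the one from the sample local.cf.

```shell
#!/bin/sh
# Added example, not from the original article. Evaluates an X-Spam-Status
# header against a candidate required_hits value.

# Join folded header lines: a continuation line starts with whitespace.
unfold_header() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); printf "%s", $0; next }
        { if (NR > 1) printf "\n"; printf "%s", $0 }
        END { printf "\n" }'
}

# Print the numeric score from an X-Spam-Status header read on stdin.
sa_score() {
    unfold_header | sed -n 's/^X-Spam-Status:.*score=\([-0-9.]*\).*/\1/p'
}

# Print the tests that fired, one per line. The comma-separated list may have
# been folded across lines, so whitespace after commas is removed first.
sa_tests() {
    unfold_header | sed 's/,[[:space:]]*/,/g' | awk '
        /^X-Spam-Status:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^tests=/) { sub(/^tests=/, "", $i); print $i }
        }' | tr ',' '\n'
}

# Print "yes" if the message would be tagged with required_hits set to $1.
sa_would_tag() {
    score=$(sa_score)
    awk -v s="$score" -v r="$1" \
        'BEGIN { if (s + 0 >= r + 0) print "yes"; else print "no" }'
}

# Constructed sample header (subset of the tests shown in the article).
SAMPLE_STATUS='X-Spam-Status: Yes, score=20.1 required=2.1 tests=DEAR_FRIEND,
 DNS_FROM_RFC_POST,FROM_ENDS_IN_NUMS,MSGID_FROM_MTA_HEADER,NA_DOLLARS,
 NIGERIAN_BODY1 autolearn=failed
 version=3.0.4'

# Usage: would this message still be caught with the sample local.cf threshold?
printf '%s\n' "$SAMPLE_STATUS" | sa_would_tag 5.0
printf '%s\n' "$SAMPLE_STATUS" | sa_tests
```

To try other thresholds, feed a saved message's X-Spam-Status header on stdin and vary the argument to sa_would_tag; the difference between the score and the threshold is the margin by which a message was caught, which is what you are adjusting when you change required_hits.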


Updating Spamassassin's Built-in Rules

The spamassassin package comes with a file, /etc/cron.d/sa-update, which updates the rule files in the /etc/mail/spamassassin/ directory each day. This makes the administration of your system much easier.

Limiting your spam fighting efforts to the required_hits value isn't usually adequate. You will probably need additional spamassassin tools to be more selective and accurate in your tests. This will be covered next.
