E-Mail and Spam Reduction
advertisement
ECE4112 Internetwork Security
Lab XX: E-Mail and Spam Reduction
Group Number: _________
Member Names: ___________________
Date Assigned:
Date Due:
Last Edited: December 06, 2006
Authored By: John Cacavias
_______________________
David Jacobson
Please read the entire lab and any extra materials carefully before starting. Be sure to start early
enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet
and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.
Goal: The goal of this lab is to introduce you to installing and configuring an E-mail server as
well as numerous SPAM reduction techniques and strategies.
Summary: You will install and configure an E-mail server with webmail and configure a
mail client to receive messages. You will then install both client and server side Spam software and
analyze its effects.
Equipment: Red hat WS 4.0 host machine and a Windows XP Virtual Machine
Background: E-mail has helped to revolutionize the speed of communication
between individuals and businesses. Unfortunately, ad ridden e-mail that is unsolicited soon
began to fill people’s inboxes to the point of exhaustion. Before you can understand the
principles behind how to identify and catch spam, you need to understand how it is generated
and distributed.
First, it is important to understand that most spammers are fraud and con artists.
They often use fake names, phone numbers, and addresses when registering with ISP’s in
order to conceal their identity and move quickly once the ISP finds out that they are sending
spam. Once a spammer is found by an ISP, they quickly move to another or create a new
account with more false information. With that being said, most spammers also go to great
lengths to falsify information in their emails. This is done easily enough, since the common
mail transfer protocol SMTP has no authentication or security measures built in by default.
However, some ISP’s prevent this by using SMTP-AUTH security. Another issue plaguing
SPAM is ease with which spammers can falsify the from field, essentially making spam
emails look like they are coming from whomever the spammer likes. Rest assured, if you
receive an email from Michael Jackson and he is trying to sell you hair growth products, it
probably isn’t real. This is simply a tactic to get you to open up the spam e-mail.
1
Another problem spammers face is that the IP address of the last mail server. This is
easily circumvented by spammers however, by using proxy servers or an open relay.
Basically, spammers bounce their spam around several times before sending it to your inbox,
so you don’t have any idea where it really came from. Not only does this cause problems
with tracking the spam, but it also congest network traffic when so many e-mails are being
sent at once.
Lastly, a discussion of spam would not be complete without discussing phishing.
Phishing emails are spam e-mails sent to attempt to gain vital user data by linking the user
from the email to a fraudulent internet site. These sites then collect user data usually by
mimicking a common internet login site such as a bank or eBay. The hackers then take
usernames and passwords and exploit them to their liking.
Now that you know enough about spam and how it works, you can effectively go
about attempting to reduce the amount that comes into your inbox. But before we get started
here are a few statistics:
Five countries host 99.68% of servers from which all spam is sent [1]
China is first and foremost, with 73.58% of all Spam originating from China [2]
In June of 2006, the number of spam e-mails sent per day had reached 55 billion [1]
80-85% of e-mail that reached users’ inboxes is spam [1]
Now, let’s see if we can’t figure out a way to stop this from junking up our inboxes!
Prelab Questions:
QP.1. What is the protocol most commonly used to send e-mail?
QP.2. Why is this protocol beneficial to spammers? How can these problems be
curtailed?
QP.3. How do spammers circumvent the IP address of their mail server being appended
to their spam e-mails?
Lab Scenario: For this lab you will set up a mail server and webmail client on
your Red Hat 4.0 host machine and then configure the Outlook Express e-mail client on your
Windows XP virtual machine to receive messages from the mail server you set up. You will
2
then configure SpamAssassin, a server side spam program to attempt to identify spam.
Lastly, you will configure a client side spam protection software into Outlook Express to
attempt to further prevent spam.
Section 1 – Mail Server Installation
First we will need to set up a mail server for this lab. The mail server should be able to
support POP3, IMAP, webmail and be able to implement server side email filtering.
Axigen is a linux based mail server utility that employs a collection of modules that support
the expected mail services, including POP3 and IMAP4 with support for SSL/TLS secure
connections. Axigen also includes a list server module, supporting automated list servers. Its
message-filtering module promises a great deal of power and flexibility for managing spam,
viruses and other content-based disturbances. Axigen can be found here:
www.axigen.com/mail-server/downloads.php.
Step 1 – Install Axigen
Connect to Network Attached Storage, and copy the file LabXX/axigen.i386.rpm.tar.gz to
your RedHat WS 4.0 machine.
Open a terminal and type:
mount /mnt/nas4112
cp /mnt/nas4112/LabXX/axigen.i386.rpm.tar.gz /root
cd /root
gunzip axigen.i386.rpm.tar.gz
tar –xf axigen.i386.rpm.tar
rpm –i axigen.i386.rpm
cd axigen-2.0.0
Step 2 – Axigen Setup
The next step is to set up the mail server to be used. We will want to turn on smtp, pop3,
imap and webmail. We will also set admin passwords and setup up web administration to
further configure the server.
In a terminal type:
/opt/axigen/bin/axigen-cfg-wizard
Once the configuration wizard opens you will be asked for an administrator password.
For ease of remembering use password for the password and confirm the password by typing
it again.
To navigate the setup use the tab button and enter key.
3
The next window will ask you which interface to use for webadmin interface and which port
number.
Select 57.35.6.x:9000 then Next
Figure 1.1 – WebAdmin Interface Select
Select 57.35.6.x:25 for smtp
Make sure pop, imap and webmail
Select 57.35.6.x:110 for pop3
Select 57.35.6.x:143 for imap
Select 57.35.6.x:80 for webmail
For Relay leave all checked
For Sendmail wrapper select yes
4
Figure 1.2 – Sendmail Wrapper Configuration
Congratulations you have finished the initial configuration of Axigen. To start Axigen up
type:
/etc/init.d/axigen start
Please be sure to confirm that all firewalls are off during this lab as they interfere with
computer to virtual machine communication. Each time you restart your computer
type:
/etc/init.d/iptables stop
Next we will configure the usernames and passwords for the email accounts that we are
going to setup.
Open a browser and go to http://57.35.6.x:9000 to open the webadmin interface.
Type admin for username and password for password at the signin page
Go to accounts link on left side of page. It will look something like Figure 1.3.
5
Figure 1.3 – WebAdmin Accounts Page
Click view next to local domain to view and add accounts.
Figure 1.4 – List of Accounts
Fill in blanks Account name, Password, and Confirm Password with your desired username
and password.
6
Click add new account button when finished.
The next page will look life figure 1.5. Leave setting set as so and click update.
Figure 1.5 – WebAdmin Account Add Page
Click confirm to save changes
Repeat above steps for two more account and be sure to note account names and passwords
in the boxes below.
Account Name
Account Password
1
2
3
Step 3 - Testing
Open another browser or tab and go to http://57.35.6.x
Login as the first account that you created and send an email to:
account2name@localdomain
7
Open vmware and start one of your Windows XP virtual machines so that we can check to
see if communication is working over the desired interface.
Type:
vmware &
Once in windows open a browser and go to http://57.35.6.x
Log in as the second account that you created and check your inbox to see that you have
received the email that you sent yourself.
Take a screenshot of this email being viewed.
Screenshot #1: screenshot of received email
Section 2 – Windows E-mail Client
Many people today check their e-mail not with webmail but with a computer side client that
will automatically check their e-mail for them and also has the ability to set filters and to
further organize their emails to their specifications. It also allows for the storage of e-mail
off server so as not to take up space on the server. Some of these programs for Windows
include Outlook, Outlook Express, and Mozilla Thunderbird. We will be working with
Outlook Express since it comes with the Windows Installation.
Open windows XP virtual machine in vmware
Go to Start -> Run
Type msimn
Click OK
Outlook express will open
Type in a display name and click next
Type in an account name and click next
Type in account1name@localdomain as email address and click next
Select a pop account and click next
Type in 57.35.6.x for both incoming mail and outgoing mail and click next until end of setup
To confirm setup click Tools -> Accounts
Find your account name, highlight it and click properties.
The General tab should look something like Figure 2.1 and the Servers tab should look
something like Figure 2.2
8
Figure 2.1 – Outlook Express Account General Tab
Figure 2.2 – Outlook Express Account Server Tab
Go back to your Red Hat Linux WS 4.0 machine and open browser to 57.35.6.x
Login as account 2
Send email to account1name@localdomain
9
Click Send/Receive in Microsoft Outlook Express
Verify receipt of email from account 2
Screenshot #2: screenshot of received email
Q2.1 Why would it be desirable for users to utilize a client based e-mail program as
opposed to a webmail interface?
Q2.2 What are the advantages of a webmail interface over a client based e-mail
program?
Section 3 – Server-side Spam Detection
One method of detecting spam is with server-side spam filters. These filters are usually very
complex and are now advertised more and more as a perk by ISPs. These filters usually
include a word list that they search for in emails in order to filter emails. We are going to be
using is Spamassassin. Spamassassin is uses a Bayesian filter to compute whether a message
is spam. Spamassassin can be found here: http://spamassassin.apache.org/downloads.cgi.
A Bayesian filter follows a specific formula to determine the probability of a message being
spam. The formula is the probability of finding those certain words in spam email, times the
probability that any email is spam, divided by the probability of finding those words in any
email.
Step 1 – Install SpamAssassin
Connect to Network Attached Storage, and copy the file LabXX/Mail-SpamAssassin3.1.7.tar.gz to your RedHat WS 4.0 machine.
Type:
mount /mnt/nas4112
cp /mnt/nas4112/LabXX/Mail-SpamAssassin-3.1.7.tar.gz /root
cd /root
gunzip Mail-SpamAssassin-3.1.7.tar.gz
tar –xf Mail-SpamAssassin-3.1.7.tar
cd Mail-SpamAssassin-3.1.7
Step 2 – Test SpamAssassin
10
To test if installation works type:
spamassassin –t < sample-nonspam.txt > nonspam.out
Open nonspam.out to view output from SpamAssassin
Printout #1: nonspam.out
Type:
spamassassin –t < sample-spam.txt > spam.out
Open spam.out to view output from SpamAssassin
Printout #2: spam.out
Compare the subject line of spam.out to sample-spam.txt
Step 3 – Configure Axigen With SpamAssassin
Open a browser and go to http://57.35.6.x:9000
Type in admin as login and password as password
Click filters tab on servers
Click AV/AS tab
Click Add new filter
For name type in Spam Assassin
For address type in inet://127.0.0.1:783
For protocolFile type in /var/opt/axigen/filters/spamassassin.afsl
Leave idleTimeout at 60 seconds
For actionOnMatch select pass
Leave maxConnections
Click Update
Click Commit
Click Commands
Click Save Config
Click Server
Click Filters
Click Active Filters
Click Add new filter
11
Fill in priority as 10
Select filterType Socket
Select Spam Assassin from filterName list
Leave applyOnRelay set to no
Click update
Click commit
Click Commands
Click Save Config
Step 4 – Test SpamAssassin Email Configuration
Go back to Terminal
Type /etc/init.d/spamassassin start
This command must be repeated each time the computer is reset in order for emails to
be sent from now on.
Send an email from user1 to user2name@localdomain with the contents:
The following string commonly referred to as GTUBE or Generic Test for Unsolicited Bulk
E-mail will be picked up by SpamAssassin and automatically be marked as spam. It should
be placed within the body of the e-mail.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TESTEMAIL*C.34X
Check your email and see if your received it and if it is marked as [SPAM] in the subject
line.
Step 5 – Advanced SpamAssassin Configuration
Next we will cover editing the local.cf file to set more rules for spamassassin. We will cover
whitelisting which is allowing users to pass through without any further spam checking
because they are on a list of trusted email addresses. We will also cover blacklisting which is
putting certain mail addresses on a list that are not allowed to be received or more likely to be
set as spam no matter what. We will also cover changing the message that you receive from
spamassassin on receipt of a spam message.
First we will change the output of an email that is considered to be spam with another title
from [SPAM] subject to ***SPAM*** subject. To do this please read the appendix on
spamassassin commands.
Open the file /etc/mail/spamassassin/local.cf in a text editor to edit rules
12
Once this is completed please take a screenshot of an email received that has been marked as
***SPAM***.
Screenshot #3: test mail marked as spam
Next we will cover whitelisting on the server side. The format for this is whitelist_from
email email. Also whitelist_from *.domain to include all emails from this domain.
Blacklisting is done similarly. The format is blacklist_from email email or blacklist_from
*.domain. Blacklist one of the emails and see how it works by sending a regular non-spam
email from that account.
Reset your /etc/mail/spamassassin/local.cf file back to how it was before adding blacklisting.
Q3.1 Why would a network administrator want to install a server side spam filter such
as SpamAssassin?
Q3.2 What are some of the potential problems associated with installing a server side
spam filter?
Q3.3 What is whitelisting? What is blacklisting?
Q3.4 What are some of the advantages of using whitelisting and blacklisting?
Q3.5 Write the commands you placed in your local.cf file to correctly whitelist and
blacklist specific domains or email addresses.
Section 4 – Manual filters in Outlook Express
In this section we will cover setting up manual filters and blacklisting in outlook express.
This enables moving possible spam to folders or deleting possible spam and messages from
people without the benefit of having a server-side filter.
Step 1 – Moving Emails Marked As Spam
Go to Tools -> Message Rules -> Mail…
Click New…
In the first box check “Where the Subject line contains specific words”
In the second box check “Move it to the specified folder”
In the third box click the link for “contains specific words”
Type in the word ***SPAM*** and click Add
13
Click OK
In the third box click the link for “specified”
Click New Folder
Type Spam and click OK
Select the new Spam folder and click OK
Click OK
To test:
Login to another account and send your outlook account a spam email. See if it filters the
message marked spam into the new folder.
Step 2 – Making Word Filters
This is very similar to the previous step and involves making a word list for messages that
are moved to the spam folder. Make a list of words and put into a list for Outlook Express.
Test to make sure it works.
Step 3 – Blacklisting
Go to Tools -> Message Rules -> Blocked Senders List…
Click Add…
Type the address you want to block – lets try your 3rd email address
Select Mail Messages
Click OK
Click OK
To test:
Send your outlook express account a message from your 3rd email address. See that the
email has been blocked.
Undo your blocked email after you have tested.
Q4.1 Why is it that a user would want to set up a filter in their mail client?
Q4.2 Give one example of a filter rule in outlook express and describe what it does.
Section 5 – Client-Side Spam Filter
14
Sometimes a client-side spam filter is a good addition to your spam filtering that is more
specific to your account and the spam messages that you receive compared to the broad filter
that the server uses that might not pick up on the other spam. eTrust can be found here:
www.versiontracker.com/dyn/moreinfo/win/66748.
Step 1 – Installing eTrust
Go to the NAS file server and download the LabXX\as4_en.exe file.
Double-click the file
Install the program
Restart the computer if required
Open Outlook Express
eTrust enables you to do whitelisting, blacklisting and setup filters for what types of emails
are spam and what type are not spam.
eTrust has put a toolbar in Outlook Express. The toolbar has an approve and a block button.
These buttons correlate to whitelisting and blacklisting. If an email is blocked it will be
moved to the eTrust Anti-Spam folder. If an email is approved this address will be approved
no matter what whether it is spam or not. Try to block an email address and try to approve
an email address and see how it works.
Other options that you can do are set up a folder that has a lot of spam emails and a folder
that has good emails.
To do this:
Click on the drop down next to eTrust Anti-Spam button in the toolbar
Click options
In the new window click the Spam Score tab
15
Figure 5.1 – Training eTrust
Click Good Folders
Select a folder with only good emails in it
Click Spam Folders
Select a folder with only spam messages in it
Click Train
This will train eTrust to detect spam
eTrust also uses a Bayesian Filter so be sure to train eTrust as often as possible.
Try it out.
Q5.1. How does training effect your spam filter?
Q5.2. Why would one want to set up a client side spam program in addition to the
server side program?
Q5.3. Is it ok to delete spam above a certain spam score? Why or Why Not?
16
Appendix A: SpamAssassin Rules Configuration
DESCRIPTION
SpamAssassin is configured using traditional UNIX-style configuration files, loaded from the
/usr/share/spamassassin and /etc/mail/spamassassin directories.
The # character starts a comment, which continues until end of line. NOTE: if the #
character is to be used as part of a rule or configuration option, it must be escaped with a
backslash. i.e.: \#
Whitespace in the files is not significant, but please note that starting a line with whitespace
is deprecated, as we reserve its use for multi-line rule definitions, at some point in the future.
Currently, each rule or configuration setting must fit on one-line; multi-line settings are not
supported yet.
File and directory paths can use ~ to refer to the user's home directory, but no other shellstyle path extensions such as globing or ~user/ are supported.
Where appropriate below, default values are listed in parentheses.
USER PREFERENCES
The following options can be used in both site-wide (local.cf) and user-specific
(user_prefs) configuration files to customize how SpamAssassin handles incoming email
messages.
SCORING OPTIONS
required_score n.nn (default: 5)
Set the score required before a mail is considered spam. n.nn can be an integer or a
real number. 5.0 is the default setting, and is quite aggressive; it would be suitable for
a single-user setup, but if you're an ISP installing SpamAssassin, you should probably
set the default to be more conservative, like 8.0 or 10.0. It is not recommended to
automatically delete or discard messages marked as spam, as your users will
complain, but if you choose to do so, only delete messages with an exceptionally high
score such as 15.0 or higher. This option was previously known as required_hits
and that name is still accepted, but is deprecated.
score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
17
Assign scores (the number of points for a hit) to a given test. Scores can be positive or
negative real numbers or integers. SYMBOLIC_TEST_NAME is the symbolic name used
by SpamAssassin for that test; for example, 'FROM_ENDS_IN_NUMS'.
If only one valid score is listed, then that score is always used for a test.
If four valid scores are listed, then the score that is used depends on how
SpamAssassin is being used. The first score is used when both Bayes and network
tests are disabled (score set 0). The second score is used when Bayes is disabled, but
network tests are enabled (score set 1). The third score is used when Bayes is enabled
and network tests are disabled (score set 2). The fourth score is used when Bayes is
enabled and network tests are enabled (score set 3).
Setting a rule's score to 0 will disable that rule from running.
If any of the score values are surrounded by parenthesis '()', then all of the scores in
the line are considered to be relative to the already set score. ie: '(3)' means increase
the score for this rule by 3 points in all score sets. '(3) (0) (3) (0)' means increase the
score for this rule by 3 in score sets 0 and 2 only.
If no score is given for a test by the end of the configuration, a default score is
assigned: a score of 1.0 is used for all tests, except those who names begin with 'T_'
(this is used to indicate a rule in testing) which receive 0.01.
Note that test names which begin with '__' are indirect rules used to compose metamatch rules and can also act as prerequisites to other rules. They are not scored or
listed in the 'tests hit' reports, but assigning a score of 0 to an indirect rule will disable
it from running.
WHITELIST AND BLACKLIST OPTIONS
whitelist_from add@ress.com
Used to specify addresses which send mail that is often tagged (incorrectly) as spam.
If you want to whitelist your own domain, be aware that spammers will often
impersonate the domain of the recipient. The recommended solution is to instead use
whitelist_from_rcvd as explained below.
Whitelist and blacklist addresses are now file-glob-style patterns, so
friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, *
and ? are allowed, but all other metacharacters are not. Regular expressions are not
used for security reasons.
Multiple addresses per line, separated by spaces, is OK. Multiple whitelist_from
lines is also OK.
18
The headers checked for whitelist addresses are as follows: if Resent-From is set, use
that; otherwise check all addresses taken from the following set of headers:
Envelope-Sender
Resent-Sender
X-Envelope-From
From
In addition, the ``envelope sender'' data, taken from the SMTP envelope data where
this is available, is looked up.
e.g.
whitelist_from joe@example.com fred@example.com
whitelist_from *@example.com
unwhitelist_from add@ress.com
Used to override a default whitelist_from entry, so for example a distribution
whitelist_from can be overridden in a local.cf file, or an individual user can override a
whitelist_from entry in their own user_prefs file. The specified email address has to
match exactly the address previously used in a whitelist_from line.
e.g.
unwhitelist_from joe@example.com fred@example.com
unwhitelist_from *@example.com
whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
Use this to supplement the whitelist_from addresses with a check against the
Received headers. The first parameter is the address to whitelist, and the second is a
string to match the relay's rDNS.
This string is matched against the reverse DNS lookup used during the handover from
the internet to your internal network's mail exchangers. It can either be the full
hostname, or the domain component of that hostname. In other words, if the host that
connected to your MX had an IP address that mapped to
'sendinghost.spamassassin.org', you should specify
sendinghost.spamassassin.org or just spamassassin.org here.
Note that this requires that internal_networks be correct. For simple cases, it will
be, but for a complex network, or running with DNS checks off or with -L, you may
get better results by setting that parameter.
e.g.
whitelist_from_rcvd joe@example.com
whitelist_from_rcvd *@axkit.org
example.com
sergeant.org
def_whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
19
Same as whitelist_from_rcvd, but used for the default whitelist entries in the
SpamAssassin distribution. The whitelist score is lower, because these are often
targets for spammer spoofing.
whitelist_allows_relays add@ress.com
Specify addresses which are in whitelist_from_rcvd that sometimes send through a
mail relay other than the listed ones. By default mail with a From address that is in
whitelist_from_rcvd that does not match the relay will trigger a forgery rule.
Including the address in whitelist_allows_relay prevents that.
Whitelist and blacklist addresses are now file-glob-style patterns, so
friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, *
and ? are allowed, but all other metacharacters are not. Regular expressions are not
used for security reasons.
Multiple addresses per line, separated by spaces, is OK. Multiple
whitelist_allows_relays lines is also OK.
The specified email address does not have to match exactly the address previously
used in a whitelist_from_rcvd line as it is compared to the address in the header.
e.g.
whitelist_allows_relays joe@example.com fred@example.com
whitelist_allows_relays *@example.com
unwhitelist_from_rcvd add@ress.com
Used to override a default whitelist_from_rcvd entry, so for example a distribution
whitelist_from_rcvd can be overridden in a local.cf file, or an individual user can
override a whitelist_from_rcvd entry in their own user_prefs file.
The specified email address has to match exactly the address previously used in a
whitelist_from_rcvd line.
e.g.
unwhitelist_from_rcvd joe@example.com fred@example.com
unwhitelist_from_rcvd *@axkit.org
blacklist_from add@ress.com
Used to specify addresses which send mail that is often tagged (incorrectly) as nonspam, but which the user doesn't want. Same format as whitelist_from.
unblacklist_from add@ress.com
Used to override a default blacklist_from entry, so for example a distribution
blacklist_from can be overridden in a local.cf file, or an individual user can override a
blacklist_from entry in their own user_prefs file. The specified email address has to
match exactly the address previously used in a blacklist_from line.
20
e.g.
unblacklist_from joe@example.com fred@example.com
unblacklist_from *@spammer.com
whitelist_to add@ress.com
If the given address appears as a recipient in the message headers (Resent-To, To, Cc,
obvious envelope recipient, etc.) the mail will be whitelisted. Useful if you're
deploying SpamAssassin system-wide, and don't want some users to have their mail
filtered. Same format as whitelist_from.
There are three levels of To-whitelisting, whitelist_to, more_spam_to and
all_spam_to. Users in the first level may still get some spammish mails blocked, but
users in all_spam_to should never get mail blocked.
The headers checked for whitelist addresses are as follows: if Resent-To or ResentCc are set, use those; otherwise check all addresses taken from the following set of
headers:
To
Cc
Apparently-To
Delivered-To
Envelope-Recipients
Apparently-Resent-To
X-Envelope-To
Envelope-To
X-Delivered-To
X-Original-To
X-Rcpt-To
X-Real-To
more_spam_to add@ress.com
See above.
all_spam_to add@ress.com
See above.
blacklist_to add@ress.com
If the given address appears as a recipient in the message headers (Resent-To, To, Cc,
obvious envelope recipient, etc.) the mail will be blacklisted. Same format as
blacklist_from.
BASIC MESSAGE TAGGING OPTIONS
rewrite_header { subject | from | to } STRING
By default, suspected spam messages will not have the Subject, From or To lines
tagged to indicate spam. By setting this option, the header will be tagged with STRING
to indicate that a message is spam. For the From or To headers, this will take the form
of an RFC 2822 comment following the address in parantheses. For the Subject
header, this will be prepended to the original subject. Note that you should only use
21
the _REQD_ and _SCORE_ tags when rewriting the Subject header if report_safe
is 0. Otherwise, you may not be able to remove the SpamAssassin markup via the
normal methods. More information about tags is explained below in the
TEMPLATE TAGS section.
Parentheses are not permitted in STRING if rewriting the From or To headers. (They
will be converted to square brackets.)
If rewrite_header subject is used, but the message being rewritten does not
already contain a Subject header, one will be created.
A null value for STRING will remove any existing rewrite for the specified header.
add_header { spam | ham | all } header_name string
Customized headers can be added to the specified type of messages (spam, ham, or
``all'' to add to either). All headers begin with X-Spam- (so a header_name Foo will
generate a header called X-Spam-Foo). header_name is restricted to the character set
[A-Za-z0-9_-].
string
can contain tags as explained below in the TEMPLATE TAGS section. You
can also use \n and \t in the header to add newlines and tabulators as desired. A
backslash has to be written as \\, any other escaped chars will be silently removed.
All headers will be folded if fold_headers is set to 1. Note: Manually adding newlines
via \n disables any further automatic wrapping (ie: long header lines are possible).
The lines will still be properly folded (marked as continuing) though.
You can customize existing headers with add_header (only the specified subset of
messages will be changed).
See also clear_headers for removing headers.
Here are some examples (these are the defaults, note that Checker-Version can not be
changed or removed):
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_
(_SUBVERSION_) on _HOSTNAME_
remove_header { spam | ham | all } header_name
Headers can be removed from the specified type of messages (spam, ham, or ``all'' to
remove from either). All headers begin with X-Spam- (so header_name will be
appended to X-Spam-).
22
See also clear_headers for removing all the headers at once.
Note that X-Spam-Checker-Version is not removable because the version
information is needed by mail administrators and developers to debug problems.
Without at least one header, it might not even be possible to determine that
SpamAssassin is running.
clear_headers
Clear the list of headers to be added to messages. You may use this before any
add_header options to prevent the default headers from being added to the message.
Note that X-Spam-Checker-Version is not removable because the version
information is needed by mail administrators and developers to debug problems.
Without at least one header, it might not even be possible to determine that
SpamAssassin is running.
report_safe ( 0 | 1 | 2 ) (default: 1)
if this option is set to 1, if an incoming message is tagged as spam, instead of
modifying the original message, SpamAssassin will create a new report message and
attach the original message as a message/rfc822 MIME part (ensuring the original
message is completely preserved, not easily opened, and easier to recover).
If this option is set to 2, then original messages will be attached with a content type of
text/plain instead of message/rfc822. This setting may be required for safety reasons
on certain broken mail clients that automatically load attachments without any action
by the user. This setting may also make it somewhat more difficult to extract or view
the original message.
If this option is set to 0, incoming spam is only modified by adding some X-Spamheaders and no changes will be made to the body. In addition, a header named XSpam-Report will be added to spam. You can use the remove_header option to
remove that header after setting report_safe to 0.
See report_safe_copy_headers if you want to copy headers from the original mail
into tagged messages.
LANGUAGE OPTIONS
ok_locales xx [ yy zz ... ] (default: all)
This option is used to specify which locales are considered OK for incoming mail.
Mail using the character sets that are allowed by this option will not be marked as
possibly being spam in a foreign language.
23
If you receive lots of spam in foreign languages, and never get any non-spam in these
languages, this may help. Note that all ISO-8859-* character sets, and Windows code
page character sets, are always permitted by default.
Set this to all to allow all character sets. This is the default.
The rules CHARSET_FARAWAY, CHARSET_FARAWAY_BODY, and
CHARSET_FARAWAY_HEADERS are triggered based on how this is set.
Examples:
ok_locales all
ok_locales en
ok_locales en ja zh
(allow all locales)
(only allow English)
(allow English, Japanese, and Chinese)
Note: if there are multiple ok_locales lines, only the last one is used.
Select the locales to allow from the list below:
en - Western character sets in general
ja - Japanese character sets
ko - Korean character sets
ru - Cyrillic character sets
th - Thai character sets
zh - Chinese (both simplified and traditional) character sets
NETWORK TEST OPTIONS
trusted_networks ip.add.re.ss[/mask] ... (default: none)
What networks or hosts are 'trusted' in your setup. Trusted in this case means that
relay hosts on these networks are considered to not be potentially operated by
spammers, open relays, or open proxies. A trusted host could conceivably relay spam,
but will not originate it, and will not forge header data. DNS blacklist checks will
never query for hosts on these networks.
MXes for your domain(s) and internal relays should also be specified using the
internal_networks setting. When there are 'trusted' hosts that are not MXes or
internal relays for your domain(s) they should only be specified in
trusted_networks.
If a /mask is specified, it's considered a CIDR-style 'netmask', specified in bits. If it is
not specified, but less than 4 octets are specified with a trailing dot, that's considered
a mask to allow all addresses in the remaining octets. If a mask is not specified, and
there is not trailing dot, then just the single IP address specified is used, as if the mask
was /32.
24
If a network or host address is prefaced by a ! the network or host will be excluded
(or included) in a first listed match fashion.
Examples:
trusted_networks 192.168/16 127/8
and 127.*.*.*
trusted_networks 212.17.35.15
trusted_networks 127.
# all in 192.168.*.*
# just that host
# all in 127.*.*.*
Inclusion/Exclusion examples:
# include all of 10.0.1/24 except for 10.0.1.5
trusted_networks !10.0.1.5 10.0.1/24
# include all of 10.0.1/24, the !10.0.1.5 has no effect
trusted_networks 10.0.1/24 !10.0.1.5
# include all RFC1918 address space except subnet 172.16.3/24
but
# including host 172.16.3.3 within the excluded 172.16.3/24
trusted_networks 172.16.3.3 !172.16.3/24 172.16/12 10/8
192.168/16
This operates additively, so a trusted_networks line after another one will result in
all those networks becoming trusted. To clear out the existing entries, use
clear_trusted_networks.
If trusted_networks is not set and internal_networks is, the value of
internal_networks will be used for this parameter.
If you're running with DNS checks enabled, SpamAssassin includes code to infer
your trusted networks on the fly, so this may not be necessary. (Thanks to Scott
Banister and Andrew Flury for the inspiration for this algorithm.) This inference
works as follows:
if the 'from' IP address is on the same /16 network as the top Received line's 'by' host,
it's trusted
if the address of the 'from' host is in a private network range, then it's trusted
if any addresses of the 'by' host is in a private network range, then it's trusted
clear_trusted_networks
25
Empty the list of trusted networks.
internal_networks ip.add.re.ss[/mask] ... (default: none)
What networks or hosts are 'internal' in your setup. Internal means that relay hosts on
these networks are considered to be MXes for your domain(s), or internal relays. This
uses the same format as trusted_networks, above.
This value is used when checking 'dial-up' or dynamic IP address blocklists, in order
to detect direct-to-MX spamming. Trusted relays that accept mail directly from dialup connections should not be listed in internal_networks. List them only in
trusted_networks.
If trusted_networks is set and internal_networks is not, the value of
trusted_networks will be used for this parameter.
If neither trusted_networks or internal_networks is set, no addresses will be
considered local; in other words, any relays past the machine where SpamAssassin is
running will be considered external.
clear_internal_networks
Empty the list of internal networks.
always_trust_envelope_sender ( 0 | 1 ) (default: 0)
Trust the envelope sender even if the message has been passed through one or more
trusted relays.
skip_rbl_checks ( 0 | 1 ) (default: 0)
By default, SpamAssassin will run RBL checks. If your ISP already does this for you,
set this to 1.
rbl_timeout n (default: 15)
All DNS queries are made at the beginning of a check and we try to read the results at
the end. This value specifies the maximum period of time to wait for an DNS query.
If most of the DNS queries have succeeded for a particular message, then
SpamAssassin will not wait for the full period to avoid wasting time on unresponsive
server(s). For the default 15 second timeout, here is a chart of queries remaining
versus the effective timeout in seconds:
queries left
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
15
14
14
13
11
10
8
5
3
0%
timeout
15
0
In addition, whenever the effective timeout is lowered due to additional query results
returning, the remaining queries are always given at least one more second before
timing out, but the wait time will never exceed rbl_timeout.
For example, if 20 queries are made at the beginning of a message check and 16
queries have returned (leaving 20%), the remaining 4 queries must finish within 5
seconds of the beginning of the check or they will be timed out.
26
dns_available { yes | test[: name1 name2...] | no } (default: test)
By default, SpamAssassin will query some default hosts on the internet to attempt to
check if DNS is working or not. The problem is that it can introduce some delay if
your network connection is down, and in some cases it can wrongly guess that DNS is
unavailable because the test connections failed. SpamAssassin includes a default set
of 13 servers, among which 3 are picked randomly.
You can however specify your own list by specifying
dns_available test: domain1.tld domain2.tld domain3.tld
Please note, the DNS test queries for NS records.
SpamAssassin's network rules are run in parallel. This can cause overhead in terms of
the number of file descriptors required; it is recommended that the minimum limit on
file descriptors be raised to at least 256 for safety.
LEARNING OPTIONS
use_bayes ( 0 | 1 ) (default: 1)
Whether to use the naive-Bayesian-style classifier built into SpamAssassin. This is a
master on/off switch for all Bayes-related operations.
use_bayes_rules ( 0 | 1 ) (default: 1)
Whether to use rules using the naive-Bayesian-style classifier built into
SpamAssassin. This allows you to disable the rules while leaving auto and manual
learning enabled.
bayes_auto_learn ( 0 | 1 ) (default: 1)
Whether SpamAssassin should automatically feed high-scoring mails (or low-scoring
mails, for non-spam) into its learning systems. The only learning system supported
currently is a naive-Bayesian-style classifier.
See the documentation for the
Mail::SpamAssassin::Plugin::AutoLearnThreshold
plugin module for details
on how Bayes auto-learning is implemented by default.
bayes_ignore_header header_name
If you receive mail filtered by upstream mail systems, like a spam-filtering ISP or
mailing list, and that service adds new headers (as most of them do), these headers
may provide inappropriate cues to the Bayesian classifier, allowing it to take a ``short
cut''. To avoid this, list the headers using this setting. Example:
bayes_ignore_header X-Upstream-Spamfilter
bayes_ignore_header X-Upstream-SomethingElse
bayes_ignore_from add@ress.com
Bayesian classification and autolearning will not be performed on mail from the listed
addresses. Program sa-learn will also ignore the listed addresses if it is invoked
27
using the --use-ignores option. One or more addresses can be listed, see
whitelist_from.
Spam messages from certain senders may contain many words that frequently occur
in ham. For example, one might read messages from a preferred bookstore but also
get unwanted spam messages from other bookstores. If the unwanted messages are
learned as spam then any messages discussing books, including the preferred
bookstore and antiquarian messages would be in danger of being marked as spam.
The addresses of the annoying bookstores would be listed. (Assuming they were
halfway legitimate and didn't send you mail through myriad affiliates.)
Those who have pieces of spam in legitimate messages or otherwise receive ham
messages containing potentially spammy words might fear that some spam messages
might be in danger of being marked as ham. The addresses of the spam mailing lists,
correspondents, etc. would be listed.
bayes_ignore_to add@ress.com
Bayesian classification and autolearning will not be performed on mail to the listed
addresses. See bayes_ignore_from for details.
bayes_min_ham_num (Default: 200)
bayes_min_spam_num (Default: 200)
To be accurate, the Bayes system does not activate until a certain number of ham
(non-spam) and spam have been learned. The default is 200 of each ham and spam,
but you can tune these up or down with these two settings.
bayes_learn_during_report (Default: 1)
The Bayes system will, by default, learn any reported messages (spamassassin -r)
as spam. If you do not want this to happen, set this option to 0.
bayes_sql_override_username
Used by BayesStore::SQL storage implementation.
If this options is set the BayesStore::SQL module will override the set username with
the value given. This could be useful for implementing global or group bayes
databases.
bayes_use_hapaxes (default: 1)
Should the Bayesian classifier use hapaxes (words/tokens that occur only once) when
classifying? This produces significantly better hit-rates, but increases database size by
about a factor of 8 to 10.
bayes_journal_max_size (default: 102400)
SpamAssassin will opportunistically sync the journal and the database. It will do so
once a day, but will sync more often if the journal file size goes above this setting, in
bytes. If set to 0, opportunistic syncing will not occur.
bayes_expiry_max_db_size (default: 150000)
What should be the maximum size of the Bayes tokens database? When expiry
occurs, the Bayes system will keep either 75% of the maximum value, or 100,000
28
tokens, whichever has a larger value. 150,000 tokens is roughly equivalent to a 8Mb
database file.
bayes_auto_expire (default: 1)
If enabled, the Bayes system will try to automatically expire old tokens from the
database. Auto-expiry occurs when the number of tokens in the database surpasses
the bayes_expiry_max_db_size value.
bayes_learn_to_journal (default: 0)
If this option is set, whenever SpamAssassin does Bayes learning, it will put the
information into the journal instead of directly into the database. This lowers
contention for locking the database to execute an update, but will also cause more
access to the journal and cause a delay before the updates are actually committed to
the Bayes database.
MISCELLANEOUS OPTIONS
lock_method type
Select the file-locking method used to protect database files on-disk. By default,
SpamAssassin uses an NFS-safe locking method on UNIX; however, if you are sure
that the database files you'll be using for Bayes and AWL storage will never be
accessed over NFS, a non-NFS-safe locking system can be selected.
This will be quite a bit faster, but may risk file corruption if the files are ever accessed
by multiple clients at once, and one or more of them is accessing them through an
NFS filesystem.
Note that different platforms require different locking systems.
The supported locking systems for type are as follows:
nfssafe - an NFS-safe locking system
flock - simple UNIX flock() locking
win32 - Win32 locking using sysopen (..., O_CREAT|O_EXCL).
nfssafe and flock are only available on UNIX, and win32 is only available on Windows. By
default, SpamAssassin will choose either nfssafe or win32 depending on the platform in use.
fold_headers ( 0 | 1 ) (default: 1)
By default, headers added by SpamAssassin will be whitespace folded. In other
words, they will be broken up into multiple lines instead of one very long one and
each other line will have a tabulator prepended to mark it as a continuation of the
preceding one.
The automatic wrapping can be disabled here. Note that this can generate very long
lines.
29
report_safe_copy_headers header_name ...
If using report_safe, a few of the headers from the original message are copied into
the wrapper header (From, To, Cc, Subject, Date, etc.) If you want to have other
headers copied as well, you can add them using this option. You can specify multiple
headers on the same line, separated by spaces, or you can just use multiple lines.
envelope_sender_header Name-Of-Header
SpamAssassin will attempt to discover the address used in the 'MAIL FROM:' phase
of the SMTP transaction that delivered this message, if this data has been made
available by the SMTP server. This is used in the EnvelopeFrom pseudo-header, and
for various rules such as SPF checking.
By default, various MTAs will use different headers, such as the following:
X-Envelope-From
Envelope-Sender
X-Sender
Return-Path
SpamAssassin will attempt to use these, if some heuristics (such as the header
placement in the message, or the absence of fetchmail signatures) appear to indicate
that they are safe to use. However, it may choose the wrong headers in some
mailserver configurations. (More discussion of this can be found in bug 2142 in the
SpamAssassin BugZilla.)
To avoid this heuristic failure, the envelope_sender_header setting may be helpful.
Name the header that your MTA adds to messages containing the address used at the
MAIL FROM step of the SMTP transaction.
If the header in question contains < or > characters at the start and end of the email
address in the right-hand side, as in the SMTP transaction, these will be stripped.
If the header is not found in a message, or if it's value does not contain an @ sign,
SpamAssassin will fall back to its default heuristics.
(Note for MTA developers: we would prefer if the use of a single header be avoided
in future, since that precludes 'downstream' spam scanning.
http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived details a
better proposal using the Received headers.)
example:
envelope_sender_header X-SA-Exim-Mail-From
describe SYMBOLIC_TEST_NAME description ...
Used to describe a test. This text is shown to users in the detailed report.
30
Note that test names which begin with '__' are reserved for meta-match sub-rules, and
are not scored or listed in the 'tests hit' reports.
Also note that by convention, rule descriptions should be limited in length to no more
than 50 characters.
report_charset CHARSET (default: unset)
Set the MIME Content-Type charset used for the text/plain report which is attached to
spam mail messages.
report ...some text for a report...
Set the report template which is attached to spam mail messages. See the 10_misc.cf
configuration file in /usr/share/spamassassin for an example.
If you change this, try to keep it under 78 columns. Each report line appends to the
existing template, so use clear_report_template to restart.
Tags can be included as explained above.
clear_report_template
Clear the report template.
report_contact ...text of contact address...
Set what _CONTACTADDRESS_ is replaced with in the above report text. By
default, this is 'the administrator of that system', since the hostname of the system the
scanner is running on is also included.
report_hostname ...hostname to use...
Set what _HOSTNAME_ is replaced with in the above report text. By default, this is
determined dynamically as whatever the host running SpamAssassin calls itself.
unsafe_report ...some text for a report...
Set the report template which is attached to spam mail messages which contain a nontext/plain part. See the 10_misc.cf configuration file in /usr/share/spamassassin
for an example.
Each unsafe-report line appends to the existing template, so use
clear_unsafe_report_template to restart.
Tags can be used in this template (see above for details).
clear_unsafe_report_template
Clear the unsafe_report template.
RULE DEFINITIONS AND PRIVILEGED SETTINGS
These settings differ from the ones above, in that they are considered 'privileged'. Only users
running spamassassin from their procmailrc's or forward files, or sysadmins editing a file in
31
/etc/mail/spamassassin,
can use them. spamd users cannot use them in their user_prefs
files, for security and efficiency reasons, unless allow_user_rules is enabled (and then,
they may only add rules from below).
allow_user_rules ( 0 | 1 ) (default: 0)
This setting allows users to create rules (and only rules) in their user_prefs files for
use with spamd. It defaults to off, because this could be a severe security hole. It may
be possible for users to gain root level access if spamd is run as root. It is NOT a good
idea, unless you have some other way of ensuring that users' tests are safe. Don't use
this unless you are certain you know what you are doing. Furthermore, this option
causes spamassassin to recompile all the tests each time it processes a message for a
user with a rule in his/her user_prefs file, which could have a significant effect on
server load. It is not recommended.
Note that it is not currently possible to use allow_user_rules to modify an existing
system rule from a user_prefs file with spamd.
redirector_pattern /pattern/modifiers
A regex pattern that matches both the redirector site portion, and the target site
portion of a URI.
Note: The target URI portion must be surrounded in parentheses and no other part of
the pattern may create a backreference.
Example: http://chkpt.zdnet.com/chkpt/whatever/spammer.domain/yo/dude
redirector_pattern
/^https?:\/\/(?:opt\.)?chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
header SYMBOLIC_TEST_NAME header op /pattern/modifiers [if-unset: STRING]
Define a test. SYMBOLIC_TEST_NAME is a symbolic test name, such as
'FROM_ENDS_IN_NUMS'. header is the name of a mail header, such as 'Subject',
'To', etc.
Appending :raw to the header name will inhibit decoding of quoted-printable or base64 encoded strings.
Appending :addr to the header name will cause everything except the first email
address to be removed from the header. For example, all of the following will result
in ``example@foo'':
example@foo
example@foo (Foo Blah)
example@foo, example@bar
display: example@foo (Foo Blah), example@bar ;
Foo Blah <example@foo>
32
``Foo Blah'' <example@foo>
``'Foo Blah''' <example@foo>
Appending :name to the header name will cause everything except the first real name to be
removed from the header. For example, all of the following will result in ``Foo Blah''
example@foo (Foo Blah)
example@foo (Foo Blah), example@bar
display: example@foo (Foo Blah), example@bar ;
Foo Blah <example@foo>
``Foo Blah'' <example@foo>
``'Foo Blah''' <example@foo>
There are several special pseudo-headers that can be specified:
ALL can be used to mean the text of all the message's headers.
ToCc can be used to mean the contents of both the 'To' and 'Cc' headers.
EnvelopeFrom is the address used in the 'MAIL FROM:' phase of the SMTP
transaction that delivered this message, if this data has been made available by the
SMTP server.
MESSAGEID is a symbol meaning all Message-Id's found in the message; some mailing list
software moves the real 'Message-Id' to 'Resent-Message-Id' or 'X-Message-Id', then
uses its own one in the 'Message-Id' header. The value returned for this symbol is the
text from all 3 headers, separated by newlines.
op is either =~ (contains regular expression) or !~ (does not contain regular expression), and
pattern is a valid Perl regular expression, with modifiers as regexp modifiers in the usual
style. Note that multi-line rules are not supported, even if you use x as a modifier. Also note
that the # character must be escaped (\#) or else it will be considered to be the start of a
comment and not part of the regexp.
If the [if-unset: STRING] tag is present, then STRING will be used if the header is not
found in the mail message.
Test names must not start with a number, and must contain only alphanumerics and
underscores. It is suggested that lower-case characters not be used, and names have a length
of no more than 22 characters, as an informal convention. Dashes are not allowed.
Note that test names which begin with '__' are reserved for meta-match sub-rules, and are not
scored or listed in the 'tests hit' reports. Test names which begin with 'T_' are reserved for
tests which are undergoing QA, and these are given a very low score.
If you add or modify a test, please be sure to run a sanity check afterwards by running
spamassassin --lint. This will avoid confusing error messages, or other tests being
skipped as a side-effect.
33
header SYMBOLIC_TEST_NAME exists:name_of_header
Define a header existence test. name_of_header is the name of a header to test for
existence. This is just a very simple version of the above header tests.
header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])
Define a header eval test. name_of_eval_method is the name of a method on the
Mail::SpamAssassin::EvalTests object. arguments are optional arguments to the
function call.
header SYMBOLIC_TEST_NAME eval:check_rbl('set', 'zone' [, 'sub-test'])
Check a DNSBL (a DNS blacklist or whitelist). This will retrieve Received: headers
from the message, extract the IP addresses, select which ones are 'untrusted' based on
the trusted_networks logic, and query that DNSBL zone. There's a few things to
note:
duplicated or private IPs
Duplicated IPs are only queried once and reserved IPs are not queried. Private IPs are
those listed in <http://www.iana.org/assignments/ipv4-address-space>,
<http://duxcw.com/faq/network/privip.htm>,
<http://duxcw.com/faq/network/autoip.htm>, or <ftp://ftp.rfc-editor.org/innotes/rfc3330.txt> as private.
the 'set' argument
This is used as a 'zone ID'. If you want to look up a multiple-meaning zone like
NJABL or SORBS, you can then query the results from that zone using it; but all
check_rbl_sub() calls must use that zone ID.
Also, if more than one IP address gets a DNSBL hit for a particular rule, it does not
affect the score because rules only trigger once per message.
the 'zone' argument
This is the root zone of the DNSBL, ending in a period.
the 'sub-test' argument
This optional argument behaves the same as the sub-test argument in
check_rbl_sub() below.
selecting all IPs except for the originating one
This is accomplished by placing '-notfirsthop' at the end of the set name. This is
useful for querying against DNS lists which list dialup IP addresses; the first hop may
be a dialup, but as long as there is at least one more hop, via their outgoing SMTP
server, that's legitimate, and so should not gain points. If there is only one hop, that
will be queried anyway, as it should be relaying via its outgoing SMTP server instead
of sending directly to your MX (mail exchange).
selecting IPs by whether they are trusted
When checking a 'nice' DNSBL (a DNS whitelist), you cannot trust the IP addresses
in Received headers that were not added by trusted relays. To test the first IP address
that can be trusted, place '-firsttrusted' at the end of the set name. That should test the
IP address of the relay that connected to the most remote trusted relay.
34
Note that this requires that SpamAssassin know which relays are trusted. For simple
cases, SpamAssassin can make a good estimate. For complex cases, you may get
better results by setting trusted_networks manually.
In addition, you can test all untrusted IP addresses by placing '-untrusted' at the end of
the set name. Important note -- this does NOT include the IP address from the most
recent 'untrusted line', as used in '-firsttrusted' above. That's because we're talking
about the trustworthiness of the IP address data, not the source header line, here; and
in the case of the most recent header (the 'firsttrusted'), that data can be trusted. See
the Wiki page at http://wiki.apache.org/spamassassin/TrustedRelays for more
information on this.
Selecting just the last external IP
By using '-lastexternal' at the end of the set name, you can select only the external
host that connected to your internal network, or at least the last external host with a
public IP.
header SYMBOLIC_TEST_NAME eval:check_rbl_txt('set', 'zone')
Same as check_rbl(), except querying using IN TXT instead of IN A records. If the
zone supports it, it will result in a line of text describing why the IP is listed, typically
a hyperlink to a database entry.
header SYMBOLIC_TEST_NAME eval:check_rbl_sub('set', 'sub-test')
Create a sub-test for 'set'. If you want to look up a multi-meaning zone like
relays.osirusoft.com, you can then query the results from that zone using the zone ID
from the original query. The sub-test may either be an IPv4 dotted address for RBLs
that return multiple A records or a non-negative decimal number to specify a bitmask
for RBLs that return a single A record containing a bitmask of results, a SenderBase
test beginning with ``sb:'', or (if none of the preceding options seem to fit) a regular
expression.
Note: the set name must be exactly the same for as the main query rule, including
selections like '-notfirsthop' appearing at the end of the set name.
body SYMBOLIC_TEST_NAME /pattern/modifiers
Define a body pattern test. pattern is a Perl regular expression. Note: as per the
header tests, # must be escaped (\#) or else it is considered the beginning of a
comment.
The 'body' in this case is the textual parts of the message body; any non-text MIME
parts are stripped, and the message decoded from Quoted-Printable or Base-64encoded format if necessary. The message Subject header is considered part of the
body and becomes the first paragraph when running the rules. All HTML tags and
line breaks will be removed before matching.
body SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a body eval test. See above.
35
uri SYMBOLIC_TEST_NAME /pattern/modifiers
Define a uri pattern test. pattern is a Perl regular expression. Note: as per the header
tests, # must be escaped (\#) or else it is considered the beginning of a comment.
The 'uri' in this case is a list of all the URIs in the body of the email, and the test will
be run on each and every one of those URIs, adjusting the score if a match is found.
Use this test instead of one of the body tests when you need to match a URI, as it is
more accurately bound to the start/end points of the URI, and will also be faster.
rawbody SYMBOLIC_TEST_NAME /pattern/modifiers
Define a raw-body pattern test. pattern is a Perl regular expression. Note: as per the
header tests, # must be escaped (\#) or else it is considered the beginning of a
comment.
The 'raw body' of a message is the raw data inside all textual parts. The text will be
decoded from base64 or quoted-printable encoding, but HTML tags and line breaks
will still be present. The pattern will be applied line-by-line.
rawbody SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a raw-body eval test. See above.
full SYMBOLIC_TEST_NAME /pattern/modifiers
Define a full message pattern test. pattern is a Perl regular expression. Note: as per
the header tests, # must be escaped (\#) or else it is considered the beginning of a
comment.
The full message is the pristine message headers plus the pristine message body,
including all MIME data such as images, other attachments, MIME boundaries, etc.
full SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a full message eval test. See above.
meta SYMBOLIC_TEST_NAME boolean expression
Define a boolean expression test in terms of other tests that have been hit or not hit.
For example:
meta META1 TEST1 && !(TEST2 || TEST3)
Note that English language operators (``and'', ``or'') will be treated as rule names, and
that there is no XOR operator.
meta SYMBOLIC_TEST_NAME boolean arithmetic expression
Can also define a boolean arithmetic expression in terms of other tests, with a hit test
having the value ``1'' and an unhit test having the value ``0''. For example:
meta META2 (3 * TEST1 - 2 * TEST2) > 0
36
Note that Perl builtins and functions, like abs(), can't be used, and will be treated as
rule names.
If you want to define a meta-rule, but do not want its individual sub-rules to count
towards the final score unless the entire meta-rule matches, give the sub-rules names
that start with '__' (two underscores). SpamAssassin will ignore these for scoring.
tflags SYMBOLIC_TEST_NAME [ {net|nice|learn|userconf|noautolearn} ]
Used to set flags on a test. These flags are used in the score-determination back end
system for details of the test's behaviour. Please see bayes_auto_learn for more
information about tflag interaction with those systems. The following flags can be set:
net
The test is a network test, and will not be run in the mass checking system or if -L is
used, therefore its score should not be modified.
nice
The test is intended to compensate for common false positives, and should be
assigned a negative score.
userconf
The test requires user configuration before it can be used (like language- specific
tests).
learn
The test requires training before it can be used.
noautolearn
The test will explicitly be ignored when calculating the score for learning systems.
priority SYMBOLIC_TEST_NAME n
Assign a specific priority to a test. All tests, except for DNS and Meta tests, are run in
increasing priority value order (negative priority values are run before positive
priority values). The default test priority is 0 (zero).
37
References
[1] http://en.wikipedia.org/wiki/E-mail_spam
[2] www.ftc.gov/spam
Suggested Additions:
Linux email client
Advanced filtering with SpamAssassin
Using Bogofilter for advanced spam monitoring
Server side virus scanning
Sender Policy Framework
38
ECE4112 Internetwork Security
Lab XX: E-Mail and Spam Reduction Answer Sheet
Group Number: _________
Member Names: ___________________
Date Assigned:
Date Due:
Last Edited: December 06, 2006
Authored By: John Cacavias
_______________________
David Jacobson
Prelab Questions
QP.1. What is the protocol most commonly used to send e-mail?
QP.2. Why is this protocol beneficial to spammers? How can these problems be
curtailed?
QP.3. How do spammers circumvent the IP address of their mail server being appended
to their spam e-mails?
Section 2
Q2.1 Why would it be desirable for users to utilize a client based e-mail program as
opposed to a webmail interface?
Q2.2 What are the advantages of a webmail interface over a client based e-mail
program?
39
Section 3
Q3.1 Why would a network administrator want to install a server side spam filter such
as SpamAssassin?
Q3.2 What are some of the potential problems associated with installing a server side
spam filter?
Q3.3 What is whitelisting? What is blacklisting?
Q3.4 What are some of the advantages of using whitelisting and blacklisting?
Q3.5 Write the commands you placed in your local.cf file to correctly whitelist and
blacklist specific domains or email addresses.
Section 4
Q4.1 Why is it that a user would want to set up a filter in their mail client?
Q4.2 Give one example of a filter rule in outlook express and describe what it does.
Section 5
Q5.1. How does training effect your spam filter?
40
Q5.2. Why would one want to set up a client side spam program in addition to the
server side program?
Q5.3. Is it ok to delete spam above a certain spam score? Why or Why Not?
General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and/or improvements do you suggest for this lab? Please be very specific
and if you add new material give the exact wording and instructions you would give to future
students in the new lab handout. You may cross out and edit the text of the lab on previous
pages to make minor corrections/suggestions. General suggestions like add tool xyz to do
more capable scanning will not be awarded extras points even if the statement is totally true.
Specific text that could be cut and pasted into this lab, completed exercises, and completed
solutions may be awarded additional credit. Thus if tool xyz adds a capability or additional or
better learning experience for future students here is what you need to do. You should add
that tool to the lab by writing new detailed lab instructions on where to get the tool, how to
install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must
prove with what you turn in that you actually did the lab improvement yourself. Screen shots
and output hardcopy are a good way to demonstrate that you actually completed your
suggested enhancements. The lab addition section must start with the form “laboratory
Additions Cover Sheet”.
41
Turn-In Checklist
You need to turn in:
Non-Spam printout
Spam printout
Screenshot #1
Screenshot #2
Screenshot #3
This Lab
The Answer sheet with completed answer
Any Corrections or additions to the lab
42
