Re: [cobalt-users] Raq550: Need Spam Filter advice
- Subject: Re: [cobalt-users] Raq550: Need Spam Filter advice
- From: wcstaff <wcstaff@xxxxxxxxxxxx>
- Date: Wed Aug 6 08:51:01 2003
- Organization: webcoast
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> John D. Gorena wrote:
> > I need help fighting spam and I want to install an Anti-Spam program on
> > the Raq550. I need a program that will deny emails - not just filter
> > them to a dump account. I want to filter by the link that is embedded
> > in the email too - not just the text. Many of these spam messages come
> > from many different IPs and I have manually blocked hundreds. They do
> > seem to link to the same few websites. It is these emails that I want
> > to deny so that they get the messages back.
> >
> > Any programs that will allow me to do this?
> >
> > John
> >
>
> John,
>
> You can do this fairly easily using MailScanner plus SpamAssassin.
>
> Set MailScanner's "High Scoring Spam Actions" in
> /etc/MailScanner/MailScanner.conf to "bounce", and define new URI tests
> for SpamAssassin that will match the spamvertized web sites you're
> trying to block. Set the corresponding scores for the URI tests to high
> values to ensure MailScanner will see the messages as high-scoring spam.
>
> Of course, bouncing the messages won't do any good; it will probably
> result in you getting a lot of bounces back. When you get tired of
> them, just change the high-scoring spam action to "delete."
>
> Also note this will result in legitimate mail containing the URIs
> (complaints from friends, news articles about spam) getting marked as
> spam and bounced.
>
> Regards,
>
> Richard.
>
I received this information from another member, who posted it, installed it
(a bit tricky) and it works great! I would honestly say 95% of my spam is
gone. I have been running it for 2 plus weeks now and have not had one
person I know say they could not send me email. As he states below, it is a
bit tricky and you have to make sure your <TABS> are set correctly.
Thanks to Jeroen Wunnink for the code below. I am eternally thankful. Also,
I received valuable input from Dan Kriwitsky on setting up the variable.
----------------------------------------------------------
sendmail.cf entries: (BACK IT UP BEFORE TRYING ALL THIS)
#####
# Blocking Email Marketing spammer
#####
HSubject: $>Check_Subject
D{MPat}Email Marketing
D{MMsg}This message is SPAM, it is blocked from this host.
SCheck_Subject
R${MPat} $* $#error $: 553 ${MMsg}
RRe: ${MPat} $* $#error $: 553 ${MMsg}
RFwd: ${MPat} $* $#error $: 553 ${MMsg}
Add this somewhere at the end of sendmail.cf, it'll block any Subject
starting with: Email Marketing
You can add some spamblocks already this way which occur often with a
specific subject start, just add it as many times as you feel suitable, this
is a nice first block..
Mind though, that above needs to be inserted with tabs on certain
locations.., the format above is like this:
#####
# Blocking Email Marketing spammer
#####
HSubject:<TAB>$>Check_Subject
D{MPat}Email Marketing
D{MMsg}This message is SPAM, it is blocked from this host.
SCheck_Subject
R${MPat} $*<TAB>$#error $: 553 ${MMsg}
RRe: ${MPat} $*<TAB>$#error $: 553 ${MMsg}
RFwd: ${MPat} $*<TAB>$#error $: 553 ${MMsg}
Second, as I wrote earlier to this list, I've also got a massive access
block list.., run this script nightly when times are quiet in /etc/mail
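#!/bin/bash
# Dynamic Spam access block retrieval
# The script works on files in /etc/mail
cd /etc/mail || exit 1
# Retrieving the up-to-date spamlist; stop on a failed download so the
# existing access.db is left untouched
wget -O spamlist.txt http://basic.wirehub.nl/spamlist.txt || { rm -f spamlist.txt; exit 1; }
# Building the access file
cat access > access.new
cat spamlist.txt >> access.new
makemap hash access.db < access.new
# Cleaning up
rm -f spamlist.txt
rm -f access.new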
Third, some online spamblocking techniques from sendmail.cf:
# DNS based IP address spam list relays.ordb.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: <?> $(dnsbl $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+<TMP> $: TMPOK
R<?>$+ $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by blackhole site relays.ordb.org"
# DNS based IP address spam list sbl.spamhaus.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: <?> $(dnsbl $4.$3.$2.$1.sbl.spamhaus.org. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+<TMP> $: TMPOK
R<?>$+ $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spamhaus site sbl.spamhaus.org"
# DNS based IP address spam list spews
R$* $: $&{client_addr}
R$-.$-.$-.$- $: <?> $(dnsbl $4.$3.$2.$1.spews.relays.osirusoft.com. $: OK $)
R<?>OK $: OKSOFAR
R<?>$+<TMP> $: TMPOK
R<?>$+ $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spews site spews.relays.osirusoft.com"
The format for these is:
# DNS based IP address spam list spews
R$*<TAB><TAB><TAB>$: $&{client_addr}
R$-.$-.$-.$-<TAB><TAB>$: <?> $(dnsbl $4.$3.$2.$1.spews.relays.osirusoft.com. $: OK $)
R<?>OK<TAB><TAB><TAB>$: OKSOFAR
R<?>$+<TMP><TAB><TAB>$: TMPOK
R<?>$+<TAB><TAB><TAB>$#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spews site spews.relays.osirusoft.com"
The tabs are a bit tricky, though critical to do right (sendmail's .cf is a
bitch to modify manually at some parts)
Then last (but certainly not least) I have for local users a Razor based
checklist.., this is an application which will make an md5 checksum out of
each mail that gets delivered locally, and check that sum against an online known
database of spam message bodies, if it matches, it'll dump it in a separate
mailbox..
http://razor.sourceforge.net/
Read and install the package on that site.., then add the following in
/etc/procmailrc
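# Pipe a copy of each message to razor-check and wait for its exit status
:0 Wc
| razor-check
# If razor-check succeeded (message is known spam), deliver to this mailbox file
:0 Wa
/var/spool/mail/caughtspam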
It'll dump all caught spam in /var/spool/mail/caughtspam
Downside to this one is that it will only work for local mailboxes, not for
off-site aliases..
These are manual additions, you can also install MailScanner, which has a
lot of these functions built in and they are easier to set up in that.., though
in my experience MailScanner is a decent resource hogger..., so if you do a
lot of mail and are already quite loaded on the system, add these
separately..
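
The tab requirement described above, as an added example that is not part of the original post: a shell helper that turns the `<TAB>`-annotated rules into real tabs and flags rule lines that would still break sendmail.cf. The function names and the sample block are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn the <TAB>-annotated rules into real sendmail.cf text
# and check the result before pasting it in.

# expand_tab_markers FILE: replace each literal "<TAB>" with a tab.
# Tokens such as <TMP> and <?> belong to the rule syntax and are kept.
expand_tab_markers() {
    awk '{ gsub(/<TAB>/, "\t"); print }' "$1"
}

# lint_cf_rules FILE: report "LINE: reason: text" for
#   - R lines with no tab between left- and right-hand side
#   - fragments left by e-mail line wrapping (they start with neither a
#     command letter, "#", nor whitespace)
# Exit status is 1 when anything is reported.
lint_cf_rules() {
    awk '
        /^$/ { next }
        /^R/ && !/\t/ { printf "%d: R line without tab: %s\n", NR, $0; bad = 1; next }
        !/^[A-Za-z# \t]/ { printf "%d: wrapped fragment: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: one rule block in the post's <TAB> notation, with the
# last rule broken across two lines the way a mail client wraps it.
sample_marked() {
    cat <<'EOF'
# DNS based IP address spam list sbl.spamhaus.org
R$*<TAB><TAB><TAB>$: $&{client_addr}
R$-.$-.$-.$-<TAB><TAB>$: <?> $(dnsbl $4.$3.$2.$1.sbl.spamhaus.org. $: OK $)
R<?>OK<TAB><TAB><TAB>$: OKSOFAR
R<?>$+<TMP><TAB><TAB>$: TMPOK
R<?>$+<TAB><TAB><TAB>$#error $@ 5.7.1 $: "550 Mail from " $&{client_addr}
" refused by spamhaus site sbl.spamhaus.org"
EOF
}

# Demo on the constructed sample: the wrapped last line is reported.
work=$(mktemp -d)
sample_marked > "$work/marked.cf"
expand_tab_markers "$work/marked.cf" > "$work/rules.cf"
lint_cf_rules "$work/rules.cf" || echo "fix the lines above before editing sendmail.cf"
rm -rf "$work"
```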
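
The nightly access-list script above appends whatever the remote file contains to the local access map, so an entry such as `RELAY` or `OK` in the download would change relay policy. An added example, not part of the original post, that keeps only blocking entries and lets local entries win; it assumes the downloaded list uses access-map syntax, and the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: vet a downloaded block list before merging it into the
# sendmail access map. Assumes access-map syntax: "key<whitespace>action".

# filter_blocklist LOCAL_ACCESS DOWNLOADED
# Prints the downloaded entries that carry a blocking action and do not
# override a key already in the local access file; the rest go to stderr.
filter_blocklist() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blanks
        FILENAME == ARGV[1] { mine[tolower($1)] = 1; next }
        {
            act = toupper($2)
            block = (act == "REJECT" || act == "DISCARD" ||
                     act ~ /^ERROR:/ || act ~ /^5[0-9][0-9]$/)
            if (!block)
                print "dropped, not a blocking action: " $0 > "/dev/stderr"
            else if (tolower($1) in mine)
                print "dropped, local entry wins: " $0 > "/dev/stderr"
            else
                print
        }
    ' "$1" "$2"
}

# rebuild_access DIR LIST (LIST is absolute or relative to DIR)
# Builds the new map beside the live one and renames it into place only
# when every step succeeded, so a bad download never replaces access.db.
rebuild_access() {
    ( cd "$1" || exit 1
      { cat access; filter_blocklist access "$2"; } > access.new &&
      makemap hash access.new < access.new &&
      mv access.new.db access.db
      rc=$?; rm -f access.new access.new.db; exit "$rc" )
}

# Constructed sample data (documentation addresses and domains).
sample_local() { printf '%s\n' 'example.org RELAY' '10.1.2 RELAY'; }
sample_download() {
    printf '%s\n' 'spam.example.net REJECT' '192.0.2.15 550 Spam source' \
        'Example.ORG REJECT' '198.51.100 RELAY' '203.0.113.7 OK' \
        'bulk.example.com ERROR:5.7.1:550 No bulk mail'
}

# Demo: three entries pass, three are reported on stderr.
d=$(mktemp -d); sample_local > "$d/access"; sample_download > "$d/list"
filter_blocklist "$d/access" "$d/list"; rm -rf "$d"
```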