Message Filtering (AV & Spam)
Q: How Do I implement mail filtering on my toaster?
A: There are many ways to do so; I will present a few methods. These methods assume you will process mail using SpamAssassin or a similar package that tags the message as spam, viral, or otherwise evil. Then read the section at the bottom regarding QmailScanner.
Step 1: Run "toaster_setup -s filter".
This will install maildrop, procmail, SpamAssassin, ClamAV, and other mail processing utilities as configured in your toaster-watcher.conf file.
Step 2: Choose one of the following methods:
Single user(s) using: PROCMAIL or MAILDROP
Single domain using: MAILDROP
Entire server using: MAILDROP
Q: How do I add mail filtering for a user using Procmail?
A: Run "toaster_setup -s filter".
cd ~vpopmail/domains/example.net/user
fetch -o procmailrc http://www.tnpi.biz/internet/mail/toaster/etc/procmailrc
fetch -o .qmail http://www.tnpi.biz/internet/mail/toaster/etc/procmail-qmail
chown vpopmail:vchkpw procmailrc .qmail
Edit the procmailrc file to taste.
Q: How do I add mail filtering for a user using maildrop?
cd ~vpopmail/domains/example.net/user
fetch -o mailfilter http://www.tnpi.biz/internet/mail/toaster/etc/mailfilter-user
fetch -o .qmail http://www.tnpi.biz/internet/mail/toaster/etc/maildrop-qmail
chown vpopmail:vchkpw mailfilter .qmail; chmod 600 mailfilter
Optional: Edit the mailfilter to taste.
Q: How do I add mail filtering for an entire site using maildrop?
Upgrade qmailadmin to 1.0.21 or higher.
Enable the spam sections (via the toaster_setup.pl script) and now users have a little checkbox in their qmailadmin control panel.
Optional: Write a script that adds a .qmail file to the virtual user home directory of every user on your system. An example: ~vpopmail/domains/cadillac.net/matt/.qmail contains "| /usr/local/bin/maildrop /usr/local/etc/mail/mailfilter". I personally believe you should require users to log into qmailadmin and enable it themselves.
Optional: Edit /usr/local/etc/mail/mailfilter to taste.
A consequence of using maildrop this way is that mail destined for aliases will not get filtered. A workaround is to use forwards instead of aliases. This also will not work for addresses that don't exist (i.e., catch-all addresses). I don't consider this a problem as I don't ever use catch-alls.
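One way to write the optional script from the site-wide answer above, as an added example that is not part of Mail::Toaster. The function name and its arguments are assumptions, and it assumes the layout domains/<domain>/<user>/Maildir; it leaves any existing .qmail untouched so forwards and users' own choices survive.

```shell
#!/bin/sh
# Added example: opt every vpopmail mailbox into the site-wide maildrop filter.
# The .qmail line is the one quoted in the answer above.
FILTER_LINE='| /usr/local/bin/maildrop /usr/local/etc/mail/mailfilter'

# usage: enable_sitewide_filter DOMAINS_DIR [OWNER]
#   DOMAINS_DIR  e.g. ~vpopmail/domains            (assumed argument)
#   OWNER        e.g. vpopmail:vchkpw, needs root  (assumed argument)
# Prints the number of .qmail files it created.
enable_sitewide_filter() {
    domains_dir=$1
    owner=${2:-}
    added=0
    for maildir in "$domains_dir"/*/*/Maildir; do
        # Skips an unmatched glob and any directory that is not a mailbox.
        [ -d "$maildir" ] || continue
        dotqmail="${maildir%/Maildir}/.qmail"
        # Never overwrite: an existing .qmail may hold a forward or a
        # per-user filter the owner set up deliberately.
        [ -e "$dotqmail" ] && continue
        # umask 077 creates the file with mode 600.
        ( umask 077; printf '%s\n' "$FILTER_LINE" > "$dotqmail" ) || return 1
        if [ -n "$owner" ]; then
            chown "$owner" "$dotqmail" || return 1
        fi
        added=$((added + 1))
    done
    echo "$added"
}
```

Run as root it would be called as `enable_sitewide_filter ~vpopmail/domains vpopmail:vchkpw`; running it a second time creates nothing.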
Q: How do I add mail filtering for a domain using maildrop?
cd ~vpopmail/domains/example.com
fetch -o mailfilter http://www.tnpi.biz/internet/mail/toaster/etc/mailfilter-domain
echo "| /usr/local/bin/maildrop mailfilter" > .qmail
chown vpopmail:vchkpw mailfilter .qmail; chmod 600 mailfilter
Optional: Edit mailfilter to taste.
Q: How does QmailScanner decide what emails to process?
A: Based on the QMAILQUEUE environment variable. You must set this in some fashion, the most straightforward of which is to edit /service/smtp/run and add these two lines:
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE
Don't forget to restart qmail-smtpd after editing that file. (svc -t /service/smtp)
You can override that for specific IPs by editing the file ~vpopmail/etc/tcp.smtp and adding 'QMAILQUEUE="/var/qmail/bin/qmail-queue"' to the rule for each IP that should bypass qmail-scanner. Mail from those IPs is handed straight to qmail-queue and is not scanned.
Newer versions of Mail::Toaster add QMAILQUEUE to your smtp/run based on your settings in toaster-watcher.conf.
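Because every such override is a path around virus scanning, it helps to list them periodically. The following is an added example, not part of Mail::Toaster: the function names and the sample rules are constructed, and it assumes values are quoted with double quotes as in the line above.

```shell
#!/bin/sh
# Added example: list tcp.smtp rules whose QMAILQUEUE override skips
# qmail-scanner. Reads the tcprules source file named in $1, or stdin.
scanner_bypass_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            addr = $0
            sub(/:.*/, "", addr)                    # text before the first ":"
            if (addr == "") addr = "(default rule)"
            if (match($0, /QMAILQUEUE="[^"]*"/)) {
                # 12 = length of the prefix QMAILQUEUE=" ; 13 adds the end quote
                q = substr($0, RSTART + 12, RLENGTH - 13)
                if (q !~ /qmail-scanner-queue\.pl$/)
                    print addr "\t" q
            }
        }
    ' "${1:--}"
}

# Constructed sample rules (documentation addresses, not a real server).
sample_tcp_smtp() {
    cat <<'EOF'
# local submissions skip the scanner
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
192.0.2.:allow,RELAYCLIENT=""
198.51.100.7:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow
EOF
}

# Stand-alone run: prints "127.0.0.1<TAB>/var/qmail/bin/qmail-queue".
sample_tcp_smtp | scanner_bypass_rules
```

On a toaster, point it at the real file: `scanner_bypass_rules ~vpopmail/etc/tcp.smtp`. Rules with no QMAILQUEUE setting inherit whatever smtp/run exports and are not listed.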
Q: How do I tell if it's working?
A: The best method is watching the logs. Use "tail -F /var/log/mail/maildrop.log" to watch the maildrop logs. Make sure there are no errors in there.
A: Another is reading the headers on messages that have arrived in your mailbox. The following logs are the ones that will interest you most:
/var/log/maillog (general mail logs)
/var/log/mail/maildrop.log (maildrop)
/var/log/mail/send/current (qmail-send)
In there you'll find spamd's log entries (from SpamAssassin) as well as qmailscanner's logging. If you are using mail filtering via maildrop using one of my maildrop configs, then you'll also have a log file with all of its activity.
Here's an example of message headers from a message received on my mail server. I use qmailscanner as suggested above and qmailscanner processes all messages using ClamAV for virus scanning. My personal mailbox has the Mail::Toaster default spam filtering via maildrop enabled.
Sample Ham
From: hiddenuser@michweb.net
Subject: FW: Winter
Date: February 2, 2004 2:51:01 PM EST
To: matt@cadillac.net and 5 more...
Received: (qmail 37806 invoked by uid 1000); 2 Feb 2004 19:49:19 -0000
Received: (qmail 37802 invoked by uid 1068); 2 Feb 2004 19:49:19 -0000
Received: from deadend@michweb.net by cadillac.mi.us by uid 89 with qmail-scanner-1.20rc4 (clamscan: 0.60. Clear:RC:0:. Processed in 1.558058 secs); 02 Feb 2004 19:49:19 -0000
Received: from unknown (HELO out8.mx.nwbl.wi.voyager.net) (169.207.3.117) by matt-serv2.cdlc.mi.voyager.net with SMTP; 2 Feb 2004 19:49:17 -0000
Received: from mail3.mx.voyager.net (mail3.mx.voyager.net [216.93.66.202]) by out8.mx.voyager.net (Postfix) with ESMTP id 2813340FD5; Mon, 2 Feb 2004 13:49:16 -0600 (CST)
Received: from a0a2c6.michweb.net (d140.as0.cdlc.mi.voyager.net [207.89.240.161]) by mail3.mx.voyager.net (8.12.9/8.10.2) with ESMTP id i12Jmg7d009051; Mon, 2 Feb 2004 14:48:50 -0500 (EST)
Delivered-To: matt@www.cadillac.net
Message-Id: <6.0.1.1.0.20040202145053.0282ceb0@pop.michweb.net>
X-Sender: hiddenuser@pop.michweb.net
X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_18957473==_"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cadillac.mi.us
X-Spam-Pyzor: Reported 0 times.
X-Spam-Dcc: Servercave: cadillac.mi.us 1183; Body=1 Fuz1=1 Fuz2=1
X-Spam-Status: No, hits=0.6 required=6.0 tests=AWL,HTML_20_30,HTML_MESSAGE, RCVD_IN_SORBS autolearn=no version=2.63
Sample Spam
From: k.castlewc@ties.itu.ch
Subject: Cheapest Phentermine on the Internet!
Date: February 2, 2004 3:02:30 PM EST
To: matt@cadillac.net
Received: from localhost by cadillac.mi.us with SpamAssassin (2.63 2004-01-11); Mon, 02 Feb 2004 15:04:20 -0500
Message-Id: <58bf01c3e9c7$7be04eda$43729c0d@040brd1>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cadillac.mi.us
X-Spam-Pyzor: Reported 44118 times.
X-Spam-Dcc: Servercave: cadillac.mi.us 1183; Body=1 Fuz1=1 Fuz2=many
X-Spam-Status: Yes, hits=7.4 required=6.0 tests=DCC_CHECK,HTML_60_70, PYZOR_CHECK, autolearn=no version=2.63
X-Spam-Level: *******
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_401EAD44.DCEBCAD7"
Spam detection software, running on the system "cadillac.mi.us", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
matt@cadillac.net for details.
Content preview: URI:http://www.mnbgtefv.com
URI:http://www.toolkyytg.com/v9.gif [...]
Content analysis details: (7.4 points, 6.0 required)
pts  rule name              description
---- ---------------------- --------------------------------------------------
0.1  HTML_60_70             BODY: Message is 60% to 70% HTML
0.0  HTML_MESSAGE           BODY: HTML included in message
0.3  HTML_TAG_BALANCE_BODY  BODY: HTML has unbalanced "body" tags
2.2  HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
1.8  DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.3  PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
0.1  RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [82.64.149.148 listed in dnsbl.sorbs.net]
2.5  RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [82.64.149.148 listed in dnsbl.sorbs.net]
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
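To check a delivered message the way the samples above are read, the following added example (not part of Mail::Toaster) pulls the qmail-scanner and SpamAssassin evidence out of the header block only. The function names are assumptions; the sample reuses header lines from the Sample Ham above with a constructed body line that must be ignored.

```shell
#!/bin/sh
# Added example: summarise filter evidence in one message read from stdin.
# Only the header block is parsed (up to the first blank line), and folded
# header lines are joined before matching.
filter_verdict() {
    awk '
        function check(h,    n, f) {
            if (h ~ /^Received:/ && match(h, /qmail-scanner-[^ ]+/))
                scanner = substr(h, RSTART, RLENGTH)
            if (h ~ /^X-Spam-Checker-Version:/) {
                n = split(h, f, " ")
                checker = f[n]            # host that ran SpamAssassin
            }
            if (h ~ /^X-Spam-Status:/) {
                split(h, f, /[ ,]+/)
                spam = f[2]               # Yes or No
                if (match(h, /hits=[-0-9.]+/))
                    hits = substr(h, RSTART + 5, RLENGTH - 5)
                if (match(h, /required=[-0-9.]+/))
                    req = substr(h, RSTART + 9, RLENGTH - 9)
            }
        }
        BEGIN { scanner = checker = spam = hits = req = "-" }
        /^$/     { exit }                       # end of headers
        /^[ \t]/ { hdr = hdr " " $0; next }     # folded continuation line
        { check(hdr); hdr = $0 }
        END { check(hdr)
              print "scanner=" scanner, "checker=" checker, "spam=" spam, "hits=" hits, "required=" req }
    '
}

# Header lines from the Sample Ham on this page; the body line is constructed.
sample_ham() {
    cat <<'EOF'
Received: from deadend@michweb.net by cadillac.mi.us by uid 89 with qmail-scanner-1.20rc4
 (clamscan: 0.60. Clear:RC:0:. Processed in 1.558058 secs); 02 Feb 2004 19:49:19 -0000
Subject: FW: Winter
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on cadillac.mi.us
X-Spam-Status: No, hits=0.6 required=6.0 tests=AWL,HTML_20_30,HTML_MESSAGE,
 RCVD_IN_SORBS autolearn=no version=2.63

X-Spam-Status: Yes, hits=99 required=6.0 (constructed body text)
EOF
}

sample_ham | filter_verdict
```

A field shown as "-" means that stage left no header, which on a toaster configured as above usually points at a QMAILQUEUE bypass or a mailbox without the maildrop filter enabled. Compare the checker host with your own server name, since only headers added by your server reflect your filter's verdict.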