Title: postfix spamassassin anomy sanitizer setup
Subject: setup spamassassin anomy sanitizer on Mandrake
2002-11-12  3:45 login  17:20 logout
http://advosys.ca/papers/postfix-filtering.html

rpm -qa |grep postfix
postfix-20010228-15.2mdk

#Install perl modules
perl -MCPAN -e shell
o conf prerequisites_policy ask
install MIME::Base64
install MIME::QuotedPrint    <<---this was up to date
install Mail::Audit
quit

#Create a Unix group on the server named "filter"
groupadd -g 418 filter

#Create a user account named "filter"
useradd -u 418 -g 418 -s /bin/false -d /usr/local/anomy filter
rm -rf /usr/local/anomy

#Install Anomy Sanitizer by unpacking it in a mailserver-accessible directory
pushd /usr/local/
tar -zxvpf /root/SpamAssassin/anomy-sanitizer-1.56.tar.gz
cd anomy/

#Create a file named anomy.conf with your rules
# Read "The real world configuration"
# I downloaded their anomy.conf and copied it into place
cp /root/SpamAssassin/anomy.conf .

#Tighten security on files
chown -R root:filter /usr/local/anomy
chmod 0750 /usr/local/anomy

#Install SpamAssassin
perl -MCPAN -e shell
o conf prerequisites_policy ask
install Mail::SpamAssassin
quit

#Make changes to /etc/mail/spamassassin/local.cf
required_hits 5.00            #Set number of hits before a mail is considered spam
subject_tag *****SPAM*****    # prepended to the subject line of mail considered spam
rewrite_subject 1             #the subject lines of suspected spam will be tagged
report_header 1               #put report in the header instead of the body
use_terse_report 1            #shorter reports
defang_mime 0                 #SpamAssassin will not change the Content-type: header to "text/plain"; this got Lupe mad
skip_rbl_checks 0             #SpamAssassin will run RBL checks.
whitelist_from tek@pervasivenetwerks.com    # whitelist one specific sender
whitelist_from @scplumbing.com              # whitelist entire domain
whitelist_from @pervasivenetwerks.com
whitelist_from @groovejuice.com

#Configuring filtering in Postfix
#put filter script in place
cp /root/SpamAssassin/filter.sh /usr/local/anomy/
chmod 750 /usr/local/anomy/filter.sh
chown root:filter /usr/local/anomy/filter.sh
vi /usr/local/anomy/filter.sh
    fix this path==>> SPAMASSASSIN=/usr/bin/spamassassin

#Create a temporary directory for processing files
# and update filter.sh variable INSPECT_DIR=
mkdir /var/spool/filter
chown root:filter /var/spool/filter
chmod 0770 /var/spool/filter

#Backup /etc/postfix/master.cf
cp /etc/postfix/master.cf /etc/postfix/master.cf.20021112.prefilter

#Add single line to bottom of /etc/postfix/master.cf
filter    unix  -       n       n       -       -       pipe
    user=filter argv=/usr/local/anomy/filter.sh -f ${sender} -- ${recipient}

#change smtp line in master.cf
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=filter:

# Reload
postfix reload

# Test it:
######Darn. can't run this as root:
perldoc Mail::SpamAssassin::Conf

##Test negative worked out. The subject line did not contain a *****SPAM*****
## email scored level of 2
spamassassin -t < sample-nonspam.txt |grep SPAM
SPAM_PHRASE_02_03,TO_BE_REMOVED_REPLY
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (0.90 hits, 5 required)
SPAM: TO_BE_REMOVED_REPLY (0.4 points) BODY: Says: "to be removed, reply via email" or similar
SPAM: GAPPY_TEXT (0.0 points) BODY: Contains 'G.a.p.p.y-T.e.x.t'
SPAM: SPAM_PHRASE_02_03 (0.8 points) BODY: Spam phrases score is 02 to 03 (medium)
SPAM: [score: 2]
SPAM: LINES_OF_YELLING (0.2 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: PGP_SIGNATURE (-0.5 points) BODY: Contains a PGP-signed message
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

## Test positive worked out. The subject line does contain *****SPAM*****
## email scored a level of 22
spamassassin -t < sample-spam.txt |grep 'SPAM'
Subject: *****SPAM***** Home Based Business for Grownups
SMTPD_IN_RCVD,SPAM_PHRASE_21_34,UNDISC_RECIPS
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (14.70 hits, 5 required)
SPAM: INVALID_DATE (1.5 points) Invalid Date: header (not RFC 2822)
SPAM: UNDISC_RECIPS (1.5 points) Valid-looking To "undisclosed-recipients"
SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name
SPAM: SMTPD_IN_RCVD (1.2 points) Received via SMTPD32 server (SMTPD32-n.n)
SPAM: MSGID_HAS_NO_AT (0.3 points) Message-Id has no @ sign
SPAM: FROM_HAS_MIXED_NUMS (0.3 points) From: contains numbers mixed in with letters
SPAM: ALL_CAPS_HEADER (0.2 points) Header with all capitals found
SPAM: INVALID_MSGID (0.0 points) Message-Id is not valid, according to RFC 2822
SPAM: DRASTIC_REDUCED (1.9 points) BODY: Drastically Reduced
SPAM: ONCE_IN_LIFETIME (1.8 points) BODY: Once in a lifetime, apparently
SPAM: REMOVE_SUBJ (0.8 points) BODY: List removal information
SPAM: HOME_EMPLOYMENT (0.6 points) BODY: Information on how to work at home (2)
SPAM: CALL_FREE (0.2 points) BODY: Contains a tollfree number
SPAM: SPAM_PHRASE_21_34 (1.9 points) BODY: Spam phrases score is 21 to 34 (high)
SPAM: [score: 22]
SPAM: LINES_OF_YELLING (0.2 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: DATE_IN_PAST_24_48 (1.0 points) Date: is 24 to 48 hours before Received: date
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (14.70 hits, 5 required)
SPAM: INVALID_DATE (1.5 points) Invalid Date: header (not RFC 2822)
SPAM: UNDISC_RECIPS (1.5 points) Valid-looking To "undisclosed-recipients"
SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name
SPAM: SMTPD_IN_RCVD (1.2 points) Received via SMTPD32 server (SMTPD32-n.n)
SPAM: MSGID_HAS_NO_AT (0.3 points) Message-Id has no @ sign
SPAM: FROM_HAS_MIXED_NUMS (0.3 points) From: contains numbers mixed in with letters
SPAM: ALL_CAPS_HEADER (0.2 points) Header with all capitals found
SPAM: INVALID_MSGID (0.0 points) Message-Id is not valid, according to RFC 2822
SPAM: DRASTIC_REDUCED (1.9 points) BODY: Drastically Reduced
SPAM: ONCE_IN_LIFETIME (1.8 points) BODY: Once in a lifetime, apparently
SPAM: REMOVE_SUBJ (0.8 points) BODY: List removal information
SPAM: HOME_EMPLOYMENT (0.6 points) BODY: Information on how to work at home (2)
SPAM: CALL_FREE (0.2 points) BODY: Contains a tollfree number
SPAM: SPAM_PHRASE_21_34 (1.9 points) BODY: Spam phrases score is 21 to 34 (high)
SPAM: [score: 22]
SPAM: LINES_OF_YELLING (0.2 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: DATE_IN_PAST_24_48 (1.0 points) Date: is 24 to 48 hours before Received: date
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

##################################################################################
MY /usr/local/anomy/anomy.conf

# Example configuration file for Anomy Sanitizer
#
# From http://advosys.ca/papers/postfix-filtering.html
# Advosys Consulting Inc., Ottawa
#
# Works with Anomy Sanitizer revision 1.49

#20021113 john# Do not log to STDERR:
feat_log_stderr = 1

# Don't insert log in the message itself:
feat_log_inline = 0

# Advertisement to insert in each mail header:
header_info = X-Sanitizer: Advosys mail filter
header_url = 0
header_rev = 0

#20021113 john# dis-Enable filename based policy decisions:
feat_files = 0

# Protect against buffer overflows and null values:
feat_lengths = 1

#20021113 john# dont-Replace MIME boundaries with our own:
feat_boundaries = 0

# Fix invalid and ambiguous MIME boundaries, if possible:
feat_fixmime = 1

# Trust signed and/or encrypted messages:
feat_trust_pgp = 1
msg_pgp_warning = WARNING: Unsanitized content follows.\n

# Defang shell scripts:
#20021113 john# feat_scripts = 0

# Defang active HTML:
#20021113 john# feat_html = 1

# Defang UUEncoded files:
#20021113 john# feat_uuencoded = 0

# Sanitize forwarded content too:
#20021113 john# feat_forwards = 1

# Testing? Set to 1 for testing, 0 for production:
feat_testing = 0

#
# Warn user about unscanned parts, etc.
#20021113 john# feat_verbose = 1

# Force all parts (except text/html parts) to
# have file names.
#20021113 john# feat_force_name = 1

# Disable web bugs:
feat_webbugs = 1

# Disable "score" based mail discarding:
score_panic = 0
score_bad = 0

msg_file_drop = \n*****\n
msg_file_drop += NOTE: An attachment named %FILENAME was deleted from
msg_file_drop += this message because it contained a windows executable
msg_file_drop += or other potentially dangerous file type.
msg_file_drop += Contact the system administrator for more information.

##
## File attachment name mangling rules:
##

# Specify the Anomy temp file and quarantine directory
file_name_tpl = /var/spool/filter/att-$F-$T.$$

# Number of rulesets we are defining:
file_list_rules = 2
file_default_policy = defang

# Delete probably nasty attachments:
file_list_1 = (?i)(winmail.dat)|
file_list_1 += (\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf
file_list_1 += |asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|vcf|eml|nws))$
file_list_1_policy = drop
file_list_1_scanner = 0

# Allow known "safe" file types and those that will be
# scanned by the user's desktop virus scanner:
file_list_2 = (?i)\.
# Word processor and document formats:
file_list_2 += (doc|dot|txt|rtf|pdf|ps|htm|[sp]?html?
# Spreadsheets:
file_list_2 += |xls|xlw|xlt|csv|wk[1-4]
# Presentation applications:
file_list_2 += |ppt|pps|pot
# Bitmap graphic files:
file_list_2 += |jpe?g|gif|png|tiff?|bmp|psd|pcx
# Vector graphics and diagramming:
file_list_2 += |vsd|drw|cdr|swf
# Multimedia:
file_list_2 += |mp3|avi|mpe?g|mov|ram?|mid|ogg
# Archives:
file_list_2 += |zip|g?z|rar|tgz|bz2|tar
# Source code:
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
file_list_2_policy = accept
file_list_2_scanner = 0

# Any file type not listed above gets renamed to prevent
# ms outlook from auto-executing it.
#############################################################################
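Going back to the two spamassassin -t runs earlier on the page, here is an added Python example (not code from the page or from SpamAssassin) that parses the terse SPAM:-prefixed report, re-adds the per-rule points, and applies the required_hits and subject_tag settings from local.cf the way rewrite_subject does. The negative report is copied from the page; the positive one is a constructed subset of the page's rule lines, just enough to cross the 5-hit threshold.

```python
import re

# Settings from the page's local.cf
REQUIRED_HITS = 5.00
SUBJECT_TAG = "*****SPAM*****"

HEADER_RE = re.compile(r"^SPAM: Content analysis details: \(([\d.]+) hits, ([\d.]+) required\)")
RULE_RE = re.compile(r"^SPAM:\s+([A-Z0-9_]+)\s+\((-?[\d.]+) points\)\s*(.*)$")

def parse_report(text):
    """Pull the reported total and the per-rule points out of a terse SPAM:-prefixed
    report; banner lines and continuations like 'SPAM: [score: 2]' carry no points."""
    hits, required, rules = None, None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hits, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), float(m.group(2)), m.group(3)))
    return {"hits": hits, "required": required, "rules": rules}

def verdict(report, subject, required_hits=REQUIRED_HITS, tag=SUBJECT_TAG):
    """Re-add the rule points and tag the subject the way rewrite_subject would."""
    total = round(sum(pts for _, pts, _ in report["rules"]), 2)
    is_spam = total >= required_hits
    return total, is_spam, (f"{tag} {subject}" if is_spam else subject)

# Negative test report as shown on the page (the PGP signature scores negative).
NONSPAM_REPORT = """\
SPAM: Content analysis details: (0.90 hits, 5 required)
SPAM: TO_BE_REMOVED_REPLY (0.4 points) BODY: Says: "to be removed, reply via email" or similar
SPAM: GAPPY_TEXT (0.0 points) BODY: Contains 'G.a.p.p.y-T.e.x.t'
SPAM: SPAM_PHRASE_02_03 (0.8 points) BODY: Spam phrases score is 02 to 03 (medium)
SPAM: [score: 2]
SPAM: LINES_OF_YELLING (0.2 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: PGP_SIGNATURE (-0.5 points) BODY: Contains a PGP-signed message
"""

# Constructed subset of the page's positive test, enough to cross the threshold.
SPAM_REPORT = """\
SPAM: Content analysis details: (6.70 hits, 5 required)
SPAM: INVALID_DATE (1.5 points) Invalid Date: header (not RFC 2822)
SPAM: UNDISC_RECIPS (1.5 points) Valid-looking To "undisclosed-recipients"
SPAM: DRASTIC_REDUCED (1.9 points) BODY: Drastically Reduced
SPAM: ONCE_IN_LIFETIME (1.8 points) BODY: Once in a lifetime, apparently
"""
```

Calling verdict(parse_report(NONSPAM_REPORT), subject) returns the untagged subject with a 0.9 total, while the constructed positive report comes back tagged with *****SPAM***** at 6.7 hits.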