[LINK] Spam & Virus filtering: SpamAssassin, Anomy Sanitizer, Courier Maildrop & Postfix

Robin Whittle rw@firstpr.com.au
Sun, 20 Oct 2002 20:51:27 +1000


I have documented how I run SpamAssassin and then Anomy Sanitizer on
the emails which are not filtered out as part of my extensive mailing
list (26 or so) filtering system using Courier Maildrop.  But it would
be easy to filter all mail as well.  

  http://www.firstpr.com.au/web-mail/Postfix-SA-Anomy-Maildrop/

Courier Maildrop is a replacement for the widely used Procmail.   I use
it with Courier IMAP and Postfix, which is a secure, fast, easier-to-
configure replacement for the very old and overgrown Sendmail.  All
these programs are open source.  The Courier software is written by Sam
Varshavchik: 

   http://www.inter7.com/courierimap/  
   http://www.flounder.net/~mrsam/maildrop/

It's easy to run SpamAssassin and Anomy Sanitizer from Maildrop, as it
would be from Procmail.


SpamAssassin is a widely used, widely respected and actively developed
system for detecting spam in a variety of ways.  It looks at the message
itself and can link with remote services (paid and free) which provide
IP address blacklists and methods of recognising spam by the
characteristics of its message and where it came from.   This last
approach sounds like the best way to beat the spammers at their
cat-and-mouse game.  I am not using any remote services at present.  I
have just set it up and will see how it all goes.

  http://spamassassin.org/


Anomy Sanitizer does a variety of things to HTML emails and MIME headers
to protect insecure programs like MS Outlook (Express) from attack.  I
understand it can defang Javascript ("Active Scripting") and get rid of
web bugs too.   The main reason I want it is for detecting all attached
files which look like they are executable.  It drops the file and
replaces it with something shorter, with a different name which is not
executable.   I use Maildrop to look for such messages.

   http://mailtools.anomy.net/

The result is that it detects quite a lot of spams and viruses - and I
just got 30 viruses in the last 24 hours and 30 or so spams in the last
48 hours.   The detected spams are copied to a spam pit mailbox and also
sent to the Inbox, tagged for deletion, with a subject header [SPAM] so
I can see what is coming in and run my eye over them to see that there
are no false positives.  Likewise, Anomy Sanitizer defangs suspect
things in HTML emails and drops all executable files.  The mails with
dropped files are found by my Maildrop filtering rules and likewise sent
to a virus pit, as well as being sent to the Inbox, labelled as [VIRIII]
and tagged for deletion.

This won't get everything, but it will reduce the number of things I
have to manually select and deal with.

One or two a day was OK, but now it's getting to be several an hour - and
this is going to grow and go on forever, as far as I can tell.


I now run:

  Red Hat 7.2
  
  Postfix
  
  Courier Maildrop, with my mods for delivering to a mailbox
  tagged for deletion, and with [XYZ] Subject prefixes - and now
  with calling SpamAssassin and Anomy Sanitizer.

  Courier IMAPD.

  Postman Web mail.  (Though I usually use Netscape 4.77's Messenger.)


My site documents all this and lists a lot of open-source web mail
programs.

   
This new filtering scheme is in its early hours of operation at present,
but it is going well.  I think this is simpler and better than the
approach for running SpamAssassin and Anomy Sanitizer from a script
which runs as part of Postfix's smtp command, as documented at:

   http://advosys.ca/papers/postfix-filtering.html

With that approach, in order to make it stop filtering outgoing mail,
they suggest running two instances of Postfix and making one of them not
filter, and accept local clients' outgoing messages on a separate IP
address.   But it is this page which got me started.


     - Robin
----------
For Link list information see http://sunsite.anu.edu.au/link/
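Added example (not part of Robin's post, and not code from Courier
Maildrop, SpamAssassin or Anomy): the tagging step that the post says is
done with modified Maildrop can also be done with a plain shell filter
that Maildrop calls through xfilter after spamassassin and the
sanitizer.  The script classifies a message as spam, virus or clean and
prefixes the Subject with [SPAM] or [VIRIII], the labels used in the
post; the recipe then copies tagged mail to the pit mailboxes.  Only
the header block is inspected for the SpamAssassin verdict, so a copy
of "X-Spam-Status: Yes" quoted in a message body cannot spoof the
filter.  Assumptions: SpamAssassin's "X-Spam-Status: Yes" header (its
documented marker), the "DEFANGED-" attachment name used to recognise a
dropped file (check what your sanitizer version actually emits and
change VIRUS_PATTERN), and the paths and mailbox names in the recipe
comment, which are made up for the example.

```shell
#!/bin/sh
# tagmail.sh -- added example; not from the original post or from the
# Courier, SpamAssassin or Anomy projects.
#
# Assumed Maildrop recipe fragment (paths and mailbox names are made up):
#
#   xfilter "spamassassin"
#   xfilter "/usr/local/bin/sanitizer.pl /etc/sanitizer.cfg"
#   xfilter "/usr/local/bin/tagmail.sh --filter"
#   if (/^Subject: \[SPAM\]/)   { cc "$HOME/Maildir/.spam-pit/" }
#   if (/^Subject: \[VIRIII\]/) { cc "$HOME/Maildir/.virus-pit/" }
#   to "$DEFAULT"
#
# Reads one message on stdin, writes it to stdout with the Subject tagged.

# ASSUMPTION: a MIME part whose name starts with "DEFANGED-" is one the
# sanitizer rewrote.  Adjust to the marker your sanitizer version emits.
VIRUS_PATTERN='name="?DEFANGED-'

# classify: print "spam", "virus" or "clean" for the message on stdin.
# The header block ends at the first empty line; the SpamAssassin verdict
# is only honoured there, the attachment marker only in the body.
classify() {
    awk -v vpat="$VIRUS_PATTERN" '
        !inbody && /^$/ { inbody = 1; next }
        !inbody && tolower($0) ~ /^x-spam-status:[ \t]*yes/ { spam = 1 }
        inbody && $0 ~ vpat { virus = 1 }
        END {
            # A spam that also carried a dropped executable goes to the
            # virus pit, so the virus verdict wins.
            if (virus)     print "virus"
            else if (spam) print "spam"
            else           print "clean"
        }'
}

# tag_subject TAG: copy stdin to stdout with TAG prefixed to the first
# Subject: line of the header block.  A message without a Subject gets one
# inserted before the blank line so the tag is always visible in the Inbox.
tag_subject() {
    awk -v tag="$1" '
        !inbody && /^$/ {
            if (!done) { print "Subject: " tag; done = 1 }
            inbody = 1
        }
        !inbody && !done && tolower($0) ~ /^subject:/ {
            sub(/^[^:]*:[ \t]*/, "")
            $0 = "Subject: " tag " " $0
            done = 1
        }
        { print }'
}

# Filter mode: the message must be read twice (classify, then tag), so it
# is spooled to a temp file.  A failure to create it exits 75 (EX_TEMPFAIL)
# so the MTA queues the message instead of bouncing it.
main() {
    tmp=$(mktemp) || exit 75
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"
    case $(classify < "$tmp") in
        spam)  tag_subject '[SPAM]'   < "$tmp" ;;
        virus) tag_subject '[VIRIII]' < "$tmp" ;;
        *)     cat "$tmp" ;;
    esac
}

# Only act as a filter when asked, so the functions can be sourced and
# exercised on their own.
if [ "${1:-}" = "--filter" ]; then
    main
fi
```

Try it with a saved message: sh tagmail.sh --filter < spam.eml.  Because
the sanitizer's own output marker is what the virus rule keys on, confirm
it against a real sanitized message before trusting the [VIRIII] tag.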