Subject: Re: recommendations for virus/worm scanning software?
To: Julio M. Merino Vidal <jmmv@menta.net>
From: Michael Wolfson <michael@nosflow.com>
List: tech-pkg
Date: 09/20/2003 10:52:08
On Saturday, September 20, 2003, at 10:02 AM, Julio M. Merino Vidal wrote:

> I'm interested in setting up spamassassin here, together with procmail,
> and having some reference files could be cool :)  Can you send me a copy
> please?

In general, the defaults for spamassassin are quite good.  Changing the  
config file is easy.  Procmail is arcane and annoying to configure.

Spamassassin requires a lot of memory -- on my HP9000/433s system with  
32 MB RAM spamd kept dying.  spamd on my SPARCclassic with 72 MB RAM  
works like a champ, albeit slowly (~30s/message).  For high volume mail  
servers, make sure the system has lots of RAM and plenty of CPU.

Some handy procmail references (in addition to procmail(1)):
http://www.iki.fi/era/procmail/mini-faq.html
http://www.ii.com/internet/robots/procmail/qs/
http://www.iki.fi/era/rbl/rbl.html

spamassassin docs can be read with:
$ perldoc Mail::SpamAssassin::Conf

I've also installed pkgsrc/mail/p5-razor-agents which helps with spam  
detection.  No configuration necessary.

Hope this helps,
   -- MW


I don't have procmail turned on by default in postfix -- each user can  
set that up with a ~/.forward file.  This works with most mailers that  
support ~/.forward files.
"|/usr/pkg/bin/procmail"

I start/stop spamassassin as such:
$ /usr/pkg/bin/spamd -acdm 5 --user-config --pidfile /var/run/spamd.pid
$ kill `cat /var/run/spamd.pid`


The system-wide spamassassin prefs are in  
/usr/pkg/etc/spamassassin/local.cf

###########################################################################
# Make sure you white-list your own MAILER-DAEMON!
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from        someone@somewhere.com
whitelist_from  MAILER-DAEMON@my.domain.com

#report_safe
#0 only add headers
#1 attach spam as message/rfc822
#2 attach spam as text/plain
report_safe 0

#add bl.spamcop.net blackhole list
score RCVD_IN_BL_SPAMCOP_NET    3

#don't trust windows executables
score MICROSOFT_EXECUTABLE      2.5

#alternative spam clearinghouses
use_dcc 0
use_pyzor 0
use_razor1 0
use_razor2 1

#built-in bayes filter and whether it will auto-learn from high scoring spam
use_bayes 1
auto_learn 1
#default is -2.0
auto_learn_threshold_nonspam 0.0
#default is 15.0
auto_learn_threshold_spam 11.0

#check multiple received lines
num_check_received 3

#osirusoft is dead :(
score   RCVD_IN_OSIRUSOFT_COM   0
score   X_OSIRU_DUL             0
score   X_OSIRU_DUL_FH          0
score   X_OSIRU_OPEN_RELAY      0
score   X_OSIRU_SPAM_SRC        0
score   X_OSIRU_SPAMWARE_SITE   0



Each user's personal spamassassin prefs are in ~/.spamassassin/user_prefs,
which is initially copied (if it doesn't exist) from
/usr/pkg/etc/spamassassin/user_prefs.template .  The way I have it set up,
it puts the tag [SPAM] in the subject line, making it easier for client
programs to filter out spam.

###########################################################################
# How many hits before a mail is considered spam.
required_hits           5.5

# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from        someone@somewhere.com

# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HEADER_8BITS            0
# score HTML_COMMENT_8BITS      0
# score SUBJ_FULL_OF_8BITS      0
# score UPPERCASE_25_50         0
# score UPPERCASE_50_75         0
# score UPPERCASE_75_100        0

# Turn off re-write subject if you don't like [SPAM] put in your Subject: line.
rewrite_subject 1
subject_tag [SPAM]

#uncomment for only english messages
#ok_locales en
#ok_languages en

# following "OBFUSCATING_COMMENT"
body OBFUSCATING_COMMENT2 /(<\![[:print:]]+>).+\1.+\1.+\1.+\1/
describe OBFUSCATING_COMMENT2 HTML comments which obfuscate text
score OBFUSCATING_COMMENT2 4.0

# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
score OBFUSCATING_COMMENT 4.0
score HTTP_EXCESSIVE_ESCAPES 2.0
score RAZOR2_CHECK 3.5
score MIME_SUSPECT_NAME 1.0
score MIME_HTML_ONLY 0.5



Each user's procmail prefs are in ~/.procmailrc .  I've got mine set up
to log procmail to ~/.procmail.log and dump spam into ~/mail/spambox
and worms into ~/mail/wormbox .  It tries to dump suspected worms
without bounces (no need to clog up the net more than it already is
during a worm attack) and bounce spam with "user unknown" error
messages (in the futile hope they'll give up on me).  Some of the
chicanery in this file is so that .exe files from auto-white-listed
sources without worm-like headers will pass through.

###########################################################################
SHELL=/bin/sh
VERBOSE=no
LOGFILE=$HOME/.procmail.log
SPAM=$HOME/mail/spambox
WORM=$HOME/mail/wormbox
FROM="^(From[   ]|(Old-|X-)?(Resent-)?(From|Reply-To|Sender):)(.*\<)?"
#puts a newline between log entries
LOG="
"

#silently ditch all messages purportedly coming from Microsoft
:0 H
* $ ${FROM}.*microsoft
{
   :0
   # save message in wormbox
   $WORM
}

#silently ditch all messages with dangerous attachments before spamassassin runs
:0 H
* ^Content-type: (multipart/(mixed|alternative))
{
      :0 B
#     * ^Content-Disposition: (attachment|inline)
      * Transfer-Encoding:
      # procmail ANDs all conditions of a recipe, so the extensions go in a
      # single alternation; split over two conditions, only a message carrying
      # both kinds of attachment would match
      * name=.*\.(asd|bat|chm|cmd|com|dll|hlp|hta|inf|js|jse|lnk|ocx|pif|scr|shb|shm|shs|sys|vb|vbe|vbs|vbx|vxd|wsf|wsh)(")?$
      # save message in wormbox
      $WORM
}

#run spamassassin (with lock file and only if message is less than 200 KB)
:0fw: spamassassin.lock
* < 200000
| spamc

#quietly dump spam over 5.0 with a .exe file (probably virus)
:0 H
* ^X-Spam-Level: \*\*\*\*\*
{
   :0 B
   * ^Content-type: (multipart/(mixed|alternative))
#  * ^Content-Disposition: (attachment|inline)
   * Transfer-Encoding
   * name=.*\.(exe)(")?$
   # save message in wormbox
   $WORM
}

#bounce spam over 5.5 and save to spambox
:0 H
* ^X-Spam-Flag: YES
#* ^X-Spam-Level: \*\*\*\*\*\*
{
     # EX_NOUSER = 67 from sysexits.h
     # bounce mail with a "user unknown" message
     EXITCODE = 67
     :0
     # also save message in spambox
     $SPAM
#    /dev/null
}

#everything else gets delivered
:0
$DEFAULT
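As an added example, not part of the original post: the routing decisions of the .procmailrc above, redone in Python with proper MIME parsing so attachment names come from each part's Content-Disposition/Content-Type headers instead of a regex over the raw body. It goes a little further than the recipes by inspecting every MIME part, not only multipart/mixed or multipart/alternative messages. The route() helper, the mailbox names and the sample message are constructed.

```python
import re
from email import message_from_string

# Extension list merged from the two attachment recipes above
WORM_EXTS = {"asd", "bat", "chm", "cmd", "com", "dll", "hlp", "hta", "inf", "js",
             "jse", "lnk", "ocx", "pif", "scr", "shb", "shm", "shs", "sys", "vb",
             "vbe", "vbs", "vbx", "vxd", "wsf", "wsh"}
EXE_STARS = 5   # .exe plus X-Spam-Level of ***** or more -> wormbox
EX_NOUSER = 67  # sysexits.h: MTA bounces the message as "user unknown"
SENDER_HEADERS = ("From", "Reply-To", "Sender", "Resent-From")

def attachment_exts(msg):
    """Lower-cased extension of every MIME part that carries a filename."""
    exts = set()
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name:
            exts.add(name.rsplit(".", 1)[1].lower())
    return exts

def route(raw):
    """Return (mailbox, exit_code) the way the .procmailrc files a message."""
    msg = message_from_string(raw)
    senders = " ".join(str(msg.get(h, "")) for h in SENDER_HEADERS)
    if re.search("microsoft", senders, re.I):       # recipe 1: purported MS mail
        return ("wormbox", 0)
    exts = attachment_exts(msg)
    if exts & WORM_EXTS:                             # recipe 2: dangerous attachment
        return ("wormbox", 0)
    stars = msg.get("X-Spam-Level", "").count("*")  # spamd: one '*' per point
    if stars >= EXE_STARS and "exe" in exts:         # recipe 4: spammy .exe
        return ("wormbox", 0)
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":  # recipe 5
        return ("spambox", EX_NOUSER)                # keep a copy, then bounce
    return ("inbox", 0)                              # $DEFAULT

# Constructed sample: a double extension hides a .pif behind "photo.jpg"
WORM_MSG = """From: friend@example.com
To: me@example.com
Subject: photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Disposition: attachment; filename="photo.jpg.pif"

AAAA
--b1--
"""
```

A plain .exe with no spam stars is deliberately let through, matching the post's intent for auto-white-listed senders.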