Spam

From Antiflux Wiki

Revision as of 18:32, 20 February 2005 by Tim (Talk | contribs)


Overview

We hate spam and viruses. Our goal is to block 100% of them without blocking any legitimate email. We also realize that our goal is nearly impossible to reach in the real world. As a compromise, we attack the problem from three sides.

Conservative policy to bounce messages based on sending server address

The server uses the Spamhaus SBL and XBL to reject mail from known spammers. Messages are bounced back to the sender with a message explaining why the message was rejected. End users do not need to configure anything.

More aggressive spam analysis with user-configurable filtering

Okcomputer runs incoming mail through Spamassassin before delivering it. If Spamassassin determines that the email is spam, it tags it with a special header but it does not reject it. Users can configure their email programs to automatically delete the tagged email or sort it into a special folder. This gives users control over how they want to filter their email, by choosing thresholds and particular tests.

Virus scanning

On top of analyzing messages for spam characteristics, okcomputer also uses Amavis to scan for viruses. Like Spamassassin, Amavis inserts special headers into the messages to let the end user decide what to do with incoming viruses.

Statistics

We also keep some rough spam statistics (daily graph: http://antiflux.org/mrtg/spam-day.png).

Filtering tagged email

For specific directions on configuring your email program to filter mail based on header information, we suggest reading the UBC spam filtering page. Basically, Spamassassin inserts two special headers like the following.


X-Spam-Status: Yes, hits=10.7 required=5.0 tests=FROM_STARTS_WITH_NUMS,
        FROM_ENDS_IN_NUMS,NO_REAL_NAME,CLICK_BELOW,WEB_BUGS,BIG_FONT,
        CLICK_HERE_LINK,CTYPE_JUST_HTML version=2.20
X-Spam-Level: **********

You can configure your email application to check the email header (not the email body!) for either "X-Spam-Status: Yes" if you trust the system default threshold or "X-Spam-Level: ****" (adjust the number of * characters) if you want to pick your own threshold.

You can also filter based on the "tests=" section. Spamassassin performs a long list of tests on each message and tags the message with the names of the tests that indicate the message's possible spaminess. For example, if you want to filter out email from servers listed in the relays.ordb.org database, set your email program to check the X-Spam-Status header for the string " RCVD_IN_RELAYS_ORDB_ORG".

Example 1: filtering spam using procmail

Procmail is a very flexible mail processor with many uses, including sorting incoming mail into different folders. To have procmail dump email marked as spam into a special folder called "spamassassin", create (or edit) a file called .procmailrc in your home directory with the following text.

MAILDIR=$HOME/mail
:0:
* ^X-Spam-Status: Yes
spamassassin

(Optional) Create a directory called .procmail in your home directory (run "mkdir ~/.procmail" without the quotes) and add the following line to the top of your .procmailrc file to enable logging. This is useful for troubleshooting problems with procmail.

LOGFILE=$HOME/.procmail/log

Example 2: filtering viruses using procmail

Create a file called .procmailrc in your home directory, if you haven't already. Add the following to the end of your .procmailrc file to have procmail dump mail containing identified viruses to a folder called "virus".

:0:
* ^X-Amavis-Alert: INFECTED
virus

A note about "This email scanned by [...]" messages

Some systems, typically run by corporate IT departments with something to prove, like to advertise that they scan outgoing email for viruses and spam. You'll often see something like this.


Date: Fri, 5 Mar 2004 13:40:22 -0700 (MST)
From: William 'Bill' Lumbergh
To: Peter Gibbons
Subject: new cover sheets for TPS reports

Hey Peter, what's happening? Just wanted to let you know that we're putting
those new cover sheets on all TPS reports before sending them out now, so
if you can remember to do that from now on, that would be great.

Bill Lumbergh
"My other car is also a Porsche"

==================================================================
This message certified virus-free by CompuGlobal HyperScanner 2000
Enterprise Edition.
http://www.compuglobalhypermeganet.com/
==================================================================

That text at the end is worthless from a security point of view and is considered spam (i.e. advertising the scanner software/service) by some. Since it's only plain text, it would be trivial for a virus to add it to every message it sends out. Indeed, some viruses are starting to do just that. There might be some value in cryptographically signing the message so that people can verify it using a public key, but that's beyond the abilities of casual email users.

Scanning outgoing mail is essentially worthless because there's no (easy, secure) way for the recipient to trust the sender's scanner. It's up to the recipient's mail client (or mail server) to scan incoming mail. It's also nicer to add headers to the email rather than adding text to the message body since the scan message is metadata, not actual content.
