
Bouncing spam back to senders



Glocom
10-05-2003, 09:43 AM
When Spam Assassin identifies email as spam, is there an easy way to bounce it back to the sender directly?

Please note the word "easy" in my question. What with all the "fun" this past month, I don't have energy for anything that involves much time. Thanks.

FZ
10-05-2003, 10:05 AM
Use Procmail (http://www.procmail.org) for this. Make a file called .procmailrc and put it in /. Here is what should go in that file:


MAILDIR=/
LOGFILE=procmail.log
#VERBOSE=YES
LOGABSTRACT=YES
SHELL=/bin/sh

:0
* ^X-Spam-Flag: YES
{
EXITCODE=67
:0i
mail/rejected
}

:0:
${DEFAULT}


If you are uploading it via FTP, upload in ASCII mode. Once you have done that, you need to chmod 644 .procmailrc

Just a quick explanation of what this does: it checks to see if the SpamAssassin header indicating the mail is spam is present in the e-mail. If it is, it tells Sendmail to bounce the e-mail. The mail/rejected part moves the e-mail to a mailbox file called rejected in the mail directory (make sure the mail directory exists). I recommend moving it here so that you can use pine to view rejected e-mail before you delete it permanently. Alternatively, if you would like to delete the mail straight away, replace mail/rejected with /dev/null - I wouldn't recommend that though as you could potentially lose legit e-mail. Also, if you find you have problems or would like to view the log file to see what mails were deleted, it will be created as procmail.log (also in /). If you find you have problems, you can uncomment out the VERBOSE=YES by removing the # in front of it and then view the log file again to see if that helps.

If using this method does something really unexpected, rename or delete the .procmailrc file immediately. Remember that this file will affect all mail accounts on your domain. Enjoy.

Glocom
10-05-2003, 06:58 PM
Thanks -- I assume Procmail is not installed, so I will need to go through some process. Does anyone with experience know about how long it should take to set this all up for someone with limited experience?

FZ
10-05-2003, 07:00 PM
Glocom,

Sorry I was unclear in my post. Procmail is already installed (configured and operational) on all WestHost servers, so all you need to do is create that file and follow my steps as above.

bnicolas
10-06-2003, 07:31 AM
Westhost should be paying you.


Your posts have provided a great deal of info I've been trying to get from westhost on many occasions over the past month and a half.

Thank you.

ccwebb
10-06-2003, 08:26 AM
Fayez:

Is there any way to take this one step further?

Can mail caught by spamassassin be bounced based on a point scale?

Example:
If mail deemed to be spam has >20 points bounce and delete it.
If mail has 20 or less points keep so we can screen it.

Charlie

REC-WH
10-06-2003, 09:39 AM
Westhost should be paying you.


Your posts have provided a great deal of info I've been trying to get from westhost on many occasions over the past month and a half.

Thank you.


I agree completely! I have learned a lot from his posts! I don't understand why Westhost's staff does not provide more technical information & help.

Charlie

FZ
10-06-2003, 11:43 AM
bnicolas and REC-WH,

Thank you for the compliments! I love to help people, because in the process of doing so, I learn new things myself as well (as well as that warm fuzzy feeling I get when I know I have helped someone ;)). The fact that you guys find my posts helpful and have expressed this feeling is reward enough for me.

---

Charlie (ccwebb),

That's the beauty of SpamAssassin - it is already configured to be used in so many ways! I remember seeing this exact rule set up in a global Procmail file on my 1.0 account.

The easiest way to do it is like this:

1. Use the code as above.

2. Replace:


X-Spam-Flag: YES

with


X-Spam-Level: \*\*\*\*\*\*\*

Where each star represents 1.0 "spam-level" points (in this case, mail with a score of 7.0 or higher will be bounced). Add or remove stars as necessary; just remember to escape each one with a backslash \

3. If you make no other changes to the code, this mail will be rejected and moved to mail/rejected. If you want to delete it, replace mail/rejected with /dev/null. However, I cannot stress enough that you must do thorough testing before you make the move to delete mail (deletion in this case is permanent).

4. Send yourself some test mail (from an external mail account, not one off a WestHost server): I recommend sending one with "viagra" in the subject (which, by default, should not be enough to be bounced), a "normal" e-mail and then an e-mail with the following string in the message body:


XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

That last one warrants an explanation, but I'll leave it up to this page: http://www.spamassassin.org/gtube/

That's a special string that will give that particular mail a score of 1000, so it should definitely be bounced. If the first two mails come through alright and the third is bounced, consider your mail filter successful ;)

Let me know how it goes.
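
The following is an added example (not code from the thread) that simulates how the two Procmail conditions in this thread decide a message's fate: the original `^X-Spam-Flag: YES` condition and the star-count `^X-Spam-Level:` condition from steps 1-3 above. It assumes what SpamAssassin writes into the headers (one `*` per whole point of score, fractions dropped; `X-Spam-Flag: YES` only when the score reaches the `required` threshold, 5.0 as in this thread) and models Procmail's default behaviour of matching conditions against the header block only, case-insensitively. The sample messages are constructed inline, and whether SpamAssassin caps the star count for a 1000-point GTUBE message is not relied on.

```python
"""Simulate the Procmail conditions from this thread on constructed messages.

Added example; assumptions: SpamAssassin emits one '*' per whole point of
score in X-Spam-Level (fractions dropped), sets X-Spam-Flag: YES only at or
above required=5.0, and Procmail matches '*' conditions against the header
block only (its default H flag) and case-insensitively (also the default).
"""
import re

REQUIRED = 5.0  # the score threshold ccwebb mentions (SpamAssassin 'required')


def stars_for_score(score: float) -> str:
    """Assumed SpamAssassin behaviour: one star per whole point, fractions dropped."""
    return "*" * max(0, int(score))


def level_condition(min_stars: int) -> str:
    """The condition body from step 2: ^X-Spam-Level: followed by min_stars
    backslash-escaped stars ('*' is a regexp metacharacter). No end anchor, so
    any header with at least that many stars matches."""
    return "^X-Spam-Level: " + r"\*" * min_stars


FLAG_CONDITION = "^X-Spam-Flag: YES"  # the condition from the first recipe


def build_message(subject: str, score: float) -> str:
    """Constructed sample with the headers SpamAssassin adds; not a real mail."""
    spam = score >= REQUIRED
    lines = [
        "From: sender@example.invalid",  # constructed placeholder address
        f"Subject: {subject}",
        f"X-Spam-Status: {'Yes' if spam else 'No'}, score={score} required={REQUIRED}",
        f"X-Spam-Level: {stars_for_score(score)}",
    ]
    if spam:
        lines.append("X-Spam-Flag: YES")
    return "\n".join(lines) + "\n\nmessage body\n"


def condition_matches(raw_message: str, condition: str) -> bool:
    """Apply one '* regexp' condition the way Procmail does by default:
    header block only, '^' anchored at line starts, case-insensitive."""
    headers = raw_message.split("\n\n", 1)[0]
    return re.search(condition, headers, re.MULTILINE | re.IGNORECASE) is not None


def route(raw_message: str, condition: str) -> str:
    """'rejected' models the { EXITCODE=67 ... mail/rejected } block (bounce and
    file a copy); 'inbox' models falling through to the ${DEFAULT} recipe."""
    return "rejected" if condition_matches(raw_message, condition) else "inbox"


def demo(threshold_stars: int = 7) -> dict:
    """Run the three test mails suggested in step 4 through both conditions.
    Returns {name: (flag_result, level_result)}."""
    samples = {
        "normal": ("lunch tomorrow?", 0.2),
        "viagra": ("viagra", 3.1),      # below 'required', so not flagged
        "gtube": ("GTUBE test", 1000.0),  # GTUBE scores 1000 per the thread
    }
    results = {}
    for name, (subject, score) in samples.items():
        msg = build_message(subject, score)
        results[name] = (route(msg, FLAG_CONDITION),
                         route(msg, level_condition(threshold_stars)))
    return results


if __name__ == "__main__":
    for name, (by_flag, by_level) in demo(7).items():
        print(f"{name:7s} flag-rule={by_flag:9s} 7-star-rule={by_level}")
```

Changing the argument of `demo()` reproduces the 10-star variant discussed later in the thread: a 9.99-point message carries only nine stars and falls through to the inbox, while a 10.0-point message is caught.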

ccwebb
10-06-2003, 12:08 PM
Fayez:

Thanks for the reply!

For my clarification -
Right now I have a score of 5.0 set in spamassassin.

Then I set the code as you indicated with 10 stars (*).

Then mail with >9.99 points will go to mail/rejected.

Mail with 5.0 - 9.99 points will still be coded as spam but will flow thru to my mail program (Outlook Express). Here I'll trap it and put it in a folder of my choosing.

Mail with < 5.00 points will be left alone and will flow thru per normal into Outlook Express.

Right???

Charlie

FZ
10-06-2003, 12:20 PM
Correct. Only mail with a score greater than (or exactly equal to) the number of stars is moved/deleted. Mail with fewer stars (i.e. a lower score) will still make it to your mail program. That was the point of sending a mail with "viagra" in the subject - it will have a score less than 7 (about 3.0, I think) so it should *not* be bounced.

ccwebb
10-06-2003, 12:24 PM
Fayez:

Thanks again!

I'll get back to you after I try this.

Charlie

FZ
10-06-2003, 12:35 PM
No problem :)

ccwebb
10-06-2003, 01:07 PM
Fayez:
Is this correct? (* ^ before X-Spam-Level)


MAILDIR=/
LOGFILE=procmail.log
#VERBOSE=YES
LOGABSTRACT=YES
SHELL=/bin/sh

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
{
EXITCODE=67
:0i
mail/rejected
}

:0:
${DEFAULT}

Exactly where do you put the mail/rejected folder? I made it /var/mail/rejected.

If this all correct then the 1000 point rule does not get caught. It does get coded as spam but it flows thru to OE.

Charlie

FZ
10-06-2003, 02:07 PM
Charlie,

That code looks fine. "rejected" is not a folder - it's a mailbox file that is automatically created (by Procmail). The "mail" is the folder that you need to create in root (/). You can remove the rejected folder from /var/mail - it's not required. However, it's weird that the filter did not catch the spam. Make the above changes and try again. If it still does not work, uncomment out the VERBOSE=YES (by removing the # before it) and then try again. Have a look at your procmail.log to see if it can give you any clue as to what is happening. Also make sure that your SpamAssassin sets the X-Spam-Level: header with stars (and with 10 or more in the case of the 1000 point e-mail). Other things to consider are that you have CHMOD 644 .procmailrc and if you uploaded it via FTP, that you uploaded it to / in ASCII mode.

FZ
10-07-2003, 12:40 PM
Glocom and Charlie (ccwebb),

Have you guys had any luck getting it working?

ccwebb
10-07-2003, 02:03 PM
Fayez:

Sorry for the delay. It codes the 1000 point message as spam but it does not catch it into the mail/rejected folder.

Here is the log


procmail: Skipped "
"
procmail: [19117] Tue Oct 7 13:58:11 2003
procmail: Skipped "
"
procmail: Assigning "LOGABSTRACT=YES"
procmail: Skipped "
"
procmail: Assigning "SHELL=/bin/sh"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: No match on "^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: Skipped "
"
procmail: Locking "
"
procmail: Assigning "LASTFOLDER=/var/spool/mail/congregationalchurch"
procmail: Opening "/var/spool/mail/congregationalchurch"
procmail: Acquiring kernel-lock
procmail: Unlocking "
"
procmail: Notified comsat: "congregationalchurch@0:/var/spool/mail/congregationalchurch"
From ccwebb@comcast.net Tue Oct 7 13:58:08 2003
Subject: **POSSIBLE SPAM** test with 1000 point spam
Folder: /var/spool/mail/congregationalchurch 3619


Charlie

FZ
10-07-2003, 03:38 PM
Hi Charlie,

With all that procmail: Skipped "... in there, it looks like there is a (syntax) error or something in your .procmailrc. Make sure you don't have any extra spaces at the ends of all the lines, and don't use more than one empty line to separate blocks of code. If this still does not work, I can e-mail you my working version and you can use that directly to see if it helps. In that case, please PM me your e-mail address.
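
As an added example (not code from the thread), here is a small checker for the three things the reply above asks Charlie to look for in a .procmailrc: trailing spaces at line ends, more than one empty line between blocks, and stray characters such as the carriage returns a Windows-style upload leaves behind (a plausible cause of the `Skipped "` lines in the log, since a CR prints as a line break; this is an inference, not something the log states). It also compiles each `* ` condition as a regular expression, which is only an approximation of Procmail's own regexp engine. The two sample files are constructed inline: `BAD_RC` is the thread's recipe saved with CRLF line endings and a trailing space, `GOOD_RC` the same text cleaned up.

```python
"""Lint a .procmailrc for the defects discussed in this thread.

Added example. Python's re module is used only to approximate Procmail's
regexp syntax; the line-ending and whitespace checks are exact.
"""
import re

# Constructed sample: the recipe from this thread as it would look after a
# binary-mode FTP upload from Windows (CRLF) with a stray space after the stars.
BAD_RC = (
    b"MAILDIR=/\r\nLOGFILE=procmail.log\r\n#VERBOSE=YES\r\nLOGABSTRACT=YES\r\n"
    b"SHELL=/bin/sh\r\n\r\n:0\r\n* ^X-Spam-Level: \\*\\*\\*\\*\\*\\*\\* \r\n"
    b"{\r\nEXITCODE=67\r\n:0i\r\nmail/rejected\r\n}\r\n\r\n:0:\r\n${DEFAULT}\r\n"
)

# The same recipe with Unix line endings and the trailing space removed.
GOOD_RC = BAD_RC.replace(b"\r\n", b"\n").replace(b"\\* \n", b"\\*\n")


def lint_procmailrc(data: bytes) -> list[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    if b"\r" in data:
        problems.append("carriage returns present: re-upload in ASCII mode or "
                        "convert CRLF to LF")
    blank_run = 0
    for number, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")  # already reported above; judge the rest
        if line != line.rstrip():
            problems.append(f"line {number}: trailing whitespace")
        if line.startswith(b"* "):
            pattern = line[2:].decode("ascii", errors="replace")
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f"line {number}: condition does not compile: {exc}")
        blank_run = blank_run + 1 if line.strip() == b"" else 0
        if blank_run == 2:
            problems.append(f"line {number}: more than one empty line in a row")
    return problems


def is_clean(data: bytes) -> bool:
    return lint_procmailrc(data) == []


if __name__ == "__main__":
    for name, rc in (("BAD_RC", BAD_RC), ("GOOD_RC", GOOD_RC)):
        print(name, "->", lint_procmailrc(rc) or "clean")
```

To run it on a real file, read it in binary mode (`lint_procmailrc(open("/.procmailrc", "rb").read())`) so the carriage returns survive; reading in text mode would silently translate them away and hide the very problem being looked for.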

ccwebb
10-07-2003, 06:05 PM
Fayez:

I've been in and out a lot today - I'll check out the syntax later this evening and get back to you via PM (assuming it doesn't work).

Thanks!

Charlie

Glocom
10-13-2003, 09:23 AM
Sorry for the delay, I haven't had time to actually do this. I just tried, though, and for some reason I can't FTP into my site. I've been FTPing quite often for the past month, but this time I can't access either of my sites (it says error 550, directory not found). Westhost was working on some things just now, so I'll try again.

jalal
10-13-2003, 09:33 AM
Hi Fayez

I had a go at bouncing the spam back to whence it came...

Trouble is, if the return address is a fake address, then sendmail can't deliver it, puts in a queue and tries to resend it at intervals up to five days. It keeps sending me "Postmaster notify... " messages to tell me that it can't be sent.

Did you have that problem, if so, did you find a solution?

FZ
10-13-2003, 02:29 PM
Hey Jalal,

Actually, I don't bother wasting WestHost's resources replying to the 50 spam e-mails I get each day. You're right, most of the addresses are spoofed, so it does not make that much of a difference bouncing them. But, if by "fake" you mean they are addresses that aren't even valid e-mail addresses, you could set up a regexp to check if the From: is valid. All I do is delete mail with an exceptionally high score and move mail that is marked as spam but has a lowish score so I can check it out with Pine via SSH before deleting it forever. I use Procmail to block those Worm-infested e-mails and to block mailer-daemon messages that send me mail telling me my e-mail could not be delivered because it had a virus in it (ahhh, gotta love those From: spoofing viruses).

wildjokerdesign
10-13-2003, 02:40 PM
Fayez,

I wonder if you would be willing to post the complete steps you used for what you mentioned above. It may be that you have already and I just can not find it. You are welcome to post it on my board if you like hint hint... if you think it may just get lost here. I even switched the default style back to subSilver to make it easier on folks.

http://wildjokerdesign.com/phpBB2/

Shawn

jalal
10-13-2003, 02:51 PM
Hi Fayez

Like you, I just delete them (or tag them). I thought it would be fun to try bouncing them, but it wasn't worth it and it just wastes resources and bandwidth.
By fake, I mean either domains that don't exist, or emails that have been closed down through spam reports (which can easily happen within an hour of the spam starting out).

I'm looking at setting up sendmail to check with Spamhaus RBL (or some other maybe), but don't have time this week, I'll let you know if it works out.

Maybe even post it to Shawns board :)

Glocom
10-17-2003, 09:51 AM
Fayez,
I found a procmailrc file already existing in /etc -- so rather than creating a new file, I just added the lines you suggested at the end (being careful to eliminate extra blank spaces or double line spaces). I also changed permissions to 644 (rw-r-r) as you mentioned. Anyway, I did a couple of test emails and it seems to be working perfectly. Thanks very much!

FZ
10-17-2003, 04:04 PM
I'm glad it worked ;)

JDE
10-24-2003, 05:54 PM
Jalal,
I'm glad I spotted your post, I have been looking at Spamhaus myself, their installation documentation is almost non-existent. I thought it was a filter service that could be used with spamassassin. I guess I got that impression from a post or website somewhere. If you do get time I would like to know how also. The filter I use with spamassassin took a while to build, there are over 2000 IPs and 1800 web sites in my filter and they keep changing (growing). A week ago I knocked out the last of them by blocking Yahoo.com, now I get no mail. I switched from e-mail blocks to IP blocks when my e-mail list reached 200,000, did not work anyway, spammers keep changing their addresses. There has to be a better way!

In the future I will avoid this problem by locking and encrypting all my web pages.
Johnie

jalal
10-25-2003, 01:14 AM
Spamhaus (and other RBLs) keep an up-to-date list of spammers. Therefore, we can set up sendmail (which is the program that is handling the email delivery) to check with Spamhaus every time an email arrives, and refuse the email if that domain is on their block list. They don't have installation documentation because they simply provide a free service; what others do with it is up to them. It's actually run and funded by a guy on a houseboat in London.

In theory, it is very simple to set up, just a couple of lines in the sendmail configuration file. The tricky part is checking that it really is working, which means monitoring the mail flow very closely for a day or two, and that is the part that I haven't had time for.

There are *many* references to the whole procedure on the web, do a search for 'sendmail rbl configuration' or 'sendmail spam blocking' for example.

HTH

brdsolutions
06-14-2004, 12:57 PM
Let me see if I am getting this right??? Make a file named .procmailrc in the root dir with this syntax:

MAILDIR=/
LOGFILE=procmail.log
VERBOSE=YES
LOGABSTRACT=YES
SHELL=/bin/sh

:0
* ^X-Spam-Flag: YES
{
EXITCODE=67
:0i
mail/rejected
}

:0:
${DEFAULT}


Is this a time sensitive change? I keep seeing that people are waiting 12 to 24 hrs for this to take effect. I have done this and there seems to be no change or blocking. Is there anything I need to do to "/etc/procmailrc" or do I need to make any directories??
Reading the forum has been very helpful so far but I still feel like I am at stage one.

jalal
06-14-2004, 02:06 PM
Hi brdsolutions

The default, global procmail rules file is at /etc/procmailrc. That is applied to all accounts and mail. Take a look at it to see what is in there.

Per user procmail rules go in the user's directory. If it is the default user (i.e. mydomain@mydomain.com) then it will live in /.procmailrc
Otherwise they live in /ftp/pub/username/.procmailrc

There is no delay in having the settings taken, it should be immediate.
Note that you must have spamassassin installed for the X-Spam-Flag rule to have any effect.

You can check in the log file you have specified for details on what is happening, you have it set to verbose so you should get all the detail that you need. (although, I'm not sure, but the VERBOSE flag may have to be set in the /etc/procmailrc file...)

HTH