Re: FILTER_README suggestions
From: mouss (usebsd free.fr)
Date: Fri Sep 01 2006 - 17:39:15 CDT
Wietse Venema wrote:
> Postfix's FILTER_README was written long before backscatter became
> a problem. The first example (see below signature) has a warning
> not to reject mail:
>
> Note: in this time of mail worms and spam, it is a BAD IDEA to
> send known viruses or spam back to the sender, because that
> address is likely to be forged. It is safer to discard known
> to be bad content and to quarantine suspicious content so that
> it can be inspected by a human being.
>
> Unfortunately, the text gives no example of how one would implement
> this advice. Personally, I use no external filter so I have a hard
> time coming up with field-tested examples.
>
> What do people use:
>
> - Have the filter return a distinct exit status that says "discard"?
>
> - Have the filter insert a "badness" indicator in a message header,
> and dispose of bad mail with Postfix HOLD/DISCARD actions, maildrop
> rules, cyrus sieves, or procmail filters?
>
> - Something completely different? Maybe no-one uses the pipe+sendmail
> example and we can drop it from the documentation.
>
>
I favour tag & deliver, be that to a Junk folder or somewhere else. So I
configure the filters to tag all mail (spam or not), and use these in
maildrop to deliver to a Junk folder.
Here is an example with spamassassin + courier-imap (the .folder
notation below) + maildrop 2.x:

    # SpamAssassin tagged the message as spam: file it in the Junk folder
    if (/^X-Spam-Flag:\s*YES/)
    {
        exception {
            to "$DEFAULT/.Junk/";
        }
    }

With dspam, this would be

    if (/^X-DSPAM-Result: Spam/)
    ...

For amavisd-new banned attachments:

    if (/^X-Amavis-Alert:\s*BANNED/)
    ...

For bogofilter, one would use

    # capture the bogofilter verdict and its spamicity score
    /^X-Bogosity:\s*(\S+),.*\s+spamicity=([\d\.]+)/
    BOGO_STATUS="${MATCH1}"
    BOGO_SCORE="${MATCH2}"

and decide based on these vars (bogofilter has "unsure" result, so the
decision here is not binary).
...

This may be either per-site (maildroprc) or per-user (.mailfilter).
PS. One can implement a "committee" where the final disposition is a
function of the individual filter tags (if SA and bogo agree, you have
more confidence in the result, ... etc). This however needs real
measurements to get any justification...
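
The "committee" idea from the PS, sketched in Python as an added example that is not part of the original post: it reads the SpamAssassin, DSPAM and bogofilter tags matched by the maildrop rules above and combines them into one disposition. The two-vote threshold, the `.Unsure` folder and the rule that a duplicated tag header is ignored are assumptions made for illustration, not measured settings.

```python
import email
import re

# Tag patterns taken from the maildrop rules in the post.
SA_RE = re.compile(r"\s*YES")
DSPAM_RE = re.compile(r"\s*Spam")
BOGO_RE = re.compile(r"\s*(\S+),.*\s+spamicity=([\d.]+)")

def single(msg, name):
    """Header value if it occurs exactly once, else None (assumption: a
    duplicated tag may have been injected by the sender, so it gets no vote)."""
    values = msg.get_all(name) or []
    return values[0] if len(values) == 1 else None

def votes(raw):
    """Map filter -> +1 (spam), -1 (ham), 0 (unsure); untagged filters are absent."""
    msg, out = email.message_from_string(raw), {}
    sa = single(msg, "X-Spam-Flag")
    if sa is not None:
        out["spamassassin"] = 1 if SA_RE.match(sa) else -1
    ds = single(msg, "X-DSPAM-Result")
    if ds is not None:
        out["dspam"] = 1 if DSPAM_RE.match(ds) else -1
    bogo = single(msg, "X-Bogosity")
    m = BOGO_RE.match(bogo) if bogo is not None else None
    if m:
        out["bogofilter"] = {"Spam": 1, "Ham": -1}.get(m.group(1), 0)
    return out

def disposition(raw):
    """Hypothetical rule: Junk needs two spam votes and no ham vote;
    any other spam vote lands in a review folder."""
    v = list(votes(raw).values())
    spam, ham = v.count(1), v.count(-1)
    if spam >= 2 and ham == 0:
        return ".Junk"
    if spam >= 1:
        return ".Unsure"
    return "INBOX"

# Constructed sample messages (not real mail).
TAIL = "Subject: test\n\nbody\n"
AGREE = "X-Spam-Flag: YES\nX-Bogosity: Spam, tests=bogofilter, spamicity=0.999\n" + TAIL
SPLIT = "X-Spam-Flag: YES\nX-Bogosity: Ham, tests=bogofilter, spamicity=0.010\n" + TAIL
# A sender-supplied "X-Spam-Flag: NO" ahead of the filter's own tag must not veto.
FORGED = "X-Spam-Flag: NO\nX-DSPAM-Result: Spam\n" + AGREE

if __name__ == "__main__":
    for label, raw in (("agree", AGREE), ("split", SPLIT), ("forged", FORGED)):
        print(label, votes(raw), disposition(raw))
```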