exim: dropping spam based on score threshold?

jnagro

Active Member
Jun 28, 2003
I've made exim servers deny spam based on a score threshold, i.e. if the score is above X don't accept the message (deny) or :fail: it. I've poked around the cPanel config and its Perl functions but I'm having a hard time adding it. Does anyone know where/how I can do that? I'm assuming ClamAV also won't accept malware? (deny? or :fail:?)
 

jnagro

Active Member
Jun 28, 2003
figured it out...

I added this to the 'check_message' ACL:

Code:
deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}
which will deny any mail with a spam score of 15 or higher (FYI: Exim will do something like score * 10 = 150, hence the 150)
 

mickalo

Well-Known Member
Apr 16, 2002
N.W. Iowa
Very handy :) Added it through the Exim Editor and watched the log file. Seems to work quite nicely:
Code:
tail -f /var/log/exim_rejectlog | grep "Spam score too high"

2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(dsl85-98-16622.ttnet.net.tr) [85.98.64.238] F=<[email protected]> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=foreaud.classcom.pl [195.150.77.145] F=<[email protected]> rejected after DATA: Spam score too high (17.8)
2006-12-05 15:47:36 1Gri8M-0006T5-03 H=foreaud.classcom.pl [195.150.77.145] F=<[email protected]> rejected after DATA: Spam score too high (22.2)
Thx's
Mickalo
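
Added example (not part of the original posts): a shell helper for reading the reject log shown above, so that rejections landing just over the threshold can be reviewed for false positives before the limit is lowered. It assumes the ACL message text "Spam score too high (N)" from this thread; the function names are made up for the example, and the sample log lines are constructed with documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample in the layout of the exim_rejectlog lines quoted above
# (documentation-range IPs, placeholder senders); the last line is unrelated.
sample_log() {
cat <<'EOF'
2006-12-05 15:45:56 1AAAAA-000001-AA H=(host-a.example) [192.0.2.10] F=<a@example.net> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1AAAAA-000002-AA H=mx.example.org [198.51.100.7] F=<b@example.org> rejected after DATA: Spam score too high (15.3)
2006-12-05 15:47:36 1AAAAA-000003-AA H=mx.example.org [198.51.100.7] F=<c@example.org> rejected after DATA: Spam score too high (22.2)
2006-12-05 15:48:01 1AAAAA-000004-AA H=other.example [203.0.113.5] F=<d@example.com> rejected RCPT <x@example.com>: relay not permitted
EOF
}

# spam_rejects < log : print "score ip" for each DATA-time spam rejection.
spam_rejects() {
    awk '/rejected after DATA: Spam score too high \(/ {
        score = $0
        sub(/.*Spam score too high \(/, "", score)   # drop text before the score
        sub(/\).*/, "", score)                       # drop the closing ")"
        ip = "unknown"
        if (match($0, /\[[0-9A-Fa-f:.]+\]/))         # first [address] on the line
            ip = substr($0, RSTART + 1, RLENGTH - 2)
        print score, ip
    }'
}

# top_senders < log : "count ip" per sending host, busiest first.
top_senders() {
    spam_rejects | awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# borderline THRESHOLD MARGIN < log : number of rejections whose score is at
# most THRESHOLD + MARGIN, i.e. the ones closest to being accepted.
borderline() {
    spam_rejects | awk -v max="$1" -v margin="$2" \
        '$1 + 0 <= max + margin { c++ } END { print c + 0 }'
}

# Stand-alone demo on the constructed sample.
sample_log | top_senders
echo "within 2 points of a 15.0 threshold: $(sample_log | borderline 15 2)"
```

Against the real log the same functions read from standard input, e.g. `top_senders < /var/log/exim_rejectlog`.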
 

alan-tor

Active Member
Dec 7, 2004
Does :fail: work when specified in cPanel's "E-mail Filtering"?

I've created mail filters in cPanel's "E-mail Filtering", called "Filter Maintenance" once you're on that page. I set spam above a certain score to "Discard", but I wonder if :fail: would work there.

Actually, I'm wondering how this can work or how the original poster's idea can work. Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?
 

nxds

Well-Known Member
Jan 6, 2006
That rocks my world. :) Thx
 

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
Be sure you add this through the Exim configuration editor in WHM. Adding this by editing the exim.conf file directly will cause cPanel to overwrite it the next time it updates.
 

alan-tor

Active Member
Dec 7, 2004
Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received? :confused:
 

nxds

Well-Known Member
Jan 6, 2006
The SMTP conversation isn't completed until the DATA verb is OK'd by the receiving server. In this test, the SA score is calculated after receiving the DATA section, and if too high the message is rejected, if not it is accepted into the queue for delivery. Rejecting the mail during any part of the SMTP conversation is a :fail: action and the sending server is responsible for any NDR, not yours.
 

alan-tor

Active Member
Dec 7, 2004
Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, is it then possible to do this also for cPanel mail forwarders? I'd love to be able to have SpamAssassin work on mail forwarders rather than just on mail accounts.
 

delsurf

Registered
Apr 17, 2002
Nice add!! I just installed it and it seems to be working great... I lowered the threshold to 80 though. Hopefully someone can find a way to do this for emails with forwarders.

Thanks again for the script config!
 

sds1az

Registered
Oct 27, 2006
Yes indeed, very impressive. I put this in last night, checked my logs this morning and was stunned at how effectively this is working. I highly recommend everyone add this to their exim config. Thanks for the tip, jnagro!
 

alan-tor

Active Member
Dec 7, 2004
Has anyone discovered whether this also works for cPanel mail forwarders?

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, then it would seem that it should work for mail forwarders.

I'd love to be able to have SpamAssassin work on mail forwarders as well as on mail accounts.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
This should work for e-mail forwarders and also for mail sent out through the server. I did also run some tests and this does appear to be the case (although very limited tests). This is because any e-mail that comes into the server (whether it is being sent out or being received from another SMTP server) would be checked for spam. After the DATA command and after the message is completed, the message is scanned for spam. If the SpamAssassin score is above the limit, then the message is rejected and not accepted. This means that if a user sends a message with their e-mail client through the server and it is detected as spam, the user should receive an error stating that the message did not get sent. Likewise, in the case of an e-mail forwarder, the message is rejected before it is accepted on the server and forwarded on to the forwarded address.

I can see where this would have real promise in helping with e-mail forwarder spam as well as sending spam and just generally any spam. I haven't yet implemented this, I am still running some tests and I am keeping an eye on this thread for user experience.
 

innsites

Well-Known Member
Nov 30, 2005
Absolutely BEAUTIFUL coding! Great success.

:)

Am very pleased with the results.

Just to clarify.......my ACL edit looks like this below. I learned I had to move the accept line below the new addition and then it worked like a charm!

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}
accept
 

nxds

Well-Known Member
Jan 6, 2006
53
0
156
I have been running this for a while, mostly with great success. However, I have noticed on a few servers that the spamd process can end up consuming a very large amount of memory resulting in high loads and bad response times.

One strange thing was that this jump in memory consumption was only happening on 2 out of 6 servers even though they are all identically configured. I didn't get to the bottom of this, but I've just noticed that another server has gotten the memory problem so I think it may be triggered by specific message content.

Does anyone have any more information on what causes spamd to eat so much memory and how to fix it?

In the meantime, as a workaround, I am running a cron job every 2 minutes to check the memory consumption of spamd. If the total is above 300MB I send a SIGHUP to force new children to be started. Here's the code:


Code:
#!/bin/sh
#Restart spamd if sum of process sizes > 300MB
ps aux | awk '/[s]pamd/ {sum += $5} END {if (sum > 300000) {exit 1}};' || pkill -HUP spamd
 

innsites

Well-Known Member
Nov 30, 2005
Does increase load.......but....still good

I notice that my load average doubled with this code in use, but it has denied 6,870 pieces of "too high" (greater than 15 score) mails in a 12 hour period.

Thanks for that workaround tip. I may put it into action.