exim: dropping spam based on score threshold?

[jnagro]

I've made exim servers deny spam based on a score threshold, ie if the score is above X dont accept the message (deny) or :fail: it. I've poked around the cpanel config and its perl functions but i'm having a hard time adding it. Does anyone know where/how i can do that? I'm assuming ClamAV also won't accept malware? (deny? or :fail:?)

 

[jnagro]

figured it out...

i added this to the 'check_message' acl:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

 

[mickalo]

i added this to the 'check_message' acl:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

very handy Added it through the Exim Editor and watched the log file. seems to work quiet nicely:

tail -f /var/log/exim_rejectlog | grep "Spam score too high"

2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(dsl85-98-16622.ttnet.net.tr) [85.98.64.238] F=<[email protected]> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=foreaud.classcom.pl [195.150.77.145] F=<[email protected]> rejected after DATA: Spam score too high (17.8)
2006-12-05 15:47:36 1Gri8M-0006T5-03 H=foreaud.classcom.pl [195.150.77.145] F=<[email protected]> rejected after DATA: Spam score too high (22.2)

Thx's
Mickalo

 

[alan-tor]

Does :fail: work when specified in cPanel's "E-mail Filtering"?

I've created mail filters in cPanel's "E-mail Filtering", called "Filter Maintenance" once you're on that page. I set spam above a certain score to "Discard", but I wonder if :fail: would work there.

Actually, I'm wondering how this can work or how the original poster's idea can work. Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

 

[nxds]

i added this to the 'check_message' acl:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

That rocks my world. Thx

 

[mctDarren]

Be sure you add this through the Exim configuration editor in WHM. Adding this by editing the exim.conf file directly will cause cPanel to overwrite it the next time it updates.

 

[kdarray]

thanks

thanks jnagro for this short and sweet tip

 

[alwaysweb]

Simple little addin to exim config, thanks!

 

[alan-tor]

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

 

[nxds]

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

The SMTP conversation isn't completed until the DATA verb is OK'd by the receiving server. In this test, the SA score is calculated after receiving the DATA section, and if too high the message is rejected, if not it is accepted into the queue for delivery. Rejecting the mail during any part of the SMTP conversation is a :fail: action and the sending server is responsible for any NDR, not yours.

 

[alan-tor]

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, is it then possible to do this also for cPanel mail forwarders? I'd love to be able to have SpamAssassin work on mail forwarders rather than just on mail accounts.

 

[delsurf]

Nice add!! I just installed it and it seems to be working great... I lowered the threshold to 80 though. Hopefully someone can find a way to do this for emails with forwarders.

Thanks again for the script config!

 

[sds1az]

Yes indeed, very impressive, I put this in last night and checked my logs this morning and was stunned at how effective this is working. I highly recommend everyone to add this to their exim config, thanks for the tip jnagro!

 

[simplybe]

Hi,
Trying it now
Thanks

 

[alan-tor]

Has anyone discovered whether this also works for cPanel mail forwarders?

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, then it would seem that it should work for mail forwarders.

I'd love to be able to have SpamAssassin work on mail forwarders as well as on mail accounts.

 

[SoftDux]

How would I allow all users to edit their own score? Let''s say I create this rule as a default in cPanel, and it appears in all users' cPanel as a mail filter rule. How would I do that?

 

[sparek-3]

This should work for e-mail forwarders and also for mail sent out through the server. I did also run some tests and this does appear to be the case (although very limited tests). This is because any e-mail that comes into the server (whether it is being sent out or being received from another SMTP server) would be checked for spam. After the DATA command and after the message is completed, the message is scanned for spam. If the SpamAssassin score is above the limit, then the message is rejected and not accepted. This means that if a user sends a message with their e-mail client through the server and it is detected as spam, the user should receive an error stating that the message did not get sent. Likewise, in the case of an e-mail forwarder, the message is rejected before it is accepted on the server and forwarded on to the forwarded address.

I can see where this would have real promise in helping with e-mail forwarder spam as well as sending spam and just generally any spam. I haven't yet implemented this, I am still running some tests and I am keeping an eye on this thread for user experience.

 

[innsites]

Absolutely BEAUTIFUL coding! Great success.



Am very pleased with the results.

Just to clarify.......my ACL edit looks like this below. I learned I had to move the accept line below the new addition and then it worked like a charm!

deny message = Spam score too high ($spam_score)
spam = mailnull:true/defer_ok
condition = ${if >{$spam_score_int}{150}{1}{0}}
accept

 

[nxds]

I have been running this for a while, mostly with great success. However, I have noticed on a few servers that the spamd process can end up consuming a very large amount of memory resulting in high loads and bad response times.

One strange thing was that this jump in memory consumption was only happening on 2 out of 6 servers even though they are all identically configured. I didn't get to the bottom of this, but I've just noticed that another server has gotten the memory problem so I think it may be triggered by specific message content.

Does anyone have any more information on what causes spamd to eat so much memory and how to fix it?

In the meantime, as a workaround, I am running a cron job every 2 minutes to check the memory consumption of spamd. If the total is above 300MB I send a sighup to force new children to be started. Here's the code:

#!/bin/sh
#Restart spamd if sum of process sizes > 300MB
ps aux | awk '/[s]pamd/ {sum += $5} END {if (sum > 300000) {exit 1}};' || pkill -HUP spamd

 

[innsites]

Does increase load.......but....still good

I notice that my load average doubled with this code in use, but it has denied 6,870 pieces of "too high" (greater than 15 score) mails in a 12 hour period.

Thanks for that workaround tip. I may put it into action.