Using linux as a SPAM filter

Discussion in 'Other Operating Systems' started by yohan, Feb 21, 2005.

  1. yohan

    yohan Member

    Joined:
    Jan 11, 2002
    Messages:
    67
    Location:
    London
    I was wondering if anyone has had any luck running Linux as a spam filter. I have seen various sites dedicated to providing this feature and am interested in setting something up. Anyone with answers to the following is much appreciated.

    What software do you recommend, and running on what distro?
    Anything similar to MailMarshal (providing reports, etc.)?

    Cheers
     
  2. stevenx

    stevenx Member

    Joined:
    May 2, 2002
    Messages:
    2,267
    Location:
    Fai oh see fo.
    I run Mailscanner with SpamAssassin on FreeBSD with Sendmail. I'm looking at switching to Postfix, though, but I'm having issues getting everything working. The existing setup does a good job of filtering mail for spam and viruses.

    There's a tool providing graphical representations of what's happening available for Mailscanner, but I can't remember the name and the Mailscanner website appears to be down at the moment.
     
  3. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,798
    Location:
    Mackay, QLD.
  4. ConundruM

    ConundruM Member

    Joined:
    Jun 27, 2001
    Messages:
    910
  5. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,798
    Location:
    Mackay, QLD.
    Holy shite that looks like a nice package.

    I may have to implement this one at work, methinks :)
     
  6. yohan (OP)

    yohan Member

    Joined:
    Jan 11, 2002
    Messages:
    67
    Location:
    London
    Cheers for that, guys... what distro do you recommend running these on? I'm a relative newbie to Linux, so I was going to install Fedora Core 3, as I wanted to check that out as well.
     
  7. mpot

    mpot Member

    Joined:
    Jun 27, 2001
    Messages:
    5,372
    Location:
    Perth, WA
    I run qmail + qmailscanner + spamassassin + clamav, and it does a very good job at filtering spam.

    I still get a few false negatives, and am tuning my rules to try to eliminate those, but haven't had a false positive for months.

    Cheers,
    Martin.
     
  8. stalin

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    I run sendmail + mailscanner + spamassassin + clamav + spamcop (which is one line added to postfix or sendmail), and it has spam and un-spam (ham) training.
     
  9. rtscts

    rtscts Member

    Joined:
    Jun 28, 2001
    Messages:
    2,946
    Location:
    Sydney
    RBL/RDNS checking takes care of most of my spam (200+ per day), so SpamAssassin doesn't have much work to do here.
     
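    The RBL check mentioned above is a DNS lookup: the connecting client's IPv4 octets are reversed, the blocklist zone is appended, and an A record in 127.0.0.0/8 means "listed" (this is what Postfix's reject_rbl_client does per zone). The example below is added here for illustration and is not code from this thread or from Postfix; the zone names bl.example and dead.example, the fake_resolver and the FAKE_RECORDS table are constructed stand-ins so it runs offline. It also adds a sanity check that Postfix itself does not do: per RFC 5782 a working IPv4 DNSBL lists 127.0.0.2 and does not list 127.0.0.1, so a zone that has been abandoned and answers "listed" for every query (which is how a dead list ends up rejecting all of your mail) is skipped.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to the list of A records it returns ([] for NXDOMAIN).
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Real lookup via the system resolver (not used by the offline demo below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the lookup name a DNSBL expects: reversed IPv4 octets under the zone.
    This is the query reject_rbl_client issues for each connecting client."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(ip).split("."))) + "." + zone.rstrip(".")


def is_listed(client_ip: str, zone: str, resolver: Resolver) -> List[str]:
    """Return the 127.0.0.0/8 answers for the client (the listing codes).
    An empty list means 'not listed'."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolver(dnsbl_query_name(client_ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


def zone_is_sane(zone: str, resolver: Resolver) -> bool:
    """RFC 5782 sanity check: an IPv4 DNSBL must list 127.0.0.2 and must not
    list 127.0.0.1. A zone that answers 'listed' for everything fails this,
    as does a zone that has vanished entirely."""
    return bool(is_listed("127.0.0.2", zone, resolver)) and not is_listed("127.0.0.1", zone, resolver)


def rbl_verdict(client_ip: str, zones: List[str], resolver: Resolver) -> Optional[str]:
    """Mimic a chain of reject_rbl_client zones: the first sane zone that lists
    the client yields a rejection reason (modelled on Postfix's wording).
    Zones failing the sanity check are skipped, an added safeguard that
    Postfix does not provide, so a dead list cannot block all mail."""
    for zone in zones:
        if not zone_is_sane(zone, resolver):
            continue
        codes = is_listed(client_ip, zone, resolver)
        if codes:
            return f"Service unavailable; client [{client_ip}] blocked using {zone} ({', '.join(codes)})"
    return None


# Constructed offline stand-in for DNS: bl.example is a healthy zone with one
# listed client; dead.example answers 127.0.0.2 for every name, the failure
# mode of an abandoned blocklist.
FAKE_RECORDS: Dict[str, List[str]] = {
    "2.0.0.127.bl.example": ["127.0.0.2"],                # RFC 5782 test entry
    "10.2.0.192.bl.example": ["127.0.0.2", "127.0.0.4"],  # a listed client
}


def fake_resolver(name: str) -> List[str]:
    """Constructed resolver: wildcard-positive for dead.example, table lookup otherwise."""
    if name.endswith(".dead.example"):
        return ["127.0.0.2"]
    return FAKE_RECORDS.get(name, [])


if __name__ == "__main__":
    zones = ["dead.example", "bl.example"]
    for client in ("192.0.2.10", "198.51.100.7"):
        print(client, "->", rbl_verdict(client, zones, fake_resolver) or "accept")
```

    Run as-is it prints a rejection for 192.0.2.10 (listed in bl.example) and an accept for 198.51.100.7, even though dead.example claims both are listed. Swapping fake_resolver for system_resolver turns it into a real check against whatever zones you configure; the sanity check is worth running once at startup rather than per connection.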
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    35,324
    Location:
    Brisbane
    Running sendmail + clamav + spamassassin/spamass-milter on Debian using the debian provided clamav-milter. Works a treat. Client side it all gets fed into a cyrus/imap mail box.

    There's very little useful reporting other than normal day-to-day log files, but the client was more interested in "getting rid of annoying things in my inbox" than actually working out how much of everything there was. I think all those snazzy "CEO dazzling graphs" would be wasted on these guys. :)

    They were getting up to 50% spam/virus mail on their worst days, as little as 10% best case. It was very disruptive to their business, where email communication is vital, so the new setup has eased many grievances.

    At first there was the odd, very rare false positive/negative, but some quick spam/ham training via "sa-learn" and whitelist modification has fixed all that up.

    This was my first corporate-level spam filter, and it was surprisingly easy to set up and have running with accurate results in just minutes.

    Hark! Is that the Perpetual Linux Distro Thread I see?
     
    Last edited: Feb 22, 2005
  11. vivian

    vivian Member

    Joined:
    Aug 22, 2001
    Messages:
    299
    Location:
    Munich
    I'm running postfix with an exclusion list, and that blocks about 95% of the spam. (The mail server basically refuses to accept mails with "pen1s" or "p1lls" in the subject line.)

    The header check file looks like this:

    #anti nimda and friends
    /^Content-Type: multipart\/related;.*type=\"multipart\/alternative\";.*boundary=\"====_ABC1234567890DEF_====\".*$/ REJECT You have a virus

    #anti spammer robots
    /^X-Mailer: .*(PSS Bulk Mailer|ccMail Link|IXO-Mail|MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic| Splio|Sarbacane|sMailing|Broadc@st|WorkZ|ABMailer|QuickSender).*$/ DISCARD

    #mplayer ml
    /^Received:.*mail.mplayerhq.hu.*$/ REJECT I'm not subscribed
    #anonymizers
    /^Received: .*(barbarella\.super\.nu|cameleon.org|remailer\.privacy\.at).*$/ REJECT

    #Spamming domains (stupid companies)
    /^Received: .*avoska\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*yourwebsite\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*gastone\.it.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*waloa\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*cornut\.fr.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*microtronique\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*caminarsoftware\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*\.lk.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*\.quik\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*rootsystems\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*webhostingtalk\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*mail\.liekki\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*h8h\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*port\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*\.eth\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*hamilton\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^Received: .*indiatimes\.com.*$/ REJECT bouncetime.com
    /^Received: .*e-newsletters.*$/ REJECT newsletters forbidden
    /^Received: .*usbid\.com.*$/ REJECT
    /^Received: .*\.ixo\.com.*$/ REJECT
    /^Received: .*dsl.brasiltelecom.net.br.*$/ REJECT

    #Spamming domains using multiple smtp servers
    /^From: .*uol\.com\.co.*$/ REJECT You are banned due to stupid spamming habits
    /^From: .*clubsurf\.com.*$/ REJECT You are banned due to stupid spamming habits
    /^From: .*ecplaza\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^From: .*advancenet\.net.*$/ REJECT You are banned due to stupid spamming habits
    /^From: .*pc-look\.com.*$/ REJECT Shut up stupid spammer
    /^From: .*pc-zone\.com.*$/ REJECT Shut up stupid spammer
    /^From: .*zone pc.*$/ REJECT Shut up stupid spammer
    /^From: .*fabricehalimi@aol\.com.*$/ REJECT Go spam elsewhere
    #/^From: .*yahoo.com\.*$/ REJECT Sorry, too much spam from yahoo, find another email address to mail me.
    /^From: .*aufeminin\.com.*$/ REJECT No mail allowed from aufeminin.com, stop spamming me please
    /^From: .*fullpromote.*$/ REJECT Welcome to fullreject.com
    /^From: .*@eyou\.com.*$/ REJECT enothing
    /^From: .*noxservices\.com.*$/ REJECT Shut up stupid spammer
    #Typical spam Subjects
    /^Subject: .*penis.*enlargement.*$/ REJECT My sexual life is ok, thanks for bothering
    /^Subject: .*penis.*growth.*$/ REJECT My sexual life is ok, thanks for bothering
    /^Subject: .*viagra.*$/ REJECT My sexual life is ok, thanks for bothering
    /^Subject: .*sex.*free.*$/ REJECT My sexual life is ok, thanks for bothering
    /^Subject: .*free.*sex.*$/ REJECT My sexual life is ok, thanks for bothering
    /^Subject: (ADV:|AD:|ADV |AD ).*$/ REJECT You are not the contents of your wallet
    /^Subject: .*special offer.*$/ REJECT special bounce
    /^Subject: .*need money.*$/ REJECT no
    /^Subject: .*Phentermine.*$/ REJECT I'm not fat
    /^Subject: .*Video.*botschaft.*$/ REJECT fuck off
    /^Subject: .*penis.*$/ REJECT NO
    /^Subject: .*member.*pill.*$/ REJECT o0o

    #Spam often have many spaces to hide a reference at the end
    /^Subject: .* .*/ REJECT Mail detected as spam - hint, change subject

    #American, Canadian and people using dollars as your currency,
    #you could get false positives here !
    /^Subject: .* \$.*$/ REJECT Don't mail with dollars in subject, it makes your mail a spam.

    #People I don't like
    /^From: .*Sunpai@gmx\.net.*$/ REJECT I do not like you
    /^From: .*ESoft@gmx\.fr.*$/ REJECT I do not like you
    /^From: .*charles.*gepner.*$/ REJECT I do not like you
    /^From: .*gepner.*$/ REJECT I do not like you
    /^From: .*sunyx@gmx.net.*$/ REJECT I do not like you
    /^From: .*labl@skynet\.be.*$/ REJECT Stick your vinyls up where i think
    /^From: .*hermantom@dunasoft\.com.*$/ REJECT u R not on 1rc
    /^From: .*amiltrader@runbox\.com.*$/ REJECT fuck off
    #Strange From: and To: headers
    /^To: .*ndisclosed.*$/ REJECT My name isn't Undisclosed Recipients.
    /^To: $/ REJECT I have a name
    #/^From: $/ REJECT I am sure you have a name
    /^From: .*bons-plans@voyages-sncf\.com.*$/ REJECT j'aime pas le train
    /^From: .*@photo-de-classe.com.*$/ REJECT trop de spam, merci
    /^From: .*@copainsdavant\.com.*$/ REJECT Je me suis desinscrit

    #attachments
    /^(.*)name=\"(.*)\.(exe|lnk|dll|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)\"$/ REJECT Your attachment looks like a virus to me.
    /^(.*)name=(.*)\.(exe|lnk|dll|eml|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)$/ REJECT Your attachment looks like a virus to me.
    #stupid charsets
    /^Content-Type:.*charset="iso-2022-jp".*$/ REJECT I don't speak japanese

    #false Originating-IP
    /^X-Originating-IP:..[a-z].*$/ REJECT ip
    /^X-Originating-IP:.*IP.*$/ REJECT ip
    #known spam
    /^X-Spam-Level: \*\*\*\*\*\*\*\*/ REJECT Spam

    #virus-alerts

    /^Subject: virus alert/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: RAV AntiVirus scan results/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: Norton AntiVirus detected a virus in a message you sent/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: Norton AntiVirus detected and quarantined a virus in a message/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: Security Alert - ScanMail for Lotus Notes/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: Virus Detected by Network Associates, Inc. Webshield SMTP / REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: Network Associates Webshield - e-mail Content Alert/ REJECT Message Rejected, Invalid Anti-Viral Notification Message

    /^Subject: InterScan NT Alert/ REJECT Message Rejected, Invalid Anti-Viral Notification Message


    and so forth. You can basically block anything. If a new virus comes, I'd just have to add the subject line / file extension to the list, and it gets blocked.

    You just have to add a line to the main.cf of postfix:

    header_checks = regexp:/etc/postfix/header_checks

    While you're at it, you can add the following too:

    #anti-spam
    smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient
    smtpd_data_restrictions = reject_unauth_pipelining

    #realtime blocklists
    #reject_rbl_client / reject_rhsbl_* are restrictions, not main.cf parameters,
    #so they must sit inside a restriction list; reject_unauth_destination is
    #required here or postfix refuses to start (and you would be an open relay)
    smtpd_recipient_restrictions = permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rhsbl_sender rhsbl.sorbs.net,
        reject_rhsbl_client rhsbl.sorbs.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client sbl-xbl.spamhaus.org

    Spam mails have dropped to 1 a week, from a 3000+ a day. :D

    The lists and configuration help can be found on Google. There are quite a few good pages on this.
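    To see what a header_checks table actually does to a message before putting it in front of real mail, here is a small simulator of the Postfix regexp: table semantics, added as an example for this thread (it is not code from the post above or from Postfix, which does this with postmap -q against the real table). It parses the simple /pattern/flags action text form, honours the Postfix default of case-insensitive matching (the i flag toggles it off), unfolds continuation lines because Postfix matches logical header lines, and applies the rules in order with first match wins. SAMPLE_HEADER_CHECKS and SAMPLES are constructed for the demo; the rules echo the style of the ones above, and the sample legit_invoice shows the false-positive risk of the dollar-sign rule that the post itself warns about.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed header_checks table in Postfix regexp: format (sample rules, not a
# recommended production list).
SAMPLE_HEADER_CHECKS = r"""
#anti nimda and friends
/^Content-Type: multipart\/related;.*type=\"multipart\/alternative\";.*boundary=\"====_ABC1234567890DEF_====\".*$/ REJECT You have a virus
#anti spammer robots
/^X-Mailer: .*(PSS Bulk Mailer|MMailer|QuickSender).*$/ DISCARD
#typical spam subjects
/^Subject: .*viagra.*$/ REJECT My sexual life is ok, thanks for bothering
/^Subject: (ADV:|AD:|ADV |AD ).*$/ REJECT You are not the contents of your wallet
#dollar signs: false-positive risk for legitimate invoices
/^Subject: .* \$.*$/ REJECT Don't mail with dollars in subject, it makes your mail a spam.
#attachments (header_checks also see MIME part headers)
/^(.*)name=\"(.*)\.(exe|lnk|dll|com|vbs|js|bat|cmd|scr|pif)\"$/ REJECT Your attachment looks like a virus to me.
#known spam, as scored by an upstream filter
/^X-Spam-Level: \*\*\*\*\*\*\*\*/ REJECT Spam
"""


@dataclass
class Rule:
    regex: re.Pattern
    action: str  # REJECT, DISCARD, ... (Postfix also knows WARN, HOLD, IGNORE, ...)
    text: str    # optional text for the SMTP reply / log line


@dataclass
class Verdict:
    action: str
    text: str
    header: str  # the logical header line that triggered the rule


def parse_header_checks(table: str) -> List[Rule]:
    """Parse '/pattern/flags action text' lines. Matching is case-insensitive
    unless the 'i' flag toggles it off, as in Postfix. Negated (!/.../) and
    compound (&&) rules are not handled here."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(table.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("/"):
            raise ValueError(f"line {lineno}: unsupported rule form: {line!r}")
        # Find the closing slash, keeping backslash-escaped characters such as \/
        i, chars = 1, []
        while i < len(line) and line[i] != "/":
            if line[i] == "\\" and i + 1 < len(line):
                chars.append(line[i:i + 2])
                i += 2
            else:
                chars.append(line[i])
                i += 1
        if i >= len(line):
            raise ValueError(f"line {lineno}: unterminated pattern")
        m = re.match(r"([imx]*)\s+(\S+)\s*(.*)$", line[i + 1:])
        if not m:
            raise ValueError(f"line {lineno}: missing action")
        flags, action, text = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append(Rule(re.compile("".join(chars), re_flags), action.upper(), text))
    return rules


def unfold_headers(raw_headers: str) -> List[str]:
    """Join folded continuation lines into logical header lines (approximated
    by a single space), which is what Postfix matches against."""
    logical: List[str] = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line:
            logical.append(line)
    return logical


def check_headers(raw_headers: str, rules: List[Rule]) -> Optional[Verdict]:
    """First matching rule on the first matching header wins; None means the
    headers pass. Rule order therefore matters."""
    for header in unfold_headers(raw_headers):
        for rule in rules:
            if rule.regex.search(header):
                return Verdict(rule.action, rule.text, header)
    return None


# Constructed sample headers, not real traffic.
SAMPLES = {
    "spam_subject": "From: someone@example.net\nSubject: Cheap VIAGRA now\n",
    "legit_invoice": "From: billing@example.org\nSubject: Invoice for $500 due Friday\n",
    "bad_attachment": "Content-Type: application/octet-stream;\n name=\"invoice.scr\"\n",
    "nimda": "Content-Type: multipart/related; type=\"multipart/alternative\";\n boundary=\"====_ABC1234567890DEF_====\"\n",
    "clean": "From: alice@example.com\nSubject: Lunch on Thursday?\nX-Spam-Level: ***\n",
}


def run_samples() -> dict:
    """Apply the sample table to each sample and return name -> action."""
    rules = parse_header_checks(SAMPLE_HEADER_CHECKS)
    results = {}
    for name, headers in SAMPLES.items():
        verdict = check_headers(headers, rules)
        results[name] = verdict.action if verdict else "ACCEPT"
        detail = f" ({verdict.text}) on {verdict.header!r}" if verdict else ""
        print(f"{name:15} -> {results[name]}{detail}")
    return results


if __name__ == "__main__":
    run_samples()
```

    Running it shows legit_invoice rejected alongside the real spam, which is the kind of collateral damage worth checking for with your own recent ham before a rule goes live; a REJECT also tells the sender why, whereas DISCARD silently drops the message and leaves only the log line.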
     
  12. Shrike

    Shrike Member

    Joined:
    Jan 9, 2002
    Messages:
    25
    Location:
    Melbourne - Ascot Vale
    If you won't be running a mail server on your box (e.g. you're just a normal person wanting to filter at home from ISP or other POP servers) then try POPFile.

    http://popfile.sourceforge.net/

    After training, mine runs at around 99.5% accuracy
     
  13. jbman

    jbman Member

    Joined:
    Feb 1, 2002
    Messages:
    442
    Location:
    Perth, WA
    Cheers for that, I was about to post what I can use in this situation.
     
  14. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,411
    Location:
    Narrabri NSW
    My dad's using popfile. He likes it.

    I run mailscanner+sendmail+clamav at one of the companies I do work for. I don't do any spam filtering because 95% of what they were calling spam was actually email worms.
    One of their users gets one or two messages an hour of spam, but since it's only one user, I added a filter to their email client to dump it to a spam folder.

    I'm going to add real spam filtering in the next few weeks when they get a new server and I move them to using Debian.
     
  15. MWP

    MWP Member

    Joined:
    Jun 27, 2001
    Messages:
    4,633
    Location:
    Adelaide
    I do this, but use fetchmail, procmail and spamassassin (bayes).
    A cron job checks for mail every 5 mins on 4 different POP3 accounts, filters for spam, filters for mailing lists, etc., then I read it with mutt.
    Works very well.

    BTW, lots of people say spamassassin is crap compared to dspam, etc... it's not.
    It's just they don't know how to set it up with good rules.
     
    Last edited: Feb 23, 2005
