Steve Ingraham wrote:
> I am trying to figure out how I can get scores to this type of spam
> bumped up so they do not get delivered to my user mailboxes. Can
> anyone give me some suggestions on what I should do to stop this type
> of spam from being delivered?
> [...]
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=8.3 required=5.0 tests=BAYES_60,HTML_10_20,
>     HTML_MESSAGE,JV_Pharm1r_Drug,MIME_HTML_ONLY,RCVD_NUMERIC_HELO
>     autolearn=no version=3.1.5

You don't need to "bump up" the score; this one received an 8.3 which
exceeds your 5.0 ceiling. The result is that it's tagged as spam. SA
itself doesn't do anything other than tag likely spams. It's up to you
to decide what to do with these messages.

If the scanning machine is running a *nix OS and the mailboxes reside on
the same server, an elegant solution is to have procmail route these
messages for you. Just create or edit the file /etc/procmailrc and add
the following rule:

    :0
    * ^X-Spam-Flag.*YES
    /path/to/some/quarantine/mailbox

That will scan every message at delivery for the Spam-Flag header and
route those with a YES to the quarantine folder. Since procmail executes
rules in /etc/procmailrc with root privileges it can write to the
quarantine mailbox even if it's owned by another user. (See "man
procmailrc" and "man procmailex" for details.)

Don't delete them, just put them in a quarantine. That way when someone
asks why they didn't get that important message that you inadvertently
scored as spam, you can give them the quarantined copy.

You might also want to add the quarantine mailbox to your log rotation
program so it doesn't just grow forever. On a RedHat-Linux-flavored box,
you can add a file to /etc/logrotate.d like this:

    /path/to/some/quarantine/mailbox {
        daily
        rotate 30
        missingok
        notifempty
    }

This will keep 30 days of quarantines.

If you're doing scanning on a box in front of the eventual mailbox server
(e.g., Exchange), you can't use this trick because the mail isn't being
delivered on the scanning box. You're better off using an SMTP-level
scanner like MailScanner or amavisd that can invoke SA along with any
virus scanners you might be using.

I use MailScanner (with clamav) to handle all these tasks. It
automatically prepends a string like "{Spam?}" to the subject of any
message that scores above your floor value and can also be configured to
delete, quarantine, deliver, or forward tagged messages. If tagged
messages are delivered to the recipient, he or she can write a
client-side rule to handle the spams.

Peter
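
Added example, not part of Peter's message: a small Python helper for the "someone asks why they didn't get that important message" case. It indexes the quarantine mbox, unfolds the multi-line X-Spam-Status header shown above, and lists the messages that only just crossed the threshold. The function names, the 2.0 margin and the sample addresses are assumptions made for this illustration.

```python
import mailbox
import re

# Constructed sample; the X-Spam-* headers are the ones quoted in the thread,
# the addresses, subject and body are made up.
SAMPLE = (b"From: sender@example.com\nTo: user@example.org\n"
          b"Subject: constructed sample\nX-Spam-Flag: YES\n"
          b"X-Spam-Status: Yes, score=8.3 required=5.0 tests=BAYES_60,HTML_10_20,\n"
          b"\tHTML_MESSAGE,JV_Pharm1r_Drug,MIME_HTML_ONLY,RCVD_NUMERIC_HELO\n"
          b"\tautolearn=no version=3.1.5\n\nbody\n")

def parse_spam_status(value):
    """Return verdict, score, threshold and rule names from X-Spam-Status."""
    flat = re.sub(r"\s+", " ", str(value)).strip()  # unfold continuation lines
    m = re.match(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+)", flat)
    if not m:
        return None  # header missing or not in SpamAssassin's format
    tests = re.search(r"tests=(.*?)(?= \w+=|$)", flat)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": [t for t in names if t]}

def quarantine_index(path):
    """List every message in the quarantine mbox with its parsed status."""
    box = mailbox.mbox(path, create=False)
    try:
        return [{"key": k, "from": m.get("From"), "subject": m.get("Subject"),
                 "status": parse_spam_status(m.get("X-Spam-Status", ""))}
                for k, m in box.iteritems()]
    finally:
        box.close()

def near_threshold(path, margin=2.0):
    """Quarantined mail scoring within `margin` of the threshold, lowest first:
    the most likely candidates when a user reports a missing message."""
    hits = [r for r in quarantine_index(path)
            if r["status"] and r["status"]["score"] - r["status"]["required"] <= margin]
    return sorted(hits, key=lambda r: r["status"]["score"])

if __name__ == "__main__":
    import sys
    for row in near_threshold(sys.argv[1]):
        s = row["status"]
        print(row["key"], s["score"], row["from"], row["subject"], ",".join(s["tests"]))
```

Run it with the quarantine mailbox path as the only argument; messages without a parsable X-Spam-Status header are indexed but left out of the near-threshold list.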