Stopping Spam with SpamAssassin


Despite the fact that it is rude and antisocial, there are people who send out thousands of unsolicited e-mail messages (referred to as spam), hoping to get a few responses. Due to the economics of the Internet, spammers can send out literally millions of messages. A very small number of respondents is enough to make a profit for the spammers. Furthermore, modern spam can be dangerous, including messages designed to fool users into entering user names and passwords (called phishing) or messages that try to exploit vulnerable systems (particularly Windows systems).

Because Linux systems are often used as mail servers, tools for scanning mail messages for spam and viruses have become quite sophisticated over the years. In this chapter, I describe how to use a tool called SpamAssassin to deal with spam and viruses on your mail server. If this doesn't meet your needs, here are a few links where you can learn about the ClamAV virus scanner and how to use it with different mail software:

  • ClamAV (www.clamav.net) - Command-line virus scanner with database update features. The clamav package is in Fedora Extras (yum install clamav).

  • Klamav (http://klamav.sourceforge.net/klamavwiki/index.php) - The KDE version of ClamAV.

  • Third-party ClamAV Apps (www.clamav.net/3rdparty.html) - Find links to third-party software that works with ClamAV.

Using SpamAssassin

With SpamAssassin, you can configure your incoming mail service to tag messages it believes to be spam so you and your users can deal with those messages as you choose.

There are several methods that SpamAssassin uses to identify spam:

  • Checking mail headers - Examining the headers of your incoming mail to look for well-known tricks used to make the e-mail look valid.

  • Checking mail text - Looking for text style, content, and disclaimers in message bodies that are commonly used in spam.

  • Checking blacklists - Checking ordb.org and other blacklists to find e-mail sent from sites known before to relay spam. (The mail-abuse.com site provides a search tool for checking if a server at a particular IP address has been blacklisted. To use that tool, go to www.mail-abuse.com/cgi-bin/lookup.)

  • Checking spam signatures - Comparing e-mail signatures. Since spam often consists of the exact same message sent thousands of times, taking signatures of spam messages lets SpamAssassin compare your message to a database of known spam messages. SpamAssassin uses Vipul's Razor (see http://razor.sourceforge.net ).

Although there are many different ways to deal with spam (or rather, e-mail that might be spam), most of the experts I have consulted like to configure SpamAssassin to simply tag incoming e-mail messages that appear to be spam. Then they encourage each user of the e-mail server to create his own rules for filtering the spam.

Note 

Although the procedure here describes how to use SpamAssassin from the RPM package that comes with the latest version of Fedora, many people get their version of SpamAssassin directly from the SpamAssassin.org Web site. Because anti-spam software is evolving so quickly (to keep ahead of spammers), some people like to make sure they have the very latest software.

Setting Up SpamAssassin on Your Mail Server

Here's a quick procedure for enabling SpamAssassin and having your users choose what to do with spam messages that are encountered:

  1. Configure your mail transport agent (sendmail or postfix) to use the procmail command as its mailer. For sendmail, it is already configured as the default mailer, based on the following line in the /etc/mail/sendmail.mc file:

     FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl 
  2. Make sure that the SpamAssassin spamd daemon is running (it should already be on for run levels 2-5), and if it isn't, start it by typing the following (as root user):

     # chkconfig --list spamassassin
     spamassassin 0:off 1:off 2:on 3:on 4:on 5:on 6:off
     # chkconfig spamassassin on
  3. Create an /etc/procmailrc file (using any text editor, as root user). This procmailrc file example pipes all mail messages received by procmail through spamc (which is the client side of the spamd daemon turned on in the previous step):

     :0fw
     | /usr/bin/spamc

    If you like, you can do a lot more in the procmailrc file to deal with spam on a system-wide basis. You could, for example, create procmail recipes that take reported spam e-mail messages and sort them into a system-wide spam folder or delete them completely. Likewise, each user can create an individual $HOME/.procmailrc file to create personal procmail recipes. (Type man procmailex for examples of rules in a procmailrc file.)

  4. Check the /etc/mail/spamassassin/local.cf file. This file contains rules that are used system-wide by SpamAssassin, unless they are overridden by a user's individual $HOME/.spamassassin/user_prefs file. Here are the contents of the local.cf file:

     required_hits 5
     rewrite_subject 1
     subject_tag [SPAM]
     report_safe 0

    In SpamAssassin, a scoring system is used to guess at whether a particular message is spam or not. The required_hits line shows that a score of 5 is needed to flag the message as spam. You should set that higher for a public mail server (such as 8 or 10). Setting rewrite_subject to 1 allows SpamAssassin to change the Subject line of a message. The subject_tag [SPAM] line has SpamAssassin add the text [SPAM] to the Subject line of spam it finds. The report_safe 0 line ensures that only the message header is changed, while the content is left intact. (Type man Mail::SpamAssassin::Conf to see other settings you can use in the local.cf file.)

Because there will almost certainly be some false positives, you risk preventing your users from seeing an e-mail they need if you do system-wide filtering. To avoid this problem, the approach shown here lets the user decide what to do with e-mail tagged as spam. Users can even adjust their own threshold for when a message is believed to be spam.

Next, you should have the users of that mail server set up their own user preferences in their home directories. The preferences set in each user's $HOME/.spamassassin/user_prefs file help tell SpamAssassin how to behave for that user's e-mail. Here are examples of lines a user might want to have in that file:

 required_hits 3
 whitelist_from jsmith@example.com bjones@example.net
 blacklist_from *.example.org

The required_hits line (which is on by default) sets the number of hits needed to consider the message to be spam. Hits are based on scores for matching or not matching criteria in the tests SpamAssassin performs. (See http://spamassassin.org/tests.html.)

The whitelist_from and blacklist_from lines let you set addresses for people, individual hosts, or entire domains that should not be considered as spam (whitelist_from) or should always be considered as spam (blacklist_from). For other ways to modify SpamAssassin behavior, type the following command:

  man Mail::SpamAssassin::Conf  
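How the required_hits threshold and the whitelist_from and blacklist_from lines combine into a verdict, as an added Python sketch that is not code from the book or from the SpamAssassin project. The function names and the content_score input are hypothetical; the model assumes glob matching against the From header only and the default scores of -100 and +100 for the USER_IN_WHITELIST and USER_IN_BLACKLIST tests.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the user_prefs lines shown above.
USER_PREFS = """\
required_hits 3
whitelist_from jsmith@example.com bjones@example.net
blacklist_from *.example.org
"""

def glob_to_regex(pattern):
    """Address globs allow only * and ?; every other character is literal."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(r"\A" + "".join(parts) + r"\Z", re.IGNORECASE)

def parse_prefs(text):
    prefs = {"required": 5.0, "whitelist": [], "blacklist": []}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on spaces
        if len(fields) < 2:
            continue
        key, args = fields[0], fields[1:]
        if key in ("required_hits", "required_score"):
            prefs["required"] = float(args[0])
        elif key == "whitelist_from":
            prefs["whitelist"] += [glob_to_regex(a) for a in args]
        elif key == "blacklist_from":
            prefs["blacklist"] += [glob_to_regex(a) for a in args]
    return prefs

def evaluate(raw_message, content_score, prefs):
    """Return (total, is_spam). content_score (hypothetical input) stands in for
    the sum of the header, body, blacklist and signature tests."""
    sender = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    total = content_score
    if any(p.match(sender) for p in prefs["whitelist"]):
        total -= 100.0  # default USER_IN_WHITELIST score
    if any(p.match(sender) for p in prefs["blacklist"]):
        total += 100.0  # default USER_IN_BLACKLIST score
    return total, total >= prefs["required"]

PREFS = parse_prefs(USER_PREFS)
# Constructed messages: the From header is whatever the sender wrote.
LISTED = "From: J Smith <JSmith@Example.com>\nSubject: hi\n\nbody\n"
SUBDOMAIN = "From: x@mail.example.org\nSubject: hi\n\nbody\n"
BARE_DOMAIN = "From: x@example.org\nSubject: hi\n\nbody\n"
```

Under this glob matching, *.example.org covers hosts below example.org but not x@example.org itself, which needs *@example.org. Because whitelist_from matches an address the sender supplies, Mail::SpamAssassin::Conf also documents whitelist_from_rcvd, which additionally requires the relaying host's reverse DNS name to match.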

At this point, SpamAssassin should be running and identifying spam based on input from you and the people using your e-mail server. Next, each user needs to decide what to do with the messages that are marked as spam, as described in the following section.

Tip 

Techniques you can use along with SpamAssassin include services like SpamCop. SpamCop (www.spamcop.net) provides a service that allows you to enter spam messages you receive into a database that helps others block the same spam messages.

Setting E-mail Readers to Filter Spam

Each user can turn on filtering in his e-mail reader to decide what to do with each message tagged as spam from SpamAssassin. A common practice is to direct e-mail marked as spam to a separate folder. Because some real mail can occasionally be mistakenly marked as spam, you could check the spam folder every week or two, just to make sure you didn't miss anything.

Here's an example of how to add a filter rule from Evolution Email:

  1. Create a folder labeled SPAM under your incoming mailbox.

  2. Click Tools → Filters.

  3. From the Filters window, click Add. An Add Rule window appears.

  4. Identify a rule name (such as Spam) that adds a criterion that looks for a specific header (X-Spam-Flag) containing specific text (YES). Then under Add Action, select an action (Move to Folder) and identify the folder to contain the spam messages (SPAM).

When you ask to receive mail from your mail server, all messages with the X-Spam-Flag header set to YES will be sorted into your SPAM folder. As an alternative, you could check for the text [SPAM] to appear in the subject line as the criterion for sorting the spam messages.
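The same sorting rule written out in Python, as an added example that is not from the book or from Evolution. It assumes the X-Spam-Status header that SpamAssassin writes next to X-Spam-Flag (not shown above); sort_message and review_margin are hypothetical names, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# SpamAssassin 3.x writes "score=" in X-Spam-Status; 2.x releases wrote "hits=".
STATUS_RE = re.compile(
    r"(Yes|No),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)",
    re.IGNORECASE)

def sort_message(raw_message, subject_tag="[SPAM]", review_margin=2.0):
    """Return the target folder, the recorded score, and whether a tagged
    message scored close enough to the threshold to deserve a second look."""
    msg = message_from_string(raw_message)
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    # Header names match case-insensitively; long values may be folded.
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    m = STATUS_RE.match(status)
    score, required = (float(m.group(2)), float(m.group(3))) if m else (None, None)
    subject = str(make_header(decode_header(msg.get("Subject") or "")))
    # The tag is prepended, so a reply ("Re: [SPAM] ...") is not treated as spam.
    tagged = subject.lstrip().startswith(subject_tag)
    is_spam = flag == "YES" or tagged
    review = is_spam and score is not None and score - required < review_margin
    return {"folder": "SPAM" if is_spam else "INBOX", "score": score, "review": review}

# Constructed sample messages.
BORDERLINE = ("From: a@example.net\nSubject: [SPAM] Newsletter\nX-Spam-Flag: YES\n"
              "X-Spam-Status: Yes, score=5.4 required=5.0 tests=HTML_MESSAGE,\n"
              "\tMISSING_DATE autolearn=no version=3.1.7\n\nbody\n")
OBVIOUS = ("From: b@example.net\nSubject: [SPAM] Cheap watches\nx-spam-flag: yes\n"
           "X-Spam-Status: Yes, score=23.1 required=5.0 tests=BAYES_99\n\nbody\n")
SUBJECT_ONLY = "From: c@example.net\nSubject: [SPAM] Win a prize\n\nbody\n"
REPLY = ("From: d@example.net\nSubject: Re: [SPAM] Lunch?\nX-Spam-Flag: NO\n"
         "X-Spam-Status: No, hits=0.3 required=5.0 tests=none\n\nbody\n")
```

Messages returned with review set to True are the ones worth reading when you make the periodic check of the spam folder for real mail.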

Other mail readers (Mozilla mail, pine, Netscape mail, and others) also include features for filtering and sorting e-mail based on criteria you enter.

A fairly new feature in Evolution includes some SpamAssassin features within the Evolution framework. Evolution runs a daemonized version of SpamAssassin using the spamd daemon. The spamd daemon automatically filters your mail to find junk mail. When it finds junk mail, it automatically puts it into the Junk folder in the Evolution window. You can ignore those messages or simply scan through them quickly and delete them.




Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
EAN: 2147483647
Year: 2007
Pages: 279
