[SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

dman dman at dman.ddts.net
Wed, 8 May 2002 22:42:33 -0500


On Wed, May 08, 2002 at 07:06:29PM -0700, Marc MERLIN wrote:
| On Wed, May 08, 2002 at 09:06:56PM -0500, dman wrote:
| > | I'll make another version tonight with  your mail save idea, and think about
| > | what  I can  reasonably add  to  do simple  matching on  the body  (anything
| > | matching in the headers can be done with "condition" in the exim ACLs)
| >
| > Hmm, that's an idea.  I reread the ACL part of the spec, and it seems
| > that the system filter can be redone as an acl almost identically,
| > though it makes the text harder to read.  I converted most of it to an
| > acl, but didn't test it yet.
|
| Can you scan the mail body with condition?

Untested so far (busy working on a practical joke tonight :-)) :

    deny    condition = ${if match {"$message_body $message_body_end"} {"(?:Content-.*audio/x-wav.*\.(?:pif|exe))|(?:Content-.*audio/x-mid.*\.(?:scr|exe))|(?:<iframe.*</iframe>)"}}
            log_message = "klez (sender: $sender_address) (From: $h_From:)"
            message = "This message has been rejected because the body contains\ntext that appears to be MIME Content-Type: headers used by KLEZ.\nIf you intended to send the data then please gzip it and resend it."

| > Anyways, one of  the reasons for having the  more general external-process
| > interface  is to  put all  of that  logic into  a separate  program.  This
| > eliminates the  need to rebuild and  re-install exim for each  change, and
| > allows the tests to be written in a higher-level language than C.
|
| Yep, but you're probably not going to be happy with the overhead.

Maybe.  Right now I have substituted /usr/local/bin/mailscanner.py as
the "spamc" command.  It is

#!/usr/bin/python2.2
import sys, os
# os.system() returns the wait status; the exit code is in the high byte
sys.exit( os.system( "/usr/bin/spamc" ) >> 8 )

Thus it provides the overhead of running python without any additional
results.  Thus far it really hasn't hurt performance noticeably.  The
scans are taking between 0 and 4 seconds most of the time and I see no more
than 7 seconds right now (though I should make a script to count it).

It will all depend on how efficiently the more advanced parsing and
logic executes.  That can't be determined without a profiler.

One of the things this more advanced scanner would do is differentiate
between klez and a message on exim-user asking about it.  The problem
with the match above is it doesn't differentiate between mime headers
and the body of the message.  I haven't really thought of any features
beyond that, but like the flexibility it would provide.

| What we really need is for exim to dynamically load a local_scan.so

Yes.  I'd rather keep the local_scan() simple and put the complexity
in a higher-level language.  (my preference is python; use perl if you
prefer)

| As for your  wish to do more serious modifications,  we probably need/want a
| second hook, after the mail has been accepted, as you mentioned earlier.

Yeah, that would be where general-purpose mangling (or de-mangling) of
messages would fit in best.

| I think we should wait for Philip to come back, and discuss this with him.

Sure.

| > PS.  I'm not getting any messages from the list, only the Cc'd copy.
|
| 2002-05-08 18:57:33 175dBT-0002IM-00 => dman@dman.ddts.net F=<sa-exim-bounces+dm
| an=dman.ddts.net@merlins.org> R=lookuphost T=remote_smtp S=5623 H=dman.ddts.net
| [65.107.69.216] C="250 OK id=175dKk-0005bg-00"

That's the first one that came through.  Looks like whatever the
problem was it's gone now (maybe because I tried to subscribe again).

-D

-- 

Who can say, "I have kept my heart pure;
I am clean and without sin"?
        Proverbs 20:9
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
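
Added example (not part of dman's message, and not sa-exim or Exim code): a Python 3 sketch of the header-versus-body distinction described in the message. It parses the MIME structure and flags only real part headers, whereas the posted regex also matches a list post that merely quotes them. The names klez_reasons, SUSPECT, IFRAME and NAIVE and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Content-Type -> executable extensions, taken from the regex in the post.
SUSPECT = {"audio/x-wav": (".pif", ".exe"), "audio/x-mid": (".scr", ".exe")}
IFRAME = re.compile(rb"<iframe.*</iframe>", re.I | re.S)
# The post's pattern, run over the raw bytes (roughly what the ACL does
# with $message_body): it cannot tell a part header from quoted text.
NAIVE = re.compile(rb"(?:Content-.*audio/x-wav.*\.(?:pif|exe))"
                   rb"|(?:Content-.*audio/x-mid.*\.(?:scr|exe))"
                   rb"|(?:<iframe.*</iframe>)")

def klez_reasons(raw):
    """List reasons a message looks like Klez, judged on MIME part headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").lower()
        if ctype in SUSPECT and name.endswith(SUSPECT[ctype]):
            reasons.append("%s part named %s" % (ctype, name))
        elif ctype == "text/html":
            # Only an iframe inside a real HTML part counts, not quoted text.
            if IFRAME.search(part.get_payload(decode=True) or b""):
                reasons.append("iframe in text/html part")
    return reasons

# Constructed sample: Klez-shaped MIME structure with a dummy payload.
KLEZ_SHAPED = (b'Content-Type: multipart/mixed; boundary="B"\n\n'
               b'--B\nContent-Type: text/html\n\n<iframe></iframe>\n'
               b'--B\nContent-Type: audio/x-wav; name=setup.exe\n\nAAAA\n--B--\n')
# Constructed sample: a plain-text list post that only quotes the header.
LIST_POST = (b'Content-Type: text/plain\n\n'
             b'Why is "Content-Type: audio/x-wav; name=setup.exe" rejected?\n')

if __name__ == "__main__":
    for label, raw in (("klez-shaped", KLEZ_SHAPED), ("list post", LIST_POST)):
        print(label, "naive:", bool(NAIVE.search(raw)), "mime:", klez_reasons(raw))
```

Run as a scanner, this would read the message on stdin and reject only when klez_reasons() returns a non-empty list.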

