[SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan
dman
dman at dman.ddts.net
Wed, 8 May 2002 22:42:33 -0500
On Wed, May 08, 2002 at 07:06:29PM -0700, Marc MERLIN wrote:
| On Wed, May 08, 2002 at 09:06:56PM -0500, dman wrote:
| > | I'll make another version tonight with your mail save idea, and think about
| > | what I can reasonably add to do simple matching on the body (anything
| > | matching in the headers can be done with "condition" in the exim ACLs)
| >
| > Hmm, that's an idea. I reread the ACL part of the spec, and it seems
| > that the system filter can be redone as an acl almost identically,
| > though it makes the text harder to read. I converted most of it to an
| > acl, but didn't test it yet.
|
| Can you scan the mail body with condition?
Untested so far (busy working on a practical joke tonight :-)) :
    # Reject when the body matches the MIME patterns Klez uses.
    deny  condition   = ${if match {"$message_body $message_body_end"} {"(?:Content-.*audio/x-wav.*\.(?:pif|exe))|(?:Content-.*audio/x-mid.*\.(?:scr|exe))|(?:<iframe.*</iframe>)"}}
          log_message = "klez (sender: $sender_address) (From: $h_From:)"
          message     = "This message has been rejected because the body contains\ntext that appears to be MIME Content-Type: headers used by KLEZ.\nIf you intended to send the data then please gzip it and resend it."
| > Anyways, one of the reasons for having the more general external-process
| > interface is to put all of that logic into a separate program. This
| > eliminates the need to rebuild and re-install exim for each change, and
| > allows the tests to be written in a higher-level language than C.
|
| Yep, but you're probably not going to be happy with the overhead.
Maybe. Right now I have substituted /usr/local/bin/mailscanner.py as
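the "spamc" command. It is

    #!/usr/bin/python2.2
    # Pass-through wrapper: run spamc on the inherited stdin/stdout.
    import sys, os
    # os.system() returns the wait status; the exit code is in the high byte.
    sys.exit(os.system("/usr/bin/spamc") >> 8)
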
Thus it provides the overhead of running python without any additional
results. Thus far it really hasn't hurt performance noticeably. The
scans are taking between 0 and 4 seconds most of the time and I see no more
than 7 seconds right now (though I should make a script to count it).
It will all depend on how efficiently the more advanced parsing and
logic executes. That can't be determined without a profiler.
One of the things this more advanced scanner would do is differentiate
between klez and a message on exim-user asking about it. The problem
with the match above is it doesn't differentiate between mime headers
and the body of the message. I haven't really thought of any features
beyond that, but I like the flexibility it would provide.
| What we really need is for exim to dynamically load a local_scan.so
Yes. I'd rather keep the local_scan() simple and put the complexity
in a higher-level language. (my preference is python; use perl if you
prefer)
| As for your wish to do more serious modifications, we probably need/want a
| second hook, after the mail has been accepted, as you mentioned earlier.
Yeah, that would be where general-purpose mangling (or de-mangling) of
messages would fit in best.
| I think we should wait for Philip to come back, and discuss this with him.
Sure.
| > PS. I'm not getting any messages from the list, only the Cc'd copy.
|
| 2002-05-08 18:57:33 175dBT-0002IM-00 => dman@dman.ddts.net F=<sa-exim-bounces+dman=dman.ddts.net@merlins.org> R=lookuphost T=remote_smtp S=5623 H=dman.ddts.net [65.107.69.216] C="250 OK id=175dKk-0005bg-00"
That's the first one that came through. Looks like whatever the
problem was it's gone now (maybe because I tried to subscribe again).
-D
-- 
Who can say, "I have kept my heart pure;
I am clean and without sin"?
Proverbs 20:9
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
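
The distinction raised in the message above, between real MIME part headers and body text that merely mentions them, shown as an added example (not code from this thread or from SA-Exim). It uses Python 3's standard email package; the function name, the restriction of the iframe test to text/html parts, and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Type/extension pairs and the iframe test are taken from the regex in the post.
KLEZ_PAIRS = {"audio/x-wav": (".pif", ".exe"), "audio/x-mid": (".scr", ".exe")}
IFRAME = re.compile(rb"<iframe.*</iframe>", re.I | re.S)

def klez_indicators(raw):
    """Return reasons a message looks like Klez, judged on MIME part headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        # Only parsed part headers count, never body text that mentions them.
        if name.endswith(KLEZ_PAIRS.get(ctype, ())):
            reasons.append(f"{ctype} part named {name}")
        elif ctype == "text/html":
            html = part.get_payload(decode=True) or b""  # raw bytes, any charset
            if IFRAME.search(html):
                reasons.append("iframe in text/html part")
    return reasons

# Constructed sample: a Klez-shaped message with a harmless placeholder payload.
SAMPLE_KLEZ = b"""From: a@example.org
Content-Type: multipart/alternative; boundary="B"

--B
Content-Type: text/html

<html><iframe src=cid:x height=0 width=0></iframe></html>
--B
Content-Type: audio/x-wav; name="setup.exe"

AAAA
--B--
"""
# Constructed sample: a list post that only talks about those headers.
SAMPLE_DISCUSSION = b"""From: user@example.org
Content-Type: text/plain

Klez parts look like:
Content-Type: audio/x-wav; name="foo.exe"
<iframe src=cid:foo></iframe>
"""
if __name__ == "__main__":
    for label, raw in (("klez-shaped", SAMPLE_KLEZ), ("discussion", SAMPLE_DISCUSSION)):
        print(label, klez_indicators(raw) or "accept")
```

The body-wide regex from the message would match both samples; the structural check flags only the first.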