Installing SpamAssassin with Sendmail
Introduction
SpamAssassin is a mail filter that identifies spam by using a large rule base and a Bayesian classifier. From all the reviews I've seen and comments I've heard, SpamAssassin is supposed to be the very best mail filter around, with something like a 95% success rate at catching spam. This tutorial explains how to install SpamAssassin on a Debian system with the Sendmail Mail Transport Agent. It is assumed that you already have Sendmail configured and working.
Instructions
As stated above, these instructions relate to installing SpamAssassin on a Debian system, but they could easily be adapted to other Linux systems. Also, it is assumed that you already have a fully working Sendmail MTA.
Installing SpamAssassin
The first thing to do is grab a copy of SpamAssassin from spamassassin.org. This can then be compiled and installed as follows:
tar xzf Mail-SpamAssassin-2.63.tar.gz
cd Mail-SpamAssassin-2.63/
perl Makefile.PL
make
make install
This will hopefully have installed the SpamAssassin daemon and client. A startup/shutdown script has been placed in /etc/init.d. Before you can start it, however, you need to edit the defaults file located in /etc/default/spamassassin. You will need to edit the ENABLED line to say:
ENABLED=1
You may also want to change the OPTIONS line to make SpamAssassin run as a non-root user for security:
OPTIONS="-u mail"
SpamAssassin rules are stored in /usr/local/share/spamassassin/ and the system-wide config file is stored in /etc/mail/spamassassin/local.cf. In here you can set things such as the score level for spam, whether or not to rewrite the header, whether to send a report, etc. I edited mine to include the following:
rewrite_subject 1
report_header 0
subject_tag [SPAM]
use_terse_report 1
score MICROSOFT_EXECUTABLE 10
This basically tells SpamAssassin to rewrite the headers of spam emails and tag them with [SPAM] at the front of the subject. You can then use your email client to filter emails starting with [SPAM] and do with them what you please. I have also set SpamAssassin to include a brief report for all spam emails; the spam itself is included as an attachment to the report. The final line gives a score of 10 to any email that includes an MS executable as an attachment. As the default score for spam is 5, all emails containing an executable will be marked as spam. Note that this does not mean you can stop using your virus checker!
Please read the docs for more information on configuring SpamAssassin for your needs, but generally the defaults should suffice, especially if you are using SpamAssassin for personal use on your own mail server. Now you can start the SpamAssassin daemon, which will wait for connections and then process email messages, adding headers and spam reports as necessary. Start it by doing:
/etc/init.d/spamassassin start
Installing the Mail Filter
The next thing to do is install the Sendmail Mail Filter API (Milter). This allows third-party programs, such as SpamAssassin, access to mail messages as they are being processed in order to filter headers and content. You can install this by doing:
apt-get install libmilter-dev
Now you need to install the SpamAssassin Milter Plugin. You can then compile and install it as follows:
tar xzf spamass-milter-0.2.0.tar.gz
cd spamass-milter-0.2.0/
./configure
make
make install
Hopefully the SpamAssassin Milter will have compiled and installed successfully. Inside the contrib/ folder you'll find a startup/shutdown script called spamass-milter. Copy this to /etc/init.d/. Now you will need to edit some of the options at the top of the file. These are the options I'm using:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/spamass-milter
SOCKET=/var/run/sendmail/spamass.sock
DESC="Sendmail milter plugin for SpamAssassin"
Once you've done all that you can start the SpamAssassin Milter by typing:
/etc/init.d/spamass-milter start
Configuring Sendmail
All that remains now is to configure sendmail to pass all mail through the SpamAssassin mail filter. You can do this by simply adding the following line to your sendmail.mc file:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl
You then need to rebuild the sendmail config stuff by running make in /etc/mail and finally restart sendmail by issuing:
/etc/init.d/sendmail restart
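A consistency check for the wiring above, as an added example (not part of the original tutorial or of either project): it parses the INPUT_MAIL_FILTER line, compares its socket with the SOCKET= value from the init script, and reports that an empty F= leaves sendmail delivering mail unfiltered when the milter cannot be reached. The function names and the embedded sample strings are assumptions made for the illustration.

```python
import re

# Constructed samples using the values from this tutorial.
SENDMAIL_MC = (
    "INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, "
    "F=,T=C:15m;S:4m;R:4m;E:10m')dnl\n"
)
INIT_SCRIPT = (
    "DAEMON=/usr/local/sbin/spamass-milter\n"
    "SOCKET=/var/run/sendmail/spamass.sock\n"
)

# Anchored at line start so that lines commented out with dnl are ignored.
FILTER_RE = re.compile(r"^\s*INPUT_MAIL_FILTER\(`([^']*)',\s*`([^']*)'\)", re.M)


def parse_filters(mc_text):
    """Map each INPUT_MAIL_FILTER name to its S=, F= and T= fields."""
    filters = {}
    for name, spec in FILTER_RE.findall(mc_text):
        fields = {}
        for part in spec.split(","):
            key, _, value = part.strip().partition("=")
            fields[key] = value
        filters[name] = fields
    return filters


def audit(mc_text, init_text, name="spamassassin"):
    """Return a list of findings about how the milter is wired into sendmail."""
    spec = parse_filters(mc_text).get(name)
    if spec is None:
        return ["no INPUT_MAIL_FILTER named %r: mail is not filtered" % name]
    findings = []
    # sendmail writes Unix sockets as local:/path or unix:/path.
    sock = re.sub(r"^(local|unix):", "", spec.get("S", ""))
    m = re.search(r"^SOCKET=(\S+)", init_text, re.M)
    if m is None or m.group(1) != sock:
        findings.append("socket mismatch: sendmail uses %s" % sock)
    # Without F=T (tempfail) or F=R (reject), sendmail carries on as if the
    # filter did not exist whenever it cannot reach the milter.
    flags = spec.get("F", "")
    if "T" not in flags and "R" not in flags:
        findings.append("fail-open: mail is delivered unfiltered if the milter is down")
    return findings


if __name__ == "__main__":
    for finding in audit(SENDMAIL_MC, INIT_SCRIPT):
        print(finding)
```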
Testing
At this stage everything should have hopefully gone to plan and Sendmail will now be passing all your incoming mail through SpamAssassin. If you want to check it's working, try sending yourself an email such as this:
Subject: Free Instant

<html>
<p>
THIS STUFF IS 100% FREE GUARANTEED<br/>
BUY IT<br/>
BUY IT, NOW
</p>
<img src="http://www.somewhere.com/someimage.gif">
<p>CLICK TO BE REMOVED <a href="mailto:spamer@idontcare.com">spamer@idontcare.com</a></p>
</html>
An email such as this is guaranteed to upset SpamAssassin and you should receive an email such as this in your inbox:
From: evil-spammer@spam.com
To: me@here.com
Subject: [SPAM] Free Instant
Date: Mon, 12 Apr 2004 11:20:02 +0100
Mime-Version: 1.0
X-OriginalArrivalTime: 12 Apr 2004 10:20:02.0547 (UTC) FILETIME=[B786AC30:01C42077]
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=7.9 required=5.0 tests=CLICK_BELOW,COMPLETELY_FREE,
    HTML_40_50,HTML_IMAGE_ONLY_02,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
    MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,SUBJ_FREE_INSTANT,SUB_FREE_OFFER,
    UPPERCASE_25_50 autolearn=no version=2.63
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)

This is a multi-part message in MIME format.

------------=_407A6C41.DA61AE0D
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "here.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
the administrator of that system for details.

Content analysis details: (7.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.8 SUBJ_FREE_INSTANT      Subject contains "Free Instant"
 0.5 SUB_FREE_OFFER         Subject starts with "Free"
 0.7 COMPLETELY_FREE        BODY: No such thing as a free lunch (2)
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
 2.2 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
 0.7 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
 0.0 CLICK_BELOW            Asks you to click below
 0.3 UPPERCASE_25_50        message body is 25-50% uppercase

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

------------=_407A6C41.DA61AE0D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

From: evil-spammer@spam.com
To: me@here.com
Subject: Free Instant
Date: Mon, 12 Apr 2004 11:20:02 +0100

<html>
<p>
THIS STUFF IS 100% FREE GUARANTEED<br/>
BUY IT<br/>
BUY IT, NOW
</p>
<img src="http://www.somewhere.com/someimage.gif">
<p>CLICK TO BE REMOVED <a href="mailto:spamer@idontcare.com">spamer@idontcare.com</a></p>
</html>

------------=_407A6C41.DA61AE0D--
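To check the result without reading headers by eye, the added example below (not from the original tutorial) parses the X-Spam-Status header of a delivered message, including its folded continuation lines, and confirms the verdict agrees with the score and the [SPAM] subject tag. It also accepts the score= key that SpamAssassin 3.x writes in place of hits=, which goes beyond the 2.63 output shown here; spam_verdict and the sample message are constructed for the illustration.

```python
from email import message_from_string

# Constructed sample: the headers of the tagged message shown above, with the
# X-Spam-Status header folded across lines as in the delivered mail.
TAGGED = (
    "From: evil-spammer@spam.com\n"
    "To: me@here.com\n"
    "Subject: [SPAM] Free Instant\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, hits=7.9 required=5.0 tests=CLICK_BELOW,COMPLETELY_FREE,\n"
    "\tHTML_40_50,HTML_IMAGE_ONLY_02,HTML_LINK_CLICK_HERE,HTML_MESSAGE,\n"
    "\tMIME_HTML_NO_CHARSET,MIME_HTML_ONLY,SUBJ_FREE_INSTANT,SUB_FREE_OFFER,\n"
    "\tUPPERCASE_25_50 autolearn=no version=2.63\n"
    "\n"
    "body omitted\n"
)


def spam_verdict(raw_message, tag="[SPAM]"):
    """Summarise SpamAssassin's headers, or return None if they are absent."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None  # the message never went through the filter
    # Unfold the header: collapse line breaks, then rejoin the split test list.
    status = " ".join(status.split()).replace(", ", ",")
    verdict, _, rest = status.partition(",")
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    # SpamAssassin 2.x writes hits=, 3.x and later write score=.
    hits = float(fields.get("hits", fields.get("score", "nan")))
    required = float(fields.get("required", "nan"))
    tests = fields.get("tests", "none")  # "none" means no rule matched
    flagged = verdict == "Yes"
    return {
        "flagged": flagged,
        "hits": hits,
        "required": required,
        "tests": [] if tests == "none" else tests.split(","),
        # The verdict should agree with the score and with the Subject tag.
        "consistent": (hits >= required) == flagged,
        "subject_tagged": (msg.get("Subject") or "").startswith(tag),
    }


if __name__ == "__main__":
    print(spam_verdict(TAGGED))
```

A result of None for a message that arrived from outside means it bypassed the milter entirely.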
Logcheck
Those of you who run logcheck on your systems may start receiving emails with information from sendmail such as the one below:
This mail is sent by logcheck. If you do not want to receive it any more,
please modify the configuration files in /etc/logcheck or deinstall logcheck.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Subject: from Free Instant to [SPAM] Free Instant
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Subject: from Free Instant to [SPAM] Free Instant
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Subject: from Free Instant to [SPAM] Free Instant
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
To stop receiving these emails you can add the following 2 lines to /etc/logcheck/logcheck.ignore:
*Milter change*
*Milter message*