Installing SpamAssassin with Sendmail

Introduction

SpamAssassin is a mail filter to identify spam by using a large rule base and a Bayesian classifier. From all the reviews I've seen and comments I've heard SpamAssassin is supposed to be the very best mail filter around with something like a 95% success rate at catching spam. This tutorial explains how to install SpamAssassin on a Debian system with the Sendmail Mail Transport Agent. It is assumed that you already have Sendmail configured and working.

 

Instructions

As stated above, these instructions relate to installing SpamAssassin on a Debian system, but they could easily be adapted to other Linux systems. Also, it is assumed that you already have a fully working Sendmail MTA.

 

Installing SpamAssassin

The first thing to do is grab a copy of SpamAssassin from spamassassin.org. This can then be compiled and installed as follows:
   tar xzf Mail-SpamAssassin-2.63.tar.gz
   cd Mail-SpamAssassin-2.63/
   perl Makefile.PL
   make
   make install

This will have hopefully installed the SpamAssassin daemon and client. A startup/shutdown script has been placed in /etc/init.d. Before you can start it however, we need to edit the defaults file located in /etc/default/spamassassin. You will need to edit the ENABLED line to say
   ENABLED=1
You may also want to change the OPTIONS line so that SpamAssassin runs as a non-root user, for security:
   OPTIONS="-u mail"

SpamAssassin rules are stored in /usr/local/share/spamassassin/ and the system-wide config file is stored in /etc/mail/spamassassin/local.cf. In here you can set things such as the score level for spam, whether or not to rewrite the header, whether to send a report, etc. I edited mine to include the following:
   rewrite_subject 1
   report_header 0
   subject_tag [SPAM]
   use_terse_report 1
   score MICROSOFT_EXECUTABLE 10
This basically tells SpamAssassin to rewrite the headers of spam emails and tag them with [SPAM] at the front of the subject. You can then use your email client to filter emails starting with [SPAM] and do with them what you please. I have also set SpamAssassin to include a brief report for all spam emails; the spam itself is included as an attachment to the report. The final line gives a score of 10 to any email that includes an MS executable as an attachment. As the default score threshold for spam is 5, all emails containing an executable will be marked as spam. Note that this does not mean you can stop using your virus checker!

Please read the docs for more information on configuring SpamAssassin for your needs, but generally the defaults should suffice, especially if you are using SpamAssassin for personal use on your own mail server. Now you can start the SpamAssassin daemon, which will wait patiently for connections and then process email messages, tacking on headers and spam reports as necessary. Start it by doing:
   /etc/init.d/spamassassin start

 

Installing the Mail Filter

The next thing to do is install the Sendmail Mail Filter API (Milter). This allows third-party programs, such as SpamAssassin, access to mail messages as they are being processed in order to filter headers and content. You can install this by doing:
   apt-get install libmilter-dev

Now you need to install the SpamAssassin Milter Plugin. You can then compile and install as follows:
   tar xzf spamass-milter-0.2.0.tar.gz
   cd spamass-milter-0.2.0/
   ./configure
   make
   make install

Hopefully the SpamAssassin Milter will have compiled and installed successfully. Inside the contrib/ folder you'll find a startup/shutdown script called spamass-milter. Copy this to /etc/init.d/. Now you will need to edit some of the options at the top of the file. These are the options I'm using:
   PATH=/sbin:/bin:/usr/sbin:/usr/bin
   DAEMON=/usr/local/sbin/spamass-milter
   SOCKET=/var/run/sendmail/spamass.sock
   DESC="Sendmail milter plugin for SpamAssassin"

Once you've done all that you can start the SpamAssassin Milter by typing:
   /etc/init.d/spamass-milter start

 

Configuring Sendmail

All that remains now is to configure sendmail to pass all mail through the SpamAssassin mail filter. You can do this by simply adding the following line to your sendmail.mc file:
   INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl

You then need to rebuild the sendmail configuration by running make in /etc/mail, and finally restart sendmail by issuing:
   /etc/init.d/sendmail restart
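
The socket path appears twice in this setup, once as SOCKET in the milter init script and once as S=local: in sendmail.mc, and with the F= flag left empty sendmail delivers mail unfiltered whenever it cannot reach that socket. The following check is an added example, not part of the original tutorial; the function names are hypothetical and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: cross-check the spamass-milter init script against sendmail.mc.
# Function names are hypothetical; the paths in the usage line are assumptions.

# Socket path from the init script's SOCKET= line (optional double quotes stripped).
init_socket() {
    sed -n 's/^[[:space:]]*SOCKET="\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Socket path from INPUT_MAIL_FILTER(..., `S=local:PATH, ...').
mc_socket() {
    sed -n "/^INPUT_MAIL_FILTER/s/.*S=local:\([^,']*\).*/\1/p" "$1" | head -n 1
}

# What sendmail does when the filter is unreachable, taken from the F= flag:
# F=R rejects, F=T temp-fails, an empty flag delivers the mail unfiltered.
mc_onfail() {
    flag=$(sed -n "/^INPUT_MAIL_FILTER/s/.*F=\([A-Za-z]*\).*/\1/p" "$1" | head -n 1)
    case $flag in
        R) echo reject ;;
        T) echo tempfail ;;
        *) echo deliver-unfiltered ;;
    esac
}

# Prints one status line; returns 0 only when both files name the same,
# existing UNIX socket.
check_milter_config() {
    init_path=$(init_socket "$1")
    mc_path=$(mc_socket "$2")
    onfail=$(mc_onfail "$2")
    if [ -z "$init_path" ] || [ -z "$mc_path" ]; then
        echo "MISSING socket setting"; return 2
    fi
    if [ "$init_path" != "$mc_path" ]; then
        echo "MISMATCH init=$init_path mc=$mc_path onfail=$onfail"; return 1
    fi
    if [ ! -S "$init_path" ]; then
        echo "NOSOCKET $init_path onfail=$onfail"; return 1
    fi
    echo "OK $init_path onfail=$onfail"
}

# Usage: check_milter_config /etc/init.d/spamass-milter /etc/mail/sendmail.mc
```

A MISMATCH or NOSOCKET result together with onfail=deliver-unfiltered means mail is currently bypassing SpamAssassin without any bounce or error to the sender.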

 

Testing

At this stage everything should have hopefully gone to plan and Sendmail will now be passing all your incoming mail through SpamAssassin. If you want to check it's working, try sending yourself an email such as this:

   Subject: Free Instant

   <html>

    <p>
    THIS STUFF IS 100% FREE GUARANTEED<br/>
    BUY IT<br/>
    BUY IT, NOW
    </p>
    <img src="http://www.somewhere.com/someimage.gif">

    <p>CLICK TO BE REMOVED <a href="mailto:spamer@idontcare.com">spamer@idontcare.com</a></p>
   </html>
      

An email such as this is guaranteed to upset SpamAssassin and you should receive an email such as this in your inbox:

   From: evil-spammer@spam.com
   To: me@here.com
   Subject: [SPAM] Free Instant
   Date: Mon, 12 Apr 2004 11:20:02 +0100
   Mime-Version: 1.0
   X-OriginalArrivalTime: 12 Apr 2004 10:20:02.0547 (UTC) FILETIME=[B786AC30:01C42077]
   X-Spam-Flag: YES
   X-Spam-Status: Yes, hits=7.9 required=5.0 tests=CLICK_BELOW,COMPLETELY_FREE,
       HTML_40_50,HTML_IMAGE_ONLY_02,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
       MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,SUBJ_FREE_INSTANT,SUB_FREE_OFFER,
       UPPERCASE_25_50 autolearn=no version=2.63
   X-Spam-Level: *******
   X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)

   This is a multi-part message in MIME format.

   ------------=_407A6C41.DA61AE0D
   Content-Type: text/plain
   Content-Disposition: inline
   Content-Transfer-Encoding: 8bit

   Spam detection software, running on the system "here.com", has
   identified this incoming email as possible spam.  The original message
   has been attached to this so you can view it (if it isn't spam) or block
   similar future email.  If you have any questions, see
   the administrator of that system for details.

   Content analysis details:   (7.9 points, 5.0 required)

    pts rule name              description
   ---- ---------------------- --------------------------------------------------
    2.8 SUBJ_FREE_INSTANT      Subject contains "Free Instant"
    0.5 SUB_FREE_OFFER         Subject starts with "Free"
    0.7 COMPLETELY_FREE        BODY: No such thing as a free lunch (2)
    0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
    0.0 HTML_MESSAGE           BODY: HTML included in message
    0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
    0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
    2.2 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
    0.7 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
    0.0 CLICK_BELOW            Asks you to click below
    0.3 UPPERCASE_25_50        message body is 25-50% uppercase

   The original message was not completely plain text, and may be unsafe to
   open with some email clients; in particular, it may contain a virus,
   or confirm that your address can receive spam.  If you wish to view
   it, it may be safer to save it to a file and open it with an editor.


   ------------=_407A6C41.DA61AE0D
   Content-Type: message/rfc822; x-spam-type=original
   Content-Description: original message before SpamAssassin
   Content-Disposition: attachment
   Content-Transfer-Encoding: 8bit

   From: evil-spammer@spam.com
   To: me@here.com
   Subject: Free Instant
   Date: Mon, 12 Apr 2004 11:20:02 +0100

      <html>
       <p>
       THIS STUFF IS 100% FREE GUARANTEED<br/>
       BUY IT<br/>

       BUY IT, NOW
       </p>
       <img src="http://www.somewhere.com/someimage.gif">
       <p>CLICK TO BE REMOVED <a href="mailto:spamer@idontcare.com">spamer@idontcare.com</a></p>
      </html>

   ------------=_407A6C41.DA61AE0D--
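
To confirm the result without relying on the subject tag, the verdict can be read from the X-Spam-* headers, which are folded across several lines as shown above. This is an added example, not part of the original tutorial; spam_verdict is a hypothetical helper name, and the score= fallback covers later SpamAssassin releases that renamed hits=.

```shell
#!/bin/sh
# Added example: read the SpamAssassin verdict from the headers of one message
# on stdin. Prints "unscanned" when no X-Spam-Status header is present.
# spam_verdict is a hypothetical helper name.
spam_verdict() {
    awk '
    # Numeric value of key=NUMBER inside s, or "" when the key is absent.
    function num(s, key) {
        if (!match(s, key "=-?[0-9.]+")) return ""
        return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
    }
    /^$/ { exit }                               # blank line ends the header block
    /^[ \t]/ {                                  # folded continuation line
        if (cur != "") hdr[cur] = hdr[cur] " " $0
        next
    }
    {
        i = index($0, ":")
        cur = (i > 1) ? tolower(substr($0, 1, i - 1)) : ""
        if (cur in hdr) cur = ""                # keep the first occurrence only
        if (cur != "") hdr[cur] = substr($0, i + 1)
    }
    END {
        st = hdr["x-spam-status"]
        if (st == "") { print "unscanned"; exit }
        hits = num(st, "hits")
        if (hits == "") hits = num(st, "score") # later releases write score=
        tests = st
        if (!sub(/.*tests=/, "", tests)) tests = ""
        sub(/ +[a-z]+=.*/, "", tests)           # drop autolearn=, version=
        gsub(/[ \t]/, "", tests)                # remove folding whitespace
        n = (tests == "" || tests == "none") ? 0 : split(tests, t, ",")
        subj = hdr["subject"]
        sub(/^[ \t]+/, "", subj)
        flag = (hdr["x-spam-flag"] ~ /YES/) ? "yes" : "no"
        tag = (index(subj, "[SPAM]") == 1) ? "yes" : "no"
        printf "spam=%s hits=%s required=%s tests=%d tagged=%s\n",
            flag, hits, num(st, "required"), n, tag
    }'
}

# Usage: spam_verdict < saved-message.eml
```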
      

 

Logcheck

Those of you who run logcheck on your systems may start receiving emails with information from sendmail such as the one below:

   This mail is sent by logcheck. If you do not want to receive it any more,
   please modify the configuration files in /etc/logcheck or deinstall logcheck.

   Unusual System Events
   =-=-=-=-=-=-=-=-=-=-=
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Subject: from Free Instant to [SPAM] Free Instant
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Subject: from Free Instant to [SPAM] Free Instant
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Subject: from Free Instant to [SPAM] Free Instant
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter change: header  Content-Type: from text/html to multipart/mixed; boundary="----------=_407A6C41.DA61AE0D"
   Apr 12 11:15:29 here.com sendmail[20779]: i3CAFKqP020779: Milter message: body replaced
      

To stop receiving these emails you can add the following two lines to /etc/logcheck/logcheck.ignore:
   *Milter change*
   *Milter message*
