The Email Gateway we are going to be building here can be illustrated by the following diagram:\n\n[img[Overview of Email Gateway|overview.png]]\n\nNext: The_Tools
Any software or utility that is used to combat spam.
Any software or utility which is meant to combat viri. Specifically in this wiki, we are talking about anti-virus software.
!!Bayesian (http://www.paulgraham.com/spam.html)\nBayesian Learning Spam Filters are anything which uses an adaptive algorithm to “learn” what is and what isn't spam. In theory these can be highly effective spam filters over time as they improve. In practice, however, they tend to require more effort on the part of the user than is desired.\n\nThat being said, Bayesian filters can still be very effective and only add to the other components in this system, so they are included.
Expanding the system\n*[[Expanding_Spam_Filtration]]\n*[[Razor]]\n*[[DCC]]\n*[[Bayesian]]\n\n[[SpamAssassin_Scores]]\n\n[[Considerations]]\n
Configuring_Postfix\nConfiguring_SpamAssassin\nConfiguring_ClamAV\nConfiguring_Amavis\n\n[[Testing_the_system]]
Our final component to configure is Amavis. The main file we will be editing is the amavis configuration file {{{/etc/amavis/amavisd.conf}}}. This file is rather large, and there is a lot of information here. We won't go into depth on every option inside this file now, however everything is very well documented inside the file. We will touch on those settings essential for our gateway.\n\n!!!!Host configuration\nWe will want to specify the domain of our mail server first:\n{{{\n# $mydomain serves as a quick default for some other configuration settings.\n# More refined control is available with each individual setting further down.\n# $mydomain is never used directly by the program.\n$mydomain = 'example.com'; # (no useful default)\n}}}\n\nWe then want to uncomment the Postfix settings in the MTA section:\n{{{\n# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,\n# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'\n\n# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4\n# (set host and port number as required; host can be specified\n# as IP address or DNS name (A or CNAME, but MX is ignored)\n$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail\n$notify_method = $forward_method; # where to submit notifications\n}}}\n\n!!!!Spam/Viral Handling\n\nThe next section we will want to look at is {{{Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine}}}. Here we will find the specifics of what we want to do with each item of spam and viri. 
Read through the documentation in the configuration file for the full details on what each setting means.\n\n{{{\n$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)\n$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)\n$final_spam_destiny = D_PASS; # (defaults to D_REJECT)\n$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested\n}}}\n\nIf we want anything to be quarantined, we will want to set the following:\n\n{{{\n# Location to put infected mail into: (applies to 'local:' quarantine method)\n# empty for not quarantining, may be a file (mailbox),\n# or a directory (no trailing slash)\n# (the default value is undef, meaning no quarantine)\n#\n#$QUARANTINEDIR = '/var/lib/amavis/virusmails';\n\n$QUARANTINEDIR = undef;\n}}}\n\nWe can also set what (if anything) we want to add to the headers of our messages for verification that they have been scanned by the system:\n\n{{{\n# Add X-Virus-Scanned header field to mail?\n$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)\n# Leave empty to add no header # (default: undef)\n$X_HEADER_LINE = "by Amavis-new,ClamAV at mail.samhart.net";\n}}}\n\nNow we want to set our SpamAssassin thresholds:\n{{{\n# default values, can be overridden by more specific lookups, e.g. 
SQL\n$sa_tag_level_deflt = -100; # add spam info headers if at, or above that level\n$sa_tag2_level_deflt = 4.1; # add 'spam detected' headers at that level\n$sa_kill_level_deflt = 4.1; # triggers spam evasive actions\n # at or above that level: bounce/reject/drop,\n # quarantine, and adding mail address extension\n#\n# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt\n# may also be hashrefs to hash lookup tables, to make static per-recipient\n# settings possible without having to resort to SQL or LDAP lookups.\n\n# a quick reference:\n# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,\n# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,\n# kill_level controls 'evasive actions' (reject, quarantine, extensions);\n# it only makes sense to maintain the relationship:\n# tag_level <= tag2_level <= kill_level\n}}}\n\nFinally, we want to ensure that ClamAV is enabled (note that the path to the PID file has been changed to the Amavis directory since ClamAV is being controlled & run by Amavis):\n\n{{{\n### http://www.clamav.net/\n['Clam Antivirus-clamd',\n \s&ask_daemon, ["CONTSCAN {}\sn", "/var/run/amavis/clamd.ctl"],\n qr/\sbOK$/, qr/\sbFOUND$/,\n qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],\n# NOTE: run clamd under the same user as amavisd; match the socket\n# name (LocalSocket) in clamav.conf to the socket name in this entry\n# When running chrooted one may prefer: ["CONTSCAN {}\sn","$MYHOME/clamd"],\n...\n ### http://www.clamav.net/\n ['Clam Antivirus - clamscan', 'clamscan',\n "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],\n qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],\n}}}\n
ClamAV requires only minor modification. Simply {{{dpkg-reconfigure clamav-base}}} and set the following settings:\n{{{\n#Automatically Generated by clamav-base postinst\n#To reconfigure clamd run #dpkg-reconfigure clamav-base\nLocalSocket /var/run/amavis/clamd.ctl\nFixStaleSocket\nUser amavis\nAllowSupplementaryGroups\nScanMail\nScanArchive\nArchiveMaxRecursion 5\nArchiveMaxFiles 1000\nArchiveMaxFileSize 10M\nArchiveMaxCompressionRatio 250\nMaxDirectoryRecursion 20\nReadTimeout 180\nMaxThreads 2\nMaxConnectionQueueLength 15\nLogSyslog\nLogFile /var/log/clamav/clamav.log\nLogTime\nLogFileMaxSize 0\nPidFile /var/run/amavis/clamd.pid\nDatabaseDirectory /var/lib/clamav/\nSelfCheck 3600\nScanOLE2\nScanPE\nDetectBrokenExecutables\nScanHTML\nArchiveBlockMax\n}}}\n\nFreshclam should not require any configuring. We might want to take a look at {{{/etc/clamav/freshclam.conf}}} to make sure nothing is too wacky:\n{{{\n# Automatically created by the clamav-freshclam postinst\n# Comments will get lost when you reconfigure the clamav-freshclam package\n\nDatabaseOwner clamav\nUpdateLogFile /var/log/clamav/freshclam.log\nLogFileMaxSize 0\nMaxAttempts 5\n# Check for new database 24 times a day\nChecks 24\nDatabaseMirror db.local.clamav.net\nDatabaseMirror database.clamav.net\nDatabaseDirectory /var/lib/clamav/\nNotifyClamd\nDNSDatabaseInfo current.cvd.clamav.net\n}}}\n\nIf you wish to reconfigure Freshclam, do so using {{{dpkg-reconfigure clamav-freshclam}}}. Do not edit this file directly by hand, as your changes will be lost the next time Freshclam is updated.
Postfix is relatively straightforward to set up. It is also quite versatile. Configuring Postfix more generally is beyond the scope of this document. However, there are a great many resources out there to help you. Here is a small sampling of documents on Postfix configuration:\n* http://postfix.org/\n* http://www.postfix.org/documentation.html\n* http://www.postfix.org/docs.html\n* http://postfixwiki.org/\n\nBecause Postfix comes with a very workable install, we will simply modify those things we need in order to enable anti-spam and anti-viral scanning.\n\nThe configuration files for Postfix can be found in {{{/etc/postfix}}}.\n\n!!master.cf\n\n{{{/etc/postfix/master.cf}}} is the Postfix master process control file. We want to add an SMTP gateway to our Amavis filter. Add the following to the end of the file:\n\n{{{\n#\n# The amavis interface\n#\nsmtp-amavis unix - - y - 2 smtp\n -o smtp_data_done_timeout=1200\n -o disable_dns_lookups=yes\n127.0.0.1:10025 inet n - y - 2 smtpd\n -o content_filter=\n -o local_recipient_maps=\n -o relay_recipient_maps=\n -o smtpd_restriction_classes=\n -o smtpd_client_restrictions=\n -o smtpd_helo_restrictions=\n -o smtpd_sender_restrictions=\n -o smtpd_recipient_restrictions=permit_mynetworks,reject\n -o mynetworks=127.0.0.0/8\n -o strict_rfc821_envelopes=yes\n}}}\n\n!!main.cf\n\n{{{/etc/postfix/main.cf}}} is the main configuration file for Postfix. The contents of this file control the general operation of Postfix. This file can either be edited manually or updated using the {{{postconf}}} command. 
Once configured, this file should look something like this (note that the following configuration uses the {{{transport}}} maps which is described below and makes this server act as a true mail gateway):\n\n{{{\n# See /usr/share/postfix/main.cf.dist for a commented, more complete version\n \nsmtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)\nbiff = no\n \n# appending .domain is the MUA's job.\nappend_dot_mydomain = no\n \n# Uncomment the next line to generate "delayed mail" warnings\n#delay_warning_time = 4h\n \nmydomain = example.com\nmyhostname = host.$mydomain\nalias_maps = hash:/etc/aliases\nalias_database = hash:/etc/aliases\nmyorigin = /etc/mailname\nmydestination = $mydomain, localhost.localdomain, localhost.localdomain, localhost\nrelayhost =\nmynetworks = 127.0.0.0/8\nmailbox_command = procmail -a "$EXTENSION"\nmailbox_size_limit = 0\nrecipient_delimiter = +\ninet_interfaces = all\ncontent_filter=smtp-amavis:[127.0.0.1]:10024\ntransport_maps = hash:/etc/postfix/transport\n}}}\n\n!!Acting as a proper gateway\nIf we were really setting this system up to be an email gateway (e.g., it accepts mail from remote sources, processes it, and then passes it on to another server for delivery) we would want to modify the {{{/etc/postfix/transport}}} file.\n\nFor example, if we had a mail server that is already in use with the IP address 192.168.1.76, and we wanted this anti-spam/anti-viral gateway to transfer mail to it for local delivery, we would add the following to the {{{/etc/postfix/transport}}} file:\n{{{\n# We want to redirect all scanned mail to our main server\n* smtp:[192.168.1.76]\n}}}\n\nAfterwards, we would want to run the {{{postmap}}} command to make the .db file which Postfix will actually use:\n{{{\n# postmap /etc/postfix/transport\n}}}
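The re-injection listener on port 10025 in the {{{master.cf}}} listing above is the part of this setup that most needs checking after any edit: it must stay on loopback, it must clear {{{content_filter}}} so that already-scanned mail is not sent to Amavis again, and it must accept mail only from the local host. The following is an added example, not part of the original wiki or of Postfix; the function names and the "broken" sample are constructed for illustration.

```python
import ipaddress
import shlex

# master.cf entries and content_filter value as given in this wiki.
WIKI_MASTER_CF = """\
#
# The amavis interface
#
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - y - 2 smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
"""
WIKI_CONTENT_FILTER = "smtp-amavis:[127.0.0.1]:10024"

# Constructed misconfiguration: no bind address, no content_filter override,
# and a LAN range added to mynetworks.
BROKEN_MASTER_CF = """\
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
10025 inet n - y - 2 smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,192.168.0.0/16
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_master(text):
    """Return one dict per service: name, type, command and its -o overrides."""
    services = []
    for line in logical_lines(text):
        fields = shlex.split(line)
        if len(fields) < 8:
            continue  # not a complete service entry
        args, opts, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                opts[key] = value
                i += 2
            else:
                i += 1
        services.append({"service": fields[0], "type": fields[1],
                         "command": fields[7], "opts": opts})
    return services


def only_loopback(mynetworks):
    """True if every entry of a mynetworks value is a loopback network."""
    entries = mynetworks.replace(",", " ").split()
    if not entries:
        return False
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip("[]").replace("]", ""), strict=False)
        except ValueError:
            return False
        if not net.is_loopback:
            return False
    return True


def audit(master_text, content_filter, reinject_port="10025"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    services = parse_master(master_text)
    transport = content_filter.split(":", 1)[0]
    if not any(s["service"] == transport and s["type"] == "unix" for s in services):
        findings.append(f"content_filter transport '{transport}' is not defined")
    listeners = [s for s in services
                 if s["type"] == "inet" and s["command"] == "smtpd"
                 and s["service"].rsplit(":", 1)[-1] == reinject_port]
    if not listeners:
        findings.append(f"no smtpd re-injection listener on port {reinject_port}")
    for s in listeners:
        host = s["service"].rsplit(":", 1)[0] if ":" in s["service"] else ""
        if host not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append("re-injection listener is not bound to loopback")
        if s["opts"].get("content_filter") != "":
            findings.append("content_filter not cleared: scanned mail would loop")
        if not only_loopback(s["opts"].get("mynetworks", "")):
            findings.append("mynetworks on the listener is wider than loopback")
        if s["opts"].get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
            findings.append("recipient restrictions do not end in reject")
    return findings


if __name__ == "__main__":
    print(audit(WIKI_MASTER_CF, WIKI_CONTENT_FILTER))
    for finding in audit(BROKEN_MASTER_CF, WIKI_CONTENT_FILTER):
        print("FINDING:", finding)
```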
The main configuration file we will concern ourselves with for SpamAssassin is {{{/etc/spamassassin/local.cf}}}. By default, it should look something like this:\n{{{\n# This is the right place to customize your installation of SpamAssassin.\n#\n# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be\n# tweaked.\n#\n###########################################################################\n#\n# rewrite_header Subject *****SPAM*****\n# report_safe 1\n# trusted_networks 212.17.35.\n# lock_method flock\n}}}\n>If you want to see the documentation for what settings can be tweaked for SpamAssassin, {{{apt-get install perl-doc}}} and then type {{{perldoc Mail::SpamAssassin::Conf}}} for a full listing of the options for SpamAssassin.\n\nBy default, SpamAssassin ships with RBL checks enabled. Because we have discussed some of the things that are wrong with RBLs, we will want to disable them. So, we add the following to the {{{local.cf}}} file:\n{{{\nskip_rbl_checks 1\n}}}\n\nDepending on what we want to do with SpamAssassin, we may also add other lines here. See {{{perldoc Mail::SpamAssassin::Conf}}} for a full listing of options.
Spam and viral filtration is and always will be an imperfect science. In the war between mail administrators and spammers and mail administrators and virus writers (sometimes one and the same) there are always advances on both sides.\n\nRecently viruses have arisen that do not distribute themselves as email attachments and yet exploit inherent vulnerabilities in Microsoft Outlook to download the virus from remote places on the web. Additionally, spammers have begun looking at adaptive filters like Bayesian and developing countermeasures to the algorithm.\n\nThe most difficult question concerning an email gateway such as this one is “What should we do with spam/viruses once we have found them?” Should the spam or virus be bounced? Dropped? Quarantined? Tagged and sent through?\n\nIf it is a virus, chances are the email headers it includes have been forged in such a way as to disguise where it came from. Thus bouncing it will only send it back to some unsuspecting user who likely is not infected with the virus. Similarly for spam, since spam is often sent with bogus return addresses, bouncing it is not very effective and can only waste bandwidth.\n\nIt is my recommendation that all viruses be quarantined on the server for perusal and deletion at the system administrator's leisure. I also recommend either quarantining the spam or tagging it and passing it through for the mail clients to sort. This way, messages falsely identified as spam can be quickly caught and rectified while normal spam does not burden the user.\n\nThus, even though the email gateway detailed in this document is very effective, it should not be thought of as the complete solution to the spam and viral problems. A better solution would be to use a gateway such as this in conjunction with other deterrents. Not using insecure mail programs such as Microsoft Outlook is a step in the right direction. Obfuscating email addresses on web-readable documents is another.
Originally based on Sam Hart's classnotes: http://samhart.com/cgi-bin/classnotes/wiki.pl?Setting_Up_An_Anti-SPAM_Gateway\n\nRefined in the following presentations:\n* http://files.samhart.net/archive/aspam/\n* http://files.samhart.net/bmn/docs/aspam.0.9.9/\n\nMistakes and corrections (missing main.cf section) thanks to Benjamin T. Krein, http://www.superk.org/
!!DCC (http://www.dcc-servers.net/dcc/)\nDCC (or Distributed Checksum Clearinghouse) is a system of thousands of computers and servers which collect “checksums” (a computed value which can uniquely identify something, like a digital fingerprint) of mail running through their networks. They then compare checksums with each other. If a certain checksum comes up a large number of times, this means that its source message is being sent through a large number of these computers to a large number of users. Thus, it is reasonable to assume it is spam (normal mail should not turn up identically thousands of times across thousands of servers).
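The counting idea described above, as an added example that is not part of the original wiki and not DCC's own code. It is a simplification: real DCC uses its own checksum types, including fuzzy ones, while this sketch substitutes SHA-256 over a whitespace- and case-normalised body; the server names, messages and threshold are constructed.

```python
import hashlib
import re
from collections import defaultdict


def body_checksum(body):
    """Checksum of a normalised body (stand-in for DCC's real checksums).

    Collapsing whitespace and lowercasing means trivially reformatted copies
    of the same message still map to the same fingerprint.
    """
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class Clearinghouse:
    """Central counter that participating mail servers report checksums to."""

    def __init__(self, bulk_threshold):
        self.bulk_threshold = bulk_threshold
        self._counts = defaultdict(int)      # checksum -> recipients reported
        self._reporters = defaultdict(set)   # checksum -> servers that saw it

    def report(self, server, body, recipients=1):
        """Record that `server` handled this body; return the running total."""
        digest = body_checksum(body)
        self._counts[digest] += recipients
        self._reporters[digest].add(server)
        return self._counts[digest]

    def lookup(self, body):
        """What a gateway would ask before delivering a message."""
        digest = body_checksum(body)
        count = self._counts.get(digest, 0)
        return {
            "count": count,
            "servers": len(self._reporters.get(digest, ())),
            "bulk": count >= self.bulk_threshold,
        }


# Constructed traffic: (reporting server, message body, recipient count).
SAMPLE_TRAFFIC = [
    ("mx1.example.net", "Buy  CHEAP watches\nnow!", 400),
    ("mx2.example.org", "buy cheap watches now!", 350),
    ("mx3.example.com", "Buy cheap watches now!  ", 300),
    ("mx1.example.net", "Hi Bob, lunch on Friday?", 1),
]


def run_demo(threshold=1000):
    """Feed the sample traffic in and look up one bulk and one personal mail."""
    house = Clearinghouse(bulk_threshold=threshold)
    for server, body, recipients in SAMPLE_TRAFFIC:
        house.report(server, body, recipients)
    return {
        "watches": house.lookup("Buy cheap watches now!"),
        "lunch": house.lookup("Hi Bob, lunch on Friday?"),
        "unseen": house.lookup("Quarterly report attached."),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```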
[[Overview]]\n[[The_Tools]]\n[[Installation]]\n[[Configuration]]\n[[Conclusion]]
We next need a modular email filter which allows us to plug in anti-spam and anti-viral tools. The filter that best fits this need is Amavisd-new. Amavisd-new began its life as AMaViS, which was only an anti-viral scanner. However, it has evolved into a more general purpose email filtration system.\n\n!!Amavisd-new (http://www.ijs.si/software/amavisd/)\nAmavisd-new acts as an external scanner for Postfix. When Postfix obtains an item of mail, it hands this mail off to Amavisd-new for scanning. Amavisd-new performs whatever checks it is configured for, and determines whether the item of mail should be quarantined, bounced, dropped, or allowed to continue on to its destination. If the mail is to be passed through to the destination, Amavisd-new returns it back to Postfix, possibly with some additional email headers detailing what it did.\n\nAmavisd-new in and of itself does not do much by way of content filtration. Instead, it relies on external modules for performing the actual scanning of mail.
Right now, we are just using SpamAssassin and its tests for Spam filtration. We can actually go further and improve upon our spam filtration results quite easily due to the modular nature of SpamAssassin.\n\n[img[A modified Spam Filter|spam2.png]]
Installing_Postfix\nInstalling_SpamAssassin\nInstalling_ClamAV\nInstalling_Amavis
Finally, we will install the mail filtration framework that will make all these components work together.\n{{{\n# apt-get install amavisd-new\n}}}\nOnce again, you may get suggested packages for other compression utilities. Really, Amavis is where the decompression will take place in our system. Amavis will take any attachment, identify them, decompress them (if possible or necessary) and pass them on to ClamAV for evaluation. Install any other archival tools recommended by amavisd-new that you see fit.\n\nThe Amavis install should conclude with the creation of the Amavis user, group, as well as the Amavis home directory which will serve as its chroot environment:\n{{{\nAdding system user `amavis'...\nAdding new user `amavis' (105) with group `amavis'.\nHome directory `/var/lib/amavis' already exists.\nwarning: --update given but /var/run/amavis does not exist\nStarting amavisd: changed ownership of `/var/run/amavis' to amavis:amavis\namavisd-new.\n}}}
Now we will install ClamAV. ClamAV will need a number of different utilities:\n* {{{clamav-freshclam}}}: This is a daemon which will keep ClamAV up to date with the latest viral identities. An alternative is {{{clamav-getfiles}}}.\n* {{{clamav-testfiles}}}: These are a number of files which can be used to test the ClamAV system.\n* {{{arj}}}: This is the Open-Source version of the ARJ Archiver (see http://arj.sourceforge.net/) ClamAV will use this to get inside ARJ archives.\n* {{{unzoo}}}: This will allow ClamAV to manipulate .ZOO archives (see http://freshmeat.net/projects/unzoo/).\n{{{\n # apt-get install clamav clamav-freshclam clamav-testfiles arj unzoo clamav-daemon\n}}}\nDepending upon what you already have installed, ClamAV may also suggest any combination of the following. You may optionally install them as well for ClamAV to use:\n* {{{lha}}} : lzh archiver (this will have to come from Debian non-free)\n* {{{unrar}}} : Unarchiver for .rar files (this will have to come from Debian non-free)\n* {{{bzip2 & gzip}}} : These generally are standard for Linux installs. You should already have these.\n* {{{libarchive-zip-perl}}} : This allows you to deal with ZIP archives. Many viri are spread this way, so it is strongly recommended that you have this installed.\n\nClamAV may also suggest other archival tools. Install them at your discretion.\n\nYou want to be certain that the freshclam daemon begins. Be sure to watch for this line:\n{{{\nSetting up clamav-freshclam (0.87-1) ...\n * Starting ClamAV virus database updater: freshclam\n}}}\n
We will start out by installing Postfix:\n{{{\n# apt-get install postfix\n}}}\n\nDuring the install, we will be presented with a number of questions for initial configuration settings by debconf. One of the first (if not the first) questions will be about general configuration starting points. You will be presented with five options.\n{{{\n No configuration\n Internet Site\n Internet with smarthost\n Satellite system\n Local only\n}}}\nWe will select "Internet Site" as it will give us a usable base to begin with. If you have other specific needs, then one of the other options may be better for you.\n\nAfter Postfix has been installed and configured with an initial setup, we will be ready for the next component.
Next, we will install SpamAssassin, which should look something like this:\n{{{\n # apt-get install spamassassin\nReading package lists... Done\nBuilding dependency tree... Done\nThe following extra packages will be installed:\n libdigest-sha1-perl libhtml-parser-perl libhtml-tagset-perl perl perl-modules spamc\nSuggested packages:\n libterm-readline-gnu-perl libterm-readline-perl-perl libnet-smtp-perl libmail-spf-query-perl razor libnet-ident-perl libio-socket-ssl-perl libdbi-perl dcc-client pyzor\nRecommended packages:\n perl-doc libnet-dns-perl\nThe following NEW packages will be installed:\n libdigest-sha1-perl libhtml-parser-perl libhtml-tagset-perl perl perl-modules spamassassin spamc\n0 upgraded, 7 newly installed, 0 to remove and 3 not upgraded.\nNeed to get 6593kB of archives.\nAfter unpacking 26.6MB of additional disk space will be used.\n}}}\nYou will notice some suggested packages. For now, we will not be installing them. However, we will return to them later on as a discussion.\n\nNear the end of the installation output, you should see something similar to the following:\n{{{\nSetting up spamassassin (3.0.4-2) ...\nSpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin\n}}}\n\nThis is because SpamAssassin can actually be run in several ways. It can run as a daemon (spamd) or as a subcomponent of a separate system. We will be running it as a subcomponent, so we will not be touching this file. However, there are variants of our setup which could use SpamAssassin in daemon mode.
The first item that is needed is a working Mail Server. Truthfully, just about any mail server will work. However, because the spam and viral scanners are so resource intensive, it helps if the mail server is fast and efficient.\n\n!!Postfix (http://www.postfix.org/)\nThe mail server which best fits this setup is the Postfix mail server by Wietse Venema. Postfix is an alternative to the widely used Sendmail. Postfix is chosen because of its qualities:\n\n* Postfix is fast and efficient. It scales very well to very large mail sites.\n* Postfix is secure “out of the box”. Unlike Sendmail, Postfix has been designed with the modern internet in mind. Postfix can run easily in a chroot environment, has built-in SMTP authentication abilities, and does not default as an Open Relay.\n* Postfix is easy to configure with intuitive and easy to read configuration files.\n* Postfix allows for content filtration plugins.\n* Postfix is intended as a “drop in” replacement for Sendmail. This means that the users and applications need not know it's even in use.
[[Overview]]\n[[The_Tools]]\n[[Installation]]\n[[Configuration]]\n[[Conclusion]]\n\n[[Credits]]\n\n© [[Sam Hart|http://www.samhart.net]] 2005
This document will present you with a simple setup for a basic Anti-Spam/Anti-Viral Email Gateway.\n\n[[The_Spam_Problem]]\n[[The_Virus_Problem]]\n[[Traditional_Spam_Fighting_Techniques]]\n[[Traditional_Virus_Fighting_Techniques]]\n\nA_Better_Solution
!!Vipul's Razor (http://razor.sourceforge.net/)\nVipul's Razor is a distributive peer-to-peer (P2P) spam identity network. The intent of Vipul's Razor is to spread the news and description of a new item of spam as quickly as possible to all members of the P2P network.\n\nThe sequence pictured below illustrates the process: A new item of spam arrives at computer “A”, which is located far away from your computer, “Z”. “A” identifies the spam, and sends the spam description to the computers near it. Those computers spread that description to the computers near them. This process repeats and eventually the description is delivered to “Z”.\n\n[img[page14-1.png]][img[page14-2.png]][img[page14-3.png]][img[page14-4.png]]
See SPAM-bots
Any automated program that harvests email addresses (usually from crawling the web or mailing-list/newsgroup traffic).
A simple ASAV framework
A Modular Anti-Spam/Anti-Viral Email Gateway
http://svn.samhart.net/asav/docs/trunk/
See http://www.spamassassin.org/
[img[X: SA Score - Y: Frequency|scores.png]]
!!SpamAssassin (http://www.spamassassin.org/)\nFrom the SpamAssassin FAQ:\n>SpamAssassin is a mail filter to identify spam. It is an intelligent email filter which uses a diverse range of tests to identify unsolicited bulk email, more commonly known as Spam. These tests are applied to email headers and content to classify email using advanced statistical methods. In addition, SpamAssassin has a modular architecture that allows other technologies to be quickly wielded against spam and is designed for easy integration into virtually any email system.\n\nSpamAssassin performs a set of tests on each message it scans. Each test is assigned a numerical score[[10|http://www.spamassassin.org/tests.html]]. When a message passes a test, the test score is added to a total for that message. After all the tests have been run, the message will have a total score that determines how likely it is to be spam. The more negative the score, the less likely it is to be spam. The more positive the score, the more likely it is to be spam.\n\nThreshold scores are defined which are used to determine if an item is spam or not. For example, one could assign the threshold score of “5.4” which would mean all messages over a score of “5.4” will be tagged as spam and dropped, quarantined, or otherwise filtered.\n
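How a summed SpamAssassin score turns into headers and actions, as an added example that is not part of the original wiki and is not SpamAssassin or Amavis code. It serves both the scoring description above and the {{{$sa_tag_level_deflt}}} / {{{$sa_tag2_level_deflt}}} / {{{$sa_kill_level_deflt}}} settings in the Amavis configuration, using that excerpt's values (-100, 4.1, 4.1, {{{D_PASS}}}); the rule names, rule scores, per-recipient table, header wording and subject tag are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Levels from the amavisd.conf excerpt in this wiki.
DEFAULT_LEVELS = {"tag": -100.0, "tag2": 4.1, "kill": 4.1}

# Hypothetical per-recipient table, modelling the "hashref lookup table"
# option mentioned in the amavisd.conf comments.
PER_RECIPIENT = {
    "postmaster@example.com": {"tag": -100.0, "tag2": 8.0, "kill": 12.0},
}

# $final_spam_destiny from the excerpt: D_PASS still delivers the message.
FINAL_SPAM_DESTINY = "D_PASS"

# Constructed rule scores; real SpamAssassin rules and scores differ.
SAMPLE_RULE_SCORES = {
    "DEMO_ALL_CAPS_SUBJECT": 1.6,
    "DEMO_PILL_KEYWORDS": 2.9,
    "DEMO_KNOWN_SENDER": -1.5,
}


def check_levels(levels):
    """Enforce the documented relationship tag_level <= tag2_level <= kill_level."""
    if not (levels["tag"] <= levels["tag2"] <= levels["kill"]):
        raise ValueError(f"levels out of order: {levels}")
    return levels


def levels_for(recipient):
    """Per-recipient levels if present, otherwise the defaults."""
    return check_levels(PER_RECIPIENT.get(recipient.lower(), DEFAULT_LEVELS))


def total_score(hits, rule_scores):
    """Add up the score of every test that fired; unknown tests count as 0."""
    return round(sum(rule_scores.get(name, 0.0) for name in hits), 3)


@dataclass
class Verdict:
    score: float
    subject: str
    headers: dict = field(default_factory=dict)
    evasive_action: str = ""  # empty below kill_level

    @property
    def delivered(self):
        return self.evasive_action in ("", "D_PASS")


def classify(subject, hits, rule_scores, recipient):
    """Apply the three levels in order and record what each one adds."""
    levels = levels_for(recipient)
    score = total_score(hits, rule_scores)
    verdict = Verdict(score=score, subject=subject)
    flagged = score >= levels["tag2"]

    if score >= levels["tag"]:
        # tag_level: informational headers (simplified wording).
        verdict.headers["X-Spam-Status"] = (
            f"{'Yes' if flagged else 'No'}, score={score} required={levels['tag2']}"
        )
        verdict.headers["X-Spam-Level"] = "*" * max(0, int(score))
    if flagged:
        # tag2_level: spam flag and Subject edit (tag text is an assumption).
        verdict.headers["X-Spam-Flag"] = "YES"
        verdict.subject = "*****SPAM***** " + subject
    if score >= levels["kill"]:
        # kill_level: the configured final destiny applies.
        verdict.evasive_action = FINAL_SPAM_DESTINY
    return verdict


if __name__ == "__main__":
    spam_hits = ["DEMO_ALL_CAPS_SUBJECT", "DEMO_PILL_KEYWORDS"]
    ham_hits = ["DEMO_ALL_CAPS_SUBJECT", "DEMO_KNOWN_SENDER"]
    for rcpt, hits in [("user@example.com", spam_hits),
                       ("user@example.com", ham_hits),
                       ("postmaster@example.com", spam_hits)]:
        print(rcpt, classify("CHEAP PILLS", hits, SAMPLE_RULE_SCORES, rcpt))
```

With both {{{tag2}}} and {{{kill}}} at 4.1 and the destiny set to {{{D_PASS}}}, a message scoring 4.5 is flagged and still delivered, which is the "tag and pass through" behaviour the configuration section sets up.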
We have just spent a rigorous time configuring all of the components of our gateway. Before we put the system into production, we should test it out.\n\nFirst we need to restart everything (most of these applications will now need to reread their configuration files). We also want to stop amavis so we can test the system.\n{{{\n # /etc/init.d/postfix restart\n # /etc/init.d/clamav-freshclam restart\n # /etc/init.d/clamav-daemon restart\n # /etc/init.d/amavis stop\n}}}\n\nNow, we are ready to start amavis in debugging mode. Edit the following line near the end of the {{{/etc/amavis/amavisd.conf}}} file, uncomment $sa_debug to enable debugging:\n{{{\n$sa_debug = 1; # defaults to false\n}}}\n\nWe can now start Amavis in debugging mode. Run the following in a fresh terminal (or use screen):\n{{{\n # /usr/sbin/amavisd-new debug\n}}}\n\nIn the directory {{{/usr/share/doc/spamassassin/examples}}} you will find two sample files: {{{sample-spam.txt}}} and {{{sample-nonspam.txt}}}. We want to pipe these files into {{{mail}}} and observe the output from {{{amavisd-new debug}}}:\n{{{\n # cat sample-spam.txt | mail root\n # cat sample-nonspam.txt | mail root\n}}}\n\nYou should see the message get tagged in the debug display.\n\nOnce you have verified that the system works, re-comment the $sa_debug line, and restart amavis:\n{{{\n # /etc/init.d/amavis restart\n}}}
"Unsolicited Commercial Email", UCE or Spam, as we define it is any item of mail which was sent without the recipient's permission, knowledge or involvement. The traditional Postal Mail equivalent is junk mail.\n* It has been estimated that Spam costs the U.S. Economy over $10 billion and worldwide over $20 billion per year in wasted bandwidth, storage space, and employee time. [[FN1|http://www.lexisone.com/balancing/articles/n080003d.html]]\n* In surveys, it has been revealed that Spam costs the average business more than $2.5 million per year. [[FN2|http://www.bizjournals.com/account/sign_in?uri=/charlotte/stories/2003/11/17/daily16.html]]\n\n!!But why do I get SPAM?\nTraditionally, people were sent SPAM because they were promiscuous with their email addresses. They would give out their email address haphazardly and spread it in unsafe places such as mailing lists and newsgroups. Many System Administrators who have been in the game for a while still think that this is where SPAM primarily comes from, but they would be wrong.\n\n!!!Enter SPAM-bots....\nToday, the vast majority of SPAM is sent to email addresses harvested by SPAM-bots.[[FN5|http://www.cdt.org/speech/spam/030319spamreport.shtml]]\n\nA SPAM-bot is a program that spiders its way from web-page to web-page looking for email addresses. It collects all the email addresses it finds and uses them to send SPAM to. So by having your email address on a web-page, you are inviting a SPAM-bot to harvest your email.\n\nTechniques exist to obfuscate email addresses on websites to prevent SPAM-bots from being able to read them. However, any gain from such a technique is fleeting as the SPAM-bot makers can adjust readily to them. This is not to say the techniques are useless, just that they cannot be solely relied upon.\n\n!!But everyone hates Spam, why is it still so prevalent?\n\nSpam is very easy to send. Spammers can use what are known as “Open Relays” to send their Spam anonymously. 
They can also use ISP dial-up and broadband accounts to send Spam practically anonymously. They can even use certain viruses to turn any Microsoft Windows machine into a spam relay point. So the entry point for a spammer is very easy and inexpensive.\n\nFurthermore, spam is one of the more profitable technology sub-industries. Like it or not, people do buy items that are sent to them as spam. Some people even enjoy getting and reading spam.[[FN6|http://online.wsj.com/article_email/0,,SB107930537384354969-IhjgINplaR3n5ypaX2HcKqDm4,00.html]]\n\n!!Spamming is illegal, can't the spammers just be sued?\nIn some states, sending Unsolicited Commercial Email is, in fact, illegal. The problem arises in trying to first determine what is spam, and then determining who is sending the spam.\n\nOpinions differ on what is and what isn't spam. Also, since spammers can send anonymously, tracking them down can be very hard.
Mail_Server\nEmail_Filter\nSpam_Filter_Subcomponent\nVirus_Filter_Subcomponent
Computer Viruses are programs that perform some malicious function and generally are installed without the user's knowledge. Most modern computer viruses are spread via email.\n* Computer viruses such as MyDoom have been so destructive that damage estimates have been as high as $250 million per incident. [[FN3|http://www.moneymag.com/2004/01/28/technology/mydoom_costs]]\n* Due to vulnerabilities in Email clients (such as Microsoft's Outlook) viruses exist which can infect computers without the user having to do anything, even open the message. [[FN4|http://www.fool.com/News/mft/2004/mft04031904.htm]]
!!Relay Blocking: Get 'Em Where They Work!\nOne of the traditional ways of fighting spam was to block those mail servers which are “open” for spammers to relay through anonymously. Mail server administrators would gather lists of known “Open Relays” and simply drop or bounce all mail coming from these relays.\n\n!!!The problems with relay blocking\nRelay blocking has a number of problems. First, since most Open Relays are located in other countries (especially Asian and South American countries) by blocking them you are effectively walling yourself off from and discriminating against a significant portion of the world. If you are running a business, this can be very bad as any potential customers from these regions will not be able to contact you.[[FN7|http://www.wired.com/news/politics/0,1283,50455,00.html]]\n\nAdditionally, there have been situations where Relay Blocking Lists are abused and contain wrong data. There have even been times where such lists go inactive and wind up blocking the entire world.[[FN8|http://slashdot.org/articles/03/08/27/0214238.shtml?tid=111&tid=126]]\n\nCombine these with appeals and corrections, or lists being used for political purposes, and you can see why they are a poor solution.[[FN9|http://samhart.com/cgi-bin/classnotes/wiki.pl?UNIX03/Realtime_Blackhole_Lists_Are_Bad]] [[FN10|http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html]]
!!Virus Protection on the Desktop\nTraditionally, protection against viruses was the sole responsibility of desktop users. Users were expected to keep their anti-virus software up-to-date and apply all critical and security patches to their Microsoft Windows operating system.\n\n!!!Why this is an imperfect solution\nThe biggest problems with relying upon the desktop user to protect themselves (and the rest of us) from viruses stem from the fact that most desktop users are not very knowledgeable with respect to computers and technology.\n\nModern anti-virus software generally requires the user to do something to keep that software up-to-date. Norton Anti-virus ships with many computers, but comes with a limited trial offer that expires after a few months. Sophos Anti-virus generally requires the user to update their installation every month as well as install necessary critical virus identities almost daily.\n\nAdditionally, Microsoft produces several new updates and patches for their operating systems every week.
The Virus Filter is actually comprised of a number of sub-systems. Here, you could realistically have any anti-viral software on the planet that works with Amavisd-new (and there are a lot of them). However, because of the features we get, we recommend the ClamAV system.\n\n!!ClamAV (http://www.clamav.net/)\nClam Anti-Virus (or ClamAV) is an anti-viral suite consisting of a number of useful mail server tools. At present, it is not very well suited for the desktop user, who should probably be using one of the popular commercial anti-virus programs.\n\nClamAV's biggest strength is its rapidly updated and rigorously maintained viral database. There have been cases where this community driven viral database has beaten its commercial contemporaries by hours or days with respect to new viral identities.\n\nClamAV also has a daemon called “Freshclam” which keeps the local viral identities up to date.\n\nIt may also be important to add an additional repository to the APT sources.list file in order to get the latest version of ClamAV if running Debian Stable. Add the following lines to {{{/etc/apt/sources.list}}}:\n\n{{{\ndeb ftp://ftp2.de.debian.org/debian-volatile stable/volatile main\ndeb-src ftp://ftp2.de.debian.org/debian-volatile stable/volatile main\n}}}\n\nRun {{{apt-get update}}} and then either get the ClamAV packages or run {{{apt-get upgrade}}} to upgrade the already installed packages with the latest from the Debian Volatiles repository. For additional information on the Debian Volatiles repository, please see http://volatile.debian.net/.