How to make SpamAssassin run on your local e-mail machine (with Evolution in mind)

  • get and install SpamAssassin, test that it works by piping a good email and a spam email through it
  • check that fetchmail(1) works, write a .fetchmailrc file
  • check that procmail(1) works, write a .procmailrc file
  • disable the regular pop mailboxes in Evolution
  • add a new "local delivery" mailbox to Evolution
  • write a tiny script I called getmail that does fetchmail -m procmail and make sure that it gets your email from the POP3 server correctly
  • add getmail to your crontab to run every 5 minutes
  • add a filter rule to Evolution: if specific header X-Spam-Flag = YES, drop the email in my Spam folder

.fetchmailrc:

poll mail.myisp.co.nz protocol POP3
      user "pop3user" password "secret" is user "localuser" here mda "/usr/bin/procmail";

.procmailrc:

# correct incoming messages for programs like Evolution and mail
:0 fhw
| formail -I "From " -a "From "

:0fw
| spamassassin

~/bin/getmail:

#!/bin/bash
/usr/bin/fetchmail >> ~/log/fetchmail

crontab:

*/5 * * * * /home/localuser/bin/getmail
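
A smoke test for the first step of the list (piping a good and a spam email through SpamAssassin), checking the same X-Spam-Flag header the Evolution filter rule keys on. This is an added example, not part of the original page; the function names, addresses and sample messages are constructed, and the spam sample relies on the standard GTUBE test string.

```shell
#!/bin/bash
# Added example: smoke test for SpamAssassin tagging.

# Print the value of the first X-Spam-Flag header on stdin. Only the header
# section (everything before the first blank line) is examined, so a body
# line that merely looks like the header is ignored.
spam_flag() {
    awk 'body { next }
         /^\r?$/ { body = 1; next }
         !seen && tolower($0) ~ /^x-spam-flag:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]*$/, "")
             print; seen = 1
         }'
}

# Constructed spam sample: the body is the GTUBE test string, which
# SpamAssassin scores as spam by design.
gtube_message() {
    printf '%s\n' 'From: sender@example.com' 'To: localuser@example.com' \
        'Subject: GTUBE test' '' \
        'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
}

# Constructed good sample; its body contains a fake flag line on purpose.
ham_message() {
    printf '%s\n' 'From: friend@example.com' 'To: localuser@example.com' \
        "Date: $(date -R)" 'Message-ID: <constructed-1@example.com>' \
        'Subject: Lunch on Friday?' '' \
        'Are you free at noon?' 'X-Spam-Flag: YES'
}

# Pipe both samples through spamassassin, as in the first step of the list.
smoke_test() {
    [ "$(gtube_message | spamassassin | spam_flag)" = "YES" ] || return 1
    [ -z "$(ham_message | spamassassin | spam_flag)" ] || return 1
}

# Only run the live check where spamassassin is installed.
if command -v spamassassin >/dev/null 2>&1; then
    smoke_test && echo "tagging works" || echo "tagging FAILED"
fi
```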

SpamAssassin's ClamAV Plugin

This plugin submits the entire email to a locally running ClamAV server for virus detection. If a virus is found, it returns a positive return code to indicate spam and sets the header X-Spam-Virus: Yes ($virusname). If you'd like to sort virus emails to a separate folder, create a rule looking for this header.

This isn't necessarily the best way to run ClamAV; for example, your mail transfer agent (MTA), if it has a method to call SpamAssassin, probably has a method to call ClamAV too.

It requires

To install, create the files in /etc/mail/spamassassin/. You can adjust the default score of 10 in clamav.cf if you like. Restart the spamd daemon if you're using that, and you should be all set.

clamav.cf:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10

clamav.pm:

package ClamAV;
use strict;
use warnings;

use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use File::Scan::ClamAV;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ( $class, $mailsa ) = @_;
    my $self = $class->SUPER::new( $mailsa );
    bless( $self, $class );
    $self->register_eval_rule( "check_clamav" );
    return $self;
}

# Make SpamAssassin add the header X-Spam-Virus: <value> to every scanned
# message, whether it is classified as spam or ham.
sub _set_header {
    my ( $msgstatus, $header ) = @_;
    $msgstatus->{ main }->{ conf }->{ $_ }->{ "Virus" } = $header
        for qw( headers_spam headers_ham );
}

# Eval rule: stream the full message to clamd on port 3310 and return 1
# (rule hit) only when a virus is found.
sub check_clamav {
    my ( $self, $permsgstatus, $fulltext ) = @_;
    my $clamav = File::Scan::ClamAV->new( port => 3310 );
    my ( $code, $virus ) = $clamav->streamscan( ${ $fulltext } );
    if ( !$code ) {
        # Scan failed (for example clamd is not reachable). The rule does not
        # fire, so the message passes unscanned with X-Spam-Virus: Error (...).
        my $errstr = $clamav->errstr();
        Mail::SpamAssassin::Plugin::dbg( "ClamAV: Error scanning: $errstr" );
        _set_header( $permsgstatus, "Error ($errstr)" );
    }
    elsif ( $code eq 'OK' ) {
        Mail::SpamAssassin::Plugin::dbg( "ClamAV: No virus detected" );
        _set_header( $permsgstatus, "No" );
    }
    elsif ( $code eq 'FOUND' ) {
        # Virus found: name it in the header and let the CLAMAV rule score.
        Mail::SpamAssassin::Plugin::dbg( "ClamAV: Detected virus: $virus" );
        _set_header( $permsgstatus, "Yes ($virus)" );
        return 1;
    }
    else {
        Mail::SpamAssassin::Plugin::dbg( "ClamAV: Error, unknown return code: $code" );
        _set_header( $permsgstatus, "Error (Unknown return code from ClamAV: $code)" );
    }
    return;
}
1;

Inappropriate ioctl for device in your debug logs under Sarge/Hoary

debug: using "/root/.spamassassin" for user state dir
debug: lock: 29656 created /root/.spamassassin/auto-whitelist.lock.firewall.itpartners.co.nz.29656
debug: lock: 29656 trying to get lock on /root/.spamassassin/auto-whitelist with 0 retries
debug: lock: 29656 link to /root/.spamassassin/auto-whitelist.lock: link ok
debug: Tie-ing to DB file R/W in /root/.spamassassin/auto-whitelist
debug: unlock: 29656 unlink /root/.spamassassin/auto-whitelist.lock
debug: open of AWL file failed: Cannot open auto_whitelist_path /root/.spamassassin/auto-whitelist: Inappropriate ioctl for device

You're using old format database files.

The Perl version change brought with it a change of the BDB version being used. The bayes_seen and bayes_toks files are BDB files and can be fixed by running db4.x_upgrade on them. Sarge/Hoary use Berkeley DB 4.2, and you can install the db4.2-util package.

I'm running spamassassin from my MTA, and I get the error spam acl condition: cannot parse spamd output or similar.

This occurs if you have upgraded perl and not restarted spamd. Try restarting spamd and see if it solves the problem. It could also be a version mismatch, in which case you'll have to upgrade whichever process is calling spamassassin.

I'm running spamassassin on Debian and get this error Cannot open bayes databases /home/jimbobdobalina/.spamassassin/bayes_* R/O: tie failed: (or similar)

Fix:

apt-get install db4.3-util

Go to where your Bayes DBs lie.

db4.3_upgrade bayes_seen
db4.3_upgrade bayes_toks

Restart spamassassin, and voila!

Web based spam management

Maia Mailguard is a web-based interface and quarantine management system for amavisd-new, which allows users to manage their own spam. It has all the pitfalls of amavis, but might suit your needs.

Making Razor go

Is Razor running?

Uncomment it in /etc/spamassassin/v310.pre and you're effectively away. If you want to be able to submit, you have to create an account.

Making DCC go

Is DCC running? Have you uncommented it in /etc/spamassassin/v310.pre?

# spamassassin -t -D < /tmp/spam
<snip>
[8407] dbg: dcc: dccifd is not available: no r/w dccifd socket found
[8407] dbg: dcc: check timed out after 5 seconds

On a default Ubuntu/Debian installation, SA probably can't find the dccifd socket. Add to /etc/spamassassin/local.cf:

# Enable DCC
use_dcc                 1
dcc_home                /var/lib/dcc

Making Pyzor go

Is Pyzor running? Have you uncommented it in /etc/spamassassin/v310.pre?

# spamassassin -t -D < /tmp/spam
<snip>
[8615] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[8615] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[8615] dbg: info: entering helper-app run mode
[8615] dbg: pyzor: opening pipe: /usr/bin/pyzor  check < /tmp/.spamassassin8615OvQ1ymtmp
[8617] dbg: util: setuid: ruid=0 euid=0
[8615] dbg: pyzor: killed stale helper [8617]
[8615] dbg: pyzor: [8617] terminated:  exit=0x000f
[8615] dbg: info: leaving helper-app run mode
[8615] dbg: pyzor: check timed out after 5 seconds

The old Pyzor server has disappeared. Locate .pyzor/servers (systemwide on Debian/Ubuntu, it's under /root/.pyzor/servers) and replace the contents with 82.94.255.100:24441. Don't run pyzor discover again, as it will overwrite the contents with the broken server. (Thanks to this Nabble post for the answer)
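
A network check that times out adds nothing to the score, so a broken DCC or Pyzor setup degrades filtering without any visible error. The following added example (not part of the original page) summarises those failures from `spamassassin -D` output, using the debug lines quoted in the DCC and Pyzor sections as constructed sample input. The function names are made up, and matching any check name of the same log shape is an assumption that goes beyond the two checks shown.

```shell
#!/bin/bash
# Added example: triage of `spamassassin -D` debug output.

# Constructed sample: the dbg lines quoted in the DCC and Pyzor sections.
sample_debug_output() {
    cat <<'EOF'
[8407] dbg: dcc: dccifd is not available: no r/w dccifd socket found
[8407] dbg: dcc: check timed out after 5 seconds
[8615] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[8615] dbg: pyzor: killed stale helper [8617]
[8615] dbg: pyzor: check timed out after 5 seconds
EOF
}

# Read debug output on stdin and print "<check> <problem>" once for each
# distinct failure. "is available" lines are healthy and produce nothing.
netcheck_failures() {
    sed -n \
        -e 's/^\[[0-9]*\] dbg: \([a-z0-9]*\): .* is not available.*/\1 unavailable/p' \
        -e 's/^\[[0-9]*\] dbg: \([a-z0-9]*\): check timed out.*/\1 timeout/p' \
        -e 's/^\[[0-9]*\] dbg: \([a-z0-9]*\): killed stale helper.*/\1 stale-helper/p' \
        | LC_ALL=C sort -u
}

# Succeed only when no network check failed, for use in a cron health check.
netchecks_ok() {
    [ -z "$(netcheck_failures)" ]
}

# Against a live install (debug output goes to stderr, hence 2>&1):
#   spamassassin -t -D < /tmp/spam 2>&1 | netcheck_failures
sample_debug_output | netcheck_failures
```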

Graphing your SA scores

Thanks to Tom from ItPartners for this cool script. Requires gnuplot. Graphs your spam scores.

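#!/bin/bash

# Generate a graph of SpamAssassin spam score frequencies.
# Needs gnuplot.

LOGFILES=/var/log/mail.log*

# Keep the scores in a private temporary file: a fixed name in /tmp could be
# pre-created or symlinked by another local user.
SCOREFILE=$(mktemp) || exit 1
trap 'rm -f "$SCOREFILE"' EXIT
# The image still goes to a fixed path; on a multi-user machine, point this
# at a directory only you can write to.
IMAGEFILE=/tmp/spamplot.gif

# Field 9 of each matching log line is expected to look like
# "(score/threshold)"; keep the score and write it as "score 1".
# $LOGFILES is deliberately unquoted so that the glob expands.
zgrep -E "identified spam|clean message" $LOGFILES \
    | awk '{print $9}' | cut -d "/" -f 1 | cut -d '(' -f 2 \
    | while read -r score
do
    echo "$score 1"
done > "$SCOREFILE"

gnuplot <<EOF
set term gif
set output "$IMAGEFILE"
plot "$SCOREFILE" smooth frequency
EOF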

Systemwide filtering

SpamAssassin is normally supposed to be invoked on a per-user basis, perhaps via a procmail(1) rule, or directly in a .forward entry, that kind of thing. However, it is possible to filter all users' e-mail on a systemwide basis. The procedure for doing this with Postfix is described here.

SUSE notes

Under SuSE, spamd is configured by default not to apply any rules that require Internet access (like accessing Pyzor, blocklists etc). To fix this, edit /etc/sysconfig/spamd. Look for the line

  SPAMD_ARGS="-d -c -L"

and remove the "-L" switch.

