2012-04-29 10:35:59 +02:00
|
|
|
#!perl -w
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
dspam - dspam integration for qpsmtpd
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
qpsmtpd plugin that uses dspam to classify messages. Can use SpamAssassin to
|
2012-04-20 07:42:04 +02:00
|
|
|
train dspam.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
Adds the X-DSPAM-Result and X-DSPAM-Signature headers to messages. The latter is essential for
|
2012-04-20 07:42:04 +02:00
|
|
|
training dspam and the former is useful to MDAs, MUAs, and humans.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
Adds a transaction note to the qpsmtpd transaction. The notes is a hashref
|
|
|
|
with at least the 'class' field (Spam,Innocent,Whitelisted). It will normally
|
|
|
|
contain a probability and confidence ratings as well.
|
|
|
|
|
2012-04-20 07:42:04 +02:00
|
|
|
=head1 TRAINING DSPAM
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
Do not just enable dspam! Its false positive rate when untrained is high. The
|
|
|
|
good news is; dspam learns very, very fast.
|
|
|
|
|
2012-04-20 07:42:04 +02:00
|
|
|
To get dspam into a useful state, it must be trained. The best method way to
|
|
|
|
train dspam is to feed it two large equal sized corpuses of spam and ham from
|
2012-05-06 04:58:49 +02:00
|
|
|
your mail server. The dspam authors suggest avoiding public corpuses. I train
|
|
|
|
dspam as follows:
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item learn from SpamAssassin
|
|
|
|
|
|
|
|
See the docs on the learn_from_sa feature in the CONFIG section.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=item periodic training
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
I have a script that searches the contents of every users maildir. Any read
|
|
|
|
messages that have changed since the last processing run are learned as ham
|
|
|
|
or spam.
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
The ham message list consists of read messages in any folder not named like
|
2012-05-06 04:58:49 +02:00
|
|
|
Spam, Junk, Trash, or Deleted. This catches messages that users have read
|
|
|
|
and left in their inbox or filed away into subfolders.
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=item on-the-fly training
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
The dovecot IMAP server has an antispam plugin that will train dspam when
|
|
|
|
messages are moved to/from the Spam folder.
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=back
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=head1 CONFIG
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=head2 dspam_bin
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
The path to the dspam binary. If yours is installed somewhere other
|
2012-04-20 07:42:04 +02:00
|
|
|
than /usr/local/bin/dspam, you'll need to set this.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=head2 learn_from_sa
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
Dspam can be trained by SpamAssassin. This relationship between them requires
|
|
|
|
attention to several important details:
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item 1
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
dspam must be listed B<after> spamassassin in the config/plugins file.
|
2012-04-20 07:42:04 +02:00
|
|
|
Because SA runs first, I crank the SA reject_threshold up above 100 so that
|
|
|
|
all spam messages will be used to train dspam.
|
|
|
|
|
|
|
|
Once dspam is trained and errors are rare, I plan to run dspam first and
|
|
|
|
reduce the SA load.
|
|
|
|
|
|
|
|
=item 2
|
|
|
|
|
|
|
|
Autolearn must be enabled and configured in SpamAssassin. SA autolearn
|
|
|
|
preferences will determine whether a message is learned as spam or innocent
|
2012-05-06 04:58:49 +02:00
|
|
|
by dspam. The settings to pay careful attention to in your SA local.cf file
|
2012-04-20 07:42:04 +02:00
|
|
|
are bayes_auto_learn_threshold_spam and bayes_auto_learn_threshold_nonspam.
|
2012-05-06 04:58:49 +02:00
|
|
|
Make sure they are both set to conservative values that are certain to
|
2012-04-20 07:42:04 +02:00
|
|
|
yield no false positives.
|
|
|
|
|
|
|
|
If you are using learn_from_sa and reject, then messages that exceed the SA
|
|
|
|
threshholds will cause dspam to reject them. Again I say, make sure them SA
|
|
|
|
autolearn threshholds are set high enough to avoid false positives.
|
|
|
|
|
|
|
|
=item 3
|
|
|
|
|
|
|
|
dspam must be configured and working properly. I have modified the following
|
2012-05-06 04:58:49 +02:00
|
|
|
dspam values on my system:
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item mysql storage
|
|
|
|
|
|
|
|
=item Trust smtpd
|
|
|
|
|
|
|
|
=item TrainingMode tum
|
|
|
|
|
|
|
|
=item Tokenizer osb
|
|
|
|
|
|
|
|
=item Preference "trainingMode=TOE"
|
|
|
|
|
|
|
|
=item Preference "spamAction=deliver"
|
|
|
|
|
|
|
|
=item Preference "signatureLocation=headers"
|
|
|
|
|
|
|
|
=item TrainPristine off
|
|
|
|
|
|
|
|
=item ParseToHeaders off
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
Of those changes, the most important is the signature location. This plugin
|
|
|
|
only supports storing the signature in the headers. If you want to train dspam
|
|
|
|
after delivery (ie, users moving messages to/from spam folders), then the
|
|
|
|
dspam signature must be in the headers.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
When using the dspam MySQL backend, use InnoDB tables. Dspam training
|
|
|
|
is dramatically slowed by MyISAM table locks and dspam requires lots
|
|
|
|
of training. InnoDB has row level locking and updates are much faster.
|
|
|
|
|
2012-04-20 07:42:04 +02:00
|
|
|
=back
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=head2 reject
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
Set to a floating point value between 0 and 1.00 where 0 is no confidence
|
|
|
|
and 1.0 is 100% confidence.
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
If dspam's confidence is greater than or equal to this threshold, the
|
|
|
|
message will be rejected. The default is 1.00.
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=head2 reject_type
|
|
|
|
|
|
|
|
reject_type [ temp | perm ]
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
By default, rejects are permanent (5xx). Set this to temp if you want to
|
|
|
|
defer mail instead of rejecting it with dspam.
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
=head1 MULTIPLE RECIPIENT BEHAVIOR
|
|
|
|
|
|
|
|
For messages with multiple recipients, the user that dspam is running as will
|
|
|
|
be the dspam username.
|
|
|
|
|
|
|
|
When messages have a single recipient, the recipient address is used as the
|
|
|
|
dspam username. For dspam to trust qpsmtpd with modifying the username, you
|
|
|
|
B<must> add the username that qpsmtpd is running to to the dspamd.conf file.
|
|
|
|
|
|
|
|
ie, (Trust smtpd).
|
|
|
|
|
|
|
|
=head1 CHANGES
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
Matt Simerson - 2012
|
|
|
|
|
2012-04-20 07:42:04 +02:00
|
|
|
=cut
|
|
|
|
|
|
|
|
use strict;
|
2012-05-06 04:58:49 +02:00
|
|
|
use warnings;
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
use Qpsmtpd::Constants;
|
|
|
|
use Qpsmtpd::DSN;
|
|
|
|
use IO::Handle;
|
|
|
|
use Socket qw(:DEFAULT :crlf);
|
|
|
|
|
|
|
|
sub register {
|
2012-05-06 04:58:49 +02:00
|
|
|
my ($self, $qp, %args) = @_;
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
$self->log(LOGERROR, "Bad parameters for the dspam plugin") if @_ % 2;
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->{_args} = { %args };
|
|
|
|
$self->{_args}{reject} = defined $args{reject} ? $args{reject} : 1;
|
|
|
|
$self->{_args}{reject_type} = $args{reject_type} || 'perm';
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->register_hook('data_post', 'dspam_reject');
|
2012-04-20 07:42:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
sub hook_data_post {
|
|
|
|
my ($self, $transaction) = @_;
|
|
|
|
|
|
|
|
$self->log(LOGDEBUG, "check_dspam");
|
2012-05-06 04:58:49 +02:00
|
|
|
if ( $transaction->data_size > 500_000 ) {
|
|
|
|
$self->log(LOGINFO, "skip: message too large (" . $transaction->data_size . ")" );
|
|
|
|
return (DECLINED);
|
|
|
|
};
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
my $username = $self->select_username( $transaction );
|
|
|
|
my $message = $self->assemble_message($transaction);
|
|
|
|
my $filtercmd = $self->get_filter_cmd( $transaction, $username );
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->log(LOGDEBUG, $filtercmd);
|
2012-04-20 07:42:04 +02:00
|
|
|
|
|
|
|
my $response = $self->dspam_process( $filtercmd, $message );
|
|
|
|
if ( ! $response ) {
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->log(LOGWARN, "skip: no response from dspam. Check logs for errors.");
|
2012-04-20 07:42:04 +02:00
|
|
|
return (DECLINED);
|
|
|
|
};
|
|
|
|
|
|
|
|
# X-DSPAM-Result: user@example.com; result="Spam"; class="Spam"; probability=1.0000; confidence=1.00; signature=N/A
|
|
|
|
# X-DSPAM-Result: smtpd; result="Innocent"; class="Innocent"; probability=0.0023; confidence=1.00; signature=4f8dae6a446008399211546
|
|
|
|
my ($result,$prob,$conf,$sig) = $response =~ /result=\"(Spam|Innocent)\";.*?probability=([\d\.]+); confidence=([\d\.]+); signature=(.*)/;
|
|
|
|
my $header_str = "$result, probability=$prob, confidence=$conf";
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->log(LOGDEBUG, $header_str);
|
|
|
|
$transaction->header->replace('X-DSPAM-Result', $header_str, 0);
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
# the signature header is required if you intend to train dspam later.
|
|
|
|
# In dspam.conf, set: Preference "signatureLocation=headers"
|
2012-04-20 07:42:04 +02:00
|
|
|
$transaction->header->add('X-DSPAM-Signature', $sig, 0);
|
|
|
|
|
|
|
|
return (DECLINED);
|
|
|
|
};
|
|
|
|
|
|
|
|
sub select_username {
|
|
|
|
my ($self, $transaction) = @_;
|
|
|
|
|
|
|
|
my $recipient_count = scalar $transaction->recipients;
|
|
|
|
$self->log(LOGDEBUG, "Message has $recipient_count recipients");
|
|
|
|
|
|
|
|
if ( $recipient_count > 1 ) {
|
|
|
|
$self->log(LOGINFO, "skipping user prefs, $recipient_count recipients detected.");
|
|
|
|
return getpwuid($>);
|
|
|
|
};
|
|
|
|
|
|
|
|
# use the recipients email address as username. This enables user prefs
|
|
|
|
my $username = ($transaction->recipients)[0]->address;
|
|
|
|
return lc($username);
|
|
|
|
};
|
|
|
|
|
|
|
|
sub assemble_message {
|
|
|
|
my ($self, $transaction) = @_;
|
|
|
|
|
|
|
|
$transaction->body_resetpos;
|
|
|
|
|
|
|
|
my $message = "X-Envelope-From: "
|
|
|
|
. $transaction->sender->format . "\n"
|
|
|
|
. $transaction->header->as_string . "\n\n";
|
|
|
|
|
|
|
|
while (my $line = $transaction->body_getline) { $message .= $line; };
|
|
|
|
|
|
|
|
$message = join(CRLF, split/\n/, $message);
|
|
|
|
return $message . CRLF;
|
|
|
|
};
|
|
|
|
|
|
|
|
sub dspam_process {
|
|
|
|
my ( $self, $filtercmd, $message ) = @_;
|
|
|
|
|
|
|
|
#return $self->dspam_process_open2( $filtercmd, $message );
|
|
|
|
|
|
|
|
my ($in_fh, $out_fh);
|
2012-05-06 04:58:49 +02:00
|
|
|
if (! open($in_fh, '-|')) {
|
2012-04-20 07:42:04 +02:00
|
|
|
open($out_fh, "|$filtercmd") or die "Can't run $filtercmd: $!\n";
|
|
|
|
print $out_fh $message;
|
|
|
|
close $out_fh;
|
|
|
|
exit(0);
|
|
|
|
};
|
2012-05-06 04:58:49 +02:00
|
|
|
#my $response = join('', <$in_fh>);
|
|
|
|
my $response = <$in_fh>;
|
2012-04-20 07:42:04 +02:00
|
|
|
close $in_fh;
|
|
|
|
chomp $response;
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->log(LOGDEBUG, $response);
|
2012-04-20 07:42:04 +02:00
|
|
|
return $response;
|
|
|
|
};
|
|
|
|
|
|
|
|
sub dspam_process_open2 {
|
|
|
|
my ( $self, $filtercmd, $message ) = @_;
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
# not sure why, but this is not as reliable as I'd like. What's a dspam
|
2012-04-20 07:42:04 +02:00
|
|
|
# error -5 mean anyway?
|
|
|
|
use FileHandle;
|
|
|
|
use IPC::Open2;
|
|
|
|
my ($dspam_in, $dspam_out);
|
|
|
|
my $pid = open2($dspam_out, $dspam_in, $filtercmd);
|
|
|
|
print $dspam_in $message;
|
|
|
|
close $dspam_in;
|
2012-05-06 04:58:49 +02:00
|
|
|
#my $response = join('', <$dspam_out>); # get full response
|
|
|
|
my $response = <$dspam_out>; # get first line only
|
2012-04-20 07:42:04 +02:00
|
|
|
waitpid $pid, 0;
|
|
|
|
chomp $response;
|
2012-05-06 04:58:49 +02:00
|
|
|
$self->log(LOGDEBUG, $response);
|
2012-04-20 07:42:04 +02:00
|
|
|
return $response;
|
|
|
|
};
|
|
|
|
|
|
|
|
sub dspam_reject {
|
|
|
|
my ($self, $transaction) = @_;
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
my $d = $self->get_dspam_results( $transaction ) or return;
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
if ( ! $d->{class} ) {
|
|
|
|
$self->log(LOGWARN, "skip: no dspam class detected");
|
|
|
|
return DECLINED;
|
2012-04-20 07:42:04 +02:00
|
|
|
};
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
my $status = "$d->{class}, $d->{confidence} c.";
|
|
|
|
my $reject = $self->{_args}{reject} or do {
|
|
|
|
$self->log(LOGINFO, "skip: reject disabled ($status)");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
if ( $reject eq 'agree' ) {
|
|
|
|
return $self->dspam_reject_agree( $transaction, $d );
|
|
|
|
};
|
|
|
|
if ( $d->{class} eq 'Innocent' ) {
|
|
|
|
$self->log(LOGINFO, "pass: $status");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
|
|
|
if ( $self->qp->connection->relay_client ) {
|
|
|
|
$self->log(LOGINFO, "skip: allowing spam, user authenticated ($status)");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
|
|
|
if ( $d->{probability} <= $reject ) {
|
|
|
|
$self->log(LOGINFO, "pass, $d->{class} probability is too low ($d->{probability} < $reject)");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
|
|
|
if ( $d->{confidence} != 1 ) {
|
|
|
|
$self->log(LOGINFO, "pass: $d->{class} confidence is too low ($d->{confidence})");
|
|
|
|
return DECLINED;
|
2012-04-20 07:42:04 +02:00
|
|
|
};
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
# dspam is more than $reject percent sure this message is spam
|
|
|
|
$self->log(LOGINFO, "fail: $d->{class}, ($d->{confidence} confident)");
|
|
|
|
my $deny = $self->{_args}{reject_type} eq 'temp' ? DENYSOFT : DENY;
|
|
|
|
return Qpsmtpd::DSN->media_unsupported($deny,'dspam says, no spam please');
|
2012-04-20 07:42:04 +02:00
|
|
|
}
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
sub dspam_reject_agree {
|
|
|
|
my ($self, $transaction, $d ) = @_;
|
|
|
|
|
|
|
|
my $sa = $transaction->notes('spamassassin' );
|
|
|
|
|
|
|
|
my $status = "$d->{class}, $d->{confidence} c";
|
|
|
|
|
|
|
|
if ( ! $sa->{is_spam} ) {
|
|
|
|
$self->log(LOGINFO, "pass: cannot agree, SA results missing ($status)");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
|
|
|
|
|
|
|
if ( $d->{class} eq 'Spam' && $sa->{is_spam} eq 'Yes' ) {
|
|
|
|
$self->log(LOGINFO, "fail: agree, $status");
|
|
|
|
return Qpsmtpd::DSN->media_unsupported(DENY,'we agree, no spam please');
|
|
|
|
};
|
|
|
|
|
|
|
|
$self->log(LOGINFO, "pass: agree, $status");
|
|
|
|
return DECLINED;
|
|
|
|
};
|
|
|
|
|
|
|
|
sub get_dspam_results {
|
|
|
|
my ( $self, $transaction ) = @_;
|
|
|
|
|
|
|
|
if ( $transaction->notes('dspam') ) {
|
|
|
|
return $transaction->notes('dspam');
|
|
|
|
};
|
|
|
|
|
|
|
|
my $string = $transaction->header->get('X-DSPAM-Result') or do {
|
|
|
|
$self->log(LOGWARN, "get_dspam_results: failed to find the header");
|
|
|
|
return;
|
|
|
|
};
|
|
|
|
|
|
|
|
my @bits = split(/,\s+/, $string); chomp @bits;
|
|
|
|
my $class = shift @bits;
|
|
|
|
my %d;
|
|
|
|
foreach (@bits) {
|
|
|
|
my ($key,$val) = split(/=/, $_);
|
|
|
|
$d{$key} = $val;
|
|
|
|
};
|
|
|
|
$d{class} = $class;
|
|
|
|
|
|
|
|
my $message = $d{class};
|
|
|
|
if ( defined $d{probability} && defined $d{confidence} ) {
|
|
|
|
$message .= ", prob: $d{probability}, conf: $d{confidence}";
|
|
|
|
};
|
|
|
|
$self->log(LOGDEBUG, $message);
|
|
|
|
$transaction->notes('dspam', \%d);
|
|
|
|
return \%d;
|
|
|
|
};
|
|
|
|
|
2012-04-20 07:42:04 +02:00
|
|
|
sub get_filter_cmd {
|
|
|
|
my ($self, $transaction, $user) = @_;
|
|
|
|
|
|
|
|
my $dspam_bin = $self->{_args}->{dspam_bin} || '/usr/local/bin/dspam';
|
|
|
|
my $default = "$dspam_bin --user $user --mode=tum --process --deliver=summary --stdout";
|
|
|
|
my $min_score = $self->{_args}->{learn_from_sa} or return $default;
|
|
|
|
|
|
|
|
#$self->log(LOGDEBUG, "attempting to learn from SA");
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
my $sa = $transaction->notes('spamassassin' );
|
|
|
|
return $default if ! $sa || ! $sa->{is_spam};
|
2012-04-20 07:42:04 +02:00
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
if ( $sa->{is_spam} eq 'Yes' && $sa->{score} < $min_score ) {
|
|
|
|
$self->log(LOGNOTICE, "SA score $sa->{score} < $min_score, skip autolearn");
|
2012-04-20 07:42:04 +02:00
|
|
|
return $default;
|
|
|
|
};
|
|
|
|
|
2012-05-06 04:58:49 +02:00
|
|
|
if ( $sa->{is_spam} eq 'Yes' && $sa->{autolearn} eq 'spam' ) {
|
2012-04-20 07:42:04 +02:00
|
|
|
return "$dspam_bin --user $user --mode=tum --source=corpus --class=spam --deliver=summary --stdout";
|
|
|
|
}
|
2012-05-06 04:58:49 +02:00
|
|
|
elsif ( $sa->{is_spam} eq 'No' && $sa->{autolearn} eq 'ham' ) {
|
2012-04-20 07:42:04 +02:00
|
|
|
return "$dspam_bin --user $user --mode=tum --source=corpus --class=innocent --deliver=summary --stdout";
|
|
|
|
};
|
|
|
|
|
|
|
|
return $default;
|
|
|
|
};
|
|
|
|
|
|
|
|
|