Thursday, April 29, 2010

Spam Control using badip control file

IndiMail has many methods to help deal with spam. For detecting spam, IndiMail uses bogofilter a fast bayesian spam filter. IndiMail's qmail-smtpd which provides SMTP protocol is neatly integrated with bogofilter. When bogofilter detects spam, qmail-smtpd prints the X-Bogosity header as part of SMTP transaction log
% grep "X-Bogosity, Yes" /var/log/svc/smtpd.25/current
@400000004bc8183f01fcbc54 qmail-smtpd: pid 16158 from ::ffff:88.191.35.203 HELO X-Bogosity: Yes, spamicity=0.999616, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=6cs66604wfk,


The value "Yes" in X-Bogosity indicates spam. You can tell qmail-smtpd to reject such mails at SMTP just by doing
# echo 1 > /service/qmail-smtpd.25/variables/REJECTSPAM
# svc -
d /service/qmail-smtpd.25
# svc -
u /service/qmail-smtpd.25


SMTP clients which tries to send a spam mail will get the following error at the end of the SMTP transaction
554 SPAM or junk mail threshold exceeded (#5.7.1)
The mail will get bounced. In some cases you would want to issue temporary error to such clients. In the above SMTP transaction log, the IP address of the client was 88.191.35.203. To put such client's into IndiMail's SPAM blacklist, you just need to put the IP address in the control file /etc/indimail/control/badip
# echo 88.191.35.203 >> /etc/indimail/control/badip


For turning on the BADIP functionality, you need to set the BADIPCHECK or the BADIP environment variable. i.e.
# echo badip > /service/qmail-smtpd.25/variables/BADIP
# svc -d /service/qmail-smtpd.25
# svc -u /service/qmail-smtpd.25

Clients whose IP match an entry in badip will be greeted as below
421 indimail.org sorry, your IP (::ffff:88.191.35.203) is temporarily denied (#4.7.1)
Also the client will not be able to carry out any SMTP transactions like ehlo, MAIL FROM, RCPT TO, etc
A large ISP can run the following command every day once in cron
grep "X-Bogosity, Yes" /var/log/svc/qmail.smtpd.25/current > /etc/indimail/control/badip


If your badip files becomes very large, you can also take advantage of IndiMail's ability to use cdb (or you could use MySQL too)

% sudo /usr/bin/qmail-cdb badip



3 comments:

Mark said...

Reviews says that Indimail spam blacklist service was really 5 star in terms of catching spam in emails. Thanks for the nice review.


Regards,
Mark
Spam Blacklist

Chetanneo said...

I am little confuse in following 2 commands

1. echo 88.191.35.203 >> /var/indimail/control/badip

This is entering only single IP in badip control file

2. grep "X-Bogosity: Yes" /var/log/indimail/smtpd.25/current >> /var/indimail/control/badip

and this enters complete line which I grep as following.

"@400000004d40f76f31149534 qmail-smtpd: pid 22177 from ::ffff:98.139.91.224 HELO MAIL from RCPT AUTH Size: 5257 X-Bogosity: Yes, spamicity=0.999914, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=UNKNOWN, msgID=<429025.78852.qm@web80009.mail.sp1.yahoo.com>, ipaddr=98.139.91.61"

Which one is right method
1. entering only IP per line in badip control file
or
2. all data which I did grep

Regards
Chetan

Cprogrammer said...

You should have just IP addreses in each line of badip control file.

The grep command is just to help you find lines in the logfile which are spam. You need to extract the IP from the line yourself by using awk command

IndiMail Queue Mechanism

Indimail has the ability of configuring multiple local and remote queues. A queue is a location on your hard disk where email are deposited ...