Porn msg identification?

Kevin Spicer kevins at BMRB.CO.UK
Wed Apr 16 21:25:02 IST 2003


> I'm not sure I trust SA enough to delete messages based on a single
> SpamCheck code, but if I could give MS a list of codes that would be
> checked after messages had hit my Spam threshold, I would be just
> delighted. I.e., if the message is already declared spam, delete rather
> than re-subject if any of my list of PornCheck codes is present.

I tried something similar a while ago, just as an experiment with custom
functions.  The principal difference was that I decided to try and
differentiate hoaxes from ordinary spams.  I think I got it working (but
I'm not 100% sure - I never got it into production because the number of
SA rules which suggest hoaxes didn't seem high enough to make it
reliable).  I've attached my _untested_ code in case it's any use to
you.  DON'T USE IT IN PRODUCTION WITHOUT SERIOUS TESTING!!!

Here's a brief explanation of what I did...
My approach was to create a file (/etc/MailScanner/sahoaxrules.list)
which contained lines of the form
SA_rule_name<TAB>score
(I think the score might have needed to be an integer - so you can't
just copy the SA scores)
A CustomConfig function splits the SA header into rule names that have
been matched and then checks each against those in sahoaxrules.list -
where a match occurs the score is added up, and if a threshold (2 -
hardcoded in - you should probably change this) is exceeded it returns
{HOAX??}, otherwise it returns {SPAM??}.

Then, in MailScanner.conf you specify

Spam Subject Text = &HoaxCheck

(or whatever you name it - you'll also need to change 'High Scoring Spam
Subject Text' - you may need to produce two versions of the function to
get different texts for ordinary and high scoring spam).

If you want to check the filter is working, without modifying messages,
uncomment all the lines containing HOAXLOG, make sure that path is
writeable by your MailScanner user and comment out
  if($totscore>=2) {return "{HOAX??}"};

This writes a summary of scores for messages seen into the file
specified without changing from the default.

Feel free to adapt or ignore this as you see fit, but if you get it
working please do share it back.

Kevin

[Despite the disclaimer below this code is a product of my private
endeavours and in no way the fault of my employer!]





BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material.  If you have received this in error, please contact the
sender and delete this message immediately.  Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited.  BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.


-------------- next part --------------
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2002  Julian Field
#
#   $Id: CustomConfig.pm,v 1.2 2002/11/01 11:10:05 jkf Exp $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules at JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#

package MailScanner::CustomConfig;

use strict 'vars';
use strict 'refs';
no  strict 'subs'; # Allow bare words for parameter %'s

use vars qw($VERSION);

### The package version, both in 1.23 style *and* usable by MakeMaker:
$VERSION = substr q$Revision: 1.2 $, 10;

#
# These are the custom functions that you can write to produce a value
# for any configuration keyword that you want to do clever things such
# as retrieve values from a database.
#
# Your function may be passed a "message" object, and must return
# a legal value for the configuration parameter. No checking will be
# done on the result, for extra speed. If you want to find out what
# there is in a "message" object, look at Message.pm as they are all
# listed there.
#
# You must handle the case when no "message" object is passed to your
# function. In this case it should return a sensible default value.
#
# Return value: You must return the internal form of the result values.
#               For example, if you are producing a yes or no value,
#               you return 1 or 0. To find all the internal values
#               look in ConfigDefs.pl.
#
# For each function "FooValue" that you write, there needs to be a
# function "InitFooValue" which will be called when the configuration
# file is read. In the InitFooValue function, you will need to set up
# any global state such as create database connections, read more
# configuration files and so on.
#

##
## This is a trivial example function to get you started.
## You could use it in the main MailScanner configuration file like
## this:
##      VirusScanning = &ScanningValue
##
#sub InitScanningValue {
#  # No initialisation needs doing here at all.
#  MailScanner::Log::InfoLog("Initialising ScanningValue");
#}
#
#sub EndScanningValue {
#  # No shutdown code needed here at all.
#  # This function could log total stats, close databases, etc.
#  MailScanner::Log::InfoLog("Ending ScanningValue");
#}
#
## This will return 1 for all messages except those generated by this
## computer.
#sub ScanningValue {
#  my($message) = @_;
#
#  return 1 unless $message; # Default if no message passed in
#
#  return 0 if $message->{subject} =~ /jules/i;
#  return 1;
#
#  #my($IPAddress);
#  #$IPAddress = $message->{clientip};
#  #return 0 if $IPAddress eq '127.0.0.1';
#  #return 1;
#}
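my(@sarules);
sub InitHoaxCheck {
  # Load the rule list: one "SA_rule_name<TAB>score" entry per line.
  @sarules = (); # Start clean in case the configuration is re-read
  if (open(RULELIST, "/etc/MailScanner/sahoaxrules.list")) {
    while(<RULELIST>){
      next unless /\S/; # Skip blank lines
      push(@sarules, $_);
    }
    close(RULELIST);
  } else {
    # Without the list every message is simply tagged {SPAM??}
    MailScanner::Log::WarnLog("HoaxCheck: cannot read rule list: %s", $!);
  }
  # open(HOAXLOG, ">>", "/root/hoaxlog");
  # print HOAXLOG "@sarules";
  MailScanner::Log::InfoLog("Initialising Hoax Checking");
}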

sub EndHoaxCheck {
  # No shutdown code needed here at all.
  # This function could log total stats, close databases, etc.
  #close(HOAXLOG);
  MailScanner::Log::InfoLog("Ending Hoax Checking");
}
#
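## Returns "{HOAX??}" when the SpamAssassin rules hit by the message add up
## to 2 or more against sahoaxrules.list, otherwise returns "{SPAM??}".
sub HoaxCheck {
  my($message) = @_;
  my(@scored, $report, $rname, $rscore);
  my $totscore = 0;

  return "{SPAM??}" unless $message; # Default if no message passed in

  # Work on a copy so the message's own spam report is left untouched,
  # and only use $1 when the report really has the expected shape.
  if (defined $message->{spamreport} &&
      $message->{spamreport} =~ /^spam, SpamAssassin\s*\(score=[0-9.]*,\s*required\s*\d*(.*)\)$/s) {
    $report = $1;
    $report =~ s/\n//sg;
    # Split on whitespace and commas, dropping empty fields
    @scored = grep { length } split(/[\s,]+/, $report);
  }

  foreach(@sarules){
    ($rname, $rscore) = /^(\S+)\s+(\S+)/;
    next unless defined $rname; # Ignore malformed lines
    foreach(@scored){
      # Exact string comparison: the rule name is data, not a regex
      if ($_ eq $rname) {
        $totscore += $rscore;
      }
    }
  }
  #print HOAXLOG $totscore;
  #print HOAXLOG "\n";
  #print HOAXLOG "@sarules";
  #print HOAXLOG "\n";
  #print HOAXLOG "@scored";
  if($totscore>=2) {return "{HOAX??}"};
  return "{SPAM??}";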
#
#  return 1 unless $message; # Default if no message passed in
#
#  return 0 if $message->{subject} =~ /jules/i;
#  return 1;
#
#  #my($IPAddress);
#  #$IPAddress = $message->{clientip};
#  #return 0 if $IPAddress eq '127.0.0.1';
#  #return 1;
}


1;

-------------- next part --------------
NIGERIAN_TRANSACTION_1  2
US_DOLLARS              2
US_DOLLARS_3            2
US_DOLLARS_4            2
OFFSHORE_SCAM           2
VACATION_SCAM           3
NIGERIAN_SCAM           2
PSYCHIC                 1
FRIEND_GREETINGS        2
FRIEND_GREETINGS2       2

