Notifications?

Ken Anderson ka at PACIFIC.NET
Fri Aug 8 18:10:32 IST 2003


Derek Winkler wrote:
> I would definitely be interested in contributing to/writing this.
>
> I'll defer to Julian as to what would be useful in the log but a syslog-like
> format would probably be useful...
>
> Date/time hostname message-id path-to-message recipient sender subject

This looks right. I think that would give us the raw data to create
different types of ui systems that allowed customers to interact with
the quarantined spam to release, whitelist or blacklist.

> If this log could make multiple entries for each recipient it could save
> some parsing on scripts using the log.
> I'd probably attach the original message to a new message with one recipient
> in order to avoid the inadvertent sending to all recipients.

We split mail coming in using sendmail's queue groups, so we'd just cp
them from quarantine directly to /var/spool/mqueue. Attaching the
original messages would not be needed, though it would be a nice option.
How about altering the subject, prepending "released from quarantine "
or something?

> It might not be too difficult to write two methods of
> retrieving/whitelisting/learning these messages, one via email and the
> other via a web interface.

Everyone may do this a bit differently. We'd probably want to have a
simple 'are you sure' web interface that would be arrived at by clicking
on a link in the quarantine digest email. Others may want to use sql
logging and present users with a variety of other options at this point.
In our case, the webserver is another machine that would queue jobs for
a simple script on the mail relays that would do the cp operation with
the right permissions.

Ken
Pacific.Net


> Thanks,
>
> Derek Winkler
> Security Administrator
> Algorithmics Inc., Toronto
> Tel: (416) 217-4107
> Fax: (416) 971-6263
> www.algorithmics.com
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ecs.soton.ac.uk]
> Sent: Friday, August 08, 2003 11:36 AM
> To: MAILSCANNER at jiscmail.ac.uk
> Subject: Re: Notifications?
>
>
> If someone else wants to write it, I'll happily add some extra logging for
> them to use.
>
> At 15:49 08/08/2003, you wrote:
>
>>I think the idea to quarantine spam and allow users to release it if they
>>desire might be a nice, low-admin-overhead way of letting users search for
>>false positives on their own, but wouldn't it also require splitting
>>messages before MS sees them?  Otherwise I would expect that there may be
>>issues with one user releasing a spam expecting it to come only to him and
>>inadvertently sending it to other recipients of the original message.  I
>>really like the idea though.
>>
>>
>>>-----Original Message-----
>>>From: Ken Anderson [mailto:ka at PACIFIC.NET]
>>>Sent: Friday, August 08, 2003 9:40 AM
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: Notifications?
>>>
>>>
>>>Julian Field wrote:
>>>
>>>>You cannot currently do this. Wouldn't it generate an /awful/ lot of mail?
>>>
>>>It would. But if it could be a daily (or configurable) digest sent to
>>>the end user of spam quarantined with a nice link to release the
>>>individual emails? That would be nice. I'm sure this has occurred to
>>>others on this list.. Anyone put any work into such a thing?
>>>
>>>Other Anti-Spam solutions have this; Postini, active-state's new
>>>anti-spam product - I saw it at linuxworld tuesday - very cool, but I
>>>can't remember the name of the product!
>>>
>>>The result would be that the end user wouldn't have to d/l 50-80% {SPAM}
>>>tagged email and filter it locally. The impression by the end user would
>>>be that we were taking care of that for them. :-)
>>>
>>>This may not be a MailScanner feature, maybe an addon script or two?
>>>MailScanner could help by writing out a log of what it has quarantined
>>>when and where it has put it. I would expect this could be done with
>>>some simple logging code in MailScanner at the same points it currently
>>>logs quarantine info to the maillog.
>>>Then a perl script run from cron could read the "quarantine log" and
>>>generate emails to end users on a regular basis. Another script could
>>>handle releasing the quarantined email when an end user clicked a link
>>>in the email.
>>>
>>>Ken
>>>Pacific.Net
>>>
>>>
>>>
>>>>At 04:51 08/08/2003, you wrote:
>>>>
>>>>>I was reading through the documentation and I stumbled across the actions
>>>>>section for SPAM.  I was playing with the settings and rules files (which
>>>>>make all of our lives easier) when I finally ended up with "store" being the
>>>>>action I opted for SPAM and "delete" for HIGH SPAM.
>>>>>
>>>>>This is working well, (after learning the hard way that quarantine directory
>>>>>has to be owned by postfix:postfix :)) except that I don't get notified when
>>>>>a message is received and "stored".  I assume this is by design, however,
>>>>>I'm curious about whether the system can notify AND store the message with a
>>>>>notification such as the one used to notify of "stored" messages that are
>>>>>identified as viruses/filename?
>>>>>
>>>>>I suppose I'm looking for a SPAM equivalent for the "Stored Virus Message
>>>>>Report" variable that is ONLY sent to the ADMIN identified by "Notices
>>>>>To"...
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
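
The quarantine log and release check discussed in this thread, sketched as an added example (not code from MailScanner or from any poster): it parses a per-recipient log in the proposed field order, groups entries for a digest, and approves a release only when the log shows the message was held for the requesting recipient and the stored path resolves inside the quarantine tree. The tab-separated layout, the `/srv/quarantine` root, the function names and the sample lines are assumptions made for illustration.

```python
import os
from collections import defaultdict

QUARANTINE_ROOT = "/srv/quarantine"  # assumed path, not from the thread
FIELDS = ("when", "host", "msgid", "path", "recipient", "sender", "subject")

# Constructed sample log: tab-separated, one line per recipient.
SAMPLE_LOG = "\n".join([
    "2003-08-08T18:10:32\trelay1\tmsg-0001\t/srv/quarantine/20030808/msg-0001\talice@example.com\tx@example.net\tCheap pills",
    "2003-08-08T18:10:32\trelay1\tmsg-0001\t/srv/quarantine/20030808/msg-0001\tbob@example.com\tx@example.net\tCheap pills",
    "2003-08-08T18:11:02\trelay1\tmsg-0002\t/srv/quarantine/../../etc/passwd\tbob@example.com\ty@example.net\tHello",
    "truncated line without enough fields",
])

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t", len(FIELDS) - 1)  # subject may contain tabs
        if len(parts) == len(FIELDS):
            entries.append(dict(zip(FIELDS, parts)))
    return entries

def digest_by_recipient(entries):
    """Group quarantined messages per recipient for the digest e-mail."""
    digest = defaultdict(list)
    for e in entries:
        digest[e["recipient"].lower()].append((e["msgid"], e["sender"], e["subject"]))
    return dict(digest)

def authorize_release(entries, msgid, recipient):
    """Return the file to release to `recipient` only, or None if refused."""
    root = os.path.realpath(QUARANTINE_ROOT)
    for e in entries:
        if e["msgid"] != msgid or e["recipient"].lower() != recipient.lower():
            continue  # the log must show this message was held for this user
        path = os.path.realpath(e["path"])
        if path != root and os.path.commonpath([root, path]) == root:
            return path  # resolved path stays inside the quarantine tree
    return None

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(digest_by_recipient(log))
    print(authorize_release(log, "msg-0001", "bob@example.com"))
```

Because the web server in the setup described above only queues jobs, the script on the mail relay is where this check belongs: it treats the message-id and recipient from the job as untrusted and re-derives the file path from the log.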


