MailScanner as content filter

Rose, Bobby brose at med.wayne.edu
Wed Mar 12 01:10:45 GMT 2008


In my case, I want the rule to apply to everyone.  The high score takes care of the non-whitelisted and the SA_RULENAME/Action pair takes care of the whitelisted messages.  In my case, I had phishing emails coming to users in my domain due to email forwarding that they have on the main campus mail system which had some whitelisting criteria that I needed to stop those phishing messages from getting thru.

You can change the score to whatever you want.  Make it 0.001 or something.  So long as MailScanner sees that it's been tripped it will apply the rule action based on your mailscanner criteria.  If you don't want the SA rule to trip on everyone then make up a meta rule.

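Example
# Sub-rules whose names start with "__" carry no score of their own
header	__BOBBY_TEST_SUBJ	Subject =~ /bobby test of email/i
# From:addr matches only the address, so the $ anchor still works when a display name is present
header	__BOBBY_TEST_FROM	From:addr =~ /\@server\.local\.net$/i
meta		BOBBY_TEST	( __BOBBY_TEST_SUBJ && __BOBBY_TEST_FROM )
score		BOBBY_TEST	0.01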


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of William A. Knob
Sent: Tuesday, March 11, 2008 7:59 PM
To: MailScanner discussion
Subject: Re: MailScanner as content filter


    Ok, I got it!

    Really works, but I guess to know one last thing:

    If I create that example rule with score of  "100.0", then my "High Spam Score Action" will be invoked. And if I want to apply that rule only for one domain? Like that:

    To:       *@server.local.test         SUBJECT_TEST=>non-deliver,delete


    My SUBJECT_TEST rule has a score of "100.0".

    This way, not only emails To "server.local.test" will be matched on that rule, but all of them!

    Do you know how I can make rules for only 1 domain or 1 email account?

    Regards,



Rose, Bobby wrote:
> Simple SA subject rule
>
> header          BOBBY_TEST      Subject =~ /Bobby Test of email/i
> score           BOBBY_TEST      100.0
>  
>  
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
> William A. Knob
> Sent: Tuesday, March 11, 2008 6:30 PM
> To: MailScanner discussion
> Subject: Re: MailScanner as content filter
>
>
>   Hmm... interesting!
>
> But, can you explain (or paste) your BOBBY_TEST rule?
>
> Regards,
>
> Rose, Bobby wrote:
>   
>> I was hoping for a ruleset example but I think I found my mistake.
>>
>> Every SA_Rule=>Action needs to be on the same line in the ruleset.  I 
>> had it as one per line like this.
>> FromOrTo:       default         BOBBY_TEST=>non-deliver,delete
>> FromOrTo:       default         BOBBY_TEST2=>non-deliver,delete
>>
>> So the correct format is 
>> FromOrTo:       default         BOBBY_TEST=>non-deliver,delete, BOBBY_TEST2=>non-deliver,delete, ......
>>
>> So here's what I have now
>> FromOrTo		127.0.0.1	
>> FromOrTo:       default         BOBBY_TEST=>non-deliver,delete, BOBBY_TEST2=>non-deliver,delete
>>
>> But I did have a request for this action to be logged separately from 
>> the logging of non-spam so that logging of non-spam doesn't need to 
>> be turned on for it.
>>
>> Now I can start dropping those stupid phishing emails relayed to us 
>> from main campus ;-)
>>
>> -=B
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>> Julian Field
>> Sent: Tuesday, March 11, 2008 3:20 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner as content filter
>>
>> What happens when you try to put in a ruleset? What doesn't work?
>> Sorry if I missed this thread.
>>
>> Rose, Bobby wrote:
>>> Look at the SpamAssassin Rule Actions option.  You define your rule in
>>> SA and define in MailScanner what to do when it sees a message that
>>> trips that rule.
>>>
>>> Of course, I'm still waiting on someone to explain how this can be a
>>> ruleset because I haven't been able to get it to work in a rules file.
>>> But it does work if you chain the rule/action pairs on the
>>> MailScanner.conf line but that means it applies to everyone.
>>>
>>> -=B
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>>> William A. Knob
>>> Sent: Tuesday, March 11, 2008 1:49 PM
>>> To: MailScanner discussion
>>> Subject: MailScanner as content filter
>>>
>>>
>>>        Hi all;
>>>
>>>     I need to make some "content filtering" on my mail server, like
>>>     create rules for some users and/or groups. For example: create a rule
>>>     that says when the word "sex" appears on a Subject when the email is
>>>     for the group "X", then it is blocked.
>>>
>>>     Can I do that?
>>>
>>>     Regards,
>>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP 
>> public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and dangerous content by 
>> MailScanner, and is believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website! 


-- 
	
*William A. Knob - Development Division* Raidbr Soluções em Informática Ltda.
Rua José Albino Reuse, 1125. Cinquentenário. Caxias do Sul - RS Phone/Fax: (54) 3223.7074

Visit our site:
www.raidbr.com.br <http://www.raidbr.com.br>


--
This message has been checked by the antivirus system and is believed to be free of danger.
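
An added example, not part of the original thread or of MailScanner itself: a small Python check for the ruleset mistake discussed in this thread, where rule/action pairs for the same pattern were put on separate lines. It assumes that the first matching ruleset line wins (as the thread observed) and handles only `default` and shell-style address patterns; the function names and the sample ruleset are constructed for illustration.

```python
import fnmatch

# Constructed ruleset in the one-pair-per-line layout the thread reports as not working.
SAMPLE_RULESET = """\
# spam.rule.actions.rules (constructed sample)
To:        *@server.local.test  SUBJECT_TEST=>non-deliver,delete
FromOrTo:  default              BOBBY_TEST=>non-deliver,delete
FromOrTo:  default              BOBBY_TEST2=>non-deliver,delete
"""

def parse_ruleset(text):
    """Return (lineno, direction, pattern, value) for each rule line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].endswith(":"):
            rules.append((lineno, parts[0].rstrip(":").lower(), parts[1], parts[2]))
    return rules

def shadowed_lines(rules):
    """Find lines repeating an earlier direction+pattern; suggest the merged value."""
    first, merged, shadowed = {}, {}, []
    for lineno, direction, pattern, value in rules:
        key = (direction, pattern.lower())
        if key in first:
            shadowed.append((lineno, first[key]))  # (ignored line, line that wins)
            merged[key] += ", " + value
        else:
            first[key], merged[key] = lineno, value
    return shadowed, merged

def actions_for(rules, recipient):
    """Value of the first To/FromOrTo line whose pattern matches the recipient."""
    for _, direction, pattern, value in rules:
        if direction in ("to", "fromorto") and (
            pattern.lower() == "default"
            or fnmatch.fnmatch(recipient.lower(), pattern.lower())
        ):
            return value
    return None

if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print(shadowed_lines(rules))
    print(actions_for(rules, "user@server.local.test"))
```

The merged value it reports is the single-line form the thread arrives at; the per-domain line only limits which recipients get the action, so the SpamAssassin rule itself still needs a low score if it should not trigger the high-spam action for everyone.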
