Exim SpamAssassin at SMTP time
What's that?
mail from: merlin@gandalf
250 OK
rcpt to: merlin@gandalf
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: merlin@gandalf
To: merlin@gandalf
Subject: $$$ Make Money Fast $$$ !!!
viagra 100% GARANTEE AMAZING FULL REFUND
This is not spam
.
550 Rejected
(logs would show something like this:
2004-03-10 08:27:18 1B16Y8-0001UP-4R SA: Action: permanently rejected message: hits=14.8 required=7.0 trigger=11.0 ( scanned in 2/2 secs | Message-Id: CCQPVENACPQBFLTRLICXWQVEK@gandalf). From (host=gandalf [127.0.0.1]) for merlin@gandalf)
An example of teergrube would return this instead:
data
354 Enter message, ending with "." on a line by itself
(...)
body SEE_FOR_YOURSELF /See (?:for|it) yourself\b/i
describe SEE_FOR_YOURSELF See for yourself
body ORDER_NOW /\border (?:now|soon|fast|quickly|while)\b/i
describe ORDER_NOW Encourages you to waste no time in ordering
.
451- wait for more output
451- wait for more output
451- wait for more output
(... one line every 10 secs, 15 minutes elapse ...)
450 Please try again later
The idea here is to stall and waste the resources of the remote sender (BTW,
teergrube comes from German, and means tar-pitting, or stopping someone in his
tracks).
Why?
SpamAssassin can be run inside exim after the mail has been accepted, as shown
here, but if you're not going to use my patch and you just want to run SA as an
exim transport, this version is recommended.
Now, while this will work, we can do better, hence the reason for my code
(just to make things clear, you do not want to run both my code and dman's
transports. It'd work, but you'd be scanning the message twice).
The reason why I wanted SpamAssassin in local scan is that I don't want to
accept the damn spam in the first place.
- While my code lets you do that, I don't like to send mails to the bit
bucket, so you need to bounce them.
- Once you accept the spam, you can't bounce it half the time, or you
bounce it to an innocent whose Email was forged as an envelope sender
(some spam even forges the bounce address to you)
- If I refuse spam at SMTP time, it will remove the spam addresses from at
least a few lists (they gotta clean their lists eventually otherwise they'd
spend more time Emailing dead addresses than good ones)
- I have the option of toying with spammers, stalling their connections and
wasting their resources (see the following page for details on teergrubing)
Note that you can also use this code to simply run SA on all your mails (or
portion thereof as configured with SAEximRunCond) without having to configure SA
in your exim.conf. In other words, this code can be configured to not reject
any mails.
SpamAssassin? What's that?
Ah, you need to visit this page first then
How does it work, what knobs are there?
You need to configure spamassassin to flag mails as spam after a certain
threshold (7 for instance). After that, this code can be configured to:
- Pretend to be processing the Email and send continuation lines to the
remote server until it gives up (aka teergrubing)
- Accept but not deliver mail with a high threshold (i.e. devnull the mail)
- Reject mail with a lower threshold
- Temporarily reject mail with a still lower threshold (you can then inspect
your logs to decide if you want to tweak SA so that next time the mail
is sent, you can receive it)
- In all 5 cases, mail can be optionally saved to disk so that you can
inspect all the mails you've rejected or /dev/nulled
You can also (and probably should) use the new greylisting support for even
better spam control.
For more details, you should look at the self-documented config file and you
can see some sample rejects and what you get in the logs.
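Added example (not part of sa-exim or of the original page): a small Python
parser for the "SA: Action:" log line shown earlier on this page. It lists the
rejections that crossed their threshold by only a small margin, which are the
ones worth reading before tweaking SA. It assumes trigger= is the threshold
that fired; every log line after the first one is constructed.

```python
import re

# Only the fields visible in the page's sample log line are parsed.
SA_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<exim_id>\S+) "
    r"SA: Action: (?P<action>.+?): hits=(?P<hits>-?[\d.]+) "
    r"required=(?P<required>-?[\d.]+) trigger=(?P<trigger>-?[\d.]+)"
)
HOST_RE = re.compile(r"\(host=(?P<host>\S+) \[(?P<ip>[^\]]+)\]\)")

# Line 1 is the sample from this page; the other lines are constructed.
SAMPLE_LOG = [
    "2004-03-10 08:27:18 1B16Y8-0001UP-4R SA: Action: permanently rejected "
    "message: hits=14.8 required=7.0 trigger=11.0 ( scanned in 2/2 secs | "
    "Message-Id: CCQPVENACPQBFLTRLICXWQVEK@gandalf). From (host=gandalf "
    "[127.0.0.1]) for merlin@gandalf)",
    "2004-03-10 08:30:02 1B16ab-0001Uq-00 <= alice@example.org "
    "H=mail.example.org [192.0.2.10] P=esmtp S=2048",
    "2004-03-10 08:41:52 1B16mC-0001Vx-9T SA: Action: permanently rejected "
    "message: hits=11.6 required=7.0 trigger=11.0 ( scanned in 1/1 secs | "
    "Message-Id: constructed-1@mail.example.org). From "
    "(host=mail.example.org [192.0.2.10]) for merlin@gandalf",
    "2004-03-10 09:02:11 1B175V-0001Wd-2K SA: Action: permanently rejected "
    "message: hits=31.2 required=7.0 trigger=11.0 ( scanned in 3/3 secs | "
    "Message-Id: constructed-2@bulk.example.net). From "
    "(host=bulk.example.net [198.51.100.7]) for merlin@gandalf",
]

def parse_line(line):
    """Return the SA fields of one log line, or None for other log lines."""
    m = SA_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("hits", "required", "trigger"):
        entry[key] = float(entry[key])
    host = HOST_RE.search(line)
    entry["host"], entry["ip"] = (host["host"], host["ip"]) if host else (None, None)
    return entry

def borderline(lines, margin=2.0):
    """Entries whose score exceeded the trigger by at most `margin` points."""
    entries = filter(None, map(parse_line, lines))
    return [e for e in entries if 0 <= e["hits"] - e["trigger"] <= margin]

if __name__ == "__main__":
    for e in borderline(SAMPLE_LOG):
        print(e["when"], e["exim_id"], e["action"], e["hits"], e["ip"])
```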
While when sa-exim first came out, its strongest point was being one of the
first programs (if not the first) that let you reject Spam at SMTP time, its
coolest feature now is adaptive greylisting support.
In a nutshell, you get the advantages of greylisting without the disadvantages:
- mails with a low spam score are accepted without delay
- mails with an average spam score are greylisted, and only those are delayed
- mails with high spam scores are rejected regardless (no greylisting)
This method is the best combination I've seen out there so far, and
while I've been talking about it for a while, I don't yet know of other
programs that implement this method (if you do, please let me know so that
I can acknowledge them)
For more details on how this works, check out the greylisting README
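The action thresholds listed under "How does it work" and the three
greylisting bands above, as an added Python model that is not sa-exim's code.
The class name, the threshold values, the order in which thresholds are tested
and the (client IP, sender, recipient) greylisting key are assumptions made for
this illustration.

```python
class AdaptivePolicy:
    """Toy model of score-based actions with adaptive greylisting."""

    def __init__(self, teergrube=25.0, devnull=20.0, reject=11.0,
                 greylist=7.0, retry_delay=300):
        # Constructed thresholds; 7.0 and 11.0 echo required= and trigger=
        # in the page's log sample. Assumed order: highest tested first.
        self.teergrube = teergrube
        self.devnull = devnull
        self.reject = reject
        self.greylist = greylist
        self.retry_delay = retry_delay  # seconds before a retry is accepted
        self.first_seen = {}            # greylist key -> time first seen

    def decide(self, score, client_ip, sender, rcpt, now):
        """Return the action for one message once its SA score is known."""
        if score >= self.teergrube:
            return "teergrube"  # stall with 451- lines, then a 4xx reply
        if score >= self.devnull:
            return "devnull"    # accept, but do not deliver
        if score >= self.reject:
            return "reject"     # 5xx reply, never greylisted
        if score < self.greylist:
            return "accept"     # low score: no delay at all
        # Average score: only these messages are delayed.
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.retry_delay:
            return "accept"     # the sender retried after the delay
        return "greylist"       # temporary rejection, try again later


if __name__ == "__main__":
    policy = AdaptivePolicy()
    peer = ("192.0.2.10", "news@example.org", "merlin@gandalf")  # constructed
    for score, now in [(2.1, 0), (8.5, 0), (8.5, 60), (8.5, 400),
                       (14.8, 400), (31.0, 400)]:
        print(f"t={now:>3}s score={score:>4}: {policy.decide(score, *peer, now)}")
```

Only the 8.5-point message is ever delayed: it is temporarily rejected at t=0 and t=60 and accepted on the retry at t=400, while the 14.8-point message is rejected without creating any greylist state.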
Ok, where's the code? / Downloads
As explained in the archive, you can either copy sa-exim.c over exim's
src/local_scan.c in the exim source tree and rebuild exim, or you can build
sa-exim as a loadable module (you need to patch exim to support loadable
modules though).
You can also browse all my exim files here
Mailing list
You should probably subscribe to this low traffic mailing list if you download
the code to keep apprised of bug fixes and enhancements.
Integration with Exim 4
This code works without anything in the exim conf, but you probably want to use
some knobs to disable scanning for some users (like setting
X-SA-Do-Not-Rej or X-SA-Do-Not-Run in the rcpt ACL and
removing those headers in the right places).
See my exim4 conf tree and more specifically the exim4.conf file.
You can look at the README for more
integration details.
Changelog/Download
More generally, all the files can also be found here
Feedback is appreciated (but please prefer the use of the sa-exim list)
Acknowledgements