Exim SpamAssassin at SMTP time

What's that?

mail from: merlin@gandalf
250 OK
rcpt to: merlin@gandalf
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: merlin@gandalf
To: merlin@gandalf
Subject: $$$ Make Money Fast $$$ !!!

viagra 100% GARANTEE AMAZING FULL REFUND 
This is not spam
.
550 Rejected
(logs would show something like this: 2004-03-10 08:27:18 1B16Y8-0001UP-4R SA: Action: permanently rejected message: hits=14.8 required=7.0 trigger=11.0 ( scanned in 2/2 secs | Message-Id: CCQPVENACPQBFLTRLICXWQVEK@gandalf). From (host=gandalf [127.0.0.1]) for merlin@gandalf)

An example of teergrube would return this instead

data
354 Enter message, ending with "." on a line by itself
(...)
body     SEE_FOR_YOURSELF       /See (?:for|it) yourself\b/i
describe SEE_FOR_YOURSELF       See for yourself

body ORDER_NOW                  /\border (?:now|soon|fast|quickly|while)\b/i
describe ORDER_NOW              Encourages you to waste no time in ordering

.
451- wait for more output
451- wait for more output
451- wait for more output
(... one line every 10 secs, 15 minutes elapse ...)
450 Please try again later

The idea here is to stall and waste the resources of the remote sender (BTW, teergrube comes from German and means tar-pitting, or stopping someone in his tracks).

Unmaintained

As indicated in sa-exim list message, I haven't maintained sa-exim since 2006. It does work as shipped in Debian and is still used by people, including myself, but I just don't have time to spend on it anymore. Don't let that stop you from using it, just please don't ask me to add features :)

Why?

SpamAssassin can be run inside exim after the mail has been accepted, as shown here, but if you're not going to use my patch and you just want to run SA as an exim transport, this version is recommended.

Now, while this will work, we can do better, hence the reason for my code (just to make things clear, you do not want to run both my code and dman's transports. It'd work, but you'd be scanning the message twice).

The reason why I wanted SpamAssassin in local scan is that I don't want to accept the damn spam in the first place.

Note that you can also use this code to simply run SA on all your mails (or portion thereof as configured with SAEximRunCond) without having to configure SA in your exim.conf. In other words, this code can be configured to not reject any mails.

SpamAssassin? What's that?

Ah, you need to visit this page first then

How does it work, what knobs are there?

You need to configure SpamAssassin to flag mails as spam after a certain threshold (7 for instance). After that, this code can be configured to

You can also (and probably should :-)) use the new greylisting support for even better spam control.

For more details, you should look at the self-documented config file and you can see some sample rejects and what you get in the logs
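
For working with those log entries, here is a small parser for the `SA: Action:` line format quoted at the top of this page. It is an added example, not part of sa-exim; the function names and the first sample line are constructed, and only the field layout visible in the quoted entry is assumed.

```python
import re

# Line layout follows the sa-exim log entry quoted at the top of this page.
# Message-Id is sender-controlled text, so the greedy ".*" below deliberately
# binds host/IP to the LAST "(host=... [...])" group on the line, the one
# written after the Message-Id, rather than to anything embedded in the header.
SA_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<exim_id>\S+) SA: Action: (?P<action>.+?): "
    r"hits=(?P<hits>-?\d+(?:\.\d+)?) required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?: trigger=(?P<trigger>-?\d+(?:\.\d+)?))?"
    r".*\(host=(?P<host>\S*) \[(?P<ip>[^\]]*)\]\) for (?P<rcpt>.+)$"
)

SAMPLE_LOG = [
    # Constructed: an ordinary Exim arrival line, which must be skipped.
    "2004-03-10 08:27:10 1B16Y0-0001UN-00 <= merlin@gandalf "
    "H=gandalf [127.0.0.1] P=smtp S=512",
    # Taken from this page.
    "2004-03-10 08:27:18 1B16Y8-0001UP-4R SA: Action: permanently rejected "
    "message: hits=14.8 required=7.0 trigger=11.0 ( scanned in 2/2 secs | "
    "Message-Id: CCQPVENACPQBFLTRLICXWQVEK@gandalf). From (host=gandalf "
    "[127.0.0.1]) for merlin@gandalf",
]

def parse_sa_line(line):
    """Return a dict for an sa-exim action line, or None for other lines."""
    m = SA_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("hits", "required", "trigger"):
        rec[key] = float(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines):
    """Per (ip, action): number of messages and the highest score seen."""
    stats = {}
    for line in lines:
        rec = parse_sa_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["action"])
        count, top = stats.get(key, (0, float("-inf")))
        stats[key] = (count + 1, max(top, rec["hits"]))
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```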

Greylisting you say?

While when sa-exim first came out, its strongest point was being one of the first programs (if not the first) that let you reject Spam at SMTP time, its coolest feature now is adaptive greylisting support.

In a nutshell, you get the advantages of greylisting without the disadvantages:

This method is the best combination I've seen out there so far, and while I've been talking about it for a while, I don't yet know of other programs that implement this method (if you do, please let me know so that I can acknowledge them).

For more details on how this works, check out the greylisting README.

Ok, where's the code? / Downloads

As explained in the archive, you can either copy sa-exim.c over exim's src/local_scan.c in the exim source tree and rebuild it, or you can build sa-exim as a loadable module (you need to patch exim to support loadable modules though).

You can also browse all my exim files here

Mailing list

You should probably subscribe to this low traffic mailing list if you download the code to keep apprised of bug fixes and enhancements

Integration with Exim 4

This code works without anything in the exim conf, but you probably want to use some knobs to disable scanning for some users (like setting X-SA-Do-Not-Rej or X-SA-Do-Not-Run in the rcpt ACL and removing those headers in the right places).
See my exim4 conf tree and more specifically the exim4.conf file

You can look at the README for more integration details.

Changelog/Download

  • 2006/01/09 - v4.2.1 (sa-exim.tar.gz or local_scan only)
    Security update (reported by Chris Morris)
  • 2005/01/17 - v4.2 (sa-exim.tar.gz or local_scan only)
    Do not use, greylistclean is insecure, use 4.2.1 instead
  • 2004/08/16 - v4.1 (sa-exim.tar.gz or local_scan only)
    Please see the mailing list, or use the CVS version if you are compiling sa-exim inside your exim tree (there is a small mistake in the source which will prevent proper building).
    You also need CVS if you are using SA 3.0
  • 2004/03/16 - v4.0 (sa-exim.tar.gz or local_scan only)
  • 2003/08/18 - v3.1 (sa-exim tar.gz or local_scan only)
  • 2003/04/30 - v3.0 (sa-exim tar.gz or local_scan only)
  • 2002/10/28 - v2.2 (sa-exim tar.gz or local_scan only)
  • 2002/10/13 - v2.1 (buggy) (sa-exim tar.gz or local_scan only)
  • 2002/07/07 - v2.0.1 (sa-exim tar.gz or local_scan only)
  • 2002/06/14 - v2.0 (sa-exim tar.gz or local_scan only)
  • 2002/06/01 - v2.0b1
    This is how 1.0 would have been if I had done it right :-)
  • 2002/05/21 - v1.3
  • 2002/05/17 - v1.2.2
  • 2002/05/13 - v1.2.1
  • 2002/05/12 - v1.2 (unreleased)
  • 2002/05/08 - v1.1.1
  • 2002/05/07 - v1.1
  • 2002/05/06 - v1.0.1
  • 2002/05/05 - v1.0
  • 2002/04/17 - v0.9.1
  • 2002/04/16 - v0.9

More generally, all the files can also be found here

Feedback is appreciated (but please prefer the use of the sa-exim list)

Acknowledgements

While I wrote SA-Exim after realizing that I didn't want to accept Spam in the first place, this package would not have been put together without the help and contributions of the following people:

