HOWTO: An EXIM + Spamassassin Mail Filter

The office was experiencing more spam, with a disproportionate effect on mobile phones. The existing spam-catching gauntlet was working well for desktop clients, but mobile phone users weren’t benefiting because most scanning and removal occurred after the messages reached the inbox. This meant that spam was often forwarded to the mobile phone before it was detected.

My abatement strategy was to filter mail before the message got to the mail server. One option is an external mail filter, like Postini. My choice, described below, was to set up Spamassassin anti spam software on an in-house Linux box.

The outsourcing solution was pretty inexpensive ($25 per address per year) but a DIY solution was more flexible, and had no up-front cost.

Instructions

First, you need a Linux box. An older Pentium 3 system with around 512MB of RAM or more is fine. Rescue it from the waste stream before it’s sent to e-waste.

I used Ubuntu as the operating system. To install the necessary apps:

sudo apt-get install sa-exim
sudo apt-get install spamassassin

Then run “sudo dpkg-reconfigure exim4-config” and set it up as an internet machine, answering the questions like this (this requires some refinement):

Type of server: internet
System mail name: (your domain)
IP address to listen on: (all interfaces)
Other domains to accept mail for: (nothing)
Allow relays for: (your domain)
Addresses to relay mail for: (the gateway or firewall ip address, and 127.0.0.1)

This sets up the server to accept email from the internet and forward mail for only your domain. (I think you also need to choose the split configuration so that the sa-exim integration works.)

You need to add a few lines to the file /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt, at around line 173, after the line “verify = recipient”:

  # Require that the relay domain's addresses are also
  # real email addresses.
  require
    message = relay to nonexistent address not permitted
    verify = recipient/callout=10s,defer_ok

This block checks that the recipient really exists on the destination server, by making a callout to it (limited to 10 seconds) during the SMTP transaction. If the address is invalid, the sender gets a 550 error. The defer_ok option means that if the callout itself cannot complete, the recipient is accepted rather than deferred.

If you don’t add this code, the server will accept all messages for the domain and generate a bounce message whenever the address is invalid. Normally, the bounce goes back to the sender. Unfortunately, most mail is spam with forged headers, so the bounce messages end up routed to fake addresses or, worse, to legitimate ones. Because the bounce contains the spam, it usually gets blocked and sits in your outgoing queue for a while, resending periodically. This nonstop bouncing of spam (backscatter) will cause some ISPs to block all mail from your IP address.

So, it’s critical to add that code.

The sa-exim package integrates SpamAssassin with Exim automatically. There’s some criticism of sa-exim, saying that it’s buggy. That may be true, but it works for me. The package makes exim scan and reject mail while the message is being transferred via SMTP, not after it has been received, so the sending server gets an error response immediately if it sends spam. There’s no need to generate a bounce message, which saves resources.

I’ll look into sa-exim more in the future.

The default configuration of SpamAssassin works okay. The main configuration file is /etc/spamassassin/local.cf. I set the spam threshold (required_score) to 9, then worked the value downward as it proved to be identifying spam correctly.

I also added some local rules, like this:

header ORGNAME_BADADDR To =~ /bbadaddr/
score ORGNAME_BADADDR 1

This causes email sent to bad addresses to raise the spam score by one. These are addresses belonging to people who are no longer at the organization.
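To show how a local.cf header rule and the required_score threshold combine, here is a small Python evaluator for rules written in the syntax above, run against constructed sample messages. This is an added example, not code from the article or from SpamAssassin; the Subject rule, its score and the sample addresses are assumptions.

```python
import re
from email import message_from_string

# Constructed local.cf fragment in the syntax the article uses (not the office's real file);
# the bad-address rule is the article's, the Subject rule and threshold 9 are assumed values.
LOCAL_CF = r"""
required_score 9
header ORGNAME_BADADDR To =~ /bbadaddr/
score ORGNAME_BADADDR 1
header ORGNAME_SUBJ_PHARMA Subject =~ /cheap\s+pills/i
score ORGNAME_SUBJ_PHARMA 8.5
"""
HEADER_RULE = re.compile(r'^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$')

def parse_local_cf(text):
    """Return (required_score, rules); each rule is (name, header, regex, score)."""
    required, patterns, scores = 5.0, {}, {}  # 5.0 is SpamAssassin's stock threshold
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RULE.match(line)
        if m:
            name, hdr, pat, flags = m.groups()
            patterns[name] = (hdr, re.compile(pat, re.I if 'i' in flags else 0))
            continue
        parts = line.split()
        if parts[0] == 'score' and len(parts) == 3:
            scores[parts[1]] = float(parts[2])
        elif parts[0] == 'required_score' and len(parts) == 2:
            required = float(parts[1])
    # A header rule with no score line gets SpamAssassin's default score of 1.0
    return required, [(n, h, rx, scores.get(n, 1.0)) for n, (h, rx) in patterns.items()]

def score_message(raw, required, rules):
    """Apply header rules to one message; return (total, is_spam, names of rules hit)."""
    msg = message_from_string(raw)
    total, hits = 0.0, []
    for name, hdr, rx, sc in rules:
        if rx.search(' '.join(msg.get_all(hdr, []))):
            total += sc
            hits.append(name)
    return total, total >= required, hits

def classify(raw, local_cf=LOCAL_CF):
    return score_message(raw, *parse_local_cf(local_cf))

# Constructed samples: a departed user's address with a spammy subject, then an ordinary one.
SPAM_MSG = "From: a@example.com\nTo: bbadaddr@example.org\nSubject: Cheap  pills here\n\nhi\n"
LOW_MSG = "From: a@example.com\nTo: bbadaddr@example.org\nSubject: Lunch on Friday?\n\nhi\n"
```

The second sample shows the point of the one-point score: on its own, mail to a departed user's address stays well under the threshold and only tips over when other rules also fire.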

So far, this mail filter has reduced spam volume by 2/3.

The next phase is to create a system to train the Bayesian filter. Our environment uses Outlook, so it’s going to be tricky building up a database of good and bad email. That will be covered in another article.

Other related articles

Advanced Spam Filtering: How to get sa-exim to reject lower-scored spam
Exim Spamassassin ClamAV
Exim as an Exchange Email Hub