[SURBL-Discuss] SURBL independent daemon, pluggable into amavis

Yves Junqueira yves.junqueira at gmail.com
Thu Sep 23 16:54:45 CEST 2004


Hi,

for those that don't use SpamAssassin and would like to make SURBL
checks on their mail, I've adapted Devin Carraway's plugin to qpsmtp,
making a daemon that is independent, forking itself as needed. I
believe it performs well, even on high traffic mail.

Its simple usage interface, that was made with amavisd antivirus code
in mind, is possibly usable by other services. Whenever a mail comes,
one should connect to it and order it to scan the dir or file that
message is on.

# telnet 127.0.0.1 20098
SCAN /tmp/
Scanning /tmp/
Checking /tmp/filex8QBXY
Checking /tmp/ldap18775
OK. OK
Connection closed by foreign host.
# 

# echo 'http://123getnow.com' > /tmp/a

# telnet 127.0.0.1 20098
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SCAN /tmp/
Scanning /tmp/
Checking /tmp/a

SPAMMEDURL: 123getnow.com in surblgoiano.com.br (SPAMMER 123getnow.com)
Action: deny
DENY
Connection closed by foreign host.
#

Just check for "DENY" or "OK" and you're done. In this example,
"surblgoiano.com.br" is my local RBL zone for bad URIs.

It's easy to plug it into amavis:

/etc/amavisd.conf:
 @av_scanners :
(...)
['Suri',  \&ask_daemon,
["SCAN {}/../email.txt\n", '127.0.0.1:20098'],
qr/^OK/, qr/^DENY/, qr/^SPAMMEDURL:.*[(](.+)[)]/],
(...)

The important part there is:

SCAN {}/../email.txt

As you can see, there is a problem here. In this case, all messages
with a spamvertised URI will be considered a virus, and actions will
be taken aproprietely as per amavis config. In this case, I'd
recommend using initially a non-deny "$action" setting, for seeing any
potential problems in the logs (syslog) before really applying this
"dangerous" policy. In any case, it is very recommended too that you
quarantine these "infected" messages.

This is a perl beginner's work, so please excuse any mistakes. It was
made to fit my needs, as I maintain my own suribl zone, which is
small, yet made for as little false positives as possible and with a
special attention to brazilian domains. I haven't tested it with
SURBL.org zones, yet.

I am also making a transparent SMTP proxy for using with Postfix in
servers with low traffic and/or running a local RBL daemon (rbldnsd).
It would prevent losing e-mail. Any potential false positive would be
notified by the SMTP reject code after the end of the DATA command
block. Do you think it could be useful?

You can get this plugin, that I called SURI, at
http://i-admin.blogspot.com . I'd appreciate any comments very much.
It's my first free software ever relased :-P

-- 
Yves Junqueira
nictuku - irc.freenode.net
http://www.lynx.com.br


More information about the Discuss mailing list