Posted to users@spamassassin.apache.org by "Dan Mahoney, System Admin" <da...@prime.gushi.org> on 2006/12/14 17:59:26 UTC
Way to skip scanning per-user?
Hey all,
I'm looking for an easy way to override ALL scanning (NOT scoring) for a
specific user.
This is NOT the same as just setting required_score to 1000 -- basically
what I want instead is some special way that SA will say "nope, not even
testing" and "short circuit".
This shouldn't be a difficult feature to implement at all -- I'd imagine
about three lines of code :)
There are several uses for this, either when a user is using some
alternate engine (so why eat CPU on the scanning system?), or under the
situation that you have a user who has SUCH a volume of spam that it's
under constant attack and you just want to "opt them out" of the system
for diagnostic purposes.
Any ideas on how to do this?
-Dan
--
"Long live little fat girls!"
-Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas)
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Re: Way to skip scanning per-user?
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 14 Dec 2006, Theo Van Dinter wrote:
As an aside, part of this is why I had asked for (a while back) a way to
specify the "domain" portion of the -u argument, i.e. so it could be done
per-calling server (i.e. it is assumed that if shell server A and shell
server B, each with a distinct user-base are sharing a spamd machine, then
their user bases will have prefnames derived from the hostnames of A and
B.) -- regardless of the email address used.
i.e. localusername @ suffix (where the suffix is supplied to spamc in some
global config file, and the localusername is automatic). Knowing how to
do this (get the current username) in procmail (without firing up perl or
even SED -- I could call a binary like "whoami" but that's a bit less
universal) would also make THIS mostly unnecessary.
Again, this is not at all based on email address (except in the case of
emails like mine, where my address accurately reflects the FQDN of the
calling server -- but then I've always been the exception rather than the
rule), but on UID and HOSTNAME.
The servers in question have 400 uids each, two hostnames, and potentially
MILLIONS of email addresses, especially in a dictionary attack, where the
user has a catch-all account. Which does it make sense to modify stats
by?
--
"I am a professional drinker, and I know that that was NOT Jose Cuervo!"
"Well, what was it then?"
"I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot
Powder, because my feet feel okay, and my back doesn't hurt, but my
stomach is killing me!"
-Dan Mahoney, Costa Rica, August 12th, 1994
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Dec 14, 2006 at 12:26:54PM -0500, Dan Mahoney, System Admin wrote:
> I'm running procmail with dropprivs=yes. There's no easy procmail thing
> for (getpwnam($<)) and I do NOT feel like firing up perl on every message
> to evaluate that just to figure out if I should fire up the C program that
> I use so I don't have to fire up perl.
There are environment variables with this kind of info. Look at LOGNAME, for
instance. Worst case, you could run "id -un" and get the information that
way.
--
Randomly Selected Tagline:
"To the engineer, the world is a toy box full of sub-optimized and
feature-poor toys." - Scott Adams
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 14 Dec 2006, Theo Van Dinter wrote:
> On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
>> At the moment, that's a hack in the system-wide procmailrc that I don't
>> know how to do, since the only thing procmail knows about userspace is
>> "dropprivs="yes"", and there's no translation for an easy way to equate
>> that to email address (i.e. it allows me to do it per *domain* not per
>> user, i.e. *@mydomain.com, but if a user has two domains, then I'd have to
>> do them each separately).
>
> If you're using procmail, you could look at the X-Original-To (or similar)
> header to figure out who the mail is going to. Otherwise, you could modify
> your setup to pass information in to procmail from the MTA.
>
>> Presuming we're looking for the value of the "user" based on the email
>> address, yes, I understand, but can't you check the value of -u before you
>> even do that? (i.e. at the earliest point)
>
> Ah, there you're talking about spamc/spamd which is a different beasty
> altogether. If you want to skip checks based on how you're calling spamc, then
> check the value you're going to use for the username and don't call spamc if
> you don't want the mail scanned.
I'm running procmail with dropprivs=yes. There's no easy procmail thing
for (getpwnam($<)) and I do NOT feel like firing up perl on every message
to evaluate that just to figure out if I should fire up the C program that
I use so I don't have to fire up perl.
I see procmail macros for the email address, and for the _TO thing, but
NOTHING that just gives you the goddamned login.
I don't need -u on spamc, spamc just picks up that username and runs with
it. If I'm running spamc as danm, spamd grabs danm's prefs.
When I said -u, I was asking how spamd would recognize the implied value
of -u, not the actual command line flag.
If that makes sense?
-Dan
--
"It would be bad."
-Egon Spengler, "Ghostbusters"
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
One of my users just started getting slammed. This one user, out of 400+
is getting a dictionary attack that's overwhelming all my spamd process
slots.
Doing this on the spamd side would make simply stopping this really simple
-- even programmatically (i.e. automatically). Manually, even with the
best .procmailrc in the world I don't have a way.
Just my 0.02
-Dan
--
"We are basically...'Bandwidth Pimps'...Hrmmm...But that's cool man! You see these gold chains? It's all good!"
-Ali Dhoon
03/03/2003, 7PM
Re: [sa-list] Re: Way to skip scanning per-user?
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 14 Dec 2006, Theo Van Dinter wrote:
> On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
> > At the moment, that's a hack in the system-wide procmailrc that I don't
> > know how to do, since the only thing procmail knows about userspace is
> > "dropprivs="yes"", and there's no translation for an easy way to equate
> > that to email address (i.e. it allows me to do it per *domain* not per
> > user, i.e. *@mydomain.com, but if a user has two domains, then I'd have to
> > do them each separately).
>
> If you're using procmail, you could look at the X-Original-To (or
> similar) header to figure out who the mail is going to.
> Otherwise, you could modify your setup to pass information in to
> procmail from the MTA.
Try looking at $LOGNAME. Procmail knows who it's delivering the
message to - it's a *delivery agent* after all.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the business of government to make men virtuous or
religious, or to preserve the fool from the consequences of his own
folly. -- Henry George
-----------------------------------------------------------------------
Tomorrow: Bill of Rights day
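Added example, not part of any post in this thread and not taken from the spamassassin.procmail file linked elsewhere in it: a system-wide procmailrc fragment that uses $LOGNAME, as suggested above, to skip the spamc call for selected local users without forking any helper program. The SA_SKIP_USERS and SA_SKIP variable names and the logins "alice" and "bob" are assumptions made for illustration.

```procmail
# /etc/procmailrc fragment (constructed example)

# Run the rest of this file as the recipient, as in the setup described
# in the thread.
DROPPRIVS=yes

# Hypothetical opt-out list: local login names separated by "|".
# Entries are used inside a regular expression, so a login containing
# "." or other metacharacters must be escaped. This assignment could
# instead live in a generated file pulled in with INCLUDERC.
SA_SKIP_USERS="alice|bob"
SA_SKIP=no

# Flag the message when the recipient's login is on the list.
#   "$"        expands variables inside the condition
#   "VAR ??"   matches against the variable, not the message
#   "^^"       anchors both ends of the value, so "bob" does not
#              also match "bobby"
:0
* $ LOGNAME ?? ^^($SA_SKIP_USERS)^^
{ SA_SKIP=yes }

# Filter through spamc only for users who are not opted out.
# spamc runs as the recipient, so spamd picks up that user's prefs.
:0 fw
* ! SA_SKIP ?? ^^yes^^
| spamc
```

Because the test runs before spamc is started, an opted-out user's mail never occupies a spamd child, which is the property asked for in the original post.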
Re: [sa-list] Re: Way to skip scanning per-user?
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
> At the moment, that's a hack in the system-wide procmailrc that I don't
> know how to do, since the only thing procmail knows about userspace is
> "dropprivs="yes"", and there's no translation for an easy way to equate
> that to email address (i.e. it allows me to do it per *domain* not per
> user, i.e. *@mydomain.com, but if a user has two domains, then I'd have to
> do them each separately).
If you're using procmail, you could look at the X-Original-To (or similar)
header to figure out who the mail is going to. Otherwise, you could modify
your setup to pass information in to procmail from the MTA.
> Presuming we're looking for the value of the "user" based on the email
> address, yes, I understand, but can't you check the value of -u before you
> even do that? (i.e. at the earliest point)
Ah, there you're talking about spamc/spamd which is a different beasty
altogether. If you want to skip checks based on how you're calling spamc, then
check the value you're going to use for the username and don't call spamc if
you don't want the mail scanned.
--
Randomly Selected Tagline:
Every man has the freedom to jump as high as his own penis.
Re: [sa-list] Re: Way to skip scanning per-user?
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 14 Dec 2006, Theo Van Dinter wrote:
> On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:
>> I'm looking for an easy way to override ALL scanning (NOT scoring) for a
>> specific user.
>
> Don't send mails for that user to SA.
At the moment, that's a hack in the system-wide procmailrc that I don't
know how to do, since the only thing procmail knows about userspace is
"dropprivs="yes"", and there's no translation for an easy way to equate
that to email address (i.e. it allows me to do it per *domain* not per
user, i.e. *@mydomain.com, but if a user has two domains, then I'd have to
do them each separately).
>> what I want instead is some special way that SA will say "nope, not even
>> testing" and "short circuit".
>
> At the moment, you can't do that.
>> This shouldn't be a difficult feature to implement at all -- I'd imagine
>> about three lines of code :)
>
> There's code in 3.2 to do it, but it's still the most efficient to just not
> call SA for mails you don't want scanned (SA will still need to do all the
> processing to start looking at the mail, until it realizes that the mail is
> whitelisted or whatever, and then stop processing).
Presuming we're looking for the value of the "user" based on the email
address, yes, I understand, but can't you check the value of -u before you
even do that? (i.e. at the earliest point)
-Dan
--
"A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum."
-No Doubt, "Different People", from "Tragic Kingdom"
Re: Way to skip scanning per-user?
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:
> I'm looking for an easy way to override ALL scanning (NOT scoring) for a
> specific user.
Don't send mails for that user to SA.
> what I want instead is some special way that SA will say "nope, not even
> testing" and "short circuit".
At the moment, you can't do that.
> This shouldn't be a difficult feature to implement at all -- I'd imagine
> about three lines of code :)
There's code in 3.2 to do it, but it's still the most efficient to just not
call SA for mails you don't want scanned (SA will still need to do all the
processing to start looking at the mail, until it realizes that the mail is
whitelisted or whatever, and then stop processing).
--
Randomly Selected Tagline:
Does killing time damage eternity?
Re: [sa-list] RE: Way to skip scanning per-user?
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 14 Dec 2006, Dan Mahoney, System Admin wrote:
> > Dan Mahoney, System Admin wrote:
> >> I'm looking for an easy way to override ALL scanning (NOT scoring)
> >> for a specific user.
>
> See my previous message. I don't see an easy macro in procmail for the
> current effective UID, nor do I know an easy way to say:
> If you can supply a snippet of code that does it, I'd love it.
http://www.impsec.org/~jhardin/antispam/spamassassin.procmail
Drop it in your /etc/procmail/ directory and INCLUDERC it from your
/etc/procmailrc file. Hack to fit.
Re: [sa-list] RE: Way to skip scanning per-user?
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 14 Dec 2006, Coffey, Neal wrote:
> Dan Mahoney, System Admin wrote:
>> I'm looking for an easy way to override ALL scanning (NOT scoring)
>> for a specific user.
>
> This needs to be done in whatever you're using to call SpamAssassin
> (postfix, exim, sendmail, etc).
>
>> This shouldn't be a difficult feature to implement at all -- I'd
>> imagine about three lines of code :)
>
> How do you handle messages with multiple recipients? Not to mention
> that the envelope "to" address(s) (who the mail is *actually* delivered
> to) don't have to match the headers that SA sees.
I said per-user, not per email address. Spamd knows which local user is
doing the calling before it ever reads the first line of the message.
With spamassassin proper (assuming SQL prefs are in play), check $< or $>
-- with spamc/spamd, it's being communicated.
> Since SA needs to be called by another program, and that program will be
> aware of all of this, that's really the place to do the exemption.
See my previous message. I don't see an easy macro in procmail for the
current effective UID, nor do I know an easy way to say:
    if (**my uid is any of these) {
    }
    else {
        call spamassassin
    }
Where as a bonus ** is generated dynamically.
If you can supply a snippet of code that does it, I'd love it. If I was
only doing scanning FOR a few select users this might make a bit more
sense, but it makes sense to me that this be a user_prefable item, as
opposed to my users asking me to edit /etc/procmailrc
-Dan
--
"SOY BOMB!"
-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.
RE: Way to skip scanning per-user?
Posted by "Coffey, Neal" <nc...@langeveld.com>.
Dan Mahoney, System Admin wrote:
> I'm looking for an easy way to override ALL scanning (NOT scoring)
> for a specific user.
This needs to be done in whatever you're using to call SpamAssassin
(postfix, exim, sendmail, etc).
> This shouldn't be a difficult feature to implement at all -- I'd
> imagine about three lines of code :)
How do you handle messages with multiple recipients? Not to mention
that the envelope "to" address(s) (who the mail is *actually* delivered
to) don't have to match the headers that SA sees.
Since SA needs to be called by another program, and that program will be
aware of all of this, that's really the place to do the exemption.
> Any ideas on how to do this?
amavisd-new is the only solution I've seen that sanely handles
multiple-recipient emails where one recipient is excluded, without
requiring a large amount of work or awkward mail path configurations.