5. Testing that DSPAM is working correctly
Send any test message; if the mail headers contain entries like the following, DSPAM is processing mail normally:
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Tue Mar 31 23:10:45 2009
X-DSPAM-Confidence: 0.9899
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 6,49d2327561612102913816
X-DSPAM-Factors: 27,
Received*mail.fanzhengyuan.18corp.cn+(Postfix, 0.01000,
Content-Type*charset="us, 0.01000,
Content-Type*charset="us, 0.01000,
equiv=Content+Type, 0.01000,
Date*Apr, 0.01000,
size=2> , 0.01000,
HEIGHT, 0.01000,
Received*Tue, 0.01000,
Return-Path*<user01, 0.01000,
Received*by+fanzhengyuan.18corp.cn), 0.01000,
X-mailer*103, 0.01000,
Received*fanzhengyuan.18corp.cn)+with, 0.01000,
Return-Path*<user01+fanzhengyuan.18corp.cn>, 0.01000,
Received*ESMTP, 0.01000,
SIZE=2>, 0.01000,
Received*(Postfix, 0.01000,
Received*31, 0.01000,
message, 0.01000,
From*"user01+fanzhengyuan.18corp.cn", 0.01000,
Date*Fri, 0.01000,
Subject*dspam, 0.01000,
Date*0800, 0.01000,
align=left+SIZE=2>, 0.01000,
style="WIDTH, 0.01000,
0px+margin, 0.01000,
0px+margin, 0.01000,
<META+content="MSHTML, 0.01000
Mail sent through port 25 shows the DSPAM headers, while mail sent through port 10026 shows no filtering information. Note that sending through port 10026 only works from the mail server itself; from anywhere else the security rules deny the connection.
Reminder: mail sent through webmail does not pass through DSPAM filtering.
6. Testing ClamAV
First enable scanning of mail in /etc/clamav.conf by setting ScanMail yes and restart clamav. Then use a mail client to send the server a message carrying a virus test string (a file attachment containing the EICAR test string, see http://www.eicar.org/anti_virus_test_file.htm). The string below makes the virus scanner identify the message as infected without attaching a real virus:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The current settings in /usr/local/dspam/etc/dspam.conf are:
# ClamAVResponse: // what to do with a message ClamAV flags:
# reject (reject or drop the message with a permanent failure) // reject or drop it, returning a permanent error
# accept (accept the message and quietly drop the message) // accept it and silently discard it
# spam (treat as spam and quarantine/tag/whatever) // treat it as spam: quarantine, tag, and so on
#
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse spam
If no virus is found during scanning, nothing is logged.
If a virus is found, the message is deleted outright; clamav writes a log entry and gives no other feedback. /var/log/clamav/clamd.log shows a record like:
Mon May 25 18:15:01 2009 -> stream 2015: Eicar-Test-Signature FOUND
If the clamd scanning daemon stops, sending and receiving mail are not affected, but the current login terminal shows a message like:
3143: [05/25/2009 18:36:05] Connection to 127.0.0.1:3310 failed: Connection refused
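A quick reachability check for the clamd that dspam.conf points at (ClamAVHost 127.0.0.1, ClamAVPort 3310), added here as an illustration rather than code from the page or from DSPAM. It speaks clamd's zINSTREAM protocol (an assumption about how to drive the daemon, not a claim about how DSPAM does it), parses the verdict, and reports a stopped clamd as the same "Connection refused" condition shown above instead of raising a traceback.

```python
import socket
import struct

# EICAR test string as quoted on the page (harmless by design); used here as sample input
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk: int = 4096) -> bytes:
    """Frame data for clamd's zINSTREAM command: NUL-terminated command name,
    then big-endian uint32 length-prefixed chunks, ended by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(reply: bytes):
    """Map clamd's reply to (status, detail): 'stream: Eicar-Test-Signature FOUND'
    becomes ('FOUND', 'Eicar-Test-Signature'); 'stream: OK' becomes ('OK', None)."""
    text = reply.rstrip(b"\0\n").decode("ascii", errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict == "OK":
        return "OK", None
    return "ERROR", text


def scan_stream(data: bytes, host: str = "127.0.0.1", port: int = 3310, timeout: float = 10.0):
    """Submit data to clamd at the ClamAVHost/ClamAVPort values used in dspam.conf.
    A stopped clamd is reported as ('UNAVAILABLE', ...) rather than raised as an exception."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(instream_frames(data))
            reply = b""
            while not reply.endswith(b"\0"):  # z-commands end the reply with a NUL byte
                buf = sock.recv(4096)
                if not buf:
                    break
                reply += buf
    except ConnectionRefusedError:
        return "UNAVAILABLE", f"Connection to {host}:{port} failed: Connection refused"
    return parse_reply(reply)


if __name__ == "__main__":
    print(scan_stream(EICAR))  # ('FOUND', 'Eicar-Test-Signature') when clamd is running
```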
7. Configuring maildrop to sort mail by tag
Postfix hands the mail that DSPAM has scored and tagged to maildrop, which uses the tag to choose the delivery folder: normal mail goes to the inbox ($HOME/Maildir/.), spam to the junk folder ($HOME/Maildir/.Junk/.)
#vi /etc/maildroprc
with the following contents:
#/etc/maildroprc
# Decoder for high quality key word filtering
# Author: hzqbbc <hzqbbc@hzqbbc.com> - ExtMail Dev Team
DECODER="/var/www/extsuite/extmail/tools/decode -v"

# Flag bounces (From/Sender/Return-Path of MAILER-DAEMON)
if ((/^(From|Sender|Return-Path):.*MAILER\-DAEMON/))
{
    BADSENDER=1
}

# Auto deliver to Junk mailbox support if there is no custom
# mailfilter, need test command and correct PATH env
`test -f $HOME/.mailfilter && exit 1 || exit 0`

# No customize filtering rules
if ( $RETURNCODE == 0 )
{
    # X-Spam-Flag is SpamAssassin's tag; X-DSPAM-Result is dspam's verdict (Spam or Virus)
    if (/^X-Spam-Flag:.*YES/ || /^X-DSPAM-Result:.*Spam/ || /^X-DSPAM-Result:.*Virus/)
    {
        exception {
            to "$HOME/Maildir/.Junk/."
        }
    }
}
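To see how sections 5 and 7 fit together, the following added example (not code from the page, DSPAM or ExtMail) parses the X-DSPAM-* headers of a message, including the folded X-DSPAM-Factors list, and applies the same Junk-versus-inbox test as /etc/maildroprc. The sample message is constructed to look like the headers in section 5.

```python
import email
import re

# Constructed sample in the shape of the section 5 headers (not a real capture)
SAMPLE_INNOCENT = """\
Return-Path: <user01@example.test>
X-DSPAM-Result: Innocent
X-DSPAM-Confidence: 0.9899
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 6,49d2327561612102913816
X-DSPAM-Factors: 3,
\tReceived*ESMTP, 0.01000,
\tContent-Type*charset="us, 0.01000,
\tFrom*"user01+example.test", 0.01000
Subject: dspam

test body
"""


def parse_dspam_headers(raw: str) -> dict:
    """Collect the X-DSPAM-* headers and unfold X-DSPAM-Factors into (token, weight) pairs."""
    msg = email.message_from_string(raw)  # default compat32 policy keeps the folded lines
    info = {
        "result": msg.get("X-DSPAM-Result"),
        "confidence": float(msg.get("X-DSPAM-Confidence", "nan")),
        "probability": float(msg.get("X-DSPAM-Probability", "nan")),
        "signature": msg.get("X-DSPAM-Signature"),
        "factors": [],
        "factors_complete": False,
    }
    factors = msg.get("X-DSPAM-Factors")
    if factors:
        lines = [line.strip() for line in factors.splitlines() if line.strip()]
        declared = int(lines[0].rstrip(","))  # first line is the factor count, e.g. "27,"
        for line in lines[1:]:
            token, _, weight = line.rstrip(",").rpartition(",")  # tokens may contain commas
            info["factors"].append((token.strip(), float(weight)))
        info["factors_complete"] = declared == len(info["factors"])
    return info


def maildrop_folder(raw: str) -> str:
    """Apply the /etc/maildroprc test: Junk for X-Spam-Flag YES or a DSPAM Spam/Virus verdict."""
    msg = email.message_from_string(raw)
    junk = re.search(r"YES", msg.get("X-Spam-Flag", "")) or \
        re.search(r"Spam|Virus", msg.get("X-DSPAM-Result", ""))
    return "$HOME/Maildir/.Junk/." if junk else "$HOME/Maildir/."
```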
8. Training
For example, given a spam sample spam01.eml, it can be trained like this:
cat spam01.eml | /usr/local/bin/dspam --mode=teft --source=corpus --class=spam --feature=noise --user dspam
# --source=corpus is the counterpart of --source=error (corpus: a sample dspam has not seen; error: retraining a misclassified message)
# --class=spam trains spam recognition; to train non-spam recognition use --class=innocent
# --user dspam is the user being trained; dspam creates it automatically.
dspam also provides a command for training mail in batches:
dspam_train [username] [spam_dir] [nonspam_dir]
username is the user to train; spam_dir and nonspam_dir are the directories holding spam and non-spam mail, one message per file.
For example:
# cd /usr/local/dspam/bin
# ./dspam_train dspam /home/spam /home/nonspam
Note:
A training corpus can be downloaded from http://www.ccert.edu.cn/spam/sa/2005-Jun.tar.gz.
dspam_train spam spam/ ham/    # argument order is dspam_train username spam_dir ham_dir
My training results: if a message fails during training, just delete it and train again.
Change the permissions of the training result directory:
chown -Rf dspam:dspam /usr/local/dspam/var/dspam/data/local/
9. Configuring the DSPAM Web Control interface
DSPAM Web Control lets DSPAM users set personal preferences, view the log of classified messages, and retrain messages that were classified incorrectly.
Users log in through Apache HTTP Auth, so the DSPAM users must be added to the AuthUserFile. (Option 1 described earlier causes serious problems here.)
From the unpacked DSPAM source directory, copy base.css and dspam-logo-small.gif to Apache's dspam directory:
#mkdir /var/www/extsuite/dspam
#cp -Rf webui/cgi-bin/* /var/www/extsuite/dspam
#cp webui/htdocs/base.css /var/www/extsuite/dspam
#cp webui/htdocs/dspam-logo-small.gif /var/www/extsuite/dspam
The files must be owned by the web administration identity:
#chown -Rf dspam:dspam /var/www/extsuite/dspam
Change the access permissions of the webui; note that without this change the UI may be inaccessible, which the log file will show:
#chmod -Rf 755 /var/www/extsuite/dspam
Extend the Apache configuration so that it includes the dspam configuration file, by appending to the last line of:
#vi /etc/httpd/conf/httpd.conf
NameVirtualHost *:81
Include conf/81_*.conf
Create the dspam virtual host configuration file:
#vi /etc/httpd/conf/81_dspam.conf
Listen 81
<VirtualHost *:81>
ServerName mail.fanzhengyuan.18corp.cn
DocumentRoot /var/www/extsuite/dspam
SuexecUserGroup dspam dspam
ErrorLog /usr/local/dspam/log/dspam_error.log
CustomLog /usr/local/dspam/log/dspam_access.log common
<Directory "/var/www/extsuite/dspam/">
DirectoryIndex dspam.cgi
Options ExecCGI
Options -Indexes
AddHandler cgi-script cgi pl
Order deny,allow
Allow from all
AuthType Basic
AuthName "DSPAM Control Center"
AuthUserFile /var/www/extsuite/dspam/htpasswd
Require valid-user
</Directory>
</VirtualHost>
Set the interface administrator in /var/www/extsuite/dspam/admins to dspam:
echo "dspam" > admins
Create the authentication user dspam and its password (as mentioned above, the auth file for logging in to DSPAM Web Control is htpasswd). Because this file sits under DocumentRoot and its name lacks the leading dot that Apache's default .ht* rule protects, make sure the web server does not serve it:
htpasswd -c /var/www/extsuite/dspam/htpasswd dspam
Edit /var/www/extsuite/dspam/configure.pl:
# dspam installation directories
$CONFIG{'DSPAM_HOME'} = "/usr/local/dspam/var/dspam";
$CONFIG{'DSPAM_BIN'} = "/usr/local/dspam/bin";
# the domain the filter serves
# Add customized settings below
$CONFIG{'LOCAL_DOMAIN'} = "fanzhengyuan.18corp.cn";
# set the next two according to the compile-time options
#$CONFIG{'LARGE_SCALE'} = 0;
$CONFIG{'DOMAIN_SCALE'} = 1;
If dspam_webui does not display, check the Apache error log:
/var/log/httpd/error.log
File does not exist: # directory permission problem
Premature end of script headers: # webui directory ownership problem
The Performance page of the DSPAM webui shows the address for forwarding spam reports as spam-<address> by default. To drop the "spam-" prefix, edit line 32 of /var/www/extsuite/dspam/templates/nav_performance.html.
change:
<strong>spam-$REMOTE_USER$@yourdomain.com</strong>
to:
<strong>$REMOTE_USER$@yourdomain.com</strong>
After the change it shows:
If you receive a message in your e-mail application that was not caught by the filter, please forward it to dspam@fanzhengyuan.18corp.cn so that it can be analyzed and learned as SPAM. This will improve the filter's accuracy in the future.
Reporting mistakes
________________________________________
Note: If you are using Maildirs and IMAP, a nice alternative way to retrain DSPAM is described here. With that setup you also do not need any signatures in the message bodies.
________________________________________
Users need a way to report spam that gets through, in order to better train Dspam. The Dspam README suggests creating a "spam" user users can mail, inserting their username into the address somehow, such as `"spam-neale@example.org"`. I just know my users are going to be confused by this, though. Far simpler would be to tell them to forward all their spam to `"spam@example.org"`.
The Dspam README suggests using `/etc/aliases` for this task. I don't like that suggestion, since Postfix will run commands specified there as nobody, and that would require setuid executables somewhere. Instead, I created a new `dspam-retrain` transport which, like the `dspam` transport, is run as the `dspam` user by Postfix. The DspamRetrainScript is described on its own page, since it can be used with other MDAs.
`/etc/postfix/master.cf`
dspam-retrain unix - n n - 10 pipe
flags=Ru user=dspam argv=/usr/local/bin/dspam-retrain $nexthop $sender $recipient
I use Postfix's transport mechanism to specify that mail to `spam@example.com` and `ham@example.com` should be routed through the `dspam-retrain` transport. With Postfix after 2.0, this will also get `spam+username@example.com` like it says in the README (or `spam-username@example.com`, depending on the value of `recipient_delimiter`).
`/etc/postfix/transport`
spam@example.com dspam-retrain:spam
ham@example.com dspam-retrain:innocent
The part after the colon is the `${nexthop}` specified in the new transport command above.
Now, to tell Postfix to use the transport. We also need to tell it to look in the transport file when deciding whether or not to allow mail to a certain address, and we set the `recipient_delimiter` to dash (-) to allow things like `spam-user@example.com`:
`/etc/postfix/main.cf`
transport_maps = hash:/etc/postfix/transport
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $transport_maps
recipient_delimiter = -
`dspam-retrain` is described in DspamRetrainScript.
Finally, `/usr/local/bin/dspam-retrain` is a shell script I created. Since this is run as the `dspam` user for us by Postfix, there's no need for any Unix permissions magic.
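A pipe-transport script in the shape the `master.cf` entry above expects, written here as an added illustration; it is not the DspamRetrainScript the text refers to. It assumes `recipient_delimiter = -`, the `/usr/local/bin/dspam` path used in section 8, and that the forwarded message still carries its DSPAM signature so that `--source=error` can find it.

```python
import re
import subprocess
import sys

RECIPIENT_DELIMITER = "-"            # recipient_delimiter = - from main.cf above
DSPAM_BIN = "/usr/local/bin/dspam"   # assumed path, as used in the training commands of section 8
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")


def resolve_retrain(nexthop: str, sender: str, recipient: str):
    """Map the transport's $nexthop, $sender, $recipient to (dspam_user, dspam_class).

    spam@example.com        -> the forwarding sender's local part is the user
    spam-neale@example.com  -> the extension after the delimiter ('neale') is the user
    $nexthop is the 'spam' / 'innocent' --class value set in the transport map."""
    if nexthop not in ("spam", "innocent"):
        raise ValueError(f"unexpected nexthop {nexthop!r}")
    local_part = recipient.partition("@")[0]
    _, sep, extension = local_part.partition(RECIPIENT_DELIMITER)
    # The envelope sender is not authenticated, so this mapping is only as trustworthy as
    # the submission path that reaches the transport; the user name is validated before use.
    user = extension if sep else sender.partition("@")[0]
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"refusing to retrain user {user!r}")
    return user, nexthop


def dspam_argv(nexthop: str, sender: str, recipient: str):
    """Build the retraining command as an argv list (no shell), in the form used in section 8."""
    user, klass = resolve_retrain(nexthop, sender, recipient)
    return [DSPAM_BIN, f"--class={klass}", "--source=error", "--user", user]


def main(argv):
    """Pipe transport entry point: stdin is the forwarded message, argv carries the three fields."""
    if len(argv) != 4:
        sys.stderr.write("usage: dspam-retrain nexthop sender recipient < message\n")
        return 64  # EX_USAGE
    try:
        cmd = dspam_argv(*argv[1:])
    except ValueError as exc:
        sys.stderr.write(f"dspam-retrain: {exc}\n")
        return 67  # EX_NOUSER: Postfix bounces the report instead of retrying it
    return subprocess.run(cmd, stdin=sys.stdin.buffer).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```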
Install the graphing components:
. GD
. GD-Graph3d
. GDGraph
. GDTextUtil
. CGI
Typically this can be accomplished on the commandline:
#perl -MCPAN -e 'install GD::Text'    # GD::Text is the module shipped in the GDTextUtil distribution
#perl -MCPAN -e 'install GD::Graph3d'
#perl -MCPAN -e 'install GD::Graph'
#perl -MCPAN -e 'install GD'
#perl -MCPAN -e 'install CGI'
Installing the graphing components first initializes the cpan program; accept the defaults by pressing Enter.
For the continent, choose "(2) Asia":
Now we need to know where your favorite CPAN sites are located. Push a few sites onto the array (just in case the first on the array won't work). If you are mirroring CPAN to your local workstation, specify a file: URL.
First, pick a nearby continent and country (you can pick several of each, separated by spaces, or none if you just want to keep your existing selections). Then, you will be presented with a list of URLs of CPAN mirrors in the countries you selected, along with previously selected URLs. Select some of those URLs, or just keep the old list. Finally, you will be prompted for any extra URLs -- file:, ftp:, or http: -- that host a CPAN mirror.
(1) Africa
(2) Asia
(3) Central America
(4) Europe
(5) North America
(6) Oceania
(7) South America
Select your continent (or several nearby continents) []2
For the country, choose "(1) China":
Sorry! since you don't have any existing picks, you must make a geographic selection.
(1) China
(2) Hong Kong
(3) Indonesia
(4) Israel
(5) Japan
(6) Republic of Korea
(7) Russia
(8) Singapore
(9) Taiwan
(10) Thailand
(11) Turkey
(12) Viet Nam
Select your country (or several nearby countries) [] 1
For the mirror, choose "(1) ftp://www.perl87.cn/CPAN/":
Sorry! since you don't have any existing picks, you must make a geographic selection.
(1) ftp://www.perl87.cn/CPAN/
(2) http://mirrors.xueron.com/CPAN/
Select as many URLs as you like (by number),
put them on one line, separated by blanks, e.g. '1 4 5' [] 1
Install the Perl modules with the default options (by default the related files are placed under /root/.cpan/; if an installation fails, delete that directory and start the installation again).
Open http://192.168.0.99:81/dspam.cgi and log in with the username and password.
The Performance page corresponds to the file /usr/local/dspam/var/dspam/data/local/dspam/dspam.stats, currently mode 660, owner dspam:dspam
If you receive a message in your e-mail application that was not caught by the filter, please forward it to dspam@fanzhengyuan.18corp.cn so that it can be analyzed and learned as SPAM. This will improve the filter's accuracy in the future.
This page lets you configure how the filter will handle your messages.
Alerts correspond to the file /usr/local/dspam/var/dspam/data/local/dspam/dspam.alerts, currently mode 644, owner dspam:dspam
Alerts will help you locate messages in the Quarantine list. If the text of the alert is found in a message, its row will be highlighted, helping you to identify messages that might not be SPAM.
The messages below have not been been delivered to your normal e-mail application because they are believed to be spam. Click on the Subject line to view the message or choose a sort option to change how messages are sorted. Use the checkboxes and Deliver Checked to deliver messages you want to read, or use Delete All to empty the quarantine.
Graphs showing the number of messages that have been processed are shown below.
The messages that have been processed by the filter are shown below. The most recent messages are shown first. Use the retrain options to correct errors and deliver any false positives that are still in your quarantine
The following graphs and tables summarize the processing done by the filter.
User Statistics corresponds to the directory /usr/local/dspam/var/dspam/, currently mode 755, owner dspam:dspam
The following table shows the number of messages processed for each user along with their current preference settings.
This page lets you edit the preferences for any user. You can also edit DSPAM's default preferences by leaving the input field empty.
The default Subject tag for spam and virus mail is [SPAM]. To change it, open the webui, go to Administrative Suite > Control Center, tick "Tag the Subject header with", enter the custom tag, and click Submit Changes; spam and virus mail received from then on carries the custom tag in its Subject.
If Chinese subjects appear garbled, set AddDefaultCharset GB2312 in httpd.conf.
If DSPAM uses the Hash-db backend, clean up stale data with a cron job:
0 0 * * * /usr/local/dspam/bin/dspam_clean [options]
If training spam produces the following errors:
dspam[2380]: Signature retrieval for '2,457582a423802003310769' failed
dspam[2380]: Unable to find a valid signature. Aborting.
dspam[2380]: process_message returned error -5. dropping message.
enable the following three options:
ParseToHeaders on
ChangeModeOnParse on
ChangeUserOnParse on
MySQLUIDInSignature on // this one must be enabled
If the webui misbehaves, check Apache's error log; it contains hints, and the cause is usually permissions. :)
The problem may be access permissions: place an .htm file in the directory and try to request it; if only the CGI files fail, check the access settings.
In my case the problem was the owner and group of /usr/local/dspam/var/
Fix: chown -Rf dspam:dspam /usr/local/dspam/var/
Automatic whitelist
DSPAM tracks the complete "From:" line; if the same From: has produced 10 (tunable) innocent messages and 0 spam, that entry is whitelisted. As soon as a user reports spam from that entry, the whitelist entry is removed.
Enabling the whitelist
dspam.conf
or command-line parameters:
Feature whitelist
Feature tb=10
Recommended.