HowtoForge

The Perfect SpamSnake - Ubuntu Jeos 12.04 LTS Precise Pangolin - Page 3

8. Baruwa

Make sure links are correct for MailScanner:

ln -s /opt/MailScanner/etc /etc/MailScanner
ln -s /opt/MailScanner/lib/MailScanner/CustomFunctions /etc/MailScanner

Install and configure Rabbitmq-Server:

vi/etc/apt/sources.list

and add the following:

deb http://www.rabbitmq.com/debian/ testing main

Update sources and install key:

wget http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
apt-key add rabbitmq-signing-key-public.asc
apt-get update

Install rabbitmq-server:

apt-get install rabbitmq-server -y

Add the database credentials:

rabbitmqctl add_user baruwa password
rabbitmqctl add_vhost baruwa
rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"
rabbitmqctl delete_user guest

Restart rabbitmq-server:

/etc/init.d/rabbitmq-server restart

Add sources for Baruwa 1.1.2-4 and install dependencies:

wget -O - http://apt.baruwa.org/baruwa-apt-keys.gpg | apt-key add -
vi /etc/apt/sources.list

and add the following:

#baruwa
 deb http://apt.baruwa.org/ubuntu precise main

Install Dependencies:

apt-get update
apt-get install python-django-celery python-importlib -y

Download and install Baruwa1.1.2-4sn:

mkdir /usr/src/baruwa1124 && cd /usr/src/baruwa1124
wget https://docs.google.com/uc?id=0B9cN15Q3pKnwLW1WNG9rN0dQNzg&export=download&hl=en && mv 0B9cN15Q3pKnwLW1WNG9rN0dQNzg baruwa_1.1.2-4sn_all.deb
wget https://docs.google.com/uc?id=0B9cN15Q3pKnwMHFUMFhWMW4ycU0&export=download&hl=en && mv 0B9cN15Q3pKnwMHFUMFhWMW4ycU0 baruwa-doc_1.1.2-4sn_all.deb
gdebi baruwa_1.1.2-4sn_all.deb
gdebi baruwa-doc_1.1.2-4sn_all.deb

You'll be prompted with the following, answer according to your setup:

Webserver to configure manually
Virtual Host name
Choose whether to configure mysql automatically
My Host
Database administrator name/password
Baruwa username/password/dbname
RabbitMQ host/username/password
Admin user/password/email for Baruwa Web

Fix the symlinks for settings.py:

rm –r /usr/share/pyshared/baruwa/settings.py && ln –s /etc/baruwa/settings.py /usr/share/pyshared/baruwa/
vi /etc/baruwa/settings.py

and fix the baruwa database configuration:

DATABASES = {
    'default': {
        # Add 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3'
        # or 'oracle'.
        'ENGINE': 'django.db.backends.mysql',
        # Or path to database file if using sqlite3.
        'NAME': 'baruwa',
        # Not used with sqlite3.
        'USER': 'baruwa',
        # Not used with sqlite3.
        'PASSWORD': 'password',
        # Set to empty string for localhost. Not used with sqlite3.
        'HOST': '',
        # Set to empty string for default. Not used with sqlite3.
        'PORT': '',
    }
}
 
QUARANTINE_REPORT_HOSTURL = 'http://baruwa-alpha.local'

Populate the database:

# baruwa-admin syncdb --noinput
# for name in $(echo "accounts messages lists reports status fixups config"); do
baruwa-admin migrate $name;
done

vi /etc/MailScanner/MailScanner.conf

change the following:

Run As Group = celeryd
Quarantine User = celeryd
Quarantine Group = celeryd
Always Looked Up Last = &BaruwaSQL
Is Definitely Not Spam = &BaruwaWhitelist
Is Definitely Spam = &BaruwaBlacklist
Required SpamAssassin Score = &BaruwaLowScore
High SpamAssassin Score = &BaruwaHighScore
vi /etc/MailScanner/conf.d/baruwa.conf

and update the following:

Quarantine User = celeryd #(Or what ever your `Run As User` is set to)
DB DSN = DBI:mysql:database=baruwa;host=localhost;port=3306 #set to valid DSN
DB Username = baruwa # your DB username
DB Password = password # your DB password
vi /etc/init.d/mailscanner

and update it changing the following:

CONFFILE=/etc/MailScanner/MailScanner.conf
PIDFILE=/var/run/MailScanner/MailScanner.pid
check_dir /var/spool/MailScanner ${user:-postfix} ${group:-celeryd}
check_dir /var/lib/MailScanner ${user:-postfix} ${group:-celeryd}
check_dir /var/run/MailScanner ${user:-postfix} ${group:-celeryd}
check_dir /var/lock/subsys/MailScanner ${user:-postfix} ${group:-celeryd}
start-stop-daemon --start --quiet --startas $STARTAS  --pidfile "$PIDFILE" --test > /dev/null \
start-stop-daemon --start --quiet --nicelevel $run_nice --chuid postfix:celeryd --exec $DAEMON  --pidfile "$PIDFILE" -- $DAEMON_ARGS \
start-stop-daemon --stop --retry=TERM/30 --pidfile "$PIDFILE"
start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE"

Add celeryd user to clamav group:

usermod -a -G celeryd clamav

Change the group ownership of the quarantine folder and content:

chgrp -R celeryd /var/spool/MailScanner/quarantine

If you’re going to use signatures, initialize it by running:

baruwa-admin initconfig

Otherwise, disable the options in /etc/MailScanner/conf.d/baruwa.conf:

#Inline HTML Signature = htmlsigs.customize
#Inline Text Signature = textsigs.customize
#Signature Image Filename = sigimgfiles.customize
#Signature Image Filename = sigimgs.customize

Finally, run to create the Baruwa super user:

baruwa-admin createsuperuser

Reboot your system and enjoy Baruwa 112-4sn.

 

9. Nginx with Uwsgi

Install nginx and uwsgi:

apt-get install nginx-full uwsgi uwsgi-plugin-python -y
vi /etc/uwsgi/apps-available/baruwa.ini

with the following content:

[uwsgi]
workers = 2
chdir = /usr/share/pyshared/baruwa
env = DJANGO_SETTINGS_MODULE=baruwa.settings
module = django.core.handlers.wsgi:WSGIHandler()
vi /etc/nginx/sites-available/baruwa.conf

with the following content:

server {
listen 80;
server_name example.com;
root /usr/share/pyshared/baruwa;
autoindex on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /static {
    root /usr/share/pyshared/baruwa/static/;
    }
    # static resources
    location ~* ^.+\.(html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$
    {
      expires 30d;
      break;
    }
location / {
    uwsgi_pass unix:///var/run/uwsgi/app/baruwa/socket;
    include uwsgi_params;
    }
}

*Note: Make sure to change example.com to a FQDN that matches your setup.

Create symlinks:

ln -s /etc/nginx/sites-available/baruwa.conf /etc/nginx/sites-enabled/baruwa.conf
ln -s /etc/uwsgi/apps-available/baruwa.ini /etc/uwsgi/apps-enabled/baruwa.ini
rm -r /etc/nginx/sites-enabled/default
cp /usr/share/doc/uwsgi-extra/nginx/uwsgi_params /etc/nginx/uwsgi_params

Restart both nginx and uwsgi:

/etc/init.d/nginx restart && /etc/init.d/uwsgi restart

Remove the default virtual host and copy over uwsgi_params:

rm -r /etc/nginx/sites-enabled/default
cp /usr/share/doc/uwsgi-extra/nginx/uwsgi_params /etc/nginx/uwsgi_params
ln -s /etc/nginx/sites-available/baruwa.conf /etc/nginx/sites-enabled/baruwa.conf
ln -s /etc/uwsgi/apps-available/baruwa.ini /etc/uwsgi/apps-enabled/baruwa.ini

Restart services:

/etc/init.d/uwsgi restart && /etc/init.d/nginx restart

Create a symlink to manage.py:

ln -s /usr/share/pyshared/baruwa/manage.py /usr/bin/manage.py
chmod +x /usr/bin/manage.py

Add cron jobs:

@daily  manage.py cleanquarantine &> /dev/null  #Clean quarantine
@daily  manage.py sendquarantinereports &> /dev/null  #Send quarantine reports
@monthly manage.py  dbclean &> /dev/null  #Clean maillog
@weekly  manage.py updatesarules &> /dev/null  #Update spamassassin rules
@daily  manage.py sendpdfreports &> /dev/null #Send PDF Reports

Start up MailScanner:

/etc/init.d/mailscanner start

*Note: Point your browser to http://hostname used login with admin user and password and start working. You can now use the interface to add users and process messages, etc.

Setup Instructions for Baruwa

Log into Baruwa as admin --> Settings --> Accounts --> Create Account

Once you've created the user account, you'll get two new tabs on that page, Profile Settings and Associated Addresses.

Fill out Profile Settings choosing Domain Admin and set a low score of 6 and a high score of 9 and check scan email.

Click the + sign under Associated Addresses and enter a domains for which the user is the admin of eg. domain.com. domain.com will show up under Associated Addresses.

Click on domain.com and you'll be taken into Domain Information, where you'll be able to setup SMTP delivery information. Go ahead and add the receiving smtp server, or the ip of the receiving smtp server. Select enable and if you use a non-standard port, set it, otherwise use 25. Once you've done that, you can click on the test button next to the pencil, to see if your receiving server will accept the connection.

Now, you can log out as admin, and log in as the user you just setup and mails should start flowing.

The relay_recipients, relay_domains and transports settings in /etc/postfix/main.cf will use the entries you've provided in Baruwa. Therefore, no hash file is required.  The associated queries in the mysql cf files will pull the result in the proper format and feed it to postfix for use.

However, if you'd like to use a hash for any of your config files, use the following as an example of how to setup /etc/postfix/main.cf:

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Of course, you would have to create the hash file(s), populate it and postmap it for postfix to use.

*Note: If you do end up using hash for relay_recipients for specific domains, you'll have to remove that domain from /etc/postfix/access.  All other domain users can still be verified using look_ahead

Also, if you need to do mx lookups, you'll have to edit /etc/postfix/mysql-transports.cf query to look like:

concat('smtp:', mail_hosts.address, ':', port) 'transport'

The [ and ] were removed to allow MX lookups.

Enjoy Baruwa!

 

10. Install and Configure SPF

Install:

apt-get install postfix-policyd-spf-python -y
vi /etc/postfix/master.cf

and add the following stanza at the end:

policy-spf  unix  -       n       n       -       -       spawn      
	user=nobody argv=/usr/bin/policyd-spf  

*Note:  (The leading spaces before user=nobody are important so that Postfix knows that this line belongs to the previous one!)

*Note: We already added the entry for main.cf using the postfix setup script.

Then restart Postfix:

/etc/init.d/postfix restart

That's it already.

 

11. Install and Configure FuzzyOcr

FuzzyOCR has some prerequisites like ocrad and gocr that we can install like this:

apt-get install fuzzyocr netpbm gifsicle libungif-bin gocr ocrad libstring-approx-perl libmldbm-sync-perl libdigest-md5-perl libdbd-mysql-perl imagemagick tesseract-ocr -y
wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.6.0.tar.gz && tar xvfz fuzzyocr-3.6.0.tar.gz && cd FuzzyOcr-3.6.0/

vi /etc/spamassassin/FuzzyOcr.cf

and uncomment the following lines:

focr_global_wordlist /etc/spamassassin/FuzzyOcr.words
focr_preprocessor_file /etc/spamassassin/FuzzyOcr.preps
focr_scanset_file /etc/spamassassin/FuzzyOcr.scansets
focr_enable_image_hashing 3
focr_digest_db /etc/spamassassin/FuzzyOcr.hashdb
focr_db_hash /etc/spamassassin/FuzzyOcr.db
focr_db_safe /etc/spamassassin/FuzzyOcr.safe.db
focr_bin_helper convert, tesseract

Comment out the path:

#focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin

Enable the following lines:

focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass fuzzyocr
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/run/mysqld/mysqld.sock

We will be storing the image hashes in a mysql database to improve on performance such that images that we have already scanned do not get scanned again as OCR is a resource intense activity.

Create MySQL Database:

The sql script creates the database for fuzzyocr:

mysql -p <  FuzzyOcr.mysql

Set up FuzzyOcr Database Cleaner:

vi /usr/sbin/fuzzy-cleanmysql

with the following content:

#!/usr/bin/perl
#Script to clean out mysql tables of data. Default is to leave data in Safe for 1 day and Hash for 10 days.
#Fuzzyocr-cleanmysql
use Getopt::Long;
use DBI;
use MLDBM qw(DB_File Storable);
my %Files = (
    db_hash => '/var/lib/fuzzyocr/FuzzyOcr.db',
    db_safe => '/var/lib/fuzzyocr/FuzzyOcr.safe.db',
    );
use DBI;
$database = "FuzzyOcr";
$hostname = "localhost";
$socket = "/var/run/mysqld/mysqld.sock";
$port = "3306";
$username = "fuzzyocr";
$password = 'password';
# defaults
my $cfgfile = "/etc/spamassassin/FuzzyOcr.cf";
my %App;
my %age;
$age{'age'} = 10*24;  # 10 days
$age{'hash'} = $age{'age'};
$age{'safe'} = 0;
my $help = 0;
my $verbose = 0;
GetOptions( \%age,
    'age=i',
    'config=s' => \$cfgfile,
    'hash=i',
    'help' => \$help,
    'safe=i',
    'verbose' => \$verbose,
);
if ($help) {
    print "Usage: fuzzy-cleanmysql [Options]\n";
    print "\n";
    print "Available options:\n";
    print "--age=i      Global age in hours to keep in db\n";
    print "--config=s   Specify location of FuzzyOcr.cf\n";
    print "             Default: /etc/spamassassin/FuzzyOcr.cf\n";
    print "--hash=i     Number of hours old to keep in Hash db\n";
    print "--safe=i     Number of hours old to keep in Safe db\n";
    print "--verbose    Show more informations\n";
    print "\n";
    exit 1;
}
# Convert hours to seconds
$age{'age'} *= 60 * 60;
$age{'hash'} *= 60 * 60;
$age{'safe'} *= 60 * 60;
$age{'safe'} = $age{'safe'} ? $age{'safe'} : $age{'age'};
# Read custom paths from FuzzyOcr.cf
my $app_path = q(/usr/local/netpbm/bin:/usr/local/bin:/usr/bin);
open CONFIG, "< $cfgfile" or warn "Can't read configuration file, using defaults...\n";
while () {
    chomp;
    if ($_ =~ m/^focr_bin_(\w+) (.+)/) {
        $App{$1} = $2;
        printf "Found custom path \"$2\" for application \"$1\"\n" if $verbose;
    }
    if ($_ =~ m/^focr_path_bin (.+)/) {
        $app_path = $1;
        printf "Found new path: \"$1\"\n" if $verbose;
    }
    if ($_ =~ m/^focr_enable_image_hashing (\d)/) {
        $App{hashing_type} = $1;
        printf "Found DB Hashing\n" if ($verbose and $1 == 2);
        printf "Found MySQL Hashing\n" if ($verbose and $1 == 3);
    }
    if ($_ =~ m/^focr_mysql_(\w+) (.+)/) {
        $MySQL{$1} = $2;
        printf "Found MySQL option $1 => '$2'\n" if $verbose;
    }
    if ($_ =~ m/^focr_threshold_max_hash (.+)/) {
        $App{max_hash} = $1;
        printf "Updated Thresold{max_hash} = $1\n" if $verbose;
    }
}
close CONFIG;
# make shure we have this threshold set
$App{max_hash} = 5 unless defined $App{max_hash};
# search path for bin_util unless already specified in configuration file
foreach my $app (@bin_utils) {
    next if defined $App{$app};
    foreach my $d (split(':',$app_path)) {
        if (-x "$d/$app") {
            $App{$app} = "$d/$app";
            last;
        }
    }
}
sub get_ddb {
    my %dopts = ( AutoCommit => 1 );
    my $dsn = "DBI:mysql:database=$database";
    if (defined $socket) {
        $dsn .= ";mysql_socket=$socket";
    } else {
        $dsn .= ";host=$hostname";
        $dns .= ";port=$port" unless $port == 3306;
    }
    printf "Connecting to: $dsn\n" if $verbose;
    return DBI->connect($dsn, $username, $password,\%dopts) or die("Could not connect!");
}
if ($App{hashing_type} == 3) {
 my $ddb = get_ddb();
  if ($ddb) {
    my $sql;
    foreach my $ff (sort keys %Files) {
      $ff =~ s/db_//;
      $sqlbase = "FROM $MySQL{$ff} WHERE $MySQL{$ff}.\`check\` < ?";
      my $timestamp = time;
      $timestamp = $timestamp - $age{$ff};
      $sql = "DELETE $sqlbase";
      if ( $verbose ) {
        printf "Delete from Table $MySQL{$ff}\n";
        print "$sql,  $timestamp\n";
        print "Timestamp is ", scalar(localtime($timestamp)), "\n";
        print "That's $age{$ff} seconds earlier than now.\n";
        print "\n";
      }
      $ddb->do($sql,undef,$timestamp);
    }
    $ddb->disconnect;
  }
}

Make it executable:

chmod +x /usr/sbin/fuzzy-cleanmysql

Add it to cron:

@weekly /usr/sbin/fuzzy-cleanmysql &> /dev/null  #FuzzyOcr DB cleaner

We can feed each of these emails to SpamAssassin now to see if FuzzyOCR is linked correctly into SpamAssassin.

spamassassin --debug FuzzyOcr < /usr/src/FuzzyOcr-3.6.0/samples/ocr-gif.eml > /dev/null

You should now see a lot of output, the end should look like this:

[...]
[10025] dbg: FuzzyOcr:
[10025] dbg: FuzzyOcr: Friday Augurt 4, 4:01 pm ET
[10025] dbg: FuzzyOcr: LAS VEGAS, NEVADA--(MARKET WIRE)--Aug 4, 2006 -- auantum Energy, lnc. (OTC
[10025] dbg: FuzzyOcr: BB:aEGY.oB-_-
[10025] dbg: FuzzyOcr: auantum Energy, lnc. is pleased to announce that it has applied to have its shares listed for
[10025] dbg: FuzzyOcr: trading on the Frankfurt Stock Exchange. The company has retained the services ofBaltic
[10025] dbg: FuzzyOcr: lnvestment Group of Hamburg, Germany to assist with the application.
[10025] dbg: FuzzyOcr:
[10025] dbg: FuzzyOcr: _ qEGY,OB "

 

12. Filtering PDF, XLS and Phishing Spam with ClamAV (Sanesecurity Signatures)

There is currently a lot of spam where the spam "information" is attached as .pdf or .xls files, sometimes also hidden inside a .zip file. While these spam mails are not easy to catch with e.g. SpamAssassin or a Bayes filter, the ClamAV virus scanner can catch them easily when it is fed with the correct signatures as ClamAV is built to scan mail attachments.

Create a folder for sanesecurity and download and give the script the proper permission:

apt-get install curl rsync -y
mkdir /usr/src/sanesecurity && cd /usr/src/sanesecurity
wget http://downloads.sourceforge.net/project/unofficial-sigs/clamav-unofficial-sigs-3.7.1.tar.gz
tar -zxf clamav-unofficial-sigs-3.7.1.tar.gz && cd clamav-unofficial-sigs-3.7.1
mv clamav-unofficial-sigs.sh /usr/sbin
mv clamav-unofficial-sigs.conf /etc/
chmod +x /usr/sbin/clamav-unofficial-sigs.sh

vi /etc/clamav-unofficial-sigs.conf

and change the following variables to match your installation:

clam_dbs="/var/lib/clamav"
clamd_pid="/var/run/clamav/clamd.pid"
reload_dbs="yes"
reload_opt="kill -USR2 `cat $clamd_pid`" #Signals PID to reload dbs
work_dir="/var/lib/clamav"
user_configuration_complete="yes"

Now we run the update script to check if the download works:

clamav-unofficial-sigs.sh

Add it to cron:

00 04 * * * /usr/sbin/clamav-unofficial-sigs.sh -c /etc/clamav-unofficial-sigs.conf &> /dev/null

 

13. Greylisting with Greyfix

Greyfix is a tiny greylisting daemon that works extremely well and is easy on resources.

Install:

cd /usr/src && wget http://www.kim-minh.com/pub/greyfix/greyfix-0.3.9.tar.gz
tar -xf greyfix-0.3.9.tar.gz && cd greyfix-0.3.9
./configure --localstatedir=/var
make
make install

vi /etc/postfix/master.cf

and add the following:

greyfix    unix  -        n       n       -        -       spawn
   user=nobody  argv=/usr/local/sbin/greyfix   --greylist-delay 60  -/ 24

*Note: We already added the entry for main.cf using the postfix setup script.

The Perfect SpamSnake - Ubuntu Jeos 12.04 LTS Precise Pangolin - Page 3