Re: popsneaker vs. bandwidth consumption [was:Re: Virus emails]

2003-09-25 Thread Jochen Voss
Hello,

On Sat, Sep 20, 2003 at 03:41:36PM +0200, Paul Seelig wrote:
 --- snip ---
 Package: popsneaker
 Status: install ok installed
 Priority: optional
 Section: mail
 Installed-Size: 159
 Maintainer: Stefan Baehre [EMAIL PROTECTED]
 Version: 0.6.2-1
 Depends: libc6 (= 2.3.2-1), libgcc1 (= 1:3.3.1-1), libstdc++5 (= 
 1:3.3.1-1), libtcp4u3, logrotate
 Recommends: fetchmail | popclient
 Conffiles:
  /etc/popsneakerrc 40cc5a1635d4bc41678d3dccc7f21e73
  /etc/logrotate.d/popsneaker af45e2150e4dc61758c7b605de491e3d
 Description: Flexible spam filter for POP3 email accounts.
  popsneaker is a flexible email filter. It can delete spam mails without
  downloading them to the local host.
 --- snip ---

I found the appended patch useful.  It implements a new
minsize N rule, which lets all mails smaller than N
bytes pass.  So you can receive your usual (smaller than
the virus) mails without risk of losing them, and filter
the large mails quite radically.

Note that the patch is only very little tested, but it
works for me.

With the patch I can use the following home-grown ruleset:

# accept all mails up to 1 bytes
minsize 1

# some white-listing here

deny ^From: .*msn\.com
deny ^From: .*msdn\.com
deny ^From: (MS |Microsoft)

deny ^Subject: (Abort|failure|error) (Advice|Announcement|Letter|Message|Notice|Report)$
deny -case ^SUBJECT: $
deny ^Subject: (current|last|new|newest) .* (update|upgrade|pack)$

minsize 5
# for large mails filter even more

deny ^Subject: (current|last|new|newest) .* patch$
deny ^Subject: internet .* (update|upgrade|pack|patch)$
deny ^Subject: I (choose|chose) life

minsize 10
# for huge mails filter even much more

deny ^Subject: $
deny ^Subject: (Advice|Announcement|Letter|Message|Notice|Report)$
deny ^Subject: (undelivered|undeliverable|returned) (mail|message)
deny ^Subject: (message|mail)( |: )(returned to sender|returned to mailer|user unknown)
deny ^Subject: bug (Advice|Announcement|Letter|Message|Notice|Report)$

I hope this helps,
Jochen
diff -ur popsneaker-0.6.2.orig/popsneaker/parser.cpp 
popsneaker-0.6.2/popsneaker/parser.cpp
--- popsneaker-0.6.2.orig/popsneaker/parser.cpp 2002-10-22 18:37:36.0 
+0200
+++ popsneaker-0.6.2/popsneaker/parser.cpp  2003-09-23 03:04:50.0 
+0200
@@ -48,6 +48,7 @@
   case t_scoreeval:   scoreeval();   break;
   case t_score:   score();   break;
   case t_maxsize: maxsize();  break;
+  case t_minsize: minsize();  break;
   case t_dupcheck:dupcheck();break;
   case t_semicolon:
   case t_nl:  eoc(); break;
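Review bot: the new case t_minsize in the token switch depends on a t_minsize token, but none of the visible lines add it to the scanner's token list or keyword table. Include that change alongside this one (next to wherever maxsize is recognised) so the dispatch compiles and the minsize keyword is actually scanned.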
@@ -351,6 +352,28 @@
eoc();
 }
 
+void Parser::minsize(void){
+   Rule* rule = new Rule;
+   chkptr(rule);
+
+   scanner.nextToken();
+
+   while(scanner.getToken() == t_dash) {
+   roption(rule);
+   }
+
+   if(scanner.getToken() == t_numeric) {
+   rule-set_minsize(scanner.getNumeric());
+   } else {
+   parse_error(size expected);
+   }
+
+   rp.add(rule);
+
+   scanner.nextToken();
+   eoc();
+}
+
 void Parser::dupcheck(void){
int mode = DUP_MODE_STRICT;
 
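Review bot: in Parser::minsize(), rp.add(rule) sits after the if/else, so if the token is not numeric and parse_error() returns, a Rule on which set_minsize() was never called is still added to the rule list. Move rp.add(rule) into the t_numeric branch and free the rule on the error path. The roption() loop also accepts rule options in front of the number; either drop the loop or document which options have any meaning for a size threshold.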
diff -ur popsneaker-0.6.2.orig/popsneaker/parser.h 
popsneaker-0.6.2/popsneaker/parser.h
--- popsneaker-0.6.2.orig/popsneaker/parser.h   2002-10-22 18:37:36.0 
+0200
+++ popsneaker-0.6.2/popsneaker/parser.h2003-09-23 02:38:18.0 
+0200
@@ -67,6 +67,7 @@
   void scorereset(void);
   void soption(Rule*);
   void maxsize(void);
+  void minsize(void);
   void eoc(void);
   void dupcheck(void);
   int  doption(void);
diff -ur popsneaker-0.6.2.orig/popsneaker/rule.cpp 
popsneaker-0.6.2/popsneaker/rule.cpp
--- popsneaker-0.6.2.orig/popsneaker/rule.cpp   2002-10-22 18:38:31.0 
+0200
+++ popsneaker-0.6.2/popsneaker/rule.cpp2003-09-23 02:40:30.0 
+0200
@@ -46,6 +46,13 @@
 }
 
 
+/** Setup a minsize rule */
+void Rule::set_minsize(unsigned long size){
+   type = RT_MINSIZE;
+   minsize = size;
+}
+
+
 /** Setup an accept rule */
 void Rule::set_accept(const char* expr){
type = RT_ACCEPT;
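Review bot: the doc comment on Rule::set_minsize() does not state the unit of size. applyMinsize() divides the value by 1024.0 to print KB, so it is bytes; say so in this comment and in the user documentation for the minsize keyword. The RT_MINSIZE constant and the minsize member assigned here are not declared anywhere in the visible lines, so the matching header change needs to be part of the patch as well.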
@@ -133,6 +140,10 @@
 action = applyMaxsize(header);
 break;
 
+  case RT_MINSIZE:
+action = applyMinsize(header);
+break;
+
   case RT_SCORE:
 action = applyScore(header);
 break;
@@ -245,6 +256,20 @@
 }
 
 
+/** Apply the minsize rule on a mailheader */
+mailaction Rule::applyMinsize(MailHeader* header){
+  if(header-size = minsize) {
+char buffer[64];
+sprintf(buffer, mail (%10.2fKB) is smaller than %10.2fKB, \
+   header-size / 1024.0, minsize / 1024.0);
+header-reason = buffer;
+return MA_KEEP;
+  } else {
+return MA_NONE;
+  }
+}
+
+
 /** Apply the regular expression on a mailheader */
 bool Rule::applyRE(MailHeader* header){
   
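Review bot: applyMinsize() formats into char buffer[64] with sprintf(), and %10.2f is a minimum field width, not a limit. The fixed text plus two 10-character fields already takes 49 bytes including the terminator, so the two numbers can grow by only a few digits between them before the write runs past the buffer, and minsize comes straight from the configuration file as an unsigned long. Use snprintf(buffer, sizeof buffer, ...) here, or build the reason text with a string stream instead of a fixed array.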

Re: popsneaker vs. bandwidth consumption

2003-09-24 Thread Joerg Jaspert
Paul Seelig [EMAIL PROTECTED] writes:

 Of those packages in the archive, mailfilter is the best IMHO. However, I 
 ended up *not* using it because it doesn't support ANDing of conditions 
 AFAICT (size  100k AND header spelling SUBJECT:).
 Then maybe you should have a look at popsneaker. With popsneaker you
 can filter your mail by assigning scores. Here's the relevant portion
 of /usr/share/doc/popsneaker/index-3.html:

Naa, mailfilter can use scores too. (The one in unstable and testing,
not in stable, that's too old.)
(See man 5 mailfilterrc for details :) ).

Ah, and a fast fix for the actual worm is to set MAXSIZE_ALLOW to
something smaller than 140k.

 popsneaker is Free Software (GPL'ed) according to the DFSG and is
 freely available at http://www.ixtools.de/popsneaker.

Package it and ask -mentors for a sponsor.

-- 
bye Joerg
maxx Aqua, just do man brain
Aquariophile maxx: already tried, that doesn't exist




Re: popsneaker vs. bandwidth consumption

2003-09-24 Thread Joerg Jaspert
Joerg Jaspert [EMAIL PROTECTED] writes:

 Ah, and a fast fix for the actual worm is to set MAXSIZE_ALLOW to
 something smaller than 140k.

Erm. It's MAXSIZE_DENY for this, except one defines the virus senders
with some ALLOW rule before. Brrr. :)

-- 
bye Joerg
2.5 million B.C.: OOG the Open Source Caveman develops the axe and
releases it under the GPL. The axe quickly gains popularity as a means
of crushing moderators heads.




Re: popsneaker vs. bandwidth consumption

2003-09-22 Thread Paul Seelig
[EMAIL PROTECTED] (Richard Atterer) writes:

 Of those packages in the archive, mailfilter is the best IMHO. However, I 
 ended up *not* using it because it doesn't support ANDing of conditions 
 AFAICT (size  100k AND header spelling SUBJECT:).
 
Then maybe you should have a look at popsneaker. With popsneaker you
can filter your mail by assigning scores. Here's the relevant portion
of /usr/share/doc/popsneaker/index-3.html:

--- snip ---
The score filter rule changes the current score of a message by a given value
if the rule matches.

score -10 ^subject: .*for free


The score_reset instruction sets the score value back to 0. This can be
useful, if you have more than one block of independent score rules.

And the score_eval instruction makes a decision based upon the score value.
The condition is set via options, possible settings are:

-lt value  True if the score is less than value.
-le value  True if the score is less or equal value.
-gt value  True if the score is greater than value.
-ge value  True if the score is greater or equal value.
 

A short example:

score_reset
score +10 ^References: .*mydomain\.net
score +10 ^In-Reply-To: .*mydomain\.net
score -5  ^Content-Type: text/html
score -5  ^Message-ID: [EMAIL PROTECTED]
score -10 ^(to|cc): .*,.*,.*,.*,.*,
score_eval -gt 0 accept
score_eval -lt 0 deny

score_reset
score -10 -case ^Subject: .*FREE
score -10 -case ^Subject: .*BUY
score -10 -case ^Subject: .*CASH
score -5  -case ^Subject: .*free
score -5  -case ^Subject: .*buy
score -5  -case ^Subject: .*cash
score_eval -lt 5 deny
--- snip ---

popsneaker is Free Software (GPL'ed) according to the DFSG and is
freely available at http://www.ixtools.de/popsneaker.
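
The first score block from the documentation quoted in the message above, evaluated over constructed headers. This is an added example, not part of the thread and not popsneaker's code. It assumes that patterns ignore case unless -case is given, that a matching rule adds its value once per message, and that the first score_eval whose condition holds decides.

```python
import re

# First score block from the documentation quoted above; the Message-ID
# rule is omitted because its pattern is redacted on the page.
RULES = r"""
score_reset
score +10 ^References: .*mydomain\.net
score +10 ^In-Reply-To: .*mydomain\.net
score -5  ^Content-Type: text/html
score -10 ^(to|cc): .*,.*,.*,.*,.*,
score_eval -gt 0 accept
score_eval -lt 0 deny
"""

OPS = {"-lt": lambda s, v: s < v, "-le": lambda s, v: s <= v,
       "-gt": lambda s, v: s > v, "-ge": lambda s, v: s >= v}

def evaluate(rules, headers):
    """Return (decision, score); decision is None if no score_eval fired."""
    score = 0
    for line in rules.strip().splitlines():
        word = line.split()[0]
        if word == "score_reset":
            score = 0
        elif word == "score":
            _, delta, pattern = line.split(None, 2)
            # Assumption: patterns ignore case unless -case is given.
            flags = re.IGNORECASE
            if pattern.startswith("-case "):
                flags, pattern = 0, pattern[6:].lstrip()
            # Assumption: a rule counts once, however many headers match.
            if any(re.search(pattern, h, flags) for h in headers):
                score += int(delta)
        elif word == "score_eval":
            _, op, value, action = line.split()
            # Assumption: the first score_eval whose condition holds decides.
            if OPS[op](score, int(value)):
                return action, score
    return None, score

# Constructed header sets, one header per string.
REPLY = ["In-Reply-To: <1234@mail.mydomain.net>", "Content-Type: text/html"]
BULK = ["To: a@example.org, b@example.org, c@example.org, d@example.org, "
        "e@example.org, f@example.org", "Content-Type: text/html"]
PLAIN = ["From: someone@example.org", "Subject: hello"]

if __name__ == "__main__":
    for name, hdrs in (("reply", REPLY), ("bulk", BULK), ("plain", PLAIN)):
        print(name, evaluate(RULES, hdrs))
```

A message that matches no rule keeps score 0 and is decided by neither score_eval line, so it falls through to whatever rules follow the block.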