Spamfilter early verdicts

From Messaging Server Technical Reference Wiki

Most spam/virus filter plugins base their decisions on message content. (SpamAssassin in particular acts solely on the message content it receives, though it attempts to make some assumptions about the message envelope based on material in the message itself.) However, as of Messaging Server 7.0 the MTA allows spam/virus filter packages to return a so-called "early verdict" based upon the source IP address alone, for instance when the incoming connection is from a source IP that the spam/virus filter package considers to be a known spam source. Currently only the Brightmail and milter plugins are capable of returning such an early verdict. Early verdicts must be explicitly enabled in Brightmail; in milter, an early verdict corresponds to a message reject action taken at the SMFIC_CONNECT phase.
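
The milter side of such an early verdict, as an added example that is not code from the original page or from Messaging Server: a filter decodes the SMFIC_CONNECT packet and answers with the reject reply when the source IP is listed. The function names and the reputation list are assumptions made for illustration; the sample packets are constructed.

```python
import ipaddress
import struct

# Milter protocol codes: connect command, continue and reject replies.
SMFIC_CONNECT, SMFIR_CONTINUE, SMFIR_REJECT = b"C", b"c", b"r"

# Constructed reputation list (assumption), using RFC 5737 example ranges.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]


def frame(code, payload=b""):
    """Build a milter packet: uint32 length, one-byte code, payload."""
    return struct.pack("!I", 1 + len(payload)) + code + payload


def build_connect(hostname, address, port, family=b"4"):
    """Construct a sample SMFIC_CONNECT packet as an MTA would send it."""
    payload = (hostname.encode() + b"\0" + family +
               struct.pack("!H", port) + address.encode() + b"\0")
    return frame(SMFIC_CONNECT, payload)


def parse_connect(packet):
    """Decode SMFIC_CONNECT into (hostname, family, port, address)."""
    (length,) = struct.unpack("!I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length or body[:1] != SMFIC_CONNECT:
        raise ValueError("not a complete SMFIC_CONNECT packet")
    hostname, _, rest = body[1:].partition(b"\0")
    family = rest[:1].decode()
    if family not in ("4", "6") or len(rest) < 4:
        return hostname.decode(), family, None, None  # no IP to judge
    (port,) = struct.unpack("!H", rest[1:3])
    address = rest[3:].split(b"\0", 1)[0].decode()
    if address.startswith("IPv6:"):  # some MTAs prefix IPv6 literals
        address = address[5:]
    return hostname.decode(), family, port, address


def connect_verdict(packet):
    """Reply to the connect phase: reject listed source IPs, else continue."""
    _, _, _, address = parse_connect(packet)
    if address is None:
        return frame(SMFIR_CONTINUE)
    ip = ipaddress.ip_address(address)
    listed = any(ip.version == n.version and ip in n for n in BAD_NETWORKS)
    return frame(SMFIR_REJECT if listed else SMFIR_CONTINUE)
```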

If the spam filter plugin is activated based on the source channel or the envelope from address, any early verdict checks are done at the start (MAIL FROM) of the SMTP transaction. However, if the spam filter plugin is activated based on destination channel or the recipient address, the check won't happen until that recipient address is communicated (RCPT TO). But in either case the rejection only occurs after the SMTP connection has been accepted by the Dispatcher and passed to the SMTP server.

In some cases it is preferable to have such checks done from the Dispatcher so that the connection itself can be refused. A mapping callout routine, mm_check_reputation, is therefore provided so this can be done from the PORT_ACCESS mapping. The callout accepts two arguments separated by a vertical bar: (1) the slot number of the spam filter plugin to use, and (2) the IP address to check. The callout succeeds if an early verdict is returned.

An example of directly using Brightmail's "early verdict string" (without any additional MTA text, as would normally be added) is:


PORT_ACCESS 
 
   *|*|*|*      $:A$[IMTA_LIB:libimta.so,mm_check_reputation,1|$1]$N 
 

The $:A is used in this example to make sure this check is only done from the Dispatcher, and not the SMTP server. (In contrast, $:S would be used to ensure that the check would be done only from the SMTP server and not from the Dispatcher.)

