Karmasphere and Exim4, on Debian
I've rambled on about Karmasphere in the past, but I've not actually done anything with it since mentioning it.
Sadly today was the day when spam started getting through my crazy system. This clearly was a signal from the gods themselves; to take the next step. The dreaded DNSBL. You might be surprised, but I don't like DNSBLs. In the past they've made my life hard at work - especially when we've inherited an IP that was previously used by spammers, in some way, shape or form. You see the thing is that some are actually on the ball and will check out and change their lists easily. Others won't. The problem is that maintaining your knowledge of the good ‘uns and the bad ‘uns is… well boring.
Karmasphere is supposed to take this hassle and make it easier; you can aggregate results from multiple sources, not just DNSBLs, and let Karmasphere decide for you. So if one or two don't keep up.. well that won't matter so much. In theory.
At the moment I'm adding headers to my mails and not rejecting, just to see how things fare, however in the future (assuming all goes well) I'd actually like to see this in real use. Perhaps even at work, in conjunction with our other spam filtering solutions.
So how did I do it (remember this is just logging, not actively rejecting)? Pretty easily, it must be said (I'm not going into detail);Installed the Karmasphere client:
perl -MCPAN -e 'install Mail::Karmasphere::Client'
#! /bin/sh
#
# Starts KarmaSphere Daemon
#
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=karmad-exim
DAEMON=/usr/local/bin/$NAME
DESC="KarmaSphere Daemon"
KUSR=INSERT YOUR USERNAME HERE
KPWD=INSERT YOUR PASSWORD HERE
SCRIPTNAME=/etc/init.d/$NAME
# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
case "$1" in
start)
echo -n "Starting $DESC: $NAME"
nohup $DAEMON --feedset=karmasphere.email-sender-ip --username=$KUSR --password=$KPWD --socketuser=Debian-exim 2>/dev/null 1>/dev/null &
echo "."
;;
stop)
echo "Stopping $DESC: $NAME."
killall -9 $NAME &> /dev/null
;;
restart)
echo "Restarting $DESC: $NAME."
$0 stop && sleep 1
$0 start
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart}" >&2
exit 1
;;
esac
exit 0
(and then created the relevant symlinks using update-rc.d)Created and added the following to /etc/exim4/conf.d/acl/10_karmad-exim (which is pretty much line for line what you can find on Karmasphere's website):
karma_rcpt_acl:
# Check envelope sender
warn set acl_m9 = ${readsocket{/tmp/karmad}\
{ip=$sender_host_address\nhelo=$sender_helo_name\
\nsender=$sender_address\n\n}{20s}{\n}{socket failure}}
# Continue quietly on socket error
accept condition = ${if eq{$acl_m9}{socket failure}{yes}{no}}
message = Cannot connect to karmad
# Prepare answer and get results
warn set acl_m9 = ${sg{$acl_m9}{\N=(.*)\n\N}{=\"\$1\" }}
set acl_m8 = ${extract{value}{$acl_m9}{$value}{unknown}}
set acl_m7 = ${extract{data}{$acl_m9}{$value}{}}
# Check for fail
# Once happy with testing, replace with deny & condition - or perhaps do filtering into Junk as part of ~/.forward?
warn message = X-Karma: $acl_m8: $acl_m7
accept
deny !acl = karma_rcpt_acl
If you're not aware of what's going on here, then I'd suggest reading the Debian Exim4 split config documentation, and also the Karmasphere docs - you could break your mail server.
What this will now do is mark all of my mails, if it can talk to karmad, with X-Karma: 0: Comment. The lower the number, the more likely it is to be spam. -1000 to 1000 is the range, with it defaulting to 0 for neutral/unknown.
The only thing that would need to be altered is to add my whitelisting acl, if I do go live with it, and to decide whether or not I do filtering in ~/.forward or during SMTP rejection.