SpamAssassin for Request Tracker

Recently (March 2005) there has been an upsurge of spam to RT from one or two a day to five or more. I decided to add SpamAssassin to the mail aliases on Apollo to try and sort this out.

This guide should be applicable to any ticketing system, or anything else that works via mail aliases that pipe to programs, though some minor changes may be needed. It was written for RT 2.0; the changes needed for RT 3.4 are below.

Initial (Old) Configuration

All mail is forwarded from support@netsoc.tcd.ie to support@apollo.netsoc.tcd.ie. The relevant part of the /etc/aliases on Apollo looks like:

support: "|/opt/rt2/bin/rt-mailgate --queue support --action correspond"
support-comment: "|/opt/rt2/bin/rt-mailgate --queue support --action comment"

admin: "|/opt/rt2/bin/rt-mailgate --queue admin --action correspond"
admin-comment: "|/opt/rt2/bin/rt-mailgate --queue admin --action comment"
etc.

Step 1 - Software

The first step was to install all the software required. Apollo runs Debian Woody, which is a bit behind the times, so I pulled SpamAssassin 3.0.2 from backports.org. That version provides both Bayesian filtering and SURBLs, both of which are very effective for my personal spam processing. This endeavour also requires procmail.

Step 2 - SpamAssassin Setup

I decided to put all the files I needed in /etc/rt. Using my own user_prefs as a base I created spamassassin_user_prefs which is shown below:

report_safe 0
rewrite_subject 0

ok_languages en

required_hits 5

bayes_path /etc/rt/spamassassin_

#Want autolearn - a lot of it
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam -1
bayes_auto_learn_threshold_spam 6
#Display bayes level
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ bayes=_BAYES_ tests=_TESTS_ autolearn=_AUTOLEARN_ datescanned=_DATE_

use_dcc 0
use_pyzor 0
use_razor2 0
dns_available yes
skip_rbl_checks 0

#whitelist_from *.tcd.ie
whitelist_from_rcvd *@netsoc.tcd.ie matrix.netsoc.tcd.ie

I copied my own Bayes database by backing it up with sa-learn --backup > tmpfile. I then scped this to Apollo and imported it with sa-learn -p /etc/rt/spamassassin_user_prefs --restore tmpfile. A direct copy didn't work, which I blame on some combination of database version incompatibilities and endianness. Finally I chowned the Bayes databases to nobody.nogroup so that they could be updated (if using Postfix, see local(8) and default_privs in main.cf for which user procmail/spamassassin will run as).

Step 3 - Route the mail

The best way to do fun stuff with mail is procmail, but first the mail has to get there. I altered /etc/aliases to the following:

support: "|/usr/bin/procmail -m /etc/rt/procmailrc support correspond"
support-comment: "|/usr/bin/procmail -m /etc/rt/procmailrc support comment"

admin: "|/usr/bin/procmail -m /etc/rt/procmailrc admin correspond"
admin-comment: "|/usr/bin/procmail -m /etc/rt/procmailrc admin comment"

etc.

This passes the mail onto the procmailrc, but also passes two parameters (the queue and action) to procmail where they are available as $1 and $2. The procmailrc itself is:

:0fw
|/usr/bin/spamassassin -P -p /etc/rt/spamassassin_user_prefs

:0      #Send spam to someone on Matrix to check
* ^X-Spam-Status: Yes
! rt-spam-obfuscate-this-a-bit@netsoc.tcd.ie

:0      #Send ham on to RT
|/opt/rt2/bin/rt-mailgate --queue $1 --action $2
	

Note that all the detected spam is passed on to Matrix where it can be checked for false positives. The final stage in mail routing was setting up a mail alias on Matrix for rt-spam-obfuscate-this-a-bit@netsoc.tcd.ie to point to myself.
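The copies forwarded for review carry the Status header defined by the add_header line in spamassassin_user_prefs, which makes the false-positive check easy to script. The following Python parser for that header is an added example, not part of the original setup; the sample message, the needs_review rule and its two thresholds are assumptions made for illustration.

```python
import email
import re

# Field layout comes from the add_header line in spamassassin_user_prefs:
#   _YESNO_, hits=.. required=.. bayes=.. tests=.. autolearn=.. datescanned=..
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)

def parse_status(raw_message):
    """Return the X-Spam-Status fields of one message as a dict, or None."""
    header = email.message_from_string(raw_message)["X-Spam-Status"]
    if header is None:
        return None  # no header: the spamassassin filter did not tag this mail
    verdict, _, rest = header.partition(",")
    fields = {key: value.strip() for key, value in FIELD.findall(rest)}
    # Long test lists are folded over several lines; drop the whitespace.
    tests = re.sub(r"\s+", "", fields.get("tests", "")).split(",")
    return {
        "spam": verdict.strip().lower() == "yes",
        "hits": float(fields["hits"]),
        "required": float(fields["required"]),
        "bayes": float(fields["bayes"]),
        "tests": [t for t in tests if t and t != "none"],
        "autolearn": fields.get("autolearn", ""),
    }

def needs_review(status, margin=2.0, bayes_floor=0.5):
    """Assumed triage rule: a spam verdict that is close to the threshold
    or that the Bayes classifier did not support."""
    if status is None or not status["spam"]:
        return False
    near_threshold = status["hits"] - status["required"] < margin
    return near_threshold or status["bayes"] < bayes_floor

# Constructed sample: a borderline hit with a folded tests list.
SAMPLE = (
    "From: user@example.org\n"
    "Subject: PASSWORD RESET NOT WORKING\n"
    "X-Spam-Status: Yes, hits=5.6 required=5.0 bayes=0.3120 tests=HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,SUBJ_ALL_CAPS autolearn=no\n"
    "\tdatescanned=Tue, 15 Mar 2005 10:12:01 +0000\n"
    "\n"
    "Hi, I cannot reset my password.\n"
)

if __name__ == "__main__":
    status = parse_status(SAMPLE)
    print(status["tests"], "review" if needs_review(status) else "skip")
```
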

Also note that I use spamassassin rather than spamc. This is to avoid the permissions problems that I have experienced on Matrix with spamd. RT is pretty low volume and Apollo is usually lightly loaded, so running spamassassin for each message isn't a problem for us.

Results

We haven't received a single piece of spam (other than a few test mails from myself) since this was set up, so I've no idea how effective this is. It's debatable whether this classifies as a success.

Todo

One suggestion for improvement is to set up an address on Apollo to which ham and spam can be sent to train the Bayesian filter.

RT 3.4

For RT 3.4 we used the Debian Sarge packages. The only changes required were to change the path in the procmailrc to point to the new rt-mailgate and to add the --url argument to it. The line is now:

|/usr/bin/rt-mailgate --queue $1 --action $2 --url http://help.netsoc.tcd.ie/
	

Notes

sa-learn --prefs-file=/etc/rt/spamassassin_user_prefs --spam
	

Email: bbrazil@netsoc.tcd.ie