Message Content Protection

Introduction

The point of Message Content Protection (MCP) is to allow you to write rules for scanning the text content of email messages so you can trap messages that contain certain numbers of keywords and/or phrases that you don't want leaving your company. It could also be used to ban mail containing pornographic phrases and so on, without having to mess with Spam Actions or have custom spam rules to do it.

Basically what happens is that it is another call to SpamAssassin, but this time using a completely customised ruleset and a separate set of actions, and without any of the RBL checks, Bayes, etc. This means that you can create your own rules and give them whatever score you like, then take different actions depending on the score.

To enable MCP, you need to add some configuration options to your MailScanner.conf file. You may also want to apply 2 patches to SpamAssassin so that MCP can scan the contents of attachments such as Microsoft Word documents.

New MailScanner.conf Settings

Add the following text to your MailScanner.conf file.
# Configuration directory containing files related to MCP
# (Message Content Protection)
%mcp-dir% = /etc/MailScanner/mcp

#
# MCP (Message Content Protection)
# -----------------------------
#
# This scans text and HTML messages segments for any banned text, using
# a 2nd copy of SpamAssassin to provide the searching abilities.
# This 2nd copy has its own entire set of rules, preferences and settings.
# When used together with the patches for SpamAssassin, it can also check
# the content of attachments such as office documents.
#

MCP Checks = no

MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1

MCP Header = X-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = yes

MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100000
MCP SpamAssassin Timeout = 10

MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

The "MCP Error Score" setting is there so that you can choose what happens if the MCP system fails for some unknown reason. Set it to 0 and a failure will cause mail to be delivered as normal, but a high score would cause the mail to be stopped (assuming you set "High Scoring MCP Actions" appropriately).

languages.conf Settings

You need to ensure you have the MCP output strings set in the languages.conf for your language(s). This file can be found in /etc/MailScanner/reports/en/languages.conf (for the language "en"). Ensure the file contains the following:

# Used in MCP checks
MCP = MCP
MCPSpamAssassin = MCP-Checker
MCPnotspam = MCP-Clean
MCPspam = MCP-Trapped
MCPblacklisted = MCP-Blacklisted
MCPwhitelisted = MCP-Whitelisted
MCPsadisabled = MCP disabled
MCPsanoheaders = MCP Message had no headers
MCPsatimedout = MCP timed out

Patching SpamAssassin

There are 3 patches you need to apply to your copy of SpamAssassin for MCP to be able to examine non-text attachments such as Microsoft Word documents. Without these patches, it is only able to examine text and HTML sections of email messages.

You need to find your copy of SpamAssassin. You can usually find it with one of these commands:

find /usr/lib -name SpamAssassin -print
find /usr/perl5 -name SpamAssassin -print

In that directory, you should find some files, including Conf.pm and PerMsgStatus.pm.

If you are not sure which version of SpamAssassin you have installed, then run this command:

perl -MMail::SpamAssassin -e 'print "You have version $Mail::SpamAssassin::VERSION\n";'

The version you have should be 2.63-2.64, 3.0.4 or 3.1.0. If it is less than 3.0 then I suggest you upgrade to 3.0 if you want to use this feature. If it is more than 3.1.0 then please contact me and request an update for these patches.

To apply the 2.63 patches, use these 2 commands:
patch < Conf.pm.patch.2.63
patch < PerMsgStatus.pm.patch.2.63

If you are running version 3.0.0, then use these 3 commands:
patch < Conf.pm.patch.3.0.0
patch < Message.pm.patch.3.0.0
patch < PerMsgStatus.pm.patch.3.0.0

If you are running version 3.0.4, then use these 3 commands:
patch < Conf.pm.patch.3.0.4
patch < Message.pm.patch.3.0.4
patch < PerMsgStatus.pm.patch.3.0.4

If you are running version 3.1.0, then use these 3 commands:
patch < Conf.pm.patch.3.1.0
patch < Message.pm.patch.3.1.0
patch < PerMsgStatus.pm.patch.3.1.0

Once that is done, and you have stopped and restarted MailScanner, the MCP features will be able to check inside non-text attachments to messages.

Example

There is a very simple sample rule file in /etc/MailScanner/mcp/*.cf which shows you the basic syntax so you can test the system is working properly. Read the output of "man Mail::SpamAssassin::Conf" for full details of the syntax of the rules you can add. You can place rules in the /etc/MailScanner/mcp directory with any filename that ends in ".cf".
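
The scoring model described on this page, as an added example (not MailScanner's or SpamAssassin's own code): a constructed rule file in SpamAssassin rule syntax, with a small Python model of how rule scores add up against the two thresholds set in MailScanner.conf. The rule names, phrases, function names and the >= comparison are assumptions; only body rules written as /.../ or /.../i are handled.

```python
import re

# Constructed sample rule file in SpamAssassin rule syntax.
# Rule names, phrases and scores are invented for this example.
SAMPLE_RULES = r"""
body     MCP_PROJECT_NAME  /\bproject\s+bluebird\b/i
describe MCP_PROJECT_NAME  Internal project code name
score    MCP_PROJECT_NAME  4

body     MCP_CONFIDENTIAL  /\bcompany\s+confidential\b/i
describe MCP_CONFIDENTIAL  Confidentiality marking
score    MCP_CONFIDENTIAL  1

body     MCP_PAYROLL       /\bpayroll\s+export\b/i
describe MCP_PAYROLL       Payroll data export
score    MCP_PAYROLL       6
"""

def parse_rules(text):
    """Return {rule_name: (compiled_regex, score)} for the body rules."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, name, rest = line.split(None, 2)
        if keyword == "body":
            m = re.fullmatch(r"/(.*)/(i?)", rest)
            patterns[name] = re.compile(m.group(1), re.I if m.group(2) else 0)
        elif keyword == "score":
            scores[name] = float(rest)
    # SpamAssassin gives a rule a score of 1 when no score line is present.
    return {n: (rx, scores.get(n, 1.0)) for n, rx in patterns.items()}

def mcp_decision(body, rules, required=1, high=10):
    """Total the matching rules; return (score, hits, MailScanner.conf setting).

    required/high mirror "MCP Required SpamAssassin Score" and
    "MCP High SpamAssassin Score"; the >= comparison is an assumption.
    """
    hits = sorted(n for n, (rx, _) in rules.items() if rx.search(body))
    total = sum(rules[n][1] for n in hits)
    if total >= high:
        return total, hits, "High Scoring MCP Actions"
    if total >= required:
        return total, hits, "MCP Actions"
    return total, hits, "Non MCP Actions"

RULES = parse_rules(SAMPLE_RULES)
```

With "MCP Required SpamAssassin Score = 1", a single rule scoring 1 is enough to select "MCP Actions", so rule scores need to be chosen relative to both thresholds.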


Julian Field