ClamAV SpamAssassin Microsoft Exchange

This post is more of a follow-up to the previous SpamAssassin post, so I suggest you read that one first.

To improve spam and virus detection I decided to add an extra antivirus detection agent to our Exchange server. The choice of antivirus software was trivial, as it had to be an open one, so ClamAV it was. I did not find a transport agent for Exchange, but I found quite a few plugins for SpamAssassin.

The ClamAV installation is quite simple. Download the 64-bit MSI and install it. Go to C:\Program Files\ClamAV\conf_examples, copy the files to the main folder and rename them to clamd.conf and freshclam.conf. Open them, change some settings and don’t forget to remove the “Example” line at the start (clamd and freshclam refuse to start while that line is present). Start freshclam.exe and after that clamd.exe.

While setting things up it is nice to have the daemon running in a command line window so you can see the incoming connections. After that use the “clamd.exe --install-service” command to install it as a service.

To improve the detection results some extra definitions were also needed. I found a nice post here that explains how to add Sanesecurity definitions with the sigupdate tool.

I won’t bore you with all the implementations, testing and tweaking and will only tell you about the final solution. As the core plugin I chose the one from bigio, but I also used some features from the one from pmeulen. Here is my modified fork.

Both solutions also require either the File::Scan::ClamAV or the ClamAV::Client Perl module. ClamAV::Client didn’t work, as it uses the deprecated STREAM command rather than INSTREAM. As I am not fluent in Perl I didn’t bother to fix it and used the other, working one. The File::Scan::ClamAV module is a bit newer and works great. Here is the version from GitHub I used.
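The STREAM versus INSTREAM difference mentioned above is easy to see on the wire, and it is the reason one Perl module works and the other does not. Below is an added example of a minimal INSTREAM client in Python; it is not the page's code and not File::Scan::ClamAV or ClamAV::Client. It frames a buffer the way clamd expects (the command, length-prefixed chunks, a zero-length terminator), sends it and parses the "stream: ... FOUND" reply, which is where the signature name in the X-Spam-Virus header comes from. The clamd address 127.0.0.1:3310 (TCPSocket/TCPAddr in clamd.conf), the chunk size, the sample reply strings and the EICAR test string are my choices.

```python
"""Minimal clamd INSTREAM client (added example; not the page's code nor any CPAN module).

INSTREAM sends the file over the same socket as the command: 4-byte big-endian
chunk length followed by the chunk bytes, ended by a zero-length chunk. The older
STREAM command, which ClamAV::Client still uses, instead asks clamd for a second
port to upload to, and is deprecated, which is why that module fails.
Assumptions: clamd listens on TCP 127.0.0.1:3310 and commands use the 'z' prefix,
so both command and reply are NUL-terminated.
"""
import socket
import struct

CLAMD_ADDR = ("127.0.0.1", 3310)   # assumed; TCPSocket/TCPAddr in clamd.conf
CHUNK = 65536                      # assumed chunk size; any size clamd accepts works


def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the exact byte frames clamd expects for one INSTREAM scan."""
    yield b"zINSTREAM\0"                              # command, NUL-terminated
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack(">I", len(part)) + part      # length prefix + payload
    yield struct.pack(">I", 0)                         # zero-length chunk = end of stream


def encode_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Whole INSTREAM exchange as a single byte string (useful for tests/inspection)."""
    return b"".join(instream_frames(data, chunk))


def parse_reply(reply: bytes):
    """Map clamd's reply to (status, detail).

    'stream: OK'                     -> ('OK', None)
    'stream: <Signature> FOUND'      -> ('FOUND', '<Signature>')
    anything ending in ' ERROR'      -> ('ERROR', full text), e.g. when the
                                        StreamMaxLength limit in clamd.conf is hit
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        sig = text[len("stream: "):-len(" FOUND")] if text.startswith("stream: ") else text[:-len(" FOUND")]
        return "FOUND", sig
    if text.endswith(" OK"):
        return "OK", None
    return "ERROR", text


def scan_bytes(data: bytes, addr=CLAMD_ADDR, timeout: float = 30.0):
    """Send data to clamd with INSTREAM and return the parsed verdict."""
    with socket.create_connection(addr, timeout=timeout) as s:
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):      # 'z' framing: reply ends with NUL
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)


# Constructed sample: the standard EICAR test string, harmless but detected by every engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

if __name__ == "__main__":
    try:
        print(scan_bytes(EICAR))
    except OSError as exc:
        print("clamd not reachable:", exc)
```

Run against a local clamd with the EICAR string and you get a FOUND reply carrying ClamAV's EICAR signature name, the same string the plugin puts into X-Spam-Virus. Two things to watch: clamd's StreamMaxLength setting caps what it accepts over INSTREAM, so an oversized mail comes back as an ERROR reply rather than OK, and the SpamAssassin plugin should treat that as "not scanned" rather than "clean"; and the reply is NUL-terminated only because the command was sent with the z prefix, so the read loop has to match the framing you send.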

For the File::Scan::ClamAV installation just copy the module file into your SpamAssassin folder like this:

For the ClamAV plugin installation copy the three needed files in here:

To check that the configuration is OK use the “spamassassin.exe --lint” command. If you get an error you need to fix something.

I also suggest that you disable your spamd service and run “spamd.exe -D” so you get some debug output. There you will be able to see whether the plugins load and work correctly.

If you did everything correctly you will start getting emails like this:

Do note that every email gets an antivirus header, so you can build custom rules on it, especially for testing in your ECP. The example above got this header: “X-Spam-Virus: Yes (Sanesecurity.Jurlbl.b21234.UNOFFICIAL)”

There is also a nice way of adding custom scores to the output. The article describes doing it with the X-Spam-Virus header, which is always present, but the plugin used here can do it directly by adding some parameters to check_clamav(). I suggest you take a look at the code, as it is nicely described there.

Spam Filter for Microsoft Exchange

I was looking for a spam filter improvement for our on-premises Exchange server. The integrated spam protection is not really the best, and Microsoft’s answer is its cloud services. If you don’t want that, the only other options are other paid solutions or some kind of SMTP spam proxy.

None of those were acceptable in my case. On GitHub I found a solution that is quite a few years old, and it is exactly what I was looking for: a SpamAssassin agent for Exchange. Basically it is an open source spam filter.

I forked the solution and added the required Microsoft.Exchange.Data.Common.dll and Microsoft.Exchange.Data.Transport.dll from my Exchange Edge server, which was version 15.1.2507.6.

The newly added DLLs required .NET Framework 4.6.2. After that the project compiled without any errors.

The repository main page also has a link to install instructions, but it is dead. While browsing through all the files I found out that the author of the code has even made a PowerShell script for the installation.

I made some changes to the installation script later: I added the new Exchange version and added srvany-ng (which is required to run the SpamAssassin daemon as a Windows service).

I noticed that the precompiled Windows version of SpamAssassin gets downloaded from a commercial anti-spam product that uses it 😉

I had to make some changes to the SpamAssassin config, as it was not adding the X-Spam-Score header but the X-Spam-Level header instead.

These two lines in local.cf fixed the issue:

add_header all Score _SCORE_
remove_header all Level

The only other thing I changed was in SpamassasinConfig.xml.

The RejectThreshold value of 10 was a bit low for my taste.

<SpamassassinSettings>
	<SpamassassinPath>C:\Program Files (x86)\SpamAssassin\spamc.exe</SpamassassinPath>
	<SpamassassinArgs></SpamassassinArgs>
	<RejectThreshold>20</RejectThreshold>
	<LogLevel>4</LogLevel>	
	<MaxMessageSize>104857600</MaxMessageSize>
	<SkipRecievedHeaders>1</SkipRecievedHeaders>
</SpamassassinSettings>

This is what an example header looks like:

X-Spam-Checker-Version: SpamAssassin 3.4.4 (svnunknown) on your.server
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.5 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
	NO_RECEIVED,NO_RELAYS,SPF_FAIL,SUBJ_ALL_CAPS,URIBL_ABUSE_SURBL,
	URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS,URIBL_ZEN_BLOCKED_OPENDNS,
	URI_PHISH autolearn=no autolearn_force=no version=3.4.4
X-Spam-Discard: YES
X-Spam-Score: 7.5

You can see that the X-Spam-Discard: YES header is added by the agent when the score is larger than 2.0; in the config that is the RejectThreshold value of 20. Based on these headers you can build some nice mail flow rules. If you want to add more custom headers, check the SpamAssassin configuration manual.

This one moves the detected spam mails to the spam folder, if your server is configured for it:

Now you have a nice spam filter agent which is nicely configurable. One of the best features of SpamAssassin is also its DKIM signature validation, a feature that only exists on a stale branch of the otherwise excellent Exchange DKIM Signer.

X-Spam-Status: No, score=1.0 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,KHOP_HELO_FCRDNS,MIME_HTML_ONLY,
	PDS_RDNS_DYNAMIC_FP,RDNS_DYNAMIC,SPF_HELO_NONE,URIBL_BLOCKED,
	URI_TRUNCATED autolearn=no autolearn_force=no version=3.4.4
X-Spam-Score: 1.0

This is an example of a failed DKIM test.

Here is the link to my GitHub fork. I added all the changes described above and some more. I plan to push new versions to GitHub when I upgrade my Edge server. Maybe, if I find the time, I will write an agent for virus scanning or modify this one 😉