Difference between revisions of "DSpam README"

DSPAM is an open-source, freely available anti-spam solution designed to combat unsolicited commercial email using advanced statistical analysis. In short, DSPAM filters spam by learning what spam is and isn't. It does this by learning each user's individual mail behavior. This allows DSPAM to provide highly-accurate, personalized filtering for each user on even a large system and provides an administratively maintenance free solution capable of learning each user's email behaviors with very few false positives.

DSPAM is an open-source, freely available anti-spam solution designed to combat unsolicited commercial email using advanced statistical analysis. In short, DSPAM filters spam by learning what spam is and isn't. It does this by learning each user's individual mail behavior. This allows DSPAM to provide highly-accurate, personalized filtering for each user on even a large system and provides an administratively maintenance free solution capable of learning each user's email behaviors with very few false positives.

The DSPAM package is split up into the following pieces:

The DSPAM package is split up into the following pieces:

Some basic tools which have been provided to manage dictionaries, automate corpus feeding, and perform other diagnostic operations related to DSPAM. Some of these include dspam_train, dspam_stats, and dspam_dump.

Some basic tools which have been provided to manage dictionaries, automate corpus feeding, and perform other diagnostic operations related to DSPAM. Some of these include dspam_train, dspam_stats, and dspam_dump.

== IMPLEMENTATION OPTIONS ==

== IMPLEMENTATION OPTIONS ==

  [MTA] ---> [LDA] ---> (User's Mailbox)

  [MTA] ---> [LDA] ---> (User's Mailbox)

AFTER:

AFTER:

                       \--> [Quarantine]

                       \--> [Quarantine]

         [End User] ------> [Web UI]

         [End User] ------> [Web UI]

=== As a POP3 Proxy ===

=== As a POP3 Proxy ===

                   \

                   \

                   \--> [POP3 Server]

                   \--> [POP3 Server]

=== As an SMTP Relay ===

=== As an SMTP Relay ===

             [End User] ------> [Web UI]

             [End User] ------> [Web UI]

----

----

=== UPGRADING DSPAM ===

=== UPGRADING DSPAM ===

Follow the steps sequentially from the base version you are running up to the top.

Follow the steps sequentially from the base version you are running up to the top.

==== Upgrading From 3.6 ====

==== Upgrading From 3.6 ====

5. Add "ProcessorURLContext" setting in dspam.conf ProcessorURLContext has been added to toggle whether URL specific tokens are created in the tokenizer process. The "on" value is default for previous versions of DSPAM.

5. Add "ProcessorURLContext" setting in dspam.conf ProcessorURLContext has been added to toggle whether URL specific tokens are created in the tokenizer process. The "on" value is default for previous versions of DSPAM.

==== Upgrading From 3.4 ====

==== Upgrading From 3.4 ====

Berkeley DB drivers (libdb3_drv, libdb4_drv) are deprecated and have been removed from the build. You will need to select an alternative storage driver in order to upgrade.

Berkeley DB drivers (libdb3_drv, libdb4_drv) are deprecated and have been removed from the build. You will need to select an alternative storage driver in order to upgrade.

----

----

'''PREREQUISITES'''

'''PREREQUISITES'''

You can download MySQL from http://www.mysql.com.

You can download MySQL from http://www.mysql.com.

You can download PostgreSQL from http://www.postgresql.com.

You can download PostgreSQL from http://www.postgresql.com.

You can download SQLite from http://www.sqlite.org.

You can download SQLite from http://www.sqlite.org.

==== CONFIGURATION ====

==== CONFIGURATION ====

DSPAM supports the configuration options below. Generally, the default configuration is more than acceptable, so it's a good idea not to tweak too many settings unless you know what you are doing.

DSPAM supports the configuration options below. Generally, the default configuration is more than acceptable, so it's a good idea not to tweak too many settings unless you know what you are doing.

===== PATH SWITCHES =====

===== PATH SWITCHES =====

Specify an alternative log directory. The default is $dspam_home/log. Do not set this to /var/log unless DSPAM will have permissions to write to the directory.

Specify an alternative log directory. The default is $dspam_home/log. Do not set this to /var/log unless DSPAM will have permissions to write to the directory.

===== FILESYSTEM SCALE =====

===== FILESYSTEM SCALE =====

Switch for domain-scale implementation.  When used, DSPAM expects username@domain to be passed in as the user id and user data will be stored as $HOME/data/domain.com/user and $HOME/opt-in/domain/user.dspam instead of $HOME/data/user

Switch for domain-scale implementation.  When used, DSPAM expects username@domain to be passed in as the user id and user data will be stored as $HOME/data/domain.com/user and $HOME/opt-in/domain/user.dspam instead of $HOME/data/user

===== INTEGRATION SWITCHES =====

===== INTEGRATION SWITCHES =====

  --with-storage-driver=DRIVER[,DRIVER2[...,DRIVERN]]

  --with-storage-driver=DRIVER[,DRIVER2[...,DRIVERN]]

  mysql_drv:  MySQL Drivers  

  mysql_drv:  MySQL Drivers  

This function is incompatible with most implementations of the Web UI, since it requires access to read each user's home directory. Therefore, only use this option if you will not be using the Web UI or plan on doing something asinine like running it as root.

This function is incompatible with most implementations of the Web UI, since it requires access to read each user's home directory. Therefore, only use this option if you will not be using the Web UI or plan on doing something asinine like running it as root.

Builds DSPAM with support for daemon mode, and builds associated dspamc thin client. Pthreads is required to build for daemon mode and the storage driver used must be thread-safe.

Builds DSPAM with support for daemon mode, and builds associated dspamc thin client. Pthreads is required to build for daemon mode and the storage driver used must be thread-safe.

===== DRIVER SPECIFIC CONFIGURE SWITCHES =====

===== DRIVER SPECIFIC CONFIGURE SWITCHES =====

Please see the file doc/mysql_drv.txt for more information about configuring the mysql_drv storage driver.

Please see the file doc/mysql_drv.txt for more information about configuring the mysql_drv storage driver.

Please see the file doc/pgsql_drv.txt for more information about configuring the pgsql_drv storage driver.

Please see the file doc/pgsql_drv.txt for more information about configuring the pgsql_drv storage driver.

Specify a path to the SQLite libraries

Specify a path to the SQLite libraries

===== DEBUGGING SWITCHES =====

===== DEBUGGING SWITCHES =====

  --enable-debug

  --enable-debug

When verbose debug is compiled in, DSPAM performs many additional mathematical calculations regardless of whether or not it's been activated. You shouldn't use --enable-verbose for production builds unless you have serious issues you can't resolve.

When verbose debug is compiled in, DSPAM performs many additional mathematical calculations regardless of whether or not it's been activated. You shouldn't use --enable-verbose for production builds unless you have serious issues you can't resolve.

===== FEATURE ACTIVATION =====

===== FEATURE ACTIVATION =====

Enables support for Clam Antivirus. DSPAM can interface directly with clamd to perform virus scanning and can be configured to react in different ways to viruses. See dspam.conf for more information.

Enables support for Clam Antivirus. DSPAM can interface directly with clamd to perform virus scanning and can be configured to react in different ways to viruses. See dspam.conf for more information.

===== ADDITIONAL CONFIGURATION OPTIONS =====

===== ADDITIONAL CONFIGURATION OPTIONS =====

The remainder of configuration options are located in dspam.conf, which is installed in sysconfdir (default: /usr/local/etc) upon a make install. It is generally a good idea to review dspam.conf and make any changes necessary prior to using DSPAM.

The remainder of configuration options are located in dspam.conf, which is installed in sysconfdir (default: /usr/local/etc) upon a make install. It is generally a good idea to review dspam.conf and make any changes necessary prior to using DSPAM.

==== BUILDING AND INSTALLING ====

==== BUILDING AND INSTALLING ====

If you are a developer wanting to link to the core engine of dspam, libdspam will be built during this process.  Please see the example.c file for examples of how to link to and use libdspam. Static and dynamic libraries are built in the .libs directory. Needed headers will be installed in $prefix$/include/dspam.

If you are a developer wanting to link to the core engine of dspam, libdspam will be built during this process.  Please see the example.c file for examples of how to link to and use libdspam. Static and dynamic libraries are built in the .libs directory. Needed headers will be installed in $prefix$/include/dspam.

==== PERMISSIONS ====

==== PERMISSIONS ====

The CGI User: This is the user your web server (most likely Apache) is running as. This is commonly 'nobody' or 'web'. You can find this in Apache's httpd.conf by searching for 'User'. The CGI user will need the ability to access the following components of DSPAM:

The CGI User: This is the user your web server (most likely Apache) is running as. This is commonly 'nobody' or 'web'. You can find this in Apache's httpd.conf by searching for 'User'. The CGI user will need the ability to access the following components of DSPAM:

The MTA User: This is the user your mail server software is running as when it executes DSPAM. This is usually daemon, mail, exim, etc. This is typically different from the user the MTA runs and polices itself as, to avoid security problems. Consult your MTA's documentation for more info. The MTA user will require:

The MTA User: This is the user your mail server software is running as when it executes DSPAM. This is usually daemon, mail, exim, etc. This is typically different from the user the MTA runs and polices itself as, to avoid security problems. Consult your MTA's documentation for more info. The MTA user will require:

Systems Administrators: In order to perform administrative functions, systems administratiors will require:

Systems Administrators: In order to perform administrative functions, systems administratiors will require:

If the MTA is communicating with DSPAM via LMTP (explained later), then execution permissions are not necessary.

If the MTA is communicating with DSPAM via LMTP (explained later), then execution permissions are not necessary.

FreeBSD's default MTA user is 'mailnull' FreeBSD's default delivery agent also changes its uid, and so in order to call it, dspam must be installed as setuid root to work on the commandline properly. This is done automatically on install.

FreeBSD's default MTA user is 'mailnull' FreeBSD's default delivery agent also changes its uid, and so in order to call it, dspam must be installed as setuid root to work on the commandline properly. This is done automatically on install.

A list of trusted users is maintained in dspam.conf. This file should include a list of trusted users who should be allowed to set the dspam user, passthru parameters, and other information that would be potentially dangerous for a malicious user to be able to set.  You'll need to ensure that your CGI user, MTA user, and system administrators are on the list.

A list of trusted users is maintained in dspam.conf. This file should include a list of trusted users who should be allowed to set the dspam user, passthru parameters, and other information that would be potentially dangerous for a malicious user to be able to set.  You'll need to ensure that your CGI user, MTA user, and system administrators are on the list.

==== MAIL SERVER INTEGRATION ====

==== MAIL SERVER INTEGRATION ====

As previously mentioned, there are three popular ways to implement DSPAM:

As previously mentioned, there are three popular ways to implement DSPAM:

  /bin/mail -d bob

  /bin/mail -d bob

===== ALIASES =====

===== ALIASES =====

There are essentially two different ways a user might train DSPAM. The first is by using the Web UI, which allows them to retrain via the "History" tab. This works quite well, as users must visit the Web UI occasionally to review their quarantine anyway (and reverse any false positives). We'll discuss this shortly in section 1.1.8.

There are essentially two different ways a user might train DSPAM. The first is by using the Web UI, which allows them to retrain via the "History" tab. This works quite well, as users must visit the Web UI occasionally to review their quarantine anyway (and reverse any false positives). We'll discuss this shortly in section 1.1.8.

If you are using an IMAP based system, Web-based email, or other form of email management where the original messages are stored on the server in pristine format, you can turn this signature feature off by setting "TrainPristine on" in dspam.conf. DSPAM will then use the message itself that you provide it to train, which MUST be identical to the original message in order to retrain properly.

If you are using an IMAP based system, Web-based email, or other form of email management where the original messages are stored on the server in pristine format, you can turn this signature feature off by setting "TrainPristine on" in dspam.conf. DSPAM will then use the message itself that you provide it to train, which MUST be identical to the original message in order to retrain properly.

If you are using the MySQL or PgSQL storage drivers, the original numeric user id can be embedded in the signature, requiring only one central spam alias to be necessary for the entire system. To configure this, uncomment the appropriate UIDInSignature option in dspam.conf:

If you are using the MySQL or PgSQL storage drivers, the original numeric user id can be embedded in the signature, requiring only one central spam alias to be necessary for the entire system. To configure this, uncomment the appropriate UIDInSignature option in dspam.conf:

The 'root' user represents any active dspam user. It is necessary to supply a username on the commandline or DSPAM will bail on an error, however the user will be changed internally once the signature is read.

The 'root' user represents any active dspam user. It is necessary to supply a username on the commandline or DSPAM will bail on an error, however the user will be changed internally once the signature is read.

If you're not using one of the above storage drivers, the next easiest way to configure aliases is to have DSPAM parse the 'To:' header of the message and use a catch-all subdomain to direct all mail into DSPAM for retraining. You can then instruct your users to email addresses like '[email protected]'. The ParseToHeaders option (available in dspam.conf) will parse the To: header of forwarded messages and set the username to either 'bob' or '[email protected]', depending on how it is configured. DSPAM can also set the training mode to either "learn spam" or "learn notspam" depending on whether the user specified a spam- or notspam- address in the To: header.

If you're not using one of the above storage drivers, the next easiest way to configure aliases is to have DSPAM parse the 'To:' header of the message and use a catch-all subdomain to direct all mail into DSPAM for retraining. You can then instruct your users to email addresses like '[email protected]'. The ParseToHeaders option (available in dspam.conf) will parse the To: header of forwarded messages and set the username to either 'bob' or '[email protected]', depending on how it is configured. DSPAM can also set the training mode to either "learn spam" or "learn notspam" depending on whether the user specified a spam- or notspam- address in the To: header.

If neither of the easy ways are possible, you're stuck with doing it the hard way. This means you'll need a separate spam alias (and notspam alias, if users are tagging mail) for each user. To do this, you will need to create an email address for each user, so that DSPAM can analyze and learn for that specific user.  For example:

If neither of the easy ways are possible, you're stuck with doing it the hard way. This means you'll need a separate spam alias (and notspam alias, if users are tagging mail) for each user. To do this, you will need to create an email address for each user, so that DSPAM can analyze and learn for that specific user.  For example:

You might be wondering if a user can forward a spam to another user's address, or whether a spammer can forward a spam to another user's notspam address. The answer is "no". The key to all mail-based retraining is the signature embedded in each email. The signature is stored with each user's own user id, and so not only does the incoming message have to bear a valid signature, but it also has to be stored on the system with the correct user id. This prevents any kind of alias abuse.

You might be wondering if a user can forward a spam to another user's address, or whether a spammer can forward a spam to another user's notspam address. The answer is "no". The key to all mail-based retraining is the signature embedded in each email. The signature is stored with each user's own user id, and so not only does the incoming message have to bear a valid signature, but it also has to be stored on the system with the correct user id. This prevents any kind of alias abuse.

==== NIGHTLY MAINTENANCE AND HOUSEKEEPING CRONS ====

==== NIGHTLY MAINTENANCE AND HOUSEKEEPING CRONS ====

===== Non-SQL Based Nightly Purge =====

===== Non-SQL Based Nightly Purge =====

If you are NOT running a SQL-based solution, then you should configure dspam_clean to run under cron nightly. This clean tool will read all signature databases and purge signatures that are older than 14 days (configurable), purge abandoned tokens, and remove unimportant tokens. Without this tool, old signatures will continue to pile up. Be sure the user running cleanup has full read/write permissions on the DSPAM data files.

If you are NOT running a SQL-based solution, then you should configure dspam_clean to run under cron nightly. This clean tool will read all signature databases and purge signatures that are older than 14 days (configurable), purge abandoned tokens, and remove unimportant tokens. Without this tool, old signatures will continue to pile up. Be sure the user running cleanup has full read/write permissions on the DSPAM data files.

  0 0 * * * /usr/local/bin/dspam_clean [options]

  0 0 * * * /usr/local/bin/dspam_clean [options]

''See the dspam_clean description for more information''

''See the dspam_clean description for more information''

===== SQL-Based Nightly Purge =====

===== SQL-Based Nightly Purge =====

SQL-Based solutions include a nightly SQL script to perform the same basic

SQL-Based solutions include a nightly SQL script to perform the same basic

tasks as dspam_clean, and it does it much faster and with more finesse.

tasks as dspam_clean, and it does it much faster and with more finesse.

  0 0 * * * mysql --user=[user] --pass=[pass] [db] < /path/to/purge-4.1.sql

  0 0 * * * mysql --user=[user] --pass=[pass] [db] < /path/to/purge-4.1.sql

===== Log Rotation =====

===== Log Rotation =====

The system log and user logs can fill up fairly quickly, when all that's really needed to generate graphs are the last two to three weeks of data. You can configure a nightly log cleanup using dspam_logrotate:

The system log and user logs can fill up fairly quickly, when all that's really needed to generate graphs are the last two to three weeks of data. You can configure a nightly log cleanup using dspam_logrotate:

  0 0 * * * dspam_logrotate -a 30 -d /usr/local/var/dspam/data

  0 0 * * * dspam_logrotate -a 30 -d /usr/local/var/dspam/data

==== NOTIFICATIONS ====

==== NOTIFICATIONS ====

DSPAM is capable of sending three different notifications to users:

DSPAM is capable of sending three different notifications to users:

These notifications can be activated by copying the txt/ directory from the distribution into DSPAM's home (by default /usr/local/var/dspam).  You will want to modify these templates prior to installing them to reflect the correct email addresses and URLs (look for 'configureme' and 'yourdomain').

These notifications can be activated by copying the txt/ directory from the distribution into DSPAM's home (by default /usr/local/var/dspam).  You will want to modify these templates prior to installing them to reflect the correct email addresses and URLs (look for 'configureme' and 'yourdomain').

The quarantine warning is reset when the user clicks 'Delete All', but is not reset if they use "Delete Selected".  If the user doesn't wish to receive reminders, they should use the "Delete Selected" function instead of "Delete All".

The quarantine warning is reset when the user clicks 'Delete All', but is not reset if they use "Delete Selected".  If the user doesn't wish to receive reminders, they should use the "Delete Selected" function instead of "Delete All".

You'll need to also set "Notifications" to "on" in dspam.conf.

You'll need to also set "Notifications" to "on" in dspam.conf.

==== THE WEB UI ====

==== THE WEB UI ====

The Web UI (CGI client) can be run from any executable location on a web server, and detects its user's identity from the REMOTE_USER

The Web UI (CGI client) can be run from any executable location on a web server, and detects its user's identity from the REMOTE_USER

environment variable. This means you'll need to use HTTP password authentication to access the CGI (Any type of authentication will work, so long as Apache supports the module). This is also convenient in that you can set up authentication using almost any existing system you have. The only catch is that you'll need the usernames to match the actual DSPAM usernames used the system. A copy of the shadow password file will suffice for most common installs.

environment variable. This means you'll need to use HTTP password authentication to access the CGI (Any type of authentication will work, so long as Apache supports the module). This is also convenient in that you can set up authentication using almost any existing system you have. The only catch is that you'll need the usernames to match the actual DSPAM usernames used the system. A copy of the shadow password file will suffice for most common installs.

Some authentication mechanisms are case insensitive and will authenticate the user regardless of the case they type it in.  DSPAM, on the other hand, is case sensitive and the case of the username used will need to match the case on the system.  If you suffer from this authentication problem, and are certain all of your users' usernames are in lowercase, you can add the following line of code to the CGI right after the call to &ReadParse...

Some authentication mechanisms are case insensitive and will authenticate the user regardless of the case they type it in.  DSPAM, on the other hand, is case sensitive and the case of the username used will need to match the case on the system.  If you suffer from this authentication problem, and are certain all of your users' usernames are in lowercase, you can add the following line of code to the CGI right after the call to &ReadParse...

Apache users do NOT take on the identity of the groups specified in /etc/group so you will need to specifically assign the group in httpd.conf.

Apache users do NOT take on the identity of the groups specified in /etc/group so you will need to specifically assign the group in httpd.conf.

Because the DSPAM Web UI is a CGI script, DSPAM will not retain its setuid privileges when called. If you are running procmail, this will become a problem as procmail requires root privileges to deliver. The easiest hack around this is to create a procmail.dspam binary and make it setuid root, then make it executable only by the mail group (or whatever group DSPAM and the CGI run in).

Because the DSPAM Web UI is a CGI script, DSPAM will not retain its setuid privileges when called. If you are running procmail, this will become a problem as procmail requires root privileges to deliver. The easiest hack around this is to create a procmail.dspam binary and make it setuid root, then make it executable only by the mail group (or whatever group DSPAM and the CGI run in).

The following PERL modules (http://www.perl.com/CPAN/modules/by-module/GD/):

The following PERL modules (http://www.perl.com/CPAN/modules/by-module/GD/):

   

   

Typically this can be accomplished on the commandline:

Typically this can be accomplished on the commandline:

'''Opt-In/Out'''

'''Opt-In/Out'''

  <INPUT TYPE=CHECKBOX NAME=optIn $C_OPTIN$>

  <INPUT TYPE=CHECKBOX NAME=optIn $C_OPTIN$>

  Opt into DSPAM filtering

  Opt into DSPAM filtering

  Opt out of DSPAM filtering

  Opt out of DSPAM filtering

=== TESTING ===

=== TESTING ===

If you've installed from an RPM, there's a good chance that the packager went to the trouble of testing already. If you're building from sources,however, you'll need to find a way to ensure your configuration isn't broken.

If you've installed from an RPM, there's a good chance that the packager went to the trouble of testing already. If you're building from sources,however, you'll need to find a way to ensure your configuration isn't broken.

Before running the test, you should have completed section 1.1's instructions for compiling and installing dspam as well as configured your mail server to support dspam.

Before running the test, you should have completed section 1.1's instructions for compiling and installing dspam as well as configured your mail server to support dspam.

==== 1. Create a new user account on your system ====

==== 1. Create a new user account on your system ====

It is important that this be a new account to prevent any unrelated email from being delivered during testing.  Be sure to configure a spam alias for the test account.

It is important that this be a new account to prevent any unrelated email from being delivered during testing.  Be sure to configure a spam alias for the test account.

==== 2. Send a short email ====

==== 2. Send a short email ====

Send a short email (10 words or less) to the account, and pick it up using your favorite mail client.

Send a short email (10 words or less) to the account, and pick it up using your favorite mail client.

==== 3. Run dspam_stats ====

==== 3. Run dspam_stats ====

  dspam_state [username]

  dspam_state [username]

If you receive an error such as "unable to open /usr/local/var/dspam... for reading", then the dspam agent is not configured correctly. The problem could exist in either your mail server configuration or one or more of the permissions on the directory or agent.  Check your configuration and permissions, and repeat this step until the correct results are experienced.

If you receive an error such as "unable to open /usr/local/var/dspam... for reading", then the dspam agent is not configured correctly. The problem could exist in either your mail server configuration or one or more of the permissions on the directory or agent.  Check your configuration and permissions, and repeat this step until the correct results are experienced.

==== 4. Run dspam_dump ====

==== 4. Run dspam_dump ====

  dspam_dump [username]

  dspam_dump [username]

  7717766825815048192  S: 00265  I: 00068  P: 0.7358

  7717766825815048192  S: 00265  I: 00068  P: 0.7358

==== 5. Forward the test message ====

==== 5. Forward the test message ====

Forward the test message to the spam alias you've created for the test account. Provide enough time for the message to have processed.

Forward the test message to the spam alias you've created for the test account. Provide enough time for the message to have processed.

==== 6. Run dspam_stats again ====

==== 6. Run dspam_stats again ====

  dspam_state [username]

  dspam_state [username]

If this is not the case, check the group permissions of the dspam agent as well as the permissions your MTA uses when piping to aliases.

If this is not the case, check the group permissions of the dspam agent as well as the permissions your MTA uses when piping to aliases.

    

    

==== 7. Run dspam_dump [username] again ====

==== 7. Run dspam_dump [username] again ====

dspam_dump [username]

dspam_dump [username]

If you have some tokens that do not have an S: of 1 or an I: of 0, the dspam signature was not found on the email, and this could be due to a lot of things.

If you have some tokens that do not have an S: of 1 or an I: of 0, the dspam signature was not found on the email, and this could be due to a lot of things.

=== TROUBLESHOOTING ===

=== TROUBLESHOOTING ===

''Problem:''

''Problem:''

No files are being created in the user directory

No files are being created in the user directory

Check the directory permissions of the directory.  The user directory must be writable by the user the dspam agent is running as as well as the CGI user.

Check the directory permissions of the directory.  The user directory must be writable by the user the dspam agent is running as as well as the CGI user.

''Problem:''

''Problem:''

False positives are never being delivered

False positives are never being delivered

Your CGI most likely doesn't have the privileges required by the LDA to deliver the messages.  Make sure the CGI user is in the correct group. Also consider setting the dspam agent to setuid or setgid with the correct permissions.

Your CGI most likely doesn't have the privileges required by the LDA to deliver the messages.  Make sure the CGI user is in the correct group. Also consider setting the dspam agent to setuid or setgid with the correct permissions.

''Problem:''

''Problem:''

My database is getting huge!

My database is getting huge!

''Solution:''

''Solution:''

A few useful tools have been provided to make DSPAM management a bit easier. These tools include:

A few useful tools have been provided to make DSPAM management a bit easier. These tools include:

  dspam_admin

  dspam_admin

Syntax: dspam_train [username] [spam_dir] [nonspam_dir] where username is the username of the user to apply the training to, and the two dirs represent directories containing messages in individual files (e.g. maildir/corpus format). dspam_train can be used on an existing user's database, to further improve accuracy, or to train from scratch. It also provides a solid test jig for testing the efficiency and accuracy of a test corpus against the filter.  

Syntax: dspam_train [username] [spam_dir] [nonspam_dir] where username is the username of the user to apply the training to, and the two dirs represent directories containing messages in individual files (e.g. maildir/corpus format). dspam_train can be used on an existing user's database, to further improve accuracy, or to train from scratch. It also provides a solid test jig for testing the efficiency and accuracy of a test corpus against the filter.  

dspam_train will automatically balance training of the corpus to ensure both spam and nonspam are trained based on the ratio of spam/nonspam. this means if you have twice as much spam as nonspam, two spam will be trained for every nonspam.

dspam_train will automatically balance training of the corpus to ensure both spam and nonspam are trained based on the ratio of spam/nonspam. this means if you have twice as much spam as nonspam, two spam will be trained for every nonspam.

      

      

  dspam_clean

  dspam_clean

Performs nightly housecleaning by deleting old or useless data from user data.  dspam_clean performs the following operations:

Performs nightly housecleaning by deleting old or useless data from user data.  dspam_clean performs the following operations:

1. Using the -s flag, dspam_clean will continue to perform stale signature purging.  If an age is specified, for example -s14, the age defined as the default will be overridden. Specifying an age of 0 will delete all signatures for the users processed.

1. Using the -s flag, dspam_clean will continue to perform stale signature purging.  If an age is specified, for example -s14, the age defined as the default will be overridden. Specifying an age of 0 will delete all signatures for the users processed.

                                                                                  

                                                                                  

  - Tokens which have only one spam hit

  - Tokens which have only one spam hit

  - Tokens which have only one innocent hit

  - Tokens which have only one innocent hit

Ages may be overridden by specifying a format such as -u30,15,10,10 where each number represents the respective age.  Specifying an age of zero will delete all unused tokens in the category. Defaults are set in dspam.conf.

Ages may be overridden by specifying a format such as -u30,15,10,10 where each number represents the respective age.  Specifying an age of zero will delete all unused tokens in the category. Defaults are set in dspam.conf.

                                                                                  

                                                                                  

  dspam_clean -s -p -u

  dspam_clean -s -p -u

Displays the spam statistics for one or all users on the system.

Displays the spam statistics for one or all users on the system.

Syntax: dspam_stats [username]

Syntax: dspam_stats [username]

Reads the /etc/passwd file and outputs a dspam aliases table which can be included in the master aliases table.  You may try Art Sackett's generate_dspam_aliases tool at http://www.artsackett.com/freebies/generate_dspam_aliases/ if you need some better functionality.  This will eventually be merged in as a replacement for the existing tool.

Reads the /etc/passwd file and outputs a dspam aliases table which can be included in the master aliases table.  You may try Art Sackett's generate_dspam_aliases tool at http://www.artsackett.com/freebies/generate_dspam_aliases/ if you need some better functionality.  This will eventually be merged in as a replacement for the existing tool.

Merges multiple users' dictionaries together into one user's dictionary (does not affect the merge users).  This can be used to create a seeded dictionary for a new user, or to copy a single user's dictionary to a new file.  This is great for building global dictionaries, but crunches a lot of time and disk.

Merges multiple users' dictionaries together into one user's dictionary (does not affect the merge users).  This can be used to create a seeded dictionary for a new user, or to copy a single user's dictionary to a new file.  This is great for building global dictionaries, but crunches a lot of time and disk.

=== AGENT COMMANDLINE ARGUMENTS ===

=== AGENT COMMANDLINE ARGUMENTS ===

==== Specifying a User ====

==== Specifying a User ====

The DSPAM agent (dspam) recognizes the following commandline arguments:

The DSPAM agent (dspam) recognizes the following commandline arguments:

  --user [user1 user2 ... userN]

  --user [user1 user2 ... userN]

Specifies the destination user(s) of the incoming message.  DSPAM then processes the message once for each user individually.  If the message is to be delivered, the $u (or %u) parameters of the arguments string will be interpolated for the current user being processed.

Specifies the destination user(s) of the incoming message.  DSPAM then processes the message once for each user individually.  If the message is to be delivered, the $u (or %u) parameters of the arguments string will be interpolated for the current user being processed.

<br>

<br>

==== Classification ====

==== Classification ====

  --class=[spam|innocent]

  --class=[spam|innocent]

Tells DSPAM that the message being presented has already been classified by the user.  This flag should be used when a misclassification has occurred, when the user is corpus-feeding a message, or an inoculation is being presented.  This flag must be used in conjunction with the --source flag. Providing no classification invokes the SOP of DSPAM, which is to determine the message's nature on its own.

Tells DSPAM that the message being presented has already been classified by the user.  This flag should be used when a misclassification has occurred, when the user is corpus-feeding a message, or an inoculation is being presented.  This flag must be used in conjunction with the --source flag. Providing no classification invokes the SOP of DSPAM, which is to determine the message's nature on its own.

<br>

<br>

==== Source ====

==== Source ====

  --source=[error|corpus|inoculation]

  --source=[error|corpus|inoculation]

Wherever --class is used, the source of the user-provided classification must also be provided.  The source is very important and dramatically affects DSPAM's training behavior:

Wherever --class is used, the source of the user-provided classification must also be provided.  The source is very important and dramatically affects DSPAM's training behavior:

'''error:'''<br>

'''error:'''<br>

The message being presented was a message previously misclassified by DSPAM.  When 'error' is provided as a source, DSPAM requires that the DSPAM signature be present in the message, and will use the signature to recall the original training metadata.  If the signature is not present, the message will be rejected.  In this source mode, DSPAM will also decrement each token's previous classification's count as well as the user totals.

The message being presented was a message previously misclassified by DSPAM.  When 'error' is provided as a source, DSPAM requires that the DSPAM signature be present in the message, and will use the signature to recall the original training metadata.  If the signature is not present, the message will be rejected.  In this source mode, DSPAM will also decrement each token's previous classification's count as well as the user totals.

'''corpus:'''<br>

'''corpus:'''<br>

The message being presented is from a mail corpus, and should be trained as a new message, rather than re-trained based on a signature.  The message's full headers and body will be analyzed and the correct classification will be incremented, without its opposite being decremented.

The message being presented is from a mail corpus, and should be trained as a new message, rather than re-trained based on a signature.  The message's full headers and body will be analyzed and the correct classification will be incremented, without its opposite being decremented.

'''inoculation:'''<br>

'''inoculation:'''<br>

The message being presented is in pristine form, and should be trained as an inoculation.  Inoculations are a more intense mode of training designed to cause DSPAM to train the user's metadata repeatedly on previously unknown tokens, in an attepmt to vaccinate the user from future messages similar to the one being presented.

The message being presented is in pristine form, and should be trained as an inoculation.  Inoculations are a more intense mode of training designed to cause DSPAM to train the user's metadata repeatedly on previously unknown tokens, in an attepmt to vaccinate the user from future messages similar to the one being presented.

<br>

<br>

  --deliver=[innocent,spam]

  --deliver=[innocent,spam]

Tells DSPAM to deliver the message if its result falls within the criteria specified.  For example, --deliver=innocent will cause DSPAM to only deliver the message if it classifies as innocent.  Providing --deliver=innocent,spam will cause DSPAM to deliver the message regardless of its classification.  This flag provides a significant amount of flexibility for nonstandard implementations, where false positives may not be delivered but spam is, and etcetera.

Tells DSPAM to deliver the message if its result falls within the criteria specified.  For example, --deliver=innocent will cause DSPAM to only deliver the message if it classifies as innocent.  Providing --deliver=innocent,spam will cause DSPAM to deliver the message regardless of its classification.  This flag provides a significant amount of flexibility for nonstandard implementations, where false positives may not be delivered but spam is, and etcetera.

  --stdout

  --stdout

If the message is indeed deemed "deliverable" by the --deliver flag, this flag will cause DSPAM to deliver the message to stdout, rather than the configured delivery agent.

If the message is indeed deemed "deliverable" by the --deliver flag, this flag will cause DSPAM to deliver the message to stdout, rather than the configured delivery agent.

  --process

  --process

Tells DSPAM to process the message.  This is the default behavior, and the flag is implied unless --classify is used - but is a good idea to use to avoid ambiguity.

Tells DSPAM to process the message.  This is the default behavior, and the flag is implied unless --classify is used - but is a good idea to use to avoid ambiguity.

  --classify

  --classify

Tells DSPAM only to classify the message, and not make any writes to the user's metadata or attempt to deliver/quarantine the message.

Tells DSPAM only to classify the message, and not make any writes to the user's metadata or attempt to deliver/quarantine the message.

''NOTE:''<br>

''NOTE:''<br>

The output of the classification is specific to the user, not including the output of any groups they might be affiliated with, so it is entirely possible that the message would be caught as spam by the group, even if it didn't appear in the classification.  If you want to get the classification for the GROUP, use the group name as the user instead of an individual.

The output of the classification is specific to the user, not including the output of any groups they might be affiliated with, so it is entirely possible that the message would be caught as spam by the group, even if it didn't appear in the classification.  If you want to get the classification for the GROUP, use the group name as the user instead of an individual.

<br>

<br>

==== Signatures ====

==== Signatures ====

  --signature=[signature]

  --signature=[signature]

For some implementations, the admin may wish to pass the signature in via commandline instead of allowing DSPAM to find it on its own. This is especially useful when front-ending the agent with other tools. Using this option will set the active signature and will also forego reading of stdin.

For some implementations, the admin may wish to pass the signature in via commandline instead of allowing DSPAM to find it on its own. This is especially useful when front-ending the agent with other tools. Using this option will set the active signature and will also forego reading of stdin.

<br>

<br>

==== Training Modes ====

==== Training Modes ====

    

    

  --mode=[toe|tum|teft|notrain|unlearn]

  --mode=[toe|tum|teft|notrain|unlearn]

Configures the training mode to be used for this process:

Configures the training mode to be used for this process:

<br>

<br>

===== TEFT =====

===== TEFT =====

Train-Everything.  Trains on all messages processed.  This is a very thorough training approach and should be considered the standard training approach for most users.  TEFT may, however, prove too volatile on installations with extremely high per-user traffic, or prove not very scalable on systems with extremely large user-bases.  In the event that TEFT is proving ineffective, one of the other modes is recommended.

Train-Everything.  Trains on all messages processed.  This is a very thorough training approach and should be considered the standard training approach for most users.  TEFT may, however, prove too volatile on installations with extremely high per-user traffic, or prove not very scalable on systems with extremely large user-bases.  In the event that TEFT is proving ineffective, one of the other modes is recommended.

Until a user reaches 100 innocent messages in their metadata, train-on-error will also be teft-based, even if otherwise specified on the commandline.

Until a user reaches 100 innocent messages in their metadata, train-on-error will also be teft-based, even if otherwise specified on the commandline.

===== TOE =====

===== TOE =====

Train-on-Error.  Trains only on a classification error, once the user's metadata has matured to 2500 innocent messages.  This training mode is much less resource intensive, as only occasional metadata writes are necessary.  It is also far less volatile than the TEFT mode of training.  One drawback, however, is that TOE only learns when DSPAM has made a mistake - which means the data is sometimes too static, and unable to "ease into" a different type of behavior.

Train-on-Error.  Trains only on a classification error, once the user's metadata has matured to 2500 innocent messages.  This training mode is much less resource intensive, as only occasional metadata writes are necessary.  It is also far less volatile than the TEFT mode of training.  One drawback, however, is that TOE only learns when DSPAM has made a mistake - which means the data is sometimes too static, and unable to "ease into" a different type of behavior.

===== TUM =====

===== TUM =====

Train-until-Mature.  This training mode is a hybrid between the other two training modes and provides a great balance between volatility and static metadata.  TuM will train on a per-token basis only tokens which have had fewer than 50 "hits" on them, unless an error is being retrained in which case all tokens are trained.  This training mode provides a solid core of stable tokens to keep accuracy consistent, but also allows for dynamic adaptation to any new types of email behavior a user might be experiencing. It is a balance of resources as well, as only less-than-mature tokens are written to the database. NOTE: You should corpus train before using tum.

Train-until-Mature.  This training mode is a hybrid between the other two training modes and provides a great balance between volatility and static metadata.  TuM will train on a per-token basis only tokens which have had fewer than 50 "hits" on them, unless an error is being retrained in which case all tokens are trained.  This training mode provides a solid core of stable tokens to keep accuracy consistent, but also allows for dynamic adaptation to any new types of email behavior a user might be experiencing. It is a balance of resources as well, as only less-than-mature tokens are written to the database. NOTE: You should corpus train before using tum.

===== NOTRAIN =====

===== NOTRAIN =====

No training.  Do not train the user's data, and do not keep totals. This should only be used in cases where you want to process mail for a particular user (based on a group, for example), but don't want the user to accumulate any learning data.

No training.  Do not train the user's data, and do not keep totals. This should only be used in cases where you want to process mail for a particular user (based on a group, for example), but don't want the user to accumulate any learning data.

===== UNLEARN =====

===== UNLEARN =====

Unlearn original training. Use this if you wish to unlearn a previously learned message. Be sure to specify --source=error and --class to whatever the original classification the message was learned under. If not using TrainPristine, this will require the original signature from training.

Unlearn original training. Use this if you wish to unlearn a previously learned message. Be sure to specify --source=error and --class to whatever the original classification the message was learned under. If not using TrainPristine, this will require the original signature from training.

'''RECOMMENDATIONS'''

'''RECOMMENDATIONS'''

In general, it is recommended that users begin with TEFT.  If a user is experiencing between a 75-85% spam ratio, they may benefit from Train-on-Mature mode.  If a user is experiencing over 90% spam, then Train-on-Error mode should make a noticeable improvement in accuracy. It eventually boils down to what works best for your users.  There is no reason a system could not be configured (with a script) to analyze a user's *.stats file and determine the best training mode for that user.

In general, it is recommended that users begin with TEFT.  If a user is experiencing between a 75-85% spam ratio, they may benefit from Train-on-Mature mode.  If a user is experiencing over 90% spam, then Train-on-Error mode should make a noticeable improvement in accuracy. It eventually boils down to what works best for your users.  There is no reason a system could not be configured (with a script) to analyze a user's *.stats file and determine the best training mode for that user.

==== Features ====

==== Features ====

Specifies the features that should be activated for this filter instance. The following features may be used individually or combined using a comma as a delimiter:

Specifies the features that should be activated for this filter instance. The following features may be used individually or combined using a comma as a delimiter:

Automatic whitelisting.  DSPAM will keep track of the entire "From:" line for each message received per user, and automatically whitelist messages from senders with more than 10 innocent messages and zero spams.  Once the user reports a spam from the sender, automatic whitelisting will automatically be deactivated for that sender.  Since DSPAM uses the entire "From:" line, and not just the sender's email address, automatic whitelisting is a very safe approach to improving accuracy during initial training.

Automatic whitelisting.  DSPAM will keep track of the entire "From:" line for each message received per user, and automatically whitelist messages from senders with more than 10 innocent messages and zero spams.  Once the user reports a spam from the sender, automatic whitelisting will automatically be deactivated for that sender.  Since DSPAM uses the entire "From:" line, and not just the sender's email address, automatic whitelisting is a very safe approach to improving accuracy during initial training.

None of the present features are necessary when the source is "error", because the original training data is used from the signature to retrain, instantiating whatever features (such as whitelisting) were active at the time of the initial classification.  Since BNR is only necessary when a message is being classified, the --feature flag can be safely omitted from error source calls.

None of the present features are necessary when the source is "error", because the original training data is used from the signature to retrain, instantiating whatever features (such as whitelisting) were active at the time of the initial classification.  Since BNR is only necessary when a message is being classified, the --feature flag can be safely omitted from error source calls.

<br>

<br>

  --daemon

  --daemon

Puts DSPAM in daemon mode; e.g. DSPAM acts like a server when started with this parameter. See section 2.3 for more information about daemon mode.

Puts DSPAM in daemon mode; e.g. DSPAM acts like a server when started with this parameter. See section 2.3 for more information about daemon mode.

<br>

<br>

== LINKING WITH LIBDSPAM ==

== LINKING WITH LIBDSPAM ==

----

----

   <COMMERCIAL LICENSING>

   <COMMERCIAL LICENSING>

   IF YOUR PROJECT USES THE LIBDSPAM API, A GPL-COMPATIBLE OPEN SOURCE LICENSE

   IF YOUR PROJECT USES THE LIBDSPAM API, A GPL-COMPATIBLE OPEN SOURCE LICENSE

   IS REQUIRED IN ORDER TO REDISTRIBUTE. IF YOU ARE DEVELOPING A CLOSED-SOURCE  

   IS REQUIRED IN ORDER TO REDISTRIBUTE. IF YOU ARE DEVELOPING A CLOSED-SOURCE  

   NOT REDISTRIBUTE ANY APPLICATIONS USING LIBDSPAM WITHOUT A COMMERCIAL  

   NOT REDISTRIBUTE ANY APPLICATIONS USING LIBDSPAM WITHOUT A COMMERCIAL  

   LICENSE.

   LICENSE.

   COMMERCIAL LICENSING BENEFITS:

   COMMERCIAL LICENSING BENEFITS:

   - PRIORITY DEVELOPER SUPPORT

   - PRIORITY DEVELOPER SUPPORT

   - NON-GPL REDISTRIBUTION PRIVILEGES

   - NON-GPL REDISTRIBUTION PRIVILEGES

   - BUG AND FEATURE REQUEST PRIORITY

   - BUG AND FEATURE REQUEST PRIORITY

   about commercial licensing.  

   about commercial licensing.  

   </COMMERCIAL LICENSING>

   </COMMERCIAL LICENSING>

   To link to libdspam, follow the instructions for compiling and installing  

   To link to libdspam, follow the instructions for compiling and installing  

   DSPAM. When compiled, the libdspam static and shared libraries are also  

   DSPAM. When compiled, the libdspam static and shared libraries are also  

   built. This library contains all the functions necessary to use dspam's  

   built. This library contains all the functions necessary to use dspam's  

   filtering in your application.  

   filtering in your application.  

   Your application will also need to link to the correct storage driver

   Your application will also need to link to the correct storage driver

   libraries. If you are using libdspam in a multithreaded application, you

   libraries. If you are using libdspam in a multithreaded application, you

   will need to either use a thread-safe storage driver or control access to

   will need to either use a thread-safe storage driver or control access to

   libdspam using a mutex lock.

   libdspam using a mutex lock.

   If you are using libdspam in a multithreaded environment, each thread will

   If you are using libdspam in a multithreaded environment, each thread will

   require its own DSPAM context. Fortunately, you can attach the same

   require its own DSPAM context. Fortunately, you can attach the same

   database handle to each context using dspam_attach(). See the man page for

   database handle to each context using dspam_attach(). See the man page for

   more information.

   more information.

   To build with the dspam API, you will also need the header files from

   To build with the dspam API, you will also need the header files from

   the distribution.  You can copy these to /usr/include/dspam for ease of

   the distribution.  You can copy these to /usr/include/dspam for ease of

   use, and then use -I/usr/include/dspam

   use, and then use -I/usr/include/dspam

   Please see example.c for API examples.

   Please see example.c for API examples.

   If you are interested in linking libdspam with your project and have  

   If you are interested in linking libdspam with your project and have  

   questions or concerns, please contact the dspam-dev mailing list.

   questions or concerns, please contact the dspam-dev mailing list.

=== CONFIGURING GROUPS ===

=== CONFIGURING GROUPS ===

   To create groups, you'll want to create a file with the filename 'group'  

   To create groups, you'll want to create a file with the filename 'group'  

   group.

   group.

   Classification groups allow a group of users to network their results

   Classification groups allow a group of users to network their results

   together.  If DSPAM is uncertain of whether a message is spam or nonspam for

   together.  If DSPAM is uncertain of whether a message is spam or nonspam for

   established between both parties.

   established between both parties.

   Global groups allows DSPAM to provide a "SpamAssassin type out-of-the-box

   Global groups allows DSPAM to provide a "SpamAssassin type out-of-the-box

   filtering" for all new users until they have built their own useful

   filtering" for all new users until they have built their own useful

   treated just as any other user on the system.

   treated just as any other user on the system.

   Merged groups are similar to global groups in that the entire system uses

   Merged groups are similar to global groups in that the entire system uses

   a single global user as a parent.  What's different is that the global

   a single global user as a parent.  What's different is that the global

   the group.

   the group.

   If you are running dspam_clean, be sure to set a preference for your merged

   If you are running dspam_clean, be sure to set a preference for your merged

   out your entire merged group user's dataset, since it's old).

   out your entire merged group user's dataset, since it's old).

=== EXTERNAL INOCULATION THEORY ===

=== EXTERNAL INOCULATION THEORY ===

   "Part of the problem is that spam isn't stationary, it evolves. That  

   "Part of the problem is that spam isn't stationary, it evolves. That  

   harvester bots, making them obsolete as counter-productive tools.

   harvester bots, making them obsolete as counter-productive tools.

=== CLIENT/SERVER MODE ===

=== CLIENT/SERVER MODE ===

=== LMTP ===

=== LMTP ===

   LMTP (AND SMTP) DELIVERY

   LMTP (AND SMTP) DELIVERY

   In both cases, the content provided between < > is what is actually used.

   In both cases, the content provided between < > is what is actually used.

=== DSPAM USER PREFERENCES ===

=== DSPAM USER PREFERENCES ===