Configuration

Fedele Mantuano edited this page Dec 20, 2016 · 11 revisions

Configuration tree

conf
├── content_types
│   ├── blacklist
│   │   └── generics.example.yml
│   ├── tika
│   │   └── generics.example.yml
│   └── virustotal
│       └── generics.example.yml
├── keywords
│   ├── subjects.example.yml
│   └── targets.example.yml
├── spamscope.example.yml
├── templates
│   └── spamscope.json
└── whitelists
    └── generic.example.yml

spamscope.example.yml

This is the main configuration file. It contains the configuration of every spout and bolt. The following example contains all the options that you can use. I will explain the main options; for the other ones you can read the inline comments.

The default path of the configuration file is /etc/spamscope/spamscope.yml, but it is possible to override it with the environment variable SPAMSCOPE_CONF_FILE:

$ export SPAMSCOPE_CONF_FILE=/etc/spamscope/spamscope.yml

Every section of the configuration file belongs to one bolt or spout and has the same name as that component.

files-mails

This part is related to the configuration of the files-mails spout. This spout works with mails stored on the file system. The mails can be either on the local host or on a remote NFS mount.

In the post_processing section you decide whether mails are removed or moved after analysis. If you choose to move them, you must set the where option.

In the mailboxes section you set the paths of your mails. The layout assumes that you may have several mailboxes on several hosts:

  • mail_server is only a label; it is reported in the results
  • files_pattern is the glob pattern of the file names to pick up
  • priority is the processing priority. Priority 1 is processed before priority 2.
  • path_mails is the folder that holds the mails of this mailbox.

You can add as many mailboxes as you want.

All files-mails configuration:

# Spout file on file system
files-mails:

    # Reload new mails after reload.mails analyzed
    reload.mails: 1000

    # Waiting new mails, sleep seconds
    waiting.sleep: 1

    # Post processing 
    post_processing:

        # move or remove mails?
        what: remove 

        # if move where
        where: /mnt/testing/spamscope/mails/moved

        # if failed move in where.failed
        where.failed: /mnt/testing/spamscope/mails/failed

    # Mailboxes
    mailboxes: 
        test: 
            mail_server: hostname
            # Trust string is used to get sender IP address from mail server.
            # More details: https://github.com/SpamScope/mail-parser/blob/v0.4.6/mailparser/__init__.py#L221
            trust_string: "test_trust_string"
            files_pattern: "*untroubled*"
            priority: 1
            path_mails: /path/mails1
        test1: 
            mail_server: hostname
            trust_string: "test1_trust_string"
            files_pattern: "*"
            priority: 2
            path_mails: /path/mails2
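The checks a practitioner wants before deploying the section above are that post_processing is consistent (move without where is a misconfiguration) and that the mailboxes are processed in priority order with the right files_pattern. The following is an added example, not SpamScope's own code: it works on the dict that a YAML parser would produce from the files-mails section above (constructed inline here so it runs offline) and uses a constructed file list instead of a real directory listing.

```python
"""Added example (not SpamScope's own code): validate the files-mails
section and order its mailboxes for processing.

Assumptions: the section is given as the dict a YAML parser would build from
the spamscope.yml above; file names are a constructed list, not a real
directory, so the example runs offline.
"""
import fnmatch

# Constructed stand-in for the parsed "files-mails" section.
FILES_MAILS_CONF = {
    "reload.mails": 1000,
    "waiting.sleep": 1,
    "post_processing": {
        "what": "move",
        "where": "/mnt/testing/spamscope/mails/moved",
        "where.failed": "/mnt/testing/spamscope/mails/failed",
    },
    "mailboxes": {
        "test": {
            "mail_server": "hostname",
            "trust_string": "test_trust_string",
            "files_pattern": "*untroubled*",
            "priority": 1,
            "path_mails": "/path/mails1",
        },
        "test1": {
            "mail_server": "hostname",
            "trust_string": "test1_trust_string",
            "files_pattern": "*",
            "priority": 2,
            "path_mails": "/path/mails2",
        },
    },
}


def validate_post_processing(conf):
    """Return a list of problems found in post_processing (empty if OK)."""
    pp = conf.get("post_processing", {})
    problems = []
    what = pp.get("what")
    if what not in ("move", "remove"):
        problems.append("post_processing.what must be 'move' or 'remove'")
    # The page states: if you move mails, 'where' must be set.
    if what == "move" and not pp.get("where"):
        problems.append("post_processing.where is required when what is 'move'")
    return problems


def destination_for(conf, analysed_ok):
    """Folder a processed mail ends up in: None means it is deleted."""
    pp = conf["post_processing"]
    if pp["what"] == "remove":
        return None
    # Failed mails go to where.failed, successful ones to where.
    return pp["where"] if analysed_ok else pp["where.failed"]


def mailboxes_by_priority(conf):
    """Return (label, mailbox) pairs, lowest priority number first."""
    return sorted(conf["mailboxes"].items(), key=lambda kv: kv[1]["priority"])


def select_files(mailbox, filenames):
    """Keep only the file names matching the mailbox's files_pattern (glob)."""
    return [f for f in filenames if fnmatch.fnmatch(f, mailbox["files_pattern"])]


if __name__ == "__main__":
    print("problems:", validate_post_processing(FILES_MAILS_CONF))
    for label, mbox in mailboxes_by_priority(FILES_MAILS_CONF):
        print(label, mbox["path_mails"], mbox["files_pattern"])
```

Run it as a pre-flight check on your own parsed configuration: an empty problem list and the expected mailbox order mean the spout will pick up files in the order and from the folders you intended.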

phishing

This part is related to the configuration of the phishing bolt. There are two kinds of lists:

  • subjects: suspicious strings that you expect to find in mail subjects
  • targets: suspicious strings grouped by target. These strings are checked against all the other mail parts.

You can have more than one file for each list.

Subjects format example:

# Add suspect subjects with dash -

# keywords format:

# - word1 word2
# - word3
# - word4

# It's equal to:
# (word1 AND word2) OR word3 OR word4

- conferma
- bonifico

Targets format example:

Google:
    - gmail
    - google drive

Amazon:
    - amazon
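The comment in the subjects example spells out the matching rule: words on one line are ANDed, and the lines are ORed. The following is an added example, not SpamScope's own bolt: it applies that rule to a subject, applies the target groups to any other mail part, and merges several files for the same list (generic plus custom) as the configuration below allows. Case-insensitive substring matching is an assumption, and the list contents are constructed inline instead of being loaded from YAML.

```python
"""Added example (not SpamScope's own code): evaluate the phishing keyword
lists with the (word1 AND word2) OR word3 rule described in
conf/keywords/subjects.example.yml.

Assumptions: matching is case-insensitive substring matching (the real bolt
may differ); list contents are constructed inline rather than read from YAML.
"""

# Constructed stand-in for a parsed subjects list: one entry per line.
SUBJECTS_GENERIC = ["conferma", "bonifico"]
SUBJECTS_CUSTOM = ["bonifico", "account verify"]

# Constructed stand-in for a parsed targets list: target -> keywords.
TARGETS = {
    "Google": ["gmail", "google drive"],
    "Amazon": ["amazon"],
}


def entry_matches(entry, text):
    """One list entry: every space-separated word must occur (AND)."""
    haystack = text.lower()
    return all(word in haystack for word in entry.lower().split())


def merge_lists(*lists):
    """Combine several files for the same list (generic + custom), keeping order."""
    merged = []
    for lst in lists:
        for entry in lst:
            if entry not in merged:
                merged.append(entry)
    return merged


def matching_subjects(subject, entries):
    """Entries that match the subject; entries are ORed together."""
    return [e for e in entries if entry_matches(e, subject)]


def matching_targets(text, targets=TARGETS):
    """Targets with at least one matching keyword in the given mail part."""
    return sorted(
        name for name, keywords in targets.items()
        if any(entry_matches(k, text) for k in keywords)
    )


if __name__ == "__main__":
    subjects = merge_lists(SUBJECTS_GENERIC, SUBJECTS_CUSTOM)
    print(matching_subjects("Conferma bonifico urgente", subjects))
    print(matching_targets("Please sign in to your Gmail account"))
```

When you maintain both a generic and a custom file, merge them before matching as shown here so a keyword present in both is counted once; the per-target grouping lets you report which brand a suspicious mail imitates rather than only that it matched.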

All phishing configuration:

# Phishing bolt configuration
phishing:
    lists:
        subjects: 
            # Suspect subjects
            # Example in conf/keywords/subjects.example.yml
            generic: /path/to/generic_subjects
            custom: /path/to/custom_subjects

        targets:
            # Keyword for every targets
            # Example in conf/keywords/targets.example.yml
            generic: /path/to/generic_targets
            custom: /path/to/custom_targets