## This is usually edited under -*- indented-text -*- on Emacs # $Id: sample.conf,v 1.13 2005/03/16 22:13:23 lem Exp $ # This file contains a sample config file for the acompanying software. # # Please be sure to read through it and modify according to your # specific needs. This is specially true since this file might # contain nonsense, as its purpose is to document each and every # configuration entry. # # YOU HAVE BEEN WARNED ## The config begins here... ## # These are the flags for the POP3 reader ## # The following ones are actually easy to figure out. pop3 server: pop.yourdomain.com pop3 username: abuse pop3 password: Sp@mH@73r # If you want the reader to delete each fetched message, set # this one to a true value. Otherwise comment it or set it to # a false value pop3 delete: 1 # Uncomment the next line to produce a lot of debugging messages # pop3 debug: 1 ## # These are the flags for the Google(tm) Groups reader ## # A regexp to look for in the NANAS articles. Articles that match are # considered as reports. google groups search: usually.your.organization.top.level.domain # Which server to connect to. Defaults ro groups.google.com. google groups server: groups.google.com # If your organization requires a proxy server, say so below google groups proxy: your.proxy.server # How much time to look back in history. Only matching articles that are # this age or younger will be considered. google groups oldest message: 5 days ago # If you need debug info, toggle this google groups debug: 0 # Limit in the number of articles to consider. Only this number of # articles will be returned. You should tune this to suit your # organization. If this number is set too high, you might crawl the # whole Google(tm) archive, which does not seem like a bright idea, so set # this to a rather small number. google groups max messages: 3 ## # These flags control the Log incident parser ## # When trying to parse generic logs, you can tell the module to look # at a non-default number of contiguous lines. The default is 5. log lines: 3 # You can also set debugging for the Log parser # log debug: 1 ## # These flags control the Received: header parser ## # Sets the debug output for the Received: header parser # debug received: 1 ## # These are the flags for the Time filter ## # Use this to configure the point in time before which you will not # consider an incident. If left unspecified, the module will assume # that you do not care about incidents after 96 hours have elapsed. filter before: 96 hours ago # This can be used to specify a default timestamp to use when # interpreting dates. It defaults to UTC filter local timezone: UTC # If you want to see some debug messages, uncomment the line below # debug time filter: 1 ## # These flags control the IP filter ## # The line below specifies the address range for which you're # responsable. It should always be specified in order to ignore # incidents for which you most likely care very little. See # NetAddr::IP for the formats you can use to specify a subnet. source ip within: 10.0.0.0/24, 10.0.1.0/24 # Sometimes, your address space is not easily described with a # contiguous netblock. For these cases, you can use the following line # to add "holes" to the space you care about. source ip outside: 10.0.0.0/27 ## # These flags control the Store processor, which you can use to # convert a report into an intermediate structure that hopefully, can # be used by other utilities ## # You can specify where to store the tree with the serialized reports # by setting the value for the following key. Commenting it, you # default to the current directory, which may or may not be a good # idea... store root path: /var/spool/spam-reports # As customary, this module can output some debugging information # depending on the value of the following key... # debug store: 1 ## # These flags control the Mailer processor, which can provide an # auto-answer to the affected users regarding their report. ## # The customary debug flag. You should be already familiar with it. #debug mailer: 1 # The mailer type used to send email. Please see Mail::Mailer for the # accepted values for this flag. This defaults to "mail", which uses # a local command in your system for delivery. This is probably the most # reliable mode of operation on *nix hosts, as mail will be queued by the # mail system in case of error. mailer type: mail # The from address to include in the headers. Now, this might not work on # your email configuration if the MTA or MUA changes it. This argument is # mandatory. Here, we produce a sensible default. mailer from: abuse # The address that should be used by recipients of the receipt to reply. # We use this default so as to discourage replying, as your auto-response # should be detailed enough so as to not require further explanations :) mailer reply to: please-do-not-reply-to-this # The address that will be collecting the delivery errors associated with # the receipts produced by this module. Depending on your workload, this # might be a real account or a bit bucket. We chose the later. mailer errors to: nobody # For testing purposes, you could force ::Mailer to always send the # response to a given address, such as in this example. mailer forced to: testme@my.own.domain # The subject to place in your responses mailer subject: Your funky subject line # This contains the name of a file to use as a template response whenever # the abuse report does not end up with any incidents. This should contain # an absolute path to a file, but we specify it here like this, to give you # a hint about where to look at for a template. mailer fail message: etc/fail.template # Conversely, this contains the name of the message template to use when # the abuse report can be properly analyzed and ends up with at least, # one incident. mailer success message: etc/success.template ## # These flags control the Score processor, which can help priorize # your incident-response processes by assigning scores to the abuse # reports. Those scores can be used later to trim out "noise" reports. ## # The customary debug flag. You should be already familiar with it. #debug score: 1 # In this example, we use the incident scoring method to assign more # weight to SpamCop/MyNetWatchman abuse reports. score incident type: 2 ^(spam/SpamCop|mynetwatchman/) # Here, since we know of a user that submits fake abuse reports, we # will be getting rid of this... score report text: -99999999 ^From:\s+Some\sSaboteur ## ...and ends here.