Cloudmark Authority Plug-in for SpamAssassin -- connects SA to 
locally-running Cloudmark anti-spam filtering system.

Jeremy Robin, Kent Brake, Doug McCasland
Cloudmark Inc. 2007-8


------------------------------------------------------------------
Requirements

* SpamAssassin v3+ installed and tested.

* perl version 5.8 or later.
  
* Params::Validate installed.  This is a perl module available from CPAN 
  -- visit http://search.cpan.org/dist/Params-Validate/lib/Params/Validate.pm

  IMPORTANT NOTE for Solaris 9/10 users: Params::Validate may not install 
  correctly via the CPAN shell.  In this case spamd will not load the
  Plug-in.  Please see Installation Notes below for details.

* this tar file (CMAE-SA-Integration-x-x-x-x.tar.gz).

* a Cloudmark Cartridge tar file (SpamDNA-version-x-x-x.tar.gz, where 
  version >= 3047) must be readable via a local or network path.

* a Cartridge License from Cloudmark.

* root login.

* these commands in the current PATH: gunzip, tar, make, perl


------------------------------------------------------------------
Installation

Become the root user.  The commands shown below should work in most 
cases, but some platforms may have different options for tar, etc.  

          
NOTE for Solaris only: In Solaris, the regular tar command may cause
errors during extraction of the CMAE-SA-Integration tar file, due to long
path names.  Use the GNU gtar command instead, found in /usr/sfw/bin.
For example:

	/usr/sfw/bin/gtar xfvz somename.tar.gz
          
Another approach is to use gunzip and a pipeline:

	gunzip < somename.tar.gz | tar xfv -
	
although you still may have path-length errors, depending on the tar version.


You may need to adjust the paths shown below to suit your installation.
SpamAssassin's config files are usually in /etc/mail/spamassassin (or
sometimes in /usr/local/etc/mail/spamassassin).  Cloudmark recommends
locating the Plug-in files below that directory.  However, the Plug-in
can be installed anywhere.

1.   cd to /etc/mail/spamassassin and untar the CMAE-SA-Integration 
     tar file.  (Perhaps you have already done this.)
     
     This creates a sub-directory called CMAE-SA-Integration-x-x-x-x.  

2.   For convenience, create a symlink called cmae:

          ln -s CMAE-SA-Integration-x-x-x-x cmae

     This symlink will be used below.  

3.   cd into cmae and run the install.pl script.  The script takes one 
     argument: the absolute path to the Cartridge tar file.

          ./install.pl /path-to-SpamDNA-cartridge-tar-file.tar.gz

     With some exceptions, the script installs all the components in
     sub-directories of cmae.  There are two perl modules that are written
     outside cmae, to your system's perl directories (e.g., /usr/lib/perl
     or /usr/local/lib/perl):

          * CMAE.pm is written to /perlpath/Mail/SpamAssassin/Plugin
          
          * Client.pm is written to /perlpath/Cloudmark/CMAE

     If CMAE.pm is already there from a previous install, then you'll
     be asked if it's okay to proceed.   If you say yes, then CMAE.pm is
     updated and a copy of the old version is saved in /tmp.  (This is 
     to accommodate the rare case where CMAE.pm was previously customized.)
     If the Client.pm file already exists, it is simply updated.

     Also, the install script installs the Plug-in's client config file, 
     sa_cmae_plugin.cfg, in /etc (if it's not there already). 

     If you want to install the Plug-in manually, please refer to 
     the INSTALL.manual file.

4.   The Cartridge License file is a simple text file containing two lines.
     It should be located at:

     	cmae/cloudmark/etc/license.cfg
	
     If you received the license as a text file (via an email attachment
     or download), then copy it to that location.  If you received the
     the info as two text lines, then create the file, using a text 
     editor or other means, and add the two lines of license text.

5.   Configure SpamAssassin's init.pre and local.cf files to run the 
     Cloudmark Plug-in.  These files are located in SpamAssassin's 
     system directory, such as /etc/mail/spamassassin.  Add this 
     anywhere in init.pre:

          loadplugin Mail::SpamAssassin::Plugin::CMAE

     Also add this anywhere in local.cf:

          ifplugin Mail::SpamAssassin::Plugin::CMAE
               full        CMAE_1  eval:check_msg()
               describe    CMAE_1  Cloudmark CMAE detected spam
               score       CMAE_1  10
          endif 

     For details about these settings, see Optional Configurations below.

6.   Now that the Plug-in is configured, SpamAssassin commands like
     spamd and spamasssasin will load the client side of the Plug-in
     whenever they are called.  But the client side needs to load
     a shared library named libcmaeclient.so.2.0.  It's located in
     cmae/cloudmark/lib, which is not a standard location for shared
     libraries.

     There are several ways to make the library location known to the
     spamd, spamassassin, and the Plug-in client:

	* set LD_LIBRARY_PATH, or
	* add a symlink in a standard location, or
	* add the actual location to the system's library cache

     Here is an example of setting the LD_LIBRARY_PATH environment
     variable before calling the spamd command (in bash):

	export LD_LIBRARY_PATH=/etc/mail/spamassassin/cmae/cloudmark/lib
	spamd

     The variable setting needs to be done (or in effect) every time
     you call spamd or spamassassin.

     NOTE: this LD_LIBRARY_PATH method may not work in FreeBSD, depending on
     your OS configuration.  Consult your FreeBSD dynamic linker/loader 
     documentation for more information.

     Another method is to create a symlink in /usr/lib or /usr/local/lib.
     You only do this once, when installing the Plug-in.  For example:

	cd /usr/local/lib
	ln -s /etc/mail/spamassassin/cmae/cloudmark/lib/libcmaeclient.so.2.0

     On Linux and FreeBSD, you should then run the ldconfig command
     (with no arguments); this adds the (symlinked) library to the
     current library cache.  With this approach, you can run the SA
     commands without setting LD_LIBRARY_PATH first.

     A more advanced method is to add the actual locations of the
     library to the system's library configuration.  Depending on your
     platform, you can do this by editing an ldconfig file or calling crle
     (Solaris).  Consult your system documentation for details.

     NOTE: you may need to add a second path to your library configuration
     if you get errors about libstdc++.  
     
     The libcmaeclient library depends on libstdc++.so.X, which is
     installed on many Unix systems in /usr/lib.  If the file is not
     installed, or is somehow incompatible with libcmaeclient, you will
     see warnings about libstdc++.  Cloudmark supplies the right
     libstdc++ library in cmae/cloudmark/syslib.  In this case, you need
     to configure the library path for both libcmaeclient and libstdc++.
     Here is a bash example of how to set the LD_LIBRARY_PATH variable
     for both library files.

	export LD_LIBRARY_PATH=/etc/mail/spamassassin/cmae/cloudmark/lib:\
				/etc/mail/spamassassin/cmae/cloudmark/syslib

     You can also use a symlink or other methods to expose the libstdc++ 
     library.  

     Note: spamc doesn't require any of the above settings.



NOTE:  Steps #7-10 are OPTIONAL.  You can use some of them or all of them
to speed up the Plug-in.  If you use spamd, you must restart it after making
any of the following changes.

7.   Comment out unwanted plug-ins (optional).  With the Cloudmark Plug-in 
     installed, you may want to turn off some or all other plug-ins.  
     You may find that more spam is detected, with greater accuracy 
     and throughput, when only the Cloudmark Plug-in is running.  In 
     any case, you will want to turn off the Razor2 Plug-in by 
     commenting out this line:

        ## loadplugin Mail::SpamAssassin::Plugin::Razor2

     This line can be found in v310.pre or another *.pre file.

     NOTE: in SA 3.2+, you should *not* comment out the Check plugin:

	loadplugin Mail::SpamAssassin::Plugin::Check

     or spamassassin/spamd will not start.  This line is included in the
     default SA v3.2+ installation and should be left as-is.

8.   Disable SA tests (optional).  With the Cloudmark Plug-in installed,
     you may want to disable SA's standard tests (also known as rule sets).  
     This often results in more spam being detected, at double the speed.

     The tests are .cf files in /usr/share/spamassassin.  Only one test
     is required: 10_misc.cf (in SA 3.2, this file has been renamed to 
     10_default_prefs.cf), which provides the X-headers in filtered
     messages.  Here are suggested commands to turn off the other tests
     (by simply moving them aside):

         cd /usr/share/spamassassin
	 mkdir tests-save
	 mv [2-9]*.cf tests-save
     
     If you can't find /usr/share/spamassassin, try looking for
     /usr/local/share/spamassassin.
    
9.   Turn off some SA options (optional).  By default, SpamAssassin
     checks for RBL hits via the Internet.  It also resolves sender IP
     with DNS.  With the Cloudmark Plug-in, these steps are not necessary.
     Also, SA uses Bayes analysis, which can also be turned off.
     Edit local.cf and apply these settings:

	skip_rbl_checks 1
	dns_available no
	use_bayes 0

10.  Turn on short-circuiting (optional).  In SpamAssassin v3.2 and later,
     you can configure short-circuiting.  This ends processing of a
     message if a specified test finds that it is spam -- further
     tests are not performed.  The result is faster spam-checking speed.

     If you have not disabled other tests (in Step #8 above), then
     short-circuiting can provide a substantial benefit.  The idea is
     to tell SA to call the Plug-in first (by using a very low priority
     number), then have it short-circuit if spam is detected.

     To configure short-ciruiting, add this anywhere in init.pre:

	loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

     Then add this anywhere in local.cf:

	ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
		priority CMAE_1 -5000
	        shortcircuit CMAE_1 on
		endif



------------------------------------------------------------------
Installation Notes

* CMAE connects about once per minute to Cloudmark servers to get the
  latest spam fingerprint data.  Normally this is done with a direct
  http connection on port 80.  If you need the connection go through
  a proxy server, then edit the Cartridge config file, 
  cmae/cloudmark/etc/cartridge.cfg, and look for a section called

     ## KEY: http proxy

  There are three sections here related to proxying: http, http with
  basic auth, and http with NTLM auth.  Edit the section that applies
  to your installation.  
  
  Then restart the CMAE server.  You can check for proxy errors in 
  cmae/cloudmark/log/server.log.

  If cartridge.cfg does not exist, then 

     cd cmae/cloudmark/etc
     cp cartridge.cfg.sample cartridge.cfg

  and edit. 


* Solaris 9/10 and Params::Validate.  In Solaris 9/10, this perl module 
  may not install properly, due to conflicts in the CPAN configuration
  and the location of the C compiler.  Even though regular installation
  of Params::Validate in the CPAN shell may look okay, the module will
  not load properly when the SpamAssassin Plug-in is called by spamd.
  (spamd will continue to run, but without the Plug-in.)

  So install (or re-install) Params::Validate using the following steps.

  1.  As root, start the perl CPAN shell:

	perl -MCPAN -e shell
   
  2.  Use the look command to download and unwrap Params::Validate
      (the CPAN prompt may look different on your screen):

	cpan[1]> look Params::Validate

      After the download and unwrap, a sub-shell is opened in the 
      directory where the module was unwrapped.  You should see a new 
      command-shell prompt.
   
  3.  Set your execution path to include the location of the C compiler.  

      In sh, ksh or bash:

	PATH=/opt/SUNWspro/bin:/usr/ccs/bin:/usr/bin:/usr/sbin

      Or in csh:

	set path = (/opt/SUNWspro/bin /usr/ccs/bin /usr/bin /usr/sbin)

      These are typical places, but the location of your C compiler may
      be different.  (This PATH setting will go away when you exit the
      sub-shell below.)

  4.  Run the Params::Validate MakeMaker script using the "--xs" flag:

	perl Makefile.PL --xs
   
      (Ignore any output regarding the C compiler not being found.)

  5.  Build, test and install the module in the usual way:

	make
	make test
	make install
   
  6.  Exit the sub-shell, then exit the CPAN shell:

	# exit
	cpan[2]> exit

   
------------------------------------------------------------------
Running the Cloudmark Plug-in

1.   Start the CMAE server (the server side of the Plug-in) by calling

          /etc/mail/spamassassin/cmae/cloudmark/bin/cmaed start

     After 5-10 seconds, you will see "Started cmae_server."  
     
     Now check the CMAE server's log file:
     
          cmae/cloudmark/log/server.log

     for any error messages.

     A common problem with a first-time installation is a misconfigured 
     or missing license file.  The error message might look like this:

	ERROR:MICROUPDATE: Could not update signatures from network 
	(missing license file [etc/license.cfg]).     

     In this case, the CMAE server will appear to run normally and provide
     spam-checking to SpamAssassin.  But the in-memory fingerprint database 
     will never get updated and the Plug-in accuracy rate will fall.

     Verify the location and content of your license file, as described
     in Step #4 of Installation (above).  
     
     If the error message says "not enabled", "expired", or "invalid",
     please contact your Cloudmark support representative.

     Note: The cmaed script can also be called with stop and restart
     as arguments.


2.   Test the new setup with these commands:

          spamassassin -D < some-email-message

     (The -D means show debug output.)  You should see

          dbg: plugin: loading Mail::SpamAssassin::Plugin::CMAE from @INC

     in the output.  If the message is spam, you will also see 
     "tests=CMAE_1,..." in the X-Spam-Status header and possibly 

          CMAE1  Cloudmark CMAE detected spam

     in the SpamAssassin content analysis section.  


     NOTE: If you get a warning message from spamassassin or spamd like:

	warn: plugin: failed to parse plugin

     then examine the rest of that warning line and look for:

	libcmaeclient.so.2.0: cannot open shared object file

     and/or

	libstdc++.so.X: cannot open shared object file

     This means that your LD_LIBRARY_PATH (or other library configuration)
     is missing the indicated file(s).  If you ignore the warning, then
     Cloudmark filtering will be skipped when a message is scored.

     To configure the location of these library files, see Step #6 
     under Installation above.  

     Note: the cmaed script does not require any of these library settings.
     

3.   If you use spamd, then just restart it.  Then call spamc to test it:

          spamc < some-email-message

     You should see the same header results as with the spamassassin 
     command.


4.   To enable the CMAE server to restart at boot time, put the full
     pathname of the cmaed command in one of your system startup
     scripts.  If you run spamd, then its startup script (usually named
     "spamassassin") is a good place.  Insert the cmae command right 
     before the spamd lines.  For example:

       start)
         echo -n "Starting CMAE (may take 10 sec.): "
	 /etc/mail/spamassassin/cmae/cloudmark/bin/cmaed start
         echo -n "Starting spamd: "
	 export LD_LIBRARY_PATH=/etc/mail/spamassassin/cmae/cloudmark/lib
         daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
	 echo "$NAME."
	 ;;

     Startup scripts vary widely.  The above is a simple example.

     NOTE: You must use the full pathname of the cmaed script when you
     call it from a system startup script.

     If, for some reason, you need to move the cmaed script itself
     outside the cmae/cloudmark/bin directory, then edit the cmaed file
     and set the CMAE_HOME variable at the top to the full cloudmark path.
     For example, CMAE_HOME=/etc/mail/spamassassin/cmae/cloudmark

     Note: The cmaed script sets its own LD_LIBRARY_PATH variable.  You
     only need to configure the library path when running the client side
     of the Plug-in.

------------------------------------------------------------------
Upgrade Notes

* When a new version of the Plug-in becomes available, you will be
  notified by email.  The email message will contain a URL to the
  downloadable software.  Upgrade instructions (very similar to Steps #1-3
  under Installation above) will be available on the same webpage.

* From time to time, a new Cartridge is issued, containing the latest
  message fingerprinting technology.  Cloudmark will send you an email
  with a URL, so you can download it.  Instructions will be available
  at the same URL.



------------------------------------------------------------------
Optional Configurations

* Change Port.  

  The CMAE server listens on port 2703.  You can change this to another 
  port by modifying the port settings in the Plug-in's server configuration 
  file and in the Plug-in's client configuration file.  Here are the paths 
  to those files:

     /etc/mail/spamassassin/cmae/cloudmark/etc/cmae_client_server.cfg
     /etc/sa_cmae_plugin.cfg

  Then restart the CMAE server with 

     /etc/mail/spamassassin/cmae/cloudmark/bin/cmaed restart

  followed by a restart of spamd (if used).


* Statistics

  The CMAE server generates statistics about its spam-filtering
  performance and periodically sends the data to Cloudmark servers.
  These statistics help Cloudmark discover the latest spam attacks
  and develop better anti-spam algorithms.  And if there's a problem
  with your installation, Cloudmark Support can analyze the stats from
  your server and make recommendations.  You can enhance this feedback
  process by adding your ID string to the cartridge config file.  This is
  usually a contact email address, but it can be your company name or
  other unique string.

  To add the ID string, edit this file:

      cmae/cloudmark/etc/cartridge.cfg
      
  and look for a section called

     ## KEY: customer id

  Add a line like this one:

     customer id = sysadm@mycompany.com

or

     customer id = My Company

  Then restart the CMAE server by calling  

          /etc/mail/spamassassin/cmae/cloudmark/bin/cmaed restart

  (If cartridge.cfg does not exist, then 

     cp cartridge.cfg.sample cartridge.cfg

  and edit.)

  Statistics are sent to Cloudmark over port 80 (the same port the CMAE
  server uses to download micro-update files).  All data are encrypted
  and never shared with anyone else.


* Score Empty Messages

  To make the Cloudmark Plug-in score empty messages as spam, edit the 
  Cartridge config file, cmae/cloudmark/etc/cartridge.cfg, and look 
  for a section called

     ## KEY: consider empty messages spam

  Add this line:

     consider empty messages spam = yes

  and restart the CMAE server.  Note that an empty message means it has 
  both empty (or whitespace) subject and body.  (If cartridge.cfg does not 
  exist, then 

     cp cartridge.cfg.sample cartridge.cfg

  and edit.)


* Report and Score Settings.  

  In the ifplugin section for CMAE in local.cf, you can change two settings.  
  The first one is:

     describe CMAE_1  Cloudmark CMAE detected spam

  The text after CMAE_1 can be whatever you like.  That text is used by 
  SpamAssassin in its spam report (which is optionally added to a 
  spammy message).

  The other setting is 

     score   CMAE_1  10

  The integer value is handed back to SA whenever the message is spammy.  
  SA then adds this value to whatever the score might be at the current 
  stage of SA's message processing.  Be careful when adjusting this 
  number.  If it's too high, then negative scoring (from whitelisting, 
  for example) will be defeated and you will get false positives.  If 
  it's too low, then you will see false negatives.

  Note that "CMAE_1" is the name of the test, from SA's point of view.  

  Restart spamd after making this change.


* Cloudmark Analysis Header.  

  If you require specific Cloudmark fingerprint information for custom
  processing, you can turn on the Analysis header.  This inserts the
  X-Spam-CMAE-Analysis header into every filtered message.  To enable this
  feature, add this line to CMAE's ifplugin section in local.cf (after 
  the score line):

     add_header all CMAE-Analysis  _CMAETAG_

  and restart spamd.  Then you will see a header like this in each
  filtered message:

	X-Spam-CMAE-Analysis: v=1.0 c=0 p=WKMssIA:10 a=v8MkrNAvrisQA:9 ...


  Note for Exim users: the add_header directive doesn't work in Exim.
  This is because Exim talks to spamd directly to collect only the SA
  score and report -- it doesn't see the message content as modified by
  spamd (which would include added headers).  So the only place to put
  the _CMAETAG_ token is in SA's report template.  Thus you must have 
  the report feature configured in SA, with report_safe set to 0 in
  local.cf (put report into headers, not in a message part).

  1. (For Exim only.)  Edit /usr/(local/)share/spamassasin/10_misc.cf.  
     (Note: in SA 3.2, this file has been renamed to 10_default_prefs.cf.)
     Locate the "report" lines.  Insert the CMAE report line as shown:

	report Spam detection software, running ....
	report identified this incoming email ....
	report has been attached to this so you ....
	report similar future email.  If you ....
	report _CONTACTADDRESS_ for details.
	report
	report CMAE Analysis: _CMAETAG_	    [<--- add this line]
	report
	report Content preview:  _PREVIEW_
	report
	report Content analysis details:   ...
	report
	report " pts rule name             ...
	report  ---- ---------------------- ...
	report _SUMMARY_

  2. Restart spamd.

  To have only the CMAE Analysis line added, comment out all the other report 
  lines in the template.  The added header will then look like:

	X-Spam-Report: v=1.0 c=0 p=maD-J2LHO2h a=fsBcwb a=Pcl-WUO ...


* Cloudmark Categories.

  If you have Cloudmark Analysis Header turned on (see above), then CMAE
  can optionally attach a category and sub-category to that header.
  Depending on the category type, the sub-category could be a name or
  other info.  For example, suppose a message contains the Bagle Worm
  in an attachment.  The category for the message would be Virus and the
  sub-category would be the name of the malware.  The resulting Analysis
  header might look like this:

	X-Spam-CMAE-Analysis: v=1.0 c=0 p=WKMssIA:10 a=v8MkrNAvrisQA:9 \
				xcat=Virus/Worm_Bagle_BL
	
  Note: every punctuation mark in the sub-category is changed to "_". 

  You could then employ filter software to read this header and divert
  the message to a quarantine area, or delete it.

  To enable the category feature, edit the Plug-in's client config file, 
  /etc/sa_cmae_plugin.cfg, and set this option:

	show categories = yes
  
  Then restart spamd.

  Categories are based on the latest Cloudmark research and data
  analysis.  The category info is part of the micro-update download.
  So for this feature to work, you must be subscribed to an enhanced
  micro-update service.  For details, please contact your Cloudmark
  sales representative or send an email message to satrial@cloudmark.com.

  Note: Currently the only category in use is Virus, but Cloudmark will be
  providing other categories in the future.


------------------------------------------------------------------
Operational Notes

* Some programs that feed messages to SpamAssassin, such as spamc, have
  a maximum-size limit.  The default for spamc is 500KB -- spamc will
  not process a message larger than that (and so it is delivered without
  any spam filtering).  You can raise the max-size limit of spamc using
  a command-line option or a spamc config file (see spamc manpage).

  Other programs truncate a larger message to some smaller size before 
  sending it to SA.  If you use such a program in combination with spamc, 
  then it should configured to truncate at less than spamc's max-size
  limit (so spamc will process it).  

  Cloudmark CMAE accepts very large messages but currently only processes 
  the first 300KB or so.  This may change in the future to a higher value.

  Since the average spam message is much smaller than 300KB, such settings
  have only a marginal effect on anti-spam accuracy.


======================================================================
Copyright (c) 2008, Cloudmark, Inc.  All rights reserved. 

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions are 
met: 
    * Redistributions of source code must retain the above copyright 
      notice, this list of conditions and the following disclaimer. 
    * Redistributions in binary form must reproduce the above copyright 
      notice, this list of conditions and the following disclaimer in the 
      documentation and/or other materials provided with the distribution. 
    * Neither the name of Cloudmark, Inc. nor the 
      names of its contributors may be used to endorse or promote products 
      derived from this software without specific prior written permission. 
      THIS SOFTWARE IS PROVIDED BY CLOUDMARK, INC. ``AS IS'' AND ANY EXPRESS OR 
      IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
      OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
      IN NO EVENT SHALL CLOUDMARK, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, 
      INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
      NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
      DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
      THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
      (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 
      THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

EXPORT LAWS: THIS LICENSE ADDS NO RESTRICTIONS TO THE EXPORT LAWS OF YOUR 
JURISDICTION. It is licensee's responsibility to comply with any export 
regulations applicable in licensee's jurisdiction. Under CURRENT (May 2000) 
U.S. export regulations this software is eligible for export from the U.S. and 
can be downloaded by or otherwise exported or re-exported worldwide EXCEPT to 
U.S. embargoed destinations which include Cuba, Iraq, Libya, North Korea, Iran, 
Syria, Sudan, Afghanistan and any other country to which the U.S. has embargoed 
goods and services. 
 









