[Postfixbuch-users] [OT] Spam tagging with amavis
Sascha Bendix
scrubb at localroot.de
Thu Jul 17 20:07:27 CEST 2008
Hello,
On one of my installations I noticed that spam is not being tagged,
even though it is definitely spam.
Briefly, the basic setup:
* Gentoo Linux x86_64
* Postfix accepts the mail and hands it to amavis via smtpd_proxy_filter
* amavis uses clamav and spamassassin and rejects spam/viruses for
recipients that are not whitelisted
* postmaster@ and abuse@ are on the whitelist
So far the setup works, and mail to postmaster@$hauptdomain is tagged
as well (the server is in $hauptdomain). Only when spam arrives for
postmaster@$andereDomain does no tagging take place, even if domain/hostname
in amavis.conf is set to $andereDomain.
Can any of you perhaps help me out?
Here is my amavis.conf:
use strict;

$MYHOME = '/var/amavis';              # (default is '/var/amavis')
$mydomain = 'hauptdomain.de';         # (no useful default)
$myhostname = 'mail.hauptdomain.de';  # fqdn of this host, default by uname(3)
$daemon_user  = 'amavis';  # (no default; customary: vscan or amavis)
$daemon_group = 'amavis';  # (no default; customary: vscan or amavis or sweep)
$TEMPBASE = "$MYHOME/tmp";  # prefer to keep home dir /var/amavis clean?
$ENV{TMPDIR} = $TEMPBASE;   # wise to set TMPDIR, but not obligatory
$enable_db = 1;             # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;   # enable use of libdb-based cache if $enable_db=1
$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail
$notify_method = $forward_method;            # where to submit notifications
$max_servers = 2;      # number of pre-forked children (default 2)
$max_requests = 20;    # retire a child after that many accepts (default 10)
$child_timeout=5*60;   # abort child if it does not complete its processing in
$smtpd_timeout = 120;  # disconnect session if client is idle for too long
@local_domains_maps = ( read_hash("$MYHOME/local_domains") );  # using hash
$insert_received_line = 1;  # behave like MTA: insert 'Received:' header
$unix_socketname = undef;   # disable listening on a unix socket
$inet_socket_port = 10024;  # accept SMTP on this local TCP port
$inet_socket_bind = '127.0.0.1';  # limit socket bind to loopback interface
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
$DO_SYSLOG = 1;              # (defaults to 0)
$syslog_ident = 'amavis';    # Syslog ident string (defaults to 'amavis')
$syslog_facility = 'mail';   # Syslog facility as a string
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
$log_level = 0;              # (defaults to 0)
$log_recip_templ = undef;    # undef disables by-recipient level-0 log entries
$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;  # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;    # False-positive prone (for spam)
@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',   # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,     # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],  # true by default (remove or comment-out if undesired)
));
$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';  # override sender address with null return path
$QUARANTINEDIR = "$MYHOME/quarantine";
$virus_quarantine_to      = undef;  # no quarantine
$banned_quarantine_to     = undef;  # local quarantine
$bad_header_quarantine_to = undef;  # local quarantine
$spam_quarantine_to       = undef;  # local quarantine
$X_HEADER_TAG = 'X-Virus-Scanned';  # (default: 'X-Virus-Scanned')
$defang_virus  = 0;  # default is false: don't modify mail body
$defang_banned = 0;  # default is false: don't modify mail body
$remove_existing_x_scanned_headers = 0;  # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers      = 1;  # remove existing spam headers if
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  qr'^application/x-msdownload$'i,  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,  # banned extension - basic
  qr'^\.(exe-ms)$',  # banned file(1) types
);
$banned_namepath_re = new_RE(
  qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM) ^(.*\t)? M=application/x-msdos-program (\t.*)? $'xmi,
  qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow
  qr'(?# BLOCK DOUBLE-EXTENSIONS ) ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z]
     [^./\t\n]* \. (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
  qr'(?# BLOCK COMMON NAME EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
     ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],
  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,  # banned file(1) type
);
$banned_namepath_re = undef;  # to disable new-style
%banned_rules = (
  'MYNETS-DEFAULT' => new_RE(  # permissive set of rules for internal hosts
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any name/type in Unix archives
    qr'.\.(vbs|pif|scr)$'i,           # banned extension - rudimentary
  ),
  'DEFAULT' => $banned_filename_re,
);
@spam_lovers_maps = (
  { 'postmaster@' => 1,
    'abuse@'      => 1,
  },
);
$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$localpart_is_case_sensitive = 0;      # (default is false)
@score_sender_maps = ({  # a by-recipient hash lookup table
  '.' => [  # the _first_ matching sender determines the score boost
    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i          => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i    => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i   => 5.0],
      [qr'^(your_friend|greatoffers)@'i                                  => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                      => 5.0],
    ),
    {  # a hash-type lookup table (associative array)
      'nobody@cert.org'                            => -3.0,
      'cert-advisory@us-cert.gov'                  => -3.0,
      'owner-alert@iss.net'                        => -3.0,
      'slashdot@slashdot.org'                      => -3.0,
      'bugtraq@securityfocus.com'                  => -3.0,
      'ntbugtraq@listserv.ntbugtraq.com'           => -3.0,
      'security-alerts@linuxsecurity.com'          => -3.0,
      'mailman-announce-admin@python.org'          => -3.0,
      'amavis-user-admin@lists.sourceforge.net'    => -3.0,
      'spamassassin.apache.org'                    => -3.0,
      'notification-return@lists.sophos.com'       => -3.0,
      'owner-postfix-users@postfix.org'            => -3.0,
      'owner-postfix-announce@postfix.org'         => -3.0,
      'owner-sendmail-announce@lists.sendmail.org' => -3.0,
      'sendmail-announce-request@lists.sendmail.org' => -3.0,
      'donotreply@sendmail.org'                    => -3.0,
      'ca+envelope@sendmail.org'                   => -3.0,
      'noreply@freshmeat.net'                      => -3.0,
      'owner-technews@postel.acm.org'              => -3.0,
      'ietf-123-owner@loki.ietf.org'               => -3.0,
      'cvs-commits-list-admin@gnome.org'           => -3.0,
      'rt-users-admin@lists.fsck.com'              => -3.0,
      'clp-request@comp.nus.edu.sg'                => -3.0,
      'surveys-errors@lists.nua.ie'                => -3.0,
      'emailnews@genomeweb.com'                    => -5.0,
      'yahoo-dev-null@yahoo-inc.com'               => -3.0,
      'returns.groups.yahoo.com'                   => -3.0,
      'clusternews@linuxnetworx.com'               => -3.0,
      lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
      lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
      'sender@example.net'                         =>  3.0,
      '.example.net'                               =>  1.0,
    },
  ],  # end of site-wide tables
});
@blacklist_sender_maps = ( new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));
$MAXLEVELS = 14;    # (default is undef, no limit)
$MAXFILES = 1500;   # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024;       # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5;    # times original mail size (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size (default is 500)
$virus_check_negative_ttl = 3*60;   # time to remember that mail was not infected
$virus_check_positive_ttl = 15*60;  # time to remember that mail was infected
$spam_check_negative_ttl  = 15*60;  # time to remember that mail was not spam
$spam_check_positive_ttl  = 15*60;  # time to remember that mail was spam
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
$file = 'file';    # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam = 'dspam';
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar, 'ar'],
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar, ['rar','unrar'] ],
  ['arj',  \&do_unarj, ['arj','unarj'] ],
  ['arc',  \&do_arc, ['nomarch','arc'] ],
  ['zoo',  \&do_zoo, 'zoo'],
  ['lha',  \&do_lha, 'lha'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext, 'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
$sa_local_tests_only = 0;  # only tests which do not require internet access?
$sa_mail_body_size_limit = 200*1024;  # don't waste time on SA if mail is larger
$sa_tag_level_deflt  = undef;  # add spam info headers if at, or above that level;
$sa_tag2_level_deflt = 5.0;    # add 'spam detected' headers at that level to
$sa_kill_level_deflt = $sa_tag2_level_deflt;  # triggers spam evasive actions
$sa_dsn_cutoff_level = undef;  # spam level beyond which a DSN is not sent,
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
@av_scanners_backup = (
  ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
);
1;  # insure a defined return
Kind regards
Sascha
More information about the Postfixbuch-users mailing list
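The post's whitelist uses the short keys 'postmaster@' and 'abuse@' in @spam_lovers_maps, and the recipient that is not handled as expected belongs to a domain other than $mydomain. Whether such a key applies to a recipient depends on how amavisd resolves hash lookups against @local_domains_maps (the read_hash file in the config), not on $mydomain or $myhostname. The Python model below is an added example, not code from the post or from amavisd; it reproduces the lookup order documented for amavisd-new's hash maps as an assumption to be checked against the README.lookups of the installed version: full address first, then 'localpart@' only when the recipient domain counts as local, then the domain and its parent domains with a leading dot, then '.' as the catch-all. The local_domains file content and the domain names are constructed sample data.

```python
"""Model of amavisd-new hash-map lookups for a recipient address.

Added example, not code from the post or from amavisd. Assumption: the
key order mirrors amavisd-new's documented lookup_hash() behaviour
(verify against README.lookups of your version).
"""
import io


def read_hash(fh):
    """Parse a read_hash()-style file: one key per line, an optional
    whitespace-separated value, '#' comments; keys are lowercased and a
    missing value counts as true (modelled on amavisd's read_hash)."""
    table = {}
    for raw in fh:
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else 1
    return table


def domain_keys(domain):
    """Keys tried for the domain part of an address, most specific first:
    'sub.example.com', '.sub.example.com', '.example.com', '.com', '.'."""
    labels = domain.lower().split('.')
    keys = [domain.lower()]
    keys += ['.' + '.'.join(labels[i:]) for i in range(len(labels))]
    keys.append('.')
    return keys


def is_local_domain(domain, local_domains_maps):
    """True if the domain matches any table in @local_domains_maps."""
    for table in local_domains_maps:
        for key in domain_keys(domain):
            if key in table:
                return bool(table[key])
    return False


def lookup_hash(address, table, local_domains_maps):
    """Return (matching_key, value) for the first key found, else (None, None)."""
    localpart, _, domain = address.lower().rpartition('@')
    keys = [address.lower()]
    if is_local_domain(domain, local_domains_maps):
        keys.append(localpart + '@')  # 'postmaster@'-style keys: local domains only
    keys += domain_keys(domain)
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


# Constructed sample of $MYHOME/local_domains as read by read_hash():
LOCAL_DOMAINS_FILE = """\
# local domains, one per line (constructed sample)
hauptdomain.de
.hauptdomain.de    # hauptdomain.de and all of its subdomains
"""
LOCAL_DOMAINS_MAPS = [read_hash(io.StringIO(LOCAL_DOMAINS_FILE))]

# The @spam_lovers_maps hash from the post.
SPAM_LOVERS = {'postmaster@': 1, 'abuse@': 1}


def is_spam_lover(address, local_domains_maps=LOCAL_DOMAINS_MAPS):
    """Does the recipient fall under @spam_lovers_maps?"""
    _, value = lookup_hash(address, SPAM_LOVERS, local_domains_maps)
    return bool(value)


if __name__ == '__main__':
    for rcpt in ('postmaster@hauptdomain.de', 'postmaster@mail.hauptdomain.de',
                 'postmaster@anderedomain.de', 'user@hauptdomain.de'):
        domain = rcpt.split('@')[1]
        print('%-32s local=%-5s spam_lover=%s' % (
            rcpt, is_local_domain(domain, LOCAL_DOMAINS_MAPS), is_spam_lover(rcpt)))
    # Listing the second domain as local makes the 'postmaster@' key apply to it too.
    extra = LOCAL_DOMAINS_MAPS + [{'anderedomain.de': 1}]
    print('with anderedomain.de local:', is_spam_lover('postmaster@anderedomain.de', extra))
```

Run as a script, it prints which of the sample recipients resolve to a whitelist entry; only recipients in a domain listed in the local_domains file pick up the 'postmaster@' key. The same check is worth running against the real local_domains file before widening it: a catch-all entry such as '.' in that file would make 'postmaster@' and 'abuse@' spam lovers for every domain the server relays for.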