[Postfixbuch-users] double-bounce/reject von Postfix und Amavis

Michael Nausch michael at nausch.org
Mi Jul 8 15:43:38 CEST 2009


HI,

sorry, mein egrep über die amavisd.conf war nicht optimal, daher  
findet ihr nachfolgend die ganze Konfig.

======================== schnippldieschnapp =========================
[root at nss ~]# egrep -v '(^#|^$)' /etc/amavisd.conf
use strict;
$max_servers = 5;            # num of pre-forked children (2..30 is  
common), -m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
$myhostname = 'amavis.nausch.org'; # hostname
$mydomain = 'nausch.org';   # a convenient default for other settings
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
            # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
            # choose from: emerg, alert, crit, err, warning, notice,  
info, debug
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
                # option(s) -p overrides $inet_socket_port and $unix_socketname
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
   originating => 1,  # is true in MYNETS by default, but let's make  
it explicit
   os_fingerprint_method => undef,  # don't query p0f for internal clients
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
   originating => 1,  # declare that mail was submitted by our smtp client
   allow_disclaimers => 1,  # enables disclaimer insertion if available
   # notify administrator of locally originating malware
   virus_admin_maps => ["virusalert\@$mydomain"],
   spam_admin_maps  => ["virusalert\@$mydomain"],
   warnbadhsender   => 0,
   # forward to a smtpd service providing DKIM signing service
   forward_method => 'smtp:[127.0.0.1]:10027',
   # force MTA conversion to 7-bit (e.g. before DKIM signing)
   smtpd_discard_ehlo_keywords => ['8BITMIME'],
   bypass_banned_checks_maps => [1],  # allow sending any file names and types
   terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with  
$unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
   protocol => 'AM.PDP',
   auth_required_release => 0,  # do not require secret_id for amavisd-release
};
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above  
that level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g.  
blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail  
is larger
$sa_local_tests_only = 0;    # only tests which do not require  
internet access?
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender  
if undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$virus_quarantine_to = undef;
$banned_quarantine_to = undef;
$spam_quarantine_to = undef;
$bad_header_quarantine_to = undef;
@keep_decoded_original_maps = (new_RE(
   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains  
undecipherables
   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
   qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
   [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
   qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
   qr'^application/x-msdownload$'i,        # block these MIME types
   qr'^application/x-msdos-program$'i,
   qr'^application/hta$'i,
   # block certain double extensions in filenames
    
qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
   qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
                         # results from all matching recipient tables  
are summed
   ## site-wide opinions about senders (the '.' matches any recipient)
   '.' => [  # the _first_ matching sender determines the score boost
    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
     [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
     [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
     [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
     [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
     [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
     [qr'^(your_friend|greatoffers)@'i                                => 5.0],
     [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
    ),
    { # a hash-type lookup table (associative array)
      'nobody at cert.org'                        => -3.0,
      'cert-advisory at us-cert.gov'              => -3.0,
      'owner-alert at iss.net'                    => -3.0,
      'slashdot at slashdot.org'                  => -3.0,
      'securityfocus.com'                      => -3.0,
      'ntbugtraq at listserv.ntbugtraq.com'       => -3.0,
      'security-alerts at linuxsecurity.com'      => -3.0,
      'mailman-announce-admin at python.org'      => -3.0,
      'amavis-user-admin at lists.sourceforge.net'=> -3.0,
      'amavis-user-bounces at lists.sourceforge.net' => -3.0,
      'spamassassin.apache.org'                => -3.0,
      'notification-return at lists.sophos.com'   => -3.0,
      'owner-postfix-users at postfix.org'        => -3.0,
      'owner-postfix-announce at postfix.org'     => -3.0,
      'owner-sendmail-announce at lists.sendmail.org'   => -3.0,
      'sendmail-announce-request at lists.sendmail.org' => -3.0,
      'donotreply at sendmail.org'                => -3.0,
      'ca+envelope at sendmail.org'               => -3.0,
      'noreply at freshmeat.net'                  => -3.0,
      'owner-technews at postel.acm.org'          => -3.0,
      'ietf-123-owner at loki.ietf.org'           => -3.0,
      'cvs-commits-list-admin at gnome.org'       => -3.0,
      'rt-users-admin at lists.fsck.com'          => -3.0,
      'clp-request at comp.nus.edu.sg'            => -3.0,
      'surveys-errors at lists.nua.ie'            => -3.0,
      'emailnews at genomeweb.com'                => -5.0,
      'yahoo-dev-null at yahoo-inc.com'           => -3.0,
      'returns.groups.yahoo.com'               => -3.0,
      'clusternews at linuxnetworx.com'           => -3.0,
      lc('lvs-users-admin at LinuxVirtualServer.org')    => -3.0,
      lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
      # soft-blacklisting (positive score)
      'sender at example.net'                     =>  3.0,
      '.example.net'                           =>  1.0,
    },
   ],  # end of site-wide tables
});
@decoders = (
   ['mail', \&do_mime_decode],
   ['asc',  \&do_ascii],
   ['uue',  \&do_ascii],
   ['hqx',  \&do_ascii],
   ['ync',  \&do_ascii],
   ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
   ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
   ['gz',   \&do_uncompress,  'gzip -d'],
   ['gz',   \&do_gunzip],
   ['bz2',  \&do_uncompress,  'bzip2 -d'],
   ['lzo',  \&do_uncompress,  'lzop -d'],
   ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
   ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
   ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
   ['deb',  \&do_ar,          'ar'],
   ['zip',  \&do_unzip],
   ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
   ['rar',  \&do_unrar,      ['rar','unrar'] ],
   ['arj',  \&do_unarj,      ['arj','unarj'] ],
   ['arc',  \&do_arc,        ['nomarch','arc'] ],
   ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
   ['lha',  \&do_lha,         'lha'],
   ['cab',  \&do_cabextract,  'cabextract'],
   ['tnef', \&do_tnef_ext,    'tnef'],
   ['tnef', \&do_tnef],
   ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
   ### http://www.kaspersky.com/  (kav4mailservers)
   ['KasperskyLab AVP - aveclient',
     ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
      '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
     '-p /var/run/aveserver -s {}/*',
     [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
   ],
   # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
   # currupted or protected archives are to be handled
   ### http://www.kaspersky.com/
   ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
     '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
     qr/infected: (.+)/,
     sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
     sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],
   ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
   ### products and replaced by aveserver and aveclient
   ['KasperskyLab AVPDaemonClient',
     [ '/opt/AVP/kavdaemon',       'kavdaemon',
       '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
       '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
       '/opt/AVP/avpdc', 'avpdc' ],
     "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
     # change the startup-script in /etc/init.d/kavd to:
     #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
     #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
     # adjusting /var/amavis above to match your $TEMPBASE.
     # The '-f=/var/amavis' is needed if not running it as root, so it
     # can find, read, and write its pid file, etc., see 'man kavdaemon'.
     # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
     #   directory $TEMPBASE specifies) in the 'Names=' section.
     # cd /opt/AVP/DaemonClients; configure; cd Sample; make
     # cp AvpDaemonClient /opt/AVP/
     # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
   ### http://www.centralcommand.com/
   ['CentralCommand Vexira (new) vascan',
     ['vascan','/usr/lib/Vexira/vascan'],
     "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
     "--log=/var/log/vascan.log {}",
     [0,3], [1,2,5],
     qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\  
( [^\]\s']+ )\ \.\.\.\ / ],
     # Adjust the path of the binary and the virus database as needed.
     # 'vascan' does not allow to have the temp directory to be the same as
     # the quarantine directory, and the quarantine option can not be disabled.
     # If $QUARANTINEDIR is not used, then another directory must be specified
     # to appease 'vascan'. Move status 3 to the second list if password
     # protected files are to be considered infected.
   ### http://www.avira.com/
   ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
   ['Avira AntiVir', ['antivir','vexira'],
     '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
     qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
          (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
     # NOTE: if you only have a demo version, remove -z and add 214, as in:
     #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
   ### http://www.commandsoftware.com/
   ['Command AntiVirus for Linux', 'csav',
     '-all -archive -packed {}', [50], [51,52,53],
     qr/Infection: (.+)/ ],
   ### http://www.symantec.com/
   ['Symantec CarrierScan via Symantec CommandLineScanner',
     'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
     qr/^Files Infected:\s+0$/, qr/^Infected\b/,
     qr/^(?:Info|Virus Name):\s+(.+)/ ],
   ### http://www.symantec.com/
   ['Symantec AntiVirus Scan Engine',
     'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details  
-verbose {}',
     [0], qr/^Infected\b/,
     qr/^(?:Info|Virus Name):\s+(.+)/ ],
     # NOTE: check options and patterns to see which entry better applies
   ### http://www.f-secure.com/products/anti-virus/  version 5.52
    ['F-Secure Antivirus for Linux servers',
     ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
     '--virus-action1=report --archive=yes --auto=yes '.
     '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
     qr/(?:infection|Infected|Suspected|Riskware): (.+)/ ],
     # NOTE: internal archive handling may be switched off by '--archive=no'
     #   to prevent fsav from exiting with status 9 on broken archives
   ['CAI InoculateIT', 'inocucmd',  # retired product
     '-sec -nex {}', [0], [100],
     qr/was infected by virus (.+)/ ],
   # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
   ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
   ['CAI eTrust Antivirus', 'etrust-wrapper',
     '-arc -nex -spm h {}', [0], [101],
     qr/is infected by virus: (.+)/ ],
     # NOTE: requires suid wrapper around inocmd32; consider flag:  
-mod reviewer
     # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
   ### http://mks.com.pl/english.html
   ['MkS_Vir for Linux (beta)', ['mks32','mks'],
     '-s {}/*', [0], [1,2],
     qr/--[ \t]*(.+)/ ],
   ### http://mks.com.pl/english.html
   ['MkS_Vir daemon', 'mksscan',
     '-s -q {}', [0], [1..7],
     qr/^... (\S+)/ ],
   ### http://www.eset.com/, version v2.7
   ['ESET NOD32 Linux Mail Server - command line interface',
     ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
     '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],
   ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
   ['ESET NOD32 for Linux File servers',
     ['/opt/eset/nod32/sbin/nod32','nod32'],
     '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
     '-w -a --action=1 -b {}',
     [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
   ### http://www.norman.com/products_nvc.shtml
   ['Norman Virus Control v5 / Linux', 'nvcc',
     '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
     qr/(?i).* virus in .* -> \'(.+)\'/ ],
   ### http://www.pandasoftware.com/
   ['Panda CommandLineSecure 9 for Linux',
     ['/opt/pavcl/usr/bin/pavcl','pavcl'],
     '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
     qr/Number of files infected[ .]*: 0+(?!\d)/,
     qr/Number of files infected[ .]*: 0*[1-9]/,
     qr/Found virus :\s*(\S+)/ ],
   # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
   # before starting amavisd - the bases are then loaded only once at startup.
   # To reload bases in a signature update script:
   #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
   # Please review other options of pavcl, for example:
   #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
   ### http://www.nai.com/
   ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
     '--secure -rv --mime --summary --noboot - {}', [0], [13],
     qr/(?x) Found (?:
         \ the\ (.+)\ (?:virus|trojan)  |
         \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
         :\ (.+)\ NOT\ a\ virus)/,
   # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
   # sub {delete $ENV{LD_PRELOAD}},
   ],
   # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
   # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
   # and then clear it when finished to avoid confusing anything else.
   # NOTE2: to treat encrypted files as viruses replace the [13] with:
   #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
   ### http://www.virusbuster.hu/en/
   ['VirusBuster', ['vbuster', 'vbengcl'],
     "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
     qr/: '(.*)' - Virus/ ],
   # VirusBuster Ltd. does not support the daemon version for the workstation
   # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
   # binaries, some parameters AND return codes have changed (from 3 to 1).
   # See also the new Vexira entry 'vascan' which is possibly related.
   ### http://www.cyber.com/
   ['CyberSoft VFind', 'vfind',
     '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
   # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
   ],
   ### http://www.avast.com/
   ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
     '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],
   ### http://www.ikarus-software.com/
   ['Ikarus AntiVirus for Linux', 'ikarus',
     '{}', [0], [40], qr/Signature (.+) found/ ],
   ### http://www.bitdefender.com/
   ['BitDefender', 'bdscan',  # new version
     '--action=ignore --no-list {}', qr/^Infected files *:0+(?!\d)/,
     qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
     qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
   ### http://www.bitdefender.com/
   ['BitDefender', 'bdc',  # old version
     '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
     qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
     qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
   # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
   # not apply to your version of bdc, check documentation and see 'bdc --help'
   ### ArcaVir for Linux and Unix http://www.arcabit.pl/
   ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
     '-v 1 -summary 0 -s {}', [0], [1,2],
     qr/(?:VIR|WIR):[ \t]*(.+)/ ],
);
@av_scanners_backup = (
   ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
   ['ClamAV-clamscan', 'clamscan',
     "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
     [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
   ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
   ['F-PROT Antivirus for UNIX', ['fpscan'],
     '--report --mount --adware {}',  # consider: --applications -s 4  
-u 3 -z 10
     [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
     qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/ ],
   ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
   ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
     '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
     qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],
   ### http://www.trendmicro.com/   - backs up Trophie
   ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
     '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
   ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
   ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
     ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
     '-path={} -al -go -ot -cn -upn -ok-',
     [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
    ### http://www.kaspersky.com/
    ['Kaspersky Antivirus v5.5',
      ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
       '/opt/kav/5.5/kav4unix/bin/kavscanner',
       '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
      '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
      qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
    ],
);
1;  # insure a defined return
======================== schnippldieschnapp =========================

Ciao,
       Django
-- 
"Bonnie & Clyde der Postmaster-Szene!" approved by Postfix-God

http://wetterstation-pliening.info
http://dokuwiki.nausch.org





Mehr Informationen über die Mailingliste Postfixbuch-users