<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Nur Text Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.NurTextZchn
{mso-style-name:"Nur Text Zchn";
mso-style-priority:99;
mso-style-link:"Nur Text";
font-family:"Calibri","sans-serif";}
span.E-MailFormatvorlage20
{mso-style-type:personal-reply;
font-family:"Verdana","sans-serif";
color:black;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Hello Claas,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Regarding the Heinlein rules, you could send yourself a test mail with a subject taken from those rules to see whether they take effect.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>The spam mails that only get a low score may contain links. You could start there by raising the score for URIBL_DBL_* and URIBL_SBL. According to the Spamhaus FAQ, there are practically no false positives with DBL and SBL, so there is really no reason to accept mails containing links that are listed in DBL/SBL.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Best regards.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Christian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p 
class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Postfixbuch-users [mailto:postfixbuch-users-bounces@listen.jpberlin.de] <b>On behalf of </b>Claas Goltz<br><b>Sent:</b> Tuesday, 18 October 2016 15:05<br><b>To:</b> postfixbuch-users@listen.jpberlin.de<br><b>Subject:</b> amavis + spamassassin "problems" with detection rate<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Hello!<br>I use Amavis together with SpamAssassin and ClamAV, so a classic setup.<br>Spam does get detected, but in my opinion it is not good enough yet. I have already set my tag level to 3.7, which should actually be VERY aggressive, shouldn't it?<br>Still, a lot of mails come in that are quite obviously spam to us humans (CASINO winnings, erotica etc.) but only get around 1-2 points.<br><br>Every hour I have the SA updates installed via:<br>/usr/bin/sa-update --nogpg --channel spamassassin.heinlein-support.de -v &>/dev/null<br>
When I start amavis in debug mode, I can also see that these rules apparently get loaded:<o:p></o:p></p><p>(...)<br>amavis[7190]: SA dbg: config: fixed relative path: /var/lib/spamassassin/3.004000/spamassassin_heinlein-support_de/20_blatspammer.cf<br>amavis[7190]: SA dbg: config: using "/var/lib/spamassassin/3.004000/spamassassin_heinlein-support_de/20_blatspammer.cf" for included file<br>amavis[7190]: SA dbg: config: read file /var/lib/spamassassin/3.004000/spamassassin_heinlein-support_de/20_blatspammer.cf<br>amavis[7190]: SA dbg: config: fixed relative path: /var/lib/spamassassin/3.004000/spamassassin_heinlein-support_de/70_HS_body.cf<br>amavis[7190]: SA dbg: config: using "/var/lib/spamassassin/3.004000/spamassassin_heinlein-support_de/70_HS_body.cf" for included file<br>(...)<o:p></o:p></p><p>A typical e-mail header now looks like this:<o:p></o:p></p><p>X-Spam-Flag: YES<br>X-Spam-Score: 5.219<br>X-Spam-Level: *****<br>X-Spam-Status: Yes, score=5.219 tagged_above=-999 required=3.7<br> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,<br> HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,<br> MIME_HTML_ONLY=1.105, RAZOR2_CF_RANGE_51_100=0.365,<br> RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729,<br> RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.31,<br> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no<o:p></o:p></p><p>Or a mail that is obvious spam to us humans:<o:p></o:p></p><p>X-Spam-Flag: NO<br>X-Spam-Score: 1.106<br>X-Spam-Level: *<br>X-Spam-Status: No, score=1.106 tagged_above=-999 required=3.7<br> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,<br> HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,<br> MIME_HTML_ONLY=1.105, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]<br> autolearn=no autolearn_force=no<o:p></o:p></p><p>Do you think something is missing there? 
I would have expected the HS_* filters to show up there as well.<br>Of course, some mails with more than 10 points do end up in my quarantine. But even there I believe the Heinlein rules are not taking effect:<o:p></o:p></p><p class=MsoPlainText>Content analysis details: (10.7 points, 3.7 required)<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText> pts rule name description<o:p></o:p></p><p class=MsoPlainText>---- ---------------------- --------------------------------------------------<o:p></o:p></p><p class=MsoPlainText>-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)<o:p></o:p></p><p class=MsoPlainText> [85.25.203.149 listed in wl.mailspike.net]<o:p></o:p></p><p class=MsoPlainText> 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL<o:p></o:p></p><p class=MsoPlainText> [85.25.203.149 listed in psbl.surriel.com]<o:p></o:p></p><p class=MsoPlainText>-0.0 SPF_HELO_PASS SPF: HELO matches SPF record<o:p></o:p></p><p class=MsoPlainText> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.<o:p></o:p></p><p class=MsoPlainText> [85.25.203.149 listed in bb.barracudacentral.org]<o:p></o:p></p><p class=MsoPlainText> 1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist<o:p></o:p></p><p class=MsoPlainText> [URIs: newdealeuropa.com]<o:p></o:p></p><p class=MsoPlainText> 0.8 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area<o:p></o:p></p><p class=MsoPlainText> 0.0 HTML_MESSAGE BODY: HTML included in message<o:p></o:p></p><p class=MsoPlainText> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid<o:p></o:p></p><p class=MsoPlainText>-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's<o:p></o:p></p><p class=MsoPlainText> domain<o:p></o:p></p><p class=MsoPlainText>-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature<o:p></o:p></p><p class=MsoPlainText> 2.0 PYZOR_CHECK Listed in Pyzor (<a 
href="http://pyzor.sf.net/">http://pyzor.sf.net/</a>)<o:p></o:p></p><p class=MsoPlainText> 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist<o:p></o:p></p><p class=MsoPlainText> [URIs: newdealeuropa.com]<o:p></o:p></p><p class=MsoPlainText>-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders<o:p></o:p></p><p>#########<br>My 50-user.conf:<br>$max_servers = 5;<br>$inet_socket_port = [10024,10025];<br>$forward_method = 'smtp:[127.0.0.1]:10035';<br>$notify_method = 'smtp:[127.0.0.1]:10035';<br>$interface_policy{'10025'} = 'SUBMISSION';<br>$policy_bank{'SUBMISSION'} = {<br> originating => 1,<br> # Force 7-bit encoding so that later re-encoding does not break the DKIM signature<br> smtpd_discard_ehlo_keywords => ['8BITMIME'],<br> # Also reject viruses from authenticated senders<br> final_virus_destiny => D_REJECT, #D_REJECT<br> final_bad_header_destiny => D_PASS,<br> final_spam_destiny => D_PASS,<br> terminate_dsn_on_notify_success => 0,<br> warnbadhsender => 1,<br>};<br>$myhostname = "MAILSERVER";<br>$virus_admin = "postmaster\@$mydomain";<br>$spam_admin = "postmaster\@$mydomain";<br>$banned_quarantine_to = "postmaster\@$mydomain";<br>$virus_quarantine_to = "virus-quarantine";<br>$banned_quarantine_to = 'banned-quarantine';<br>@bypass_virus_checks_maps = (<br> \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);<br>@bypass_spam_checks_maps = (<br> \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);<br>$sa_spam_subject_tag = '*****SPAM*****';<br>$warnvirusrecip = 1;<br>$warnbannedrecip = 1;<br>$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level<br>$sa_tag2_level_deflt = 3.7; # add 'spam detected' headers at that level<br>$sa_kill_level_deflt = 9.0; # triggers spam evasive actions (e.g. 
blocks mail)<br>$log_level = 1;<br>$sa_debug = 0;<br>$DO_SYSLOG = 1; # log via syslogd (preferred)<br>$SYSLOG_LEVEL = 'mail.debug';<br>$hdrfrom_notify_sender = "postmaster\@$mydomain";<br>read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist.txt');<br>########<br>SpamAssassin local.cf<o:p></o:p></p><p>rewrite_header Subject *****SPAM*****<br> required_score 3.7<br> use_bayes 1<br> bayes_auto_learn 1<br>ifplugin Mail::SpamAssassin::Plugin::Shortcircuit<br>use_pyzor 1<br>pyzor_path /usr/bin/pyzor<br>pyzor_timeout 20<br>endif # Mail::SpamAssassin::Plugin::Shortcircuit<o:p></o:p></p><p>#####<o:p></o:p></p><p>Thanks for your time and help!<o:p></o:p></p><p>Claas Goltz<o:p></o:p></p></div></div></body></html>