HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Installation/Configuration > Spam still getting through (http://www.howtoforge.com/forums/showthread.php?t=37266)

Meph 7th July 2009 15:21

Spam still getting through
 
I am using Ubuntu Server 9.04 and used the Perfect Server ISPConfig 3 howto for my distribution.

I have been searching far and wide for answers to my spam problems, most of the answers I have found here in this forum. Here is /etc/amavis/conf.d/20-debian_defaults:

Code:

use strict;

# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...

#  see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
#      a list of all variables with their defaults;
#  see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
#      a traditional-style commented file 
#  [note: the above files were not converted to Debian settings!]
#
#  for more details see documentation in /usr/share/doc/amavisd-new
#  and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;  # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;  # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes

# You should:
#  Use D_DISCARD to discard data (viruses)
#  Use D_BOUNCE to generate local bounces by amavisd-new
#  Use D_REJECT to generate local or remote bounces by the calling MTA
#  Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message.  Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly.  Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny    = D_BOUNCE;  # D_REJECT when front-end MTA
$final_spam_destiny      = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;    # False-positive prone (for spam)

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default

# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM.  This holds true even inside one's domain.  We disable them all by
# default, except for the EICAR test pattern.
#

@viruses_that_fake_sender_maps = (new_RE(
  [qr'\bEICAR\b'i => 0],            # av test pattern name
  [qr/.*/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',  # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',    # don't trust Archive::Zip
));


# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,        # Windows Metafile MIME type
# qr'^\.wmf$',                                # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$'          => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$'      => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                      # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',        # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                          '.cleargreen.com'          => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

  new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i        => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i  => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
  ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

  { # a hash-type lookup table (associative array)
    'nobody@cert.org'                        => -3.0,
    'cert-advisory@us-cert.gov'              => -3.0,
    'owner-alert@iss.net'                    => -3.0,
    'slashdot@slashdot.org'                  => -3.0,
    'securityfocus.com'                      => -3.0,
    'ntbugtraq@listserv.ntbugtraq.com'      => -3.0,
    'security-alerts@linuxsecurity.com'      => -3.0,
    'mailman-announce-admin@python.org'      => -3.0,
    'amavis-user-admin@lists.sourceforge.net'=> -3.0,
    'amavis-user-bounces@lists.sourceforge.net' => -3.0,
    'spamassassin.apache.org'                => -3.0,
    'notification-return@lists.sophos.com'  => -3.0,
    'owner-postfix-users@postfix.org'        => -3.0,
    'owner-postfix-announce@postfix.org'    => -3.0,
    'owner-sendmail-announce@lists.sendmail.org'  => -3.0,
    'sendmail-announce-request@lists.sendmail.org' => -3.0,
    'donotreply@sendmail.org'                => -3.0,
    'ca+envelope@sendmail.org'              => -3.0,
    'noreply@freshmeat.net'                  => -3.0,
    'owner-technews@postel.acm.org'          => -3.0,
    'ietf-123-owner@loki.ietf.org'          => -3.0,
    'cvs-commits-list-admin@gnome.org'      => -3.0,
    'rt-users-admin@lists.fsck.com'          => -3.0,
    'clp-request@comp.nus.edu.sg'            => -3.0,
    'surveys-errors@lists.nua.ie'            => -3.0,
    'emailnews@genomeweb.com'                => -5.0,
    'yahoo-dev-null@yahoo-inc.com'          => -3.0,
    'returns.groups.yahoo.com'              => -3.0,
    'clusternews@linuxnetworx.com'          => -3.0,
    lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
    lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

    # soft-blacklisting (positive score)
    'sender@example.net'                    =>  3.0,
    '.example.net'                          =>  1.0,

  },
  ],  # end of site-wide tables
});

1;  # ensure a defined return

As you see $final_spam_destiny is set to D_DISCARD but I'm still getting spam that is being labeled but not discarded.

Here is an example header from an email that got through:

Code:

Return-Path: <xxxx@xxxx.com>
Received: from localhost (localhost [127.0.0.1])
    by host.example.com (Postfix) with ESMTP id 10E811007B8
    for <user@example.com>; Tue, 7 Jul 2009 12:59:46 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at host.example.com
X-Spam-Flag: YES
X-Spam-Score: 19.043
X-Spam-Level: *******************
X-Spam-Status: Yes, score=19.043 tagged_above=3 required=6
    tests=[BAYES_99=3.5, HELO_DYNAMIC_HCC=4.295, HTML_IMAGE_ONLY_20=1.546,
    HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457,
    RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1,
    URIBL_AB_SURBL=1.86, URIBL_JP_SURBL=1.501, URIBL_OB_SURBL=1.5,
    URIBL_WS_SURBL=1.5] autolearn=spam
Received: from host.example.com ([127.0.0.1])
    by localhost (host.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id FEEQMtUdyjCV for <user@example.com>;
    Tue, 7 Jul 2009 12:59:39 +0000 (UTC)
Received: from bl8-161-37.dsl.telepac.pt (bl8-161-37.dsl.telepac.pt [85.241.161.37])
    by host.example.com (Postfix) with ESMTP id 8513010075D
    for <user@example.com>; Tue, 7 Jul 2009 12:59:37 +0000 (UTC)
From: sapmmer@spamhost.com
To: user@example.com
Subject: ***SPAM*** For you
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Message-Id: <20090707125938.8513010075D@host.example.com>
Date: Tue, 7 Jul 2009 12:59:37 +0000 (UTC)


till 8th July 2009 00:24

You have to edit the 50-user file and not 20-debian_defaults
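The reply above is the whole answer, but the posted header already contained the clue: it reports tagged_above=3 and required=6, while 20-debian_defaults sets 2.0 and 6.31, so some later file is overriding the Debian defaults. Debian's amavisd.conf loads the files under /etc/amavis/conf.d/ in sorted (lexical) order, and a later assignment simply replaces an earlier one, which is why 50-user wins over 20-debian_defaults. The following Python script is an added example, not code from the thread, from amavisd-new or from ISPConfig: it applies a set of conf.d files in that order, reports which file set each effective value, and checks the result against the tagged_above/required values amavis writes into X-Spam-Status (amavis reports its sa_tag_level there as tagged_above and its sa_tag2_level as required). The 50-user contents and the conf.d dictionary are constructed for illustration; the header lines are trimmed from the one in the first post.

```python
import re
from email.parser import HeaderParser

# Constructed stand-ins for the files under /etc/amavis/conf.d/. Only the
# settings relevant to the thread are included; the 50-user content is an
# invented example of an override, not the poster's real file.
SAMPLE_CONF_D = {
    "20-debian_defaults": """
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$final_spam_destiny      = D_DISCARD;
1;
""",
    "50-user": """
# constructed: a site file that silently overrides the Debian defaults
$sa_tag_level_deflt  = 3;
$sa_tag2_level_deflt = 6;
$sa_kill_level_deflt = 6;
$final_spam_destiny  = D_PASS;
1;
""",
}

# Header lines taken from the message quoted in the thread (trimmed).
SAMPLE_HEADERS = """\
X-Virus-Scanned: Debian amavisd-new at host.example.com
X-Spam-Flag: YES
X-Spam-Score: 19.043
X-Spam-Status: Yes, score=19.043 tagged_above=3 required=6
    tests=[BAYES_99=3.5, HELO_DYNAMIC_HCC=4.295] autolearn=spam
Subject: ***SPAM*** For you
"""

# Matches `$name = value;` and stops the value before a trailing `# comment`.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*([^;#]+?)\s*;", re.M)
STATUS_RE = re.compile(
    r"score=(-?[\d.]+)\s+tagged_above=(-?[\d.]+)\s+required=(-?[\d.]+)")


def effective_settings(conf_d):
    """Apply the files in lexical order, as amavisd.conf does; the last
    assignment wins.  Returns {variable: (value, file_that_set_it)}."""
    effective = {}
    for name in sorted(conf_d):
        for m in ASSIGN_RE.finditer(conf_d[name]):
            effective[m.group(1)] = (m.group(2), name)
    return effective


def parse_spam_status(raw_headers):
    """Pull score / tagged_above / required out of an amavis X-Spam-Status."""
    status = HeaderParser().parsestr(raw_headers)["X-Spam-Status"]
    m = STATUS_RE.search(" ".join(status.split()))  # unfold continuation lines
    return {"score": float(m.group(1)),
            "tagged_above": float(m.group(2)),
            "required": float(m.group(3))}


def diagnose(conf_d, raw_headers):
    """Compare the thresholds the header says amavis used with the ones the
    conf.d files would produce, and say where the effective values come from."""
    eff = effective_settings(conf_d)
    status = parse_spam_status(raw_headers)
    tag, _ = eff["sa_tag_level_deflt"]
    tag2, _ = eff["sa_tag2_level_deflt"]
    kill, kill_file = eff["sa_kill_level_deflt"]
    destiny, destiny_file = eff["final_spam_destiny"]
    return {
        # amavis writes sa_tag_level as tagged_above and sa_tag2_level as required
        "header_matches_conf_d": (float(tag) == status["tagged_above"]
                                  and float(tag2) == status["required"]),
        "kill_level_reached": status["score"] >= float(kill),
        "kill_level_set_in": kill_file,
        "spam_destiny": destiny,
        "spam_destiny_set_in": destiny_file,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CONF_D, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against only the 20-debian_defaults stand-in, the check reports that the header does not match conf.d, which is exactly the situation in the first post; with the constructed 50-user added, the thresholds match and the report shows that both the kill level and $final_spam_destiny were set in 50-user. On a real server, read the files from /etc/amavis/conf.d/ instead of the embedded dictionary; keep in mind that ISPConfig may also apply per-recipient policies outside conf.d, so a header that matches none of the files points at that layer.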

