HowtoForge Forums > Linux Forums > Server Operation

#1
6th April 2011, 17:36
tomrichmond

Forwarding SPAM to quarantine.

Hi

I want to forward a copy of each spam email received to a specified email address, but I'm not having any success. Incoming email is filtered correctly, and the headers are altered where they should be, but I never receive a copy of the spam message at my specified email.

I've been looking through the amavisd-new documentation but I can't find a solution.

Is there anybody here who has succeeded in forwarding spam who could explain quite how they did it?

Cheers folks.
#2
11th April 2011, 10:24
dedeon

Re:

I have the same problem as you. I'm waiting for an explanation too. Can somebody help me?
#3
11th April 2011, 15:31
Scratchpad


I use Amavisd with ClamAV for my virus scanning and have it set up so that an email gets sent to virus-alert@example.com whenever a virus is detected.

I also use Amavisd with SpamAssassin to do the same thing for SPAM.

I believe it is the following line (for originating mail), and I think "originating" gets changed to something else for external mail (somebody correct me on this?), in /etc/amavisd.conf, where you can configure where you want the email to go:

Code:
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
And then also in the same /etc/amavisd.conf:

Code:
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.

$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
Then again, within the same config file:

Code:
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;
Make sure you change the settings to your particular needs. The above is from my test Linux box, so the settings are obviously NOT tweaked for production use.

If you don't have Amavisd running, check out any of the "Perfect Setup" tutorials on this site. There is pretty much one for every OS ... the guys are amazing!
#4
12th April 2011, 06:27
dedeon

Re:

Thanks for the reply. I made sure my amavisd.conf configuration is like the one above. For the test, I changed $final_spam_destination = D_PASS and $spam_quarantine_to = spamadmin@mydomain.com. But when I test with a sample spam message, the log indicates that spam was detected and the action is to DISCARD the spam. This is the log:

Apr 11 15:32:02 mail amavis[3774]: (03774-01) Blocked SPAM, <venol@localhost> -> <guest@indra.com>, quarantine: v/spam-vs9ZxfjgcD+i.gz, Message-ID: <20110411083200.GA3806@indra.com>, mail_id: vs9ZxfjgcD+i, Hits: 999.999, size: 1240, 2604 ms
Apr 11 15:32:02 mail postfix/smtp[3819]: 4185621A16: to=<guest@indra.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.06/0.02/0.04/2.6, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=03774-01 - SPAM)
Apr 11 15:32:02 mail postfix/qmgr[3377]: 4185621A16: removed

spamadmin@mydomain.com does not receive the quarantined spam email. What's the problem?
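The log excerpt above contains everything needed to check whether the daemon that produced it is really running with the $final_spam_destiny you think you configured. The following script is an added example (Python; it is not code from the thread or from amavisd-new): it parses the amavis verdict line and the postfix/smtp hand-off line, ties them together through the task id echoed in the SMTP response (id=03774-01), and reports a mismatch when the verdict contradicts the configured destiny. The sample log lines are copied from the post above; the expected-verdict table is the documented meaning of D_PASS, D_BOUNCE, D_REJECT and D_DISCARD.

```python
"""Reconcile amavisd-new verdicts in the mail log with the $final_*_destiny
setting you believe the daemon has loaded.

Added example for this thread; not from amavisd-new or the thread's authors.
"""
import re

# The three log lines from post #4 of the thread, used as sample input.
SAMPLE_LOG = """\
Apr 11 15:32:02 mail amavis[3774]: (03774-01) Blocked SPAM, <venol@localhost> -> <guest@indra.com>, quarantine: v/spam-vs9ZxfjgcD+i.gz, Message-ID: <20110411083200.GA3806@indra.com>, mail_id: vs9ZxfjgcD+i, Hits: 999.999, size: 1240, 2604 ms
Apr 11 15:32:02 mail postfix/smtp[3819]: 4185621A16: to=<guest@indra.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.06/0.02/0.04/2.6, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=03774-01 - SPAM)
Apr 11 15:32:02 mail postfix/qmgr[3377]: 4185621A16: removed
"""

# Level-0 amavisd log entry: "(task) Passed|Blocked CATEGORY, <from> -> <to>, ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[^)]+)\) (?P<verdict>Passed|Blocked) "
    r"(?P<category>[A-Z][A-Z-]*(?: \([^)]*\))?), "
    r"<(?P<sender>[^>]*)> -> (?P<recipients><[^>]*>(?:,<[^>]*>)*)"
    r"(?:, quarantine: (?P<quarantine>[^,\s]+))?"
    r".*?, mail_id: (?P<mail_id>[^,\s]+), Hits: (?P<hits>-?[0-9.]+)"
)

# Postfix smtp client entry for the hand-off to the content filter on :10024.
POSTFIX_SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<(?P<recipient>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*status=(?P<status>\w+) \((?P<response>.*)\)$"
)

# What each $final_*_destiny value should produce in the amavis log line.
EXPECTED_VERDICT = {
    "D_PASS": "Passed",
    "D_BOUNCE": "Blocked",
    "D_REJECT": "Blocked",
    "D_DISCARD": "Blocked",
}


def parse_amavis(line):
    """Return the fields of an amavisd verdict line, or None for other lines."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hits"] = float(ev["hits"])
    return ev


def parse_postfix_smtp(line):
    """Return the fields of a postfix/smtp delivery line, or None.

    The amavisd task id is echoed back in the SMTP response ("id=03774-01"),
    which is what ties the MTA line to the amavis verdict line.
    """
    m = POSTFIX_SMTP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    idm = re.search(r"\bid=(?P<task>[0-9]+-[0-9]+)", ev["response"])
    ev["task"] = idm.group("task") if idm else None
    ev["discarded"] = "discarded" in ev["response"]
    return ev


def reconcile(log_text, configured_destiny, category="SPAM"):
    """Compare each amavis verdict for `category` against the configured destiny.

    Returns a list of (task, status, detail) tuples.  A "mismatch" means the
    daemon that wrote the log is not running with the setting you think it has
    (different config file, or a later override such as a policy bank).
    """
    expected = EXPECTED_VERDICT[configured_destiny]
    amavis_events, mta_events = {}, {}
    for line in log_text.splitlines():
        a = parse_amavis(line)
        if a:
            amavis_events[a["task"]] = a
            continue
        p = parse_postfix_smtp(line)
        if p and p["task"]:
            mta_events[p["task"]] = p

    findings = []
    for task, ev in amavis_events.items():
        if ev["category"].split(" ")[0] != category:  # e.g. "INFECTED (x)" -> INFECTED
            continue
        mta = mta_events.get(task)
        mta_note = f"; MTA saw status={mta['status']} ({mta['response']})" if mta else ""
        if ev["verdict"] != expected:
            detail = (f"log says {ev['verdict']} {ev['category']} (Hits {ev['hits']}) "
                      f"but {configured_destiny} should give {expected}{mta_note}")
            findings.append((task, "mismatch", detail))
        else:
            findings.append((task, "consistent",
                             f"{ev['verdict']} as expected for {configured_destiny}{mta_note}"))
        if ev["quarantine"]:
            findings.append((task, "quarantine",
                             f"copy stored under $QUARANTINEDIR as {ev['quarantine']}"))
    return findings


if __name__ == "__main__":
    for task, status, detail in reconcile(SAMPLE_LOG, "D_PASS"):
        print(f"{task} {status}: {detail}")
```

Run it against the sample with D_PASS and it reports a mismatch for task 03774-01 (Blocked SPAM, MTA told "discarded"), plus the quarantine path v/spam-vs9ZxfjgcD+i.gz relative to $QUARANTINEDIR; with D_DISCARD the same lines are reported as consistent. To feed real data, replace SAMPLE_LOG with the contents of your mail log. When the result is a mismatch, compare what the daemon actually loaded (amavisd-new's `amavisd showconfig` prints the effective values) with the file you are editing before touching the quarantine or admin-notification settings.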
#5
12th April 2011, 15:05
Scratchpad

Quote:
Originally Posted by dedeon
Thanks for the reply. I made sure my amavisd.conf configuration is like the one above. For the test, I changed $final_spam_destination = D_PASS and $spam_quarantine_to = spamadmin@mydomain.com. But when I test with a sample spam message, the log indicates that spam was detected and the action is to DISCARD the spam. This is the log:

Apr 11 15:32:02 mail amavis[3774]: (03774-01) Blocked SPAM, <venol@localhost> -> <guest@indra.com>, quarantine: v/spam-vs9ZxfjgcD+i.gz, Message-ID: <20110411083200.GA3806@indra.com>, mail_id: vs9ZxfjgcD+i, Hits: 999.999, size: 1240, 2604 ms
Apr 11 15:32:02 mail postfix/smtp[3819]: 4185621A16: to=<guest@indra.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.06/0.02/0.04/2.6, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=03774-01 - SPAM)
Apr 11 15:32:02 mail postfix/qmgr[3377]: 4185621A16: removed

spamadmin@mydomain.com does not receive the quarantined spam email. What's the problem?
Just a basic question, but, does the email account spamadmin@mydomain.com exist? Or, is it an alias to another account in /etc/aliases or in your virtual aliases table?
#6
15th April 2011, 13:06
dedeon

Re:

Thanks for the reply. spamadmin@mydomain.com is listed in mysql_virtual_mailbox. I use MySQL to store all virtual accounts. I tested sending a message to spamadmin@mydomain.com and it was successful. But the report about the detected spam is not sent to spamadmin@mydomain.com, and the spam message is not sent to its destination even though I set final_spam_destination to "D_PASS".

What logs do you need to help me?

thanks for the help.
#7
17th April 2011, 15:59
dedeon

help

Maybe someone can help me...
#8
17th April 2011, 18:16
Scratchpad


Hmm, I would double-check that you are not doing a reject somewhere else, and maybe post your amavisd.conf file without comments.
#9
20th April 2011, 18:50
dedeon

my amavisd.conf

Hi, this is my amavisd configuration. I need help.

Quote:
use strict;
$mydomain = 'fadil.com'; # (no useful default)

$myhostname = 'mail.fadil.com'; # fqdn of this host, default by uname(3)

$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g

$TEMPBASE = $MYHOME; # (must be set if other config vars use is), -T

$ENV{TMPDIR} = $TEMPBASE; # used for SA temporary files, by some decoders, etc.

$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1

$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key

$max_servers = 2; # num of pre-forked children (2..30 is common), -m
$max_requests = 20; # retire a child after that many accepts (default 20)

$child_timeout=5*60; # abort child if it does not complete its processing in
# approximately n seconds (default: 8*60 seconds)

$smtpd_timeout = 120; # disconnect session if client is idle for too long
# (default: 8*60 seconds); should be higher than a
# Postfix setting max_idle (default 100s)

@local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket

$inet_socket_port = 10024; # accept SMTP on this local TCP port

@inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP
# (default is qw(127.0.0.1 [::1]) )

# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
$DO_SYSLOG = 1; # (defaults to 0)

$syslog_ident = 'amavis'; # Syslog ident string (defaults to 'amavis')
$syslog_facility = 'mail'; # Syslog facility as a string
# e.g.: mail, daemon, user, local0, ... local7, ...
$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug

# Log file (if not using syslog)
$LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log)

$log_level = 2; # (defaults to 0), -d

# $log_templ = undef; # undef disables by-message level-0 log entries
$log_recip_templ = undef; # undef disables by-recipient level-0 log entries

$final_virus_destiny = D_PASS; # (defaults to D_DISCARD)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)

@viruses_that_fake_sender_maps = (new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
# [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/^/ => 1], # true by default (remove or comment-out if undesired)
));

$virus_admin = "king\@$mydomain";
$spam_admin = "king\@$mydomain";

@spam_admin_maps = ( # by-recipient maps
{'fadil.com' => 'king@fadil.com',
'.' => 'spamalert@example.com'},
# $spam_admin, # the usual default
);

$mailfrom_notify_admin = "king\@$mydomain";
$mailfrom_notify_recip = "king\@$mydomain";
$mailfrom_notify_spamadmin = "king\@$mydomain";

$mailfrom_to_quarantine = ''; # override sender address with null return path


$QUARANTINEDIR = '/var/virusmails'; # -Q
$spam_quarantine_method = 'local:spam/%m.gz';
#$banned_files_quarantine_method = 'local:banned/%m';

$virus_quarantine_to = "king\@$mydomain"; # similar
$banned_quarantine_to = 'banned-quarantine'; # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to = 'king@fadil.com'; # local quarantine

# Add X-Virus-Scanned header field to mail?
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned')

$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it

$defang_virus = 1; # default is false: don't modify mail body
$defang_banned = 1; # default is false: don't modify mail body

$remove_existing_x_scanned_headers= 1; # remove existing X-Virus-Scanned
$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone

@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # retain full original message for virus checking
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives

qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
# qr'^\.zip$', # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives

qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

# qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i, # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type

# block certain double extensions in filenames
qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long
# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
# qr'^\.ani$', # banned animated cursor file(1) type

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
);

$banned_namepath_re = new_RE(

### BLOCKED ANYWHERE

qr'(?# BLOCK Microsoft EXECUTABLES and DLL )
^ (.*\t)? T=(exe-ms|dll) (\t.*)? $'xm, # banned file(1) types, rudimentary

# qr'(?# BLOCK ANY EXECUTABLE )
# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type

# qr'(?# BLOCK THESE TYPES )
# ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types


### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:

# # within traditional gzip and bzip2 allow any name and type
# [ qr'(?#rule-3) ^ (.*\t)? T=(gz|bz2) (\t.*)? $'xmi => 0 ], # allow

# within traditional Unix archives allow any name and type
[ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow

# banned filename extensions (in declared names) anywhere - rudimentary
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (pif|scr) (\t.*)? $'xmi,

# # block anything within a zip
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,


### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES OR CRYPTED:

# # within PC archives allow any types or names at any depth
# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok

# # within certain archives allow leaf members at any depth if crypted
# [ qr'(?# ALLOW ENCRYPTED )
# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # allow crypted leaf members regardless of their name or type
# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# block these MIME types
qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,

# # block rfc2046 MIME types
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi,
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi,
# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm,
# qr'(?#No animated cursors) ^(.*\t)? T=ani (\t.*)? $'xm,

# block certain double extensions in filenames
qr'(?# BLOCK DOUBLE-EXTENSIONS )
^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. \ *
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) [. ]* (\t.*)? $'xmi,

[ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
^ (.*\t)? M=application/(octet-stream|x-msdownload|x-msdos-program)
\t(.*\t)* T=empty (\t.*)? $'xmi
=> 'DISCARD' ],

# [ qr'(?# BLOCK EMPTY MIME PARTS )
# ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],

# # block Class ID (CLSID) extensions in filenames, strict
# qr'(?# BLOCK CLSID-EXTENSIONS )
# ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?
# [^\t\n]* (\t.*)? $'xmi,

# # banned suggested names with three or more consecutive spaces
# qr'(?# BLOCK NAMES WITH SPACES )
# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,

# # block if any component can not be decoded (is encrypted or bad archive)
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,

# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
# \t(.*\t)* N=example\d+[^\t\n]*
# (\t.*)? $'xmi => 0 ],

# banned filename extensions (in suggested names) anywhere - basic
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl) (\t.*)? $'xmi,

# # banned filename extensions (in suggested names) anywhere - basic+cmd
# qr'(?# BLOCK COMMON NAME EXENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl|bat|cmd|com) (\t.*)? $'xmi,

# # banned filename extensions (in suggested names) anywhere - long
# qr'(?# BLOCK MORE NAME EXTENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (
# ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh) (\t.*)? $'xmi,

# qr'(?# BLOCK CURSOR AND ICON NAME EXENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (ani|cur|ico) (\t.*)? $'xmi,

# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,

);

# use old or new style of banned lookup table; not both to avoid confusion
#
# @banned_filename_maps = (); # to disable old-style
$banned_namepath_re = undef; # to disable new-style


%banned_rules = (
'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives
qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary
),
'DEFAULT' => $banned_filename_re,
);


$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting


$localpart_is_case_sensitive = 0; # (default is false)


@score_sender_maps = ({ # a by-recipient hash lookup table

# # per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],

# site-wide opinions about senders (the '.' matches any recipient)
'.' => [ # the _first_ matching sender determines the score boost

new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),

# read_hash("/var/amavis/sender_scores_sitewide"),

{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,

},
], # end of site-wide tables
});

# illustrates the use of regexp lookup table:

@blacklist_sender_maps = ( new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));


$MAXLEVELS = 14; # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500; # (default is undef, no limit)

$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500)

# expiration time of cached results: time to live in seconds
# (how long the result of a virus/spam test remains valid)
$virus_check_negative_ttl= 3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 10*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam = 'dspam';

@decoders = (
['mail', \&do_mime_decode],
['asc', \&do_ascii],
['uue', \&do_ascii],
['hqx', \&do_ascii],
['ync', \&do_ascii],
['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
['gz', \&do_uncompress, 'gzip -d'],
['gz', \&do_gunzip],
['bz2', \&do_uncompress, 'bzip2 -d'],
['lzo', \&do_uncompress, 'lzop -d'],
['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['deb', \&do_ar, 'ar'],
# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
['zip', \&do_unzip],
['7z', \&do_7zip, ['7zr','7za','7z'] ],
['rar', \&do_unrar, ['rar','unrar'] ],
['arj', \&do_unarj, ['arj','unarj'] ],
['arc', \&do_arc, ['nomarch','arc'] ],
['zoo', \&do_zoo, ['zoo','unzoo'] ],
['lha', \&do_lha, 'lha'],
# ['doc', \&do_ole, 'ripole'],
['cab', \&do_cabextract, 'cabextract'],
['tnef', \&do_tnef_ext, 'tnef'],
['tnef', \&do_tnef],
# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder
['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no SA tests that require internet access will be performed.
#
$sa_local_tests_only = 0; # only tests which do not require internet access?
#$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant
# for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
# default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt = 3; # add spam info headers if at, or above that level;
# undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to
# passed mail, adding address extensions;
$sa_kill_level_deflt = 10; #$sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine
$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;
@spam_dsn_cutoff_level_bysender_maps = (
{ # an associative array (hash) lookup table, use lowercase keys
'virgilio.it' => 7, 'mail.ru' => 7, '0451.com' => 7,
'yahoo.co.uk' => 7, 'yahoo.co.jp' => 7, 'nobody@' => 7,
'noreply@' => 0, 'no-reply@' => 0, 'donotreply@' => 0,
'opt-in@' => 0, 'opt-out@' => 0, 'yahoo-dev-null@' => 0,
'.optin-out.com' => 0, 'daily@astrocenter.com' => 0,
'spamadmin@fraunhofer.de'=> 7, # Sophos PureMessage spam bounces
},
\$sa_dsn_cutoff_level, # catchall default value
);

$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
# (only seen when spam is passed and recipient is
# in local_domains*)

$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true


1; # insure a defined return value
Thanks.