Spam still getting through

Discussion in 'Installation/Configuration' started by Meph, Jul 7, 2009.

  1. Meph

    Meph New Member

    I am using Ubuntu Server 9.04 and used the Perfect Server ISPConfig 3 howto for my distribution.

    I have been searching far and wide for answers to my spam problems, most of the answers I have found here in this forum. Here is /etc/amavis/conf.d/20-debian_defaults:

    HTML:
    use strict;
    
    # ADMINISTRATORS:
    # Debian suggests that any changes you need to do that should never
    # be "updated" by the Debian package should be made in another file,
    # overriding the settings in this file.
    #
    # The package will *not* overwrite your settings, but by keeping
    # them separate, you will make the task of merging changes on these
    # configuration files much simpler...
    
    #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
    #       a list of all variables with their defaults;
    #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
    #       a traditional-style commented file  
    #   [note: the above files were not converted to Debian settings!]
    #
    #   for more details see documentation in /usr/share/doc/amavisd-new
    #   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
    
    $QUARANTINEDIR = "$MYHOME/virusmails";
    $quarantine_subdir_levels = 1; # enable quarantine dir hashing
    
    $log_recip_templ = undef;    # disable by-recipient level-0 log entries
    $DO_SYSLOG = 1;              # log via syslogd (preferred)
    $syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
    $syslog_facility = 'mail';
    $syslog_priority = 'debug';  # switch to info to drop debug output, etc
    
    $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
    $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
    
    $inet_socket_port = 10024;   # default listening socket
    
    $sa_spam_subject_tag = '***SPAM*** ';
    $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
    $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
    
    $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
    $sa_local_tests_only = 0;    # only tests which do not require internet access?
    
    # Quota limits to avoid bombs (like 42.zip)
    
    $MAXLEVELS = 14;
    $MAXFILES = 1500;
    $MIN_EXPANSION_QUOTA =      100*1024;  # bytes
    $MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
    
    # You should:
    #   Use D_DISCARD to discard data (viruses)
    #   Use D_BOUNCE to generate local bounces by amavisd-new
    #   Use D_REJECT to generate local or remote bounces by the calling MTA
    #   Use D_PASS to deliver the message
    #
    # Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
    # mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
    # the bounce work to your friendly forwarders, which might not like it at all.
    #
    # On dual-MTA setups, one can often D_REJECT, as this just makes your own
    # MTA generate the bounce message.  Test it first.
    #
    # Bouncing viruses is stupid, always discard them after you are sure the AV
    # is working correctly.  Bouncing real SPAM is also useless, if you cannot
    # D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
    
    $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
    $final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
    $final_spam_destiny       = D_DISCARD;
    $final_bad_header_destiny = D_DISCARD;     # False-positive prone (for spam)
    
    $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
    
    # Set to empty ("") to add no header
    $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
    
    # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
    
    #
    # DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
    #
    # These days, almost all viruses fake the envelope sender and mail headers.
    # Therefore, "virus notifications" became nothing but undesired, aggravating
    # SPAM.  This holds true even inside one's domain.  We disable them all by
    # default, except for the EICAR test pattern.
    #
    
    @viruses_that_fake_sender_maps = (new_RE(
      [qr'\bEICAR\b'i => 0],            # av test pattern name
      [qr/.*/ => 1],  # true for everything else
    ));
    
    @keep_decoded_original_maps = (new_RE(
    # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
      qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
      qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    # qr'^Zip archive data',     # don't trust Archive::Zip
    ));
    
    
    # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
    
    $banned_filename_re = new_RE(
    # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
    
      # block certain double extensions anywhere in the base name
      qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
    
      qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
    
      qr'^application/x-msdownload$'i,                  # block these MIME types
      qr'^application/x-msdos-program$'i,
      qr'^application/hta$'i,
    
    # qr'^application/x-msmetafile$'i,	# Windows Metafile MIME type
    # qr'^\.wmf$',				# Windows Metafile file(1) type
    
    # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
    
    # [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
    # [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
    # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
    # [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives
    
      qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
    # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
    #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
    #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
    #        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
    
    # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
    
      qr'^\.(exe-ms)$',                       # banned file(1) types
    # qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
    );
    # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
    # and http://www.cknow.com/vtutor/vtextensions.htm
    
    
    # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
    
    @score_sender_maps = ({ # a by-recipient hash lookup table,
                            # results from all matching recipient tables are summed
    
    # ## per-recipient personal tables  (NOTE: positive: black, negative: white)
    # 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
    # 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
    # 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
    #                           '.cleargreen.com'           => -5.0}],
    
      ## site-wide opinions about senders (the '.' matches any recipient)
      '.' => [  # the _first_ matching sender determines the score boost
    
       new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
        [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
        [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
        [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
        [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
        [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
        [qr'^(your_friend|greatoffers)@'i                                => 5.0],
        [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
       ),
    
    #  read_hash("/var/amavis/sender_scores_sitewide"),
    
       { # a hash-type lookup table (associative array)
         'nobody@cert.org'                        => -3.0,
         'cert-advisory@us-cert.gov'              => -3.0,
         'owner-alert@iss.net'                    => -3.0,
         'slashdot@slashdot.org'                  => -3.0,
         'securityfocus.com'                      => -3.0,
         'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
         'security-alerts@linuxsecurity.com'      => -3.0,
         'mailman-announce-admin@python.org'      => -3.0,
         'amavis-user-admin@lists.sourceforge.net'=> -3.0,
         'amavis-user-bounces@lists.sourceforge.net' => -3.0,
         'spamassassin.apache.org'                => -3.0,
         'notification-return@lists.sophos.com'   => -3.0,
         'owner-postfix-users@postfix.org'        => -3.0,
         'owner-postfix-announce@postfix.org'     => -3.0,
         'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
         'sendmail-announce-request@lists.sendmail.org' => -3.0,
         'donotreply@sendmail.org'                => -3.0,
         'ca+envelope@sendmail.org'               => -3.0,
         'noreply@freshmeat.net'                  => -3.0,
         'owner-technews@postel.acm.org'          => -3.0,
         'ietf-123-owner@loki.ietf.org'           => -3.0,
         'cvs-commits-list-admin@gnome.org'       => -3.0,
         'rt-users-admin@lists.fsck.com'          => -3.0,
         'clp-request@comp.nus.edu.sg'            => -3.0,
         'surveys-errors@lists.nua.ie'            => -3.0,
         'emailnews@genomeweb.com'                => -5.0,
         'yahoo-dev-null@yahoo-inc.com'           => -3.0,
         'returns.groups.yahoo.com'               => -3.0,
         'clusternews@linuxnetworx.com'           => -3.0,
         lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
         lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
    
         # soft-blacklisting (positive score)
         'sender@example.net'                     =>  3.0,
         '.example.net'                           =>  1.0,
    
       },
      ],  # end of site-wide tables
    });
    
    1;  # ensure a defined return
    
    As you see $final_spam_destiny is set to D_DISCARD but I'm still getting spam that is being labeled but not discarded.

    here is an example header from an email that got through:

    HTML:
    Return-Path: <xxxx@xxxx.com>
    Received: from localhost (localhost [127.0.0.1])
         by host.example.com (Postfix) with ESMTP id 10E811007B8
         for <user@example.com>; Tue, 7 Jul 2009 12:59:46 +0000 (UTC)
    X-Virus-Scanned: Debian amavisd-new at host.example.com
    X-Spam-Flag: YES
    X-Spam-Score: 19.043
    X-Spam-Level: *******************
    X-Spam-Status: Yes, score=19.043 tagged_above=3 required=6
         tests=[BAYES_99=3.5, HELO_DYNAMIC_HCC=4.295, HTML_IMAGE_ONLY_20=1.546,
         HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457,
         RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1,
         URIBL_AB_SURBL=1.86, URIBL_JP_SURBL=1.501, URIBL_OB_SURBL=1.5,
         URIBL_WS_SURBL=1.5] autolearn=spam
    Received: from host.example.com ([127.0.0.1])
         by localhost (host.example.com [127.0.0.1]) (amavisd-new, port 10024)
         with ESMTP id FEEQMtUdyjCV for <user@example.com>;
         Tue, 7 Jul 2009 12:59:39 +0000 (UTC)
    Received: from bl8-161-37.dsl.telepac.pt (bl8-161-37.dsl.telepac.pt [85.241.161.37])
         by host.example.com (Postfix) with ESMTP id 8513010075D
         for <user@example.com>; Tue, 7 Jul 2009 12:59:37 +0000 (UTC)
    From: sapmmer@spamhost.com
    To: user@example.com
    Subject: ***SPAM*** For you
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    Message-Id: <20090707125938.8513010075D@host.example.com>
    Date: Tue, 7 Jul 2009 12:59:37 +0000 (UTC)
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You have to edit the 50-user file and not 20-debian_defaults
     

Share This Page