Posts Tagged spamassassin
Posted by mike Filed Under Spam Control with Comments Off
Adjusting Spamassassin Rules
In this example the headers from four emails are captured and used to adjust the rules that let through email which should have been rejected, so the rule scores need to be changed.
First do some research on what the rules mean so that you are not adjusting rules that could potentially cause you a lot of problems.
http://wiki.apache.org/spamassassin/Rules
Here are the examples of headers:
Yes, score=5.33 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=0.726, HTML_MESSAGE=0.001, RCVD_IN_BRBL_LASTEXT=1.644, RCVD_IN_RP_RNBL=1.284, URIBL_BLACK=1.775] autolearn=no
Yes, score=5.267 tagged_above=2 required=4.2 tests=[DATE_IN_PAST_12_24=0.804, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105, RDNS_NONE=1.274, TO_NO_BRKTS_DIRECT=1.448] autolearn=no
No, score=3.118 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.626, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.504, SINGLE_HEADER_1K=0.597, SUSPICIOUS_RECIPS=2.497] autolearn=no
No, score=2.787 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=2.775, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_TO_NO_BRKTS_FREEMAIL=0.01] autolearn=no
Adjusting Spamassassin Rules
RCVD_IN_BRBL_LASTEXT
This is a rule based on the Barracuda Reputation System, which generates a list of IPs that have a reputation for sending Spam. This rule is therefore a good candidate for a score increase. In fact, you may want to increase the score dramatically.
RDNS_NONE
There is no reverse DNS available for the host. If there are several relays this could mean that the first relay did not have a reverse DNS option. This is a good indication of a spammer.
SUSPICIOUS_RECIPS
This rule looks for similarities among the addresses found in the Cc: and Bcc: header fields, for example all of the addresses starting with joe@. This is very likely Spam. You can see it has already been given a high score.
Edit /etc/mail/spamassassin/local.cf and add the rule adjustments you want to implement.
##### Score Adjustments #####
score RCVD_IN_BRBL_LASTEXT 3.6
score RDNS_NONE 2.1
score SUSPICIOUS_RECIPS 4.1
##############################
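To see what a score change does before you commit it to local.cf, here is an added example (editor's code, not from the post) that parses X-Spam-Status lines like the four above, re-applies the three overrides, and reports which messages would now cross the required threshold. The header lines are copied from the post; the function names are the editor's.

```python
import re

# Sample input: the four X-Spam-Status lines quoted in the post, copied verbatim.
SAMPLE_HEADERS = [
    "Yes, score=5.33 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
    "DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=0.726, HTML_MESSAGE=0.001, "
    "RCVD_IN_BRBL_LASTEXT=1.644, RCVD_IN_RP_RNBL=1.284, URIBL_BLACK=1.775] autolearn=no",
    "Yes, score=5.267 tagged_above=2 required=4.2 tests=[DATE_IN_PAST_12_24=0.804, "
    "HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105, RDNS_NONE=1.274, "
    "TO_NO_BRKTS_DIRECT=1.448] autolearn=no",
    "No, score=3.118 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
    "DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.626, HTML_MESSAGE=0.001, "
    "RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.504, SINGLE_HEADER_1K=0.597, "
    "SUSPICIOUS_RECIPS=2.497] autolearn=no",
    "No, score=2.787 tagged_above=2 required=4.2 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
    "DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.1, FREEMAIL_FROM=0.001, "
    "FREEMAIL_REPLYTO=2.775, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, "
    "T_TO_NO_BRKTS_FREEMAIL=0.01] autolearn=no",
]

# The "score RULE value" overrides added to local.cf in the post.
OVERRIDES = {"RCVD_IN_BRBL_LASTEXT": 3.6, "RDNS_NONE": 2.1, "SUSPICIOUS_RECIPS": 4.1}

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No), score=(?P<score>-?[\d.]+) tagged_above=(?P<tag>-?[\d.]+) "
    r"required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\] autolearn=(?P<autolearn>\w+)$"
)


def parse_spam_status(line):
    """Parse one X-Spam-Status value into its verdict, totals and per-rule scores."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised X-Spam-Status line: %r" % line)
    tests = {}
    for item in m.group("tests").split(","):
        name, sep, value = item.strip().partition("=")
        if sep:  # an empty tests=[] list yields one empty item; skip it
            tests[name] = float(value)
    return {
        "flagged": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def rescore(parsed, overrides):
    """Recompute the total with per-rule overrides; returns (total, [(rule, old, new)])."""
    total = 0.0
    changed = []
    for name, value in parsed["tests"].items():
        if name in overrides:
            changed.append((name, value, overrides[name]))
            value = overrides[name]
        total += value
    return round(total, 3), changed


def evaluate(lines, overrides):
    """Old versus new verdict for every header line under the proposed overrides."""
    results = []
    for line in lines:
        p = parse_spam_status(line)
        new_score, changed = rescore(p, overrides)
        results.append({
            "old_score": p["score"],
            "new_score": new_score,
            "required": p["required"],
            "was_spam": p["flagged"],
            "now_spam": new_score >= p["required"],
            "changed": changed,
        })
    return results


if __name__ == "__main__":
    for i, r in enumerate(evaluate(SAMPLE_HEADERS, OVERRIDES), 1):
        verdict = "spam" if r["now_spam"] else "ham"
        print("message %d: %.3f -> %.3f (required %.1f) => %s" % (
            i, r["old_score"], r["new_score"], r["required"], verdict))
        for name, old, new in r["changed"]:
            print("   %s: %.3f -> %.1f" % (name, old, new))
```

With the post's three overrides, the third message (previously 3.118, "No") climbs to 4.721 and is now tagged, while the fourth is untouched because none of its rules were changed.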
Posted by mike Filed Under Spam Control with Comments Off
Global Manual Whitelist
Once you have set up Spamassassin so it is working and have run it for some time, you may want to tune it with whitelists and blacklists. The whitelist provides a way to ensure that mail from a particular source will never get rejected. These may be important clients, users on the system, or messages from servers that do not necessarily have the right credentials for sending mail. Your company may have important clients whose email has characteristics that put it on the edge with Spamassassin, and you want to make sure you do not lose an email. Or you may have users on the system who do not always follow the best protocol for how they construct messages, but you want to make sure their mail is not rejected. An important use for whitelists is when you have servers sending logs, error messages, or monitoring information to a mail account and this mail does not have the format or the sender format that Spamassassin expects. If you are looking for documentation of this information check out our Postfix Mail Server Manual.
The whitelist automatically reduces the spam score for a sender listed in it. The score is reduced by 100 points, so there is very little chance of the mail being rejected.
The procedure for using a whitelist is straightforward. Use the directive whitelist_from to list any sources that you want to ensure get whitelisted.
Edit the /etc/mail/spamassassin/local.cf file to place these entries. Listed is the default contents of this file.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Add your whitelists to the file, save and restart Spamassassin.
whitelist_from tom@example.com
whitelist_from *@example.com *@goodexample.com
whitelist_from mail.server@myexample.com
When you list a user or source, list what you see in the Resent-From, From, Envelope-Sender, Resent-Sender or X-Envelope-From headers. The wildcard "*" can be used to cover all of the users for a domain, as in the examples above.
You can remove users that you place in the whitelist with unwhitelist_from.
unwhitelist_from tom@example.com
You may want to review the information found in 60_whitelist.cf which Spamassassin uses automatically as there may be some users listed that you want to remove.
You have an additional option for sender whitelisting. You can use whitelist_from_rcvd, which does a reverse DNS lookup to verify the IP Address of the last trusted relay. So basically what it is doing is looking up the IP of where the mail came from to make sure it came from an IP Address on the sender's network. Now, this has a couple of problems. First, you are using precious resources doing reverse DNS lookups. And second, depending on how the sender's network is designed, you may have problems verifying the IP Address. Here is how you can use it to drop the score 100 points.
whitelist_from_rcvd tom@example.com example.com
Note that what you are requiring is that the mail sent by tom must come from a mail server on the example.com domain.
Whitelist Recipients
There are three separate levels of whitelisting you can perform for recipients. If you had a user who did not want any spam checks on their account, you would use this method. The whitelist_to directive can match the Resent-To, Resent-Cc, To, Apparently-To, Delivered-To, Envelope-Recipients, Apparently-Resent-To, X-Envelope-To, Envelope-To, X-Delivered-To, X-Original-To, X-Rcpt-To, X-Real-To, or Cc headers.
The three levels can be used like this:
whitelist_to tom@mycompany.com (lowers score by 6)
or
more_spam_to tom@mycompany.com (lowers score by 20)
or
all_spam_to tom@mycompany.com (lowers score by 100)
Posted by mike Filed Under Spam Control with Comments Off
There will be times when you have your Postfix Mail Server set up and Spam is under control, and all of a sudden you will see a new wave of Spam hit your site. This article will help you see how you can make some small adjustments to cut down on new waves of Spam. Here is an example of the new wave of Spam I started getting. I will take you through a few steps I used to eliminate this new wave.
Prospector specializes in delivering results for brokers, lenders as well as mortgage products and services
companies nationwide. If you need to jump-start your company’s sales or originations, we can help.
We understand the industry from the inside out and are the only B2B marketer that can GUARANTEE results
with every campaign. An industry leader for almost a decade, Prospector has the largest active network of loan
producers in the nation who are actively seeking help with their businesses.
We specialize in the following areas;
* FHA, Commercial, Hard Money, Reverse, Conventional Programs
* Loan Modification Networks and Affiliates
* MTG Training and Education
* Lead Generators
* Loan Processing and Compliance
Step #1: Check Your Logs
When you check your logs you are looking for several things. One important thing is the level at which Spamassassin rated this particular email; you can see the Hits at 6.353. Because my setup uses Amavisd-new, the hit levels and what results from them are set in the /etc/amavisd.conf file. The other thing I pick up from the logs is the IP Address of the mail server that is sending the Spam.
Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: EHLO hyperbiz1.com
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: MAIL FROM:<noreply@hyperbiz1.com>
Aug 14 12:23:54 ns postfix/smtpd[7279]: extract_addr: input: <noreply@hyperbiz1.
Step #2: Drop Hit Levels
Here are the amavisd.conf hit levels; you can see that the hit level above was 6.3 and the trigger to block the email is at 6.8. An easy solution when you start seeing new Spam is to slowly reduce the hit level. So what I did was reduce the 6.8 down to 6.0 and then reduce the "spam detected" level from 6.2 to 5.8. This is a small adjustment but it made a big difference.
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.8; # triggers spam evasive actions (e.g. blocks mail)
Be sure to reload amavisd when you are done making changes. Remember, amavisd is what controls Spamassassin in this set up.
./amavisd reload
Daemon [28054] terminated by SIGTERM, waiting for dust to settle…
becoming a new daemon…
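Before lowering the kill level, it helps to replay the last few days of amavisd log lines against the proposed levels. The following is an added example (editor's code, not from the post): it pulls the Hits, sender IP and mail_id out of "Passed"/"Blocked" lines like the one in Step #1, shows what the old and new tag2/kill levels would have done with each message, and counts messages per source IP. The first log line is the one from the post; the other three are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Sample input: the amavisd line from the post plus three constructed lines.
SAMPLE_LOG = """\
Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:31:02 ns amavis[30026]: (30026-12) Passed CLEAN, [192.0.2.10] [192.0.2.10] <alice@example.org> -> <person@example.com>, Message-ID: <constructed-1@example.org>, mail_id: ConstructA01, Hits: 1.102, size: 1800, queued_as: B0B0B0B0B0B, 420 ms
Aug 14 12:35:40 ns amavis[30026]: (30026-13) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <other@example.com>, Message-ID: <constructed-2@hyperbiz1.com>, mail_id: ConstructA02, Hits: 6.601, size: 2650, queued_as: C1C1C1C1C1C, 5010 ms
Aug 14 12:40:11 ns amavis[30026]: (30026-14) Blocked SPAM, [198.51.100.7] [198.51.100.7] <x@spam.example> -> <person@example.com>, Message-ID: <constructed-3@spam.example>, mail_id: ConstructA03, Hits: 12.4, size: 3000, 3900 ms
"""

# amavisd summary line: action, category, client IP (optionally repeated), envelope
# sender/recipient, then mail_id and Hits further along the line.
LOG_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<category>[A-Z-]+), "
    r"\[(?P<ip>[^\]]+)\](?: \[[^\]]+\])? <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>"
    r".*?mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?[\d.]+)"
)


def parse_amavis_log(text):
    """Return one dict per amavisd summary line; lines from other daemons are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["hits"] = float(e["hits"])
            entries.append(e)
    return entries


def classify(entries, tag2_level, kill_level):
    """Group mail_ids by what amavisd would do at the given tag2/kill levels."""
    out = {"kill": [], "tag2": [], "pass": []}
    for e in entries:
        if e["hits"] >= kill_level:
            out["kill"].append(e["mail_id"])
        elif e["hits"] >= tag2_level:
            out["tag2"].append(e["mail_id"])
        else:
            out["pass"].append(e["mail_id"])
    return out


def spam_sources(entries, level):
    """Count, per sending IP, the messages scoring at or above `level`."""
    return Counter(e["ip"] for e in entries if e["hits"] >= level)


if __name__ == "__main__":
    entries = parse_amavis_log(SAMPLE_LOG)
    for tag2, kill in ((6.2, 6.8), (5.8, 6.0)):   # the post's old and new levels
        c = classify(entries, tag2, kill)
        print("tag2=%.1f kill=%.1f: killed=%s tagged=%s passed=%s"
              % (tag2, kill, c["kill"], c["tag2"], c["pass"]))
    print("sources at or above 5.8:", dict(spam_sources(entries, 5.8)))
```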
Now one question you may ask is why not write a header check or some other regular-expression check. The answer is that the last thing you want to do is write a lot of special rules. Try to control Spam by using general principles that reduce Spam overall, because if one wave of Spam is getting through, another is on the way from someone else.
Posted by mike Filed Under Uncategorized with Comments Off
Install Amavisd-New on CentOS 5
Amavisd-new isn’t in the CentOS repositories, so the first thing you’ll need to do is to install the Dag Wieers/RPMForge repository into your YUM configuration. First, go to the Dag Wieers/RPMForge website.
http://dag.wieers.com/rpm/FAQ.php#B
Copy and paste the appropriate command for your Red Hat-style distro to the command-line of your local computer.
To keep the RPMForge packages from overriding official CentOS packages, install the YUM Priorities plug-in.
yum install yum-priorities
Then, open the /etc/yum/pluginconf.d/priorities.conf file, and verify that the following lines are present:
[main]
enabled = 1
Open the /etc/yum.repos.d/CentOS-Base.repo file, or whatever its equivalent is for your distro, and add the line:
priority=1
to the “base”, “addons”, “updates”, and “extras” sections of the file. Add the line:
priority=2
to the “centosplus” and “contrib” sections of the file. (Again, the section names may vary, depending on which particular distro that you’re running.)
Open the /etc/yum.repos.d/rpmforge.repo file, and add the line:
priority=11
To test your configuration, run the command,
yum check-update
When it finishes, you should see a line similar to:
818 packages excluded due to repository priority protections
ClamAV and Spamassassin Install
Before you install amavisd-new you will want to install both clamav and spamassassin as it will make it easier when you install amavisd-new.
yum install clamav clamav-milter spamassassin
You will need to edit /etc/default/spamassassin to get it to start. Change ENABLED to 1.
ENABLED=1
service spamassassin start
Amavisd-new Installation
This program ties the scanning programs ClamAV and SpamAssassin to Postfix.
yum install amavisd-new
To start the program it is best to run it in debug mode.
/usr/sbin/amavisd debug
Use CTRL+C to stop it.
Setup Requirements for amavisd-new
You need to add a user and group that can run the amavisd daemon. Create the group first so that the user can be placed in it.
groupadd vscan
useradd -g vscan vscan
Create a directory for the program:
mkdir /var/vscan
Create these sub-directories:
mkdir /var/vscan/tmp
mkdir /var/vscan/var
mkdir /var/vscan/db
mkdir /var/vscan/home
Change ownership and permissions for the vscan.
chown -R vscan:vscan /var/vscan
chmod -R 750 /var/vscan
Edit the /etc/amavisd.conf
The key to this file is to edit the MYHOME to reflect the change to /var/vscan. Other settings are evaluated later in this document.
Each major section of the /etc/amavisd.conf file will be examined with explanations.
# COMMONLY ADJUSTED SETTINGS:
# @bypass_virus_checks_maps = (1); # controls running of anti-virus code
# @bypass_spam_checks_maps = (1); # controls running of anti-spam code
# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
You have the option to bypass virus and spam checks. The primary reason for this choice would be to reduce the load on your server. If you want to bypass a check uncomment the line. When mail is processed by amavisd it follows this order:
1. virus scan
2. banned email
3. spam scan
4. invalid header scan
This order has a purpose: the most dangerous category is evaluated first and the least dangerous last. This order may cause greater load on the server, but it has been considered more important in the long run.
Be sure that you set up a user and group for use with amavisd. Here the user and group that were created are vscan. Enter that information into this section of the conf file.
$daemon_user = 'vscan'; # (no default; customary: vscan or amavis), -u
$daemon_group = 'vscan'; # (no default; customary: vscan or amavis), -g
Enter the correct domain for your server.
$mydomain = 'example.com'; # a convenient default for other settings
The $MYHOME setting is critical to getting amavisd to work correctly. The /var/vscan directory will need to be created and its permissions set. Here is a list of the important files and directories that should exist in /var/vscan.
/var/vscan
total 32
drwxr-xr-x 7 vscan vscan 4096 Sep 18 06:22 .
drwxr-xr-x 22 root root 4096 Jul 12 06:06 ..
-rw-r----- 1 vscan vscan 0 Sep 18 17:21 amavisd.lock
-rw-r----- 1 vscan vscan 6 Sep 18 06:22 amavisd.pid
srwxr-x--- 1 vscan vscan 0 Sep 18 06:22 amavisd.sock
drwxr-xr-x 2 vscan vscan 4096 Sep 18 06:22 db
drwxr-xr-x 2 vscan vscan 4096 Sep 29 2007 home
drwx------ 2 vscan vscan 4096 Sep 19 05:51 .spamassassin
drwxr-xr-x 7 vscan vscan 4096 Sep 19 05:51 tmp
drwxr-xr-x 2 vscan vscan 4096 Sep 29 2007 var
The quarantine directory /var/virusmails must also be created and its permissions set. This directory is used to hold spam or infected email for further review. The mail is gzip-compressed to save space, which can still become an issue over time. How many emails land in the quarantine depends on your settings: whether you are saving infected email, and at what spam level a message is quarantined. These settings are reviewed below.
$MYHOME = '/var/vscan'; # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = '/var/virusmails'; # -Q
This section simply shows you the directories that are in the /var/vscan folder and what they are used for.
# $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
# $lock_file = "$MYHOME/var/amavisd.lock"; # -L
# $pid_file = "$MYHOME/var/amavisd.pid"; # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
The amavisd log level helps you find the information you need. The default log level is 0. On a mail server that you have just set up, or when you need lots of information to evaluate the mail system, increase the level; level 5 is not an overwhelming amount of data. You can see that the system uses syslog. If your Linux version is not using syslog you will need to modify the setup to reflect the logging system you are using.
$log_level = 0; # verbosity 0..5, -d
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_facility = 'mail'; # Syslog facility as a string
# e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug
This line lists the socket port that should be listening. Note this is only on the localhost and will not allow connections from the Internet. This is the port you should have set up with Postfix.
$inet_socket_port = 10024; # listen on this local TCP port(s)
Spam levels are set within amavisd not within Spamassassin. When mail is analyzed for Spam it is evaluated by Spamassassin and given a numerical score. These scores are derived from an analysis of the entire message. Messages with a Spam score of 1.9 or less are considered safe from Spam mail and will be delivered with no restrictions. If the returned score is 2 or greater amavisd will then perform additional alterations of the email if so configured. Listed below are the default levels in which amavisd performs. The first tag will by default alert the system but pass the mail onto the user’s MUA.
The tag2 level is set at 6.2 which modifies the header with a Spam header which is determined by this setting further down in the amavisd.conf. One thought is to alter this header so that it will not be confused by any other headers set by additional programs that a user can configure. The mail is passed on to the user’s MUA which may take additional action based on this Spam header. So if mail does not arrive at the user it could be that the MUA is dumping the mail based on this header.
$sa_spam_subject_tag = '***SPAM*** ';
The kill level takes an entirely different action. Once the kill level is reached the mail is either bounced or deleted, depending on the options that you select. The DSN (delivery status notification) is set at 10, anything above that will not receive any notification. Note that there is also an option to turn off the quarantine once a message reaches a certain level, the default is 25.
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
This is the reinjection port once the mail has gone through the content filter.
# $notify_method = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
These are the default settings for how to handle detected viruses, banned mail and Spam. You can uncomment a line and change the outcome to D_DISCARD, D_BOUNCE or D_PASS.
# $final_virus_destiny = D_DISCARD;
# $final_banned_destiny = D_BOUNCE;
# $final_spam_destiny = D_BOUNCE;
# $final_bad_header_destiny = D_PASS;
Connecting amavisd-new to Postfix
In creating a connection with Postfix it is important not to send the mail back into Postfix on port 25, which would create a mail loop. So it is important to create a connection to a separate port to bring back mail that has been scanned. amavisd-new listens on port 10024 by default.

You must add a content filter connection to the main.cf.
content_filter = amavisd-new:[127.0.0.1]:10024
Testing the Connection for ESMTP Commands
$ telnet localhost 10024
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
EHLO mail.example.com
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PROTO HELO
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.
Now create a transport in the master.cf file.
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: “man 5 master”).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
amavisd-new unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
This setup uses a copy of the typical smtp transport. The name that you list must be exactly the same as the name in the content_filter setting in main.cf. The maximum number of concurrent processes is set to 2 to help manage resources; this should be reviewed after the server has been running for a while. The increased timeout helps when amavisd-new takes an extended time, so that Postfix does not give up.
Configure a Reinjection Path
This is a way for amavisd-new to send mail back into the Postfix queue without creating a loop.
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: “man 5 master”).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
amavisd-new unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
The reason many of these smtpd restrictions are set to = with nothing after it is that Postfix has already run these checks and you want to make sure they are not run again. Remember you are sending the output back to your queue, so you do not want to repeat what you have already done and you do not want to create a loop.
Posted by mike Filed Under Virus Control with Comments Off
Install of Amavisd-New on Ubuntu 8.10
One of the most frustrating problems with setting up any mail server is the configuration required for anti-virus protection and Spam checking. Amavisd-new provides an excellent tool to help in setting that up. This is a step-by-step process in providing your mail server, the example is Ubuntu 8.10, with the ability to scan all incoming mail for viruses and Spam.
apt-get install amavisd-new
Starting Amavisd-New
In order to get amavisd-new running, execute the command below to run it in debug mode so you can see what it is doing. One thing you will notice is that by default there is no virus program attached, nor any scanning for Spam, as both are disabled by default. The points to note here are the modules it is using, the ports, and the general look and feel of the program.
/etc/init.d/amavis debug
Trying to run amavisd-new in debug mode…
Jan 9 12:46:47.927 nag.example.com /usr/sbin/amavisd-new[4384]: starting. /usr/sbin/amavisd-new at nag.example.com amavisd-new-2.6.1 (20080629), Unicode aware, LANG="en_US.UTF-8"
Jan 9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: user=, EUID: 112 (112); group=, EGID: 123 123 (123 123)
Jan 9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: Perl version 5.010000
Jan 9 12:46:47.980 nag.example.com /usr/sbin/amavisd-new[4384]: INFO: no optional modules: IO::Socket::INET6
Jan 9 12:46:47.982 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: 2009/01/09-12:46:47 Amavis (type Net::Server::PreForkSimple) starting! pid(4384)
Jan 9 12:46:47.987 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to UNIX socket file /var/lib/amavis/amavisd.sock using SOCK_STREAM
Jan 9 12:46:47.988 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Jan 9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Group Not Defined. Defaulting to EGID '123 123'
Jan 9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: User Not Defined. Defaulting to EUID '112'
Jan 9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Setting up serialization via flock
Jan 9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: after_chroot_init: EUID: 112 (112); EGID: 123 123 (123 123)
Jan 9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: config files read: /usr/share/amavis/conf.d/10-debian_scripts, /usr/share/amavis/conf.d/20-package, /etc/amavis/conf.d/01-debian, /etc/amavis/conf.d/05-domain_id, for .tar tried: pax
Jan 9 12:46:48.037 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for .tar at /bin/cpio
Jan 9 12:46:48.038 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for .deb at /usr/bin/ar
—cut—
Enable Virus Checks and Spam Checks
Verify that clamav is running.
sudo /etc/init.d/clamav-daemon start
Modify this line in /etc/default/spamassassin
ENABLED=1
It is 0 by default so you must enable Spamassassin to be able to run, now start it.
sudo /etc/init.d/spamassassin start
To enable amavisd-new to work with Spamassassin and clamav you need to modify /etc/amavis/conf.d/15-content_filter_mode. Uncomment the lines as the root user so they look like the example, then restart amavisd-new in debug mode to view the activity. You will now see that clamav and Spamassassin are working with amavisd-new.
15-content_filter_mode
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
Jan 9 12:54:47.978 nag.example.com /usr/sbin/amavisd-new[4563]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan 9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: FRISK F-Prot Antivirus
Jan 9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: Trend Micro FileScanner
Jan 9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: drweb – DrWeb Antivirus
Jan 9 12:54:47.980 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: KasperskyLab kavscanner
Jan 9 12:54:48.003 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: initializing Mail::SpamAssassin
Jan 9 12:54:48.004 nag.example.com /usr/sbin/amavisd-new[4563]: SpamAssassin debug facilities: info
Jan 9 12:54:49.559 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: init_pre_fork on SpamAssassin done
Jan 9 12:54:49.576 nag.example.com /usr/sbin/amavisd-new[4573]: SpamControl: init_child on SpamAssassin done
Finish the Amavisd-New Configuration
Create the necessary user and folders as root.
# useradd vscan
# mkdir /var/vscan
# mkdir /var/vscan/tmp
# mkdir /var/vscan/var
# mkdir /var/vscan/db
# mkdir /var/vscan/home
# chown -R vscan:vscan /var/vscan
# chmod -R 750 /var/vscan
Creating a Reinjection Port
The process that you see below shows how mail arrives at the server and is then sent to a content_filter on port 10024, on to the qmgr and then to amavisd-new which then executes the scanning with both Spamassassin and clamav. When the scanning is complete you do not want to send the scanned mail back to port 10024 because you will create a loop. So you need to create a reinjection port so that the mail that has been scanned will be recognized as complete. The reinjection port that is used is port 10025. This section will now show you how to set up those two ports and activate Spamassassin and clamav.

Edit main.cf and Add Content Filter
#Amavisd SetUp
content_filter=amavisd-new:[127.0.0.1]:10024
Edit master.cf and Add Reinjection
amavisd-new unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
Add clamav to the group amavis
amavis:x:123:clamav
Send an email and watch the system as it runs in debug mode.
sendmail -f mike@example.com tom@example.com </etc/postfix/main.cf
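The content_filter transport and the 10025 reinjection listener have to agree with each other, in both the CentOS and the Ubuntu setups above, or mail either bounces off a missing transport or loops back into amavisd. The following added example (editor's code, not from the post or from Postfix) reads main.cf and master.cf text, honours master.cf continuation lines, and checks the loop-prevention points the post calls out: the transport named in content_filter exists as a unix smtp service, and the reinjection smtpd clears content_filter= and accepts only localhost. The config text is constructed from the post's fragments.

```python
import re

# Constructed from the main.cf and master.cf fragments in the post.
MAIN_CF = """\
myhostname = mail.example.com
content_filter = amavisd-new:[127.0.0.1]:10024
"""

MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
amavisd-new unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
"""


def parse_master_cf(text):
    """Map (service name, type) -> fields and '-o' overrides from master.cf text."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Postfix treats a line beginning with whitespace as part of the previous service.
            if current is None:
                raise ValueError("continuation line before any service: %r" % raw)
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m:
                current["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf service line: %r" % raw)
        current = {"maxproc": fields[6], "command": fields[7],
                   "args": fields[8:], "options": {}}
        services[(fields[0], fields[1])] = current
    return services


def content_filter_setting(main_cf):
    """Return (transport, nexthop) from main.cf's content_filter line, or (None, None)."""
    for line in main_cf.splitlines():
        m = re.match(r"^\s*content_filter\s*=\s*([^:\s]+):(\S*)", line)
        if m:
            return m.group(1), m.group(2)
    return None, None


def lint_amavis_integration(main_cf, master_cf, reinject="127.0.0.1:10025"):
    """Return a list of problems; an empty list means filter and reinjection are consistent."""
    problems = []
    services = parse_master_cf(master_cf)
    transport, nexthop = content_filter_setting(main_cf)
    if transport is None:
        problems.append("main.cf has no content_filter setting")
    else:
        svc = services.get((transport, "unix"))
        if svc is None:
            problems.append("content_filter transport %r has no unix service in master.cf" % transport)
        elif svc["command"] != "smtp":
            problems.append("transport %r should run the smtp client, not %s" % (transport, svc["command"]))
        if nexthop.endswith(":" + reinject.rsplit(":", 1)[1]):
            problems.append("content_filter points at the reinjection port; that is a mail loop")
    listener = services.get((reinject, "inet"))
    if listener is None:
        problems.append("no inet smtpd listener %s for reinjection in master.cf" % reinject)
    else:
        opts = listener["options"]
        if listener["command"] != "smtpd":
            problems.append("%s must run smtpd" % reinject)
        if opts.get("content_filter") != "":
            problems.append("%s must set content_filter= (empty) or scanned mail loops back to amavisd" % reinject)
        if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
            problems.append("%s should use smtpd_recipient_restrictions=permit_mynetworks,reject" % reinject)
        if opts.get("mynetworks") != "127.0.0.0/8":
            problems.append("%s should limit mynetworks to 127.0.0.0/8" % reinject)
    return problems


if __name__ == "__main__":
    print(lint_amavis_integration(MAIN_CF, MASTER_CF) or "OK: no problems found")
    # Same config with the loop guard removed from the reinjection listener.
    print(lint_amavis_integration(MAIN_CF, MASTER_CF.replace("  -o content_filter=\n", "")))
```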
Review File Contents for Amavisd-New
cd /etc/amavis/conf.d
Once you have installed amavisd-new you will find a number of files that make up the configuration for amavisd-new and how it interacts with Spamassassin and clamav. These files, at least the important parts, are listed here with a brief description.
01-debian
These are the paths to the various compression and archive tools that amavisd-new uses to unpack attachments. Do not modify.
# SETTINGS RARELY MODIFIED BY THE LOCAL ADMIN
$ENV{PATH} = $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file';
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$rpm2cpio = ['rpm2cpio.pl','rpm2cpio'];
$cabextract = 'cabextract';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
#$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat']; #disabled (non-free, no security support)
$unfreeze = undef;
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj'];
#$unrar = ['rar', 'unrar']; #disabled (non-free, no security support)
$unrar = ['unrar-free'];
$zoo = 'zoo';
#$lha = 'lha'; #disabled (non-free, no security support)
$lha = undef;
$pax = 'pax';
$cpio = 'cpio';
$ar = 'ar';
$ripole = 'ripole';
$dspam = 'dspam';
1; # ensure a defined return
05-domain_id
# amavisd-new needs to know which email domains are to be considered local
# to the administrative domain. Only emails to "local" domains are subject
# to certain functionality, such as the addition of spam tags.
#
# Default local domains to $mydomain and all subdomains. Remember to
# override or redefine this if $mydomain is changed later in the config
# sequence.
@local_domains_acl = ( ".$mydomain" );
1; # ensure a defined return
05-node_id
If you have problems with your FQDN you can alter that manually here.
# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).
chomp($myhostname = `hostname --fqdn`);
15-av_scanners
This file holds the information required for amavisd to locate the virus scanners you may have installed on your box.
15-content_filter_mode
This file turns off by default the ability of amavisd-new to scan for virus activity or check for spam.
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#
#@bypass_virus_checks_maps = (
# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#
#@bypass_spam_checks_maps = (
# \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return
21-ubuntu_defaults
There are settings here that you can modify to determine the action your machine should take when it discovers either a virus email or spam.
use strict;
#
# These are Ubuntu specific defaults for amavisd-new configuration
#
# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
$enable_dkim_verification = 1;
# Don’t be verbose about sending mail:
@whitelist_sender_acl = qw( .$mydomain );
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$warnbannedsender = 1;
$warnbadhsender = 1;
$virus_admin = undef;
$spam_admin = undef;
25-amavis_helpers
Functionality required for amavis helpers like amavis-release.
30-template_localization
read_l10n_templates('en_US', '/etc/amavis');
40-policy_banks
# DKIM signing domain whitelist. The domain to use is the domain after
# d= in the DKIM header.
@author_to_policy_bank_maps = ( {
# 'friends.example.net' => 'WHITELIST,NOBANNEDCHECK',
# 'user1@cust.example.net' => 'WHITELIST,NOBANNEDCHECK',
'.ebay.com' => 'WHITELIST',
'.ebay.co.uk' => 'WHITELIST',
'ebay.at' => 'WHITELIST',
'ebay.ca' => 'WHITELIST',
'ebay.de' => 'WHITELIST',
'ebay.fr' => 'WHITELIST',
'.paypal.co.uk' => 'WHITELIST',
'.paypal.com' => 'WHITELIST', # author signatures
'./@paypal.com' => 'WHITELIST', # 3rd-party sign. by paypal.com
'alert.bankofamerica.com' => 'WHITELIST',
'amazon.com' => 'WHITELIST',
'cisco.com' => 'WHITELIST',
'.cnn.com' => 'WHITELIST',
'skype.net' => 'WHITELIST',
'welcome.skype.com' => 'WHITELIST',
'cc.yahoo-inc.com' => 'WHITELIST',
'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST',
# 'google.com' => 'MILD_WHITELIST',
# 'googlemail.com' => 'MILD_WHITELIST',
# './@googlegroups.com' => 'MILD_WHITELIST',
# './@yahoogroups.com' => 'MILD_WHITELIST',
# './@yahoogroups.co.uk' => 'MILD_WHITELIST',
# './@yahoogroupes.fr' => 'MILD_WHITELIST',
# 'yousendit.com' => 'MILD_WHITELIST',
# 'meetup.com' => 'MILD_WHITELIST',
# 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST',
} );
50-user
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
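As an added example (not from the post or the Ubuntu package), here is a 50-user file that re-enables the checks using the same three-map lists that 15-content_filter_mode leaves commented out, and overrides the Ubuntu defaults above. The threshold values, the log level and the postmaster address are assumptions chosen for illustration.

```perl
use strict;

# 50-user overrides the earlier files, so the checks can be switched on here
# instead of editing 15-content_filter_mode directly.
@bypass_spam_checks_maps = (
  \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
@bypass_virus_checks_maps = (
  \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Score thresholds (assumed values):
$sa_tag_level_deflt  = 2.0;   # add X-Spam-* headers at or above this score
$sa_tag2_level_deflt = 4.2;   # add the subject tag at or above this score
$sa_kill_level_deflt = 6.0;   # apply $final_spam_destiny at or above this score
$sa_dsn_cutoff_level = 10;    # never send a bounce for mail scoring above this

# While tuning rules, tag spam rather than discard it (21-ubuntu_defaults
# sets D_DISCARD), so that a rule that fires on good mail stays visible.
$final_spam_destiny  = D_PASS;
$final_virus_destiny = D_DISCARD;

# Subject tag added at the tag2 level (the trailing space is intentional)
$sa_spam_subject_tag = '***SPAM*** ';

# Send spam notifications to a local mailbox for review (assumed address;
# $mydomain comes from 05-domain_id)
$spam_admin = "postmaster\@$mydomain";

# Log a little more detail while tuning (0 = quiet, 5 = very verbose)
$log_level = 2;

1;  # ensure a defined return
```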
Posted by mike Filed Under Spam Control with 2 Comments
SpamAssassin uses tests that check the mail headers, the body, IP addresses and checksums to find patterns that indicate spam. It uses pattern-based scores for patterns found in the headers, the body or the attachments, and network-based tests that perform DNS lookups or query RBL lists.
If you look in the /usr/share/spamassassin directory you will see a list of the tests that are performed by SpamAssassin.
The tests used by SpamAssassin, and therefore by amavisd, are located in /usr/share/spamassassin. They consist of over 1000 tests on various parts of an arriving email, including checks for known spammers; in total there are thousands of rules set up in this directory. Each test file contains a number of rules that will be evaluated. The file names are largely self-explanatory, but here is some additional information that will help. Ratware is the name for the programs spammers use to send their email; these specially designed programs leave signatures that can be detected. 10_misc.cf defines the templates used to report spam. 20_compensate.cf creates negative scores for good properties of a mail that indicate it is not spam. 50_scores.cf contains the score for each rule. 60_whitelist.cf is where common addresses are listed. Here is a listing of the directory.
# ls /usr/share/spamassassin/
10_misc.cf 25_accessdb.cf 30_text_nl.cf
20_advance_fee.cf 25_antivirus.cf 30_text_pl.cf
20_anti_ratware.cf 25_body_tests_es.cf 30_text_pt_br.cf
20_body_tests.cf 25_body_tests_pl.cf 50_scores.cf
20_compensate.cf 25_dcc.cf 60_awl.cf
20_dnsbl_tests.cf 25_dkim.cf 60_whitelist.cf
20_drugs.cf 25_domainkeys.cf 60_whitelist_dk.cf
20_fake_helo_tests.cf 25_hashcash.cf 60_whitelist_dkim.cf
20_head_tests.cf 25_pyzor.cf 60_whitelist_spf.cf
20_html_tests.cf 25_razor2.cf 60_whitelist_subject.cf
20_meta_tests.cf 25_replace.cf languages
20_net_tests.cf 25_spf.cf sa-update-pubkey.txt
20_phrases.cf 25_textcat.cf sa-update.cron
20_porn.cf 25_uribl.cf triplets.txt
20_ratware.cf 30_text_de.cf user_prefs.template
20_uri_tests.cf 30_text_fr.cf
23_bayes.cf 30_text_it.cf
Here is an example taken from the 20_head_tests.cf file. Note that some tests require a specific version, which is listed at the top. The test name is written in CAPS with underscores, followed by the regular expression or eval function used to evaluate the rule. The line underneath provides a description of the rule. The score for each rule is listed in 50_scores.cf.
require_version 3.001007
header HEAD_LONG eval:check_msg_parse_flags('truncated_header')
describe HEAD_LONG Message headers are very long
# partial messages; currently-theoretical attack
# unsurprisingly this hits 0/0 right now.
header FRAGMENTED_MESSAGE Content-Type =~ /\bmessage\/partial/i
describe FRAGMENTED_MESSAGE Partial message
header MISSING_HB_SEP eval:check_msg_parse_flags('missing_head_body_separator')
describe MISSING_HB_SEP Missing blank line between message header and body
header UNPARSEABLE_RELAY eval:check_relays_unparseable()
tflags UNPARSEABLE_RELAY userconf
describe UNPARSEABLE_RELAY Informational: message has unparseable relay lines
Each test looks similar to what you see here. These are header tests, so they start with the word "header" followed by the name of the test in CAPS. The actual expression of the test is on the right hand side. The first one is a regular expression that matches a From: header containing only an address and no real name. The second line is a description of the test. The second test uses a regular expression to check for a From: header whose display name is an empty quoted string.
header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
describe NO_REAL_NAME From: does not include a real name
header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i
describe FROM_BLANK_NAME From: contains empty name
Each test has a score that is associated with it in the 50_scores.cf file which is also located in /usr/share/spamassassin. The score adds to the email total score which determines if it is Spam.
score NO_REAL_NAME 0 0.550 0 0.961
The scores have 4 fields. The first is the score added when neither the network tests nor the Bayesian tests are in use; in NO_REAL_NAME this is 0. The second score applies when network tests are in use and Bayesian tests are not. The third score applies when Bayesian tests are in use but network tests are not. The final score applies when both network tests and Bayesian tests are in use.
score FROM_BLANK_NAME 1.659 1.467 0.936 1.534
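To show how the two header rules and the four score columns above combine into a message score, here is an added example (not part of the post or of SpamAssassin) that runs the NO_REAL_NAME and FROM_BLANK_NAME regular expressions over constructed From: values and picks the score column from the network/Bayes flags. The Perl patterns are translated to Python `re` syntax; the sample headers are constructed.

```python
import re

# Score lines copied from the 50_scores.cf excerpt in the post.
# Columns: no net/no Bayes, net only, Bayes only, net + Bayes.
SCORE_LINES = """\
score NO_REAL_NAME 0 0.550 0 0.961
score FROM_BLANK_NAME 1.659 1.467 0.936 1.534
"""

# Header rules from the 20_head_tests.cf excerpt, in Python re syntax.
HEADER_RULES = {
    "NO_REAL_NAME": re.compile(r'^["\s]*<?\S+@\S+>?\s*$'),
    "FROM_BLANK_NAME": re.compile(r'(?:\s|^)"" <\S+>', re.I),
}


def parse_scores(text):
    """Return {rule: [s1, s2, s3, s4]}; a single-value line applies to all four."""
    scores = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        vals = [float(v) for v in parts[2:]]
        if len(vals) == 1:
            vals = vals * 4
        scores[parts[1]] = vals
    return scores


def score_column(network, bayes):
    """Map the two runtime flags to the column index SpamAssassin uses."""
    return {(False, False): 0, (True, False): 1,
            (False, True): 2, (True, True): 3}[(network, bayes)]


def score_from_header(from_value, scores, network=True, bayes=True):
    """Run the header rules over a From: value; return (total, {rule: score})."""
    col = score_column(network, bayes)
    hits = {name: scores[name][col]
            for name, rx in HEADER_RULES.items() if rx.search(from_value)}
    return round(sum(hits.values()), 3), hits


if __name__ == "__main__":
    table = parse_scores(SCORE_LINES)
    for hdr in ("Bob Smith <bob@example.com>", "bob@example.com",
                '"" <spam@example.net>'):          # constructed samples
        print(repr(hdr), score_from_header(hdr, table))
```

A display name with no quotes avoids both rules, while an empty quoted name trips both, so the same header scores 1.659 with no network or Bayes tests and 2.495 with both enabled.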
Posted by mike Filed Under Spam Control with Comments Off
One way you may choose to manage the mail that comes to the Postfix server is to use the locales setting that is part of SpamAssassin. If you cannot read other languages there is really no need to run them through your mail system. So, for example, if you wanted to limit email to English you would edit the following file:
/etc/mail/spamassassin/local.cf
ok_locales en
This will treat any mail in character sets other than Western as spam. Here are the options that you have:
en – Western character sets in general
ja – Japanese character sets
ko – Korean character sets
ru – Cyrillic character sets
th – Thai character sets
zh – Chinese (both simplified and traditional) character sets
all – Allow all character sets
This is an easy setting to help clean up mail that you cannot read anyway.