Hello,
I have now found the conf and changed it.
Unfortunately without much success.
Attached I am sending you the amavis conf.:
#
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
#
# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
# (these should be considered policy options, they do not disable checks,
# see bypas*checks for that!)
#
# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
# the access list @virus_lovers_acl - see README.lookups and examples.
# Make sure the appropriate form (e.g. external/internal) of address
# is used in case of virtual domains, or when mapping external to internal
# addresses, etc. - this is MTA-specific.
#
# Notifications would still be generated however (see the overall
# picture above), and infected mail (if passed) gets additional header:
# X-AMaViS-Alert: INFECTED, message contains virus: ...
# (header not inserted with milter interface!)
#
# NOTE (milter interface only): in case of multiple recipients,
# it is only possible to drop or accept the message in its entirety - for all
# recipients. If all of them are virus lovers, we'll accept mail, but if
# at least one recipient is not a virus lover, we'll discard the message.
# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
# lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
#
# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
# are used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
#
# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
# do NOT GUARANTEE the message will NOT be checked for viruses - this may
# still happen when there is more than one recipient for a message, and
# not all of them match these lookup tables. To guarantee virus delivery,
# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
# (but see milter limitations above),
# NOTE: it would not be clever to base virus checks on SENDER address,
# since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, ...),
# use mechanisms provided by MTA if available.
# Similar to lookup tables controlling virus checking, there exist
# spam scanning, banned names/types, and headers_checks control counterparts:
# %spam_lovers, @spam_lovers_acl, $spam_lovers_re
# %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
# %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
# and:
# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
# %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
# %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
# See README.lookups for details about the syntax.
# The following example disables spam checking altogether,
# since it matches any recipient e-mail address (any address
# is a subdomain of the top-level root DNS domain):
# @bypass_spam_checks_acl = qw( . );
# @bypass_header_checks_acl = qw( user@example.com );
# @bad_header_lovers_acl = qw( user@example.com );
# See README.lookups for further detail, and examples below.
# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
# $virus_lovers{lc('postmaster@example.com')} = 1;
# $virus_lovers{lc('abuse@example.com')} = 1;
# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
#or:
# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
#
# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
# @virus_lovers_acl = qw( postmaster@example.com );
# $virus_lovers_re = new_RE( qr'(helpdesk|postmaster)@example\.com$'i );
# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
# $spam_lovers{lc('postmaster@example.com')} = 1;
# $spam_lovers{lc('abuse@example.com')} = 1;
# @spam_lovers_acl = qw( !.example.com );
# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
# don't run spam check for these RECIPIENT domains:
# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
# or the other way around (bypass check for all BUT these):
# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
# a practical application: don't check outgoing mail for spam:
# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
# (a downside of which is that such mail will not count as ham in SA bayes db)
# Where to find SQL server(s) and database to support SQL lookups?
# A list of triples: (dsn,user,passw). (dsn = data source name)
# Specify more than one for multiple (backup) SQL servers.
# See 'man DBI', 'man DBD::mysql', 'DBD::Pg', ... for details.
#
# @lookup_sql_dsn =
# ( ['DBI:mysql:mail:host1', 'some-username1', 'some-password1'],
# ['DBI:mysql:mail:host2', 'some-username2', 'some-password2'] );
# ('mail' in the example is the database name, choose what you like)
# With PostgreSQL the dsn (first element of the triple) may look like:
# 'DBI:Pg:host=host1;dbname=mail'
# The SQL select clause to fetch per-recipient policy settings.
# The %k will be replaced by a comma-separated list of query addresses
# (e.g. full address, domain only, catchall). Use ORDER, if there
# is a chance that multiple records will match - the first match wins.
# If field names are not unique (e.g. 'id'), the later field overwrites the
# earlier in a hash returned by lookup, which is why we use '*,users.id'.
# No need to uncomment the following assignment if the default is ok.
# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
# ' ORDER BY users.priority DESC';
#
# The SQL select clause to check sender in per-recipient whitelist/blacklist
# The first SELECT argument '?' will be users.id from recipient SQL lookup,
# the %k will be sender addresses (e.g. full address, domain only, catchall).
# The default value is:
# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
# ' WHERE (rid=?) AND (sid=mailaddr.id) AND (mailaddr.email IN (%k))'.
# ' ORDER BY mailaddr.priority DESC';
#
# To disable SQL white/black list, set to undef (otherwise comment-out
# the following statement, leaving it at the default value):
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
# If you decide to pass viruses (or spam) to certain recipients using the
# above lookup tables or using $final_virus_destiny=1, you can set
# the variable $addr_extension_virus ($addr_extension_spam) to some
# string, and the recipient address will have this string appended
# as an address extension to the local-part of the address. This extension
# can be used by final local delivery agent to place such mail in different
# folders. Leave these two variables undefined or empty strings to prevent
# appending address extensions. Setting has no effect on recipient which will
# not be receiving viruses/spam. Recipients who do not match lookup tables
# local_domains* are not affected.
#
# LDAs usually default to stripping away address extension if no special
# handling is specified, so having this option enabled normally does no harm,
# provided the $recipients_delimiter matches the setting on the final
# MTA's LDA.
# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
# $addr_extension_banned = 'banned'; # (default is undef, same as empty)
# Delimiter between local part of the recipient address and address extension
# (which can optionally be added, see variables $addr_extension_virus and
# $addr_extension_spam). E.g. recipient address <user@example.com> gets changed
# to <user+virus@example.com>.
#
# Delimiter should match equivalent (final) MTA delimiter setting.
# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
# Setting it to an empty string or to undef disables this feature
# regardless of $addr_extension_virus and $addr_extension_spam settings.
$recipient_delimiter = '+'; # (default is '+')
# true: replace extension; false: append extension
# $replace_existing_extension = 1; # (default is false)
# Affects matching of localpart of e-mail addresses (left of '@')
# in lookups: true = case sensitive, false = case insensitive
$localpart_is_case_sensitive = 0; # (default is false)
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
# senders even if the message is recognized as spam. Effectively, for the
# specified senders, message RECIPIENTS temporarily become 'spam_lovers', with
# further processing being the same as otherwise specified for spam lovers.
# It does not turn off inserting spam-related headers, if they are enabled.
#
# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
# Effectively, for messages from blacklisted senders, spam level
# is artificially pushed high, and the normal spam processing applies,
# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
# reactions to spam, including possible rejection. If the message nevertheless
# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
# in the 'X-Spam-Status' header field, but the reported spam value and
# set of tests in this report header field (if available from SpamAssassin,
# which may have not been called) is not adjusted.
#
# A sender may be both white- and blacklisted at the same time,
# settings are independent. For example, being both white- and blacklisted,
# message is delivered to recipients, but is tagged as spam.
#
# If ALL recipients of the message either white- or blacklist the sender,
# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
#
# The following variables (lookup tables) are available, with the semantics
# and syntax as specified in README.lookups:
#
# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
# SOME EXAMPLES:
#
#ACL:
# @whitelist_sender_acl = qw( .example.com );
#
# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
# NOTE: This is not a reliable way of turning off spam checks for
# locally-originating mail, as sender address can easily be faked.
# To reliably avoid spam-scanning outgoing mail,
# use @bypass_spam_checks_acl .
#RE:
# $whitelist_sender_re = new_RE(
# qr'^postmaster@.*\bexample\.com$'i,
# qr'^owner-[^@]*@'i, qr'-request@'i,
# qr'\.example\.com$'i );
#
$blacklist_sender_re = new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
#HASH lookup variant:
# NOTE: Perl operator qw splits its argument string by whitespace
# and produces a list. This means that addresses can not contain
# whitespace, and there is no provision for comments within the string.
# You can use the normal Perl list syntax if you have special requirements,
# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read
# addresses from a file.
#
# a hash lookup table can be read from a file,
# one address per line, comments and empty lines are permitted:
#
# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');
# ... or set directly:
# $whitelist_sender{''} = 1; # don't spam-check MTA bounces
map { $whitelist_sender{lc($_)}=1 } (qw(
cert-advisory-owner@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@Lists.Sendmail.ORG
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
spamassassin-talk-admin@lists.sourceforge.net
yahoo-dev-null@yahoo-inc.com
returns.groups.yahoo.com
));
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
# The same semantics as for global white/blacklisting applies, but this
# time each recipient (or its domain, or subdomain, ...) can be given
# an individual lookup table for matching senders. The per-recipient lookups
# override the global lookups, which serve as a fallback default.
# Specify a two-level lookup table: the key for the outer table is recipient,
# and the result should be an inner lookup table (hash or ACL or RE),
# where the key used will be the sender.
#
#$per_recip_blacklist_sender_lookup_tables = {
# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )],
#};
#$per_recip_whitelist_sender_lookup_tables = {
# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
# '.my2.example.com' => read_hash('/var/amavis/my2-wl.dat'),
# 'abuse@' => { 'postmaster@'=>1,
# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
#};
#
# Section VI - Resource limits
#
# Sanity limit to the number of allowed recipients per SMTP transaction
# $smtpd_recipient_limit = 1000; # (default is 1000)
# Resource limitations to protect against mail bombs (e.g. 42.zip)
# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14; # (default is undef, no limit)
# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500; # (default is undef, no limit)
# For the cumulative total of all decoded mail parts we set max storage size
# to defend against mail bombs. Even though parts may be deleted (replaced
# by decoded text) during decoding, the size they occupied is _not_ returned
# to the quota pool.
#
# Parameters to storage quota formula for unpacking/decoding/decompressing
# Formula:
# quota = max($MIN_EXPANSION_QUOTA,
# $mail_size*$MIN_EXPANSION_FACTOR,
# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
# In plain words (later condition overrules previous ones):
# allow MAX_EXPANSION_FACTOR times initial mail size,
# but not more than MAX_EXPANSION_QUOTA,
# but not less than MIN_EXPANSION_FACTOR times initial mail size,
# but never less than MIN_EXPANSION_QUOTA
#
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
#
# Section VII - External programs, virus scanners
#
# Specify a path string, which is a colon-separated string of directories
# (no trailing slashes!) to be assigned to the environment variable PATH
# and to serve for locating external programs below.
# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
# relative to the chroot directory specified;
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# Specify one string or a search list of strings (first match wins).
# The string (or: each string in a list) may be an absolute path,
# or just a program name, to be located via $path;
# Empty string or undef (=default) disables the use of that external program.
# Optionally command arguments may be specified - only the first substring
# up to the whitespace is used for file searching.
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, same options
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = 'cpio'; # comment out if cpio does not support GNU options
# SpamAssassin settings
# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no tests that require internet access will be performed.
#
$sa_local_tests_only = 1; # (default: false)
#$sa_auto_whitelist = 1; # turn on AWL (default: false)
$sa_mail_body_size_limit = 64*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
# default: undef, no limitations
# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
#
# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
# may also be hashrefs to hash lookup tables, to make static per-recipient
# settings possible without having to resort to SQL or LDAP lookups.
# a quick reference:
# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
# kill_level controls 'evasive actions' (reject, quarantine, extensions);
# it only makes sense to maintain the relationship:
# tag_level <= tag2_level <= kill_level
# string to prepend to Subject header field when message exceeds tag2 level
#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disables)
# (only seen when spam is not to be rejected
# and recipient is in local_domains*)
#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
# Example: modify Subject for all local recipients except user@example.com
#$sa_spam_modifies_subj = [qw( !user@example.com . )];
# @av_scanners is a list of n-tuples, where fields semantics is:
# 1. av scanner plain name, to be used in log and reports;
# 2. scanner program name; this string will be submitted to subroutine
# find_external_programs(), which will try to find the full program
# path name; if program is not found, this scanner is disabled.
# Besides a simple string (full program path name or just the basename
# to be looked for in PATH), this may be an array ref of alternative
# program names or full paths - the first match in the list will be used;
# As a special case for more complex scanners, this field may be
# a subroutine reference, and the whole n-tuple is passed to it as args.
# 3. command arguments to be given to the scanner program;
# a substring {} will be replaced by the directory name to be scanned,
# i.e. "$tempdir/parts"
# 4. an array ref of av scanner exit status values, or a regexp (to be
# matched against scanner output), indicating NO VIRUSES found;
# 5. an array ref of av scanner exit status values, or a regexp (to be
# matched against scanner output), indicating VIRUSES WERE FOUND;
# Note: the virus match prevails over a 'not found' match, so it is safe
# even if 4. matches for viruses too;
# 6. a regexp (to be matched against scanner output), returning a list
# of virus names found.
# 7. and 8.: (optional) subroutines to be executed before and after scanner
# (e.g. to set environment or current directory);
# see examples for these at KasperskyLab AVP and Sophos sweep.
# NOTES:
#
# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
# (which can be handy if all you want to do is spam scanning);
#
# - the order matters: although _all_ available entries from the list are
# always tried regardless of their verdict, scanners are run in the order
# specified: the report from the first one detecting a virus will be used
# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
#
# - it doesn't hurt to keep an unused command line scanner entry in the list
# if the program can not be found; the path search is only performed once
# during the program startup;
#
# COROLLARY: to disable a scanner that _does_ exist on your system,
# comment out its entry or use undef or '' as its program name/path
# (second parameter). An example where this is almost a must: disable
# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
# program happens to have a name matching one of the entries ('sweep'
# again comes to mind);
#
# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
# for interfacing (where the second parameter starts with \&).
# Keeping such entry and not having a corresponding virus scanner daemon
# causes an unnecessary connection attempt (which eventually times out,
# but it wastes precious time). For this reason the daemonized entries
# are commented in the distribution - just remove the '#' where needed.
@av_scanners = (
# ### http://www.vanja.com/tools/sophie/
# ['Sophie',
# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],
# ### http://clamav.elektrapro.com/
# ['Clam Antivirus-clamd',
# \&ask_daemon, ["CONTSCAN {}\n", '/var/amavis/clamd'],
# qr/\bOK$/, qr/\bFOUND$/,
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd,
# # match the socket name in clamav.conf to the socket name in this entry
# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
# ### http://www.f-prot.com/
# ['FRISK F-Prot Daemon',
# \&ask_daemon,
# ["GET {}/*?-dumb%20-archive HTTP/1.0\r\n\r\n",
# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
# '127.0.0.1:10203','127.0.0.1:10204'] ],
# qr/(?i)<summary[^>]*>clean<\/summary>/,
# qr/(?i)<summary[^>]*>infected<\/summary>/,
# qr/(?i)<name>(.+)<\/name>/ ],
# ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp','kavscanner'],
# '-* -P -B -Y -O- {}', [0,3,8], [2,4], # any use for -A -K ?
# qr/infected: (.+)/,
# sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
# ],
# NOTE: not sure which entry suits which kavscanner version
# ['KasperskyLab kavscanner 4.5', ['/opt/kav/bin/kavscanner','kavscanner'],
# '-i1 -xp {}', [0], [5,20,21,25],
# qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
# ],
# ['KasperskyLab AVPDaemonClient',
# [ '/opt/AVP/kavdaemon', 'kavdaemon',
# '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
# '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
# '/opt/AVP/avpdc', 'avpdc' ],
# '{}', [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
# change the startup-script in /etc/init.d/kavd to:
# DPARMS="-I0 -Y -* /var/amavis"
# adjusting /var/amavis above to match your $TEMPBASE.
# NOTE: cd /opt/AVP/DaemonClients; configure; cd Sample; make
# cp AvpDaemonClient /opt/AVP/
### http://www.hbedv.com/ or http://www.centralcommand.com/
# ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
# ['antivir','vexira'],
# '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
# qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
# (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
# NOTE: remove the -z if you only have a demo version
### http://www.commandsoftware.com/
# ['Command AntiVirus for Linux', 'csav',
# '-all -archive -packed {}', [50], [51,52,53],
# qr/Infection: (.+)/ ],
### http://www.symantec.com/
# ['Symantec CarrierScan via Symantec CommandLineScanner',
# ['cscmdline','savsecls'],
# '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
# qr/Files Infected: 0/, qr/^Infected: /,
# qr/Info:\s+(.+)/ ],
### http://drweb.imshop.de/
# ['DrWeb Antivirus for Linux/FreeBSD/Solaris', 'drweb',
# '-al -ar -fm -go -ha -ml -ot -sd -up {}',
# [0], [1], sub {('no-name')} ],
### http://www.f-secure.com/products/anti-virus/#
# ['F-Secure Antivirus', 'fsav',
# '--dumb --archive {}', [0], [3,8],
# qr/(?:infection|Infected): (.+)/ ],
# ['CAI InoculateIT', 'inocucmd',
# '-sec -nex {}', [0], [100],
# qr/was infected by virus (.+)/ ],
# ['MkS_Vir for Linux (beta)', ['mks32','mks'],
# '-s {}/*', [0], [1,2],
# qr/--[ \t]*(.+)/ ],
# ['MkS_Vir daemon',
# 'mksscan', '-s -q {}', [0], [1..7],
# qr/^... (\S+)/ ],
### http://www.nod32.com/
# ['ESET Software NOD32', 'nod32',
# '-all -subdir+ {}', [0], [1,2],
# qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
### http://www.nod32.com/
# ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
# '-a -r -d recurse --heur standard {}', [0], [10,11],
# qr/^\S+\s+infected:\s+(.+)/ ],
### http://www.norman.com/products_nvc.shtml
['Norman Virus Control v5 / Linux', 'nvccmd',
'-c -l:0 -s -u {}', [0], [1],
qr/(?i).* virus in .* -> \'(.+)\'/ ],
### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
# '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
# qr/Number of files infected[ \.]*: 0(?!\d)/,
# qr/Number of files infected[ \.]*: 0*[1-9]/,
# qr/Found virus :\s*(\S+)/ ],
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)
### http://www.nai.com/
# ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
# '--secure -rv --summary --noboot {}', [0], [13],
# qr/(?x) Found (?:
# \ the\ (.+)\ (?:virus|trojan) |
# \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
# :\ (.+)\ NOT\ a\ virus)/,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# ],
# NOTE with RH9: force the dynamic linker to look at /lib/libc.so.6 before
# anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
### http://www.virusbuster.hu/en/
['VirusBuster', ['vbuster', 'vbengcl'],
# VirusBuster Ltd. does not support the daemon version for the workstation
# engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
# binaries, some parameters AND return codes (from 3 to 1) changed.
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],
# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
# # HINT: for an infected file it returns always 3,
# # although the man-page tells a different story
# '-f -log scandir {}', [0], [3],
# qr/Virus found = (.*);/ ],
### http://www.cyber.com/
['CyberSoft VFind', 'vfind',
'--vexit {}', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
],
### http://www.ikarus-software.com/
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
### http://www.bitdefender.com/
['BitDefender', 'bdc',
'--all --arc {}', qr/^Infected files *:0(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)\033/ ],
);
# If no virus scanners from the @av_scanners list produce 'clean' nor
# 'infected' status (e.g. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried.
# When there are both daemonized and command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary,
# move entries from one list to another as desired.
@av_scanners_backup = (
### http://clamav.elektrapro.com/
['Clam Antivirus - clamscan', 'clamscan',
'--stdout --disable-summary -r {}', [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
### http://www.f-prot.com/
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)/ ],
### http://www.trendmicro.com/
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
# Commented out because the name 'sweep' clashes with the Debian package of
# the same name. Make sure the correct sweep is found in the path when enabling
#
# ### http://www.sophos.com/
# ['Sophos Anti Virus (sweep)', 'sweep',
# '-nb -f -all -rec -ss -sc -archive {}',
# [0,2], qr/Virus .*? found/,
# qr/^>>> Virus(?:(?: fragment)? '?(.+?)'? found)/,
# # sub {$ENV{SAV_IDE}='/usr/local/sav'},
# ],
);
#
# Section VIII - Debugging
#
# The most useful debugging tool is to run amavisd-new non-detached
# from a terminal window: # amavisd debug
# Some more refined approaches:
# If sender matches ACL, turn debugging fully up, just for this one message
#@debug_sender_acl = ( "test-sender\@$mydomain" );
#@debug_sender_acl = qw( debug@example.com );
# May be useful along with @debug_sender_acl:
# Prevent all decoded originals being deleted (replaced by decoded part)
#$keep_decoded_original_re = new_RE( qr/.*/ );
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
#$sa_debug = 1; # defaults to false
#-------------
1; # insure a defined return
I am also attaching part of the maillog.
Mar 29 13:41:44 linux postfix/smtpd[4680]: connect from localhost[127.0.0.1]
Mar 29 13:41:44 linux postfix/smtpd[4680]: 4D5C91AA6D: client=localhost[127.0.0.1]
Mar 29 13:41:44 linux postfix/cleanup[4682]: 4D5C91AA6D: message-id=<200403291341.41060.Ulf Lange <>>
Mar 29 13:41:44 linux postfix/qmgr[4660]: 4D5C91AA6D: from=<>, size=484, nrcpt=1 (queue active)
Mar 29 13:41:44 linux amavis[3509]: (03509-02) lookup_ip_acl: key="127.0.0.1" matches "127.0.0.1", result=1
Mar 29 13:41:44 linux amavis[3509]: (03509-02) prolong_timer after new request - timer reset: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-02) SMTP> 220 [127.0.0.1] ESMTP amavisd-new service ready
Mar 29 13:41:44 linux amavis[3509]: (03509-02) prolong_timer after reading SMTP command: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-02) SMTP< EHLO linux.local\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP> 250-[127.0.0.1]
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP> 250-PIPELINING
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP> 250-SIZE
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP> 250-8BITMIME
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP> 250 ENHANCEDSTATUSCODES
Mar 29 13:41:44 linux amavis[3509]: (03509-02) prolong_timer after reading SMTP command: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-02) ESMTP< MAIL FROM:<> SIZE=484\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-02) prolong_timer after MAIL FROM received - timer reset: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_acl: key="", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP> 250 2.1.0 Sender OK
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after reading SMTP command: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP< RCPT TO:<u303208@127.0.0.1>\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP> 250 2.1.5 Recipient u303208@127.0.0.1 OK
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after reading SMTP command: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP< DATA\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after DATA received - timer reset: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP::10024 /var/spool/amavis/amavis-20040329T134144-03509: <> -> <u303208@127.0.0.1> Received: SIZE=484 from linux.local ([127.0.0.1]) by localhost (linux [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03509-03 for <u303208@127.0.0.1>; Mon, 29 Mar 2004 13:41:44 +0200 (CEST)
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP> 354 End data with <CR><LF>.<CR><LF>
Mar 29 13:41:44 linux postfix/smtpd[4680]: disconnect from localhost[127.0.0.1]
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP< .\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-03) body hash: 3d4fd7c3133fc5c7210848c495227de2
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Original mail size: 467; quota set to: 233500 bytes
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Checking: <> -> <u303208@127.0.0.1>
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_acl: key="u303208@127.0.0.1", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_acl: key="u303208@127.0.0.1", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Extracting mime components
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Issued a new file name: part-00001
Mar 29 13:41:44 linux amavis[3509]: (03509-03) mime_decode: Content-type: text/plain, name:
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Charging 11 bytes to remaining quota 233500 (out of 233500, (0%)) - by mime_decode
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after mime_decode-1: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Checking for banned MIME types and names
Mar 29 13:41:44 linux amavis[3509]: (03509-03) check_for_banned - mime-type: text/plain
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_RE: key="text/plain", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_acl: key="u303208@127.0.0.1", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) decode_parts: level=1, #parts=1 : part-00001
Mar 29 13:41:44 linux amavis[3509]: (03509-03) run_command: [4683] /usr/bin/file /var/spool/amavis/amavis-20040329T134144-03509/parts/part-00001 </dev/null 2>/dev/null
Mar 29 13:41:44 linux amavis[3509]: (03509-03) File-type of part-00001: ASCII text; (.asc)
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_acl: key="u303208@127.0.0.1", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Checking for banned (contents-based) file types, 1 parts
Mar 29 13:41:44 linux amavis[3509]: (03509-03) check_for_banned (part-00001) - file type: .asc
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_RE: key=".asc", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) check_for_banned (part-00001) - file type: ASCII text
Mar 29 13:41:44 linux amavis[3509]: (03509-03) lookup_RE: key="ASCII text", no match
Mar 29 13:41:44 linux amavis[3509]: (03509-03) do_ascii: Decoding part part-00001 (0 items)
Mar 29 13:41:44 linux amavis[3509]: (03509-03) decompose_part: part-00001 - atomic
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after decoding: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) WARN: all primary virus scanners failed, considering backups
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after virus_scan: remaining time = 300 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) TROUBLE in check_mail: virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE
Mar 29 13:41:44 linux amavis[3509]: (03509-03) sending SMTP response: "451 4.5.0 Error in processing, id=03509-03, virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE"
Mar 29 13:41:44 linux amavis[3509]: (03509-03) timer stopped after DATA end
Mar 29 13:41:44 linux amavis[3509]: (03509-03) PRESERVING EVIDENCE in /var/spool/amavis/amavis-20040329T134144-03509
Mar 29 13:41:44 linux amavis[3509]: (03509-03) TIMING [total 78 ms] - SMTP EHLO: 3 (3%), SMTP pre-MAIL: 1 (2%), mkdir tempdir: 1 (1%), create email.txt: 1 (1%), SMTP pre-DATA-flush: 5 (6%), SMTP DATA: 36 (47%), body hash: 0 (1%), mkdir parts: 1 (1%), mime_decode: 14 (18%), get-file-type: 11 (14%), decompose_part: 2 (3%), parts: 0 (0%), rundown: 2 (3%)
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP> 451 4.5.0 Error in processing, id=03509-03, virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE
Mar 29 13:41:44 linux amavis[3509]: (03509-03) prolong_timer after reading SMTP command: remaining time = 0 s
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP< QUIT\r\n
Mar 29 13:41:44 linux amavis[3509]: (03509-03) ESMTP> 221 2.0.0 [127.0.0.1] (amavisd) closing transmission channel
Mar 29 13:41:44 linux postfix/smtp[4665]: 4D5C91AA6D: to=<u303208@127.0.0.1>, relay=localhost[127.0.0.1], delay=0, status=deferred (host localhost[127.0.0.1] said: 451 4.5.0 Error in processing, id=03509-03, virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE (in reply to end of DATA command))
Maybe you can see more in it than I can.
Kind regards
Ulf
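As an added example (not the poster's code), here is a small Python parser that groups the amavisd-new debug lines above by transaction id, picks up the TROUBLE, "sending SMTP response" and Postfix status lines, and flags transactions that were tempfailed (451) because amavisd had no working virus scanner; the sample log is constructed from the lines in this post plus one constructed clean transaction (id 03510-01).

```python
import re

# Line shapes taken from the amavisd-new / Postfix log excerpt in the post above.
AMAVIS_RE = re.compile(r'amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<msg>.*)$')
CHECK_RE = re.compile(r'^Checking: <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>')
TROUBLE_RE = re.compile(r'^TROUBLE in check_mail: (?P<reason>.*)$')
RESPONSE_RE = re.compile(r'^sending SMTP response: "(?P<code>\d{3}) (?P<text>.*)"$')
POSTFIX_RE = re.compile(r'postfix/smtp\[\d+\]: (?P<queue>\w+): to=<(?P<to>[^>]*)>'
                        r'.*status=(?P<status>\w+) \(.*id=(?P<id>[\d-]+),')

# Constructed sample: real lines from the post (03509-03) plus a constructed clean one (03510-01).
SAMPLE_LOG = """\
Mar 29 13:41:44 linux amavis[3509]: (03509-03) Checking: <> -> <u303208@127.0.0.1>
Mar 29 13:41:44 linux amavis[3509]: (03509-03) WARN: all primary virus scanners failed, considering backups
Mar 29 13:41:44 linux amavis[3509]: (03509-03) TROUBLE in check_mail: virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE
Mar 29 13:41:44 linux amavis[3509]: (03509-03) sending SMTP response: "451 4.5.0 Error in processing, id=03509-03, virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE"
Mar 29 13:41:44 linux postfix/smtp[4665]: 4D5C91AA6D: to=<u303208@127.0.0.1>, relay=localhost[127.0.0.1], delay=0, status=deferred (host localhost[127.0.0.1] said: 451 4.5.0 Error in processing, id=03509-03, virus_scan FAILED: NO VIRUS SCANNERS AVAILABLE (in reply to end of DATA command))
Mar 29 13:42:10 linux amavis[3510]: (03510-01) Checking: <a@example.test> -> <b@example.test>
Mar 29 13:42:10 linux amavis[3510]: (03510-01) sending SMTP response: "250 2.6.0 Ok, id=03510-01, from MTA: 250 Ok"
"""

def parse_log(text):
    """Group amavisd-new lines by transaction id and attach the Postfix delivery verdict."""
    txns = {}
    for line in text.splitlines():
        m = AMAVIS_RE.search(line)
        if m:
            t = txns.setdefault(m['id'], {'id': m['id'], 'warnings': []})
            msg = m['msg']
            if c := CHECK_RE.match(msg):
                t['from'], t['to'] = c['from'], c['to']
            elif c := TROUBLE_RE.match(msg):
                t['trouble'] = c['reason']          # why the content filter gave up
            elif c := RESPONSE_RE.match(msg):
                t['smtp_code'] = int(c['code'])     # 451 => Postfix defers, 250 => accepted
            elif msg.startswith('WARN: '):
                t['warnings'].append(msg[len('WARN: '):])
            continue
        p = POSTFIX_RE.search(line)
        if p and p['id'] in txns:                   # correlate via the id= in the 451 text
            txns[p['id']]['postfix_status'] = p['status']
            txns[p['id']]['queue_id'] = p['queue']
    return txns

def scanner_outages(txns):
    """Ids of transactions tempfailed because amavisd had no usable virus scanner."""
    return sorted(t['id'] for t in txns.values()
                  if 'NO VIRUS SCANNERS AVAILABLE' in t.get('trouble', '')
                  and 400 <= t.get('smtp_code', 0) < 500)

if __name__ == '__main__':
    print(scanner_outages(parse_log(SAMPLE_LOG)))   # prints ['03509-03']
```

Mail deferred with 451 stays in the Postfix queue and is retried, so an alert on this pattern catches a scanner outage before the queue fills or messages expire.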