
amavisd and spamassassin



jimmy0815
15.04.08, 17:43
Hello,

I have apparently set up amavisd-new and spamassassin successfully. From the logs I can also see that spam mails are being filtered. However, they then end up in /var/amavis/quarantine/, as tar.gz files.
What I want now, though, is for the spam to go into the respective user's mailbox, into the SPAM folder (logical, right?).

Here is my amavis conf:

use strict;

%final_destiny_by_ccat = (
CC_VIRUS, D_DISCARD,
CC_BANNED, D_BOUNCE,
CC_UNCHECKED, D_PASS,
CC_SPAM, D_DISCARD,
CC_BADH, D_PASS,
CC_OVERSIZED, D_BOUNCE,
CC_CLEAN, D_PASS,
CC_CATCHALL, D_PASS,
);

@viruses_that_fake_sender_maps = (new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
));

$virus_admin = "virusalert\@$mydomain";


$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";


$QUARANTINEDIR = "$MYHOME/quarantine";


@keep_decoded_original_maps = (new_RE(
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

$banned_filename_re = new_RE(
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
);
$banned_namepath_re = new_RE(
^ (.*\t)? N= [^\t\n]* \. (pif|scr) (\t.*)? $'xmi,

^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. \ *
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) [. ]* (\t.*)? $'xmi,

^ (.*\t)? M=application/(octet-stream|x-msdownload|x-msdos-program)
\t(.*\t)* T=empty (\t.*)? $'xmi
=> 'DISCARD' ],

^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl) (\t.*)? $'xmi,

);



%banned_rules = (
),
'DEFAULT' => $banned_filename_re,
);

[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),


'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

'sender@example.net' => 3.0,
'.example.net' => 1.0,

},
});



@blacklist_sender_maps = ( new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';


$dspam = 'dspam';

@decoders = (
['mail', \&do_mime_decode],
['asc', \&do_ascii],
['uue', \&do_ascii],
['hqx', \&do_ascii],
['ync', \&do_ascii],
['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
['gz', \&do_uncompress, 'gzip -d'],
['gz', \&do_gunzip],
['bz2', \&do_uncompress, 'bzip2 -d'],
['lzo', \&do_uncompress, 'lzop -d'],
['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['deb', \&do_ar, 'ar'],
['zip', \&do_unzip],
['7z', \&do_7zip, ['7zr','7za','7z'] ],
['rar', \&do_unrar, ['rar','unrar'] ],
['arj', \&do_unarj, ['arj','unarj'] ],
['arc', \&do_arc, ['nomarch','arc'] ],
['zoo', \&do_zoo, ['zoo','unzoo'] ],
['lha', \&do_lha, 'lha'],
['cab', \&do_cabextract, 'cabextract'],
['tnef', \&do_tnef_ext, 'tnef'],
['tnef', \&do_tnef],
['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);




@spam_dsn_cutoff_level_bysender_maps = (
'virgilio.it' => 7, 'mail.ru' => 7, '0451.com' => 7,
'yahoo.co.uk' => 7, 'yahoo.co.jp' => 7, 'nobody@' => 7,
'noreply@' => 0, 'no-reply@' => 0, 'donotreply@' => 0,
'opt-in@' => 0, 'opt-out@' => 0, 'yahoo-dev-null@' => 0,
'.optin-out.com' => 0, 'daily@astrocenter.com' => 0,
},
);

@av_scanners = (
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
'-p /var/run/aveserver -s {}/*',
[0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
],

['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
qr/infected: (.+)/,
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],

['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
"-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],

['CentralCommand Vexira (new) vascan',
['vascan','/usr/lib/Vexira/vascan'],
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
"--log=/var/log/vascan.log {}",
[0,3], [1,2,5],
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],

['Avira AntiVir', ['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],

['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/ ],

['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],

['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],


['F-Secure Antivirus for Linux servers',
['/opt/f-secure/fsav/bin/fsav', 'fsav'],
'--virus-action1=report --archive=yes --auto=yes '.
'--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
qr/(?:infection|Infected|Suspected|Riskware): (.+)/ ],



'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/ ],

['CAI eTrust Antivirus', 'etrust-wrapper',
'-arc -nex -spm h {}', [0], [101],
qr/is infected by virus: (.+)/ ],

['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/ ],

['MkS_Vir daemon', 'mksscan',
'-s -q {}', [0], [1..7],
qr/^... (\S+)/ ],


['ESET NOD32 Linux Mail Server - command line interface',
['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
'--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],

['ESET NOD32 for Linux File servers',
['/opt/eset/nod32/sbin/nod32','nod32'],
'--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
'-w -a --action=1 -b {}',
[0], [1,10], qr/^object=.*, virus="(.*?)",/ ],


['Norman Virus Control v5 / Linux', 'nvcc',
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
qr/(?i).* virus in .* -> \'(.+)\'/ ],

['Panda CommandLineSecure 9 for Linux',
['/opt/pavcl/usr/bin/pavcl','pavcl'],
'-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
qr/Number of files infected[ .]*: 0+(?!\d)/,
qr/Number of files infected[ .]*: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],



['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
],

['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],


['CyberSoft VFind', 'vfind',
],

['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
'-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],

['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],

['BitDefender', 'bdc',
'--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)(?:\033|$)/ ],

['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
'-v 1 -summary 0 -s {}', [0], [1,2],
qr/(?:VIR|WIR):[ \t]*(.+)/ ],






);



@av_scanners_backup = (

['ClamAV-clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],

['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
'-path={} -al -go -ot -cn -upn -ok-',
[0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

['Kaspersky Antivirus v5.5',
['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
'/opt/kav/5.5/kav4unix/bin/kavscanner',
'/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
'-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
],



);




Here is my spamassassin conf:


rewrite_header Subject *****SPAM*****

skip_rbl_checks 0

bayes_auto_learn 1
use_bayes 1
bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
razor_config /var/amavis/.razor/razor-agent.conf

use_pyzor 1
pyzor_path /usr/bin/pyzor


How do I go about this now?

Regards
dennis

jimmy0815
16.04.08, 14:50
Nobody has any idea?

Regards
dennis

Thorashh
16.04.08, 22:05
1. You could give some thought to what the difference between D_DISCARD and D_PASS is.

2a. Deliver it normally and have Sieve move it into the SPAM folder.
2b. Have procmail sort it into the SPAM folder.

jimmy0815
17.04.08, 18:40
Hello,

thanks for your post.

If I have understood this correctly, I have to change the line

CC_SPAM, D_DISCARD,

to

CC_SPAM, D_PASS,

The result is then that the mail is let through into the .maildir and, because of the entry

rewrite_header Subject *****SPAM*****
is marked as spam.

And after installing procmail I then have to create a .procmail in each user's home, e.g. with the following content:

MAILDIR=/home/dennis/.maildir

:0H:
* ^Subject:.******SPAM*****
.spam



Right?

Regards
dennis
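
A recipe file for `~/.procmailrc` covering the sorting step discussed in this thread, as an added example that is not from any of the posts. It assumes the Maildir location used in the last post and that amavisd-new adds an `X-Spam-Flag: YES` header to mail it passes on as spam; the Subject-based variant escapes the asterisks, because an unescaped `*` in a procmail condition is a repetition operator and does not require literal asterisks in the Subject.

```procmail
# ~/.procmailrc -- added example, not taken from the thread.
# Assumption: the user's Maildir root, as in the post above.
MAILDIR=$HOME/.maildir

# Preferred recipe: match the machine-readable header, not the Subject text.
# Assumption: amavisd-new adds "X-Spam-Flag: YES" to mail it tags as spam
# once CC_SPAM is set to D_PASS.
# Conditions are matched against the header by default, so no H flag is
# needed. The trailing slash on the destination selects Maildir delivery,
# which needs no lockfile, hence ":0" without a trailing colon.
:0
* ^X-Spam-Flag: YES
.spam/

# Fallback recipe: match the Subject tag with every asterisk escaped, so
# only subjects that really carry the tag are filed.
# The tag text is whatever amavisd-new actually writes (its own
# $sa_spam_subject_tag setting); adjust it to what appears in delivered mail.
:0
* ^Subject:.*\*\*\*\*\*SPAM\*\*\*\*\*
.spam/

# Anything that matches neither recipe falls through to normal delivery.
```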