From njones at megan.vbhcs.org Mon Oct 1 00:33:58 2012
From: njones at megan.vbhcs.org (Noel Jones)
Date: Sun, 30 Sep 2012 17:33:58 -0500
Subject: how to bypass spamcheck for a recipient domain / email address?
In-Reply-To: <03c801cd9f11$4b4cb0b0$e1e61210$@ihlas.net.tr>
References: <03c801cd9f11$4b4cb0b0$e1e61210$@ihlas.net.tr>
Message-ID: <5068C8D6.4010603@megan.vbhcs.org>

On 9/30/2012 8:41 AM, Bulent Malik wrote:
> I want amavis to bypass the spam check for one of my domains, for all
> incoming mails from outside or inside, but not for my other domains.
> For outgoing mails there is no problem, as I configured
> @whitelist_sender_maps for the domain in amavis 50-user.conf.
> But I can't find a description of a global whitelist for a recipient domain.
>
> How can I do that?
>
> Thanks
>

Add the domain to @bypass_spam_checks_maps *and* to @spam_lovers_maps.

If all recipients for a message are in the bypass maps, spam checks will
not be done. If the mail has one or more recipients not found in the
bypass maps, the spam checks will still be done, but the lovers map will
keep the mail from being marked as spam.

  -- Noel Jones

From tilman.mayer at meinestadt.de Mon Oct 1 08:48:59 2012
From: tilman.mayer at meinestadt.de (Tilman Mayer)
Date: Mon, 1 Oct 2012 08:48:59 +0200
Subject: Re: spam assassin rules update
In-Reply-To: <50672A75.5080407@mjws.net>
References: <50656928.8000100@noa.gr>
Message-ID:

We have this issue, too. I just removed the mirror from the file
/var/lib/spamassassin/3.003002/updates_spamassassin_org/MIRRORED.BY
and everything runs fine again.

There is an issue for this:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6838

Regards
Tilman

-----Original Message-----
From: Mike [mailto:newsbox at mjws.net]
Sent: Saturday, 29 September 2012 19:06
To: amavis-users at amavis.org
Subject: Re: spam assassin rules update

On 09/28/2012 08:02 AM, John Hinton wrote:
> On 9/28/2012 8:41 AM, Nikolaos Milas wrote:
>> On 28/9/2012 12:08, Nikolaos Milas wrote:
>>
>>> # tail -f /var/log/sa-update.log
>>> ./sa-update: line 12: 10: command not found
>>
>> It seems that this output is left from an older run (and I don't know
>> how it came up).
>>
>> In all recent runs, it seems there is no output at all.
>>
>> When I run simply "/usr/bin/sa-update -D", everything seems to run
>> smoothly.
>>
>> So, I would guess something is wrong in
>> /usr/share/spamassassin/sa-update.cron which does not allow proper
>> updates.
>>
>> Nick
> I had an issue where the server contacted was not responding last
> week. I was getting failed cronjob emails. It went away somewhere in
> the last several days. Sorry to not have specific times, dates and
> server name. Maybe you are seeing the residual from this?
>

I just had this yesterday:

http: GET http://daryl.dostech.ca/sa-update/asf/1391368.tar.gz request failed: 404 Not Found: 404 Not Found

Not Found

The requested URL /sa-update/asf/1391368.tar.gz was not found on this server.

Apache/2.2.6 (Fedora) Server at daryl.dostech.ca Port 80
But I think this is a different issue.

Could you just set up your own cron job to run sa-update? I'm not sure of
the typical configuration on CentOS, but on FreeBSD I set up a script to
run weekly (your path information will differ; test with the debug first):

#!/bin/sh
PATH=/usr/local/libexec/ccache:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
# Debug:
#/usr/local/bin/sa-update -D
/usr/local/bin/sa-update

From bmalik at ihlas.net.tr Wed Oct 3 21:39:09 2012
From: bmalik at ihlas.net.tr (Bulent Malik)
Date: Wed, 3 Oct 2012 22:39:09 +0300
Subject: how to disable disclaimer for reply messages ?
Message-ID: <0e3b01cda19e$c206e970$4614bc50$@ihlas.net.tr>

I use amavis, postfix, ubuntu 12.04 LTS. I activated the disclaimer feature
on amavis. It works. I don't want amavis to send a disclaimer for reply
messages. How can I do that?

From watthanachai at ntt.co.th Fri Oct 5 10:57:24 2012
From: watthanachai at ntt.co.th (Watthanachai Kekhua)
Date: Fri, 5 Oct 2012 08:57:24 +0000
Subject: Ask about AM.PENPAL score show wrong score.
Message-ID: <9C8D5C7E0084024A8F9221D3630DBB49331DDDB8@EX-S01.int.ntt.co.th>

Dear Mark and amavisd support team,

I found some strange info in the quarantine log with the AM.PENPAL score.
You can see below that the correct score should be: 6.038 - 7.839 = -1.801
But the maillog shows "=-1.801..6.038" and defines this email as SPAM.

Do you have any comment on this issue, or a way to fix it?

### Maillog ###
Oct 5 15:46:03 SMTP01-IN amavis[86601]: (86601-18) header_edits_for_quar: -> , Yes, score=-1.801..6.038 tag=0 tag2=6 kill=6 tests=[AM.PENPAL=-7.839, FILL_THIS_FORM_SHORT=2.896, HTML_MESSAGE=0.001, TEST_BLOCK_BODY=0.001, TVD_SUBJ_ACC_NUM=2.199, URG_BIZ=0.941] autolearn=disabled

### App version ###
amavisd-new-2.8.0,1
clamav-0.97.6
postfix-2.9.4

### OS ###
BSD 9.0 AMD 64 bit

Thank you for your kind support. Please do not hesitate to contact us if you have any questions.

Best Regards.
################################
# Watthanachai KEKHUA (Golf)
# Operation And Maintenance Department (OAM)
# Tel: 02-2367227 Ext. 3155
# Direct Line Tel: 02-6376195
# NTT Communications (Thailand) Co., Ltd.
#################################

From nmilas at noa.gr Tue Oct 9 09:58:45 2012
From: nmilas at noa.gr (Nikolaos Milas)
Date: Tue, 09 Oct 2012 10:58:45 +0300
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <50479284.1090007@megan.vbhcs.org>
References: <50479284.1090007@megan.vbhcs.org>
Message-ID: <5073D935.2050407@noa.gr>

On 5/9/2012 8:57, Noel Jones wrote:
> @virus_name_to_spam_score_maps =
>   (new_RE(  # the order matters!
>     [ qr'^ScamNailer\.Phish' => 5.0 ],  # phish scored at 5.
>     [ qr'^ScamNailer\.'      => 4.0 ],  # others scored at 4.
>   ));

Hello,

Would it be possible to force scoring to 0.0 to effectively disable a set
of rules, like:

@virus_name_to_spam_score_maps =
  (new_RE(
    [ qr'^ScamNailer\.' => 0.0 ]
  ));

...??

Also, are there any suggestions based on experience for such sanesecurity
score maps, aiming at eliminating (or reducing to a very very low rate)
false positives? We can stand some false negatives, but it is very
important to avoid false positives.

Any advice or reference would be appreciated.

Best regards,
Nick

From njones at megan.vbhcs.org Tue Oct 9 17:18:18 2012
From: njones at megan.vbhcs.org (Noel Jones)
Date: Tue, 09 Oct 2012 10:18:18 -0500
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <5073D935.2050407@noa.gr>
References: <50479284.1090007@megan.vbhcs.org> <5073D935.2050407@noa.gr>
Message-ID: <5074403A.1020601@megan.vbhcs.org>

On 10/9/2012 2:58 AM, Nikolaos Milas wrote:
> On 5/9/2012 8:57, Noel Jones wrote:
>
>> @virus_name_to_spam_score_maps =
>>   (new_RE(  # the order matters!
>>     [ qr'^ScamNailer\.Phish' => 5.0 ],  # phish scored at 5.
>>     [ qr'^ScamNailer\.'      => 4.0 ],  # others scored at 4.
>>   ));
>
> Hello,
>
> Would it be possible to force scoring to 0.0 to effectively disable
> a set of rules, like:
>
> @virus_name_to_spam_score_maps =
>   (new_RE(
>     [ qr'^ScamNailer\.' => 0.0 ]
>   ));
>
> ...??
>

I suppose that would work, but if you're not going to use an add-on
signature set, don't download it.

> Also, are there any suggestions based on experience for such
> sanesecurity score maps, aiming at eliminating (or reducing to a
> very very low rate) false positives? We can stand some false
> negatives, but it is very important to avoid false positives.
>
> Any advice or reference would be appreciated.

http://www.sanesecurity.com/databases.htm

In my experience the "FP Risk" column is correct -- I can't remember the
last FP from any "Low" list, I'm sure it's been months/millions of
messages. HOWEVER, mileage may vary; my mail is not your mail. You'll
need to come up with scores that fit your local policy.

  -- Noel Jones

From nmilas at noa.gr Wed Oct 10 22:38:03 2012
From: nmilas at noa.gr (Nikolaos Milas)
Date: Wed, 10 Oct 2012 23:38:03 +0300
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <5074403A.1020601@megan.vbhcs.org>
References: <50479284.1090007@megan.vbhcs.org> <5073D935.2050407@noa.gr> <5074403A.1020601@megan.vbhcs.org>
Message-ID: <5075DCAB.4090906@noa.gr>

On 9/10/2012 6:18, Noel Jones wrote:
> In my experience the "FP Risk" column is correct -- I can't remember
> the last FP from any "Low" list, I'm sure it's been months/millions
> of messages. HOWEVER, mileage may vary; my mail is not your mail.
> You'll need to come up with scores that fit your local policy.

Thank you Noel for your valuable experience.

Any experience with the number of FPs from "Medium" lists?
Thanks,
Nick

From nmilas at noa.gr Wed Oct 10 22:49:56 2012
From: nmilas at noa.gr (Nikolaos Milas)
Date: Wed, 10 Oct 2012 23:49:56 +0300
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <50479284.1090007@megan.vbhcs.org>
References: <50479284.1090007@megan.vbhcs.org>
Message-ID: <5075DF74.8040807@noa.gr>

On 5/9/2012 8:57, Noel Jones wrote:
> @virus_name_to_spam_score_maps =
>   (new_RE(  # the order matters!
>     [ qr'^ScamNailer\.Phish' => 5.0 ],  # phish scored at 5.
>     [ qr'^ScamNailer\.'      => 4.0 ],  # others scored at 4.
>   ));

By the way, what happens with databases which differ only in extension?

For example, "doppelstern.ndb" is medium, whereas "doppelstern.hdb" is low.

How would we require scoring for doppelstern.ndb only (and blocking for
doppelstern.hdb)?

Thanks and regards,
Nick

From njones at megan.vbhcs.org Wed Oct 10 22:58:31 2012
From: njones at megan.vbhcs.org (Noel Jones)
Date: Wed, 10 Oct 2012 15:58:31 -0500
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <5075DCAB.4090906@noa.gr>
References: <50479284.1090007@megan.vbhcs.org> <5073D935.2050407@noa.gr> <5074403A.1020601@megan.vbhcs.org> <5075DCAB.4090906@noa.gr>
Message-ID: <5075E177.4040709@megan.vbhcs.org>

On 10/10/2012 3:38 PM, Nikolaos Milas wrote:
> On 9/10/2012 6:18, Noel Jones wrote:
>
>> In my experience the "FP Risk" column is correct -- I can't remember
>> the last FP from any "Low" list, I'm sure it's been months/millions
>> of messages. HOWEVER, mileage may vary; my mail is not your mail.
>> You'll need to come up with scores that fit your local policy.
>
> Thank you Noel for your valuable experience.
>
> Any experience with the number of FPs from "Medium" lists?
>
> Thanks,
> Nick

Occasional FPs from the scamnailer phish list, which blacklists email
addresses used in phishing. Every month or so, someone one of the
coworkers exchanges mail with (different people - usually at some .edu)
will get their address used in phishing mails.
Unfortunately, these are real people who send out real mail, so I end up
adding them to the local.ign2 file.

Every once in a while a marketing mail will get tagged by one of the
other lists, but I don't worry/care enough about that to pay attention
to which one triggered it.

I will again stress that this is *my* experience, YMMV considerably.

  -- Noel Jones

From njones at megan.vbhcs.org Wed Oct 10 23:11:43 2012
From: njones at megan.vbhcs.org (Noel Jones)
Date: Wed, 10 Oct 2012 16:11:43 -0500
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <5075DF74.8040807@noa.gr>
References: <50479284.1090007@megan.vbhcs.org> <5075DF74.8040807@noa.gr>
Message-ID: <5075E48F.8090509@megan.vbhcs.org>

On 10/10/2012 3:49 PM, Nikolaos Milas wrote:
> On 5/9/2012 8:57, Noel Jones wrote:
>
>> @virus_name_to_spam_score_maps =
>>   (new_RE(  # the order matters!
>>     [ qr'^ScamNailer\.Phish' => 5.0 ],  # phish scored at 5.
>>     [ qr'^ScamNailer\.'      => 4.0 ],  # others scored at 4.
>>   ));
>
> By the way, what happens with databases which differ only in extension?
>
> For example, "doppelstern.ndb" is medium, whereas "doppelstern.hdb"
> is low.
>
> How would we require scoring for doppelstern.ndb only (and blocking
> for doppelstern.hdb)?

In the score maps list, it looks for a match for the name. If the name
is found, the score is applied (first match wins if there are multiple
matches). If the name isn't found, the mail is handled as a virus. So
your expressions would need to match those you want scored, not match
those you want rejected.

In the case of doppelstern, you would need to be careful of the virus
names used. A quick look at the files suggests this might be possible,
but you'll need to check the virus names more carefully.

  -- Noel Jones

From erikmjacobs at gmail.com Thu Oct 11 20:09:40 2012
From: erikmjacobs at gmail.com (Erik Jacobs)
Date: Thu, 11 Oct 2012 14:09:40 -0400
Subject: checking mail from "any" domain, not all domains in ldap/sql, etc.
Message-ID:

Hi all,

I've got a CentOS5 / Postfix / Amavisd-new / ClamAV / Spamassassin /
Zarafa set up. It's really rather "vanilla" except for some of the
virtual domain things that are going on. Essentially:

Mail comes into postfix
Passed to Amavis
Amavis virus scans
Amavis spam scans
Passed back to Postfix
Postfix delivers to Zarafa
User receives message

I have a bunch of domains whose information is available in LDAP or
MySQL, with the exception of the two real domains for the machine (we'll
call them domain1.com and domain2.com).

* Right now my local_domains_maps is empty. It is empty in the hopes
  that amavis will simply process all the messages that come through it,
  regardless of domain.

* The issue I'm seeing is that, despite a particular message being
  marked as SPAMMY:

Oct 11 02:21:49 atlas amavis[16691]: (16691-03) Passed SPAMMY, [82.94.235.198] [161.134.57.162] -> , Message-ID: <000901cda81f$9b6e1db0$a18639a2 at mscyberclientegvo>, mail_id: v+NPmHSmscSS, Hits: 6.838, queued_as: 4FEC613C501D6, 791 ms

No spam-related headers are being added that I can see (the user sent
me the headers):

X-Virus-Scanned: amavisd-new at jumpshipservices.co

Here are the spam-related settings from amavisd.conf:

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5;    # add 'spam detected' headers at that level
$sa_kill_level_deflt = 8;    # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;

I would expect with a spam score of 6.838 and a tag2 level of 5 that the
header would have some kind of spam score and other information appended.

This leads me to my questions:

1) If local_domains_maps is empty, is all mail considered "local"?
2) If not, is this what is causing the headers problem?
3) Is there something better I should be doing here?
Relevant versions:
CentOS 5.6
Amavisd-new 2.4.5-1.el5
postfix 2.3.3-2.2.el5_6
spamassassin 3.3.2-1.el5

--
Erik Jacobs
www.erikjacobs.com

From lists at kokelnet.de Thu Oct 11 22:17:49 2012
From: lists at kokelnet.de (Tobias Hachmer)
Date: Thu, 11 Oct 2012 22:17:49 +0200
Subject: ldap attribute "amavisLocal"
Message-ID:

Hello list,

I have a question about the ldap attribute "amavisLocal". Yeah, I have
read README.ldap:

############################################################################
Special handling of optional LDAP attribute 'amavisLocal'
---------------------------------------------------------

A special shorthand is provided when LDAP lookups are used: when a match
for a recipient address (or domain) is found in LDAP tables (regardless
of attribute values), the recipient is considered local, regardless of
static @local_domains_acl or %local_domains lookup tables. This
simplifies life when a large number of dynamically changing domains is
hosted.

To overrule this behaviour, have an explicit boolean attribute
'amavisLocal' with a value of True returned for each local domain, and
False for other domains which might be present in LDAP for some reason,
but are nonlocal.

In general LDAP lookups are similar to SQL lookups except for the low
level LDAP/SQL specific code. The overall functionality, lookup rules,
etc. are identical.
############################################################################

Do I understand this right when I say:

1. A recipient address is considered local if it is found in ldap and
   the user object doesn't have the attribute amavisLocal at all?
2. A recipient address is considered local if it is found in ldap and
   the user object has the attribute amavisLocal set to 'TRUE'?
3. Assume there are user objects in the ldap DIT with the attribute
   amavisLocal set to FALSE, e.g. for "bad at example.com".
   Is the recipient address for the user object "foo at example.com",
   which either doesn't have the attribute amavisLocal at all or has it
   set to TRUE, considered local; is this independent?

Thanks in advance,
Tobias Hachmer

From nmilas at noa.gr Sat Oct 13 16:04:45 2012
From: nmilas at noa.gr (Nikolaos Milas)
Date: Sat, 13 Oct 2012 17:04:45 +0300
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <5075E48F.8090509@megan.vbhcs.org>
References: <50479284.1090007@megan.vbhcs.org> <5075DF74.8040807@noa.gr> <5075E48F.8090509@megan.vbhcs.org>
Message-ID: <507974FD.2060709@noa.gr>

On 11/10/2012 12:11, Noel Jones wrote:
> In the case of doppelstern, you would need to be careful of the
> virus names used. A quick look at the files suggests this might be
> possible, but you'll need to check the virus names more carefully.

Thanks Noel,

How can I get a list of virus names used in each file (e.g. in
"doppelstern.ndb" and in "doppelstern.hdb")?

If we browse the file "doppelstern.ndb" (with a text editor), I see
entries of the form:

...
Doppelstern.Hoax.3:4:*:53686f636b696e6720696e666f2061626f7574206e6577204a455355532066696c6d202d20506c6561736520667764
Doppelstern.Lott.37:4:*:46726f6d3a20224555524f204d494c4c494f4e
Doppelstern.Loan.14:4:*:4c6f616e204f666665722047756172616e74656564
Doppelstern.Lott.39:7:0:77652061726520706c6561736520746f20616e6e6f756e636520746f20796f75207468617420796f757220656d61696c206164647265737320656d657267656420616c6f6e6720736964652034206f746865727320617320612063617465676f727920322077696e6e6572
Doppelstern.Scam4.160:7:0:6d757475616c2062656e65666974
...

So, does this mean we can specify (in order to force scoring for these
signatures):

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    [ qr'^Doppelstern\.Hoax\.'  => 5.0 ],
    [ qr'^Doppelstern\.Lott\.'  => 5.0 ],
    [ qr'^Doppelstern\.Loan\.'  => 5.0 ],
    [ qr'^Doppelstern\.Scam4\.' => 5.0 ],
    ...
  ));

and the like, for other "Medium"-rated databases?
Also, would you deem a value of "5.0" a sensible *initial* value (based
on experience) to avoid FPs? I have not used these rules again in the
past, and I would appreciate some advice before migrating our production
systems (i.e. our mail gateways) to the Postfix/Amavis/ClamAV/SpamAssassin
platform.

Thanks,
Nick

From njones at megan.vbhcs.org Sat Oct 13 18:22:06 2012
From: njones at megan.vbhcs.org (Noel Jones)
Date: Sat, 13 Oct 2012 11:22:06 -0500
Subject: Question about scoring with sanesecurity signatures
In-Reply-To: <507974FD.2060709@noa.gr>
References: <50479284.1090007@megan.vbhcs.org> <5075DF74.8040807@noa.gr> <5075E48F.8090509@megan.vbhcs.org> <507974FD.2060709@noa.gr>
Message-ID: <5079952E.2040209@megan.vbhcs.org>

On 10/13/2012 9:04 AM, Nikolaos Milas wrote:
> On 11/10/2012 12:11, Noel Jones wrote:
>
>> In the case of doppelstern, you would need to be careful of the
>> virus names used. A quick look at the files suggests this might be
>> possible, but you'll need to check the virus names more carefully.
>
> Thanks Noel,
>
> How can I get a list of virus names used in each file (e.g. in
> "doppelstern.ndb" and in "doppelstern.hdb")?
>
> If we browse the file "doppelstern.ndb" (with a text editor), I see
> entries of the form:
> ...
> Doppelstern.Hoax.3:4:*:53686f636b696e6720696e666f2061626f7574206e6577204a455355532066696c6d202d20506c6561736520667764
> Doppelstern.Lott.37:4:*:46726f6d3a20224555524f204d494c4c494f4e
> Doppelstern.Loan.14:4:*:4c6f616e204f666665722047756172616e74656564
> Doppelstern.Lott.39:7:0:77652061726520706c6561736520746f20616e6e6f756e636520746f20796f75207468617420796f757220656d61696c206164647265737320656d657267656420616c6f6e6720736964652034206f746865727320617320612063617465676f727920322077696e6e6572
> Doppelstern.Scam4.160:7:0:6d757475616c2062656e65666974
> ...
> So, does this mean we can specify (in order to force scoring for
> these signatures):
>
> @virus_name_to_spam_score_maps =
>   (new_RE(  # the order matters!
>     [ qr'^Doppelstern\.Hoax\.'  => 5.0 ],
>     [ qr'^Doppelstern\.Lott\.'  => 5.0 ],
>     [ qr'^Doppelstern\.Loan\.'  => 5.0 ],
>     [ qr'^Doppelstern\.Scam4\.' => 5.0 ],
>     ...
>   ));
>
> and the like, for other "Medium"-rated databases?

Yes, that's the right way. You should make sure these names aren't used
in any of the other databases; I don't know if Doppelstern has any kind
of published policy regarding name separation.

> Also, would you deem a value of "5.0" a sensible *initial* value
> (based on experience) to avoid FPs? I have not used these rules
> again in the past, and I would appreciate some advice before
> migrating our production systems (i.e. our mail gateways) to the
> Postfix/Amavis/ClamAV/SpamAssassin platform.

Depends on your spam cutoff score. I would suggest starting with a score
3 points or so below your spam score, so that this single rule doesn't
determine something to be spam.

  -- Noel Jones

From linus at haake-it.net Tue Oct 16 08:55:39 2012
From: linus at haake-it.net (Linus Haake)
Date: Tue, 16 Oct 2012 06:55:39 +0000
Subject: Special characters in banned- filenames.
Message-ID: <6108F7E667F5764D9D4B8C65B88C03CD2F4A5E57@AM2PRD0710MB350.eurprd07.prod.outlook.com>

Dear List,

Having already searched the Internet for a while, I still wonder whether
it is possible to change the way amavisd-new names banned/virus mails.
In detail, I'm having lots of problems with the special characters (+)
sometimes appearing in the name of the gz file.

Thanks a lot for any help,
Linus

From nmilas at noa.gr Tue Oct 16 09:33:47 2012
From: nmilas at noa.gr (Nikolaos Milas)
Date: Tue, 16 Oct 2012 10:33:47 +0300
Subject: spam assassin rules update
In-Reply-To: <50659AE5.7070902@noa.gr>
References: <50656928.8000100@noa.gr> <50659AE5.7070902@noa.gr>
Message-ID: <507D0DDB.30205@noa.gr>

On 28/9/2012 3:41, Nikolaos Milas wrote:
> When I run simply "/usr/bin/sa-update -D", everything seems to run
> smoothly.

As an update, I am now using the following line in /etc/cron.d/sa-update:

10 3 * * * root /usr/bin/sa-update -D | tee -a /var/log/sa-update.log && /etc/init.d/amavisd condrestart

Unfortunately nothing gets logged in sa-update.log (so I guess "| tee -a
/var/log/sa-update.log" could be left out) but at least I get an
automatic email (by the cron system) with all the output of the above
commands, so I know what's happening.

Nick

From tom at whyscream.net Tue Oct 16 10:02:17 2012
From: tom at whyscream.net (Tom Hendrikx)
Date: Tue, 16 Oct 2012 10:02:17 +0200
Subject: spam assassin rules update
In-Reply-To: <507D0DDB.30205@noa.gr>
References: <50656928.8000100@noa.gr> <50659AE5.7070902@noa.gr> <507D0DDB.30205@noa.gr>
Message-ID: <507D1489.5040301@whyscream.net>

On 10/16/12 9:33 AM, Nikolaos Milas wrote:
> On 28/9/2012 3:41, Nikolaos Milas wrote:
>
>> When I run simply "/usr/bin/sa-update -D", everything seems to run
>> smoothly.
>
> As an update, I am now using the following line in /etc/cron.d/sa-update:
>
> 10 3 * * * root /usr/bin/sa-update -D | tee -a /var/log/sa-update.log &&
> /etc/init.d/amavisd condrestart
>
> Unfortunately nothing gets logged in sa-update.log (so I guess "| tee -a
> /var/log/sa-update.log" could be left out) but at least I get an
> automatic email (by the cron system) with all the output of the above
> commands, so I know what's happening.
>

sa-update talks to stderr, so for the above to work, you'll need
something like:

/usr/bin/sa-update -D 2>&1 | tee -a /var/log/sa-update.log

--
Tom

From peto at halicky.sk Thu Oct 18 14:03:29 2012
From: peto at halicky.sk (Peter Halický)
Date: Thu, 18 Oct 2012 14:03:29 +0200
Subject: tag levels ignored
Message-ID: <507FF011.1040902@halicky.sk>

Hi,

I am running amavisd-new with spamassassin on Ubuntu 12.04. I have the
following settings in my /etc/amavis/conf.d/50-user:

$sa_tag_level_deflt = -999.0;
$sa_tag2_level_deflt = 8.5;

These seem to be ignored though - when headers are added to the mail,
they contain this:

X-Spam-Status: No, score=5.884 tagged_above=3 required=9.5

Any clues/ideas how to configure the thresholds?

Thanks!
Peter

From peto at halicky.sk Thu Oct 18 14:25:52 2012
From: peto at halicky.sk (Peter Halický)
Date: Thu, 18 Oct 2012 14:25:52 +0200
Subject: tag levels ignored
In-Reply-To: <20121018122336.7837.46978@eucalyptus.koalabs.org>
References: <20121018122336.7837.46978@eucalyptus.koalabs.org>
Message-ID: <507FF550.1010904@halicky.sk>

On 18. 10. 2012 14:23, Antoine Nguyen wrote:
> It seems there is a conflict in your configuration. Are you sure the
> other files don't contain tag definitions?
>
> Antoine Nguyen
> http://modoboa.org/

Thanks for the answer. I already triple-checked that.
root at mailfilter:/etc/amavis/conf.d# ls
01-debian               05-domain_id        05-node_id          15-av_scanners
15-content_filter_mode  20-debian_defaults  21-ubuntu_defaults  25-amavis_helpers
30-template_localization  40-policy_banks   50-user
root at mailfilter:/etc/amavis/conf.d# grep sa_tag *
20-debian_defaults:$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
20-debian_defaults:$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
50-user:$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
50-user:$sa_tag2_level_deflt = 8.5; # add 'spam detected' headers at that level

From tonio at ngyn.org Thu Oct 18 14:23:36 2012
From: tonio at ngyn.org (Antoine Nguyen)
Date: Thu, 18 Oct 2012 14:23:36 +0200
Subject: tag levels ignored
Message-ID: <20121018122336.7837.46978@eucalyptus.koalabs.org>

Peter Halický wrote:
>Hi,
>
>I am running amavisd-new with spamassassin on Ubuntu 12.04. I have the
>following settings in my /etc/amavis/conf.d/50-user:
>
>$sa_tag_level_deflt = -999.0;
>$sa_tag2_level_deflt = 8.5;
>
>These seem to be ignored though - when headers are added to the mail,
>they contain this:
>
>X-Spam-Status: No, score=5.884 tagged_above=3 required=9.5
>
>Any clues/ideas how to configure the thresholds?
>

It seems there is a conflict in your configuration. Are you sure the
other files don't contain tag definitions?

Antoine Nguyen
http://modoboa.org/

From matt at cipixia.com Thu Oct 18 19:06:39 2012
From: matt at cipixia.com (matt)
Date: Thu, 18 Oct 2012 10:06:39 -0700
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
Message-ID: <5080371F.8000300@cipixia.com>

Hello all.

I just received a 'male enhancement pharmacy' type spam email that
amavisd-new (v2.6.6) assigned a score of (-1.64). It is possibly the
best designed html spam I've seen, and I don't see how Spamassassin
could have ever found it.
Considering that Viagra type spam is probably the most prolific and
obvious, I find it alarming that such a mail could sail through the
filters (not to mention be autolearned as ham!) in this day and age.

I wish to submit this mail to the list for study, but I'm not sure if
that's appropriate for this list or if there exists some sort of
established "send us your spam mail" outfit from Symantec or something
like that.

But if anyone would care to see, I uploaded the intact .eml message as
saved by Thunderbird to my site at
http://cipixia.com/quack.eml

Is using 'sa-learn --spam' on this message all that's required to
"unautolearn it" as ham?

Thanks and best regards

From tonio at ngyn.org Thu Oct 18 19:40:42 2012
From: tonio at ngyn.org (Antoine Nguyen)
Date: Thu, 18 Oct 2012 19:40:42 +0200
Subject: tag levels ignored
In-Reply-To: <507FF550.1010904@halicky.sk>
References: <20121018122336.7837.46978@eucalyptus.koalabs.org> <507FF550.1010904@halicky.sk>
Message-ID: <50803F1A.8040703@ngyn.org>

On 18/10/2012 14:25, Peter Halický wrote:
> On 18. 10. 2012 14:23, Antoine Nguyen wrote:
>> It seems there is a conflict in your configuration. Are you sure the
>> other files don't contain tag definitions?
>>
>> Antoine Nguyen
>> http://modoboa.org/
> Thanks for the answer. I already triple-checked that.
>
> root at mailfilter:/etc/amavis/conf.d# ls
> 01-debian 05-domain_id 05-node_id 15-av_scanners
> 15-content_filter_mode 20-debian_defaults 21-ubuntu_defaults
> 25-amavis_helpers 30-template_localization 40-policy_banks 50-user
> root at mailfilter:/etc/amavis/conf.d# grep sa_tag *
> 20-debian_defaults:$sa_tag_level_deflt = 2.0; # add spam info headers
> if at, or above that level
> 20-debian_defaults:$sa_tag2_level_deflt = 6.31; # add 'spam detected'
> headers at that level
> 50-user:$sa_tag_level_deflt = -999.0; # add spam info headers if at,
> or above that level
> 50-user:$sa_tag2_level_deflt = 8.5; # add 'spam detected' headers at
> that level
>

And I guess you're not using SQL/LDAP lookups?

From peto at halicky.sk Thu Oct 18 19:43:06 2012
From: peto at halicky.sk (Peter Halický)
Date: Thu, 18 Oct 2012 19:43:06 +0200
Subject: tag levels ignored
In-Reply-To: <50803F1A.8040703@ngyn.org>
References: <20121018122336.7837.46978@eucalyptus.koalabs.org> <507FF550.1010904@halicky.sk> <50803F1A.8040703@ngyn.org>
Message-ID: <50803FAA.2000504@halicky.sk>

OMG! That's it!!! :-)

Thanks a lot!

On 18. 10. 2012 19:40, Antoine Nguyen wrote:
> And I guess you're not using SQL/LDAP lookups?

From tonio at ngyn.org Thu Oct 18 19:44:49 2012
From: tonio at ngyn.org (Antoine Nguyen)
Date: Thu, 18 Oct 2012 19:44:49 +0200
Subject: tag levels ignored
In-Reply-To: <50803FAA.2000504@halicky.sk>
References: <20121018122336.7837.46978@eucalyptus.koalabs.org> <507FF550.1010904@halicky.sk> <50803F1A.8040703@ngyn.org> <50803FAA.2000504@halicky.sk>
Message-ID: <50804011.9050406@ngyn.org>

On 18/10/2012 19:43, Peter Halický wrote:
> OMG! That's it!!! :-)
>
> Thanks a lot!
>

Welcome :)

What are you using to populate your database or your directory?
Antoine

From peto at halicky.sk Thu Oct 18 19:51:04 2012
From: peto at halicky.sk (Peter Halický)
Date: Thu, 18 Oct 2012 19:51:04 +0200
Subject: tag levels ignored
In-Reply-To: <50804011.9050406@ngyn.org>
References: <20121018122336.7837.46978@eucalyptus.koalabs.org> <507FF550.1010904@halicky.sk> <50803F1A.8040703@ngyn.org> <50803FAA.2000504@halicky.sk> <50804011.9050406@ngyn.org>
Message-ID: <50804188.5040404@halicky.sk>

I'm using an OpenLDAP directory and populating it with phamm. Of course,
phamm contains the settings, I just completely forgot about them.

Nevertheless, I disabled the LDAP lookups; I want to scan everything
anyway and also I want to have system-wide settings, not per-user. It
seems there is no way to specify in LDAP to use the default value, and
set some value only for some users when needed.

On 18. 10. 2012 19:44, Antoine Nguyen wrote:
> Welcome :)
>
> What are you using to populate your database or your directory?
>
> Antoine

From nick.rosier at gmail.com Thu Oct 18 22:05:53 2012
From: nick.rosier at gmail.com (Nick Rosier)
Date: Thu, 18 Oct 2012 22:05:53 +0200
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
In-Reply-To: <5080371F.8000300@cipixia.com>
References: <5080371F.8000300@cipixia.com>
Message-ID: <50806121.2030100@gmail.com>

matt wrote:
> Hello all.
>
> I just received a 'male enhancement pharmacy' type spam email that
> amavisd-new (v2.6.6) assigned a score of (-1.64). It is possibly the
> best designed html spam I've seen, and I don't see how Spamassassin
> could have ever found it.
>
> Considering that Viagra type spam is probably the most prolific and
> obvious, I find it alarming that such a mail could sail through the
> filters (not to mention be autolearned as ham!) in this day and age.
>
> I wish to submit this mail to the list for study, but I'm not sure if
> that's appropriate for this list or if there exists some sort of
> established "send us your spam mail" outfit from Symantec or something
> like that.
>
> But if anyone would care to see, I uploaded the intact .eml message as
> saved by Thunderbird to my site at
> http://cipixia.com/quack.eml
>
> Is using 'sa-learn --spam' on this message all that's required to
> "unautolearn it" as ham?
>

I fed your mail to my spamassassin instance and it was tagged as spam:

X-Spam-ASN: AS8075 65.52.0.0/14
X-Spam-Report:
    *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    *      [URIs: yreyronwuddengeg.com]
    *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *      [URIs: yreyronwuddengeg.com]
    *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
    *      [URIs: yreyronwuddengeg.com]
    *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    *      (jeffcola2[at]hotmail.com)
    *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
    *      (jeffcola2[at]hotmail.com)
    * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
    *      digit (jeffcola2[at]hotmail.com)
    *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
    *      http://www.chaosreigns.com/iprep/
    *  2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.3 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
    FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
    RCVD_NOT_IN_IPREPDNS,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
    URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=spam version=3.3.2
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.rkfomh.net

Can you show your report?
Might be that the URI was not yet in blacklists... Or you might need to enable some extra rules. N. From tom at whyscream.net Thu Oct 18 23:03:34 2012 From: tom at whyscream.net (Tom Hendrikx) Date: Thu, 18 Oct 2012 23:03:34 +0200 Subject: Viagra spam mail autolearned as ham, tagged score -1.64 In-Reply-To: <50806121.2030100@gmail.com> References: <5080371F.8000300@cipixia.com> <50806121.2030100@gmail.com> Message-ID: <50806EA6.6080303@whyscream.net> On 18/10/12 22:05, Nick Rosier wrote: > matt wrote: >> Hello all. >> >> I just received a 'male enhancement pharmacy' type spam email that >> amavisd-new (v2.6.6) assigned a score of (-1.64). It is possibly the >> best designed html spam I've seen, and I don't see how Spamassassin >> could have ever found it. >> >> Considering that Viagra type spam is probably the most prolific and >> obvious, I find it alarming that such a mail could sail through the >> filters (not to mention be autolearned as ham!) in this day and age. >> >> I wish to submit this mail to the list for study, but I'm not sure if >> that's appropriate for this list or if there exists some sort of >> established "send us your spam mail" outfit from Symantec or something >> like that. >> >> But if anyone would care to see, I uploaded the intact .eml message as >> saved by Thunderbird to my site at >> http://cipixia.com/quack.eml >> >> Is using 'sa-learn --spam' on this messsage all that's required to >> "unautolearn it" as ham? 
>>
> I fed your mail to a spamassassin instance and it was tagged as spam:
>
> X-Spam-ASN: AS8075 65.52.0.0/14
> X-Spam-Report:
> * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> *      [URIs: yreyronwuddengeg.com]
> * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> *      [URIs: yreyronwuddengeg.com]
> * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
> *      [URIs: yreyronwuddengeg.com]
> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
> *      (jeffcola2[at]hotmail.com)
> * 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
> *      (jeffcola2[at]hotmail.com )
> * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> * 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
> *      digit (jeffcola2[at]hotmail.com)
> * 0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
> *      http://www.chaosreigns.com/iprep/
> * 2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=6.3 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
> 	FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
> 	RCVD_NOT_IN_IPREPDNS,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
> 	URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=spam version=3.3.2
> X-Spam-Level: ******
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.rkfomh.net
>
> Can you show your report? Might be that the URI was not yet in
> blacklists... Or you might need to enable some extra rules.

I tried the same thing quite fast after matt sent his e-mail, and I had the same result, minus the various DNSBLs. The only non-network test that hit was the TO_NO_BRKTS_MSFT rule, which was not even working/enabled on matt's setup. It's still a bit icky that you're fully depending on external (DNSBL) data here...

--
Tom

From matt at cipixia.com Fri Oct 19 06:56:32 2012
From: matt at cipixia.com (matt)
Date: Thu, 18 Oct 2012 21:56:32 -0700
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
In-Reply-To: <5080DBEA.20404@cipixia.com>
References: <5080DBEA.20404@cipixia.com>
Message-ID: <5080DD80.10703@cipixia.com>

On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
> On 18/10/12 22:05, Nick Rosier wrote:
>> matt wrote:
>>> Hello all.

#####
I had to truncate my reply because mailman bounced the message as "spam", probably due to the subject nature of what was being discussed.
#####

In reply to Tom Hendrikx and Nick Rosier:

That's so weird! When I manually fed the message in with spamassassin -D < /var/www/html/quack.eml, I get basically the same report as you guys do:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.4 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
	FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
	RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
	URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no version=3.3.2
X-Spam-Report:
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
 *      trust
 *      [65.54.190.147 listed in list.dnswl.org]
 * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: yreyronwuddengeg.com]
 * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *      (jeffcola2[at]hotmail.com)
 * 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
 *      (jeffcola2[at]hotmail.com )
 * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 * 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 *      digit (jeffcola2[at]hotmail.com)
 * 0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
X-Original-To: matt at cipixia.com
##############

But when the mail originally came to me and got sifted through amavisd-new, all that was reported in the maillog was:

Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, -> , No, score=-1.64 tagged_above=-999 required=6.2 tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham

What could explain the discrepancy between amavisd-new's handling of it and spamassassin's manual invocation? It looks like amavisd-new isn't consulting the dns blacklists for some reason :/

From tom at whyscream.net Fri Oct 19 09:46:33 2012
From: tom at whyscream.net (Tom Hendrikx)
Date: Fri, 19 Oct 2012 09:46:33 +0200
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
In-Reply-To: <5080DD80.10703@cipixia.com>
References: <5080DBEA.20404@cipixia.com> <5080DD80.10703@cipixia.com>
Message-ID: <50810559.2080501@whyscream.net>

On 10/19/12 6:56 AM, matt wrote:
>
> On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
>> On 18/10/12 22:05, Nick Rosier wrote:
>>> matt wrote:
>>>> Hello all.
>
> #####
> I had to truncate my reply because mailman bounced the message as
> "spam", probably due to the subject nature of what was being discussed.
> #####
>
> In reply to Tom Hendrikx and Nick Rosier:
>
> That's so weird!
> When I manually fed the message in with spamassassin -D <
> /var/www/html/quack.eml, I get basically the same report as you guys do:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
> X-Spam-Flag: YES
> X-Spam-Level: ******
> X-Spam-Status: Yes, score=6.4 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
> 	FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
> 	RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
> 	URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no version=3.3.2
> X-Spam-Report:
> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
> *      trust
> *      [65.54.190.147 listed in list.dnswl.org]
> * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> *      [URIs: yreyronwuddengeg.com]
> * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> *      [URIs: yreyronwuddengeg.com]
> * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
> *      [URIs: yreyronwuddengeg.com]
> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
> *      (jeffcola2[at]hotmail.com)
> * 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
> *      (jeffcola2[at]hotmail.com )
> * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> * 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
> *      digit (jeffcola2[at]hotmail.com)
> * 0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
> X-Original-To: matt at cipixia.com
> ##############
>
> But when the mail originally came to me and got sifted through
> amavisd-new, all that was reported in the maillog was:
>
> Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, -> , No,
> score=-1.64 tagged_above=-999 required=6.2
> tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
> FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
> HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
> RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham
>
>
> What could explain the discrepancy between amavisd-new's handling of it
> and spamassassin's manual invocation? It looks like amavisd-new isn't
> consulting the dns blacklists for some reason :/
>

I tested your message within an hour after you sent it to the list, and at that time there were also no URIBLs that caught it. So I had the same results as you initially had (except for the TO_NO_BRKTS_MSFT rule). The URIBLs need to be fed spam to recognize these mails (f.i. from spamtraps), so you simply received the message before the URIBLs caught up.

Other differences between manual invocation and amavisd could be because you don't reload/restart after running sa-update, and possibly amavisd config (but both of these have nothing to do with the URIBL stuff from above).

--
Tom

From linus at haake-it.net Fri Oct 19 10:28:07 2012
From: linus at haake-it.net (Linus Haake)
Date: Fri, 19 Oct 2012 08:28:07 +0000
Subject: AW: Special characters in banned- filenames.
In-Reply-To: <6108F7E667F5764D9D4B8C65B88C03CD2F4A5E57@AM2PRD0710MB350.eurprd07.prod.outlook.com>
References: <6108F7E667F5764D9D4B8C65B88C03CD2F4A5E57@AM2PRD0710MB350.eurprd07.prod.outlook.com>
Message-ID: <6108F7E667F5764D9D4B8C65B88C03CD2F4B2022@AM2PRD0710MB350.eurprd07.prod.outlook.com>

Problem solved - $banned_files_quarantine_method = 'local:banned-%i-%n'; did the job.

From: amavis-users-bounces+linus=haake-it.net at amavis.org [mailto:amavis-users-bounces+linus=haake-it.net at amavis.org] On behalf of Linus Haake
Sent: Tuesday, 16 October 2012 08:56
To: amavis-users at amavis.org
Subject: Special characters in banned- filenames.

Dear List,

Having searched for a while on the Internet, I still wonder whether it is possible to change the way amavisd-new is naming banned/virus mails.
In detail, I'm having lots of problems with the special characters (+) sometimes appearing in the name of the gz file.

Thanks a lot for any help,
Linus

From maumar at datalogica.com Fri Oct 19 12:22:00 2012
From: maumar at datalogica.com (Maurizio Marini)
Date: Fri, 19 Oct 2012 12:22:00 +0200
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
In-Reply-To: <50806EA6.6080303@whyscream.net>
References: <5080371F.8000300@cipixia.com> <50806121.2030100@gmail.com> <50806EA6.6080303@whyscream.net>
Message-ID: <20121019122200.5b936806@tikal.homenet.telecomitalia.it>

On Thu, 18 Oct 2012 23:03:34 +0200 Tom Hendrikx wrote:
> On 18/10/12 22:05, Nick Rosier wrote:
> > matt wrote:
> >> Hello all.
> >>
> >> I just received a 'male enhancement pharmacy' type spam email that

your posts were junked with this score:

X-Spam-Flag: YES
X-Spam-Score: 4.588
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.588 tagged_above=-10 required=4
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DRUGS_ERECTILE=1.994, MALE_ENHANCE=0.851, RCVD_IN_DNSWL_MED=-2.3,
	T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=2.725, URIBL_DBL_SPAM=1.7,
	URIBL_WS_SURBL=1.608] autolearn=no

fyi

From m.blohm at digisec.de Fri Oct 19 12:56:21 2012
From: m.blohm at digisec.de (Matthias Blohm)
Date: Fri, 19 Oct 2012 12:56:21 +0200
Subject: eScan integration for Amavisd
Message-ID: <508131D5.7040706@digisec.de>

Hi,

does someone here know how to integrate the command-line scanner from eScan (Microworld, escanav.com) in the av_scanners section of amavisd.conf?

Thanks for that.

Matti

From gorgo.online at gmail.com Fri Oct 19 21:06:47 2012
From: gorgo.online at gmail.com (Georg Lindner)
Date: Fri, 19 Oct 2012 21:06:47 +0200
Subject: dspam auto-learn with amavisd-new 2.8.0
In-Reply-To:
References:
Message-ID: <5081A4C7.6000000@gmail.com>

On 01.10.2012 17:21, Georg Lindner wrote:
> We recently upgraded from amavisd-new 2.6.1 to version 2.8.0, and are now trying to get dspam integration (including autolearn) working together with the new amavis setup.
>
> Our dspam entry in the amavis.conf:
>
> ['DSPAM', 'Amavis::SpamControl::ExtProg', 'dspamc',
>   [ qw(--client --stdout --deliver=innocent,spam --user), $daemon_user ],
>   learn_ham  => [ qw(--class=innocent --source=error --user), $daemon_user ],
>   learn_spam => [ qw(--class=spam --source=error --user), $daemon_user ],
>   mail_body_size_limit => 65000, score_factor => 1.00
> ]
>
> According to the amavis log the auto-learn process for dspam is called:
> Sep 26 23:38:33 srv1 amavis[5475]: (05475-05) DSPAM result: Spam, score=1.000, sig=506375d921989068461704
> Sep 26 23:38:36 srv1 amavis[5475]: (05475-05) SpamControl: scanner DSPAM, auto-learn as ham / 0.389 (was: spam / 1.000)
>
> The dspam auto-learn is based on the X-DSPAM-Signature header. But it looks like all the X-DSPAM-* headers are not passed over to the autolearn process, so the messages are not reclassified.
> Neither as spam nor as ham.
>
> When a message is delivered to the user later on, the X-DSPAM-* headers are present.
>
> Is there a way to pass the "X-DSPAM-Signature" header to the auto learning?
> Either in-line in the message header, or as a parameter --signature=
>
> Thanks in advance
> Georg
>

As I found no resolution to the above problem I am now using a custom hook to train dspam. This works quite nicely, but now I am facing the next problem...

How can I disable the amavis built-in autolearn mechanism for dspam? I've tried to remove learn_ham and learn_spam from the configuration, but apparently it doesn't disable anything.

Any ideas?

Georg

From matt at cipixia.com Fri Oct 19 22:23:47 2012
From: matt at cipixia.com (matt)
Date: Fri, 19 Oct 2012 13:23:47 -0700
Subject: Viagra spam mail autolearned as ham, tagged score -1.64
In-Reply-To: <50810559.2080501@whyscream.net>
References: <5080DBEA.20404@cipixia.com> <5080DD80.10703@cipixia.com> <50810559.2080501@whyscream.net>
Message-ID: <5081B6D3.5070108@cipixia.com>

On 10/19/2012 12:46 AM, Tom Hendrikx wrote:
> On 10/19/12 6:56 AM, matt wrote:
>>
>> On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
>>> On 18/10/12 22:05, Nick Rosier wrote:
>>>> matt wrote:
>>>>> Hello all.
>>
>> #####
>> I had to truncate my reply because mailman bounced the message as
>> "spam", probably due to the subject nature of what was being discussed.
>> #####
>>
>> In reply to Tom Hendrikx and Nick Rosier:
>>
>> That's so weird! When I manually fed the message in with spamassassin -D <
>> /var/www/html/quack.eml, I get basically the same report as you guys do:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ******
>> X-Spam-Status: Yes, score=6.4 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
>> 	FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
>> 	RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
>> 	URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no version=3.3.2
>> X-Spam-Report:
>> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>> *      trust
>> *      [65.54.190.147 listed in list.dnswl.org]
>> * 1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> *      [URIs: yreyronwuddengeg.com]
>> * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
>> *      [URIs: yreyronwuddengeg.com]
>> * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>> *      [URIs: yreyronwuddengeg.com]
>> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
>> *      (jeffcola2[at]hotmail.com)
>> * 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
>> *      (jeffcola2[at]hotmail.com )
>> * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>> * 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
>> *      digit (jeffcola2[at]hotmail.com)
>> * 0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
>> X-Original-To: matt at cipixia.com
>> ##############
>>
>> But when the mail originally came to me and got sifted through
>> amavisd-new, all that was reported in the maillog was:
>>
>> Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, -> , No,
>> score=-1.64 tagged_above=-999 required=6.2
>> tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
>> FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
>> HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
>> RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham
>>
>>
>> What could explain the discrepancy between amavisd-new's handling of it
>> and spamassassin's manual invocation? It looks like amavisd-new isn't
>> consulting the dns blacklists for some reason :/
>>
>
> I tested your message within an hour after you sent it to the list, and
> at that time there were also no URIBLs that caught it. So I had the same
> results as you initially had (except for the TO_NO_BRKTS_MSFT rule). The
> URIBLs need to be fed spam to recognize these mails (f.i. from
> spamtraps), so you simply received the message before the URIBLs caught up.
>
> Other differences between manual invocation and amavisd could be because
> you don't reload/restart after running sa-update, and possibly amavisd
> config (but both of these have nothing to do with the URIBL stuff from
> above).
>
> --
> Tom
>

OK cool, I feel much better now knowing there wasn't really a problem with my setup, just that the spam was too new to be blacklisted. Thanks for clearing that up :)

From amavis-users at spectrumcs.net Mon Oct 22 22:20:10 2012
From: amavis-users at spectrumcs.net (Steve Scotter)
Date: Mon, 22 Oct 2012 20:20:10 +0000
Subject: Requirements for upgrade from 2.7.0,1 to 2.8.0_1,1
Message-ID:

Hi All,

The FreeBSD ports tree was updated with amavisd-new v2.8.0 a few months ago and I vaguely remember reading in /usr/ports/UPDATING that there were some SQL DB schema alterations I needed to make. At the time I was midway through migrating some domains over to the servers and wanted to avoid introducing any potential problems.
I've now completed the migration of all the domains and things have settled down, so I've taken a second look at upgrading from 2.7.0 to 2.8.0, but I can't find any references to DB schema updates in /usr/ports/UPDATING or in the release notes (http://www.ijs.si/software/amavisd/release-notes.txt).

Was I just imagining things, or are there some DB schema updates required, or for that matter any other hoops I need to jump through to successfully upgrade to 2.8.0?

Many thanks
Steve

From andreas.schulze at datev.de Tue Oct 23 12:00:26 2012
From: andreas.schulze at datev.de (Andreas Schulze)
Date: Tue, 23 Oct 2012 12:00:26 +0200
Subject: switch PolicyBank by Authentication-Result header ?
Message-ID: <20121023100025.GA4996@spider.services.datevnet.de>

Hello,

all my incoming messages pass opendkim before amavis. So they contain an Authentication-Results header indicating the dkim validation result.

It would be nice if amavis could switch to another policy_bank, like @author_to_policy_bank_maps does. Today (2.7.2/2.8.0) I have to enable dkim validation in amavis to switch policy_banks. That results in doing the validation twice.

Thanks
Andreas

--
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info@datev.de | Internet www.datev.de
Sitz: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registergericht Nürnberg, GenReg Nr.70
Vorstand Prof. Dieter Kempf (Vorsitzender), Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender), Dipl.-Kfm. Michael Leistenschneider, Dipl.-Kfm. Dr. Robert Mayr, Jörg Rabe v. Pappenheim, Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen

From fpicabia at gmail.com Wed Oct 24 20:18:53 2012
From: fpicabia at gmail.com (francis picabia)
Date: Wed, 24 Oct 2012 15:18:53 -0300
Subject: getting an amavisdconf style of dumped config variables
Message-ID:

This is related to the prior topic I had posted about inbound amavis not catching some of the unofficial rules from SaneSecurity. In this problem case the primary MX and SMTP have been different systems.

To verify what was going on, I've switched the priority on our MX servers so that primary is on the same Debian system which handled SMTP. After two weeks running with most traffic in/out passing through one machine, there are no cases of phishing, etc. caught on outbound which came in on this new primary MX. The only few caught on outbound since the change had all come in via the new secondary MX (currently Redhat).

The evidence is that there is some difference between the configurations, unless 2.6.6 from the Dag RPM repository breaks something which works in Debian Stable's amavisd-new-2.6.4.

I'd like to make a new amavis.conf for the Redhat system based on the seemingly better one on Debian. In Clam I can run clamconf to compare the settings clam is getting on each system. Amavis does not have this kind of utility. Debian's conf.d approach and all of the commented-out anti-virus lines, etc., make it difficult to get a unified amavisd.conf out of it.
I can "cat" all of the conf.d entries together, but it forms a file that doesn't diff easily with the Redhat configuration file. I need to remove all of the settings specific to the Debian way of doing this before starting it up on Redhat, especially those which can mess things up too much (e.g. $quarantine_subdir_levels = 1;).

Is there still no amavisdconf or something similar in a debug mode or likewise?

From quanah at zimbra.com Sat Oct 27 01:57:03 2012
From: quanah at zimbra.com (Quanah Gibson-Mount)
Date: Fri, 26 Oct 2012 16:57:03 -0700
Subject: DKIM CVE and Amavis behavior
Message-ID:

Hi Mark,

There's been a lot of news recently about . I am curious to know if Amavis with DKIM verification enabled "does the right thing" in relation to "test" DKIM keys and DKIM keys with a small bit size (less than 1024). I know opendkim just rev'd to 2.7.0 to take care of the CVE.

Among the major changes in OpenDKIM 2.7.0:

  o SECURITY: The library will now decline to generate a signature, or pass
    even a valid signature, if the signing key is comprised of too few bits,
    thus being insecure. The default is 1024. This can be controlled through
    the API, and the setting can also be adjusted in the filter via the new
    "MinimumKeyBits" setting.

Also, there is this bit:

  1) CWE-347: Improper Verification of Cryptographic Signature:

  DKIM information is conveyed in an email header called a DKIM-Signature
  header field. A Signer can indicate that a domain is testing DKIM by
  setting the DKIM Selector Flag (t=) flag to t=y. Some verifiers accept
  DKIM messages in testing mode when the messages should be treated as if
  they were not DKIM signed.

  From RFC 6376:

    t= Flags, represented as a colon-separated list of names (plain-text;
       OPTIONAL, default is no flags set). Unrecognized flags MUST be
       ignored. The defined flags are as follows:

       y  This domain is testing DKIM. Verifiers MUST NOT treat messages
          from Signers in testing mode differently from unsigned email,
          even should the signature fail to verify.

Thanks,
Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration

From fpicabia at gmail.com Mon Oct 29 15:59:15 2012
From: fpicabia at gmail.com (francis picabia)
Date: Mon, 29 Oct 2012 11:59:15 -0300
Subject: Inbound doesn't catch SaneSecurity signature, Outbound does
Message-ID:

> On Mon, Sep 24, 2012 at 5:08 AM, Mark Martinec
>> Again, it is not the same message:

OK, now I have a sample case which is simply a mail forward set up on the user's Exchange account. Inbound (Redhat) was undetected, and outbound (Debian) did detect.

On Oct 25 I made a new amavisd.conf for the Redhat system (mx10), which is having the problem of not detecting some phishing signatures. The new config file was based on the Debian config files, where the filtering has proven to be superior (smtp).

clamscan run with the quarantined file on the Redhat system that missed it detects the phishing signature, and I've not updated SaneSecurity signatures since this email passed through.

$ clamscan virus-wXQFj8Xeu4G2
virus-wXQFj8Xeu4G2: Doppelstern.Scam4.732.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2160751
Engine version: 0.97.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.27 MB
Data read: 0.20 MB (ratio 1.35:1)
Time: 53.426 sec (0 m 53 s)

Here are traces on inbound (not caught) and outbound (caught) 35 seconds later.
Not caught: Oct 27 13:55:00 mx10 amavis[23335]: (23335-08) LMTP::10024 /var/amavis/tmp/amavis-20121027T134540-23335: -> SIZE=217278 BODY=8BITMIME Received: from mx10.example.com ([127.0.0.1]) by localhost (mx10.example.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Sat, 27 Oct 2012 13:55:00 -0300 (ADT) Oct 27 13:55:00 mx10 amavis[23335]: (23335-08) Checking: o-t83BXo4jcl [207.189.223.49] -> Oct 27 13:55:00 mx10 amavis[23335]: (23335-08) p003 1 Content-Type: multipart/mixed Oct 27 13:55:00 mx10 amavis[23335]: (23335-08) p001 1/1 Content-Type: text/plain, size: 0 B, name: Oct 27 13:55:00 mx10 amavis[23335]: (23335-08) p002 1/2 Content-Type: application/msword, size: 157500 B, name: Receipt.rtf Oct 27 13:55:02 mx10 amavis[23335]: (23335-08) SPAM-TAG, -> , Yes, score=11.137 tagged_above=0 required=6.2 tests=[MISSING_HEADERS=1.207, RCVD_IN_BL_SPAMCOP_NET=4, RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.284, REPLYTO_WITHOUT_TO_CC=1.946] autolearn=disabled Oct 27 13:55:02 mx10 amavis[23335]: (23335-08) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ABE1319CC89 Oct 27 13:55:02 mx10 amavis[23335]: (23335-08) Passed SPAMMY, [207.189.223.49] [64.95.245.102] -> , Message-ID: <2787.64.95.245.102.1351263437.squirrel at email.peakpeak.com>, mail_id: o-t83BXo4jcl, Hits: 11.137, size: 217278, queued_as: ABE1319CC89, 2461 ms Oct 27 13:55:02 mx10 amavis[23335]: (23335-08) TIMING-SA total 2114 ms - parse: 20 (0.9%), extract_message_metadata: 38 (1.8%), get_uri_detail_list: 0.31 (0.0%), tests_pri_-1000: 10 (0.5%), tests_pri_-950: 2 (0.1%), tests_pri_-900: 2 (0.1%), tests_pri_-400: 1.77 (0.1%), tests_pri_0: 920 (43.5%), check_dkim_adsp: 118 (5.6%), check_spf: 421 (19.9%), poll_dns_idle: 1417 (67.0%), check_razor2: 296 (14.0%), tests_pri_500: 1080 (51.1%), get_report: 1.62 (0.1%) Oct 27 13:55:02 mx10 amavis[23335]: (23335-08) TIMING [total 2468 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP pre-MAIL: 1 (0%)0, SMTP pre-DATA-flush: 3 
(0%)0, SMTP DATA: 55 (2%)3, check_init: 1 (0%)3, digest_hdr: 2 (0%)3, digest_body_dkim: 4 (0%)3, gen_mail_id: 1 (0%)3, mime_decode: 33 (1%)4, get-file-type1: 19 (1%)5, parts_decode: 0 (0%)5, check_header: 1 (0%)5, AV-scan-1: 99 (4%)9, spam-wb-list: 2 (0%)9, SA parse: 21 (1%)10, SA check: 2089 (85%)95, update_cache: 8 (0%)95, decide_mail_destiny: 1 (0%)95, fwd-connect: 7 (0%)95, fwd-mail-pip: 3 (0%)95, fwd-rcpt-pip: 0 (0%)95, fwd-data-chkpnt: 0 (0%)95, write-header: 2 (0%)95, fwd-data-contents: 12 (0%)96, fwd-end-chkpnt: 84 (3%)99, prepare-dsn: 1 (0%)99, main_log_entry: 10 (0%)100, update_snmp: 3 (0%)100, SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-2-files: 0 (0%)100, rundown: 1 (0%)100 Caught on outbound: Oct 27 13:55:36 smtp amavis[19984]: (19984-14) loaded policy bank "MYNETS" over "ORIGINATING" Oct 27 13:55:36 smtp amavis[19984]: (19984-14) LMTP::10026 /var/lib/amavis/tmp/amavis-20121027T131704-19984: -> Received: from smtp.example.com ([XXX.YYY.201.5]) by localhost (thabit.example.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP for ; Sat, 27 Oct 2012 13:55:36 -0300 (ADT) Oct 27 13:55:36 smtp amavis[19984]: (19984-14) Checking: wXQFj8Xeu4G2 ORIGINATING/MYNETS [XXX.YYY.200.97] -> Oct 27 13:55:36 smtp amavis[19984]: (19984-14) p003 1 Content-Type: multipart/mixed Oct 27 13:55:36 smtp amavis[19984]: (19984-14) p001 1/1 Content-Type: text/plain, size: 0 B, name: Oct 27 13:55:36 smtp amavis[19984]: (19984-14) p002 1/2 Content-Type: application/msword, size: 157500 B, name: Receipt.rtf Oct 27 13:55:36 smtp amavis[19984]: (19984-14) run_av (ClamAV-clamd): /var/lib/amavis/tmp/amavis-20121027T131704-19984/parts INFECTED: Doppelstern.Scam4.732.UNOFFICIAL Oct 27 13:55:36 smtp amavis[19984]: (19984-14) virus_scan: (Doppelstern.Scam4.732.UNOFFICIAL), detected by 1 scanners: ClamAV-clamd Oct 27 13:55:36 smtp amavis[19984]: (19984-14) Virus Doppelstern.Scam4.732.UNOFFICIAL matches (?-xism:.*), sender addr ignored Oct 27 13:55:36 smtp amavis[19984]: 
(19984-14) local delivery: <> -> virus-quarantine, mbx=/var/virusmails/w/virus-wXQFj8Xeu4G2 Oct 27 13:55:36 smtp amavis[19984]: (19984-14) dkim: candidate originators: 2822.From:, 2821.mail_from: Oct 27 13:55:36 smtp amavis[19984]: (19984-14) dkim: signing (author), From: , KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>example.com, s=>smtp, ttl=>1814400, x=>1353171336.72979 Oct 27 13:55:37 smtp amavis[19984]: (19984-14) SEND via SMTP: -> ,ENVID=AM..20121027T165536Z at thabit.example.com 250 2.0.0 Ok, id=19984-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0723A1F4528 Oct 27 13:55:37 smtp amavis[19984]: (19984-14) Blocked INFECTED (Doppelstern.Scam4.732.UNOFFICIAL), ORIGINATING/MYNETS LOCAL [XXX.YYY.200.97] [64.95.245.102] -> , quarantine: w/virus-wXQFj8Xeu4G2, Message-ID: <2787.64.95.245.102.1351263437.squirrel at email.peakpeak.com>, mail_id: wXQFj8Xeu4G2, Hits: -, size: 218433, 338 ms Oct 27 13:55:37 smtp amavis[19984]: (19984-14) TIMING [total 345 ms] - SMTP greeting: 4 (1%)1, SMTP LHLO: 3 (1%)2, SMTP pre-MAIL: 3 (1%)3, SMTP pre-DATA-flush: 2 (1%)4, SMTP DATA: 63 (18%)22, check_init: 1 (0%)22, digest_hdr: 3 (1%)23, digest_body_dkim: 2 (1%)24, gen_mail_id: 1 (0%)24, mime_decode: 27 (8%)32, get-file-type1: 19 (6%)37, parts_decode: 0 (0%)37, check_header: 2 (1%)38, AV-scan-1: 51 (15%)53, read_snmp_variables: 1 (0%)53, best_try_originator: 2 (1%)54, update_cache: 1 (0%)54, decide_mail_destiny: 2 (1%)55, notif-quar: 2 (0%)55, stat-mbx: 3 (1%)56, open-mbx: 0 (0%)56, write-header: 1 (0%)56, save-to-local-mailbox: 2 (1%)57, write-header: 38 (11%)68, fwd-data-dkim: 19 (5%)73, fwd-connect: 23 (7%)80, fwd-mail-pip: 35 (10%)90, fwd-rcpt-pip: 1 (0%)90, fwd-data-chkpnt: 0 (0%)90, write-header: 1 (0%)90, fwd-data-contents: 4 (1%)92, fwd-end-chkpnt: 13 (4%)95, prepare-dsn: 1 (0%)96, main_log_entry: 8 (2%)98, update_snmp: 4 (1%)99, SMTP pre-response: 0 (0%)99, SMTP response: 1 (0%)100, unlink-2... 
Oct 27 13:55:37 smtp amavis[19984]: (19984-14) ...-files: 0 (0%)100, rundown: 1 (0%)100
Oct 27 13:55:37 smtp amavis[19984]: (19984-14) extra modules loaded: unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl
Oct 27 13:57:38 smtp amavis[19984]: (19984-14) loaded policy bank "ORIGINATING"

Another test I did was to reverse the roles of primary and secondary MX, so that the Debian system, which is good at catching these, was primary MX. In two weeks like this, there were only 2 emails caught on the outbound with phishing signatures, and both had arrived on the Redhat system (running as secondary MX during that time).

The above trace is with the Redhat system mx10 recently back in the role of primary MX. With this setup, there is more likelihood of the Debian SMTP detecting phishing signatures that the inbound Redhat mx10 missed.

I can only conclude that either:

1. There is a configuration difference between the two amavis instances which matters (I've tried to eliminate this by building a new config for Redhat out of the Debian /etc/amavis/conf.d files), or
2. There is a build difference between the two amavis binaries or their libraries. The Redhat system has amavisd-new-2.6.6 while Debian is amavisd-new-2.6.4 (20090625).

The Redhat system does block between 50 and 350 Sanesecurity signatures per day, so it is generally working OK.

What else can I do to trace the problem and/or improve the chances of the Redhat system actually blocking all of the signatures rather than most?

From aplinux at gmail.com Mon Oct 29 20:21:11 2012
From: aplinux at gmail.com (Alexandre)
Date: Mon, 29 Oct 2012 19:21:11 +0000 (UTC)
Subject: Bypass amavisd-new scanning
Message-ID:

I do not write fluently in English; I am Brazilian, and I'll try, OK? I read articles on Bypass amavisd (below) and I wonder if you can clear up a small doubt for me. Can I use item 8 (8. Configure particular senders to use unique settings for banned files.) in both directions, i.e. for emails sent by the user (as sender) and for mail received by the user (from outside or inside)? I need a file to be blocked both when a particular user sends it and when they receive it; is that possible? Thank you.

From miha.valencic at gmail.com Tue Oct 30 14:40:50 2012
From: miha.valencic at gmail.com (Miha Valencic)
Date: Tue, 30 Oct 2012 14:40:50 +0100
Subject: Custom hooks - feasible or not
In-Reply-To:
References:
Message-ID:

I've since added direct syslog logging as well and noticed that do_log is working fine if I use priority 0 (otherwise there is no syslog output; probably a configuration setting somewhere). The remaining question is whether it makes sense to "transform-and-forward" inside amavis via custom hooks (it feels like misuse) or to write a postfix content filter instead.

Regards, Miha.

On Tue, Oct 30, 2012 at 2:15 PM, Miha Valencic wrote:
> The problem I have at the moment is that I don't know whether the
> custom hooks are being executed or not, since nothing shows up in
> syslog (I'm doing do_log(0, "CUSTOM: foobar") to test it).

From miha.valencic at gmail.com Tue Oct 30 14:15:17 2012
From: miha.valencic at gmail.com (Miha Valencic)
Date: Tue, 30 Oct 2012 14:15:17 +0100
Subject: Custom hooks - feasible or not
Message-ID:

Hello!

I recently started working with Amavisd-new on a big project and I am currently playing with a postfix-amavisd-new setup on my development box. I noticed that the documentation for custom hooks is very scarce and found a sample on the Apple website[1]. This particular sample does not work with my setup (since string_to_mime_entity is not exported; I'm using version 2.6.4), but I modified it a bit.

The problem I have at the moment is that I don't know whether the custom hooks are being executed or not, since nothing shows up in syslog (I'm doing do_log(0, "CUSTOM: foobar") to test it). The other thing is that I'm still not sure if it makes sense to use it for what we need: forwarding.
We need to transform certain incoming messages and forward them based on certain criteria, for instance:

[pseudo code]
if (ldap_attribute == 'forward') {
    send_mail(ldap_attribute_recipient, subject of the message);
}

I'm testing this on Ubuntu 10.04. In the file 50-user, I've added:

require './51-custom.conf';

and 51-custom.conf includes the definition of the custom hooks as per the reference example. Is there anything else I should add, or should I maybe look elsewhere for the log output?

Regards, Miha.

[1]: http://www.opensource.apple.com/source/amavisd/amavisd-110/amavisd/amavisd-new-2.5.0/amavisd-custom.conf

From Mark.Martinec+amavis at ijs.si Tue Oct 30 15:29:16 2012
From: Mark.Martinec+amavis at ijs.si (Mark Martinec)
Date: Tue, 30 Oct 2012 15:29:16 +0100
Subject: DKIM CVE and Amavis behavior
In-Reply-To:
References:
Message-ID: <201210301529.16345.Mark.Martinec+amavis@ijs.si>

Quanah,

> There's been a lot of news recently about
> .

Yes, I've noticed.

> I am curious to know if Amavis with DKIM verification enabled "does the
> right thing" in relation to "test" DKIM keys and DKIM keys with a small bit
> size (less than 1024). I know opendkim just rev'd to 2.7.0 to take care of
> the CVE.

Currently (2.8.0 and older) amavisd does not test for DKIM key size. If a sender is using a short key, it's his decision and his risk. If a recipient is accepting a valid signature for whitelisting purposes, that was his own decision when he investigated the reputation of a signing domain and the trustworthiness of their key and explicitly and intentionally decided to use it for whitelisting purposes.

> Among the major changes in OpenDKIM 2.7.0:
>
> o SECURITY: The library will now decline to generate a signature, or pass
> even a valid signature, if the signing key is comprised of too few bits, thus
> being insecure. The default is 1024. This can be controlled through the
> API, and the setting can also be adjusted in the filter via the new
> "MinimumKeyBits" setting.

With 2.8.1 amavis will issue a warning if someone wants to generate or use a key shorter than 1024 bits. It will also ignore a valid signature with a key below a configurable size (default 786) for purposes of loading a policy bank (DKIM-based whitelisting - @author_to_policy_bank_maps).

> Also, there is this bit:
>
> 1) CWE-347: Improper Verification of Cryptographic Signature: DKIM
> information is conveyed in an email header called a DKIM-Signature header
> field. A Signer can indicate that a domain is testing DKIM by setting the
> DKIM Selector Flag (t=) flag to t=y. Some verifiers accept DKIM messages in
> testing mode when the messages should be treated as if they were not DKIM
> signed. From RFC 6376:
>
> t= Flags, represented as a colon-separated list of names (plain-text;
> OPTIONAL, default is no flags set). Unrecognized flags MUST
> be ignored. The defined flags are as follows:
>
> y This domain is testing DKIM. Verifiers MUST NOT treat messages
> from Signers in testing mode differently from unsigned email,
> even should the signature fail to verify.

If a signature fails to verify, amavisd never treated it any differently than unsigned mail, regardless of the testing flag. If a signature is valid, it is silly to disregard it even when it has a testing flag. It is all up to a signer's reputation / trustworthiness in the eye of a recipient when he decides to use (or not to use) their valid signature for some whitelisting purpose.

Mark

From quanah at zimbra.com Tue Oct 30 20:57:43 2012
From: quanah at zimbra.com (Quanah Gibson-Mount)
Date: Tue, 30 Oct 2012 12:57:43 -0700
Subject: DKIM CVE and Amavis behavior
In-Reply-To: <201210301529.16345.Mark.Martinec+amavis@ijs.si>
References: <201210301529.16345.Mark.Martinec+amavis@ijs.si>
Message-ID:

--On Tuesday, October 30, 2012 3:29 PM +0100 Mark Martinec wrote:

Hi Mark,

> With 2.8.1 amavis will issue a warning if someone wants to generate
> or use a key shorter than 1024 bits.
>
> It will also ignore a valid signature with a key below a configurable
> size (default 786) for purposes of loading a policy bank
> (DKIM-based whitelisting - @author_to_policy_bank_maps).

Ok, thanks! Do you have an idea of when 2.8.1 may be released? Just so I can adjust expectations locally.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration

From lists at sbt.net.au Wed Oct 31 21:46:41 2012
From: lists at sbt.net.au (lists at sbt.net.au)
Date: Thu, 1 Nov 2012 07:46:41 +1100
Subject: bypass +badh delivery ?
Message-ID: <0263376ef46cdb94c6032116e91a51ed.squirrel@geko.sbt.net.au>

I'm using +subaddress for +spam 'sorting'; I'm getting 'badh' emails delivered to the +subaddress 'user+badh'. How can I NOT deliver badh to user+badh, but to the 'main' inbox? Should I just disable 'badh' checks?

Thanks for any pointers.

amavisd -V
amavisd-new-2.8.0-pre7 (20120522)

grep bad_head amavisd.conf
@addr_extension_bad_header_maps = ('badh');
$final_bad_header_destiny = D_PASS;
$bad_header_quarantine_to = 'bad-header-quarantine';
$bad_header_quarantine_to = 'badh at sbt.net.au'; # fwd to MTA for delivery
@bad_header_lovers_maps = ( read_hash("/var/amavis/bad_header_lovers"),