Amavisd Not Scoring from Soft blacklist
jason hirsh
hirshj at att.net
Mon Jun 20 01:39:23 CEST 2011
On Jun 19, 2011, at 3:30 PM, Gary V wrote:
> On 6/19/11, jason hirsh wrote:
>> I am running
>>
>>> amavisd-new 2.6.4_10.1
>>> Postfix 2.9
>>> Mysql server 5..5
>> Freebsd 8.1
>>
>>
>> I am trying to find a way to blacklist specified domains and email addresses.
>>
>>
>> My current effort was to try to block one of my own webmail accounts
>> captcurrent at hotmail.com
>>
>>
>> This is what I put in amavisd.conf
>>
>> @score_sender_maps = ({ # a by-recipient hash lookup table
>>
>> # # per-recipient personal tables (NOTE: positive: black, negative: white)
>> # 'user1 at example.com' => [{'bla-mobile.press at example.com' => 10.0}],
>> # 'user3 at example.com' => [{'.ebay.com' => -3.0}],
>> # 'user4 at example.com' => [{'cleargreen at cleargreen.com' => -7.0,
>> # '.cleargreen.com' => -5.0}],
>>
>> # site-wide opinions about senders (the '.' matches any recipient)
>> '.' => [ # the _first_ matching sender determines the score boost
>>
>> new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
>> [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
>> [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
>> [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
>> [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
>> [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
>> [qr'^(your_friend|greatoffers)@'i => 5.0],
>> [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
>> ),
>>
>> # read_hash("/var/amavis/sender_scores_sitewide"),
>>
>> { # a hash-type lookup table (associative array)
>> 'nobody at cert.org' => -3.0,
>> 'cert-advisory at us-cert.gov' => -3.0,
>> 'owner-alert at iss.net' => -3.0,
>> 'slashdot at slashdot.org' => -3.0,
>> 'securityfocus.com' => -3.0,
>> 'ntbugtraq at listserv.ntbugtraq.com' => -3.0,
>> 'security-alerts at linuxsecurity.com' => -3.0,
>> 'mailman-announce-admin at python.org' => -3.0,
>> 'amavis-user-admin at lists.sourceforge.net'=> -3.0,
>> 'amavis-user-bounces at lists.sourceforge.net' => -3.0,
>> 'spamassassin.apache.org' => -3.0,
>> 'notification-return at lists.sophos.com' => -3.0,
>> 'owner-postfix-users at postfix.org' => -3.0,
>> 'owner-postfix-announce at postfix.org' => -3.0,
>> 'owner-sendmail-announce at lists.sendmail.org' => -3.0,
>> 'sendmail-announce-request at lists.sendmail.org' => -3.0,
>> 'donotreply at sendmail.org' => -3.0,
>> 'ca+envelope at sendmail.org' => -3.0,
>> 'noreply at freshmeat.net' => -3.0,
>> 'owner-technews at postel.acm.org' => -3.0,
>> 'ietf-123-owner at loki.ietf.org' => -3.0,
>> 'cvs-commits-list-admin at gnome.org' => -3.0,
>> 'rt-users-admin at lists.fsck.com' => -3.0,
>> 'clp-request at comp.nus.edu.sg' => -3.0,
>> 'surveys-errors at lists.nua.ie' => -3.0,
>> 'emailnews at genomeweb.com' => -5.0,
>> 'yahoo-dev-null at yahoo-inc.com' => -3.0,
>> 'returns.groups.yahoo.com' => -3.0,
>> 'clusternews at linuxnetworx.com' => -3.0,
>> lc('lvs-users-admin at LinuxVirtualServer.org') => -3.0,
>> lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
>> #blacklist test
>> # soft-blacklisting (positive score)
>> 'captcurrent at hotmail.com' => 4.0,
>> '.example.net' => 1.0,
>>
>> },
>> ], # end of site-wide tables
>> });
>>
>> I went with this approach to try to keep me from messing up too far.
>>
>> With the other checks this should be enough to put an email from this address
>> into spam, but the score remains at 2.092.
>>
>> Can anyone tell from this info what I am doing wrong?
>
> Did you remember to reload amavisd-new? I would look at the headers of
> the message to see what rules did hit. I would also set:
> $sa_tag_level_deflt = undef;
> so that all messages addressed to local domains will have the X-Spam
> headers inserted, which can be useful when trying to debug which rules
> hit.
>
> You may also choose to set:
>
> # If sender matches ACL, turn debugging fully up, just for this one message
> @debug_sender_maps = ( ['captcurrent at hotmail.com'] );

The maillog showed this, which looks like it found the address but didn't total the score:

Jun 19 19:35:43 tuna amavis[84064]: (84064-01) lookup [whitelist_sender<captcurrent at hotmail.com>,whitelist_sender] => undef, "captcurrent at hotmail.com" does not match
Jun 19 19:35:43 tuna amavis[84064]: (84064-01) lookup_re("captcurrent at hotmail.com"), no matches
Jun 19 19:35:43 tuna amavis[84064]: (84064-01) query_keys: captcurrent at hotmail.com, captcurrent@, hotmail.com, .hotmail.com, .com, .
Jun 19 19:35:43 tuna amavis[84064]: (84064-01) lookup_hash(captcurrent at hotmail.com) matches key "captcurrent at hotmail.com", result=4
Jun 19 19:35:43 tuna amavis[84064]: (84064-01) lookup [score_sender<captcurrent at hotmail.com>] => true, "captcurrent at hotmail.com" matches, result="4", matching_key="captcurrent at hotmail.com"
Jun 19 19:35:43 tuna amavis[84064]: (84064-01) wbl: soft-blacklisted (4) sender <captcurrent at hotmail.com> => <jason at kasdivi.com>, recip_key="."
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) SPAM-TAG, <captcurrent at hotmail.com> -> <jason at kasdivi.com>, No, score=2.092 required=6.31 tests=[AM:BOOST=4, BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) (about to connect to [127.0.0.1]:10025) FWD via SMTP: <captcurrent at hotmail.com> -> <jason at kasdivi.com>
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) smtp cmd> MAIL FROM:<captcurrent at hotmail.com> BODY=7BIT
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) rw_loop sent 113> MAIL FROM:<captcurrent at hotmail.com> BODY=7BIT\r\nRCPT TO:<jason at kasdivi.com> ORCPT=rfc822;jason at kasdivi.com\r\nDATA\r\n
Jun 19 19:35:44 tuna postfix/qmgr[76930]: 4E09C5C23: from=<captcurrent at hotmail.com>, size=2151, nrcpt=1 (queue active)
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) FWD via SMTP: <captcurrent at hotmail.com> -> <jason at kasdivi.com>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4E09C5C23
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) DSN: sender NOT credible, SA: -1.908, <captcurrent at hotmail.com>
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) query_keys: captcurrent at hotmail.com, captcurrent@, hotmail.com, .hotmail.com, .com, .
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) lookup_hash(captcurrent at hotmail.com) matches key "captcurrent at hotmail.com", result=8
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) lookup [spam_dsn_cutoff_level_bysender] => true, "captcurrent at hotmail.com" matches, result="8", matching_key="captcurrent at hotmail.com"
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) dsn: from MTA 250 NonBlocking:CleanTag <captcurrent at hotmail.com> -> <jason at kasdivi.com>: on_succ=0, on_dly=1, on_fail=1, never=0, warn_sender=, DSN_passed_on=1, mta_resp: "250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4E09C5C23"
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) DSN: SUCC from MTA 250 NonBlocking:CleanTag, no DSN requested: <captcurrent at hotmail.com> -> <jason at kasdivi.com>
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) one_response_for_all <captcurrent at hotmail.com>: success, r=0,b=0,d=0, ndn_needed=0, '250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4E09C5C23'
Jun 19 19:35:44 tuna amavis[84064]: (84064-01) Passed CLEAN, [65.55.90.36] [65.55.90.8] <captcurrent at hotmail.com> -> <jason at kasdivi.com>, Message-ID: <SNT134-W5CB717938EADFCA9F5039A06F0 at phx.gbl>, mail_id: Nh1SDVuRLjDk, Hits: 2.092, size: 1396, queued_as: 4E09C5C23, 896 ms
>
> so you get full debugging for a message sent from captcurrent at hotmail.com.
>
> --
> Gary V
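
An added example, not part of the original thread: a small Python parser for the SPAM-TAG log line quoted above. It sums the per-test contributions, separates the amavisd boost from the SpamAssassin tests, and compares the total with the required level. Treating the `AM:` prefix as the marker for amavisd's own contributions is an assumption based on the `AM:BOOST=4` entry in that line; the function and field names are hypothetical.

```python
import re

# Constructed sample: the SPAM-TAG line from the log quoted above, with the
# syslog prefix trimmed. Addresses keep the archive's " at " obfuscation.
SPAM_TAG = (
    "(84064-01) SPAM-TAG, <captcurrent at hotmail.com> -> <jason at kasdivi.com>, "
    "No, score=2.092 required=6.31 tests=[AM:BOOST=4, BAYES_00=-1.9, "
    "FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, "
    "T_RP_MATCHES_RCVD=-0.01] autolearn=ham"
)

TAG_RE = re.compile(
    r"SPAM-TAG,.*?score=(?P<score>-?[\d.]+)\s+required=(?P<required>-?[\d.]+)"
    r"\s+tests=\[(?P<tests>[^\]]*)\]"
)

def parse_spam_tag(line):
    """Return the score breakdown of one SPAM-TAG line, or None if absent."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if item:
            name, _, value = item.rpartition("=")
            tests[name] = float(value)
    # Assumption: the "AM:" prefix marks scores added by amavisd itself
    # (here the @score_sender_maps boost), the rest come from SpamAssassin.
    boost = sum(v for k, v in tests.items() if k.startswith("AM:"))
    sa_only = sum(v for k, v in tests.items() if not k.startswith("AM:"))
    score = float(m.group("score"))
    required = float(m.group("required"))
    return {
        "score": score,
        "required": required,
        "tests": tests,
        "boost": boost,
        "sa_only": sa_only,
        "total": boost + sa_only,
        "reaches_required": score >= required,
    }

if __name__ == "__main__":
    r = parse_spam_tag(SPAM_TAG)
    print(f"SA tests {r['sa_only']:+.3f}  amavisd boost {r['boost']:+.3f}  "
          f"total {r['total']:.3f}  required {r['required']}")
```
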