spam report with original message attached

Sergey serdemo at mail.ru
Thu Apr 5 21:23:12 CEST 2012


Hello colleagues!

I am receiving spam reports with an attachment that is supposed to contain the
original message. But the attachment contains only the header of the message
(From/To/Subject), with no body of the original message.
Please advise how to configure amavisd so that I get the complete original
message attached to the spam report.

Version: amavisd-new-2.6.4

### Config adapted from internet ###

use strict;
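# General daemon settings: process limits, run-as identity, working
# directories, quarantine destinations, logging and listening sockets.
# Line breaks are restored here: re-wrapping had pushed comment tails onto
# lines of their own and had pulled whole assignments ($spam_quarantine_to,
# $syslog_priority) into the preceding comment, where they had no effect.
$max_servers = 2;            # num of pre-forked children (2..15 is common), -m
$daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis), -u
$daemon_group = 'vscan';     # (no default;  customary: vscan or amavis), -g
$mydomain = 'my.internet.domain';   # a convenient default for other settings
$MYHOME = '/var/amavis';
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = '/var/virusmails';  # -Q

# Quarantine destinations, one per content category.  All four point at the
# same mailbox, so whoever can read it receives the original spam, banned and
# infected content; access to that mailbox should be restricted accordingly.
$spam_quarantine_to       = "quarantine.mailbox\@$mydomain";
$virus_quarantine_to      = "quarantine.mailbox\@$mydomain";
$banned_quarantine_to     = "quarantine.mailbox\@$mydomain";
$bad_header_quarantine_to = "quarantine.mailbox\@$mydomain";
$spam_admin = "my.mailbox\@$mydomain";

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$enable_dkim_verification = 0;
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed

# NOTE(review): $interface_policy{'SOCK'} is assigned again further down in
# this file (to 'AM.PDP-SOCK'); the later assignment replaces this one, which
# leaves the 'AM.PDP' bank below unreferenced by the socket.
$interface_policy{'SOCK'} = 'AM.PDP';
$policy_bank{'AM.PDP'} = {protocol=>'AM.PDP'};
$unix_socketname='/var/amavis/amavisd.sock';

# Sender whitelist / blacklist loaded from files at startup.
# NOTE(review): these files decide which senders bypass or fail spam checks;
# presumably they should be writable only by the administrator - confirm.
read_hash(\%whitelist_sender, '/var/amavis/whitelist');
read_hash(\%blacklist_sender, '/var/amavis/blacklist');

@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
# Clients in @mynetworks get the MYNETS policy bank; keep the list as narrow
# as the real internal client ranges.
@mynetworks = qw( 127.0.0.0/8 10.0.0.0/8 );
               # option(s) -p overrides $inet_socket_port and $unix_socketname
# NOTE(review): no $inet_socket_bind is set in this file; confirm the listener
# is reachable from the local MTA only.
$inet_socket_port = 10024;   # listen on this local TCP port(s)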
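# Policy banks and SpamAssassin score thresholds.
# Line breaks are restored here: re-wrapping had moved the closing "};" of
# each policy bank into a trailing comment and had merged the following
# assignments into comment text, so the hashes were never closed and several
# settings were silently lost.

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# Mail arriving on port 10026 is handled under the ORIGINATING bank.
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["my.mailbox\@$mydomain"],
  spam_admin_maps  => ["my.mailbox\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # Banned-name checks are skipped for everything arriving on this port, so
  # only authenticated or otherwise trusted submitters should be able to
  # reach port 10026.
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

# This replaces the earlier $interface_policy{'SOCK'} = 'AM.PDP' assignment
# made near the top of the file.
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  # With the secret_id not required, a release request over the socket is not
  # authenticated by amavisd itself.
  # NOTE(review): access control then rests on the permissions of the socket
  # file - confirm they admit only the intended local users.
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

$sa_tag_level_deflt  = 4.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)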
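# SpamAssassin tuning, notification addresses, decoding limits, defanging and
# final destinies.
# Line breaks are restored here: re-wrapping had left comment tails as bare
# words on their own lines and had merged assignments such as
# $sa_mail_body_size_limit, $mailfrom_to_quarantine, $defang_banned and the
# ",6" $defang_by_ccat entry into the preceding comments.

$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
# Mail larger than this limit is not passed to SpamAssassin at all.
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

$virus_admin               = "my.mailbox\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "quarantine.mailbox\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "quarantine.mailbox\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "quarantine.mailbox\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');

# Search path for the external decoders and scanners named in this file.
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

# Limits on recursive unpacking of archives.
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '**SPAM** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_bad_header     = 1;  # default is false: don't modify mail body
# $defang_undecipherable = 1;  # default is false: don't modify mail body
$defang_spam = 1;  # default is false: don't modify mail body

$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error

$myhostname = 'my.internet.domain';  # must be a fully-qualified domain name!
$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

# Final disposition per content category.
# NOTE(review): with D_DISCARD the quarantine is presumably the only remaining
# copy of a discarded message, which makes quarantine retention and access the
# recovery path for false positives - confirm against the amavisd docs.
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;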
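# Lookup tables controlling which decoded parts are kept for rescanning and
# which file names / types are banned.
# Line breaks are restored here: two wrapped comment tails had ended up as
# bare words inside the new_RE() argument lists.

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

# A bare regexp bans what it matches; a bracketed [ regexp => 0 ] entry allows
# it instead.
$banned_filename_re = new_RE(
  # NOTE(review): this entry ALLOWS the file(1) types exe-ms and dll, although
  # its comment still speaks of banned types.  Assuming the first matching
  # entry decides (confirm for this amavisd version), parts of these types are
  # exempt from every rule below, including the double-extension rule.
  # Confirm that allowing Windows executables is intended.
  [ qr'^\.(exe-ms|dll)$'         => 0 ],  # "[" = allow, banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(vbs|pif|scr|cpl)$'i,             # banned extension - basic
);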
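# Per-sender score adjustments: positive values push a message towards spam
# (soft-blacklist), negative values pull it away (soft-whitelist).
# Two repairs are made here.  Wrapped comment tails ("summed",
# "soft-blacklist") are rejoined to their comments, and the hash keys are
# restored to addr@domain form: the list archive had rewritten "@" as " at ",
# and a key in that form can never equal a sender address.
# NOTE(review): negative scores keyed on a sender address are only as
# trustworthy as the sender address itself; confirm the listed senders are
# still wanted before relying on them.
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     # lc() folds these mixed-case addresses to lower case for use as keys
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
   },
  ],  # end of site-wide tables
});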
# Decoder table: each entry names a short file type, the handler routine for
# it, and (where given) the external program or list of alternative programs
# passed to that handler.
@decoders = (
  [ 'mail', \&do_mime_decode ],
  [ 'asc',  \&do_ascii ],
  [ 'uue',  \&do_ascii ],
  [ 'hqx',  \&do_ascii ],
  [ 'ync',  \&do_ascii ],
  [ 'F',    \&do_uncompress, [ 'unfreeze', 'freeze -d', 'melt', 'fcat' ] ],
  [ 'Z',    \&do_uncompress, [ 'uncompress', 'gzip -d', 'zcat' ] ],
  [ 'gz',   \&do_uncompress, 'gzip -d' ],
  [ 'gz',   \&do_gunzip ],
  [ 'bz2',  \&do_uncompress, 'bzip2 -d' ],
  [ 'lzo',  \&do_uncompress, 'lzop -d' ],
  [ 'rpm',  \&do_uncompress, [ 'rpm2cpio.pl', 'rpm2cpio' ] ],
  [ 'cpio', \&do_pax_cpio,   [ 'pax', 'gcpio', 'cpio' ] ],
  [ 'tar',  \&do_pax_cpio,   [ 'pax', 'gcpio', 'cpio' ] ],
  [ 'deb',  \&do_ar,         'ar' ],
  [ 'zip',  \&do_unzip ],
  [ '7z',   \&do_7zip,       [ '7zr', '7za', '7z' ] ],
  [ 'rar',  \&do_unrar,      [ 'rar', 'unrar' ] ],
  [ 'arj',  \&do_unarj,      [ 'arj', 'unarj' ] ],
  [ 'arc',  \&do_arc,        [ 'nomarch', 'arc' ] ],
  [ 'zoo',  \&do_zoo,        [ 'zoo', 'unzoo' ] ],
  [ 'lha',  \&do_lha,        'lha' ],
  [ 'cab',  \&do_cabextract, 'cabextract' ],
  [ 'tnef', \&do_tnef_ext,   'tnef' ],
  [ 'tnef', \&do_tnef ],
  [ 'exe',  \&do_executable, [ 'rar', 'unrar' ], 'lha', [ 'arj', 'unarj' ] ],
);

# Primary virus scanner: clamd, asked through ask_daemon with a CONTSCAN
# request on the Unix socket given below.  The three patterns are matched
# against the scanner's reply: clean, infected, and virus-name extraction.
# NOTE(review): the socket path has to match the clamd configuration, and the
# amavisd user has to be allowed to connect to it - confirm both.
@av_scanners = (
  [
    'ClamAV-clamd',
    \&ask_daemon,
    [ "CONTSCAN {}\n", "/var/run/clamav/clamd.sock" ],
    qr/\bOK$/,
    qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
  ],
);

# Backup scanner: the clamscan command-line program, with exit status 0
# listed as the clean result.
@av_scanners_backup = (
  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  [
    'ClamAV-clamscan',
    'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0],
    qr/:.*\sFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
  ],
);

1;  # ensure a defined return

### END OF CONFIG ###

Sergey


