spam report with original message attached
Sergey
serdemo at mail.ru
Thu Apr 5 21:23:12 CEST 2012
Hello colleagues!
I am receiving spam reports with an attachment that is supposed to contain the
original message. But the attachment contains only the header section of the
message (From/To/Subject) - not the body of the original message.
Please advise how to configure amavisd-new so that the complete original message
is attached to the spam report.
Version: amavisd-new-2.6.4
### Config adapted from internet ###
use strict;
# Daemon sizing and identity.
$max_servers = 2;                         # pre-forked children (2..15 is common), -m
$daemon_user = $daemon_group = 'vscan';   # no default; customary vscan or amavis, -u / -g

# Names and directories that many later settings build on.
$mydomain = 'my.internet.domain';         # convenient default reused below
$MYHOME   = '/var/amavis';
$TEMPBASE = "$MYHOME/tmp";                # working directory, must already exist, -T
$ENV{TMPDIR} = $TEMPBASE;                 # TMPDIR seen by SpamAssassin and helper programs
$QUARANTINEDIR = '/var/virusmails';   # -Q

# Every content category is quarantined to the same mailbox.
my $quarantine_mailbox = "quarantine.mailbox\@$mydomain";
(
    $spam_quarantine_to,
    $virus_quarantine_to,
    $banned_quarantine_to,
    $bad_header_quarantine_to,
) = ($quarantine_mailbox) x 4;

$spam_admin = "my.mailbox\@$mydomain";   # recipient of spam admin notifications
# Logging goes to syslog at the lowest verbosity.
$DO_SYSLOG       = 1;         # log via syslogd (preferred over a log file)
$syslog_facility = 'mail';    # facility as a string: mail, daemon, user, local0 .. local7
$syslog_priority = 'debug';   # base (minimal) priority as a string, one of:
                              # emerg, alert, crit, err, warning, notice, info, debug
$log_level       = 0;         # verbosity 0..5, -d
$log_recip_templ = undef;     # no by-recipient level-0 log entries at all; raise
                              # $log_level when you need a per-message trail to
                              # see what went into a report
# libdb-backed features (SNMP counters, nanny, the global cache).
$enable_db           = 1;   # BerkeleyDB/libdb; needed by the SNMP agent and nanny
$enable_global_cache = 1;   # libdb-based cache; only has effect while $enable_db is on
$nanny_details_level = 2;   # nanny verbosity: 1 traditional, 2 detailed

$enable_dkim_verification = 0;
# NOTE: $interface_policy{'SOCK'} is assigned again further down in this file
# (to 'AM.PDP-SOCK'); that later assignment wins, so the plain 'AM.PDP' bank
# below is never the one selected for the unix socket.
$interface_policy{'SOCK'} = 'AM.PDP';
$policy_bank{'AM.PDP'}    = { protocol => 'AM.PDP' };
$unix_socketname = '/var/amavis/amavisd.sock';

# Sender white/blacklists come from flat files under /var/amavis.  Whitelisting
# keys on the sender address, which is under the sender's control, so keep the
# whitelist short and specific.
for my $list ([\%whitelist_sender, '/var/amavis/whitelist'],
              [\%blacklist_sender, '/var/amavis/blacklist']) {
    read_hash(@$list);
}
# What counts as "local": the domain and all of its subdomains (leading dot).
@local_domains_maps = ( [".$mydomain"] );

# Client networks treated as internal (select the MYNETS policy bank).
@mynetworks = qw( 127.0.0.0/8 10.0.0.0/8 );

# Listening port; -p on the command line overrides this and $unix_socketname.
$inet_socket_port = 10024;
# Policy for mail arriving from @mynetworks.
$policy_bank{'MYNETS'} = {
    originating           => 1,       # already true in MYNETS by default; spelled out
    os_fingerprint_method => undef,   # do not ask p0f about internal clients
};
# Port 10026 carries mail supposedly submitted by our own users.
$interface_policy{'10026'} = 'ORIGINATING';
my %originating_bank = (
    originating       => 1,   # declare that mail was submitted by our SMTP client
    allow_disclaimers => 1,   # disclaimer insertion, if available
    # notify the administrator of locally originating malware / spam
    virus_admin_maps  => ["my.mailbox\@$mydomain"],
    spam_admin_maps   => ["my.mailbox\@$mydomain"],
    warnbadhsender    => 1,
    # hand the message to an smtpd service that performs DKIM signing
    forward_method    => 'smtp:[127.0.0.1]:10027',
    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    bypass_banned_checks_maps   => [1],   # our users may send any file names and types
    terminate_dsn_on_notify_success => 0, # keep the NOTIFY=SUCCESS option
);
$policy_bank{'ORIGINATING'} = \%originating_bank;

# Unix socket policy; this replaces the earlier 'AM.PDP' assignment and only
# applies while $unix_socketname is set.
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
$policy_bank{'AM.PDP-SOCK'} = {
    protocol              => 'AM.PDP',
    auth_required_release => 0,   # amavisd-release needs no secret_id on this socket
    # NOTE(review): without a secret_id, presumably any local process that can
    # open $unix_socketname may release quarantined mail, so the socket's
    # owner/group/mode is the only access control left - confirm it is
    # restricted to the intended users.
};

# SpamAssassin score thresholds.
$sa_tag_level_deflt  = 4.0;   # add spam info headers at or above this level
$sa_tag2_level_deflt = 6.2;   # add 'spam detected' headers at this level
$sa_kill_level_deflt = 6.9;   # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which no DSN is sent

# Pen-pals (needs a @storage_sql_dsn database to have any effect).
$penpals_bonus_score    = 8;
$penpals_threshold_high = $sa_kill_level_deflt;   # no pen-pals work for high-scoring spam

# Skip SpamAssassin (no spam score at all) for mail larger than this.
$sa_mail_body_size_limit = 400*1024;
$sa_local_tests_only     = 0;   # also run the tests that need internet access
$virus_admin = "my.mailbox\@$mydomain";   # recipient of virus notifications

# Envelope sender used on every notification amavisd generates.
my $notify_sender = "quarantine.mailbox\@$mydomain";
$mailfrom_notify_admin     = $notify_sender;
$mailfrom_notify_recip     = $notify_sender;
$mailfrom_notify_spamadmin = $notify_sender;

$mailfrom_to_quarantine = '';   # null return path; undef would reuse the original sender
# Address extension added to the recipient address, per content category.
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');

# PATH used when running external decoders and scanners; sbin directories first.
$path = join ':', qw(/usr/local/sbin /usr/local/bin /usr/sbin /sbin /usr/bin /bin);
# Decoding limits: nesting depth, member count and expansion quotas (bytes).
$MAXLEVELS = 14;
$MAXFILES  = 1500;
$MIN_EXPANSION_QUOTA = 100*1024;        # default undef: not enforced
$MAX_EXPANSION_QUOTA = 300*1024*1024;   # default undef: not enforced

$sa_spam_subject_tag = '**SPAM** ';

# Which passed mail gets MIME-wrapped (defanged).  All of these default to
# false, i.e. "don't modify the mail body".
$defang_virus      = 1;   # passed infected mail
$defang_banned     = 1;   # passed mail containing a banned name
$defang_bad_header = 1;
# $defang_undecipherable = 1;
$defang_spam       = 1;

# Bad-header sub-categories that are also defanged:
#   3 - NUL or CR character in a header
#   5 - header line longer than 998 characters
#   6 - header field syntax error
for my $subcat (3, 5, 6) {
    $defang_by_ccat{ +CC_BADH . ",$subcat" } = 1;
}
$myhostname = 'my.internet.domain';   # must be a fully-qualified domain name!

# Where notifications and (by default) checked mail are re-injected into the
# MTA.  Set $forward_method to undef when running as a milter.
$notify_method = $forward_method = 'smtp:[127.0.0.1]:10025';

# Final destiny per content category.  D_DISCARD drops the message without a
# bounce, so a false positive is only recoverable from the quarantine
# (quarantining is governed separately by the *_quarantine_to settings above).
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;
# Content types for which the decoded original is kept for re-checking.
my @keep_decoded_types = (
    qr'^MAIL-UNDECIPHERABLE$',   # recheck the full mail if it contains undecipherables
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
@keep_decoded_original_maps = ( new_RE(@keep_decoded_types) );
# Banned-name rules.  new_RE is a first-match lookup, so the explicit allow
# entries (the "[ re => 0 ]" pairs) must stay ahead of the blocking patterns.
my @banned_name_rules = (
    [ qr'^\.(exe-ms|dll)$' =>0 ],      # allow: banned file(1) types, rudimentary
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],   # allow anything inside Unix-type archives
    qr'.\.(pif|scr)$'i,                # banned extensions - rudimentary
    # MIME types to block
    qr'^application/x-msdownload$'i,
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # certain double extensions in file names
    qr'\.[^./]*[A-Za-z][^./]*\.\s*(vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    qr'.\.(vbs|pif|scr|cpl)$'i,        # banned extension - basic
);
$banned_filename_re = new_RE(@banned_name_rules);
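# Sender-based score adjustments: a by-recipient hash lookup table; results
# from all matching recipient tables are summed.
#
# Fix: the mailing-list archive rewrote every '@' in the hash keys below as
# ' at ', which made them plain strings that can never match a sender
# address; the '@' is restored so the entries match again.
#
# Keep the negative (whitelisting) bonuses modest: a sender address is
# chosen by the sender, so anything in this table can be imitated.
@score_sender_maps = ({
    ## site-wide opinions about senders (the '.' matches any recipient)
    '.' => [   # the _first_ matching sender determines the score boost
        # regexp-type lookup table; all of these are soft-blacklist entries
        new_RE(
            [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
            [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
            [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
            [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i    => 5.0],
            [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i   => 5.0],
            [qr'^(your_friend|greatoffers)@'i                                 => 5.0],
            [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                     => 5.0],
        ),
        # hash-type lookup table (associative array); keys are lower-cased
        # addresses or domains (a leading dot matches the domain and subdomains)
        {
            # soft-whitelisting (negative score)
            'nobody@cert.org'                             => -3.0,
            'cert-advisory@us-cert.gov'                   => -3.0,
            'owner-alert@iss.net'                         => -3.0,
            'slashdot@slashdot.org'                       => -3.0,
            'securityfocus.com'                           => -3.0,
            'ntbugtraq@listserv.ntbugtraq.com'            => -3.0,
            'security-alerts@linuxsecurity.com'           => -3.0,
            'mailman-announce-admin@python.org'           => -3.0,
            'amavis-user-admin@lists.sourceforge.net'     => -3.0,
            'amavis-user-bounces@lists.sourceforge.net'   => -3.0,
            'spamassassin.apache.org'                     => -3.0,
            'notification-return@lists.sophos.com'        => -3.0,
            'owner-postfix-users@postfix.org'             => -3.0,
            'owner-postfix-announce@postfix.org'          => -3.0,
            'owner-sendmail-announce@lists.sendmail.org'  => -3.0,
            'sendmail-announce-request@lists.sendmail.org'=> -3.0,
            'donotreply@sendmail.org'                     => -3.0,
            'ca+envelope@sendmail.org'                    => -3.0,
            'noreply@freshmeat.net'                       => -3.0,
            'owner-technews@postel.acm.org'               => -3.0,
            'ietf-123-owner@loki.ietf.org'                => -3.0,
            'cvs-commits-list-admin@gnome.org'            => -3.0,
            'rt-users-admin@lists.fsck.com'               => -3.0,
            'clp-request@comp.nus.edu.sg'                 => -3.0,
            'surveys-errors@lists.nua.ie'                 => -3.0,
            'emailnews@genomeweb.com'                     => -5.0,
            'yahoo-dev-null@yahoo-inc.com'                => -3.0,
            'returns.groups.yahoo.com'                    => -3.0,
            'clusternews@linuxnetworx.com'                => -3.0,
            lc('lvs-users-admin@LinuxVirtualServer.org')  => -3.0,
            lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
            # soft-blacklisting (positive score)
            'sender@example.net' => 3.0,
            '.example.net'       => 1.0,
        },
    ],   # end of site-wide tables
});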
# Decoders, tried in this order by content type.  Each entry is
# [ type, handler, optional program or list of alternative programs ... ].
my $ascii_decoder = \&do_ascii;
@decoders = (
    ['mail', \&do_mime_decode],
    # plain-text encodings all share one handler
    ['asc',  $ascii_decoder],
    ['uue',  $ascii_decoder],
    ['hqx',  $ascii_decoder],
    ['ync',  $ascii_decoder],
    # single-file compressors; the first program found in the list is used
    ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat']],
    ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat']],
    ['gz',   \&do_uncompress, 'gzip -d'],
    ['gz',   \&do_gunzip],          # fallback when no external gzip is found
    ['bz2',  \&do_uncompress, 'bzip2 -d'],
    ['lzo',  \&do_uncompress, 'lzop -d'],
    ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio']],
    # archives
    ['cpio', \&do_pax_cpio, ['pax', 'gcpio', 'cpio']],
    ['tar',  \&do_pax_cpio, ['pax', 'gcpio', 'cpio']],
    ['deb',  \&do_ar, 'ar'],
    ['zip',  \&do_unzip],
    ['7z',   \&do_7zip, ['7zr', '7za', '7z']],
    ['rar',  \&do_unrar, ['rar', 'unrar']],
    ['arj',  \&do_unarj, ['arj', 'unarj']],
    ['arc',  \&do_arc, ['nomarch', 'arc']],
    ['zoo',  \&do_zoo, ['zoo', 'unzoo']],
    ['lha',  \&do_lha, 'lha'],
    ['cab',  \&do_cabextract, 'cabextract'],
    ['tnef', \&do_tnef_ext, 'tnef'],
    ['tnef', \&do_tnef],            # built-in fallback
    # self-extracting executables: try each archiver in turn
    ['exe',  \&do_executable, ['rar', 'unrar'], 'lha', ['arj', 'unarj']],
);
# Virus scanners.  ClamAV reports the virus name as "...: NAME FOUND"; the
# capture below extracts NAME and skips the generic "Infected Archive" line.
my $clamav_ok_re    = qr/\bOK$/;
my $clamav_found_re = qr/\bFOUND$/;
my $clamav_name_re  = qr/^.*?: (?!Infected Archive)(.*) FOUND$/;

# Primary: clamd over its unix socket.
@av_scanners = (
    ['ClamAV-clamd',
     \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
     $clamav_ok_re, $clamav_found_re, $clamav_name_re],
);

# Backup, used only when the primary scanner is unavailable:
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
@av_scanners_backup = (
    ['ClamAV-clamscan', 'clamscan',
     "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
     [0], qr/:.*\sFOUND$/, $clamav_name_re],
);

1;   # the config file must return a true value
### END OF CONFIG ###
Sergey