Incoming mail with faked sender domain is being DKIM signed
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Thu Nov 23 16:10:36 CET 2017
Incoming mail with faked sender domain is being DKIM signed
(config attached)
Log excerpt:
Nov 23 16:06:17 mail-cbf postfix/cleanup[21682]: 3yjN2134FHz20lGg: info: header From: Ingo Fietze <ingo.fietze at charite.de> from www.arschkrebs.de[213.239.204.119]; from=<root at arschkrebs.de> to=<ralf.hildebrandt at charite.de> proto=ESMTP helo=<www.arschkrebs.de>
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) 2822.From: <ingo.fietze at charite.de>, 2821.Mail_From: <root at arschkrebs.de>
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) wbl: checking sender <root at arschkrebs.de>, <ingo.fietze at charite.de>
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) lookup [blacklist_sender<ingo.fietze at charite.de>,blacklist_sender] => undef, "ingo.fietze at charite.de" does not match
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) lookup [whitelist_sender<ingo.fietze at charite.de>,whitelist_sender] => undef, "ingo.fietze at charite.de" does not match
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) lookup [score_sender<ingo.fietze at charite.de>] => undef, "ingo.fietze at charite.de" does not match
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) dkim: candidate originators: From:<ingo.fietze at charite.de>,mail_from:<root at arschkrebs.de>
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) lookup[dkim_signature_options_bysender], 1 matches for "ingo.fietze at charite.de", results: "."=>{c=>"relaxed/simple",ttl=>"1814400"}
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) dkim: signing (author), From: <ingo.fietze at charite.de> (From:<ingo.fietze at charite.de>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>charite.de, s=>feb2017, ttl=>1814400, x=>1513263978
grepping for the IP:
Nov 23 16:06:17 mail-cbf amavis[22303]: policy protocol: client_address=213.239.204.119
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) lookup_ip_acl (client_ipaddr_policy) arr.obj: key="213.239.204.119", no match
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) lookup_ip_acl (public_nets) arr.obj: key="213.239.204.119" matches "::ffff:0:0/96", result=1
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) trace: AM.PDP://x < 213.239.204.119 < x
Nov 23 16:06:17 mail-cbf amavis[22303]: (22303-10) Checking: A_N-Dqt64l98 AM.PDP-SOCK [213.239.204.119] <root at arschkrebs.de> -> <ralf.hildebrandt at charite.de>
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) Passed CLEAN{AcceptedInternal}, AM.PDP-SOCK LOCAL [213.239.204.119] [213.239.204.119] <root at arschkrebs.de> -> <ralf.hildebrandt at charite.de>, Queue-ID: 3yjN2134FHz20lGg, Message-ID: <20171123150616.4A52BA86D3 at www.arschkrebs.de>, mail_id: A_N-Dqt64l98, Hits: -1.876, size: 587, dkim_new=feb2017:charite.de, 2937 ms
The IP "213.239.204.119" is NOT in mynetworks, so why is this mail
being signed?
Config attached
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
-------------- next part --------------
use strict;
# a minimalistic configuration file for amavisd-new with all necessary settings
#
# (see amavisd.conf-default for a list of all variables with their defaults)
# (see amavisd.conf-sample for a traditional-style commented file)
# COMMONLY ADJUSTED SETTINGS:
# @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code
$allowed_added_header_fields{lc('Received')} = 0;
$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;
$max_servers = 64; # number of pre-forked children (2..15 is common)
$daemon_user = 'amavis'; # (no default; customary: vscan or amavis)
$daemon_group = 'amavis'; # (no default; customary: vscan or amavis)
$mydomain = 'charite.de'; # a convenient default for other settings
$MYHOME = '/var/amavis'; # a convenient default for other settings
$TEMPBASE = "$MYHOME"; # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR
$QUARANTINEDIR = undef;
#$virus_scanners_failure_is_fatal = 1;
# $daemon_chroot_dir = $MYHOME; # chroot directory or undef
# $db_home = "$MYHOME/db";
# $helpers_home = "$MYHOME/var"; # prefer $MYHOME clean and owned by root?
$pid_file = "$MYHOME/amavisd.pid"; # after-default
# $lock_file = "$MYHOME/var/amavisd.lock";
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
@local_domains_maps = ( [ ".$mydomain" ], read_hash('/etc/postfix/virtual_domains.proto'), read_hash('/etc/postfix/relay_domains.proto') );
@mynetworks = qw( 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 141.42.0.0/16 193.175.72.0/24 193.175.74.0/24 193.175.75.0/24 193.175.174.0/24 194.94.4.0/23 );
$log_level = 3; # verbosity 0..5
$sa_debug = 'TxRep,auto-whitelist';
$nanny_details_level = 2;
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.debug';
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
dkim_key('charite.de', 'feb2017', '/etc/ssl/private/2017.private.pem');
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, needs keys in dkim_key()
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@listen_sockets = (
# pre-queue, MTA to MTA
"$MYHOME/amavisd.sock"
);
# Which policy bank do we route specific IPs/networks into?
@client_ipaddr_policy = (
\@mynetworks => 'MYNETS'
);
# Which policy bank do we route the @listen_sockets into?
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
# milter policy for MTA-to-MTA traffic
$policy_bank{'AM.PDP-SOCK'} = {
protocol => 'AM.PDP',
notify_method => 'smtp:127.0.0.1:10027',
auth_required_release => 0,
};
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
};
$mail_digest_algorithm = 'SHA256';
$mail_part_digest_algorithm = 'SHA256';
# ALT RHI 14.4.17
#$sa_tag_level_deflt = -3.0; # add spam info headers if at, or above that level
#$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
#$sa_dsn_cutoff_level = 6.9; # spam level beyond which a DSN is not sent
#$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
#$sa_quarantine_cutoff_level = 13.8; # spam level beyond which quarantine is off
$sa_tag_level_deflt = 0.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.4; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.8; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
$sa_quarantine_cutoff_level = 6.8; # spam level beyond which quarantine is off
$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
#$sa_tag_level_deflt = 0.0; # add spam info headers if at, or above that level
#$sa_tag2_level_deflt = 4.5; # add 'spam detected' headers at that level
#$sa_kill_level_deflt = 18.0; # triggers spam evasive actions
#$sa_dsn_cutoff_level = 50.0; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
$remove_existing_x_scanned_headers= 1;
$remove_existing_spam_headers = 1;
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
$virus_admin = ""; # notifications recip.
$bad_header_admin = ""; # notifications recip.
$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_spamadmin = "postmaster\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
#$recipient_delimiter = '';
#@addr_extension_virus_maps = ('');
#@addr_extension_spam_maps = ('');
#@addr_extension_banned_maps = ('');
#@addr_extension_bad_header_maps = ('');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file'; # file(1) utility; use recent versions
# For backward compatibility the @decoders list defaults to use of legacy
# variables $gzip, $bzip2, $lzop, ... It is cleaner to explicitly assign
# a list to @decoders in amavisd.conf and directly specify program paths,
# without indirections through legacy variables $gzip, etc.
#
# $gzip = $bzip2 = $lzop = $rpm2cpio = undef;
# $uncompress = $unfreeze = $arc = $unarj = $unrar = undef;
# $zoo = $lha = $pax = $cpio = $cabextract = undef;
#
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$rpm2cpio = ['rpm2cpio.pl','rpm2cpio'];
$cabextract = 'cabextract';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
#$unarj = ['arj', 'unarj'];
$unrar = ['rar', 'unrar'];
$zoo = 'zoo';
$lha = 'lha';
$pax = 'pax';
$cpio = ['gcpio','cpio'];
$ar = 'ar';
$ripole = 'ripole';
$dspam = 'dspam';
@decoders = (
['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii], # not safe
['F', \&do_uncompress, \$unfreeze],
['Z', \&do_uncompress, \$uncompress],
['gz', \&do_uncompress, \$gunzip],
['gz', \&do_gunzip],
['bz2', \&do_uncompress, \$bunzip2],
['xz', \&do_uncompress,
['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
['lzma', \&do_uncompress,
['lzmadec', 'xz -dc --format=lzma',
'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
['lrz', \&do_uncompress,
['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
['lzo', \&do_uncompress, \$unlzop],
['rpm', \&do_uncompress, \$rpm2cpio],
[['cpio','tar'], \&do_pax_cpio, \$pax],
# ['tar', \&do_tar], # no longer supported
['deb', \&do_ar, \$ar],
# ['a', \&do_ar, \$ar], # unpacking .a seems an overkill
['rar', \&do_unrar, \$unrar],
['arj', \&do_unarj, \$unarj],
['arc', \&do_arc, \$arc],
['zoo', \&do_zoo, \$zoo],
['doc', \&do_ole, \$ripole],
['cab', \&do_cabextract, \$cabextract],
['tnef', \&do_tnef_ext, \$tnef],
['tnef', \&do_tnef],
# ['lha', \&do_lha, \$lha], # not safe, use 7z instead
# ['sit', \&do_unstuff, \$unstuff], # not safe
# [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
[['zip','kmz'], \&do_unzip],
['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
[[qw(7z zip gz bz2 Z tar)],
\&do_7zip, ['7za', '7z'] ],
[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
\&do_7zip, '7z' ],
['exe', \&do_executable, \$unrar, \$lha, \$unarj],
);
#$os_fingerprint_method = 'p0f:127.0.0.1:2345';
# with this, amavisd-new talks to p0f, a passive OS fingerprinting
# service, to find out which OS delivered the mail
$MAXLEVELS = 30;
$MAXFILES = 6000;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 200*1024*1024; # bytes (default undef, not enforced)
$allow_preserving_evidence = 0;
$sa_spam_subject_tag = '[SPAM] ';
$allowed_added_header_fields{lc('X-Spam-Report')} = 1;
$defang_virus = 0; # MIME-wrap passed infected mail
$defang_banned = 0; # MIME-wrap passed mail containing banned name
# OTHER MORE COMMON SETTINGS (defaults may suffice):
$myhostname = 'mail-cbf.charite.de'; # must be a fully-qualified domain name!
$notify_method = 'smtp:*:10027';
$forward_method = 'smtp:*:*';
$final_virus_destiny = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_REJECT;
$final_bad_header_destiny = D_PASS;
# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#$warnbannedrecip = 1; # (defaults to false (undef))
# better not to warn!
$notify_virus_recips_templ= read_text("/etc/notify_virus_recips.txt");
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
@spam_lovers_maps = ( [ 'abuse at charite.de', 'spamtrap at charite.de', 'hamtrap at charite.de','hamtrap at mail-cbf-int.charite.de', 'spamtrap at mail-cbf-int.charite.de', 'hamtrap at mail-cbf.charite.de', 'spamtrap at mail-cbf.charite.de', 'zentraler-rechnungseingang at charite.de' ] );
@virus_lovers_maps = ( [ 'hamtrap at charite.de' ] );
@bypass_spam_checks_maps = ( [ 'abuse at charite.de', 'spamtrap at charite.de', 'hamtrap at charite.de', 'hamtrap at mail-cbf.charite.de', 'spamtrap at mail-cbf.charite.de','hamtrap at mail-cbf-int.charite.de', 'spamtrap at mail-cbf-int.charite.de' ] );
@banned_files_lovers_maps = ( [ 'copra at charite.de' ] );
# @blacklist_sender_maps, @score_sender_maps,
#
# $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam
#$warnbannedsender = 1;
# better not to warn!
$warn_offsite = 0;
$virus_quarantine_to = 'virus at backup.invalid';
$banned_quarantine_to = 'banned at backup.invalid';
$bad_header_quarantine_to = undef;
$spam_quarantine_to = 'spam at backup.invalid';
$undecipherable_subject_tag = undef;
$first_infected_stops_scan = 0;
# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr'^(WM97|OF97|Joke\.)'i => 0], # adjust names to match your AV scanner
[qr/.*/ => 1], # true for everything else
));
#@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
# qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
# qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
#));
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll|javascript)$', # banned file(1) types, rudimentary
qr'^\.(js|vb|bat|cmd)$', # block JS anywhere RHI 9.12.15
### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
[ qr'^\.(7z)$' => 0 ], # allow any in 7z-archives
# qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
# qr'^\.zip$', # block zip type
# block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
# REMOVED Ralf 12.9.13 qr'^\.(exe|lha|dll)$', # banned file(1) types
# qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'^application/javascript$'i,
qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i, # rfc2046 MIME type
# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type
# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
qr'.\.(js|386|ace|bat|chm|cpl|cmd|com|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|wri|wsf|xl)$'i, # banned extension - CHARITE
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|vb|
# vbe|vbs|wsc|wsf|wsh|
# app|fxp|prg|mdw|mdt|ops)$'ix, # banned extension - long
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1 at example.com' => [{'bla-mobile.press at example.com' => 10.0}],
# 'user3 at example.com' => [{'.ebay.com' => -3.0}],
# 'user4 at example.com' => [{'cleargreen at cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)
'.' => [ # the _first_ matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
[qr'meltwaternews.com'i => -20.0],
),
{ # a hash-type lookup table (associative array)
'do-not-reply at cedis.fu-berlin.de' => -100.0,
'OEM at s-oem13charite.de' => -20.0,
'ausleihe at ub.fu-berlin.de' => -20.0,
'www-data at ga29469prod.robartsinc.com' => -100.0,
'basware-ip at charite.de' => -10.0,
'owner-sexnet at LISTSERV.IT.NORTHWESTERN.EDU' => -5.0,
'samuel.bayer at ipu-berlin.de' => -3.0,
'karsten.schluens at charite.de' => -10.0,
'carlos.otten at minex.de' => -10.0,
'Ludwig.kramer at meduniwien.ac.at' => -3.0,
'sankt-gertrauden.de' => -3.0,
'info at net4meds.org' => -3.0,
'root at outpost.stahl.bau.tu-bs.de' => -3.0,
'nobody at cert.org' => -3.0,
'cert-advisory at us-cert.gov' => -3.0,
'owner-alert at iss.net' => -3.0,
'slashdot at slashdot.org' => -3.0,
'bugtraq at securityfocus.com' => -3.0,
'ntbugtraq at listserv.ntbugtraq.com' => -3.0,
'security-alerts at linuxsecurity.com' => -3.0,
'mailman-announce-admin at python.org' => -3.0,
'amavis-user-admin at lists.sourceforge.net'=> -3.0,
'notification-return at lists.sophos.com' => -3.0,
'owner-postfix-users at postfix.org' => -3.0,
'owner-postfix-announce at postfix.org' => -3.0,
'owner-sendmail-announce at lists.sendmail.org' => -3.0,
'sendmail-announce-request at lists.sendmail.org' => -3.0,
'donotreply at sendmail.org' => -3.0,
'ca+envelope at sendmail.org' => -3.0,
'noreply at freshmeat.net' => -3.0,
'owner-technews at postel.acm.org' => -3.0,
'ietf-123-owner at loki.ietf.org' => -3.0,
'cvs-commits-list-admin at gnome.org' => -3.0,
'rt-users-admin at lists.fsck.com' => -3.0,
'clp-request at comp.nus.edu.sg' => -3.0,
'surveys-errors at lists.nua.ie' => -3.0,
'emailnews at genomeweb.com' => -5.0,
'yahoo-dev-null at yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews at linuxnetworx.com' => -3.0,
'swr at seqtools.dk' => -5.0,
lc('lvs-users-admin at LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
'sender at example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
@spam_scanners = (
['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
['CRM114', 'Amavis::SpamControl::ExtProg', 'crm',
[ qw(-u /home/crm114/.crm114 mailreaver.crm
--dontstore --report_only --stats_only
--good_threshold=8 --spam_threshold=-8) ],
learn_ham => [ qw(-u /home/crm114/.crm114 mailreaver.crm --good) ],
learn_spam => [ qw(-u /home/crm114/.crm114 mailreaver.crm --spam) ],
mail_body_size_limit => 150000,
score_factor => -0.20,
lock_file => '/var/amavis/crm114.lock',
lock_type => 'shared',
learner_lock_type => 'exclusive'
]
);
@av_scanners = (
### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["MULTISCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
### http://www.grisoft.com/
# ['AVG Anti-Virus',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:54322'],
# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ],
#403 File 'file' infected: 'Virus identified EICAR_Test'
#403 File 'Vorderung nach Vertrag 12.06.2012.com' infected: 'Trojan horse Generic28.BQHZ'
# ['Avira SAVAPI',
# \&ask_daemon, ["*", 'savapi:/var/run/avmailgate/scanner', '30000'],
# qr/^(200|210)/m, qr/^(310|420|319)/m,
# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ],
# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1
# NOTE: run clamd under the same user as amavisd, or run it under its own
# uid such as clamav, add user clamav to the amavis group, and then add
# AllowSupplementaryGroups to clamd.conf;
# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],
# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],
### http://www.eset.com/, version 3.0
# ['ESET Software ESETS Command Line Interface',
# ['/usr/bin/esets_cli', 'esets_cli'],
# '--subdir {}', [0], [1,2,3],
# qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
### http://www.kaspersky.com/ (in the 'file server version')
# ['KasperskyLab AVP - aveclient',
# ['/opt/kav/bin/aveclient','aveclient'],
# '-p /var/amavis/aveserver -s {}/*',
# [0,3,6,8],
# qr/\bINFECTED\b/,
# qr/INFECTED (.+)/,
# ],
# ### http://www.nod32.com/
# ['ESET Software NOD32', 'nod32',
# '-all -subdir+ {}', [0], [1,2],
# qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
# qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],
);
@av_scanners_backup = (
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
# ['ClamAV-clamscan', 'clamscan',
# "--stdout -r --tempdir=$TEMPBASE {}", [0], [1],
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
#
# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
# [0,2], qr/Virus .*? found/,
# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
# ],
# # other options to consider: -mime -oe -idedir=/usr/local/sav
# always succeeds (uncomment to consider mail clean if all other scanners fail)
# ['always-clean', sub {0}],
);
@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
[ qr'^Structured\.(SSN|CreditCardNumber)\b' => 3.5 ],
[ qr'^(Heuristics\.)?Phishing\.' => 3.5 ],
[ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 3.5 ],
[ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
[ qr'^Sanesecurity\.Junk\.' => 7.0 ],
[ qr'^Sanesecurity\.Scam' => 7.0 ],
[ qr'^Sanesecurity\.Spam\.' => 7.0 ],
[ qr'^Sanesecurity\.Spam4\.' => 7.0 ],
[ qr'^Sanesecurity\.SpamL\.' => 7.0 ],
[ qr'^Sanesecurity\.Jurlbl\.' => 7.0 ],
[ qr'^Sanesecurity\.Phishing\.' => 7.0 ],
[ qr'^Sanesecurity\.' => 3.5 ],
[ qr'^Sanesecurity_PhishBar_' => 0 ],
[ qr'^Sanesecurity.TestSig_' => 0 ],
[ qr'^Doppelstern\.(Scam4|Phishing)' => 7.0 ],
[ qr'^Doppelstern\.Hoax\.' => 7.0 ],
[ qr'^Doppelstern\.Lott\.' => 7.0 ],
[ qr'^Doppelstern\.Loan\.' => 7.0 ],
[ qr'^Doppelstern\.Junk\.' => 7.0 ],
[ qr'^Doppelstern\.' => 3.5 ],
[ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
[ qr'^Email\.Spammail\b' => 7.0 ],
[ qr'^Email\.Phishing' => 7.0 ],
[ qr'^MSRBL-(Images|SPAM)\b' => 3.5 ],
[ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 3.5 ],
[ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 3.5 ],
[ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 3.5 ],
[ qr'^Safebrowsing\.' => 3.5 ],
[ qr'^winnow\.(phish|spam)\.' => 7.0 ],
[ qr'^INetMsg\.SpamDomain' => 3.5 ],
[ qr'^ScamNailer\.Phish\.' => 7.0 ],
[ qr'^ScamNailer\.' => 3.5 ],
[ qr'^HTML/Bankish' => 3.5 ], # F-Prot
[ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
[ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives
[ qr'^MBL_' => undef ], # keep as infected
));
#AV:Sanesecurity.Junk.40073.UNOFFICIAL=0.1
# Sanesecurity http://www.sanesecurity.co.uk/
# MSRBL- http://www.msrbl.com/site/contact
# MBL http://www.malware.com.br/index.shtml
# -SecuriteInfo.com http://clamav.securiteinfo.com/malwares.html
# define rules
%banned_rules = (
'RECHNUNG' => new_RE(
[qr'^\.smime$'i => 0],
[qr'\.pdf$'i => 0],
[qr'\.(txt|gif|jpg|png|bmp|vcf|p7s)$'i => 0],
[qr'^\.asc$'i => 0],
[qr'image/'i => 0],
[qr'application/pdf'i => 0],
[qr'application/pkcs7-signature'i => 0],
[qr'text/plain'i => 0],
[qr'text/html'i => 0],
[qr'text/enriched'i => 0],
qr'^'
),
'DEFAULT' => $banned_filename_re,
);
# recipient to rule mapping
@banned_filename_maps = (
{
'zentraler-rechnungseingang at charite.de' => 'RECHNUNG',
'.' => 'DEFAULT',
},
);
1; # insure a defined return
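An added example, written for this page and not part of Ralf's post or of amavisd itself: a small log checker that pulls the facts the excerpt above already contains (the `dkim: signing` line and the `Passed ... [client-ip] <envelope-from> -> <rcpt>, ... dkim_new=selector:domain` summary line) and flags every task where a DKIM signature for a local domain was added although the SMTP client is outside `@mynetworks` (the list is copied from the attached config), the `MYNETS` policy bank does not appear in the summary line, or the `From:` domain differs from the envelope sender domain. The sample log is constructed from the excerpt (with the archive's ` at ` restored to `@`) plus one made-up outbound message from inside `@mynetworks` as a control; the second task's queue and mail ids are placeholders.

```python
"""Flag amavisd DKIM-signing events for mail that did not come from @mynetworks.

Added example (not from the original post). It parses amavisd log lines and
reports tasks where a local-domain signature was added although the client
is foreign to @mynetworks, MYNETS was not loaded, or From: != envelope domain.
"""
import ipaddress
import re

# @mynetworks exactly as in the attached amavisd.conf
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "141.42.0.0/16",
    "193.175.72.0/24", "193.175.74.0/24", "193.175.75.0/24",
    "193.175.174.0/24", "194.94.4.0/23",
)]

# "(task) dkim: signing (author), From: <addr> ... d=>charite.de, s=>feb2017"
SIGN_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) dkim: signing \((?P<kind>\w+)\), "
    r"From: <(?P<author>[^>]*)>.*?\bd=>(?P<domain>[^,]+), s=>(?P<selector>[^,]+)")

# "(task) Passed CLEAN{...}, AM.PDP-SOCK LOCAL [ip] [ip] <env-from> -> <rcpt>, ..."
SUMMARY_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>Passed|Blocked) (?P<ccat>[^,]+), "
    r"(?P<tags>[^\[]*)\[(?P<ip>[^\]]+)\].*?<(?P<env_from>[^>]*)> -> <(?P<rcpt>[^>]*)>")
DKIM_NEW_RE = re.compile(r"dkim_new=([^,\s]+)")

# Constructed sample: task 22303-10 is the excerpt from the post, task 22303-11
# is an invented outbound mail from inside @mynetworks used as a control.
SAMPLE_LOG = """\
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) dkim: signing (author), From: <ingo.fietze@charite.de> (From:<ingo.fietze@charite.de>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>charite.de, s=>feb2017, ttl=>1814400, x=>1513263978
Nov 23 16:06:20 mail-cbf amavis[22303]: (22303-10) Passed CLEAN{AcceptedInternal}, AM.PDP-SOCK LOCAL [213.239.204.119] [213.239.204.119] <root@arschkrebs.de> -> <ralf.hildebrandt@charite.de>, Queue-ID: 3yjN2134FHz20lGg, Message-ID: <20171123150616.4A52BA86D3@www.arschkrebs.de>, mail_id: A_N-Dqt64l98, Hits: -1.876, size: 587, dkim_new=feb2017:charite.de, 2937 ms
Nov 23 16:07:02 mail-cbf amavis[22303]: (22303-11) dkim: signing (author), From: <someone@charite.de> (From:<someone@charite.de>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>charite.de, s=>feb2017, ttl=>1814400, x=>1513264022
Nov 23 16:07:02 mail-cbf amavis[22303]: (22303-11) Passed CLEAN{AcceptedOutbound}, AM.PDP-SOCK MYNETS [141.42.10.20] [141.42.10.20] <someone@charite.de> -> <friend@example.org>, Queue-ID: PLACEHOLDER-QID, Message-ID: <constructed@mail-cbf.charite.de>, mail_id: PLACEHOLDER-MID, Hits: -1.0, size: 900, dkim_new=feb2017:charite.de, 1200 ms
"""


def in_mynetworks(ip):
    """True if the client address falls into any @mynetworks prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def domain_of(addr):
    return addr.rpartition("@")[2].lower() if addr and "@" in addr else None


def collect_tasks(log_text):
    """Group per amavisd task id: signing author, client IP, envelope sender, tags."""
    tasks = {}
    for line in log_text.splitlines():
        m = SIGN_RE.search(line)
        if m:
            t = tasks.setdefault(m["task"], {})
            t.update(author=m["author"], sign_domain=m["domain"], selector=m["selector"])
            continue
        m = SUMMARY_RE.search(line)
        if m:
            t = tasks.setdefault(m["task"], {})
            t.update(client_ip=m["ip"], env_from=m["env_from"], tags=m["tags"].split())
            d = DKIM_NEW_RE.search(line)
            if d:
                t["dkim_new"] = d.group(1)
    return tasks


def analyse(log_text):
    """Return [(task_id, [reason, ...])] for each signed message that looks foreign."""
    findings = []
    for task, t in sorted(collect_tasks(log_text).items()):
        if "dkim_new" not in t and "sign_domain" not in t:
            continue  # nothing was signed for this task
        ip = t.get("client_ip")
        if ip is None:
            continue  # no summary line seen, cannot judge the client
        reasons = []
        if not in_mynetworks(ip):
            reasons.append(f"client {ip} is outside @mynetworks")
        if "MYNETS" not in t.get("tags", []):
            reasons.append("MYNETS policy bank does not appear in the summary line")
        a_dom, e_dom = domain_of(t.get("author")), domain_of(t.get("env_from"))
        if a_dom and e_dom and a_dom != e_dom:
            reasons.append(f"From: domain {a_dom} differs from envelope sender domain {e_dom}")
        if reasons:
            findings.append((task, reasons))
    return findings


if __name__ == "__main__":
    for task, reasons in analyse(SAMPLE_LOG):
        print(f"task {task}: signed mail looks foreign")
        for r in reasons:
            print(f"  - {r}")
```

Run against the real mail log (`analyse(open("/var/log/mail.log").read())`) it isolates exactly the case asked about: the signing decision is visible in the log, so the checker tells you which tasks to look at without explaining why amavisd took them; that still has to come from the policy-bank and originating settings.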