AW: Spam issues and how to overcome them
Andrea Soliva
andrea.soliva at comcept.ch
Sat Aug 6 10:08:24 CEST 2016
Hi
What I can recommend, based on CentOS 6, is postscreen, which is really nice. Unfortunately "postscreen" is only available with CentOS 7, because "postscreen" is only supported from Postfix version 2.8 onwards. Use postscreen only on port 25 and disable TLS etc. There are also different technologies available which prevent spam as much as possible, and I'm fully satisfied. Below you see some of them and how to implement them; it is only a part of all the stuff you can do, but for me these are the most important ones.
Please keep in mind: do not implement everything at once. Do step-by-step implementations, because every installation is different. If you implement some restrictions in postfix, use the restriction in a first step with "warn_if_reject", which means: the restriction is evaluated but no reject happens; instead a log entry is generated. This means also, if you use HELO restrictions, you can use the following:
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname
If you would do so, your clients could not log in anymore and would be rejected, because the HELO check "reject_non_fqdn_hostname" rejects them: if an Outlook client is connecting, it can be that the client does not deliver the FQDN of the provider's IP, but instead the HOSTNAME of the client itself. To not run into this you can use:
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname
This means also: go step by step... use "warn_if_reject" to analyse the stuff and find out if it will break something! Every installation is a little bit different etc.
STEP 1 POSTSCREEN FOR POSTFIX ON PORT 25 ONLY
Look that you have defined within main.cf your local network, so that postscreen is not used for "mynetworks" (permit_mynetworks):
# mkdir /var/spool/postfix/data
# chown postfix:root /var/spool/postfix/data
# chmod 700 /var/spool/postfix/data
# vi /etc/postfix/postscreen_white-blacklist
--------------- /etc/postfix/postscreen_white-blacklist ---------------
# Use following to whitelist/blacklist based on cidr
#
#xxx.xxx.xxx.xxx/xx permit # don't do any further postscreen tests
#xxx.xxx.xxx.xxx/xx dunno  # don't do anything and proceed to next stage
#xxx.xxx.xxx.xxx/xx reject # launch action based on postscreen_blacklist_action
--------------- /etc/postfix/postscreen_white-blacklist ---------------
# vi /etc/postfix/postscreen_dnsbl_reply
--------------- /etc/postfix/postscreen_dnsbl_reply ---------------
############################################################################
# Secret DNSBL name in postscreen(8) replies
#
#<your-spamhaus-license-key>.zen.spamhaus.org
zen.spamhaus.org
--------------- /etc/postfix/postscreen_dnsbl_reply ---------------
# vi /etc/postfix/main.cf
--------------- /etc/postfix/main.cf ---------------
# USE POSTSCREEN for postfix 2.8 and higher
#
# http://www.postfix.org/POSTSCREEN_README.html
# http://www.postfix.org/postscreen.8.html
# The Postfix postscreen(8) daemon provides additional protection
# against mail server overload. One postscreen(8) process handles
# multiple inbound SMTP connections, and decides which clients may
# talk to a Postfix SMTP server process. By keeping spambots away,
# postscreen(8) leaves more SMTP server processes available for
# legitimate clients, and delays the onset of server overload
# conditions.
#
# To activate postscreen, deactivate within master.cf the default
# entry "smtp inet n - n - - smtpd" and activate postscreen:
#
# #smtp      inet  n       -       n       -       -       smtpd
#
# # To be used for postscreen
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# #tlsproxy  unix  -       -       n       -       0       tlsproxy
# dnsblog   unix  -       -       n       -       0       dnsblog
#
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_white-blacklist
# When postscreen(8) listens on both primary and backup MX addresses, the
# postscreen_whitelist_interfaces parameter can be configured to give the
# temporary whitelist status only when a client connects to a primary MX
# address. Once a client is whitelisted it can talk to a Postfix SMTP
# server on any address. Thus, clients that connect only to backup MX
# addresses will never become whitelisted, and will never be allowed to
# talk to a Postfix SMTP server process.
#
postscreen_whitelist_interfaces = static:all
# prevent clients in mynetworks that do not behave correctly from being rejected
#
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:/var/spool/postfix/data/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
# default settings for postscreen
#
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
#postscreen_enforce_tls = $smtpd_enforce_tls
#postscreen_use_tls = $smtpd_use_tls
#postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_watchdog_timeout = 10s
#proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
#postscreen_upstream_proxy_protocol =
#postscreen_upstream_proxy_timeout = 5s
# The minimal value to reject a sender is defined with "postscreen_dnsbl_threshold".
# If a value of 3 is reached the sender will be rejected (default), but whitelisting
# will be considered too, with a negative score. This means the sender will be rejected
# if the positive score minus the negative score reaches the value defined for
# "postscreen_dnsbl_threshold".
#
# This will be logged as: "DNSBL rank [score] for [IPv4 Address]:[Source Port]"
#
# To enable a specific key/secret/answer for a dnsbl service use:
#
#postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 1h
#postscreen_dnsbl_min_ttl = 60s
#postscreen_dnsbl_max_ttl = 1h
postscreen_dnsbl_whitelist_threshold = 0
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
# DNSBL Blacklisting
    zen.spamhaus.org*3,
    bl.mailspike.net*3,
    b.barracudacentral.org*2,
    bl.spameatingmonkey.net,
    bl.spamcop.net,
    spamtrap.trblspam.com,
    dnsbl.sorbs.net=127.0.0.[2;3;6;7;10],
    ix.dnsbl.manitu.net,
    bl.blocklist.de,
# DNSBL Whitelisting
    list.dnswl.org=127.0.[0..255].0*-1,
    list.dnswl.org=127.0.[0..255].1*-2,
    list.dnswl.org=127.0.[0..255].[2..3]*-3,
    iadb.isipp.com=127.0.[0..255].[0..255]*-2,
    iadb.isipp.com=127.3.100.[6..200]*-2,
    wl.mailspike.net=127.0.0.[17;18]*-1,
    wl.mailspike.net=127.0.0.[19;20]*-2
--------------- /etc/postfix/main.cf ---------------
# vi /etc/postfix/master.cf
--------------- /etc/postfix/master.cf ---------------
#smtp      inet  n       -       n       -       -       smtpd
# To be used for postscreen for postfix 2.8 and higher
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
--------------- /etc/postfix/master.cf ---------------
Afterwards the "postfix" service must be restarted:
# systemctl restart postfix.service
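As an added illustration (not part of the original post), the following Python script models the DNSBL scoring that the main.cf comments above describe: it parses entries of the `postscreen_dnsbl_sites` form `domain=filter*weight`, adds each matching site's weight to a client's combined score, and compares the result to `postscreen_dnsbl_threshold`. The DNSBL replies are constructed test data, not real lookups, and the `postscreen_dnsbl_whitelist_threshold` shortcut is not modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the postscreen_dnsbl_sites list from the main.cf above.
DNSBL_SITES = """
zen.spamhaus.org*3, bl.mailspike.net*3, b.barracudacentral.org*2,
bl.spamcop.net,
dnsbl.sorbs.net=127.0.0.[2;3;6;7;10],
list.dnswl.org=127.0.[0..255].0*-1,
list.dnswl.org=127.0.[0..255].1*-2,
list.dnswl.org=127.0.[0..255].[2..3]*-3,
wl.mailspike.net=127.0.0.[17;18]*-1,
wl.mailspike.net=127.0.0.[19;20]*-2
"""

# One parsed entry: (domain, filter, weight). filter is None ("any non-error
# reply counts") or a tuple of four sets holding the permitted octet values.
Site = Tuple[str, Optional[Tuple[set, ...]], int]


def _octet_values(token: str) -> set:
    """Expand one filter octet: "5", "[2;3;6]" or "[0..255]" (lists and ranges may mix)."""
    if not (token.startswith("[") and token.endswith("]")):
        return {int(token)}
    values = set()
    for part in token[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    return values


def parse_sites(text: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value; entries are separated by comma or whitespace."""
    sites: List[Site] = []
    for entry in re.split(r"[,\s]+", text.strip()):
        if not entry:
            continue
        weight = 1                      # postscreen default when no *weight is given
        if "*" in entry:
            entry, weight_str = entry.split("*", 1)
            weight = int(weight_str)
        flt = None
        if "=" in entry:
            entry, filter_str = entry.split("=", 1)
            # Split into octets without breaking the ".." inside [a..b] ranges.
            octets = re.findall(r"\[[^\]]*\]|\d+", filter_str)
            if len(octets) != 4:
                raise ValueError("filter must have four octets: " + filter_str)
            flt = tuple(_octet_values(o) for o in octets)
        sites.append((entry, flt, weight))
    return sites


def reply_matches(flt: Optional[Tuple[set, ...]], reply: str) -> bool:
    """True when an A record such as "127.0.0.4" satisfies the site's filter."""
    if flt is None:
        return True
    octets = [int(o) for o in reply.split(".")]
    return len(octets) == 4 and all(o in allowed for o, allowed in zip(octets, flt))


def dnsbl_rank(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """Combined DNSBL score for one client.

    replies maps a DNSBL domain to the A records it returned for the client
    (absent or empty means "not listed"). Each configured entry contributes
    its weight at most once; negative weights are the whitelist entries.
    """
    score = 0
    for domain, flt, weight in sites:
        if any(reply_matches(flt, r) for r in replies.get(domain, [])):
            score += weight
    return score


def postscreen_decision(score: int, threshold: int = 3) -> str:
    """postscreen_dnsbl_action applies once the score reaches the threshold (3 above)."""
    return "enforce" if score >= threshold else "pass"


if __name__ == "__main__":
    sites = parse_sites(DNSBL_SITES)
    # Constructed replies: a client listed by Spamhaus and SpamCop ...
    bot = {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]}
    # ... and a client on dnswl.org (trust level 2) that one blacklist also lists.
    trusted = {"list.dnswl.org": ["127.0.5.2"], "b.barracudacentral.org": ["127.0.0.2"]}
    for name, rep in (("bot", bot), ("trusted", trusted)):
        s = dnsbl_rank(sites, rep)
        print(f"{name}: DNSBL rank {s} -> {postscreen_decision(s)}")
```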
STEP 2 USE SPF FOR POSTFIX
Use within DNS an SPF record. There are different possibilities; have a look below:
mydomain.ch. IN TXT "v=spf1 mx ip4:[Public IPv4 address of the mail server which sends mail out]/32 -all"
This means:
v=spf1 (SPF record)
mx (MX DNS entries)
ip4 (IPv4 CIDR)
-all (Fail)
For testing you should use in a first stage "~all" and change afterwards to "-all":
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral
Below the most usable parameters for the DNS record:
all     = "all"
include = "include" ":" domain-spec
A       = "a" [ ":" domain-spec ] [ dual-cidr-length ]
MX      = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
PTR     = "ptr" [ ":" domain-spec ]
IP4     = "ip4" ":" ip4-network [ ip4-cidr-length ]
IP6     = "ip6" ":" ip6-network [ ip6-cidr-length ]
exists  = "exists" ":" domain-spec
http://www.openspf.org/SPF_Record_Syntax
http://www.openspf.org/RFC_4408#examples
You can also create such records over a wizard available on some sites:
http://www.spfwizard.net/
http://www.mailradar.com/spf/
http://www.mtgsy.net/dns/spfwizard.php
https://www.dynu.com/NetworkTools/SPFGenerator
If you have your entry and all is up and running within DNS, you can check the stuff with the sites below:
http://www.kitterman.com/spf/validate.html
https://www.port25.com/authentication-checker/
Already in the first stage an SPF check is done through the "spf" rules in the spamassassin configuration, meaning whatever you have regarding "spf" in local.cf. The score is not hard and should also not be hard, because it is anyway only used in the second stage:
# vi /etc/mail/spamassassin/local.cf
--------------- /etc/mail/spamassassin/local.cf ---------------
## SPF score
#
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 0 0.919 0 0.001
score SPF_HELO_FAIL 0 0.001 0 0.001
score SPF_HELO_NEUTRAL 0 0.001 0 0.112
score SPF_HELO_SOFTFAIL 0 0.896 0 0.732
score SPF_NEUTRAL 0 0.652 0 0.779
score SPF_SOFTFAIL 0 0.972 0 0.665
score ENV_AND_HDR_SPF_MATCH -0.5
score USER_IN_SPF_WHITELIST -100.000
score USER_IN_DEF_SPF_WL -7.500
--------------- /etc/mail/spamassassin/local.cf ---------------
The SPF plug-in for spamassassin is already in place on CentOS, meaning it was installed as a dependency:
--> Processing Dependency: perl(Mail::SPF) for package: amavisd-new-2.10.1-4.el7.noarch
Install "spf" from scratch with a perl script:
# mkdir /root/spf
# cd /root/spf
# wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
# gzip -dc postfix-policyd-spf-perl-2.007.tar.gz | tar xvf -
# cd /root/spf/postfix-policyd-spf-perl-2.007
Copy the script to "/usr/libexec/postfix/" and adjust the rights so that "nobody" can reach it:
# cp -p /root/spf/postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/
# chown root:root /usr/libexec/postfix/postfix-policyd-spf-perl
# chmod 755 /usr/libexec/postfix/postfix-policyd-spf-perl
Check within the script that the shebang points to the right perl binary:
# which perl
/usr/bin/perl
# vi /usr/libexec/postfix/postfix-policyd-spf-perl
--------------- /usr/libexec/postfix/postfix-policyd-spf-perl ---------------
#!/usr/bin/perl
--------------- /usr/libexec/postfix/postfix-policyd-spf-perl ---------------
At the end of the master file add the following:
# vi /etc/postfix/master.cf
--------------- /etc/postfix/master.cf ---------------
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/libexec/postfix/postfix-policyd-spf-perl
--------------- /etc/postfix/master.cf ---------------
Now add the "unix:private/policy" service to the "smtpd_recipient_restrictions" in main.cf. Be careful that you define this policy AFTER the entry "reject_unauth_destination" (very important). If you do not, you run the danger of an open relay:
# vi /etc/postfix/main.cf
--------------- /etc/postfix/main.cf ---------------
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service unix:private/policy,
    check_policy_service unix:private/recipient_policy_incoming,
    check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
    check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
    check_client_access regexp:/etc/postfix/check_client_fqdn,
    permit
policy_time_limit = 3600
--------------- /etc/postfix/main.cf ---------------
# systemctl restart postfix.service
Check your "postfix" log:
# tail -f /var/log/postfix/postfix
--------------- /var/log/postfix/postfix ---------------
Jul 21 22:43:00 kolab postfix/smtpd[4768]: connect from mx3.also.com[194.115.88.35]
Jul 21 22:43:01 kolab postfix/policy-spf[4775]: : SPF pass (Mechanism 'mx' matched): Envelope-from: andrea.soliva at also.com
Jul 21 22:43:01 kolab postfix/policy-spf[4775]: handler sender_policy_framework: is decisive.
Jul 21 22:43:01 kolab postfix/policy-spf[4775]: : Policy action=PREPEND Received-SPF: pass (also.com: 194.115.88.35 is authorized to use 'andrea.soliva at also.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=dns1; identity=mailfrom; envelope-from="andrea.soliva at also.com"; helo=mx3.also.com; client-ip=194.115.88.35
Jul 21 22:43:01 kolab postfix/smtpd[4768]: 7E94B21285D0: client=mx3.also.com[194.115.88.35]
Jul 21 22:43:01 kolab postfix/cleanup[4790]: 7E94B21285D0: message-id=<7C210310-5A72-4DE9-A52A-90239B1AF198 at also.com>
Jul 21 22:43:01 kolab postfix/qmgr[4758]: 7E94B21285D0: from=<andrea.soliva at also.com>, size=2218, nrcpt=1 (queue active)
--------------- /var/log/postfix/postfix ---------------
Below a short description of how SPF is working:
This version of the policy server always checks HELO before Mail From (older
versions just checked HELO if Mail From was null). It will reject mail that
fails either Mail From or HELO SPF checks. It will defer mail if there is a
temporary SPF error and the message would otherwise be permitted
(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From
will not be checked.
If the message is not rejected or deferred, the policy server will PREPEND the
appropriate SPF Received header. If Mail From is anything other than completely
empty (i.e. <>) then the Mail From result will be used for SPF Received (e.g.
Mail From None even if HELO is Pass).
The policy server skips SPF checks for connections from the localhost (127.) and
instead prepends and logs 'SPF skipped - localhost is always allowed.' If you
have relays that you want to skip SPF checks for, you can add them to
relay_addresses on line 78 using standard CIDR notation in a space separated
list. For these addresses, 'X-Comment: SPF skipped for whitelisted relay' is
prepended and logged. IPv6 localhost is also skipped.
Error conditions within the policy server (that don't result in a
crash) or from
Mail::SPF will return DUNNO.
Each time a Postfix SMTP server process is started it connects to the policy
service socket, and Postfix runs one instance of this Perl script. By
default, a Postfix SMTP server process terminates after 100 seconds of idle
time, or after serving 100 clients. Thus, the cost of starting this Perl
script is smoothed out over time.
The default policy_time_limit is 1000 seconds. This may be too short for some
SMTP transactions to complete. As recommended in SMTPD_POLICY_README, this
should be extended to 3600 seconds. To do so, set "policy_time_limit = 3600"
in /etc/postfix/main.cf.
You can also test locally in the following way. Test which would not match:
# /usr/libexec/postfix/postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=host.example.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=user at comcept.ch
recipient=soliva at comcept.ch
client_address=1.2.3.4
client_name=host.example.com
[Enter nothing here, just press ENTER]
action=550 Please see http://www.openspf.net/Why?s=mfrom;id=user%40comcept.ch;ip=1.2.3.4;r=kolab.comcept.ch
Test which would match:
# /usr/libexec/postfix/postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=kolab.comcept.ch
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=user at comcept.ch
recipient=soliva at comcept.ch
client_address=192.168.100.116
client_name=kolab.comcept.ch
[Empty line, then finish with ENTER]
action=PREPEND Received-SPF: pass (comcept.ch: 192.168.100.116 is authorized to use 'user at comcept.ch' in 'mfrom' identity (mechanism 'mx' matched)) receiver=kolab.comcept.ch; identity=mailfrom; envelope-from="user at comcept.ch"; helo=kolab.comcept.ch; client-ip=192.168.100.116
STEP 3 USE HEADER CHECKS WITHIN POSTFIX FOR BOUNCES
# vi /etc/postfix/header_checks
---------------- /etc/postfix/header_checks ----------------
#############################################################################
# Allowing null-sender SMTP traffic just fine; it detects bounces in Postfix
# if they arrive via SMTP in RFC-3464 format, and bounces that slip past are
# then dealt with in a more CPU-intensive manner using the SpamAssassin
# VBounce ruleset which is part of the SpamAssassin 3.2.0!
#
# This increases the load, since some bounces cannot be rejected at MAIL FROM
# time now, and instead we have to wait until DATA but CPU hasn't been a
# problem recently, so this is ok.
#
/^Content-Type: multipart\/report; report-type=delivery-status\;/ REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; / REJECT no third-party DSNs
---------------- /etc/postfix/header_checks ----------------
# vi /etc/postfix/main.cf
---------------- /etc/postfix/main.cf ----------------
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
header_checks = regexp:/etc/postfix/header_checks
---------------- /etc/postfix/main.cf ----------------
Check that you have also activated this function in "spamassassin", as a second step if the first one fails etc.:
# vi /etc/mail/spamassassin/v320.pre
---------------- /etc/mail/spamassassin/v320.pre ----------------
# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
#
loadplugin Mail::SpamAssassin::Plugin::VBounce
---------------- /etc/mail/spamassassin/v320.pre ----------------
# vi /etc/mail/spamassassin/local.cf
---------------- /etc/mail/spamassassin/local.cf ----------------
## VBounce - SpamAssassin plugin to look up legitimate bounce messages
#
# Define the hostname of the relay (or relays) that you send your outbound
# mail through. This is used to 'rescue' legitimate bounce messages that were
# generated in response to mail you really *did* send. If a bounce message
# is found, and it contains one of these hostnames in a 'Received' header
# in the bounced message, it will not be marked as a blowback virus-bounce.
#
# Note: If you do not add this line, the *BOUNCE_MESSAGE rules will never
# fire! You have to specify at least one whitelisted relay for it to operate.
#
whitelist_bounce_relays [Define all your outgoing servers with their FQDN name]
---------------- /etc/mail/spamassassin/local.cf ----------------
# systemctl restart postfix.service
# systemctl restart amavisd.service
If the header_check is hit you see in the postfix logs:
REJECT no third-party DSNs
If the spamassassin VBounce plug-in hits, the corresponding report shows the following hint and score:
0.1 BOUNCE_MESSAGE MTA bounce message
0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
STEP 4 USE POSTGREY FOR POSTFIX
The following perl modules must be installed, which should already be the case for CentOS 6/7:
• Perl (version ≥ 5.6.0)
• Net::Server
• IO::Multiplex
• BerkeleyDB (Perl module)
• Berkeley DB (Library, version ≥ 4.1)
# yum install postgrey
If you use CentOS 6, postgrey is not available over yum unless you use the RepoForge repository. You can get the package manually from:
http://pkgs.repoforge.org
# wget http://pkgs.repoforge.org/postgrey/postgrey-1.34-1.el6.rf.noarch.rpm
# rpm -ivh postgrey-1.34-1.el6.rf.noarch.rpm
The following files will be installed:
/usr/sbin/postgreyreport
/usr/sbin/postgrey
/usr/share/man/man8/postgrey.8.gz
/usr/share/selinux/devel/include/services/postgrey.if
/usr/share/selinux/targeted/postgrey.pp.bz2
/usr/share/doc/postgrey-1.34
/export/kolab/spool/postfix/postgrey
/etc/rc.d/rc3.d/K31postgrey
/etc/rc.d/rc2.d/K31postgrey
/etc/rc.d/rc4.d/K31postgrey
/etc/rc.d/rc5.d/K31postgrey
/etc/rc.d/rc0.d/K31postgrey
/etc/rc.d/rc6.d/K31postgrey
/etc/rc.d/init.d/postgrey
/etc/rc.d/rc1.d/K31postgrey
/etc/postfix/postgrey_whitelist_recipients
/etc/postfix/postgrey_whitelist_clients
/etc/postfix/postgrey_whitelist_clients.local
/etc/selinux/targeted/modules/active/modules/postgrey.pp
The following user and group will be added to the system:
# cat /etc/passwd | grep postgrey
postgrey:x:409:408::/var/spool/postfix/postgrey:/sbin/nologin
# cat /etc/group | grep postgrey
postgrey:x:408:
Define the start option within the "/etc/sysconfig/postgrey" file:
# vi /etc/sysconfig/postgrey
--------------- /etc/sysconfig/postgrey ---------------
OPTIONS="--inet=127.0.0.1:60000 -d --pidfile=/export/kolab/spool/postfix/postgrey/postgrey.pid --hostname=kolab --user=postgrey --group=postgrey --dbdir=/var/spool/postfix/postgrey --greylist-action=450 --whitelist-clients=/etc/postfix/postgrey_whitelist_clients --whitelist-recipients=/etc/postfix/postgrey_whitelist_recipients --delay=600 --max-age=40 --lookup-by-host --auto-whitelist-clients=0 --greylist-text='Policy restrictions; try later' --retry-window=48h --x-greylist-header='X-Greylist: delayed %t seconds by greylist at %h; %d'"
--------------- /etc/sysconfig/postgrey ---------------
# chown root:root /etc/sysconfig/postgrey
# chmod 644 /etc/sysconfig/postgrey
Within this config file "--inet" is defined, which means NOT "socket", which I do not use. From this point of view you have to comment out within the start script the socket variant, so that we can use "--inet":
# vi /etc/init.d/postgrey
--------------- /etc/init.d/postgrey ---------------
prog=postgrey
postgrey=/usr/sbin/$prog
DBPATH=/var/spool/postfix/postgrey
#SOCKET=$DBPATH/socket
#OPTIONS="--unix=$SOCKET"
OPTIONS=""
--------------- /etc/init.d/postgrey ---------------
In the file below there are already some exceptions defined, like outlook.com, which do not do SMTP greylisting in a correct way by RFC etc. Look that you copy the file to the correct place so that you also have these exceptions; of course you can add new ones, which I do not do and which is not necessary. You can get the newest file from the original page/source of postgrey:
http://postgrey.schweikert.ch
# cp -p /etc/postfix/postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients.orig
# cp -p postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients
# chown root:root /etc/postfix/postgrey_whitelist_clients
# chmod 644 /etc/postfix/postgrey_whitelist_clients
For exceptions etc. you have to create the following files:
    check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
    check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
    check_client_access regexp:/etc/postfix/check_client_fqdn
• greylist_sender_exceptions = Exception for Greylist Sender!
• cidr_greylist_network_exceptions = Exception based on Subnet Masks CIDR!
• check_client_fqdn = With this file the client is checked by its FQDN with RegEx (dynamic IP patterns etc.), and if it matches, postgrey will be done!
As a template use the access file, which is by default empty, to create the "greylist_sender_exceptions":
# cp -p /etc/postfix/access /etc/postfix/greylist_sender_exceptions
# chown root:root /etc/postfix/access /etc/postfix/greylist_sender_exceptions
# chmod 644 /etc/postfix/access /etc/postfix/greylist_sender_exceptions
Define in the file below all your local networks as well as the public IPs you are probably using and communicating with the kolab server over port 25:
# vi /etc/postfix/cidr_greylist_network_exceptions
--------------- /etc/postfix/cidr_greylist_network_exceptions ---------------
# Whitelist Networks
# 192.168.0.0/16 OK
192.168.100.0/24 OK
--------------- /etc/postfix/cidr_greylist_network_exceptions ---------------
# chown root:root /etc/postfix/cidr_greylist_network_exceptions
# chmod 644 /etc/postfix/cidr_greylist_network_exceptions
As mentioned, only if the RegEx matches will postgrey be done. This means if an MX server is delivering a message with a proper FQDN etc., this will never match and no postgrey will be done:
# vi /etc/postfix/check_client_fqdn
--------------- /etc/postfix/check_client_fqdn ---------------
/^unknown$/ check_greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist
/^[^\.]*[0-9]{5}/ check_greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
--------------- /etc/postfix/check_client_fqdn ---------------
# chown root:root /etc/postfix/check_client_fqdn
# chmod 644 /etc/postfix/check_client_fqdn
Create at the end of the main.cf a "smtpd_restriction_classes" as "check_greylist" and define this class "check_greylist":
# /usr/sbin/postconf -ve "smtpd_restriction_classes = check_greylist"
# /usr/sbin/postconf -ve "check_greylist = check_policy_service inet:127.0.0.1:60000"
With these commands the following will be added at the end of the main.cf:
# vi /etc/postfix/main.cf
--------------- /etc/postfix/main.cf ---------------
smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:127.0.0.1:60000
--------------- /etc/postfix/main.cf ---------------
The file below is a hash file; from this point of view write the information of the file to a hash:
# /usr/sbin/postmap -v /etc/postfix/greylist_sender_exceptions
Check the RC levels for stop/start:
# /sbin/chkconfig --list | grep postgrey
postgrey        0:off   1:off   2:off   3:off   4:off   5:off   6:off
# /sbin/chkconfig postgrey on
# /sbin/chkconfig --list | grep postgrey
postgrey        0:off   1:off   2:on    3:on    4:on    5:on    6:off
Now add the postgrey files to the "smtpd_recipient_restrictions":
# vi /etc/postfix/main.cf
--------------- /etc/postfix/main.cf ---------------
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service unix:private/recipient_policy_incoming,
    check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
    check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
    check_client_access regexp:/etc/postfix/check_client_fqdn,
    permit
--------------- /etc/postfix/main.cf ---------------
Now "postgrey" can be started for the first time:
# systemctl start postgrey.service
Check your log for any errors/warnings:
# tail -f /var/log/postfix/postfix.log
Check if postgrey is running on (--inet):
# netstat -an | grep 6000
tcp        0      0 127.0.0.1:60000             0.0.0.0:*                   LISTEN
If postgrey is started, a BerkeleyDB will be created automatically:
# ls -la /var/spool/postfix/postgrey
total 264
drwxr-xr-x   2 postgrey postgrey     4096 Jun 12 11:19 .
drwxr-xr-x. 17 root     root         4096 Jun 12 11:18 ..
-rw-------   1 postgrey postgrey    24576 Jun 12 11:19 __db.001
-rw-------   1 postgrey postgrey   163840 Jun 12 11:19 __db.002
-rw-------   1 postgrey postgrey   270336 Jun 12 11:19 __db.003
-rw-------   1 postgrey postgrey    98304 Jun 12 11:19 __db.004
-rw-------   1 postgrey postgrey    49152 Jun 12 11:19 __db.005
-rw-------   1 postgrey postgrey 10485760 Jun 12 11:19 log.0000000001
-rw-------   1 postgrey postgrey     8192 Jun 12 11:19 postgrey.db
-rw-------   1 postgrey postgrey        0 Jun 12 11:19 postgrey.lock
-rw-r--r--   1 postgrey postgrey        6 Jun 12 11:19 postgrey.pid
If there are no errors/warnings etc. you can now restart postfix:
# systemctl restart postfix.service
Be aware that within main.cf of postfix the "mynetworks" is very important, which means define all your local networks as well as your public IPs which are communicating with your Kolab server. To test you can also deactivate the mynetworks and leave only 127.0.0.0/8 to see how postgrey is working overall, but do not forget to activate mynetworks again :-)
# vi /etc/postfix/main.cf
--------------- /etc/postfix/main.cf ---------------
#mynetworks = 192.168.100.0/24, 127.0.0.0/8
mynetworks = 127.0.0.0/8
--------------- /etc/postfix/main.cf ---------------
# systemctl restart postfix.service
If postgrey is used the following will be shown within the postfix log:
==> /var/log/postfix/postfix.log <==
Jun 12 10:43:43 kolab postgrey[17527]: action=greylist, reason=new, client_name=helios.comcept.ch, client_address=192.168.100.123, sender=andrea.soliva at also.com, recipient=andrea.soliva at comcept.ch
Jun 12 10:43:43 kolab postfix/smtpd[17540]: NOQUEUE: reject: RCPT from helios.comcept.ch[192.168.100.123]: 450 4.2.0 <andrea.soliva at comcept.ch>: Recipient address rejected: Policy restrictions; try later; from=<andrea.soliva at also.com> to=<andrea.soliva at comcept.ch> proto=ESMTP helo=<helios.comcept.ch>
Jun 12 10:43:43 kolab postfix/smtpd[17540]: disconnect from helios.comcept.ch[192.168.100.123]
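Added example, not part of the original post: a small Python reimplementation of a Postfix regexp: table lookup, run over the check_client_fqdn rules above against constructed client hostnames, so you can see which clients would be routed to the check_greylist class before switching the rule on. Postfix matches regexp tables case-insensitively by default and the first matching rule wins; pattern flags and negated (!) patterns are not handled here.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the /etc/postfix/check_client_fqdn rules from the post above.
CHECK_CLIENT_FQDN = r"""
/^unknown$/ check_greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist
/^[^\.]*[0-9]{5}/ check_greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
"""

Rule = Tuple[re.Pattern, str]            # compiled pattern, action
RULE_LINE = re.compile(r"^/(.*)/\s+(\S.*)$")


def parse_regexp_table(text: str) -> List[Rule]:
    """Parse '/pattern/ action' lines; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError("unsupported regexp table line: " + line)
        pattern, action = m.groups()
        # Postfix regexp tables are case-insensitive unless the 'i' flag toggles that.
        rules.append((re.compile(pattern, re.IGNORECASE), action.strip()))
    return rules


def lookup(rules: List[Rule], client_name: str) -> Optional[Tuple[str, str]]:
    """Return (action, pattern) of the first matching rule, or None when nothing
    matches (for check_client_access that means: fall through to the next restriction)."""
    for pattern, action in rules:
        if pattern.search(client_name):
            return action, pattern.pattern
    return None


def greylisted(rules: List[Rule], client_name: str) -> bool:
    """True when the client name would be handed to the check_greylist restriction class."""
    hit = lookup(rules, client_name)
    return hit is not None and hit[0] == "check_greylist"


if __name__ == "__main__":
    rules = parse_regexp_table(CHECK_CLIENT_FQDN)
    # Constructed client names: a real MX, a dial-up style reverse name, a DHCP pool name, no PTR.
    for name in ("mx3.also.com", "host-12-34-56-78.dsl.example.net",
                 "dhcp-17.isp.example", "unknown"):
        hit = lookup(rules, name)
        verdict = f"{hit[0]} via /{hit[1]}/" if hit else "no match (no greylisting)"
        print(f"{name:36s} -> {verdict}")
```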
STEP 5 USE PYZOR FOR SPAMASSASSIN
Razor is already installed on CentOS 6/7. Pyzor is also a good tool and no issue to install. Keep in mind that pyzor is communicating with the outside world on port 24441 UDP; from this point of view check your firewall. Additionally, DO NOT USE "spamd", which means "spamd" is not usable, and amavisd does the better job with more functions than "spamd". From this point of view deactivate "spamd" completely with "chkconfig" and never start it again. No more adjustments have to be done to deactivate "spamd". Install pyzor from yum:
yum install pyzor
Loaded plugins: fastestmirror, priorities
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink | 16 kB 00:00
* base: mirror.switch.ch
* epel: mirror.23media.de
* extras: mirror.switch.ch
* updates: mirror.switch.ch
Kolab_3.4 | 1.2 kB 00:00
Kolab_3.4_Updates | 1.2 kB 00:00
base | 3.7 kB 00:00
epel | 4.3 kB 00:00
http://mirror.23media.de/epel/6/i386/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for epel
Trying other mirror.
epel | 4.3 kB 00:00
epel/primary_db | 5.0 MB 00:01
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
106 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package pyzor.noarch 0:0.5.0-3.el6 will be installed
--> Finished Dependency Resolution
The following will be installed:
/usr/bin/pyzor
/usr/bin/pyzord
/usr/lib/python2.6/site-packages/pyzor
/usr/lib/python2.6/site-packages/pyzor/__init__.pyc
/usr/lib/python2.6/site-packages/pyzor/server.pyc
/usr/lib/python2.6/site-packages/pyzor/client.pyc
/usr/lib/python2.6/site-packages/pyzor/__init__.py
/usr/lib/python2.6/site-packages/pyzor/__init__.pyo
/usr/lib/python2.6/site-packages/pyzor/client.pyo
/usr/lib/python2.6/site-packages/pyzor/client.py
/usr/lib/python2.6/site-packages/pyzor/server.py
/usr/lib/python2.6/site-packages/pyzor/server.pyo
/usr/share/doc/pyzor-0.5.0
/usr/share/doc/pyzor-0.5.0/COPYING
/usr/share/doc/pyzor-0.5.0/UPGRADING
/usr/share/doc/pyzor-0.5.0/PKG-INFO
/usr/share/doc/pyzor-0.5.0/NEWS
/usr/share/doc/pyzor-0.5.0/THANKS
/usr/share/doc/pyzor-0.5.0/README
/usr/share/doc/pyzor-0.5.0/usage.html
Check rights and adjust:
# ls -la /usr/bin/pyzor
-rwxr-xr-x 1 root root 96 Mar 9 2011 /usr/bin/pyzor
# ls -la /usr/bin/pyzord
-rwxr-xr-x 1 root root 2926 Mar 9 2011 /usr/bin/pyzord
# ls -la /usr/share/doc/pyzor-0.5.0
total 80
drwxr-xr-x 2 root root 4096 May 15 09:13 .
drwxr-xr-x 233 root root 12288 May 15 09:13 ..
-rw-r--r-- 1 root root 18007 Apr 29 2009 COPYING
-rw-r--r-- 1 root root 5962 Apr 29 2009 NEWS
-rw-r--r-- 1 root root 361 Apr 29 2009 PKG-INFO
-rw-r--r-- 1 root root 228 Apr 29 2009 README
-rw-r--r-- 1 root root 495 Apr 29 2009 THANKS
-rw-r--r-- 1 root root 270 Apr 29 2009 UPGRADING
-rw-r--r-- 1 root root 14869 Apr 29 2009 usage.html
# chmod -R a+rX /usr/share/doc/pyzor-0.5.0 /usr/bin/pyzor /usr/bin/pyzord
# chmod -R a+rX /usr/lib/python2.6/site-packages/pyzor
Home dir for amavisd/spamassassin is:
# ls -la /var/spool/amavisd/
total 72
drwxr-x---. 7 amavis amavis 4096 May 15 05:17 .
drwxr-xr-x. 6 root root 4096 Jun 30 2015 ..
srwxr-x--- 1 amavis amavis 0 May 15 05:17 amavisd.sock
srw-rw-rw- 1 amavis amavis 0 May 15 05:16 clamd.sock
drwxr-x---. 2 amavis amavis 4096 May 15 05:17 db
drwxr-x---. 2 amavis amavis 36864 May 15 08:09 quarantine
drwxr-x---. 2 amavis amavis 4096 Jul 13 2015 .razor
-rwx------ 1 amavis amavis 801 Jan 11 21:50 sa-learn.sh
drwx------. 2 amavis amavis 4096 May 15 04:59 .spamassassin
drwxr-x---. 5 amavis amavis 4096 May 15 10:48 tmp
Make sure you also use this dir for pyzor:
# mkdir /var/spool/amavisd/.pyzor
# chown amavis:amavis /var/spool/amavisd/.pyzor
# chmod 755 /var/spool/amavisd/.pyzor
Activate pyzor in corresponding config files:
# vi /etc/mail/spamassassin/v310.pre
--------------- /etc/mail/spamassassin/v310.pre ---------------
# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_options --homedir /var/spool/amavisd/.pyzor
pyzor_timeout 10
--------------- /etc/mail/spamassassin/v310.pre ---------------
# vi /etc/mail/spamassassin/local.cf
--------------- /etc/mail/spamassassin/local.cf ---------------
score RAZOR2_CHECK 2.500
score PYZOR_CHECK 2.500
--------------- /etc/mail/spamassassin/local.cf ---------------
If you want to debug amavisd, activate the following:
# vi /etc/amavisd/amavisd.conf
--------------- /etc/amavisd/amavisd.conf ---------------
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
$sa_debug = '1'; # defaults to false
--------------- /etc/amavisd/amavisd.conf ---------------
# systemctl restart amavisd.service
Check your logs:
# tail -f /var/log/amavisd/amavis.log
--------------- /var/log/amavisd/amavis.log ---------------
May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: pyzor is available: /usr/bin/pyzor
May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: dns: entering helper-app run mode
May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/amavisd/.pyzor check > /export/kolab/spool/amavisd/tmp/.spamassassin5602HOauo5tmp
May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5606]: SA dbg: util: setuid: ruid=1000 euid=1000
May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: [5606] finished: exit 1
May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: got response: downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x\\npublic.pyzor.org:24441 (200, 'OK') 0 0
May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: dns: leaving helper-app run mode
May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: failure to parse response "downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x"
--------------- /var/log/amavisd/amavis.log ---------------
The server information for pyzor was downloaded; check it:
# cat /var/spool/amavisd/.pyzor/servers
public.pyzor.org:24441
Restart amavisd again:
# systemctl restart amavisd.service
Check the logs again:
# tail -f /var/log/amavisd/amavis.log
--------------- /var/log/amavisd/amavis.log ---------------
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: pyzor is available: /usr/bin/pyzor
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: dns: entering helper-app run mode
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/amavisd/.pyzor check < /export/amavis/tmp/.spamassassin56160Z3vLttmp
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5620]: SA dbg: util: setuid: ruid=1000 euid=1000
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: [5620] finished: exit 1
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: dns: leaving helper-app run mode
May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: check: tagrun - tag PYZOR is now ready, value: Reported 0 times.
--------------- /var/log/amavisd/amavis.log ---------------
Do not forget to deactivate the debug mode. To end debug mode for
"amavisd", run the following:
# vi /etc/amavisd/amavisd.conf
--------------- /etc/amavisd/amavisd.conf ---------------
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
#$sa_debug = '1'; # defaults to false
--------------- /etc/amavisd/amavisd.conf ---------------
# systemctl restart amavisd.service
STEP 6 USE BOTNET FOR SPAMASSASSIN
This is an additional perl module which checks the FQDN name etc. of a
sender regarding BOTNET etc. There is a small possibility of false
positives, which by the way I never had :-)
https://wiki.apache.org/spamassassin/CustomPlugins
https://github.com/eilandert/Botnet.pm
File: Botnet.pm-master.zip
# unzip Botnet.pm-master.zip
Copy "Botnet.cf" and "Botnet.pm" to the spamassassin dir
"/etc/mail/spamassassin":
# cd Botnet.pm-master
# cp Botnet.pm /etc/mail/spamassassin/
# cp Botnet.cf /etc/mail/spamassassin/
Check rights (both files belong to root and must be world-readable):
# chown root:root /etc/mail/spamassassin/Botnet.pm /etc/mail/spamassassin/Botnet.cf
# chmod 644 /etc/mail/spamassassin/Botnet.pm /etc/mail/spamassassin/Botnet.cf
Deactivate the warnings in the file "Botnet.pm":
# vi /etc/mail/spamassassin/Botnet.pm
--------------- /etc/mail/spamassassin/Botnet.pm ---------------
# Botnet - perform DNS validations on the first untrusted relay
# looking for signs of a Botnet infected host, such as no reverse
# DNS, a hostname that would indicate an ISP client or domain
# workstation, or other hosts that aren't intended to be acting as
# a direct mail submitter outside of their own domain.
use Socket;
use Net::DNS;
use Mail::SpamAssassin::Plugin;
use strict;
#use warnings;
use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);
my $VERSION = 0.9;
--------------- /etc/mail/spamassassin/Botnet.pm ---------------
You have the possibility to pre-load such things in amavisd if you want,
which is not really necessary; you can preload everything in amavisd.
Add the module:
# vi /etc/amavisd/amavisd.conf
--------------- /etc/amavisd/amavisd.conf ---------------
@additional_perl_modules = qw(
/etc/mail/spamassassin/Botnet.pm
);
--------------- /etc/amavisd/amavisd.conf ---------------
All modules which you like to pre-load you can add here. If you start
amavisd, check your logs and you will see a message like "loading
additional modules". Every module can be pre-loaded so that amavisd has
it already and must not load the stuff every time. On my installation it
looks like the following:
--------------- /etc/amavisd/amavisd.conf ---------------
@additional_perl_modules = qw(
/usr/lib/perl5/auto/NetAddr/IP/Util/inet_n2dx.al
/usr/lib/perl5/auto/NetAddr/IP/Util/ipv6_n2d.al
/usr/lib/perl5/auto/NetAddr/IP/Util/ipv6_n2x.al
/usr/share/perl5/Net/libnet.cfg
/etc/mail/spamassassin/Botnet.pm
IP/Country/Fast.pm
Mail/SpamAssassin/Plugin/FreeMail.pm
Mail/SpamAssassin/Plugin/SpamCop.pm
Net/Cmd.pm
Net/Config.pm
Net/SMTP.pm
Convert/UUlib.pm
unicore/lib/gc_sc/Digit.pl
unicore/lib/gc_sc/SpacePer.pl
unicore/lib/gc_sc/Alnum.pl
);
--------------- /etc/amavisd/amavisd.conf ---------------
Now define the Botnet Module within spamassassin:
# vi /etc/mail/spamassassin/local.cf
--------------- /etc/mail/spamassassin/local.cf ---------------
## Botnet - perform DNS validations on the first untrusted relay
# looking for signs of a Botnet infected host, such as no reverse
# DNS, a hostname that would indicate an ISP client or domain
# workstation, or other hosts that aren't intended to be acting as
# a direct mail submitter outside of their own domain.
#
# https://github.com/eilandert/Botnet.pm
#
loadplugin Mail::SpamAssassin::Plugin::Botnet /etc/mail/spamassassin/Botnet.pm
ifplugin Mail::SpamAssassin::Plugin::Botnet
describe BOTNET Relay might be a spambot or virusbot
header BOTNET eval:botnet()
score BOTNET 1.0
describe BOTNET_SOHO Relay might be a SOHO mail server
header BOTNET_SOHO eval:botnet_soho()
score BOTNET_SOHO -0.01
describe BOTNET_NORDNS Relay's IP address has no PTR record
header BOTNET_NORDNS eval:botnet_nordns()
score BOTNET_NORDNS 0.1
describe BOTNET_BADDNS Relay doesn't have full circle DNS
header BOTNET_BADDNS eval:botnet_baddns()
score BOTNET_BADDNS 0.1
describe BOTNET_CLIENT Relay has a client-like hostname
header BOTNET_CLIENT eval:botnet_client()
score BOTNET_CLIENT 0.1
describe BOTNET_IPINHOSTNAME Hostname contains its own IP address
header BOTNET_IPINHOSTNAME eval:botnet_ipinhostname()
score BOTNET_IPINHOSTNAME 0.1
describe BOTNET_CLIENTWORDS Hostname contains client-like substrings
header BOTNET_CLIENTWORDS eval:botnet_clientwords()
score BOTNET_CLIENTWORDS 0.01
describe BOTNET_SERVERWORDS Hostname contains server-like substrings
header BOTNET_SERVERWORDS eval:botnet_serverwords()
score BOTNET_SERVERWORDS -0.1
endif
--------------- /etc/mail/spamassassin/local.cf ---------------
As mentioned there is a small possibility of false positives; from this
point of view do not define a higher score. Test the configuration,
meaning activate debug for amavisd:
# vi /etc/amavisd/amavisd.conf
--------------- /etc/amavisd/amavisd.conf ---------------
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
$sa_debug = '1'; # defaults to false
--------------- /etc/amavisd/amavisd.conf ---------------
# systemctl restart amavisd.service
Check the logs:
# tail -f /var/log/amavisd/amavis.log
--------------- /var/log/amavisd/amavis.log ---------------
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_auth to 0
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_trusted to public
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^127\\.0\\.0\\.1$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^10\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_auth to 0
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_trusted to public
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^127\\.0\\.0\\.1$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^10\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.1[6789]\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.2[0-9]\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.3[01]\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^192\\.168\\..*$ to botnet_skip_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^128\\.223\\.98\\.16$ to botnet_pass_ip
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)amazon\\.com$ to botnet_pass_domains
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)apple\\.com$ to botnet_pass_domains
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)ebay\\.com$ to botnet_pass_domains
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d).*dsl.*(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)cable(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)catv(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ddns(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dhcp(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dial(-?up)?(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dip(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)docsis(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dyn(amic)?(ip)?(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)modem(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ppp(oe)?(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)res(net|ident(ial)?)?(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)bredband(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)client(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)fixed(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ip(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)pool(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)static(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)user(\\b|\\d) to botnet_clientwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)e?mail(out)?(\\b|\\d) to botnet_serverwords
Jul 3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)mta(\\b|\\d) to botnet_serverwords
--------------- /var/log/amavisd/amavis.log ---------------
Do not forget to deactivate the debug again:
--------------- /etc/amavisd/amavisd.conf ---------------
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
#$sa_debug = '1'; # defaults to false
--------------- /etc/amavisd/amavisd.conf ---------------
# systemctl restart amavisd.service
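As an added example (not from the original post and not the Botnet.pm code), here is a Python sketch of the checks behind the BOTNET_* rules above: it uses the client/server word patterns and skip networks from the debug log, the scores from local.cf, and a constructed PTR/A table so it runs offline; how the single checks combine into BOTNET_CLIENT and BOTNET is my simplification of the plugin, and the relay IPs and hostnames are made up.

```python
"""Hostname/DNS heuristics of the BOTNET_* rules, re-implemented in Python.

Added example, not the Botnet.pm plugin: the combination logic is a
simplification, the scores are the ones from local.cf, and all DNS data
is constructed (no real hosts)."""
import ipaddress
import re

# Client-like / server-like substrings exactly as the plugin logged them
# (botnet_clientwords / botnet_serverwords from Botnet.cf).
CLIENTWORDS = [
    r"(\b|\d).*dsl.*(\b|\d)", r"(\b|\d)cable(\b|\d)", r"(\b|\d)catv(\b|\d)",
    r"(\b|\d)ddns(\b|\d)", r"(\b|\d)dhcp(\b|\d)", r"(\b|\d)dial(-?up)?(\b|\d)",
    r"(\b|\d)dip(\b|\d)", r"(\b|\d)docsis(\b|\d)", r"(\b|\d)dyn(amic)?(ip)?(\b|\d)",
    r"(\b|\d)modem(\b|\d)", r"(\b|\d)ppp(oe)?(\b|\d)",
    r"(\b|\d)res(net|ident(ial)?)?(\b|\d)", r"(\b|\d)bredband(\b|\d)",
    r"(\b|\d)client(\b|\d)", r"(\b|\d)fixed(\b|\d)", r"(\b|\d)ip(\b|\d)",
    r"(\b|\d)pool(\b|\d)", r"(\b|\d)static(\b|\d)", r"(\b|\d)user(\b|\d)",
]
SERVERWORDS = [r"(\b|\d)e?mail(out)?(\b|\d)", r"(\b|\d)mta(\b|\d)"]

# botnet_skip_ip networks from the log: relays in these are never examined.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Scores as set in local.cf above (BOTNET_SOHO is left out of this sketch).
SCORES = {"BOTNET": 1.0, "BOTNET_NORDNS": 0.1, "BOTNET_BADDNS": 0.1,
          "BOTNET_CLIENT": 0.1, "BOTNET_IPINHOSTNAME": 0.1,
          "BOTNET_CLIENTWORDS": 0.01, "BOTNET_SERVERWORDS": -0.1}

# Constructed DNS data: PTR name per relay IP and A records per name.
FAKE_PTR = {"203.0.113.45": "203-0-113-45.dsl.example.net",
            "203.0.113.10": "mta1.example.org",
            "203.0.113.20": "host20.example.com"}   # 203.0.113.99 has no PTR
FAKE_A = {"203-0-113-45.dsl.example.net": ["203.0.113.45"],
          "mta1.example.org": ["203.0.113.10"],
          "host20.example.com": ["198.51.100.7"]}   # does not point back


def ip_in_hostname(ip, host):
    """True if the four octets appear in the hostname in forward or reverse
    order (decimal only; the real plugin also knows other spellings)."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        pos, found = 0, True
        for octet in order:
            idx = host.find(octet, pos)
            if idx < 0:
                found = False
                break
            pos = idx + len(octet)
        if found:
            return True
    return False


def botnet_check(ip, ptr=FAKE_PTR, a=FAKE_A):
    """Evaluate one first-untrusted relay; returns ({rule: hit}, total score)."""
    if any(ipaddress.ip_address(ip) in net for net in SKIP_NETS):
        return {}, 0.0            # private/loopback relay: nothing to check
    name = ptr.get(ip)
    host = (name or "").lower()
    hits = {
        # no PTR record at all
        "BOTNET_NORDNS": name is None,
        # PTR exists, but the A record of that name does not lead back here
        "BOTNET_BADDNS": name is not None and ip not in a.get(name, []),
        "BOTNET_IPINHOSTNAME": ip_in_hostname(ip, host),
        "BOTNET_CLIENTWORDS": any(re.search(p, host) for p in CLIENTWORDS),
        "BOTNET_SERVERWORDS": any(re.search(p, host) for p in SERVERWORDS),
    }
    # Simplified combination: client-like if the name embeds its IP or a
    # client word and no server word rescues it; BOTNET on any DNS problem
    # or a client-like name. The low scores in local.cf exist because e.g.
    # the octet "0" or the word "ip" also match many legitimate hosts.
    hits["BOTNET_CLIENT"] = ((hits["BOTNET_IPINHOSTNAME"] or hits["BOTNET_CLIENTWORDS"])
                             and not hits["BOTNET_SERVERWORDS"])
    hits["BOTNET"] = hits["BOTNET_NORDNS"] or hits["BOTNET_BADDNS"] or hits["BOTNET_CLIENT"]
    total = round(sum(SCORES[r] for r, hit in hits.items() if hit), 3)
    return hits, total


if __name__ == "__main__":
    for relay in ("203.0.113.45", "203.0.113.10", "203.0.113.20",
                  "203.0.113.99", "192.168.1.5"):
        rules, score = botnet_check(relay)
        print(relay, score, sorted(r for r, hit in rules.items() if hit))
```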
STEP 7 USE MORE RBL/URIBL/VIRBL WITHIN SPAMASSASSIN
Spamassassin already comes with some preconfigured RBLs etc.; from this
point of view, if you add some, please check that these ones are not
already used. Additionally many of the RBLs etc. are free of charge if
you do not use more than 100k requests per day. Also absolutely
necessary is a really nicely working DNS server locally on 127.0.0.1 or
a DNS caching server. This is fundamental to have no timeouts etc.,
especially if you have higher volumes of messages delivered etc. Add the
additional RBLs etc. to local.cf and keep the following link in mind:
https://wiki.apache.org/spamassassin/DnsBlocklists
PLEASE NOTE: If you want to deactivate one you can do the following
within local.cf:
## NOTE: As from SpamAssassin version 3.4 you may disable queries for any
# DNSBL, URIBL etc. by adding below "dns_query_restriction" or set the
# score of corresponding rule to "0":
#
#dns_query_restriction deny bl.domain
# vi /etc/mail/spamassassin/local.cf
--------------- /etc/mail/spamassassin/local.cf ---------------
## NOTE: As from SpamAssassin version 3.4 you may disable queries for any
# DNSBL, URIBL etc. by adding below "dns_query_restriction" or set the
# score of corresponding rule to "0":
#
#dns_query_restriction deny bl.domain
## Additional DNSBL Servers
#
# inps.de-DNSBL (inps.de-DNS-IP-BLACKLIST) dnsbl.inps.de
#
header RCVD_IN_DNSBL_INPS_DE eval:check_rbl('inps-de','dnsbl.inps.de.')
describe RCVD_IN_DNSBL_INPS_DE Received via a relay in inps.de DNSBL
tflags RCVD_IN_DNSBL_INPS_DE net
score RCVD_IN_DNSBL_INPS_DE 3.0
## Additional DNSBL Servers
#
# allinone.bl.blocklist.de (Amavis/Spamassassin only (127.0.0.2)) http://www.blocklist.de
#
header RCVD_IN_DNSBL_Blocklist_de eval:check_rbl('127.0.0.2','allinone.bl.blocklist.de')
describe RCVD_IN_DNSBL_Blocklist_de Sender listed on Blocklist DNSBL
tflags RCVD_IN_DNSBL_Blocklist_de net
score RCVD_IN_DNSBL_Blocklist_de 3.0
## Additional DNSBL Servers
#
# justspam.org (email reputation system) http://www.justspam.org
#
header RCVD_IN_JUSTSPAM eval:check_rbl('justspam.org','dnsbl.justspam.org.')
describe RCVD_IN_JUSTSPAM Listed in dnsbl.justspam.org.
tflags RCVD_IN_JUSTSPAM net
score RCVD_IN_JUSTSPAM 0.5
## Additional DNSBL Servers
#
# spam.dnsbl.anonmails.de
#
header RCVD_IN_ANONMAILS eval:check_rbl('anonmails-lastexternal', 'spam.dnsbl.anonmails.de.')
describe RCVD_IN_ANONMAILS Relay is listed in spam.dnsbl.anonmails.de
tflags RCVD_IN_ANONMAILS net
score RCVD_IN_ANONMAILS 2.0
## Additional DNSBL Servers
#
# http://www.uceprotect.net/de/index.php
#
# uceprotect1 (open relays/proxys/dialups)
# uceprotect2 (open relays/proxys/dialups)
# uceprotect3 (bad networks)
#
header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1-lastexternal', 'dnsbl-1.uceprotect.net.')
describe RCVD_IN_UCEPROTECT1 Listed in dnsbl-1.uceprotect.net
tflags RCVD_IN_UCEPROTECT1 net
score RCVD_IN_UCEPROTECT1 2.0
header RCVD_IN_UCEPROTECT2 eval:check_rbl_txt('uceprotect2-lastexternal', 'dnsbl-2.uceprotect.net.')
describe RCVD_IN_UCEPROTECT2 Network listed in dnsbl-2.uceprotect.net
tflags RCVD_IN_UCEPROTECT2 net
score RCVD_IN_UCEPROTECT2 1.0
header RCVD_IN_UCEPROTECT3 eval:check_rbl_txt('uceprotect3-lastexternal', 'dnsbl-3.uceprotect.net.')
describe RCVD_IN_UCEPROTECT3 Network listed in dnsbl-3.uceprotect.net
tflags RCVD_IN_UCEPROTECT3 net
score RCVD_IN_UCEPROTECT3 0.5
## Additional DNSBL Servers
#
# spameatingmonkey.com (real time IP and domain blacklists) http://spameatingmonkey.com
#
header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
tflags RCVD_IN_SEMBACKSCATTER net
describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
score RCVD_IN_SEMBACKSCATTER 0.5
header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
tflags RCVD_IN_SEMBLACK net
describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
score RCVD_IN_SEMBLACK 2.0
urirhssub SEM_URI uribl.spameatingmonkey.net. A 2
body SEM_URI eval:check_uridnsbl('SEM_URI')
describe SEM_URI Contains a URI listed by SEM-URI
tflags SEM_URI net
score SEM_URI 0.5
urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2
body SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
describe SEM_URIRED Contains a URI listed by SEM-URIRED
tflags SEM_URIRED net
score SEM_URIRED 0.5
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5
## Additional DNSBL Servers
#
# junkemailfilter.com http://www.junkemailfilter.com
#
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
score RCVD_IN_HOSTKARMA_W -1.0
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
score RCVD_IN_HOSTKARMA_BL 3.0
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net
score RCVD_IN_HOSTKARMA_BR 1.0
## Additional RBL Servers
#
# blockedservers.com https://www.blockedservers.com/
#
header RCVD_IN_BLKSRV eval:check_rbl('blockedservers-lastexternal', 'rbl.blockedservers.com.')
describe RCVD_IN_BLKSRV Listed in rbl.blockedservers.com
tflags RCVD_IN_BLKSRV net
score RCVD_IN_BLKSRV 2.0
## Additional DNSBL Servers
#
# wpbl.info (Weighted Private Block List) http://wpbl.info/
#
header RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal','db.wpbl.info.','127.0.0.2')
describe RCVD_IN_WPBL Listed in db.wpbl.info
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 2.0
## Additional DNSBL Servers
#
# sorbs-spam (Spam and Open Relay Blocking System) http://www.sorbs.net/
#
header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
tflags RCVD_IN_SORBS_SPAM net
score RCVD_IN_SORBS_SPAM 0 2.0 0 2.0
## Additional DNSBL Servers
#
# dnsbl.manitu.net http://www.dnsbl.manitu.net/
#
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 2.0
## Additional DNSBL/URIBL Servers
#
# http://antispam.imp.ch/01-wasistspam.html?lng=1
#
# Swinog URIBL is a realtime blacklist built from spamtrap sources. URLs are extracted,
# compared against a big whitelist and then added to the blacklist.
#
header RCVD_IN_SWINOG_SPAM eval:check_rbl('swinog', 'dnsrbl.swinog.ch.', '127.0.0.3')
describe RCVD_IN_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
tflags RCVD_IN_SWINOG_SPAM net
score RCVD_IN_SWINOG_SPAM 2.500
urirhsbl URIBL_SC_SWINOG uribl.swinog.ch. A
body URIBL_SC_SWINOG eval:check_uridnsbl('URIBL_SC_SWINOG')
describe URIBL_SC_SWINOG URI's listed in uribl.swinog.ch.
tflags URIBL_SC_SWINOG net
score URIBL_SC_SWINOG 0 0.900 0 1.500
## Additional VIRBL Servers
#
# virbl (virus sender blacklist) http://virbl.bit.nl
#
header RCVD_IN_VIRBL eval:check_rbl_txt('virbl', 'virbl.dnsbl.bit.nl')
describe RCVD_IN_VIRBL Listed in virbl.dnsbl.bit.nl
tflags RCVD_IN_VIRBL net
score RCVD_IN_VIRBL 0 2.0 0 2.0
## Extra Scoring DNSBL Servers
#
# Extra scoring rules if a sender ip is listed in more than 3
# configured DNSBL's.
#
meta CUSTOM_MANY_BL (RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL + RCVD_IN_XBL + RCVD_IN_PBL + RCVD_IN_VIRBL + RCVD_IN_UCEPROTECT1 + RCVD_IN_WPBL + RCVD_IN_BLKSRV + RCVD_IN_ANONMAILS + RCVD_IN_DNSBL_INPS_DE + RCVD_IN_NIX_SPAM + RCVD_IN_SEMBLACK + RCVD_IN_HOSTKARMA_BL + RCVD_IN_JUSTSPAM + RCVD_IN_PSBL + RCVD_IN_SORBS_SPAM + RCVD_IN_SORBS_DUL + RCVD_IN_SORBS_HTTP + RCVD_IN_SWINOG_SPAM) > 3
describe CUSTOM_MANY_BL Message received in more than 3 RBLs
score CUSTOM_MANY_BL 5.0
meta CUSTOM_MANY_URIBL (URIBL_BLACK + URIBL_JP_SURBL + URIBL_WS_SURBL + URIBL_PH_SURBL + URIBL_MW_SURBL + URIBL_AB_SURBL + URIBL_DBL_SPAM + URIBL_DBL_PHISH + URIBL_DBL_MALWARE + URIBL_DBL_BOTNETCC + URIBL_SBL + URIBL_SBL_A + SEM_URI + SEM_FRESH + SEM_URIRED + URIBL_SC_SWINOG) > 3
describe CUSTOM_MANY_URIBL Message received in more than 3 URIBL
score CUSTOM_MANY_URIBL 5.0
--------------- /etc/mail/spamassassin/local.cf ---------------
Restart amavisd:
# systemctl restart amavisd.service
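As an added example (not part of the original post and not SpamAssassin's own code), here is a Python sketch of what the check_rbl / check_rbl_sub rules above do: pick the last external relay of the Received chain, reverse its octets, query each list zone once, compare the 127.0.0.x return code, and apply the CUSTOM_MANY_BL meta rule. The rule subset, the trusted networks and all DNSBL answers are constructed assumptions so it runs offline; the query counter shows why a local caching resolver matters.

```python
"""DNSBL scoring the way the local.cf rules above do it (added example)."""
import ipaddress

# A subset of the rules from local.cf: rule -> (zone, required return code, score).
# check_rbl fires on any 127.0.0.0/8 answer; check_rbl_sub (and a third
# check_rbl argument) fires only on that exact code. Rules sharing a zone
# share one DNS query; that is what a set name like HOSTKARMA-lastexternal is for.
RULES = {
    "RCVD_IN_DNSBL_INPS_DE": ("dnsbl.inps.de.", None, 3.0),
    "RCVD_IN_UCEPROTECT1":   ("dnsbl-1.uceprotect.net.", None, 2.0),
    "RCVD_IN_WPBL":          ("db.wpbl.info.", "127.0.0.2", 2.0),
    "RCVD_IN_NIX_SPAM":      ("ix.dnsbl.manitu.net.", None, 2.0),
    "RCVD_IN_HOSTKARMA_W":   ("hostkarma.junkemailfilter.com.", "127.0.0.1", -1.0),
    "RCVD_IN_HOSTKARMA_BL":  ("hostkarma.junkemailfilter.com.", "127.0.0.2", 3.0),
    "RCVD_IN_HOSTKARMA_BR":  ("hostkarma.junkemailfilter.com.", "127.0.0.4", 1.0),
    "RCVD_IN_SWINOG_SPAM":   ("dnsrbl.swinog.ch.", "127.0.0.3", 2.5),
}
# The CUSTOM_MANY_BL meta rule: more than 3 hits among these add 5.0 on top.
MANY_BL_RULES = {"RCVD_IN_UCEPROTECT1", "RCVD_IN_WPBL", "RCVD_IN_DNSBL_INPS_DE",
                 "RCVD_IN_NIX_SPAM", "RCVD_IN_HOSTKARMA_BL", "RCVD_IN_SWINOG_SPAM"}
MANY_BL_SCORE = 5.0
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Assumed internal/trusted networks (like mynetworks): relays in them are not
# "external", so the "-lastexternal" sets never query them.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed DNSBL answers (not real listings): query name -> A records.
FAKE_DNS = {
    "45.113.0.203.dnsbl.inps.de.": ["127.0.0.2"],
    "45.113.0.203.dnsbl-1.uceprotect.net.": ["127.0.0.2"],
    "45.113.0.203.db.wpbl.info.": ["127.0.0.2"],
    "45.113.0.203.ix.dnsbl.manitu.net.": ["127.0.0.2"],
    "45.113.0.203.hostkarma.junkemailfilter.com.": ["127.0.0.2"],
    "7.100.51.198.hostkarma.junkemailfilter.com.": ["127.0.0.1"],  # whitelisted
    "7.100.51.198.db.wpbl.info.": ["127.0.0.3"],  # listed, but not the code WPBL wants
}


def last_external(relays):
    """Relays is the Received chain from the outermost sender to our own MTA;
    return the last one that is not inside a trusted network."""
    for ip in reversed(relays):
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED):
            return ip
    return None


def rbl_lookup(ip, zone, dns, cache):
    """One reversed-octet query per (ip, zone); the cache stands in for the
    local caching resolver the post calls fundamental."""
    name = ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".") + "."
    if name not in cache:
        cache[name] = dns.get(name, [])
    return cache[name]


def score_relays(relays, dns=FAKE_DNS):
    """Return (hit rule names, total score, number of distinct DNS queries)."""
    ip = last_external(relays)
    if ip is None:
        return [], 0.0, 0
    cache, hits = {}, []
    for rule, (zone, code, _score) in RULES.items():
        answers = rbl_lookup(ip, zone, dns, cache)
        listed = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if listed and (code is None or code in listed):
            hits.append(rule)
    total = sum(RULES[r][2] for r in hits)
    if len([r for r in hits if r in MANY_BL_RULES]) > 3:
        hits.append("CUSTOM_MANY_BL")
        total += MANY_BL_SCORE
    return hits, round(total, 3), len(cache)


if __name__ == "__main__":
    # Only 203.0.113.45 is queried: 192.168.100.123 is trusted, 198.51.100.7 is
    # further away than the last external relay.
    print(score_relays(["198.51.100.7", "203.0.113.45", "192.168.100.123"]))
    print(score_relays(["198.51.100.7", "10.0.0.5"]))
```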
STEP 8 USE CLAMAV ADDITIONAL SIGNATURES
This is one of the best which fights against spam etc.; if you use clamav
without these sigs it is not very useful, but with these sigs absolutely
nice cool very good stuff, well done guys :-)
http://sanesecurity.com/
There are also some scripts available on sanesecurity but I do not like
them, too complicated and too little transparent; from this point of
view I use my own with rsync:
# yum install rsync
# mkdir /opt/scripts
# chown root:root /opt/scripts
# chmod 700 /opt/scripts
# touch /opt/scripts/UpdateSaneSecurity.sh
# chmod 700 /opt/scripts/UpdateSaneSecurity.sh
Create the script to download the stuff; for the different databases
check the following site:
http://sanesecurity.co.uk/usage/signatures/
# vi /opt/scripts/UpdateSaneSecurity.sh
--------------- /opt/scripts/UpdateSaneSecurity.sh ---------------
#!/bin/sh
#
# Updates SaneSecurity files on an hourly basis (cron)
#
# http://sanesecurity.co.uk/usage/signatures/
#
# Update additional virus definition db for clamav CentOS 7 (crontab line):
# 15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * * /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /bin/systemctl reload clamd.amavisd.service > /dev/null
#
# Update additional virus definition db for clamav CentOS 6 (crontab line):
# 15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * * /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /sbin/service clamd.amavisd reload > /dev/null
#
# Setting program and dir variables
# Adjust as necessary: the signature owner is clam:clam on CentOS 6 and
# clamupdate:clamupdate on CentOS 7 (see the rights check below)
CLAM_DB_DIR=/var/lib/clamav
CLAM_OWNER=clam:clam
SANESECURITY_LOG=/var/log/clamav/UpdateSaneSecurity.log
CHOWN=/bin/chown
CHMOD=/bin/chmod
RSYNC=/usr/bin/rsync
# RSYNC options
#
# -a (archive)
# -v (verbose, use -vvv to be more verbose)
# -z (compress)
# -u (update; transfer only if file is newer)
#
# Download Sanesecurity SigWhitelist
#
SIGWHITELIST=sigwhitelist.ign2
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$SIGWHITELIST $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SIGWHITELIST >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$SIGWHITELIST >> $SANESECURITY_LOG
#
# Download Sanesecurity Message File
#
SANEMESSAGE=sanesecurity.ftm
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$SANEMESSAGE $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SANEMESSAGE >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$SANEMESSAGE >> $SANESECURITY_LOG
#
# Download Sanesecurity DB's (the wildcard is expanded by the rsync server,
# locally by the shell when setting permissions)
#
SANES=*.?db
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$SANES $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SANES >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$SANES >> $SANESECURITY_LOG
#
# Download MALWAREHASH DB's
#
MALWAREHASH=malwarehash.hsb
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$MALWAREHASH $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$MALWAREHASH >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$MALWAREHASH >> $SANESECURITY_LOG
#
# Download ROGUE DB's
#
ROGUE=rogue.hdb
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$ROGUE $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$ROGUE >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$ROGUE >> $SANESECURITY_LOG
#
# Download Hackingteam DB
#
HACKINGTEAM=hackingteam.hsb
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$HACKINGTEAM $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$HACKINGTEAM >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$HACKINGTEAM >> $SANESECURITY_LOG
#
# Download Yara DB's
#
YARA=*.yara
$RSYNC -avvvzu --timeout=180 rsync://rsync.sanesecurity.net/sanesecurity/$YARA $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
$CHOWN $CLAM_OWNER $CLAM_DB_DIR/$YARA >> $SANESECURITY_LOG
$CHMOD 644 $CLAM_DB_DIR/$YARA >> $SANESECURITY_LOG
#
# Download MSRBL DB's (disabled)
#
# HDB=MSRBL-Images.hdb
# NDB=MSRBL-SPAM.ndb
# $RSYNC -avvvzu --timeout=180 rsync://rsync.mirror.msrbl.com/msrbl/$HDB $CLAM_DB_DIR >> $SANESECURITY_LOG
# $RSYNC -avvvzu --timeout=180 rsync://rsync.mirror.msrbl.com/msrbl/$NDB $CLAM_DB_DIR >> $SANESECURITY_LOG
# If necessary extract file and set permission
#
# $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$HDB >> $SANESECURITY_LOG
# $CHMOD 644 $CLAM_DB_DIR/$HDB >> $SANESECURITY_LOG
#
# $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$NDB >> $SANESECURITY_LOG
# $CHMOD 644 $CLAM_DB_DIR/$NDB >> $SANESECURITY_LOG
#
# Remove non-supported ndb's
#
rm -f $CLAM_DB_DIR/INetMsg-SpamDomains-*
#
# The two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb
# shouldn't be used together, so remove the first one from the db dir
#
rm -f $CLAM_DB_DIR/winnow_phish_complete.ndb
# exit
--------------- /opt/scripts/UpdateSaneSecurity.sh ---------------
Test the script:
# sh -x /opt/scripts/UpdateSaneSecurity.sh
The rights used for the sigs are absolutely fundamental, which means you
really have to adjust them to the right user/group. This is done by the
script, but check that all is ok:
# chown clamupdate:clamupdate /var/lib/clamav
# chmod 755 /var/lib/clamav
# chown clamupdate:clamupdate /var/lib/clamav/[signatures]
# chmod 644 /var/lib/clamav/[signatures]
For CentOS 6 the user is different from CentOS 7:
# chown clam:clam /var/lib/clamav
# chmod 755 /var/lib/clamav
# chown clam:clam /var/lib/clamav/[signatures]
# chmod 644 /var/lib/clamav/[signatures]
If all rights are ok, you have the following sigs:
# ls -la /var/lib/clamav/
total 192200
drw-r--r-- 2 clamupdate clamupdate 4096 Jun 12 11:19 .
drwxr-xr-x. 33 root root 4096 Jun 12 03:40 ..
-rw-r--r-- 1 clamupdate clamupdate 82868 Jun 12 10:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate 3455748 Jun 12 10:48 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 90764 Jun 12 10:48 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate 838 Jun 12 10:48 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 14822 Jun 12 10:48 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 449536 Jun 11 21:00 bytecode.cld
-rw-r--r-- 1 clamupdate clamupdate 370884 Jun 12 10:48 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate 91127296 Jun 12 00:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 65 Jul 26 2013 doppelstern.hdb
-rw-r--r-- 1 clamupdate clamupdate 185 Jul 26 2013 doppelstern.ndb
-rw-r--r-- 1 clamupdate clamupdate 309 Apr 17 2012 doppelstern-phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate 8231 Apr 24 08:51 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 1913 Sep 19 2014 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate 40244 Apr 24 08:51 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 6345046 Jun 11 15:53 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 236844 Jun 12 10:51 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 440575 Jun 12 10:51 jurlbl.ndb
-rw-r--r-- 1 clamupdate clamupdate 244719 Oct 1 2014 lott.ndb
-rw-r--r-- 1 clamupdate clamupdate 64720632 Sep 27 2013 main.cvd
-rw------- 1 clamupdate clamupdate 104 Jun 12 09:00 mirrors.dat
-rw-r--r-- 1 clamupdate clamupdate 3738316 Jun 12 10:51 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 4338113 Jun 12 10:45 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate 272672 Jun 12 10:45 porcupine.ndb
-rw-r--r-- 1 clamupdate clamupdate 271576 Jun 12 05:52 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate 13423230 Jun 12 10:45 scamnailer.ndb
-rw-r--r-- 1 clamupdate clamupdate 1869470 Jun 11 15:53 scam.ndb
-rw-r--r-- 1 clamupdate clamupdate 1602 Nov 21 2014 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate 98 May 19 16:54 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 282 Jun 6 19:51 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate 71222 Jun 12 10:51 spearl.ndb
-rw-r--r-- 1 clamupdate clamupdate 2023137 Jun 12 00:50 spear.ndb
-rw-r--r-- 1 clamupdate clamupdate 103385 Jun 12 10:45 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate 259649 Jun 12 10:45 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 660 Jun 12 10:45 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamupdate clamupdate 204173 Jun 12 10:45 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 159 Jun 12 10:45 winnow_extended_malware_links.ndb
-rw-r--r-- 1 clamupdate clamupdate 117066 Jun 12 10:45 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 732995 Jun 12 10:45 winnow_malware_links.ndb
-rw-r--r-- 1 clamupdate clamupdate 731122 Jun 12 10:45 winnow_phish_complete.ndb
-rw-r--r-- 1 clamupdate clamupdate 731041 Jun 12 10:45 winnow_phish_complete_url.ndb
-rw-r--r-- 1 clamupdate clamupdate 186210 Jun 12 10:45 winnow_spam_complete.ndb
Restart the clamav service, which has dependencies on amavisd; from this
point of view, do not restart clamav itself:
# systemctl stop clamd@amavisd.service
# systemctl start clamd@amavisd.service
Check the logs:
==> /var/log/clamav/clamd.log <==
Fri Jun 12 11:45:39 2015 -> +++ Started at Fri Jun 12 11:45:39 2015
Fri Jun 12 11:45:39 2015 -> clamd daemon 0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Fri Jun 12 11:45:39 2015 -> Running as user amavis (UID 411, GID 411)
Fri Jun 12 11:45:39 2015 -> Log file size limited to 2097152 bytes.
Fri Jun 12 11:45:39 2015 -> Reading databases from /var/lib/clamav
Fri Jun 12 11:45:39 2015 -> Not loading PUA signatures.
Fri Jun 12 11:45:39 2015 -> Bytecode: Security mode set to "TrustSigned".
Fri Jun 12 11:45:51 2015 -> Loaded 4102710 signatures.
Fri Jun 12 11:45:52 2015 -> LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.sock
Fri Jun 12 11:45:52 2015 -> LOCAL: Setting connection queue length to 30
Fri Jun 12 11:45:52 2015 -> Limits: Global size limit set to 104857600 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: File size limit set to 31457280 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: Recursion level limit set to 10.
Fri Jun 12 11:45:52 2015 -> Limits: Files limit set to 15000.
Fri Jun 12 11:45:52 2015 -> Limits: Core-dump limit is 0.
Fri Jun 12 11:45:52 2015 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Fri Jun 12 11:45:52 2015 -> Limits: MaxPartitions limit set to 50.
Fri Jun 12 11:45:52 2015 -> Limits: MaxIconsPE limit set to 100.
Fri Jun 12 11:45:52 2015 -> Archive support enabled.
Fri Jun 12 11:45:52 2015 -> Algorithmic detection enabled.
Fri Jun 12 11:45:52 2015 -> Portable Executable support enabled.
Fri Jun 12 11:45:52 2015 -> ELF support enabled.
Fri Jun 12 11:45:52 2015 -> Detection of broken executables enabled.
Fri Jun 12 11:45:52 2015 -> Mail files support enabled.
Fri Jun 12 11:45:52 2015 -> OLE2 support enabled.
Fri Jun 12 11:45:52 2015 -> PDF support enabled.
Fri Jun 12 11:45:52 2015 -> SWF support enabled.
Fri Jun 12 11:45:52 2015 -> HTML support enabled.
Fri Jun 12 11:45:52 2015 -> Self checking every 600 seconds.
Fri Jun 12 11:45:52 2015 -> Listening daemon: PID: 5131
Fri Jun 12 11:45:52 2015 -> MaxQueue set to: 100
As already mentioned within the script, use crontab to keep the sigs up
to date:
# crontab -e
--------------- crontab -e ---------------
#
# Update additional virus definition db for clamav CentOS 7
15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * * /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /bin/systemctl reload clamd.amavisd.service > /dev/null
#
# Update additional virus definition db for clamav CentOS 6
15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * * /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /sbin/service clamd.amavisd reload > /dev/null
--------------- crontab -e ---------------
The sigs update can be monitored via the following log used within the
script:
# chown clamupdate:clamupdate /var/log/clamav/UpdateSaneSecurity.log
# chmod 600 /var/log/clamav/UpdateSaneSecurity.log
For CentOS 6 use:
# chown clam:clam /var/log/clamav/UpdateSaneSecurity.log
# chmod 600 /var/log/clamav/UpdateSaneSecurity.log
Now these sigs are already configured in amavisd, which means:
# vi /etc/amavisd/amavisd.conf
--------------- /etc/amavisd/amavisd.conf ---------------
## ANTI-VIRUS AND INVALID/FORBIDDEN CONTENTS CONTROLS
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'          => undef ],  # keep as infected
    [ qr'^Sanesecurity\.Foxhole\.Zip_exe'                  => 0.1 ],    # F.P.
    [ qr'^Sanesecurity\.Foxhole\.'                         => undef ],  # keep as infected
    [ qr'^Sanesecurity\.'                                  => 0.1 ],
    [ qr'^Sanesecurity_PhishBar_'                          => 0 ],
    [ qr'^Sanesecurity.TestSig_'                           => 0 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
    [ qr'^Email\.Spammail\b'                               => 0.1 ],
    [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
    [ qr'^Safebrowsing\.'                                  => 0.1 ],
    [ qr'^winnow\.(phish|spam)\.'                          => 0.1 ],
    [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
    [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)' => 0.1 ],
    [ qr'^Bofhland\.Phishing'                              => 0.1 ],
    [ qr'^ScamNailer\.'                                    => 0.1 ],
    [ qr'^HTML/Bankish'                                    => 0.1 ],    # F-Prot
    [ qr'^PORCUPINE_JUNK'                                  => 0.1 ],
    [ qr'^PORCUPINE_PHISHING'                              => 0.1 ],
    [ qr'^Porcupine\.Junk'                                 => 0.1 ],
    [ qr'^PhishTank\.Phishing\.'                           => 0.1 ],
    [ qr'-SecuriteInfo\.com(\.|\z)'                        => undef ],  # keep as infected
    [ qr'^MBL_NA\.UNOFFICIAL'                              => 0.1 ],    # false positives
    [ qr'^MBL_'                                            => undef ],  # keep as infected
  ));
--------------- /etc/amavisd/amavisd.conf ---------------
We actually do not use this configuration, which means: for some sigs, if
clamav finds something it will be rejected as virus found; instead the
stuff is converted to spam found with a specific score. This means if
clamav finds a spam sig it will not be rejected; instead clamav gives a
spam score and spamassassin continues with its checks etc. For this,
use the following within local.cf of spamassassin:
# vi /etc/mail/spamassassin/local.cf
--------------- /etc/mail/spamassassin/local.cf ---------------
# Deal with "X-Amavis-AV-Status" related to
# the amavisd.conf entry "@virus_name_to_spam_score_maps"
header L_AV_Phish        X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_Scam         X-Amavis-AV-Status =~ m{\bAV:ScamNailer\.Phish\.}i
header L_AV_Spam         X-Amavis-AV-Status =~ m{\bAV:Email\.Spammail}i
header L_AV_PhishHeur    X-Amavis-AV-Status =~ m{\bAV:Phishing\.Heuristics\.}i
header L_AV_DS_Phish     X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Phishing\.}i
header L_AV_DS_Scam      X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Scam}i
header L_AV_DS_Junk      X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Junk\.}i
header L_AV_SS_PhishBar  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_TestSig   X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.TestSig_}
header L_AV_SS_Spear     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Spear}
header L_AV_SS_Malware   X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
header L_AV_SS_Spam      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
header L_AV_SS_Hdr       X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img       X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO|SpamImg)\.}
header L_AV_SpamDomain   X-Amavis-AV-Status =~ m{^INetMsg\.SpamDomain\b}
header L_AV_SS_Bounce    X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS         X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta   L_AV_SS_other     __L_AV_SS && !(L_AV_SS_PhishBar || L_AV_SS_Phish || L_AV_SS_TestSig || L_AV_SS_Spear || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img    X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam   X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL          X-Amavis-AV-Status =~ m{\bAV:MBL_(?!NA\.UNOFFICIAL)}
header L_AV_SecInf       X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
header L_AV_Any          X-Amavis-AV-Status =~ m{\bAV:}
describe L_AV_Phish        Email|HTML.Phishing
describe L_AV_Scam         ScamNailer.Phish
describe L_AV_Spam         Email.Spammail
describe L_AV_PhishHeur    Phishing.Heuristics
describe L_AV_DS_Phish     Doppelstern.Phishing
describe L_AV_DS_Scam      Doppelstern.Scam
describe L_AV_DS_Junk      Doppelstern.Junk
describe L_AV_SS_PhishBar  Sanesecurity_PhishBar
describe L_AV_SS_Phish     Sanesecurity.Phishing
describe L_AV_SS_TestSig   Sanesecurity.TestSig
describe L_AV_SS_Spear     Sanesecurity.Spear
describe L_AV_SS_Malware   Sanesecurity.(Malware|Rogue|Trojan)
describe L_AV_SS_Scam      Sanesecurity.(Scam[A-Za-z0-9])
describe L_AV_SS_Spam      Sanesecurity.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)
describe L_AV_SS_Hdr       Sanesecurity.Hdr
describe L_AV_SS_Img       Sanesecurity.(Img|ImgO|SpamImg)
describe L_AV_SpamDomain   INetMsg.SpamDomain
describe L_AV_SS_Bounce    Spam.Bounce.Sanesecurity
describe __L_AV_SS         Sanesecurity
describe L_AV_MSRBL_Img    MSRBL-Images
describe L_AV_MSRBL_Spam   MSRBL-SPAM
describe L_AV_MBL          MBL_.UNOFFICIAL
describe L_AV_SecInf       SecuriteInfo.com
describe L_AV_Any          Any SaneSecurity & MSRBL Signatures
score L_AV_Phish        14
score L_AV_Scam         10
score L_AV_Spam         5
score L_AV_SpamDomain   6
score L_AV_PhishHeur    5
score L_AV_DS_Phish     14
score L_AV_DS_Scam      10
score L_AV_DS_Junk      8
score L_AV_SS_Phish     5
score L_AV_SS_PhishBar  0.5
score L_AV_SS_TestSig   0.123
score L_AV_SS_Spear     4
score L_AV_SS_Scam      8
score L_AV_SS_Spam      8
score L_AV_SS_Hdr       6
score L_AV_SS_Img       3.5
score L_AV_SS_Bounce    0.1
score L_AV_SS_other     1
score L_AV_SS_Malware   14
score L_AV_MBL          14
score L_AV_MSRBL_Img    3.5
score L_AV_MSRBL_Spam   6
score L_AV_SecInf       8
score L_AV_Any          2
--------------- /etc/mail/spamassassin/local.cf ---------------
Restart amavisd:
# systemctl restart amavisd.service
Finally I have to say: Yes, you can do this stuff over Kolab, but does it
really make sense to do this for every Kolab installation again and again?
Yes, you can do it, but I prefer to use MX gateways for all domains, which
means Kolab is only accessible over port 25 for these MX gateways and not
for the public world. The MX gateways are for incoming only and not for
outgoing. This is something Kolab itself does etc. I do not use a high
performance server; instead I use a small server but with minimal
packages, memory-intensive stuff etc. etc.
Architecture: i686
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 2
Core(s) per socket: 2
Socket(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 28
Stepping: 10
CPU MHz: 1666.693
BogoMIPS: 3333.38
L1d cache: 24K
L1i cache: 32K
L2 cache: 512K
On this server I run approx. 16 domains with about 300 email addresses and
approx. 2500 messages per day. I use 32-bit systems because for perl etc.
64-bit is not necessary and gives no performance advantage! As mentioned,
here is my configuration, and please again be careful: nothing to copy/paste,
you have to understand what you add. Especially for amavisd.conf I have
to say the following additionally: no message will be TAGGED within the
subject; instead everything will be quarantined locally and a report will
be sent to virusalert at mydomain.ch and spamalert at mydomain.ch for
analysis and to have the information for false positives, which actually I
do not have :-) Such a report looks the following way (this report is
from an MX gateway but based on the same config which I have, for testing
purposes, also activated on Kolab):
Content type: Spam
Internal reference code for the message is 18101-03/Z8rISpQdNtGp
First upstream SMTP client IP address: [217.112.35.101]:41368 mx25.valuehost.ru
Received trace: ESMTP://[217.112.35.101]:41368 < ESMTP://127.0.0.1 < ESMTPA://64.137.238.13
Return-Path: <postmaster at mypitbike.ru>
From: "DON LUIS ALBERT"<postmaster at mypitbike.ru>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Subject: Ref Nº OYI/2551256003/16
The message has been quarantined as: spam-Z8rISpQdNtGp.gz
The message WAS NOT relayed to:
<info at mydomain.ch>:
250 2.7.0 ok, discarded, id=18101-03 - spam
Spam scanner report:
AV scanner ClamAV-clamd reported spam (not infection): Porcupine.Junk.36046.UNOFFICIAL
Spam detection software, running on the system "stratos.comcept.ch", has identified this incoming email as possible spam.
If you have any questions, contact postmaster at comcept.ch for any further information.
Content preview: C/SAN PEZ ANCATARA 24. 08905 BARCELONA - SPAIN
TELE:0034-602-657-019
EMAIL: lottointer at europe.com 03/08/16 OFFIZIELLE MITTEILUNG VON SITZ
DES
VIZEPRASIDENTEN INTERNATIONALE PROMOTIOM-GEWINNZUTEILUNG OFFIZIELLE
GEWINNBENACHRITIGUNG
Wir sind erfreut ihnen mitteilen zu konnen, das die gewinnliste
LOTERIAL
NACIONAL an 29/07/2016 erschienen ist.Dir offizielle liste der
gewinner erschien
am 03/08/2016 Ihr name wurde auf dem los mit dir nummer:
025.11464992.750
und mit der seriennummer:2113-06, Ref Nє OYI/2551256003/16 und
stapel nє:
Gr/14/117/1pd registried. Die glucksnummer: 10-16-25-41-46, haben in
der
3. Kategorie gewonnen. [...]
Content analysis details: (87.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low trust
                            [217.112.35.101 listed in list.dnswl.org]
 2.0 RCVD_IN_NIX_SPAM       RBL: Listed in NIX-SPAM DNSBL
                            [217.112.35.101 listed in ix.dnsbl.manitu.net]
 3.0 RCVD_IN_DNSBL_Blocklist_de RBL: Sender listed on Blocklist DNSBL
                            [64.137.238.13 listed in allinone.bl.blocklist.de]
 0.8 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is an abusable web server
                            [64.137.238.13 listed in dnsbl.sorbs.net]
 4.5 HS_BODY_655            BODY: Heinlein Support Spamschutz Body-655
 0.0 FSL_CTYPE_WIN1251      Content-Type only seen in 419 spam
 2.0 RELAYCOUNTRY_BAD       Relayed through spamy country at some point CN RU LI UA RO HK UZ KR VN JP TW TH IN
-1.0 RELAYCOUNTRY_GOOD      Relayed through trusted country CH DE AT FR US CA
 2.0 L_AV_Any               Any SaneSecurity & MSRBL Signatures
 0.0 NSL_RCVD_FROM_USER     Received from User
-1.0 L_P0F_Unix             Remote system is running Unix, not Linux
-0.1 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=217.112.35.101,rdns=mx25.valuehost.ru]
-0.0 BOTNET_SOHO            Relay might be a SOHO mail server
                            [botnet_soho,ip=217.112.35.101,maildomain=mypitbike.ru,helo=mx25.valuehost.ru]
 1.0 MISSING_HEADERS        Missing To: header
 0.2 TW_NF                  BODY: Odd Letter Triples with NF
 0.2 TW_ZN                  BODY: Odd Letter Triples with ZN
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5023]
 4.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 1.0 ZMIde_OutlookExpress   Outlook Express should not be used anymore
 0.5 MISSING_MID            Missing Message-Id: header
 4.0 ZMIde_LOTTERYHARD1     lottery fake, 1+ hits
 8.0 ZMIde_LOTTERYHARD3     lottery fake, 3+ hits
 0.0 FROM_MISSP_MSFT        From misspaced + supposed Microsoft tool
 1.9 ZMIde_LOTTERY1         lottery fake, 1+ hit
 0.0 FSL_NEW_HELO_USER      Spam's using Helo and User
 8.0 ZMIde_LOTTERYHARD2     lottery fake, 2+ hits
 1.0 RELAYCOUNTRY_ALL       Relayed through any country
 2.9 ZMIde_LOTTERY2         lottery fake, 2+ hits
 0.0 FROM_MISSP_USER        From misspaced, from "User"
  20 ZMIde_LOTTERY4         lottery fake, 6+ hits
 0.0 FROM_MISSP_XPRIO       Misspaced FROM + X-Priority
 1.1 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
 7.0 ZMIde_LOTTERY3         lottery fake, 4+ hits
 0.0 TO_NO_BRKTS_FROM_MSSP  Multiple header formatting problems
 0.0 FROM_MISSPACED         From: missing whitespace
 0.0 T_FROM_MISSP_DKIM      From misspaced, DKIM dependable
 8.0 ZMIde_LOTTERY_OL       lottery fake sent via Outlook Express
 2.0 LOTTO_DEPT             Claims Department
 1.9 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
 2.5 TO_NO_BRKTS_MSFT       To: lacks brackets and supposed Microsoft tool
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
 1.0 FORM_FRAUD             Fill a form and a fraud phrase
-0.8 TXREP                  TXREP: Score normalizing based on sender's reputation
==============================================================================
last-external-host = mx25.valuehost.ru [217.112.35.101]
HELO=mx25.valuehost.ru
possible-languages = de
ASN-relayed-countries = RU ** CA [AS30943 AS1239 AS6453 AS3216] 217.112.35.0/24
dkim-sign-identities =
dkim-sign-domains =
pyzor = Reported 3 times.
RBL = <dns:13.238.137.64.dnsbl.sorbs.net> [127.0.0.7]
      <dns:101.35.112.217.list.dnswl.org> [127.0.5.1]
      <dns:101.35.112.217.ix.dnsbl.manitu.net> [127.0.0.2]
      <dns:101.35.112.217.hostkarma.junkemailfilter.com> [127.0.0.5]
      <dns:mypitbike.ru?type=MX> [100 mx25.valuehost.ru.]
      <dns:mypitbike.ru> [217.112.35.77]
      <dns:13.238.137.64.allinone.bl.blocklist.de> [127.0.0.13]
      <dns:13.238.137.64.zen.spamhaus.org> [127.0.0.4]
DCC-brand = INFN-TO
DCC-result = stratos.comcept.ch 1233; Body=many Fuz1=many
bayes-score = 0.5023
bayes-token-summary = Tokens: new, 200; hammy, 52; neutral, 197; spammy, 98.
bayes-token-spam-count = 98
bayes-token-ham-count = 52
bayes-token-spam = H*r:User, H*RU:User, sk:GEWINNB, MADRID, gewinnliste, reibunglosen, sk:gewinna, garantiet, ausgewahlt, GLUCKWUNSCH, seguros, SEGUROS, GLUCKWUNSCH!!!, glucksnummer, Hx-spam-relays-external:User, 1016254146
bayes-token-ham = SICH, ZUR, Bezeichnung, ganz, werden, 117, sk:bearbei, UD:Alle, bankdaten, sitz, informiert, mitteilen, verarbeitung, acht, Verarbeitung, nacional
bayes-auto-learned = spam autolearn_force=no 88.264
==============================================================================
Hope this helps...have fun.
Kind regards
Andrea Soliva
andrea.soliva at comcept.ch
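To see how the amavisd map and the local.cf rules above chain together, here is an added Python example (not amavisd's or SpamAssassin's own code): stage 1 applies a subset of the @virus_name_to_spam_score_maps entries, stage 2 applies a subset of the L_AV_* header rules, including the L_AV_SS_other meta rule, to a constructed X-Amavis-AV-Status value in the "AV:<name>" form those rules match on. The sample signature names are constructed, except Porcupine.Junk.36046.UNOFFICIAL, which is the one from the quarantine report above.

```python
import re

# Added example, not amavisd's or SpamAssassin's code: replays the post's
# two-stage handling of a ClamAV signature name on sample names.

# Stage 1: a subset of the post's @virus_name_to_spam_score_maps entries,
# in the post's order; first match wins, None stands for undef (keep as
# infected), and a name that matches nothing stays a virus as well.
VIRUS_NAME_TO_SPAM_SCORE = [
    (r'^(Heuristics\.)?Phishing\.', 0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 0.1),
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity\.Foxhole\.Zip_exe', 0.1),
    (r'^Sanesecurity\.Foxhole\.', None),
    (r'^Sanesecurity\.', 0.1),
    (r'^Porcupine\.Junk', 0.1),
    (r'^MBL_NA\.UNOFFICIAL', 0.1),
    (r'^MBL_', None),
]

# Stage 2: a subset of the post's local.cf header rules on
# X-Amavis-AV-Status, as (rule name, pattern, re flags, score).
SA_HEADER_RULES = [
    ('L_AV_Phish', r'\bAV:(Email|HTML)\.Phishing\.', re.I, 14),
    ('L_AV_SS_PhishBar', r'\bAV:Sanesecurity_PhishBar_', 0, 0.5),
    ('L_AV_SS_Phish', r'\bAV:Sanesecurity\.Phishing\.', 0, 5),
    ('L_AV_SS_Malware', r'\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.', 0, 14),
    ('L_AV_SS_Spam',
     r'\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.',
     0, 8),
    ('L_AV_MBL', r'\bAV:MBL_(?!NA\.UNOFFICIAL)', 0, 14),
    ('L_AV_Any', r'\bAV:', 0, 2),
]
# The post's meta rule L_AV_SS_other: a Sanesecurity hit that none of the
# specific Sanesecurity rules above explains, scored 1.
SS_ANY = re.compile(r'\bAV:Sanesecurity\.')
SS_SPECIFIC = {'L_AV_SS_PhishBar', 'L_AV_SS_Phish', 'L_AV_SS_Malware', 'L_AV_SS_Spam'}


def map_virus_name(sig):
    """Stage 1: ('infected', None) or ('spam', score) for one signature name."""
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE:
        if re.search(pattern, sig):
            return ('infected', None) if score is None else ('spam', score)
    return ('infected', None)


def score_av_header(header_value):
    """Stage 2: (sorted names of the rules that fire, their summed score)."""
    hits = {}
    for name, pattern, flags, score in SA_HEADER_RULES:
        if re.search(pattern, header_value, flags):
            hits[name] = score
    if SS_ANY.search(header_value) and not (set(hits) & SS_SPECIFIC):
        hits['L_AV_SS_other'] = 1
    return sorted(hits), sum(hits.values())


def process(sig):
    """Both stages: (verdict, amavisd spam score, SA rules fired, SA score).

    A name kept as infected never reaches SpamAssassin, so its SA part is empty.
    """
    verdict, av_score = map_virus_name(sig)
    if verdict == 'infected':
        return ('infected', None, [], 0)
    # Constructed header value: the post's rules key on an "AV:<name>" token
    # in X-Amavis-AV-Status, so that is the shape built here.
    rules, total = score_av_header('AV:' + sig)
    return ('spam', av_score, rules, total)


if __name__ == '__main__':
    # First name is the one from the quarantine report; the rest are
    # constructed to hit each branch of the maps.
    for name in ('Porcupine.Junk.36046.UNOFFICIAL',
                 'Sanesecurity.Junk.12345.UNOFFICIAL',
                 'Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL',
                 'Sanesecurity.Malware.1.UNOFFICIAL',
                 'MBL_NA.UNOFFICIAL', 'MBL_12345.UNOFFICIAL',
                 'Email.Phishing.Sample-1', 'Win.Trojan.Agent-1'):
        print(name, '->', process(name))
```

For the report's Porcupine.Junk name only the generic L_AV_Any rule fires, which is exactly the 2.0 the report shows; a Sanesecurity name with no matching specific rule picks up L_AV_SS_other on top of it.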
-----Original Message-----
From: users-bounces at lists.kolab.org [mailto:users-bounces at lists.kolab.org] On Behalf Of Carpenter, Troy
Sent: Friday, 5 August 2016 23:27
To: users at lists.kolab.org
Subject: Re: Spam issues and how to overcome them
On 2016-06-14 04:00 PM, Lance Charette wrote:
> On 6/13/2016 11:17 AM, Philip Trickett (List) wrote:
>> Hi Homer,
>>
>> I have taken a similar route to you, but I found the things I
>> implemented that reduced spam the most were:
>>
>> Greylisting using Postgrey: http://postgrey.schweikert.ch/
>> https://www.howtoforge.com/greylisting_postfix_postgrey
>>
>> Implementing DKIM and SPF for postfix: http://www.opendkim.org/ There
>> are some good howtos out there as well.
>>
>> I am using Kolab on Centos 7, but it should be fairly simple to
>> implement, the most frustrating part is waiting for the DNS updates
>> for DKIM.
>>
>>
>> Hope that helps,
>>
>>
>> Phil
>
> Thanks a bunch Phil and Nathanael for your replies.
>
> I too had been using greylisting and spf which helped considerably
> however it wasn't near enough for the amount of spam our accounts are
> getting.
>
> I was hoping to find some information on how I could set up black &
> white lists that could be contributed to by each email user within the
> Roundcube mail client but haven't seen anything yet. As I indicated
> in the beginning of this thread, I owned and operated an ISP for over
> 15 years and have used a wide variety of email servers and separate
> anti-spam servers as well, all set up and configured within so I have
> a pretty good handle on the do's and don'ts and have done so on both
> Windows based and Linux based platforms. This is the first time
> however where I have used an 'environment' that takes so many tools
> that are independently otherwise off the shelf and tries to meld them
> all into one. It's a far cry different than just using an email
> server and a separate anti-spam package... i.e. like spamassassin on
> its own.
>
> In the Kolab environment you have Kolab wrapped around everything,
> amavis wrapped about spamassassin and so on and so on and it's the
> lack of a well documented 'strategy' that makes it difficult to know
> (understand) how one affects the other, etc. A solid block diagram of
> how all the pieces fit into the puzzle would be a great start. Solid
> examples of actual configuration files for a particular Kolab version
> would also help a lot.
>
> I understand that this is a 'community' effort but one HAS to believe
> that the primary retail side of Kolab has already worked these issues
> out and could reciprocate in the reverse direction given they benefit
> from the community as they do.
>
> Once satisfied with a working environment... and one that doesn't
> require administration on a daily basis... I will post my examples for
> others in 'our boat' to have something to start from. I have set up
> two dedicated ScrollOutF1 vm servers, each on the same vm server the
> Kolab resides on respectively and have setup virtual networking within
> for the ScrollOutF1 to talk directly to the Kolab environment
> eliminating the additional load on the physical network. That's
> working very well. Also, as ScrollOutF1 is using many of the same
> tools already embedded in Kolab, I'm actually hoping to take the
> settings once defined to our satisfaction in ScrollOutF1 and migrate
> them to the Kolab equivalents and ultimately take ScrollOutF1 out of
> the picture.
>
> Again, thanks everyone and I will continue to push on and contribute
> as it becomes apparent I have a well working environment... which I
> hope to be soon. I have users that may exterminate me if I don't.
>
> hdokes
> users at lists.kolab.org
I'm a little late to this thread...but according to my logs, the
following smtpd_recipient_restrictions line in my postfix main.cf goes a
long way to stopping quite a bit of SPAM:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/recipient_policy_incoming,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rhsbl.sorbs.net,
    permit
Obviously the reject_rbl_client is the section that does the most. I
haven't updated that in a while, so I make no claims as to which of
those services work except for zen.spamhaus.org and bl.spamcop.net, both
of which I've seen in my recent logs as being used to block.
For items that get through that, spamassassin still catches quite a bit.
It tags and a sieve script moves the email to the Spam directory if
the score is low enough; otherwise if the score is high, Amavisd shunts
it to a quarantine database with a web interface for users to release if
necessary.
The only thing I don't have a good handle on is training the Bayesian
database...but I only have about 10 users on the system right now.
Troy
_______________________________________________
users mailing list
users at lists.kolab.org
https://lists.kolab.org/mailman/listinfo/users