AW: Spam issues and how to overcome them

Andrea Soliva andrea.soliva at comcept.ch
Sat Aug 6 10:08:24 CEST 2016


Hi

What I can recommend, based on CentOS 6, is postscreen, which is really nice. Unfortunately "postscreen" is only available with CentOS 7, because "postscreen" is only supported up to version 2.8. Use postscreen only on port 25 and disable tls etc. There are also different technologies available which prevent spam as much as possible, and I'm fully satisfied. Below you see some of them and how to implement them; it is only a part of all the stuff you can do, but for me these are the most important ones.

Please keep in mind not to implement everything at once. Do step-by-step implementations, because every installation is different. If you implement some restrictions in postfix, use the restriction in the first step with "warn_if_reject", which means: the restriction is used, but no reject happens; instead a log entry is generated. This means also, if you use HELO restrictions, you can use the following:

smtpd_helo_required = yes
smtpd_helo_restrictions =
         permit_mynetworks,
         reject_non_fqdn_hostname,
         reject_invalid_helo_hostname,
         reject_non_fqdn_helo_hostname,
         warn_if_reject reject_unknown_helo_hostname

If you would do so, your clients can not log in anymore and would be rejected, because the HELO is rejected by "reject_non_fqdn_hostname": if an Outlook client is connecting, it can be that the client is delivering not the FQDN of the IP of the provider; instead the HOSTNAME of the client itself is delivered. To not run into this you can use:

smtpd_helo_required = yes
smtpd_helo_restrictions =
         permit_sasl_authenticated,
         permit_mynetworks,
         reject_non_fqdn_hostname,
         reject_invalid_helo_hostname,
         reject_non_fqdn_helo_hostname,
         warn_if_reject reject_unknown_helo_hostname

This means also: go step by step..... use "warn_if_reject" to analyse the stuff and find out if it will break something! Every installation is a little bit different etc.




STEP 1 POSTSCREEN FOR POSTFIX ON PORT 25 ONLY

Make sure that you have defined your local network within main.cf, so that postscreen is not used for "mynetworks" (permit_mynetworks):

        # mkdir /var/spool/postfix/data
        # chown postfix:root /var/spool/postfix/data
        # chmod 700 /var/spool/postfix/data

        # vi /etc/postfix/postscreen_white-blacklist

        --------------- /etc/postfix/postscreen_white-blacklist ---------------

        # Use following to whitelist/blacklist based on cidr
        #
        #xxx.xxx.xxx.xxx/xx               permit  # don't do any further postscreen tests
        #xxx.xxx.xxx.xxx/xx               dunno   # don't do anything and proceed to next stage
        #xxx.xxx.xxx.xxx/xx               reject  # launch action based on postscreen_blacklist_action

        --------------- /etc/postfix/postscreen_white-blacklist ---------------

        # vi /etc/postfix/postscreen_dnsbl_reply

        --------------- /etc/postfix/postscreen_dnsbl_reply ---------------

        ############################################################################
        # Secret DNSBL name in postscreen(8) replies
        #
        #<individueller-spamhaus-lizenzkey>.zen.spamhaus.org        zen.spamhaus.org

        --------------- /etc/postfix/postscreen_dnsbl_reply ---------------

        # vi /etc/postfix/main.cf

        --------------- /etc/postfix/main.cf ---------------

        # USE POSTSCREEN for postfix 2.8 and higher
        #
        # http://www.postfix.org/POSTSCREEN_README.html
        # http://www.postfix.org/postscreen.8.html

        # The Postfix postscreen(8) daemon provides additional protection
        # against mail server overload. One postscreen(8) process handles
        # multiple inbound SMTP connections, and decides which clients may
        # talk to a Postfix SMTP server process. By keeping spambots away,
        # postscreen(8) leaves more SMTP server processes available for
        # legitimate clients, and delays the onset of server overload
        # conditions.
        #
        # To activate postscreen deactivate within master.cf default
        # entry for "smtp inet n - n - - smtpd" and activate postscreen:
        #
        #  #smtp      inet  n       -       n       -       -       smtpd
        #
        #  # To be used for postscreen
        #  smtp      inet  n       -       n       -       1       postscreen
        #  smtpd     pass  -       -       n       -       -       smtpd
        #  #tlsproxy  unix  -       -       n       -       0       tlsproxy
        #  dnsblog   unix  -       -       n       -       0       dnsblog
        #
        postscreen_access_list =
                permit_mynetworks,
                cidr:/etc/postfix/postscreen_white-blacklist

        # When postscreen(8) listens on both primary and backup MX addresses, the
        # postscreen_whitelist_interfaces parameter can be configured to give the
        # temporary whitelist status only when a client connects to a primary MX
        # address. Once a client is whitelisted it can talk to a Postfix SMTP
        # server on any address. Thus, clients that connect only to backup MX
        # addresses will never become whitelisted, and will never be allowed to
        # talk to a Postfix SMTP server process.
        #
        postscreen_whitelist_interfaces = static:all

        # prevent not correct working clients as mynetworks to be rejected
        #
        postscreen_bare_newline_action = ignore
        postscreen_bare_newline_enable = no
        postscreen_bare_newline_ttl = 30d
        postscreen_blacklist_action = ignore
        postscreen_cache_cleanup_interval = 12h
        postscreen_cache_map = btree:/var/spool/postfix/data/postscreen_cache
        postscreen_cache_retention_time = 7d
        postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
        postscreen_command_count_limit = 20
        postscreen_command_filter =
        postscreen_command_time_limit = ${stress?10}${stress:300}s
        postscreen_disable_vrfy_command = $disable_vrfy_command
        postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
        postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords

        # default settings for postscreen
        #
        postscreen_expansion_filter = $smtpd_expansion_filter
        postscreen_forbidden_commands = $smtpd_forbidden_commands
        postscreen_greet_action = ignore
        postscreen_greet_banner = $smtpd_banner
        postscreen_greet_ttl = 1d
        postscreen_greet_wait = ${stress?2}${stress:6}s
        postscreen_helo_required = $smtpd_helo_required
        postscreen_non_smtp_command_action = drop
        postscreen_non_smtp_command_enable = no
        postscreen_non_smtp_command_ttl = 30d
        postscreen_pipelining_action = enforce
        postscreen_pipelining_enable = no
        postscreen_pipelining_ttl = 30d
        postscreen_post_queue_limit = $default_process_limit
        postscreen_pre_queue_limit = $default_process_limit
        postscreen_reject_footer = $smtpd_reject_footer
        #postscreen_enforce_tls = $smtpd_enforce_tls
        #postscreen_use_tls = $smtpd_use_tls
        #postscreen_tls_security_level = $smtpd_tls_security_level
        postscreen_watchdog_timeout = 10s
        #proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
        #postscreen_upstream_proxy_protocol =
        #postscreen_upstream_proxy_timeout = 5s

        # The minimal value to reject a sender is defined with "postscreen_dnsbl_threshold".
        # If a value of 3 is reached the sender will be rejected (default), but whitelisting will
        # be considered too with a negative score. This means the sender will be rejected if the positive
        # score minus the negative score is over the score defined for "postscreen_dnsbl_threshold".
        #
        # This will be logged as: "DNSBL rank [score] for [IPv4 Address]:[Source Port]"
        #

        # To enable specific key/secret/answer for dnsbl service use:
        #
        #postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply

        postscreen_dnsbl_action = enforce
        postscreen_dnsbl_ttl = 1h
        #postscreen_dnsbl_min_ttl = 60s
        #postscreen_dnsbl_max_ttl = 1h
        postscreen_dnsbl_whitelist_threshold = 0
        postscreen_dnsbl_threshold = 3
        postscreen_dnsbl_sites =
        # DNSBL Blacklisting
           zen.spamhaus.org*3,
           bl.mailspike.net*3,
           b.barracudacentral.org*2,
           bl.spameatingmonkey.net,
           bl.spamcop.net,
           spamtrap.trblspam.com,
           dnsbl.sorbs.net=127.0.0.[2;3;6;7;10],
           ix.dnsbl.manitu.net,
           bl.blocklist.de,
        # DNSBL Whitelisting
           list.dnswl.org=127.0.[0..255].0*-1,
           list.dnswl.org=127.0.[0..255].1*-2,
           list.dnswl.org=127.0.[0..255].[2..3]*-3,
           iadb.isipp.com=127.0.[0..255].[0..255]*-2,
           iadb.isipp.com=127.3.100.[6..200]*-2,
           wl.mailspike.net=127.0.0.[17;18]*-1,
           wl.mailspike.net=127.0.0.[19;20]*-2

        --------------- /etc/postfix/main.cf ---------------

        # vi /etc/postfix/master.cf

        --------------- /etc/postfix/master.cf ---------------

        #smtp              inet        n       -       n       -       -       smtpd

        # To be used for postscreen for postfix 2.8 and higher
        smtp               inet        n       -       n       -       1       postscreen
        smtpd              pass        -       -       n       -       -       smtpd
        dnsblog            unix        -       -       n       -       0       dnsblog
        #tlsproxy          unix        -       -       n       -       0       tlsproxy

        --------------- /etc/postfix/master.cf ---------------


Afterwards the "postfix" service must be restarted:

        # systemctl restart postfix.service





STEP 2 USE SPF FOR POSTFIX

Use an SPF record within DNS. There are different possibilities, have a look below:

        mydomain.ch.                     IN      TXT     "v=spf1 mx ip4:[Public IPv4 Address of the Mail Server which sends mail out]/32 -all"

This means:

        v=spf1        (SPF Record)
        mx            (MX DNS entries)
        ip4           (IPv4 CIDR)
        -all          (Fail)

For testing you should use "~all" in the first stage and change it afterwards to "-all":

        "+" Pass
        "-" Fail
        "~" SoftFail
        "?" Neutral

Below are the most usable parameters for the DNS record:

        all              = "all"
        include          = "include"  ":" domain-spec
        A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]
        MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
        PTR              = "ptr"    [ ":" domain-spec ]
        IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]
        IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]
        exists           = "exists"   ":" domain-spec


        http://www.openspf.org/SPF_Record_Syntax
        http://www.openspf.org/RFC_4408#examples

You can also create such records with a wizard available on some sites:

        http://www.spfwizard.net/
        http://www.mailradar.com/spf/
        http://www.mtgsy.net/dns/spfwizard.php
        https://www.dynu.com/NetworkTools/SPFGenerator

If you have your entry and all is up and running within DNS, you can check the stuff with the sites below:

        http://www.kitterman.com/spf/validate.html
        https://www.port25.com/authentication-checker/

Even in the first stage the "spf" check will be done via the "spf" check in the spamassassin conf, meaning local.cf, where you have the following regarding "spf". The score is not hard and should also not be hard, because it is anyway only used in the second stage:

        # vi /etc/mail/spamassassin/local.cf

        --------------- /etc/mail/spamassassin/local.cf ---------------

        ## SPF score
        #
        score SPF_NONE 0
        score SPF_HELO_NONE 0
        score SPF_PASS -0.001
        score SPF_HELO_PASS -0.001
        score SPF_FAIL 0 0.919 0 0.001
        score SPF_HELO_FAIL 0 0.001 0 0.001
        score SPF_HELO_NEUTRAL 0 0.001 0 0.112
        score SPF_HELO_SOFTFAIL 0 0.896 0 0.732
        score SPF_NEUTRAL 0 0.652 0 0.779
        score SPF_SOFTFAIL 0 0.972 0 0.665
        score ENV_AND_HDR_SPF_MATCH -0.5
        score USER_IN_SPF_WHITELIST -100.000
        score USER_IN_DEF_SPF_WL -7.500

        --------------- /etc/mail/spamassassin/local.cf ---------------

The SPF plug-in for spamassassin is already in place on CentOS, meaning it was installed as a dependency:

        --> Processing Dependency: perl(Mail::SPF) for package: amavisd-new-2.10.1-4.el7.noarch

Install "spf" from scratch with a perl script:

        # mkdir /root/spf
        # cd /root/spf
        # wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
        # gzip -dc postfix-policyd-spf-perl-2.007.tar.gz | tar xvf -
        # cd /root/spf/postfix-policyd-spf-perl-2.007

Copy the script to "/usr/libexec/postfix/" and adjust the rights so that "nobody" can reach it:

        # cp -p /root/spf/postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/
        # chown root:root /usr/libexec/postfix/postfix-policyd-spf-perl
        # chmod 755 /usr/libexec/postfix/postfix-policyd-spf-perl

Check within the script that the perl binary in the first line points to the right binary:

        # which perl
        /usr/bin/perl

        # vi /usr/libexec/postfix/postfix-policyd-spf-perl

        --------------- /usr/libexec/postfix/postfix-policyd-spf-perl ---------------

        #!/usr/bin/perl

        --------------- /usr/libexec/postfix/postfix-policyd-spf-perl ---------------

At the end of the master file add the following:

        # vi /etc/postfix/master.cf

        --------------- /etc/postfix/master.cf ---------------

        policy              unix        -       n       n       -       -       spawn
           user=nobody argv=/usr/bin/perl /usr/libexec/postfix/postfix-policyd-spf-perl

        --------------- /etc/postfix/master.cf ---------------

Now add to the master a "unix/policy", which means to the "smtpd_recipient_restrictions". Be careful that you define this policy AFTER the entry "reject_unauth_destination" (very important). If you do not, you have the danger of an open relay:

        # vi /etc/postfix/main.cf

        --------------- /etc/postfix/main.cf ---------------

        smtpd_recipient_restrictions =
           permit_mynetworks,
           check_sender_access hash:/etc/postfix/sender_access,
           reject_unauth_pipelining,
           reject_rbl_client zen.spamhaus.org,
           reject_non_fqdn_recipient,
           reject_invalid_helo_hostname,
           reject_unknown_recipient_domain,
           reject_unauth_destination,
           check_policy_service unix:private/policy,
           check_policy_service unix:private/recipient_policy_incoming,
           check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
           check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
           check_client_access regexp:/etc/postfix/check_client_fqdn,
           permit

        policy_time_limit = 3600

        --------------- /etc/postfix/main.cf ---------------

        # systemctl restart postfix.service

Check your "postfix" log:

        # tail -f /var/log/postfix/postfix

        --------------- /var/log/postfix/postfix ---------------

        Jul 21 22:43:00 kolab postfix/smtpd[4768]: connect from mx3.also.com[194.115.88.35]
        Jul 21 22:43:01 kolab postfix/policy-spf[4775]: : SPF pass (Mechanism 'mx' matched): Envelope-from: andrea.soliva at also.com
        Jul 21 22:43:01 kolab postfix/policy-spf[4775]: handler sender_policy_framework: is decisive.
        Jul 21 22:43:01 kolab postfix/policy-spf[4775]: : Policy action=PREPEND Received-SPF: pass (also.com: 194.115.88.35 is authorized to use 'andrea.soliva at also.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=dns1; identity=mailfrom; envelope-from="andrea.soliva at also.com"; helo=mx3.also.com; client-ip=194.115.88.35
        Jul 21 22:43:01 kolab postfix/smtpd[4768]: 7E94B21285D0: client=mx3.also.com[194.115.88.35]
        Jul 21 22:43:01 kolab postfix/cleanup[4790]: 7E94B21285D0: message-id=<7C210310-5A72-4DE9-A52A-90239B1AF198 at also.com>
        Jul 21 22:43:01 kolab postfix/qmgr[4758]: 7E94B21285D0: from=<andrea.soliva at also.com>, size=2218, nrcpt=1 (queue active)

        --------------- /var/log/postfix/postfix ---------------

Below is a short description of how spf is working:

        This version of the policy server always checks HELO before Mail  From (older
        versions just checked HELO if Mail From was null).  It will reject mail that
        fails either Mail From or HELO SPF checks.  It will defer mail if there is a
        temporary SPF error and the message would otherwise be permitted
        (DEFER_IF_PERMIT).  If the HELO check produces a REJECT/DEFER result, Mail From
        will not be checked.

        If the message is not rejected or deferred, the policy server will PREPEND the
        appropriate SPF Received header.  If Mail From is anything other than completely
        empty (i.e. <>) then the Mail From result will be used for SPF Received (e.g.
        Mail From None even if HELO is Pass).

        The policy server skips SPF checks for connections from the localhost (127.) and
        instead prepends and logs 'SPF skipped - localhost is always allowed.'  If you
        have relays that you want to skip SPF checks for, you can add them to
        relay_addresses on line 78 using standard CIDR notation in a space separated
        list.  For these addresses, 'X-Comment: SPF skipped for whitelisted relay' is
        prepended and logged. IPv6 localhost is also skipped.

        Error conditions within the policy server (that don't result in a crash) or from
        Mail::SPF will return DUNNO.

        Each time a Postfix SMTP server process is started it connects to the policy
        service socket, and Postfix runs one instance of this Perl script.  By
        default, a Postfix SMTP server process terminates after 100 seconds of idle
        time, or after serving 100 clients.  Thus, the cost of starting this Perl
        script is smoothed out over time.

        The default policy_time_limit is 1000 seconds.  This may be too short for some
        SMTP transactions to complete.  As recommended in SMTPD_POLICY_README, this
        should be extended to 3600 seconds.  To do so, set "policy_time_limit = 3600"
        in /etc/postfix/main.cf.

You can also test locally in the following way. Test which would not match:

        # /usr/libexec/postfix/postfix-policyd-spf-perl
        request=smtpd_access_policy
        protocol_state=RCPT
        protocol_name=SMTP
        helo_name=host.example.com
        queue_id=
        instance=71b0.45e2f5f1.d4da1.0
        sender=user at comcept.ch
        recipient=soliva at comcept.ch
        client_address=1.2.3.4
        client_name=host.example.com
        [Do not enter anything here, just press ENTER]

        action=550 Please see http://www.openspf.net/Why?s=mfrom;id=user%40comcept.ch;ip=1.2.3.4;r=kolab.comcept.ch


Test which would match:

        # /usr/libexec/postfix/postfix-policyd-spf-perl
        request=smtpd_access_policy
        protocol_state=RCPT
        protocol_name=SMTP
        helo_name=kolab.comcept.ch
        queue_id=
        instance=71b0.45e2f5f1.d4da1.0
        sender=user at comcept.ch
        recipient=soliva at comcept.ch
        client_address=192.168.100.116
        client_name=kolab.comcept.ch
        [Empty line, finish with ENTER]

        action=PREPEND Received-SPF: pass (comcept.ch: 192.168.100.116 is authorized to use 'user at comcept.ch' in 'mfrom' identity (mechanism 'mx' matched)) receiver=kolab.comcept.ch; identity=mailfrom; envelope-from="user at comcept.ch"; helo=kolab.comcept.ch; client-ip=192.168.100.116





STEP 3 USE HEADER CHECKS WITHIN POSTFIX FOR BOUNCES

        # vi /etc/postfix/header_checks

        ---------------- /etc/postfix/header_checks  ----------------

        #############################################################################
        # Allowing null-sender SMTP traffic just fine; it detects bounces in Postfix
        # if they arrive via SMTP in RFC-3464 format, and bounces that slip past are
        # then dealt with in a more CPU-intensive manner using the SpamAssassin
        # VBounce ruleset which is part of the SpamAssassin 3.2.0!
        #
        # This increases the load, since some bounces cannot be rejected at MAIL FROM
        # time now, and instead we have to wait until DATA but CPU hasn't been a
        # problem recently, so this is ok.
        #
        /^Content-Type: multipart\/report; report-type=delivery-status\;/   REJECT no third-party DSNs
        /^Content-Type: message\/delivery-status; /                         REJECT no third-party DSNs

        ---------------- /etc/postfix/header_checks  ----------------

        # vi /etc/postfix/main.cf

        ---------------- /etc/postfix/main.cf ----------------

        # JUNK MAIL CONTROLS
        #
        # The controls listed here are only a very small subset. The file
        # SMTPD_ACCESS_README provides an overview.

        # The header_checks parameter specifies an optional table with patterns
        # that each logical message header is matched against, including
        # headers that span multiple physical lines.
        #
        # By default, these patterns also apply to MIME headers and to the
        # headers of attached messages. With older Postfix versions, MIME and
        # attached message headers were treated as body text.
        #
        # For details, see "man header_checks".
        #
        header_checks = regexp:/etc/postfix/header_checks

        ---------------- /etc/postfix/main.cf ----------------

Check that you have also activated this function in "spamassassin" for a second step, if the first one fails etc.:

        # vi /etc/mail/spamassassin/v320.pre

        ---------------- /etc/mail/spamassassin/v320.pre ----------------

        # VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
        #
        loadplugin Mail::SpamAssassin::Plugin::VBounce

        ---------------- /etc/mail/spamassassin/v320.pre ----------------

        # vi /etc/mail/spamassassin/local.cf

        ---------------- /etc/mail/spamassassin/local.cf ----------------

        ## VBounce - Spamassassin plugin to look up legitimate bounce messages
        #
        # Define the hostname of the relay (or relays) that you send your outbound
        # mail through. This is used to 'rescue' legitimate bounce messages that were
        # generated in response to mail you really *did* send. If a bounce message
        # is found, and it contains one of these hostnames in a 'Received' header
        # in the bounced message, it will not be marked as a blowback virus-bounce.
        #
        # Note: If you do not add this line, the *BOUNCE_MESSAGE rules will never
        # fire! You have to specify at least one whitelisted relay for it to operate.
        #
        whitelist_bounce_relays [Define all your outgoing servers with their FQDN name]

        ---------------- /etc/mail/spamassassin/local.cf ----------------

        # systemctl restart postfix.service
        # systemctl restart amavisd.service

If the header_check is hit, you see in the logs of postfix:

REJECT no third-party DSNs

If the spamassassin VBounce plug-in hits, you see the following: when the message or bounce is recognized by the "VBounce" plug-in, the corresponding report shows this hint and score:

        0.1 BOUNCE_MESSAGE         MTA bounce message
        0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message




STEP 4 USE POSTGREY FOR POSTFIX

The following perl modules must be installed, which should already be the case for CentOS 6/7:

        • Perl (version ≥ 5.6.0)
        • Net::Server
        • IO::Multiplex
        • BerkeleyDB (Perl module)
        • Berkeley DB (Library, version ≥ 4.1)

        # yum install postgrey

If you use CentOS 6, postgrey is not available via yum unless you use the RepoForge repository. You can get the package manually from:

        http://pkgs.repoforge.org

        # wget http://pkgs.repoforge.org/postgrey/postgrey-1.34-1.el6.rf.noarch.rpm
        # rpm -ivh postgrey-1.34-1.el6.rf.noarch.rpm

Following files will be installed:

        /usr/sbin/postgreyreport
        /usr/sbin/postgrey
        /usr/share/man/man8/postgrey.8.gz
        /usr/share/selinux/devel/include/services/postgrey.if
        /usr/share/selinux/targeted/postgrey.pp.bz2
        /usr/share/doc/postgrey-1.34
        /export/kolab/spool/postfix/postgrey
        /etc/rc.d/rc3.d/K31postgrey
        /etc/rc.d/rc2.d/K31postgrey
        /etc/rc.d/rc4.d/K31postgrey
        /etc/rc.d/rc5.d/K31postgrey
        /etc/rc.d/rc0.d/K31postgrey
        /etc/rc.d/rc6.d/K31postgrey
        /etc/rc.d/init.d/postgrey
        /etc/rc.d/rc1.d/K31postgrey
        /etc/postfix/postgrey_whitelist_recipients
        /etc/postfix/postgrey_whitelist_clients
        /etc/postfix/postgrey_whitelist_clients.local
        /etc/selinux/targeted/modules/active/modules/postgrey.pp

The following user and group will be added to the system:

        # cat /etc/passwd | grep postgrey
        postgrey:x:409:408::/var/spool/postfix/postgrey:/sbin/nologin

        # cat /etc/group | grep postgrey
        postgrey:x:408:

Define the start option within the "/etc/sysconfig/postgrey" file:

        # vi /etc/sysconfig/postgrey

        --------------- /etc/sysconfig/postgrey ---------------

        OPTIONS="--inet=127.0.0.1:60000 -d --pidfile=/export/kolab/spool/postfix/postgrey/postgrey.pid --hostname=kolab --user=postgrey --group=postgrey --dbdir=/var/spool/postfix/postgrey --greylist-action=450 --whitelist-clients=/etc/postfix/postgrey_whitelist_clients --whitelist-recipients=/etc/postfix/postgrey_whitelist_recipients --delay=600 --max-age=40 --lookup-by-host --auto-whitelist-clients=0 --greylist-text='Policy restrictions; try later' --retry-window=48h --x-greylist-header='X-Greylist: delayed %t seconds by greylist at %h; %d'"

        --------------- /etc/sysconfig/postgrey ---------------

        # chown root:root /etc/sysconfig/postgrey
        # chmod 644 /etc/sysconfig/postgrey

Within this config file "--inet" is defined, which means NOT "socket", which I do not use. From this point of view you have to comment out the socket variant within the start script, so that we can use "--inet":

        # vi /etc/init.d/postgrey

        --------------- /etc/init.d/postgrey ---------------

        prog=postgrey
        postgrey=/usr/sbin/$prog
        DBPATH=/var/spool/postfix/postgrey
        #SOCKET=$DBPATH/socket
        #OPTIONS="--unix=$SOCKET"
        OPTIONS=""

        --------------- /etc/init.d/postgrey ---------------

In the below file there are already some exceptions defined, like outlook.com, which are not doing SMTP greylisting in a correct way by RFC etc. Make sure that you copy the file to the correct place, so that you also have these exceptions; of course you can add new ones, which I do not do and which is not necessary. You can get the newest file from the original page/source of postgrey:

http://postgrey.schweikert.ch

        # cp -p /etc/postfix/postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients.orig
        # cp -p postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients
        # chown root:root /etc/postfix/postgrey_whitelist_clients
        # chmod 644 /etc/postfix/postgrey_whitelist_clients

For exceptions etc. you have to create the following files:

        check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
        check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
        check_client_access regexp:/etc/postfix/check_client_fqdn

        • greylist_sender_exceptions           = Exception for Greylist Sender!
        • cidr_greylist_network_exceptions     = Exception based on Subnet Masks CIDR!
        • check_client_fqdn                    = With this file the sender will be checked by FQDN Sender with RegEx or Dynamic IP etc., and if it matches postgrey will be done!


As a template, use the access file, which is empty by default, to create the "greylist_sender_exceptions":

        # cp -p /etc/postfix/access /etc/postfix/greylist_sender_exceptions

        # chown root:root /etc/postfix/access /etc/postfix/greylist_sender_exceptions
        # chmod 644 /etc/postfix/access /etc/postfix/greylist_sender_exceptions

Define in the below file all your local networks as well as the public IPs you are probably using and communicating with the kolab server over port 25:

        # vi /etc/postfix/cidr_greylist_network_exceptions

        --------------- /etc/postfix/cidr_greylist_network_exceptions ---------------

        # Whitelist Networks

        # 192.168.0.0/16 OK

        192.168.100.0/24        OK

        --------------- /etc/postfix/cidr_greylist_network_exceptions ---------------

        # chown root:root /etc/postfix/cidr_greylist_network_exceptions
        # chmod 644 /etc/postfix/cidr_greylist_network_exceptions


As mentioned, only if the RegEx is matching will postgrey be done. This means if an MX server is delivering a message with a FQDN etc., this will never match and no postgrey will be done:

        # vi /etc/postfix/check_client_fqdn

        --------------- /etc/postfix/check_client_fqdn ---------------

        /^unknown$/                                  check_greylist
        /^[^\.]*[0-9][^0-9\.]+[0-9]/                 check_greylist
        /^[^\.]*[0-9]{5}/                            check_greylist
        /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
        /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/            check_greylist
        /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./    check_greylist
        /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/         check_greylist

        --------------- /etc/postfix/check_client_fqdn ---------------

        # chown root:root /etc/postfix/check_client_fqdn
        # chmod 644 /etc/postfix/check_client_fqdn

Create at the end of main.cf a "smtpd_restriction_classes" entry "check_greylist" and define this class "check_greylist":

        # /usr/sbin/postconf -ve "smtpd_restriction_classes = check_greylist"
        # /usr/sbin/postconf -ve "check_greylist = check_policy_service inet:127.0.0.1:60000"

With these commands the following will be added at the end of main.cf:

        # vi /etc/postfix/main.cf

        --------------- /etc/postfix/main.cf ---------------

        smtpd_restriction_classes = check_greylist
        check_greylist = check_policy_service inet:127.0.0.1:60000

        --------------- /etc/postfix/main.cf ---------------


The below file is a hash file; from this point of view, write the information of the file to a hash:

        # /usr/sbin/postmap -v /etc/postfix/greylist_sender_exceptions


Check the RC levels for stop/start:

        # /sbin/chkconfig --list | grep postgrey
        postgrey        0:off   1:off   2:off   3:off   4:off   5:off   6:off

        # /sbin/chkconfig postgrey on
        # /sbin/chkconfig --list | grep postgrey
        postgrey        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Now add the postgrey files to the "smtpd_recipient_restrictions":

        # vi /etc/postfix/main.cf

        --------------- /etc/postfix/main.cf ---------------

        smtpd_recipient_restrictions =
           permit_mynetworks,
           check_sender_access hash:/etc/postfix/sender_access,
           reject_unauth_pipelining,
           reject_rbl_client zen.spamhaus.org,
           reject_non_fqdn_recipient,
           reject_invalid_helo_hostname,
           reject_unknown_recipient_domain,
           reject_unauth_destination,
           check_policy_service unix:private/recipient_policy_incoming,
           check_recipient_access hash:/etc/postfix/greylist_sender_exceptions,
           check_client_access cidr:/etc/postfix/cidr_greylist_network_exceptions,
           check_client_access regexp:/etc/postfix/check_client_fqdn,
           permit

        --------------- /etc/postfix/main.cf ---------------


Now "postgrey" can be started for the first time:

        # systemctl start  postgrey.service

Check your log for any errors/warnings:

        # tail -f /var/log/postfix/postfix.log


Check if postgrey is listening on its TCP port (--inet):

        # netstat -an | grep 6000
        tcp        0      0 127.0.0.1:60000             0.0.0.0:*                   LISTEN


If postgrey is started, a Berkeley DB will be created automatically:

        # ls -la /var/spool/postfix/postgrey
        total 264
        drwxr-xr-x   2 postgrey postgrey     4096 Jun 12 11:19 .
        drwxr-xr-x. 17 root     root         4096 Jun 12 11:18 ..
        -rw-------   1 postgrey postgrey    24576 Jun 12 11:19 __db.001
        -rw-------   1 postgrey postgrey   163840 Jun 12 11:19 __db.002
        -rw-------   1 postgrey postgrey   270336 Jun 12 11:19 __db.003
        -rw-------   1 postgrey postgrey    98304 Jun 12 11:19 __db.004
        -rw-------   1 postgrey postgrey    49152 Jun 12 11:19 __db.005
        -rw-------   1 postgrey postgrey 10485760 Jun 12 11:19 log.0000000001
        -rw-------   1 postgrey postgrey     8192 Jun 12 11:19 postgrey.db
        -rw-------   1 postgrey postgrey        0 Jun 12 11:19 postgrey.lock
        -rw-r--r--   1 postgrey postgrey        6 Jun 12 11:19 postgrey.pid


If there are no errors/warnings etc. you can now restart postfix:

        # systemctl restart  postfix.service

Be aware that within the main.cf of postfix the "mynetworks" setting is 
very important, which means: define all your local networks as well as the 
public IPs which are communicating with your Kolab server. To test you can 
also deactivate mynetworks, leaving only 127.0.0.0/8, to see how postgrey 
works overall, but do not forget to activate mynetworks again :-)

        # vi /etc/postfix/main.cf

        --------------- /etc/postfix/main.cf ---------------

        #mynetworks = 192.168.100.0/24, 127.0.0.0/8
        mynetworks = 127.0.0.0/8

        --------------- /etc/postfix/main.cf ---------------

        # systemctl restart  postfix.service

If postgrey is used, the following will be shown in the postfix log:

        ==> /var/log/postfix/postfix.log <==
        Jun 12 10:43:43 kolab postgrey[17527]: action=greylist, reason=new, client_name=helios.comcept.ch, client_address=192.168.100.123, sender=andrea.soliva at also.com, recipient=andrea.soliva at comcept.ch
        Jun 12 10:43:43 kolab postfix/smtpd[17540]: NOQUEUE: reject: RCPT from helios.comcept.ch[192.168.100.123]: 450 4.2.0 <andrea.soliva at comcept.ch>: Recipient address rejected: Policy restrictions; try later; from=<andrea.soliva at also.com> to=<andrea.soliva at comcept.ch> proto=ESMTP helo=<helios.comcept.ch>
        Jun 12 10:43:43 kolab postfix/smtpd[17540]: disconnect from helios.comcept.ch[192.168.100.123]




STEP 5 USE PYZOR FOR SPAMASSASSIN

Razor is already installed on CentOS 6/7. Pyzor is also a good tool and 
no issue to install. Keep in mind that pyzor communicates with the outside 
world on port 24441 UDP, so check your firewall. Additionally, DO NOT USE 
"spamd"; "spamd" is not usable here, and amavisd does the better job with 
more functions than "spamd". So deactivate "spamd" completely with 
"chkconfig" and never start it again. No further adjustments have to be 
made to deactivate "spamd". Install pyzor from yum:

        # yum install pyzor
        Loaded plugins: fastestmirror, priorities
        Setting up Install Process
        Loading mirror speeds from cached hostfile
        epel/metalink |  16 kB     00:00
         * base: mirror.switch.ch
         * epel: mirror.23media.de
         * extras: mirror.switch.ch
         * updates: mirror.switch.ch
        Kolab_3.4  | 1.2 kB     00:00
        Kolab_3.4_Updates | 1.2 kB     00:00
        base | 3.7 kB     00:00
        epel | 4.3 kB     00:00
        http://mirror.23media.de/epel/6/i386/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for epel
        Trying other mirror.
        epel | 4.3 kB     00:00
        epel/primary_db | 5.0 MB     00:01
        extras | 3.4 kB     00:00
        updates | 3.4 kB     00:00
        106 packages excluded due to repository priority protections
        Resolving Dependencies
        --> Running transaction check
        ---> Package pyzor.noarch 0:0.5.0-3.el6 will be installed
        --> Finished Dependency Resolution

The following will be installed:

        /usr/bin/pyzor
        /usr/bin/pyzord

        /usr/lib/python2.6/site-packages/pyzor
        /usr/lib/python2.6/site-packages/pyzor/__init__.pyc
        /usr/lib/python2.6/site-packages/pyzor/server.pyc
        /usr/lib/python2.6/site-packages/pyzor/client.pyc
        /usr/lib/python2.6/site-packages/pyzor/__init__.py
        /usr/lib/python2.6/site-packages/pyzor/__init__.pyo
        /usr/lib/python2.6/site-packages/pyzor/client.pyo
        /usr/lib/python2.6/site-packages/pyzor/client.py
        /usr/lib/python2.6/site-packages/pyzor/server.py
        /usr/lib/python2.6/site-packages/pyzor/server.pyo

        /usr/share/doc/pyzor-0.5.0
        /usr/share/doc/pyzor-0.5.0/COPYING
        /usr/share/doc/pyzor-0.5.0/UPGRADING
        /usr/share/doc/pyzor-0.5.0/PKG-INFO
        /usr/share/doc/pyzor-0.5.0/NEWS
        /usr/share/doc/pyzor-0.5.0/THANKS
        /usr/share/doc/pyzor-0.5.0/README
        /usr/share/doc/pyzor-0.5.0/usage.html

Check rights and adjust:

        # ls -la /usr/bin/pyzor
        -rwxr-xr-x 1 root root 96 Mar  9  2011 /usr/bin/pyzor
        # ls -la /usr/bin/pyzord
        -rwxr-xr-x 1 root root 2926 Mar  9  2011 /usr/bin/pyzord

        # ls -la /usr/share/doc/pyzor-0.5.0
        total 80
        drwxr-xr-x   2 root root  4096 May 15 09:13 .
        drwxr-xr-x 233 root root 12288 May 15 09:13 ..
        -rw-r--r--   1 root root 18007 Apr 29  2009 COPYING
        -rw-r--r--   1 root root  5962 Apr 29  2009 NEWS
        -rw-r--r--   1 root root   361 Apr 29  2009 PKG-INFO
        -rw-r--r--   1 root root   228 Apr 29  2009 README
        -rw-r--r--   1 root root   495 Apr 29  2009 THANKS
        -rw-r--r--   1 root root   270 Apr 29  2009 UPGRADING
        -rw-r--r--   1 root root 14869 Apr 29  2009 usage.html

        # chmod -R a+rX /usr/share/doc/pyzor-0.5.0 /usr/bin/pyzor /usr/bin/pyzord
        # chmod -R a+rX /usr/lib/python2.6/site-packages/pyzor

Home dir for amavisd/spamassassin is:

        # ls -la /var/spool/amavisd/
        total 72
        drwxr-x---. 7 amavis amavis  4096 May 15 05:17 .
        drwxr-xr-x. 6 root   root    4096 Jun 30  2015 ..
        srwxr-x---  1 amavis amavis     0 May 15 05:17 amavisd.sock
        srw-rw-rw-  1 amavis amavis     0 May 15 05:16 clamd.sock
        drwxr-x---. 2 amavis amavis  4096 May 15 05:17 db
        drwxr-x---. 2 amavis amavis 36864 May 15 08:09 quarantine
        drwxr-x---. 2 amavis amavis  4096 Jul 13  2015 .razor
        -rwx------  1 amavis amavis   801 Jan 11 21:50 sa-learn.sh
        drwx------. 2 amavis amavis  4096 May 15 04:59 .spamassassin
        drwxr-x---. 5 amavis amavis  4096 May 15 10:48 tmp

Make sure that pyzor also uses this directory:

        # mkdir /var/spool/amavisd/.pyzor
        # chown amavis:amavis /var/spool/amavisd/.pyzor
        # chmod 755 /var/spool/amavisd/.pyzor

Activate pyzor in corresponding config files:

        # vi /etc/mail/spamassassin/v310.pre

        --------------- /etc/mail/spamassassin/v310.pre ---------------

        # Pyzor - perform Pyzor message checks.
        #
        loadplugin Mail::SpamAssassin::Plugin::Pyzor
        use_pyzor 1
        pyzor_path /usr/bin/pyzor
        pyzor_options --homedir /var/spool/amavisd/.pyzor
        pyzor_timeout 10

        --------------- /etc/mail/spamassassin/v310.pre ---------------

        # vi /etc/mail/spamassassin/local.cf

        --------------- /etc/mail/spamassassin/local.cf ---------------

        score RAZOR2_CHECK 2.500
        score PYZOR_CHECK 2.500

        --------------- /etc/mail/spamassassin/local.cf ---------------

If you want to debug amavisd, activate the following:

        # vi /etc/amavisd/amavisd.conf

        --------------- /etc/amavisd/amavisd.conf ---------------

        # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
        $sa_debug = '1';  # defaults to false

        --------------- /etc/amavisd/amavisd.conf ---------------

        # systemctl restart  amavisd.service

Check your logs:

        # tail -f /var/log/amavisd/amavis.log

        --------------- /var/log/amavisd/amavis.log ---------------

        May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: pyzor is available: /usr/bin/pyzor
        May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: dns: entering helper-app run mode
        May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/amavisd/.pyzor check > /export/kolab/spool/amavisd/tmp/.spamassassin5602HOauo5tmp
        May 15 09:39:59 kolab.comcept.ch /usr/sbin/amavisd[5606]: SA dbg: util: setuid: ruid=1000 euid=1000
        May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: [5606] finished: exit 1
        May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: got response: downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x\\npublic.pyzor.org:24441 (200, 'OK') 0 0
        May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: dns: leaving helper-app run mode
        May 15 09:40:01 kolab.comcept.ch /usr/sbin/amavisd[5602]: SA dbg: pyzor: failure to parse response "downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x"

        --------------- /var/log/amavisd/amavis.log ---------------

The server information for pyzor was downloaded; check it:

        # cat /var/spool/amavisd/.pyzor/servers
        public.pyzor.org:24441

Restart amavisd again:

        # systemctl restart  amavisd.service

Check the logs again:

        # tail -f /var/log/amavisd/amavis.log

        --------------- /var/log/amavisd/amavis.log ---------------

        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: pyzor is available: /usr/bin/pyzor
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: dns: entering helper-app run mode
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/amavisd/.pyzor check < /export/amavis/tmp/.spamassassin56160Z3vLttmp
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5620]: SA dbg: util: setuid: ruid=1000 euid=1000
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: [5620] finished: exit 1
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: dns: leaving helper-app run mode
        May 15 09:42:26 kolab.comcept.ch /usr/sbin/amavisd[5616]: SA dbg: check: tagrun - tag PYZOR is now ready, value: Reported 0 times.

        --------------- /var/log/amavisd/amavis.log ---------------

Do not forget to deactivate the debug mode. To end the debug mode for 
"amavisd", run the following:

        # vi /etc/amavisd/amavisd.conf

        --------------- /etc/amavisd/amavisd.conf ---------------

        # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
        #$sa_debug = '1';  # defaults to false

        --------------- /etc/amavisd/amavisd.conf ---------------

        # systemctl restart  amavisd.service





STEP 6 USE BOTNET FOR SPAMASSASSIN

This is an additional perl module which checks the FQDN name etc. of a 
sender for signs of a BOTNET etc. There is a small possibility of false 
positives, which by the way I never had :-)

        https://wiki.apache.org/spamassassin/CustomPlugins

        https://github.com/eilandert/Botnet.pm

        File: Botnet.pm-master.zip

        # unzip Botnet.pm-master.zip


Copy "Botnet.cf" and "Botnet.pm" to the spamassassin dir 
"/etc/mail/spamassassin":

        # cd Botnet.pm-master
        # cp Botnet.pm /etc/mail/spamassassin/
        # cp Botnet.cf /etc/mail/spamassassin/

Check rights:

        # chown root:root /etc/mail/spamassassin/Botnet.pm
        # chmod 644 /etc/mail/spamassassin/Botnet.cf

Deactivate the warnings in the file "Botnet.pm":

        # vi /etc/mail/spamassassin/Botnet.pm

        --------------- /etc/mail/spamassassin/Botnet.pm ---------------

        # Botnet - perform DNS validations on the first untrusted relay
        #    looking for signs of a Botnet infected host, such as no reverse
        #    DNS,  a hostname that would indicate an ISP client or domain
        #    workstation, or other hosts that aren't intended to be acting as
        #    a direct mail submitter outside of their own domain.

        use Socket;
        use Net::DNS;
        use Mail::SpamAssassin::Plugin;
        use strict;
        #use warnings;
        use vars qw(@ISA);
        @ISA = qw(Mail::SpamAssassin::Plugin);
        my $VERSION = 0.9;

        --------------- /etc/mail/spamassassin/Botnet.pm ---------------

You have the possibility to pre-load such things in amavisd if you want. 
This is not strictly necessary, but you can preload everything in amavisd. 
Add the module:

        # vi /etc/amavisd/amavisd.conf

        --------------- /etc/amavisd/amavisd.conf ---------------

        @additional_perl_modules = qw(
              /etc/mail/spamassassin/Botnet.pm
        );

        --------------- /etc/amavisd/amavisd.conf ---------------

All modules which you would like to pre-load can be added here. When you 
start amavisd, check your logs and you will see a message like "loading 
additional modules". Every module can be pre-loaded so that amavisd already 
has it and does not have to load it every time. On my installation it 
looks like the following:

        --------------- /etc/amavisd/amavisd.conf ---------------

        @additional_perl_modules = qw(
              /usr/lib/perl5/auto/NetAddr/IP/Util/inet_n2dx.al
              /usr/lib/perl5/auto/NetAddr/IP/Util/ipv6_n2d.al
              /usr/lib/perl5/auto/NetAddr/IP/Util/ipv6_n2x.al
              /usr/share/perl5/Net/libnet.cfg
              /etc/mail/spamassassin/Botnet.pm
              IP/Country/Fast.pm
              Mail/SpamAssassin/Plugin/FreeMail.pm
              Mail/SpamAssassin/Plugin/SpamCop.pm
              Net/Cmd.pm
              Net/Config.pm
              Net/SMTP.pm
              Convert/UUlib.pm
              unicore/lib/gc_sc/Digit.pl
              unicore/lib/gc_sc/SpacePer.pl
              unicore/lib/gc_sc/Alnum.pl
        );

        --------------- /etc/amavisd/amavisd.conf ---------------

Now define the Botnet Module within spamassassin:

        # vi /etc/mail/spamassassin/local.cf

        --------------- /etc/mail/spamassassin/local.cf ---------------

        ## Botnet - perform DNS validations on the first untrusted relay
        #  looking for signs of a Botnet infected host, such as no reverse
        #  DNS,  a hostname that would indicate an ISP client or domain
        #  workstation, or other hosts that aren't intended to be acting as
        #  a direct mail submitter outside of their own domain.
        #
        #  https://github.com/eilandert/Botnet.pm
        #

        loadplugin Mail::SpamAssassin::Plugin::Botnet /etc/mail/spamassassin/Botnet.pm

        ifplugin Mail::SpamAssassin::Plugin::Botnet

        describe        BOTNET                  Relay might be a spambot or virusbot
        header          BOTNET                  eval:botnet()
        score           BOTNET                  1.0

        describe        BOTNET_SOHO             Relay might be a SOHO mail server
        header          BOTNET_SOHO             eval:botnet_soho()
        score           BOTNET_SOHO             -0.01

        describe        BOTNET_NORDNS           Relay's IP address has no PTR record
        header          BOTNET_NORDNS           eval:botnet_nordns()
        score           BOTNET_NORDNS           0.1

        describe        BOTNET_BADDNS           Relay doesn't have full circle DNS
        header          BOTNET_BADDNS           eval:botnet_baddns()
        score           BOTNET_BADDNS           0.1

        describe        BOTNET_CLIENT           Relay has a client-like hostname
        header          BOTNET_CLIENT           eval:botnet_client()
        score           BOTNET_CLIENT           0.1

        describe        BOTNET_IPINHOSTNAME     Hostname contains its own IP address
        header          BOTNET_IPINHOSTNAME     eval:botnet_ipinhostname()
        score           BOTNET_IPINHOSTNAME     0.1

        describe        BOTNET_CLIENTWORDS      Hostname contains client-like substrings
        header          BOTNET_CLIENTWORDS      eval:botnet_clientwords()
        score           BOTNET_CLIENTWORDS      0.01

        describe        BOTNET_SERVERWORDS      Hostname contains server-like substrings
        header          BOTNET_SERVERWORDS      eval:botnet_serverwords()
        score           BOTNET_SERVERWORDS      -0.1

        endif

        --------------- /etc/mail/spamassassin/local.cf ---------------

As mentioned, there is a small possibility of false positives, so do not 
define a higher score. Test the configuration by activating debug for 
amavisd:

        # vi /etc/amavisd/amavisd.conf

        --------------- /etc/amavisd/amavisd.conf ---------------

        # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
        $sa_debug = '1';  # defaults to false

        --------------- /etc/amavisd/amavisd.conf ---------------

        # systemctl restart  amavisd.service

Check the logs:

        # tail -f /var/log/amavisd/amavis.log

        --------------- /var/log/amavisd/amavis.log ---------------

        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_auth to 0
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_trusted to public
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^127\\.0\\.0\\.1$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^10\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_auth to 0
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: setting botnet_pass_trusted to public
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^127\\.0\\.0\\.1$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^10\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.1[6789]\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.2[0-9]\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^172\\.3[01]\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^192\\.168\\..*$ to botnet_skip_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding ^128\\.223\\.98\\.16$ to botnet_pass_ip
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)amazon\\.com$ to botnet_pass_domains
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)apple\\.com$ to botnet_pass_domains
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\.|\\A)ebay\\.com$ to botnet_pass_domains
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d).*dsl.*(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)cable(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)catv(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ddns(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dhcp(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dial(-?up)?(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dip(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)docsis(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)dyn(amic)?(ip)?(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)modem(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ppp(oe)?(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)res(net|ident(ial)?)?(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)bredband(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)client(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)fixed(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)ip(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)pool(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)static(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)user(\\b|\\d) to botnet_clientwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)e?mail(out)?(\\b|\\d) to botnet_serverwords
        Jul  3 10:21:40 kolab.comcept.ch /usr/sbin/amavisd[3382]: SA dbg: Botnet: adding (\\b|\\d)mta(\\b|\\d) to botnet_serverwords

        --------------- /var/log/amavisd/amavis.log ---------------


Do not forget to deactivate the debug mode again:

        --------------- /etc/amavisd/amavisd.conf ---------------

        # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
        #$sa_debug = '1';  # defaults to false

        --------------- /etc/amavisd/amavisd.conf ---------------

        # systemctl restart  amavisd.service


STEP 7 USE MORE RBL/URIBL/VIRBL WITHIN SPAMASSASSIN

Spamassassin already comes with some preconfigured RBLs etc., so if you 
add some, please check that they are not already in use. Additionally, 
many of the RBLs etc. are free of charge if you do not use more than 100k 
requests per day. Also absolutely necessary is a properly working DNS 
server locally on 127.0.0.1 or a DNS caching server. This is fundamental 
to avoid timeouts etc., especially if you have higher volumes of messages 
delivered. Add the additional RBLs etc. to local.cf and keep the following 
link in mind:

         https://wiki.apache.org/spamassassin/DnsBlocklists

PLEASE NOTE: If you want to deactivate one, you can do the following within 
local.cf:

         ## NOTE: As from SpamAssassin version 3.4 you may disable queries for any
         #  DNSBL, URIBL etc. by adding below "dns_query_restriction" or set the
         #  score of corresponding rule to "0":
         #
         #dns_query_restriction deny bl.domain


         # vi /etc/mail/spamassassin/local.cf

         --------------- /etc/mail/spamassassin/local.cf ---------------

         ## NOTE: As from SpamAssassin version 3.4 you may disable queries for any
         #  DNSBL, URIBL etc. by adding below "dns_query_restriction" or set the
         #  score of corresponding rule to "0":
         #
         #dns_query_restriction deny bl.domain

         ## Additional DNSBL Servers
         #
         # inps.de-DNSBL (inps.de-DNS-IP-BLACKLIST) dnsbl.inps.de
         #
         header   RCVD_IN_DNSBL_INPS_DE  eval:check_rbl('inps-de','dnsbl.inps.de.')
         describe RCVD_IN_DNSBL_INPS_DE  Received via a relay in inps.de DNSBL
         tflags   RCVD_IN_DNSBL_INPS_DE  net
         score    RCVD_IN_DNSBL_INPS_DE  3.0

         ## Additional DNSBL Servers
         #
         # allinone.bl.blocklist.de  (Amavis/Spamassassin only (127.0.0.2)) http://www.blocklist.de
         #
         header   RCVD_IN_DNSBL_Blocklist_de eval:check_rbl('127.0.0.2','allinone.bl.blocklist.de')
         describe RCVD_IN_DNSBL_Blocklist_de Sender listed on Blocklist DNSBL
         tflags   RCVD_IN_DNSBL_Blocklist_de net
         score    RCVD_IN_DNSBL_Blocklist_de 3.0

         ## Additional DNSBL Servers
         #
         # justspam.org (email reputation system) http://www.justspam.org
         #
         header     RCVD_IN_JUSTSPAM   eval:check_rbl('justspam.org','dnsbl.justspam.org.')
         describe   RCVD_IN_JUSTSPAM   Listed in dnsbl.justspam.org.
         tflags     RCVD_IN_JUSTSPAM   net
         score      RCVD_IN_JUSTSPAM   0.5

         ## Additional DNSBL Servers
         #
         # spam.dnsbl.anonmails.de
         #
         header    RCVD_IN_ANONMAILS   eval:check_rbl('anonmails-lastexternal', 'spam.dnsbl.anonmails.de.')
         describe  RCVD_IN_ANONMAILS   Relay is listed in spam.dnsbl.anonmails.de
         tflags    RCVD_IN_ANONMAILS   net
         score     RCVD_IN_ANONMAILS   2.0

         ## Additional DNSBL Servers
         #
         # http://www.uceprotect.net/de/index.php
         #
         # uceprotect1 (open relays/proxys/dialups)
         # uceprotect2 (open relays/proxys/dialups)
         # uceprotect3 (bad networks)
         #
         header    RCVD_IN_UCEPROTECT1   eval:check_rbl_txt('uceprotect1-lastexternal', 'dnsbl-1.uceprotect.net.')
         describe  RCVD_IN_UCEPROTECT1   Listed in dnsbl-1.uceprotect.net
         tflags    RCVD_IN_UCEPROTECT1   net
         score     RCVD_IN_UCEPROTECT1   2.0

         header    RCVD_IN_UCEPROTECT2   eval:check_rbl_txt('uceprotect2-lastexternal', 'dnsbl-2.uceprotect.net.')
         describe  RCVD_IN_UCEPROTECT2   Network listed in dnsbl-2.uceprotect.net
         tflags    RCVD_IN_UCEPROTECT2   net
         score     RCVD_IN_UCEPROTECT2   1.0

         header    RCVD_IN_UCEPROTECT3   eval:check_rbl_txt('uceprotect3-lastexternal', 'dnsbl-3.uceprotect.net.')
         describe  RCVD_IN_UCEPROTECT3   Network listed in dnsbl-3.uceprotect.net
         tflags    RCVD_IN_UCEPROTECT3   net
         score     RCVD_IN_UCEPROTECT3   0.5

         ## Additional DNSBL Servers
         #
         # spameatingmonkey.com (real time IP and domain blacklists) http://spameatingmonkey.com
         #
         header     RCVD_IN_SEMBACKSCATTER   eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
         tflags     RCVD_IN_SEMBACKSCATTER   net
         describe   RCVD_IN_SEMBACKSCATTER   Received from an IP listed by SEM-BACKSCATTER
         score      RCVD_IN_SEMBACKSCATTER   0.5

         header     RCVD_IN_SEMBLACK   eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
         tflags     RCVD_IN_SEMBLACK   net
         describe   RCVD_IN_SEMBLACK   Received from an IP listed by SEM-BLACK
         score      RCVD_IN_SEMBLACK   2.0

         urirhssub  SEM_URI   uribl.spameatingmonkey.net. A 2
         body       SEM_URI   eval:check_uridnsbl('SEM_URI')
         describe   SEM_URI   Contains a URI listed by SEM-URI
         tflags     SEM_URI   net
         score      SEM_URI   0.5

         urirhssub  SEM_URIRED   urired.spameatingmonkey.net. A 2
         body       SEM_URIRED   eval:check_uridnsbl('SEM_URIRED')
         describe   SEM_URIRED   Contains a URI listed by SEM-URIRED
         tflags     SEM_URIRED   net
         score      SEM_URIRED   0.5

         urirhssub  SEM_FRESH   fresh.spameatingmonkey.net. A 2
         body       SEM_FRESH   eval:check_uridnsbl('SEM_FRESH')
         describe   SEM_FRESH   Contains a domain registered less than 5 days ago
         tflags     SEM_FRESH   net
         score      SEM_FRESH   0.5

         ## Additional DNSBL Servers
         #
         # junkemailfilter.com http://www.junkemailfilter.com
         #
         header    __RCVD_IN_HOSTKARMA   eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
         describe  __RCVD_IN_HOSTKARMA   Sender listed in JunkEmailFilter
         tflags    __RCVD_IN_HOSTKARMA   net

         header    RCVD_IN_HOSTKARMA_W   eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
         describe  RCVD_IN_HOSTKARMA_W   Sender listed in HOSTKARMA-WHITE
         tflags    RCVD_IN_HOSTKARMA_W   net nice
         score     RCVD_IN_HOSTKARMA_W   -1.0

         header    RCVD_IN_HOSTKARMA_BL  eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
         describe  RCVD_IN_HOSTKARMA_BL  Sender listed in HOSTKARMA-BLACK
         tflags    RCVD_IN_HOSTKARMA_BL  net
         score     RCVD_IN_HOSTKARMA_BL  3.0

         header    RCVD_IN_HOSTKARMA_BR  eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
         describe  RCVD_IN_HOSTKARMA_BR  Sender listed in HOSTKARMA-BROWN
         tflags    RCVD_IN_HOSTKARMA_BR  net
         score     RCVD_IN_HOSTKARMA_BR  1.0

         ## Additional RBL Servers
         #
         # blockedservers.com https://www.blockedservers.com/
         #
         header    RCVD_IN_BLKSRV   eval:check_rbl('blockedservers-lastexternal', 'rbl.blockedservers.com.')
         describe  RCVD_IN_BLKSRV   Listed in rbl.blockedservers.com
         tflags    RCVD_IN_BLKSRV   net
         score     RCVD_IN_BLKSRV   2.0

         ## Additional DNSBL Servers
         #
         # wpbl.info (Weighted Private Block List) http://wpbl.info/
         #
         header    RCVD_IN_WPBL  eval:check_rbl('wpbl-lastexternal','db.wpbl.info.','127.0.0.2')
         describe  RCVD_IN_WPBL  Listed in db.wpbl.info
         tflags    RCVD_IN_WPBL  net
         score     RCVD_IN_WPBL  2.0

         ## Additional DNSBL Servers
         #
         # sorbs-spam (Spam and Open Relay Blocking System) 
http://www.sorbs.net/
         #
         header    RCVD_IN_SORBS_SPAM   eval:check_rbl_sub('sorbs', 
'127.0.0.6')
         describe  RCVD_IN_SORBS_SPAM   SORBS: sender is a spam source
         tflags    RCVD_IN_SORBS_SPAM   net
         score     RCVD_IN_SORBS_SPAM   0 2.0 0 2.0

         ## Additional DNSBL Servers
         #
         # dnsbl.manitu.net http://www.dnsbl.manitu.net/
         #
         header    RCVD_IN_NIX_SPAM   
eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
         describe  RCVD_IN_NIX_SPAM   Listed in NIX-SPAM DNSBL
         tflags    RCVD_IN_NIX_SPAM   net
         score     RCVD_IN_NIX_SPAM   2.0

         ## Additional DNSBL/URIBL Servers
         #
         #  http://antispam.imp.ch/01-wasistspam.html?lng=1
         #
         # Swinog URIBL is a realtime blacklist built from spamtrap 
sources. URLs are extracted,
         # compared against a big whitelist and then added to the 
blacklist.
         #
         header     RCVD_IN_SWINOG_SPAM   eval:check_rbl('swinog', 
'dnsrbl.swinog.ch.', '127.0.0.3')
         describe   RCVD_IN_SWINOG_SPAM   Listed in dnsrbl.swinog.ch.
         tflags     RCVD_IN_SWINOG_SPAM   net
         score      RCVD_IN_SWINOG_SPAM   2.500

         urirhsbl   URIBL_SC_SWINOG   uribl.swinog.ch.   A
         body       URIBL_SC_SWINOG   
eval:check_uridnsbl('URIBL_SC_SWINOG')
         describe   URIBL_SC_SWINOG   URI's listed in uribl.swinog.ch.
         tflags     URIBL_SC_SWINOG   net
         score      URIBL_SC_SWINOG   0 0.900 0 1.500

         ## Additional VIRBL Servers
         #
         # virbl (virus sender blacklist) http://virbl.bit.nl
         #
         header     RCVD_IN_VIRBL   eval:check_rbl_txt('virbl', 
'virbl.dnsbl.bit.nl')
         describe   RCVD_IN_VIRBL   Listed in virbl.dnsbl.bit.nl
         tflags     RCVD_IN_VIRBL   net
         score      RCVD_IN_VIRBL   0 2.0 0 2.0

         ## Extra Scoring DNSBL Servers
         #
         # Extra scoring rules if a sender ip is listed in more than 3
         # configured DNSBL's.
         #
         meta      CUSTOM_MANY_BL   (RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL 
+ RCVD_IN_XBL + RCVD_IN_PBL + RCVD_IN_VIRBL + RCVD_IN_UCEPROTECT1 + 
RCVD_IN_WPBL + RCVD_IN_BLKSRV + RCVD_IN_ANONMAILS + 
RCVD_IN_DNSBL_INPS_DE + RCVD_IN_NIX_SPAM + RCVD_IN_SEMBLACK + 
RCVD_IN_HOSTKARMA_BL + RCVD_IN_JUSTSPAM + RCVD_IN_PSBL + 
RCVD_IN_SORBS_SPAM + RCVD_IN_SORBS_DUL + RCVD_IN_SORBS_HTTP + 
RCVD_IN_SWINOG_SPAM) > 3
         describe  CUSTOM_MANY_BL   Message received in more than 3 RBLs
         score     CUSTOM_MANY_BL   5.0

         meta      CUSTOM_MANY_URIBL   (URIBL_BLACK + URIBL_JP_SURBL + 
URIBL_WS_SURBL + URIBL_PH_SURBL + URIBL_MW_SURBL + URIBL_AB_SURBL + 
URIBL_DBL_SPAM + URIBL_DBL_PHISH + URIBL_DBL_MALWARE + 
URIBL_DBL_BOTNETCC + URIBL_SBL + URIBL_SBL_A + SEM_URI + SEM_FRESH + 
SEM_URIRED + URIBL_SC_SWINOG) > 3
         describe  CUSTOM_MANY_URIBL   Message received in more than 3 
URIBL
         score     CUSTOM_MANY_URIBL   5.0

         --------------- /etc/mail/spamassassin/local.cf ---------------

Restart amavisd:

         # systemctl restart  amavisd.service






STEP 8 USE CLAMAV ADDITIONAL SIGNATURES

This is one of the best things that fights against spam etc. If you use clamav 
without these sigs it is not very useful, but with these sigs it is absolutely 
nice, cool, very good stuff, well done guys :-)

        http://sanesecurity.com/

There are also some scripts available on sanesecurity, but I do not like 
them: too complicated, too little transparent. From this point of view I use my 
own with rsync:

        # yum install rsync

        # mkdir /opt/scripts
        # chown root:root /opt/scripts
        # chmod 700 /opt/scripts
        # touch /opt/scripts/UpdateSaneSecurity.sh
        # chmod 700 /opt/scripts/UpdateSaneSecurity.sh

Create the script to download the stuff; for the different databases check 
the following site:

             http://sanesecurity.co.uk/usage/signatures/


        # vi /opt/scripts/UpdateSaneSecurity.sh

        --------------- /opt/scripts/UpdateSaneSecurity.sh ---------------

        #!/bin/sh
        #
        # Updates SaneSecurity files on an hourly basis (cron)
        #
        # http://sanesecurity.co.uk/usage/signatures/
        #
        # Update additional virus definition db for clamav CentOS 7
        # 15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * *  /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /bin/systemctl reload clamd.amavisd.service  > /dev/null
        #
        # Update additional virus definition db for clamav CentOS 6
        # 15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * *  /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /sbin/service clamd.amavisd reload  > /dev/null
        #

        # Setting program and dir variables
        # Adjust as necessary

        CLAM_DB_DIR=/var/lib/clamav
        SANESECURITY_LOG=/var/log/clamav/UpdateSaneSecurity.log

        # Owner of the signature files: clam:clam on CentOS 6,
        # clamupdate:clamupdate on CentOS 7 (see the rights check below)
        CLAM_OWNER=clam:clam

        CHOWN=/bin/chown
        CHMOD=/bin/chmod
        RSYNC=/usr/bin/rsync

        # RSYNC options
        #
        # -a (archive)
        # -v (verbose, use -vvv to be more verbose)
        # -z (compress)
        # -u (update; transfer only if file is newer)
        #
        # The remote path is quoted so the shell never expands the wildcard
        # patterns locally; stderr goes to the log as well, otherwise rsync
        # errors vanish in the cron redirect to /dev/null.

        #
        # Download Sanesecurity SigWhitelist
        #
        SIGWHITELIST=sigwhitelist.ign2

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$SIGWHITELIST" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SIGWHITELIST >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$SIGWHITELIST >> $SANESECURITY_LOG 2>&1

        #
        # Download Sanesecurity Message File
        #
        SANEMESSAGE=sanesecurity.ftm

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$SANEMESSAGE" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SANEMESSAGE >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$SANEMESSAGE >> $SANESECURITY_LOG 2>&1

        #
        # Download Sanesecurity DB's (*.hdb, *.ndb, *.ldb, *.cdb, ...)
        #
        SANES=*.?db

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$SANES" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        # (the local pattern is left unquoted on purpose so it expands to every file)
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$SANES >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$SANES >> $SANESECURITY_LOG 2>&1

        #
        # Download MALWAREHASH DB's
        #
        MALWAREHASH=malwarehash.hsb

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$MALWAREHASH" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$MALWAREHASH >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$MALWAREHASH >> $SANESECURITY_LOG 2>&1

        #
        # Download ROGUE DB's
        #
        ROGUE=rogue.hdb

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$ROGUE" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$ROGUE >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$ROGUE >> $SANESECURITY_LOG 2>&1

        #
        # Download Hackingteam DB
        #
        HACKINGTEAM=hackingteam.hsb

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$HACKINGTEAM" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$HACKINGTEAM >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$HACKINGTEAM >> $SANESECURITY_LOG 2>&1

        #
        # Download Yara DB's
        #
        YARA=*.yara

        $RSYNC -avvvzu --timeout=180 "rsync://rsync.sanesecurity.net/sanesecurity/$YARA" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$YARA >> $SANESECURITY_LOG 2>&1
        $CHMOD 644 $CLAM_DB_DIR/$YARA >> $SANESECURITY_LOG 2>&1

        #
        # Download MSRBL DB's
        #
        # HDB=MSRBL-Images.hdb
        # NDB=MSRBL-SPAM.ndb

        # $RSYNC -avvvzu --timeout=180 "rsync://rsync.mirror.msrbl.com/msrbl/$HDB" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1
        # $RSYNC -avvvzu --timeout=180 "rsync://rsync.mirror.msrbl.com/msrbl/$NDB" $CLAM_DB_DIR >> $SANESECURITY_LOG 2>&1

        # If necessary extract file and set permissions
        #
        # $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$HDB >> $SANESECURITY_LOG 2>&1
        # $CHMOD 644 $CLAM_DB_DIR/$HDB >> $SANESECURITY_LOG 2>&1
        #
        # $CHOWN $CLAM_OWNER $CLAM_DB_DIR/$NDB >> $SANESECURITY_LOG 2>&1
        # $CHMOD 644 $CLAM_DB_DIR/$NDB >> $SANESECURITY_LOG 2>&1

        # Remove non-supported ndb's
        #
        rm -f $CLAM_DB_DIR/INetMsg-SpamDomains-*

        # The two databases winnow_phish_complete.ndb and winnow_phish_complete_url.ndb shouldn't be used together.
        # The path is anchored to the db dir so the file is removed from there and not from the current directory.
        #
        rm -f $CLAM_DB_DIR/winnow_phish_complete.ndb

        # exit

        --------------- /opt/scripts/UpdateSaneSecurity.sh ---------------


Test the script:

        # sh -x /opt/scripts/UpdateSaneSecurity.sh

The rights used for the sigs are absolutely fundamental, which means you 
really have to adjust them to the right user/group. This is done by the 
script, but check if all is ok:

        # chown clamupdate:clamupdate /var/lib/clamav
        # chmod 755 /var/lib/clamav

        # chown clamupdate:clamupdate /var/lib/clamav/[Signaturen]
        # chmod 644 /var/lib/clamav/[Signaturen]

For CentOS 6 the user is different to CentOS 7:

             # chown clam:clam /var/lib/clamav
             # chmod 755 /var/lib/clamav

             # chown clam:clam /var/lib/clamav/[Signaturen]
             # chmod 644 /var/lib/clamav/[Signaturen]
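The rights check described above, as an added example that is not part of the original post: it verifies directory mode 755, file mode 644 and the expected owner for every file in the signature directory, and also flags the winnow_phish_complete pair that the post's update script removes. The mirrors.dat exception is an assumption (freshclam keeps it at 0600, as the post's own listing shows); run_demo builds a constructed directory instead of touching /var/lib/clamav.

```python
import os
import stat
import tempfile

# Added example, not from the original post. Expected rights follow the post:
# directory 755, signature files 644, everything owned by the clam user
# (clamupdate on CentOS 7, clam on CentOS 6). mirrors.dat is an assumed
# exception: freshclam keeps it at 0600.
DIR_MODE = 0o755
FILE_MODE = 0o644
MODE_EXCEPTIONS = {'mirrors.dat'}
# The post's script deletes the first one because both must not be loaded together.
CONFLICTING = ('winnow_phish_complete.ndb', 'winnow_phish_complete_url.ndb')


def check_sig_dir(db_dir, uid, gid):
    """Return a list of (path, problem) tuples; empty means the directory and
    every regular file in it carry the expected owner and mode."""
    problems = []

    def check(path, want_mode):
        st = os.lstat(path)
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append((path, 'owner %d:%d, expected %d:%d'
                             % (st.st_uid, st.st_gid, uid, gid)))
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            problems.append((path, 'mode %04o, expected %04o' % (mode, want_mode)))

    check(db_dir, DIR_MODE)  # clamd needs the x bits to enter the directory
    names = sorted(os.listdir(db_dir))
    for name in names:
        path = os.path.join(db_dir, name)
        if name in MODE_EXCEPTIONS or not stat.S_ISREG(os.lstat(path).st_mode):
            continue
        check(path, FILE_MODE)
    if set(CONFLICTING) <= set(names):
        problems.append((db_dir, '%s and %s must not be used together' % CONFLICTING))
    return problems


def run_demo():
    """Build a constructed signature directory (one wrong mode, the conflicting
    winnow pair, the mirrors.dat exception) and return what check_sig_dir reports."""
    db_dir = tempfile.mkdtemp(prefix='clamav-sigs-')
    os.chmod(db_dir, DIR_MODE)
    for name, mode in [('daily.cld', 0o644), ('spam.ldb', 0o600),
                       ('mirrors.dat', 0o600), ('winnow_phish_complete.ndb', 0o644),
                       ('winnow_phish_complete_url.ndb', 0o644)]:
        path = os.path.join(db_dir, name)
        with open(path, 'w') as fh:
            fh.write('constructed placeholder, not a real signature file\n')
        os.chmod(path, mode)
    # The files were just created by this process, so its own uid/gid is the expected owner.
    return check_sig_dir(db_dir, os.getuid(), os.getgid())


if __name__ == '__main__':
    for path, problem in run_demo():
        print('%s: %s' % (path, problem))
```

On a real host call check_sig_dir('/var/lib/clamav', uid, gid) with the ids of clamupdate (CentOS 7) or clam (CentOS 6).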

If all rights are ok you have the following sigs:

        # ls -la /var/lib/clamav/
        total 192200
        drw-r--r--   2 clamupdate clamupdate     4096 Jun 12 11:19 .
        drwxr-xr-x. 33 root       root           4096 Jun 12 03:40 ..
        -rw-r--r--   1 clamupdate clamupdate    82868 Jun 12 10:52 blurl.ndb
        -rw-r--r--   1 clamupdate clamupdate  3455748 Jun 12 10:48 bofhland_cracked_URL.ndb
        -rw-r--r--   1 clamupdate clamupdate    90764 Jun 12 10:48 bofhland_malware_attach.hdb
        -rw-r--r--   1 clamupdate clamupdate      838 Jun 12 10:48 bofhland_malware_URL.ndb
        -rw-r--r--   1 clamupdate clamupdate    14822 Jun 12 10:48 bofhland_phishing_URL.ndb
        -rw-r--r--   1 clamupdate clamupdate   449536 Jun 11 21:00 bytecode.cld
        -rw-r--r--   1 clamupdate clamupdate   370884 Jun 12 10:48 crdfam.clamav.hdb
        -rw-r--r--   1 clamupdate clamupdate 91127296 Jun 12 00:00 daily.cld
        -rw-r--r--   1 clamupdate clamupdate       65 Jul 26  2013 doppelstern.hdb
        -rw-r--r--   1 clamupdate clamupdate      185 Jul 26  2013 doppelstern.ndb
        -rw-r--r--   1 clamupdate clamupdate      309 Apr 17  2012 doppelstern-phishtank.ndb
        -rw-r--r--   1 clamupdate clamupdate     8231 Apr 24 08:51 foxhole_all.cdb
        -rw-r--r--   1 clamupdate clamupdate     1913 Sep 19  2014 foxhole_filename.cdb
        -rw-r--r--   1 clamupdate clamupdate    40244 Apr 24 08:51 foxhole_generic.cdb
        -rw-r--r--   1 clamupdate clamupdate  6345046 Jun 11 15:53 junk.ndb
        -rw-r--r--   1 clamupdate clamupdate   236844 Jun 12 10:51 jurlbla.ndb
        -rw-r--r--   1 clamupdate clamupdate   440575 Jun 12 10:51 jurlbl.ndb
        -rw-r--r--   1 clamupdate clamupdate   244719 Oct  1  2014 lott.ndb
        -rw-r--r--   1 clamupdate clamupdate 64720632 Sep 27  2013 main.cvd
        -rw-------   1 clamupdate clamupdate      104 Jun 12 09:00 mirrors.dat
        -rw-r--r--   1 clamupdate clamupdate  3738316 Jun 12 10:51 phish.ndb
        -rw-r--r--   1 clamupdate clamupdate  4338113 Jun 12 10:45 phishtank.ndb
        -rw-r--r--   1 clamupdate clamupdate   272672 Jun 12 10:45 porcupine.ndb
        -rw-r--r--   1 clamupdate clamupdate   271576 Jun 12 05:52 rogue.hdb
        -rw-r--r--   1 clamupdate clamupdate 13423230 Jun 12 10:45 scamnailer.ndb
        -rw-r--r--   1 clamupdate clamupdate  1869470 Jun 11 15:53 scam.ndb
        -rw-r--r--   1 clamupdate clamupdate     1602 Nov 21  2014 spamattach.hdb
        -rw-r--r--   1 clamupdate clamupdate       98 May 19 16:54 spamimg.hdb
        -rw-r--r--   1 clamupdate clamupdate      282 Jun  6 19:51 spam.ldb
        -rw-r--r--   1 clamupdate clamupdate    71222 Jun 12 10:51 spearl.ndb
        -rw-r--r--   1 clamupdate clamupdate  2023137 Jun 12 00:50 spear.ndb
        -rw-r--r--   1 clamupdate clamupdate   103385 Jun 12 10:45 winnow.attachments.hdb
        -rw-r--r--   1 clamupdate clamupdate   259649 Jun 12 10:45 winnow_bad_cw.hdb
        -rw-r--r--   1 clamupdate clamupdate      660 Jun 12 10:45 winnow.complex.patterns.ldb
        -rw-r--r--   1 clamupdate clamupdate   204173 Jun 12 10:45 winnow_extended_malware.hdb
        -rw-r--r--   1 clamupdate clamupdate      159 Jun 12 10:45 winnow_extended_malware_links.ndb
        -rw-r--r--   1 clamupdate clamupdate   117066 Jun 12 10:45 winnow_malware.hdb
        -rw-r--r--   1 clamupdate clamupdate   732995 Jun 12 10:45 winnow_malware_links.ndb
        -rw-r--r--   1 clamupdate clamupdate   731122 Jun 12 10:45 winnow_phish_complete.ndb
        -rw-r--r--   1 clamupdate clamupdate   731041 Jun 12 10:45 winnow_phish_complete_url.ndb
        -rw-r--r--   1 clamupdate clamupdate   186210 Jun 12 10:45 winnow_spam_complete.ndb

Restart the clamav service, which has dependencies on amavisd; from this 
point of view do not restart clamav itself:

        # systemctl stop clamd@amavisd.service
        # systemctl start clamd@amavisd.service

Check the logs:

        ==> /var/log/clamav/clamd.log <==
        Fri Jun 12 11:45:39 2015 -> +++ Started at Fri Jun 12 11:45:39 2015
        Fri Jun 12 11:45:39 2015 -> clamd daemon 0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
        Fri Jun 12 11:45:39 2015 -> Running as user amavis (UID 411, GID 411)
        Fri Jun 12 11:45:39 2015 -> Log file size limited to 2097152 bytes.
        Fri Jun 12 11:45:39 2015 -> Reading databases from /var/lib/clamav
        Fri Jun 12 11:45:39 2015 -> Not loading PUA signatures.
        Fri Jun 12 11:45:39 2015 -> Bytecode: Security mode set to "TrustSigned".
        Fri Jun 12 11:45:51 2015 -> Loaded 4102710 signatures.
        Fri Jun 12 11:45:52 2015 -> LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.sock
        Fri Jun 12 11:45:52 2015 -> LOCAL: Setting connection queue length to 30
        Fri Jun 12 11:45:52 2015 -> Limits: Global size limit set to 104857600 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: File size limit set to 31457280 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: Recursion level limit set to 10.
        Fri Jun 12 11:45:52 2015 -> Limits: Files limit set to 15000.
        Fri Jun 12 11:45:52 2015 -> Limits: Core-dump limit is 0.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxPartitions limit set to 50.
        Fri Jun 12 11:45:52 2015 -> Limits: MaxIconsPE limit set to 100.
        Fri Jun 12 11:45:52 2015 -> Archive support enabled.
        Fri Jun 12 11:45:52 2015 -> Algorithmic detection enabled.
        Fri Jun 12 11:45:52 2015 -> Portable Executable support enabled.
        Fri Jun 12 11:45:52 2015 -> ELF support enabled.
        Fri Jun 12 11:45:52 2015 -> Detection of broken executables enabled.
        Fri Jun 12 11:45:52 2015 -> Mail files support enabled.
        Fri Jun 12 11:45:52 2015 -> OLE2 support enabled.
        Fri Jun 12 11:45:52 2015 -> PDF support enabled.
        Fri Jun 12 11:45:52 2015 -> SWF support enabled.
        Fri Jun 12 11:45:52 2015 -> HTML support enabled.
        Fri Jun 12 11:45:52 2015 -> Self checking every 600 seconds.
        Fri Jun 12 11:45:52 2015 -> Listening daemon: PID: 5131
        Fri Jun 12 11:45:52 2015 -> MaxQueue set to: 100


As already mentioned within the script, use crontab to keep the sigs up to 
date:

        # crontab -e

        --------------- crontab -e ---------------

        #
        # Update additional virus definition db for clamav CentOS 7
        15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * *  /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /bin/systemctl reload clamd.amavisd.service  > /dev/null
        #
        # Update additional virus definition db for clamav CentOS 6
        15 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * *  /opt/scripts/UpdateSaneSecurity.sh > /dev/null 2>&1 ; /sbin/service clamd.amavisd reload  > /dev/null

        --------------- crontab -e ---------------

The sigs update can be monitored over the following log used within the 
script:

        # chown clamupdate:clamupdate /var/log/clamav/UpdateSaneSecurity.log
        # chmod 600 /var/log/clamav/UpdateSaneSecurity.log

For CentOS 6 use:

             # chown clam:clam /var/log/clamav/UpdateSaneSecurity.log
             # chmod 600 /var/log/clamav/UpdateSaneSecurity.log


Now these sigs are already configured in amavisd, which means:

        # vi /etc/amavisd/amavisd.conf

        --------------- /etc/amavisd/amavisd.conf ---------------

        ## ANTI-VIRUS AND INVALID/FORBIDDEN CONTENTS CONTROLS
        @virus_name_to_spam_score_maps =
         (new_RE(  # the order matters, first match wins
          [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
          [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
          [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
          [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'          => undef ],  # keep as infected
          [ qr'^Sanesecurity\.Foxhole\.Zip_exe'                  => 0.1 ],    # F.P.
          [ qr'^Sanesecurity\.Foxhole\.'                         => undef ],  # keep as infected
          [ qr'^Sanesecurity\.'                                  => 0.1 ],
          [ qr'^Sanesecurity_PhishBar_'                          => 0   ],
          [ qr'^Sanesecurity.TestSig_'                           => 0   ],
          [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
          [ qr'^Email\.Spammail\b'                               => 0.1 ],
          [ qr'^MSRBL-(Images|SPAM)\b'                           => 0.1 ],
          [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke'            => 0.1 ],
          [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
          [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)'          => 0.1 ],
          [ qr'^Safebrowsing\.'                                  => 0.1 ],
          [ qr'^winnow\.(phish|spam)\.'                          => 0.1 ],
          [ qr'^INetMsg\.SpamDomain'                             => 0.1 ],
          [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ],
          [ qr'^Bofhland\.Phishing'                              => 0.1 ],
          [ qr'^ScamNailer\.'                                    => 0.1 ],
          [ qr'^HTML/Bankish'                                    => 0.1 ],    # F-Prot
          [ qr'^PORCUPINE_JUNK'                                  => 0.1 ],
          [ qr'^PORCUPINE_PHISHING'                              => 0.1 ],
          [ qr'^Porcupine\.Junk'                                 => 0.1 ],
          [ qr'^PhishTank\.Phishing\.'                           => 0.1 ],
          [ qr'-SecuriteInfo\.com(\.|\z)'                        => undef ],  # keep as infected
          [ qr'^MBL_NA\.UNOFFICIAL'                              => 0.1 ],    # false positives
          [ qr'^MBL_'                                            => undef ],  # keep as infected
        ));

        --------------- /etc/amavisd/amavisd.conf ---------------

We actually do not use this configuration, which means: for some sigs, if 
clamav finds something, instead of being rejected as virus found the stuff 
is converted to spam found with a specific score. This means if clamav finds 
a spam sig it will not be rejected; instead clamav gives a spam score and 
spamassassin works ahead with its checks etc.  For this use the following 
within local.cf of spamassassin:

        # vi /etc/mail/spamassassin/local.cf

        --------------- /etc/mail/spamassassin/local.cf ---------------

        # Deal with "X-Amavis-AV-Status" related to
        # the amavisd.conf entry "@virus_name_to_spam_score_maps"

        header L_AV_Phish       X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
        header L_AV_Scam        X-Amavis-AV-Status =~ m{\bAV:ScamNailer\.Phish\.}i
        header L_AV_Spam        X-Amavis-AV-Status =~ m{\bAV:Email\.Spammail}i
        header L_AV_PhishHeur   X-Amavis-AV-Status =~ m{\bAV:Phishing\.Heuristics\.}i
        header L_AV_DS_Phish    X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Phishing\.}i
        header L_AV_DS_Scam     X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Scam}i
        header L_AV_DS_Junk     X-Amavis-AV-Status =~ m{\bAV:Doppelstern\.Junk\.}i
        header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
        header L_AV_SS_Phish    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
        header L_AV_SS_TestSig  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.TestSig_}
        header L_AV_SS_Spear    X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Spear}
        header L_AV_SS_Malware  X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
        header L_AV_SS_Scam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)}
        header L_AV_SS_Spam     X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.}
        header L_AV_SS_Hdr      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
        header L_AV_SS_Img      X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO|SpamImg)\.}
        header L_AV_SpamDomain  X-Amavis-AV-Status =~ m{^INetMsg\.SpamDomain\b}
        header L_AV_SS_Bounce   X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
        header __L_AV_SS        X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
        meta   L_AV_SS_other    __L_AV_SS && !(L_AV_SS_PhishBar || L_AV_SS_Phish || L_AV_SS_TestSig || L_AV_SS_Spear || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
        header L_AV_MSRBL_Img   X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
        header L_AV_MSRBL_Spam  X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
        header L_AV_MBL         X-Amavis-AV-Status =~ m{\bAV:MBL_(?!NA\.UNOFFICIAL)}
        header L_AV_SecInf      X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
        header L_AV_Any         X-Amavis-AV-Status =~ m{\bAV:}

        describe L_AV_Phish       Email|HTML.Phishing
        describe L_AV_Scam        ScamNailer.Phish
        describe L_AV_Spam        Email.Spammail
        describe L_AV_PhishHeur   Phishing.Heuristics
        describe L_AV_DS_Phish    Doppelstern.Phishing
        describe L_AV_DS_Scam     Doppelstern.Scam
        describe L_AV_DS_Junk     Doppelstern.Junk
        describe L_AV_SS_PhishBar Sanesecurity_PhishBar
        describe L_AV_SS_Phish    Sanesecurity.Phishing
        describe L_AV_SS_TestSig  Sanesecurity.TestSig
        describe L_AV_SS_Spear    Sanesecurity.Spear
        describe L_AV_SS_Malware  Sanesecurity.(Malware|Rogue|Trojan)
        describe L_AV_SS_Scam     Sanesecurity.(Scam[A-Za-z0-9])
        describe L_AV_SS_Spam     Sanesecurity.(Bou|Cred|Dipl|Job|Loan|Lott|Porn|Spam[A-Za-z0-9]?|Stk|Junk)
        describe L_AV_SS_Hdr      Sanesecurity.Hdr
        describe L_AV_SS_Img      Sanesecurity.(Img|ImgO|SpamImg)
        describe L_AV_SpamDomain  INetMsg.SpamDomain
        describe L_AV_SS_Bounce   Spam.Bounce.Sanesecurity
        describe __L_AV_SS        Sanesecurity
        describe L_AV_MSRBL_Img   MSRBL-Images
        describe L_AV_MSRBL_Spam  MSRBL-SPAM
        describe L_AV_MBL         MBL_.UNOFFICIAL
        describe L_AV_SecInf      SecuriteInfo.com
        describe L_AV_Any         Any SaneSecurity & MSRBL Signatures

        score  L_AV_Phish       14
        score  L_AV_Scam        10
        score  L_AV_Spam        5
        score  L_AV_SpamDomain  6
        score  L_AV_PhishHeur   5
        score  L_AV_DS_Phish    14
        score  L_AV_DS_Scam     10
        score  L_AV_DS_Junk     8
        score  L_AV_SS_Phish    5
        score  L_AV_SS_PhishBar 0.5
        score  L_AV_SS_TestSig  0.123
        score  L_AV_SS_Spear    4
        score  L_AV_SS_Scam     8
        score  L_AV_SS_Spam     8
        score  L_AV_SS_Hdr      6
        score  L_AV_SS_Img      3.5
        score  L_AV_SS_Bounce   0.1
        score  L_AV_SS_other    1
        score  L_AV_SS_Malware  14
        score  L_AV_MBL         14
        score  L_AV_MSRBL_Img   3.5
        score  L_AV_MSRBL_Spam  6
        score  L_AV_SecInf      8
        score  L_AV_Any         2

        --------------- /etc/mail/spamassassin/local.cf ---------------

Restart amavisd:

        # systemctl restart amavisd.service
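The two stages configured above, amavisd's first-match-wins @virus_name_to_spam_score_maps and the SpamAssassin L_AV_* rules on X-Amavis-AV-Status, emulated in Python as an added example (not code from the original post, amavisd or SpamAssassin). It transcribes only a subset of the map entries, assumes the header value has the form `AV:<signature name>`, writes Perl's `\z` as Python's `\Z`, and feeds in constructed signature names; the first one, Porcupine.Junk.36046.UNOFFICIAL, is the hit in the report further down, where only L_AV_Any (2.0) fires.

```python
import re

# Added example, not from the original post. Stage 1: amavisd map, first match
# wins, None stands for Perl undef (keep as infected). Only a subset of the
# post's entries is transcribed, in the post's order.
VIRUS_NAME_TO_SPAM_SCORE = [
    (r'^(Heuristics\.)?Phishing\.',                   0.1),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)',  0.1),
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.',      None),  # keep as infected
    (r'^Sanesecurity\.Foxhole\.Zip_exe',              0.1),   # F.P.
    (r'^Sanesecurity\.Foxhole\.',                     None),  # keep as infected
    (r'^Sanesecurity\.',                              0.1),
    (r'^Email\.Spammail\b',                           0.1),
    (r'^Email\.Spam.*-SecuriteInfo\.com(\.|\Z)',      0.1),
    (r'^Porcupine\.Junk',                             0.1),
    (r'^PhishTank\.Phishing\.',                       0.1),
    (r'-SecuriteInfo\.com(\.|\Z)',                    None),  # keep as infected
    (r'^MBL_NA\.UNOFFICIAL',                          0.1),   # false positives
    (r'^MBL_',                                        None),  # keep as infected
]


def classify_virus_name(name):
    """First matching entry decides: ('spam', score) or ('infected', None).
    A name matching no entry keeps amavisd's default and stays an infection."""
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE:
        if re.search(pattern, name):
            return ('infected', None) if score is None else ('spam', score)
    return ('infected', None)


# Stage 2: the post's local.cf header rules, name -> (regex, score).
# Names starting with "__" are sub-rules that only feed the meta rule.
I = re.IGNORECASE
SA_HEADER_RULES = {
    'L_AV_Phish':       (re.compile(r'\bAV:(Email|HTML)\.Phishing\.', I), 14),
    'L_AV_Scam':        (re.compile(r'\bAV:ScamNailer\.Phish\.', I), 10),
    'L_AV_Spam':        (re.compile(r'\bAV:Email\.Spammail', I), 5),
    'L_AV_SS_PhishBar': (re.compile(r'\bAV:Sanesecurity_PhishBar_'), 0.5),
    'L_AV_SS_Phish':    (re.compile(r'\bAV:Sanesecurity\.Phishing\.'), 5),
    'L_AV_SS_TestSig':  (re.compile(r'\bAV:Sanesecurity\.TestSig_'), 0.123),
    'L_AV_SS_Spear':    (re.compile(r'\bAV:Sanesecurity\.Spear'), 4),
    'L_AV_SS_Malware':  (re.compile(r'\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.'), 14),
    'L_AV_SS_Scam':     (re.compile(r'\bAV:Sanesecurity\.(Scam[A-Za-z0-9]?)'), 8),
    'L_AV_SS_Spam':     (re.compile(r'\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Lott'
                                    r'|Porn|Spam[A-Za-z0-9]?|Stk|Junk)\.'), 8),
    'L_AV_SS_Hdr':      (re.compile(r'\bAV:Sanesecurity\.Hdr\.'), 6),
    'L_AV_SS_Img':      (re.compile(r'\bAV:Sanesecurity\.(Img|ImgO|SpamImg)\.'), 3.5),
    'L_AV_SS_Bounce':   (re.compile(r'\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b'), 0.1),
    '__L_AV_SS':        (re.compile(r'\bAV:Sanesecurity\.'), 0),
    'L_AV_MBL':         (re.compile(r'\bAV:MBL_(?!NA\.UNOFFICIAL)'), 14),
    'L_AV_Any':         (re.compile(r'\bAV:'), 2),
}
# meta L_AV_SS_other: a Sanesecurity hit that none of the specific rules covered.
SS_SPECIFIC = ['L_AV_SS_PhishBar', 'L_AV_SS_Phish', 'L_AV_SS_TestSig', 'L_AV_SS_Spear',
               'L_AV_SS_Scam', 'L_AV_SS_Spam', 'L_AV_SS_Malware', 'L_AV_SS_Hdr',
               'L_AV_SS_Img', 'L_AV_SS_Bounce']


def score_av_status(header_value):
    """Apply the L_AV_* rules to one X-Amavis-AV-Status value and return
    (total score, sorted names of the scoring rules that hit)."""
    hits = {name: score for name, (rx, score) in SA_HEADER_RULES.items()
            if rx.search(header_value)}
    if '__L_AV_SS' in hits and not any(r in hits for r in SS_SPECIFIC):
        hits['L_AV_SS_other'] = 1
    scoring = {r: s for r, s in hits.items() if not r.startswith('__')}
    return sum(scoring.values()), sorted(scoring)


def pipeline(virus_name):
    """Run a ClamAV signature name through both stages the way the post's
    setup does: an 'infected' verdict never reaches SpamAssassin, a 'spam'
    verdict is scored from the header amavisd adds (assumed 'AV:<name>')."""
    verdict, _ = classify_virus_name(virus_name)
    if verdict == 'infected':
        return ('virus', 0, [])
    total, rules = score_av_status('AV:' + virus_name)
    return ('spam', total, rules)


if __name__ == '__main__':
    # Constructed sample names; the first is the hit shown in the post's report.
    for name in ['Porcupine.Junk.36046.UNOFFICIAL',
                 'Sanesecurity.Junk.12345.UNOFFICIAL',
                 'Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL',
                 'Sanesecurity.Foxhole.Mail_zip.UNOFFICIAL',
                 'Sanesecurity.Malware.24890.UNOFFICIAL',
                 'MBL_NA.UNOFFICIAL', 'MBL_12345.UNOFFICIAL']:
        print(name, '->', pipeline(name))
```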






At last I have to say: Yes you can do this stuff over Kolab, but does it 
really make sense to do this for every Kolab installation again and again! 
Yes you can do it, but I prefer to use MX gateways for all domains, which 
means Kolab is only accessible over port 25 for these MX gateways and not 
for the public world. The MX gateways are for incoming only and not for 
outgoing. This is something Kolab itself does etc.  I do not use a high 
performance server; instead I use a small server but with minimal 
packages, memory intensive stuff etc. etc.

        Architecture:          i686
        CPU op-mode(s):        32-bit, 64-bit
        Byte Order:            Little Endian
        CPU(s):                4
        On-line CPU(s) list:   0-3
        Thread(s) per core:    2
        Core(s) per socket:    2
        Socket(s):             1
        Vendor ID:             GenuineIntel
        CPU family:            6
        Model:                 28
        Stepping:              10
        CPU MHz:               1666.693
        BogoMIPS:              3333.38
        L1d cache:             24K
        L1i cache:             32K
        L2 cache:              512K

On this server I run approx. 16 domains with about 300 email addresses and 
approx. 2500 messages per day. I use 32 bit systems because for perl etc. 
64 bit is not necessary and gives no performance advantage! As mentioned, 
here is my configuration, and please again be careful: nothing to copy/paste, 
you have to understand what you add. Specially for amavisd.conf I 
have to say the following in addition: There will be no message TAGGED within 
the subject; instead everything will be quarantined locally and a report 
will be sent to virusalert@mydomain.ch and spamalert@mydomain.ch for 
analysis and to have the information for false positives, which actually I 
do not have :-) Such a report looks the following way (this report 
is from the MX gateway but based on the same config which I have for testing 
purposes also activated on Kolab):

Content type: Spam
Internal reference code for the message is 18101-03/Z8rISpQdNtGp

First upstream SMTP client IP address: [217.112.35.101]:41368
   mx25.valuehost.ru

Received trace: ESMTP://[217.112.35.101]:41368 < ESMTP://127.0.0.1 <
   ESMTPA://64.137.238.13

Return-Path: <postmaster at mypitbike.ru>
 From: "DON LUIS ALBERT"<postmaster at mypitbike.ru>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Subject: Ref Nº OYI/2551256003/16
The message has been quarantined as: spam-Z8rISpQdNtGp.gz

The message WAS NOT relayed to:
<info at mydomain.ch>:
    250 2.7.0 ok, discarded, id=18101-03 - spam

Spam scanner report:
AV scanner ClamAV-clamd reported spam (not infection):
Porcupine.Junk.36046.UNOFFICIAL


Spam detection software, running on the system "stratos.comcept.ch", has 
identified this incoming email as possible spam.
If you have any questions, contact postmaster at comcept.ch for any further 
information.

Content preview:  C/SAN PEZ ANCATARA 24. 08905 BARCELONA - SPAIN 
TELE:0034-602-657-019
    EMAIL: lottointer at europe.com 03/08/16 OFFIZIELLE MITTEILUNG VON SITZ 
DES
   VIZEPRASIDENTEN INTERNATIONALE PROMOTIOM-GEWINNZUTEILUNG OFFIZIELLE 
GEWINNBENACHRITIGUNG
    Wir sind erfreut ihnen mitteilen zu konnen, das die gewinnliste 
LOTERIAL
   NACIONAL an 29/07/2016 erschienen ist.Dir offizielle liste der 
gewinner erschien
    am 03/08/2016 Ihr name wurde auf dem los mit dir nummer: 
025.11464992.750
    und mit der seriennummer:2113-06, Ref Nє OYI/2551256003/16 und 
stapel nє:
    Gr/14/117/1pd registried. Die glucksnummer: 10-16-25-41-46, haben in 
der
   3. Kategorie gewonnen. [...]

Content analysis details:   (87.8 points, 5.0 required)

  pts rule name              description
---- ---------------------- 
--------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, 
low
                             trust
                             [217.112.35.101 listed in list.dnswl.org]
  2.0 RCVD_IN_NIX_SPAM       RBL: Listed in NIX-SPAM DNSBL
                             [217.112.35.101 listed in 
ix.dnsbl.manitu.net]
  3.0 RCVD_IN_DNSBL_Blocklist_de RBL: Sender listed on Blocklist DNSBL
                             [64.137.238.13 listed in 
allinone.bl.blocklist.de]
  0.8 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is an abusable web server
                             [64.137.238.13 listed in dnsbl.sorbs.net]
  4.5 HS_BODY_655            BODY: Heinlein Support Spamschutz Body-655
  0.0 FSL_CTYPE_WIN1251      Content-Type only seen in 419 spam
  2.0 RELAYCOUNTRY_BAD       Relayed through spamy country at some point 
CN RU LI
                              UA RO HK UZ KR VN JP TW TH IN
-1.0 RELAYCOUNTRY_GOOD      Relayed through trusted country CH DE AT FR 
US CA
  2.0 L_AV_Any               Any SaneSecurity & MSRBL Signatures
  0.0 NSL_RCVD_FROM_USER     Received from User
-1.0 L_P0F_Unix             Remote system is running Unix, not Linux
-0.1 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                  
[botnet_serverwords,ip=217.112.35.101,rdns=mx25.valuehost.ru]
-0.0 BOTNET_SOHO            Relay might be a SOHO mail server
[botnet_soho,ip=217.112.35.101,maildomain=mypitbike.ru,helo=mx25.valuehost.ru]
  1.0 MISSING_HEADERS        Missing To: header
  0.2 TW_NF                  BODY: Odd Letter Triples with NF
  0.2 TW_ZN                  BODY: Odd Letter Triples with ZN
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5023]
  4.0 DCC_CHECK              Detected as bulk mail by DCC 
(dcc-servers.net)
  1.0 ZMIde_OutlookExpress   Outlook Express should not be used anymore
  0.5 MISSING_MID            Missing Message-Id: header
  4.0 ZMIde_LOTTERYHARD1     lottery fake, 1+ hits
  8.0 ZMIde_LOTTERYHARD3     lottery fake, 3+ hits
  0.0 FROM_MISSP_MSFT        From misspaced + supposed Microsoft tool
  1.9 ZMIde_LOTTERY1         lottery fake, 1+ hit
  0.0 FSL_NEW_HELO_USER      Spam's using Helo and User
  8.0 ZMIde_LOTTERYHARD2     lottery fake, 2+ hits
  1.0 RELAYCOUNTRY_ALL       Relayed through any country
  2.9 ZMIde_LOTTERY2         lottery fake, 2+ hits
  0.0 FROM_MISSP_USER        From misspaced, from "User"
   20 ZMIde_LOTTERY4         lottery fake, 6+ hits
  0.0 FROM_MISSP_XPRIO       Misspaced FROM + X-Priority
  1.1 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
  7.0 ZMIde_LOTTERY3         lottery fake, 4+ hits
  0.0 TO_NO_BRKTS_FROM_MSSP  Multiple header formatting problems
  0.0 FROM_MISSPACED         From: missing whitespace
  0.0 T_FROM_MISSP_DKIM      From misspaced, DKIM dependable
  8.0 ZMIde_LOTTERY_OL       lottery fake sent via Outlook Express
  2.0 LOTTO_DEPT             Claims Department
  1.9 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
  2.5 TO_NO_BRKTS_MSFT       To: lacks brackets and supposed Microsoft tool
  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
  0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
  1.0 FORM_FRAUD             Fill a form and a fraud phrase
 -0.8 TXREP                  TXREP: Score normalizing based on sender's reputation

==============================================================================
last-external-host     = mx25.valuehost.ru [217.112.35.101] HELO=mx25.valuehost.ru
possible-languages     = de
ASN-relayed-countries  = RU ** CA [AS30943 AS1239 AS6453 AS3216] 217.112.35.0/24
dkim-sign-identities   =
dkim-sign-domains      =
pyzor                  = Reported 3 times.
RBL                    = <dns:13.238.137.64.dnsbl.sorbs.net> [127.0.0.7]
                         <dns:101.35.112.217.list.dnswl.org> [127.0.5.1]
                         <dns:101.35.112.217.ix.dnsbl.manitu.net> [127.0.0.2]
                         <dns:101.35.112.217.hostkarma.junkemailfilter.com> [127.0.0.5]
                         <dns:mypitbike.ru?type=MX> [100 mx25.valuehost.ru.]
                         <dns:mypitbike.ru> [217.112.35.77]
                         <dns:13.238.137.64.allinone.bl.blocklist.de> [127.0.0.13]
                         <dns:13.238.137.64.zen.spamhaus.org> [127.0.0.4]
DCC-brand              = INFN-TO
DCC-result             = stratos.comcept.ch 1233; Body=many Fuz1=many
bayes-score            = 0.5023
bayes-token-summary    = Tokens: new, 200; hammy, 52; neutral, 197; spammy, 98.
bayes-token-spam-count = 98
bayes-token-ham-count  = 52
bayes-token-spam       = H*r:User, H*RU:User, sk:GEWINNB, MADRID, gewinnliste, reibunglosen, sk:gewinna, garantiet, ausgewahlt, GLUCKWUNSCH, seguros, SEGUROS, GLUCKWUNSCH!!!, glucksnummer, Hx-spam-relays-external:User, 1016254146
bayes-token-ham        = SICH, ZUR, Bezeichnung, ganz, werden, 117, sk:bearbei, UD:Alle, bankdaten, sitz, informiert, mitteilen, verarbeitung, acht, Verarbeitung, nacional
bayes-auto-learned     = spam autolearn_force=no 88.264
==============================================================================

Hope this helps...have fun.

Kind regards

Andrea Soliva

andrea.soliva at comcept.ch

-----Original Message-----
From: users-bounces at lists.kolab.org [mailto:users-bounces at lists.kolab.org] On Behalf Of Carpenter, Troy
Sent: Friday, 5 August 2016 23:27
To: users at lists.kolab.org
Subject: Re: Spam issues and how to overcome them

On 2016-06-14 04:00 PM, Lance Charette wrote:
> On 6/13/2016 11:17 AM, Philip Trickett (List) wrote:
>> Hi Homer,
>> 
>> I have taken a similar route to you, but I found the things I
>> implemented that reduced spam the most were:
>> 
>> Greylisting using Postgrey: http://postgrey.schweikert.ch/
>> https://www.howtoforge.com/greylisting_postfix_postgrey
>> 
>> Implementing DKIM and SPF for postfix: http://www.opendkim.org/ There
>> are some good howtos out there as well.
>> 
>> I am using Kolab on Centos 7, but it should be fairly simple to
>> implement, the most frustrating part is waiting for the DNS updates
>> for DKIM.
>> 
>> 
>> Hope that helps,
>> 
>> 
>> Phil
> 
> Thanks a bunch Phil and Nathanael for your replies.
> 
> I too had been using greylisting and spf which helped considerably
> however it wasn't near enough for the amount of spam our accounts are
> getting.
> 
> I was hoping to find some information on how I could set up black &
> white lists that could be contributed to by each email user within the
> Roundcube mail client but haven't seen anything yet.  As I indicated
> in the beginning of this thread, I owned and operated an ISP for over
> 15 years and have used a wide variety of email servers and separate
> anti-spam servers as well, all set up and configured within so I have
> a pretty good handle on the do's and don'ts and have done so on both
> Windows based and Linux based platforms.  This is the first time
> however where I have used an 'environment' that takes so many tools
> that are independently otherwise off the shelf and tries to meld them
> all into one.  It's a far cry different than just using an email
> server and a separate anti-spam package... i.e. like spamassassin on
> its own.
> 
> In the Kolab environment you have Kolab wrapped around everything,
> amavis wrapped about spamassassin and so on and so on and it's the
> lack of a well documented 'strategy' that makes it difficult to know
> (understand) how one affects the other, etc.  A solid block diagram of
> how all the pieces fit into the puzzle would be a great start. Solid
> examples of actual configuration files for a particular Kolab version
> would also help a lot.
> 
> I understand that this is a 'community' effort but one HAS to believe
> that the primary retail side of Kolab has already worked these issues
> out and could reciprocate in the reverse direction given they benefit
> from the community as they do.
> 
> Once satisfied with a working environment... and one that doesn't
> require administration on a daily basis... I will post my examples for
> others in 'our boat' to have something to start from.  I have set up
> two dedicated ScrollOutF1 vm servers, each on the same vm server the
> Kolab resides on respectively and have set up virtual networking within
> for the ScrollOutF1 to talk directly to the Kolab environment
> eliminating the additional load on the physical network.  That's
> working very well.  Also, as ScrollOutF1 is using many of the same
> tools already embedded in Kolab, I'm actually hoping to take the
> settings once defined to our satisfaction in ScrollOutF1 and migrate
> them to the Kolab equivalents and ultimately take ScrollOutF1 out of
> the picture.
> 
> Again, thanks everyone and I will continue to push on and contribute
> as it becomes apparent I have a well working environment... which I
> hope to be soon.  I have users that may exterminate me if I don't.
> 
> hdokes
> users at lists.kolab.org



I'm a little late to this thread...but according to my logs, the 
following smtpd_recipient_restrictions line in my postfix main.cf goes a 
long way to stopping quite a bit of SPAM:

smtpd_recipient_restrictions = permit_mynetworks,
                                 permit_sasl_authenticated,
                                 reject_unauth_destination,
                                 reject_invalid_hostname,
                                 reject_unauth_pipelining,
                                 reject_non_fqdn_recipient,
                                 reject_unknown_recipient_domain,
                                 reject_invalid_helo_hostname,
                                 check_policy_service unix:private/recipient_policy_incoming,
                                 reject_rbl_client zen.spamhaus.org,
                                 reject_rbl_client dnsbl.sorbs.net,
                                 reject_rbl_client bl.spamcop.net,
                                 reject_rbl_client rhsbl.sorbs.net,
                                 permit

Obviously the reject_rbl_client is the section that does the most.  I 
haven't updated that in a while, so I make no claims as to which of 
those services work except for zen.spamhaus.org and bl.spamcop.net, both 
of which I've seen in my recent logs as being used to block.

For items that get through that, spamassassin still catches quite a bit.
It tags and a sieve script moves the email to the Spam directory if 
the score is low enough; otherwise if the score is high, Amavisd shunts 
it to a quarantine database with a web interface for users to release if 
necessary.

The only thing I don't have a good handle on is training the Bayesian 
database...but I only have about 10 users on the system right now.

Troy
_______________________________________________
users mailing list
users at lists.kolab.org
https://lists.kolab.org/mailman/listinfo/users
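Troy's reject_rbl_client entries and the "RBL =" section of the SpamAssassin report above rely on the same mechanism: the client address has its octets reversed, the zone name is appended, and an A record in 127.0.0.0/8 means "listed", with the last octet saying why. The following is an added example, not code from the thread, Postfix or SpamAssassin; it builds and decodes those query names offline (no DNS traffic), and its sample input is the report's RBL line re-joined onto one string.

```python
import re

# Added example, not thread code. Return codes are the published ones for the
# two zones in both Troy's reject_rbl_client list and the report's RBL section.
RETURN_CODES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: spam source", "127.0.0.3": "SBL CSS",
        "127.0.0.4": "XBL: exploited host", "127.0.0.5": "XBL",
        "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL: end-user address", "127.0.0.11": "PBL",
    },
    "dnsbl.sorbs.net": {
        "127.0.0.2": "open HTTP proxy", "127.0.0.3": "open SOCKS proxy",
        "127.0.0.4": "misc proxy", "127.0.0.5": "open SMTP relay",
        "127.0.0.6": "spam source", "127.0.0.7": "abusable web server",
    },
}
# One "<dns:NAME> [ANSWER]" pair as printed; "?type=MX" lookups do not match.
RBL_RE = re.compile(r"<dns:([^>?\s]+)>\s*\[([\d.]+)\]")

def query_name(ip, zone):
    """Name a DNSBL client looks up: octets reversed, zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: " + ip)
    return ".".join(reversed(octets)) + "." + zone

def ip_from_query(name, zone):
    """Inverse of query_name(): recover the address that was looked up."""
    if not name.endswith("." + zone):
        raise ValueError(name + " is not a " + zone + " query")
    return ".".join(reversed(name[: -len(zone) - 1].split(".")))

def decode_rbl_line(text):
    """[(ip, zone, answer, meaning)] for zones reject_rbl_client would act on;
    allowlist (dnswl) and plain A/MX lookups in the line are skipped."""
    hits = []
    for name, answer in RBL_RE.findall(text):
        for zone, codes in RETURN_CODES.items():
            if name.endswith("." + zone):
                hits.append((ip_from_query(name, zone), zone, answer,
                             codes.get(answer, "undocumented answer")))
    return hits

# Constructed sample: the report's "RBL =" line, re-joined onto one string.
SAMPLE = ("<dns:13.238.137.64.dnsbl.sorbs.net> [127.0.0.7] "
          "<dns:101.35.112.217.list.dnswl.org> [127.0.5.1] "
          "<dns:mypitbike.ru?type=MX> [100 mx25.valuehost.ru.] "
          "<dns:13.238.137.64.zen.spamhaus.org> [127.0.0.4]")
```

Running decode_rbl_line(SAMPLE) shows the SORBS 127.0.0.7 answer is exactly what fired RCVD_IN_SORBS_WEB in the report, and that a plain `reject_rbl_client zen.spamhaus.org` rejects on any of the Zen answers, PBL included.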



