
Postfix (smtp-proxy), amavisd-new, spamassassin and clamav don't properly detect HTML spam


arne110
Hello everyone,

I'm currently facing a comprehension problem regarding HTML spam. These are only rarely tagged with ***SPAM*** and (so my feeling) are only poorly checked by the virus scanner.
I use Postfix (smtp-proxy), amavisd-new, spamassassin and clamav with sanesecurity lists. sa-learn isn't active yet, but I want to enable it, since I'm not getting any further with the current
settings. I don't want to use greylisting and SPF, and DANE via DNSSEC also "not yet", but there are surely still ways to optimise my knobs a bit. Maybe you can spot a few more places that aren't consistent with each other. I would be grateful for any help!

Normal mails come through to me with the following headers. What always catches my eye is that for most mails I'm moving in the negative score range of -5.yyy to -1.yyy, which doesn't
bother me much though:

Here the postfix log:
################################################
Jan 27 10:17:35 my.mailgw postfix/smtpd[14199]: connect from mout.gmx.net[212.227.15.15]
Jan 27 10:17:35 my.mailgw postfix/smtpd[14199]: Anonymous TLS connection established from mout.gmx.net[212.227.15.15]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 27 10:17:35 my.mailgw postfix/smtpd[14199]: C99401CA04A: client=mout.gmx.net[212.227.15.15]
Jan 27 10:17:35 my.mailgw postfix/cleanup[14252]: C99401CA04A: message-id=<[hidden email]>
Jan 27 10:17:35 my.mailgw postfix/qmgr[7567]: C99401CA04A: from=<[hidden email]>, size=2702, nrcpt=1 (queue active)
Jan 27 10:17:35 my.mailgw amavis[14344]: (14344-03) LMTP :10024 /var/amavis/tmp/amavis-20170127T101557-14344-Sa5le_0Z: <[hidden email]> -> <[hidden email]> SIZE=2702 Received: from mail.my.domain.de ([127.0.0.1]) by localhost (mailgw.my.domain.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <[hidden email]>; Fri, 27 Jan 2017 10:17:35 +0100 (CET)
Jan 27 10:17:35 my.mailgw postfix/smtpd[14199]: disconnect from mout.gmx.net[212.227.15.15] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 27 10:17:35 my.mailgw amavis[14344]: (14344-03) Checking: IHjkyw8CnBIq [212.227.15.15] <[hidden email]> -> <[hidden email]>
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) spam-tag, <[hidden email]> -> <[hidden email]>, No, score=-5.097 required=3 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Jan 27 10:17:36 my.mailgw postfix/smtpd[14255]: C3E0D1CA051: client=localhost[127.0.0.1], orig_queue_id=C99401CA04A, orig_client=mout.gmx.net[212.227.15.15]
Jan 27 10:17:36 my.mailgw postfix/cleanup[14252]: C3E0D1CA051: message-id=<[hidden email]>
Jan 27 10:17:36 my.mailgw postfix/smtpd[14255]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=3 mail=3 rcpt=3 data=3 noop=1 quit=1 commands=15
Jan 27 10:17:36 my.mailgw postfix/qmgr[7567]: C3E0D1CA051: from=<[hidden email]>, size=3370, nrcpt=1 (queue active)
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) IHjkyw8CnBIq FWD from <[hidden email]> -> <[hidden email]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C3E0D1CA051
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) Passed CLEAN {RelayedInbound}, [212.227.15.15]:64424 [88.134.178.250] <[hidden email]> -> <[hidden email]>, Queue-ID: C99401CA04A, Message-ID: <[hidden email]>, mail_id: IHjkyw8CnBIq, Hits: -5.097, size: 2702, queued_as: C3E0D1CA051, 911 ms
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) TIMING-SA [total 842 ms, cpu 553 ms] - parse: 1.19 (0.1%), mailct_message_metadata: 9 (1.0%), get_uri_detail_list: 0.48 (0.1%), tests_pri_-1000: 2.3 (0.3%), tests_pri_-950: 0.86 (0.1%), tests_pri_-900: 0.90 (0.1%), tests_pri_-400: 14 (1.7%), check_bayes: 13 (1.6%), b_tokenize: 4.1 (0.5%), b_tok_get_all: 3.8 (0.5%), b_comp_prob: 2.5 (0.3%), b_tok_touch_all: 0.24 (0.0%), b_finish: 0.81 (0.1%), tests_pri_0: 762 (90.5%), check_spf: 0.31 (0.0%), check_dkim_signature: 0.58 (0.1%), check_dkim_adsp: 79 (9.4%), check_razor2: 631 (74.9%), check_pyzor: 0.09 (0.0%), tests_pri_500: 2.2 (0.3%), learn: 34 (4.0%), b_learn: 32 (3.8%), b_count_change: 19 (2.3%), get_report: 0.55 (0.1%)
Jan 27 10:17:36 my.mailgw postfix/lmtp[14253]: C99401CA04A: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.12/0/0/0.91, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C3E0D1CA051)
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) size: 2702, TIMING [total 914 ms, cpu 577 ms, AM-cpu 24 ms, SA-cpu 553 ms] - SMTP greeting: 1.6 (0%)0, SMTP LHLO: 0.6 (0%)0, SMTP pre-MAIL: 0.7 (0%)0, SMTP pre-DATA-flush: 2.2 (0%)1, SMTP DATA: 36 (4%)4, check_init: 0.4 (0%)5, digest_hdr: 0.5 (0%)5, digest_body: 0.1 (0%)5, collect_info: 2.1 (0%)5, check_header: 1.1 (0%)5, AV-scan-1: 9 (1%)6, spam-wb-list: 0.7 (0%)6, SA msg read: 0.5 (0%)6, SA parse: 1.5 (0%)6, SA check: 839 (92%)98, decide_mail_destiny: 3.5 (0%)98, notif-quar: 0.3 (0%)98, fwd-connect: 2.3 (0%)99, fwd-xforward: 0.4 (0%)99, fwd-mail-pip: 1.3 (0%)99, fwd-rcpt-pip: 0.2 (0%)99, fwd-data-chkpnt: 0.0 (0%)99, write-header: 0.6 (0%)99, fwd-data-contents: 0.1 (0%)99, fwd-end-chkpnt: 1.6 (0%)99, prepare-dsn: 0.5 (0%)99, report: 1.0 (0%)99, main_log_entry: 4.3 (0%)100, update_snmp: 1.8 (0%)100, SMTP pre-response: 0.2 (0%)100, SMTP response: 0.1 (0%)100, unlink-1-files: 0.2 (0%)100, rundown: 0.6 (0%)100
Jan 27 10:17:36 my.mailgw amavis[14344]: (14344-03) size: 2702, RUSAGE minflt=353+0, majflt=0+0, nswap=0+0, inblock=0+0, oublock=1248+0, msgsnd=0+0, msgrcv=0+0, nsignals=0+0, nvcsw=71+0, nivcsw=2+0, maxrss=87344+0, ixrss=0+0, idrss=0+0, isrss=0+0, utime=0.553+0.000, stime=0.023+0.000
Jan 27 10:17:36 my.mailgw postfix/qmgr[7567]: C99401CA04A: removed
Jan 27 10:17:36 my.mailgw postfix/smtp[14256]: C3E0D1CA051: to=<[hidden email]>, relay=192.168.YYY.ZZZ[192.168.YYY.ZZZ]:25, delay=0.06, delays=0/0/0/0.05, dsn=2.6.0, status=sent (250 2.6.0  <[hidden email]> Queued mail for delivery)
Jan 27 10:17:36 my.mailgw postfix/qmgr[7567]: C3E0D1CA051: removed

Here an HTML spam that was not detected as spam, even though plenty of links were embedded in the mail:
################################################
Jan 27 05:23:05 my.mailgw postfix/smtpd[3403]: 2C8961CA068: client=abc4.strongsiteweb.xyz[198.167.142.163]
Jan 27 05:23:05 my.mailgw postfix/cleanup[3369]: 2C8961CA068: message-id=<[hidden email]>
Jan 27 05:23:05 my.mailgw postfix/qmgr[7567]: 2C8961CA068: from=<[hidden email]>, size=13739, nrcpt=1 (queue active)
Jan 27 05:23:05 my.mailgw postfix/smtpd[3403]: disconnect from abc4.strongsiteweb.xyz[198.167.142.163] ehlo=1 mail=4 rcpt=4 data=4 quit=1 commands=14
Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) spam-tag, <[hidden email]> -> <[hidden email]>, No, score=2.66 required=3 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, URIBL_ABUSE_SURBL=1.25, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Jan 27 05:23:07 my.mailgw postfix/smtpd[3373]: 2826C1CA069: client=localhost[127.0.0.1], orig_queue_id=DEA6F1CA05C, orig_client=abc4.strongsiteweb.xyz[198.167.142.163]
Jan 27 05:23:07 my.mailgw postfix/cleanup[3402]: 2826C1CA069: message-id=<[hidden email]>
Jan 27 05:23:07 my.mailgw postfix/qmgr[7567]: 2826C1CA069: from=<[hidden email]>, size=33431, nrcpt=1 (queue active)
Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) 1AeGxJVzpJxF FWD from <[hidden email]> -> <[hidden email]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2826C1CA069
Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) Passed CLEAN {RelayedInbound}, [198.167.142.163]:37272 [198.167.142.163] <[hidden email]> -> <[hidden email]>, Queue-ID: DEA6F1CA05C, Message-ID: <[hidden email]>, mail_id: 1AeGxJVzpJxF, Hits: 2.66, size: 32652, queued_as: 2826C1CA069, 3756 ms
Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) TIMING-SA [total 3646 ms, cpu 887 ms] - parse: 2.7 (0.1%), extract_message_metadata: 23 (0.6%), get_uri_detail_list: 8 (0.2%), tests_pri_-1000: 8 (0.2%), tests_pri_-950: 0.76 (0.0%), tests_pri_-900: 0.79 (0.0%), tests_pri_-400: 37 (1.0%), check_bayes: 36 (1.0%), b_tokenize: 17 (0.5%), b_tok_get_all: 12 (0.3%), b_comp_prob: 4.6 (0.1%), b_tok_touch_all: 0.42 (0.0%), b_finish: 0.63 (0.0%), tests_pri_0: 1314 (36.0%), check_spf: 0.23 (0.0%), check_dkim_signature: 0.87 (0.0%), check_dkim_adsp: 73 (2.0%), check_razor2: 856 (23.5%), check_pyzor: 0.14 (0.0%), tests_pri_500: 2249 (61.7%), poll_dns_idle: 2245 (61.6%), get_report: 0.80 (0.0%)
Jan 27 05:23:07 my.mailgw postfix/lmtp[3370]: DEA6F1CA05C: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=5, delay=14, delays=1.5/9/0/3.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2826C1CA069)
Jan 27 05:23:07 my.mailgw postfix/qmgr[7567]: DEA6F1CA05C: removed



Here my postconf:
################################################
access_map_reject_code = 554
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 2h
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavislt:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_rbl_reply = $rbl_code RBLTRAP: $client blocked using $rbl_domain Reason: $rbl_reason
delay_warning_time = 1h
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
invalid_hostname_reject_code = 501
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_reject_code = 550
maximal_queue_lifetime = 4h
message_size_limit = 209715200
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
multi_recipient_bounce_reject_code = 550
mydestination = my.mailserver.local, my.domain.de
mydomain = my.domain.de
myhostname = mail.my.domain.de
mynetworks = 127.0.0.0/8, 192.168.YYY.ZZZ/32
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 504
plaintext_reject_code = 550
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
reject_code = 554
relay_domains = my.domain.de
relay_domains_reject_code = 550
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_dns_support_level = enabled
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_starttls_timeout = 60s
smtp_tls_cert_file = /etc/postfix/certs/server.pem
smtp_tls_exclude_ciphers = aNULL, MD5, DES, RC4
smtp_tls_key_file = /etc/postfix/certs/key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, check_client_access hash:/etc/postfix/smtpd_access, check_client_access hash:/etc/postfix/tld_access, reject_unknown_reverse_client_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dnsbl.inps.de, reject_multi_recipient_bounce, sleep 1, reject_unauth_pipelining, permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unauth_pipelining, check_helo_access hash:/etc/postfix/helo_access, reject_unknown_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit_mynetworks, check_helo_access hash:/etc/postfix/sld_access, check_helo_access hash:/etc/postfix/tld_access, regexp:/etc/postfix/helo.cf, permit
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_access hash:/etc/postfix/sld_access, check_sender_access hash:/etc/postfix/tld_access, permit
smtpd_soft_error_limit = 1
smtpd_starttls_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/server.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/certs/dh_512.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_high_cipherlist = ALL:!aNULL:!eNULL:!LOW:!EXPORT:!MEDIUM:!3DES:!MD5:!RC4:!EXP:!PSK:!ADH:!SEED:!SRP:!DSS:@STRENGTH
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient address lookup failed
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Here my Postfix master.cf:
################################################

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
   -o canonical_classes=envelope_recipient,header_recipient
   -o canonical_maps=regexp:/etc/postfix/batv.regexp
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
procmail  unix  -       n       n       -       20      pipe
  flags=R user=cyrus argv=/usr/bin/procmail -r SENDER=${sender} -t -m USER=${user} EXTENSION=${extension} /etc/procmailrc

# Amavis remote transport receive connector
amavis    unix  -       -       n       -        2      smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=
    -o smtp_dns_support_level=disabled

# Amavis local transport receive connector
amavislt  unix  -       -       n       -        2      lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o lmtp_dns_support_level=disabled
    -o max_use=20

127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_delay_reject=no
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_tls_security_level=none
    -o smtpd_error_sleep_time=0


Here my amavisd config:
################################################
use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
$bypass_decode_parts = 1;         # controls running of decoders&dearchivers

$max_servers = 2;            # num of pre-forked children (2..15 is common), -m
$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g

$mydomain   = 'my.domain.de';       # a convenient default for other settings
$myhostname = 'mailgw.my.domain.de';
#$myhostname = 'my-old-hostname.local';  # must be a fully-qualified domain name!

# $MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = '/var/virusmails';  # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

# $db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
# $lock_file = "$MYHOME/var/amavisd.lock";  # -L
# $pid_file  = "$MYHOME/var/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 2;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_zmq = 1;             # enable use of ZeroMQ (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 0;
$enable_dkim_signing = 0;

@local_domains_maps = ( ".$mydomain" );  # list of all local domains

@mynetworks = qw( 127.0.0.0/8 192.168.0.0/16 );
@inet_acl = qw( 127.0.0.1 );
$inet_socket_bind = '127.0.0.1';


$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["spamalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

$sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.2;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 12; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# $redis_logging_queue_size_limit = 300000;  # about 250 MB / 100000

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

$virus_admin              = "virusalert\@$mydomain";  # notifications recip.
#$mailfrom_notify_admin    = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error


# OTHER MORE COMMON SETTINGS (defaults may suffice):

# $notify_method  = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;


# Notify virus sender?
$warnvirussender = 0;
# Notify spam sender?
$warnspamsender = 0;
# Notify sender of banned files?  can do it...
$warnbannedsender = 0;
# Notify sender of syntactically invalid header containing non-ASCII characters? do not!
$warnbadhsender = 0;
# Notify virus (or banned files) RECIPIENT? If you want...
$warnvirusrecip = 0;
$warnbannedrecip = 0;
$warnbadhrecip = 0;


# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)

# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam


# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));

@virus_name_to_spam_score_maps = (new_RE(
  [ qr'^Phishing\.'                                             => 6.1 ],
  [ qr'^Structured\.(SSN|CreditCardNumber)\b'                   => 6.1 ],
  [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Phishing|SpearL?)\.'i   => 6.1 ],
  [ qr'^(?:Email|HTML|Sanesecurity)\.(?:Spam|Scam)[a-z0-9]?\.'i => 6.1 ],
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.'                 => undef ],
  [ qr'^winnow\.(?:botnets?|phish|complex|mailer)\.'x           => 6.1 ],
  [ qr'^winnow\.spam(?:domain)?\.'x                             => 6.1 ],
  [ qr'^winnow\.(?:malware|trojan|compromised)\.'x              => undef ],
  [ qr'^winnow\.'x                                              => 6.1 ]
));

# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
  qr'^\.(arj|lha|zoo)$',                  # banned old archive types
  qr'^\.(eml)$',                          # banned old Outlook Express RFC822 attachment
# qr'^\.(tnef)$',                         # banned Winmail.dat Outlook RTF

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arj)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
  qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
  qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

# qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
  qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
         inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
         msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
         wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
  qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
  qr'.\.(arj|lha|zoo)$'i,                 # banned old archive types
  qr'^\.ani$',                            # banned animated cursor file(1) type
  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
  qr'.\.(docm|dotm|xltm|xlam|xlm|
         pptm|ppam|ppsm|sldm|potm|mam)$'ix,   # microsoft office files with macros
         # (x flag needed: without it the line break above becomes literal
         #  pattern text and the 'pptm' alternative can never match)
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# '[hidden email]'  => [{'[hidden email]' => 10.0}],
# '[hidden email]'  => [{'.ebay.com'                 => -3.0}],
# '[hidden email]'  => [{'[hidden email]' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

     { # a hash-type lookup table (associative array)
     '[hidden email]'                        => -3.0,
     '[hidden email]'              => -3.0,
     '[hidden email]'                    => -3.0,
     '[hidden email]'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     '[hidden email]'       => -3.0,
     '[hidden email]'      => -3.0,
     '[hidden email]'      => -3.0,
     '[hidden email]'=> -3.0,
     '[hidden email]' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     '[hidden email]'   => -3.0,
     '[hidden email]'        => -3.0,
     '[hidden email]'     => -3.0,
     '[hidden email]'   => -3.0,
     '[hidden email]' => -3.0,
     '[hidden email]'                => -3.0,
     '[hidden email]'               => -3.0,
     '[hidden email]'                  => -3.0,
     '[hidden email]'          => -3.0,
     '[hidden email]'           => -3.0,
     '[hidden email]'       => -3.0,
     '[hidden email]'          => -3.0,
     '[hidden email]'            => -3.0,
     '[hidden email]'            => -3.0,
     '[hidden email]'                => -5.0,
     '[hidden email]'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     '[hidden email]'           => -3.0,
     lc('[hidden email]')    => -3.0,
     lc('[hidden email]') => -5.0,

     # soft-blacklisting (positive score)
     '[hidden email]'                     =>  3.0,
     '.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});


#@virus_name_to_spam_score_maps =
#   (new_RE(  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
#             [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'        => undef ],
#             [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'     => 15.1 ],
#             [ qr'^(Email|Html)\.winnow\.(?:malware|trojan|compromised)\.' => 15.1 ],
#   ));

@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['xz',   \&do_uncompress,
           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress,
           ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
  ['lrz',  \&do_uncompress,
           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
  ['doc',  \&do_ole,   'ripole'],
  ['cab',  \&do_cabmailct, 'cabmailct'],
  ['tnef', \&do_tnef_ext, 'tnef'],
  ['tnef', \&do_tnef],
# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
  [[qw(gz bz2 Z tar)],
           \&do_7zip,  ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
           \&do_7zip,  '7z' ],
  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);


@av_scanners = (

  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  # NOTE: run clamd under the same user as amavisd, or run it under its own
  #   uid such as clamav, add user clamav to the amavis group, and then add
  #   AllowSupplementaryGroups to clamd.conf;
  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
  #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

  ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
  # # note that Mail::ClamAV requires perl to be build with threading!
  # ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
  #   [0], [1], qr/^INFECTED: (.+)/m],

  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # corrupted or protected archives are to be handled

  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],

   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
#    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

# always succeeds (uncomment to consider mail clean if all other scanners fail)
# ['always-clean', sub {0}],

);

1;  # ensure a defined return

Here is my spamassassin local.cf:
################################################

#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.


#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0


#   Use Bayesian classifier (default: 1)
#
# use_bayes 1


#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1


#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status


#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
#   them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1

#   Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   default: strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#   Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST       on
# shortcircuit USER_IN_DEF_WHITELIST   on
# shortcircuit USER_IN_ALL_SPAM_TO     on
# shortcircuit SUBJECT_IN_WHITELIST    on

#   the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST       on
# shortcircuit USER_IN_BLACKLIST_TO    on
# shortcircuit SUBJECT_IN_BLACKLIST    on

#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED             on

#   and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

Here are my clamav extensions:
################################################
-rw-r--r--  1 clamav clamav     58932 Jan 26 10:16 badmacro.ndb
-rw-r--r--  1 clamav clamav     99035 Jan 27 05:48 bofhland_malware_attach.hdb
-rw-r--r--  1 clamav clamav       784 Jan 27 05:48 bofhland_malware_URL.ndb
-rw-r--r--  1 clamav clamav    524800 Jan 26 22:42 bytecode.cld
-rw-r--r--  1 clamav clamav 102074880 Jan 27 08:18 daily.cld
-rw-r--r--  1 clamav clamav 109143933 May 16  2016 main.cvd
-rw-------  1 clamav clamav      1924 Jan 27 08:18 mirrors.dat
-rw-r--r--  1 clamav clamav   3920670 Jan 26 17:54 phish.ndb
-rw-r--r--  1 clamav clamav     18776 Jan 26 10:54 rogue.hdb
drwxr-xr-x  2 root   root        4096 Dec 22 10:09 test
-rw-r--r--  1 clamav clamav     46126 Jan 27 05:45 winnow_extended_malware.hdb
-rw-r--r--  1 clamav clamav    258513 Jan 27 05:45 winnow_malware.hdb
-rw-r--r--  1 clamav clamav   1350165 Jan 27 05:45 winnow_malware_links.ndb
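Added example (Python, not part of this thread and not amavisd-new's own code): the attachment-name rules from the banned_filename_re table posted above, run against a few constructed filenames so you can see which rule blocks what. amavisd matches the table against several forms of a part's name (the declared filename, the `.ext` file(1) type and the MIME type); this script models only the declared-filename check, and the rule names ("double extension" etc.) are labels chosen here.

```python
import re

# Patterns copied from the banned_filename_re table above; only the entries
# that match a declared attachment filename are modelled here.
DOUBLE_EXT = re.compile(
    r"^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$",
    re.I)
BASIC_EXT = re.compile(r".\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$", re.I)
LONG_EXT = re.compile(r"""
    .\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
        wmf|wsc|wsf|wsh)$""", re.I | re.X)
OFFICE_MACRO = re.compile(r"""
    .\.(docm|dotm|xltm|xlam|xlm|
        pptm|ppam|ppsm|sldm|potm|mam)$""", re.I | re.X)

# Why the x flag matters when a pattern is broken across lines: without it the
# line break and indentation become literal pattern text, so the alternative
# that starts on the second line ("pptm") can never match.
OFFICE_MACRO_NO_X = re.compile(
    ".\\.(docm|dotm|xltm|xlam|xlm|\n         pptm|ppam|ppsm|sldm|potm|mam)$", re.I)

# Rule labels are chosen for this example, not amavisd's names.
RULES = [("double extension", DOUBLE_EXT), ("basic+cmd", BASIC_EXT),
         ("long list", LONG_EXT), ("office macro", OFFICE_MACRO)]


def banned_by(filename):
    """Return the labels of all rules a declared attachment filename matches."""
    return [label for label, rx in RULES if rx.search(filename)]


if __name__ == "__main__":
    # Constructed sample filenames (not taken from any real mail).
    for name in ["invoice.pdf.exe", "setup.exe", "report.docx", "macro.docm",
                 "slides.pptm", "script.js", "cid:image001.jpg"]:
        print(f"{name:20} -> {banned_by(name) or 'allowed'}")
    print("pptm without x flag:", OFFICE_MACRO_NO_X.search("slides.pptm"))
```

Note that "setup.exe" is caught only by the single-extension rules, while "invoice.pdf.exe" additionally trips the double-extension rule; the latter is the one that also catches names padded with spaces or trailing dots before the final extension.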

Re: Postfix (smtp-proxy), amavisd-new, spamassassin and clamav do not detect HTML spam correctly

Alex JOST
On 27.01.2017 at 11:22, [hidden email] wrote:
> Hello all,
>
> I am currently facing a problem understanding HTML spam. These mails are only rarely tagged with ***SPAM*** and are only poorly checked by the virus scanner (or so it feels to me).
> I use Postfix (smtp-proxy), amavisd-new, spamassassin and clamav with sanesecurity lists. sa-learn is not active yet, but I want to enable it, since I am not getting any further with my current
> settings. I don't want to use greylisting and SPF, and DANE via DNSSEC "not yet" either, but there are surely still ways to fine-tune my settings. Perhaps you can see a few places that are not consistent with each other. I would be grateful for any help!

> Here is an HTML spam that was not detected as SPAM even though the mail also contained plenty of links:
> Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) spam-tag, <[hidden email]> -> <[hidden email]>, No, score=2.66 required=3 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, URIBL_ABUSE_SURBL=1.25, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

The mail would have been detected as spam if the Bayes filter had not
pushed the score below the threshold. So your Bayes database is not
well trained.


> Here is my spamassassin local.cf:
> ################################################
>
> #   Use Bayesian classifier (default: 1)
> #
> # use_bayes 1
>
>
> #   Bayesian classifier auto-learning (default: 1)
> #
> # bayes_auto_learn 1

I would recommend lowering the value of 'bayes_auto_learn_threshold_spam'.
In the default setting it is rather high.

--
Alex JOST
Re: Postfix (smtp-proxy), amavisd-new, spamassassin and clamav do not detect HTML spam correctly

Christian Boltz
In reply to this post by arne110
Hello all,

On Friday, 27 January 2017, 11:22:44 CET, [hidden email] wrote:
> Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) spam-tag,
> <[hidden email]> -> <[hidden email]>, No, score=2.66
> required=3 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001,

Classifying mails as spam at 3 points is what I would call bold[tm].
I wouldn't deviate that far from the default value.

If you are short of points, rather raise the scores of individual
rules that reliably indicate spam.

> [...] URIBL_BLOCKED=0.001]

http://uribl.com/refused.shtml

You probably want to run your own DNS server.

After that, with a bit of luck, URIBL_BLACK will fire, and for that one
can happily raise the score (I have 3.7 instead of 1.7).


Another question:
Do you already have the SA rules from Heinlein Support [1]?

By the way: these rules have been GPG-signed for a while now, I just
haven't found the GPG key yet. Peer, is it available somewhere? ;-)


Regards

Christian Boltz

[1] http://www.heinlein-support.de/blog/news/aktuelle-spamassassin-regeln-von-heinlein-support/
--
[ACPI] You can configure your power button however you like.
You can even configure it so that the PC starts singing ...
[Ekkard Gerlach in suse-linux]
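Added example (Python, written for this page; not code from the thread, from amavisd-new or from SpamAssassin) that makes the two replies above concrete: it parses the amavis spam-tag line quoted in the thread, shows how far BAYES_00 pulled the message below the threshold, flags URIBL_BLOCKED as "lookups refused, URIBL_BLACK never had a chance", and then plays through the constructed scenario where URIBL_BLACK (stock score 1.7, as in Christian's reply) fires instead, with and without a local `score URIBL_BLACK 3.7` override and at required=3 versus the default 5.0. The addresses in the sample line are placeholders; the "what if" scenario and its numbers are constructed here, not measurements from the poster's system.

```python
import re

# Constructed sample (addresses replaced): the amavis "spam-tag" line quoted
# in this thread, embedded here so the script runs offline.
SAMPLE_LOG = (
    "Jan 27 05:23:07 my.mailgw amavis[2175]: (02175-04-5) spam-tag, "
    "<sender@example.org> -> <rcpt@example.net>, No, score=2.66 required=3 "
    "tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, "
    "RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, "
    "URIBL_ABUSE_SURBL=1.25, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no"
)

LINE_RE = re.compile(
    r"spam-tag, .*?, (?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) "
    r"required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]"
)


def parse_spam_tag(line):
    """Return (verdict, score, required, {rule: score}) for one amavis spam-tag line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an amavis spam-tag line")
    tests = {}
    for item in m.group("tests").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return m.group("verdict"), float(m.group("score")), float(m.group("required")), tests


def rescore(tests, overrides=None, drop=()):
    """Re-add the rule scores, applying local 'score RULE value' overrides
    (what one would put in local.cf) and ignoring the rules listed in drop."""
    overrides = overrides or {}
    total = sum(overrides.get(name, value)
                for name, value in tests.items() if name not in drop)
    return round(total, 3)


def diagnose(line):
    """Explain why a message stayed below the threshold, following the replies:
    Bayes dragging the score down, and URIBL lookups being refused."""
    verdict, score, required, tests = parse_spam_tag(line)
    bayes_rules = [r for r in tests if r.startswith("BAYES_")]
    without_bayes = rescore(tests, drop=bayes_rules)
    findings = []
    if without_bayes >= required > score:
        findings.append(
            f"{', '.join(bayes_rules)} pulled the score from {without_bayes} "
            f"to {score}, below required={required}: the Bayes DB needs training")
    if "URIBL_BLOCKED" in tests:
        findings.append(
            "URIBL_BLOCKED: URIBL lookups were refused (typically a shared public "
            "resolver), so URIBL_BLACK could not fire; use your own resolver")
    return {"verdict": verdict, "score": score, "required": required,
            "without_bayes": without_bayes, "findings": findings}


def what_if_uribl_black(tests, local_score=None, required=3.0):
    """Constructed scenario: URIBL lookups succeed and URIBL_BLACK (stock score
    1.7) fires instead of URIBL_BLOCKED; optionally apply a local override.
    Returns (total score, would be tagged as spam)."""
    scenario = {k: v for k, v in tests.items() if k != "URIBL_BLOCKED"}
    scenario["URIBL_BLACK"] = 1.7
    overrides = {"URIBL_BLACK": local_score} if local_score is not None else None
    total = rescore(scenario, overrides)
    return total, total >= required


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    _, _, _, tests = parse_spam_tag(SAMPLE_LOG)
    print(what_if_uribl_black(tests))                     # stock 1.7, required 3
    print(what_if_uribl_black(tests, required=5.0))       # stock 1.7, default threshold
    print(what_if_uribl_black(tests, 3.7, required=5.0))  # raised rule, default threshold
```

The three "what if" calls illustrate Christian's point: with the stock URIBL_BLACK score the message only crosses the line because required was lowered to 3, whereas raising the score of a rule that reliably indicates spam gets it tagged at the default threshold of 5.0 as well.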
