How spam filters work 2

18.12.2006 10:10 | betmen

Today I'm once again sitting on my arse (after the non-sitting break from the previous part). Just as sorting rubbish requires special containers, dealing with spam requires having a fairly large "container". So today I'll write about the content filter in Postfix.

As the content filter in Postfix I use amavisd-new (the successor of the ancient amavis filter). So far I haven't found anything I could put to better use.

The abbreviation amavis carries "a mail virus scanner" in it, which is fairly obvious. But time has endowed it with other capabilities too. It still remains a daemon that can call all sorts of antivirus applications and deal with potential viruses through them. The whole thing is written in Perl and makes good use of its conveniences. Probably every open-source mail server can make use of it, and possibly some closed ones as well. But let me go straight to the amavisd-new features.
The amavis daemon starts a master and a few children (the admin defines how many). The service then listens on a defined port (since amavisd runs as an unprivileged user it must be >=1024; the preset is 10024) and uses commands identical to SMTP (see RFC 821). It can chew the mail through a spam filter (SpamAssassin) and various antivirus scanners (both free and commercial; I use ClamAV and F-Prot, and I'm not aware of clam ever letting a virus through as long as freshclam keeps it up to date). The scanners can be defined as primary or secondary filters (in case clamd crashes and so on). You can define various criteria for rating mail, create whitelists, blacklists, birth certificates...

I'll allow myself to skip the installation. Most distributions should ship it, so they'll resolve the dependencies etc. (all sorts of unpacking programs, Perl modules and so on).

The amavis configuration is concentrated in one file, usually /etc/amavisd.conf. In version 2.4.3 (the latest) the config has 9 sections. Its constant development means the configuration differs from version to version.
But on to the actual configuration.

Section 1 contains the things about where it stores its stuff; the domain and hostname are defined there (fairly essential parts), along with the parts that carry data about how amavis itself operates: number of processes, the directory where amavis stores things etc. etc...

The second section covers the so-called MTA-specific matters, i.e. various variables by which the transport agent knows how to deal with amavis.

Section 3 is about logging. Besides being able to create its own logs, amavis can also use syslog. The logs can be completely customized, but I haven't used that feature so far.

The fourth section is already more interesting. It deals with handling mail according to various situations: whom to inform that it's spam/a virus, what to do with such mail; we can define our own templates and so on. It's a fairly advanced configuration, even per subdomain.
Further on, this section defines the quarantine and some prefixes for the individual kinds of mail. It can even use a database, but I haven't needed that yet either.
Besides the functional things, here we define adding a header to the mail, or rewriting the subject if for some reason the mail wasn't checked, if it has a suspicious score but the spam filter hasn't yet unambiguously decided to remove it, and so on. We can also define banning mail by attachments here, either by file extension or by the MIME type of the individual attachments.

Section 5: detailed settings regarding whitelists/blacklists, or a policy focused in detail on the sender and/or recipient. So we can define for individual users that the spam filter won't protect them, or that they'll receive infected mail too. Or certain senders can have their mail delivered all the way to the mailbox even with a bad score. Whole domains can be shut off this way too. And for certain reasons you can define that if a mail contains a specific word it gets a sadistically high score, for example :)

Section 6, or how to save your arse. This part tells amavis how many levels of nested archive it should try to unpack looking for a possible virus, how many files at most it should suck out of a large archive for testing; there are size limits, some hashes so it knows it has already checked an identical mail, and so on.

The seventh section contains the paths to the software for the individual kinds of archives (the so-called decoders), the SpamAssassin configuration (only a cursory one; the complete SpamAssassin is configured the classic way), and the primary and secondary antivirus scanners are defined there.

Number eight is debugging.

And finally there's section 9: policy banks. This is something of a novelty where several alternative configurations are made. That should let us run amavis on several ports with different configurations, for example if we have an SMTP farm and we allow amavis from our trusted remote machines too.

So that I'm not just blathering into the wind, I'll paste one of my config files here as inspiration and dissect it:

use strict;
$MYHOME = '/var/amavis';  # (default is '/var/amavis'), -H
$mydomain = 'smrdlava.rit';      # (no useful default)
$myhostname = 'rektum.smrdlava.rit';
$daemon_user  = 'amavis';  # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';  # (no default;  customary: vscan or amavis), -g
$TEMPBASE = "$MYHOME/tmp";    # prefer to keep home dir /var/amavis clean?
$ENV{TMPDIR} = $TEMPBASE;      # wise to set TMPDIR, but not obligatory
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail
$notify_method = $forward_method;            # where to submit notifications
$max_servers  =  10;  # number of pre-forked children          (default 2), -m
$max_requests = 20;  # retire a child after that many accepts (default 10)
$child_timeout=5*60;  # abort child if it does not complete its processing in
                      # approximately n seconds (default: 8*60 seconds)
$smtpd_timeout = 120; # disconnect session if client is idle for too long
                      # (default: 8*60 seconds); should be higher than a
                      # Postfix setting max_idle (default 100s)

Apart from mydomain and myhostname there's usually no need to mess with anything. Maybe bump max_servers for more child processes so we get more performance (of course you need to find the optimum so we don't needlessly burn hw) and max_requests.

@local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash

It's a good idea to define local_domains_maps, but it's not strictly necessary. By default it's filled with a Perl associative array, but I have a file there that a script generates for me from LDAP, so that when manipulating mail domains I don't have to keep sticking my fingers into amavisd.conf. And lest I forget, this parameter ensures that for the domains it knows it shoves the score info etc. into the header (if we have that defined later on), so the user can filter further and so on.

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
                                  # (default is undef, i.e. disabled)
                                  # (usual setting is $MYHOME/amavisd.sock)
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
                                  # (default is undef, i.e. disabled)
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
                                  # (default is qw(127.0.0.1 [::1]) )

The previous 3 parameters we can also leave alone (while it's not needed, we don't fiddle). As the default comment suggests, we'll probably only be forced to modify the acl (access list) if we have several mail servers and want to use just one filter.

$DO_SYSLOG = 1;                  # (defaults to 0)
$syslog_ident = 'amavis';    # Syslog ident string (defaults to 'amavis')
$syslog_facility = 'mail';    # Syslog facility as a string
          # e.g.: mail, daemon, user, local0, ... local7, ...
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
          # choose from: emerg, alert, crit, err, warning, notice, info, debug
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
$log_level = 2;   # (defaults to 0), -d
$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

In theory we don't need logging, but thanks to it we can make graphs and other crap. There used to be some amavis-grapher, which was an ugly, bad script, but I haven't used it for 2 years and since then I keep promising myself I'll make my own..
I log to syslog, but as you can see a separate amavis log gets generated as well.

$final_spam_destiny      = D_DISCARD;  # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS)

Of the XY_destiny parameters I've edited spam_destiny (so it just discards, i.e. doesn't send a notification to the sender) and uncommented bad_header_destiny, since bad headers don't necessarily mean spam, because we have a lot of people who went through the "teach yourself to write super-trooper web php apps in 2 days" process and so don't know how to send correct emails from their web forms. There's also final_virus_destiny (which defaults to discard, so I don't have it uncommented, and I don't know why I have bad header uncommented when it's also the default) and banned_destiny, which I leave at the default bounce.

$warnvirussender = 0;
$warnspamsender = 0;
$warnbannedsender = 0;
$warnbadhsender = 0;

These 4 parameters are relatively tricky. They can be counterproductive, because if we set them to 1 we send the (relative) sender of a virus, spam, banned mail or bad header info that something is wrong, whereby we can become spammers ourselves, since we're sending unsolicited mail (in most cases viruses use faked addresses anyway, and with spam the spammers sometimes use even my domains as senders, and with a domain catch-all it can really piss me off when such crappy mails arrive telling me what a spammer I am etc..)

%final_destiny_by_ccat = (
  CC_VIRUS,      D_DISCARD,
  CC_BANNED,    D_BOUNCE,
  CC_UNCHECKED,  D_PASS,
  CC_SPAM,      D_DISCARD,
  CC_BADH,      D_PASS,
  CC_OVERSIZED,  D_BOUNCE,
  CC_CLEAN,      D_PASS,
  CC_CATCHALL,  D_PASS,
);

I have no idea what this handles, it's probably a novelty :) so I left it as it is and amavisd doesn't complain.

@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],  # true by default  (remove or comment-out if undesired)
));

I wouldn't even need this part. It serves, when virus sender notifications are enabled, to say that the viruses listed here fake the sender, so it shouldn't try to send them a notification.

$virus_admin = "virusalert\@$mydomain";
$mailfrom_notify_admin    = "admin\@$mydomain";
$mailfrom_notify_recip    = "admin\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';  # override sender address with null return path

The mail addresses from which we supposedly want to send notifications and such. For my configuration it has little effect, other than that I get info that some little virus arrived for someone in the company (spam notifications I don't deal with for practical reasons: XY tons of spam per day).

$QUARANTINEDIR = "$MYHOME/quarantine";
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
$banned_quarantine_to    = 'banned-quarantine';    # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to      = 'spam-quarantine';      # local quarantine

Based on this, spam gets saved for example into /var/amavis/quarantine/spam-345fdsafda.gz

$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned')
$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

Adds a header saying it was checked by amavis, or if for some reason it didn't pass the check, it handles the subject too.

$defang_virus  = 1;  # default is false: don't modify mail body
$defang_banned = 1;  # default is false: don't modify mail body

A very useful thing. If we also allow an infected email through, it modifies the attachment so it isn't immediately openable by, for example, our not-so-friendly Outlook etc.
Likewise with banned attachments.

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
# (defaults to false)
$remove_existing_spam_headers  = 1;    # remove existing spam headers if
# spam scanning is enabled (default)

The first line handles whether to leave the info that it was already checked by some scanner before amavis, and the second removes the header if someone has put in there that, for example, it's not spam (we'd be petty if we left him the original spam tag).

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  # block certain double extensions in filenames
);
$banned_namepath_re = new_RE(
  # within traditional Unix archives allow any name and type
  # banned filename extensions (in declared names) anywhere - rudimentary
  # block these MIME types
  # block certain double extensions in filenames
  # banned filename extensions (in suggested names) anywhere - basic
);
  $banned_namepath_re = undef;  # to disable new-style
%banned_rules = (
);

keep_decoded_original_maps is about a particular decoder being untrustworthy for a certain kind of archive. But it's a default thing I've never modified in my life.
banned_filename_re is usually stuffed with lots of file types and whether they're allowed or not. But I always comment out its entire contents, because if I banned .exe and the like, the users would kick me to death. And it's simpler to comment it out than to change 0 to 1 everywhere :)
banned_namepath_re likewise.
banned_rules is identical by default to banned_filename_re, so I have it empty.

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$localpart_is_case_sensitive = 0; # (default is false)

We don't store the whitelist in a database, and of course I don't care whether it's @mrkvicka.sk or @MRKVICKA.SK

@score_sender_maps = ({  # a by-recipient hash lookup table
  # site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
  new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i        => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i  => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
  ),
  { # a hash-type lookup table (associative array)
    'nobody@cert.org'                        => -3.0,
    'cert-advisory@us-cert.gov'              => -3.0,
    'owner-alert@iss.net'                    => -3.0,
    'slashdot@slashdot.org'                  => -3.0,
    'securityfocus.com'                      => -3.0,
    'ntbugtraq@listserv.ntbugtraq.com'      => -3.0,
    'security-alerts@linuxsecurity.com'      => -3.0,
    'mailman-announce-admin@python.org'      => -3.0,
    'amavis-user-admin@lists.sourceforge.net'=> -3.0,
    'amavis-user-bounces@lists.sourceforge.net' => -3.0,
    'spamassassin.apache.org'                => -3.0,
    'notification-return@lists.sophos.com'  => -3.0,
    'owner-postfix-users@postfix.org'        => -3.0,
    'owner-postfix-announce@postfix.org'    => -3.0,
    'owner-sendmail-announce@lists.sendmail.org'  => -3.0,
    'sendmail-announce-request@lists.sendmail.org' => -3.0,
    'donotreply@sendmail.org'                => -3.0,
    'ca+envelope@sendmail.org'              => -3.0,
    'noreply@freshmeat.net'                  => -3.0,
    'owner-technews@postel.acm.org'          => -3.0,
    'ietf-123-owner@loki.ietf.org'          => -3.0,
    'cvs-commits-list-admin@gnome.org'      => -3.0,
    'rt-users-admin@lists.fsck.com'          => -3.0,
    'clp-request@comp.nus.edu.sg'            => -3.0,
    'surveys-errors@lists.nua.ie'            => -3.0,
    'emailnews@genomeweb.com'                => -5.0,
    'yahoo-dev-null@yahoo-inc.com'          => -3.0,
    'returns.groups.yahoo.com'              => -3.0,
    'clusternews@linuxnetworx.com'          => -3.0,
    lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
    lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
    # soft-blacklisting (positive score)
    'sender@example.net'                    =>  3.0,
    '.example.net'                          =>  1.0,
  },
  ],  # end of site-wide tables
});
@blacklist_sender_maps = ( new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));

We can preset a score for mail and thereby make it easier/harder for certain senders to deliver mail to us successfully.
Or we can outright blacklist senders that have offers etc. in their mail :)
By the way, these are all amavis default values.

$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =  5;  # times original mail size  (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)
$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 10*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

These are also default things. No great need to deal with them. They concern how many recursive archives it should unpack etc. etc.... then there are matters about the cache and the like.

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
$file  = 'file';  # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam  = 'dspam';

Paths to file and dspam. dspam is one kind of filter, but I'm not using it yet, so amavis won't find it and ignores it.
file is obvious.

@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',  \&do_uncompress,  'gzip -d'],
  ['gz',  \&do_gunzip],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,  ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,  ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,        'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);

All the possible archive decoders.

$sa_local_tests_only = 0;  # only tests which do not require internet access?
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
    # (less than 1% of spam is > 64k)
    # default: undef, no limitations
$sa_tag_level_deflt  = -999; # add spam info headers if at, or above that level;
    # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 3.3;# add 'spam detected' headers at that level to
                            # passed mail, adding address extensions;
$sa_kill_level_deflt = 4.5; # triggers spam evasive actions
    # at or above that level: bounce/reject/drop,
    # quarantine
$sa_dsn_cutoff_level = 9;  # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;

Stuff concerning SpamAssassin. If we set local_tests_only to 1, things like DCC, Razor, Pyzor etc. won't work in SpamAssassin (simply the collaborative SpamAssassin modules).
Next, I set sa_tag_level_deflt to -999, which guarantees that every single mail (spam or not) gets the score info in its header.
tag2_level_deflt: up to this value it's not spam yet, above it it's spam, and kill_level_deflt is the value from which it should no longer rewrite the header but simply do with the spam what's defined elsewhere (discard, in my case).
dsn_cutoff_level: if I had sending of spam notifications configured, above this level it won't send one anymore.

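As an added example (not amavisd's own code and not part of the original post), this Python model pulls together the settings walked through above: the @score_sender_maps boost and @blacklist_sender_maps from section 5, the tag/tag2/kill levels and $sa_dsn_cutoff_level here, and the $final_spam_destiny chosen earlier. The hash lookup order and the treatment of a blacklisted sender as exceeding the kill level are assumptions modelled on amavisd's documented behaviour.

```python
"""Model of the spam decision chain that this page's amavisd.conf sets up.

Added example, not amavisd's own code: it reproduces, in a small
self-contained form, how the settings quoted on the page combine:
@score_sender_maps boost, @blacklist_sender_maps, $sa_tag_level_deflt,
$sa_tag2_level_deflt, $sa_kill_level_deflt, $final_spam_destiny and
$sa_dsn_cutoff_level.  Hash lookup order and blacklist handling are
assumptions modelled on amavisd's documented behaviour.
"""
import re
from dataclasses import dataclass

# Values copied from the page's amavisd.conf.
SA_TAG_LEVEL = -999          # $sa_tag_level_deflt: add X-Spam-* headers
SA_TAG2_LEVEL = 3.3          # $sa_tag2_level_deflt: declare spam, tag subject
SA_KILL_LEVEL = 4.5          # $sa_kill_level_deflt: apply $final_spam_destiny
SA_DSN_CUTOFF = 9            # $sa_dsn_cutoff_level: no bounce at/above this
SPAM_SUBJECT_TAG = "***SPAM*** "   # $sa_spam_subject_tag

# Subset of the page's @score_sender_maps: regexp table first, hash second;
# the first matching entry decides the boost.
SCORE_REGEXPS = [
    (re.compile(r"^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@", re.I), 5.0),
    (re.compile(r"^(inkjetplanet|marketopt|MakeMoney)\d*@", re.I), 5.0),
]
SCORE_HASH = {
    "nobody@cert.org": -3.0,
    "emailnews@genomeweb.com": -5.0,
    "securityfocus.com": -3.0,      # bare domain: that exact domain only
    "sender@example.net": 3.0,      # soft-blacklisting (positive score)
    ".example.net": 1.0,            # leading dot: domain and its subdomains
}
# Subset of the page's @blacklist_sender_maps.
BLACKLIST_REGEXPS = [
    re.compile(r"^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@", re.I),
]


def hash_keys(sender):
    """Keys tried, most specific first, for a hash-type lookup table.

    Assumed order (modelled on amavisd's lookup_hash): full address,
    'localpart@', the exact domain, '.domain', then each parent domain
    with a leading dot, and finally the '.' catch-all."""
    sender = sender.lower()
    if "@" not in sender:
        return [sender, "."]
    local, _, domain = sender.partition("@")
    keys = [sender, local + "@", domain, "." + domain]
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys + ["."]


def sender_score(sender):
    """Score boost for a sender per the page's @score_sender_maps subset."""
    for pattern, boost in SCORE_REGEXPS:
        if pattern.search(sender):
            return boost
    for key in hash_keys(sender):
        if key in SCORE_HASH:
            return SCORE_HASH[key]
    return 0.0


@dataclass
class Verdict:
    score: float      # SpamAssassin score plus sender boost
    headers: bool     # X-Spam-Status/Score/Level headers added (tag level)
    is_spam: bool     # X-Spam-Flag: YES (tag2 level or blacklisted sender)
    subject: str      # subject as delivered, tag prepended if spam is passed
    destiny: str      # D_PASS, D_DISCARD or D_BOUNCE
    dsn_sent: bool    # whether the sender gets a bounce (DSN)


def decide(sender, sa_score, subject, spam_destiny="D_DISCARD"):
    """Apply the page's policy to one message.

    spam_destiny mirrors $final_spam_destiny: the page uses D_DISCARD;
    pass D_BOUNCE to see $sa_dsn_cutoff_level turn it into a discard.
    Assumption: a blacklisted sender counts as exceeding the kill level."""
    score = sa_score + sender_score(sender)
    blacklisted = any(p.search(sender) for p in BLACKLIST_REGEXPS)
    headers = score >= SA_TAG_LEVEL      # -999: effectively every mail
    is_spam = blacklisted or score >= SA_TAG2_LEVEL
    killed = blacklisted or score >= SA_KILL_LEVEL
    destiny = spam_destiny if killed else "D_PASS"
    if destiny == "D_BOUNCE" and score >= SA_DSN_CUTOFF:
        destiny = "D_DISCARD"            # cutoff: bounce becomes discard
    if is_spam and destiny == "D_PASS":
        subject = SPAM_SUBJECT_TAG + subject   # tag only seen when passed
    return Verdict(score, headers, is_spam, subject, destiny,
                   dsn_sent=(destiny == "D_BOUNCE"))


if __name__ == "__main__":
    for sender, sa in [("nobody@cert.org", 5.0), ("offers@example.com", 0.0),
                       ("someone@a.example.net", 3.0)]:
        print(sender, decide(sender, sa, "Test"))
```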
@spam_dsn_cutoff_level_bysender_maps = (
  { # an associative array (hash) lookup table, use lowercase keys
    'virgilio.it' => 7,  'mail.ru'    => 7,  '0451.com' => 7,
    'yahoo.co.uk' => 7,  'yahoo.co.jp' => 7,  'nobody@'  => 7,
    'noreply@'    => 0,  'no-reply@'  => 0,  'donotreply@'    => 0,
    'opt-in@'    => 0,  'opt-out@'    => 0,  'yahoo-dev-null@' => 0,
    '.optin-out.com' => 0,  'daily@astrocenter.com' => 0,
    'spamadmin@fraunhofer.de'=> 7,  # Sophos PureMessage spam bounces
  },
  \$sa_dsn_cutoff_level,  # catchall default value
);

This is default and I don't use it.

$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
    # (only seen when spam is passed and recipient is
                            # in local_domains*)
$first_infected_stops_scan = 1;  # default is false, all scanners in a section
                                  # are called

subject_tag relates to tag2_level_deflt, since the system considers it spam but still lets it through because of the higher kill_level.
first_infected_stops_scan is obvious: when there are several attachments, after the first infected one it doesn't check further.
Since we discard viruses there's no reason to anyway (if someone sent something, they'll speak up).

@av_scanners = (
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
    '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # corrupted or protected archives are to be handled
  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K  ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',      'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
    # change the startup-script in /etc/init.d/kavd to:
    #  DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #  (or perhaps:  DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #  directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.
  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
        (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
    # NOTE: check options and patterns to see which entry better applies
  ### http://www.f-secure.com/products/anti-virus/  version 4.65
  ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ### http://www.nod32.com/,  version v2.52 and above
  ['ESET NOD32 for Linux Mail servers',
    ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
    '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
    '--action-on-notscanned=accept {}',
    [0,3], [1,2], qr/virus="([^"]+)"/ ],
  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #  /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.
  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],
  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],
  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'
);
@av_scanners_backup = (
  ### http://www.clamav.net/  - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ### http://www.f-prot.com/  - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -ai -archive -packed -server {}', [0,8], [3,6],
    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
  ### http://www.trendmicro.com/  - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
  ### http://www.sald.com/, http://drweb.imshop.de/  - backs up DrWebD
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
  ### http://www.kaspersky.com/
  ['Kaspersky Antivirus v5.5',
    ['/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner','kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
  ],
);
These are the primary and secondary filters, i.e. the main and backup scanners (@av_scanners and @av_scanners_backup). Even if you don't have some of them installed, there is no need to comment them out.

1; # insure a defined return

The first line (use strict;) and the last one (1;) are obvious to Perl people; everyone else just needs to know not to delete them, otherwise it's hara-kiri :)

And so I don't forget at the end, here is how to get the whole of amavis into Postfix:
First we add this line to Postfix's main.cf:
content_filter = smtp-amavis:127.0.0.1:10024

and in master.cf we have to create the smtp-amavis transport, plus the listener on port 10025 that amavis hands the scanned mail back to:

smtp-amavis    unix    -      -      n      -      2 lmtp
        -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet    n      -      n      -      -      smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

then, ideally, it should be enough to start amavis (through the system's nice init script) and reload Postfix.
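The two snippets above form a round trip: Postfix hands mail to amavis on port 10024, and amavis re-injects it on port 10025, where content_filter must be emptied or the mail would loop forever. The following checker (an added example, not code from the article or from amavisd-new) parses the article's own lines as a constructed sample and flags a missing transport, an uncleared content_filter on the re-injection listener, and recipient restrictions that do not end in reject:

```python
import re

# Constructed sample taken from the article's snippet (not a real server's files)
MAIN_CF = "content_filter = smtp-amavis:127.0.0.1:10024\n"
MASTER_CF = """\
smtp-amavis    unix    -      -      n      -      2 lmtp
        -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet    n      -      n      -      -      smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
"""

def parse_master_cf(text):
    """Map service name -> {type, command, opts}; indented lines continue an entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line, typically "-o key=value"
            if current is not None and line.strip().startswith("-o"):
                key, _, val = line.strip()[2:].strip().partition("=")
                services[current]["opts"][key] = val
            continue
        f = line.split()  # service type private unpriv chroot wakeup maxproc command
        current = f[0]
        services[current] = {"type": f[1], "command": f[7], "opts": {}}
    return services

def check_amavis_wiring(main_cf, master_cf):
    """Return problems with the amavis round trip; an empty list means it is wired up."""
    m = re.search(r"^\s*content_filter\s*=\s*(\S+)", main_cf, re.M)
    if not m:
        return ["main.cf: content_filter is not set"]
    transport, _, amavis_dest = m.group(1).partition(":")
    services, problems = parse_master_cf(master_cf), []
    if transport not in services:
        problems.append(f"master.cf: transport '{transport}' is not defined")
    reinject = [n for n, s in services.items()
                if s["type"] == "inet" and s["command"] == "smtpd" and n.startswith("127.0.0.1:")]
    if not reinject:
        problems.append("master.cf: no loopback smtpd for amavis to hand mail back to")
    for name in reinject:
        opts = services[name]["opts"]
        if name == amavis_dest or opts.get("content_filter") != "":
            problems.append(f"{name}: mail re-injected here would go back through amavis (loop)")
        if "reject" not in opts.get("smtpd_recipient_restrictions", "").split(","):
            problems.append(f"{name}: recipient restrictions do not end in reject")
    return problems
```

Run it against `postconf -n` output and your real master.cf the same way; the parser only understands the `-o key=value` continuation lines used in the snippet.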

    • exactly this kind of article hasn't 18.12.2006 | 11:21
      patie   Visitor

      There haven't been articles exactly like this here for a long time. Thanks to krymak for his time and enthusiasm :) very good

      life is hard - one of the hardest
    • sagator 19.12.2006 | 00:12
      blackhole   Visitor

      I use sagator for this. I've never worked with amavis, so I can't compare, but I'm satisfied; I think sagator can do everything amavis can. It's written in Python, so theoretically faster too :) By default it runs in a chroot, where it can also run all the antivirus/antispam scanners.
      http://www.salstar.sk/sagator/