http://bugs.gentoo.org/show_bug.cgi?id=110602
torrance wrote:
Anyone have any ideas about my courier-imap probs???
Did you read my post???? NO # in front of the line is the solution!!
torrance wrote:
Yeah, I've tried it both ways.. with =0 and =1, same results
It's rem'd out now because I was hoping the default would turn it off.
Anyone have any ideas about my courier-imap probs???
Code: Select all
$defang_spam = 1; # default is false: don't modify mail body
Why all this stress? Would it not be easier to get something like DSPAM and use amavis only for virus and content filtering and add DSPAM as a content filter into Postfix?
torrance wrote:
Yeah I wish it was that simple. I had the # taken-out and tried it with =1 and =0, no change in attachments. I decided to put the # back in as that's the default and by default, it shouldn't modify the messages. No change there either..
I've been looking @ a couple perl scripts that strip-out the attached messages and then resend the message to the original recipient. That's not going well either as the script I have doesn't completely strip all the header info that's injected from SA and amavisd. I also have no idea how the script will handle a message that say has a jpg or doc attachment.
Code: Select all
--[internet]--> postfix --> amavis --> dspam --> virtual/local delivery -->
I could quickly post my setup.
torrance wrote:
Thank you for changing my mind on this. I've got Dspam and the webinterface installed. How would you suggest I run dspam? Using the "mailbox_command = /usr/bin/dspam --user ${user} --deliver=innocent" in postfix, or somehow calling it from amavisd?
This is running on a mta gateway btw, it's relaying to an exchange server.
I've still got to do a lot more reading on this program, it does look like it has lots of potential though.
Code: Select all
#[STEVEB]#===================================================================
#smtp inet n - n - - smtpd
<external ip address>:smtp inet n - n - - smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o cleanup_service_name=pre-cleanup
<internal ip address>:smtp inet n - n - - smtpd
127.0.0.1:smtp inet n - n - - smtpd
#===========================================================================
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#[STEVEB]#===================================================================
<external ip address>:ssmtp inet n - n - - smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o cleanup_service_name=pre-cleanup
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
<internal ip address>:ssmtp inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:ssmtp inet n - n - - smtpd
#===========================================================================
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
#[STEVEB]#===================================================================
# We do our own cleanup service
#cleanup unix n - n - 0 cleanup
#===========================================================================
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
#[STEVEB]#===================================================================
#local unix - n n - - local
#===========================================================================
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#[STEVEB]#===================================================================
# AV scan filter
smtp-amavis unix - - n - 2 lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
# For injecting mail back into postfix from the filter
127.0.0.1:10025 inet n - n - - smtpd
  -o cleanup_service_name=cleanup
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtp_send_xforward_command=yes
  -o content_filter=dspam:dummy
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - - smtpd
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o content_filter=
# The first cleanup step. This does the header_checks, body_checks and mime_header_checks
pre-cleanup unix n - n - 0 cleanup
  -o virtual_alias_maps=
  -o canonical_maps=
  -o sender_canonical_maps=
  -o recipient_canonical_maps=
  -o masquerade_domains=
  -o always_bcc=
  -o sender_bcc_maps=
  -o recipient_bcc_maps=
# The second cleanup step. This is used so that no header_checks, body_checks or
# mime_header_checks are performed again. Otherwise a loop is created when a spam
# is found in the checks.
cleanup unix n - n - 0 cleanup
  -o mime_header_checks=
  -o nested_header_checks=
  -o body_checks=
  -o header_checks=
  -o cleanup_service_name=cleanup
local unix - n n - - local
  -o content_filter=
  -o myhostname=localhost
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
vacation unix - n n - - pipe
  flags=DRhu user=vacation:vacation argv=/var/spool/vacation/vacation_new.pl
# SPF
spf-smtpd-policy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /etc/postfix/spf-smtpd-policy.pl
## DSPAM Agent :: delivering spam and innocent
#
#dspam unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspam
# --mode=teft
# --deliver=spam,innocent,summary
# --feature=ch,no,wh,tb=5
# -i -f ${sender} -- %u --user ${recipient}
#
#dspamdel unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspam
# --user ${nexthop}
# --class=innocent
# --source=error
# --deliver=spam,innocent,summary
# --stdout
#
#dspamadd unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspam
# --user ${nexthop}
# --class=spam
# --source=error
# --deliver=spam,innocent,summary
# --stdout
#
#dspam-retrain unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspam
# --user globaluser
# --class=$nexthop
# --source=error
# --deliver=spam,innocent
# --stdout
## DSPAM Agent :: delivering spam and innocent
#
#dspam unix - n n - - pipe
# flags=Rhqu user=dspam argv=/usr/bin/dspamc
# --client
# --mode=teft
# --deliver=spam,innocent
# --feature=ch,no,wh,tb=5
# --user ${recipient}
# -i -f ${sender} -- ${recipient}
#
#dspamdel unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspamc
# --client
# --user ${nexthop}
# --class=innocent
# --source=error
# --deliver=spam,innocent
# --stdout
#
#dspamadd unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspamc
# --client
# --user ${nexthop}
# --class=spam
# --source=error
# --deliver=spam,innocent
# --stdout
#
#dspam-retrain unix - n n - - pipe
# flags=Rhq user=dspam argv=/usr/bin/dspamc
# --user globaluser
# --class=$nexthop
# --source=error
# --deliver=spam,innocent
# --stdout
## DSPAM Agent - client/server mode :: delivering innocent
#
dspam unix - n n - - pipe
  flags=Rhqu user=dspam argv=/usr/bin/dspamc
  --client
  --mode=teft
  --deliver=innocent
  --feature=ch,no,wh,tb=5
  --user ${recipient}
  -i -f ${sender} -- ${recipient}
dspamdel unix - n n - - pipe
  flags=Rhq user=dspam argv=/usr/bin/dspamc
  --client
  --user ${nexthop}
  --class=innocent
  --source=error
  --deliver=spam,innocent
  --stdout
dspamadd unix - n n - - pipe
  flags=Rhq user=dspam argv=/usr/bin/dspamc
  --client
  --user ${nexthop}
  --class=spam
  --source=error
  --deliver=spam,innocent
  --stdout
dspam-retrain unix - n n - - pipe
  flags=Rhq user=dspam argv=/usr/bin/dspamc
  --user globaluser
  --class=$nexthop
  --source=error
  --deliver=spam,innocent
  --stdout
#===========================================================================
Code: Select all
$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail
$notify_method = 'smtp:[127.0.0.1]:10026'; # where to submit notifications
@bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code
Code: Select all
#[STEVEB]###################################################
mydomain = <domainname>
myhostname = mail.$mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks_style = class
mynetworks = <external ip in CIDR notation>, 192.168.0.0/24, 127.0.0.0/8
home_mailbox = .maildir/
###########################################################
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 1
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
###########################################################
maildrop_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
transport_destination_recipient_limit = 1
vacation_destination_recipient_limit = 1
dspamdel_destination_recipient_limit = 1
dspamadd_destination_recipient_limit = 1
dspam_destination_recipient_limit = 1
dspam-retrain_destination_recipient_limit = 1
###########################################################
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
disable_vrfy_command = yes
###########################################################
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
## smtp_sasl_password_maps = hash:/etc/postfix/saslpass
###########################################################
smtpd_restriction_classes =
  greylist_policy
  spf_policy
  internal_check_service_access
  from_freemail_host
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
# warn_if_reject
# reject_non_fqdn_hostname
internal_check_service_access =
  permit_sasl_authenticated
  check_client_access cidr:/etc/postfix/vunet_private_domain_mx_records.cidr
  reject
greylist_policy =
  check_policy_service inet:127.0.0.1:2501
spf_policy =
  check_policy_service unix:private/spf-smtpd-policy
from_freemail_host =
  check_client_access pcre:/etc/postfix/freemail_access.pcre
smtpd_data_restrictions =
  permit_mynetworks
  reject_unauth_pipelining
  permit
smtpd_recipient_restrictions =
  check_recipient_access pcre:/etc/postfix/check_special_recipient_access.pcre
  permit_sasl_authenticated
  check_client_access hash:/etc/postfix/pop-before-smtp
  permit_tls_clientcerts
  permit_mynetworks
  reject_invalid_hostname
  warn_if_reject
  reject_non_fqdn_hostname
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  check_sender_mx_access cidr:/etc/postfix/verisign_hijacked_domain.cidr
  reject_unauth_destination
  check_helo_access pcre:/etc/postfix/check_helo_access.pcre
  check_recipient_access pcre:/etc/postfix/allow_abuse_postmaster.pcre
  reject_rhsbl_client rabl.nuclearelephant.com
  reject_rhsbl_sender rabl.nuclearelephant.com
  reject_rhsbl_client blackhole.securitysage.com
  reject_rhsbl_sender blackhole.securitysage.com
  reject_rhsbl_client rhsbl.sorbs.net
  reject_rhsbl_sender rhsbl.sorbs.net
  reject_rbl_client sbl-xbl.spamhaus.org
  reject_rbl_client list.dsbl.org
  reject_rbl_client relays.ordb.org
  reject_rbl_client ix.dnsbl.manitu.net
  check_recipient_access pcre:/etc/postfix/check_recipient_access.pcre
  check_recipient_access proxy:mysql:/etc/postfix/greylist_enabled_domain.mysql
  check_recipient_access regexp:/etc/postfix/greylist_enabled_users_for_disabled_domains.regex
  check_recipient_access pcre:/etc/postfix/sqlgrey_recipient_access.pcre
  check_sender_access pcre:/etc/postfix/freemail_access.pcre
  permit
##
#http://www.securitysage.com/antispam/hedchek.html
##
header_checks =
  pcre:/etc/postfix/header_checks.pcre
###########################################################
smtpd_use_tls = yes
#smtpd_tls_ask_ccert = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
###########################################################
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
###########################################################
proxy_read_maps =
  $local_recipient_maps
  $mydestination
  $virtual_alias_maps
  $virtual_alias_domains
  $virtual_mailbox_maps
  $virtual_mailbox_domains
  $relay_recipient_maps
  $relay_domains
  $canonical_maps
  $sender_canonical_maps
  $recipient_canonical_maps
  $relocated_maps
  $transport_maps
  $mynetworks
  $virtual_mailbox_limit_maps
  proxy:mysql:/etc/postfix/greylist_enabled_domain.mysql
alias_maps =
  hash:/usr/local/mailman/data/aliases
  hash:/etc/mail/aliases
alias_database =
  hash:/usr/local/mailman/data/aliases
  hash:/etc/mail/aliases
local_recipient_maps =
  $alias_maps
  unix:passwd.byname
virtual_alias_maps =
  hash:/usr/local/mailman/data/virtual-mailman
  proxy:mysql:/etc/postfix/mailman_domains.mysql
  proxy:mysql:/etc/postfix/virtual_alias_maps.mysql
transport_maps =
  pcre:/etc/postfix/transport.pcre
  proxy:mysql:/etc/postfix/virtual_transport_maps.mysql
relay_domains =
  proxy:mysql:/etc/postfix/mailman_domains.mysql
  proxy:mysql:/etc/postfix/relay_domains_maps.mysql
recipient_canonical_maps =
  hash:/etc/postfix/recipient_canonical_maps.hash
###########################################################
local_transport = local
virtual_transport = virtual
fallback_transport = virtual
###########################################################
##virtual_alias_domains = proxy:mysql:/etc/postfix/mailman_domains.mysql
###########################################################
virtual_gid_maps = static:1003
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.mysql
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.mysql
virtual_minimum_uid = 1000
virtual_uid_maps = static:1003
## [QUOTA] ################################################
virtual_mailbox_limit = 107374182400
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/virtual_mailbox_limit_maps.mysql
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes
###########################################################
masquerade_domains = $mydomain
###########################################################
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) [NO UCE, NO UBE, C=CH, L=ZU]
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
###########################################################
##content_filter = smtp-amavis:[127.0.0.1]:10024
###########################################################
##mailbox_command = /usr/bin/maildrop
###########################################################
max_use = 10
###########################################################
owner_request_special = no
recipient_delimiter = +
###########################################################
##fallback_relay = 192.168.0.120
##fallback_relay = 192.168.0.254
###########################################################
message_size_limit = 52428800
mailbox_size_limit = 0
###########################################################
Code: Select all
# SQLgrey whitelist for mail recipients
# -------------------------------------
# sqlgrey_recipient_access.pcre
#
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
Code: Select all
# /etc/postfix/check_helo_access.pcre
#
/number\.number\.number\.number/ REJECT You are not xxx.xxx.xxx.xxx
/mx1\.domain\.tld/ REJECT You are not mx1.domain.tld
/mail\.domain\.tld/ REJECT You are not mail.domain.tld
/mail1\.domain\.tld/ REJECT You are not mail1.domain.tld
/domain-number\.sdsl_isp-domain\.tld/ REJECT You are not domain-number.sdsl_isp-domain.tld
#/localhost/ REJECT You are not localhost
Code: Select all
# smtpd_recipient_restrictions = check_recipient_access check_recipient_access.pcre
#
# http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
#
/^\@/ 550 Invalid address format
/[!%\@].*\@/ 550 This server disallows weird address syntax
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
Code: Select all
# /etc/postfix/check_sender_access_for_our_clients_using_broken_ms_software.pcre
#
# shity Microsoft Outlook does send wrong helo command
#
/^user1\@domain\.tld$/ OK
/^user2\@domain\.tld$/ OK
/^user3\@domain\.tld$/ OK
/^user4\@domain\.tld$/ OK
Code: Select all
## /etc/postfix/check_special_recipient_access.pcre
#
# Description: Only allow SASL authenticated
# users to use certain services.
#
# main.cf:
# smtpd_restriction_classes =
# internal_check_service_access
#
# internal_check_service_access =
# permit_sasl_authenticated
# reject
#
# smtpd_recipient_restrictions =
# check_recipient_access pcre:/etc/postfix/check_special_recipient_access.pcre
# ...
##
# HylaFax email to fax gateway
# -> limit the fax number to be 9 to 13 digits only and it needs
# to start with a zero.
#
/^[\w\-.%]+\@0[\d]{8,12}\.fax$/ internal_check_service_access
/^.*\.fax$/ REJECT You are not allowed to use the Fax Service!
# DSPAM SPAM-/NOTSPAM reports
# -> address needs to start with: spam, dspam, nospam or notspam
#
/^(d|no|not)*spam\-(add|del)\-([\w\-.%]+\@[\w.-]+)$/ internal_check_service_access
/^.*spam\-(add|del)\-.*\@.*$/ REJECT You are not allowed to use the Anti-SPAM Service!
Code: Select all
/^dspam-add-@(.*\..*)$/ FILTER dspamadd:${1}
/^dspam-del-@(.*\..*)$/ FILTER dspamdel:${1}
Code: Select all
# Stopping Forged Freemail
# -------------------------------------
# freemail_access.pcre
#
/^yahoo\.com$/ from_freemail_host
/^earthlink\.net$/ from_freemail_host
/^excite\.com$/ from_freemail_host
/^gmx\.(de|net)$/ from_freemail_host
/^hotmail\.com$/ from_freemail_host
/^gmail\.com$/ from_freemail_host
Code: Select all
# Stopping Forged Freemail
# -------------------------------------
# freemail_hosts.pcre
#
/^yahoo\.com$/ OK
/^earthlink\.net$/ OK
/^excite\.com$/ OK
/^excitenetwork\.com$/ OK
/^gmx\.(de|net)$/ OK
/^hotmail\.com$/ OK
/^google\.com$/ OK
Code: Select all
# This is a slightly modified version of the header_checks filter file for mail.securitysage.com, published by SecuritySage Inc.
# This filter is based on the work of Jeffrey Posluns <jeff@posluns.com>
# Filter Version 20040407-1
# For more information about UCE/spam and how to stop it, please see http://www.securitysage.com/guides/postfix_uce.html
# For the latest *short* header checks file please see http://www.securitysage.com/files/header_checks.short
# For the latest *short* body checks file please see http://www.securitysage.com/files/body_checks.short
# For the latest mime header checks file please see http://www.securitysage.com/files/mime_header_checks
# If you need a copy of the old header or body checks, just change short to long in the file name.
# UPDATE: These filters are no longer being updated regularly. We intend to continue updating once or twice a month, but due to the introduction of
# new anti-spam technologies and mechanisms (see the guides in the URL above), header and body checks are nowhere near as effective as they
# used to be. We will however maintain a *short* list of header and body checks that contain anti-spam filters, but will not contain
# any of the spam-like strings.
# Please feel free to copy, use, discuss, link to, or modify this file in compliance with the rules below:
# 1. These filters (or portions thereof) may not be sold or included in a package (software or otherwise) for which fees are charged.
# 2. If you wish to sell or include these filters as part of a package for which fees are charged, please contact us to arrange for a redistribution license.
# 3. Leave this header information intact.
# 4. Do not change the SPAM-ID numbers. We use these numbers to help track false rejections.
# 5. if you modify this file, indicate such on the line below, so that people can be aware that the filter is not an original version.
# We use the header_checks file to remove some headers that we find undesirable.
# Return receipts and software versions are the most significant in this situation.
# For more information, please see http://www.securitysage.com/guides/postfix_anonym.html
#/^Received: from 127.0.0.1/ IGNORE
/^Disposition-Notification-To:/ IGNORE
# On some systems we create a custom log entry for SpamAssassin confirmed spam emails.
# If you want to drop or hold these emails, change WARN to DISCARD or HOLD respectively.
# You can also use the FILTER command to forward all spam to another process or account.
# /^X-Spam-Flag: YES/ WARN SpamAssassin Confirmed Spam Content
# These are headers used to track some spam messages.
/^Bel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Hel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Kel-Tracking: .*/ REJECT Confirmed spam. Go away.
/^BIC-Tracking: .*/ REJECT Confirmed spam. Go away.
/^Lid-Tracking: .*/ REJECT Confirmed spam. Go away.
# Following Will Block Spams With Many Spaces In The Subject.
/^Subject: .* / REJECT Your subject had too many subsequent spaces. Please change the subject and try again.
# Emails with erroneous dates (or dates far in the past) will appear at the top or bottom of your mail client.
# This is a common method that spammers use to try and get your attention on their emails.
#/^Date: .* 2004/ REJECT Your computer still thinks it's 2004. Fix your system clock and try again.
#/^Date: .* 2003/ REJECT Your computer still thinks it's 2003. Fix your system clock and try again.
/^Date: .* 200[0-4]/ REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date: .* 19[0-9][0-9]/ REJECT Your email has a date from the past. Fix your system clock and try again.
# This filter will block subjects that contain ISO specifications.
# If you use any languages other than English, you might need to comment this out.
# /^Subject: .*\=\?ISO/ REJECT We don't accept strange character sets.
# This will block messages that do not have an address in the From: header.
# Note: This may violate RFC, but blocks a very significant amount of spam. If you implement this, you risk getting listed in http://www.rfc-ignorant.org
#/^From: <>/ REJECT You need to specify a return address, otherwise we will not accept your email.
# Following Are Alphabetical Listings Of Subject Contents That Will Be Blocked.
# Following is a listing of known mass mailer programs.
/^X-Mailer: 0001/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Avalanche/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Crescent Internet Tool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: DiffondiCool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: E-Mail Delivery Agent/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Emailer Platinum/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Entity/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Extractor/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Floodgate/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: GOTO Software Sarbacane/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MailWorkz/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MassE-Mail/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MaxBulk.Mailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: News Breaker Pro/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SmartMailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: StormPort/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SuperMail-2/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
Code: Select all
# /etc/postfix/transport.pcre
#
##
## Training DSPAM with one master.cf entry. Signature
## needs to be present in message. Else DSPAM will
## drop the message. dspam.conf needs to have
## the following entries:
## Preference "signatureLocation=headers"
## or
## Preference "signatureLocation=message"
##
## and:
## PgSQLUIDInSignature on
## or
## MySQLSQLUIDInSignature on
##
/^spam\@(.*)$/ dspam-retrain:spam
/^notspam\@(.*)$/ dspam-retrain:innocent
/^spam-retrain-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:spam
/^notspam-retrain-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:innocent
/^dspam-add-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:spam
/^dspam-del-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:innocent
/^spam-add-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:spam
/^spam-del-([\w\-.%]+\@[\w.-]+)$/ dspam-retrain:innocent
/^(.*)\@autoreply\.vunet\.local$/ vacation:${1}
/^(.*)\@[\d]{9,14}\.fax$/ smtp:[192.168.0.150]
Code: Select all
# /etc/postfix/verisign_hijacked_domain.cidr
#
# Netblock returned by Verisign domain hijacking
# .com and .net domains
64.94.110.0/24 REJECT Verisign hijacked domain
Code: Select all
# /etc/postfix/vunet_networks.cidr
# http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_restriction_classes3_en.shtml
#
nnn.nnn.nnn.nnn/nn has_our_network
192.168.0.0/24 has_our_network
127.0.0.0/8 has_our_network
Code: Select all
# /etc/postfix/vunet_private_domain_mx_records.cidr
#
192.168.0.115/32 OK
192.168.0.120/32 OK
192.168.0.125/32 OK
Code: Select all
## $Id: dspam.conf.in,v 1.68 2006/02/11 20:13:14 jonz Exp $
## dspam.conf -- DSPAM configuration file
##
#
# DSPAM Home: Specifies the base directory to be used for DSPAM storage
#
Home /var/spool/dspam
#
# StorageDriver: Specifies the storage driver backend (library) to use.
# You'll only need to set this if you are using dynamic storage driver plugins.
# The default when one storage driver is specified is to statically link. Be
# sure to include the path to the library if necessary, and some systems may
# use an extension other than .so.
#
# Options include:
#
# libmysql_drv.so libpgsql_drv.so libsqlite_drv.so
# libsqlite3_drv.so libora_drv.so libdb4_drv.so
# libdb3_drv.so libhash_drv.so
#
# IMPORTANT: Switching storage drivers requires more than merely changing
# this option. If you do not wish to lose all of your data, you will need to
# migrate it to the new backend before making this change.
#
StorageDriver /usr/lib/libmysql_drv.so
#
# Trusted Delivery Agent: Specifies the local delivery agent DSPAM should call
# when delivering mail as a trusted user. Use %u to specify the user DSPAM is
# processing mail for. It is generally a good idea to allow the MTA to specify
# the pass-through arguments at run-time, but they may also be specified here.
#
# Most operating system defaults:
#TrustedDeliveryAgent "/usr/bin/procmail" # Linux
#TrustedDeliveryAgent "/usr/bin/mail" # Solaris
#TrustedDeliveryAgent "/usr/libexec/mail.local" # FreeBSD
#TrustedDeliveryAgent "/usr/bin/procmail" # Cygwin
#
# Other popular configurations:
#TrustedDeliveryAgent "/usr/cyrus/bin/deliver" # Cyrus
#TrustedDeliveryAgent "/bin/maildrop" # Maildrop
#TrustedDeliveryAgent "/usr/local/sbin/exim -oMr spam-scanned" # Exim
#
TrustedDeliveryAgent "/usr/sbin/sendmail"
#
# Untrusted Delivery Agent: Specifies the local delivery agent and arguments
# DSPAM should use when delivering mail and running in untrusted user mode.
# Because DSPAM will not allow pass-through arguments to be specified to
# untrusted users, all arguments should be specified here. Use %u to specify
# the user DSPAM is processing mail for. This configuration parameter is only
# necessary if you plan on allowing untrusted processing.
#
UntrustedDeliveryAgent "/usr/sbin/sendmail"
#
# SMTP or LMTP Delivery: Alternatively, you may wish to use SMTP or LMTP
# delivery to deliver your message to the mail server. You will need to
# configure with --enable-daemon to use host delivery, however you do not need
# to operate in daemon mode. Specify an IP address or UNIX path to a domain
# socket below as a host.
#
#DeliveryHost 127.0.0.1
#DeliveryPort 24
#DeliveryIdent localhost
#DeliveryProto LMTP
#
# Quarantine Agent: DSPAM's default behavior is to quarantine all mail it
# thinks is spam. If you wish to override this behavior, you may specify
# a quarantine agent which will be called with all messages DSPAM thinks is
# spam. Use %u to specify the user DSPAM is processing mail for.
#
#QuarantineAgent "/usr/bin/procmail -d spam"
#
# DSPAM can optionally process "plused users" (addresses in the user+detail
# form) by truncating the username just before the "+", so all internal
# processing occurs for "user", but delivery will be performed for
# "user+detail". This is only useful if the LDA can handle "plused users"
# (for example Cyrus IMAP) and when configured for LMTP delivery above
#
# NOTE: Plused detail presently only works when usernames are provided and
# not fully qualified email address (@domain).
#
#EnablePlusedDetail on
#
# Quarantine Mailbox: DSPAM's LMTP code can send spam mail using LMTP to a
# "plused" mailbox (such as user+quarantine) leaving quarantine processing
# for retraining or deletion to be performed by the LDA and the mail client.
# "plused" mailboxes are supported by Cyrus IMAP and possibly other LDAs.
# The mailbox name must have the +
#
#QuarantineMailbox +quarantine
#
# OnFail: What to do if local delivery or quarantine should fail. If set
# to "unlearn", DSPAM will unlearn the message prior to exiting with an
# unsuccessful return code. The default option, "error" will not unlearn
# the message but return the appropriate error code. The unlearn option
# is useful on some systems where local delivery failures will cause the
# message to be requeued for delivery, and could result in the message
# being processed multiple times. During a very large failure, however,
# this could cause a significant load increase.
#
OnFail error
# Trusted Users: Only the users specified below will be allowed to perform
# administrative functions in DSPAM such as setting the active user and
# accessing tools. All other users attempting to run DSPAM will be restricted;
# their uids will be forced to match the active username and they will not be
# able to specify delivery agent privileges or use tools.
#
Trust root
Trust mail
Trust mailnull
Trust smmsp
Trust daemon
Trust nobody
Trust majordomo
Trust apache
Trust mailman
Trust postfix
Trust dspam
#
# Debugging: Enables debugging for some or all users. IMPORTANT: DSPAM must
# be compiled with debug support in order to use this option. DSPAM should
# never be running in production with debug active unless you are
# troubleshooting problems.
#
# DebugOpt: One or more of: process, classify, spam, fp, inoculation, corpus
# process standard message processing
# classify message classification using --classify
# spam error correction of missed spam
# fp error correction of false positives
# inoculation message inoculations (source=inoculation)
# corpus corpusfed messages (source=corpus)
#
#Debug *
#Debug bob bill
Debug me@mydomain.tld me@other.domain.tld me1@other.domain.tld me2@other.domain.tld me3@other.domain.tld
#
#DebugOpt process spam fp
DebugOpt process classify spam fp inoculation corpus
#
# ClassAlias: Alias a particular class to spam/nonspam. This is useful if
# classifying things other than spam.
#ClassAliasSpam badstuff
#ClassAliasNonspam goodstuff
#
# Training Mode: The default training mode to use for all operations, when
# one has not been specified on the commandline or in the user's preferences.
# Acceptable values are: toe, tum, teft, notrain
#
TrainingMode toe
#
# TestConditionalTraining: By default, dspam will retrain certain errors
# until the condition is no longer met. This usually accelerates learning.
# Some people argue that this can increase the risk of errors, however.
#
TestConditionalTraining on
#
# Features: Specify features to activate by default; can also be specified
# on the commandline. See the documentation for a list of available features.
# If _any_ features are specified on the commandline, these are ignored.
#
# NOTE: For standard "CRM114" Markovian weighting, use sbph
#
#Feature sbph
Feature noise
Feature chained
Feature whitelist
# Training Buffer: The training buffer waters down statistics during training.
# It is designed to prevent false positives, but can also dramatically reduce
# dspam's catch rate during initial training. This can be a number from 0
# (no buffering) to 10 (maximum buffering). If you are paranoid about false
# positives, you should probably enable this option.
Feature tb=5
#
# Algorithms: Specify the statistical algorithms to use, overriding any
# defaults configured in the build. The options are:
# naive Naive-Bayesian (All Tokens)
# graham Graham-Bayesian ("A Plan for Spam")
# burton Burton-Bayesian (SpamProbe)
# robinson Robinson's Geometric Mean Test (Obsolete)
# chi-square Fisher-Robinson's Chi-Square Algorithm
#
# You may have multiple algorithms active simultaneously, but it is strongly
# recommended that you group Bayesian algorithms with other Bayesian
# algorithms, and any use of Chi-Square remain exclusive.
#
# NOTE: For standard "CRM114" Markovian weighting, use 'naive', or consider
# using 'burton' for slightly better accuracy
#
# Don't mess with this unless you know what you're doing
#
#Algorithm chi-square
#Algorithm naive
Algorithm graham burton
#
# PValue: Specify the technique used for calculating PValues, overriding any
# defaults configured in the build. These options are:
# graham Graham's Technique ("A Plan for Spam")
# robinson Robinson's Technique
# markov Markovian Weighted Technique
#
# Unlike algorithms, you may only have one of these defined. Use of the
# chi-square algorithm automatically changes this to robinson.
#
# Don't mess with this unless you know what you're doing.
#
#PValue robinson
#PValue markov
PValue graham
#
# SupressWebStats: Enable this if you are not using the CGI, and don't want
# .stats files written.
#SupressWebStats on
#
# ImprobabilityDrive: Calculate odds-ratios for ham/spam, and add to
# X-DSPAM-Improbability headers
ImprobabilityDrive on
#
# Preferences: Specify any preferences to set by default, unless otherwise
# overridden by the user (see next section) or a default.prefs file.
# If user or default.prefs are found, the user's preferences will override any
# defaults.
#
Preference "trainingMode=TOE" # TEFT, TUM, TOE
Preference "spamAction=tag" # tag, quarantine, deliver
Preference "signatureLocation=message" # 'message' or 'headers'
Preference "spamSubject=[SPAM]"
Preference "statisticalSedation=5" # 0 to 9
Preference "enableBNR=on" # on, off
Preference "showFactors=off" # on, off
Preference "enableWhitelist=on" # on, off
Preference "whitelistThreshold=10"
#
# Overrides: Specifies the user preferences which may override configuration
# and commandline defaults. Any other preferences supplied by an untrusted user
# will be ignored.
#
AllowOverride trainingMode
AllowOverride spamAction spamSubject
AllowOverride statisticalSedation
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride signatureLocation
AllowOverride showFactors
AllowOverride optIn optOut
AllowOverride whitelistThreshold
# --- MySQL ---
#
# Storage driver settings: Specific to a particular storage driver. Uncomment
# the configuration specific to your installation, if applicable.
#
MySQLServer /var/run/mysqld/mysqld.sock
MySQLPort
MySQLUser dspam
MySQLPass <password>
MySQLDb dspam
MySQLCompress true
# Use this if you have the 4.1 quote bug (see doc/mysql.txt)
#MySQLSupressQuote on
# If you're running DSPAM in client/server (daemon) mode, uncomment the
# setting below to override the default connection cache size (the number
# of connections the server pools between all clients). The connection cache
# represents the maximum number of database connections *available* and should
# be set based on the maximum number of concurrent connections you're likely
# to have. Each connection may be used by only one thread at a time, so all
# other threads _will block_ until another connection becomes available.
#
MySQLConnectionCache 10
# If you're using vpopmail or some other type of virtual setup and wish to
# change the table dspam uses to perform username/uid lookups, you can over-
# ride it below
#MySQLVirtualTable dspam_virtual_uids
#MySQLVirtualUIDField uid
#MySQLVirtualUsernameField username
# UIDInSignature: MySQL supports the insertion of the user id into the DSPAM
# signature. This allows you to create one single spam or fp alias
# (pointing to some arbitrary user), and the uid in the signature will
# switch to the correct user. Result: you need only one spam alias
MySQLUIDInSignature on
# --- PostgreSQL ---
#PgSQLServer 127.0.0.1
#PgSQLPort 5432
#PgSQLUser dspam
#PgSQLPass changeme
#PgSQLDb dspam
# If you're running DSPAM in client/server (daemon) mode, uncomment the
# setting below to override the default connection cache size (the number
# of connections the server pools between all clients).
#
#PgSQLConnectionCache 3
# UIDInSignature: PgSQL supports the insertion of the user id into the DSPAM
# signature. This allows you to create one single spam or fp alias
# (pointing to some arbitrary user), and the uid in the signature will
# switch to the correct user. Result: you need only one spam alias
#PgSQLUIDInSignature on
# If you're using vpopmail or some other type of virtual setup and wish to
# change the table dspam uses to perform username/uid lookups, you can over-
# ride it below
#PgSQLVirtualTable dspam_virtual_uids
#PgSQLVirtualUIDField uid
#PgSQLVirtualUsernameField username
# --- Oracle ---
#OraServer "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521))(CONNECT_DATA=(SID=PROD)))"
#OraUser dspam
#OraPass changeme
#OraSchema dspam
# --- SQLite ---
#SQLitePragma "synchronous = OFF"
# --- Hash ---
# HashRecMax: Default number of records to create in the initial segment when
# building hash files. 100,000 yields files 1.6MB in size, but can fill up
# fast, so be sure to increase this (to a million or more) if you're not using
# autoextend.
#
# Primes List:
# 53, 97, 193, 389, 769, 1543, 3079, 6151, 12289, 24593, 49157, 98317, 196613,
# 393241, 786433, 1572869, 3145739, 6291469, 12582917, 25165843, 50331653,
# 100663319, 201326611, 402653189, 805306457, 1610612741, 3221225473,
# 4294967291
#
HashRecMax 98317
# HashAutoExtend: Autoextend hash databases when they fill up. This allows
# them to continue to train by adding extents (extensions) to the file. There
# will be a small delay during the growth process, as everything needs to be
# closed and remapped.
#
HashAutoExtend on
# HashMaxExtents: The maximum number of extents that may be created in a single
# hash file. Set this to zero for unlimited
#
HashMaxExtents 0
# HashExtentSize: The record size for newly created extents. Creating this too
# small could result in many extents being created. Creating this too large
# could result in excessive disk space usage.
#
HashExtentSize 49157
# HashMaxSeek: The maximum number of records to seek to insert a new record
# before failing or adding a new extent. Setting this too high will exhaustively
# scan each segment and kill performance. Typically, a low value is acceptable
# as even older extents will continue to fill over time.
#
HashMaxSeek 100
# HashConcurrentUser: If you are using a single, stateful hash database in
# daemon mode, specifying a concurrent user will cause the user to be
# permanently mapped into memory and shared via rwlocks.
#
#HashConcurrentUser user
# HashConnectionCache: If running in daemon mode, this is the max # of
# concurrent connections that will be supported. NOTE: If you are using
# HashConcurrentUser, this option is ignored, as all connections are read-
# write locked instead of mutex locked.
HashConnectionCache 10
# LDAP: Perform various LDAP functions depending on LDAPMode variable.
# Presently, the only mode supported is 'verify', which will verify the existence
# of an unknown user in LDAP prior to creating them as a new user in the system.
# This is useful on some systems acting as gateway machines.
#
#LDAPMode verify
#LDAPHost ldaphost.mydomain.com
#LDAPFilter "(mail=%u)"
#LDAPBase ou=people,dc=domain,dc=com
# Optionally, you can specify storage profiles, and specify the server to
# use on the commandline with --profile. For example:
#
Profile Spok
MySQLServer.Spok /var/run/mysqld/mysqld.sock
MySQLPort.Spok 3306
MySQLUser.Spok dspam
MySQLPass.Spok <password>
MySQLDb.Spok dspam
MySQLCompress.Spok true
MySQLUIDInSignature.Spok on
#
#Profile DECAlpha
#MySQLServer.DECAlpha 10.0.0.1
#MySQLPort.DECAlpha 3306
#MySQLUser.DECAlpha dspam
#MySQLPass.DECAlpha changeme
#MySQLDb.DECAlpha dspam
#MySQLCompress.DECAlpha true
#
#Profile Sun420R
#MySQLServer.Sun420R 10.0.0.2
#MySQLPort.Sun420R 3306
#MySQLUser.Sun420R dspam
#MySQLPass.Sun420R changeme
#MySQLDb.Sun420R dspam
#MySQLCompress.Sun420R false
#
DefaultProfile Spok
#
# If you're using storage profiles, you can set failovers for each profile.
# Of course, if you'll be failing over to another database, that database
# must have the same information as the first. If you're using a global
# database with no training, this should be relatively simple. If you're
# configuring per-user data, however, you'll need to set up some type of
# replication between databases.
#
#Failover.DECAlpha SUN420R
#Failover.Sun420R DECAlpha
# If the storage fails, the agent will follow each profile's failover up to
# a maximum number of failover attempts. This should be set to a maximum of
# the number of profiles you have, otherwise the agent could loop and try
# the same profile multiple times (unless this is your desired behavior).
#
#FailoverAttempts 1
#
# Ignored headers: If DSPAM is behind other tools which may add a header to
# incoming emails, it may be beneficial to ignore these headers - especially
# if they are coming from another spam filter. If you are _not_ using one of
# these tools, however, leaving the appropriate headers commented out will
# allow DSPAM to use them as telltale signs of forged email.
#
IgnoreHeader X-Amavis-Alert
IgnoreHeader X-Antispam
IgnoreHeader X-AntiVirus
IgnoreHeader X-AV-Scanned
IgnoreHeader X-Greylist
IgnoreHeader X-GMX-Antispam
IgnoreHeader X-Mailer
IgnoreHeader X-MailScanner
IgnoreHeader X-MailScanner-Information
IgnoreHeader X-MailScanner-SpamCheck
IgnoreHeader X-MDaemon-Deliver-To
IgnoreHeader X-MDAV-Processed
IgnoreHeader X-MDRemoteIP
IgnoreHeader X-MIMEOLE
IgnoreHeader X-MSMail-Priority
IgnoreHeader X-purgate
IgnoreHeader X-purgate-ID
IgnoreHeader X-purgate-Ad
IgnoreHeader X-Priority
IgnoreHeader X-SA-GROUP
IgnoreHeader X-SA-RECEIPTSTATUS
IgnoreHeader X-Spam
IgnoreHeader X-Spam-Checker-Version
IgnoreHeader X-Spam-Level
IgnoreHeader X-Spam-Processed
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spamcount
IgnoreHeader X-Spamsensitivity
IgnoreHeader X-SpamTest-Info
IgnoreHeader X-SpamTest-Status
IgnoreHeader X-SpamTest-Version
IgnoreHeader X-Virus-Scanned
IgnoreHeader X-Virus-Scanner-Result
IgnoreHeader X-Virus-Status
#
# Lookup: Perform lookups on streamlined blackhole list servers (see
# http://www.nuclearelephant.com/projects/sbl/). The streamlined blacklist
# server is a machine-automated, unsupervised blacklisting system designed to
# provide real-time and highly accurate blacklisting based on network spread.
# When performing a lookup, DSPAM will automatically learn the inbound message
# as spam if the source IP is listed. Until an official public RABL server is
# available, this feature is only useful if you are running your own
# streamlined blackhole list server for internal reporting among multiple mail
# servers. Provide the name of the lookup zone below to use.
#
# This function performs standard reverse-octet.domain lookups, and while it
# will function with many RBLs, it's strongly discouraged to use those
# maintained by humans as they're often inaccurate and could hurt filter
# learning and accuracy.
#
#Lookup "sbl.yourdomain.com"
#
# RBLInoculate: If you want to inoculate the user from RBL'd messages it would
# have otherwise missed, set this to on.
#
#RBLInoculate off
#
# Notifications: Enable the sending of notification emails to users (first
# message, quarantine full, etc.)
#
Notifications on
#
# Purge configuration: Set dspam_clean purge default options, if not otherwise
# specified on the commandline
#
#PurgeSignatures 14 # Stale signatures
#PurgeNeutral 90 # Tokens with neutralish probabilities
#PurgeUnused 90 # Unused tokens
#PurgeHapaxes 30 # Tokens with less than 5 hits (hapaxes)
#PurgeHits1S 15 # Tokens with only 1 spam hit
#PurgeHits1I 15 # Tokens with only 1 innocent hit
#
# Purge configuration for SQL-based installations using purge.sql
#
PurgeSignature off # Specified in purge.sql
PurgeNeutral 90
PurgeUnused off # Specified in purge.sql
PurgeHapaxes off # Specified in purge.sql
PurgeHits1S off # Specified in purge.sql
PurgeHits1I off # Specified in purge.sql
#
# Local Mail Exchangers: Used for source address tracking, tells DSPAM which
# mail exchangers are local and therefore should be ignored in the Received:
# header when tracking the source of an email. Note: you should use the address
# of the host as appears between brackets [ ] in the Received header.
#
LocalMX 127.0.0.1
#
# Logging: Disabling logging for users will make usage graphs unavailable to
# them. Disabling system logging will make admin graphs unavailable.
#
SystemLog on
UserLog on
#
# TrainPristine: for systems where the original message remains server side
# and can therefore be presented in pristine format for retraining. This option
# will cause DSPAM to cease all writing of signatures and DSPAM headers to the
# message, and deliver the message in as pristine format as possible. This mode
# REQUIRES that the original message in its pristine format (as of delivery)
# be presented for retraining, as in the case of webmail, imap, or other
# applications where the message is actually kept server-side during reading,
# and is preserved. DO NOT use this switch unless the original message can be
# presented for retraining with the ORIGINAL HEADERS and NO MODIFICATIONS.
#
#TrainPristine on
#
# Opt: in or out; determines DSPAM's default filtering behavior. If this value
# is set to in, users must opt-in to filtering by dropping a .dspam file in
# /var/dspam/opt-in/user.dspam (or if you have homedirs configured, a .dspam
# folder in their home directory). The default is opt-out, which means all
# users will be filtered unless a .nodspam file is dropped in
# /var/dspam/opt-out/user.nodspam
#
Opt in
#
# TrackSources: specify which (if any) source addresses to track and report
# them to syslog (mail.info). This is useful if you're running a firewall or
# blacklist and would like to use this information. Spam reporting also drops
# RABL blacklist files (see http://www.nuclearelephant.com/projects/rabl/).
#
TrackSources spam nonspam
#
# ParseToHeaders: In lieu of setting up individual aliases for each user,
# DSPAM can be configured to automatically parse the To: address for spam and
# false positive forwards. From there, it can be configured to either set the
# DSPAM user based on the username specified in the header and/or change the
# training class and source accordingly. The options below can be used to
# customize most common types of header parsing behavior to avoid the need for
# multiple aliases, or if using LMTP, aliases entirely.
#
# ParseToHeader: Parse the To: headers of an incoming message. This must be
# set to 'on' to use either of the following features.
#
# ChangeModeOnParse: Automatically change the class (to spam or innocent)
# depending on whether spam- or notspam- was specified, and change the source
# to 'error'. This is convenient if you're not using aliases at all, but
# are delivering via LMTP.
#
# ChangeUserOnParse: Automatically change the username to match that specified
# in the To: header. For example, spam-bob@domain.tld will set the username
# to bob, ignoring any --user passed in. This may not always be desirable if
# you are using virtual email addresses as usernames. Options:
# on or user take the portion before the @ sign only
# full take everything after the initial {spam,notspam}-.
#
ParseToHeaders on
ChangeModeOnParse on
ChangeUserOnParse off
#
# Broken MTA Options: Some MTAs don't support the proper functionality
# necessary. In these cases you can activate certain features in DSPAM to
# compensate. 'returnCodes' causes DSPAM to return an exit code of 99 if
# the message is spam, 0 if not, or a negative code if an error has occurred.
# Specifying 'case' causes DSPAM to force the input usernames to lowercase.
# Specifying 'lineStripping' causes DSPAM to strip ^M's from messages passed
# in.
#
#Broken returnCodes
Broken case
#Broken lineStripping
#
# MaxMessageSize: You may specify a maximum message size for DSPAM to process.
# If the message is larger than the maximum size, it will be delivered
# without processing. Value is in bytes.
#
MaxMessageSize 20971520
#
# Virus Checking: If you are running clamd, DSPAM can perform stream-based
# virus checking using TCP. Uncomment the values below to enable virus
# checking.
#
# ClamAVResponse: reject (reject or drop the message with a permanent failure)
# accept (accept the message and quietly drop the message)
# spam (treat as spam and quarantine/tag/whatever)
#
#ClamAVPort 3310
#ClamAVHost 127.0.0.1
#ClamAVResponse accept
#
# Daemonized Server: If you are running DSPAM as a daemonized server using
# --daemon, the following parameters will override the default. Use the
# ServerPass option to set up accounts for each client machine. The DSPAM
# server will process and deliver the message based on the parameters
# specified. If you want the client machine to perform delivery, use
# the --stdout option in conjunction with a local setup.
#
#ServerPort 24
ServerQueueSize 32
ServerPID /var/run/dspam/dspam.pid
#
# ServerMode specifies the type of LMTP server to start. This can be one of:
# dspam: DSPAM-proprietary DLMTP server, for communicating with dspamc
# standard: Standard LMTP server, for communicating with Postfix or other MTA
# auto: Speak both DLMTP and LMTP; auto-detect by ServerPass.IDENT
#
ServerMode auto
# If supporting DLMTP (dspam) mode, dspam clients will require authentication
# as they will be passing in parameters. The idents below will be used to
# determine which clients will be speaking DLMTP, so if you will be using
# both LMTP and DLMTP from the same host, be sure to use something other
# than the server's hostname below (which will be sent by the MTA during a
# standard LMTP LHLO).
#
#ServerPass.Relay1 "secret"
#ServerPass.Relay2 "password"
#
ServerPass.Spok "<password>"
# If supporting standard LMTP mode, server parameters will need to be specified
# here, as they will not be passed in by the mail server. The ServerIdent
# specifies the 250 response code ident sent back to connecting clients and
# should be set to the hostname of your server, or an alias.
#
# NOTE: If you specify --user in ServerParameters, the RCPT TO will be
# used only for delivery, and not set as the active user for processing.
#
ServerParameters "--deliver=innocent,spam -d %u"
ServerIdent "mail.domain.tld"
# If you wish to use a local domain socket instead of a TCP socket, uncomment
# the following. It is strongly recommended you use local domain sockets if
# you are running the client and server on the same machine, as it eliminates
# much of the bandwidth overhead.
#
ServerDomainSocketPath "/var/run/dspam/dspam.sock"
#
# Client Mode: If you are running DSPAM in client/server mode, uncomment and
# set these variables. A ClientHost beginning with a / will be treated as
# a domain socket.
#
#ClientHost /tmp/dspam.sock
#ClientIdent "secret@Relay1"
#
#ClientHost 127.0.0.1
#ClientPort 24
#ClientIdent "secret@Relay1"
# RABLQueue: Touch files in the RABL queue
# If you are a reporting streamlined blackhole list participant, you can
# touch ip addresses within the directory the rabl_client process is watching.
#
#RABLQueue /var/spool/rabl
ClientHost /var/run/dspam/dspam.sock
ClientIdent "<password>@Spok"
# DataSource: If you are using any type of data source that does not include
# email-like headers (such as documents), uncomment the line below. This
# will cause the entire input to be treated like a message "body"
#
#DataSource document
# ProcessorWordFrequency: By default, words are only counted once per message.
# If you are classifying large documents, however, you may wish to count once
# per occurrence instead.
#
#ProcessorWordFrequency occurrence
# ProcessorBias: Bias causes the filter to lean more toward 'innocent', and
# usually greatly reduces false positives. It is the default behavior of
# most Bayesian filters (including dspam).
#
# NOTE: You probably DON'T want this if you're using Markovian Weighting, unless
# you are paranoid about false positives.
#
ProcessorBias on
## EOF
Code: Select all
TS True Positives: 78620
TI True Negatives: 77765
IM False Positives: 439
SM False Negatives: 17
SC Spam Corpusfed: 43344
IC Innocent Corpusfed: 41322
TL Training Left: 0
SR Spam Catch Rate: 99.98%
IR Innocent Catch Rate: 99.44%
OR Overall Rate/Accuracy: 99.71%
Code: Select all
TP True Positives: 135267
TN True Negatives: 136203
FP False Positives: 489
FN False Negatives: 784
SC Spam Corpusfed: 43936
NC Nonspam Corpusfed: 43580
TL Training Left: 0
SHR Spam Hit Rate 99.42%
HSR Ham Strike Rate: 0.36%
OCA Overall Accuracy: 99.53%
Code: Select all
TP True Positives: 123148
TN True Negatives: 123677
FP False Positives: 245
FN False Negatives: 336
SC Spam Corpusfed: 245
NC Nonspam Corpusfed: 137
TL Training Left: 0
SHR Spam Hit Rate 99.73%
HSR Ham Strike Rate: 0.20%
OCA Overall Accuracy: 99.77%
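
An added example, not part of the original posts and not DSPAM's own tooling: a small audit for a dspam.conf like the one posted above. It lists Trust entries outside an operator-chosen allowlist, active Debug lines (the file's own comment says not to run production with debug active), and directives that store credentials. The allowlist, function names and sample excerpt are assumptions constructed for illustration.

```python
import os
import shlex
import stat

# Directives whose value is a credential; a ".Profile" suffix is allowed.
SECRET_DIRECTIVES = {"MySQLPass", "PgSQLPass", "OraPass", "ServerPass", "ClientIdent"}
# Stock sample values that appear in the commented lines of the posted file.
SAMPLE_SECRETS = {"changeme", "secret", "password"}

# Constructed excerpt (not the poster's file) built from directives shown above.
SAMPLE = """\
# constructed excerpt
Trust root
Trust nobody
Trust apache
Trust postfix
Trust dspam
#Debug *
Debug me@mydomain.tld
DebugOpt process classify
MySQLPass changeme
ServerPass.Spok "constructed-value-1"
#ServerPass.Relay1 "secret"
ClientIdent "secret@Relay1"
Preference "spamAction=tag" # tag, quarantine, deliver
"""


def parse(text):
    """Yield (lineno, directive, values) for each active (uncommented) line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            # Handles quoted values and drops '#' comments outside quotes.
            tokens = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield lineno, tokens[0], tokens[1:]


def audit(text, allowed_trust):
    """Return (lineno, kind, message) findings; credential values are never echoed."""
    findings = []
    for lineno, name, values in parse(text):
        base = name.split(".", 1)[0]
        if base == "Trust":
            for user in values:
                if user not in allowed_trust:
                    findings.append(
                        (lineno, "trust", f"{user} is trusted but not on the allowlist"))
        elif base == "Debug":
            findings.append(
                (lineno, "debug", "debugging active for: " + " ".join(values)))
        elif base in SECRET_DIRECTIVES and values:
            secret = values[0]
            if base == "ClientIdent":  # format shown in the file: password@ident
                secret = secret.rsplit("@", 1)[0]
            kind = "sample-secret" if secret.lower() in SAMPLE_SECRETS else "secret"
            findings.append((lineno, kind, f"{name} stores a credential in this file"))
    return findings


def world_readable(path):
    """True if users outside the file's owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Assumed allowlist: the accounts this operator actually runs DSPAM from.
    for lineno, kind, message in audit(SAMPLE, {"root", "postfix", "dspam"}):
        print(f"line {lineno}: [{kind}] {message}")
```

Run `world_readable()` against the real file as well: any "secret" finding means the file should be readable only by the accounts that run DSPAM.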