Rodolfo,
> I'm also getting a lot of spam from forged
> addresses in my domain, most of it being stopped by DNSBL checks at
> postfix, but some high percentage of those spam messages still pass
> those checks. I use $final_spam_destiny = D_REJECT, which is supposed to
> send a 500 message back to the server, not to bounce the spam message,
> except in the case stated here:
> http://www.mail-archive.com/[email protected]/msg14060.html

Note that D_REJECT only makes sense with pre-queue content filtering setups,
like Postfix proxy or a milter setup. With a post-queue setup one should
not use a D_REJECT, as it cannot benefit from some bounce suppression
techniques (cutoff levels, suppression of virus bounces).

When using amavisd with a postfix proxy setup, make sure to use a recent
version of postfix and use its '-o smtpd_proxy_options=speed_adjust'
on a smtpd service proxying mail to amavisd !!!

The coming version of amavisd will be more friendly towards a
proxy filtering setup. Among other things, it offers non-disruptive
amavisd reloads.

> (multiple recipients), right? My problem is whitelisting (I had to use
> it since users sent html messages and so on). So, I'd like to have
> something like:

Yes, using the SMTP protocol it is not possible to selectively
reject by recipients *after* mail data has been received.
A switchover to a bounce occurs in this case inevitably
when some recipients consider mail as spam, while another
considers the same (multi-recipient) message a ham.

>1) If the message from my domain is dkim signed and optionally from a
> SPF allowed host, then it is passed.
>2) If it's not dkim signed or SPF allowed then it gets bad points and it
> is checked for additional spam characteristics and finally rejected.

  $enable_dkim_verification = 1;

  @author_to_policy_bank_maps = (
    #
    # when an ACL lookup is used within the @author_to_policy_bank_maps list
    # and a lookup matches, a hardwired policy bank name 'AUTHOR_APPROVED' is
    # automatically supplied in place of a boolean result of a lookup
    {
      'yourdomain.example.com' => 'STRONG_WHITELIST',
      '.ebay.com'              => 'STRONG_WHITELIST',
      '.ebay.co.uk'            => 'STRONG_WHITELIST',
      'ebay.at'                => 'STRONG_WHITELIST',
      'ebay.ca'                => 'STRONG_WHITELIST',
      'ebay.de'                => 'STRONG_WHITELIST',
      'ebay.fr'                => 'STRONG_WHITELIST',
      '.paypal.com'            => 'STRONG_WHITELIST',
      '.paypal.de'             => 'STRONG_WHITELIST',
      '.paypal.co.uk'          => 'STRONG_WHITELIST',
      './@paypal.com'          => 'STRONG_WHITELIST',
      '.linkedin.com'          => 'MILD_WHITELIST',
      'yousendit.com'          => 'MILD_WHITELIST',
      'meetup.com'             => 'MILD_WHITELIST',
      '[email protected]'=> 'MILD_WHITELIST',
      'info.hp.com'            => 'MILD_WHITELIST',
      '[email protected]' => 'MILD_WHITELIST',
    });

  $policy_bank{'STRONG_WHITELIST'} = {
    score_sender_maps => [ { '.' => [-8] } ],
  };

  $policy_bank{'MILD_WHITELIST'} = {
    score_sender_maps => [ { '.' => [-1.5] } ],
  };

Or by using a similar feature of SpamAssassin: whitelist_from_dkim
and whitelist_from_spf.

Then assign positive score points to mail from these same domains,
which will counteract the dkim or spf whitelisting for nonauthentic
mail. With SA 3.3 assigning spam points to non-DKIM validated
mail can be achieved by an 'adsp_override' directive, see
Mail::SpamAssassin::Plugin::DKIM man page, and 60_adsp_override_dkim.cf
for examples.

You may want to adjust (bump up) these scores:

  score NML_ADSP_CUSTOM_LOW  0 0.7 0 0.7
  score NML_ADSP_CUSTOM_MED  0 1.2 0 0.9
  score NML_ADSP_CUSTOM_HIGH 0 2.6 0 2.5

> > amavisd can be configured to only bounce back if spf/dkim signed.
> > How can be this done?
amavisd-new-2.6.0 release notes:
- usually a sending address in spam messages is faked and it is desirable
to suppress most if not all bounces by keeping $sa_dsn_cutoff_level low,
but sometimes it may be possible to be more certain of the validity of
a sending address, and when such mail is considered spam, it may still be
desirable to send a non-delivery notification, knowing that a notification
will most likely be addressed to a genuine sender.
Two new settings are provided for this purpose:
@spam_crediblefrom_dsn_cutoff_level_bysender_maps and
@spam_crediblefrom_dsn_cutoff_level_maps
(with their default being $sa_crediblefrom_dsn_cutoff_level),
complementing the existing @spam_dsn_cutoff_level_bysender_maps and
@spam_dsn_cutoff_level_maps.
It is expected that $sa_crediblefrom_dsn_cutoff_level would be set somewhat
higher than $sa_dsn_cutoff_level, allowing for more bounces to be generated
for spam from likely-to-be-genuine senders (possibly false positives).
The choice between taking a cutoff value from one or the other pair of
settings depends on an attribute $msginfo->sender_credible - when it is
true (e.g. some nonempty string) the *spam_crediblefrom_* settings will
be used instead of the baseline @spam_dsn_cutoff_level_*maps.
An initial value of a sender_credible attribute as provided by amavisd
is true if either the 'originating' flag is true (e.g. mail from inside),
or if dkim_envsender_sig attribute is true, e.g. a domain of a valid
DKIM signature matches envelope sender address, otherwise it is false.
A user-provided custom hook code is free to change the value of
sender_credible attribute. An exact value does not matter (it is only
interpreted as a boolean), but serves for logging purposes. Heuristics
may be based on some tests provided by SpamAssassin, on DKIM signatures,
on p0f results, on policy banks, etc.
Here is one complete example of a custom hook, which turns on the
sender_credible attribute based on some criteria.

added to amavisd.conf:

  include_config_files('/etc/amavisd-custom.conf');

/etc/amavisd-custom.conf :

  package Amavis::Custom;
  use strict;

  sub new { my($class,$conn,$msginfo) = @_; bless {}, $class }

  sub after_send {
    my($self,$conn,$msginfo) = @_;
    if ($msginfo->sender ne '') {
      my(@cred); local($1);
      my($tests) = $msginfo->supplementary_info('TESTS');
      $tests = '' if !defined($tests) || $tests eq 'none';
      push(@cred,'orig') if $msginfo->originating;
      push(@cred,$1) if $tests =~ /\b(RCVD_IN_DNSWL_HI)\b/;
      push(@cred,$1) if $tests =~ /\b(RCVD_IN_DNSWL_MED)\b/;
      push(@cred,$1) if $tests =~ /\b(RP_MATCHES_RCVD)\b/;
      my($os_fingerprint) = $msginfo->client_os_fingerprint;
      if ($os_fingerprint !~ /^Windows XP(?![^(]*\b2000 SP)/) {
        push(@cred,'dkim') if $msginfo->dkim_envsender_sig;
        push(@cred,$1) if $tests =~ /\b(SPF_PASS)\b/;
      }
      $msginfo->sender_credible(join(",",@cred)) if @cred;
    }
  }

  1; # insure a defined return

Mark
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
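
The cutoff selection described in the release notes quoted in this message, as an added example that is not part of the original post and is not amavisd code: a stand-alone Perl model that applies the hook's criteria and then picks between the baseline and the "crediblefrom" DSN cutoff. It assumes $final_spam_destiny = D_BOUNCE; the hash keys, the three level values, the placeholder strings for the initial sender_credible value and the sample messages are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration (not amavisd code): models which spam messages would get
# a bounce under D_BOUNCE. Levels and sample messages are constructed.
use strict;
use warnings;

my %level = (
  kill             => 6.9,  # assumed spam threshold ($sa_kill_level_deflt)
  dsn_cutoff       => 10,   # assumed $sa_dsn_cutoff_level
  crediblefrom_dsn => 18,   # assumed $sa_crediblefrom_dsn_cutoff_level
);

# Initial value as described in the release notes, then the hook's criteria.
sub sender_credible {
  my($m) = @_;
  my $initial = $m->{originating}        ? 'orig'
              : $m->{dkim_envsender_sig} ? 'dkim' : '';
  return $initial if $m->{sender} eq '';     # hook skips null-sender mail
  my $tests = $m->{tests} // '';
  my @cred;
  push @cred, 'orig' if $m->{originating};
  for my $t (qw(RCVD_IN_DNSWL_HI RCVD_IN_DNSWL_MED RP_MATCHES_RCVD)) {
    push @cred, $t if $tests =~ /\b\Q$t\E\b/;
  }
  if (($m->{os} // '') !~ /^Windows XP(?![^(]*\b2000 SP)/) {
    push @cred, 'dkim'     if $m->{dkim_envsender_sig};
    push @cred, 'SPF_PASS' if $tests =~ /\bSPF_PASS\b/;
  }
  return @cred ? join(',', @cred) : $initial;  # hook overrides only if @cred
}

# Treated here as: a DSN goes out only while the score is below the cutoff.
sub dsn_decision {
  my($m) = @_;
  return 'not spam, delivered'  if $m->{score} < $level{kill};
  return 'no DSN (null sender)' if $m->{sender} eq '';
  my $cred   = sender_credible($m);
  my $cutoff = $cred ne '' ? $level{crediblefrom_dsn} : $level{dsn_cutoff};
  return $m->{score} < $cutoff ? "DSN sent (cutoff $cutoff, credible=[$cred])"
                               : "DSN suppressed (cutoff $cutoff)";
}

my @samples = (  # constructed messages
  { sender=>'a@yourdomain.example.com', score=>12, tests=>'SPF_FAIL' },
  { sender=>'a@yourdomain.example.com', score=>12, dkim_envsender_sig=>1 },
  { sender=>'a@yourdomain.example.com', score=>25, dkim_envsender_sig=>1 },
  { sender=>'b@other.example', score=>8, tests=>'SPF_PASS',
    os=>'Windows XP SP1' },
);
printf "%-5s %s\n", $_->{score}, dsn_decision($_) for @samples;
```

The last sample shows why the baseline cutoff should stay low: an SPF pass from a client fingerprinted as Windows XP earns no credibility, yet spam scoring under the baseline cutoff is still bounced.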