Peter wrote:

>> e) @viruses_that_fake_sender_maps will prevent sending of DSNs to
>> virus senders (because the configuration example assumes all
>> viruses use a spoofed sender address). Use at your discretion, but I
>> personally recommend it.
> The provided config file shows this:
>
>   @viruses_that_fake_sender_maps = (new_RE(
>   # [qr'\bEICAR\b'i => 0],            # av test pattern name
>   # [qr'^(WM97|OF97|Joke\.)'i => 0],  # adjust names to match your AV scanner
>     [qr/^/ => 1],                     # true for everything else
>   ));
>
> If I read this right, this sets up a default to tag all detected
> viruses as those that spoof the envelope sender. So on the third line
> I need to specify the ones that do not? Or is that the other way
> around?
>
> I looked again at my config and I found this:
>
>   $viruses_that_fake_sender_re = new_RE(
>     qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>     qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
>     qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sco|mydoom'i,
>     [qr'^(EICAR\.COM|Joke\.|Junk\.)'i => 0],
>     [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
>   );

Here is a more recent one that includes more names. Comment out the indicated (last) line to prevent amavis from assuming every virus comes from a spoofed sender; then it will be closer to reality (but nowadays almost every virus fakes the sender's address, so assuming that it does is also close to reality).

  @viruses_that_fake_sender_maps = (new_RE(
    qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
    qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
    qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
    qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
    qr'@mm|@MM',      # mass mailing viruses as labeled by f-prot and uvscan
    qr'Worm'i,        # worms as labeled by ClamAV, Kaspersky, etc
  # [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
  # [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
    [qr/^/ => 1],     # true by default (remove or comment-out if undesired)
  ));

Note: this setting only has meaning if you are using $final_virus_destiny = D_BOUNCE;. If you use $final_virus_destiny = D_DISCARD; (like I do), this setting does not get used anyway.
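The first-match-wins evaluation that both maps above rely on, as an added Python re-implementation written for this note (it is not amavisd-new's own code; the scanner names fed to it are constructed). It shows why the EICAR/Joke exceptions must precede the catch-all and why the map only matters when viruses are bounced:

```python
import re

# Illustration (not amavisd-new's own code) of how a new_RE lookup map is
# evaluated: entries are either a regex (a match yields 1) or a
# (regex, value) pair; the FIRST matching entry decides, later entries are
# never consulted, and no match at all yields None (Perl undef).
def lookup_re(name, entries):
    for entry in entries:
        pattern, value = entry if isinstance(entry, tuple) else (entry, 1)
        if pattern.search(name):
            return value
    return None

# Transcription of the more recent @viruses_that_fake_sender_maps above,
# with the two EICAR/Joke exception lines uncommented. They sit ABOVE the
# catch-all [qr/^/ => 1]; placed below it they would never be reached.
VIRUSES_THAT_FAKE_SENDER = [
    re.compile(r"nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar", re.I),
    re.compile(r"tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces", re.I),
    re.compile(r"dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la", re.I),
    re.compile(r"frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown", re.I),
    re.compile(r"@mm|@MM"),       # mass mailers as labelled by f-prot and uvscan
    re.compile(r"Worm", re.I),    # worms as labelled by ClamAV, Kaspersky, etc.
    (re.compile(r"^(EICAR|Joke\.|Junk\.)", re.I), 0),
    (re.compile(r"^(WM97|OF97|W95/CIH-|JS/Fort)", re.I), 0),
    (re.compile(r"^"), 1),        # default: everything else fakes the sender
]

D_BOUNCE, D_DISCARD = "D_BOUNCE", "D_DISCARD"

def send_virus_dsn(virus_name, final_virus_destiny, fake_map=VIRUSES_THAT_FAKE_SENDER):
    """Would a DSN go back to the envelope sender? Only under D_BOUNCE, and
    only when the map does not flag the virus as a sender-faker (this is what
    keeps the bounce from becoming backscatter to a forged address). Under
    D_DISCARD the map is never consulted, as the note above says."""
    if final_virus_destiny != D_BOUNCE:
        return False
    return not lookup_re(virus_name, fake_map)

if __name__ == "__main__":
    # Constructed scanner output names, not real detections.
    for name in ("EICAR-Test-Signature", "W32.Mydoom.M", "Something.Unknown"):
        print(name, "fakes sender:", lookup_re(name, VIRUSES_THAT_FAKE_SENDER),
              "DSN under D_BOUNCE:", send_virus_dsn(name, D_BOUNCE))
```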
> For the banned configuration I will try:
>
>   $banned_filename_re = new_RE(
>     qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>     qr'^application/x-msdownload$'i,
>     qr'^application/x-msdos-program$'i,
>     qr'^application/hta$'i,
>     [ qr'^\.(rpm|cpio|tar)$' => 0 ],
>     qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,
>     qr'^\.(exe-ms)$',
>   );

Looks like the typical minimum suggested setting. This will at least detect the worst of the worst and is much better than nothing. I personally prefer to comment out the one-line "# banned extension - basic" and uncomment the four-line "# banned ext - long":

    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,                      # banned extension - basic
  # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
  #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
  #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
  #        wmf|wsc|wsf|wsh)$'ix,                                     # banned ext - long

I suggest also explicitly setting $banned_admin, e.g.:

  $banned_admin = "[EMAIL PROTECTED]";

so you are notified when a banned file is detected.

Note: If you were quarantining to SQL, and you wish to continue to do so, you will need to re-enable your @storage_sql_dsn (not @lookup_sql_dsn):

  @storage_sql_dsn = (['DBI:mysql:spamassassin:localhost','amavisd','password']);

I am assuming you still have a script in place to purge old records on a regular basis. At any rate, if outgoing mail passes through this box, keeping this part of the data alive will allow you to take advantage of the new penpals soft-whitelisting feature of version 2.4.2. If neither is true, and you are not using the data for any reports or whatever, then you don't need it.

Gary V
_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
