Re: Support for alz and egg archives

2019-04-23 Thread @lbutlr
On 23 Apr 2019, at 11:36, Sim Sum  wrote:
> in times of malware and phishing some senders use exotic compression methods.

Are you getting legitimate emails containing these archive types?


-- 
Moving into the universe
And she's drifting this way and that
Not touching the ground at all
And she's up above the yard




Re: reload or restart after spamassassin/local.cf change?

2019-04-17 Thread @lbutlr
On 17 Apr 2019, at 03:47, Dominic Raferd  wrote:
> (technically, perl Mail::SpamAssassin) for each mail it wants to check - and 
> I would expect that SA loads its parameters *each time* from its config files.

That would be insanely inefficient. SA is not reloaded for each mail.


-- 
Oh, he's just like any other man, only more so.




Re: Email WhiteListing Attachments with Amavis and Microsoft Files

2018-11-12 Thread @lbutlr
On 9 Nov 2018, at 10:56, Johnny Time  wrote:
> [ qr'^application/doc|docx|ppt|pdf|xls|vsd$'i => 0 ],

This syntax is broken and will allow application/document binary/pptx and 
virusload.exe/pptanythinggoeshere

You either need to put a $ at the end of all of those

[ qr'^application/(doc$|docx$|ppt$|pdf$|xls$|vsd$)'i => 0 ],

NB the addition of parens.

Or better, what Hoyer suggested (which also adds the critical parens you are 
missing).



-- 
Of course, there were various groups seeking his overthrow, and this was
right and proper and the sign of a vigorous and healthy society. No-one
could call him unreasonable about the matter. Why, hadn't he founded
most of them himself? And what was so beautiful was the way they spent
nearly all their time bickering with one another. Human nature, the
Patrician always said, was a marvelous thing. Once you understood where
its levers were. --Guards! Guards!
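The precedence bug in the quoted map, shown as a quick check against constructed content-type strings. This is an added example written for this page, not code from the thread or from amavisd; the strings are constructed, and Python's re stands in for Perl's qr// (the syntax and the i flag carry over unchanged):

```python
import re

# Constructed Content-Type strings (not from the thread).  The map is meant to
# whitelist exactly the six listed types and nothing else.
SHOULD_MATCH = [
    "application/doc",
    "application/docx",
    "application/pdf",
    "application/vsd",
]
SHOULD_NOT_MATCH = [
    "application/document binary/pptx",   # first case raised in the reply
    "virusload.exe/pptanythinggoeshere",  # second case raised in the reply
    "application/pdf.exe",
    "application/x-msdownload",
]

# The pattern as posted, qr'^application/doc|docx|ppt|pdf|xls|vsd$'i, in
# Python.  Alternation binds more loosely than ^ and $, so ^ belongs to the
# first branch only and $ to the last only; "docx", "ppt", "pdf" and "xls"
# are bare substrings that match anywhere in the string.
BROKEN = re.compile(r"^application/doc|docx|ppt|pdf|xls|vsd$", re.IGNORECASE)

# The two corrected forms from the reply: grouping puts both anchors on every
# branch.  They are equivalent.
FIXED = re.compile(r"^application/(doc|docx|ppt|pdf|xls|vsd)$", re.IGNORECASE)
FIXED_AS_POSTED = re.compile(r"^application/(doc$|docx$|ppt$|pdf$|xls$|vsd$)", re.IGNORECASE)


def matches(pattern, value):
    # amavisd tests a qr// map entry with a plain =~ match which, like
    # re.search, succeeds if the pattern occurs anywhere in the string
    # unless the pattern itself is anchored.
    return pattern.search(value) is not None


def false_accepts(pattern):
    """Types the pattern wrongly whitelists (the dangerous direction)."""
    return [s for s in SHOULD_NOT_MATCH if matches(pattern, s)]


def false_rejects(pattern):
    """Types the pattern wrongly refuses to whitelist."""
    return [s for s in SHOULD_MATCH if not matches(pattern, s)]


if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED), ("fixed as posted", FIXED_AS_POSTED)):
        print(f"{name:16s} wrongly accepts: {false_accepts(pat)}  wrongly rejects: {false_rejects(pat)}")
```

Running it shows the broken pattern whitelisting all three hostile strings while accepting the legitimate ones, so the bug never shows up as a false reject; only a negative test like this catches it before the map goes into amavisd.conf.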



Re: Is amavisd-new still being maintained?

2018-10-08 Thread @lbutlr
On 07 Oct 2018, at 15:35, Dave McGuire  wrote:
> Still works fine here.  Personally I rather like it when a piece of
> infrastructure software stops being a "moving target".

When it is supposed to be dealing with the constantly moving target of malicious 
emails, no, I don’t like to see it stop updating.

Besides that, there are some pretty serious bugs in amavis-new that have not 
been addressed.

In fact, I do not currently have it installed.



-- 
"...and that's not incense”



Re: Is amavisd-new still being maintained?

2018-10-05 Thread @lbutlr
On 04 Oct 2018, at 12:22, Ralph Seichter  wrote:
> Does anybody here know if Mark Martinec (or anybody else) is actively
> maintaining amavisd-new? https://www.ijs.si/software/amavisd/ has last
> been updated more than two years ago, with the 2.11.0 release. The link
> to the "Freshmeat project page" [1] points to information which is even
> more outdated.

This does seem like a good question.

If amavisd-new is not being maintained is there something similar that is? 
Preferably not written in Perl?

(Sorry perl lovers, but perl is pretty damn taxing on my machines)

-- 
The other cats just think he's a tosser. --Neil Gaiman



Re: Block ..rar files in amavisd

2018-01-23 Thread @lbutlr
On 23 Jan 2018, at 00:20, Dominic Raferd <domi...@timedicer.co.uk> wrote:
> 
> 
> On 22 January 2018 at 22:28, @lbutlr <krem...@kreme.com> wrote:
> I have a file mime_headers.pcre in postfix:
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
>  REJECT Attachment name "$2" may not end with ".$3"
> 
> I do this too, but ​I ​use the exact example at 
> http://www.postfix.org/header_checks.5.html - is there a reason why yours is 
> subtly different?

That config file is about 15 years old, so I have no idea why it's different. 
However, basically no one ever sends those attachment types anymore anyway. 

-- 
Love is strange and you have to learn to take the crunchy with the
smooth I suppose



Re: /var/virusmails expiry?

2018-01-22 Thread @lbutlr
On 21 Jan 2018, at 15:01, Patrick Ben Koetter  wrote:
> Actually I do believe there is a cron job that expires mails after 30 days.
> Maybe you just need to adjust that.

OK, I looked again and found that. Oops.

-- 
'He's mad, isn't he?' 'No, mad's when you froth at the mouth,' said
Gaspode. ' He's insane. That's when you froth at the brain.'



Re: Block ..rar files in amavisd

2018-01-22 Thread @lbutlr
On 12 Jan 2018, at 06:24, Jonathan Sélea  wrote:
> I want to block .rar files on my server:

I do this during the SMTP transaction phase so the mail server never even 
receives files on my restricted list

I have a file mime_headers.pcre in postfix:
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
 REJECT Attachment name "$2" may not end with ".$3"

main.cf:
mime_header_checks = pcre:$config_directory/mime_headers.pcre

(My list is a lot shorter than yours, but that’s not the point)

-- 
I've never seen religious faith move mountains, but I've seen what it does
to skyscrapers.
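To see what that pcre(5) entry actually catches, here is an added check, written for this page and not part of the post or of Postfix, that runs the posted pattern over constructed MIME header lines. The headers are made up for the test; the pattern is the one from the post, with the default case-insensitive matching of Postfix pcre tables reproduced by re.IGNORECASE and the /x flag dropped because the pattern contains no literal whitespace:

```python
import re
from typing import Optional

# The pcre(5) table entry from the post, as one Python pattern.  Postfix pcre
# tables match case-insensitively unless the /i flag is turned off, so
# re.IGNORECASE reproduces the default.
BANNED_NAME_RE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)',
    re.IGNORECASE,
)


def check_mime_header(line: str) -> Optional[str]:
    """Return the REJECT text Postfix would log for this header line, or None.

    $2 and $3 in the table's action become groups 2 and 3 here.
    """
    m = BANNED_NAME_RE.search(line)
    if m is None:
        return None
    return f'REJECT Attachment name "{m.group(2)}" may not end with ".{m.group(3)}"'


def scan_headers(lines) -> Optional[str]:
    """First rejection across a block of MIME headers, as mime_header_checks
    stops at the first matching line."""
    for line in lines:
        verdict = check_mime_header(line)
        if verdict is not None:
            return verdict
    return None


# Constructed MIME header lines, not taken from the thread.
SAMPLES = [
    'Content-Disposition: attachment; filename="invoice.exe"',           # plain case
    'Content-Disposition: attachment; filename=INVOICE.EXE',             # unquoted, upper case
    'Content-Disposition: attachment; filename="statement.pdf.exe"',     # double extension
    'Content-Disposition: attachment; filename="run.bat"; size=12',      # parameter follows
    'Content-Disposition: attachment; filename="=?UTF-8?Q?Rechnung.js?="',  # RFC 2047 encoded word
    'Content-Type: application/zip; name="invoice.zip"',                 # archive: not this layer's job
    "Content-Disposition: attachment; filename*=UTF-8''payload.exe",     # RFC 2231 form: no "name="
    'Content-Disposition: attachment; filename="photo.JPG"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line}\n    -> {check_mime_header(line)}")
```

Two things the output makes visible before anyone relies on this at SMTP time: the check looks at the name parameter only, so invoice.zip passes and whatever is inside the archive is amavisd's job (the .rar question this thread started with); and because the pattern keys on a literal `name=`, the RFC 2231 `filename*=` form in the second-to-last sample is not matched at all.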



/var/virusmails expiry?

2018-01-21 Thread @lbutlr
The files in /var/virusmails appear to be expiring after 30 days, but I can’t 
find a setting in the amavisd.conf for that other than the $maxfiles setting. 
How can I set this to, for example, 7 days?

Or should I just set up a cron task for this?

find /var/virusmails/ -type f -ctime +7 -delete

-- 
'Why is it all Mr Dibbler's films are set against the background of a
world gone mad?' said the dwarf. Soll's eyes narrowed. 'Because Mr
Dibbler,' he growled, 'is a very observant man.' --Moving Pictures
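Since the question is what such a cron job should do, here is an added pruning script for this page, not from the thread or from amavisd. It assumes the local: quarantine layout seen in log lines elsewhere in this archive (files named spam-<id>.gz, virus-<id>.gz or banned-<id>.gz) and leaves everything else in the directory alone. It keys on mtime rather than the -ctime of the draft command: ctime cannot be set and is bumped by chmod, chown and rename, so a permissions sweep over the quarantine would reset every file's age and defeat the expiry.

```python
import time
from pathlib import Path

# Assumption (not from the thread): amavisd's local: quarantine method writes
# regular files with these prefixes and a .gz suffix.
QUARANTINE_PREFIXES = ("spam-", "virus-", "banned-")
SECONDS_PER_DAY = 86400


def is_quarantine_file(path: Path) -> bool:
    """Only touch files that look like amavisd quarantine output."""
    return path.is_file() and path.name.startswith(QUARANTINE_PREFIXES) and path.suffix == ".gz"


def expired_quarantine_files(quarantine_dir, max_age_days: int, now=None) -> list:
    """Quarantine files whose mtime is older than max_age_days, sorted by name.

    `now` is injectable so the cutoff can be pinned in tests.
    """
    root = Path(quarantine_dir)
    if not root.is_dir():
        # Refuse to guess: a mistyped or unmounted path must not become a no-op
        # that silently lets the quarantine grow (or a sweep of the wrong tree).
        raise FileNotFoundError(f"quarantine directory does not exist: {root}")
    if max_age_days < 0:
        raise ValueError("max_age_days must be non-negative")
    cutoff = (time.time() if now is None else now) - max_age_days * SECONDS_PER_DAY
    return sorted(p for p in root.iterdir() if is_quarantine_file(p) and p.stat().st_mtime < cutoff)


def prune_quarantine(quarantine_dir, max_age_days: int, dry_run: bool = False, now=None) -> list:
    """Delete expired quarantine files and return the paths removed.

    With dry_run=True nothing is deleted; the list is what would have gone.
    """
    victims = expired_quarantine_files(quarantine_dir, max_age_days, now)
    if not dry_run:
        for path in victims:
            path.unlink()
    return victims


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="Expire amavisd quarantine files by age")
    ap.add_argument("quarantine_dir", nargs="?", default="/var/virusmails")
    ap.add_argument("--days", type=int, default=7, help="keep files newer than this many days")
    ap.add_argument("-n", "--dry-run", action="store_true", help="list, do not delete")
    args = ap.parse_args()
    for removed in prune_quarantine(args.quarantine_dir, args.days, dry_run=args.dry_run):
        print(removed)
```

Run it once with -n from the amavis user's crontab before scheduling the real thing, so the list of what would go is visible in the cron mail.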


Re: unsubscribe

2017-12-02 Thread @lbutlr
On 25 Nov 2017, at 12:17, traced  wrote:
> unsubscribe

Your improper request failed.

This is in the headers of every single post to the group:

List-Id: "General support and discussion mailing list for AMaViS
 \(amavisd-new\)" 
List-Unsubscribe: 
, 
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: 
, 
 

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: amavisd-new cpu always 100%

2017-02-26 Thread @lbutlr
On 2017-02-23 (22:05 MST), Asif Iqbal  wrote:
> 
> I am using postfix 2.6.6 

Do you think it is wise to use a version of postfix from… 2010?

Do you think it is wise to have not at least updated to the latest version of 
2.6 (released in 2013)?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-20 Thread @lbutlr
On 2017-02-20 (06:16 MST), Dino Edwards  wrote:
> 
> $QUARANTINEDIR = "/some/mountpoint/with/plenty/of/space";
> $virus_quarantine_method = 'local:virus/%m';
> $spam_quarantine_method = 'local:spam/%m';
> $banned_files_quarantine_method = 'local:banned/%m';
> $bad_header_quarantine_method = 'local:bad_header/%m';
> $clean_quarantine_method = 'local:clean/%m';

I'm puzzled, only the first exists in amavisd.conf

The only (non commented) lines with quarantine:

$QUARANTINEDIR = '/var/virusmails';  # -Q
$sa_quarantine_cutoff_level = 12; # spam level beyond which quarantine is off
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Multiple infections not passed to amavis

2017-02-02 Thread @lbutlr
On Feb 2, 2017, at 2:49 AM, Levente Birta  wrote:
> OK, the problem was in the amavisd.conf at the @av_scanners section: don't 
> know why, but missed the /m (Treat string as multiple lines) option
> 
> ['ClamAV-clamd',
>  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
>  qr/\bOK$/m, qr/\bFOUND$/m,
>  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Isn’t that the default?

That’s what my amavisd.conf has, and I’m pretty sure I haven’t changed it.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
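Why the /m matters: clamd's CONTSCAN answer is one line per scanned file, and without /m the ^ and $ in those three patterns only see the start and end of the whole reply, so a multi-part message with several infected parts yields at most one name. The added example below, written for this page and not taken from amavisd or the thread, runs the posted patterns over a constructed CONTSCAN reply; the paths and signature names are made up for the test:

```python
import re

# Constructed clamd CONTSCAN reply for an amavisd work directory with four
# extracted parts (not a real scanner capture).  One line per file; the
# third line has the shape the (?!Infected Archive) lookahead is written to skip.
CONTSCAN_REPLY = (
    "/var/amavis/tmp/amavis-20170202-01/parts/p001: OK\n"
    "/var/amavis/tmp/amavis-20170202-01/parts/p002: Eicar-Test-Signature FOUND\n"
    "/var/amavis/tmp/amavis-20170202-01/parts/p003: Infected Archive FOUND\n"
    "/var/amavis/tmp/amavis-20170202-01/parts/p004: Win.Trojan.Agent-12345 FOUND\n"
)

# The three patterns from the @av_scanners entry.  Perl's /m is re.MULTILINE.
CLEAN_RE = re.compile(r"\bOK$", re.MULTILINE)
INFECTED_RE = re.compile(r"\bFOUND$", re.MULTILINE)
NAME_PATTERN = r"^.*?: (?!Infected Archive)(.*) FOUND$"


def virus_names(reply: str, multiline: bool = True) -> list:
    """Signature names extracted from the reply, with or without /m.

    With multiline=False, ^ matches only at offset 0 and $ only at the very
    end, so the name pattern cannot line up on any single line of a
    multi-line reply and nothing is reported.
    """
    flags = re.MULTILINE if multiline else 0
    return re.compile(NAME_PATTERN, flags).findall(reply)


def verdict(reply: str) -> str:
    """INFECTED if any line ends in FOUND, CLEAN if a line ends in OK,
    otherwise UNKNOWN (unrecognised output, which amavisd treats as a
    scanner failure rather than a clean result)."""
    if INFECTED_RE.search(reply):
        return "INFECTED"
    if CLEAN_RE.search(reply):
        return "CLEAN"
    return "UNKNOWN"


if __name__ == "__main__":
    print("verdict:", verdict(CONTSCAN_REPLY))
    print("with /m:   ", virus_names(CONTSCAN_REPLY))
    print("without /m:", virus_names(CONTSCAN_REPLY, multiline=False))
```

The lookahead drops the "Infected Archive" line so the report carries the actual signature names, not the container notice; without /m the same reply produces an empty list, which is the symptom the thread describes.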



Re: Moving to new password scheme

2017-01-24 Thread @lbutlr
On 24 Jan 2017, at 06:45, @lbutlr <krem...@kreme.com> wrote:
> dovecot is setup

Sorry. Wrong list, obviously.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Moving to new password scheme

2017-01-24 Thread @lbutlr
dovecot is set up on a system with MD5-CRYPT password scheme for all users, and 
I would like to update this to something that is secure, probably 
SSHA256-CRYPT, but I want to do this seamlessly without the users having to 
jump through any hoops.

The users are in mySQL (managed via postfixadmin) and the mailbox record simply 
stores the hash in the password field. Users access their accounts through IMAP 
MUAs or Roundcube.

How would I set up my system so that if a user logs in and still has a $1$ 
password (MD5-CRYPT) their password will be encoded to the new SCHEME and then 
the SQL row updated with the $5$ password instead? Something where they are 
redirected after authentication to a page that forces them to re-enter their 
password (or choose a new one) is acceptable.

And, while I am here, is it worthwhile to set the -r flag to a large number 
(like something over 1000)?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Flashlight spam (and others)

2016-12-17 Thread @lbutlr

> On Dec 17, 2016, at 10:40 AM, Dino Edwards  
> wrote:
> 
> Am I looking at this right? Does BAYES_00 assign a score of -4 on these 
> messages?

Yes. BAYES_00 is normally extremely effective at passing ham.

But note that the spam passed even WITHOUT BAYES_00

> X-Spam-Status: No, score=0.3 required=5.0 
> tests=BAYES_00,DCC_CHECK,DKIM_SIGNED,
>   HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,RDNS_NONE,
>   T_DKIM_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no 
> version=3.4.1





Re: Amavisd and Bayes (again...)

2016-11-24 Thread @lbutlr

> On Nov 24, 2016, at 7:09 AM, Dominic Raferd  wrote:
> 
> Maybe this can help: 
> https://www.nerd-quickies.net/2015/10/02/spamassassin-bayes_00-1-90-although-sa-learn-runs-daily/

SpamAssassin and Bayes work perfectly well when I run mail through SA myself. It 
is when amavis does it that Bayes doesn’t work.

I have the root bayes files linked to amavis’s home directory and have 
permissions set so they are readable. Still doesn’t work.



Re: Amavisd and Bayes (again...)

2016-11-24 Thread @lbutlr
On Nov 24, 2016, at 2:09 AM, Alex Masidlover  wrote:
> Any help would be appreciated before I drown in spam...

I’ve posted a couple of times about the same exact issue with amavis not using 
Bayes and so far no one has been able to provide any guidance as to why.

For now, I’ve given up. Amavis still catches a lot of spam without Bayes, and 
then I manually run received mail through SA again. It’s ugly, but it works.



Re: Spam tagging g in subject doubled up?

2016-11-09 Thread @lbutlr
On Nov 8, 2016, at 2:49 AM, Tilman Schmidt  wrote:
> On 02.11.2016 10:46, Indunil Jayasooriya wrote:
>> 
>> pls try below command with less
>> 
>> 
>> less /etc/amavisd.conf |grep -i sa_spam_subject_tag
> 
> Argh. Useless use of less is even worse than useless use of cat.
> Just do
> 
> grep -i sa_spam_subject_tag /etc/amavisd.conf

It is much easier to change the grep terms if you use

cat  | grep 

(up arrow, ^w, type new term)

I have no idea why anyone would use less there though.




Re: Spam tagging g in subject doubled up?

2016-11-02 Thread @lbutlr
Anyone?

On Oct 29, 2016, at 10:05 AM, @lbutlr <krem...@kreme.com> wrote:
> I can’t find where that *Spam* Subject tag is set; I’ve searched every file 
> in and under /usr/local/etc/ & /etc and the only match is in 
> amavisd.cong.sample and that is “***Spam***”.
> 
> I also cannot find where amavisd’s bayes files are. 
> 
> (I’ve been told they are in /var/spool/amavis/.spamassassin, but these files 
> do not get updated). The user vscan that runs amavis has a home folder at 
> /var/maiad/ but that .spamassassin folder is empty.

…



Spam tagging g in subject doubled up?

2016-10-28 Thread @lbutlr
I have:

$sa_spam_subject_tag = '(Spam _SCORE(00)_) ';

and I get spam tagging like this:

(Spam? 05.1) *Spam* 5.196:Recent CNN-Report… 


The string “*Spam” does not appear in my amavisd.conf

There are no uncommented lines in /var/spool/amavis/.spamassassin/local.cf

Not sure where else to look (and the Bayes files in 
/var/spool/amavis/.spamassassin/ are not being updated)




Re: Formatting of SA score in Subject?

2016-09-28 Thread @lbutlr
On Wed Sep 28 2016 00:54:12 Jeff Morris <jeffm...@nullmodem.org> said:
> 
> On 9/18/2016 8:32 AM, @lbutlr wrote:
>> On Fri Sep 16 2016 01:22:20 Jeff Morris  <jeffm...@nullmodem.org> said:
>>> On 9/12/2016 4:15 PM, Jeff Morris wrote:
>>>> On 9/4/2016 7:22 AM, @lbutlr wrote:
>>>> Thank you! I'm not sure how I missed that when I looked for it, but 
>>>> indeed, that works like a charm.
>>> Sigh. Well, it would appear that I spoke too soon. I *thought* it was 
>>> working like a charm; turns out I was looking at already delivered spam on 
>>> which I had already run a search and replace on the spam tag to make it 
>>> sortable. When I went back and looked at my spam folder again today I 
>>> realized that on new incoming spam, Amavisd is actually tagging with the 
>>> literal string "_SCORE(0)_". So for some reason, Amavisd doesn't recognize 
>>> this padded version of score for me. Was this a feature only added recently 
>>> perhaps? I'm running Centos7, using the amavisd-new-2.10.1-5 rpm. Any other 
>>> way to do this?
>> The _SCORE(PAD)_ is a spamassassin setting, not an amavis setting. Where are 
>> you setting it?
> 
> In amavisd.conf. The following was from my original question, looks like it 
> got snipped from the quotes above, sorry. I thought that things like this had 
> to be set in amavisd.conf, because amavis' config would override 
> spamassassin's own?


It’s my impression that the user_conf file would do this, but I cannot get 
amavisd to tag any messages (or even insert headers), though it does reject 
mail with high scores, so don’t rely on me on that score.




Re: spam connection failing

2016-09-21 Thread @lbutlr
On Fri Sep 16 2016 01:46:51 Tom Hendrikx<t...@whyscream.net> said:
> 
> spamc is ran by something else (not amavis). It fails because you don't
> have spamd running, which is not necessary for amavis.

OK.

Now, why does amavis not add SpamAssassin headers to any messages? As I said 
upthread I have it set to add them to anything that scores over 2.0

On Wed Sep 14 2016 15:59:11 @lbutlr <@lbutlr> said:
> I have $sa_tag_level_deflt  = 2.0; but X-Spam headers are not getting added 
> to any emails that I can find.




Re: Formatting of SA score in Subject?

2016-09-21 Thread @lbutlr
On Fri Sep 16 2016 01:22:20 Jeff Morris <jeffm...@nullmodem.org> said:
> 
> On 9/12/2016 4:15 PM, Jeff Morris wrote:
>> On 9/4/2016 7:22 AM, @lbutlr wrote:
>>> On 01 Sep 2016, at 13:18, Jeff Morris <jeffm...@nullmodem.org> wrote:
>>>>$sa_spam_subject_tag = sprintf( "[SPAM: %06.3f]", _SCORE_ );
>>>> 
>>>> Or is there a better way to do what I want? Maybe there's a token like 
>>>> _ZSCORE_ ? :-)
>>> Close.
>>> 
>>> _SCORE(PAD)_  message score, if PAD is included and is either spaces or
>>>               zeroes, then pad scores with that many spaces or zeroes
>>>               (default, none)  ie: _SCORE(0)_ makes 2.4 become 02.4,
>>>               _SCORE(00)_ is 002.4.  12.3 would be 12.3 and 012.3
>>>               respectively.
>>> 
>>> _SCORE(0)_ will pad with 0’s and _SCORE( )_ will pad with spaces
>> 
>> Thank you! I'm not sure how I missed that when I looked for it, but indeed, 
>> that works like a charm.
> 
> Sigh. Well, it would appear that I spoke too soon. I *thought* it was working 
> like a charm; turns out I was looking at already delivered spam on which I 
> had already run a search and replace on the spam tag to make it sortable. 
> When I went back and looked at my spam folder again today I realized that on 
> new incoming spam, Amavisd is actually tagging with the literal string 
> "_SCORE(0)_". So for some reason, Amavisd doesn't recognize this padded 
> version of score for me. Was this a feature only added recently perhaps? I'm 
> running Centos7, using the amavisd-new-2.10.1-5 rpm. Any other way to do this?

The _SCORE(PAD)_ is a spamassassin setting, not an amavis setting. Where are 
you setting it?




Re: List issues?

2016-09-21 Thread @lbutlr
On Fri Sep 16 2016 01:27:41 amavis-us...@list-post.mks-mail.de  
<amavis-us...@list-post.mks-mail.de> said:
> 
> 15.09.2016, 11:05 +0200 @lbutlr:
> 
>> I sent a message to the list yesterday (15:59 -0600) and it has not
>> shown up, nor have I gotten any sort of notification that it was not
>> posted or was rejected for some reason.
> 
> Your message has shown up and it's in the list archive:
> <https://lists.amavis.org/pipermail/amavis-users/2016-September/004458.html>


It took nearly a full day for the message that I posted to show up in my mail 
box from the list. People who posted replies to the message say the replies 
never showed up, or showed up very late.

Return-Path: <amavis-users-bounces+kremels=kreme@amavis.org>
X-Original-To: krem...@covisp.net
Delivered-To: krem...@covisp.net
Received: from mail.covisp.net (localhost [127.0.0.1])
by mail.covisp.net (Postfix) with ESMTP id 3sZm9P6R2Jz1Gxvp;
Thu, 15 Sep 2016 11:48:25 -0600 (MDT)

15 Sep at 11:48

Received: from de.postfix.org (localhost [127.0.0.1])
by de.postfix.org (Postfix) with ESMTP
for <krem...@kreme.com>; Thu, 15 Sep 2016 19:47:27 +0200 (CEST)

Received: from localhost (localhost [127.0.0.1])
 by de.postfix.org (Postfix) with ESMTP id 44BBD3DD4D
 for <amavis-users@amavis.org>; Thu, 15 Sep 2016 00:06:16 +0200 (CEST)

A 19 hour and 41 minute delay between these two Received events.

Date: Wed, 14 Sep 2016 15:59:11 -0600

So, it took about 6 minutes for my message to get to postfix.org and then 19 
hours for it to get back to me.

The other message has similar headers:

Received: from postfix.charite.de (postfix.charite.de [141.42.206.35])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.covisp.net (Postfix) with ESMTPS id 3sb9MX1tFMz1GxHF
for <krem...@kreme.com>; Fri, 16 Sep 2016 03:43:36 -0600 (MDT)

Received: from de.postfix.org ([127.0.0.1])
by localhost (de.postfix.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id QyWNj_LTx_EA for <krem...@kreme.com>;
Fri, 16 Sep 2016 11:43:11 +0200 (CEST)

Received: from mail.covisp.net (mail.covisp.net [65.121.55.42])
 by de.postfix.org (Postfix) with ESMTPS
 for <amavis-users@amavis.org>; Thu, 15 Sep 2016 11:05:47 +0200 (CEST)

Date: Thu, 15 Sep 2016 03:05:34 -0600

But this one has a delay of over 24 hours.




List issues worse

2016-09-21 Thread @lbutlr
A message I sent two days ago has still not shown up on the list (for me).

From: "@lbutlr" <krem...@kreme.com>
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Subject: Re: List issues?
X-Universally-Unique-Identifier: BA3CF105-2118-4E6E-B670-F849F0BA7373
Date: Sun, 18 Sep 2016 09:30:48 -0600
References: <cec8bfb6-89df-4f0b-96f1-5f188ced0...@kreme.com>
 <3e9f5607-b245-66f2-27e2-4c334afcd...@list-post.mks-mail.de>
To: amavis-users@amavis.org

It is now Tuesday at 14:12, so that message is nearly 53 hours old.


Re: List issues?

2016-09-21 Thread @lbutlr
On Sat Sep 17 2016 01:38:46 Hoyer-Reuther, Christian
 said:
> 
> It seems the problem is when we reply then the e-mail is not addressed to 
> amavis-users@amavis.org but to the sender of the last mail.

That is not the source of the delays I am seeing.





List issues?

2016-09-15 Thread @lbutlr
I sent a message to the list yesterday (15:59 -0600) and it has not shown up, 
nor have I gotten any sort of notification that it was not posted or was 
rejected for some reason.



Re: Formatting of SA score in Subject?

2016-09-04 Thread @lbutlr
On 01 Sep 2016, at 13:18, Jeff Morris  wrote:
> 
>$sa_spam_subject_tag = sprintf( "[SPAM: %06.3f]", _SCORE_ );
> 
> Or is there a better way to do what I want? Maybe there's a token like 
> _ZSCORE_ ? :-)

Close.

_SCORE(PAD)_  message score, if PAD is included and is either spaces or
              zeroes, then pad scores with that many spaces or zeroes
              (default, none)  ie: _SCORE(0)_ makes 2.4 become 02.4,
              _SCORE(00)_ is 002.4.  12.3 would be 12.3 and 012.3
              respectively.

_SCORE(0)_ will pad with 0’s and _SCORE( )_ will pad with spaces

Re: ClamAV via Amavis and logs?

2016-05-21 Thread @lbutlr
On May 21, 2016, at 2:32 PM, Patrick Ben Koetter  wrote:
> clamav has its own independent logging. You can control it in clamd.conf. None
> of that makes it into amavis.

It does not appear that any information about specific messages and tests gets 
logged to the clamd.log file though. All it contains is lines telling me the 
database status is OK and the occasional message that the signatures were 
reloaded without error.

-- 
'It is always useful to face an enemy who is prepared to die for his
country,' he read. 'This means that both you and he have exactly the
same aim in mind.'



ClamAV via Amavis and logs?

2016-05-21 Thread @lbutlr
I have amavisd running clamav, but nothing from clamav appears in any logs.

The only thing I do see is lines like this:

May 21 13:57:29 mail amavis[89288]: (89288-01) Passed SPAM 
{RelayedTaggedInbound,RelayedOpenRelay,Quarantined}, [127.0.0.1] [96.84.245.98] 
 -> <*munged*@covisp.net>,, 
quarantine: spam-HQ5gUZA4rXw5.gz, Message-ID: 
<20160521135753.53cc3bf.11e6...@eflyermarketing.com>, mail_id: HQ5gUZA4rXw5, 
Hits: 12.244, size: 7392, queued_as: 3rBwZK26fmzpL6q/3rBwZK2BmyzpLTW, 4180 ms

And an ever-expanding archive of quarantined emails in /var/virusemails/

Is there anyway to enable some more logging? Should I be doing anything with 
the quarantine other than hanging on to the messages for a while in case 
something is an FP?

-- 
I'm Luke Skywalker, I'm here to rescue you.



Re: handling unknown recipients

2016-04-28 Thread @lbutlr
On Apr 26, 2016, at 8:07 AM, Tilman Schmidt  wrote:
> Running Postfix with amavisd-new and quarantining attachments seems to
> produce an unfortunate interaction when mail with a banned attachment
> arrives for an unknown recipient:

Why are you ever accepting mail for a user that doesn’t exist?

> Is there a way to validate the recipient address before bothering with
> the content of the mail?

Yes, have postfix check for valid users first before passing the message to 
amavis.


-- 
Humans are always slightly lost. It's a basic characteristic. It
explains a lot about them.
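What "have postfix check for valid users first" looks like in main.cf, as an added configuration example for this page (not from the thread). Postfix rejects unknown recipients at RCPT TO, before content_filter ever hands the message to amavisd, but only for address classes whose recipient maps are populated; the map file names below are assumptions.

```conf
# Default is already "yes": a recipient that is not listed in the relevant
# *_recipient_maps / *_mailbox_maps is rejected with "User unknown" during
# the SMTP session.  The check does nothing for a class whose map is empty.
smtpd_reject_unlisted_recipient = yes

# Domains in mydestination: the default below is right for system accounts.
# Setting this parameter empty turns the check off and accepts every address.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# Virtual mailbox domains: every deliverable address must appear in one of
# these two maps.  (Map names are assumptions for this example.)
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps   = hash:/etc/postfix/virtual

# Relay domains (mail forwarded to another MTA): an empty relay_recipient_maps
# means "accept any recipient in relay_domains", which is exactly the
# unknown-recipient-with-banned-attachment case.  Either list the valid
# addresses ...
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# ... or, when the downstream list is not available, probe the next hop:
#   smtpd_recipient_restrictions = permit_mynetworks,
#       reject_unauth_destination, reject_unverified_recipient
```

With the maps in place, `postconf -n | grep -E 'recipient_maps|mailbox_maps'` is a quick check that none of the classes you actually serve has been left empty.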



Re: subject line not prefixed

2016-04-27 Thread @lbutlr
On Apr 26, 2016, at 5:42 AM, Michael H  wrote:
> Could you amend the configuration for the mailing list to include
> something in the subject line, like maybe [amavis-users]?

Please do NOT do this. Ever.

> This is the only mailing list I'm on where my filters have difficulty
> pinning all of the messages and it's a nuisance.

Filter better.

List-Id: "General support and discussion mailing list for AMaViS
 \(amavisd-new\)" 

(That is the header you should filter list mail on).


-- 
'What can I do? I'm only human,' he said aloud. Someone said, Not all
of you. --Pyramids



Re: From address spoofing my domain

2016-03-19 Thread @lbutlr
On Mar 19, 2016, at 4:24 PM, Benny Pedersen  wrote:
> sender did not add @ in from header, if you remove @forged domain you see 
> something about mortgage

Is this amavisd adding the domain, and why is it generating an error that stops 
the spam from being quarantined and/or tagged?

-- 
> I miss the old days. I haven't killed anyone in years.

That's sad.



Re: From address spoofing my domain

2016-03-19 Thread @lbutlr
On Mar 19, 2016, at 3:47 PM, @lbutlr <krem...@kreme.com> wrote:
> A user has been getting a lot of spam with headers that look something like 
> this:
> 
> From: bos...@covisp.net, h...@covisp.net, restorat...@covisp.net

One other detail, these are emails that SHOULD be getting quarantined. Here is 
one to that same user from a couple of days ago:

Mar 17 08:24:16 mail amavis[32815]: (32815-11) Passed SPAM 
{RelayedOpenRelay,Quarantined}, [127.0.0.1] [92.63.96.246] 
<cont...@aspmx3.incrustment.com> -> 
<bac...@southgaylord.com>,<us...@sqldomain.tld>, quarantine: 
spam-lNjPXhL4sHt2.gz, Message-ID: <4045e937a81af6f206d718e539ed1...@gmx.com>, 
mail_id: lNjPXhL4sHt2, Hits: 7.534, size: 2178, queued_as: 3qQrFr5PjgzpKv0, 
1081 ms

Could it be the always_bcc setting in postfix that is causing Amavisd to error 
out? If so, how do I keep both the backup bcc and amavisd happy?

-- 
The Germans wore gray, you wore blue.



Re: Meaning of ".asc" in BANNED messages

2016-03-08 Thread @lbutlr
On Mar 8, 2016, at 11:21 AM, Tom Hendrikx <t...@whyscream.net> wrote:
> On 08-03-16 19:15, @lbutlr wrote:
>> On Mar 8, 2016, at 10:31 AM, Tom Hendrikx <t...@whyscream.net> wrote:
>>> On 08-03-16 16:58, @lbutlr wrote:
>>>> What is “.asc” since that is not a banned attachment.
>>> 
>>> A pgp signature, this message has one
>> 
>> There is no way that every one of these javascript-containing
>> messages has a pgp signature.
>> 
> 
> It's probably an evil javascript simply trying to mask as a pgp sig.

No. *EVERY* message that hits BANNED has the same pattern,

.asc,.js

100%. No exceptions.

Considering I can count on one hand with not all the fingers the number of spam 
messages I’ve ever seen with faked PGP sig, this is something else.

-- 
CURSIVE WRITING DOES NOT MEAN WHAT I THINK IT DOES Bart chalkboard Ep.
2F11



Re: Meaning of ".asc" in BANNED messages

2016-03-08 Thread @lbutlr
On Mar 8, 2016, at 10:31 AM, Tom Hendrikx <t...@whyscream.net> wrote:
> On 08-03-16 16:58, @lbutlr wrote:
>> What is “.asc” since that is not a banned attachment.
> 
> A pgp signature, this message has one

There is no way that every one of these javascript-containing messages has a 
pgp signature.

-- 
Get in there you big furry oaf! I don't care what you smell!



Re: Virus notification

2016-03-08 Thread @lbutlr

> On Mar 8, 2016, at 10:14 AM, Tom Hendrikx <t...@whyscream.net> wrote:
> 
> 
> On 08-03-16 16:56, @lbutlr wrote:
>> before I duplicate work, I thought I’d check if someone else has
>> already done something like this.
>> 
>> Currently, amavis sends a notification to the virusal...@mydomain.tld
>> address when it catches something with a forbidden (BANNED)
>> attachment.
>> 
>> I’d like to create a notification email for the original user that
>> says something like “an email from  was blocked
>> because it had an attachment of type $TLX" where $TLX is the
>> attachment extension that was caught by amavisd.
>> 
> 
> Seeing that most of the stuff that I catch with a virus scanner on
> incoming mail is sent by a bad guy (or a botnet on behalf of a bad guy),
> and not by an innocent person with a PC that generates macro-infected
> office documents (for instance).
> 
> The mail from the bad guy is never sent from a valid address, so you'll
> be generating backscatter when you inform the envelope sender

No, I want to notify the intended recipient (well, *AN* intended recipient).

> It's way better to scrub the attachment and send the message along, in
> that way the recipient can at least see the original message contents
> (without the attachment).

How do you do that? (Isn’t mimedefang kind of dead?)

-- 
By the way, I think you might be the prettiest girl I've ever seen
outside the pages of a really filthy magazine



Virus notification

2016-03-08 Thread @lbutlr
before I duplicate work, I thought I’d check if someone else has already done 
something like this.

Currently, amavis sends a notification to the virusal...@mydomain.tld address 
when it catches something with a forbidden (BANNED) attachment.

I’d like to create a notification email for the original user that says 
something like “an email from  was blocked because it had an 
attachment of type $TLX" where $TLX is the attachment extension that was caught 
by amavisd.



-- 
'I warn you, dragon, the human spirit is-' They never found out what it
was, or at least what he thought it was, although possibly in the dark
hours of a sleepless night some of them might have remembered the
subsequent events and formed a pretty good and gut-churning insight, to
whit, that one of the things sometimes forgotten about the human spirit
is that while it is, in the right conditions, noble and brave and
wonderful, it is also, when you get right down to it, only human.



Re: Use X-Amavis-Alert header to influence Spam Assassin Scoring

2016-03-08 Thread @lbutlr
On 7 Mar 2016, at 12:13, Josh Hamell  wrote:
> 
> Amavis headers are injected in immediately before delivery, and
> therefore aren't available for SA to analyze.

This is my understanding, amavis headers aren't there until after SA

-- 
This is my signature. There are many like it, but this one is mine.



Re: help on bulkmail , offers - amavisd.conf file

2016-03-03 Thread @lbutlr
On Wed Mar 02 2016 22:16:05 Indunil Jayasooriya  said:
> 
>   [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],


> bulkm...@anydomain1.com 
> bulkm...@anydomain2.com

Yes. This is the section that starts with the comment:

# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({

> or any username having word bulkmail , offers 
> 
> *bulkmail*@anydomain1.com 
> *bulkmail*@anydomain1.com 

No. The match is anchored (start and @ are the anchors), so 
4bulkmai...@yaho.tld would not match.

> they get Positive 5. (Also case insensitive due to  "@i " ) 

Yes.

> Subject or body containing words such as bulkmail , offers and so on listed 
> there? 

No, this is only looking at the sender.

-- 
He'd never felt really at home with swords, but a cleaver was a different
matter. A cleaver had weight. It had purpose. A sword might have a certain
nobility about it, unless it was the one belonging for example to Nobby, which
relied on rust to hold it together, but what a cleaver had was a tremendous
ability to cut things up.




Re: js in zip attachment of e-mail

2016-03-03 Thread @lbutlr
On Thu Mar 03 2016 08:19:21 Thomas Spuhler  <thomas.spuh...@btspuhler.com> 
said:
> 
> On Wednesday, March 02, 2016 04:34:39 PM @lbutlr wrote:
>> On Wed Mar 02 2016 07:32:48 Dino Edwards <dino.edwa...@mydirectmail.net> 
>> said:
>>> Like this:
>>> 
>>> [qr'.\.(js)$'ix => 1]
>> 
>> And where would I put that? And what sort of config is that? I’ve never seen
>> any config file that put things inside square brackets…
> 
> 
> I changed this line in /etc/amavisd/amavisd.conf in section 
> $banned_filename_re = new_RE(  

Thanks.

I went with:

 
  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmf|wsc|wsf|wsh)$'ix,
                                          # banned extensions - long
  qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
  qr'^\.ani$',                            # banned animated cursor file(1) type
  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerable

Considering adding the MS-Office extensions as well, but I think postfix 
already bans those.

-- 
'Winners never talk about glorious victories. That's because they're the
ones who see what the battlefield looks like afterwards. It's only the
losers who have glorious victories.' --Small Gods




Re: js in zip attachment of e-mail

2016-03-02 Thread @lbutlr
On Wed Mar 02 2016 07:32:48 Dino Edwards 
said:
> 
> Like this:
> 
> [qr'.\.(js)$'ix => 1]

And where would I put that? And what sort of config is that? I’ve never seen 
any config file that put things inside square brackets…


-- 
Blatant mistakes are the best kind. — John W Baxter



Re: js in zip attachment of e-mail

2016-03-02 Thread @lbutlr
On Mar 1, 2016, at 3:05 PM, Jakob Curdes  wrote:
> Am 01.03.2016 um 22:38 schrieb Thomas Spuhler:
>> There are a lot of e-mails on the loose with subject "Unpaid invoice # "
>> containing a zipped js (JavaScript) I got about 10 of them today.
>> Is there a way to filter them out using amavisd?
> 
> We just banned .js as mail attachments everywhere, no sane human would 
> probably send .js files as a mail attachment over a public mail server!?

I’m new to amavisd, how exactly would I add .js to the blacklist and will that 
work for .js files inside zips?


-- 
No matter how fast light travels it finds the darkness has always got
there first, and is waiting for it.



Re: Amavis and ClamAV and YARA

2016-02-26 Thread @lbutlr
On Fri Feb 26 2016 03:39:51 Olivier Nicole said:
> 
> I installed YARA and YARA-rules (from
> https://github.com/Yara-Rules/rules0 and I have been quite disappointed.

That URL does not load.

-- 
He felt as if he'd been shipwrecked on the Titanic but in the nick of
time had been rescued. By the Lusitania.



virusalert emails

2016-02-19 Thread @lbutlr
I have an email sitting in my mailq directed at a local user 
virusalert@$mydomain which appears to have been caught by amavis/clamav.

While I am, of course, happy that this email was not delivered to the intended 
mailbox, I also don’t want it cluttering up my mailq, and while I find it 
unlikely, I suppose it is possible that something might be caught that is not a 
virus, so I should probably be able to recover the emails in the exceedingly 
unlikely case of a false positive.

So, what should I have set up on my system for this?

A local alias? A quarantine that is somehow available to the intended 
recipient? Forward all these alerts to the admin user where they can collect 
dust on the off chance someone needs to check on them?

And what do I do with the copies of all the spam and bad virus mails that are 
collecting in /var/virusalert?


-- 
"I know she's in there," said Verence, holding his crown in his hands in
the famous Ai-Señor-Mexican-Bandits-Have-Raided-Our-Village position



Re: Upcoming Release: feature Request

2016-02-16 Thread @lbutlr
On Feb 16, 2016, at 3:31 AM, Patrick Ben Koetter <p...@sys4.de> wrote:
> * @lbutlr <krem...@kreme.com>:
>> On Feb 15, 2016, at 1:53 PM, A. Schulze <s...@andreasschulze.de> wrote:
>>> Feature Request: Amavisd-new should recognise A-R header and use/trust them.
>>> Assumption: the A-R header aren't present in an incoming message but really 
>>> added by a local milter.
>> 
>> How would amavis know if the headers were added by the local server or faked 
>> by the spammer?
> 
> One could remove any existing headers, add ones own and then trust them.

How does amavis know if you removed the spammer headers and added your own?


-- 
'Charity ain't giving people what you wants to give, it's giving people
what they need to get.'



Re: Upcoming Release: feature Request

2016-02-16 Thread @lbutlr
On Feb 15, 2016, at 1:53 PM, A. Schulze  wrote:
> Feature Request: Amavisd-new should recognise A-R header and use/trust them.
> Assumption: the A-R header aren't present in an incoming message but really 
> added by a local milter.

How would amavis know if the headers were added by the local server or faked by 
the spammer?

-- 
'We'll all be killed.' 'Think of it as the lesser of two evils.' 'What's
the other one?' Vimes drew his sword. 'Me.' --Jingo



Re: Mail from own host is recognized as spam

2016-02-16 Thread @lbutlr
On Feb 15, 2016, at 7:51 AM, Catscrash  wrote:
> I have a problem with mail being marked as SPAM, although being
> transmitted between virtual domains on the same hosts.

Why are you sending mail between local domains to amavis?

-- 
I WILL NOT PLEDGE ALLEGIANCE TO BART Bart chalkboard Ep. 7F09



Re: The amavisd daemon is apparently not running, no PID file (OSX 10.11.x)

2016-02-13 Thread @lbutlr
On Sat Feb 13 2016 02:59:24 Roland Schmid said:
> 
>> Be that as it may, changing the setting behind the Server app’s back is 
>> likely to result in much wailing and gnashing of teeth.
> 
>> No one is required to use the Server app on OS X, but if one does use it, 
>> don’t go mucking about, simply use it.
> 
> the Server app does not allow all configuration options as needed for our 
> purpose of mail delivery
> so I had to configure it using command line
> Unfortunately our CEO decided to use it, it was not my choice

Well, pick one. Either use the server app or, if it doesn’t do what you need, 
don’t use the server app.

Using the server app AND changing things manually will break. Guaranteed.


-- 
In the words of one of the founding Igors: 'We belong dead? Ecthcuthe
me? Where doeth it thay "we"?'



Re: The amavisd daemon is apparently not running, no PID file (OSX 10.11.x)

2016-02-12 Thread @lbutlr
On Feb 11, 2016, at 7:35 AM, Roland Schmid 
 wrote:
>> Manage these parameters via the Server.app application. It works fine this
>> way.
>> 
>> If you go in the "Mail" section and enable junk mail filtering, it enables
>> Amavisd.
> 
> the Server App is unreliable. That's what my experience is.

Be that as it may, changing the setting behind the Server app’s back is likely 
to result in much wailing and gnashing of teeth.

No one is required to use the Server app on OS X, but if one does use it, 
don’t go mucking about, simply use it.

-- 
AUDITORS OF REALITY. THEY THINK OF LIFE AS A STAIN ON THE UNIVERSE. A
PESTILENCE. MESSY. GETTING IN THE WAY. 'In the way of what?' THE
EFFICIENT RUNNING OF THE UNIVERSE.



Re: Spamassassin local rules not accessed?

2016-02-05 Thread @lbutlr
On Thu Feb 04 2016 01:17:37 Vicki Brown  said:
> 
> I thought Spamassassin local.cf was supposed to be accessed. However, 
> evidence implies otherwise.
> There is no indication that our local rules are ever triggered.

That is the case here as well.

-- 
I intend to live forever -- so far, so good!



Re: Training Amavis

2016-02-01 Thread @lbutlr
On Feb 1, 2016, at 6:43 AM, btb  wrote:
> you must train the database that is used during message evaluation. that is 
> to say, whatever user is running amavis

Thank you.

-- 




Re: Subject tag

2016-01-31 Thread @lbutlr
On 31 Jan 2016, at 04:16, Marius Gologan  wrote:
> $sa_spam_subject_tag = 'Spam (_REQD_) _SCORE_: '

Thanks, I will give that a shot (well, without the _REQD_ field).

-- 
You have severe reading comprehension problems that I can not be held 
responsible for.



Re: Training Amavis

2016-01-31 Thread @lbutlr

> On Jan 31, 2016, at 9:49 PM, listsb-ama...@bitrate.net wrote:
> 
> 
>> On Jan 31, 2016, at 23.07, @lbutlr <krem...@kreme.com> wrote:
>> 
>> I get daily mails from wordpress verifying backups and these are all tagged 
>> as spam (at a very high score in the 7-13 range).
>> 
>> How do I train amavis? Do I just run normal sa-learn as root? As the user? 
>> as the scan user?
> 
> you don't train amavis.  you train spamassassin.  they are two different 
> pieces of software, which work well together.  while training spamassassin is 
> good to do regardless of if you are having a problem or not, blindly training 
> it to solve a specific problem is not a sensible approach.

I ma not blindling trainmen it. i wam training false positives as ham.

What I need to know is what user to train them as so that amavis will use the 
bases database that I am training to.

They all hit BAYES_99 and BAYES_999, some hit other rules as well.

X-Spam-Status: Yes, score=10.2 required=5.0 tests=BAYES_99,BAYES_999,
	HEADER_FROM_DIFFERENT_DOMAINS,NO_RELAYS,TVD_SPACE_RATIO,TVD_SPACE_RATIO_MINFP
	autolearn=no autolearn_force=no version=3.4.1


> instead, look at the *actual* scoring the message was given [X-Spam-Status 
> header], and see which rule[s] are the ones which significantly contributed 
> to the score.

Yes, that’s what I’ve done.

> then you can determine the right way to solve the problem.

Training falsely classified mail is *always* a good idea.

The question still remains, do I train SA as root, as the user (which is a 
problem for most of the users since they are virtual users in a database) or as 
the vscan user?

That is to say:

sa-learn -u *WHAT* --ham /path/to/ham

-- 
Stone circles were common enough everywhere in the mountains. Druids
built them as weather computers, and since it was always cheaper to
build a new 33-Megalith circle than to upgrade an old slow one, there
were generally plenty of ancient ones around --Lords and Ladies



Re: Training Amavis

2016-01-31 Thread @lbutlr
On Feb 1, 2016, at 12:32 AM, @lbutlr <krem...@kreme.com> wrote:
> I ma not blindling trainmen it. i wam training false positives as ham.

Wow. I have no idea how that happened.

I am not blindly training it, I am training false positives as ham.

-- 
"We're philosophers. We think, therefore we am."



Training Amavis

2016-01-31 Thread @lbutlr
I get daily mails from wordpress verifying backups and these are all tagged as 
spam (at a very high score in the 7-13 range).

How do I train amavis? Do I just run normal sa-learn as root? As the user? As 
the scan user?

-- 
'The only reason we're still alive now is that we're more fun alive than
dead,' said Granny's voice behind her. --Lords and Ladies



Subject tag

2016-01-30 Thread @lbutlr
Is it possible to put the score into the subject tag for spam instead of just 
***Spam***? I didn’t see anything obvious in the conf file.

-- 
"A politician is a man who approaches every problem with an open mouth."