mmerlin
asked on
How to add extra RBL tests for SpamAssassin
I'm trying to add some more RBL (realtime blackhole list) tests into SpamAssassin's config.
/etc/mail/spamassassin/loc
As per instructions shown at
http://nospam.arix.com/dns.php
I have added the following (below) into my local.cf file but I'm not getting any hits with these tests (on emails that should be triggering these tests)
Besides just modifying the local.cf file, do I need to put some other setting somewhere else?
#trying to add som RBL tests
header ARIX_DF rbleval:check_rbl('arix-df
describe ARIX_DF Recent dictionary spammer
tflags ARIX_DF net
score ARIX_DF 5.0
#header ARIX_DS rbleval:check_rbl('arix-ds
#describe ARIX_DS Sender has a history of dictionary spamming
#tflags ARIX_DS net
#score ARIX_DS 0.5
header DYNABLOCK rbleval:check_rbl('dynablo
describe DYNABLOCK mm added
tflags DYNABLOCK net
score DYNABLOCK 5.0
header EASYNET rbleval:check_rbl('easynet
describe EASYNET mm added
tflags EASYNET net
score EASYNET 5.0
header ABUSEAT rbleval:check_rbl('abuseat
describe ABUSEAT mm added
tflags ABUSEAT net
score ABUSEAT 5.0
header SPAMHAUS rbleval:check_rbl('spamhau
describe SPAMHAUS mm added
tflags SPAMHAUS net
score SPAMHAUS 5.0
header BLITZED rbleval:check_rbl('blitzed
describe BLITZED mm added
tflags BLITZED net
score BLITZED 5.0
header DSBL rbleval:check_rbl('dsbl', 'list.dsbl.org.')
describe DSBL mm added
tflags DSBL net
score DSBL 5.0
--------------------------
Here is my
etc/MailScanner/spam.assas
# MailScanner
# MailScanner users, please see the comments at the bottom of this file.
# MailScanner
#
# SpamAssassin user preferences file.
#
# Format:
#
# required_hits n
# (how many hits are required to tag a mail as spam.)
#
# auto_report_threshold n
# (spams with this many hits or more, will be reported
# as spam straightaway without requiring human verification.)
#
# score SYMBOLIC_TEST_NAME n
# (if this is omitted, 1 is used as a default score.
# Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
##########################
# JKF 25/10/2002
# These next 3 lines add a local rule to SpamAssassin to help protect you
# from the friendlygreetings.com nasty-gram which will send lots of spam
# from your PC if you let it. Not really a virus, but you don't want your
# users all clicking on it.
header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0
# MM 23/10/2003
body MMVIAGRA2 /viagra/i
describe MMVIAGRA2 mmrule
score MMVIAGRA2 5
body MMVICODIN2 /vicodin/i
describe MMVICODIN2 mmrule
score MMVICODIN2 5
body MMPRESCRIPTION /prescription/i
describe MMPRESCRIPTION mmrule
score MMPRESCRIPTION 3
##########################
# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.
# JKF 25/10/2002
# The required_hits value is now specified in the MailScanner configuration
# file, not here. Look for the word "Required" in there and you will find it.
required_hits 5
auto_report_threshold 30
# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings. one exception is that "*@isp.com" is allowed. They should be in
# lower-case. You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
#whitelist_from monty@roscom.com
# Add your blacklist entries in the same format...
#
# blacklist_from friend@public.com
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
ok_locales en
# By default, the subject lines of suspected spam will be tagged.
# This can be disabled here.
#
# rewrite_subject 0
# By default, spamassassin will include its report in the body
# of suspected spam. Enabling this causes the report to go in the
# headers instead. Using 'use_terse_report' for this is recommended.
#
# report_header 1
# By default, SpamAssassin uses a fairly long report format.
# Enabling this uses a shorter format which includes all the
# information in the normal one, but without the superfluous
# explanations.
#
# use_terse_report 0
# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
#
# defang_mime 0
# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#
# skip_rbl_checks 1
##########################
# Add your own customised scores for some tests below. The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .
# MailScanner: Comment out the next line to enable DCC checking if you
# have dcc installed (optional part of SpamAssassin)
score DCC_CHECK 0.0
#
# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET 4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL 10
#score RCVD_IN_RSS 1
#score RCVD_IN_DUL 1
--------------------------
And here is my
etc/MailScanner/MailScanne
# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
# A lot of the settings can take a ruleset as well as just simple
# values. These rulesets are files containing rules which are applied
# to the current message to calculate the value of the configuration
# option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
# As well as rulesets, you can now include your own functions in
# here. Look at the directory containing Config.pm and you will find
# CustomConfig.pm. In here, you can add your own "value" function and
# an Initvalue function to set up any global state you need such as
# database connections. Then for a setting below, you can put:
# Configuration Option = &ValueFunction
# where "ValueFunction" is the name of the function you have
# written in CustomConfig.pm.
#
#
# System settings
# ---------------
#
# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
#
# As a rough guide, try 5 children per CPU.
Max Children = 5
# User to run as (not normally used for sendmail)
#Run As User = mail
# Group to run as (not normally used for sendmail)
#Run As Group = mail
# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 10
# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
# Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
# Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
# which can in turn contain wildcards.
# Example: /etc/MailScanner/mqueue.in
#
Incoming Queue Dir = /home/spool/mqueue.in
# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /home/spool/mqueue/q1
# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/inc
# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/qua
# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid
# To avoid resource leaks, re-start periodically
Restart Every = 14400
# Set whether to use sendmail or exim
MTA = sendmail
# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail
# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
#
# Processing Incoming Mail
# ------------------------
#
# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 100
Max Unsafe Messages Per Scan = 100
# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes
# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no
# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
# This can also be the filename of a ruleset.
TNEF Expander = /usr/bin/tnef --maxsize=100000000
# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 150
#
# Virus Scanning and Vulnerability Testing
# --------------------------
#
# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# NOTE: This switch actually switches on/off all processing of the email
# messages. If you just want to switch off actual virus scanning,
# then set "Virus Scanners = none" instead.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
#Virus Scanning = yes
Virus Scanning = /etc/MailScanner/rules/vir
# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
# clamav from clamav.elektrapro.com, or
# trend from www.trendmicro.com, or
# none (no virus scanning at all)
#
# Note for McAfee users: do not use any symlinks with McAfee at all. It is
# very strange but may not detect all viruses when
# started from a symlink or scanning a directory path
# including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
# space-separated list of virus scanners. For example:
# Virus Scanners = sophos f-prot mcafee
#
Virus Scanners = rav
# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300
# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# This can also be the filename of a ruleset.
Deliver Disinfected Files = yes
# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
# (but it will still be "cleaned" by removing the nasty attachments
# from the message)
# 3) The recipient will not receive the message,
# unless the "Still Deliver Silent Viruses" option is set
# This can also be the filename of a ruleset.
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Sobig
# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good because it shows management that MailScanner
# is protecting them, but it is bad because they have to filter/delete all
# the incoming virus warnings.
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = no
#
# Removing/Logging dangerous or potentially offensive content
# --------------------------
#
# Do you want to allow <IFrame> tags in email messages? This is not a good
# idea as it allows various Microsoft Outlook security vulnerabilities to
# remain unprotected, but if you have a load of mailing lists sending them,
# then you will want to allow them to keep your users happy.
# This can also be the filename of a ruleset, so you can allow them from
# known mailing lists but ban them from everywhere else.
Allow IFrame Tags = yes
# Banning <IFrame> tags completely is likely to break some common HTML
# mailing lists, such as Dilbert and other important things like that.
# So before you implement any restriction on them, you can log the sender
# of any message containing an <IFrame>, so that you can set the option
# above to be a ruleset allowing IFrame tags from named "From" addresses
# and banning all others.
# This can also be the filename of a ruleset.
Log IFrame Tags = no
# Do you want to allow <Object Codebase=...> tags in email messages?
# This is bad idea as it leaves you unprotected against various
# Microsoft-specific security vulnerabilities. But if your users demand
# it, you can do it.
# This can also be the filename of a ruleset, so you can allow them just
# for specific users or domains.
Allow Object Codebase Tags = no
# Do you want to convert HTML messages containing <IFrame> or
# <Object Codebase=...> tags into plain text?
# This will only apply if you are also allowing the tags to be present
# using the configuration options above. You can allow messages
# that contain the tags, but convert them to plain text. This makes
# the HTML harmless, while still allowing your users to see the text
# content of the messages.
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = yes
# Do you want to convert all HTML messages into plain text?
# This is very useful for users who are children or are easily offended
# by nasty things like pornographic spam.
# This can also be the filename of a ruleset, so you can switch this
# feature on and off for particular users or domains.
Convert HTML To Text = no
#
# Attachment Filename Checking
# --------------------------
#
# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
Filename Rules = /etc/MailScanner/filename.
#
# Reports and Responses
# ---------------------
#
# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes
# Do you want to quarantine the original *entire* message as well as
# just the infected attachments?
# This can also be the filename of a ruleset.
Quarantine Whole Message = no
# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = no
# Set where to find all the strings used so they can be translated into
# your local language.
# This can also be the filename of a ruleset so you can produce different
# languages for different messages.
Language Strings = /etc/MailScanner/reports/e
# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message.
# These can also be the filenames of rulesets.
Deleted Bad Filename Message Report = /etc/MailScanner/reports/e
Deleted Virus Message Report = /etc/MailScanner/reports/e
# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message and stored in the quarantine.
# These can also be the filenames of rulesets.
Stored Bad Filename Message Report = /etc/MailScanner/reports/e
Stored Virus Message Report = /etc/MailScanner/reports/e
# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
# This can also be the filename of a ruleset.
Disinfected Report = /etc/MailScanner/reports/e
# Set where to find the HTML and text versions that will be added to the
# end of all clean messages, if "Sign Clean Messages" is set.
# These can also be the filenames of rulesets.
Inline HTML Signature = /etc/MailScanner/reports/e
Inline Text Signature = /etc/MailScanner/reports/e
# Set where to find the HTML and text versions that will be inserted at
# the top of messages that have had viruses removed from them.
# These can also be the filenames of rulesets.
Inline HTML Warning = /etc/MailScanner/reports/e
Inline Text Warning = /etc/MailScanner/reports/e
# Set where to find the messages that are delivered to the sender, when they
# sent an email containing either an error, a banned filename or a virus
# infection.
# These can also be the filenames of rulesets.
Sender Error Report = /etc/MailScanner/reports/e
Sender Bad Filename Report = /etc/MailScanner/reports/e
Sender Virus Report = /etc/MailScanner/reports/e
# Hide the directory path from all virus scanner reports sent to users.
# The extra directory paths give away information about your setup, and
# tend to just confuse users.
# This can also be the filename of a ruleset.
Hide Incoming Work Dir = yes
#
# Changes to Message Headers
# --------------------------
#
# Add this extra header to all mail as it is processed.
# This *must* include the colon ":" at the end.
# This can also be the filename of a ruleset.
Mail Header = X-MailScanner:
# Add this extra header to all messages found to be spam.
# This can also be the filename of a ruleset.
Spam Header = X-MailScanner-SpamCheck:
# Add this extra header if "Spam Score" = yes. The header will
# contain 1 character for every point of the SpamAssassin score.
Spam Score Header = X-MailScanner-SpamScore:
# The character to use in the "Spam Score Header".
# Don't use: x as a score of 3 is "xxx" which the users will think is porn,
# # as it will cause confusion with comments in procmail as well
# as MailScanner itself,
# * as it will cause confusion with pattern matches in procmail,
# . as it will cause confusion with pattern matches in procmail,
# ? as it will cause the users to think something went wrong.
# "s" is nice and safe and stands for "spam".
Spam Score Character = s
# Set the "Mail Header" to these values for clean/infected/disinfected
# This can also be the filename of a ruleset.
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
# What to do when you get several MailScanner headers in one message,
# from multiple MailScanner servers. Values are
# "append" : Append the new data to the existing header
# "add" : Add a new header
# "replace" : Replace the old data with the new data
# Default is "append"
# This can also be the filename of a ruleset.
Multiple Headers = append
# Name of this host, or a name like "the MailScanner" if you want to hide
# the real hostname. It is used in the Help Desk note contained in the
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Hostname = the MailScanner
# If this is "no", then (as far as possible) messages which have already
# been processed by another MailScanner server will not have the clean
# signature added to the message. This prevents messages getting many
# copies of the signature as they flow through your site.
# This can also be the filename of a ruleset.
Sign Messages Already Processed = no
# Add the "Inline HTML Signature" or "Inline Text Signature" to the end
# of uninfected messages?
# This can also be the filename of a ruleset.
Sign Clean Messages = no
# Add the "Inline HTML Warning" or "Inline Text Warning" to the top of
# messages that have had attachments removed from them?
# This can also be the filename of a ruleset.
Mark Infected Messages = yes
# When a message is to not be virus-scanned (which may happen depending
# upon the setting of "Virus Scanning", especially if it is a ruleset),
# do you want to add the header advising the users to get their email
# virus-scanned by you?
# Very good for advertising your MailScanning service and encouraging
# users to give you some more money and sign up to virus scanning.
# This can also be the filename of a ruleset.
Mark Unscanned Messages = no
# This is the text used by the "Mark Unscanned Messages" option above.
# This can also be the filename of a ruleset.
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
# Do you want to deliver messages once they have been cleaned of any
# viruses?
# By making this a ruleset, you can re-create the "Deliver From Local"
# facility of previous versions.
Deliver Cleaned Messages = yes
# Do you want to notify the people who sent you messages containing
# viruses or badly-named filenames?
# This can also be the filename of a ruleset.
Notify Senders = yes
# If you supply a space-separated list of message "precedence" settings,
# then senders of those messages will not be warned about anything you
# rejected. This is particularly suitable for mailing lists, so that any
# MailScanner responses do not get sent to the entire list.
Never Notify Senders Of Precedence = list bulk
#
# Changes to the Subject: line
# --------------------------
#
# When the message has been scanned but no other subject line changes
# have happened, do you want modify the subject line?
# This can be 1 of 3 values:
# no = Do not modify the subject line, or
# start = Add text to the start of the subject line, or
# end = Add text to the end of the subject line.
# This makes very good advertising of your MailScanning service.
# This can also be the filename of a ruleset.
Scanned Modify Subject = no # end
# This is the text to add to the start/end of the subject line if the
# "Scanned Modify Subject" option is set.
# This can also be the filename of a ruleset.
Scanned Subject Text = {Scanned}
# If the message contained a virus, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Virus Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Virus Modify Subject" option is set.
# This can also be the filename of a ruleset.
Virus Subject Text = {Virus?}
# If an attachment triggered a filename check, but there was nothing
# else wrong with the message, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Filename Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Filename Modify Subject" option is set.
# You might want to change this so your users can see at a glance
# whether it just was just the filename that MailScanner rejected.
# This can also be the filename of a ruleset.
Filename Subject Text = {Virus?}
# If the message is spam, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Spam Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# This can also be the filename of a ruleset.
Spam Subject Text = {Spam?}
# This is just like the "Spam Modify Subject" option above, except that
# it applies then the score from SpamAssassin is higher than the
# "High SpamAssassin Score" value.
High Scoring Spam Modify Subject = yes
# This is just like the "Spam Subject Text" option above, except that
# it applies then the score from SpamAssassin is higher than the
# "High SpamAssassin Score" value.
High Scoring Spam Subject Text = {Spam?}
#
# Changes to the Message Body
# --------------------------
#
# When a virus or attachment is replaced by a plain-text warning,
# should the warning be in an attachment? If "no" then it will be
# placed in-line. This can also be the filename of a ruleset.
Warning Is Attachment = yes
# When a virus or attachment is replaced by a plain-text warning,
# and that warning is an attachment, this is the filename of the
# new attachment.
# This can also be the filename of a ruleset.
Attachment Warning Filename = VirusWarning.txt
# What character set do you want to use for the attachment that
# replaces viruses (VirusWarning.txt)?
# The default is "us-ascii" but if you speak anything other than
# English, you will probably want "ISO-8859-1" instead.
# This can also be the filename of a ruleset.
Attachment Encoding Charset = us-ascii
#
# Mail Archiving and Monitoring
# --------------------------
#
# Space-separated list of email address and directory names where you want
# a copy of all mail to be forwarded or stored.
#
# If you give this option a ruleset, you can control exactly whose mail
# is archived or forwarded. If you do this, beware of the legal implications
# as this could be deemed to be illegal interception unless the police have
# asked you to do this.
#Archive Mail = /var/spool/MailScanner/arc
#
# Notices to System Administrators
# --------------------------
#
# Notify the local system administrators ("Notices To") when any infections
# are found?
# This can also be the filename of a ruleset.
Send Notices = yes
# Include the full headers of each message in the notices sent to the local
# system administrators?
# This can also be the filename of a ruleset.
Notices Include Full Headers = yes
# Hide the directory path from all the system administrator notices.
# The extra directory paths give away information about your setup, and
# tend to just confuse users but are still useful for local sys admins.
# This can also be the filename of a ruleset.
Hide Incoming Work Dir in Notices = no
# Where to send the notices.
# This can also be the filename of a ruleset.
Notices To = postmaster
# Address of the local Postmaster, which is used as the "From" address in
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Local Postmaster = postmaster
#
# Spam Detection and Virus Scanner Definitions
# --------------------------
#
# This is the name of the file that translates the names of the "Spam List"
# values to the real DNS names of the spam blacklists.
Spam List Definitions = /etc/MailScanner/spam.list
# This is the name of the file that translates the names of the virus
# scanners into the commands that have to be run to do the actual scanning.
Virus Scanner Definitions = /etc/MailScanner/virus.sca
#
# Spam Detection and Spam Lists (DNS blocklists)
# --------------------------
#
# Do you want to check messages to see if they are spam?
# This can also be the filename of a ruleset.
# Spam Checks = yes
Spam Checks = /etc/MailScanner/rules/spa
# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
# This is the list of spam domain blacklists which you are using
# (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
# file for more information about what you can put here.
# This can also be the filename of a ruleset.
#Spam Domain List =
# If an individual "Spam List" or "Spam Domain List" check takes longer
# that this (in seconds), the check is abandoned and the timeout noted.
Spam List Timeout = 10
# The maximum number of timeouts caused by any individual "Spam List" or
# "Spam Domain List" before it is marked as "unavailable". Once marked,
# the list will be ignored until the next automatic re-start (see
# "Restart Every" for the longest time it will wait).
# This can also be the filename of a ruleset.
Max Spam List Timeouts = 15
# Spam Whitelist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *never* be marked as spam.
# This can also be the filename of a ruleset.
#Is Definitely Not Spam = no
Is Definitely Not Spam = /etc/MailScanner/rules/spa
# Spam Blacklist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *always* be marked as spam.
# This can also be the filename of a ruleset.
Is Definitely Spam = no
#
# SpamAssassin
# ------------
#
# Do you want to find spam using the "SpamAssassin" package?
# This can also be the filename of a ruleset.
Use SpamAssassin = yes
# SpamAssassin is not very fast when scanning huge messages, so messages
# bigger than this value will not be tested by SpamAssassin. This value
# is a good compromise as very few spam messages are bigger than this.
Max SpamAssassin Size = 50000
# This replaces the SpamAssassin configuration value 'required_hits'.
# If a message achieves a SpamAssassin score higher than this value,
# it is spam. See also the High SpamAssassin Score configuration option.
# This can also be the filename of a ruleset, so the SpamAssassin
# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 4
# If a message achieves a SpamAssassin score higher than this value,
# then the "High Scoring Spam Actions" are used. You may want to use
# this to deliver moderate scores, while deleting very high scoring messsages.
# This can also be the filename of a ruleset.
High SpamAssassin Score = 13
# Set this option to "yes" to enable the automatic whitelisting functions
# available within SpamAssassin. This will cause addresses from which you
# get real mail, to be marked so that it will never incorrectly spam-tag
# messages from those addresses.
SpamAssassin Auto Whitelist = no
# Set the location of the SpamAssassin user_prefs file. If you want to
# stop SpamAssassin doing all the RBL checks again, then you can add
# "skip_rbl_checks = 1" to this prefs file.
SpamAssassin Prefs File = /etc/MailScanner/spam.assa
# If SpamAssassin takes longer than this (in seconds), the check is
# abandoned and the timeout noted.
SpamAssassin Timeout = 60
# If SpamAssassin times out more times in a row than this, then it will be
# marked as "unavailable" until MailScanner next re-starts itself.
# This means that remote network failures causing SpamAssassin trouble will
# not mean your mail stops flowing.
Max SpamAssassin Timeouts = 20
# If the message sender is on any of the Spam Lists, do you still want
# to do the SpamAssassin checks? Setting this to "no" will reduce the load
# on your server, but will stop the High Scoring Spam Actions from ever
# happening.
# This can also be the filename of a ruleset.
Check SpamAssassin If On Spam List = yes
# Do you want to always include the Spam Report in the SpamCheck
# header, even if the message wasn't spam?
# This can also be the filename of a ruleset.
Always Include SpamAssassin Report = yes
# Do you want to include the "Spam Score" header. This shows 1 character
# (Spam Score Character) for every point of the SpamAssassin score. This
# makes it very easy for users to be able to filter their mail using
# whatever SpamAssassin threshold they want. For example, they just look
# for "sssss" for every message whose score is > 5, for example.
# This can also be the filename of a ruleset.
Spam Score = yes
#
# What to do with spam
# --------------------
#
# This is a list of actions to take when a message is spam.
# It can be any combination of the following:
# deliver - deliver the message as normal
# delete - delete the message
# store - store the message in the quarantine
# bounce - send a rejection message back to the sender
# forward user@domain.com - forward a copy of the message to user@domain.com
# striphtml - convert all in-line HTML content to plain text.
# - You need to specify "deliver" as well for the
# - message to reach the original recipient.
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
#Spam Actions = store forward anonymous@ecs.soton.ac.uk bounce
Spam Actions = deliver
# This is just like the "Spam Actions" option above, except that it applies
# then the score from SpamAssassin is higher than the "High SpamAssassin Score"
# value.
# deliver - deliver the message as normal
# delete - delete the message
# store - store the message in the quarantine
# bounce - send a rejection message back to the sender
# forward user@domain.com - forward a copy of the message to user@domain.com
# striphtml - convert all in-line HTML content to plain text
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
High Scoring Spam Actions = deliver
# Set where to find the messages that are delivered to the sender,
# when they have sent a message that was detected as spam and caused the
# "bounce" action to happen. This message is sent with its envelope
# constructed so that the message cannot bounce.
#
# There are 3 reports:
# Sender Spam Report - sent when a message triggers both a Spam
# List and SpamAssassin,
# Sender Spam List Report - sent when a message triggers a Spam List,
# Sender SpamAssassin Report - sent when a message triggers SpamAssassin.
#
# These can also be the filenames of rulesets.
Sender Spam Report = /etc/MailScanner/reports/e
Sender Spam List Report = /etc/MailScanner/reports/e
Sender SpamAssassin Report = /etc/MailScanner/reports/e
#
# Logging
# -------
#
# This is the syslog "facility" name that MailScanner uses. If you don't
# know what a syslog facility name is, then either don't change this value
# or else go and read "man syslog.conf". The default value of "mail" will
# cause the MailScanner logs to go into the same place as all your other
# mail logs.
Syslog Facility = mail
# Do you want all spam to be logged? Useful if you want to gather
# spam statistics from your logs, but can increase the system load quite
# a bit if you get a lot of spam.
Log Spam = no
# Log all the filenames that are allowed by the Filename Rules, or just
# the filenames that are denied?
# This can also be the filename of a ruleset.
Log Permitted Filenames = no
#
# Advanced Settings
# -----------------
#
# Don't bother changing anything below this unless you really know
# what you are doing, or else if MailScanner has complained about
# your "Minimum Code Status" setting.
#
# Set Debug to "yes" to stop it running as a daemon and just process
# one batch of messages and then exit.
Debug = no
# When attempting delivery of outgoing messages, should we do it in the
# background or wait for it to complete? The danger of doing it in the
# background is that the machine load goes ever upwards while all the
# slow sendmail processes run to completion. However, running it in the
# foreground may cause the mail server to run too slowly.
Deliver In Background = yes
# Attempt immediate delivery of messages, or just place them in the outgoing
# queue for the MTA to deliver when it wants to?
# batch -- attempt delivery of messages, in batches of up to 20 at once.
# queue -- just place them in the queue and let the MTA find them.
# This can also be the filename of a ruleset. For example, you could use a
# ruleset here so that messages coming to you are immediately delivered,
# while messages going to any other site are just placed in the queue in
# case the remote delivery is very slow.
Delivery Method = batch
# Where to put the virus scanning engine lock files.
# These lock files are used between MailScanner and the virus signature
# "autoupdate" scripts, to ensure that they aren't both working at the
# same time (which could cause MailScanner to let a virus through).
Lockfile Dir = /tmp
# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "flock".
# For Exim, it defaults to "posix".
# No other type is implemented.
#Lock Type = flock
# Minimum acceptable code stability status -- if we come across code
# that's not at least as stable as this, we barf.
# This is currently only used to check that you don't end up using untested
# virus scanner support code without realising it.
# Levels used are:
# none - there may not even be any code.
# unsupported - code may be completely untested, a contributed dirty hack,
# anything, really.
# alpha - code is pretty well untested. Don't assume it will work.
# beta - code is tested a bit. It should work.
# supported - code *should* be reliable.
#
# Don't even *think* about setting this to anything other than "beta" or
# "supported" on a system that receives real mail until you have tested it
# yourself and are happy that it is all working as you expect it to.
# Don't set it to anything other than "supported" on a system that could
# ever receive important mail.
#
# READ and UNDERSTAND the above text BEFORE changing this.
#
Minimum Code Status = supported
/etc/mail/spamassassin/loc
As per instructions shown at
http://nospam.arix.com/dns.php
I have added the following (below) into my local.cf file but I'm not getting any hits with these tests (on emails that should be triggering these tests)
Besides just modifying the local.cf file, do I need to put some other setting somewhere else?
#trying to add som RBL tests
header ARIX_DF rbleval:check_rbl('arix-df
describe ARIX_DF Recent dictionary spammer
tflags ARIX_DF net
score ARIX_DF 5.0
#header ARIX_DS rbleval:check_rbl('arix-ds
#describe ARIX_DS Sender has a history of dictionary spamming
#tflags ARIX_DS net
#score ARIX_DS 0.5
header DYNABLOCK rbleval:check_rbl('dynablo
describe DYNABLOCK mm added
tflags DYNABLOCK net
score DYNABLOCK 5.0
header EASYNET rbleval:check_rbl('easynet
describe EASYNET mm added
tflags EASYNET net
score EASYNET 5.0
header ABUSEAT rbleval:check_rbl('abuseat
describe ABUSEAT mm added
tflags ABUSEAT net
score ABUSEAT 5.0
header SPAMHAUS rbleval:check_rbl('spamhau
describe SPAMHAUS mm added
tflags SPAMHAUS net
score SPAMHAUS 5.0
header BLITZED rbleval:check_rbl('blitzed
describe BLITZED mm added
tflags BLITZED net
score BLITZED 5.0
header DSBL rbleval:check_rbl('dsbl', 'list.dsbl.org.')
describe DSBL mm added
tflags DSBL net
score DSBL 5.0
--------------------------
Here is my
etc/MailScanner/spam.assas
# MailScanner
# MailScanner users, please see the comments at the bottom of this file.
# MailScanner
#
# SpamAssassin user preferences file.
#
# Format:
#
# required_hits n
# (how many hits are required to tag a mail as spam.)
#
# auto_report_threshold n
# (spams with this many hits or more, will be reported
# as spam straightaway without requiring human verification.)
#
# score SYMBOLIC_TEST_NAME n
# (if this is omitted, 1 is used as a default score.
# Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
##########################
# JKF 25/10/2002
# These next 3 lines add a local rule to SpamAssassin to help protect you
# from the friendlygreetings.com nasty-gram which will send lots of spam
# from your PC if you let it. Not really a virus, but you don't want your
# users all clicking on it.
header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0
# MM 23/10/2003
body MMVIAGRA2 /viagra/i
describe MMVIAGRA2 mmrule
score MMVIAGRA2 5
body MMVICODIN2 /vicodin/i
describe MMVICODIN2 mmrule
score MMVICODIN2 5
body MMPRESCRIPTION /prescription/i
describe MMPRESCRIPTION mmrule
score MMPRESCRIPTION 3
##########################
# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.
# JKF 25/10/2002
# The required_hits value is now specified in the MailScanner configuration
# file, not here. Look for the word "Required" in there and you will find it.
required_hits 5
auto_report_threshold 30
# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings. one exception is that "*@isp.com" is allowed. They should be in
# lower-case. You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
#whitelist_from monty@roscom.com
# Add your blacklist entries in the same format...
#
# blacklist_from friend@public.com
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
ok_locales en
# By default, the subject lines of suspected spam will be tagged.
# This can be disabled here.
#
# rewrite_subject 0
# By default, spamassassin will include its report in the body
# of suspected spam. Enabling this causes the report to go in the
# headers instead. Using 'use_terse_report' for this is recommended.
#
# report_header 1
# By default, SpamAssassin uses a fairly long report format.
# Enabling this uses a shorter format which includes all the
# information in the normal one, but without the superfluous
# explanations.
#
# use_terse_report 0
# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
#
# defang_mime 0
# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#
# skip_rbl_checks 1
##########################
# Add your own customised scores for some tests below. The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .
# MailScanner: Comment out the next line to enable DCC checking if you
# have dcc installed (optional part of SpamAssassin)
score DCC_CHECK 0.0
#
# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET 4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL 10
#score RCVD_IN_RSS 1
#score RCVD_IN_DUL 1
--------------------------
And here is my
etc/MailScanner/MailScanne
# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
# A lot of the settings can take a ruleset as well as just simple
# values. These rulesets are files containing rules which are applied
# to the current message to calculate the value of the configuration
# option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
# As well as rulesets, you can now include your own functions in
# here. Look at the directory containing Config.pm and you will find
# CustomConfig.pm. In here, you can add your own "value" function and
# an Initvalue function to set up any global state you need such as
# database connections. Then for a setting below, you can put:
# Configuration Option = &ValueFunction
# where "ValueFunction" is the name of the function you have
# written in CustomConfig.pm.
#
#
# System settings
# ---------------
#
# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
#
# As a rough guide, try 5 children per CPU.
Max Children = 5
# User to run as (not normally used for sendmail)
#Run As User = mail
# Group to run as (not normally used for sendmail)
#Run As Group = mail
# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 10
# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
# Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
# Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
# which can in turn contain wildcards.
# Example: /etc/MailScanner/mqueue.in
#
Incoming Queue Dir = /home/spool/mqueue.in
# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /home/spool/mqueue/q1
# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/inc
# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/qua
# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid
# To avoid resource leaks, re-start periodically
Restart Every = 14400
# Set whether to use sendmail or exim
MTA = sendmail
# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail
# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
#
# Processing Incoming Mail
# ------------------------
#
# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 100
Max Unsafe Messages Per Scan = 100
# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes
# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no
# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
# This can also be the filename of a ruleset.
TNEF Expander = /usr/bin/tnef --maxsize=100000000
# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 150
#
# Virus Scanning and Vulnerability Testing
# --------------------------
#
# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# NOTE: This switch actually switches on/off all processing of the email
# messages. If you just want to switch off actual virus scanning,
# then set "Virus Scanners = none" instead.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
#Virus Scanning = yes
Virus Scanning = /etc/MailScanner/rules/vir
# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
# clamav from clamav.elektrapro.com, or
# trend from www.trendmicro.com, or
# none (no virus scanning at all)
#
# Note for McAfee users: do not use any symlinks with McAfee at all. It is
# very strange but may not detect all viruses when
# started from a symlink or scanning a directory path
# including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
# space-separated list of virus scanners. For example:
# Virus Scanners = sophos f-prot mcafee
#
Virus Scanners = rav
# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300
# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# This can also be the filename of a ruleset.
Deliver Disinfected Files = yes
# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
# (but it will still be "cleaned" by removing the nasty attachments
# from the message)
# 3) The recipient will not receive the message,
# unless the "Still Deliver Silent Viruses" option is set
# This can also be the filename of a ruleset.
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Sobig
# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good because it shows management that MailScanner
# is protecting them, but it is bad because they have to filter/delete all
# the incoming virus warnings.
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = no
#
# Removing/Logging dangerous or potentially offensive content
# --------------------------
#
# Do you want to allow <IFrame> tags in email messages? This is not a good
# idea as it allows various Microsoft Outlook security vulnerabilities to
# remain unprotected, but if you have a load of mailing lists sending them,
# then you will want to allow them to keep your users happy.
# This can also be the filename of a ruleset, so you can allow them from
# known mailing lists but ban them from everywhere else.
Allow IFrame Tags = yes
# Banning <IFrame> tags completely is likely to break some common HTML
# mailing lists, such as Dilbert and other important things like that.
# So before you implement any restriction on them, you can log the sender
# of any message containing an <IFrame>, so that you can set the option
# above to be a ruleset allowing IFrame tags from named "From" addresses
# and banning all others.
# This can also be the filename of a ruleset.
Log IFrame Tags = no
# Do you want to allow <Object Codebase=...> tags in email messages?
# This is bad idea as it leaves you unprotected against various
# Microsoft-specific security vulnerabilities. But if your users demand
# it, you can do it.
# This can also be the filename of a ruleset, so you can allow them just
# for specific users or domains.
Allow Object Codebase Tags = no
# Do you want to convert HTML messages containing <IFrame> or
# <Object Codebase=...> tags into plain text?
# This will only apply if you are also allowing the tags to be present
# using the configuration options above. You can allow messages
# that contain the tags, but convert them to plain text. This makes
# the HTML harmless, while still allowing your users to see the text
# content of the messages.
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = yes
# Do you want to convert all HTML messages into plain text?
# This is very useful for users who are children or are easily offended
# by nasty things like pornographic spam.
# This can also be the filename of a ruleset, so you can switch this
# feature on and off for particular users or domains.
Convert HTML To Text = no
#
# Attachment Filename Checking
# --------------------------
#
# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
Filename Rules = /etc/MailScanner/filename.
#
# Reports and Responses
# ---------------------
#
# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes
# Do you want to quarantine the original *entire* message as well as
# just the infected attachments?
# This can also be the filename of a ruleset.
Quarantine Whole Message = no
# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = no
# Set where to find all the strings used so they can be translated into
# your local language.
# This can also be the filename of a ruleset so you can produce different
# languages for different messages.
Language Strings = /etc/MailScanner/reports/e
# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message.
# These can also be the filenames of rulesets.
Deleted Bad Filename Message Report = /etc/MailScanner/reports/e
Deleted Virus Message Report = /etc/MailScanner/reports/e
# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message and stored in the quarantine.
# These can also be the filenames of rulesets.
Stored Bad Filename Message Report = /etc/MailScanner/reports/e
Stored Virus Message Report = /etc/MailScanner/reports/e
# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
# This can also be the filename of a ruleset.
Disinfected Report = /etc/MailScanner/reports/e
# Set where to find the HTML and text versions that will be added to the
# end of all clean messages, if "Sign Clean Messages" is set.
# These can also be the filenames of rulesets.
Inline HTML Signature = /etc/MailScanner/reports/e
Inline Text Signature = /etc/MailScanner/reports/e
# Set where to find the HTML and text versions that will be inserted at
# the top of messages that have had viruses removed from them.
# These can also be the filenames of rulesets.
Inline HTML Warning = /etc/MailScanner/reports/e
Inline Text Warning = /etc/MailScanner/reports/e
# Set where to find the messages that are delivered to the sender, when they
# sent an email containing either an error, a banned filename or a virus
# infection.
# These can also be the filenames of rulesets.
Sender Error Report = /etc/MailScanner/reports/e
Sender Bad Filename Report = /etc/MailScanner/reports/e
Sender Virus Report = /etc/MailScanner/reports/e
# Hide the directory path from all virus scanner reports sent to users.
# The extra directory paths give away information about your setup, and
# tend to just confuse users.
# This can also be the filename of a ruleset.
Hide Incoming Work Dir = yes
#
# Changes to Message Headers
# --------------------------
#
# Add this extra header to all mail as it is processed.
# This *must* include the colon ":" at the end.
# This can also be the filename of a ruleset.
Mail Header = X-MailScanner:
# Add this extra header to all messages found to be spam.
# This can also be the filename of a ruleset.
Spam Header = X-MailScanner-SpamCheck:
# Add this extra header if "Spam Score" = yes. The header will
# contain 1 character for every point of the SpamAssassin score.
Spam Score Header = X-MailScanner-SpamScore:
# The character to use in the "Spam Score Header".
# Don't use: x as a score of 3 is "xxx" which the users will think is porn,
# # as it will cause confusion with comments in procmail as well
# as MailScanner itself,
# * as it will cause confusion with pattern matches in procmail,
# . as it will cause confusion with pattern matches in procmail,
# ? as it will cause the users to think something went wrong.
# "s" is nice and safe and stands for "spam".
Spam Score Character = s
# Set the "Mail Header" to these values for clean/infected/disinfected
# This can also be the filename of a ruleset.
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
# What to do when you get several MailScanner headers in one message,
# from multiple MailScanner servers. Values are
# "append" : Append the new data to the existing header
# "add" : Add a new header
# "replace" : Replace the old data with the new data
# Default is "append"
# This can also be the filename of a ruleset.
Multiple Headers = append
# Name of this host, or a name like "the MailScanner" if you want to hide
# the real hostname. It is used in the Help Desk note contained in the
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Hostname = the MailScanner
# If this is "no", then (as far as possible) messages which have already
# been processed by another MailScanner server will not have the clean
# signature added to the message. This prevents messages getting many
# copies of the signature as they flow through your site.
# This can also be the filename of a ruleset.
Sign Messages Already Processed = no
# Add the "Inline HTML Signature" or "Inline Text Signature" to the end
# of uninfected messages?
# This can also be the filename of a ruleset.
Sign Clean Messages = no
# Add the "Inline HTML Warning" or "Inline Text Warning" to the top of
# messages that have had attachments removed from them?
# This can also be the filename of a ruleset.
Mark Infected Messages = yes
# When a message is to not be virus-scanned (which may happen depending
# upon the setting of "Virus Scanning", especially if it is a ruleset),
# do you want to add the header advising the users to get their email
# virus-scanned by you?
# Very good for advertising your MailScanning service and encouraging
# users to give you some more money and sign up to virus scanning.
# This can also be the filename of a ruleset.
Mark Unscanned Messages = no
# This is the text used by the "Mark Unscanned Messages" option above.
# This can also be the filename of a ruleset.
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
# Do you want to deliver messages once they have been cleaned of any
# viruses?
# By making this a ruleset, you can re-create the "Deliver From Local"
# facility of previous versions.
Deliver Cleaned Messages = yes
# Do you want to notify the people who sent you messages containing
# viruses or badly-named filenames?
# This can also be the filename of a ruleset.
Notify Senders = yes
# If you supply a space-separated list of message "precedence" settings,
# then senders of those messages will not be warned about anything you
# rejected. This is particularly suitable for mailing lists, so that any
# MailScanner responses do not get sent to the entire list.
Never Notify Senders Of Precedence = list bulk
#
# Changes to the Subject: line
# --------------------------
#
# When the message has been scanned but no other subject line changes
# have happened, do you want modify the subject line?
# This can be 1 of 3 values:
# no = Do not modify the subject line, or
# start = Add text to the start of the subject line, or
# end = Add text to the end of the subject line.
# This makes very good advertising of your MailScanning service.
# This can also be the filename of a ruleset.
Scanned Modify Subject = no # end
# This is the text to add to the start/end of the subject line if the
# "Scanned Modify Subject" option is set.
# This can also be the filename of a ruleset.
Scanned Subject Text = {Scanned}
# If the message contained a virus, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Virus Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Virus Modify Subject" option is set.
# This can also be the filename of a ruleset.
Virus Subject Text = {Virus?}
# If an attachment triggered a filename check, but there was nothing
# else wrong with the message, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Filename Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Filename Modify Subject" option is set.
# You might want to change this so your users can see at a glance
# whether it just was just the filename that MailScanner rejected.
# This can also be the filename of a ruleset.
Filename Subject Text = {Virus?}
# If the message is spam, do you want to modify the subject line?
# This makes filtering in Outlook very easy.
# This can also be the filename of a ruleset.
Spam Modify Subject = yes
# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# This can also be the filename of a ruleset.
Spam Subject Text = {Spam?}
# This is just like the "Spam Modify Subject" option above, except that
# it applies then the score from SpamAssassin is higher than the
# "High SpamAssassin Score" value.
High Scoring Spam Modify Subject = yes
# This is just like the "Spam Subject Text" option above, except that
# it applies then the score from SpamAssassin is higher than the
# "High SpamAssassin Score" value.
High Scoring Spam Subject Text = {Spam?}
#
# Changes to the Message Body
# --------------------------
#
# When a virus or attachment is replaced by a plain-text warning,
# should the warning be in an attachment? If "no" then it will be
# placed in-line. This can also be the filename of a ruleset.
Warning Is Attachment = yes
# When a virus or attachment is replaced by a plain-text warning,
# and that warning is an attachment, this is the filename of the
# new attachment.
# This can also be the filename of a ruleset.
Attachment Warning Filename = VirusWarning.txt
# What character set do you want to use for the attachment that
# replaces viruses (VirusWarning.txt)?
# The default is "us-ascii" but if you speak anything other than
# English, you will probably want "ISO-8859-1" instead.
# This can also be the filename of a ruleset.
Attachment Encoding Charset = us-ascii
#
# Mail Archiving and Monitoring
# --------------------------
#
# Space-separated list of email address and directory names where you want
# a copy of all mail to be forwarded or stored.
#
# If you give this option a ruleset, you can control exactly whose mail
# is archived or forwarded. If you do this, beware of the legal implications
# as this could be deemed to be illegal interception unless the police have
# asked you to do this.
#Archive Mail = /var/spool/MailScanner/arc
#
# Notices to System Administrators
# --------------------------
#
# Notify the local system administrators ("Notices To") when any infections
# are found?
# This can also be the filename of a ruleset.
Send Notices = yes
# Include the full headers of each message in the notices sent to the local
# system administrators?
# This can also be the filename of a ruleset.
Notices Include Full Headers = yes
# Hide the directory path from all the system administrator notices.
# The extra directory paths give away information about your setup, and
# tend to just confuse users but are still useful for local sys admins.
# This can also be the filename of a ruleset.
Hide Incoming Work Dir in Notices = no
# Where to send the notices.
# This can also be the filename of a ruleset.
Notices To = postmaster
# Address of the local Postmaster, which is used as the "From" address in
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Local Postmaster = postmaster
#
# Spam Detection and Virus Scanner Definitions
# --------------------------
#
# This is the name of the file that translates the names of the "Spam List"
# values to the real DNS names of the spam blacklists.
Spam List Definitions = /etc/MailScanner/spam.list
# This is the name of the file that translates the names of the virus
# scanners into the commands that have to be run to do the actual scanning.
Virus Scanner Definitions = /etc/MailScanner/virus.sca
#
# Spam Detection and Spam Lists (DNS blocklists)
# --------------------------
#
# Do you want to check messages to see if they are spam?
# This can also be the filename of a ruleset.
# Spam Checks = yes
Spam Checks = /etc/MailScanner/rules/spa
# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
# This is the list of spam domain blacklists which you are using
# (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
# file for more information about what you can put here.
# This can also be the filename of a ruleset.
#Spam Domain List =
# If an individual "Spam List" or "Spam Domain List" check takes longer
# that this (in seconds), the check is abandoned and the timeout noted.
Spam List Timeout = 10
# The maximum number of timeouts caused by any individual "Spam List" or
# "Spam Domain List" before it is marked as "unavailable". Once marked,
# the list will be ignored until the next automatic re-start (see
# "Restart Every" for the longest time it will wait).
# This can also be the filename of a ruleset.
Max Spam List Timeouts = 15
# Spam Whitelist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *never* be marked as spam.
# This can also be the filename of a ruleset.
#Is Definitely Not Spam = no
Is Definitely Not Spam = /etc/MailScanner/rules/spa
# Spam Blacklist:
# Make this point to a ruleset, and anything in that ruleset whose value
# is "yes" will *always* be marked as spam.
# This can also be the filename of a ruleset.
Is Definitely Spam = no
#
# SpamAssassin
# ------------
#
# Do you want to find spam using the "SpamAssassin" package?
# This can also be the filename of a ruleset.
Use SpamAssassin = yes
# SpamAssassin is not very fast when scanning huge messages, so messages
# bigger than this value will not be tested by SpamAssassin. This value
# is a good compromise as very few spam messages are bigger than this.
Max SpamAssassin Size = 50000
# This replaces the SpamAssassin configuration value 'required_hits'.
# If a message achieves a SpamAssassin score higher than this value,
# it is spam. See also the High SpamAssassin Score configuration option.
# This can also be the filename of a ruleset, so the SpamAssassin
# required_hits value can be set to different values for different messages.
Required SpamAssassin Score = 4
# If a message achieves a SpamAssassin score higher than this value,
# then the "High Scoring Spam Actions" are used. You may want to use
# this to deliver moderate scores, while deleting very high scoring messsages.
# This can also be the filename of a ruleset.
High SpamAssassin Score = 13
# Set this option to "yes" to enable the automatic whitelisting functions
# available within SpamAssassin. This will cause addresses from which you
# get real mail, to be marked so that it will never incorrectly spam-tag
# messages from those addresses.
SpamAssassin Auto Whitelist = no
# Set the location of the SpamAssassin user_prefs file. If you want to
# stop SpamAssassin doing all the RBL checks again, then you can add
# "skip_rbl_checks = 1" to this prefs file.
SpamAssassin Prefs File = /etc/MailScanner/spam.assa
# If SpamAssassin takes longer than this (in seconds), the check is
# abandoned and the timeout noted.
SpamAssassin Timeout = 60
# If SpamAssassin times out more times in a row than this, then it will be
# marked as "unavailable" until MailScanner next re-starts itself.
# This means that remote network failures causing SpamAssassin trouble will
# not mean your mail stops flowing.
Max SpamAssassin Timeouts = 20
# If the message sender is on any of the Spam Lists, do you still want
# to do the SpamAssassin checks? Setting this to "no" will reduce the load
# on your server, but will stop the High Scoring Spam Actions from ever
# happening.
# This can also be the filename of a ruleset.
Check SpamAssassin If On Spam List = yes
# Do you want to always include the Spam Report in the SpamCheck
# header, even if the message wasn't spam?
# This can also be the filename of a ruleset.
Always Include SpamAssassin Report = yes
# Do you want to include the "Spam Score" header. This shows 1 character
# (Spam Score Character) for every point of the SpamAssassin score. This
# makes it very easy for users to be able to filter their mail using
# whatever SpamAssassin threshold they want. For example, they just look
# for "sssss" for every message whose score is > 5, for example.
# This can also be the filename of a ruleset.
Spam Score = yes
#
# What to do with spam
# --------------------
#
# This is a list of actions to take when a message is spam.
# It can be any combination of the following:
# deliver - deliver the message as normal
# delete - delete the message
# store - store the message in the quarantine
# bounce - send a rejection message back to the sender
# forward user@domain.com - forward a copy of the message to user@domain.com
# striphtml - convert all in-line HTML content to plain text.
# - You need to specify "deliver" as well for the
# - message to reach the original recipient.
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
#Spam Actions = store forward anonymous@ecs.soton.ac.uk bounce
Spam Actions = deliver
# This is just like the "Spam Actions" option above, except that it applies
# then the score from SpamAssassin is higher than the "High SpamAssassin Score"
# value.
# deliver - deliver the message as normal
# delete - delete the message
# store - store the message in the quarantine
# bounce - send a rejection message back to the sender
# forward user@domain.com - forward a copy of the message to user@domain.com
# striphtml - convert all in-line HTML content to plain text
#
# Note that the bounce message is created in such a way as to stop it
# bouncing back to your site.
#
# This can also be the filename of a ruleset.
High Scoring Spam Actions = deliver
# Set where to find the messages that are delivered to the sender,
# when they have sent a message that was detected as spam and caused the
# "bounce" action to happen. This message is sent with its envelope
# constructed so that the message cannot bounce.
#
# There are 3 reports:
# Sender Spam Report - sent when a message triggers both a Spam
# List and SpamAssassin,
# Sender Spam List Report - sent when a message triggers a Spam List,
# Sender SpamAssassin Report - sent when a message triggers SpamAssassin.
#
# These can also be the filenames of rulesets.
Sender Spam Report = /etc/MailScanner/reports/e
Sender Spam List Report = /etc/MailScanner/reports/e
Sender SpamAssassin Report = /etc/MailScanner/reports/e
#
# Logging
# -------
#
# This is the syslog "facility" name that MailScanner uses. If you don't
# know what a syslog facility name is, then either don't change this value
# or else go and read "man syslog.conf". The default value of "mail" will
# cause the MailScanner logs to go into the same place as all your other
# mail logs.
Syslog Facility = mail
# Do you want all spam to be logged? Useful if you want to gather
# spam statistics from your logs, but can increase the system load quite
# a bit if you get a lot of spam.
Log Spam = no
# Log all the filenames that are allowed by the Filename Rules, or just
# the filenames that are denied?
# This can also be the filename of a ruleset.
Log Permitted Filenames = no
#
# Advanced Settings
# -----------------
#
# Don't bother changing anything below this unless you really know
# what you are doing, or else if MailScanner has complained about
# your "Minimum Code Status" setting.
#
# Set Debug to "yes" to stop it running as a daemon and just process
# one batch of messages and then exit.
Debug = no
# When attempting delivery of outgoing messages, should we do it in the
# background or wait for it to complete? The danger of doing it in the
# background is that the machine load goes ever upwards while all the
# slow sendmail processes run to completion. However, running it in the
# foreground may cause the mail server to run too slowly.
Deliver In Background = yes
# Attempt immediate delivery of messages, or just place them in the outgoing
# queue for the MTA to deliver when it wants to?
# batch -- attempt delivery of messages, in batches of up to 20 at once.
# queue -- just place them in the queue and let the MTA find them.
# This can also be the filename of a ruleset. For example, you could use a
# ruleset here so that messages coming to you are immediately delivered,
# while messages going to any other site are just placed in the queue in
# case the remote delivery is very slow.
Delivery Method = batch
# Where to put the virus scanning engine lock files.
# These lock files are used between MailScanner and the virus signature
# "autoupdate" scripts, to ensure that they aren't both working at the
# same time (which could cause MailScanner to let a virus through).
Lockfile Dir = /tmp
# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "flock".
# For Exim, it defaults to "posix".
# No other type is implemented.
#Lock Type = flock
# Minimum acceptable code stability status -- if we come across code
# that's not at least as stable as this, we barf.
# This is currently only used to check that you don't end up using untested
# virus scanner support code without realising it.
# Levels used are:
# none - there may not even be any code.
# unsupported - code may be completely untested, a contributed dirty hack,
# anything, really.
# alpha - code is pretty well untested. Don't assume it will work.
# beta - code is tested a bit. It should work.
# supported - code *should* be reliable.
#
# Don't even *think* about setting this to anything other than "beta" or
# "supported" on a system that receives real mail until you have tested it
# yourself and are happy that it is all working as you expect it to.
# Don't set it to anything other than "supported" on a system that could
# ever receive important mail.
#
# READ and UNDERSTAND the above text BEFORE changing this.
#
Minimum Code Status = supported
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Looks like tflags is necessary after doing some googling
I am waiting for some more spam to come to see if the RBL rules now start to appear in the headers. C'mon spammers! ;-)
I am waiting for some more spam to come to see if the RBL rules now start to appear in the headers. C'mon spammers! ;-)
Yes, the syntax is exactly the same.
ASKER
Hi,
It didn't work putting it in
spam.assassin.prefs.conf
So what I did was put the following in
etc/Mailscanner/spam.lists
RBL-dynablock dynablock.easynet.nl
RBL-easynet blackholes.easynet.nl
RBL-abuseat cbl.abuseat.org
RBL-spamhaus sbl.spamhaus.org
RBL-blitzed opm.blitzed.org
RBL-dsbl list.dsbl.org
and in
MailScanner.conf I just changed
# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
to be
Spam List = ORDB-RBL Infinite-Monkeys RBL-dynablock RBL-easynet RBL-abuseat RBL-spamhaus RBL-blitzed RBL-dsbl
And hey presto it works!!!
I will give you the points anyway :-)
If you are interested, I do have another question also, listed here:
https://www.experts-exchange.com/questions/20790106/SpamAssassin-rule-syntax.html
It didn't work putting it in
spam.assassin.prefs.conf
So what I did was put the following in
etc/Mailscanner/spam.lists
RBL-dynablock dynablock.easynet.nl
RBL-easynet blackholes.easynet.nl
RBL-abuseat cbl.abuseat.org
RBL-spamhaus sbl.spamhaus.org
RBL-blitzed opm.blitzed.org
RBL-dsbl list.dsbl.org
and in
MailScanner.conf I just changed
# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
to be
Spam List = ORDB-RBL Infinite-Monkeys RBL-dynablock RBL-easynet RBL-abuseat RBL-spamhaus RBL-blitzed RBL-dsbl
And hey presto it works!!!
I will give you the points anyway :-)
If you are interested, I do have another question also, listed here:
https://www.experts-exchange.com/questions/20790106/SpamAssassin-rule-syntax.html
ASKER
I will assume I can use the same syntax
eg
header DYNABLOCK rbleval:check_rbl('dynablo
describe DYNABLOCK mm added
tflags DYNABLOCK net
score DYNABLOCK 5.0
Q: Is the "tflags" line necessary, do you know what it means?