Nasser Heidari

2008-04-02

Installing Spam Filtering with Postfix, ClamAV, SpamAssassin and MailScanner on Gentoo 2007

Filed under: Linux — Nasser Heidari @ 10:43

– SpamFilter ~ # cat /etc/make.conf
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
GENTOO_MIRRORS="http://open-systems.ufl.edu/mirrors/gentoo"
USE="acpi apm gpm syslog milter apache2 clamav mysql php gd"
CCACHE_SIZE="2G"
– SpamFilter portage # cat /etc/portage/package.keywords
sys-devel/gcc
– SpamFilter portage # cat package.mask
sys-devel/gcc
– SpamFilter portage # cat package.unmask
sys-devel/gcc
– SpamFilter portage # cat package.use
sys-devel/gcc
media-libs/gd png
dev-perl/GD png
mail-filter/clamassassin clamd subject-rewrite
mail-filter/spamassassin-fuzzyocr logrotate tools
– SpamFilter ~ # emerge postfix
– SpamFilter ~ # cat /etc/postfix/main.cf | egrep -v '^#|^ *$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
append_at_myorigin = no
append_dot_mydomain = no
biff = no
mail_name = SpamFilter.myisp.com
smtpd_banner = $mail_name ESMTP
mydestination = localhost
mydomain = myisp.com
myhostname = SpamFilter
mynetworks = /etc/postfix/mynetworks
default_destination_recipient_limit = 5
smtpd_recipient_limit = 5
queue_run_delay = 180s
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 2d
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination
smtpd_sender_restrictions =
    reject_non_fqdn_sender
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
smtpd_client_connection_rate_limit = 100
smtpd_client_connection_count_limit = 20
– SpamFilter ~ # cat /etc/postfix/master.cf | egrep -v '^#|^ *$'
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
    -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
– SpamFilter ~ # rc-update add postfix default
– SpamFilter ~ # cat /etc/postfix/header_checks
/^Received:/ HOLD
– SpamFilter ~ # cat /etc/postfix/mynetworks
!192.168.18.97
192.168.10.0/23
192.168.18.0/24
– SpamFilter postfix # cat /etc/hosts | egrep -v '^#|^ *$'
127.0.0.1 localhost
127.0.0.1 SpamFilter
::1 localhost
– SpamFilter postfix # newaliases
– SpamFilter postfix # emerge spamassassin
– SpamFilter ~ # rc-update add spamd default
– SpamFilter postfix # gcc-config -l
[1] i686-pc-linux-gnu-4.1.1 *
[2] i686-pc-linux-gnu-4.2.3
– SpamFilter postfix # gcc-config 2
* Switching native-compiler to i686-pc-linux-gnu-4.2.3 …
>>> Regenerating /etc/ld.so.cache… [ ok ]

* If you intend to use the gcc from the new profile in an already
* running shell, please remember to do:

* # source /etc/profile
– SpamFilter postfix # source /etc/profile
– SpamFilter postfix # emerge clamav
– SpamFilter ~ # cat /etc/conf.d/clamd
START_CLAMD=yes
START_FRESHCLAM=yes
CLAMD_NICELEVEL=3
FRESHCLAM_NICELEVEL=19
START_MILTER=no
MILTER_SOCKET="/var/run/clamav/clmilter.sock"
MILTER_OPTS="-m 10 --timeout=0"
– SpamFilter ~ # rc-update add clamd default
– SpamFilter ~ # cd /usr/local/src
– SpamFilter src # wget http://www.mailscanner.info/files/4/tar/MailScanner-install-4.68.8-1.tar.gz
– SpamFilter src # tar -zxvf MailScanner-install-4.68.8-1.tar.gz
– SpamFilter src # cd MailScanner-install-4.68.8
– SpamFilter MailScanner-install-4.68.8 # ./install.sh
– SpamFilter MailScanner-install-4.68.8 # cd /opt/MailScanner
– SpamFilter MailScanner # cat > /opt/MailScanner/etc/MailScanner.conf
%org-name% = MYISP
%org-long-name% = MYISP Full Name
%web-site% = http://www.myisp.com
%etc-dir% = /opt/MailScanner/etc
%report-dir% = /opt/MailScanner/etc/reports/en
%rules-dir% = /opt/MailScanner/etc/rules
%mcp-dir% = /opt/MailScanner/etc/mcp
Max Children = 5
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /opt/MailScanner/var/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/lib/sendmail
Sendmail2 = /usr/lib/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 20
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 2
Find Archives By Content = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = yes
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Allowed Sophos Error Messages =
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
ClamAV Full Message Scan = yes
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.sng.ecs.soton.ac.uk/mailscanner/images/1x1spacer.gif
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = no
Language Strings = %report-dir%/languages.conf
Rejection Report = %report-dir%/rejection.report.txt
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Stored Size Message Report = %report-dir%/stored.size.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Signature Image Filename = %report-dir%/sig.jpg
Signature Image <img> Filename = signature.jpg
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Sender Size Report = %report-dir%/sender.size.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = yes
Mail Header = X-%org-name%-SpamFilter:
Spam Header = X-%org-name%-SpamFilter-SpamCheck:
Spam Score Header = X-%org-name%-SpamFilter-SpamScore:
Information Header = X-%org-name%-SpamFilter-Information:
Add Envelope From Header = yes
Add Envelope To Header = no
Envelope From Header = X-%org-name%-SpamFilter-From:
Envelope To Header = X-%org-name%-SpamFilter-To:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Minimum Stars If On Spam List = 0
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = no
Multiple Headers = append
Hostname = the %org-name% ($HOSTNAME) SpamFilter
Sign Messages Already Processed = no
Sign Clean Messages = no
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
Deliver Cleaned Messages = yes
Notify Senders = yes
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = yes
Notify Senders Of Blocked Size Attachments = no
Notify Senders Of Other Blocked Content = yes
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no # end
Scanned Subject Text = {Scanned}
Virus Modify Subject = start
Virus Subject Text = {Virus?}
Filename Modify Subject = start
Filename Subject Text = {Filename?}
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Size Modify Subject = start
Size Subject Text = {Size}
Disarmed Modify Subject = start
Disarmed Subject Text = {Disarmed}
Phishing Modify Subject = no
Phishing Subject Text = {Fraud?}
Spam Modify Subject = start
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = start
High Scoring Spam Subject Text = {Spam?}
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-1
Archive Mail =
Send Notices = yes
Notices Include Full Headers = yes
Hide Incoming Work Dir in Notices = yes
Notice Signature = -- \nSpamFilter\nEmail Virus Scanner\nwww.myisp.com
Notices From = MailScanner
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List = spamhaus.org spamcop.net ORDB-RBL
Spam Domain List =
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 3
Spam List Timeout = 10
Max Spam List Timeouts = 7
Spam List Timeouts History = 10
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = no
Definite Spam Is High Scoring = no
Ignore Spam Whitelist If Recipients Exceed = 20
Max Spam Check Size = 200k
Use Watermarking = no
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = nothing
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = %org-name%-Secret
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-SpamFilter-Watermark:
Use SpamAssassin = yes
Max SpamAssassin Size = 200k
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
SpamAssassin Auto Whitelist = yes
SpamAssassin Timeout = 75
Max SpamAssassin Timeouts = 10
SpamAssassin Timeouts History = 30
Check SpamAssassin If On Spam List = yes
Include Binary Attachments In SpamAssassin = no
Spam Score = yes
Cache SpamAssassin Results = yes
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
Use Custom Spam Scanner = no
Max Custom Spam Scanner Size = 20k
Custom Spam Scanner Timeout = 20
Max Custom Spam Scanner Timeouts = 10
Custom Spam Scanner Timeout History = 20
Spam Actions = deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
Non Spam Actions = deliver header "X-Spam-Status: No"
SpamAssassin Rule Actions =
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Recipient Spam Report = %report-dir%/recipient.spam.report.txt
Enable Spam Bounce = %rules-dir%/bounce.rules
Bounce Spam As Attachment = no
Syslog Facility = mail
Log Speed = yes
Log Spam = yes
Log Non Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Permitted File MIME Types = no
Log Silent Viruses = yes
Log Dangerous HTML Tags = no
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix =
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = # /var/lib/spamassassin
SpamAssassin Default Rules Dir =
MCP Checks = no
First Check = spam
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-SpamFilter-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no
MCP Modify Subject = start
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = {MCP?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt
Use Default Rules With Multiple Recipients = no
Spam Score Number Format = %d
MailScanner Version Number = 4.67.6
SpamAssassin Cache Timings = 1800,300,10800,172800,600
Debug = no
Debug SpamAssassin = no
Run In Foreground = no
Always Looked Up Last = no
Always Looked Up Last After Batch = no
Deliver In Background = yes
Delivery Method = batch
Split Exim Spool = no
Lockfile Dir = /tmp
Custom Functions Dir = /opt/MailScanner/lib/MailScanner/CustomFunctions
Lock Type =
Syslog Socket Type =
Minimum Code Status = supported
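The whole setup hangs on three settings agreeing with each other: Postfix parks every message in its hold queue (the `/^Received:/ HOLD` rule in header_checks), MailScanner reads that hold directory and writes clean mail back into Postfix's incoming directory, and it runs as the Postfix owner so it can touch those queue files. If any one of them is off, mail is either never scanned or never delivered. The script below is an added example, not part of the original post or of MailScanner itself; it cross-checks the three files against each other. The config snippets it contains are constructed copies of the relevant lines from above, and the second MailScanner snippet is deliberately wrong to show what a failing check looks like.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the Postfix -> MailScanner hand-off.
# The three snippets below are constructed copies of the relevant lines from the
# configuration above; on a live box read the real files instead.

MAIN_CF=$(cat <<'EOF'
queue_directory = /var/spool/postfix
mail_owner = postfix
header_checks = regexp:/etc/postfix/header_checks
EOF
)

HEADER_CHECKS=$(cat <<'EOF'
/^Received:/ HOLD
EOF
)

MS_CONF=$(cat <<'EOF'
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
EOF
)

# Deliberately wrong variant: scans the live incoming queue and runs as the wrong user.
MS_CONF_BAD=$(cat <<'EOF'
Run As User = mail
Run As Group = mail
Incoming Queue Dir = /var/spool/postfix/incoming
Outgoing Queue Dir = /var/spool/postfix/incoming
EOF
)

# cfg_get TEXT KEY: value of the first "KEY = value" line, whitespace trimmed.
# Works for both main.cf keys and the multi-word MailScanner.conf keys.
cfg_get() {
  printf '%s\n' "$1" | awk -F'=' -v key="$2" '
    {
      k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }'
}

# check_handoff MAIN_CF HEADER_CHECKS MAILSCANNER_CONF
# Prints one FAIL line per mismatch (or OK) and returns the number of mismatches.
check_handoff() {
  problems=0
  qdir=$(cfg_get "$1" queue_directory)
  owner=$(cfg_get "$1" mail_owner)
  # 1. Postfix must consult a header_checks table at all
  case "$(cfg_get "$1" header_checks)" in
    regexp:*|pcre:*) ;;
    *) echo "FAIL: main.cf does not enable a header_checks table"; problems=$((problems + 1)) ;;
  esac
  # 2. Every message has a Received: header, so this rule parks all mail in hold/
  if ! printf '%s\n' "$2" | grep -Eq '^/\^Received:/[[:space:]]+HOLD'; then
    echo "FAIL: header_checks lacks the '/^Received:/ HOLD' rule, nothing reaches MailScanner"
    problems=$((problems + 1))
  fi
  # 3. MailScanner must read hold/ and write incoming/ under the same Postfix spool
  if [ "$(cfg_get "$3" 'Incoming Queue Dir')" != "$qdir/hold" ]; then
    echo "FAIL: Incoming Queue Dir must be $qdir/hold"; problems=$((problems + 1))
  fi
  if [ "$(cfg_get "$3" 'Outgoing Queue Dir')" != "$qdir/incoming" ]; then
    echo "FAIL: Outgoing Queue Dir must be $qdir/incoming"; problems=$((problems + 1))
  fi
  # 4. Queue files are owned by mail_owner, so MailScanner has to run as that user
  if [ "$(cfg_get "$3" 'Run As User')" != "$owner" ]; then
    echo "FAIL: Run As User must match mail_owner ($owner)"; problems=$((problems + 1))
  fi
  if [ "$problems" -eq 0 ]; then echo OK; fi
  return "$problems"
}

check_handoff "$MAIN_CF" "$HEADER_CHECKS" "$MS_CONF"
check_handoff "$MAIN_CF" "$HEADER_CHECKS" "$MS_CONF_BAD" || true
```

On a real host replace the heredocs with `MAIN_CF=$(postconf -n)`, `HEADER_CHECKS=$(cat /etc/postfix/header_checks)` and `MS_CONF=$(cat /opt/MailScanner/etc/MailScanner.conf)`; the return value makes it usable from cron or a deploy script.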
– SpamFilter MailScanner # cat /etc/init.d/mailscanner
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2

opts="${opts} reload"

depend() {
	need net
	use logger dns
}

start() {
	ebegin "Starting MailScanner"
	# check_mailscanner only starts a MailScanner parent if none is running
	/sbin/start-stop-daemon --quiet \
		--start --startas /opt/MailScanner/bin/check_mailscanner \
		--pidfile /opt/MailScanner/var/MailScanner.pid
	eend $?
}

stop() {
	ebegin "Stopping MailScanner"
	start-stop-daemon -o --quiet --stop --pidfile /opt/MailScanner/var/MailScanner.pid
	ret=$?
	# report the stop result, not the result of the pidfile clean-up
	[ -f /opt/MailScanner/var/MailScanner.pid ] && rm -f /opt/MailScanner/var/MailScanner.pid
	eend $ret
}

restart() {
	svc_stop
	rm -f /opt/MailScanner/var/MailScanner.pid
	sleep 3
	# svc_start runs start() above; a second start-stop-daaemon call here would race it
	svc_start
}

reload() {
	ebegin "Reloading MailScanner workers:"
	# SIGHUP makes the parent re-read its configuration and restart its child processes
	pid=`pidof -x MailScanner`
	if [ -n "$pid" ]; then
		/bin/kill -HUP $pid
	fi
	eend $?
}
– SpamFilter MailScanner # mkdir -p /var/spool/MailScanner/incoming
– SpamFilter MailScanner # mkdir -p /var/spool/MailScanner/quarantine
– SpamFilter MailScanner # chown postfix:postfix /var/spool/MailScanner/incoming
– SpamFilter MailScanner # chown postfix:postfix /var/spool/MailScanner/quarantine
– SpamFilter MailScanner # mkdir /var/spool/MailScanner/spamassassin
– SpamFilter MailScanner # chown postfix:postfix /var/spool/MailScanner/spamassassin
– SpamFilter MailScanner # rc-update add mailscanner default
– SpamFilter MailScanner # cd /opt/MailScanner/etc/reports/en/
– SpamFilter en # perl -p -i.bak -e 's/For\ all\ your\ IT\ requirements\ visit:\ http:\/\/www.transtec.co.uk/-/' ./*.*
– SpamFilter en # rm -f ./*.bak
– SpamFilter ~ # emerge net-snmp apache mrtg
– SpamFilter ~ # cat /etc/snmp/snmpd.conf
agentaddress localhost:161
rocommunity MYISP localhost
syslocation Tehran-Sepah
syscontact blackhat_hk@yahoo.com
– SpamFilter ~ # rc-update add snmpd default
– SpamFilter ~ # rc-update add apache2 default
– SpamFilter ~ # cd /usr/local/src
– SpamFilter src # wget http://mesh.dl.sourceforge.net/sourceforge/mailscannermrtg/mailscanner-mrtg-0.10.00.tar.gz
– SpamFilter src # tar -zxvf mailscanner-mrtg-0.10.00.tar.gz
– SpamFilter ~ # cd /usr/local/src/mailscanner-mrtg-0.10.00
– SpamFilter ~ # ./install.pl
– SpamFilter ~ # cd /usr/local/bin
– SpamFilter ~ # wget http://sandgnat.com/rdj/rules_du_jour
– SpamFilter ~ # chmod +x rules_du_jour
– SpamFilter ~ # mkdir /etc/rulesdujour
– SpamFilter ~ # cat /etc/rulesdujour/config
TRUSTED_RULESETS="TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 \
SARE_EVILNUMBERS2 RANDOMVAL BOGUSVIRUS \
SARE_ADULT SARE_FRAUD SARE_FRAUD_PRE25X SARE_BML SARE_BML_PRE25X \
SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM \
SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 \
SARE_HEADER_ENG SARE_HEADER_X264_X30 SARE_HEADER_X30 SARE_HTML \
SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG \
SARE_HTML_PRE300 SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 \
SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 \
SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 \
SARE_GENLSUBJ3 \
SARE_GENLSUBJ_X30 \
SARE_GENLSUBJ_ENG \
SARE_HIGHRISK \
SARE_UNSUB \
SARE_URI0 \
SARE_URI1 \
SARE_URI2 \
SARE_URI3 \
SARE_URI_ENG \
SARE_WHITELIST \
SARE_WHITELIST_PRE30"

SA_DIR=/etc/mail/spamassassin
EMAIL_RDJ_UPDATE_ONLY=
SINGLE_EMAIL_ONLY=true
MAIL_ADDRESS=Blackhat_hk@yahoo.com
SA_LINT="spamassassin --lint"
SA_RESTART="/etc/init.d/spamd restart"
TMPDIR="${SA_DIR}/RulesDuJour"
– SpamFilter ~ # bash /usr/local/bin/rules_du_jour
– SpamFilter ~ # cat /etc/crontab | egrep -v '^#|^ *$'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
37 5 * * * root /opt/MailScanner/bin/update_phishing_sites
07 * * * * root /opt/MailScanner/bin/update_bad_phishing_sites
58 23 * * * root /opt/MailScanner/bin/clean.quarantine
42 * * * * root /opt/MailScanner/bin/update_virus_scanners
3,23,43 * * * * root /opt/MailScanner/bin/check_mailscanner
58 4 * * * root /usr/local/bin/rules_du_jour
0 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly
1 3 * * * root rm -f /var/spool/cron/lastrun/cron.daily
15 4 * * 6 root rm -f /var/spool/cron/lastrun/cron.weekly
30 5 1 * * root rm -f /var/spool/cron/lastrun/cron.monthly
*/10 * * * * root test -x /usr/sbin/run-crons && /usr/sbin/run-crons
– SpamFilter ~ # reboot

Testing it

You should now have a system which can scan mail for viruses and spam. Using the setup from before, try sending an email to yourself. When it arrives, look at the headers and make sure they include the strings that show it has been through MailScanner.
Now send an email containing the string:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

It should be delivered but flagged as {Spam?}. This test string is known as GTUBE and should be picked up by all spam checkers.
Now try sending a message including the string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This shouldn't be delivered. EICAR is a standard virus test (note that it's not a virus; it's just a pattern which virus scanners should all pick up).
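Checking the headers of the test message by eye works once; the script below is an added example (not part of the original post or of MailScanner) that does the same check programmatically so it can be repeated after every config change. The header names follow from the configuration above with %org-name% = MYISP: `X-MYISP-SpamFilter:` (Mail Header), `X-MYISP-SpamFilter-SpamCheck:` (Spam Header) and `X-MYISP-SpamFilter-SpamScore:` (Spam Score Header, one `s` per point because SpamScore Number Instead Of Stars is `no`). The message it parses is constructed, not a real capture, and its queue id and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a delivered message carries
# the headers MailScanner adds under the configuration above (%org-name% = MYISP).
# SAMPLE_MSG is constructed; the queue id and addresses are placeholders.

ORG=MYISP

SAMPLE_MSG=$(cat <<'EOF'
Received: from SpamFilter (localhost [127.0.0.1])
    by SpamFilter (Postfix) with ESMTP id 0000000000
    for <postmaster@myisp.com>; Wed,  2 Apr 2008 10:43:00 +0330
From: tester@myisp.com
To: postmaster@myisp.com
Subject: {Spam?} scanner test
X-MYISP-SpamFilter: Found to be clean
X-MYISP-SpamFilter-SpamCheck: spam, SpamAssassin (score=17.181, required 6,
    BAYES_99 5.40, RAZOR2_CHECK 1.05)
X-MYISP-SpamFilter-SpamScore: sssssssssssssssss
X-Spam-Status: Yes

test body
EOF
)

# unfold_headers: print the header section (up to the first blank line) with
# RFC 822 continuation lines (leading space or tab) joined onto their header.
unfold_headers() {
  awk '
    /^$/ { exit }
    /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
    { if (cur != "") print cur; cur = $0 }
    END { if (cur != "") print cur }'
}

# header_value MSG NAME: value of the first NAME: header, matched case-insensitively.
header_value() {
  printf '%s\n' "$1" | unfold_headers | awk -v name="$2" '
    BEGIN { name = tolower(name) ":" }
    tolower(substr($0, 1, length(name))) == name {
      v = substr($0, length(name) + 1); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# check_scanned MSG: prints "scanned=yes spam=yes|no score=N", or "scanned=no" with
# exit status 1 when the Mail Header is absent, i.e. the message bypassed MailScanner.
check_scanned() {
  mark=$(header_value "$1" "X-$ORG-SpamFilter")
  if [ -z "$mark" ]; then
    echo "scanned=no"
    return 1
  fi
  # MailScanner's spam verdict header starts with "spam," or "not spam,"
  case "$(header_value "$1" "X-$ORG-SpamFilter-SpamCheck")" in
    spam|spam,*) spam=yes ;;
    *) spam=no ;;
  esac
  # one "s" per whole point of SpamAssassin score (Spam Score Character = s)
  score=$(header_value "$1" "X-$ORG-SpamFilter-SpamScore" | tr -cd 's' | wc -c | tr -d ' ')
  echo "scanned=yes spam=$spam score=$score"
}

check_scanned "$SAMPLE_MSG"
```

To use it on a real delivery, pipe the raw message in: `check_scanned "$(cat /var/mail/postmaster)"` or point it at a file pulled from your mailbox. A `scanned=no` result means the message reached the mailbox without passing through the hold queue at all, which is the first thing to rule out before tuning scores.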
You can check whether all this has worked by looking at the file /var/log/maillog. It's a plain text file, and if you look through it you'll find lines like:

Jun 4 00:14:02 tconwl9 postfix/smtpd[69875]: connect from unknown[65.199.194.153]
Jun 4 00:14:16 tconwl9 postfix/smtpd[69875]: 3BA5F2093: client=unknown[65.199.194.153]
Jun 4 00:14:24 tconwl9 postfix/cleanup[69876]: 3BA5F2093: message-id=<20040603231412.3BA5F2093@tconwl9.cnwl.ac.uk>
Jun 4 00:15:17 tconwl9 postfix/smtpd[69875]: disconnect from unknown[65.199.194.153]
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: from=<fxsjj@iname.com>, size=31680, nrcpt=1 (queue active)
Jun 4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: to=<international.admin@cnwl.ac.uk>, relay=none, delay=65, status=deferred (delivery temporarily suspended: deferred transport)
Jun 4 00:15:19 tconwl9 MailScanner[64484]: New Batch: Scanning 1 messages, 31958 bytes
Jun 4 00:15:19 tconwl9 MailScanner[64484]: Spam Checks: Starting
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Message 3BA5F2093 from 65.199.194.153 (fxsjj@iname.com) to cnwl.ac.uk is spam, SpamAssassin (score=17.181, required 6, BAYES_99 5.40, MIME_MISSING_BOUNDARY 1.84, MISSING_MIMEOLE 1.59, MSGID_FROM_MTA_SHORT 3.03, NO_REAL_NAME 0.16, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, X_MSMAIL_PRIORITY_HIGH 0.50, X_PRIORITY_HIGH 1.30)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Spam Checks: Found 1 spam messages
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Spam Actions: message 3BA5F2093 actions are deliver
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus and Content Scanning: Starting
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.zip Found the W32/Netsky.z@MM!zip virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.txt .exe Found the W32/Netsky.z@MM virus !!!
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: McAfee found 2 infections
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Infected message 3BA5F2093 came from 65.199.194.153
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: Found 2 viruses
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Filename Checks: Windows/DOS Executable (3BA5F2093 Notice.txt .exe)
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Other Checks: Found 1 problems
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected “Notice.txt .exe” to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
Jun 4 00:15:25 tconwl9 MailScanner[64484]: Saved infected “Notice.zip” to /var/spool/MailScanner/quarantine/20040604/3BA5F2093

This shows that a computer at IP address 65.199.194.153 tried to deliver a message for international.admin@cnwl.ac.uk, apparently from fxsjj@iname.com. Postfix queued it and flagged it for deferred delivery. MailScanner checks the queue at regular intervals and this time found just one message waiting. It ran a spam check and decided the message is spam (a score of 17.1 is nearly three times our safety level). MailScanner is configured to tag spam but still deliver it, so it went on to virus-scan the message. This particular message has an attachment which the scanner recognises as the W32/Netsky virus; it extracts the contents of the archive and confirms that there is an .exe file inside, which is the virus payload. MailScanner is configured not to deliver infected email, so it saved the message to the quarantine folder.

References:

http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/
http://gentoo-wiki.com/HOWTO_Email_Virus_Scanner_–_Mailscanner
