mailscanner.conf

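# ---------------------------------------------------------------------------
# Paths, privileges and queue layout
# ---------------------------------------------------------------------------
# %etc-dir% / %report-dir% / %rules-dir% / %mcp-dir% are MailScanner
# variables expanded in the values below. NOTE(review): %org-name% is used
# by the header settings further down but is not defined in the part of the
# file shown here -- confirm it is set (the site notes later on this page
# use "yoursite").
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp

# Number of parallel scanning children.
Max Children = 10

# MailScanner runs with the MTA's identity, never as root. Every directory
# it reads or writes (the Postfix queues, the work and quarantine dirs
# below) must be owned by / accessible to this user and group.
Run As User = postfix

Run As Group = postfix

# Seconds between polls of the incoming queue.
Queue Scan Interval = 3

# Postfix integration: mail is parked in the "hold" queue (presumably by a
# header_checks HOLD rule on the Postfix side) and MailScanner re-injects
# processed mail into "incoming". Anything an admin parks in "hold" by hand
# (postsuper -h) will also be picked up and delivered, so do not use the
# hold queue for manual quarantine on this host.
Incoming Queue Dir = /var/spool/postfix/hold

Outgoing Queue Dir = /var/spool/postfix/incoming

Incoming Work Dir = /var/spool/MailScanner/incoming

Quarantine Dir = /var/spool/MailScanner/quarantine

PID file = /var/run/MailScanner/MailScanner.pid

# Seconds before each child is recycled (4 hours).
Restart Every = 14400

MTA = postfix

Sendmail = /usr/sbin/sendmail

Sendmail2 = /usr/sbin/sendmail -DOUTGOING

# Empty user/group = same as Run As User/Group. 0600 keeps unpacked message
# parts and quarantined files private to that user; a quarantine viewer
# (e.g. MailWatch) running under another account needs a shared group here
# plus 0660.
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600

Quarantine User =
Quarantine Group =

Quarantine Permissions = 0600

# Per-batch limits; these bound the memory/disk one child can consume.
Max Unscanned Bytes Per Scan = 300m
Max Unsafe Bytes Per Scan = 150m
Max Unscanned Messages Per Scan = 2000
Max Unsafe Messages Per Scan = 2000

Max Normal Queue Size = 1600

Scan Messages = yes

# Presumably sends the Rejection Report (configured further down) to the
# sender when set to yes. Keep it off: sender addresses on blocked mail are
# routinely forged, so rejection notices are backscatter.
Reject Message = no

Maximum Attachments Per Message = 200

# TNEF (winmail.dat) handling via an external expander. FIX: the option had
# been turned into a typographic en dash ("–maxsize"), which tnef does not
# understand; it must be the ASCII "--maxsize". The size cap limits how far
# a crafted TNEF blob can expand on disk.
Expand TNEF = yes

Use TNEF Contents = replace

Deliver Unparsable TNEF = no

TNEF Expander = /usr/bin/tnef --maxsize=100000000

TNEF Timeout = 120

# External helpers, each with a timeout so one crafted attachment cannot
# hang a scanning child indefinitely.
File Command = /usr/bin/file

File Timeout = 20

Gunzip Command = /bin/gunzip

Gunzip Timeout = 50

Unrar Command = /usr/bin/unrar

Unrar Timeout = 50

# NOTE(review): with this off, uuencoded blobs in message bodies are not
# split out as attachments, so the filename/filetype rules presumably never
# see them -- confirm against the MailScanner docs for this version.
Find UU-Encoded Files = no

# Message size limit is decided per rule file; -1 = no attachment limit.
Maximum Message Size = %rules-dir%/max.message.size.rules

Maximum Attachment Size = -1

Minimum Attachment Size = -1

# 0 disables MailScanner's own unpacking of zip/rar/Office containers, so
# the filename/filetype rules further down never see files INSIDE archives
# (the virus engine's own archive handling is a separate matter). Raise
# this (e.g. 2) if those rules are expected to cover archived attachments.
Maximum Archive Depth = 0

# Recognise archives by magic bytes rather than trusting the extension.
Find Archives By Content = yes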

#
# Virus Scanning and Vulnerability Testing
# ----------------------------------------
#
# NOTE(review): as written, NO anti-virus engine runs at all -- "Virus
# Scanning = no" and "Virus Scanners = none". Every virus-related setting
# in this group (silent viruses, disinfection, encrypted-message blocking)
# is therefore inert. The Sophos notes later on this page set
# "Virus Scanners = sophossavi"; apply that together with
# "Virus Scanning = yes" once the engine is installed, or accept that this
# host only does spam and content filtering.
Virus Scanning = no

Virus Scanners = none

# Seconds a scanner run may take before the batch is treated as failed.
Virus Scanner Timeout = 300

# Never forward "cleaned" files to recipients; the infected part is
# quarantined instead (see Quarantine Infections further down).
Deliver Disinfected Files = no

# Infections for which no sender notification is generated because their
# sender addresses are normally forged. "All-Viruses" matches everything,
# so in effect nobody is ever notified about a virus.
Silent Viruses = HTML-IFrame All-Viruses

# "no" = a message carrying a silent virus is dropped rather than delivered
# with the infected part removed.
Still Deliver Silent Viruses = no

# Exceptions to the assumption that a virus forges its sender.
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

# Encrypted mail cannot be scanned; it is allowed through here. The only
# opaque-content block that is enabled is password-protected archives.
Block Encrypted Messages = no

Block Unencrypted Messages = no

Allow Password-Protected Archives = no

#
# Options specific to ClamAV
# (the heading originally said "Sophos", but every key in this group is a
# ClamAV / ClamAVmodule setting; the Sophos settings live in the site notes
# further down this page)
# --------------------------
#

# Files whose modification tells MailScanner that signatures were updated
# so the children can be restarted with the new definitions.
Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* /var/lib/clamav/*.cvd

# Decompression-bomb guards for the in-process ClamAV module: nesting
# depth, file count, unpacked size and compression ratio. These only take
# effect once a ClamAV engine is actually listed in "Virus Scanners".
ClamAVmodule Maximum Recursion Level = 8

ClamAVmodule Maximum Files = 6800

ClamAVmodule Maximum File Size = 800000000 # (800 Mbytes)

ClamAVmodule Maximum Compression Ratio = 250

#
# Removing/Logging dangerous or potentially offensive content
# -----------------------------------------------------------
#

Dangerous Content Scanning = yes

# message/partial and message/external-body let a sender split or defer
# the payload past the scanner; keep both blocked.
Allow Partial Messages = no

Allow External Message Bodies = no

# Phishing detection: flag links whose visible text and real target
# disagree, including numeric-IP targets. "Stricter" raises sensitivity
# (and false positives); exceptions go in the safe-sites file.
Find Phishing Fraud = yes

Also Find Numeric Phishing = yes

Use Stricter Phishing Net = yes

Highlight Phishing Fraud = yes

Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

Country Sub-Domains List = %etc-dir%/country.domains.conf

# Active HTML is disarmed (tag neutralised, message still delivered)
# rather than blocked. "disarm" for web bugs swaps the tracking image for
# the replacement URL below.
Allow IFrame Tags = disarm

Allow Form Tags = disarm

Allow Script Tags = disarm

Allow WebBugs = disarm

Ignored Web Bug Filenames =

# NOTE(review): this replacement image lives on a third-party host
# (www.mailscanner.info), so every recipient who opens a disarmed message
# still makes an outbound request that reveals their IP and read time to
# that host -- the very leak web-bug disarming is meant to stop. Point
# this at a 1x1 GIF served from your own web server instead.
Web Bug Replacement = http://www.mailscanner.info/images/1x1spacer.gif

Allow Object Codebase Tags = disarm

# HTML is kept as HTML; either of these set to yes strips all markup.
Convert Dangerous HTML To Text = no

Convert HTML To Text = no

#
# Attachment Filename Checking
# ----------------------------
#

# Inline allow/deny lists are empty; all decisions come from the two rule
# files. Remember that "Maximum Archive Depth = 0" above means these rules
# are not applied to files inside archives.
Allow Filenames =

Deny Filenames =

Filename Rules = %etc-dir%/filename.rules.conf

Allow Filetypes =

Filetype Rules = %etc-dir%/filetype.rules.conf

#
# Reports and Responses
# ---------------------
#

# Infected attachments are kept; silent viruses, modified bodies and whole
# messages are not. With "Quarantine Whole Message = no" only the
# offending part is retained -- enough to release a file, not enough to
# reconstruct the full message for an investigation (the Sophos notes
# further down this page switch both whole-message options to yes).
Quarantine Infections = yes

Quarantine Silent Viruses = no

Quarantine Modified Body = no

Quarantine Whole Message = no

Quarantine Whole Messages As Queue Files = no

Keep Spam And MCP Archive Clean = no

Language Strings = %report-dir%/languages.conf

Rejection Report = %report-dir%/rejection.report.txt

# Report templates substituted into replacement attachments and notices.
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt

Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Stored Size Message Report = %report-dir%/stored.size.message.txt

Disinfected Report = %report-dir%/disinfected.report.txt

Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt

Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt

Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Sender Size Report = %report-dir%/sender.size.report.txt

# Do not leak the local work-directory path into user-facing reports.
Hide Incoming Work Dir = yes

# Reports name the AV product in use -- convenient, but it also tells a
# sender exactly which engine to evade.
Include Scanner Name In Reports = yes

# Header names. NOTE(review): %org-name% is not defined anywhere in the
# part of this file shown here; it must be set near the top (the site
# notes on this page use "yoursite").
Mail Header = X-%org-name%-MailScanner:

Spam Header = X-%org-name%-MailScanner-SpamCheck:

Spam Score Header = X-%org-name%-MailScanner-SpamScore:

# Recording the envelope sender helps tracing. Keep the envelope-recipient
# header OFF: "yes" would write every envelope recipient into the
# delivered message and expose Bcc addresses.
Add Envelope From Header = yes

Add Envelope To Header = no

Envelope From Header = X-%org-name%-MailScanner-From:

Envelope To Header = X-%org-name%-MailScanner-To:

# The spam score is rendered as a run of this character.
Spam Score Character = s

SpamScore Number Instead Of Stars = no

Minimum Stars If On Spam List = 0

Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected

Information Header Value = Please contact the ISP for more information

Detailed Spam Report = yes

Include Scores In SpamAssassin Report = yes

Always Include SpamAssassin Report = yes

# Headers left by earlier MailScanner hops are kept and ours appended.
Multiple Headers = append

# $HOSTNAME is expanded at runtime, so the internal host name of this
# gateway ends up in every outgoing header; use a generic string if that
# is not something you want advertised.
Hostname = the %org-name% ($HOSTNAME) MailScanner

Sign Messages Already Processed = no

# A signature is appended to every clean message (the site notes on this
# page turn this off).
Sign Clean Messages = yes

Mark Infected Messages = yes

# Presumably the header recipients will see while "Virus Scanning = no"
# is in force above -- confirm with a test message.
Mark Unscanned Messages = yes

Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details

# Client-side status headers are stripped on the way through.
# NOTE(review): consider also listing the X-Spam-Flag: header that the
# spam actions further down set, so a sender cannot pre-seed the verdict
# -- confirm these removals happen before MailScanner adds its own headers.
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:

Deliver Cleaned Messages = yes

#
# Notifications back to the senders of blocked messages
# -----------------------------------------------------
#

# Master switch: while this is "no" none of the per-category "Notify
# Senders Of ..." settings below have any effect. Leave it off unless you
# accept the backscatter -- sender addresses on blocked mail are routinely
# forged, so each notification is a bounce to an innocent third party.
Notify Senders = no

Notify Senders Of Viruses = no

Notify Senders Of Blocked Filenames Or Filetypes = yes

Notify Senders Of Other Blocked Content = yes

# Never reply to list/bulk traffic even when notifications are on.
Never Notify Senders Of Precedence = list bulk

#
# Changes to the Subject: line
# ----------------------------
#

# Subject tags per category. Low- and high-scoring spam get the same
# {Spam?} tag, so a client-side rule cannot tell them apart by subject
# (use the X-Spam-Flag / score headers instead).
Scanned Subject Text = {Scanned}

Virus Modify Subject = yes

Virus Subject Text = {Virus?}

Filename Modify Subject = yes

Filename Subject Text = {Filename?}

Content Modify Subject = yes

Content Subject Text = {Dangerous Content?}

Size Modify Subject = yes

Size Subject Text = {Size}

Disarmed Modify Subject = yes

Disarmed Subject Text = {Disarmed}

# Phishing hits are highlighted in the body ("Highlight Phishing Fraud"
# above) but the subject is left alone.
Phishing Modify Subject = no

Phishing Subject Text = {Fraud?}

Spam Modify Subject = yes

Spam Subject Text = {Spam?}

High Scoring Spam Modify Subject = yes

High Scoring Spam Subject Text = {Spam?}

#
# Changes to the Message Body
# ---------------------------
#

# Warnings about removed attachments are delivered as a separate text
# attachment rather than inlined into the body.
Warning Is Attachment = yes

Attachment Warning Filename = %org-name%-Attachment-Warning.txt

# Charset declared on that attachment. NOTE(review): the site notes on
# this page switch to a Chinese report set (reports/tw); Latin-1 will not
# render those -- confirm the charset matches the report files in use.
Attachment Encoding Charset = ISO-8859-1

#
# Mail Archiving and Monitoring
# -----------------------------
#

# Empty = nothing is archived. If this is ever set, every message (clean
# or not) is copied there, so treat it as a retention/privacy decision,
# not a debugging aid.
Archive Mail =

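#
# Notices to System Administrators
# --------------------------------
#

# Admin notices are generated for viruses and blocked content. They carry
# the full original headers and the (unhidden) incoming work directory
# path, which is acceptable for a postmaster-only audience but means
# "Notices To" must never point at an external or shared mailbox.
Send Notices = yes

Notices Include Full Headers = yes

Hide Incoming Work Dir in Notices = no

# FIX: the signature separator had been turned into a typographic em dash
# ("—"). The separator mail clients recognise is two ASCII hyphens and a
# space ("-- "); MailScanner expands \n to a newline in this value.
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info

Notices From = MailScanner

Notices To = postmaster

Local Postmaster = postmaster

#
# Spam Detection and Virus Scanner Definitions
# --------------------------------------------
#

# Both files are read at startup; virus.scanners.conf maps the scanner
# names usable in "Virus Scanners" (e.g. sophossavi) to their wrapper
# commands and install paths.
Spam List Definitions = %etc-dir%/spam.lists.conf

Virus Scanner Definitions = %etc-dir%/virus.scanners.conf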

#
# Spam Detection and Spam Lists (DNS blocklists)
# ----------------------------------------------
#

Spam Checks = yes

# No DNSBL is queried by MailScanner itself: everything after the first
# "#" is a comment. The site notes on this page argue for doing RBL
# checks in the MTA instead, which rejects before the body is accepted.
# NOTE(review): ORDB-RBL is long defunct (reportedly it ended up listing
# every address queried); do not re-enable that one.
Spam List = # # ORDB-RBL SBL+XBL # You can un-comment this to enable them

Spam Domain List =

# One listing is enough to call a message spam; three for high-scoring.
Spam Lists To Be Spam = 1

Spam Lists To Reach High Score = 3

# Lists that exceed the timeout too often are presumably skipped until
# restart, so a dead DNSBL cannot hold mail hostage.
Spam List Timeout = 10

Max Spam List Timeouts = 7

Spam List Timeouts History = 10

# Sender whitelist that bypasses ALL spam checks. It matches on easily
# forged data (From / envelope sender), so keep the file short and never
# whitelist your own domain.
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

Is Definitely Spam = no

Definite Spam Is High Scoring = no

# Mail to more than this many recipients is scanned even when the sender
# is whitelisted, limiting the damage of a forged whitelisted sender.
Ignore Spam Whitelist If Recipients Exceed = 20

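#
# SpamAssassin
# ------------
#
# FIX: two stray lines containing only "." had crept into this group
# (after "Max SpamAssassin Size" and "SpamAssassin Auto Whitelist"); they
# are not "key = value" lines and have been removed.
Use SpamAssassin = yes

# Only the first 30000 bytes of a message are handed to SpamAssassin;
# larger messages are truncated for scoring. Keeps CPU bounded, but a
# bulky message can push its payload past the cut.
Max SpamAssassin Size = 30000

Required SpamAssassin Score = 6.3

High SpamAssassin Score = 10

# AWL adjusts scores per sender address; a warmed-up or forged sender can
# lower its own score, so watch AWL hits in the spam reports.
SpamAssassin Auto Whitelist = yes

# Timeout handling: after too many timeouts in the recent history
# SpamAssassin is presumably skipped until restart, and mail then flows
# unscored -- alert on that condition.
SpamAssassin Timeout = 30

Max SpamAssassin Timeouts = 10

SpamAssassin Timeouts History = 30

Check SpamAssassin If On Spam List = yes

Spam Score = yes

# Results are cached in a DB file inside the incoming work dir (same
# owner and 0600 permissions as the work files).
Cache SpamAssassin Results = yes

SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db

# 0 = MailScanner never triggers a Bayes rebuild itself.
Rebuild Bayes Every = 0

Wait During Bayes Rebuild = no

#
# Custom Spam Scanner Plugin
# --------------------------
#
# Disabled; the size/timeout settings only apply once it is turned on.
Use Custom Spam Scanner = no

Max Custom Spam Scanner Size = 20k

Custom Spam Scanner Timeout = 20

Max Custom Spam Scanner Timeouts = 10

Custom Spam Scanner Timeout History = 20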

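#
# What to do with spam
# --------------------
#
# FIX: the header values below were written with a typographic opening
# quote (“) and an ASCII closing quote ("); the "header" action needs a
# matched pair of ASCII double quotes or the value is mangled.
#
# All three classes are delivered; the only difference is the X-Spam-Flag
# header, so every downstream filter keys off that header. SECURITY: an
# inbound message can already carry its own "X-Spam-Flag: No". Strip
# incoming X-Spam-Flag (and the X-...-MailScanner headers) at the MTA or
# via "Remove These Headers" above before scanning; otherwise which of
# two duplicate headers a downstream filter honours decides the verdict.
Spam Actions = deliver header "X-Spam-Flag: Yes"

High Scoring Spam Actions = deliver header "X-Spam-Flag: Yes"

Non Spam Actions = deliver header "X-Spam-Flag: No"

Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt

Inline Spam Warning = %report-dir%/inline.spam.warning.txt

Recipient Spam Report = %report-dir%/recipient.spam.report.txt

# Whether spam is bounced to its (usually forged) sender is decided per
# rule file. Bouncing spam is backscatter; make sure bounce.rules ends in
# a default of "no".
Enable Spam Bounce = %rules-dir%/bounce.rules

Bounce Spam As Attachment = no

#
# Logging
# -------
#

Syslog Facility = mail

Log Speed = yes

# Spam and non-spam verdicts are not logged, so there is no syslog record
# from which to reconstruct why a message was tagged. Enable "Log Spam"
# at least if incidents need to be traced after the fact.
Log Spam = no

Log Non Spam = no

Log Permitted Filenames = no

Log Permitted Filetypes = no

Log Silent Viruses = no

Log Dangerous HTML Tags = no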

#
# Advanced SpamAssassin Settings
# ------------------------------
#
# If you are using Postfix you may well need to use some of the settings
# below, as the home directory for the "postfix" user cannot be written
# to by the "postfix" user.
# You may also need to use these if you have installed SpamAssassin
# somewhere other than the default location.
#

# Bayes DB, AWL and other per-user SpamAssassin state live here and must
# be writable by the Run As User (postfix). The commented alternative is a
# leftover from another layout; only one of the two should be active.
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
#SpamAssassin User State Dir = /var/lib/MailScanner

# NOTE(review): this is normally the installation prefix (e.g. /usr), not
# the bin directory -- confirm /usr/bin is what was intended.
SpamAssassin Install Prefix = /usr/bin

SpamAssassin Site Rules Dir = /etc/mail/spamassassin

SpamAssassin Local Rules Dir =

# Empty value ("# /var/lib" is a comment), i.e. SpamAssassin's default.
SpamAssassin Local State Dir = # /var/lib

SpamAssassin Default Rules Dir =

#
# MCP (Message Content Protection)
# --------------------------------
#
# This scans text and HTML messages segments for any banned text, using
# a 2nd copy of SpamAssassin to provide the searching abilities.
# This 2nd copy has its own entire set of rules, preferences and settings.
# When used together with the patches for SpamAssassin, it can also check
# the content of attachments such as office documents.
#
# See http://www.mailscanner.info/mcp.html for more info.
#

# MCP is switched off; everything in this group is inert until it is
# enabled. Even then all three action settings are plain "deliver", so
# MCP would only tag, never block.
MCP Checks = no

First Check = mcp

# The rest of these options are clones of the equivalent spam options
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1

MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no

MCP Modify Subject = yes
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {MCP?}

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no

MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10

# The second SpamAssassin instance is rooted entirely under %mcp-dir%.
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

#
# Advanced Settings
# -----------------
#
# Don't bother changing anything below this unless you really know
# what you are doing, or else if MailScanner has complained about
# your "Minimum Code Status" setting.
#

Use Default Rules With Multiple Recipients = no

Spam Score Number Format = %d

# Written by the installer to match the installed code; do not edit by
# hand. (The install notes on this page refer to a newer 4.66.x package,
# so this value may simply be stale on the page.)
MailScanner Version Number = 4.55.10

SpamAssassin Cache Timings = 1800,300,10800,172800,600

# Debug processes a single batch in the foreground and is very verbose;
# never leave either switch on in production.
Debug = no

Debug SpamAssassin = no

Run In Foreground = no

# Hooks for Custom Functions (the MailWatch notes on this page set
# "Always Looked Up Last = &MailWatchLogging").
Always Looked Up Last = no

Always Looked Up Last After Batch = no

Deliver In Background = yes

Delivery Method = batch

Split Exim Spool = no

Lockfile Dir = /var/lock/subsys/MailScanner

# SECURITY: Perl modules in this directory are loaded and executed by
# MailScanner itself (as the Run As User). It must be owned by root and
# writable by nobody else, or it is a code-execution path into the mail
# gateway.
Custom Functions Dir = /etc/MailScanner/CustomFunctions

# Empty = choose the locking style appropriate to the MTA.
Lock Type =

# Refuse to load scanner/MTA support code below this stability level.
Minimum Code Status = supported


MailScanner – Sophos Virus Engine Update

每隔一段時間 Sophos 的 Virus Engine 及病毒碼每隔一個月就會更新一個小版本,同時他只保留三個版本,所以每隔三個月,原本我們使用的病毒碼就下載不到,需要使用新的版本。

下面是 Sophos 最新的病毒碼版本 http://www.sophos.com/downloads/ide/

Sophos Anti-Virus version Number of IDEs
IDEs for SAV version 200812 (4.36)
Current CD and web version
194
IDEs for SAV version 200811 (4.35) 365
IDEs for SAV version 200810 (4.34) 532

如果你看到你的 maillog 出現 “Ignored SophosSAVI ‘The main body of virus data is out of date" 就表示你的病毒碼已經過期了。為了使用新的版本的病毒碼,就得先更新 Virus Engine 的版本。
我們來看一下 Sophos 的 Virus Engine 的資訊吧

[root@tcmta01 log]# sweep -v | more
SWEEP virus detection utility
Copyright (c) 1989-2008 Sophos Plc, http://www.sophos.com

System time 10:15:51 AM, System date 10 December 2008

Product version : 4.36.0
Engine version : 2.81.2
Virus data version : 4.36
User interface version : 2.07.216
Platform : Linux/Intel
Released : 01 December 2008
Total viruses (with IDEs) : 561455

目前 Product verison 與 Virus data version 都是 4.36

安裝之前

0. 下載最新的 Sophos Virus Engine 及 IDE
http://downloads.sophos.com/dp/full/linux.intel.libc6.glibc.2.2.tar.Z
http://www.sophos.com/downloads/ide/436_ides.zip

1. 先停掉 MailScanner
/etc/init.d/MailScanner stop

2. 清除 /usr/local/sav
rm -fr /usr/local/sav/*

更新 Virus Engine

#tar xvf linux.intel.libc6.glibc.2.2.tar.Z
#cd sav-install
#./install.sh -so -v
(ps. -so 參數會建立 libsavi.so 的 link)
程式及病毒碼會安裝在 /usr/local/sav, Library 安裝在 /usr/local/lib

更新病毒碼
#mv 436.zip /usr/local/sav
#cd /usr/local/sav
#unzip 436.zip

重新啟動 MailScanner
/etc/init.d/MailScanner start

ps. Sophos依glibc分成數個版本,像libc5使用libc5.tar.Z,
Redhat 7.0之前的glibc2.2之前使用標準的libc6.glibc.tar.Z
Redhat9.0 和 RedHat Enterprise 4.0則使用libc6.glibc2.2.tar.Z
http://downloads.sophos.com/dp/full/linux.intel.libc6.tar.Z

MailScanner 建置心得

  1. 由 MTA 處理 RBL , 及選擇性灰名單

在 MTA 階段的處理是非常重要的,如果在還沒將整封垃圾信收下前就阻擋,將可大大減輕系統負擔。我的經驗是 “RBL + 選擇性灰名單" 足以讓系統減輕將近 75% 的流量,等於是減輕 MailScanner 負擔,並提高 MailScanner 系統效能。若是在 MailScanner 使用 RBL ,等於信件收近來了才檢查,比較耗效能。

2. 建置過程由寬到緊
MailServer 信件進不來是大忌,寧可慢慢來,建立使用者信心。每次調整前,需做完整的測試才上線。如果對某個功能不了解,請了解後再調整。

3. 勿隨便調整系統內定評分
評分亂調常會干擾系統運作不正常,建議收集公司經常使用之白名單。

4. 準備測試環境
上線後,不管是跟改設定或是升級 MailScanner,建議要先在測試環境試看看,誰也不能保證自己每次做的都是對的,但如果做錯了,可是會降低自己的信用喔!

選擇性灰名單/ selective greylisting

傳統灰名單的作法

1.垃圾郵件發信-> 郵件主機.
2.郵件主機會請他稍後再寄(這個是發生在第一次跟公司寄信)
3.若為一般郵件主機會在稍後寄一次進來,這時主機會記住他的發信地的 IP。
4.若是垃圾郵件主機,為了時效,反倒就會跳過你的主機下一站傳送。
5.對於記憶的郵件主機網址,會保留固定的天數再釋放。

此為傳統灰名單機制,優點是可以有效阻擋 SPAM 大量寄送,
進而減少 SPAM Mail 所消耗頻寬,增加 Mail Server 可靠度。
缺點是讓第一次寄進來的正常信件,可能會延遲寄送半小時到一小時左右。
由於傳統灰名單的缺點。

為了解決傳統灰名單缺點,新的 “選擇性灰名單/selective greylisting" 解決方案產生。
選擇性灰名單則針對以下具有爛發垃圾信主機特性做 Greylist,
Ex “撥接 IP", “無網域名稱(No DNS)", “網域名稱過長"(四個點以上, aaa.bbb.ccc.com.tw) ,
一般具有合法名稱的郵件主機不做 Greylist,不會受到影響。
所以可以達到阻擋廣告信主機的大量寄送,亦不會影響到正常信件的寄送。

以下為作法

1. 先安裝 postgrey

可以參考 CentOS Wiki <>
http://wiki.centos.org/HowTos/postgrey
至於重送秒數,一般是預設是五分鐘,上面文章是建議 60 秒,以不影響正常郵件運作。
但由於我們是用選擇性的 postgrey ,正常的 mail server 不會影響,
只會影響一些奇奇怪怪的 mail server , 所以我自己是稍微增加 設成 120s

選擇性 postgrey 就參考下面這篇
http://www.arschkrebs.de/postfix/postfix_greylisting.shtml

MailScanner 原廠最新文件

這是 MailScanner 原廠的文件,主要由 FSL 提供

以下文件並沒有出現在網頁,而是透過 Google 挖出來的,而且是最新版。

MailScanner 手冊
http://www.fsl.com/support/MailScanner-Manual-Version-1.0.5.pdf

MailWatch 手冊
http://www.fsl.com/support/mailwatch-documentation-1.03.pdf

DefenderMX 是 FSL 所推出的產品,文件的說明雖大致於 MailScanner 相同,
但其設定值卻是值得我們所參考的。
http://www.fsl.com/docs/DefenderMX-manual.1.9.pdf

MailScanner 設定 for Postfix 筆記(未完)

0. 基本資訊
%org-name% = yoursite
%org-long-name% = Your Organisation Name Here
%web-site% = http://www.your-organisation.com

1. report
%report-dir% = /etc/MailScanner/reports/tw

2. MTA 相關設定
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming

3. 掃描附件設定
Maximum Archive Depth = 0

Maximum Archive Depth 是 MailScanner 拆解附件壓縮檔 (zip/rar/Office 檔) 的最大層數。注意：設為 0 並不是「不限制」，而是完全不拆解壓縮檔，壓縮檔內的檔案就不會套用 filename/filetype rules 的檢查 (大多數掃毒引擎仍會自行拆解壓縮檔掃毒，這點不受影響)。mailout 設為 0 是為了避免誤擋造成困擾，但等於放棄對壓縮檔內容的檔名/檔型過濾，請自行權衡。

4. 掃毒程式 for sophossavi

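Virus Scanners = sophossavi
# Deliver messages that carried a "silent" virus (with the infected part
# removed) instead of silently dropping them.
Still Deliver Silent Viruses = yes
# Sophos scan errors that are ignored, i.e. the message is delivered even
# though the engine could not fully inspect it. FIX: the original listing
# used typographic quotes and was line-wrapped in the middle of "virus";
# both break the value. SECURITY: this list is fail-open -- encrypted,
# password-protected and corrupt attachments go through unscanned, and
# "The main body of virus data is out of date" means mail keeps flowing
# with stale signatures. Keep the IDE auto-update working and alert on
# that log message rather than relying on this entry.
Allowed Sophos Error Messages = "corrupt", "format not supported", "File was encrypted", "The main body of virus data is out of date", "Password protected file"
Sophos IDE Dir = /usr/local/sav
Sophos Lib Dir = /usr/local/lib
# Watched for changes so children pick up new signatures; the pattern
# must match the unpacked *.ide files, not the downloaded zip.
Monitors For Sophos Updates = /usr/local/sav/*.ide
# Keep the entire original message (as an MTA queue file, so it can be
# released later) rather than just the infected part. It is stored under
# the quarantine dir with the 0600 permissions set in the main config.
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes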

說明:
Virus Scanners 指定掃毒引擎
Still Deliver Silent Viruses 是否遞送 Silent Viruses
Allowed Sophos Error Messages 列出哪些 Sophos 掃描錯誤可以被忽略而照常遞送：例如 Excel 檔案加密時 Sophos 會回報 File was encrypted 而無法掃描，不列入允許清單這封信就會被擋下。注意這是 fail-open 的設定——特別是 "The main body of virus data is out of date"，允許它表示病毒碼過期時信件仍會在未經有效掃描的情況下送出；建議搭配前面的 Sophos 自動更新，並在 maillog 出現這個訊息時立即處理，而不是靠這一行讓信「過得去」。

5. SpamAssassin 設定
Sign Clean Messages = no
Spam Score Character = *
SpamScore Number Instead Of Stars = yes

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

6. MailWatch 設定
Always Looked Up Last = &MailWatchLogging

[收錄] Razor 說明

原本的文章是發佈於 Debian@TW
http://www.debian.org.tw/index.php/Razor

但這個站目前是沒有運作 所以趕緊把文章從 Google cache 搶救回來

——————————————————————————–

Razor

From DebianWiki
目錄

* 1 所需套件
* 2 簡介
* 3 設定 Razor
* 4 測試 Razor
* 5 將已知垃圾郵件之指紋碼上傳至 Razor 之線上資料庫

[編輯]
所需套件

razor
[編輯]
簡介

Vipul’s Razor 是一種線上的垃圾郵件比對資料庫。
它會計算已知垃圾郵件之指紋碼 (使用 SHA 雜湊演算法),然後存至 Razor 之線上資料庫中。而 SpamAssassin 可以經由查詢 Razor 之線上資料庫來判斷該封郵件是否為垃圾郵件。
[編輯]
設定 Razor

安裝完 Razor 套件後,以 amavis 身份(執行 SpamAssassin 之帳號)執行以下指令:

razor-client
razor-admin -create

它會建立 /var/lib/amavis/.razor 目錄,並在此寫入一些設定檔。而 Razor 將依這些設定來進行比對垃圾郵件。

然後,修改 SpamAssassin 的設定檔 /etc/mail/spamassassin/local.cf 如下:

# 是否使用 Razor version 2
use_razor2 1

這樣 SpamAssassin 就會查詢 Razor 之線上資料庫來過濾垃圾郵件了。

另外,Razor 將會對外連線至 Razor 線上資料庫的 TCP 2703 和 7 這兩個 Port。在設定防火牆時要記得打開。
[編輯]
測試 Razor

一樣,寄封測試用的垃圾郵件吧:

# telnet 127.0.0.1 25
Connected to 127.0.0.1.
Escape character is ‘^]’.
220 qemu ESMTP Postfix (Debian/GNU)
MAIL FROM:<tetralet@example.net>
250 Ok
RCPT TO:<tetralet@virtual.com>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test spam mail (GTUBE)

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
250 Ok: queued as 0C3E9C906B
QUIT
221 Bye
Connection closed by foreign host.

看看這封郵件是否真的被判定為垃圾郵件了:

From tetralet@example.net Sat Oct 30 15:26:30 2004
Return-Path: <tetralet@example.net>
X-Original-To: tetralet@virtual.com
Delivered-To: tetralet@virtual.com
Received: from localhost (localhost.localdomain [127.0.0.1])
by qemu.virtual.com (Postfix) with ESMTP id F0828A06E
for ; Sat, 30 Oct 2004 15:26:29 +0800 (CST)
Received: from qemu.virtual.com ([127.0.0.1])
by localhost (qemu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 00565-02 for ;
Sat, 30 Oct 2004 15:26:28 +0800 (CST)
Received: by qemu.virtual.com (Postfix, from userid 103)
id 6D819A06F; Sat, 30 Oct 2004 15:26:27 +0800 (CST)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by qemu.virtual.com (Postfix) with SMTP id AF694A06E
for ; Sat, 30 Oct 2004 15:26:04 +0800 (CST)
Subject: *****SPAM***** Test spam mail (GTUBE)
Message-Id:
Date: Sat, 30 Oct 2004 15:26:04 +0800 (CST)
From: tetralet@example.net
To: undisclosed-recipients: ;
X-Spam-DCC: dcc.uncw.edu: qemu 1201; Body=101 Fuz1=611
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on qemu.virtual.com
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=1007.0 required=5.0 tests=AWL,DNS_FROM_RFCI_DSN,
GTUBE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,RAZOR2_CF_RANGE_51_100,
RAZOR2_CHECK autolearn=no version=2.64
X-Spam-Report:
* 0.3 NO_REAL_NAME From: does not include a real name
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
* [cf: 100]
* 2.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 3.3 MSGID_FROM_MTA_SHORT Message-Id was added by a relay
* 1.4 DNS_FROM_RFCI_DSN RBL: From: sender listed in dsn.rfc-ignorant.org
* -2.0 AWL AWL: Auto-whitelist adjustment
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at virtual.com

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

如果一切沒問題,那就大功告成囉∼∼
[編輯]
將已知垃圾郵件之指紋碼上傳至 Razor 之線上資料庫

我們也可以將我們手上的垃圾郵件提交給 Razor 線上資料庫。首先,我們得要先從 Razor 線上資料庫得到一組帳號密碼:

razor-admin -register -user postmaster@domain.com

然後… 嗯… 未完待續…加油加油

取自"http://wiki.debian.org.tw/index.php/Razor"

本頁面已經被瀏覽3,943次。 最後更改16:51 2006年十二月12日. 本站所有內容允許以下方式利用: GNU Free Documentation License 1.2

MailScanner 除錯

MailScanner

訊息
None of the files matched by the “Monitors For Sophos Updates" patterns
這表示 /usr/local/sav 下沒有任何檔案符合 Monitors For Sophos Updates 的樣式 (例如 /usr/local/sav/*.ide)。通常是下載了 ***_ides.zip 卻沒有解壓縮，或是放錯目錄；MailScanner 是靠這些檔案的異動來偵測病毒碼已更新，符合不到就不會察覺有新的 pattern。

MailScanner – Filter 安裝

spamassassin 有一些常用的 filter 可以搭配
以下是比較有名的,如 Vipul's Razor, Pyzor, DCC

Vipul’s Razor
http://razor.sourceforge.net/

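# Build and install the Razor SDK and agents from source (run as root).
wget http://nchc.dl.sourceforge.net/sourceforge/razor/razor-agents-sdk-2.07.tar.bz2
tar xjvf razor-agents-sdk-2.07.tar.bz2
cd razor-agents-sdk-2.07
perl Makefile.PL
make
make test
make install

wget http://nchc.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.bz2
tar -xjvf razor-agents-2.84.tar.bz2
cd razor-agents-2.84
perl Makefile.PL
make
make test
make install

# FIX: create and register the Razor configuration AS THE USER SPAMASSASSIN
# RUNS UNDER, not as root. razor-admin writes its config and identity into
# the invoking user's Razor home; MailScanner calls SpamAssassin as
# "Run As User = postfix", which cannot read root's ~/.razor, and the
# postfix account's own home is not writable by it (see the SpamAssassin
# User State Dir comments in mailscanner.conf). So point -home at a
# directory that user owns, and tell SpamAssassin where it is with
# "razor_config <dir>/razor-agent.conf" in local.cf -- TODO confirm the
# option name against the installed SpamAssassin version.
su -s /bin/sh postfix -c 'razor-admin -home=/var/spool/MailScanner/spamassassin/.razor -create'
su -s /bin/sh postfix -c 'razor-admin -home=/var/spool/MailScanner/spamassassin/.razor -register -user postmaster@your.domain'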

Pyzor
http://pyzor.sourceforge.net/
#wget http://nchc.dl.sourceforge.net/sourceforge/pyzor/pyzor-0.4.0.tar.bz2
#tar xjvf pyzor-0.4.0.tar.bz2
#cd pyzor-0.4.0
#python setup.py build
#python setup.py install

DCC Filter 安裝
DCC – Distributed Checksum Clearinghouse
http://www.rhyolite.com/anti-spam/dcc/
注意:dcc 需要安裝 sendmail-devel 才能 make 成功

#wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
#tar zxvf dcc.tar.Z
#cd dcc-1.3.86
#./configure
#make
#sudo make install

cp /var/dcc/libexec/rcDCC /etc/init.d/DCC

[CentOS] Mailscanner system 安裝篇

此篇以安裝 MailScanner 在 CentOS5

1.1 [安裝 Sophos]
Sophos AntiVirus For Linux 目前版本為 v4.26.0
http://downloads.sophos.com/dp/full/linux.intel.libc6.glibc.2.2.tar.Z

ps. Sophos依glibc分成數個版本,像libc5使用libc5.tar.Z,
redhat 7.0之前的glibc2.2之前使用標準的libc6.glibc.tar.Z
Redhat9.0 和 RedHat Enterprise 4.0則使用libc6.glibc2.2.tar.Z
http://downloads.sophos.com/dp/full/linux.intel.libc6.tar.Z

Redhat Enterprise 5 請再安裝 compat-glibc, compat-glibc-headers 以支援 glibc2.2

#tar xvf linux.intel.libc6.glibc.2.2.tar.Z
#cd sav-install
#./install.sh -so -v
(ps. -so 參數會建立 libsavi.so 的 link)
程式及病毒碼會安裝在 /usr/local/sav, Library 安裝在 /usr/local/lib

軟體本身會附病毒碼,目前版本為 426, 病毒碼網址如下
http://www.sophos.com/downloads/ide/426_ides.zip

1.2 [Sophos ide update]
我們可以透過 Mark Martinec 提供的 Perl Script – Sophos ide update 自動更新
網址: http://www.ijs.si/software/sophos-ide-update
最新版本為 1.4
http://www.ijs.si/software/sophos-ide-update/sophos-ide-update_1.4.tar.gz

1.3 [SAVI-Perl]
Perl SAVI Module–是一個Sophos本身的perl模組
http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/dist/SAVI-Perl-0.30.tar.gz
請先設好環境變數, 等會在做 make test 時候結果才會正確、成功
#export LD_LIBRARY_PATH=/usr/local/lib (只對目前這個 shell 有效；由 init script 啟動的 MailScanner 通常不會讀 /etc/profile，所以不要只靠這一行)
#echo /usr/local/lib >> /etc/ld.so.conf (如果已經有了就不用加；加完務必執行 ldconfig 重建 library 快取，之後 make test 和 MailScanner 才找得到 libsavi.so)

#tar zxvf SAVI-Perl-0.30.tar.gz
#cd SAVI-Perl-0.30
#perl Makefile.PL
#make
#make test
#make install

如果無法 make ,請建立一個 libsavi.so 指向 libsavi.so.3.2.XX.XXX 的 symlink (用 ln -s 而不是 cp，以免日後更新引擎時 /usr/local/lib 留下兩份不同版本的 library)
ln -s /usr/local/lib/libsavi.so.3.2.07.191 /usr/local/lib/libsavi.so
注意 make test 一定要成功才可以下 make install 安裝

如果 make test 出現
t/use….Can’t load ‘/usr/local/src/SAVI-Perl-0.30/blib/arch/auto/SAVI/SAVI.so’ for module SAVI: /usr/local/lib/libsavi.so.3: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.
那是 SELinux 打開的關係 導致無法載入 libsavi.so：audit log 的 denied { execmod } 表示 libsavi.so 含有 text relocation，SELinux 預設不允許 library 的程式碼段被改寫後執行。不要因此把 SELinux 整個關掉，只需對這一個檔案放寬標籤 (textrel_shlib_t 只對該檔案允許 execmod)。
請用 chcon 設定權限如下 (chcon 會跟隨 symlink 設定到實際的 libsavi.so.3.2.07.191；但 chcon 的結果在 restorecon 或系統 relabel 後會消失，要永久生效請改用 semanage fcontext -a -t textrel_shlib_t '/usr/local/lib/libsavi\.so.*' 再執行 restorecon -v '/usr/local/lib/libsavi.so*')

chcon -t textrel_shlib_t /usr/local/lib/libsavi.so

如果去看 /var/log/audit/audit.log 會有下面的訊息
type=AVC msg=audit(1202221002.753:53): avc: denied { execmod } for pid=17869 comm="perl" path="/usr/local/lib/libsavi.so.3.2.07.191″ dev=dm-0 ino=303289 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1202221002.753:53): arch=40000003 syscall=125 success=no exit=-13 a0=40278000 a1=1d9000 a2=5 a3=bfca64a0 items=0 ppid=17865 pid=17869 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="perl" exe="/usr/bin/perl" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

2. [MailScanner 安裝]
MailScanner 網址為 http://www.mailscanner.info 目前最新為 4.66.5-3
請選 RedHat Linux (and other RPM-based Linux distributions) 下載
http://www.mailscanner.info/files/4/rpm/MailScanner-4.66.5-3.rpm.tar.gz

#tar xvf MailScanner-4.66.5-3.rpm.tar.gz
#cd MailScanner-4.66.5-3
#./install.sh

過程有點久 因為他會 compile 裡面所有的 perl 的模組
可以趁著這個時間 好好再把裡面的文件 QuickInstall.txt 看看

參考
Mail system for RHEL4.0 Total solution安裝筆記
http://phorum.study-area.org/index.php/topic,30462.msg151723.html#msg151723