[SOLVED] SaneSecurity ClamAV or FuzzyOCR SpamAssassin Plugins


Postby blazeking » Thu Apr 02, 2009 5:14 pm

[quote user="uxbod"]...Obviously you can tune the scores to your own requirements as 0.1 is very low, but there have been some FPs in the past. Any questions, please ask :) enjoy.[/quote]

I'm having trouble making the scores in salocal.cf.in do the work here. Whatever I specify in amavisd.conf.in seems to override everything. Anyone know how to properly use the scores in salocal.cf.in? Here's what's currently in /opt/zimbra/conf/amavisd.conf.in:

[ qr'^Sanesecurity(\.[^., ]*)*\.' => 2 ],

That obviously makes all scores =2. Setting to "0" or leaving blank doesn't do any better. Help!!



Postby uxbod » Fri Apr 03, 2009 12:56 am

I have my amavisd.conf.in like this

@virus_name_to_spam_score_maps =
  (new_RE( # the order matters!
    [ qr'^Phishing\.' => 0 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0 ],
    [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ], # keep as infected
    [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0 ],
    [ qr'^Sanesecurity_PhishBar_' => 0 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
    [ qr'^(MSRBL-Images|MSRBL-SPAM\.)' => 0 ],
    [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0 ],
    [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0 ],
    [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0 ],
    [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
    [ qr'^MBL_' => undef ], # keep as infected
  ));
and then use salocal.conf.in to override the scores

################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header L_AV_Phish X-Amavis-AV-Status =~ m{AV:(Email|HTML)\.Phishing\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{AV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish X-Amavis-AV-Status =~ m{AV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Scam[A-Za-z0-9]+)}
header L_AV_SS_Spam X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn|Spam\.[A-Za-z0-9]+|Stk|Junk)\.}
header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{AV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img X-Amavis-AV-Status =~ m{AV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity}
header __L_AV_SS X-Amavis-AV-Status =~ m{AV:Sanesecurity\.}
meta L_AV_SS_other __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{AV:MSRBL-Images}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{AV:MSRBL-SPAM\.}
header L_AV_MBL X-Amavis-AV-Status =~ m{AV:MBL_}
header L_AV_SecInf X-Amavis-AV-Status =~ m{-SecuriteInfo\.com}

score L_AV_Phish 14
score L_AV_SS_Phish 5
score L_AV_SS_PhishBar 0.5
score L_AV_SS_Scam 8
score L_AV_SS_Spam 8
score L_AV_SS_Hdr 6
score L_AV_SS_Img 3.5
score L_AV_SS_Bounce 0.1
score L_AV_SS_other 1
score L_AV_SS_Malware 14
score L_AV_MBL 14
score L_AV_MSRBL_Img 3.5
score L_AV_MSRBL_Spam 6
score L_AV_SecInf 8

As these are the stub/include files, for any changes to become active you will need to restart ZCS.
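
The "order matters" point in the post above, as an added example that is not part of the original thread: a Python model of the map lookup next to three of the quoted SpamAssassin rules. It assumes the first matching entry wins, that unmatched names stay ordinary virus hits, and that the header value looks like `AV:<signature name>`; the signature names are constructed.

```python
import re

# Ordered (regex, value) pairs modelled on the amavisd map quoted above.
# None stands for Perl undef ("keep as infected"); Perl \z is \Z in Python.
SCORE_MAP = [
    (r'^Phishing\.', 0),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 0),
    (r'^Sanesecurity\.(Malware|Rogue|Trojan)\.', None),
    (r'^Sanesecurity(\.[^., ]*)*\.', 0),
    (r'^Sanesecurity_PhishBar_', 0),
    (r'-SecuriteInfo\.com(\.|\Z)', None),
    (r'^MBL_', None),
]
# The single catch-all entry from the first post: every Sanesecurity hit gets 2.
CATCH_ALL_MAP = [(r'^Sanesecurity(\.[^., ]*)*\.', 2)]

# Three of the SpamAssassin header rules and scores from the same post.
SA_RULES = [
    ('L_AV_SS_Malware', r'AV:Sanesecurity\.(Malware|Rogue|Trojan)\.', 14),
    ('L_AV_SS_Spam', r'AV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn'
                     r'|Spam\.[A-Za-z0-9]+|Stk|Junk)\.', 8),
    ('L_AV_SS_PhishBar', r'AV:Sanesecurity_PhishBar_', 0.5),
]

def classify(sig, score_map=SCORE_MAP):
    """Return (verdict, amavis_score, sa_hits) for one ClamAV signature name.

    Assumption: the first matching map entry wins, and a name that matches
    nothing, or matches an undef entry, stays an ordinary virus hit.
    """
    for pattern, value in score_map:
        if re.search(pattern, sig):
            if value is None:
                return ('infected', None, [])
            header = 'AV:' + sig  # assumed X-Amavis-AV-Status value
            hits = [(n, s) for n, rx, s in SA_RULES if re.search(rx, header)]
            return ('spam', value, hits)
    return ('infected', None, [])

if __name__ == '__main__':
    # Constructed signature names, not taken from a real scan.
    for name in ('Sanesecurity.Malware.8521.UNOFFICIAL',
                 'Sanesecurity.Spam.12345.UNOFFICIAL',
                 'Sanesecurity_PhishBar_1.UNOFFICIAL',
                 'Eicar-Test-Signature'):
        print(name, classify(name), classify(name, CATCH_ALL_MAP))
```

With the full map the malware name stays infected because its `undef` entry sits before the catch-all; with the catch-all alone the same name is downgraded to a spam-scored hit.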

Postby blazeking » Fri Apr 03, 2009 10:26 am

Huh... that doesn't work for me. Whatever I specify in amavis.conf.in here "=> 0", that is the score that is given. If it's 0, all scores show 0. If it's blank, all scores show 1. It's still not looking to salocal.conf.in for the scores.

Postby uxbod » Fri Apr 03, 2009 12:55 pm

salocal.cf.in is a template file! You have to restart ZCS for them to take effect and be persistent across further ZCS restarts.

Postby 8142mek1 » Wed Apr 08, 2009 3:39 pm

Which script would you recommend using for Sanesecurity? I am looking into adding this to our system.

Postby uxbod » Thu Apr 09, 2009 1:02 am

I personally use unofficial-clamav-sigs.sh which works just fine.

Postby bbarrons » Sat Sep 26, 2009 5:16 pm

Thank you for this thread. I had to read through it several times before I was able to see where I was going wrong. I used the salocal and amavisd.conf files as templates and I had put in a lot more in them than was needed. I cleaned them up and my spam filters started to work.

I do have 2 issues that I can't find an answer to, if someone can help. First is a permissions issue. When I restart postfix I get this error before it starts:

postfix/postfix-script: warning: not owned by root: /opt/zimbra/data/postfix/spool
postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.6.2.2z/conf/main.cf
postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.6.2.2z/conf/master.cf
postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.6.2.2z/conf/master.cf.in
postfix/postfix-script: starting the Postfix mail system

I did run zmfixperms but it didn't correct it. Do they in fact need to be owned by root, or as they are now by zimbra?

And when I try to implement b.barracuda.org in my list of RBLs it rejects all incoming mail. I had this problem last week when I set it up on the school server. I went through everything again and then set it up at home and sent 2 test mails and both were rejected.

Where do I start to look for the problem? I know it must be something I have wrong but not sure where to start looking... any ideas would be appreciated...

Bill

Postby uxbod » Mon Sep 28, 2009 12:43 pm

Perms issue is not a problem. With respect to the RBL did you register all your MTA IP addresses? What if you do a manual dig against it?

Postby bbarrons » Mon Sep 28, 2009 4:58 pm

Here is what I did to add barracudacentral.org to my RBL list.

First I ran

zmprov gacf | grep zimbraMtaRestriction

to see my list and then

zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"

to add it. Checked again to verify that it was listed. I restarted zimbra, sent a test email from an sbcglobal.net account and it was rejected. It said it was rejected by barracudacentral.org.

I then ran

zmprov mcf -zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"

to remove it from the list. Restarted zimbra and had no problems sending an email from sbcglobal. With everything else I have done in the past week to stop spam I probably don't need to set this up, but I hate it when I run into a problem that I can't solve.

I am not sure I understand about registering my MTA IP addresses. I didn't do anything different for any of the other RBLs I added.

Bill

Postby ewilen » Mon Sep 28, 2009 6:02 pm

Bill, in order for barracuda to reply to your lookup requests, you must register the IP address(es) of your DNS server(s) with them. See BarracudaCentral.org - Technical Insight for Security Pros
(You don't have to register your MTAs. I believe uxbod misspoke about that.)
