
List:       clamav-users
Subject:    Re: [clamav-users] whitelisting sender or recipient
From:       Reindl Harald <h.reindl () thelounge ! net>
Date:       2017-01-20 2:14:26
Message-ID: 118cc947-fb93-bba0-38c5-4b9c23a143d6 () thelounge ! net



On 20.01.2017 at 02:27, Paul Kosinski wrote:
> We currently chain Postfix (with its SMTP protocol and rate filters)
> via Procmail, first to Clamd, to filter any mail with a virus (etc.) and
> send it to a Virus bucket. Next the mail goes to Bogofilter which
> attaches a tag for Spam/Mail/Ambiguous. Next the mail goes to an
> address filter, which blocks some senders while changing the Spam tag
> to Ambiguous for other senders (in particular senders who have been
> recipients of outbound mail). Finally, anything tagged as Spam is
> routed to a Spam bucket (for possible later retrieval), while Mail and
> Ambiguous mail is delivered to the final recipient.

postscreen with 50 DNSBL/DNSWL weighted, which already kills more than 
90% of all crap as you can see in the stats below, and the whole setup is 
running all day long with 50-300 MHz in a VM for some hundred domains

smtpd_milters  = unix:/run/spamass-milter/spamass-milter.sock, unix:/run/clamav-milter/clamav-milter.socket

the milters are at the end of the chain
SA is using two clamd instances, one with 5.5 points (tag-score) and one 
with 9.5 points - reject score is 8.0 - so even if the clamav-milter 
whitelists, serious things are blocked anyway

two bayes-databases with 110000 hand-selected samples, SA builtin-bayes 
as well as bogofilter and that combined with currently 1500 local 
subject filters from 0.5 to 8.0 points and the same for 2000 body-filters

the clamav-milter is essentially the very last stage and did not hit a 
single message in the last two months because the chain before already 
rejected everything correctly, and so a whitelisting there can't do any 
real harm

smtpd_recipient_restrictions =
  reject_unlisted_recipient
  reject_unauth_destination
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  check_policy_service unix:private/spf-policy-info
  check_recipient_access proxy:hash:/etc/postfix/whitelist_rcpt.cf
  reject_non_fqdn_helo_hostname
  reject_invalid_helo_hostname
  check_helo_access proxy:pcre:/etc/postfix/blacklist_helo_unconditional.cf
  check_recipient_access proxy:hash:/etc/postfix/blacklist_rcpt.cf
  check_sender_access proxy:hash:/etc/postfix/whitelist_sender.cf
  check_sender_access proxy:hash:/etc/postfix/blacklist_sender.cf
  permit_dnswl_client dnswl-aggregate.example.com=127.0.0.[2;3]
  check_sender_access proxy:hash:/etc/postfix/spoofing_protection.cf
  permit_dnswl_client dnswl-aggregate.example.com=127.0.0.4
  check_sender_access proxy:pcre:/etc/postfix/blacklist_sender_regex.cf
  reject_unknown_sender_domain
  check_sender_ns_access proxy:hash:/etc/postfix/blacklist_ns.cf
  check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
  permit_dnswl_client dnswl-aggregate.example.com=127.0.0.5
  permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
  check_policy_service unix:private/spf-policy
  check_sender_access proxy:pcre:/etc/postfix/blacklist_tld.cf
  reject_unknown_reverse_client_hostname
  check_recipient_access proxy:hash:/etc/postfix/skip_ptr_check.cf
  permit_dnswl_client dnswl-aggregate.example.com
  permit_dnswl_client dnswl-whitelisted-org.example.com
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[0..254]
  permit_dnswl_client wl.mailspike.net=127.0.0.[16;17;18]
  permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
  permit_dnswl_client bl.nszones.com=127.0.0.5
  permit_dnswl_client score.senderscore.com=127.0.4.[80..100]
  permit_dnswl_client iadb.isipp.com
  permit_dnswl_client sa-accredit.habeas.com
  permit_dnswl_client dnswl.inps.de=127.0.[0;1].[2..10]
  permit_dnswl_client swl.spamhaus.org=127.0.2.[2;3;102;103]
  check_helo_access proxy:pcre:/etc/postfix/blacklist_helo.cf
  check_reverse_client_hostname_access proxy:pcre:/etc/postfix/blacklist_generic_ptr.cf
  ${stress?sleep 0}${stress: sleep 2}
  check_policy_service unix:/var/spool/postfix/postgrey/socket
  reject_unverified_sender

> Since this is a small email system, we also use Procmail to invoke some
> recipient dependent adhoc rules along the way to do this and that.
>
> P.S. Depending on the exact set of ClamAV signatures, this flow may have
> to be split into two Clamd stages: the first to identify hard malware
> to be unconditionally blocked and the second to simply flag bad URLs etc.

that is what we do here

stats of the current month (postscreen only names the RBL with the 
highest score leading to the 8.0 points for a reject)

dnsblcount.sh
spamhaus.org              215710
sorbs.net                  39465
inps.de                    13181
barracudacentral.org        7338
thelounge.net               1826
junkemailfilter.com          413
manitu.net                   256
psbl.org                     147
senderscore.com              135
mailspike.net                 75
spameatingmonkey.net          26
spamcop.net                   23
swinog.ch                     22
spamcannibal.org              16
=================================
Total DNSBL rejections:    278633

spamfilter-scantimes.php
--------------------------------
DAUER           ANZAHL  PROZENT
--------------------------------
< 0.5 Sek       15366   45.7 %
< 1.0 Sek       17705   52.7 %
0.0 - 0.2 Sek   13982   41.6 %
0.3 - 0.4 Sek   1384    4.1 %
0.5 - 1.0 Sek   3314    9.9 %
1.0 - 2.0 Sek   11386   33.9 %
2.0 - 3.0 Sek   1841    5.5 %
3.0 - 4.0 Sek   1133    3.4 %
4.0 - 5.0 Sek   761     2.3 %
5.0 - 6.0 Sek   728     2.2 %
6.0 - 7.0 Sek   376     1.1 %
7.0 - 8.0 Sek   161     0.5 %
8.0 - 9.9 Sek   256     0.8 %
 >= 10 Sek       47      0.1 %
 >= 15 Sek       22      0.1 %

spamfilter-general-stats.sh
Connections:       361138
Postscreen WL:     17876 (4.94 %)
Delivered:         31208
Blocked:           329930
Invalid User:      3675
Disallowed User:   9
Reject Postscreen: 279687
Reject Postfix:    8614
Reject Milter:     3099
Reject Temporary:  693
Greylisted:        1371
Blacklist:         278631
Pregreet:          22571
Hangup:            285903
Protocol Error:    363
Illegal Syntax:    2
SpamAssassin:      3099
Virus (Milter):    0
Virus (SA):        619
Helo:              152
Subject:           44
From:              16
Attachment:        1
Header Length:     8
Sender Regex:      89
Sender Blocked:    245
Sender Verify:     122
Sender Invalid:    293
Sender Spoofed:    32
Sender Parked:     1
Spam-TLD:          72
PTR Missing:       152
PTR Generic:       150
SPF:               310

URI-BLACKLISTS
URIBL_LOCAL:       373
URIBL_BLACK:       1246
URIBL_SPAM:        423
URIBL_SBL:         200
URIBL_AB_SURBL:    0
URIBL_JP_SURBL:    0
URIBL_MW_SURBL:    10
URIBL_PH_SURBL:    16
URIBL_SC_SURBL:    0
URIBL_WS_SURBL:    0
URIBL_ABUSE_BOTCC: 1
URIBL_ABUSE_MALW:  0
URIBL_ABUSE_PHISH: 6
URIBL_ABUSE_SPAM:  15
URIBL_BOTNETCC:    0
URIBL_MALWARE:     0
URIBL_PHISH:       46
URIBL_GREY:        1768
URIBL_RED:         57
URIBL_ABUSE_REDIR: 2
URIBL_REDIR:       0
URIBL_RHS_DOB:     66

DIGEST_MULTIPLE:   297
RAZOR:             981
PYZOR:             389
IXHASH:            525

CONTENT-ANALYSE
BAYES_00        10571   61.08 %
BAYES_05          478    2.76 %
BAYES_20          592    3.42 %
BAYES_40          522    3.01 %
BAYES_50         2266   13.09 %
BAYES_60          376    2.17 %    12.13 % (OF TOTAL BLOCKED)
BAYES_80          303    1.75 %     9.77 % (OF TOTAL BLOCKED)
BAYES_95          252    1.45 %     8.13 % (OF TOTAL BLOCKED)
BAYES_99         1945   11.23 %    62.76 % (OF TOTAL BLOCKED)
BAYES_999        1621    9.36 %    52.30 % (OF TOTAL BLOCKED)
SPAMMY           2876    8.55 %    92.80 % (OF TOTAL BLOCKED)
DNSWL           30548   90.89 %
SPF             23710   70.55 %
SPF/DKIM WL     13116   39.02 %
SHORTCIRCUIT    16259   48.37 %
CUST_SUBJ         545    1.62 %
CUST_BODY        2910    8.65 %
BLOCKED          3099    9.22 %

> On Thu, 19 Jan 2017 20:57:28 +0100
> Reindl Harald <h.reindl@thelounge.net> wrote:
>
>> and in a really good setup your spamassassin also uses clamd to add
>> scores to all the other rules, dnsbl, uribl, digest-services and so
>> the unconditional whitelisting in the milter at last stage is only for
>> dumb unconditional false positives leading to rejects
>>
>> On 19.01.2017 at 20:54, Reindl Harald wrote:
>>> On 19.01.2017 at 20:50, Paul Kosinski wrote:
>>>> What if a white-listed sender later becomes part of a botnet?
>>>> However trustworthy the person is, their email isn't necessarily
>>>> trustworthy. (The "From:" address could easily be faked, for
>>>> example.)
>>>
>>> then hopefully your filter setup does not rely only on clamd,
>>> whitelisting is a local decision with many pros and cons and also
>>> depends on the signatures included in your setup
>>>
>>> there is also a difference if you have just one or more than one
>>> clamd instance with different signatures and whitelistings
>>>
>>> typically clamav-milter is the last stage of filtering - it's faster
>>> than spamassassin but spamassassin does catch much more than clamd
>>> and so the whole clamd can be skipped in case of sa-milter rejects
>>>
>>>> On Thu, 19 Jan 2017 08:02:39 +0100
>>>> z@aian.de wrote:
>>>>
>>>>> Hey there,
>>>>>
>>>>> I bet it's an easy one for you, but I couldn't find any
>>>>> documentation about that.
>>>>> What I want to do is whitelist a specific sender or recipient from
>>>>> the scans.
>>>>>
>>>>> I read about the whitelist.ign2 for whitelisting signatures, but
>>>>> nothing about user whitelisting.
>>>>>
>>>>> Can you help?
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
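A small counting script, added here as an example and not the poster's own dnsblcount.sh, that builds a per-operator tally like the one in the mail from postscreen reject lines (postscreen names only the list that triggered the reject, so one line yields one count). The log lines are constructed, and grouping by the last two DNS labels is an assumption that happens to fit the lists shown.

```shell
#!/bin/sh
# Added example, not the list poster's dnsblcount.sh: count postscreen
# DNSBL rejections per list operator, grouped the way the stats in the mail
# are (zen.spamhaus.org and sbl.spamhaus.org both count as spamhaus.org).
# Assumption: the last two DNS labels identify the operator well enough.

# Constructed sample lines in the postscreen "blocked using" reject format.
SAMPLE_LOG='Jan 20 01:02:03 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.10]:51234: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mail.example.org>
Jan 20 01:02:04 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.11]:51235: 550 5.7.1 Service unavailable; client [192.0.2.11] blocked using dnsbl.sorbs.net; from=<c@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mx.example.org>
Jan 20 01:02:05 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.12]:51236: 550 5.7.1 Service unavailable; client [192.0.2.12] blocked using sbl.spamhaus.org; from=<d@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mx2.example.org>
Jan 20 01:02:06 mx postfix/postscreen[1234]: PASS NEW [192.0.2.13]:51237
Jan 20 01:02:07 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 Service unavailable; Client host [192.0.2.15] blocked using zen.spamhaus.org; from=<f@example.org> to=<b@example.net> proto=ESMTP helo=<mx4.example.org>
Jan 20 01:02:07 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.14]:51238: 550 5.7.1 Service unavailable; client [192.0.2.14] blocked using b.barracudacentral.org; from=<e@example.org>, to=<b@example.net>, proto=ESMTP, helo=<mx3.example.org>'

# dnsbl_count: read a mail log on stdin, print "operator count" lines,
# highest count first. Only postscreen rejects are counted; an smtpd
# reject_rbl_client line (also "blocked using") is deliberately excluded,
# since the mail's stats report those under "Reject Postfix".
dnsbl_count() {
  grep 'postfix/postscreen\[' | grep -o 'blocked using [^;]*' |
  awk '{ n = split($3, p, "."); key = p[n-1] "." p[n]; c[key]++ }
       END { for (k in c) print k, c[k] }' |
  sort -k2,2nr -k1,1
}

# dnsbl_total: sum of all postscreen DNSBL rejections (the "Total" line).
dnsbl_total() {
  dnsbl_count | awk '{ t += $2 } END { print t + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dnsbl_count
printf 'Total DNSBL rejections: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | dnsbl_total)"
```

On a real server feed it the mail log instead of the sample, e.g. `dnsbl_count < /var/log/maillog`.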