AmaVis - deal with spam, viruses, banned attachments, and bad headers

From Linux - Help

Once undesirable mail is found, AMaViS can quarantine it, discard it, and/or allow it to pass and be delivered to the destination address(es). Amavisd-new can also place useful information in the headers of processed e-mails, telling people which actions were taken, and it can “defang” undesirable messages.

When AMaViS “defangs” an e-mail, the original message can be encapsulated as an attachment to a notice that is delivered to the destination address.

The critical point of AMaViS configuration is to decide what action should be taken when an undesirable message is found.

Settings that deal with viruses, banned attachments, and bad headers:

  $final_virus_destiny =
  $final_banned_destiny =
  $final_bad_header_destiny =
  $virus_quarantine_to =
  $banned_quarantine_to =
  $bad_header_quarantine_to =

Possible settings for the $final_*_destiny variables are: D_PASS, D_BOUNCE, D_REJECT and D_DISCARD.

Two possible states of the $*_quarantine_to variables are relevant here: each can either be set or left undefined. A $*_quarantine_to variable defines where quarantined items are stored; assigning an empty value (or undef) means “there is no place for quarantined items to go”, i.e. no quarantine copy is kept.

When an undesirable e-mail is found, the value of the corresponding $final_*_destiny variable decides which of the following actions is taken:

D_PASS: Mail will pass to its recipients, regardless of bad contents. If a quarantine is configured, a copy of the mail will go there; if not, at least the recipient has received the mail. Note that including a recipient in a @*_lovers_maps is functionally equivalent to setting $final_*_destiny = D_PASS; for that recipient.

D_BOUNCE: Mail will not be delivered to its recipients. A non-delivery notification (bounce) will be created and sent to the sender. Exceptions: a bounce (DSN) will not be sent if a virus name matches @viruses_that_fake_sender_maps, for messages from mailing lists (Precedence: bulk|list|junk), or for a spam level that exceeds $sa_dsn_cutoff_level. If a quarantine is configured, a copy of the mail will go there; if not, the message will be lost, but if the mail was legitimate the sender should receive notification of its disposition.

D_REJECT: Mail will not be delivered to its recipients. AMaViS will send the typical 55x reject response to the upstream MTA, and that MTA may create a reject notice (bounce) and return it to the sender. This notice is not as informative as the one created using D_BOUNCE, so D_BOUNCE is usually preferred over D_REJECT. If a quarantine is configured, a copy of the mail will go there; if not, the message will be lost, but the sender should be notified that their message was rejected.

D_DISCARD: Mail will not be delivered to its recipients and the sender normally will NOT be notified. If a quarantine is configured, a copy of the mail will go there; if not, the message will be lost. Note that there are additional settings that can send notifications to persons who would normally not be notified when an undesirable message is found, so it is possible to notify the sender even when using D_DISCARD. Commonly, D_DISCARD is preferred for spam and viruses, as creating a DSN is usually a bad idea for several reasons, among them the fact that if the mail is malware or originates from a botnet, the sender address is probably undeliverable or non-existent, or worse, it is a real address that has been forged (so the bounce becomes backscatter to an innocent third party).

Practical examples of how a system might be configured:

 $final_virus_destiny = D_DISCARD;
 $virus_quarantine_to = undef;

When a virus is detected, the mail will be discarded.

 $final_banned_destiny = D_BOUNCE;
 $banned_quarantine_to = "banned\@$mydomain";

If a message containing a banned file is received, the sender may (or may not) be sent a notification, and the message will be quarantined to the email address listed here. Typically it is up to the system administrator to review what is in this mailbox, and either forward the message to the recipient, or delete the message.

 $final_bad_header_destiny = D_PASS;
 $bad_header_quarantine_to = 'bad-header-quarantine';

If a message is received that contains a malformed header, the message will be sent to the recipient, and a copy will be sent to a quarantine area on the local machine. This copy can be examined by the administrator and a determination made whether there should be any further action to prevent similar email from entering the system. Malformed headers, while annoying, are typically not a security risk.

SPAM is different from the other types of undesirable mail because, in addition to “quarantine, discard and/or allow the mail to pass”, two more actions can occur: the Subject line of mail passed to recipients can be rewritten to warn them that the message is possibly spam, and spam-related information can be added to the headers of the mail. SpamAssassin’s only goal in life is to come up with a numerical score. Very low and negative scores may be considered HAM (non-spam) and higher scores may be considered SPAM. Usually a score of 5.0 is the demarcation point between HAM and SPAM, but unfortunately legitimate mail does on occasion score higher, and spam lower. It is entirely up to the e-mail system administrator to decide which score is the demarcation point between HAM and SPAM.

 $final_spam_destiny =
 $spam_quarantine_to =

These work exactly the same as described above in the first group. In other words, these two spam settings are parallel to the settings of the other three types of undesirable mail.

 $sa_tag_level_deflt =
 $sa_tag2_level_deflt =
 $sa_kill_level_deflt =

These settings are numeric values that will be compared to the score produced by SpamAssassin.

 $sa_tag_level_deflt sets the score at which the X-Spam-Status, X-Spam-Score and X-Spam-Level headers are added.

Setting this to undef or -999 means every message that is considered local will have these informative headers added, SPAM or not. The domain the mail is addressed to must match an entry in @local_domains_maps (or other lookup table that provides the same functionality) to be considered local. Note that for this particular setting, undef means ‘lower than any possible score’.

$sa_tag2_level_deflt is the level at which the Subject line of the e-mail will be prepended with whatever is assigned to the $sa_spam_subject_tag variable (assuming $sa_spam_modifies_subj is true). This is done for mail that (once again) is considered local and will actually reach a recipient. The X-Spam-Status extra header will change from “NO” to “YES” and a new ‘X-Spam-Flag: YES’ header will be added.

$sa_kill_level_deflt is the score at which actions are taken with the SPAM message. Once an email scores at this level, $final_spam_destiny settings (D_PASS, D_BOUNCE, D_REJECT or D_DISCARD) will occur.

Practical examples of how a system might be configured:

 $final_spam_destiny = D_DISCARD;
 $spam_quarantine_to = "spam\@$mydomain";

If a message reaches the score set in $sa_kill_level_deflt, the message will not be delivered to its recipients and the sender will not be notified. A copy of the mail will go to the e-mail address configured.

 $sa_tag_level_deflt = undef;

Any message that is addressed to a recipient that is considered local will have X-Spam-Status, X-Spam-Score and X-Spam-Level headers added.

 $sa_spam_subject_tag = '[SPAM] ';
 $sa_tag2_level_deflt = 5.0;

Mail that scores 5.0 or above will have '[SPAM] ' prepended to the Subject line. The X-Spam-Status extra header will change from “NO” to “YES” and a new ‘X-Spam-Flag: YES’ header will be added.

 $sa_kill_level_deflt = 8.0;

This is the level that triggers the D_DISCARD action assigned to $final_spam_destiny and is also the level at which quarantining occurs (if a quarantine is configured).

Additional SPAM related settings:

 $sa_dsn_cutoff_level = 12.0;

With D_DISCARD this setting has no effect, since no DSN is generated anyway; with D_BOUNCE it sets the score at and above which the sender will no longer be notified (high-scoring spam almost always carries a forged sender, so bouncing it would only produce backscatter).

 $sa_quarantine_cutoff_level = 20;

If spam is quarantined, it is possible to drop the highest-scoring spam instead of storing it (thereby reducing the number of items in the quarantine). This setting discards quarantined spam scoring at this level and above, even when a quarantine is configured.

It only makes sense to maintain the relationship: sa_tag_level <= sa_tag2_level <= sa_kill_level < sa_dsn_cutoff <= sa_quarantine_cutoff_level
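To make the interplay between the $final_*_destiny / $*_quarantine_to settings described above and the $sa_*_level_deflt spam thresholds concrete, here is an added Python model written for this page. It is not amavisd-new's own code: the configuration keys mirror the documented variable names, the values come from the page's practical examples (with a constructed `spam@example.com` quarantine address in place of `"spam\@$mydomain"`), and the `Outcome` structure, `dispose()`, `check_levels()` and `process_spam()` functions are assumptions made for illustration. It walks a SpamAssassin score up the tag, tag2 and kill ladder, applies the DSN and quarantine cutoffs, and enforces the ordering stated just above.

```python
"""Model of amavisd-new dispositions and spam thresholds.  Added illustration
for this page, not amavisd-new's own code; config keys mirror the documented
variables, everything else is an assumption."""
from dataclasses import dataclass, field

D_PASS, D_BOUNCE, D_REJECT, D_DISCARD = "D_PASS", "D_BOUNCE", "D_REJECT", "D_DISCARD"


@dataclass
class Outcome:
    delivered: bool                 # message reaches its original recipients
    quarantined: bool               # a copy is stored at $*_quarantine_to
    dsn_sent: bool                  # amavisd itself generates a bounce (D_BOUNCE)
    smtp_reject: bool               # 55x returned to the upstream MTA (D_REJECT)
    headers: dict = field(default_factory=dict)
    subject: str = ""

    @property
    def lost(self):
        """Nobody keeps a copy: neither recipient nor quarantine."""
        return not (self.delivered or self.quarantined)


def dispose(destiny, quarantine_to, *, suppress_dsn=False):
    """Apply one $final_*_destiny value together with its $*_quarantine_to.
    quarantine_to of None / '' corresponds to undef: no quarantine copy."""
    q = bool(quarantine_to)
    if destiny == D_PASS:
        return Outcome(True, q, False, False)
    if destiny == D_BOUNCE:          # DSN unless one of the documented exceptions applies
        return Outcome(False, q, not suppress_dsn, False)
    if destiny == D_REJECT:          # reject at SMTP level; the upstream MTA may bounce
        return Outcome(False, q, False, True)
    if destiny == D_DISCARD:
        return Outcome(False, q, False, False)
    raise ValueError(f"unknown destiny {destiny!r}")


def check_levels(cfg):
    """tag <= tag2 <= kill < dsn_cutoff <= quarantine_cutoff; undef tag == -infinity."""
    tag = cfg["sa_tag_level_deflt"]
    tag = -float("inf") if tag is None else tag
    return (tag <= cfg["sa_tag2_level_deflt"] <= cfg["sa_kill_level_deflt"]
            < cfg["sa_dsn_cutoff_level"] <= cfg["sa_quarantine_cutoff_level"])


def process_spam(score, subject, cfg, *, local=True, precedence=None):
    """Walk a SpamAssassin score up the tag / tag2 / kill ladder."""
    if not check_levels(cfg):
        raise ValueError("thresholds must satisfy tag <= tag2 <= kill < dsn_cutoff <= quarantine_cutoff")
    headers, subj = {}, subject
    tag, tag2, kill = (cfg["sa_tag_level_deflt"], cfg["sa_tag2_level_deflt"],
                       cfg["sa_kill_level_deflt"])
    if local and (tag is None or score >= tag):          # informative headers, local mail only
        headers["X-Spam-Score"] = f"{score:.3f}"
        headers["X-Spam-Level"] = "*" * max(0, int(score))
        headers["X-Spam-Status"] = f"{'Yes' if score >= tag2 else 'No'}, score={score:.3f}"
    if local and score >= tag2:                           # tag2: flag header and subject rewrite
        headers["X-Spam-Flag"] = "YES"
        if cfg["sa_spam_modifies_subj"]:
            subj = cfg["sa_spam_subject_tag"] + subject
    if score >= kill:                                     # kill: $final_spam_destiny applies
        suppress = ((precedence or "").lower() in ("bulk", "list", "junk")
                    or score >= cfg["sa_dsn_cutoff_level"])
        # at or above $sa_quarantine_cutoff_level the quarantine copy is dropped
        qt = cfg["spam_quarantine_to"] if score < cfg["sa_quarantine_cutoff_level"] else None
        out = dispose(cfg["final_spam_destiny"], qt, suppress_dsn=suppress)
    else:
        out = Outcome(True, False, False, False)
    out.headers, out.subject = headers, subj
    return out


EXAMPLE_CFG = {  # constructed from the page's practical examples
    "final_spam_destiny": D_DISCARD,
    "spam_quarantine_to": "spam@example.com",   # stands in for "spam\@$mydomain"
    "sa_tag_level_deflt": None,                 # undef: headers on every local message
    "sa_tag2_level_deflt": 5.0,
    "sa_kill_level_deflt": 8.0,
    "sa_dsn_cutoff_level": 12.0,
    "sa_quarantine_cutoff_level": 20,
    "sa_spam_subject_tag": "[SPAM] ",
    "sa_spam_modifies_subj": True,
}

if __name__ == "__main__":
    for s in (2.0, 6.0, 9.5, 25.0):
        o = process_spam(s, "Quarterly report", EXAMPLE_CFG)
        print(f"score {s:5.1f}: delivered={o.delivered} quarantined={o.quarantined} "
              f"dsn={o.dsn_sent} lost={o.lost} subject={o.subject!r}")
```

Running the block prints one line per score: 2.0 is delivered with informative headers only, 6.0 is delivered with the `[SPAM]` subject tag and `X-Spam-Flag: YES`, 9.5 is discarded but kept in the quarantine, and 25.0 is discarded and dropped from the quarantine too, so it is lost. Swapping `final_spam_destiny` to D_BOUNCE shows the DSN cutoff at work: 9.5 produces a bounce, 13.0 does not.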

Find the original post here. I just copied & pasted it for my own documentation.