On 20.01.2017 at 02:27, Paul Kosinski wrote:
We currently chain Postfix (with its SMTP protocol and rate filters)
via Procmail, first to Clamd, to filter any mail with a virus (etc.) and
send it to a Virus bucket. Next the mail goes to Bogofilter which
attaches a tag for Spam/Mail/Ambiguous. Next the mail goes to an
address filter, which blocks some senders while changing the Spam tag
to Ambiguous for other senders (in particular senders who have been
recipients of outbound mail). Finally, anything tagged as Spam is
routed to a Spam bucket (for possible later retrieval), while Mail and
Ambiguous mail is delivered to the final recipient.
postscreen with 50 DNSBL/DNSWL weighted which already kills more than
90% of all crap as you can see in the stats below and the whole setup is
running all day long with 50-300 MHz in a VM for some hundred domains
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock,
    unix:/run/clamav-milter/clamav-milter.socket
the milters are at the end of the chain
SA is using two clamd instances, one with 5.5 points (tag-score) and one
with 9.5 points - reject score is 8.0 - so even if the clamav-milter
whitelists, serious things are blocked anyway
two bayes-databases with 110000 hand-selected samples, SA builtin-bayes
as well as bogofilter and that combined with currently 1500 local
subject filters from 0.5 to 8.0 points and the same for 2000 body-filters
the clamav-milter is essentially the very last stage and did not hit a
single message in the last two months because the chain before already
rejected everything correctly and so a whitelisting there can't do any
real harm
smtpd_recipient_restrictions =
    reject_unlisted_recipient
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    check_policy_service unix:private/spf-policy-info
    check_recipient_access proxy:hash:/etc/postfix/whitelist_rcpt.cf
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    check_helo_access proxy:pcre:/etc/postfix/blacklist_helo_unconditional.cf
    check_recipient_access proxy:hash:/etc/postfix/blacklist_rcpt.cf
    check_sender_access proxy:hash:/etc/postfix/whitelist_sender.cf
    check_sender_access proxy:hash:/etc/postfix/blacklist_sender.cf
    permit_dnswl_client dnswl-aggregate.example.com=127.0.0.[2;3]
    check_sender_access proxy:hash:/etc/postfix/spoofing_protection.cf
    permit_dnswl_client dnswl-aggregate.example.com=127.0.0.4
    check_sender_access proxy:pcre:/etc/postfix/blacklist_sender_regex.cf
    reject_unknown_sender_domain
    check_sender_ns_access proxy:hash:/etc/postfix/blacklist_ns.cf
    check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
    permit_dnswl_client dnswl-aggregate.example.com=127.0.0.5
    permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
    check_policy_service unix:private/spf-policy
    check_sender_access proxy:pcre:/etc/postfix/blacklist_tld.cf
    reject_unknown_reverse_client_hostname
    check_recipient_access proxy:hash:/etc/postfix/skip_ptr_check.cf
    permit_dnswl_client dnswl-aggregate.example.com
    permit_dnswl_client dnswl-whitelisted-org.example.com
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[0..254]
    permit_dnswl_client wl.mailspike.net=127.0.0.[16;17;18]
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
    permit_dnswl_client bl.nszones.com=127.0.0.5
    permit_dnswl_client score.senderscore.com=127.0.4.[80..100]
    permit_dnswl_client iadb.isipp.com
    permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de=127.0.[0;1].[2..10]
    permit_dnswl_client swl.spamhaus.org=127.0.2.[2;3;102;103]
    check_helo_access proxy:pcre:/etc/postfix/blacklist_helo.cf
    check_reverse_client_hostname_access proxy:pcre:/etc/postfix/blacklist_generic_ptr.cf
    ${stress?sleep 0}${stress: sleep 2}
    check_policy_service unix:/var/spool/postfix/postgrey/socket
    reject_unverified_sender
Since this is a small email system, we also use Procmail to invoke some
recipient-dependent ad hoc rules along the way to do this and that.
P.S. Depending on the exact set of ClamAV signatures, this flow may have
to be split into two Clamd stages: the first to identify hard malware
to be unconditionally blocked and the second to simply flag bad URLs etc.
that is what we do here
stats of the current month (postscreen only names the RBL with the
highest score leading to the 8.0 points for a reject)
dnsblcount.sh
spamhaus.org 215710
sorbs.net 39465
inps.de 13181
barracudacentral.org 7338
thelounge.net 1826
junkemailfilter.com 413
manitu.net 256
psbl.org 147
senderscore.com 135
mailspike.net 75
spameatingmonkey.net 26
spamcop.net 23
swinog.ch 22
spamcannibal.org 16
=================================
Total DNSBL rejections: 278633
spamfilter-scantimes.php
--------------------------------
DAUER ANZAHL PROZENT
--------------------------------
< 0.5 Sek 15366 45.7 %
< 1.0 Sek 17705 52.7 %
0.0 - 0.2 Sek 13982 41.6 %
0.3 - 0.4 Sek 1384 4.1 %
0.5 - 1.0 Sek 3314 9.9 %
1.0 - 2.0 Sek 11386 33.9 %
2.0 - 3.0 Sek 1841 5.5 %
3.0 - 4.0 Sek 1133 3.4 %
4.0 - 5.0 Sek 761 2.3 %
5.0 - 6.0 Sek 728 2.2 %
6.0 - 7.0 Sek 376 1.1 %
7.0 - 8.0 Sek 161 0.5 %
8.0 - 9.9 Sek 256 0.8 %
>= 10 Sek 47 0.1 %
>= 15 Sek 22 0.1 %
spamfilter-general-stats.sh
Connections: 361138
Postscreen WL: 17876 (4.94 %)
Delivered: 31208
Blocked: 329930
Invalid User: 3675
Disallowed User: 9
Reject Postscreen: 279687
Reject Postfix: 8614
Reject Milter: 3099
Reject Temporary: 693
Greylisted: 1371
Blacklist: 278631
Pregreet: 22571
Hangup: 285903
Protocol Error: 363
Illegal Syntax: 2
SpamAssassin: 3099
Virus (Milter): 0
Virus (SA): 619
Helo: 152
Subject: 44
From: 16
Attachment: 1
Header Length: 8
Sender Regex: 89
Sender Blocked: 245
Sender Verify: 122
Sender Invalid: 293
Sender Spoofed: 32
Sender Parked: 1
Spam-TLD: 72
PTR Missing: 152
PTR Generic: 150
SPF: 310
URI-BLACKLISTS
URIBL_LOCAL: 373
URIBL_BLACK: 1246
URIBL_SPAM: 423
URIBL_SBL: 200
URIBL_AB_SURBL: 0
URIBL_JP_SURBL: 0
URIBL_MW_SURBL: 10
URIBL_PH_SURBL: 16
URIBL_SC_SURBL: 0
URIBL_WS_SURBL: 0
URIBL_ABUSE_BOTCC: 1
URIBL_ABUSE_MALW: 0
URIBL_ABUSE_PHISH: 6
URIBL_ABUSE_SPAM: 15
URIBL_BOTNETCC: 0
URIBL_MALWARE: 0
URIBL_PHISH: 46
URIBL_GREY: 1768
URIBL_RED: 57
URIBL_ABUSE_REDIR: 2
URIBL_REDIR: 0
URIBL_RHS_DOB: 66
DIGEST_MULTIPLE: 297
RAZOR: 981
PYZOR: 389
IXHASH: 525
CONTENT-ANALYSE
BAYES_00 10571 61.08 %
BAYES_05 478 2.76 %
BAYES_20 592 3.42 %
BAYES_40 522 3.01 %
BAYES_50 2266 13.09 %
BAYES_60 376 2.17 % 12.13 % (OF TOTAL BLOCKED)
BAYES_80 303 1.75 % 9.77 % (OF TOTAL BLOCKED)
BAYES_95 252 1.45 % 8.13 % (OF TOTAL BLOCKED)
BAYES_99 1945 11.23 % 62.76 % (OF TOTAL BLOCKED)
BAYES_999 1621 9.36 % 52.30 % (OF TOTAL BLOCKED)
SPAMMY 2876 8.55 % 92.80 % (OF TOTAL BLOCKED)
DNSWL 30548 90.89 %
SPF 23710 70.55 %
SPF/DKIM WL 13116 39.02 %
SHORTCIRCUIT 16259 48.37 %
CUST_SUBJ 545 1.62 %
CUST_BODY 2910 8.65 %
BLOCKED 3099 9.22 %
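As an added illustration (not a script from this thread and not the dnsblcount.sh referenced above), here is a small Python counterpart of such a per-list report: it reads postscreen reject lines of the form "client [addr] blocked using <zone>" and groups them by list operator. The log lines below are constructed samples; because postscreen names only the highest-scoring list, the counts tell you which list tipped the score to the reject threshold, not every list that matched.

```python
import re
from collections import Counter

# Constructed sample lines in postscreen's log format (not taken from the
# thread). Only DNSBL rejects carry the "blocked using <zone>" text.
SAMPLE_LOG = """\
Jan 20 02:01:11 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.10]:41234: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<h1>
Jan 20 02:01:15 mx postfix/postscreen[1234]: PASS NEW [198.51.100.7]:55012
Jan 20 02:01:20 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.11]:41300: 550 5.7.1 Service unavailable; client [192.0.2.11] blocked using dnsbl.sorbs.net; from=<c@example.org>, to=<b@example.net>, proto=ESMTP, helo=<h2>
Jan 20 02:01:31 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.12]:41400: 550 5.7.1 Service unavailable; client [192.0.2.12] blocked using zen.spamhaus.org; from=<d@example.org>, to=<b@example.net>, proto=ESMTP, helo=<h3>
Jan 20 02:01:40 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.13]:41500: 550 5.7.1 Service unavailable; client [192.0.2.13] blocked using dnsbl.inps.de; from=<e@example.org>, to=<b@example.net>, proto=ESMTP, helo=<h4>
"""

# Match only postscreen DNSBL rejects and capture the zone that is named.
BLOCKED_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: .*?blocked using ([\w.-]+)"
)


def zone_to_operator(zone: str) -> str:
    """Collapse a DNSBL zone to its operator domain (zen.spamhaus.org ->
    spamhaus.org), which is how per-operator reports are usually grouped.
    Note: this last-two-labels rule is a simplification and would give
    'co.uk'-style results for zones under multi-label public suffixes."""
    return ".".join(zone.rstrip(".").split(".")[-2:])


def count_dnsbl_rejects(log_text: str) -> Counter:
    """Count postscreen DNSBL rejects per list operator."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            counts[zone_to_operator(m.group(1))] += 1
    return counts


def report(counts: Counter) -> str:
    """Render the counts in the same shape as the per-list summary above."""
    lines = [f"{name} {n}" for name, n in counts.most_common()]
    lines.append("=" * 33)
    lines.append(f"Total DNSBL rejections: {sum(counts.values())}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(count_dnsbl_rejects(SAMPLE_LOG)))
```

For a real mail log, feed the file contents to count_dnsbl_rejects() instead of SAMPLE_LOG; lines from other Postfix daemons are ignored by the regex.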
On Thu, 19 Jan 2017 20:57:28 +0100
Reindl Harald <h.rei...@thelounge.net> wrote:
and in a really good setup your spamassassin also uses clamd to add
scores to all the other rules, dnsbl, uribl, digest-services and so
the unconditional whitelisting in the milter at last stage is only for
dumb unconditional false positives leading to rejects
On 19.01.2017 at 20:54, Reindl Harald wrote:
On 19.01.2017 at 20:50, Paul Kosinski wrote:
What if a white-listed sender later becomes part of a botnet?
However trustworthy the person is, their email isn't necessarily
trustworthy. (The "From:" address could easily be faked, for
example.)
then hopefully your filter setup does not rely only on clamd,
whitelisting is a local decision with many pros and cons and also
depends on the signatures included in your setup
there is also a difference if you have just one or more than one
clamd instance with different signatures and whitelistings
typically clamav-milter is the last stage of filtering - it's faster
than spamassassin but spamassassin does catch much more than clamd
and so the whole clamd can be skipped in case of sa-milter rejects
On Thu, 19 Jan 2017 08:02:39 +0100
z...@aian.de wrote:
Hey there,
I bet it's an easy one for you, but I couldn't find any
documentation about that.
What I want to do is whitelist a specific sender or recipient from
the scans.
I read about the whitelist.ign2 for whitelisting signatures, but
nothing about user whitelisting.
Can you help?
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml