# Spam Assassin not working with amavisd-new [Solved]

## jasonpf

I have a server which runs (output with use flags, just so you know)

```
mail-mta/postfix-2.1.5-r2 -hardened -ipv6 -ldap -mailwrapper -mbox +mysql -nis +pam -postgres +sasl (-selinux) +ssl -vda
mail-filter/amavisd-new-2.3.3-r1  -ldap -milter +mysql -postgres
mail-filter/spamassassin-3.0.4  -berkdb -doc -qmail +ssl
app-antivirus/clamav-0.87  +crypt -mailwrapper -milter (-selinux)
```

The issue that I'm having is that even though I have spamassassin set to add the spam scores to all messages, none are getting them added.  ClamAV works fine - it dumps all messages with a virus in it, I just can't get it to check for spam.  Here are some notes on my setup:

We use mysql to store our postfix configuration for our domains and use it for virtual hosting.

Btw, I ran my conf files through a few greps to remove comments and whitespaces to condense it a bit.  This also removed things like #!/usr/bin/perl or things like that.

Postfix

main.cf

```

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myhostname = hermes.azxws.com

mydomain = hermes.xelia-wizard.com

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain

unknown_local_recipient_reject_code = 550

mynetworks = 10.0.0.0/8, 127.0.0.0/8, 68.142.66.0/24, 192.168.0.0/24, 68.142.67.0/24

smtpd_banner = mail.azxws.com ESMTP $mail_name - ($mail_version)

local_destination_concurrency_limit = 2

default_destination_concurrency_limit = 20

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /etc/postfix

readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme

default_destination_concurrency_limit = 10

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 5

relocated_maps = mysql:/etc/postfix/mysql-relocated.cf

local_transport = local

local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

virtual_transport = virtual

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf

virtual_minimum_uid = 10000

virtual_gid_maps = static:10000

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf

alias_maps = hash:/usr/local/mailman/data/aliases,

             mysql:/etc/postfix/mysql-aliases.cf

virtual_alias_maps = hash:/usr/local/mailman/data/virtual-mailman,

                     mysql:/etc/postfix/mysql-virtual.cf

virtual_uid_maps = static:10000

virtual_mailbox_base = /

home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl2_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_local_domain =

smtpd_recipient_restrictions =

        permit_sasl_authenticated,

        permit_mynetworks,

        reject_unauth_destination

smtpd_use_tls = yes

smtpd_tls_key_file = /etc/postfix/newreq.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

owner_request_special = no

recipient_delimiter = +

biff = no

empty_address_recipient = MAILER-DAEMON

queue_minfree = 120000000

content_filter = smtp-amavis:[127.0.0.1]:10024

```

master.cf

```

smtp      inet  n       -       n       -       -       smtpd

pickup    fifo  n       -       n       60      1       pickup

cleanup   unix  n       -       n       -       0       cleanup

qmgr      fifo  n       -       n       300     1       qmgr

rewrite   unix  -       -       n       -       -       trivial-rewrite

bounce    unix  -       -       n       -       0       bounce

defer     unix  -       -       n       -       0       bounce

trace     unix  -       -       n       -       0       bounce

verify    unix  -       -       n       -       1       verify

flush     unix  n       -       n       1000?   0       flush

proxymap  unix  -       -       n       -       -       proxymap

smtp      unix  -       -       n       -       -       smtp

relay     unix  -       -       n       -       -       smtp

showq     unix  n       -       n       -       -       showq

error     unix  -       -       n       -       -       error

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       n       -       -       lmtp

anvil     unix  -       -       n       -       1       anvil

maildrop  unix  -       n       n       -       -       pipe

  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

old-cyrus unix  -       n       n       -       -       pipe

  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

cyrus     unix  -       n       n       -       -       pipe

  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

uucp      unix  -       n       n       -       -       pipe

  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe

  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp     unix  -       n       n       -       -       pipe

  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

smtp-amavis     unix -        -       n     -       2  smtp

  -o smtp_data_done_timeout=1200

  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n        -       n     -       - smtpd

  -o content_filter=

  -o local_recipient_maps=

  -o relay_recipient_maps=

  -o smtpd_restriction_classes=

  -o smtpd_client_restrictions=

  -o smtpd_helo_restrictions=

  -o smtpd_sender_restrictions=

  -o smtpd_recipient_restrictions=permit_mynetworks,reject

  -o mynetworks=127.0.0.0/8

  -o strict_rfc821_envelope=yes

  -o smtpd_error_sleep_time=0

  -o smtpd_soft_error_limit=1001

  -o smtpd_hard_error_limit=1000

```

amavisd.conf

```

use strict;

$MYHOME = '/var/amavis';   # (default is '/var/amavis')

$mydomain = 'hermes.azxws.com';      # (no useful default)

$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)

$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

$TEMPBASE = "$MYHOME/tmp";      # prefer to keep home dir /var/amavis clean?

$db_home = "$MYHOME/db";        # DB databases directory, default "$MYHOME/db"

$helpers_home = $MYHOME;        # (defaults to $MYHOME)

$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail

$notify_method = $forward_method;            # where to submit notifications

$max_servers  =  4;   # number of pre-forked children          (default 2)

$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in

                      # approximately n sec (default: 8*60 seconds)

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains

                                  # (does not apply to sendmail/milter)

                                  # (default is true)

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket

                                  # (default is undef, i.e. disabled)

                                  # (usual setting is $MYHOME/amavisd.sock)

$inet_socket_port = 10024;        # accept SMTP on this local TCP port

                                  # (default is undef, i.e. disabled)

$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface

                                  # (default is '127.0.0.1')

@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP

                                  # (default is qw(127.0.0.1 [::1]) )

$DO_SYSLOG = 1;                   # (defaults to 0)

$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

$log_level = 0;           # (defaults to 0)

$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

$final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)

$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)

$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)

$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

@viruses_that_fake_sender_maps = (new_RE(

  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,

  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,

  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,

  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,

  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan

  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc

  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)

));

$virus_admin = "virusalert\@azxws.com";

$mailfrom_notify_admin     = "virusalert\@$mydomain";

$mailfrom_notify_recip     = "virusalert\@$mydomain";

$mailfrom_notify_spamadmin = "spam.police\@$mydomain";

$mailfrom_to_quarantine = '';   # override sender address with null return path

$QUARANTINEDIR = "$MYHOME/quarantine";

$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

$banned_quarantine_to     = 'banned-quarantine';     # local quarantine

$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine

$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: 'X-Virus-Scanned')

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

$defang_virus  = 1;  # default is false: don't modify mail body

$defang_banned = 1;  # default is false: don't modify mail body

$defang_undecipherable = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone

                                        # (defaults to false)

$remove_existing_spam_headers  = 1;     # remove existing spam headers if

                                        # spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(

  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables

  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,

));

$banned_filename_re = new_RE(

  # block certain double extensions anywhere in the base name

  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'^application/x-msdownload$'i,                  # block these MIME types

  qr'^application/x-msdos-program$'i,

  qr'^application/hta$'i,

  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

  qr'^\.(exe-ms)$',                       # banned file(1) types

);

$banned_namepath_re = new_RE(

  # block these MIME types

  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,

  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,

  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,

  # within traditional Unix archives allow any name and type

  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

  # block certain double extensions in filenames

  qr'(?# BLOCK DOUBLE-EXTENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.

                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

  # banned filename extensions (in declared names) anywhere - basic

  qr'(?# BLOCK COMMON NAME EXENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,

  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )

       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi

    => 'DISCARD' ],

  qr'(?# BLOCK Microsoft EXECUTABLES )

     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type

);

  $banned_namepath_re = undef;  # to disable new-style

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$localpart_is_case_sensitive = 0;       # (default is false)

@score_sender_maps = ({  # a by-recipient hash lookup table

  # site-wide opinions about senders (the '.' matches any recipient)

  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist

    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],

    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],

    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],

    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],

    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],

    [qr'^(your_friend|greatoffers)@'i                                => 5.0],

    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],

   ),

   { # a hash-type lookup table (associative array)

     'nobody@cert.org'                        => -3.0,

     'cert-advisory@us-cert.gov'              => -3.0,

     'owner-alert@iss.net'                    => -3.0,

     'slashdot@slashdot.org'                  => -3.0,

     'bugtraq@securityfocus.com'              => -3.0,

     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,

     'security-alerts@linuxsecurity.com'      => -3.0,

     'mailman-announce-admin@python.org'      => -3.0,

     'amavis-user-admin@lists.sourceforge.net'=> -3.0,

     'notification-return@lists.sophos.com'   => -3.0,

     'owner-postfix-users@postfix.org'        => -3.0,

     'owner-postfix-announce@postfix.org'     => -3.0,

     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,

     'sendmail-announce-request@lists.sendmail.org' => -3.0,

     'donotreply@sendmail.org'                => -3.0,

     'ca+envelope@sendmail.org'               => -3.0,

     'noreply@freshmeat.net'                  => -3.0,

     'owner-technews@postel.acm.org'          => -3.0,

     'ietf-123-owner@loki.ietf.org'           => -3.0,

     'cvs-commits-list-admin@gnome.org'       => -3.0,

     'rt-users-admin@lists.fsck.com'          => -3.0,

     'clp-request@comp.nus.edu.sg'            => -3.0,

     'surveys-errors@lists.nua.ie'            => -3.0,

     'emailnews@genomeweb.com'                => -5.0,

     'yahoo-dev-null@yahoo-inc.com'           => -3.0,

     'returns.groups.yahoo.com'               => -3.0,

     'clusternews@linuxnetworx.com'           => -3.0,

     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,

     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)

     'sender@example.net'                     =>  3.0,

     '.example.net'                           =>  1.0,

   },

  ],  # end of site-wide tables

});

@blacklist_sender_maps = ( new_RE(

    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,

    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,

    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,

    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,

    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,

    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,

));

$MAXLEVELS = 14;                # (default is undef, no limit)

$MAXFILES = 1500;               # (default is undef, no limit)

$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)

$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)

$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)

$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected

$virus_check_positive_ttl= 30*60; # time to remember that mail was infected

$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam

$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability

$dspam  = 'dspam';

@decoders = (

  ['mail', \&do_mime_decode],

  ['asc',  \&do_ascii],

  ['uue',  \&do_ascii],

  ['hqx',  \&do_ascii],

  ['ync',  \&do_ascii],

  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],

  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],

  ['gz',   \&do_gunzip],

  ['gz',   \&do_uncompress,  'gzip -d'],

  ['bz2',  \&do_uncompress,  'bzip2 -d'],

  ['lzo',  \&do_uncompress,  'lzop -d'],

  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],

  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],

  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],

  ['tar',  \&do_tar],

  ['deb',  \&do_ar,          'ar'],

  ['zip',  \&do_unzip],

  ['rar',  \&do_unrar,      ['rar','unrar'] ],

  ['arj',  \&do_unarj,      ['arj','unarj'] ],

  ['arc',  \&do_arc,        ['nomarch','arc'] ],

  ['zoo',  \&do_zoo,         'zoo'],

  ['lha',  \&do_lha,         'lha'],

  ['cab',  \&do_cabextract,  'cabextract'],

  ['tnef', \&do_tnef_ext,    'tnef'],

  ['tnef', \&do_tnef],

  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],

);

$sa_local_tests_only = 0;   # (default: false)

                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger

                            # (less than 1% of spam is > 64k)

                            # default: undef, no limitations

$sa_tag_level_deflt  = -100; # add spam info headers if at, or above that level;

                            # undef is interpreted as lower than any spam level

$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level to

                            # passed mail (e.g. when $final_spam_destiny=D_PASS

                            # or for spam_lovers or when below kill_level)

$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions

                            # at or above that level: bounce/reject/drop,

                            # quarantine, and adding mail address extension

$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,

                            # effectively turning D_BOUNCE into D_DISCARD;

                            # undef disables this feature and is a default;

                             # (only seen when spam is passed and recipient is

                             # in local_domains*)

                             # undef or empty disables inserting X-Spam-Level

$first_infected_stops_scan = 1;  # default is false, all scanners in a section

                                  # are called

@av_scanners = (

['ClamAV-clamd',

\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],

qr/\bOK$/, qr/\bFOUND$/,

qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.kaspersky.com/  (in the 'file server version')

  ['KasperskyLab AVP - aveclient',

    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',

     '/opt/kav/bin/aveclient','aveclient'],

    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,

    qr/(?:INFECTED|SUSPICION) (.+)/,

  ],

  ### http://www.kaspersky.com/

  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],

    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?

    qr/infected: (.+)/,

    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky

  ### products and replaced by aveserver and aveclient

  ['KasperskyLab AVPDaemonClient',

    [ '/opt/AVP/kavdaemon',       'kavdaemon',

      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',

      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',

      '/opt/AVP/avpdc', 'avpdc' ],

    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],

    # change the startup-script in /etc/init.d/kavd to:

    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"

    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )

    # adjusting /var/amavis above to match your $TEMPBASE.

    # The '-f=/var/amavis' is needed if not running it as root, so it

    # can find, read, and write its pid file, etc., see 'man kavdaemon'.

    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever

    #   directory $TEMPBASE specifies) in the 'Names=' section.

    # cd /opt/AVP/DaemonClients; configure; cd Sample; make

    # cp AvpDaemonClient /opt/AVP/

    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/

  ['CentralCommand Vexira (new) vascan',

    ['vascan','/usr/lib/Vexira/vascan'],

    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".

    "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",

    [0,3], [1,2,5],

    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],

    # Adjust the path of the binary and the virus database as needed.

    # 'vascan' does not allow to have the temp directory to be the same as

    # the quarantine directory, and the quarantine option can not be disabled.

    # If $QUARANTINEDIR is not used, then another directory must be specified

    # to appease 'vascan'. Move status 3 to the second list if password

    # protected files are to be considered infected.

  ### http://www.hbedv.com/

  ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',

    ['antivir','vexira'],

    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,

    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |

         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],

    # NOTE: if you only have a demo version, remove -z and add 214, as in:

    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/

  ['Command AntiVirus for Linux', 'csav',

    '-all -archive -packed {}', [50], [51,52,53],

    qr/Infection: (.+)/ ],

  ### http://www.symantec.com/

  ['Symantec CarrierScan via Symantec CommandLineScanner',

    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',

    qr/^Files Infected:\s+0$/, qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/

  ['Symantec AntiVirus Scan Engine',

    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',

    [0], qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

    # NOTE: check options and patterns to see which entry better applies

  ### http://www.f-secure.com/products/anti-virus/

  ['F-Secure Antivirus', 'fsav',

    '--dumb --mime --archive {}', [0], [3,8],

    qr/(?:infection|Infected|Suspected): (.+)/ ],

  ['CAI InoculateIT', 'inocucmd',  # retired product

    '-sec -nex {}', [0], [100],

    qr/was infected by virus (.+)/ ],

  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)

  ['CAI eTrust Antivirus', 'etrust-wrapper',

    '-arc -nex -spm h {}', [0], [101],

    qr/is infected by virus: (.+)/ ],

    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer

    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html

  ['MkS_Vir for Linux (beta)', ['mks32','mks'],

    '-s {}/*', [0], [1,2],

    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html

  ['MkS_Vir daemon', 'mksscan',

    '-s -q {}', [0], [1..7],

    qr/^... (\S+)/ ],

  ### http://www.nod32.com/

  ['ESET Software NOD32', 'nod32',

    '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

  # with old versions use:

  #   '-all -subdir+ {}', [0], [1,2],

  #   qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],

  ### http://www.nod32.com/

  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',

    '-a -r -d recurse --heur standard {}', [0], [10,11],

    qr/^\S+\s+infected:\s+(.+)/ ],

  ### http://www.norman.com/products_nvc.shtml

  ['Norman Virus Control v5 / Linux', 'nvcc',

    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],

    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/

  ['Panda Antivirus for Linux', ['pavcl'],

    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',

    qr/Number of files infected[ .]*: 0+(?!\d)/,

    qr/Number of files infected[ .]*: 0*[1-9]/,

    qr/Found virus :\s*(\S+)/ ],

  ### http://www.nai.com/

  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',

    '--secure --mime --program --mailbox -rv --mime --summary --noboot --timeout 180 - {}', [0], [13],

    qr/(?x) Found (?:

        \ the\ (.+)\ (?:virus|trojan)  |

        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |

        :\ (.+)\ NOT\ a\ virus)/,

  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},

  # sub {delete $ENV{LD_PRELOAD}},

  ],

  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before

  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6

  # and then clear it when finished to avoid confusing anything else.

  # NOTE2: to treat encrypted files as viruses replace the [13] with:

  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/

  ['VirusBuster', ['vbuster', 'vbengcl'],

    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],

    qr/: '(.*)' - Virus/ ],

  # VirusBuster Ltd. does not support the daemon version for the workstation

  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of

  # binaries, some parameters AND return codes have changed (from 3 to 1).

  # See also the new Vexira entry 'vascan' which is possibly related.

  ### http://www.cyber.com/

  ['CyberSoft VFind', 'vfind',

    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,

  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},

  ],

  ### http://www.ikarus-software.com/

  ['Ikarus AntiVirus for Linux', 'ikarus',

    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/

  ['BitDefender', 'bdc',

    '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/,

    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,

    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],

);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV

  ['ClamAV-clamscan', 'clamscan',

    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],

    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon

  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],

    '-dumb -ai -archive -packed -server {}', [0,8], [3,6],

    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],

  ### http://www.trendmicro.com/   - backs up Trophie

  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],

    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD

  ['drweb - DrWeb Antivirus',

    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],

    '-path={} -al -go -ot -cn -upn -ok-',

    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],

    '-i1 -xp {}', [0,10,15], [5,20,21,25],

    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,

    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

);

map { $bypass_spam_checks{lc($_)}=1 } (qw(

        postmaster@

        abuse@

));

1;  # insure a defined return

```

local.cf  (spamassassin)

```

skip_rbl_checks         0

use_razor2              1

use_dcc                 1

use_pyzor               1

ok_languages            en de es ja

ok_locales              en de es ja

```

Here is an e-mail I sent myself, I'm expecting to have spam headers on it, I've since added the following to local.cf for spamassassin:

```
add_header all Level _STARS(*)_
```

E-Mail Headers:

```

Return-Path: <jpfingstmann@gmail.com>

X-Original-To: jpfingstmann@azxws.com

Delivered-To: jpfingstmann@azxws.com

Received: from localhost (localhost [127.0.0.1])

     by hermes.azxws.com (Postfix) with ESMTP id 6443E2793B

     for <jpfingstmann@azxws.com>; Wed, 12 Oct 2005 14:14:20 -0700 (MST)

Received: from hermes.azxws.com ([127.0.0.1])

     by localhost (hermes.azxws.com [127.0.0.1]) (amavisd-new, port 10024)

     with ESMTP id 17747-01 for <jpfingstmann@azxws.com>;

     Wed, 12 Oct 2005 14:14:17 -0700 (MST)

Received: from xproxy.gmail.com (xproxy.gmail.com [66.249.82.200])

     by hermes.azxws.com (Postfix) with ESMTP id B81F214E8C

     for <admin@azxws.com>; Wed, 12 Oct 2005 14:14:17 -0700 (MST)

Received: by xproxy.gmail.com with SMTP id t13so139814wxc

     for <admin@azxws.com>; Wed, 12 Oct 2005 14:24:44 -0700 (PDT)

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;

     s=beta; d=gmail.com;

     h=received:message-id:date:from:to:subject:mime-version:content-type;

     b=PXI37VR3TDmqaAK+kGQUy5nU/1kpM0t0rHC+yz/OeupTftZ4wsOyjJvYNz4t16wVQ4DxGFz/daowLZQ47MM8giHGSYYyHA+hL9SCq6icQ1B7HMArv8u+JKNdn+4v0uJsa1M+Y18tfCD14rmIBIE4iS4R/3ILQp9FjmVHwH3kD+4=

Received: by 10.70.108.14 with SMTP id g14mr346106wxc;

     Wed, 12 Oct 2005 14:24:44 -0700 (PDT)

Received: by 10.70.29.16 with HTTP; Wed, 12 Oct 2005 14:24:44 -0700 (PDT)

Message-ID: <5f8757e80510121424o16093c45i7b4ae1d81d3fd6df@mail.gmail.com>

Date: Wed, 12 Oct 2005 14:24:44 -0700

From: Jason Pfingstmann <jpfingstmann@gmail.com>

To: admin@azxws.com

Subject: SPAM me!

MIME-Version: 1.0

Content-Type: multipart/alternative;

     boundary="----=_Part_31758_1218440.1129152284870"

X-Virus-Scanned: amavisd-new at hermes.azxws.com

```

Any help is appreciated, it took a while to get these changes made and I'm afraid to troubleshoot too much in fear of breaking something or changing something in a bad way and not noticing it.  Thanks.

Jason Pfingstmann

----------

## sandcrawler

I was hoping to shed some light on this but I can't seem to reproduce this error.  The only major difference I can see is that you have razor turned on, but I don't think that should affect it. 

```

mail-mta/postfix-2.1.5-r2  +ipv6 +ldap +mailwrapper +mbox +mysql +pam -postgres +sasl (-selinux) +ssl -vda

mail-filter/spamassassin-3.0.4  +berkdb -doc -qmail +ssl

mail-filter/amavisd-new-2.3.3  +ldap -milter +mysql -postgres

app-antivirus/clamav-0.87  +crypt +mailwrapper -milter (-selinux)

```

Since this should be an amavis/spamassassin function I would think it would be responsible for those headers...  I'll skip all the postfix config and just post the pertinent stuff I have...

/etc/mail/spamassassin/local.cf

```

bayes_auto_learn 1

bayes_path /etc/mail/spamassassin/bayes

##Thanks for this tip :)

add_header all Level _STARS(*)_

```

/etc/amavisd.conf

```

# SpamAssassin settings

$sa_local_tests_only = 0;   # (default: false)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger

##I set this back to 2.0 after testing the -100.0 setting

$sa_tag_level_deflt  = 2.0; # add spam info headers if at, or above that level;

$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level to

$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions

$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,

```

As a note, I do NOT have Mail::SpamAssassin installed

Here is a sanitized excerpt from my logs..

/var/log/amavisd.log

```
Oct 12 21:06:23 my.server.org /usr/sbin/amavisd[6796]: (06796-05) spam_scan: score=1.103 tests=[AWL=0.826,BAYES_50=0.001,HTML_50_60=0.087,HTML_FONT_BIG=0.142,HTML_MESSAGE=0.001,MIME_QP_LONG_LINE=0.039,NO_REAL_NAME=0.007]
Oct 12 21:06:23 my.server.org /usr/sbin/amavisd[6796]: (06796-05) SPAM-TAG, <someuser@aol.com> -> <OurUser@server.org>, No, score=1.103 tagged_above=-100 required=5 tests=[AWL=0.826, BAYES_50=0.001, HTML_50_60=0.087, HTML_FONT_BIG=0.142, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.039, NO_REAL_NAME=0.007]
```

And here are the headers from the delivered message..

```

X-Virus-Scanned: amavisd-new at myserver.org

X-Spam-Status: No, score=1.103 tagged_above=-100 required=5 tests=[AWL=0.826,

 BAYES_50=0.001, HTML_50_60=0.087, HTML_FONT_BIG=0.142, HTML_MESSAGE=0.001,

 MIME_QP_LONG_LINE=0.039, NO_REAL_NAME=0.007]

X-Spam-Score: 1.103

X-Spam-Level: *

```

Here's some from

/etc/postfix/master.cf

```
smtp-amavis     unix    -       -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
#
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
```

I do all the nice recipient restrictions in main.cf, myself...

/etc/postfix/main.cf

```
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
```

Anyhow, maybe some of this will make a difference and get your system purring like it should...

----------

## smellis83

I had the same problem.  It seems that amavisd-new will not put it through SA unless you have your domains in a hash called %local_domains.  To see if this is the problem, make sure everything that can put a value in %local_domains is commented out.  Then, on a line by itself, put this in:

```
$local_domains{"yourdomain.com"} = 1;
```

Obviously, replace yourdomain.com with your actual domain.

Restart amavisd and put a test mail in. That did it for me.  You can also have it use the read_hash function to set the %local_domains hash up from your postfix relay_domains file.  It's all documented in amavisd.conf.  I extended amavisd to read all that shiz from a mysql database so that I could configure a cluster of these machines to all do the same thing.
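
A way to check a delivered message against the local-domain entries, using the headers and the `[".$mydomain"]` setting from the first post. This is an added example, not code from the thread or from amavisd-new; the matching rule is a simplified model taken from the amavisd.conf comment "$mydomain and its subdomains", and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the thread). Simplified model of the local-domain
# lookup: "example.com" matches that domain only; ".example.com" matches
# example.com and its subdomains (per the amavisd.conf comment quoted above).

# Excerpt of the headers posted in the first message of the thread.
SAMPLE_HEADERS='Delivered-To: jpfingstmann@azxws.com
Received: from hermes.azxws.com ([127.0.0.1])
     by localhost (hermes.azxws.com [127.0.0.1]) (amavisd-new, port 10024)
Subject: SPAM me!
X-Virus-Scanned: amavisd-new at hermes.azxws.com'

# domain_is_local DOMAIN ENTRY...
# Exit status 0 if DOMAIN is covered by at least one ENTRY, 1 otherwise.
domain_is_local() {
    local domain entry
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
        case "$entry" in
            .*)
                # Leading dot: the domain itself or any subdomain of it.
                if [ "$domain" = "${entry#.}" ]; then return 0; fi
                case "$domain" in
                    *"$entry") return 0 ;;
                esac
                ;;
            *)
                # No leading dot: exact match only.
                if [ "$domain" = "$entry" ]; then return 0; fi
                ;;
        esac
    done
    return 1
}

# delivered_domain: read headers on stdin, print the domain of the first
# Delivered-To address.
delivered_domain() {
    sed -n 's/^Delivered-To:.*@\([^>[:space:]]*\).*$/\1/p' | head -n 1
}

# spam_header_verdict HEADERS ENTRY...
# Prints one of:
#   tagged        an X-Spam-* header is present
#   not-scanned   no amavisd-new X-Virus-Scanned header, mail bypassed the filter
#   not-local     scanned, untagged, recipient domain not covered by any ENTRY
#   local         scanned, untagged, domain is covered: look elsewhere
spam_header_verdict() {
    local headers domain
    headers=$1
    shift
    if printf '%s\n' "$headers" | grep -qi '^X-Spam-'; then
        echo tagged
    elif ! printf '%s\n' "$headers" | grep -qi '^X-Virus-Scanned:.*amavisd-new'; then
        echo not-scanned
    else
        domain=$(printf '%s\n' "$headers" | delivered_domain)
        if domain_is_local "$domain" "$@"; then echo local; else echo not-local; fi
    fi
}

# The first post sets $mydomain = 'hermes.azxws.com' and uses [".$mydomain"].
spam_header_verdict "$SAMPLE_HEADERS" ".hermes.azxws.com"   # not-local
spam_header_verdict "$SAMPLE_HEADERS" "azxws.com"           # local
```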

----------

## jasonpf

Thanks for your replies, I'll take a look at this later today, I got tied up yesterday building a secondary web/dns server...

-Jason

----------

## jasonpf

Added to amavisd.conf:

```
@local_domains_maps = ( read_hash("/etc/amavisd-domains.db") );
```

Created script that runs nightly:

```
#!/bin/bash
echo "select domain from vmailbox;" | mysql -N -u mailsql -p'<password>' mailsql > /etc/amavisd-domains.db
amavisd reload &> /dev/null
```

Thanks again for all your help.
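
A more defensive form of the nightly refresh, as an added example that is not part of the original post. The redirect in the script above truncates `/etc/amavisd-domains.db` before `mysql` runs, so a failed query leaves an empty list for the reload, and `-p` on the command line exposes the password in the process list. Assumptions: `/etc/amavisd-mysql.cnf` is a hypothetical option file (mode 0600) holding the credentials, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the thread): refresh the read_hash() domain file
# without ever leaving amavisd with an empty or half-written list.
# Assumption: /etc/amavisd-mysql.cnf is a hypothetical MySQL option file
# (mode 0600) whose [client] section holds the user and password.

TARGET=/etc/amavisd-domains.db        # path from the post above
MYSQL_CNF=/etc/amavisd-mysql.cnf      # hypothetical path

# validate_domains: stdin -> stdout. Lowercase the input, drop every line
# that is not a plain DNS name, remove duplicates.
validate_domains() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
        sort -u
}

# install_domain_map FILE [MIN]
# Reads candidate domains on stdin. Replaces FILE only if at least MIN
# (default 1) valid domains remain; otherwise FILE is left untouched.
# Returns 0 on replace, 1 if too few domains, 2 if no temp file could be made.
install_domain_map() {
    local target min tmp count
    target=$1
    min=${2:-1}
    # Temp file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "${target}.XXXXXX") || return 2
    validate_domains > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"                 # the amavis user must be able to read it
    mv -f "$tmp" "$target"
}

# refresh_from_mysql: query first, touch the file only after the query worked.
refresh_from_mysql() {
    local rows
    rows=$(mysql --defaults-extra-file="$MYSQL_CNF" -N -B \
                 -e 'SELECT DISTINCT domain FROM vmailbox' mailsql) || {
        echo "domain query failed, keeping existing $TARGET" >&2
        return 3
    }
    if printf '%s\n' "$rows" | install_domain_map "$TARGET"; then
        amavisd reload >/dev/null 2>&1
    else
        echo "no valid domains returned, keeping existing $TARGET" >&2
        return 1
    fi
}

# Run the refresh only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--refresh" ]; then
    refresh_from_mysql
fi
```

Call it from cron as `script --refresh`; a non-zero exit means the previous domain list is still in place.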

----------

## olli.bo

I have the same problem... Isn't it possible to put in a * or something else for selecting every domain...?

----------

