I am using Ubuntu Server 9.04 and used the Perfect Server ISPConfig 3 howto for my distribution. I have been searching far and wide for answers to my spam problems, most of the answers I have found here in this forum. Here is /etc/amavis/conf.d/20-debian_defaults: HTML:
use strict;

# Debian's packaged defaults for amavisd-new, as posted: a flat list of
# assignments to amavisd settings, ending in a true value.
# NOTE(review): per the administrators' note below, site changes are expected
# to live in another file that overrides this one, so the values listed here
# are not necessarily the ones in effect on the running system.

# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...

#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
#       a list of all variables with their defaults;
#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
#       a traditional-style commented file
#   [note: the above files were not converted to Debian settings!]
#
#   for more details see documentation in /usr/share/doc/amavisd-new
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

# NOTE(review): the X-Spam-Status header quoted after this listing reports
# tagged_above=3 required=6, which does not match the 2.0 / 6.31 set here.
# The levels applied to that message therefore appear to come from somewhere
# else (an overriding file or a per-recipient policy lookup) -- verify which
# tag, tag2 and kill levels are actually in force for that recipient.
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes

# You should:
#   Use D_DISCARD to discard data (viruses)
#   Use D_BOUNCE to generate local bounces by amavisd-new
#   Use D_REJECT to generate local or remote bounces by the calling MTA
#   Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account. Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message. Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly. Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).

# NOTE(review): the spam destiny is applied only to mail that reaches the kill
# level in force for the recipient (see $sa_kill_level_deflt above). A message
# that is tagged yet still delivered points at the effective kill level or a
# per-recipient exemption, not at this assignment.
# NOTE(review): D_DISCARD drops a false positive without telling sender or
# recipient; confirm discarded spam is quarantined or at least logged so it
# can be recovered and audited.
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;  # False-positive prone (for spam)

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default

# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM. This holds true even inside one's domain. We disable them all by
# default, except for the EICAR test pattern.
#

# Maps a virus name to 0 (EICAR test pattern) or 1 (every other name).
@viruses_that_fake_sender_maps = (new_RE(
  [qr'\bEICAR\b'i => 0],            # av test pattern name
  [qr/.*/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));


# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

# Active entries below cover double extensions, CLSID-style names, three MIME
# types, a basic list of executable extensions and one file(1) type; the
# commented-out entries are stricter or more permissive alternatives.
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,      # Windows Metafile MIME type
# qr'^\.wmf$',                          # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$' => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

# NOTE(review): these tables key on the envelope sender, which the notes above
# already describe as routinely faked. A negative (whitelist) score is granted
# to anyone who forges a listed address, so keep such bonuses small relative
# to the kill level and review the list periodically.
# NOTE(review): the '[email protected]' keys look like addresses redacted by the
# page this listing was copied from; as literal hash keys they would all
# collide, so the real addresses must be restored before this table is used.
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# '[email protected]' => [{'[email protected]' => 10.0}],
# '[email protected]' => [{'.ebay.com' => -3.0}],
# '[email protected]' => [{'[email protected]' => -7.0,
#                         '.cleargreen.com' => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
    [qr'^(your_friend|greatoffers)@'i => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     'securityfocus.com' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]'=> -3.0,
     '[email protected]' => -3.0,
     'spamassassin.apache.org' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -3.0,
     '[email protected]' => -5.0,
     '[email protected]' => -3.0,
     'returns.groups.yahoo.com' => -3.0,
     '[email protected]' => -3.0,
     lc('[email protected]') => -3.0,
     lc('[email protected]') => -5.0,

     # soft-blacklisting (positive score)
     '[email protected]' => 3.0,
     '.example.net' => 1.0,

   },
  ],  # end of site-wide tables
});

1;  # ensure a defined return
As you see $final_spam_destiny is set to D_DISCARD but I'm still getting spam that is being labeled but not discarded. here is an example header from an email that got through: HTML: Return-Path: <[email protected]> Received: from localhost (localhost [127.0.0.1]) by host.example.com (Postfix) with ESMTP id 10E811007B8 for <[email protected]>; Tue, 7 Jul 2009 12:59:46 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at host.example.com X-Spam-Flag: YES X-Spam-Score: 19.043 X-Spam-Level: ******************* X-Spam-Status: Yes, score=19.043 tagged_above=3 required=6 tests=[BAYES_99=3.5, HELO_DYNAMIC_HCC=4.295, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, URIBL_AB_SURBL=1.86, URIBL_JP_SURBL=1.501, URIBL_OB_SURBL=1.5, URIBL_WS_SURBL=1.5] autolearn=spam Received: from host.example.com ([127.0.0.1]) by localhost (host.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEEQMtUdyjCV for <[email protected]>; Tue, 7 Jul 2009 12:59:39 +0000 (UTC) Received: from bl8-161-37.dsl.telepac.pt (bl8-161-37.dsl.telepac.pt [85.241.161.37]) by host.example.com (Postfix) with ESMTP id 8513010075D for <[email protected]>; Tue, 7 Jul 2009 12:59:37 +0000 (UTC) From: [email protected] To: [email protected] Subject: ***SPAM*** For you Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Message-Id: <[email protected]> Date:
Tue, 7 Jul 2009 12:59:37 +0000 (UTC)