[AMaViS-user] Re: Stupid store & bounce behaivour of Amavis-New

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Benoit,

> But why the hell is an open source product having the same stupid problem?
> Wouldn't it be possible to get Amavis also to either reject SPAM/Viruses
> during the SMTP Handshake and thus not cause bounces or just silently drop
> those messages?
> It just does not make sense to notify the owners of fake sender addresses
> that somebody abused that address to send email.

As far as rejecting (vs. bouncing) is concerned, content filters fall into two
main categories. In Postfix parlance these are pre-queue or post-queue 
filters. Sendmail milter and Postfix smtp proxy are examples of a pre-queue
content filter setup which allows for the original SMTP session to REJECT
the mail. Postfix 'content_filter' setup is a post-queue filter, which can no 
longer REJECT mail, because the original SMTP session is no longer around.
It can only bounce or discard or deliver the mail.

While the pre-queue content filtering has a definitive advantage in that it 
can reject mail, it also has serious performance/stability drawbacks when 
non-lightweight content filters are used in anything above a SOHO site,
e.g. when spam scanning with SA is enabled, or when command-line
virus scanners are used (vs. daemonized scanners, which are faster).
The issues are explained in the Postfix documentation: 
README_FILES/CONTENT_INSPECTION_README, and also discussed
in the http://www.ijs.si/software/amavisd/README.sendmail-dual

In principle amavisd-new can be used as a pre-queue or a post-queue
content filter, but in reality the pre-queue setup is strongly discouraged
for the system stability reasons, except perhaps for small/home sites.
That leaves us a choice or bouncing or discarding (or delivering) malware.

It is clearly undesirable to bounce (i.e. generate a non-delivery 
notifications) on faked sender address, as commonly used by viruses
or spam nowadays. To prevent undesired bounces, amavisd-new allows
to DISCARD malware outright (possibly quarantining it), but also
possesses two softer mechanisms to suppress DSN, even if bouncing
is configured, which is a default.

These mechanisms are:

- bounce is suppressed if virus is know to fake the sender address.
  This is _always_ true by default since version amavisd-new-20030616-p8,
  which is more than a year old by now. In older versions, the list of virus
  names used to be adjusted to new threats, but this turned out to be too
  slow, and was abandoned;

- bouncing spam is suppressed if spam scores above sa_dsn_cutoff_level,
  the recommended value (in the docs) is 10. This feature became available
  in the same version (March 9 2004), a year ago.

So if you see a bounce from amavisd-new to a virus, this in almost all the
cases means the site uses an ancient version of the software. As there is
no self-destruct mechanism built into the package, there is nothing one can
do about it, except to urge each site to upgrade.

A bounce to a spam with versions amavisd-new-20030616-p8 and
later indicates the spam score is within a score window above kill_level
and below sa_dsn_cutoff_level. This window includes genuine mail
which happened to be false positives, but unfortunately also some
lower-level spam. Adjusting/narrowing the window is up to site administrator
and recent spam trends, and is necessarily only a more or less good
compromise between loosing genuine mail and genering some spam bounces.
I'll consider lowering the sa_dsn_cutoff_level even further for the next 
release.

  Mark