# Inhaltsfilter greift nicht immer, zu viele Spams kommen durch



## major7 (5. Juni 2018)

Beispiel einer Spam-Mail:


```
Return-Path: <saschapxcsscy@kpffsea.com>
Delivered-To: test@example.com
Received: from localhost (localhost [127.0.0.1])
    by ssl.example.com (Postfix) with ESMTP id 45F7A3E95E
    for <test@example.com>; Tue,  5 Jun 2018 10:32:55 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Flag: YES
X-Spam-Score: 6.508
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.508 tagged_above=1 required=4.5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    HTML_IMAGE_ONLY_12=1.629, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.139, RCVD_IN_BL_SPAMCOP_NET=1.246,
    RCVD_IN_BRBL_LASTEXT=1.644, URIBL_BLOCKED=0.001, URIBL_JP_SURBL=1.948]
    autolearn=no autolearn_force=no
Authentication-Results: example.com (amavisd-new); dkim=pass (1024-bit key)
    header.d=kpffsea.com; domainkeys=fail (1024-bit key)
    reason="fail (message has been altered)"
    header.from=saschapxcsscy@kpffsea.com header.d=kpffsea.com
Received: from ssl.example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id pVt4mDkJ3PJo for <al@example.com>;
    Tue,  5 Jun 2018 10:32:55 +0200 (CEST)
Received: from known.kpffsea.com (known.artisainvapor.com [63.246.154.131])
    by ssl.example.com (Postfix) with ESMTP id E121B3E8BA
    for <al@example.com>; Tue,  5 Jun 2018 10:32:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=kpffsea.com;
 h=Date:To:Message-ID:Subject:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; i=saschapxcsscy@kpffsea.com;
 bh=FflmFvQr2zW6eL70u/Gvbg+86YU=;
 b=XcozkZUYWmt6Vn2SYzsay56B0Bx0ghYiW+yIbUvZj5whfG+FJ5/oSlVp4c6Eg+zlcmz5zzGAbRik
   TCa6zN5F5hSZbLizuIY3kuXI5xaXUpBMGj6cSoAXKzb3b8K3Azap7tUgZz8To55zqWksXnV7Q9pe
   5iDBc1SfKV12mN9UnL0=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=kpffsea.com;
 b=i6xLseQGel825507hWQoBbLCFP5uYTFhDDXl5q8KVuMwWejJnCOG9f46c+NAvuRCmbRSJnkYiE+t
   RiK4IadiXaNwkl8IV3/o50tDP9C0kIsMq4zWP5wD2O1EhhbHpCed5NuewofYRxE4KHymCqP/8PUP
   aAnf0y18eoJHPNL47+c=;
Date: Tue, 5 Jun 2018 10:32:54 +0200
To:  <al@example.com>
Message-ID: <mjjiwuezgRUFPZHBCYCBGEVVBPSXORO@xxjq.kpffsea.com>
Subject: ***SPAM***Fachmann war fassungslos
From: =?UTF-8?Q?Sascha?= <saschapxcsscy@kpffsea.com>
Reply-To: saschapxcsscy@kpffsea.com
MIME-Version: 1.0
List-Unsubscribe:  <http://kpffsea.com/ub.php?b=fdp6922902kh33njqr9xs3km52rmar8dfqv>
X-Report-Abuse:  <http://kpffsea.com/aa.php?a=fdp6922902kh33njqr9xs3km52rmar8dfqv>
X-Priority: 3
Precedence: bulk
X-Mailer: Automizy
Content-Type: multipart/alternative; boundary=b1_ejpaz1ipq0mic6h64zvwe5.O7nHtr5; charset="UTF-8"
Content-Transfer-Encoding: 8bit

--b1_ejpaz1ipq0mic6h64zvwe5.O7nHtr5
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable


=0D
Entkratze das Auto - sch=C3=B6ne Lackierung, Home:=0D
http://xqb.kpffsea.com=0D
=0D
=0D
=0D
Ich m=C3=B6chte mich abmelden:=0D
http://kpffsea.com/ub.php?p20=3Dfdp6922902kh33njqr9xs3km52rmar8dfqv=0D


--b1_ejpaz1ipq0mic6h64zvwe5.O7nHtr5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable


<!DOCTYPE html>=0D
<html>=0D
=0D
<head>=0D
</head><body>=0D
Entkratze das Auto - sch=C3=B6ne Lackierung, Home<br /><a style=3D"top:1px;=
 text-decoration:underline; text-indent:auto; " href=3D"http://xqb.kpffsea.=
com/"><img style=3D"border-bottom-width:0px; height:auto; border-left-color=
:#007700; white-space:normal; border:outset 1px #0000cc; " src=3D"http://jg=
.kpffsea.com/00.jpg" alt=3D"0 Kratzer am Auto damit" /></a>=0D
<br /><a href=3D"http://xqb.kpffsea.com/">Hat ein Vollidiot dein Auto verkr=
atzt? Poliermaschine gegen Kratzer</a>=0D
<br /><br /><br /><br />Politur Set kaschiert Kratzer- schnell, wundersch=
=C3=B6nes Auto<br /><br /><a style=3D"border-bottom:inset 0px #cc0000; bord=
er-color:#000000; border-top:ridge 0px #007700; top:3px;  font-size:12px; b=
ackground-color:#ffffff;" href=3D"http://kpffsea.com/ub.php?cpy=3Dfdp692290=
2kh33njqr9xs3km52rmar8dfqv">Ich m=C3=B6chte mich abmelden</a>=0D
<img src=3D"http://kpffsea.com/ob.php?p20=3Dfdp6922902kh33njqr9xs3km52rmar8=
dfqv" />=0D
</body>=0D
</html>=

--b1_ejpaz1ipq0mic6h64zvwe5.O7nHtr5--
```
In *ISPConfig > E-Mail > Inhaltsfilter* sind folgende Regeln hinterlegt, die leider alle nicht immer greifen (bei etwa 20% der Mails wird jedoch schon rejected):

Header-Filter
/^X-Spam-Level: \*\*\*\*\*.*/
REJECT

Header-Filter
/domainkeys=fail/
REJECT



*/etc/postfix/main.cf*

```
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ssl.example.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = ssl.example.com, localhost, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 1048576000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = 
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client cbl.abuseat.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 104857600
smtp_host_lookup = dns, native
smtpd_data_restrictions = reject_unauth_pipelining
```


----------



## florian030 (6. Juni 2018)

Den ersten Header-Filter kannst Du direkt entsorgen. Die X-Spam-Werte schreibt idR Dein Server in den Header. Du musst nur für das Postfach move-to-junk aktivieren und dann werden Spam-Mails (X-Spam-Flag: YES) in den Junk-Folder verschoben, soweit die Einstellungen für das Postfach oder die Domain greifen. Sonst schau mal hier.


----------

