Thanks to all for your help. I already activated it; it was simple, but I did not know how to do it. Now
the problem is this: in the amavis log, exactly when I do this to check if everything is OK:

tail -f /var/log/mail.err

I receive these messages:

Oct 3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon av-scanner FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 52) line 257.

Thanks again for all your help.

2005/10/3, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Send AMaViS-user mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of AMaViS-user digest..."
>
>
> Today's Topics:
>
> 1. whitelisting inconsistancy (Cami)
> 2. Re: Amavis "fork" errors (Mark Martinec)
> 3. Re: whitelisting inconsistancy (Mark Martinec)
> 4. Re: whitelisting inconsistancy (Cami)
> 5. Re: whitelisting inconsistancy (Mark Martinec)
> 6. Re: help f-prot amavis suse 9.3 (Gary V)
> 7. Re: help f-prot amavis suse 9.3 (Moises Rivera Alvarez)
> 8. Re: help f-prot amavis suse 9.3 (Stephen Carter)
> 9. Re: whitelisting inconsistancy (Cami)
> 10. Re: help f-prot amavis suse 9.3 (Gary V)
> 11. Re: help f-prot amavis suse 9.3 (Gary V)
> 12. geocities spammers switched to new urls (Gregory Mokhin)
>
> --__--__--
>
> Message: 1
> Date: Mon, 03 Oct 2005 10:55:44 +0200
> From: Cami <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: [AMaViS-user] whitelisting inconsistancy
>
> Hi All,
>
> Recently a few users have been complaining that after having
> sender addresses whitelisted, they are still getting tagged
> as spam. Looking a the logging across the cluster of amavisd-new
> machines, it is confirmed.
> I'm unable to figure out exactly where
> the issue could be. All records etc are stored inside MySQL..
>
> Sep 30 18:42:59 spamwall04.mweb.co.za amavis[23746]: (23746-01-10)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.79,Message-ID=<[EMAIL
> PROTECTED]>,Size=2378
> Sep 30 18:43:05 spamwall02.mweb.co.za amavis[5990]: (05990-01-73)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=3.89,Message-ID=<[EMAIL
> PROTECTED]>,Size=2182
> Sep 30 18:47:25 spamwall01.mweb.co.za amavis[25015]: (25015-01-15)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=5.2,Message-ID=<[EMAIL
> PROTECTED]>,Size=3866
> Sep 30 18:48:02 spamwall02.mweb.co.za amavis[28525]: (28525-01-28)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=1.951,Message-ID=<[EMAIL
> PROTECTED]>,Size=2662
> Sep 30 18:48:14 spamwall03.mweb.co.za amavis[23124]: (23124-01-12)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.79,Message-ID=<[EMAIL
> PROTECTED]>,Size=2186
> Sep 30 18:48:49 spamwall01.mweb.co.za amavis[30084]: (30084-01-19)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.6,Message-ID=<[EMAIL
> PROTECTED]>,Size=2432
> Sep 30 18:48:54 spamwall05.mweb.co.za amavis[9386]: (09386-02-80)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=3.7,Message-ID=<[EMAIL
> PROTECTED]>,Size=2496
> Sep 30 18:49:29 spamwall12.mweb.co.za amavis[31445]: (31445-01-99)
>
> ^^ Broken..
>
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=-,Message-ID=<[EMAIL
> PROTECTED]>,Size=2085
> Sep 30 18:49:51 spamwall01.mweb.co.za amavis[15655]: (15655-01-33)
>
> ^^ Working..
>
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=5.39,Message-ID=<[EMAIL
> PROTECTED]>,Size=2696
> Sep 30 18:50:39 spamwall06.mweb.co.za amavis[4985]: (04985-02-4)
>
> ^^ Broken..
>
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=-,Message-ID=<[EMAIL
> PROTECTED]>,Size=2268
> Sep 30 18:50:39 spamwall09.mweb.co.za amavis[16191]: (16191-01-23)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=-,Message-ID=<[EMAIL
> PROTECTED]>,Size=2590
> Sep 30 18:51:10 spamwall04.mweb.co.za amavis[23746]: (23746-01-84)
> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.6,Message-ID=<[EMAIL
> PROTECTED]>,Size=2556
>
> Here it appears that whitelisting is broken again.
>
> Currently all the machines part of amavisd-new serverfarms
> are the same software configuration/versions.
>
> amavisd-new-2.3.3 + SpamAssassin-3.1.0
>
> Please let me know if any other information is needed.
>
> Cami
>
>
> --__--__--
>
> Message: 2
> From: Mark Martinec <[EMAIL PROTECTED]>
> Organization: J. Stefan Institute
> To: [email protected]
> Subject: Re: [AMaViS-user] Amavis "fork" errors
> Date: Mon, 3 Oct 2005 14:49:10 +0200
>
> Scott,
>
> > Amavisd version is : amavisd-new-2.3.0
>
> Consider upgrading to 2.3.3.
>
> > About every 4-5 days, email will stop sending/receiving, and I get the
> > following error in my amavisd log file.
>
> > Oct 1 16:14:41 ns1 /usr/local/sbin/amavisd[16241]: (16241-03) ESMTP>
> > 451 4.5.0 Error in processing, id=16241-03, mime_decode-1 FAILED:
> > run_command (open pipe):
> > Can't fork at /usr/lib/perl5/5.8.3/i586-linux-thread-multi/IO/File.pm
> > line 176. at /usr/local/sbin/amavisd line 1783.
>
> Like Gary said, check for resource depletion, like swap space full.
> On some OS a tmpfs maps into swap.
>
> > After rebooting, amavisd will fail (kicked off via rc.local) with the
> > following error:
>
> > Oct 1 16:28:34 ns1 /usr/local/sbin/amavisd[1015]: SpamControl:
> > initializing Mail::SpamAssassin
> > Oct 1 16:28:34 ns1 /usr/local/sbin/amavisd[1015]:
> > TROUBLE in pre_loop_hook: Error creating a DNS resolver socket:
> > Network is unreachable
> > at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 202.
>
> The code there does:
>   $sock = IO::Socket::INET->new(%args);
>   $errno = $!;
>   die "Error creating a DNS resolver socket: $errno";
>
> It appears the IO::Socket::INET->new fails to connect
> to resolver socket because "Network is unreachable"
> (assuming you are not using IPv6 network addresses
> to access local resolver)
>
> If you are using remote resolver in /etc/resolve.conf,
> consider having a locally running 'named' as a caching-only DNS server.
>
> > After this, if I manually run /usr/local/sbin/amavisd it will start
> > successfully.
>
> Seems like the network is not fully up by the time amavisd
> is being started. Perhaps you need to reorder startup sequence.
>
> > The second part only started after I did the most recent update of
> > SpamAssassin (SA version 3.1.0)
>
> SA 3.1 does DNS resolver setup differently in order to be able
> to work around Net::DNS problems that were affecting SA 3.0.x.
>
> Mark
>
>
> --__--__--
>
> Message: 3
> From: Mark Martinec <[EMAIL PROTECTED]>
> Organization: J. Stefan Institute
> To: [email protected]
> Subject: Re: [AMaViS-user] whitelisting inconsistancy
> Date: Mon, 3 Oct 2005 15:16:15 +0200
>
> Cami,
>
> > Recently a few users have been complaining that after having
> > sender addresses whitelisted, they are still getting tagged
> > as spam. Looking a the logging across the cluster of amavisd-new
> > machines, it is confirmed. I'm unable to figure out exactly where
> > the issue could be. All records etc are stored inside MySQL..
> >
> > <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.79,
> > ^^ Broken..
> >
> > <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=-
> > ^^ Working..
> >
> > Currently all the machines part of amavisd-new serverfarms
> > are the same software configuration/versions.
> > amavisd-new-2.3.3 + SpamAssassin-3.1.0
>
> You are using a non-default $log_temp, so I don't know whether
> the [EMAIL PROTECTED] is a sender address or one of the two
> recipient addresses.
> My first guess is that these users are
> whitelisting a From address from a mail header, but amavisd-new
> only works on SMTP envelope sender address.
>
> If this is not the case, it would be worth taking a look at level 4 or 5
> log and see how the sender address lookups are being done.
>
> Mark
>
>
> --__--__--
>
> Message: 4
> Date: Mon, 03 Oct 2005 15:48:06 +0200
> From: Cami <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: Re: [AMaViS-user] whitelisting inconsistancy
>
> Mark Martinec wrote:
> > Cami,
> >
> >><[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Blocked,Hits=7.79,
> >>^^ Broken..
> >>
> >><[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Passed,Hits=-
> >>^^ Working..
> >>
> >>Currently all the machines part of amavisd-new serverfarms
> >>are the same software configuration/versions.
> >>amavisd-new-2.3.3 + SpamAssassin-3.1.0
> >
> > You are using a non-default $log_temp, so I don't know whether
> > the [EMAIL PROTECTED] is a sender address or one of the two
> > recipient addresses.
>
> $log_templ = '
> [?%#D||
> [? [?%#V|1]|INFECTED (%V)|#
> [? [?%#F|1]|BANNED (%F)|#
> [? [? %2|1]|SPAM|#
> [? [?%#X|1]|BAD-HEADER|CLEAN]]]]#
> , <%o> -> [%D|,]#
> [? %q ||, quarantine: %i]#
> [? %m ||, Message-ID: %m]#
> , Hits=%c tag1=3.0 tag2=7.5 kill=7.5#
> [? %#T ||, tests=[%T|,]]#
> , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]
> ]
> [?%#O||
> [? [?%#V|1]|INFECTED (%V)|#
> [? [?%#F|1]|BANNED (%F)|#
> [? [? %2|1]|SPAM|#
> [? [?%#X|1]|BAD-HEADER|CLEAN]]]]#
> , <%o> -> [%O|,]#
> [? %q ||, quarantine: %i]#
> , Yes, Hits=%c tag1=3.0 tag2=7.5 kill=7.5#
> [? %#T ||, tests=[%T|,]]#
> , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]
> ]';
>
> $log_recip_templ = '
> [?%#D||<%o>,%D,Passed,Hits=%c,Message-ID=%m,Size=%z|\n]
> [?%#O||<%o>,%O,Blocked,Hits=%c,Message-ID=%m,Size=%z|\n]';
>
> > My first guess is that these users are
> > whitelisting a From address from a mail header, but amavisd-new
> > only works on SMTP envelope sender address.
>
> Since amavisd-new only deals with envelope information,
> I don't see how its possible. Something is certainly up,
> because people whom have been opted out are intermittently
> getting opted in and then back to being opted out.
> I can confirm the database is quite static and no one
> is opting in then opting out again.
>
> Comments on this one?
>
> > If this is not the case, it would be worth taking a look at level 4 or 5
> > log and see how the sender address lookups are being done.
>
> I've just set 1/2 of the serverfarm at loglevel 5.
>
> Cami
>
>
> --__--__--
>
> Message: 5
> From: Mark Martinec <[EMAIL PROTECTED]>
> Organization: J. Stefan Institute
> To: [email protected]
> Subject: Re: [AMaViS-user] whitelisting inconsistancy
> Date: Mon, 3 Oct 2005 17:15:42 +0200
>
> Cami,
>
> > $log_recip_templ = '
> > [?%#D||<%o>,%D,Passed,Hits=%c,Message-ID=%m,Size=%z|\n]
> > [?%#O||<%o>,%O,Blocked,Hits=%c,Message-ID=%m,Size=%z|\n]';
>
> Ok, so these were per-recip log entries.
>
> > > My first guess is that these users are
> > > whitelisting a From address from a mail header, but amavisd-new
> > > only works on SMTP envelope sender address.
> >
> > Since amavisd-new only deals with envelope information,
> > I don't see how its possible.
>
> I was trying to put a blame on the GUI or user or admin
> who placed the sender address in the whitelist for perhaps
> choosing a wrong address.
>
> > I've just set 1/2 of the serverfarm at loglevel 5.
>
> Ok, lets see a specific case.
>
> Mark
>
>
> --__--__--
>
> Message: 6
> Date: Mon, 3 Oct 2005 09:42:29 -0600
> From: Gary V <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> Moises wrote:
>
> > Hi I have been looking how to ativate amavis-new to use f-prot
> > antivirus on SuSE 9.3 but i could not find the info to do even in the
> > website so please can somebody tell me how to do, or please give an
> > example
>
> Assuming you have f-prot installed, you should know that most likely
> the f-prot you are using (the free workstation version) is a command
> line version, and not a daemonized version.
>
> In the @av_scanners section, comment out the daemonized version:
>
> # ### http://www.f-prot.com/
> # ['FRISK F-Prot Daemon',
> #   \&ask_daemon,
> #   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
> #     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
> #      '127.0.0.1:10203','127.0.0.1:10204'] ],
> #   qr/(?i)<summary[^>]*>clean<\/summary>/,
> #   qr/(?i)<summary[^>]*>infected<\/summary>/,
> #   qr/(?i)<name>(.+)<\/name>/ ],
>
> And in the @av_scanners_backup section, insure the command line
> version is not commented out:
>
> ### http://www.f-prot.com/ - backs up F-Prot Daemon
> ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
>   '-dumb -archive -packed {}', [0,8], [3,6],
>   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
>
> amavisd-new should simply use it. If you like, I suppose you could
> move the command line version from the backup section, to the primary
> section, but I believe this would be cosmetic only.
>
> Gary V
>
>
>
> --__--__--
>
> Message: 7
> Date: Mon, 3 Oct 2005 09:55:40 -0600
> From: Moises Rivera Alvarez <[EMAIL PROTECTED]>
> Reply-To: Moises Rivera Alvarez <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> thanks a lot i will check againd, maybe a did not see that
>
> 2005/10/3, Alan Munday <[EMAIL PROTECTED]>:
> > Moises Rivera Alvarez wrote the following on 03/10/2005 02:46:
> > > Hi I have been looking how to ativate amavis-new to use f-prot
> > > antivirus on SuSE 9.3 but i could not find the info to do even in the
> > > website so please can somebody tell me how to do, or please give an
> > > example
> > >
> >
> > Search for f-prot in amavisd.conf, or look in the example conf files.
> >
> > You will find 2 sections, one for the daemon, one for the command line.
> >
> > Alan
> >
>
>
> --__--__--
>
> Message: 8
> Date: Mon, 03 Oct 2005 16:55:31 +0100
> From: "Stephen Carter" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> >>> Gary V <[EMAIL PROTECTED]> 10/03/05 4:42 PM >>>
> >Moises wrote:
> >
> >> Hi I have been looking how to ativate amavis-new to use f-prot
> >> antivirus on SuSE 9.3 but i could not find the info to do even in the
> >> website so please can somebody tell me how to do, or please give an
> >> example
> >
> >Assuming you have f-prot installed, you should know that most likely
> >the f-prot you are using (the free workstation version) is a command
> >line version, and not a daemonized version.
> >
> >In the @av_scanners section, comment out the daemonized version:
>
> ># ### http://www.f-prot.com/
> ># ['FRISK F-Prot Daemon',
> >#   \&ask_daemon,
> >#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
> >#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
> >#      '127.0.0.1:10203','127.0.0.1:10204'] ],
> >#   qr/(?i)<summary[^>]*>clean<\/summary>/,
> >#   qr/(?i)<summary[^>]*>infected<\/summary>/,
> >#   qr/(?i)<name>(.+)<\/name>/ ],
> >
> >And in the @av_scanners_backup section, insure the command line
> >version is not commented out:
> >
> > ### http://www.f-prot.com/ - backs up F-Prot Daemon
> > ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> >   '-dumb -archive -packed {}', [0,8], [3,6],
> >   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> >
> >amavisd-new should simply use it. If you like, I suppose you could
> >move the command line version from the backup section, to the primary
> >section, but I believe this would be cosmetic only.
> >
> >Gary V
>
> Unless there is more than 1 AV scanner installed. I believe the
> primary/backup location becomes important if more than 1 scanner is
> enabled as Amavis will only use primary scanners then fall back to
> backup scanners if no primary is found.
>
> So if using say F-Prot and ClamAV, if Amavis picks up ClamAV in the
> primary section it will only use F-prot as a backup (as that is where
> the workstation version is defined) if ClamAV fails, in
> the order they are found in the backup section.
>
> Then again my understanding here could be misplaced.
>
> SteveC
>
>
> --__--__--
>
> Message: 9
> Date: Mon, 03 Oct 2005 18:33:35 +0200
> From: Cami <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: Re: [AMaViS-user] whitelisting inconsistancy
>
> Mark Martinec wrote:
> >>I've just set 1/2 of the serverfarm at loglevel 5.
> >
> > Ok, lets see a specific case.
>
> The debugging logs allowed me to see what was wrong.
>
> Certainly an admin error on 1/2 of the machines in
> the serverfarm. Configs are not identical and some
> of the amavisd-new setups didn't have SQL lookups
> enabled.
>
> Sorry for wasting your time.
>
> Cami
>
>
> --__--__--
>
> Message: 10
> Date: Mon, 3 Oct 2005 11:30:32 -0600
> From: Gary V <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> Stephen wrote:
>
> >>And in the @av_scanners_backup section, insure the command line
> >>version is not commented out:
> >>
> >> ### http://www.f-prot.com/ - backs up F-Prot Daemon
> >> ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> >>   '-dumb -archive -packed {}', [0,8], [3,6],
> >>   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> >>
> >>amavisd-new should simply use it. If you like, I suppose you could
> >>move the command line version from the backup section, to the primary
> >>section, but I believe this would be cosmetic only.
> >>
> >>Gary V
>
> > Unless there is more than 1 AV scanner installed. I believe the
> > primary/backup location becomes important if more than 1 scanner is
> > enabled as Amavis will only use primary scanners then fall back to
> > backup scanners if no primary is found.
>
> > So if using say F-Prot and ClamAV, if Amavis picks up ClamAV in the
> > primary section it will only use F-prot as a backup (as that is where
> > the workstation version is defined) if ClamAV fails, in
> > the order they are found in the backup section.
>
> > Then again my understanding here could be misplaced.
> > SteveC
>
> Sounds good. Backups will only be tried if all primary scanners fail.
> So it is a good idea to have all the daemonized scanners tried first.
> Especially when a vendor offers both versions. My comment was assuming
> no other virus scanning programs were installed.
> If you are only using
> one scanner, regardless of whether that scanner is daemonized or not,
> it might save the lookup into the backup scanners section if it is
> placed in the primary section.
>
> # If no virus scanners from the @av_scanners list produce 'clean' nor
> # 'infected' status (i.e. they all fail to run or the list is empty),
> # then _all_ scanners from the @av_scanners_backup list are tried
> # (again, subject to $first_infected_stops_scan). When there are both
> # daemonized and equivalent or similar command-line scanners available,
> # it is customary to place slower command-line scanners in the
> # @av_scanners_backup list. The default choice is somewhat arbitrary,
> # move entries from one list to another as desired, keeping main scanners
> # in the primary list to avoid warnings.
>
> Assuming we do not have f-prot daemonized version available,
> it looks like there would also be an advantage to moving f-prot command
> line version to the primary section even if some other virus scanner is
> in the primary section. Doing so would insure the message is scanned by
> more than one engine. It looks like you would want to include all
> vendors in the primary section, unless you are using daemonized and
> non-daemonized versions from the same vendor, then you would want to
> place the slower version from the same vendor in the backup file.
>
> Gary V
>
>
>
> --__--__--
>
> Message: 11
> Date: Mon, 3 Oct 2005 11:48:30 -0600
> From: Gary V <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> Stephen wrote:
>
> > It looks like you would want to include all
> > vendors in the primary section, unless you are using daemonized and
> > non-daemonized versions from the same vendor, then you would want to
> > place the slower version from the same vendor in the backup file.
>
> This is exactly what you said, Stephen, but I have to repeat it to
> myself so I am sure I understand it correctly!
> :)
>
> Yes, it is important which section it is in, it is not cosmetic.
>
> Gary V
>
>
>
> --__--__--
>
> Message: 12
> To: [email protected]
> From: Gregory Mokhin <[EMAIL PROTECTED]>
> Date: Mon, 03 Oct 2005 16:35:35 -0400
> Subject: [AMaViS-user] geocities spammers switched to new urls
>
> Looks like same spammers that had used geocities before now send
> messages with new urls (an excerpt):
>
> ****
> Free check-up details review with our approved expert.
>
> http://if.jlp.forwardthebest.com/n4j/
>
> message to oz, saying if he lilyhanded did not let them in self-politician
> ruby port to see him at once they
> ****
>
> A question: is it actually useful to train SA on these messages?
> Doesn't the garbage after the url just poison the bayes db?
>
> Regards,
> Gregory
>
>
>
>
> --__--__--
>
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
>
>
> End of AMaViS-user Digest
>
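
The daemon failure in the log excerpt at the top of this message, combined with the primary/backup rule from the amavisd.conf comment quoted in the digest, as an added example that is not part of the original message and is not amavisd-new code. The function names, the two constructed log lines, the scanner list layouts and the `ClamAV` entry label are assumptions made for the illustration.

```python
import re
from collections import Counter

# Format of the "av-scanner FAILED" line quoted from /var/log/mail.err above.
FAILED_RE = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) (?P<scanner>.+?) av-scanner FAILED: (?P<reason>.+)$"
)
# Socket detail inside the reason: "(Can't connect to INET socket host:port: error)".
SOCKET_RE = re.compile(
    r"Can't connect to \w+ socket (?P<endpoint>\S+): (?P<error>[^)]+)\)"
)

SAMPLE_LOG = [
    # Line quoted in the message above.
    "Oct 3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon av-scanner "
    "FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET "
    "socket 127.0.0.1:10200: Connection refused) at (eval 52) line 257.",
    # Constructed lines: a repeat of the same failure and an unrelated entry.
    "Oct 3 19:35:02 ns amavis[2152]: (02152-01) FRISK F-Prot Daemon av-scanner "
    "FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET "
    "socket 127.0.0.1:10200: Connection refused) at (eval 52) line 257.",
    "Oct 3 19:35:03 ns postfix/smtpd[2200]: connect from localhost[127.0.0.1]",
]


def failing_scanners(lines):
    """Map scanner name -> Counter of (endpoint, error) seen in FAILED lines."""
    failures = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        s = SOCKET_RE.search(m.group("reason"))
        key = (s.group("endpoint"), s.group("error")) if s else (None, m.group("reason"))
        failures.setdefault(m.group("scanner"), Counter())[key] += 1
    return failures


def scanners_that_run(primary, backup, failing):
    """Model of the rule in the quoted amavisd.conf comment: backup scanners
    are tried only when no primary scanner yields a clean/infected verdict.
    $first_infected_stops_scan is not modelled."""
    working = [name for name in primary if name not in failing]
    if working:
        return "primary", working
    return "backup", [name for name in backup if name not in failing]


if __name__ == "__main__":
    failing = failing_scanners(SAMPLE_LOG)
    for scanner, seen in failing.items():
        for (endpoint, error), count in seen.items():
            print(f"{scanner}: {count} failure(s), {endpoint}: {error}")
    # Entry names other than the two F-Prot ones are assumed labels.
    layouts = {
        "daemon primary, command line backup":
            (["FRISK F-Prot Daemon"], ["FRISK F-Prot Antivirus"]),
        "ClamAV primary, F-Prot command line backup":
            (["ClamAV", "FRISK F-Prot Daemon"], ["FRISK F-Prot Antivirus"]),
        "both in primary":
            (["ClamAV", "FRISK F-Prot Antivirus"], []),
    }
    for label, (primary, backup) in layouts.items():
        print(label, "->", scanners_that_run(primary, backup, failing))
```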
