Hi All,

I'm having a bit of a problem isolating why mails are not being quarantined. Clam is identifying messages correctly (as per clamd.log) and amavis is not reporting them. Somewhere, however, I'm missing something so that the mail is passing rather than being quarantined.

Real viruses are being caught okay:

A virus was found: Win32:Mydoom-L [Wrm]
Scanners detecting a virus: ClamAV-clamd
Content type: Virus
Internal reference code for the message is 01434-06/WBLZZlKgwA-e
<snip>
Return-Path: <>
Message-ID: <[EMAIL PROTECTED]>
Subject: Mail delivery failed: returning message to sender
The message has been quarantined as: W/virus-WBLZZlKgwA-e
Notification to sender will not be mailed.
The message WAS NOT relayed to:
<[EMAIL PROTECTED]>:
   250 2.7.0 Ok, discarded, id=01434-06 - VIRUS: Win32:Mydoom-L [Wrm], Win32:Mydoom-L [Wrm], Win32:Mydoom-L [Wrm]
Virus scanner output:
  p001/PartNo_0#1616020234 [+]
  p001/attachment.zip#1125232958/attachment.pif [L] Win32:Mydoom-L [Wrm]
  p001/attachment.zip#1125232958 [L] Win32:Mydoom-L [Wrm]
  p001 [+]
  p002 [L] Win32:Mydoom-L [Wrm]

--clamd.log--
Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
Aug 9 14:33:04 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T141346-13689/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 15:13:26 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T144825-14195/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 15:26:51 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T152248-14707/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 18:00:39 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T175424-16594/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 18:25:23 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T180640-16740/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 18:25:24 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182523-16968/parts/p001: HTML.Phishing.Bank-532 FOUND
Aug 9 19:16:11 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182757-17033/parts/p001: HTML.Phishing.Bank-532 FOUND

--amavis log messages in maillog--
Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
Aug 9 06:21:27 titania postfix/pickup[7520]: 84C9C4D46EC: uid=110 from=<vscan>
Aug 9 06:21:27 titania postfix/cleanup[7703]: 84C9C4D46EC: message-id=<[EMAIL PROTECTED]>
Aug 9 06:21:27 titania postfix/qmgr[74321]: 84C9C4D46EC: from=<[EMAIL PROTECTED]>, size=384, nrcpt=1 (queue active)
Aug 9 06:21:28 titania postfix/smtpd[7707]: connect from localhost[127.0.0.1]
Aug 9 06:21:28 titania postfix/smtpd[7707]: ABFA94D46F0: client=localhost[127.0.0.1]
Aug 9 06:21:28 titania postfix/cleanup[7724]: ABFA94D46F0: message-id=<[EMAIL PROTECTED]>
Aug 9 06:21:28 titania postfix/qmgr[74321]: ABFA94D46F0: from=<[EMAIL PROTECTED]>, size=23024, nrcpt=1 (queue active)
Aug 9 06:21:28 titania postfix/smtpd[7707]: disconnect from localhost[127.0.0.1]
Aug 9 06:21:28 titania amavis[6520]: (06520-09) Passed CLEAN, [72.21.48.210] [216.74.187.171] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: 5YRmT0tQNxx9, Hits: 0.324, size: 22525, queued_as: ABFA94D46F0, 3310 ms

The mail from vscan is clamd running a notification script.

Quarantine was working until a few weeks ago prior to the upgrade to clam 9.1 and amavisd-new 2.5.2, with MSRBL being most useful in catching image spam.

Does anyone have any pointers?

Regards,
Barry
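A triage helper for the symptom described above, added as an example and not part of the original post: it pairs each clamd FOUND line with the next amavis verdict logged by the same amavisd child. It assumes the trailing digits of the temp directory name (amavis-...-07536) are the child PID that also prefixes the amavis log id, as in (07536-01); the third sample line and the example.com addresses are constructed.

```python
import re

# Constructed sample. Lines 1-2 follow the post's excerpts (addresses replaced);
# line 3 is invented to show what a matching amavis entry would look like.
SAMPLE = """\
Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
Aug 9 06:21:28 titania amavis[6520]: (06520-09) Passed CLEAN, <a@example.com> -> <b@example.com>, mail_id: 5YRmT0tQNxx9
Aug 9 06:21:29 titania amavis[7536]: (07536-01) Passed CLEAN, <c@example.com> -> <d@example.com>, mail_id: CONSTRUCTED01
"""

# Assumption: trailing digits of the temp directory are the amavisd child PID.
CLAMD_RE = re.compile(
    r"clamd\[\d+\]: \S*/amavis-\d{8}T\d{6}-(\d+)/parts/\S+: (\S+) FOUND")
# Assumption: the log id "(PPPPP-NN)" starts with that same PID.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(((\d+)-\d+)\) (Passed|Blocked) ([A-Z-]+)")


def correlate(log_text):
    """Pair each clamd FOUND with the next amavis verdict from the same child."""
    pending = {}              # child PID -> signatures still awaiting a verdict
    passed, blocked = [], []
    for line in log_text.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            pending.setdefault(int(m.group(1)), []).append(m.group(2))
            continue
        m = AMAVIS_RE.search(line)
        if m and int(m.group(2)) in pending:
            sigs = pending.pop(int(m.group(2)))
            bucket = passed if m.group(3) == "Passed" else blocked
            bucket.append((m.group(1), m.group(4), sigs))
    return {
        "passed_despite_found": passed,          # clamd hit, amavis let it through
        "blocked": blocked,                      # clamd hit, amavis acted on it
        "no_verdict": sorted(pending.items()),   # hit with no matching amavis line
    }


if __name__ == "__main__":
    for key, rows in correlate(SAMPLE).items():
        print(key, rows)
```

Under that assumption, the (06520-09) Passed CLEAN entry in the sample belongs to a different child than the one whose part clamd flagged, so it is not paired with the FOUND line.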
