On 8/9/07, Barry Irwin <[EMAIL PROTECTED]> wrote:
> Hi All
>
> I'm having a bit of a problem isolating why Mails are not being
> quarantined. Clam is identifying Messages correctly (as per clamd.log)
> and amavis is not reporting them. Somewhere however I'm missing
> something so that the mail is passing rather than being quarantined.
> Real viruses are being caught okay:
>
> A virus was found: Win32:Mydoom-L [Wrm]

This is a real virus, so with 2.5.2 it will be detected as a virus and
quarantined as a virus (provided you have a quarantine set up).

> Scanners detecting a virus: ClamAV-clamd
>
> Content type: Virus
> Internal reference code for the message is 01434-06/WBLZZlKgwA-e
>
> <snip>
>
> Return-Path: <>
> Message-ID: <[EMAIL PROTECTED]>
> Subject: Mail delivery failed: returning message to sender
> The message has been quarantined as: W/virus-WBLZZlKgwA-e

And it shows this was quarantined as W/virus-WBLZZlKgwA-e (which you
already know).

> Notification to sender will not be mailed.
>
> The message WAS NOT relayed to:
> <[EMAIL PROTECTED]>:
>    250 2.7.0 Ok, discarded, id=01434-06 - VIRUS: Win32:Mydoom-L [Wrm],
>    Win32:Mydoom-L [Wrm], Win32:Mydoom-L [Wrm]
>
> Virus scanner output:
>    p001/PartNo_0#1616020234 [+]
>    p001/attachment.zip#1125232958/attachment.pif [L] Win32:Mydoom-L [Wrm]
>    p001/attachment.zip#1125232958 [L] Win32:Mydoom-L [Wrm]
>    p001 [+]
>    p002 [L] Win32:Mydoom-L [Wrm]
>
> --clamd.log--
>
> Aug  9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
> Aug  9 14:33:04 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T141346-13689/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 15:13:26 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T144825-14195/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 15:26:51 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T152248-14707/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 18:00:39 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T175424-16594/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 18:25:23 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T180640-16740/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 18:25:24 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182523-16968/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug  9 19:16:11 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182757-17033/parts/p001: HTML.Phishing.Bank-532 FOUND

With 2.5.0 or newer these are no longer classified as viruses. Read:
http://www.ijs.si/software/amavisd/release-notes.txt
Search for @virus_name_to_spam_score_maps

> --amavis log messages in maillog--
> Aug  9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
> Aug  9 06:21:27 titania postfix/pickup[7520]: 84C9C4D46EC: uid=110 from=<vscan>
> Aug  9 06:21:27 titania postfix/cleanup[7703]: 84C9C4D46EC: message-id=<[EMAIL PROTECTED]>
> Aug  9 06:21:27 titania postfix/qmgr[74321]: 84C9C4D46EC: from=<[EMAIL PROTECTED]>, size=384, nrcpt=1 (queue active)
> Aug  9 06:21:28 titania postfix/smtpd[7707]: connect from localhost[127.0.0.1]
> Aug  9 06:21:28 titania postfix/smtpd[7707]: ABFA94D46F0: client=localhost[127.0.0.1]
> Aug  9 06:21:28 titania postfix/cleanup[7724]: ABFA94D46F0: message-id=<[EMAIL PROTECTED]>
> Aug  9 06:21:28 titania postfix/qmgr[74321]: ABFA94D46F0: from=<[EMAIL PROTECTED]>, size=23024, nrcpt=1 (queue active)
> Aug  9 06:21:28 titania postfix/smtpd[7707]: disconnect from localhost[127.0.0.1]
> Aug  9 06:21:28 titania amavis[6520]: (06520-09) Passed CLEAN, [72.21.48.210] [216.74.187.171] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: 5YRmT0tQNxx9, Hits: 0.324, size: 22525, queued_as: ABFA94D46F0, 3310 ms

This was not quarantined because it did not score high enough. The
default is:

  @virus_name_to_spam_score_maps = (new_RE(
    [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
    [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'            => undef ],
    [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'         => 0.1 ],
  # [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
  #       (\.[^., ]*)* \.Sanesecurity\.'x                   => 0.1 ],
    [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                     => 0.1 ],
  ));

Which means there is not much of a score boost. Read the release notes.
It will tell you that you can add rules like this:
http://www200.pair.com/mecham/spam/amavis-sanesecurity.cf
to boost the scores.

> The mail from vscan is clamd running a notification script.

I don't understand this statement.

> Quarantine was working until a few weeks ago prior to the upgrade to
> clam 9.1 and amavisd-new 2.5.2, with MSRBL being most useful in catching
> image spam.
>
> Does anyone have any pointers ?
>
> Regards,
> Barry

--
Gary V

_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
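The remapping Gary is describing, as an added example that is not part of the thread and not amavisd-new's own code: the four default @virus_name_to_spam_score_maps entries transcribed from Perl to Python, applied first-match-wins the way new_RE() does, with a Perl undef rendered as None (the name stays a real virus). The "boosted" override rule, the 0.224 base score and the 5.0 kill level are constructed values for the demonstration; the example does not reproduce the contents of the amavis-sanesecurity.cf file linked above, and adding the per-name boosts together is a simplification of this example rather than a statement about amavisd's internals.

```python
import re
from typing import List, Optional, Tuple

# Default @virus_name_to_spam_score_maps of amavisd-new 2.5.x, transcribed from
# the Perl qr'' patterns. Order matters: as with new_RE(), the first matching
# entry wins. A score of None plays the role of Perl's undef, meaning the name
# is still treated as an infection rather than remapped to a spam score.
ScoreMap = List[Tuple[re.Pattern, Optional[float]]]

DEFAULT_MAPS: ScoreMap = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]

# Constructed site override: a rule placed ahead of the defaults so it matches
# first and gives phishing signatures a much larger boost. The value 5.0 is
# made up for this example and is NOT taken from amavis-sanesecurity.cf.
BOOSTED_MAPS: ScoreMap = [
    (re.compile(r'^(Email|HTML)\.Phishing\.', re.I), 5.0),
] + DEFAULT_MAPS


def virus_name_to_spam_score(name: str, maps: ScoreMap = DEFAULT_MAPS) -> Optional[float]:
    """Spam-score boost for one scanner-reported name, or None when the name
    is not remapped (so the message is still handled as infected)."""
    for pattern, score in maps:
        if pattern.search(name):
            return score
    return None


def classify(names: List[str], base_score: float, kill_level: float,
             maps: ScoreMap = DEFAULT_MAPS) -> Tuple[str, float]:
    """Outcome for a message whose scanner reported the given names.

    Any name that is not remapped makes the message a VIRUS. Otherwise the
    boosts are added to the SpamAssassin score (summed per name here, which
    is this example's simplification) and compared against the kill level.
    The total is rounded to three decimals purely for tidy display.
    """
    boost = 0.0
    for name in names:
        score = virus_name_to_spam_score(name, maps)
        if score is None:
            return ("VIRUS", base_score)
        boost += score
    total = round(base_score + boost, 3)
    return ("SPAM" if total >= kill_level else "CLEAN", total)


if __name__ == "__main__":
    # Constructed inputs: the names from the thread, a 0.224 SpamAssassin
    # score and a kill level of 5.0.
    print(classify(["Win32:Mydoom-L [Wrm]"], 0.0, 5.0))                    # VIRUS
    print(classify(["HTML.Phishing.Bank-532"], 0.224, 5.0))                # CLEAN
    print(classify(["HTML.Phishing.Bank-532"], 0.224, 5.0, BOOSTED_MAPS))  # SPAM
```

With the defaults, HTML.Phishing.Bank-532 contributes only 0.1, so a message that SpamAssassin scores at 0.224 ends up at 0.324 and is passed clean, which is the "Hits: 0.324 ... Passed CLEAN" line in the maillog; Win32:Mydoom-L matches no remap entry and stays a virus; and an Email.Malware.Sanesecurity.* name hits the undef entry before the generic Sanesecurity one, so it stays a virus too. Only a site rule that assigns a meaningful score (the constructed 5.0 rule here) pushes the phishing message over the kill level.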
