Thanks Gary for the quick turnaround.

Barry

Gary V wrote:
> On 8/9/07, Barry Irwin <[EMAIL PROTECTED]> wrote:
>> Hi All
>>
>> I'm having a bit of a problem isolating why Mails are not being
>> quarantined. Clam is identifying Messages correctly (as per clamd.log)
>> and amavis is not reporting them. Somewhere however I'm missing
>> something so that the mail is passing rather than being quarantined.
>> Real viruses are being caught okay:
>>
>> A virus was found: Win32:Mydoom-L [Wrm]
>>
>
> This is a real virus, so with 2.5.2 it will be detected as a virus and
> quarantined as a virus (provided you have a quarantine set up)
>
>> Scanners detecting a virus: ClamAV-clamd
>>
>> Content type: Virus
>> Internal reference code for the message is 01434-06/WBLZZlKgwA-e
>>
>> <snip>
>>
>> Return-Path: <>
>> Message-ID: <[EMAIL PROTECTED]>
>> Subject: Mail delivery failed: returning message to sender
>> The message has been quarantined as: W/virus-WBLZZlKgwA-e
>
> And it shows this was quarantined as W/virus-WBLZZlKgwA-e (which you
> already know)
>
>> Notification to sender will not be mailed.
>>
>> The message WAS NOT relayed to:
>> <[EMAIL PROTECTED]>:
>> 250 2.7.0 Ok, discarded, id=01434-06 - VIRUS: Win32:Mydoom-L [Wrm],
>> Win32:Mydoom-L [Wrm], Win32:Mydoom-L [Wrm]
>>
>> Virus scanner output:
>> p001/PartNo_0#1616020234 [+]
>> p001/attachment.zip#1125232958/attachment.pif [L] Win32:Mydoom-L [Wrm]
>> p001/attachment.zip#1125232958 [L] Win32:Mydoom-L [Wrm]
>> p001 [+]
>> p002 [L] Win32:Mydoom-L [Wrm]
>>
>> --clamd.log--
>>
>>
>> Aug 9 06:21:27 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001:
>> HTML.Phishing.Bank-593 FOUND
>> Aug 9 14:33:04 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T141346-13689/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 15:13:26 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T144825-14195/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 15:26:51 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T152248-14707/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 18:00:39 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T175424-16594/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 18:25:23 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T180640-16740/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 18:25:24 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T182523-16968/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>> Aug 9 19:16:11 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T182757-17033/parts/p001:
>> HTML.Phishing.Bank-532 FOUND
>
> With 2.5.0 or newer these are no longer classified as viruses.
> Read:
> http://www.ijs.si/software/amavisd/release-notes.txt
> Search for @virus_name_to_spam_score_maps
>
>> --amavis log messages in maillog--
>> Aug 9 06:21:27 titania clamd[74253]:
>> /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001:
>> HTML.Phishing.Bank-593 FOUND
>> Aug 9 06:21:27 titania postfix/pickup[7520]: 84C9C4D46EC: uid=110
>> from=<vscan>
>> Aug 9 06:21:27 titania postfix/cleanup[7703]: 84C9C4D46EC:
>> message-id=<[EMAIL PROTECTED]>
>> Aug 9 06:21:27 titania postfix/qmgr[74321]: 84C9C4D46EC:
>> from=<[EMAIL PROTECTED]>, size=384, nrcpt=1 (queue active)
>> Aug 9 06:21:28 titania postfix/smtpd[7707]: connect from
>> localhost[127.0.0.1]
>> Aug 9 06:21:28 titania postfix/smtpd[7707]: ABFA94D46F0:
>> client=localhost[127.0.0.1]
>> Aug 9 06:21:28 titania postfix/cleanup[7724]: ABFA94D46F0:
>> message-id=<[EMAIL PROTECTED]>
>> Aug 9 06:21:28 titania postfix/qmgr[74321]: ABFA94D46F0:
>> from=<[EMAIL PROTECTED]>, size=23024,
>> nrcpt=1 (queue active)
>> Aug 9 06:21:28 titania postfix/smtpd[7707]: disconnect from
>> localhost[127.0.0.1]
>> Aug 9 06:21:28 titania amavis[6520]: (06520-09) Passed CLEAN,
>> [72.21.48.210] [216.74.187.171]
>> <[EMAIL PROTECTED]> ->
>> <[EMAIL PROTECTED]>, Message-ID:
>> <[EMAIL PROTECTED]>, mail_id: 5YRmT0tQNxx9,
>> Hits: 0.324, size: 22525, queued_as: ABFA94D46F0,
>> 3310 ms
>>
>
> This was not quarantined because it did not score high enough. The default is:
>
> @virus_name_to_spam_score_maps =
>   (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
>            [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
>            [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
>   #        [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
>   #             (\.[^., ]*)* \.Sanesecurity\.'x => 0.1 ],
>            [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>   ));
>
> Which means there is not much of a score boost.
>
> Read the release notes.
> It will tell you you can add rules like this:
> http://www200.pair.com/mecham/spam/amavis-sanesecurity.cf
> to boost the scores.
>
>> The mail from vscan is clamd running a notification script.
>
> I don't understand this statement.
>
>> Quarantine was working until a few weeks ago prior to the upgrade to
>> clam 9.1 and amavisd-new 2.5.2, with MSRBL being most useful in catching
>> image spam.
>>
>> Does anyone have any pointers?
>>
>> Regards,
>> Barry
>>
>
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
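
The name-to-score lookup discussed in the thread, as an added example that is not part of the original messages and not amavisd-new's own code: a simplified Python model of the default map quoted above, run over clamd log lines to show which signature names stay viruses and which only add 0.1 to the spam score. It assumes the first matching entry wins and that `undef` keeps the name a virus; it classifies each name on its own and does not model how several names are combined or any quarantine threshold.

```python
import re

# Default @virus_name_to_spam_score_maps as quoted in the thread, ported from
# Perl qr'' to Python re. None stands for Perl's undef (assumed here to mean
# "no score mapping, keep treating the name as a virus").
DEFAULT_MAP = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]

# clamd syslog line: "... clamd[pid]: <path>: <signature name> FOUND"
CLAMD_FOUND = re.compile(r'clamd\[\d+\]: (?P<path>\S+): (?P<name>.+) FOUND$')

# First two lines are from the thread (unwrapped); the rest are constructed.
SAMPLE_LOG = [
    "Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/"
    "amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND",
    "Aug 9 06:21:28 titania postfix/smtpd[7707]: connect from localhost[127.0.0.1]",
    "Aug 9 07:00:01 titania clamd[74253]: /var/amavis/tmp/constructed-1/parts/p001: "
    "Email.Malware.Sanesecurity.00000000 FOUND",
    "Aug 9 07:00:02 titania clamd[74253]: /var/amavis/tmp/constructed-2/parts/p001: "
    "Email.Img.Sanesecurity.00000000 FOUND",
    "Aug 9 07:00:03 titania clamd[74253]: /var/amavis/tmp/constructed-3/parts/p001: "
    "MSRBL-Images/constructed-sample FOUND",
    "Aug 9 07:00:04 titania clamd[74253]: /var/amavis/tmp/constructed-4/parts/p001: "
    "Worm.Constructed.Sample FOUND",
]

def classify(name, table=DEFAULT_MAP):
    """Return ('spam', score) if the name maps to a score, else ('virus', None)."""
    for rx, score in table:
        if rx.search(name):                      # first matching entry decides
            return ('virus', None) if score is None else ('spam', score)
    return ('virus', None)                       # unmapped names stay viruses

def triage(log_lines, table=DEFAULT_MAP):
    """Classify every clamd FOUND line; other log lines are ignored."""
    results = []
    for line in log_lines:
        m = CLAMD_FOUND.search(line.strip())
        if m:
            results.append((m.group('name'),) + classify(m.group('name'), table))
    return results

if __name__ == "__main__":
    for name, kind, score in triage(SAMPLE_LOG):
        print(f"{name:40} {kind:5} {score}")
```

Passing a copy of the table with different values to `triage` shows which names a changed map would affect before the real configuration is edited.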
