On 11/28/2011 09:41 AM, Christoph Langguth wrote:
> On 28.11.2011 15:22, sean darcy wrote:
> > On 11/28/2011 12:37 AM, Dudi Goldenberg wrote:
> >> -napt|grep 3310
> >
> > Thanks for the suggestion, but:
> >
> > netstat -napt|grep 3310
> > tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 3270/clamd.clamd-ma
> >
> > clamav is listening.
> >
> > Any other thoughts?
> >
>
> You may want to check /var/log/clamav/clamav.log (or wherever your
> clamav logs to). Here are a few representative lines from a working
> installation:
>
> Mon Nov 21 11:15:12 2011 -> Accepted connection from 127.0.0.1 on port 1919, fd 10
> Mon Nov 21 11:24:42 2011 -> SelfCheck: Database status OK.
> Mon Nov 21 11:24:42 2011 -> Accepted connection from 127.0.0.1 on port 1795, fd 10
> Mon Nov 21 11:26:49 2011 -> Accepted connection from 127.0.0.1 on port 1111, fd 10
> Mon Nov 21 11:30:42 2011 -> Accepted connection from 127.0.0.1 on port 1734, fd 10
> Mon Nov 21 11:37:24 2011 -> Accepted connection from 127.0.0.1 on port 1767, fd 10
> Mon Nov 21 11:55:48 2011 -> Accepted connection from 127.0.0.1 on port 1124, fd 10
> Mon Nov 21 11:56:53 2011 -> Accepted connection from 127.0.0.1 on port 1803, fd 10
> Mon Nov 21 11:56:58 2011 -> Accepted connection from 127.0.0.1 on port 1210, fd 10
> Mon Nov 21 11:56:58 2011 -> stream(127.0.0.1@1210): Sanesecurity.Phishing.Bank.17009.UNOFFICIAL(dbfbdc668a29117bcd94e683d1cfcba3:11176) FOUND
> Mon Nov 21 12:01:55 2011 -> Accepted connection from 127.0.0.1 on port 1086, fd 10
> Mon Nov 21 12:07:19 2011 -> Accepted connection from 127.0.0.1 on port 1404, fd 10
> Mon Nov 21 12:09:36 2011 -> Accepted connection from 127.0.0.1 on port 1076, fd 10
> Mon Nov 21 12:19:03 2011 -> Reading databases from /var/lib/clamav
> Mon Nov 21 12:19:07 2011 -> Database correctly reloaded (1288744 signatures)
>
> In the worst case, check whether there actually is any communication on
> port 3310:
>
> root@bender:~# tcpdump -i lo -nX -s 1000 tcp port 3310
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo, link-type EN10MB (Ethernet), capture size 1000 bytes
> 15:34:40.649785 IP 127.0.0.1.49063> 127.0.0.1.3310: Flags [S], seq 4245782264, win 32792, options [mss 16396,sackOK,TS val 1184189240 ecr 0,nop,wscale 7], length 0
> 0x0000: 4500 003c 35c0 4000 4006 06fa 7f00 0001 E..<5.@.@.......
> 0x0010: 7f00 0001 bfa7 0cee fd11 7ef8 0000 0000 ..........~.....
> 0x0020: a002 8018 b51f 0000 0204 400c 0402 080a ..........@.....
> 0x0030: 4695 4b38 0000 0000 0103 0307 F.K8........
> 15:34:40.649835 IP 127.0.0.1.3310> 127.0.0.1.49063: Flags [S.], seq 4253107702, ack 4245782265, win 32768, options [mss 16396,sackOK,TS val 1184189240 ecr 1184189240,nop,wscale 7], length 0
>
> You don't have to make sense of the output -- but there should be
> something happening while mail is being virus-checked... otherwise this
> would indicate that for some reason, dspam is not communicating with clamav.
>
> HTH
> Chris
>
OK. It's working. Thanks for all the help.

Turns out I'd left optOutClamAV "on". Fixed that and all's well.

The most important lesson in all this is that the Fedora package for dspam does NOT enable clamav. It has to be rebuilt to work.

sean

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
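
Added example, not part of the original thread: a small Python check that automates the log inspection suggested above, reporting whether clamd has recently accepted connections and which signatures it flagged. It assumes the log layout shown in the quoted excerpt; the function name `summarize` and the one-hour idle threshold are hypothetical choices.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the working-installation log excerpt quoted in the thread.
SAMPLE_LOG = """\
Mon Nov 21 11:56:53 2011 -> Accepted connection from 127.0.0.1 on port 1803, fd 10
Mon Nov 21 11:56:58 2011 -> Accepted connection from 127.0.0.1 on port 1210, fd 10
Mon Nov 21 11:56:58 2011 -> stream(127.0.0.1@1210): Sanesecurity.Phishing.Bank.17009.UNOFFICIAL(dbfbdc668a29117bcd94e683d1cfcba3:11176) FOUND
Mon Nov 21 12:09:36 2011 -> Accepted connection from 127.0.0.1 on port 1076, fd 10
Mon Nov 21 12:19:03 2011 -> Reading databases from /var/lib/clamav
Mon Nov 21 12:19:07 2011 -> Database correctly reloaded (1288744 signatures)
"""

# "<ctime timestamp> -> <message>", the layout shown in the excerpt.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) -> (.*)$")
ACCEPT = re.compile(r"^Accepted connection from (\S+) on port \d+")
FOUND = re.compile(r"^(.+): (\S+?)(?:\([0-9a-f]+:\d+\))? FOUND$")


def summarize(log_text, now, max_idle=timedelta(hours=1)):
    """Summarize clamd activity; name and 1-hour threshold are assumptions."""
    accepted, clients, detections, last_accept = 0, set(), [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped fragments and lines in another layout
        stamp = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        hit = ACCEPT.match(msg)
        if hit:
            accepted += 1
            clients.add(hit.group(1))
            last_accept = stamp
            continue
        hit = FOUND.match(msg)
        if hit:
            detections.append((hit.group(1), hit.group(2)))
    # No recent "Accepted connection" means the mail filter is not reaching
    # clamd, even though netstat shows the daemon listening.
    idle = last_accept is None or now - last_accept > max_idle
    return {"accepted": accepted, "clients": clients,
            "detections": detections, "last_accept": last_accept, "idle": idle}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, now=datetime(2011, 11, 21, 12, 30)))
```
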