Jason Haar wrote:
> On Fri, Nov 14, 2003 at 08:29:27AM -0700, Stephen wrote:
>
>> Here is a chunk of my smtpd log (/var/log/qmail/smtpd/current):
>>
>> 2003-11-13 20:04:02.658932500 tcpserver: end 19143 status 0
>> 2003-11-13 20:04:02.658939500 tcpserver: status: 0/20
>
> None of that means anything - all you're showing there is the logging of
> tcpserver.

Sorry, that's right. I was tired and that's what somebody told me to look at.

> Is Qmail-Scanner actually running at all? What does qmail-queue.log contain?
> i.e. when a message from the outside goes through, does it show up in
> qmail-queue.log?

It seems to be at least running:


14/11/2003 13:06:46:20660: all finished. Total of 1.154211 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: +++ starting debugging for process 20686 by uid=401 at Fri, 14 Nov 2003 13:11:11 -0700
Fri, 14 Nov 2003 13:11:11 -0700:20686: setting UID to EUID so subprocesses can access files generated by this script
Fri, 14 Nov 2003 13:11:11 -0700:20686: program name is qmail-scanner-queue.pl, version 1.20
Fri, 14 Nov 2003 13:11:11 -0700:20686: incoming SMTP connection from via SMTP from 209.115.249.136
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: mkdir /var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/www.vodacomm.ca106884067146120686 [1068840671.44974]
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: primary Content-Type of multipart/mixed found
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: found a top-level boundary definition of \-\-\-\-\-\-\-\-\-\-\-\-080600050008060102040104
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: attachment 1: Content-Type of text/plain found
Fri, 14 Nov 2003 13:11:11 -0700:20686: found C-T attachment filename importantfile.exe
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: attachment 2: Content-Type of application/x-msdownload found
Fri, 14 Nov 2003 13:11:11 -0700:20686: w_c: rename new msg from /var/spool/qmailscan/working/tmp/www.vodacomm.ca106884067146120686 to /var/spool/qmailscan/working/new/www.vodacomm.ca106884067146120686 [1068840671.45456]
Fri, 14 Nov 2003 13:11:11 -0700:20686: d_m: starting /usr/bin/reformime -x/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686/ </var/spool/qmailscan/working/new/www.vodacomm.ca106884067146120686 [1068840671.45502]
Fri, 14 Nov 2003 13:11:11 -0700:20686: d_m: finished /usr/bin/reformime -x/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686/ [1068840671.46826]
Fri, 14 Nov 2003 13:11:11 -0700:20686: d_m: unpacking message took 0.013577 seconds
Fri, 14 Nov 2003 13:11:11 -0700:20686: unsetting QMAILQUEUE env var
Fri, 14 Nov 2003 13:11:11 -0700:20686: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED],[EMAIL PROTECTED]"
Fri, 14 Nov 2003 13:11:11 -0700:20686: from=Stephen Bosch <[EMAIL PROTECTED]>,subj=augh, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 209.115.249.136
Fri, 14 Nov 2003 13:11:11 -0700:20686: ini_sc: start scanning
Fri, 14 Nov 2003 13:11:11 -0700:20686: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686/
Fri, 14 Nov 2003 13:11:11 -0700:20686: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686"...
Fri, 14 Nov 2003 13:11:11 -0700:20686: scanloop: scanner=sweep_scanner,plain_text_msg=0
Fri, 14 Nov 2003 13:11:11 -0700:20686: sweep: starting scan of directory "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686"...
Fri, 14 Nov 2003 13:11:11 -0700:20686: run /usr/bin/sweep -f -all -eec -sc -nc -ss -nb -archive /var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686 2>&1
Fri, 14 Nov 2003 13:11:11 -0700:20686: --output of sophos sweep was:
--
Fri, 14 Nov 2003 13:11:11 -0700:20686: sweep: finished scan of dir "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686" in 1.088565 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: scanloop: scanner=spamassassin,plain_text_msg=0
Fri, 14 Nov 2003 13:11:11 -0700:20686: SA: run /usr/bin/spamc -c -f < /var/spool/qmailscan/working/new/www.vodacomm.ca106884067146120686
Fri, 14 Nov 2003 13:11:11 -0700:20686: spamassassin: finished scan of dir "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686" in 0.350587 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: scanloop: finished scan of "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686"...
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: starting scan of directory "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686"...
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing subject: ILOVEYOU
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '82:message/partial.*' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing content-type: message/partial.*
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing date: .{100,}
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '86:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing mime-version: .{100,}
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing resent-date: .{100,}
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a header!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a size!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a size!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: type is a size!
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: skipping auto-generated file 1068840671.20688-0.www.vodacomm.ca
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking importantfile.exe against perlscanner database...
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: file importantfile.exe is lowercased to importantfile.exe and has extension .exe
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: compare importantfile.exe (size 68,421951) against perlscanner database
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: checking importantfile.exe against perlscanner database...
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: file importantfile.exe is lowercased to importantfile.exe and has extension .exe
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: compare importantfile.exe (size 68,421951) against perlscanner database
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: finished scan of dir "/var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686" in 0.006297 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: ini_sc: scanning message took 1.446524 seconds
Fri, 14 Nov 2003 13:11:11 -0700:20686: q_r: fork off child into /var/qmail/bin/qmail-queue...
Fri, 14 Nov 2003 13:11:11 -0700:20693: q_r: xstatus=0
Fri, 14 Nov 2003 13:11:11 -0700:20686: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/www.vodacomm.ca106884067146120686/ /var/spool/qmailscan/working/new/www.vodacomm.ca106884067146120686
14/11/2003 13:11:12:20686: all finished. Total of 1.537165 secs


> If not, then your tcpserver rules are not set up correctly,
> or you don't have the QMAILQUEUE patch installed - but Q-S should have told
> you that during the install.

Well, that's not a problem. It's there, it's obviously handling the mail, as the log above indicates.

> Oh yeah - and you DON'T have vpopmail installed
> - right?

Ugh. Nope -- no pop at all. Courier IMAP.


So here's what I have tried in the meantime.

First, I tried sending the EICAR test sequence in a text file that I attached and sent from a Yahoo account. It went straight through. Looking at qmail-queue.log I could see that qmail-scanner was ignoring it because it was text.

So I took the same file, renamed it with a .exe extension, and tried to send it using Yahoo -- bam, it wouldn't let me; it refused to attach the file because it detected the EICAR pseudo-virus immediately.

Tried it using my personal ISP's mail server; same result: it bounced it before it even got to our mail server.

I tried setting QS_SPAMASSASSIN="on" in tcp.smtp and reloaded the cdb, but this is only supposed to affect spamc processing. Anyway, it didn't work.

What I don't grasp is that sweep seems to be scanning the file but passing it through. Scan that same file from the command line, and it detects it. I even used the same switches.

I sure hope this isn't going to be something stupid (For the record, I have only installed one copy of sweep :) -- at least, only one copy that I am aware of... I am the only administrator for the server in question).

HELP

-Stephen-
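An added example, not part of this thread and not code from the qmail-scanner project. It does three things a practitioner chasing the problem above would want: it builds the same kind of test message the w_c lines describe (multipart/mixed, the 68-byte EICAR string attached as application/x-msdownload under the name importantfile.exe) so it can be injected straight into the local qmail-smtpd instead of through Yahoo or an ISP relay that strips it; it replays the perlscanner "size" rule type the p_s lines show, which compares only the lowercased filename and exact byte size, so a 68-byte file named importantfile.exe cannot match the eicar.com/69 entry and content is never looked at; and it summarises per-scanner timing and the lines captured between an "--output of ... was:" marker and the closing "--" from qmail-queue.log, which in the posted log is empty for sweep. The perlscanner database entries, the sample log lines and the SMTP host/port are constructed for the example; the real perlscanner database file and real sweep output are not reproduced here.

```python
# Added example (not from the thread or the qmail-scanner project).
import re
import smtplib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The 68-byte EICAR test string, assembled from two halves so that this
# source file is not itself quarantined by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR"
         r"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed stand-in for the perlscanner database (name, size, description),
# mirroring the three 'size' rules the posted log lists. Not the real file.
PERLSCANNER_DB = [
    ("eicar.com", 69, "EICAR Test Virus"),
    ("happy99.exe", 10000, "Happy99 Trojan"),
    ("zipped_files.exe", 120495, "W32/ExploreZip.worm.pak virus"),
]


def perlscanner_match(filename, size, db=PERLSCANNER_DB):
    """Replay the 'size' rule type from the p_s lines: lowercased name and
    exact byte size must both match. Content is never inspected, so a
    renamed EICAR file does not match."""
    name = filename.lower()
    for db_name, db_size, desc in db:
        if name == db_name and size == db_size:
            return desc
    return None


def build_test_message(filename="importantfile.exe",
                       sender="postmaster@localhost",
                       rcpt="postmaster@localhost"):
    """multipart/mixed: text body plus EICAR as application/x-msdownload,
    the layout the w_c lines of the posted log describe."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "qmail-scanner EICAR test"
    msg.set_content("EICAR test attachment follows.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="x-msdownload", filename=filename)
    return msg


def attachments(msg_bytes):
    """[(filename, decoded size)] for each non-body part: what reformime -x
    will drop into the qmailscan tmp directory for the scanners to see."""
    parsed = BytesParser(policy=policy.default).parsebytes(msg_bytes)
    return [(p.get_filename(), len(p.get_payload(decode=True)))
            for p in parsed.iter_attachments()]


def inject(msg, host="127.0.0.1", port=25):
    """Hand the message to the local tcpserver/qmail-smtpd so QMAILQUEUE
    routes it through qmail-scanner-queue.pl (assumed host/port; not run
    unless called explicitly)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


# Timestamped debug line "<stamp>:<pid>: <text>", in either of the two stamp
# formats the posted qmail-queue.log uses.
LOG_LINE = re.compile(
    r"^(?:\w{3}, \d+ \w{3} \d{4} [\d:]+ [+-]\d{4}|\d{2}/\d{2}/\d{4} [\d:]+)"
    r":(?P<pid>\d+): (?P<text>.*)$")
FINISHED = re.compile(r'^(?P<scanner>\w+): finished scan of dir ".*" in '
                      r"(?P<secs>[\d.]+) secs$")
OUTPUT_MARK = re.compile(r"^--output of .*?(?P<scanner>\w+) was:$")


def scanner_summary(log_text):
    """Per scanner: seconds taken and the untimestamped lines captured
    between its '--output of ... was:' marker and the closing '--'."""
    summary, capturing = {}, None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:                      # raw scanner output or "--"
            if capturing is not None:
                if line.strip() == "--":
                    capturing = None
                else:
                    summary[capturing]["output"].append(line)
            continue
        text = m.group("text")
        if (o := OUTPUT_MARK.match(text)):
            capturing = o.group("scanner")
            summary.setdefault(capturing, {"secs": None, "output": []})
        elif (f := FINISHED.match(text)):
            entry = summary.setdefault(f.group("scanner"),
                                       {"secs": None, "output": []})
            entry["secs"] = float(f.group("secs"))
    return summary


# Constructed sample, modelled on the posted log: sweep ran and printed
# nothing between its output marker and the closing "--".
SAMPLE_LOG = """\
Fri, 14 Nov 2003 13:11:11 -0700:20686: --output of sophos sweep was:
--
Fri, 14 Nov 2003 13:11:11 -0700:20686: sweep: finished scan of dir "/var/spool/qmailscan/tmp/x" in 1.088565 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: spamassassin: finished scan of dir "/var/spool/qmailscan/tmp/x" in 0.350587 secs
Fri, 14 Nov 2003 13:11:11 -0700:20686: p_s: finished scan of dir "/var/spool/qmailscan/tmp/x" in 0.006297 secs
"""

if __name__ == "__main__":
    msg = build_test_message()
    for name, size in attachments(msg.as_bytes()):
        print(name, size, perlscanner_match(name, size))  # importantfile.exe 68 None
    for scanner, info in scanner_summary(SAMPLE_LOG).items():
        print(scanner, info)
```

To use it against a real installation, call `inject(build_test_message())` from a shell on the mail host itself, then run `scanner_summary` over the new lines in qmail-queue.log; an empty `output` list for sweep alongside a non-None `secs` means sweep was executed and returned nothing, which is a different failure from sweep not being run at all.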




Qmail-scanner-general mailing list https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
