Re: [AMaViS-user] Amavisd logging question

2011-02-28 Thread Bill Landry
On 2/28/2011 7:08 AM, Mark Martinec wrote:
 Bill,

 I have been noticing for quite some time that amavisd-new logs test
 results messages to the maillog differently at times.  For example:

 Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
 Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN

 These are 2 different messages that amavisd-new tested and reported to
 the maillog as Passed CLEAN.  However, notice that the first log entry
 clearly shows it came from amavis, but the second log entry shows it
 came from ch4-03611-04).  Note that there is also a closing ) in the
 second log entry but no opening (.

 Any ideas why this is happening and what I can do to fix it?  I am
 currently running amavisd-new-2.6.4 (20090625).

 What syslog variant are you using?
 Looks like part of a process name ($0) ends up as a syslog ident.

Hi Mark,

I'm running Fedora 12:

uname -a
Linux mail.inetmsg.com 2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1 
21:45:50 UTC 2010 i686 athlon i386 GNU/Linux

And syslog is:

rsyslogd -v
rsyslogd 4.4.2, compiled with:
 FEATURE_REGEXP: Yes
 FEATURE_LARGEFILE:  Yes
 FEATURE_NETZIP (message compression):   Yes
 GSSAPI Kerberos 5 support:  Yes
 FEATURE_DEBUG (debug build, slow code): No
 Atomic operations supported:No
 Runtime Instrumentation (slow code):No

 The $syslog_ident is 'amavis' by default and is never changed
 by amavisd itself. It is passed as an argument to openlog(),
 so this is the string you should be seeing in a syslog.
 A custom hook is allowed to change the $syslog_ident
 (e.g. in a policy bank), so this would be reflected in a syslog
 for entries written when using such a policy bank.

The only policy bank I use is (the rest are commented out):
=
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';

$policy_bank{'AM.PDP-SOCK'} = {
   protocol => 'AM.PDP',  # select Amavis policy delegation protocol
   auth_required_release => 0,  # don't require secret_id for amavisd-release
};
=

I searched my amavisd.conf file and only find one entry for 
$syslog_ident, included in this section of the config file:
=
$log_level = 0;
$LOGFILE   = undef;
$DO_SYSLOG = 1;  # same as 0
$syslog_ident = 'amavis';
$syslog_facility = 'mail';# after-default, derived from $SYSLOG_LEVEL
$syslog_priority = 'debug';   # after-default, derived from $SYSLOG_LEVEL
$SYSLOG_LEVEL = 'mail.debug'; # obsolete variable
=

I am running a custom logging section that you provided awhile back:
=
$log_templ = <<'EOD';
[?%#D|#|Passed #
[? [:ccat|major] |OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s - [%D|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
[~[:remote_mta_smtp_response]|[^$]||[, queued_as: ]]\
[remote_mta_smtp_response|[~%x|[queued as ([0-9A-Z]+)$]|[%1]|[%0]]|/]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From]||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name]   ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s - [%O|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
#, smtp_resp: [:smtp_response]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From]||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name]   ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
EOD
=

 Your string ch4-03611-04) looks very much like the process
 name ($0), except that it is missing the 'amavisd (' prefix.
 Could it be that your syslog is being creative and tries to use
 a process name in place of a syslog ident?

Hmmm, maybe, but I don't really know why it would be doing that; it's 
really just a basic install of Fedora 12.  Here is what my maillog shows 
thus far today:

grep -c "mail ch" /var/log/maillog
301

grep -c "mail amavis" /var/log/maillog
2319

As you can see, most log entries use amavis, but certainly not all. 
Any ideas on where to look next?

Thanks!

Bill
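As an added illustration (not code from this thread or from amavisd), the Python below parses the two maillog formats quoted above and flags entries whose syslog ident is the tail of the amavisd process name rather than the configured 'amavis'; it checks the hypothesis mechanically by comparing the task id embedded in the ident with the one at the start of the message and the PID in brackets. The sample log lines are constructed, and the 'amavisd (' prefix used to rebuild the process name is taken from Mark's description, not observed.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two formats quoted in the thread:
# a normal amavisd entry, one whose ident is a fragment of the amavisd process
# name, and an unrelated postfix entry for contrast.
SAMPLE_MAILLOG = """\
Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN
Feb 27 14:23:10 mail postfix/smtpd[4012]: connect from unknown[192.0.2.10]
"""

# Traditional syslog line layout: timestamp, host, ident[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)

# amavisd prefixes every message with its task id, e.g. "(03611-04)".
TASK_RE = re.compile(r"^\((?P<task>\d+-\d+)\) ")

# A truncated amavisd process name seen as an ident, e.g. "ch4-03611-04)":
# a child label, then the same task id the message body carries, then ")".
FRAGMENT_RE = re.compile(r"^ch\d+-(?P<task>\d+-\d+)\)$")

EXPECTED_IDENT = "amavis"   # what amavisd passes to openlog()


def parse_syslog_line(line):
    """Return the named fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Classify a parsed line relative to the ident amavisd is configured with."""
    if entry["ident"] == EXPECTED_IDENT:
        return "amavis"
    task = TASK_RE.match(entry["msg"])
    frag = FRAGMENT_RE.match(entry["ident"])
    # The ident is a tail of the process name when its task id equals the one
    # in the message body and its PID part equals the PID syslog recorded.
    if (task and frag
            and frag.group("task") == task.group("task")
            and int(frag.group("task").split("-")[0]) == int(entry["pid"])):
        return "amavis-ident-from-procname"
    return "other"


def reconstructed_procname(entry):
    """Rebuild the likely $0, assuming the 'amavisd (' prefix Mark describes."""
    return "amavisd (" + entry["ident"]


def summarize(log_text):
    """Count entries per class: the two grep -c runs above, done in one pass."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_syslog_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_MAILLOG.splitlines():
        e = parse_syslog_line(line)
        print(classify(e), "|", line)
    print(summarize(SAMPLE_MAILLOG))
```

Running it over a real /var/log/maillog in place of SAMPLE_MAILLOG shows whether every non-'amavis' ident follows the chN-PID-NN pattern, which is the check that separates a syslog ident problem from something else writing to the log.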


Re: [AMaViS-user] Blacklisting and spam configuration

2011-01-30 Thread Bill Landry
On 1/30/2011 4:52 AM, Michael Scheidell wrote:
 On 1/30/11 5:46 AM, Peter Charles wrote:
 Hi, I was advised to ask the questions below here after posting on
 freespamfilter org Amavisd-new forum:
 they should have sent you to 'alt.conspiracies'
 as for why you were blacklisted, it is up to the company at the
 receiving end to decide who and how to blacklist.  not amavisd, which
 doesn't come with any default blacklists.
 maybe you need to send them a freedom of information request asking why
 they blacklisted you?  also, if you got a BOUNCE, the BOUNCE might tell
 you why it was blacklisted.

 the company might use one of the free or commercial blacklists to
 protect themselves from email sent directly from workstations, etc.

 Also, if you spent 3 months trying to send what you now seem to think
 is a critical request, then truly, your earlier statement "I don't know
 how email works" is true.

 email is 'best efforts', and unless you have a contract with the sending
 company and receiving company saying that they must accept your email,
 then maybe you should have spent .41c and sent them an email.

Michael, I'm assuming you meant postal mail, not email.  And I agree, 
email is not meant to be used for such things.  Peter, rather than 
wasting any more of your time (or anyone else's for that matter) try 
using USPS certified mail with return receipt and be done with it.

Bill

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 Please visit http://www.ijs.si/software/amavisd/ regularly
 For administrativa requests please send email to rainer at openantivirus dot 
org


Re: [AMaViS-user] Recent spam increase // Any clue??

2009-07-07 Thread Bill Landry
 Hello folks,

 I am using a combination of amavisd-new 2.6.4 - spamassassin - p0f -
 dcc - razor2 - SPF - DKIM on an FBSD box, with quite good results for
 many years now.


 I would like to know if anyone has already found a solution to fight
 these scams, as I am a little bit clueless about how to fight this new spam.


 For a couple of days now, I have been facing a massive increase in Little SPAM
 such as the one presented hereunder:

This question is probably better posed to the Spamassassin Users list. 
With that said, John Hardin recently posted this sample to that list:

body     GAPPPY_URI  /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe GAPPPY_URI  URI contains obfuscation spaces
score    GAPPPY_URI  1.5

Watch for word-wrapping, as this should only be 3 lines.

Bill
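As an added example (not from the thread or from SpamAssassin itself), the rule above transcribed into Python's re module, run over constructed message bodies to show which obfuscation styles it catches, which ordinary URLs it leaves alone, and how a matched fragment collapses back to the host it was hiding; the sample bodies and the helper names are my own.

```python
import re

# John Hardin's GAPPPY_URI body rule, quoted above, transcribed from
# SpamAssassin's Perl syntax into Python's re (the constructs used behave
# the same in both engines); the trailing /i becomes re.IGNORECASE.
GAPPPY_URI = re.compile(
    r"\bwww(?:\s\W?\s?|\W\s)"                 # "www" then a space-padded separator
    r"\w{3,6}\d{2,6}"                         # short label that ends in digits
    r"(?:\s\W?\s?|\W\s)"                      # another padded separator
    r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",   # TLD, possibly spaced out
    re.IGNORECASE,
)
GAPPPY_URI_SCORE = 1.5

# Constructed sample bodies: two obfuscated forms the rule targets, and two
# ordinary-looking URLs that must not trigger it.
SAMPLES = {
    "spaced_dots": "Order now at www . site42 . c o m before midnight",
    "dash_space":  "see www- shop99 -com for the deal",
    "plain_url":   "Visit www.example.com for details",
    "long_label":  "www . example77 . net",   # 7-letter label; rule allows 3-6
}


def gappy_uri_hits(body):
    """Return every obfuscated-URI fragment the rule matches in a message body."""
    return [m.group(0) for m in GAPPPY_URI.finditer(body)]


def deobfuscate(fragment):
    """Collapse a matched fragment back to the host it was hiding, for triage."""
    no_space = re.sub(r"\s+", "", fragment)
    return re.sub(r"\W+", ".", no_space).lower()


def score_body(body):
    """A body rule without 'tflags multiple' adds its score at most once."""
    return GAPPPY_URI_SCORE if GAPPPY_URI.search(body) else 0.0


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = gappy_uri_hits(body)
        print(f"{name:12} score={score_body(body):.1f} hits={hits} "
              f"hosts={[deobfuscate(h) for h in hits]}")
```

The long_label case is worth noting when tuning: the rule deliberately limits the host label to 3-6 word characters followed by 2-6 digits, so a longer spaced-out label does not score and needs its own rule.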


___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 


Re: [AMaViS-user] amavisd quietly dieing

2009-05-10 Thread Bill Landry
Eric W. Bates wrote:
 I have a mysterious problem. After upgrading amavisd-new to 2.6.2 on
 FreeBSD (port version 2.6.2_3,1), it simply dies after about 20 seconds
 with no errors or core dumps.
 
 I cranked the debug level up to 5 and sent it all to syslog.
 
 As far as I can tell, there is no way to run amavisd non-daemonized (in
 the hopes of some non-logged output).

You could try running amavisd in debug mode to see if that outputs
anything unusual to the screen:

   amavisd debug

 I have tried it both with spamd running and not running (no change).

If you are running amavisd-new, then you do not need to run spamd (and
should not run it), as amavisd pre-loads spamassassin and its config
files into memory at startup (see: http://www.ijs.si/software/amavisd/
for more details).

Bill



Re: [AMaViS-user] Changes to local.cf

2009-04-26 Thread Bill Landry
Jeff Grossman wrote:
 If I make changes to SpamAssassin's local.cf file, do I need to restart 
 Amavis or does Amavis load the local.cf file during each mail delivery?

You need to reload amavisd, as it only reads local.cf on startup.

Bill



Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2

2009-04-18 Thread Bill Landry
Mark Martinec wrote:
 The second release candidate amavisd-new-2.6.3-rc2 is available at:

Mark, would you consider including the following perl modules as
additional Prerequisites in the INSTALL document:

   Convert::BinHex
   DBI

Even though I'm not using SQL, adding these perl modules resolves the
following reported issues on Fedora 10 with perl v5.10.0:

amavisd start
fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
  Can't locate Convert/BinHex.pm in @INC (@INC contains:
/usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0
/usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
/usr/local/lib/perl5/site_perl/5.10.0
/usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl
/usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
/usr/local/lib/perl5/site_perl/5.10.0 /usr/local/lib/perl5/site_perl
/usr/lib/perl5/site_perl) at
/usr/local/lib/perl5/site_perl/5.10.0/MIME/Decoder/BinHex.pm line 43.
  BEGIN failed--compilation aborted at
/usr/local/lib/perl5/site_perl/5.10.0/MIME/Decoder/BinHex.pm line 43.
  Compilation failed in require at /usr/local/sbin/amavisd line 197.
fetch_modules: error loading optional module
Mail/SpamAssassin/SQLBasedAddrList.pm:
  Can't locate DBI.pm in @INC (@INC contains:
/var/lib/spamassassin/compiled/3.002004
/var/lib/spamassassin/compiled/3.002004/auto
/usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0
/usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
/usr/local/lib/perl5/site_perl/5.10.0
/usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl
/usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
/usr/local/lib/perl5/site_perl/5.10.0 /usr/local/lib/perl5/site_perl
/usr/lib/perl5/site_perl) at
/usr/local/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/SQLBasedAddrList.pm
line 80.
  BEGIN failed--compilation aborted at
/usr/local/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/SQLBasedAddrList.pm
line 80.
  Compilation failed in require at /usr/local/sbin/amavisd line 197.
===

Thanks for your consideration and for the great piece of software!

Best regards,

Bill



Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2

2009-04-18 Thread Bill Landry
Mark Martinec wrote:
 Bill,
 
 Mark, would you consider including the following perl modules as
 additional Prerequisites in the INSTALL document:
Convert::BinHex
 
 fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
   Can't locate Convert/BinHex.pm in @INC
 
 The Convert::BinHex is not used directly by amavisd nor by SpamAssassin.
 It is a dependency from a MIME-Tools perl module. Seems like whoever
 did the package for MIME-Tools forgot to specify this dependency.
 
 In FreeBSD ports the dependency is clearly stated in the MIME-Tools' Makefile,
 so installing the mail/p5-MIME-Tools port brings in the Convert/BinHex.pm
 port automatically.
 
 It would be futile for amavisd to try and track any indirect dependencies
 from subordinate modules.

I agree, thanks for the explanation.

DBI

 Even though I'm not using SQL, adding these perl modules resolves the
 following reported issues on Fedora 10 with perl v5.10.0:
 
 fetch_modules: error loading optional module
 Mail/SpamAssassin/SQLBasedAddrList.pm:
   Can't locate DBI.pm in @INC
 
 I'll remove the Mail::SpamAssassin::SQLBasedAddrList from a list
 of modules in 'sub getCommonSAModules'. Please see if that helps.

I'll remove the DBI module after your next release and then let you know
what I find.

Thanks,

Bill




Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2

2009-04-18 Thread Bill Landry
Mark Martinec wrote:

First off, sorry for the previous inadvertent off-list reply.

 Mark, would you consider including the following perl modules as
 additional Prerequisites in the INSTALL document:
Convert::BinHex
 
 fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
   Can't locate Convert/BinHex.pm in @INC
 
 The Convert::BinHex is not used directly by amavisd nor by SpamAssassin.
 It is a dependency from a MIME-Tools perl module. Seems like whoever
 did the package for MIME-Tools forgot to specify this dependency.
 
 In FreeBSD ports the dependency is clearly stated in the MIME-Tools' Makefile,
 so installing the mail/p5-MIME-Tools port brings in the Convert/BinHex.pm
 port automatically.
 
 It would be futile for amavisd to try and track any indirect dependencies
 from subordinate modules.

After sending my last response, I started wondering why the missing
Convert::BinHex module was not an issue for amavisd-new until after the
upgrade from v2.6.2 to v2.6.3-rc2, if not used directly by amavisd, as
you state above?  SpamAssassin v3.2.5 was running both before and after
the amavisd-new upgrade, so the only thing that changed was amavisd-new.

Just curious...  Thanks!

Bill



Re: [AMaViS-user] sanesecurity sigs and bounce_killer ?

2009-04-08 Thread Bill Landry
Michael Scheidell wrote:
 sanesecurity site:
 references this archived email:
 says to set bypass_decode_parts=1 in amavisd.conf
 
 amavisd says to set it to 0 if you are using bounce_killer or using 
 'file' to guess the attachment type.
 
 (i have it set to 0, using bounce killer and file)
 
 (http://marc.info/?t=11795129371&r=1&w=2)
 
 OT: bill, funny thing:  I can't look up your DNS servers from our 
 internal network..

Well that's strange, since the domain is publicly hosted by EditDNS (check
whois inetmsg.com).  The other strange thing is I just sent you an
email off list about something else.

 http://sanesecurity.com/usage.htm
 
 says: uncomment the #qr'^MAIL'
 
 @keep_decoded_original_maps = (new_RE(
   qr'^MAIL$',   # retain full original message for virus checking (can be slow)
   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
 # qr'^Zip archive data', # don't trust Archive::Zip
 ));
 
 
 and it looks like sane security test #2 and 3 did fail if I don't do 
 this in amavisd.conf:
 (uncomment the qr'^MAIL').
 
 so, 'can be slow'.  how slow is it? and is bill landry wrong saying I 
 need bypass_decode_parts=1?
 is this something fixed in 2.6.2?

Not required, but if you don't use bypass_decode_parts = 1, then you
will want to set $keep_decoded_original_re = 1 so that clamd can also
scan the entire message and not just all of the decoded parts separately.

Bill



Re: [AMaViS-user] sanesecurity sigs and bounce_killer ?

2009-04-08 Thread Bill Landry
Henrik K wrote:
 On Wed, Apr 08, 2009 at 02:43:00PM -0700, Bill Landry wrote:
 Michael Scheidell wrote:
 and it looks like sane security test #2 and 3 did fail if I don't do 
 this in amavisd.conf:
 (uncomment the qr'^MAIL').

 so, 'can be slow'.  how slow is it? and is bill landry wrong saying I 
 need bypass_decode_parts=1?
 is this something fixed in 2.6.2?
 Not required, but if you don't use bypass_decode_parts = 1, then you
 will want to set $keep_decoded_original_re = 1 so that clamd can also
 scan the entire message and not just all of the decoded parts separately.
 
 I was just thinking about this same stuff. I use bounce killer too, but I
 want scanners to scan _only_ the full email and not all the parts which
 creates unnecessary load.
 
 Mark, would it be possible to have some option to only do the stuff that
 bounce killer needs and not write unnecessary parts to disk?

Amavisd-New already does this, just set bypass_decode_parts = 1 in
your amavisd.conf file, and you're good to go (works with amavisd-new
2.5.1-pre1 and newer).  When this is set, amavisd does *not* decode
messages and split them into parts, it simply passes the full message to
clamd for scanning.

Bill



Re: [AMaViS-user] 2.6.3 due out?

2009-03-27 Thread Bill Landry
Sahil Tandon wrote:
 On Fri, 27 Mar 2009, Mark Martinec wrote:
 
 when is 2.6.3 due out?
 No promises on dates, but I'd really like to do it pretty soon now,
 and I'm trying to wrap up things these days. A matter of a week
 or two I hope.
 
 Not that you need to be told this, but take your time Mark -- we appreciate
 your effort in maintaining this entirely free product.

Yes indeed!  Can't thank you enough, Mark!  Your efforts make our jobs
so much easier.

Bill




Re: [AMaViS-user] DKIM problem with long domain names?

2009-03-10 Thread Bill Landry
Mark Martinec wrote:
 Not that I know of, but there is a bug in Mail::DKIM 0.32 or earlier,
 only triggered in marginal cases - yours may be one of them.

 From release notes:
(btw, if testkeys fails and you believe your DNS is correctly serving
your DKIM public keys, you may need to upgrade Perl module Mail-DKIM
to version 0.33 or at least 0.32_6)
 
 Btw, Jason Long (author of Mail::DKIM) has just released an official 0.33,
 which is equivalent to 0.32_6, except that it doesn't bear a 'beta' shade.
 
 So port and package maintainers should no longer have an excuse
 not to upgrade their port/package to the current official release
 of Mail-DKIM-0.33.
 
 See:  http://cpan.perl.org/authors/id/J/JA/JASLONG/

Hmmm, is Jason possibly still working on the 0.33 release?  From the
link you posted above:

   Mail-DKIM-0.33.tar.gz   10-Mar-2009 07:57   74K
   Mail-DKIM-0.33_5.tar.gz 10-Mar-2009 08:07   74K
   Mail-DKIM-0.33_6.tar.gz 10-Mar-2009 08:22   74K

And it's still not available via CPAN.

Bill



Re: [AMaViS-user] DKIM problem with long domain names?

2009-03-10 Thread Bill Landry
Patrick Wong wrote:
 Yes Bill, I can confirm that 0.33 is available from CPAN cause I just
 did it this morning after reading Mark's notes.

Not for me.  Just now tried again:

cpan[1]> install Mail::DKIM
CPAN: Storable loaded ok (v2.18)
Going to read /root/.cpan/Metadata
  Database was generated on Tue, 10 Mar 2009 11:26:55 GMT
CPAN: YAML loaded ok (v0.68)
Going to read 72 yaml files from /root/.cpan/build/
CPAN: Time::HiRes loaded ok (v1.9711)
DONE
Restored the state of 3 (in 1.3195 secs)
Mail::DKIM is up to date (0.32).

cpan[2]>

Bill



Re: [AMaViS-user] DKIM problem with long domain names?

2009-03-10 Thread Bill Landry
Mark Martinec wrote:

 No, it's just his style of numbering versions.
 The 0.33_6 will become 0.34 when released,
 just as 0.32_6 now became a 0.33.
 
 The 0.33_6 is dropping support for pre-standard DKIM.

Yes, I see that now.  I forced a cpan database update and was able to
install 0.33.

Thanks for the heads up about the new release.

Bill



Re: [AMaViS-user] link error in howto link

2009-03-08 Thread Bill Landry
Benny Pedersen wrote:
 http://www.amavis.org/howto/ gives me a 403
 
 could someone tell me where it is, if it has moved?

If you're running amavisd-new, then you should be looking at:

   http://www.ijs.si/software/amavisd/

instead of www.amavis.org.

Bill




Re: [AMaViS-user] link error in howto link

2009-03-08 Thread Bill Landry
Bill Landry wrote:
 Benny Pedersen wrote:
 http://www.amavis.org/howto/ gives me a 403

 could someone tell me where it is, if it has moved?
 
 If you're running amavisd-new, then you should be looking at:
 
http://www.ijs.si/software/amavisd/
 
 instead of www.amavis.org.

BTW, just out of curiosity, why does your post to this list come from:

   Benny Pedersen m...@junc.org

but your reply-to header is set as:

   Reply-To: jhar...@impsec.org

Isn't that email address owned by:

   John Hardin jhar...@impsec.org

Are Benny Pedersen & John Hardin pseudonyms for the same person?

Bill



Re: [AMaViS-user] URI/URl severs

2009-02-25 Thread Bill Landry
Benedict White wrote:
 -Original Message-
 From: Alexander Wirt [mailto:formo...@debian.org] 
 Sent: 24 February 2009 16:58
 To: Benedict White
 Cc: amavis-user@lists.sourceforge.net
 Subject: Re: [AMaViS-user] URI/URl severs
 
 Benedict White schrieb am Tuesday, den 24. February 2009:
 
 One rule set I maintain for several servers is a list of spammy URLS.

 I know there are URL blocklists that can be integrated into spamassassin. 

 What I wanted to do was run my own, so I could quickly report bad URLs to it
 and know that all the servers would score it how I wanted.

 What I wanted to know is:

 Does anyone know of some server side software that does this that is open 
 source?
 Sure. We use rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html) for that
 purpose. 
 
 
 Many thanks Alexander and Bill.
 
 So assuming that is easy enough to set up (I presume it is), then the question 
 is how do I get Spamassassin to query it, and how do I tell it of URLs I 
 would like it to block?
 
 Kind Regards
 
 Benedict White

It's pretty straightforward to set up.  As far as how to query it from
SA, you could set up a new test in the same format as the URIBL & SURBL
URI tests are set up.  Once you've installed rbldnsd, if you have further
questions about how to configure it, either post them to the rbldnsd
list or feel free to send them to me off-list, as these questions are OT
for this list.

Bill



Re: [AMaViS-user] problem upgrading amavisd

2009-02-25 Thread Bill Landry
deconya wrote:
 Hi
 
 A user of the postfix mailing list pointed me to this list, in case it would be
 possible to help me with my problem. I'm upgrading an old version of amavisd-new
 (version 2.1.2) to the new 2.6.1. I'm following the README manual and installing
 all the perl modules, but when I start amavisd in debug mode this appears:
 
 --
 Problem in Amavis::DB or Amavis::DB::SNMP code: Can't locate loadable object
 for module BerkeleyDB in @INC (@INC contains:
 /usr/lib/perl5/5.8.0/i386-linux-thread-multi
 /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
 /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
 /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0) at (eval
 34) line 19
 Compilation failed in require at (eval 34) line 19.
 BEGIN failed--compilation aborted at (eval 34) line 19.
 Undefined subroutine BerkeleyDB::Term::close_everything called at
 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/BerkeleyDB.pm line
 1649.
 END failed--call queue aborted.
 --
 
 and I don't know how to repair this. I can't find information about this in
 any manual. Can someone help me?
 
 Best Regards

Looks like you're missing the BerkeleyDB perl module.  Try:

   cpan -i BerkeleyDB

Then reload amavisd.  That should resolve the issue for you.

Bill




Re: [AMaViS-user] URI/URl severs

2009-02-24 Thread Bill Landry
Benedict White wrote:
 One rule set I maintain for several servers is a list of spammy URLS.
 
 I know there are URL blocklists that can be integrated into spamassassin. 
 
 What I wanted to do was run my own, so I could quickly report bad URLs to it
 and know that all the servers would score it how I wanted.
 
 What I wanted to know is:
 
 Does anyone know of some server side software that does this that is open 
 source?
 
 
 Kind Regards
 
 Benedict White

Take a look at rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html), it's
what URIBL & SURBL both use.

Bill



Re: [AMaViS-user] Issue with clamscan

2009-02-14 Thread Bill Landry
Mark Martinec wrote:

 Here is a patch for this bug (against 2.6.2):
 
 --- amavisd.orig  2008-12-15 01:50:09.0 +0100
 +++ amavisd   2009-02-15 01:57:40.0 +0100
 @@ -19993,4 +19993,5 @@
1;
  } or do { $eval_stat = $@ ne '' ? $@ : errno=$! };
 +prolong_timer('ask_daemon_internal', $deadline-time);
  last  if $eval_stat eq '';  # mission accomplished
  # error handling (most interesting error codes are EPIPE and ENOTCONN)
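Review bot: the added `prolong_timer('ask_daemon_internal', $deadline-time);` runs on every pass through the retry loop, including the failed attempts whose error handling follows on the next context line, so once `$deadline` has passed the second argument is zero or negative; confirm that prolong_timer treats a non-positive remaining time as an immediate timeout rather than as "no limit", and add a one-line comment stating why the timer has to be re-armed after each eval, since nothing in the surrounding lines explains it.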
 
 Mark

Thanks Mark, that did indeed fix the problem.

Bill



Re: [AMaViS-user] Issue with clamscan

2009-02-13 Thread Bill Landry
Michael Scheidell wrote:
 
 
 Bill Landry wrote:
 su amavis
 bash-3.2$ clamscan --stdout --no-summary -r /home/amavis/*
 /home/amavis/DESPACHO-4542008.exe: Trojan.Downloader-46121 FOUND
 /home/amavis/postfix-2.5.5.tar.gz: OK
 /home/amavis/test.com: Eicar-Test-Signature FOUND
 /home/amavis/test.eml: Email.Trojan.GZC FOUND
 /home/amavis/test.msg: OK
 /home/amavis/test.txt: OK

   
 
 but, amavis doesn't use clamscan (except as backup scanner)
 
 try clamdscan (the d is NOT a typo)

Please reread my original email.  I'm not having any problems with clamd
or clamdscan.  The problem is when clamd crashes and the amavisd backup
scanner, clamscan (without the d) fails.

Bill



Re: [AMaViS-user] Issue with clamscan

2009-02-13 Thread Bill Landry
Michael Scheidell wrote:
 Hi List,

 I am running:

 amavisd -V
 amavisd-new-2.6.2 (20081215)

 ClamD recently crashed and I found entries in the mailq like the following:

 
 Two things to check (and all mostly permissions)
 
 As the user running amavisd, use 'clamscan' on your $AMAVIS home/tmp
 
 Then, use clamdscan on same (clamdscan sb same group, or group read for same
 directory)

Both amavisd and clamd run as user:group amavis:amavis and all of
/var/amavis permissions are also set to amavis:amavis.

Here's how I tested to see if permissions are ok:

ls -l /home
drwx------  3 amavis  amavis  4096 2009-02-06 18:42 amavis

ls -l /home/amavis
-rw-rw-r-- 1 amavis amavis  414720 2008-07-01 14:09 DESPACHO-4542008.exe
-rw-r--r-- 1 amavis amavis 3157877 2008-10-04 13:48 postfix-2.5.5.tar.gz
-rw-r--r-- 1 amavis amavis  69 2008-11-02 12:08 test.com
-rw-r--r-- 1 amavis amavis   81538 2008-11-01 22:23 test.eml
-rw-r--r-- 1 amavis amavis    3393 2009-01-24 20:40 test.msg
-rw-r--r-- 1 amavis amavis  69 2009-02-06 18:41 test.txt

su amavis
bash-3.2$ clamscan --stdout --no-summary -r /home/amavis/*
/home/amavis/DESPACHO-4542008.exe: Trojan.Downloader-46121 FOUND
/home/amavis/postfix-2.5.5.tar.gz: OK
/home/amavis/test.com: Eicar-Test-Signature FOUND
/home/amavis/test.eml: Email.Trojan.GZC FOUND
/home/amavis/test.msg: OK
/home/amavis/test.txt: OK

Seems permissions are ok?  Any other ideas?

Thanks!

Bill



Re: [AMaViS-user] Issue with clamscan

2009-02-13 Thread Bill Landry
Clayton Keller wrote:
 Bill Landry wrote:
 Hi List,

 I am running:

 amavisd -V
 amavisd-new-2.6.2 (20081215)

 ClamD recently crashed and I found entries in the mailq like the
 following:

 -Queue ID- --Size-- Arrival Time -Sender/Recipient---
 78F8763CE0111253 Fri Feb 13 10:33:28  owner-postfix-us...@postfix.org
 (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
 id=29363-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
 ClamAV-clamscan av-scanner FAILED: Not a CODE reference at (eval 87)
 line 403, GEN54 line 65.; ClamAV-clamscan av-scanner FAILED: Not a
 CODE reference at (eval 87) line 403, GEN54 line 65. (in reply to end
 of DATA command))
  b...@inetmsg.com

 When I reload amavisd, it reports in the maillog:

 Feb 13 10:36:38 mail amavis[29477]: Using primary internal av scanner
 code for ClamAV-clamd
 Feb 13 10:36:38 mail amavis[29477]: Found secondary av scanner
 ClamAV-clamscan at /usr/local/bin/clamscan

 which is the correct path to clamscan, but amavisd fails when attempting
 to scan a message with clamscan.  Here is my secondary scanner entry in
 amavisd.conf:

 @av_scanners_backup = (

 ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
 ['ClamAV-clamscan', 'clamscan',
   "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
   qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 );

 Any ideas on what I might have configured incorrectly?  Any feedback is
 greatly appreciated!

 Regards,

 Bill

 
 What is your $TEMPBASE set to? Are permissions correct where you can
 clamscan in it as well? Or is this also part of your amavis tmp
 directory you were scanning ok from? I believe with the config you have
 above, clamscan will dump to that $TEMPBASE and recursively scan it. If
 it is not set to the same directory you are testing with, maybe that is
 the cause of the issue?

From amavisd.conf:

$MYHOME   = '/var/amavis';
$TEMPBASE = "$MYHOME/tmp";

ls -l /var/amavis/tmp/
drwxr-x--- 3 amavis amavis 4096 2009-01-27 21:47 amavis-20090127T214710-13386
drwxr-x--- 3 amavis amavis 4096 2009-01-27 22:31 amavis-20090127T223134-13163
drwxr-x--- 3 amavis amavis 4096 2009-01-27 22:31 amavis-20090127T223134-13386
drwxr-x--- 3 amavis amavis 4096 2009-01-30 15:57 amavis-20090130T155709-14910
drwxr-x--- 3 amavis amavis 4096 2009-02-03 05:30 amavis-20090203T053028-26240
drwxr-x--- 3 amavis amavis 4096 2009-02-07 03:27 amavis-20090207T032754-25648

Yes, I can scan there just fine:

su amavis

bash-3.2$ clamscan --stdout --no-summary -r /var/amavis/tmp/

/var/amavis/tmp/amavis-20090127T072652-05434/email.txt: OK
/var/amavis/tmp/amavis-20090127T072652-05434/parts/p001: OK
/var/amavis/tmp/amavis-20090127T214710-13386/email.txt: Sanesecurity.Junk.6497.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090127T214710-13386/parts/p001: Sanesecurity.Junk.6497.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090130T155709-14910/email.txt: OK
/var/amavis/tmp/amavis-20090130T155709-14910/parts/p001: OK
/var/amavis/tmp/amavis-20090127T223134-13163/email.txt: OK
/var/amavis/tmp/amavis-20090127T223134-13163/parts/p001: OK
/var/amavis/tmp/amavis-20090127T215729-13386/email.txt: Sanesecurity.Junk.1350.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090127T215729-13386/parts/p001: Sanesecurity.Junk.1350.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090207T032754-25648/email.txt: OK
/var/amavis/tmp/amavis-20090207T032754-25648/parts/p001: OK
/var/amavis/tmp/amavis-20090203T053028-26240/email.txt: OK
/var/amavis/tmp/amavis-20090203T053028-26240/parts/p001: OK

I don't think this is a permissions issue, but I'm willing to try
whatever might help resolve the issue.

Thanks!

Bill



Re: [AMaViS-user] Issue with clamscan

2009-02-13 Thread Bill Landry
Mark Martinec wrote:
 Bill,
 
 451 4.5.0 Error in processing,
 id=29363-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
 ClamAV-clamscan av-scanner FAILED: Not a CODE reference at (eval 87)
 line 403, GEN54 line 65.;
 
 @av_scanners_backup = (

 ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
 ['ClamAV-clamscan', 'clamscan',
   "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
                                                            ^
   qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 );
 
 One argument too many.
 
 Either use [1] or qr/:.*\sFOUND$/, you can't have both
 in that position.
 
   Mark

Thanks for the reply, Mark.  I've updated my clamscan entry in
amavisd.conf, so it now looks like:

### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
  "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0],
  qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

Then did an amavisd reload, but I am still seeing in the mailq:

0F6B65A53CB 2037 Fri Feb 13 16:46:50  bill.lan...@gmail.com
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
id=01189-01, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk
to /var/amavis/clamd.sock (Can't connect to UNIX socket
/var/amavis/clamd.sock: No such file or directory) at (eval 87) line
325, GEN51 line 37.; ClamAV-clamscan av-scanner FAILED: run_av error:
run_av: Exceeded allowed time at (eval 87) line 532, GEN51 line 37.
(in reply to end of DATA command))
 b...@inetmsg.com

And in the maillog:

Feb 13 16:46:50 mail postfix/qmgr[28813]: 0F6B65A53CB:
from=bill.lan...@gmail.com, size=2037, nrcpt=1 (queue active)
Feb 13 16:46:51 mail amavis[1189]: (01189-01) (!)ClamAV-clamd: Can't
connect to UNIX socket /var/amavis/clamd.sock: No such file or
directory, retrying (2)
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)ClamAV-clamd
av-scanner FAILED: run_av error: Too many retries to talk to
/var/amavis/clamd.sock (Can't connect to UNIX socket
/var/amavis/clamd.sock: No such file or directory) at (eval 87) line
325, GEN51 line 37.
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)WARN: all primary
virus scanners failed, considering backups
Feb 13 16:47:07 mail amavis[1189]: (01189-01) (!)killing process [1320]
running ClamAV-clamscan (reason: on reading: timed out)
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)process [1320] running
ClamAV-clamscan is still alive, using a bigger hammer
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)run_av
(ClamAV-clamscan): collect_results - reading aborted: timed out at
/usr/local/sbin/amavisd line 3202, GEN51 line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)ClamAV-clamscan
av-scanner FAILED: run_av error: run_av: Exceeded allowed time at (eval
87) line 532, GEN51 line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)TROUBLE in check_mail:
virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
av-scanner FAILED: run_av error: Too many retries to talk to
/var/amavis/clamd.sock (Can't connect to UNIX socket
/var/amavis/clamd.sock: No such file or directory) at (eval 87) line
325, GEN51 line 37.; ClamAV-clamscan av-scanner FAILED: run_av error:
run_av: Exceeded allowed time at (eval 87) line 532, GEN51 line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)PRESERVING EVIDENCE in
/var/amavis/tmp/amavis-20090213T164650-01189
Feb 13 16:47:08 mail postfix/smtp[1318]: 0F6B65A53CB:
to=b...@inetmsg.com, relay=127.0.0.1[127.0.0.1]:10024, delay=18,
delays=0.13/0.02/0.04/18, dsn=4.5.0, status=deferred (host
127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=01189-01,
virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
av-scanner FAILED: run_av error: Too many retries to talk to
/var/amavis/clamd.sock (Can't connect to UNIX socket
/var/amavis/clamd.sock: No such file or directory) at (eval 87) line
325, GEN51 line 37.; ClamAV-clamscan av-scanner FAILED: run_av error:
run_av: Exceeded allowed time at (eval 87) line 532, GEN51 line 37.
(in reply to end of DATA command))

Any other thoughts?

Thanks!

Bill
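As an added example (a simplified re-implementation, not amavisd's own code), here is how the trailing items of an @av_scanners entry are interpreted, written in Python rather than Perl: the "clean" and "infected" slots each hold either a list of exit codes or a regex on the scanner's output, followed by the virus-name regex, which is why Mark's point is that `[1]` and `qr/:.*\sFOUND$/` compete for one position. The sample input is the clamscan run Bill posted, and the last case shows the "Infected Archive" exclusion.

```python
import re
from typing import List, Sequence, Tuple, Union

# A status rule is either a list of exit codes or a regex applied to the
# scanner's output, mirroring the layout of an @av_scanners entry
# (assumption: this is an illustration, not amavisd's own logic).
StatusRule = Union[Sequence[int], re.Pattern]

# Rules from the corrected entry in the thread: [0] for clean, the FOUND
# regex for infected, and the name regex that skips "Infected Archive".
CLEAN_RULE: StatusRule = [0]
FOUND_RULE: StatusRule = re.compile(r":.*\sFOUND$", re.M)
NAME_RULE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

# Constructed sample: the clamscan run Bill posted, as the scanner's stdout.
SAMPLE_OUTPUT = (
    "/home/amavis/DESPACHO-4542008.exe: Trojan.Downloader-46121 FOUND\n"
    "/home/amavis/postfix-2.5.5.tar.gz: OK\n"
    "/home/amavis/test.com: Eicar-Test-Signature FOUND\n"
    "/home/amavis/test.eml: Email.Trojan.GZC FOUND\n"
    "/home/amavis/test.msg: OK\n"
    "/home/amavis/test.txt: OK\n"
)


def _rule_hits(rule: StatusRule, exit_code: int, output: str) -> bool:
    """A regex rule is tested against the output, a list rule against the exit code."""
    if isinstance(rule, re.Pattern):
        return rule.search(output) is not None
    return exit_code in rule


def evaluate_scan(
    exit_code: int,
    output: str,
    clean_rule: StatusRule = CLEAN_RULE,
    infected_rule: StatusRule = FOUND_RULE,
    name_rule: re.Pattern = NAME_RULE,
) -> Tuple[str, List[str]]:
    """Classify one scanner run as infected, clean or failed.

    The infected rule is checked first so that a reported detection is never
    downgraded to clean. Anything matching neither rule (crash, timeout,
    unexpected exit code) is a failure, the state that makes amavisd fall
    through to the next scanner or defer the message with a 451.
    """
    if _rule_hits(infected_rule, exit_code, output):
        names: List[str] = []
        for name in name_rule.findall(output):
            if name not in names:  # de-duplicate, keep first-seen order
                names.append(name)
        return "infected", names
    if _rule_hits(clean_rule, exit_code, output):
        return "clean", []
    return "failed", []


if __name__ == "__main__":
    print(evaluate_scan(1, SAMPLE_OUTPUT))
    # exit status says clean but the output says FOUND: the regex rule still catches it
    print(evaluate_scan(0, SAMPLE_OUTPUT))
    # with exit-code-only rules ([0], [1]) the exit status alone decides
    print(evaluate_scan(0, SAMPLE_OUTPUT, infected_rule=[1]))
```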



Re: [AMaViS-user] Using RelayCountry with amavis?

2008-10-03 Thread Bill Landry
Per olof Ljungmark wrote:
 Hi,
 
 I am fiddling with Mail::SpamAssassin::Plugin::RelayCountry in our
 Spamassassin config, and it seems to load ok from init.pre:
 spamassassin -D --lint:
 [85215] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry
 from @INC
 
 However, it does not show up when I start amavisd:
 
 amavis[85275]: extra modules loaded after daemonizing:
 Mail/DomainKeys/Header.pm, Mail/DomainKeys/Key.pm,
 Mail/DomainKeys/Key/Public.pm, Mail/DomainKeys/Message.pm,
 Mail/DomainKeys/Policy.pm, Mail/DomainKeys/Signature.pm,
 Mail/SpamAssassin/Plugin/DomainKeys.pm, Mail/SpamAssassin/Plugin/PDFInfo.pm
 
 Anyone on the list using this plugin that can give me a hint here? Using
 latest stable release.

Maybe the RelayCountry module has not been included in
additional_perl_modules in amavisd?  I think you can add it to your
amavisd.conf.  From the RELEASE_NOTES for the amavisd-new-2.4.3 section:

- added a global configuration variable @additional_perl_modules, which
  is a list of additional Perl module names or absolute file names that
  should be compiled/executed (by calling 'require') at a program startup
  time by a master parent process, before chroot-ing and before changing
  UID takes place. Its purpose is to pre-load additional non-standard
  SpamAssassin plugins and similar modules that a standard SpamAssassin
  initialization would miss, causing them to be loaded later by each
  child process, which is inefficient and may not work in a chrooted
  process. Example:
@additional_perl_modules = qw(
  /usr/local/etc/mail/spamassassin/FuzzyOcr.pm
  /usr/local/etc/mail/spamassassin/ImageInfo.pm
  /usr/local/etc/mail/spamassassin/WebRedirect.pm
  String::Approx Net::HTTP Net::HTTP::Methods
  URI URI::http URI::_generic URI::_query URI::_server
  HTTP::Date HTTP::Headers HTTP::Message HTML::HeadParser
  HTTP::Request HTTP::Response HTTP::Status
  LWP LWP::Protocol LWP::Protocol::http
  LWP::UserAgent LWP::MemberMixin LWP::Debug
);
  Make sure these files are owned by root and not writable by unprivileged
  users such as amavis!

Try setting up a .cf file for RelayCountry, for example:
=
ifplugin Mail::SpamAssassin::Plugin::RelayCountry

header  RELAY_BR X-Relay-Countries =~ /\bBR\b/
describeRELAY_BR Relayed through Brazil
score   RELAY_BR 1.0

header  RELAY_CN X-Relay-Countries =~ /\bCN\b/
describeRELAY_CN Relayed through China
score   RELAY_CN 1.0

header  RELAY_HK X-Relay-Countries =~ /\bHK\b/
describeRELAY_HK Relayed through Hong Kong
score   RELAY_HK 1.0

endif
=

and see if SA reports entries like:

RELAY_CN=1, RELAY_CN Relayed through China

Bill



Re: [AMaViS-user] error loading optional module

2008-05-22 Thread Bill Landry
Max Matslofva wrote:
 Hi
 I have the same problem on a new server running amavisd-new-2.6.0 (from 
 ports) on FreeBSD 6.3 and /var/amavis/tmp on 512m ramdisk.
 
 Bill Landry skrev:
 Mark Martinec wrote:
 What happens if you provide a username with an -u option, e.g.:
   # amavisd -u vscan reload
 I get error loading optional module
 vs.
   # amavisd stop
   # amavisd -u vscan start
 I get error loading optional module
 Anyway, the 'Permission denied' looks like these perl modules
 or one of their parent directories were not accessible as
 user vscan/amavis. Please check permissions of .pm files and all
 their parent directories. Make sure you do not have two copies
 of Perl module trees, or at least that they are consistent.
 [EMAIL PROTECTED] /]# find / -name Fast.pm
 /usr/local/lib/perl5/5.8.8/CGI/Fast.pm
 [EMAIL PROTECTED] /]# su vscan
 [EMAIL PROTECTED] /]# head /usr/local/lib/perl5/5.8.8/CGI/Fast.pm
 package CGI::Fast;
 
 # See the bottom of this file for the POD documentation.  Search for the
 # string '=head'.
 
 # You can run this file through either pod2man or pod2html to produce pretty
 # documentation in manual or html file format (these utilities are part of the
 # Perl 5 distribution).
 
 # Copyright 1995,1996, Lincoln D. Stein.  All rights reserved.
 
 
 
 But if I stop and start with the rc-script from ports I can use amavisd reload?
 [EMAIL PROTECTED] /]# /usr/local/etc/rc.d/amavisd stop
 Stopping amavisd.
 Waiting for PIDS: 16411.
 [EMAIL PROTECTED] /]# /usr/local/etc/rc.d/amavisd start
 Starting amavisd.
 [EMAIL PROTECTED] /]# amavisd reload
 Daemon [16587] terminated by SIGTERM, waiting for dust to settle...
 becoming a new daemon...
 [EMAIL PROTECTED] /]#

Upon further investigation, I found that this still happens here, as well:

uname -a
Linux mail.inetmsg.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 
2008 i686 i686 i386 GNU/Linux

amavisd -V
amavisd-new-2.6.0 (20080423)

spamassassin -V
SpamAssassin version 3.2.4
   running on Perl version 5.8.8

However, for me, the odd thing is this only happens when amavisd
reload or amavisd stop/start is executed from within my home directory.
If executed anywhere outside of my home directory, no errors are seen.
The only other thing I noticed when executing from within my home
directory, but again not if executed outside of my home directory, is
the following entry in my maillog:

May 21 14:28:38 mail amavis[2612]: (!)_DIE: image_info is not exported 
by the Image::Info module\n dim is not exported by the Image::Info 
module\nCan't continue after import errors at 
/etc/mail/spamassassin/ImageCheck.pm line 7\nBEGIN failed--compilation 
aborted at /etc/mail/spamassassin/ImageCheck.pm line 7.\n

However, if I drop back to amavisd-new-2.5.4, the errors and maillog 
entry go away, no matter where I execute amavisd reload or amavisd 
stop/start from.  Thoughts?

Bill



Re: [AMaViS-user] error loading optional module

2008-05-22 Thread Bill Landry
Mark Martinec wrote:
 Max and Bill,
 
 Upon further investigation, I found that this still happens here, as well:
 However, for me, the odd thing is this only happens when amavisd
 reload or amavisd stop/start is executed from within my home directory.
 If executed anywhere outside of my home directory, no errors are seen.
 The only other thing I noticed when executing from within my home
 directory, but again not if executed outside of my home directory, is
 the following entry in my maillog:

 May 21 14:28:38 mail amavis[2612]: (!)_DIE: image_info is not exported
 by the Image::Info module\n dim is not exported by the Image::Info
 module\nCan't continue after import errors at
 /etc/mail/spamassassin/ImageCheck.pm line 7\nBEGIN failed--compilation
 aborted at /etc/mail/spamassassin/ImageCheck.pm line 7.\n

 However, if I drop back to amavisd-new-2.5.4, the errors and maillog
 entry go away, no matter where I execute amavisd reload or amavisd
 stop/start from.  Thoughts?
 
 Do you happen to have SpamAssassin or some of Perl modules or plugins
 installed/located in your home directory?

Here is what's in my home directory:

ls -l /home/bill/
total 72
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Desktop
drwxr-xr-x  2 bill bill 4096 2008-04-26 19:27 Documents
drwxr-xr-x 44 bill bill 4096 2008-05-20 13:45 Download
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Music
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Pictures
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Public
drwxr-xr-x  2 bill bill 4096 2008-04-12 13:04 Scripts
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Templates
drwxr-xr-x  2 bill bill 4096 2007-12-12 23:22 Videos

Bill



Re: [AMaViS-user] error loading optional module

2008-05-22 Thread Bill Landry
Mark Martinec wrote:
 Upon further investigation, I found that this still happens here, as
 well: However, for me, the odd things is this only happens when amavisd
 reload or amavisd stop/start is executed from within my home directory.
 If executed anywhere outside of my home directory, no errors are seen.
 The only other thing I noticed when executing from within my home
 directory, but again not if executed outside of my home directory, is
 the following entry in my maillog:
 
 It looks like a problem reported to me by Tuomo Soini on Apr 29 2008:
 
 
 Some notes: pid file creation was changed from 2.5.4 to 2.6.0 so that
 2.6.0 can't open the pid file in /var/run any more; the pid file must be
 in a dir owned by the amavis user.
 
 I could work around this by moving amavisd pid to
 /var/run/amavis/amavisd.pid

This shouldn't apply to my setup since I have:

$pid_file = "$MYHOME/amavisd.pid";

in my amavisd.conf.  Thus:

ls -l /var/amavis/
total 52
-rw-r-----  1 amavis amavis    0 2008-05-22 11:55 amavisd.lock
-rw-r-----  1 amavis amavis    6 2008-05-22 11:54 amavisd.pid
srwxr-x---  1 amavis amavis    0 2008-05-22 11:54 amavisd.sock
srwxrwxrwx  1 amavis amavis    0 2008-05-21 14:25 clamd.sock
drwxr-x---  2 amavis amavis 4096 2008-05-22 11:54 db
drwxr-x---  2 amavis amavis 4096 2007-12-17 19:19 home
-rw-r--r--  1 amavis amavis   26 2007-12-18 13:14 local_domains
drwxr-xr-x  2 amavis amavis 4096 2008-05-18 05:27 logs
drwxr-x--- 28 amavis amavis 4096 2008-05-22 11:55 tmp
drwxr-x---  2 amavis amavis 4096 2007-12-17 19:19 var

 I noticed that the problem with perl module loading was caused by selinux
 denying access to some paths on the filesystem and my_require erroneously
 catching this as a permission problem while the module was really loading.

This doesn't apply in my setup either, since I have selinux disabled:

sestatus
SELinux status: disabled

 This patch did fix it on my system:

However, with all of that said, this patch did resolve the issue on my 
system, as well.

Thanks!

Bill



Re: [AMaViS-user] error loading optional module

2008-05-20 Thread Bill Landry
Mark Martinec wrote:
 Bill,
 
 I recently upgraded to amavisd-new-2.6.0 and all appears to be running
 fine.  However, when executing a reload, I am seeing the following
 errors reported:

 # amavisd reload
 Daemon [24965] terminated by SIGTERM, waiting for dust to settle...
 becoming a new daemon...
 fetch_modules: error loading optional module IP/Country/Fast.pm:
Requiring lib/IP/Country/Fast.pm, file is inaccessible: Permission
 denied,
 fetch_modules: error loading optional module Image/Info.pm:
Requiring lib/Image/Info.pm, file is inaccessible: Permission denied,
 fetch_modules: error loading optional module Image/Info/GIF.pm:
Requiring lib/Image/Info/GIF.pm, file is inaccessible: Permission
 denied, fetch_modules: error loading optional module Image/Info/JPEG.pm:
Requiring lib/Image/Info/JPEG.pm, file is inaccessible: Permission
 denied, [...]
 
 The paths appear to be incorrect, but I'm not sure how to correct them.
   The errors are only reported when doing a reload (amavisd reload), and
 not when starting amavisd (amavisd start).
 
 Strange, the 'amavisd reload' is pretty much equivalent to
 'amavisd stop' followed by 'amavisd start'. Was there any
 command line option like -R used in one case but not the other?
 Or perhaps one was executed as root and the other as user vscan?

No, both were simply executed from su root as:

amavisd stop
amavisd start

amavisd reload

 What happens if you provide a username with an -u uption, e.g.:
   # amavisd -u vscan reload
 vs.
   # amavisd stop
   # amavisd -u vscan start

I should have sent out an update, but I re-downloaded the image and 
reinstalled amavisd and have had no problems or error reports since - 
possibly a corrupted download?

 Anyway, the 'Permission denied' looks like these perl modules
 or one of their parent directories were not accessible as
 user vscan/amavis. Please check permissions of .pm files and all
 their parent directories. Make sure you do not have two copies
 of Perl module trees, or at least that they are consistent.

No, since all appears to be running fine now.  Anyway, thanks for the reply.

Bill



[AMaViS-user] error loading optional module

2008-05-08 Thread Bill Landry
I recently upgraded to amavisd-new-2.6.0 and all appears to be running 
fine.  However, when executing a reload, I am seeing the following 
errors reported:

# amavisd reload
Daemon [24965] terminated by SIGTERM, waiting for dust to settle...
becoming a new daemon...
fetch_modules: error loading optional module IP/Country/Fast.pm:
   Requiring lib/IP/Country/Fast.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Image/Info.pm:
   Requiring lib/Image/Info.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/GIF.pm:
   Requiring lib/Image/Info/GIF.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/JPEG.pm:
   Requiring lib/Image/Info/JPEG.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Image/Info/PNG.pm:
   Requiring lib/Image/Info/PNG.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/TIFF.pm:
   Requiring lib/Image/Info/TIFF.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF.pm:
   Requiring lib/Mail/SPF.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Server.pm:
   Requiring lib/Mail/SPF/Server.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF/Request.pm:
   Requiring lib/Mail/SPF/Request.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF/Mech.pm:
   Requiring lib/Mail/SPF/Mech.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/A.pm:
   Requiring lib/Mail/SPF/Mech/A.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF/Mech/PTR.pm:
   Requiring lib/Mail/SPF/Mech/PTR.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF/Mech/All.pm:
   Requiring lib/Mail/SPF/Mech/All.pm, file is inaccessible: Permission 
denied,
fetch_modules: error loading optional module Mail/SPF/Mech/Exists.pm:
   Requiring lib/Mail/SPF/Mech/Exists.pm, file is inaccessible: 
Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/IP4.pm:
   Requiring lib/Mail/SPF/Mech/IP4.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/IP6.pm:
   Requiring lib/Mail/SPF/Mech/IP6.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/Include.pm:
   Requiring lib/Mail/SPF/Mech/Include.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/MX.pm:
   Requiring lib/Mail/SPF/Mech/MX.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod.pm:
   Requiring lib/Mail/SPF/Mod.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod/Exp.pm:
   Requiring lib/Mail/SPF/Mod/Exp.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod/Redirect.pm:
   Requiring lib/Mail/SPF/Mod/Redirect.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/SenderIPAddrMech.pm:
   Requiring lib/Mail/SPF/SenderIPAddrMech.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/v1/Record.pm:
   Requiring lib/Mail/SPF/v1/Record.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/v2/Record.pm:
   Requiring lib/Mail/SPF/v2/Record.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module NetAddr/IP.pm:
   Requiring lib/NetAddr/IP.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module NetAddr/IP/Util.pm:
   Requiring lib/NetAddr/IP/Util.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/NetAddr/IP/Util/inet_n2dx.al:
   Requiring lib/auto/NetAddr/IP/Util/inet_n2dx.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/NetAddr/IP/Util/ipv6_n2d.al:
   Requiring lib/auto/NetAddr/IP/Util/ipv6_n2d.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Query.pm:
   Requiring lib/Mail/SPF/Query.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/Crypt/OpenSSL/RSA/new_public_key.al:
   Requiring lib/auto/Crypt/OpenSSL/RSA/new_public_key.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/Crypt/OpenSSL/RSA/new_key_from_parameters.al:
   Requiring lib/auto/Crypt/OpenSSL/RSA/new_key_from_parameters.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module 

Re: [AMaViS-user] ot: clamd monitor/restarter

2007-11-08 Thread Bill Landry
Voytek Eymont wrote:
 whilst in the past clamd has proven extremely reliable, in the last few
 weeks I had clamd die maybe on 3 occasions for some reason (perhaps
 related to the additional third party signature downloads getting
 corrupted?);
 
 so I was thinking of some sort of daemon monitor, if it dies to restart
 it, any suggestions?

Are you testing third-party signature files before moving them into production?
 There are several scripts available for downloading, testing, and utilizing
third-party signatures (see www.sanesecurity.com).  My script can also be set to
report the status of clamd and attempt to restart it if not running.

Bill

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] ot: clamd monitor/restarter

2007-11-08 Thread Bill Landry
Voytek Eymont wrote the following on 11/8/2007 6:43 PM -0800:
 On Fri, November 9, 2007 12:05 am, Bill Landry wrote:

   
 Are you testing third-party signature files before moving them into
 production? There are several scripts available for downloading, testing,
 and utilizing third-party signatures (see www.sanesecurity.com).  My
 script can also be set to report the status of clamd and attempt to
 restart it if not running.
 

 Bill,

 with your script, do I just run it from cron say 4 times a day?
 does it log what's it done ?

 ooops, I'm trying to compare what your script does vs what I've installed
 last week, and, guess what the 1st 2 lines of my current script says:

 'a modified version of a script by Bill Landry'

 so perhaps I'm already using your script... just didn't know it till now...

   
Voytek, I run the script via cron on an hourly basis.  The signature
files are only downloaded if an updated file is detected.  While other
scripts are based on one of my original scripts, they are heavily
modified.  As far as I know, my script is the only one that checks and
reports on the status of clamd and will attempt to restart the daemon,
if enabled.

I have not built logging into the script (although I have thought about
it), but if you enable cron to email you the script results, then you
will get a detailed report of what happened with each cron run.

Anyway, your current script probably already does signature file
testing, so that's most likely not the issue with clamd stopping
periodically.  Do you possibly have PhishingScanURLs enabled in your
clamd.conf?  Others have reported issues with this option.

Bill

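The status check and restart that Bill describes his script doing, written out as an added example; this is not Bill's script and not anything posted in the thread. It assumes clamdscan's documented exit codes (0 clean, 1 hit, 2 error such as no daemon) and its `--no-summary` flag; the `CLAMDSCAN`, `CLAMD_RESTART`, `RESTART_WAIT` and `CLAMD_WATCHDOG_RUN` variables, the function names, the probe text and the default restart command are this example's own assumptions, and the restart command is a placeholder for whatever your init system uses.

```shell
#!/bin/sh
# Added example, not Bill Landry's script: a cron-driven clamd watchdog.
# It checks liveness end to end by asking clamd to scan a small probe file,
# restarts the daemon when that fails, re-checks, and prints one word that
# cron's mail (or a log) then reports. Variable and function names, the probe
# text and the default restart command are this example's own assumptions.

CLAMDSCAN="${CLAMDSCAN:-clamdscan}"
CLAMD_RESTART="${CLAMD_RESTART:-service clamd restart}"   # placeholder
RESTART_WAIT="${RESTART_WAIT:-10}"   # seconds clamd needs to load its databases

# clamd_alive: exit 0 when clamd accepted and scanned the probe, else 1.
# clamdscan exits 2 when it cannot reach the daemon (and 127 if it is not
# installed); 0 (clean) or 1 (hit) both prove the daemon is serving requests,
# which a bare PID check cannot.
clamd_alive() {
    probe=$(mktemp) || return 1
    printf 'clamd watchdog probe\n' > "$probe"
    rc=0
    "$CLAMDSCAN" --no-summary "$probe" >/dev/null 2>&1 || rc=$?
    rm -f "$probe"
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# clamd_watchdog: prints "ok", "restarted" or "failed"; returns non-zero only
# when clamd is still unreachable after the restart attempt.
clamd_watchdog() {
    if clamd_alive; then
        echo "ok"
        return 0
    fi
    logger -t clamd-watchdog "clamd not responding, restarting" 2>/dev/null || true
    $CLAMD_RESTART >/dev/null 2>&1 || true   # unquoted: may carry arguments
    sleep "$RESTART_WAIT"
    if clamd_alive; then
        echo "restarted"
        return 0
    fi
    echo "failed"
    return 1
}

# Run from cron (for example every five minutes) with cron mail enabled so the
# result line reaches you. The guard lets the functions be sourced by other
# scripts without running the check.
if [ "${CLAMD_WATCHDOG_RUN:-0}" = 1 ]; then
    clamd_watchdog
fi
```

Scanning a probe through the daemon rather than looking for a PID catches the case Voytek describes, where clamd is gone or wedged after a bad signature load; the `failed` result is the one worth alerting on, since a restart that does not bring the daemon back usually means a database in the live directory no longer parses.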


Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-11 Thread Bill Landry
Mark Martinec wrote:
 Bill,
 
 Mark, are there any changes beyond what I am currently running that you
 would like me to test?  If so, let me know and I would be happy to test. 
 Otherwise, everything appears to be running great here with the latest
 patch and subroutine change you made and I applied a few days ago.
 
 The new patch contains one more compatibility fix directly related
 to third-party plugins such as the URIWhois which you are using.
 Please do try with the latest patch, even though it appears to be
 working fine at your installation. Also, it offers an additional
 parameter (timeout_min) that can be used by such plugins, and I
 believe the next version of URIWhois will take advantage of it.

I did a fresh build and install of SA 3.2.3 with the new patch and ran a few
tests.  So far everything looks good, but I'll keep an eye on things and let you
know if I see anything unusual.

Bill



Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-10 Thread Bill Landry
Mark Martinec wrote:
 Bill, (and anybody else using SpamAssassin 3.2.3),
 
 This should provide backwards compatibility for third-party plugins
 which were not adapted by my patch in 5589.
 I applied the subroutine above to AsyncLoop.pm after applying a clean
 patch and all looks great now.
 
 I prepared a new version of the async timeout handlings patch
 for SpamAssassin 3.2.3, to include the more recent feedback
 and findings on compatibility. The issue is described at:
 
   http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589
 
 I would appreciate if anyone is willing to give it a try.
 The patch is attached to that bug report. It is supposed to be
 fully compatible with existing 3.2.3 and plugins. An instant
 reward is reduced wait times for responses from DNS/RBL/URIBL
 servers, especially for slowly responding or unreliable ones.
 Having a module Time::HiRes installed is highly beneficial,
 although it should work in principle even without it.
 
   Mark

Mark, are there any changes beyond what I am currently running that you would
like me to test?  If so, let me know and I would be happy to test.  Otherwise,
everything appears to be running great here with the latest patch and subroutine
change you made and I applied a few days ago.

Bill



Re: [AMaViS-user] Antivirus programs?

2007-10-10 Thread Bill Landry
Adam65535 wrote:
 On 10/9/07, Pelletier, Robert [EMAIL PROTECTED] wrote:
 I'm using ClamAV. It's a perfect match with Amavis, it's fast and gets
 high in the reviews.

 
 In my experiences clamav/clamd is much slower than other mail scanners (even
 when up against command line scanners like uvscan).  It is still a very
 useful virus scanner but not fast by any means.  For an example... the
 command line scanner uvscan takes .15 seconds while clamav takes 2.6 seconds
 for the same email.  This trend is throughout the logs.

Those figures certainly don't match my results.  I ran clamd and uvscan for
quite some time (at least two years) until our volume became too great, and then
had to do away with uvscan because it was way too slow.  For the most part,
clamd timings were always sub-second, while uvscan was always in the multiple
second range, even as high as 17 seconds on some scans.

I would suggest that you are using clamscan rather than clamd if you are
seeing the results you are reporting above.

Bill



Re: [AMaViS-user] Antivirus programs?

2007-10-10 Thread Bill Landry
Adam65535 wrote:
 On 10/10/07, *Bill Landry* [EMAIL PROTECTED] wrote:
 
 Adam65535 wrote:
  On 10/9/07, Pelletier, Robert [EMAIL PROTECTED] wrote:
  I'm using ClamAV. It's a perfect match with Amavis, it's fast and gets
  high in the reviews.
 
 
  In my experiences clamav/clamd is much slower than other mail scanners (even
  when up against command line scanners like uvscan).  It is still a very
  useful virus scanner but not fast by any means.  For an example... the
  command line scanner uvscan takes .15 seconds while clamav takes 2.6 seconds
  for the same email.  This trend is throughout the logs.
 
 Those figures certainly don't match my results.  I ran clamd and uvscan for
 quite some time (at least two years) until our volume became too great, and then
 had to do away with uvscan because it was way too slow.  For the most part,
 clamd timings were always sub-second, while uvscan was always in the multiple
 second range, even as high as 17 seconds on some scans.
 
 I would suggest that you are using clamscan rather than clamd if you are
 seeing the results you are reporting above.
 
 
 I disabled clamscan with amavis because the timings for that are much
 worse than clamd so I don't want that as a backup scanner.  I am 110%
 sure I am using clamd.  I have been running amavisd-new with uvscan and
 clamd on a few servers with the same results in timings.  Pretty weird
 that you are seeing different results.  Uvscan has always been quicker
 for me with 4.x and the 5.x versions of uvscan than clamd by far.
 

Just for reference purposes, I still have uvscan running on an old single proc
P350 running RedHat 9.  Here are some timing comparisons between uvscan (Scan
engine v5.1.00 for Linux) and clamdscan (ClamAV 0.91.2):

time /usr/local/bin/uvscan --secure -rv --mime --mailbox --noboot test.eml

real    0m6.371s
user    0m5.840s
sys     0m0.528s

===

time /usr/local/bin/clamscan --stdout --detect-broken --block-max
--mail-follow-urls --max-recursion=15 --unzip=/usr/bin/unzip
--unrar=/usr/local/bin/unrar --arj=/usr/bin/arj --unzoo=/usr/bin/unzoo
--lha=/usr/bin/lha --jar=/usr/bin/unzip --tar=/bin/tar --tgz=/bin/tar -r
test.eml

real    0m12.790s
user    0m11.437s
sys     0m0.480s

===

time /usr/local/bin/clamdscan test.eml

real    0m0.388s
user    0m0.004s
sys     0m0.008s

Of all of the virus scanners I've personally tested with amavisd-new (ClamAV,
BitDefender, UVScan, Sophos, TrendMicro, Avast, AntiVir, Panda, AVG, and
F-Prot), F-Prot is by far the fastest command-line scanner of the bunch.  It is
almost as fast as some of the other scanners when running in daemon mode.

time /usr/local/bin/f-prot -ai -archive=5 -dumb -noboot -nobreak -nomem -follow
-packed -server test.eml

real    0m2.888s
user    0m2.489s
sys     0m0.395s

Anyway, just my unsolicited 2 cents...

Bill



Re: [AMaViS-user] Antivirus programs?

2007-10-10 Thread Bill Landry
Clifton Royston wrote the following on 10/10/2007 5:20 PM -0800:
 On Wed, Oct 10, 2007 at 05:07:52PM -0400, Adam65535 wrote:
   
 On 10/10/07, Rob MacGregor [EMAIL PROTECTED] wrote:
 
 I've never yet seen clamd take anything close to that on emails.  I
 have to add SpamAssassin to the process to get anything close to that
 kind of delay.

 As a quick test, I ran clamdscan against sample-nonspam.txt (that came
 with SpamAssassin some time back) and it took 0.015s.

 Now, clamscan, that took 2.6s for the same scan (f-prot took 0.3s,
 bitdefender a mind blowing 6.3).

   
 Well the timings I did locally on that simple email confirm what everyone
 else has been stating.  Uvscan is slower than clamd.  Either I have been
 transposing these two timings all this time or one of the clamav/clamd
 updates improved things.  Going by everyone's comments it sure seems like I
 have been transposing these numbers :/. 
 

 It might be something of both; there was also one of the clamav updates
 in the past year which speeded daemon mode up tremendously, IME.

   -- Clifton

   
I thought the update had to do with how long it took clamd to load its
signature file upon startup. I haven't seen any changes in clamd scan
times once the signature files are initially loaded.

Bill




Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-08 Thread Bill Landry
Mark Martinec wrote the following on 10/7/2007 7:02 PM -0800:
 Bill,

   
 Mark, I had also applied the jumbo patch, as well.  However, I noticed
 that there were additional changes to AsyncLoop.pm in the jumbo patch
 found at http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589, so
 I applied this patch and now when doing spamassassin --lint or when
 starting or stopping amavisd, I see:

 Subroutine log_lookups_timing redefined at
 /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 224.
 

 The second patch is a SUBSTITUTE for the first one, so you must
 not apply it ON TOP of the first one, but on a virgin SpamAssassin
 (or just do a patch -R on the first one to undo it, before applying
 the second).
   
I tried several things to get the AsyncLoop patch to install cleanly,
but without success.  I finally had to revert back to the AsyncLoop.pm
from SA 3.2.2 in order to get the patch to install with issues.
 Please try with the following replacement subroutine (after first applying
 the patch), in module AsyncLoop.pm:

 sub set_response_packet {
   my ($self, $id, $pkt, $key, $timestamp) = @_;
   $self->{finished}->{$id} = 1;  # only key existence matters, any value
   $timestamp = time  if !defined $timestamp;
   my $pending = $self->{pending_lookups};
   if (!defined $key) {  # backwards compatibility with 3.2.3 and older plugins
     # a third-party plugin did not provide $key in a call, search for it:
     for my $tkey (keys %$pending) {
       if ($id eq $pending->{$tkey}->{id}) { $key = $tkey; last }
     }
     dbg("async: searching for lookup with id $id, found $key");
   }
   if (!defined $key) {
     info("async: no key, response packet not remembered, id $id");
   } else {
     my $ent = $pending->{$key};
     if ($id ne $ent->{id}) {
       info("async: ignoring response, mismatched id $id, $ent->{id}");
     } else {
       $ent->{finish_time} = $timestamp;
       $ent->{response_packet} = $pkt;
     }
   }
   1;
 }


 This should provide backwards compatibility for third-party plugins
 which were not adapted by my patch in 5589.
   
I applied the subroutine above to AsyncLoop.pm after applying a clean
patch and all looks great now.  I posted the output from amavisd
debug-sa to:

http://www.inetmsg.com/debug-sa3.txt

if you want to take a look.  Anyway, no more panics or async aborts, and
all DNS tests return without issue.

Thanks again, Mark, for your in resolving this!

Bill



Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-07 Thread Bill Landry
Mark Martinec wrote the following on 10/7/2007 5:53 AM -0800:
 [9016] dbg: asn: asn.routeviews.org.: lookup result packet:
  '14.198.114.38.asn.routeviews.org. 356 IN TXT 40156 38.114.198.0 24'
 Use of uninitialized value in hash element
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 363, GEN20 line 168. Use of uninitialized value in string eq
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168. Use of uninitialized value in concatenation (.) or
 string
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168. [9016] dbg: async: caught complete_lookups death,
 aborting:
   set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN,
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168.
 

 Interesting, I'll take a look. Which version of Net::DNS ?
 You seem to be using my patch to AsyncLoop, is it the first
 version or the second? (attached on the SA problem report ticket).
  
Mark, I am running Net::DNS 0.61. The two patches I used were dated:

--- Dns.pm~ Fri Jun 8 14:55:30 2007
+++ Dns.pm Tue Jun 12 17:01:08 2007

and

--- Dns.pm~ Fri Jun 15 02:23:23 2007
+++ Dns.pm Fri Jun 15 02:26:29 2007

Let me know if you need anything else.

Thanks!

Bill




Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-07 Thread Bill Landry
Bill Landry wrote the following on 10/7/2007 9:31 AM -0800:
 Mark Martinec wrote the following on 10/7/2007 5:53 AM -0800:
   
 [9016] dbg: asn: asn.routeviews.org.: lookup result packet:
  '14.198.114.38.asn.routeviews.org. 356 IN TXT 40156 38.114.198.0 24'
 Use of uninitialized value in hash element
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 363, GEN20 line 168. Use of uninitialized value in string eq
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168. Use of uninitialized value in concatenation (.) or
 string
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168. [9016] dbg: async: caught complete_lookups death,
 aborting:
   set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN,
   at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
 364, GEN20 line 168.
 
   
 Interesting, I'll take a look. Which version of Net::DNS ?
 You seem to be using my patch to AsyncLoop, is it the first
 version or the second? (attached on the SA problem report ticket).
  
 
 Mark, I am running Net::DNS 0.61. The two patches I used were dated:

 --- Dns.pm~ Fri Jun 8 14:55:30 2007
 +++ Dns.pm Tue Jun 12 17:01:08 2007

 and

 --- Dns.pm~ Fri Jun 15 02:23:23 2007
 +++ Dns.pm Fri Jun 15 02:26:29 2007

 Let me know if you need anything else.
   
Mark, I had also applied the jumbo patch, as well.  However, I noticed
that there were additional changes to AsyncLoop.pm in the jumbo patch
found at http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589, so
I applied this patch and now when doing spamassassin --lint or when
starting or stopping amavisd, I see:

Subroutine log_lookups_timing redefined at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 224.

This is new, so I re-ran amavisd debug-sa and ran the suspect message
through again - the output can be found at:

http://www.inetmsg.com/debug-sa2.txt

It looks pretty much the same to me, but may provide you with more info.

Thanks again for looking into this!

Bill



[AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-06 Thread Bill Landry
I am running:

amavisd -V
amavisd-new-2.5.2 (20070627)
---
spamassassin -V
SpamAssassin version 3.2.3
  running on Perl version 5.8.8

I've been trying to figure out why some messages are failing DNS based
tests during normal e-mail delivery processing.  With
amavisd running in debug-sa mode, I am seeing things like the following:

[9016] dbg: async: aborting after 2.463 s, shrunk deadline: URI-DNSBL,
DNSBL:multi.uribl.com.:zynoxin.com
[9016] dbg: async: aborting after 2.397 s, shrunk deadline: URI-DNSBL,
DNSBL:bl.open-whois.org.:cabbagesoupdietpill.com
[9016] dbg: async: aborting after 2.408 s, shrunk deadline: URI-NS,
NS:zymelite.com
[9016] dbg: async: aborting after 2.404 s, shrunk deadline: URI-DNSBL,
DNSBL:multi.surbl.org.:chongsoolongtea.com
[9016] dbg: async: aborting after 2.442 s, shrunk deadline: URI-DNSBL,
DNSBL:dob.sibl.support-intelligence.net:sumactin.com
[9016] dbg: async: aborting after 2.291 s, shrunk deadline: DNSBL-A,
dns:A:14.198.114.38.sbl.csma.biz.
[9016] dbg: async: aborting after 2.470 s, shrunk deadline: URI-DNSBL,
DNSBL:bl.open-whois.org.:amberoz.com
[9016] dbg: async: aborting after 2.460 s, shrunk deadline: URI-DNSBL,
DNSBL:my.black.list.:zynoxin.com
[...]
[9016] dbg: async: aborted 174 remaining lookups

However, I don't see these issues when running the same message through
spamassassin -t or even su amavis -c 'spamassassin -t -D < test.eml'.
I have posted the output of the following commands for review:

Regular e-mail delivery with amavisd debug-sa:
http://www.inetmsg.com/debug-sa.txt

su amavis -c 'spamassassin -t -D < test.eml':
http://www.inetmsg.com/su-amavis.txt

spamassassin -t -D < test.eml:
http://www.inetmsg.com/spamassassin.txt

If anyone has any thoughts about why DNS based tests happen to fail on
these types of message when running through normal e-mail processing,
but not when run in test mode, I would appreciate the feedback.

Regards,

Bill



Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline

2007-10-06 Thread Bill Landry
I also just noticed that these types of messages when run through the
normal e-mail delivery process are showing several PANIC situations
stemming from AsyncLoop.pm:

[9016] dbg: async: caught complete_lookups death, aborting:
set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364,
GEN20 line 168.
spf: lookup failed: set_response_packet: PANIC - mismatched id
61972/amberoz.com/SOA/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
spf: lookup failed: set_response_packet: PANIC - mismatched id
37014/zynoxin.com/SOA/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting:
set_response_packet: PANIC - mismatched id 7887/leucatin.com/SOA/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting:
set_response_packet: PANIC - mismatched id 62883/sumactin.com/SOA/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting:
set_response_packet: PANIC - mismatched id 50907/ovulex.com/SOA/IN, at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.

Bill

Bill Landry wrote the following on 10/6/2007 9:33 AM -0800:
 I am running:

 amavisd -V
 amavisd-new-2.5.2 (20070627)
 ---
 spamassassin -V
 SpamAssassin version 3.2.3
   running on Perl version 5.8.8

 I've been trying to figure out why some messages are failing DNS based
 tests during normal e-mail delivery processing.  With
 amavisd running in debug-sa mode, I am seeing things like the following:

 [9016] dbg: async: aborting after 2.463 s, shrunk deadline: URI-DNSBL,
 DNSBL:multi.uribl.com.:zynoxin.com
 [9016] dbg: async: aborting after 2.397 s, shrunk deadline: URI-DNSBL,
 DNSBL:bl.open-whois.org.:cabbagesoupdietpill.com
 [9016] dbg: async: aborting after 2.408 s, shrunk deadline: URI-NS,
 NS:zymelite.com
 [9016] dbg: async: aborting after 2.404 s, shrunk deadline: URI-DNSBL,
 DNSBL:multi.surbl.org.:chongsoolongtea.com
 [9016] dbg: async: aborting after 2.442 s, shrunk deadline: URI-DNSBL,
 DNSBL:dob.sibl.support-intelligence.net:sumactin.com
 [9016] dbg: async: aborting after 2.291 s, shrunk deadline: DNSBL-A,
 dns:A:14.198.114.38.sbl.csma.biz.
 [9016] dbg: async: aborting after 2.470 s, shrunk deadline: URI-DNSBL,
 DNSBL:bl.open-whois.org.:amberoz.com
 [9016] dbg: async: aborting after 2.460 s, shrunk deadline: URI-DNSBL,
 DNSBL:my.black.list.:zynoxin.com
 [...]
 [9016] dbg: async: aborted 174 remaining lookups

 However, I don't see these issues when running the same message through
 spamassassin -t or even su amavis -c 'spamassassin -t -D < test.eml'.
 I have posted the output of the following commands for review:

 Regular e-mail delivery with amavisd debug-sa:
 http://www.inetmsg.com/debug-sa.txt

 su amavis -c 'spamassassin -t -D < test.eml':
 http://www.inetmsg.com/su-amavis.txt

 spamassassin -t -D < test.eml:
 http://www.inetmsg.com/spamassassin.txt

 If anyone has any thoughts about why DNS based tests happen to fail on
 these types of message when running through normal e-mail processing,
 but not when run in test mode, I would appreciate the feedback.

 Regards,

 Bill

   




Re: [AMaViS-user] Keep going if AV Scanner fails?

2007-08-20 Thread Bill Landry
Adam Gibson wrote:
 Gary V wrote:
 (have not tried it though). Make sure your update script is a recent
 one that tests the downloads before employing them and consider
 
 This is one of the most important steps IMHO.  I would make sure the 
 script tests the dat files before copying them into place.  The scripts 
 that I have used over the years tests the dat files with the eicar virus 
 test pattern to make sure they work before copying them into place.

The issue here is not whether the virus signature files work or not, it's
whether one of them is corrupted or not.  A corrupted signature file will cause
clamd to silently crash and no longer be available for message scanning.  The
test that needs to be done on ClamAV signature files:

clamscan --quiet -d /path/to/sigfile

will detect corrupted signature files, and thus can prevent them from being
moved into the production directory.  Most, if not all, of the download scripts
available on the SaneSecurity site
(http://www.sanesecurity.com/clamav/usage.htm) enable this testing prior to 
usage.

Bill

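The `clamscan --quiet -d` check from the reply above, worked into a stage-validate-install routine as an added example. This is not Bill's script and not a SaneSecurity script; it assumes clamscan's documented exit codes (0 no hit, 1 hit, 2 database or file error) and clamdscan's `--reload` flag, and the function names, the `CLAMSCAN`, `CLAMDSCAN`, `STAGE` and `CLAMDB` variables and the directory paths are this example's own assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not Bill Landry's script and not a SaneSecurity script: stage
# a downloaded third-party ClamAV signature file, prove clamscan can load it,
# and only then rename it into the live database directory. The function and
# variable names are this example's own; the directory paths are placeholders.

CLAMSCAN="${CLAMSCAN:-clamscan}"      # parses the candidate database
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"   # asks the running clamd to reload

# sig_is_loadable FILE: exit 0 when clamscan can load FILE as a database.
# clamscan exits 2 when it cannot open or parse a database (and 127 when it
# is not installed at all), so a truncated or corrupted download is rejected
# here instead of taking clamd down after installation. Exit 0 or 1 (no hit
# or a hit on the harmless probe) both mean the file parsed.
sig_is_loadable() {
    sig=$1
    [ -s "$sig" ] || return 1                     # missing or empty download
    probe=$(mktemp) || return 1
    printf 'signature load probe\n' > "$probe"
    rc=0
    "$CLAMSCAN" --quiet -d "$sig" "$probe" >/dev/null 2>&1 || rc=$?
    rm -f "$probe"
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# install_signature SRC DBDIR: prints "unchanged", "installed" or "rejected"
# and returns 1 only for "rejected". The candidate is copied next to the live
# file first so the final mv is an atomic rename on one filesystem; clamd never
# sees a half-written database, and a rejected file never reaches production.
install_signature() {
    src=$1
    dbdir=$2
    name=$(basename "$src")
    live="$dbdir/$name"
    if [ -f "$live" ] && cmp -s "$src" "$live"; then
        echo "unchanged"
        return 0
    fi
    tmp="$dbdir/.$name.tmp"
    cp "$src" "$tmp" || { echo "rejected"; return 1; }
    if sig_is_loadable "$tmp"; then
        mv -f "$tmp" "$live" && echo "installed" && return 0
    fi
    rm -f "$tmp"
    echo "rejected"
    return 1
}

# Hourly cron usage: after the download step has left new files in $STAGE,
# install each one and reload clamd once if anything actually changed.
if [ -n "${STAGE:-}" ]; then
    changed=0
    for f in "$STAGE"/*.ndb "$STAGE"/*.hdb "$STAGE"/*.ldb; do
        [ -f "$f" ] || continue
        result=$(install_signature "$f" "${CLAMDB:-/var/lib/clamav}") ||
            echo "WARNING: $f was rejected and left out of production" >&2
        echo "$f: $result"
        [ "$result" = installed ] && changed=1
    done
    if [ "$changed" -eq 1 ]; then
        "$CLAMDSCAN" --reload
    fi
fi
```

The comparison against the live copy is what keeps an hourly run cheap, as Bill describes for his own script: an unchanged file is neither re-validated nor re-installed, and clamd is only asked to reload when something in its database directory actually changed.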


Re: [AMaViS-user] Keep going if AV Scanner fails?

2007-08-20 Thread Bill Landry
Adam Gibson wrote:
 Bill Landry wrote:
 Adam Gibson wrote:
 Gary V wrote:
 (have not tried it though). Make sure your update script is a recent
 one that tests the downloads before employing them and consider
 This is one of the most important steps IMHO.  I would make sure the 
 script tests the dat files before copying them into place.  The scripts 
 that I have used over the years tests the dat files with the eicar virus 
 test pattern to make sure they work before copying them into place.
 The issue here is not whether the virus signature files work or not, it's
 whether one of them is corrupted or not.  A corrupted signature file will cause
 clamd to silently crash and no longer be available for message scanning.  The
 test that needs to be done on ClamAV signature files:

  clamscan --quiet -d /path/to/sigfile

 will detect corrupted signature files, and thus can prevent them from being
 moved into the production directory.  Most, if not all, of the download scripts
 available on the SaneSecurity site
 (http://www.sanesecurity.com/clamav/usage.htm) enable this testing prior to
 usage.

 Bill
 
 I think we are saying the same thing.  By checking to make sure it
 detects eicar before copying the dat files over it also makes sure the
 dat files are not corrupt.  The dat files are initially downloaded to a 
 temporary staging area which does not impact the running clamd.  Only 
 after testing the dat files to see if they properly detect the eicar 
 test virus do they get copied into the default clam dat signature 
 database directory.  This solves both problems at the same time.

Sounds like a lot of needless extra effort versus the sanctioned and ClamAV
developed and supported way of testing signature files for corruption.

Bill



Re: [AMaViS-user] Modified scoring of ClamAV spam hits

2007-08-02 Thread Bill Landry
John Beaver wrote:
 I'm still getting a few ZIPs, PDF, etc. getting through.  I just noticed 
 this scoring in one of the headers.  Note the score for the 
 sanesecurity=0.1:
 
 Res, score=5.819 tagged_above=2 required=4 
 tests=[AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf=0.1,  BAYES_99=3.5, 
 DKIM_POLICY_SIGNSOME=0, TVD_SPACE_RATIO=2.219]
 
 
 I am using amavisd-new with clamav 91.1.  Where can I adjust this scoring?
 
 john beaver

That depends on whether you are using a spamassassin .cf file for scoring the
header entries or if you're scoring them in amavisd.conf.  I would guess
amavisd.conf since you would probably know if you set up a .cf file for scoring
these.

In amavisd.conf, look for the section starting with:

@virus_name_to_spam_score_maps =

You can then adjust the individual SaneSecurity and/or MSRBL scores there.

Bill



Re: [AMaViS-user] Modified scoring of ClamAV spam hits

2007-08-02 Thread Bill Landry
John Beaver wrote the following on 8/2/2007 4:02 PM -0800:
 Mark Martinec wrote:
   
 John,

 
 I'm still getting a few ZIPs, PDF, etc. getting through.  I just noticed
 this scoring in one of the headers.  Note the score for the
 sanesecurity=0.1:

 Res, score=5.819 tagged_above=2 required=4
 tests=[AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf=0.1,   BAYES_99=3.5,
 DKIM_POLICY_SIGNSOME=0, TVD_SPACE_RATIO=2.219]

 I am using amavisd-new with clamav 91.1.  Where can I adjust this
 scoring?
 
 Bill Landry writes:
 
 That depends on whether you are using a spamassassin .cf file for scoring
 the header entries or if you're scoring them in amavisd.conf.  I would guess
 amavisd.conf since you would probably know if you set up a .cf file for
 scoring these.

 In amavisd.conf, look for the section starting with:
 @virus_name_to_spam_score_maps =
 You can then adjust the individual SaneSecurity and/or MSRBL scores there.
   
 Right. Or better yet, add rules to a SpamAssassin config file (e.g. 
 local.cf),
 as suggested in release notes. This is also a reason why scores assigned
 by amavisd itself are near-zero.

 

 Figures, I missed reading the release notes...

 I am using amavisd-new to call SA, so is SA called AFTER clamav (using
 SA local.cf)?  Just making sure which method will work best.

 john

Virus scanning is always done before spam filtering, otherwise there
would be no SaneSecurity or MSRBL headers for SA to trigger on.

Bill



Re: [AMaViS-user] amavis stopped to work, help!

2007-07-23 Thread Bill Landry
Andres wrote:
 I have made no changes at all, and today amavis stopped to work, so my
 mail server (Postfix) is not delivering email, this is the log file:
 
 Jul 23 10:50:03 pc009 amavis[11600]: (11600-01) ClamAV-clamscan
 av-scanner FAILED: /usr/bin/clamscan unexpected exit 50,
 output=LibClamAV Error: Can't load /var/lib/clamav//main.cvd: MD5
 verification error\nERROR: MD5 verification error at (eval 42) line
 435.
 Jul 23 10:50:03 pc009 amavis[11600]: (11600-01) TROUBLE in check_mail:
 virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
 av-scanner FAILED: Too many retries to talk to
 /var/run/clamav/clamd.ctl (Can't connect to UNIX socket

Looks like clamd crashed - did you restart clamd?

Bill



Re: [AMaViS-user] Dkim signing and altermime / disclaimer failure

2007-07-07 Thread Bill Landry
Michael Scheidell wrote the following on 7/7/2007 7:48 AM -0800:
 Seems if you use dkim to sign outgoing email through amavisd-new policy
 bank and forward-method, the 'disclaimer' added to message does not pass
 the body test. since it seems to sign the message before the disclaimer
 is added.

 Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
 or wait till Mark gets back?

 (at least I assume this is why I get this error on reflector:
 testing.dkim.org; [EMAIL PROTECTED]; dkim=fail (
   Err: body altered; RSA-128 err: hdrdiffs=none; bodyvfy=no;
 secnap.net/s102
   4 fail; ); 
   [EMAIL PROTECTED]; dkim=neutral

 [DKIM-Bodyhash: Warning]
 body hashes do not match for Michael Scheidell
 sig=k9XtizUNBPIHQDW1po4NYI6foNM= calc=QsnK/S4Ee01odgjQhyN9o4FaZjk= 
 [DKIM-Vfy: Warning]
 RSA-128 err: [EMAIL PROTECTED] hdrdiffs=none; bodyvfy=no;
 openssl=error::lib(0):func(0):reason(0); 'v=1; a=rsa-sha1;
 c=relaxed; d=secnap.net;
 h=mime-version:content-type:content-transfer-encoding:subject:
 date:message-id:from:to; q=dns/txt; s=s1024; bh=k9XtizUNBPIHQDW1
 po4NYI6foNM=; b=' 


 Using FREEBSD, postfix, amavisd-new 2.5.2, Mail:DKIM .26, dkimproxy.
   

I don't use dkim proxy, but do sign with both dk and dkim.  Just out of
curiosity, since you are using postfix (that is, if you are using a
relatively new version of postfix that supports milters), why not use
the dkim-milter and do your signing as the last thing postfix does
before delivering the message to the recipient MTA?  That should resolve
any issues you may be experiencing with something changing the body or
headers after signing.

Bill
 Used this to do forwarding, disclaimers:

 (using dkim proxy from ports, in rc.conf:

 amavisd-new forward sends to 127.0.0.1:10027.
 Dkimproxy listens on 127.0.0.0:10027, signs message and send back out
 10028.
 Postfix listens on 10028 and sends email back out.

 dkimproxy_out_enable=YES
 dkimproxy_out_flags=--keyfile=/usr/local/etc/dkimproxy/private.key \
 --selector=s1024 --domain=secnap.com,secnap.net --method=relaxed
 \
 127.0.0.1:10027 127.0.0.1:10028

 master.cf:

 127.0.0.1:10028 inet  n  -  n   -   10  smtpd
     -o content_filter=
     -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
     -o smtpd_helo_restrictions=
     -o smtpd_client_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8

 amavisd.conf

 @altermime_args_disclaimer =
   qw(--verbose  --disclaimer=/var/amavis/etc/disclaimer.txt
      --disclaimer-html=/var/amavis/etc/disclaimer.html);
 $defang_maps_by_ccat{+CC_CLEAN} = [ 'disclaimer' ];

 $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
   originating => 1,
   forward_method => 'smtp:[127.0.0.1]:10027',
   allow_disclaimers => 1,
   smtpd_discard_ehlo_keywords => ['8BITMIME'],
 };



Re: [AMaViS-user] problem with amavis and nod32

2007-06-18 Thread Bill Landry
Gregorics Tamás wrote the following on 6/18/2007 7:01 AM -0800:
 Hi!

 I'm having a slight problem with my amavisd-new installation. I'm using 
 the nod32 av scanner with amavis, and sometimes mails generate such 
 error logs:

 Jun 18 11:26:32 zeusz amavis[9766]: (09766-07) (!!) run_av (ESET 
 Software NOD32 Command Line Interface v 2.52) FAILED - unexpected exit 
 3, output=... 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 
 - MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 
 - MIME - : 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part001.htm: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - szoke.pps: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - : info=error occurred while reading archive

 Jun 18 11:26:32 zeusz amavis[9766]: (09766-07) (!!) ESET Software NOD32 
 Command Line Interface v 2.52 av-scanner FAILED: /usr/bin/nod32cli 
 unexpected exit 3, output=... 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 
 - MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 
 - MIME - : 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part000.txt: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - part001.htm: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - szoke.pps: 
 clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 - 
 MIME - : info=error occurred while reading archive at (eval 44) line 
 462.


 I contacted nod32 support and they suggested that it's amavis' fault 
 (it could happen with open source software), because it can not 
 extract the mail properly. They suggested leaving out amavis from the 
 delivery chain, but that's clearly not an option for us.

 Any suggestions?
   

If you set amavisd to send the raw e-mail to nod32, do you still see the 
error?

Bill



Re: [AMaViS-user] problem with amavis and nod32

2007-06-18 Thread Bill Landry
McDouglas wrote the following on 6/18/2007 7:38 AM -0800:
 Bill Landry wrote:
   
 If you set amavisd to send the raw e-mail to nod32, do you still see 
 the error?

 Bill

   
 

 How do I set that? And what else will change with that setting? 
 (concerned about the spamassassin/banned files/quarantine settings)
   

Depends on the version of amavisd-new you are running.  With the most 
recent version, 2.5.1, you can set $bypass_decode_parts = 1; to 
disable all decoding by amavisd-new.  From the release notes:

- setting $bypass_decode_parts to true now also disables MIME decoding,
  not just decoders/dearchivers listed in a @decoders list, and also
  implicitly retains full original message for virus checking, equivalent
  to having a regular expression /^MAIL$/ in a @keep_decoded_original_maps
  list

This will not change how spamassassin works (SA is sent the raw message 
for processing anyway), nor will it change how your virus quarantine 
settings work; however, it probably will affect how banned files are 
handled, since amavisd will not be doing any message decoding of its 
own.  I don't have any banned files listed in my amavisd.conf, so 
someone else will need to confirm this.

Bill



Re: [AMaViS-user] Someone missed a virus..

2007-06-15 Thread Bill Landry
Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
 Well, an attachment, a 0 day virus.

 How do we block an exe inside a .doc?

 Maybe hackers/spammers have found a way around Anti-Virus software, or
 at least, attachment blocking.

 Spam came in, with a 'proforma invoice' attached.
 (if you want to see it, http://www.secnap.com/downloads/proforma.eml)


 Click on the proforma invoice.doc, ALMOST open it. (or run strings on
 it)

 See a self executable zip file (.exe)

 Proforma_Invoice.exe
 C:\PROFOR~1.EXE
 C:\PROFOR~1.EXE


 'file Proforma_Invoice.doc' shows:

 Proforma_Invoice.doc: Microsoft Office Document

 file -i Proforma_Invoice.doc shows:
 application/msword

 Clamav and CA didn't see it as a virus.
 (Two hours later, after submitting to [EMAIL PROTECTED] and clamav, clam
 finds it:
  clamdscan Proforma_Invoice.doc
 /tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND
   
Thanks for reporting this one Michael, malware distributors are getting 
more creative all the time.  Just as an FYI, I am using the recent 
$bypass_decode_parts = 1 feature, which disables all decoding by 
amavisd-new and instead passes the raw messages to the virus scanner(s), 
relying on the decoding supported by the virus scanner itself.  In 
this case I run both clamd and f-prot, and both were able to detect the 
trojan inside the .doc file, without any decoding on the part of 
amavisd-new:

F-Prot:
/var/quarantine/virus/virus-TO4HclB5j1Sz-Proforma_Invoice.doc->Proforma_Invoice.exe
is a security risk named W32/Dropper.ESR

ClamD:
/var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

Thanks again, Mark, for adding the ability to bypass all decoding in 
amavisd-new, it seems to be working fine for me thus far.

Bill



Re: [AMaViS-user] Someone missed a virus..

2007-06-15 Thread Bill Landry
Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Bill Landry
 Sent: Friday, June 15, 2007 3:51 PM
 To: amavis-user@lists.sourceforge.net
 Subject: Re: [AMaViS-user] Someone missed a virus..

 Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
 Thanks for reporting this one Michael, malware distributors 
 are getting more creative all the time.  Just as an FYI, 
 I am using the recent $bypass_decode_parts = 1 feature, 
 which disables all decoding by amavisd-new and instead 
 passes the raw messages to the virus scanner(s), relying on 
 the decoding supported by the virus scanner itself.  In this 
 case I run both clamd and f-prot, and both were able to 
 detect the trojan inside the .doc file, without any decoding 
 on the part of amavisd-new:

 F-Prot:
 /var/quarantine/virus/virus-TO4HclB5j1Sz-Proforma_Invoice.doc->Proforma_Invoice.exe
 is a security risk named W32/Dropper.ESR

 ClamD:
 /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

 Thanks again, Mark, for adding the ability to bypass all 
 decoding in amavisd-new, it seems to be working fine for me thus far.
 

 Yes, but you only got that because I reported it to clamav at CA:

 (I use clamav, and at the time, it wasn't in the file:

 If you had checked that earlier (before daily/3430) you would have
 missed it.
   
I don't disagree.  My comment was more toward the fact that many virus 
scanners now support mime decoding and file unpacking themselves and 
thus the decoding feature of amavisd-new can be disabled (meaning no 
need to install and use unpackers within amavisd.conf, like ripole), 
which also possibly removes the requirement to try and work around files 
embedded in other files or mis-labeled file formats within amavisd.conf.

Anyway, it was simply an observation on my part.

Bill



Re: [AMaViS-user] Can't connect to UNIX socket /va

2007-06-05 Thread Bill Landry
[EMAIL PROTECTED] wrote the following on 6/5/2007 8:33 AM -0800:
 Hello Mark,

 On Tuesday 05 June 2007, Mark Martinec wrote to 
 amavis-user@lists.sourceforge.net:

   Actually, I did it both ways: amavis added to group clamav and
   clamav added to group amavis. [...] This certainly solved the
   problem. I'm still wondering why it doesn't work the other
   way, but I'll have another look at that later.
  MM It seems this problem is affecting certain installations and is
  MM reported every now and then, but is not affecting most of the
  MM rest. It would be useful to locate the cause of it. It may be
  MM related to the version of clamd, to the OS, and to the version
  MM of the kernel. For starters let's see some versions that exhibit
  MM this problem.

 OK. I'm running Linux kernel 2.6.18.8 on a Pentium 4 system.
 The version of clamav is 0.90.3, of amavisd-new 2.5.1.

  MM Just in case, please try to become user clamav, and try
  MM accessing (for reading) some amavis temporary files in its
  MM .../parts/ subdirectories.

 That works without problem.

 I still think I may have made a configuration error somewhere,
 but won't have time to investigate that thoroughly until the
 weekend.
   
Just thought I would ask the obvious, just in case.  Are the socket 
locations synchronized between clamd and amavisd?  For example:

From clamd.conf:
LocalSocket /var/amavis/clamd.sock

From amavisd.conf:
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd.sock"],

Anyway, good luck!

Bill



Re: [AMaViS-user] Quarantine and non-existing email addresses

2007-05-28 Thread Bill Landry
Paweł Leśniak wrote the following on 5/28/2007 1:32 AM -0800:
 Hello,

 I'm using Amavisd-new with SpamAssassin between two sendmail daemons - 
 incoming and outgoing.
 I've set up a quarantine level, so some spammy emails go to a single 
 mailbox called spams. Now once in a while (daily mostly) I'm going 
 through all those emails to catch some false positives. Most of the 
 time it's only spam, rarely a single email trapped.
 Now to the point.
 Most of those trapped messages are being sent to addresses which do not 
 exist in my mail server. So without SA they'd have gone to postmaster. 
 Is it possible to get all those messages to be dropped, or better, to be 
 stored in some other mailbox/mailfolder?

 I'm sorry if someone already asked a similar question - I can't find 
 the answer myself.

   
Look to the MTA (sendmail in your case) to do this.  You should be doing
some sort of recipient validation at the MTA level and rejecting mail to
non-existent accounts.  This will save you a bunch of cpu cycles by not
having to virus scan and spam filter all of those bogus e-mails.

I run postfix, and have never run sendmail, so I can't tell you how to
do this, but I have no doubt that sendmail supports recipient
validation.  Look to the sendmail documentation on how to do this.

Bill


Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-22 Thread Bill Landry
Mark Martinec wrote the following on 5/22/2007 10:04 AM -0800:
 Bill,
   
 Okay, then is there any reason to have amavisd-new break e-mail messages
 up for individual parts scanning?
 

 Several virus scanners are not able to decode a MIME structure,
 or do a poor job at it, or can not decode certain types of
 archives or encodings. Carefully decoding by amavisd can also
 protect virus scanners from mail bombs, e.g. recursive archives.

   
Well, hopefully clamav is up to the task of protecting itself from these 
type of exploits - only time will tell...
 MIME and archive decoding also provides information about
 mail structure and its components to banning rules (file names,
 file types, mime types), and to a bad MIME-header check.

   
Hmmm, hopefully I will not miss these additional capabilities.  I'll be 
monitoring carefully for a while.
 Would it make sense to disable parts scanning and just have
 amavisd-new only pass the entire raw message to clamd for scanning?
 

 If you trust your virus scanner, and don't need extra
 information for banning rules, then sure, you may disable
 decodings by amavisd.

 Either disable decoders/dearchivers individually by
 adjusting @decoders list, or turn them off altogether
 by setting  $bypass_decode_parts=1;

 Now with 2.5.1-pre1, the $bypass_decode_parts=1 also
 disables MIME decoding by MIME::Parser, and implicitly
 enables passing of a complete mail to virus scanners,
 which is what you are asking for.
I'm running 2.5.1-pre1 and for testing I have set the following relevant 
parts in my amavisd.config:

$bypass_decode_parts = 1;

$keep_decoded_original_re = 0;

# @keep_decoded_original_maps = (\$keep_decoded_original_re);
#@keep_decoded_original_maps = (new_RE(
#  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
#  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
#  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
## qr'^Zip archive data', # don't trust Archive::Zip
#));

#@decoders = (
#  ['mail', \&do_mime_decode],
#  ['asc',  \&do_ascii],
#  ['uue',  \&do_ascii],
#  ['hqx',  \&do_ascii],
#  ['ync',  \&do_ascii],
#  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
#  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
#  ['gz',   \&do_gunzip],
#  ['gz',   \&do_uncompress,  'gzip -d'],
#  ['bz2',  \&do_uncompress,  'bzip2 -d'],
#  ['lzo',  \&do_uncompress,  'lzop -d'],
#  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
#  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
#  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
#  ['tar',  \&do_tar],
#  ['deb',  \&do_ar,  'ar'],
## ['a',    \&do_ar,  'ar'],  # unpacking .a seems an overkill
#  ['zip',  \&do_unzip],
#  ['rar',  \&do_unrar,  ['rar','unrar'] ],
#  ['arj',  \&do_unarj,  ['arj','unarj'] ],
#  ['arc',  \&do_arc,    ['nomarch','arc'] ],
#  ['zoo',  \&do_zoo, 'zoo'],
#  ['lha',  \&do_lha, 'lha'],
## ['doc',  \&do_ole, 'ripole'],
#  ['cab',  \&do_cabextract,  'cabextract'],
#  ['tnef', \&do_tnef_ext,    'tnef'],
#  ['tnef', \&do_tnef],
#  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
#  ['7z',   \&do_7zip,   ['7zr','7za','7z'] ],
#);

It appears to be working as planned.  Before upgrading:
Virus scanner output:
  p006: Worm.Dumaru.Y FOUND
  p005: Worm.Dumaru.Y FOUND
=

After upgrading:
Virus scanner output:
  p001: Worm.Dumaru.Y FOUND
=

And everything since:
Virus scanner output:
  p001: Trojan.Postcard.eml FOUND

Virus scanner output:
  p001: Exploit.Iframe-1 FOUND

Virus scanner output:
  p001: Worm.Mytob.MG FOUND

Virus scanner output:
  p001: Worm.Scano-6 FOUND

Virus scanner output:
  p001: Worm.Mydoom.M FOUND

Virus scanner output:
  p001: Worm.Dumaru.Y FOUND

Virus scanner output:
  p001: Html.Malware.Sanesecurity.07010800 FOUND

Virus scanner output:
  p001: Worm.Bagle.GV FOUND

Virus scanner output:
  p001: Worm.Mytob.KS FOUND

Virus scanner output:
  p001: Worm.Mydoom.I FOUND

Virus scanner output:
  p001: Worm.Nyxem.E FOUND

Virus scanner output:
  p001: Worm.Bagle-8-zippwd FOUND

Virus scanner output:
  p001: Worm.Lovgate.R FOUND

Virus scanner output:
  p001: Worm.Bagle.GV FOUND
=

Thanks Mark, I'll let you know if I see anything strange since making 
the upgrade and amavisd.config changes.

Bill



Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-21 Thread Bill Landry
Mark Martinec wrote the following on 5/21/2007 5:06 PM -0800:
 Bill,

   
 I've noticed that when multiple message parts match different clamav
 signatures, *all* the signature names must be listed in
 @virus_name_to_spam_score_maps for it to be considered spam.
 

 Yes, as documented in RELEASE_NOTES:

   [...] When a virus scanner returns
   names of viruses, and all provided names are matched by the
   @virus_name_to_spam_score_maps, and no other virus scanner has
   anything more sinister to report, then a message is _not_ flagged
   as a virus, but a corresponding spam score is contributed to other
   spam results [...]

 This is a key issue here.

 In your test example, after enabling /^MAIL$/ (which requests that
 a full message is passed to virus scanners, besides each decoded
 part), clamd starts to report _two_ malware names.
   
Mark, can you tell me why the Email.Malware are still not detected
without enabling /^MAIL$/?  I would like to keep virus scan processing
to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
not detected.
 As the 'Phishing.Email' was not in your @virus_name_to_spam_score_maps
 list, such mail did not fulfill the requirement that _all_ reported
 names must be in the list for the result to be turned into spam,
 so you ended up with a quarantined 'virus'.
Thanks for the explanation, and thanks to Noel for his assistance in
figuring this out off-list over the weekend.

Bill



Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-21 Thread Bill Landry
Noel Jones wrote the following on 5/21/2007 9:32 PM -0800:
 At 09:55 PM 5/21/2007, Bill Landry wrote:
   
 Mark, can you tell me why the Email.Malware are still not detected
 without enabling /^MAIL$/?  I would like to keep virus scan processing
 to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
 not detected.
 

 Most of the Email.Malware signatures are email type 
 signatures.   Clamav must be presented with a file recognizable as an 
 email (Received: headers and other clues) for these signatures to even 
 be checked.

 You must always present clamav with raw email files to use all the 
 published signatures.  In addition to the SaneSecurity add-on 
 signatures, most of the official clam Phish signatures are email 
 type, along with several official trojan & worm signatures.

 If you don't set amavisd-new to scan the full email message, you 
 effectively disable all signatures requiring an email message.

   
Okay, then is there any reason to have amavisd-new break e-mail messages
up for individual parts scanning?  Would it make sense to disable parts
scanning and just have amavisd-new only pass the entire raw message to
clamd for scanning?

Bill




Re: [AMaViS-user] amavisd, postfix and dkfilter?

2007-05-20 Thread Bill Landry
Charlie Farinella wrote the following on 5/16/2007 11:33 AM -0800:
 Is anyone using amavisd with postfix and dkfilter?  I need to attach 
 domain keys to my outgoing mail and am getting confused.  dkfilter wants 
 to be a content_filter and if  I'm seeing this correctly, it seems that 
 postfix can only have one content_filter and that needs to be amavisd.

 Help, pointers to documentation, etc. are appreciated.
   

I'm not using dkfilter, but rather dk-milter, postfix, and amavisd-new. 
Depending on what version of postfix you are using (v2.3 or newer), you
might consider using dk-milter and set it up to sign only outgoing mail
for your domain(s) - you can find a link to it from the Postfix add-on
page:  http://www.postfix.org/addon.html.

If you decide to consider dk-milter, see the postfix MILTER_README: 
http://www.postfix.org/MILTER_README.html for setup and configuration
information.

Otherwise, you could consider running multiple content_filters, either
chained (postfix -> dkfilter -> amavisd -> postfix) or set up amavisd-new
via main.cf and dkfilter via master.cf under smtpd (postfix -> dkfilter
-> postfix -> amavisd -> postfix).  Either will work, but the second
option may be easier to set up and maintain.

As for setting up dkfilter to work with postfix, I have not used it, but
the dkfilter site recommends:
http://www.postfix.org/CONTENT_INSPECTION_README.html for postfix setup
information.

Bill



[AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
I have been exchanging e-mails with Steve Basford of SaneSecurity 
regarding malware e-mails that are not detected and quarantined by 
amavisd-new, yet are detected fine when scanned directly by clamdscan.  
Here are my amavisd.conf entries for SaneSecurity and MSRBL signature 
detection:

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
           [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
           [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1 ],
           [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1 ],
  ));

However, it does not seem to detect and quarantine any signature that 
starts with Email, even though clamdscan correctly detects and reports 
the malware signature:

clamdscan test.msg
test.msg: Email.Malware.Sanesecurity.07051800 FOUND

The entries in amavisd.conf look correct, but for some reason, malware 
signatures beginning with Email do not get detected and quarantined by 
amavisd-new.  Thoughts?

Thanks,

Bill




Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
Mark Martinec wrote the following on 5/18/2007 11:52 AM -0800:
 Bill,

   
  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
  [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
  [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1 ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1 ],
 

   
 However, it does not seem to detect and quarantine any signature that
 starts with Email, even though clamdscan correctly detects and reports
 the malware signature:
   test.msg: Email.Malware.Sanesecurity.07051800 FOUND
 The entries in amavisd.conf look correct, but for some reason, malware
 signatures beginning with Email do not get detected and quarantined by
 amavisd-new.  Thoughts?
 

 Why do you have the second entry (... => undef) ???
 If matched, it terminates the search and reports that a lookup
 did not find anything.  You probably intended to just remove the line.

   Mark
   
Hi Mark,

It's set up this way because that's the way you have it shown in the 
amavisd.conf-default file that comes with the distro, and I want the 
file to be quarantined.  However, Steve had me try the following:
=
Change this signature from:

Email.Malware.Sanesecurity.07051800:4:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c

to:
Email.Malware.Sanesecurity.07051800:0:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c

I.e. change the type 4 (mail file) to type 0 (all file types).   Save and
re-load clamd.

Now re-send the ecard to yourself... is it detected now?

If it does work then it looks like amavisd-new separates the headers
from the body...and then uses clamd to scan the body ONLY... which might
be no type 4 (Email.) would ever work?   But I'm sure you would have
noticed.
=

and without any changes to the amavisd.conf file, amavisd-new now correctly 
identifies the malware and quarantines the message.  Mark/Steve, how would you 
suggest we handle these going forward?

Thanks,

Bill




Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
Mark Martinec wrote the following on 5/18/2007 12:46 PM -0800:
 Bill,

   
  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
  [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
  [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1 ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1 ],
 

   
 It's set up this way because that's the way you have it shown in the
 amavisd.conf-default file that comes with the distro
 

 I have it that way, because I wanted to have the:

   ^(Email|Html)\.Malware\.Sanesecurity\.

 treated as a virus, and not as a spam.

 The rule stands above the
   ^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.
 rule, which would have matched on such name too.

 So my intention is to let Email|Html  *   .Sanesecurity
 be spam, except for   Email|Html .Malware .Sanesecurity

   
Yep, that's exactly what I want, as well.  However, it does not work 
this way in reality.  I can send you a sample malware off-list to test 
with, if you would like (let me know).
   
 If it does work then it looks like amavisd-new separates the headers
 from the body...and then uses clamd to scan the body ONLY...
 

 Yes, as always, except when some decoder declares it is
 unable to decode, or if @keep_decoded_original_maps matches,
 in this case AV scanner would also see the complete mail,
 in addition to each decoded part.
   

I know that, as Noel suggested, I can set qr'^MAIL$', but didn't 
really want to have to do that unless absolutely necessary due to the 
additional overhead.

Bill
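Mark's explanation of why the 'Malware' entry sits above the generic Sanesecurity entry (first-match lookup, with undef meaning "matched, but no spam score") is easier to see when the lookup is run over a few names. The following is an added example written for this thread, not amavisd's own code: it is a constructed Python model of the first-match walk over @virus_name_to_spam_score_maps, with the regexps taken from Bill's posted map, and it also shows what the same names do once the 'Malware' line is dropped.

```python
import re
from typing import Optional, Sequence, Tuple

# Constructed model of the first-match lookup amavisd-new performs on
# @virus_name_to_spam_score_maps (example code, not amavisd's own).
# Each entry pairs a regexp with a spam score; the list is walked in
# order and the first match ends the search.  A value of None stands in
# for Perl's undef: the lookup reports "nothing found", so the name is
# handled like any other virus name (infected, quarantined) instead of
# being turned into spam points.  That is why the 'Malware' rule must
# sit above the generic Sanesecurity rule, which would also match it.

Rule = Tuple[re.Pattern, Optional[float]]

DEFAULT_RULES: Sequence[Rule] = (
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
)

# The same map with the 'Malware' line removed, to show what changes.
RULES_WITHOUT_MALWARE: Sequence[Rule] = DEFAULT_RULES[:1] + DEFAULT_RULES[2:]

NO_MATCH = object()   # sentinel: no entry matched at all


def lookup(virus_name: str, rules: Sequence[Rule] = DEFAULT_RULES):
    """Value of the first matching rule; None (undef) still stops the search."""
    for pattern, score in rules:
        if pattern.search(virus_name):
            return score
    return NO_MATCH


def classify(virus_name: str, rules: Sequence[Rule] = DEFAULT_RULES):
    """('virus', None) = keep as infected/quarantine; ('spam', score) = spam points."""
    score = lookup(virus_name, rules)
    if score is NO_MATCH or score is None:
        return ('virus', None)
    return ('spam', score)


if __name__ == '__main__':
    for name in ('Email.Malware.Sanesecurity.07051800',
                 'Email.Phishing.Sanesecurity.1',
                 'Html.Img.Sanesecurity.1',
                 'MSRBL-SPAM.abc',
                 'Eicar-Test-Signature'):
        print(f'{name:40} default: {classify(name)}  '
              f'no-Malware-rule: {classify(name, RULES_WITHOUT_MALWARE)}')
```

With the 'Malware' line present, Email.Malware.Sanesecurity.* is still a virus (quarantine), while the other Sanesecurity and MSRBL names become 0.1 spam points; drop that line and the generic rule swallows the Malware names too, which is the behaviour Mark says he wanted to avoid.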



Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
Bill Landry wrote the following on 5/18/2007 12:54 PM -0800:
 Mark Martinec wrote the following on 5/18/2007 12:46 PM -0800:
   
 Bill,

   
 
  [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
  [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
  [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 0.1 ],
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 0.1 ],
 
   
   
 
 It's set up this way because that's the way you have it shown in the
 amavisd.conf-default file that comes with the distro
 
   
 I have it that way, because I wanted to have the:

   ^(Email|Html)\.Malware\.Sanesecurity\.

 treated as a virus, and not as a spam.

 The rule stands above the
   ^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.
 rule, which would have matched on such name too.

 So my intention is to let Email|Html  *   .Sanesecurity
 be spam, except for   Email|Html .Malware .Sanesecurity

   
 
 Yep, that's exactly what I want, as well.  However, it does not work 
 this way in reality.  I can send you a sample malware off-list to test 
 with, if you would like (let me know).
   
   
 
 If it does work then it looks like amavisd-new separates the headers
 from the body...and then uses clamd to scan the body ONLY...
 
   
 Yes, as always, except when some decoder declares it is
 unable to decode, or if @keep_decoded_original_maps matches,
 in this case AV scanner would also see the complete mail,
 in addition to each decoded part.
   
 

 I know that, as Noel suggested, I can set qr'^MAIL$', but didn't 
 really want to have to do that unless absolutely necessary due to the 
 additional overhead.

Well, this was not a good solution:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
));

as this had the effect of quarantining everything that SaneSecurity and 
MSRBL detected, including spam, phish, image, scam, etc., and not just 
malware.  :-(

Any other suggestions?  Thanks,

Bill



Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
Noel Jones wrote the following on 5/18/2007 3:14 PM -0800:
 At 04:49 PM 5/18/2007, Bill Landry wrote:
   
 Well, this was not a good solution:

 @keep_decoded_original_maps = (new_RE(
   qr'^MAIL$',   # retain full original message for virus checking (can
 be slow)

 as this had the effect of quarantining everything that SaneSecurity and
 MSRBL detected, including spam, phish, image, scam, etc., and not just
 malware.  :-(

 Any other suggestions?  Thanks,
 

 I think your @virus_name_to_spam_score_maps is somehow 
 wrong.  Scanning the raw email doesn't change the result text from clamdscan.

   
Other than score changes, it's identical to what can be found in the 
amavis.conf-default included with the distro:

@virus_name_to_spam_score_maps =
  (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 1.5 ],
           [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
           [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 1.5 ],
           [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 1.5 ],
  ));

Let me know if you see anything wrong here...

Thanks,

Bill



Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new

2007-05-18 Thread Bill Landry
Noel Jones wrote the following on 5/18/2007 3:37 PM -0800:
 At 05:28 PM 5/18/2007, Bill Landry wrote:
   
 Noel Jones wrote the following on 5/18/2007 3:14 PM -0800:
 
 At 04:49 PM 5/18/2007, Bill Landry wrote:

   
 Well, this was not a good solution:

 @keep_decoded_original_maps = (new_RE(
   qr'^MAIL$',   # retain full original message for virus checking (can
 be slow)

 as this had the effect of quarantining everything that SaneSecurity and
 MSRBL detected, including spam, phish, image, scam, etc., and not just
 malware.  :-(

 Any other suggestions?  Thanks,

 
 I think your @virus_name_to_spam_score_maps is somehow
 wrong.  Scanning the raw email doesn't change the result text 
   
 from clamdscan.
 
   
 Other than score changes, it's identical to what can be found in the
 amavis.conf-default included with the distro:

 @virus_name_to_spam_score_maps =
   (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 1.5 ],
            [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'          => undef ],
            [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'       => 1.5 ],
            [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'                   => 1.5 ],
   ));

 Let me know if you see anything wrong here...
 

 I don't see any obvious problems above.  You don't happen to have 
 @virus_name_to_spam_score_maps defined more than once, do you?

 maybe Mark has other suggestions.

   
No, it's only defined once:

grep virus_name_to_spam_score_maps /etc/amavisd.conf
@virus_name_to_spam_score_maps =

Thanks for the feedback!

Bill



Re: [AMaViS-user] postfix/amavisd-new

2007-05-10 Thread Bill Landry
mouss wrote the following on 5/10/2007 1:26 PM -0800:
 it is recommended to pass outbound mail through a virus checker. one way 
 to do this is to tell amavisd-new to listen on two ports (10024 and 
 10586 for instance) and use
 ...  FILTER amavis:[127.0.0.1]:10586
 for outbound mail (mynetworks and if user was authenticated):

 smtpd_recipient_restrictions =
 ...
 check_client_access pcre:/etc/postfix/filter_outbound
 permit_mynetworks
 permit_sasl_authenticated
 check_client_access pcre:/etc/postfix/filter_inbound
 reject_unauth_destination
 ..

 filter_outbound:
 /./  FILTER amavis:[1027.0.0.1]:10586

 filter_inbound:
 /./  FILTER amavis:[127.0.0.1]:10024
   
I can see how this will work fine for outbound mail from networks listed 
in mynetworks; however, what is to prevent inbound mail from being 
virus scanned twice, once by each filter?

Bill



Re: [AMaViS-user] postfix/amavisd-new

2007-05-10 Thread Bill Landry
Gary V wrote the following on 5/10/2007 2:31 PM -0800:
 Bill wrote:

   
 Gary V wrote the following on 5/10/2007 2:21 PM -0800:
 
 Bill wrote:

   
   
 mouss wrote the following on 5/10/2007 1:26 PM -0800:
 
 
 it is recommended to pass outbound mail through a virus checker. one way 
 to do this is to tell amavisd-new to listen on two ports (10024 and 
 10586 for instance) and use
 ...  FILTER amavis:[127.0.0.1]:10586
 for outbound mail (mynetworks and if user was authenticated):

 smtpd_recipient_restrictions =
 ...
 check_client_access pcre:/etc/postfix/filter_outbound
 permit_mynetworks
 permit_sasl_authenticated
 check_client_access pcre:/etc/postfix/filter_inbound
 reject_unauth_destination
 ..

 filter_outbound:
 /./  FILTER amavis:[1027.0.0.1]:10586

 filter_inbound:
 /./  FILTER amavis:[127.0.0.1]:10024
   
   
   
 I can see how this will work fine for outbound mail from networks listed 
 in mynetworks; however, what is to prevent inbound mail from being 
 virus scanned twice, once by each filter?
 
 
 The last one used wins.

   
   
 Yep, so either inbound mail gets processed by just the first content 
 filter (in which case we are an open relay) or it gets processed by both 
 (not a good use of resources).  So which is it?
 

   
 Bill
 

 FILTER results in DUNNO. The message is not sent to the FILTER at that
 point, FILTER overrides the transport. The message is not transported
 anywhere until it is accepted - queued.
   

Rules are processed top down.  Since everything will match /./ in the 
first filter rule, everything will be sent to the first 
amavis:[1027.0.0.1]:10586 content_filter.  Unless some post 
content_filter filtering is being done, nothing ever gets past the first 
filter, and everything only gets virus scanned and relayed.  If I am 
totally misunderstanding this, then please explain how anything ever gets 
past check_client_access pcre:/etc/postfix/filter_outbound in the 
smtpd_recipient_restrictions?  If that's the end of processing, then we 
are in trouble.

Bill



Re: [AMaViS-user] postfix/amavisd-new

2007-05-10 Thread Bill Landry
Jeremy Laidman wrote the following on 5/10/2007 3:40 PM -0800:
 Bill Landry wrote:

   
 smtpd_recipient_restrictions =
 ...
 check_client_access pcre:/etc/postfix/filter_outbound
 permit_mynetworks
 permit_sasl_authenticated
 check_client_access pcre:/etc/postfix/filter_inbound
 reject_unauth_destination
 ..
   

   
 Rules are processed top down.  Since everything will match /./ in the 
 first filter rule, everything will be sent to the first 
 amavis:[1027.0.0.1]:10586 content_filter.  Unless some post 
 content_filter filtering is being done, nothing ever gets past the first 
 filter, and everything only gets virus scanned and relayed.  If I am 
 totally misunderstanding this, then please explain how anything ever gets 
 past check_client_access pcre:/etc/postfix/filter_outbound in the 
 smtpd_recipient_restrictions?  If that's the end of processing, then we 
 are in trouble.
 

 If permit_mynetworks or permit_sasl_authenticated matches, then the second
 check_client_access never gets hit, so only the first filter applies.
   

So explain a situation where the first filter would *not* apply.  As 
written, it applies to everything and anything after 
check_client_access pcre:/etc/postfix/filter_outbound is useless, as 
everything will be sent to the first content_filter and thus, end of 
smtpd_recipient_restrictions processing.

Bill



Re: [AMaViS-user] postfix/amavisd-new

2007-05-10 Thread Bill Landry
Mark Martinec wrote the following on 5/10/2007 4:27 PM -0800:
 On Friday May 11 2007 00:51:14 Bill Landry wrote:
   
 So explain a situation where the first filter would *not* apply.  As
 written, it applies to everything and anything after
 check_client_access pcre:/etc/postfix/filter_outbound is useless, as
 everything will be sent to the first content_filter and thus, end of
 smtpd_recipient_restrictions processing.
 

 The FILTER action only replaces the current content_filter setting
 and does not stop processing restrictions. Multiple FILTER
 actions can all stick their value into a content_filter
 one after another, whatever remains there when some restriction
 finally does terminate processing (or the list runs out)
 then applies as the chosen setting for the content_filter.

   
Ah, ok, now the light bulb is lit.  Thanks for the explanation, I didn't 
realize that was how the filter action worked, nor did I understand what 
Gary was saying.  It makes sense now.

Thanks,

Bill
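The point Mark makes (FILTER only replaces the pending content_filter setting and returns DUNNO; the first permit or reject ends the restriction list, and whatever FILTER value was set last is the one applied) can be checked by walking mouss's restriction list for a few kinds of client. The block below is an added example for this thread and is not Postfix code: it is a constructed model of smtpd_recipient_restrictions evaluation covering only the restrictions in the quoted configuration, with both amavisd listeners on 127.0.0.1 and the two ports from the thread.

```python
import re

# Constructed model of smtpd_recipient_restrictions evaluation (example
# code, not Postfix's own).  Only what is needed to show the FILTER
# behaviour is modelled: restrictions are tried top-down, a pcre access
# map whose result is "FILTER transport" records the transport and
# answers DUNNO (so the walk continues), and the first permit/reject
# ends the list.  The transport recorded last is the one the queued
# message is handed to, so each message is scanned exactly once.

# The two pcre tables from the thread: /./ matches every client.
FILTER_OUTBOUND = [(re.compile(r'.'), 'FILTER amavis:[127.0.0.1]:10586')]
FILTER_INBOUND = [(re.compile(r'.'), 'FILTER amavis:[127.0.0.1]:10024')]

RESTRICTIONS = [
    ('check_client_access', FILTER_OUTBOUND),
    ('permit_mynetworks', None),
    ('permit_sasl_authenticated', None),
    ('check_client_access', FILTER_INBOUND),
    ('reject_unauth_destination', None),
]


def access_lookup(table, key):
    """First-match lookup in a pcre-style access table; None if no entry matches."""
    for pattern, result in table:
        if pattern.search(key):
            return result
    return None


def evaluate_rcpt(client_addr, mynetworks_member, sasl_authenticated, recipient_is_ours):
    """Return (decision, content_filter) for one RCPT TO from the given client.

    content_filter is the transport a FILTER action left behind when the
    decision was reached; on reject nothing is queued, so it is None.
    """
    content_filter = None          # main.cf content_filter would be the default
    for name, table in RESTRICTIONS:
        if name == 'check_client_access':
            result = access_lookup(table, client_addr)
            if result and result.startswith('FILTER '):
                content_filter = result[len('FILTER '):]
            continue               # FILTER == DUNNO: keep walking the list
        if name == 'permit_mynetworks' and mynetworks_member:
            return ('permit', content_filter)
        if name == 'permit_sasl_authenticated' and sasl_authenticated:
            return ('permit', content_filter)
        if name == 'reject_unauth_destination' and not recipient_is_ours:
            return ('reject', None)
    return ('permit', content_filter)   # list exhausted: implicit permit


if __name__ == '__main__':
    print('LAN client      :', evaluate_rcpt('192.0.2.5', True, False, False))
    print('SASL client     :', evaluate_rcpt('203.0.113.9', False, True, False))
    print('inbound to us   :', evaluate_rcpt('203.0.113.9', False, False, True))
    print('relay attempt   :', evaluate_rcpt('203.0.113.9', False, False, False))
```

A client in mynetworks (or one that authenticated) is permitted at permit_mynetworks / permit_sasl_authenticated with the :10586 transport still pending, so it goes to the outbound listener; an outside client reaches the second check_client_access, which overwrites the pending value with :10024, and is then either permitted (our recipient) or rejected before anything is queued.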



Re: [AMaViS-user] phishing fraud spam in 2.5.0-pre3

2007-03-21 Thread Bill Landry
Mark Martinec wrote the following on 3/21/2007 6:51 AM -0800:
 Bob,

   
 ah, does SA get any indication that clamav thinks the email is a phish?
 

 No, currently not. An artificial header field could be inserted I guess,
 but for the moment I don't think it is really needed, these phishing
 scams collect enough spam points by themselves.
   
I like the artificial header idea.  If you could at least make it an 
optional flag that would be great.  Would be nice to be able to add a 
few SA points if ClamAV detects phish, image, scam, etc., messages, 
otherwise it doesn't make much sense to use the additional ClamAV 
signature files provided by SaneSecurity and MSRBL.

Bill
   
 Otherwise I guess turning off phishing signatures (as I currently have)
 is pretty similar in affect.
 

 ...except for the absence of the additional 14 score points,
 contributed by @virus_name_to_spam_score_maps.

   Mark


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV


Re: [AMaViS-user] phishing fraud spam in 2.5.0-pre3

2007-03-21 Thread Bill Landry
Mark Martinec wrote the following on 3/21/2007 12:51 PM -0800:
 Bill,

   
 I like the artificial header idea.  If you could at least make it an
 optional flag that would be great.  Would be nice to be able to add a
 few SA points if ClamAV detects phish, image, scam, etc., messages,
 otherwise it doesn't make much sense to use the additional ClamAV
 signature files provided by SaneSecurity and MSRBL.
 

 You already have the ability (with 2.5.0-pre3) to add score points
 based on phish, image, scam, etc., the only reason why one would
 like to have an artificial header field passed to SA is to be
 able to have all the rules in one place (local.cf), and perhaps
 for Bayes to see this information.
   
Ah, my misunderstanding, thanks for the clarification, that would meet 
my needs just fine.
 Nevertheless, it can't hurt to provide this ability. One has then
 a choice to adjust scores either in the @virus_name_to_spam_score_maps
 in amavisd.conf, or by providing rules to match on the artificial
 X-Amavis-AV-Status header field, which will be seen by SA only
 (not in passed or quarantined mail).

 The following patch to 2.5.0-pre3 provides it:

 --- amavisd.orig  Mon Mar 12 21:51:24 2007
 +++ amavisd   Wed Mar 21 20:33:05 2007
 @@ -1353,5 +1353,9 @@
  
  @virus_name_to_spam_score_maps =
 -  (new_RE( [qr'^(?:Email|HTML)\.Phishing\.'i = 14] ));
 +  (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i = 0.1 ],
 +   [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
 + (\.[^.]*)* \.Sanesecurity\.'x = 0.1 ],
 +   [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' = 0.1 ],
 +  ));
  
  # prepend a lookup table label object for logging purposes
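Review bot: the new default map scores the `^(Email|HTML)\.Phishing\.` branch at 0.1 where the removed line gave it 14, so a site that upgrades without also adding the local.cf rules described further down loses nearly the whole phishing penalty; either keep 14 for the Phishing branch in the shipped default or state the behaviour change in the release notes. The second entry relies on the `x` modifier to ignore the line break and the blank before `\.Sanesecurity\.`; a short comment saying so would spare the next reader from assuming a literal space is matched.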
 @@ -16973,4 +16977,6 @@
push(@lines, sprintf(X-Amavis-OS-Fingerprint: %s\n,
 sanitize_str($os_fp)))  if $os_fp ne '';
 +  push(@lines, sprintf(X-Amavis-AV-Status: %s\n,
 + sanitize_str($msginfo-spam_status)))  if $msginfo-spam_status ne 
 '';
my($pbpath) = c('policy_bank_path');
push(@lines, sprintf(X-Amavis-PolicyBank: %s\n,$pbpath))  if $pbpath ne 
 '';
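Review bot: the added `X-Amavis-AV-Status` line takes its value from `$msginfo-spam_status` while the field name says AV status; add a comment stating which scanner results end up in spam_status at this point, since a reader will expect an AV-status field to be fed from the virus scanner's names. The new field should also be documented next to `X-Amavis-OS-Fingerprint` and `X-Amavis-PolicyBank` (README or release notes), including that it is only visible to SpamAssassin and never reaches passed or quarantined mail, so local.cf rule authors know where they may and may not match on it.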


 The above just adds 0.1 score point for each match, but turns off the
 infection flag regardless of the actual value on the RHS. The idea is to
 provide additional score points by SA rules below.

 The following rules may be placed in local.cf:

 header L_AV_Phish      X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i
 header L_AV_SS_Phish   X-Amavis-AV-Status =~ m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.}
 header L_AV_SS_Scam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)*\.Sanesecurity\.}
 header L_AV_SS_Spam    X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.}
 header L_AV_SS_Hdr     X-Amavis-AV-Status =~ m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.}
 header L_AV_SS_Img     X-Amavis-AV-Status =~ m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.}
 header L_AV_MSRBL_Img  X-Amavis-AV-Status =~ m{\bMSRBL-Images/}
 header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}

 score  L_AV_Phish  14
 score  L_AV_SS_Phish   -3
 score  L_AV_SS_Scam6
 score  L_AV_SS_Spam6
 score  L_AV_SS_Hdr 3
 score  L_AV_SS_Img 3
 score  L_AV_MSRBL_Img  3
 score  L_AV_MSRBL_Spam 6

   
That's one of the biggest reasons why I love Amavisd-New, you always 
make your best effort to accommodate reasonable requests, if possible.

Thanks again!

Bill



[AMaViS-user] How to force amavis to write out full log entry to syslog

2007-03-14 Thread Bill Landry
I am running amavisd-new-2.4.5 (20070130).  I'm wondering if there a way 
to change how amavis logs to the syslog, in particular, a way to keep it 
from truncating part of the log entry?  For example:

Mar 14 09:34:24 mail amavis[1881]: (01881-05) ...BL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_MP_BLOCK=2,URIBL_SC_SURBL=3,URIBL_SC_SWINOG=1.5,URIBL_WS_SURBL=2], autolearn=spam, 19536 ms

Mar 14 11:23:06 mail amavis[2956]: (02956-03) ..._IMAGE=2.5,STOCK_IMG_HDR_FROM=1,STOCK_IMG_HTML=1,TVD_FW_GRAPHIC_ID1=2.1,URIBL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_SC_SWINOG=1.5,XTRA_COMPRESS_IMAGE=0.5], autolearn=spam, 65442 ms

Mar 14 12:11:29 mail amavis[2956]: (02956-11) ...K_IMG_HDR_FROM=1,STOCK_IMG_HTML=1,TVD_FW_GRAPHIC_ID1=2.1,TW_CV=0.077,TW_SV=0.077,URIBL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_OB_SURBL=3,URIBL_SC_SWINOG=1.5,XTRA_COMPRESS_IMAGE=0.5], autolearn=spam, 47431 ms

This causes my hit report to be inaccurate.  Any suggestions would be 
much appreciated.

Bill



Re: [AMaViS-user] How to force amavis to write out full log entry tosyslog

2007-03-14 Thread Bill Landry
MrC wrote the following on 3/14/2007 4:20 PM -0800:
 I am running amavisd-new-2.4.5 (20070130).  I'm wondering if 
 there a way to change how amavis logs to the syslog, in 
 particular, a way to keep it from truncating part of the log 
 entry?  For example:

 

 Bill,

 These entries are continuation lines.  They must be joined with previous
 lines with the same amavis PID / instance.

 amavis cuts syslog lines to stay below 1023 bytes including the prefix,
 for a maximum length of 980 chars.

my($logline_size) = 980;  # less than  (1023 - prefix)

 I suppose this is a compatibility issue for systems whose syslog handles 
 1k bytes.

 See the beginning of the amavis filter for logwatch for perl code that
 performs continuation line joining.

http://www.mikecappella.com/logwatch/amavis.tgz

 MrC
   
Hmmm, right you are.  Thanks for the info and the link.

Bill
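MrC's point is that the lines Bill quoted are not truncated but split: amavisd emits a continuation chunk, starting with "...", under the same PID and instance id, and a hit report has to rejoin them before parsing the tests=[...] list. The block below is an added example for this thread (not MrC's logwatch filter and not amavisd code): a constructed Python joiner keyed on the instance id, run over constructed log lines in the same shape as Bill's. It assumes the first chunk also ends with "..." and strips that marker when present; the leading "..." on the continuation is the convention visible in the quoted log.

```python
import re

# Constructed joiner for amavis syslog continuation lines (example code,
# not amavisd's or the logwatch filter's own).  amavisd splits a long log
# line into chunks that carry the same "amavis[pid]: (instance)" prefix;
# the continuation chunk begins with "...".  This parser buffers records
# per instance id and glues continuation text onto the most recent record
# for that instance, so interleaved lines from other instances do not
# break the join.

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) amavis\[(?P<pid>\d+)\]: '
    r'\((?P<inst>\d+-\d+)\) (?P<msg>.*)$')

HITS_RE = re.compile(r'tests=\[([^\]]*)\]')

# Constructed sample: one split entry (01881-05) with an unrelated entry
# from another child process interleaved between its two chunks.
SAMPLE_LOG = [
    "Mar 14 09:34:24 mail amavis[1881]: (01881-05) Passed SPAM, [192.0.2.10] "
    "<s@example.org> -> <r@example.net>, Hits: 23.2, "
    "tests=[BAYES_99=3.5,HTML_MESSAGE=0.001,RCVD_IN_XBL=3,URI...",
    "Mar 14 09:34:24 mail amavis[1882]: (01882-01) Passed CLEAN, [192.0.2.11] "
    "<a@example.com> -> <b@example.net>, Hits: -2.6, tests=[BAYES_00=-2.599], "
    "autolearn=ham, 812 ms",
    "Mar 14 09:34:24 mail amavis[1881]: (01881-05) ...BL_AB_SURBL=3,URIBL_BLACK=2.5,"
    "URIBL_JP_SURBL=4.087], autolearn=spam, 19536 ms",
]


def join_continuations(lines):
    """Return complete log records, in order of each record's first chunk."""
    records = []        # [prefix, message] per record
    latest = {}         # instance id -> index of its most recent record
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            records.append(['', line])          # not an amavis line: pass through
            continue
        inst, msg = m.group('inst'), m.group('msg')
        if msg.startswith('...') and inst in latest:
            rec = records[latest[inst]]
            if rec[1].endswith('...'):          # assumed trailing split marker
                rec[1] = rec[1][:-3]
            rec[1] += msg[3:]
        else:
            records.append([line[:m.start('msg')], msg])
            latest[inst] = len(records) - 1
    return [prefix + msg for prefix, msg in records]


def extract_hits(record):
    """Map of SA rule name -> score from a record's tests=[...] list, or None
    when the list is not complete (which is what an unjoined chunk gives)."""
    m = HITS_RE.search(record)
    if not m:
        return None
    hits = {}
    for item in m.group(1).split(','):
        name, _, score = item.partition('=')
        if name:
            hits[name] = float(score)
    return hits


if __name__ == '__main__':
    for rec in join_continuations(SAMPLE_LOG):
        print(rec)
        print('  hits:', extract_hits(rec))
```

Run on the sample, the first chunk alone yields no usable tests list, while the joined record gives the full set of six rule hits, including URIBL_AB_SURBL, which was cut in half across the two chunks.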



Re: [AMaViS-user] How to actually block

2007-03-09 Thread Bill Landry
Jason Gauthier wrote the following on 3/9/2007 9:39 AM -0800:
  Greetings,

This is a very nubile question, and I realize that.  However, I
 cannot find exactly what I'm looking for in the documentation.  (Or it's
 answered in a way I am not understanding)

 I would like to actually stop email coming in from certain domains, or
 email addresses.
 I am using the blacklist now which just elevates the spam score to 64.
 I would like to actually drop the email completely. (Or bounce it).

 How can I achieve this functionality?

 Thanks,

 Jason
Look into doing this via whatever MTA you are using.  This would allow 
you to reject the delivery rather than receive and bounce.

Bill



Re: [AMaViS-user] IP addresses printed in reverse in log file

2007-02-06 Thread Bill Landry
Nicklas Bondesson wrote the following on 2/6/2007 11:10 AM -0800:
 When I look at my log file from amavisd some/all IP addresses are printed in
 reverse.

 Passed CLEAN, [44.33.22.11] should be printed Passed CLEAN,
 [11.22.33.44]

 This makes it a bit harder to trace and parse the logfile.
   
Are you sure it's reversed?  It doesn't seem to be to me...

Bill

-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642


Re: [AMaViS-user] p0f/p0f-analyzer init.d script?

2007-01-01 Thread Bill Landry
Shaun T. Erickson wrote the following on 1/1/2007 9:39 AM -0800:
 Has anyone come up with a clean way of starting and stopping p0f &
 p0f-analyzer? On my CentOS 4.4 system, there is an init.d script for
 p0f, but that's to use it standalone, logging to a file. I haven't
 been able to figure out how to modify it to cleanly start and stop
 both programs, while still piping them together as maRBL and
 amavisd-new need them to be.
   
I tried the init script and was unsuccessful at making that work. 
Instead, try adding something like the following to /etc/rc.local:

/usr/sbin/p0f -f /etc/p0f/p0f.fp -l 'tcp dst port 25' 2>&1 |
/usr/local/sbin/p0f-analyzer.pl 2345 &

Use whatever recipe you currently use, but make sure you use full paths
to all files.  This will start both p0f & p0f-analyzer upon reboot.

Bill



[AMaViS-user] Suggestions on how to auto-start p0f/p0f-analyzer.pl on reboot

2006-12-20 Thread Bill Landry
Does anyone have any suggestions on how to start p0f/p0f-analyzer.pl 
automatically at system boot time with Fedora?  I have tried using an 
init script with chkconfig and that presented strange results.  I also 
tried adding the following to /etc/rc.local:

/bin/sh /usr/bin/nohup /bin/p0f.sh &

with p0f.sh containing:

p0f -l 'tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345 &

However, that doesn't appear to work either (although executing p0f.sh 
manually works).  Any suggestions?  What are others doing?

Thanks,

Bill



Re: [AMaViS-user] Suggestions on how to auto-start p0f/p0f-analyzer.pl on reboot

2006-12-20 Thread Bill Landry
Peter Matulis wrote the following on 12/20/2006 5:00 PM -0800:
 --- Bill Landry [EMAIL PROTECTED] wrote:

   
 Does anyone have any suggestions on how to start p0f/p0f-analyzer.pl 
 automatically at system boot time with Fedora?  I have tried using an

 init script with chkconfig and that presented strange results.  I
 also 
 tried adding the following to /etc/rc.local:

 /bin/sh /usr/bin/nohup /bin/p0f.sh &

 with p0f.sh containing:

 p0f -l 'tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345 &

 However, that doesn't appear to work either (although executing
 p0f.sh 
 manually works).  Any suggestions?  What are others doing?
 

 You may need to specify the absolute path.

 On OpenBSD, I just put the following command in my /etc/rc.local file:

 /usr/local/sbin/p0f -l 'dst host my_ip and tcp dst port 25' 2>&1 |
 /usr/local/sbin/p0f-analyzer.pl 2345 &
Ah yes, that worked perfectly.  Thanks Peter!

Bill



Re: [AMaViS-user] Tests show Razor2 apparently working ...

2006-10-28 Thread Bill Landry
Shaun T. Erickson wrote:
 ... but I see no evidence of it, in the headers.

 I can run spamassassin in debug mode as the amavis user and it appears
 to me that razor2 is configured properly and being checked. So far,
 none of the mail that's come through since I set it up has been spam,
 so razor hasn't had a hit yet. Is it correct behavior that razor not
 be mentioned in the X-Spam-Status: header, unless it gets a hit?

 Is there any way to have a razor header added to the email? Or a DCC
 or Pyzor header (as I'll be adding those tests next).  Or will they
 only show up in the X-Spam-Status: header, and only if they get a hit?
   
They will only show up in the headers if they get a positive hit on the 
message, just like all other SA tests:

X-Spam-Status: Yes, score=23.595 required=10 tests=[AWL=-2.013, BAYES_99=3.5,
DATE_IN_PAST_06_12=0.827, DCC_CHECK=3.5, DIGEST_MULTIPLE=1,
DK_POLICY_SIGNSOME=0.001, HTML_90_100=0.113, HTML_IMAGE_ONLY_24=1.841,
HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102,
RAZOR2_CF_RANGE_51_100=2.5, RAZOR2_CF_RANGE_E8_51_100=3.5,
RAZOR2_CHECK=1.5, SUBJECT_ENCODED_TWICE=1.723, URIBL_BLACK=2.5,
URIBL_WS_SURBL=2]


Even though I am running Razor, Pyzor, and DCC, Pyzor does not show up 
in this X-Spam-Status header because the message did not hit on Pyzor.  
No different than URIBL_JP_SURBL and URIBL_SC_SURBL did not show up in 
the header, even though I use those tests, because they did not get a 
positive hit on the message.

Bill
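As an added example (not code from this thread, nor from amavisd-new or SpamAssassin), here is a Python parser for the X-Spam-Status header Bill quoted, folded across lines the way amavisd-new writes it. It makes his point mechanical: a digest rule that did not hit is simply absent from tests=[...], so "not listed" cannot distinguish "checked, no hit" from "not run". The sample header is constructed from the one above; the rule-name prefixes RAZOR2_, PYZOR_ and DCC_ are an assumption about SpamAssassin rule naming, and the tolerance in the score check is mine.

```python
import re

# Constructed sample: the X-Spam-Status header quoted above, folded the way
# amavisd-new emits it (continuation lines begin with whitespace).
FOLDED_HEADER = (
    "X-Spam-Status: Yes, score=23.595 required=10 tests=[AWL=-2.013, BAYES_99=3.5,\n"
    "\tDATE_IN_PAST_06_12=0.827, DCC_CHECK=3.5, DIGEST_MULTIPLE=1,\n"
    "\tDK_POLICY_SIGNSOME=0.001, HTML_90_100=0.113, HTML_IMAGE_ONLY_24=1.841,\n"
    "\tHTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102,\n"
    "\tRAZOR2_CF_RANGE_51_100=2.5, RAZOR2_CF_RANGE_E8_51_100=3.5,\n"
    "\tRAZOR2_CHECK=1.5, SUBJECT_ENCODED_TWICE=1.723, URIBL_BLACK=2.5,\n"
    "\tURIBL_WS_SURBL=2]\n"
)

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=\[(?P<tests>[^\]]*)\]",
    re.IGNORECASE,
)

# Assumed SpamAssassin rule-name prefixes for the three digest checks.  The
# thread shows RAZOR2_* and DCC_CHECK; PYZOR_ is my assumption for Pyzor.
DIGEST_PREFIXES = {"razor": "RAZOR2_", "pyzor": "PYZOR_", "dcc": "DCC_"}


def unfold(header):
    """Join folded continuation lines (CRLF or LF followed by SP/HTAB)."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_spam_status(header):
    """Return flag, score, threshold and a {rule: score} dict for one header."""
    m = STATUS_RE.search(unfold(header))
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tests[name] = float(value) if value else 0.0
    return {
        "flag": m.group("flag").lower() == "yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def digest_hits(parsed):
    """Digest rules that fired.  An empty list means 'no hit'; it cannot
    tell you whether the check ran at all, which is the thread's point."""
    return {
        name: sorted(t for t in parsed["tests"] if t.startswith(prefix))
        for name, prefix in DIGEST_PREFIXES.items()
    }


def score_matches_tests(parsed, tolerance=0.0015):
    """Sanity check: listed rule scores should add up to the reported score."""
    return abs(sum(parsed["tests"].values()) - parsed["score"]) <= tolerance


if __name__ == "__main__":
    parsed = parse_spam_status(FOLDED_HEADER)
    print(parsed["flag"], parsed["score"], digest_hits(parsed))
    print("score consistent:", score_matches_tests(parsed))
```

Running it on the sample reports Razor and DCC hits, an empty Pyzor list, and a consistent score; the same parser run over a mailbox of non-spam will show empty lists for all three, which is expected and not evidence that the checks are disabled.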



Re: [AMaViS-user] How to bypass spam filteringforsystemgeneratedmessages

2006-09-29 Thread Bill Landry
- Original Message - 
From: Mark Martinec [EMAIL PROTECTED]

[SNIP]
 Mark, is amavisd-new missing anything that I should be concerned about by
 having mail injected via SMTP vs. ESMTP?  I noticed that Postfix delivers
 to Amavisd via ESMTP, but the smtpclient delivers via SMTP.

 Since you were happy with a previous use of pipe/sendmail, you probably
 won't be missing much. As mouss stated, you'd be throwing away DSN
 options, PIPELINING and 8BITMIME announced capability, and ability to
 pass client IP address to amavisd through XFORWARD smtp command extension,
 but you didn't have these before either.

Thanks Mark.  So would warning like this:

Our content checker found
Non-encoded 8-bit data (char C8 hex): X-Source:
  \310\250\360\267\314|\214\277\312\212\360\267\202\226\360\267...

not be seen if Postfix were delivering to Amavisd via ESMTP?

Bill 




Re: [AMaViS-user] How to bypass spam filtering for system generatedmessages

2006-09-23 Thread Bill Landry
- Original Message - 
From: Gary V [EMAIL PROTECTED]

 Bill wrote:

 I am wondering how people handle system messages and how best to keep 
 them
 from being spam filtered and possibly designated as spam.  Here are the 
 full
 headers from one of my LogWatch messages that got designated as spam:
 ==
 Return-Path: [EMAIL PROTECTED]
 X-Original-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 X-Virus-Scanned: by amavisd-new at mail.example.com
 X-Spam-Flag: YES
 X-Spam-Score: 11.781
 X-Spam-Status: Yes, score=11.781 required=10 tests=[AWL=-12.425,
 BAYES_00=-2.599, BODY_FREE_TRIAL=2.522, BODY_GAPPY_TEXT=1.922,
 BODY_PREAPPROVED=1.811, BODY_ROLEX=3.111, CHICKENPOX_64=0.5,
 CHICKENPOX_82=0.5, LONGWORDS_15=1, LW_FAKEROLEX=5, LW_ROLEX=1,
 LW_ROLEXWATCH=1, NO_RELAYS=-0.001, REPLICA_WATCH=2.9, ROLEX_BODY=0.5,
 SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_NOV5A=1.062,
 SARE_SPEC_ROLEX_REP=1.666, UOLCC_ROLEX_BODY1=0.5]
 To: [EMAIL PROTECTED]
 Subject: LogWatch for mail.example.com
 Message-Id: [EMAIL PROTECTED]
 Date: Fri, 22 Sep 2006 03:17:34 -0700 (PDT)
 From: [EMAIL PROTECTED] (root)
 ==

 Is there a way to direct these system messages so that they bypass spam
 filtering?

 Bill


 http://www200.pair.com/mecham/spam/bypassing.html#11

Thanks Gary, however, the issue I run into with this option is that I run 
multiple content-filters, and the first one actually pipes mail (via the 
Postfix sendmail command) back into postfix which uses the pickup daemon 
to retrieve the message.  Since this content-filter runs before the amavisd 
content-filter, if I add:

pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=

then the amavis content-filter does not get called.  I have to run the amavis 
content-filter second in order for SA to be able to score the header 
mark-up from the first content-filter.  I have not been able to figure out 
if there is a way to tell sendmail to use an alternate pickup daemon 
when piping a message back to Postfix.

Bill 




Re: [AMaViS-user] How to bypass spam filtering for systemgeneratedmessages

2006-09-23 Thread Bill Landry
- Original Message - 
From: Gary V [EMAIL PROTECTED]

 Bill wrote:

 Is there a way to direct these system messages so that they bypass spam
 filtering?

 Bill


 http://www200.pair.com/mecham/spam/bypassing.html#11

 Thanks Gary, however, the issue I run into with this option is that I run
 multiple content-filters, and the first one actually pipes mail (via the
 Postfix sendmail command) back into postfix which uses the pickup 
 daemon
 to retrieve the message.  Since this content-filter runs before the 
 amavisd
 content-filter, if I add:

 pickup    fifo  n       -       n       60      1       pickup
   -o content_filter=

 then the amavis content-filter does not get called.  I have to run the 
 amavis
 content-filter second in order for SA to be able to score the header
 mark-up from the first content-filter.  I have not been able to figure 
 out
 if there is a way to tell sendmail to use an alternate pickup daemon
 when piping a message back to Postfix.

 Bill


 Let's see your master.cf

Sent off-list...

Bill 




Re: [AMaViS-user] How to bypass spam filtering forsystemgeneratedmessages

2006-09-23 Thread Bill Landry
- Original Message - 
From: Gary V [EMAIL PROTECTED]

 Bill wrote:

 Is there a way to direct these system messages so that they bypass spam
 filtering?

 http://www200.pair.com/mecham/spam/bypassing.html#11

 Thanks Gary, however, the issue I run into with this option is that I 
 run
 multiple content-filters, and the first one actually pipes mail (via the
 Postfix sendmail command) back into postfix which uses the pickup
 daemon
 to retrieve the message.  Since this content-filter runs before the
 amavisd content-filter, if I add:

 pickup    fifo  n       -       n       60      1       pickup
   -o content_filter=

 then the amavis content-filter does not get called.  I have to run the
 amavis
 content-filter second in order for SA to be able to score the header
 mark-up from the first content-filter.  I have not been able to figure
 out
 if there is a way to tell sendmail to use an alternate pickup daemon
 when piping a message back to Postfix.

 I did not come up with anything. You have the first filter:

 smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=filter
 snfilter  unix  -       n       n       -       10      pipe
   flags=q user=filter argv=/var/spool/filter/filter -f ${sender} ${recipient}

 which sends everything through the pickup daemon. I could not find a
 way for 'pickup' to differentiate mail from root (for example) from all 
 the
 other mail.

 You mentioned you are changing the filter to deliver via smtp. I'm
 sure this will be more flexible.

 I don't know what this filter does, but moving it to the amavisd-new
 reinjection port might be an option. Then you would need to override
 the content_filter for the pickup daemon to prevent loops. Downside is
 since recipient expansion occurs within amavisd-new, unless I'm wrong,
 the filter would be called for each recipient. On the other hand, does
 this filter expand the recipients so amavisd-new gets a separate
 message for each recipient? If so, you should consider placing the
 less efficient filter in front of the more efficient filter (if it
 makes sense to do so). I assume when a message is expanded in
 amavisd-new, the reinjection port gets one separate message for each
 recipient.

I wrote a script that delivers the post-scanned MessageSniffer message 
directly to amavisd-new on 127.0.0.1:10024 by using the smtpclient to handle 
the delivery instead of the Postfix sendmail client.  This appears to be 
working great, and allows me to bypass content filtering on the Postfix 
pickup daemon.  Chaining the content-filters together also reduces the 
number of message hand-offs and also cuts down on the amount of Postfix 
logging.

The message delivery process now looks like:  Postfix --> MessageSniffer --> 
Amavisd-new --> Postfix --> Maildrop --> Dovecot, removing the Postfix 
hand-off between MessageSniffer and Amavisd-new.

Mark, is amavisd-new missing anything that I should be concerned about by 
having mail injected via SMTP vs. ESMTP?  I noticed that Postfix delivers to 
Amavisd via ESMTP, but the smtpclient delivers via SMTP.

Bill 




[AMaViS-user] SA add_header

2006-09-10 Thread Bill Landry
I am wondering if there is a way to configure amavisd-new to allow SA to add 
the following sample x-header to all messages:

X-Spam-Relay-Country: US CN RU

I have added the following entry to my SA local.cf file, but then realized 
that amavisd-new does all header markup, not SA:

add_header all Relay-Country _RELAYCOUNTRY_

Can this header somehow be allowed or can amavisd-new be patched to provide 
support for the SA RelayDomains plugin?  For now I would just like the 
x-header for informational purposes.

Bill




Re: [AMaViS-user] Avast Anti Virus Config

2006-02-21 Thread Bill Landry
- Original Message - 
From: Mark Martinec [EMAIL PROTECTED]



Ok, a little refinement to not include a space after a virus name,
and to match a '+' literally. Here are the latest avast entries:

 ### http://www.avast.com/
 ['avast! Antivirus daemon',
   \&ask_daemon, # greets with 220, terminate with QUIT
   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
   qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

 ### http://www.avast.com/
 ['avast! Antivirus - Client/Server Version', 'avastlite',
   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
   qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

 ### http://www.avast.com/
 ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
   '-a -i -n -t=A {}', [0], [1], qr/\[infected by: ([^ \t\n\[\]]+)/ ],


Mark, the avastcmd script above does not capture the virus name in the log 
file, rather it's only showing:


Feb 21 09:42:13 mgw1.pointshare.com /usr/local/sbin/amavisd[18217]: (18217-01) run_av (Avast! Antivirus): INFECTED:


However, with the previous script:

### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
 '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

I was getting the virus name:

Feb 16 19:05:28 mgw1.pointshare.com /usr/local/sbin/amavisd[26635]: (26635-01) run_av (Avast Anti-Virus): INFECTED: Win32:Beagle-IB [Wrm]


But I could not quite seem to figure out how to strip the [Wrm] from the 
end of the line.


Bill 






Re: [AMaViS-user] Avast Anti Virus Config

2006-02-13 Thread Bill Landry
- Original Message - 
From: Mark Martinec [EMAIL PROTECTED]



Bill,


 Has anyone created an amavisd.conf entry for Avast AV scanning support?
 If so, would you be willing to share the entry?
Responding to my own post, for anyone interested, the command line entry
for the Avast virus scanner that will work in the amavisd.conf file is:


Avast entries in my current code are:

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,   # greets with 220, terminates with QUIT
#   ["SCAN {}\r\nQUIT\r\n", '/var/run/avast4/mailscanner.sock'],
#   qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/[\t]\[L\][\t](.+)/ ],

 ### http://www.avast.com/
 ['avast! Antivirus', 'avastcmd',
   '-ai -n -tA {}', [0], [1], qr/infected by: (.*)/ ],

kindly provided by Frantisek Mensik, ALWIL Software


Thanks Mark, exactly what I was looking for.  One more question, my log 
output now looks like:

=
Feb 13 10:45:40 mgw1.pointshare.com /usr/local/sbin/amavisd[8400]: (08400-01-2) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T104403-08400/parts INFECTED: Win32:Beagle-HZ [Wrm

=

What modification can I make to:

qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],

in order to cut  [Wrm from the end of the log output line?

Thanks,

Bill 






Re: [AMaViS-user] Avast Anti Virus Config

2006-02-13 Thread Bill Landry
- Original Message - 
From: Mark Martinec [EMAIL PROTECTED]

 Bill,

  (08400-01-2) ask_av (Avast! Antivirus daemon):
  /var/amavis/tmp/amavis-20060213T104403-08400/parts INFECTED:
Win32:Beagle-HZ
  [Wrm

  What modification can I make to:
  qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],
 
  in order to cut  [Wrm from the end of the log output line?

 This regexp does indeed look fishy.

 Could you please provide a couple of samples from the log (level 4 or
above):
   egrep 'ask_av .* result: ' /var/log/amavisd.log

Here are two samples at log level 5:

Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n

Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-HZ [Wrm]\r
=
Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n

Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-AH [Wrm]\r

 The [\t] occurrences could just as well be a plain \t
 and the [^\r\n] eats the last ], and possibly misbehaves
 on Mac OS X. The \[+ looks suspicious too: matching
 one or more left brackets.

 Here is my blind guess at improvement:

 qr/\t\[.\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[\015\012]+)/ ],

Here is the output of the same two viruses from your parse string above:

Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n

Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-HZ
=
Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n

Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-AH

The output looks great.  Let me know if you want to revise the parse string
and would like me to do any further testing for you.

Thanks for your assistance with this, Mark!

Bill
PS, here is what I found to be the most optimal settings for the Avast command
line (avastcmd) scanner entry for amavisd.conf:

### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
  '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

This is based on the following scanner options:
=
avastcmd --help
Usage: avastcmd [OPTION...]
avastcmd v2.0.0 -- command-line virus scanner

Options:
  -_, --console  Application will be working in STDIN/STDOUT
mode
  -a, --testall  Test all of the files (default)
  -b, --blockdevices Scan block devices
  -c, --testfull Scan entire files
  -d, --directoryScan only directory content
  -i, --ignoretype   Ignore virus sets
  -n, --nostats  No virus check statistics
  -p, --continue=1234Automatic action with infected file:
 1:delete, 2:(not supported), 3:repair, 4:stop
  -r, --report=[*]file   Create report file, '*' for OK results
  -t, --archivetype[=ZGBTIJRXOQLAN]   Scan archives: Z:ZIP(default),
 G:GZ(default), B:BZIP2(default),
T:TAR(default),
 I:MIME J:ARJ, R:RAR, X:Exec(default), O:ZOO,
 Q:ARC, H:LHA, 
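As an added example (not part of the thread and not amavisd-new's own code), the name-extraction regexps that passed through this thread are transcribed into Python re and run over a daemon response constructed from the level-5 log above. The Perl qr// patterns are reproduced as written except that \015\012 is spelled \r\n and '[' is escaped inside character classes; the per-line classification is a simplified stand-in for amavisd's ask_daemon logic, not a copy of it. It shows why the original pattern logged "Win32:Beagle-HZ [Wrm", why the first fix left a trailing space, and that the original clean-part pattern \[+\] cannot match a literal "[+]".

```python
import re

# Constructed sample modelled on the avastd "result:" lines quoted in the
# thread: clean parts end in "\t[+]", infected parts in "\t[L]\t<name>".
AVAST_RESPONSE = (
    "220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n"
    "200 OK\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p005\t[+]\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n"
    "\r\n"
    "221 Service closing transmission channel\r\n"
)

# Name-extraction regexps from the thread, Perl qr// -> Python re.  Like Perl,
# Python's '.' matches "\r" but not "\n", so (.+)[^\r\n] backtracks to leave
# the closing ']' for the last atom and captures "... [Wrm".
NAME_PATTERNS = {
    "original":  re.compile(r"[\t]\[L\][\t](.+)[^\r\n]"),
    "first_fix": re.compile(r"\t\[L\]\t([^\[\r\n]+)"),       # keeps trailing space
    "final":     re.compile(r"\t\[L\]\t([^\[ \t\r\n]+)"),    # stops at whitespace
}

# Clean-part regexps.  In the original, \[+\] is "one or more '[' then ']'",
# which never matches the literal "[+]"; the final form escapes the plus.
CLEAN_ORIGINAL = re.compile(r"[\t]\[+\]")
CLEAN_FINAL = re.compile(r"\t\[\+\]")
INFECTED = re.compile(r"\t\[L\]\t")


def virus_names(response, pattern):
    """All group-1 captures of *pattern* over the whole daemon response."""
    return [m.group(1) for m in pattern.finditer(response)]


def compare_patterns(response):
    """Run every name pattern over the response; returns {label: [names]}."""
    return {label: virus_names(response, pat) for label, pat in NAME_PATTERNS.items()}


def parse_response(response, clean_re=CLEAN_FINAL, name_re=NAME_PATTERNS["final"]):
    """Classify each scanned part: {path: None (clean) | virus name | 'UNPARSED'}.

    Simplified stand-in for amavisd's clean/infected/name triple; lines that
    match neither pattern are flagged so a bad regexp is visible, not silent.
    """
    verdicts = {}
    for line in response.split("\r\n"):
        if not line.startswith("/"):
            continue  # 220/200/221 protocol lines and the blank separator
        path = line.split("\t", 1)[0]
        if INFECTED.search(line):
            m = name_re.search(line)
            verdicts[path] = m.group(1) if m else "UNKNOWN"
        elif clean_re.search(line):
            verdicts[path] = None
        else:
            verdicts[path] = "UNPARSED"
    return verdicts


if __name__ == "__main__":
    for label, names in compare_patterns(AVAST_RESPONSE).items():
        print(f"{label:10s} -> {names!r}")
    print(parse_response(AVAST_RESPONSE))
    print("original clean pattern matches anything:",
          CLEAN_ORIGINAL.search(AVAST_RESPONSE) is not None)
```

The practical lesson carries to any scanner entry: capture the name with a negated class that excludes the separator characters you can see in a real response (here "[", space, tab, CR, LF) rather than with a greedy (.+), and test the clean pattern against a real clean line as well as the infected pattern against a real hit, because a clean pattern that never matches fails quietly on every clean message.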

Re: [AMaViS-user] Avast Anti Virus Config

2006-02-11 Thread Bill Landry
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]



Has anyone created an amavisd.conf entry for Avast AV scanning support? 
If so, would you be willing to share the entry?


Responding to my own post, for anyone interested, the command line entry for 
the Avast virus scanner that will work in the amavisd.conf file is:


### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
 '-a -c -t=A {}', [0], [1], qr/infected by: (.+) / ],

However, Avast also runs as a daemon, but I am not sure how to test and 
create the daemon support for the amavisd.conf file.  Here are the 
parameters I currently have set for the Avast daemon in the avastd.conf 
file:

===
[local]
 daemoncount = 4
 maxdaemoncount = 10
 listen = /var/run/avast4/local.sock
 remoteclients = false
 timeout = 60
 user = root
 ;rootdir = /var
 subdirs = true

 # scanner flags :
 testall = true
 testfull = false
 ignoretype = false

 # scanner packers :
 archivetype = A

 # determine packer bomb :
 maxfilesizetoextract = 10
 maxcompressionratio = 98
 compressioncheckthreshold = 1

 # log scan results :
 loginfected = true
 logerrors = true
 logcorrect = false
===

Any suggestions/recommendations on how to setup and test the Avast daemon 
entries for amavisd.conf would be greatly appreciated.


Bill 






[AMaViS-user] Avast Anti Virus Config

2006-02-08 Thread Bill Landry
Has anyone created an amavisd.conf entry for Avast AV scanning support?  If 
so, would you be willing to share the entry?


TIA,

Bill 






Re: [AMaViS-user] BitDefender bdc and the --all option in amavisd.conf

2006-01-26 Thread Bill Landry
- Original Message - 
From: Max Matslofva [EMAIL PROTECTED]



Hi
I just installed BitDefender bdc from FreeBSD ports.

BDC/FreeBSD 5.x-Console (v7.0-2545) (i386) (Dec 22 2004 19:56:57)
Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.

amavisd-new is version 2.3.3

I got an error from bdc, and the --all option in the logfile.
Warning: unknown parameter: --all

amavis[91989]: (91989-01) run_av: /usr/local/bin/bdc exit 0, BDC/FreeBSD 
5.x-Console (v7.0-2545) (i386) (Dec 22 2004
19:56:57)\nCopyright (C) 1996-2004 SOFTWIN SRL. All rights 
reserved.\nWarning: unknown parameter: --all\n\n\n\nResults:\nFolders
...:1\nFiles ...:1\nPacked ...:0\nArchives ...:0\nInfected files 
:0\nSuspect files ...:0\nWarnings ...:0\nI/O errors ...:0\n


The default options for bdc in amavisd.conf is --all --arc --mail
Can I change it to --arc --mail ?


Actually looks like a version change.  The newer versions of BDC do not use 
the --all switch, so looks like you can safely remove it.


Bill 






Re: [AMaViS-user] BitDefender bdc and the --all option in amavisd.conf

2006-01-26 Thread Bill Landry
- Original Message - 
From: Max Matslofva [EMAIL PROTECTED]



Hi
I just installed BitDefender bdc from FreeBSD ports.

BDC/FreeBSD 5.x-Console (v7.0-2545) (i386) (Dec 22 2004 19:56:57)
Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.

amavisd-new is version 2.3.3

I got an error from bdc, and the --all option in the logfile.
Warning: unknown parameter: --all

amavis[91989]: (91989-01) run_av: /usr/local/bin/bdc exit 0, BDC/FreeBSD 
5.x-Console (v7.0-2545) (i386) (Dec 22 2004
19:56:57)\nCopyright (C) 1996-2004 SOFTWIN SRL. All rights 
reserved.\nWarning: unknown parameter: --all\n\n\n\nResults:\nFolders
...:1\nFiles ...:1\nPacked ...:0\nArchives ...:0\nInfected files 
:0\nSuspect files ...:0\nWarnings ...:0\nI/O errors ...:0\n


The default options for bdc in amavisd.conf is --all --arc --mail
Can I change it to --arc --mail ?


Should work fine with the --all switch.  Here what we have been using for 
over a year:


['BitDefender', 'bdc',
  '--all --arc --mail --nowarn --alev=15 --flev=15 {}', qr/^Infected files *:0+(?!\d)/,
  qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
  qr/(?:suspected|infected): (.*)(?:\033|$)/ ],

and bdc --help outputs the following:

BDC/Linux-Console v7.0 (build 2490) (i386) (Dec 10 2003 16:11:35)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.

Usage: bdc path [parameters]
Parameters:
 --files  - scan files *
 --arc- scan archives
 --mail   - scan mail databases
 --nopack - don't scan packed programs
 --nohed  - unknown virus detection
 --ext=ext1;ext2; - scan only this extensions
 --log[=file] - create log file
 --list   - display all files
 --all- scan all files
 --append - append to log file
 --disinfect  - disinfect files
 --delete - delete infected files
 --copy   - copy infected files in quarantine zone
 --copys  - move suspected files in quarantine zone
 --move   - move infected files in quarantine zone
 --moves  - move suspected files in quarantine zone
 --info   - information
 --nowarn - display warnings
 --vlist  - display virus list
 --debug  - display debug information
 --nor- do not recurse into subdirs
 --alev[=n]   - set maximum archive depth level
 --flev[=n]   - set maximum folder depth level
 --update - update virus definitions
 --help,--?   - this help
  * = default option

As you can see, the --all switch is a valid and useful switch for BDC.

Bill 






Re: [AMaViS-user] While on the BitDefender subject

2006-01-26 Thread Bill Landry
- Original Message - 
From: Vernon A. Fort [EMAIL PROTECTED]


While on the bitdefender topic, I've had to disable this scanner on 
several server due system load.  I use gentoo on most servers, standard 
setup...


   postfix+amavisd-new+clamav+spamassassin

I typically use 2-3 scanners on each server but the CPU load with 
bitdefender appears very high - usually around 40-60 cpu usage per 
instance.  The main reason I'm asking is I just had to disable this 
scanner on a dual Xeon 3.0 with 2G of memory because I was getting 
out-of-memory kernel panic.  This server does process 50k messages per day 
with around 15k email accounts.  I even dropped the amavis to 3 clients 
(as well as master.cf) which did not help.


Has anyone else experienced this or have any tips on limiting its cpu 
usage?


Vernon, on a test server I run that has 7 scanners installed (AVG, UVScan, 
Sophos, F-Prot, TrendMicro, ClamAV, and BitDefender), BitDefender is by far 
the slowest of all scanners, taking at least 4X longer than even the next 
slowest scanner.  I would not use nor recommend its usage in a heavily 
loaded production environment.


Bill 






[AMaViS-user] Virus scanner log reporting

2005-12-20 Thread Bill Landry
I am using custom log reporting ($log_temp1) in my amavisd.conf; however, I 
am having a difficult time trying to come up with the proper syntax to 
report virus scanners detecting a virus and the virus name the scanner 
reported.  I am looking for a format as follows:


Scanner1 detected virus-name1
Scanner2 detected virus-name2
Scanner3 detected virus-name3

Anyone have any suggestions on what the proper syntax should be to log in 
this format?


Thanks in advance!

Bill





Re: [AMaViS-user] Amavisd-new vs appliance

2005-10-07 Thread Bill Landry
- Original Message - 
From: Daniel Bentley [EMAIL PROTECTED]


We're currently dealing with one of these at my work, a Barracuda 300 box. 
I'll have to say, it seems to be doing an okay filtering job for spam it 
receives.


-However-, I'm not sure how other boxes do things, but there's a flaw in 
how this one's applied.  Namely, you give the box an IP, and change the MX 
record for your domain/s to point to the spam box.  That's all fine and 
dandy, -IF- the sending servers are honoring and sending according to that 
MX record in DNS.  If they're sending to an FQDN or straight IP, it'll go 
straight to the email server anyways.  So it's not exactly a complete 
solution, so long as your email server still has an IP and a connection to 
the 'net...  We can play the IP and DNS shuffle, but so long as we have 
records in DNS for SPF identification, the spammers will be able to find 
out what machines in our domain are e-mail servers and we'll be right at 
Step 1 again, with mail circumventing the Barracuda box completely.


YMMV (Your Model May Vary) of course, just some hands-on I've gotten with 
one of these Barracuda boxes so far...  I still think a more optimal setup 
would be one that's truly 'in-line' for the mail server, comparable to a 
traditional firewall.  When looking at getting this box, my manager kept 
reassuring me that it was in-line.  Right...  At least it -does- help 
lighten the load on the mail server.


Seems like an easy enough solution, don't make the IP address of your 
internal mail server accessible from the Internet, only allow SMTP 
connections from your Barracuda IP address.  If you have external users and 
customers sending mail via the internal mail server, have them use the 
submission port (port 587) and require SMTP Authentication.


It might take a bit of work to get this setup, but it would prevent any 
inbound e-mail from bypassing your Barracuda machine.


Bill 






Re: [AMaViS-user] Feature request: for log_templ, different macros for spam score and boost

2005-06-16 Thread Bill Landry
- Original Message - 
From: Ed Walker [EMAIL PROTECTED]



A request for a small change for the next version of amavisd:

We'd like to log slightly more detailed info of the messages.  We use 
log_recip_templ, and it would be nice if we could store the score reported 
by spam assassin with a separate value for the whitelist/blacklist boost 
score.


While on the subject of next version wishlist items, I very much appreciate 
the added logging that amavisd-new now does in reporting individual test 
scores.  I was wondering if the URIBL tests could also report what URI in 
the message was actually tagged by a particular URIBL test?  For example, SA 
reports URIBL test hits like:


 1.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
[URIs: realhealthco.com]
 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: realhealthco.com redquality.info]
 2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: redquality.info]
 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: realhealthco.com redquality.info]
 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: realhealthco.com redquality.info]
 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist


Anyway, it would be nice to have when it's necessary to report false positives.

Bill 






Re: [AMaViS-user] Can't connect to UNIX socket /var/run/clamav/clamd

2005-06-08 Thread Bill Landry
- Original Message - 
From: MJ [EMAIL PROTECTED]



Hi,
Can someone help with the following error?


Check the path to your clamd socket in clamd.conf and amavisd.conf.  They 
need to point to the correct location of the socket and they both need to 
match.


Look for this section in your clamd.conf:
# Path to a local socket file the daemon will listen on.
LocalSocket /var/amavis/clamd.socket

Look for this section in your amavisd.conf:
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd.socket"],

Bill 
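A consistency check for the two paths Bill names, added here as an example and not part of the original post or of either project; the clamd.conf and amavisd.conf excerpts are constructed samples in the layout shown above, and the optional filesystem probe assumes it is run on the amavisd host as the user amavisd runs as.

```python
import os
import re
import stat

# Constructed sample excerpts (not from the original post), in the layout quoted
# above: clamd.conf's LocalSocket and the path amavisd.conf hands to ask_daemon.
CLAMD_CONF = """\
# Path to a local socket file the daemon will listen on.
LocalSocket /var/amavis/clamd.socket
"""
AMAVISD_CONF = """\
['ClamAV-clamd',
  \\&ask_daemon, ["CONTSCAN {}\\n", "/var/amavis/clamd.socket"],
"""

def _active(conf_text):
    """Drop comment lines so a commented-out entry is not taken as live."""
    return "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))

def clamd_local_socket(conf_text):
    """LocalSocket path from clamd.conf, or None (TCP-only clamd)."""
    m = re.search(r"^\s*LocalSocket\s+(\S+)", _active(conf_text), re.M)
    return m.group(1) if m else None

def amavisd_clamd_socket(conf_text):
    """Socket path (or host:port) given to ask_daemon for ClamAV-clamd, or None."""
    m = re.search(r"\['ClamAV-clamd'.*?ask_daemon\s*,\s*\[\s*\"CONTSCAN \{\}\\n\"\s*,"
                  r"\s*\"([^\"]+)\"", _active(conf_text), re.S)
    return m.group(1) if m else None

def check_clamd_socket(clamd_text, amavisd_text, probe_fs=False):
    """Return findings; [] means the configs agree.  probe_fs=True also checks the
    socket on this host, the usual remaining cause of "Can't connect to UNIX socket"."""
    findings = []
    c, a = clamd_local_socket(clamd_text), amavisd_clamd_socket(amavisd_text)
    if c is None:
        findings.append("clamd.conf: no LocalSocket directive")
    if a is None:
        findings.append("amavisd.conf: no active ClamAV-clamd ask_daemon entry")
    if c and a and c != a:
        findings.append(f"path mismatch: clamd.conf={c} amavisd.conf={a}")
    if probe_fs and a and not findings:
        if not os.path.exists(a):
            findings.append(f"{a} missing: clamd not running or wrong path")
        elif not stat.S_ISSOCK(os.stat(a).st_mode):
            findings.append(f"{a} exists but is not a socket")
        elif not os.access(a, os.R_OK | os.W_OK):
            findings.append(f"{a}: this user cannot read/write it (owner/mode)")
    return findings
```

Run it with probe_fs=True as the amavis user against the real files to separate a path mismatch from a permission or not-running problem.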



