Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread G.W. Haywood
Hi there,

On Fri, 8 Aug 2008 jef moskot wrote:

Re: simplest replacement for ancient amavis-perl

 Currently, we accept all infected mail, and quietly quarantine it.

May I suggest that you quarantine it, BUT STILL REJECT IT after it
has been read (and recorded) in its entirety?  You're making a rod
for your own back if you accept bad mail.  The sender will sell the
recipients' addresses to all his spammer friends and you'll just get
more of it.

 We don't refuse it at SMTP connect, although I might be able to be
 convinced that that's a better idea.

You can reject it all the way up to the last dot (er, period).

 ... I was looking at clamav-milter, which looks simple and also
 comes with the benefit of a community I'm comfortable with.

Many of us here have been using it for years with no problems.
I'll second that about the community.

 I can't find any decent documentation on it, however, (if I'm missing
 something obvious, please point me at it!)

There's quite a lot on the Web but when you download and extract the
source tarball you should have all you need.

 ... and it seems to jam mail at SMTP connection time rather than
 accepting and scanning later.

SMTP conversation, not connection, but that's the best place really.
There are other ways to use it of course.  You can just insert a mail
header as a flag and pass it through, leaving e.g. YetAnotherMilter or
something like SpamAssassin to decide.  Personally, I like mail that
will be rejected to be rejected at the earliest possible opportunity
so that it doesn't waste everybody's money.

 I've found references to using it to quarantine messages, which
 would be perfect, but I haven't seen the docs to explain how to do
 that.

After you install it, you can do

man clamav-milter

[snip]
  -A, --advisory
When in advisory mode, clamav-milter flags emails with viruses but
still forwards them. The default option is to stop viruses.  This
mode is incompatible with --quarantine and --quarantine-dir.
[snip]

and

man clamd.conf

etc. etc.

(SEE ALSO
clamd(8), clamdscan(1), clamav-milter(8), clamscan(1), freshclam(1), sigtool(1))

If you want to look at those before installing them they're in the docs/man
directory after extracting the tarball, just do

man docs/man/clamav-milter.8

or whatever.

 Also I've found some explanations of how to compile clam to get the
 milter, but those were in connection with FreeBSD ports, and I don't like
 to have to wait until an update has been bundled before I can deploy it.

You can just grab the source tarball and compile and install it like
you would for almost any other Open Source tool.  The instructions are
in the tarball itself.  Granted there's a slight chicken-and-egg thing
there if you're not used to doing this:

mail4:~$  tar tzvf [...]/clamav-0.93.3.tar.gz | grep 'clamav-0.93.3/\(README\|INSTALL\)'
-rw-r--r-- 1000/1000 73422 2008-07-07 18:38:08 clamav-0.93.3/README
-rw-r--r-- 1000/1000  9416 2008-03-06 18:41:14 clamav-0.93.3/INSTALL

Just extract the tarball to some convenient place beneath your home
directory.  Then there's quite a lot to read in the docs directory:

mail4:~$  ls -l [...]/clamav-0.93.3/docs/*pdf
total 2044
[snip]
-rw-r--r--  1 ged users   82058 2008-03-06 18:41 clamav-mirror-howto.pdf
-rw-r--r--  1 ged users  240788 2008-07-07 18:41 clamdoc.pdf
-rw-r--r--  1 ged users  102697 2008-03-06 18:41 phishsigs_howto.pdf
-rw-r--r--  1 ged users   27199 2008-04-02 21:17 signatures.pdf

Plus more HTML than you can shake a stick at in the same place.

--

73,
Ged.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
G.W. Haywood wrote:

 Currently, we accept all infected mail, and quietly quarantine it.

 May I suggest that you quarantine it, BUT STILL REJECT IT after it
 has been read (and recorded) in its entirety?

No, please don't do that for viruses.  If they are being transmitted
by a real SMTP client, you'll generate annoying backscatter.

 You're making a rod
 for your own back if you accept bad mail.  The sender will sell the
 recipients' addresses to all his spammer friends and you'll just get
 more of it.

That is not true, in my experience.  We see countless attempts by spammers
to send to invalid addresses, years after those addresses cease to be valid.

In my experience, spammers do not bother cleaning their address lists.  It's
so cheap to spam with a zombie network that the effort required to clean
the list is not worth it.

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 G.W. Haywood wrote:
 
 Currently, we accept all infected mail, and quietly quarantine it.
 
 May I suggest that you quarantine it, BUT STILL REJECT IT after it
 has been read (and recorded) in its entirety?
 
 No, please don't do that for viruses.  If they are being transmitted
 by a real SMTP client, you'll generate annoying backscatter.
 

If done during the SMTP conversation the only thing that is going to
see backscatter is the thing that sent it.  Which really isn't
backscatter.  I am under the opinion that a message should never
be silently blackholed.

Steven





Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

 If done during the SMTP conversation the only thing that is going to
 see backscatter is the thing that sent it.

Which is why I qualified my reply with if the sending relay is a valid
SMTP client.

 I am under the opinion that a message should never
 be silently blackholed.

I used to share that opinion, but no longer do for viruses.  If you
turn off Clam's dubious Phishing options, the odds of a false-positive
from Clam are very low.  In that situation, there is no point in rejecting;
it's better to silently discard.

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Parveen Malik
Hi all,

I need to open ports for Clamav database update, but since yesterday it
seems that IP address are changing every hour.. Can you guys please let
me know what should I do to resolve this issue.
Sending you ping output.
[EMAIL PROTECTED] root]# ping db.us.clamav.net
PING db.us.rr.clamav.net (199.184.215.2) 56(84) bytes of data.

--- db.us.rr.clamav.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms

[EMAIL PROTECTED] root]# ping db.us.clamav.net
PING db.us.rr.clamav.net (208.67.80.27) 56(84) bytes of data.

--- db.us.rr.clamav.net ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4018ms

[EMAIL PROTECTED] root]# ping db.us.clamav.net
PING db.us.rr.clamav.net (64.142.100.50) 56(84) bytes of data.

--- db.us.rr.clamav.net ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6016ms

You have new mail in /var/spool/mail/root

Thanks,
Parveen


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F.
Skoll
Sent: Thursday, August 07, 2008 2:28 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] simplest replacement for ancient amavis-perl

jef moskot wrote:

 I didn't mean to spark a milter fight, but as the Subject line says, we're
 looking for the simplest thing out there.  I'm replacing a simplistic perl
 script that just broke a message down, clamscanned it, and either passed
 it on for delivery or quarantined and notified.  That's it.

Here is a complete MIMEDefang filter to do just that:

#=
# Virus-scanner back ends MIMEDefang may use: clamd through its socket,
# with clamscan as the command-line fallback.
$Features{'Virus:CLAMD'} = '/full/path/to/clamd';
$ClamdSock = '/full/path/to/clamd.sock';
$Features{'Virus:CLAMAV'} = '/full/path/to/clamscan';
# Recipient of the quarantine notification.
$AdminAddress = '[EMAIL PROTECTED]';

sub filter_end
{
    # Runs once the whole message has been parsed; ask the scanner about it.
    my ($code, $category, $action) = message_contains_virus();
    if ($action eq 'quarantine') {
        # Infected: the message has gone to the quarantine area, so tell
        # $AdminAddress and silently drop the original.
        send_quarantine_notifications();
        action_discard();
    }
}
#=

It'll quarantine the virus and send a notification to $AdminAddress.

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Erwan David
On Fri, Aug 08, 2008 at 03:20:01PM CEST, [EMAIL PROTECTED] said:
 David F. Skoll wrote:
  G.W. Haywood wrote:
  
  Currently, we accept all infected mail, and quietly quarantine it.
  
  May I suggest that you quarantine it, BUT STILL REJECT IT after it
  has been read (and recorded) in its entirety?
  
  No, please don't do that for viruses.  If they are being transmitted
  by a real SMTP client, you'll generate annoying backscatter.
  
 
 If done during the SMTP conversation the only thing that is going to
 see backscatter is the thing that sent it.  Which really isn't
 backscatter.  I am under the opinion that a message should never
 be silently blackholed.

This means your MTA must call clamav after the DATA end, but before
answering it.

-- 
Erwan


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Jan Pieter Cornet
On Fri, Aug 08, 2008 at 09:25:19AM -0400, David F. Skoll wrote:
  I am under the opinion that a message should never
  be silently blackholed.
 
 I used to share that opinion, but no longer do for viruses.  If you
 turn off Clam's dubious Phishing options, the odds of a false-positive
 from Clam are very low.  In that situation, there is no point in rejecting;
 it's better to silently discard.

I agree with David: it's better to discard a virus, than reject it
just because the sending server has a slightly worse virus scanner,
or hasn't received the signature updates yet.

But I'm more paranoid: We only discard when _2_ independent scanners
say it's a virus.

Otherwise, we used to tempfail, but nowadays it's not worth the bother,
and we just reject for single virus scanner hits. That's a measly few
percent of the already insignificant amount of email viruses (we don't
count phishes as a virus, they add to the score in SA).

-- 
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Darren G Pifer
Hi Steve,

The site is interesting and will help with general cases but lately the
school is getting phishing specific to the university, which does not
help us.  For an example, the latest phishing we got had a Subject: ODU
Network and in the body of the message contained:

The reason for this message is because of the Email Scams & Phishing
going on the ODU Network. We have decided to contact all our students and
staffs to provide their password so that we can confirm the active
users and to de-activate the inactive user. We regret the inconveniences
this might have cost you.

Please provide us with the below details.

Username:
Password:

So, the e-mail team and security staff need to be able to create signatures so
that clamd can detect this spam, and similar phishing, and need to get the
database updated in a short time frame.  I do not think submitting these to the
ClamAV database maintainers or other signature maintainers to update the
databases and get the databases downloaded is going to suffice.

Regards, Darren

Steve Basford wrote:
 Hi Darren,

 You could try and use my add-on clamav sigs here:

 http://www.sanesecurity.co.uk/clamav/usage.htm
 http://www.sanesecurity.co.uk/clamav/downloads.htm

 If you find the samples you have are still being missed:

 http://www.sanesecurity.co.uk/clamav/feedback.htm

 I'll see if I can create a signature for you, which may also help others.

 Also, extra docs (a little outdated here):

 http://www.sanesecurity.co.uk/clamav/docs.htm

 Cheers,

 Steve
 Sanesecurity





Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 If done during the SMTP conversation the only thing that is going to
 see backscatter is the thing that sent it.
 
 Which is why I qualified my reply with if the sending relay is a valid
 SMTP client.

Maybe we are just arguing semantics but anything that connects to
my mail server and speaks RFC821 is valid.  I might not like what
it feeds me but that is what ClamAV/SpamAssassin is for. :)

 
 I am under the opinion that a message should never
 be silently blackholed.
 
 I used to share that opinion, but no longer do for viruses.  If you
 turn off Clam's dubious Phishing options, the odds of a false-positive
 from Clam are very low.  In that situation, there is no point in rejecting;
 it's better to silently discard.

Returning a 5xx message is neither hard nor resource intensive.  Then even
in the unlikely event of a false positive the sender knows.

Steven



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Gerard
On Fri, 8 Aug 2008 13:31:24 +0100 (BST)
G.W. Haywood [EMAIL PROTECTED] wrote:

 Currently, we accept all infected mail, and quietly quarantine it.  

May I suggest that you quarantine it, BUT STILL REJECT IT after it
has been read (and recorded) in its entirety?  You're making a rod
for your own back if you accept bad mail.  The sender will sell the
recipients' addresses to all his spammer friends and you'll just get
more of it.

Unless I am incorrectly interpreting this, you are implying that he can
accept the mail and then reject it later. That would cause 'backscatter'
that will inevitably end up getting him blacklisted.

-- 
Gerard
[EMAIL PROTECTED]

Marriage is the waste-paper basket of the emotions.



Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Chambers, Phil
Take a look at

  http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf

Which I found very useful for exactly this situation.

Phil.

Phil Chambers
Postmaster
University of Exeter


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
Parveen Malik wrote:
 Hi all,
 
 I need to open ports for Clamav database update, but since yesterday it
 seems that IP address are changing every hour.. Can you guys please let
 me know what should I do to resolve this issue.
 Sending you ping output.
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (199.184.215.2) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2014ms
 
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (208.67.80.27) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 5 packets transmitted, 0 received, 100% packet loss, time 4018ms
 
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (64.142.100.50) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 7 packets transmitted, 0 received, 100% packet loss, time 6016ms
 

Can't you just have your firewall keep state on all outgoing connections?

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

 Which is why I qualified my reply with if the sending relay is a valid
 SMTP client.

 Maybe we are just arguing semantics but anything that connects to
 my mail server and speaks RFC821 is valid.  I might not like what
 it feeds me but that is what ClamAV/SpamAssassin is for. :)

OK, let me be precise:  By valid SMTP client, I mean one that
generates a DSN in response to a 5xx status code.

 Returning a 5xx message is neither hard or resource intensive.

I'm not arguing that.  I'm just disagreeing with the statement that
it's a good idea.

 Then even in the unlikely event of a false positive the sender
 knows.

This is so unlikely that the backscatter risk outweighs the benefit.

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread jef moskot
On Fri, 8 Aug 2008, David F. Skoll wrote:
 G.W. Haywood wrote:
  You're making a rod for your own back if you accept bad mail.  The
  sender will sell the recipients' addresses to all his spammer friends
  and you'll just get more of it.

 In my experience, spammers do not bother cleaning their address lists.

My thought process has been that if we give feedback as to which messages
made it past our defenses, we're essentially telling the spammers how to
construct better spam.

Then again, maybe no one is there to see the 550s these days and since (I
agree with David) spammers don't seem to care if addresses are valid, they
probably don't care if the spam gets there or not.

As for why we quarantine in the first place, we roll our own clam
signatures, some of which are a little dicey, so we like to be able to dig
ourselves out of the problems we create for ourselves.  As long as the
volume isn't out of control (it isn't yet), it's better for us to accept
the responsibility than to place it on the users who somehow managed to
construct sentences that read like Mad Libs but are nonetheless valid.

Perhaps clam is the wrong tool for that kind of thing, but it's just so
convenient, that it's going to be hard to choose another method.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Darren G Pifer
Chambers, Phil wrote:
 Take a look at

   http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
   
I have seen this document but it does not show how to add signatures
to a database OR for clamd to detect the phishing e-mail.  I was able
to create the signature (a .hdb file) and clamscan detects the phishing
but clamd does not.  Maybe I am missing something.

Darren
ODU

 Which I found very useful for exactly this situation.

 Phil.
 
 Phil Chambers
 Postmaster
 University of Exeter


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 Which is why I qualified my reply with if the sending relay is a valid
 SMTP client.
 
 Maybe we are just arguing semantics but anything that connects to
 my mail server and speaks RFC821 is valid.  I might not like what
 it feeds me but that is what ClamAV/SpamAssassin is for. :)
 
 OK, let me be precise:  By valid SMTP client, I mean one that
 generates a DSN in response to a 5xx status code.

Fair enough.

 Then even in the unlikely event of a false positive the sender
 knows.
 
 This is so unlikely that the backscatter risk outweighs the benefit.

I have had it happen.  When messages mysteriously go missing
and people call me asking where it went I can rest assured
saying that if something was rejected somewhere they should have
received a bounce.  It makes things easier to debug when there
is feedback.

What backscatter?  If done at SMTP the only person that should be
notified is the sender.  If that sender goes and does something
stupid with my rejection then that is the sender's problem.
Otherwise there is zero backscatter.

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

[...]

 What backscatter?  If done at SMTP the only person that should be
 notified is the sender.

I see.  And it's impossible for a virus to forge MAIL FROM:, is it?

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Parveen Malik
Steven,

I have a secured environment which is governed by HIPAA regulatory, so I
can't keep open everything.

Thanks,
Parveen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 9:56 AM
To: ClamAV users ML
Subject: Re: [Clamav-users] simplest replacement for ancient amavis-perl

Parveen Malik wrote:
 Hi all,
 
 I need to open ports for Clamav database update, but since yesterday it
 seems that IP address are changing every hour.. Can you guys please let
 me know what should I do to resolve this issue.
 Sending you ping output.
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (199.184.215.2) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2014ms
 
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (208.67.80.27) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 5 packets transmitted, 0 received, 100% packet loss, time 4018ms
 
 [EMAIL PROTECTED] root]# ping db.us.clamav.net
 PING db.us.rr.clamav.net (64.142.100.50) 56(84) bytes of data.
 
 --- db.us.rr.clamav.net ping statistics ---
 7 packets transmitted, 0 received, 100% packet loss, time 6016ms
 

Can't you just have your firewall keep state on all outgoing
connections?

Steven


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Jan Pieter Cornet
On Fri, Aug 08, 2008 at 09:44:11AM -0400, Darren G Pifer wrote:
 Hi Steve,
 
 The site is interesting and will help with general cases but lately the
 school is getting phishing specific to the university, which does not
 help us. 

Have you considered using a regular-expression based filtering
mechanism, say, SpamAssassin?

I use it to block directed phishes (for the ISP I work for), and it
works pretty well. Unfortunately, it looks like, for directed phishes,
the phishing mails are first tried out, likely via compromised accounts,
until they pass the filter. At least, some do, it seems.

-- 
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Chambers, Phil

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren G Pifer
 Sent: Fri 08 August 2008 15:09
 To: ClamAV users ML
 Subject: Re: [Clamav-users] Clamav phishing sigs
 
 Chambers, Phil wrote:
  Take a look at
 
http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf

 I have seen this document but it does not show how to add 
 signatures to a database OR for clamd to detect the phishing 
 e-mail.  I was able to create the signature (a .hdb file) and 
 clamscan detects the phishing but clamd does not.  Maybe I am 
 missing something.
 
 Darren
 ODU

It appears that you need to wait until clamd sees that the signature
files in the database directory have changed.  I think the default is
for clamd to check every 3 hours.  It will also check if freshclam
downloads updates because freshclam tells clamd to check.

What I have done is to lift the bit of code from freshclam which
notifies clamd and put it into a script called clamdreload.pl.  If I put
a new signature in my local list I then run that script to make clamd
read it.

You should see the reload in the clamd log.

Phil.

Phil Chambers
Postmaster
University of Exeter
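An added example (not from the thread, and not ClamAV's own code) that ties Darren's .hdb signature to Phil's reload step: it builds the .hdb line for a constructed sample, checks a sample against it the way the hash scanner does, and sends a running clamd the RELOAD command freshclam uses to make it re-read the database directory. The socket path and the 'n'-prefixed command framing (clamd 0.95 and later; older clamd takes the bare command plus newline) are assumptions.

```python
"""Hash signature for a captured sample, plus the clamd RELOAD command.

All sample data is constructed; the socket path is an assumption and must
match the LocalSocket setting in your clamd.conf.
"""
import hashlib
import socket


def hdb_signature(sample: bytes, name: str) -> str:
    """One .hdb line in the MD5:FileSize:MalwareName format from signatures.pdf."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{name}"


def hdb_matches(sample: bytes, line: str) -> bool:
    """Check a sample against one .hdb line the way the hash scanner does:
    the whole-file MD5 and the size must both agree."""
    digest, size, _name = line.strip().split(":", 2)
    return len(sample) == int(size) and hashlib.md5(sample).hexdigest() == digest


def clamd_command(sock: socket.socket, command: str) -> str:
    """Send one clamd command and return its single reply line.
    Assumption: 'n' prefix + newline terminator (clamd 0.95+)."""
    sock.sendall(b"n" + command.encode("ascii") + b"\n")
    reply = bytearray()
    while not reply.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    return reply.decode("ascii", "replace").strip()


def reload_clamd(socket_path: str = "/var/run/clamav/clamd.ctl") -> bool:
    """Ask clamd to re-read its DatabaseDirectory now instead of waiting for
    its periodic self-check.  True when clamd acknowledges with RELOADING."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        return clamd_command(s, "RELOAD") == "RELOADING"


def exchange_over_socketpair(server_reply: bytes, command: str = "RELOAD"):
    """Run clamd_command against an in-process peer that answers server_reply.
    Returns (bytes the peer received, parsed reply) so the framing can be
    checked without a clamd."""
    client, peer = socket.socketpair()
    try:
        peer.sendall(server_reply)
        parsed = clamd_command(client, command)
        return peer.recv(256), parsed
    finally:
        client.close()
        peer.close()


if __name__ == "__main__":
    # Constructed phishing body, standing in for a captured message file.
    sample = b"Please provide us with the below details.\nUsername:\nPassword:\n"
    line = hdb_signature(sample, "Phish.Constructed.Example-1")
    print(line)                                # append this to a .hdb file in DatabaseDirectory
    print("matches:", hdb_matches(sample, line))
    print("framing:", exchange_over_socketpair(b"RELOADING\n"))
```

Because the hash covers the exact byte stream, an .hdb entry only catches a sample that is byte-for-byte identical; after appending the line to a file in clamd's database directory, call reload_clamd() (or wait for the self-check) and look for the reload in the clamd log as Phil describes.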


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

 No, it is trivial for anyone to forge mail from headers but that is
 irrelevant when virus filtering is done at the SMTP level.  You don't
 send the rejection to the address in the mail from.  You send the
 rejection to the server/client that sent you the message because the
 SMTP conversation is still going on and you know exactly who is trying
 to feed it to you.

:-)

I see.  So you actually do believe it's impossible to forge SMTP envelope
information?  See, I have this bridge for sale...

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 No, it is trivial for anyone to forge mail from headers but that is
 irrelevant when virus filtering is done at the SMTP level.  You don't
 send the rejection to the address in the mail from.  You send the
 rejection to the server/client that sent you the message because the
 SMTP conversation is still going on and you know exactly who is trying
 to feed it to you.
 
 :-)
 
 I see.  So you actually do believe it's impossible to forge SMTP envelope
 information?  See, I have this bridge for sale...

No, I did not say that.  I said it was trivial.  I am just pointing out that
it is irrelevant while the SMTP conversation is still going on.  It is
impossible (mostly) to forge the IP the message is being sent from if there
is a live SMTP conversation going on and while that conversation is going
on you know exactly what is sending you the garbage and you know exactly
what to tell you don't want it.  There is zero backscatter.

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

 No, I did not say that.  I said it was trivial.  I am just pointing out that
 it is irrelevant while the SMTP conversation is still going on.  It is
 impossible (mostly) to forge the IP the message is being sent from if there
 is a live SMTP conversation going on and while that conversation is going
 on you know exactly what is sending you the garbage and you know exactly
 what to tell you don't want it.  There is zero backscatter.

You obviously misunderstand SMTP.  Please reread RFC 2821 and 2822.
If you have further questions, let's take them off-list because this
thread is likely boring to SMTP veterans.

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 No, I did not say that.  I said it was trivial.  I am just pointing out that
 it is irrelevant while the SMTP conversation is still going on.  It is
 impossible (mostly) to forge the IP the message is being sent from if there
 is a live SMTP conversation going on and while that conversation is going
 on you know exactly what is sending you the garbage and you know exactly
 what to tell you don't want it.  There is zero backscatter.
 
 You obviously misunderstand SMTP.  Please reread RFC 2821 and 2822.
 If you have further questions, let's take them off-list because this
 thread is likely boring to SMTP veterans.
 

No need to be condescending about it.  I have no problem taking it off
list and explaining how you are mistaken.

Steven



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

 No need to be condescending about it.  I have no problem taking it off
 list and explaining how you are mistaken.

OK, look.  I guess I need to spell it out for you.

End-user PC has virus.  Virus does this:

telnet isps-smtp-server 25
HELO bogus
MAIL FROM:[EMAIL PROTECTED]
RCPT TO:[EMAIL PROTECTED]
DATA
.

Then ISP's mail server does this:

telnet victims-smtp-server 25
HELO isps-smtp-server
MAIL FROM:[EMAIL PROTECTED]
RCPT TO:[EMAIL PROTECTED]
DATA
.

If victim's SMTP server fails the DATA with a 5xx code, then
backscatter goes [EMAIL PROTECTED]

Understand now?

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 No need to be condescending about it.  I have no problem taking it off
 list and explaining how you are mistaken.
 
 OK, look.  I guess I need to spell it out for you.
 
 End-user PC has virus.  Virus does this:
 
 telnet isps-smtp-server 25
 HELO bogus
 MAIL FROM:[EMAIL PROTECTED]
 RCPT TO:[EMAIL PROTECTED]
 DATA
 .
 
 Then ISP's mail server does this:
 
 telnet victims-smtp-server 25
 HELO isps-smtp-server
 MAIL FROM:[EMAIL PROTECTED]
 RCPT TO:[EMAIL PROTECTED]
 DATA
 .
 
 If victim's SMTP server fails the DATA with a 5xx code, then
 backscatter goes [EMAIL PROTECTED]
 
 Understand now?

I understand that but it is not my problem what the ISP's mail server
does with it after I send a 5xx.  It is the ISP's problem.  I don't
need random ISPs making their problems my problems.  If anything
it encourages the ISP to virus filter their users and take care of abuse
problems rather than silently sweeping them under the rug.

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread rick pim
David F. Skoll writes:
  [EMAIL PROTECTED] wrote:

i'm far from an expert but at some level i believe that you're both
right. the real question boils down (i think) to who is trying to deliver
this piece of unwanted email?

if it's a Real MTA, then kicking back a 550 will -- probably -- have the
MTA trying to return the message to the sender. there will probably
be backscatter.

if it's NOT a real MTA -- if it's a spam proxy or a virus trying to send
the message -- then kicking back a 550 will -- probably -- have the message
dropped on the floor. there will probably not be backscatter.

so i think you're both right, more or less.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
Hmm hmm hmmm Reality stinks. That's why I try to improve on it 
whenever I can.
-- The Flash (TV)
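The two telnet dialogues David posted, and rick's point that what matters is whether a real MTA or the malware itself is speaking SMTP to you, can be modelled in a few lines. This is an added example, not code from the thread or from clamav-milter: the policy names, the session text and the X-Constructed-Infected header standing in for a clamd verdict are all constructed here.

```c
/* Toy model of SMTP-time rejection versus accept-then-bounce, showing where a
 * DSN ends up when MAIL FROM: is forged. Added example; nothing here is from
 * clamav-milter or the thread's posters. */
#include <stdio.h>
#include <string.h>

enum policy { REJECT_AT_DATA, ACCEPT_AND_BOUNCE, ACCEPT_AND_QUARANTINE };
enum client { CLIENT_MALWARE, CLIENT_REAL_MTA };

struct envelope {
    char mail_from[128];   /* envelope sender from MAIL FROM: (may be forged) */
    char rcpt_to[128];     /* first RCPT TO: */
    int  infected;         /* verdict of the stand-in scanner on the DATA part */
};

/* Stand-in for a clamd verdict: a body line starting with this marker
 * counts as infected. Constructed for the example. */
#define SCAN_MARKER "X-Constructed-Infected: yes"

/* Copy an SMTP address argument, dropping angle brackets and CR/LF. */
static void copy_addr(const char *src, char *dst, size_t n)
{
    size_t i = 0;
    while (*src == ' ' || *src == '<') src++;
    while (*src && *src != '>' && *src != '\r' && *src != '\n' && i + 1 < n)
        dst[i++] = *src++;
    dst[i] = '\0';
}

/* Parse one client-side SMTP transcript (CRLF-separated commands, as in the
 * telnet dialogue) into an envelope. Returns 0 on success, -1 if the session
 * never reached the terminating lone dot. */
int parse_session(const char *session, struct envelope *env)
{
    const char *p = session;
    int in_data = 0, got_dot = 0;
    memset(env, 0, sizeof *env);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (!in_data) {
            if (strncmp(p, "MAIL FROM:", 10) == 0)
                copy_addr(p + 10, env->mail_from, sizeof env->mail_from);
            else if (strncmp(p, "RCPT TO:", 8) == 0)
                copy_addr(p + 8, env->rcpt_to, sizeof env->rcpt_to);
            else if (strncmp(p, "DATA", 4) == 0)
                in_data = 1;
        } else if (p[0] == '.' && (len == 1 || p[1] == '\r')) {
            got_dot = 1;      /* lone dot ends the message */
            in_data = 0;
        } else if (strncmp(p, SCAN_MARKER, strlen(SCAN_MARKER)) == 0) {
            env->infected = 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return got_dot ? 0 : -1;
}

/* Reply the receiving MTA sends after the final dot under each policy. */
int end_of_data_reply(enum policy pol, const struct envelope *env)
{
    if (!env->infected) return 250;
    return pol == REJECT_AT_DATA ? 550 : 250;
}

/* Who receives a bounce for this message, or NULL if nobody. Malware ignores a
 * 550; a real MTA that already accepted the message from its own client has to
 * bounce it to MAIL FROM:, i.e. to the forged address (David's case). A scanner
 * that accepts and then generates its own DSN bounces to it regardless. */
const char *dsn_recipient(enum client who, enum policy pol, const struct envelope *env)
{
    if (!env->infected) return NULL;
    switch (pol) {
    case REJECT_AT_DATA:    return who == CLIENT_REAL_MTA ? env->mail_from : NULL;
    case ACCEPT_AND_BOUNCE: return env->mail_from;
    default:                return NULL;   /* ACCEPT_AND_QUARANTINE: silent */
    }
}

/* Constructed sample session mirroring the thread's second telnet dialogue. */
const char *SAMPLE_SESSION =
    "HELO isps-smtp-server\r\n"
    "MAIL FROM:<forged-sender@example.org>\r\n"
    "RCPT TO:<victim@example.net>\r\n"
    "DATA\r\n"
    "Subject: constructed sample\r\n"
    SCAN_MARKER "\r\n"
    ".\r\n";

int main(void)
{
    struct envelope env;
    const char *t;
    if (parse_session(SAMPLE_SESSION, &env) != 0) return 1;
    t = dsn_recipient(CLIENT_MALWARE, REJECT_AT_DATA, &env);
    printf("malware client, 5xx at DATA:      DSN to %s\n", t ? t : "nobody");
    t = dsn_recipient(CLIENT_REAL_MTA, REJECT_AT_DATA, &env);
    printf("relaying MTA, 5xx at DATA:        DSN to %s\n", t ? t : "nobody");
    t = dsn_recipient(CLIENT_REAL_MTA, ACCEPT_AND_QUARANTINE, &env);
    printf("relaying MTA, accept+quarantine:  DSN to %s\n", t ? t : "nobody");
    return 0;
}
```

The model makes the disagreement in the thread concrete: a 550 at end of DATA produces backscatter only when the thing talking to you is a real MTA that has already taken responsibility for the message, and an accept-then-DSN scanner produces it in every case.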


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
rick pim wrote:
 David F. Skoll writes:
   [EMAIL PROTECTED] wrote:
 
 i'm far from an expert but at some level i believe that you're both
 right. the real question boils down (i think) to who is trying to deliver
 this piece of unwanted email?
 
 if it's a Real MTA, then kicking back a 550 will -- probably -- have the
 MTA trying to return the message to the sender. there will probably
 be backscatter.
 
 if it's NOT a real MTA -- if it's a spam proxy or a virus trying to send
 the message -- then kicking back a 550 will -- probably -- have the message
 dropped on the floor. there will probably not be backscatter.
 
 so i think you're both right, more or less.

I think you are right.  Sending a 5xx and silently quarantining both have their
advantages and disadvantages.  Who can say whether one is better than the other?

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Tilman Schmidt

David F. Skoll wrote:
 OK, look.  I guess I need to spell it out for you.
 
 End-user PC has virus.  Virus does this:
 
 telnet isps-smtp-server 25

In my experience that's very unusual behaviour for a virus.
The vast majority try to connect directly to the recipient's MX.

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany




Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Gerard
On Fri, 8 Aug 2008 11:20:54 -0400
rick pim [EMAIL PROTECTED] wrote:

David F. Skoll writes:
  [EMAIL PROTECTED] wrote:

i'm far from an expert but at some level i believe that you're both
right. the real question boils down (i think) to who is trying to
deliver this piece of unwanted email?

if it's a Real MTA, then kicking back a 550 will -- probably -- have
the MTA trying to return the message to the sender. there will
probably be backscatter.

if it's NOT a real MTA -- if it's a spam proxy or a virus trying to
send the message -- then kicking back a 550 will -- probably -- have
the message dropped on the floor. there will probably not be
backscatter.

so i think you're both right, more or less.

Employing 'greylisting' would vastly improve the chances of eliminating
the acceptance of SPAM at the MTA level.


-- 
Gerard
[EMAIL PROTECTED]

The tree of research must from time to time
be refreshed with the blood of bean counters.

Alan Kay



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Dennis Peterson
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 [...]
 
 What backscatter?  If done at SMTP the only person that should be
 notified is the sender.
 
 I see.  And it's impossible for a virus to forge MAIL FROM:, is it?
 

That is the concern of the connecting system - they will suffer any 
consequences of accepting the responsibility of forwarding bad mail and 
I really don't care if that happens.

dp


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Dennis Peterson
David F. Skoll wrote:
 [EMAIL PROTECTED] wrote:
 
 No need to be condescending about it.  I have no problem taking it off
 list and explaining how you are mistaken.
 
 OK, look.  I guess I need to spell it out for you.
 
 End-user PC has virus.  Virus does this:
 
 telnet isps-smtp-server 25
 HELO bogus
 MAIL FROM:[EMAIL PROTECTED]
 RCPT TO:[EMAIL PROTECTED]
 DATA
 .
 
 Then ISP's mail server does this:
 
 telnet victims-smtp-server 25
 HELO isps-smtp-server
 MAIL FROM:[EMAIL PROTECTED]
 RCPT TO:[EMAIL PROTECTED]
 DATA
 .
 
 If victim's SMTP server fails the DATA with a 5xx code, then
 backscatter goes [EMAIL PROTECTED]
 
 Understand now?
 

Sounds like the isps-smtp-server operator has a problem of accepting 
responsibility to forward mail that may be undeliverable.

dp


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread rick pim
Gerard writes:
  Employing 'greylisting' would vastly improve the chances of eliminating
  the acceptance of SPAM at the MTA level.

it certainly does. unfortunately, in practice, one of the
prime advantages of greylisting -- the fact that it will never
block 'real' mail -- turns out, um, not to be true. there are so many
standards-noncompliant MTAs out there that greylisting does block
real mail. (this is one of the things that makes me crazy.)

(we still use it, of course.)

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
You call this a *trial*?!  This is nothing but a *kangaroo* *court* 
without the hoppy, furry guy!
--  The Flash (TV)
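Greylisting, which Gerard recommends and rick qualifies above, is simple enough to show end to end. The block below is an added example, not code from the thread or from any greylisting package: it keys on the (client IP, MAIL FROM, RCPT TO) triplet, defers the first attempt with a 451, accepts a retry that arrives after a minimum delay, and counts the triplets that never came back, which is exactly the "real mail from non-compliant MTAs gets blocked" failure mode rick describes. The delay, table size and timestamps are constructed for the demonstration.

```c
/* Toy greylist keyed on the (client IP, MAIL FROM, RCPT TO) triplet.
 * Added example; constants and names are constructed, not from any real MTA. */
#include <stdio.h>
#include <string.h>

#define GREY_MIN_DELAY   300   /* seconds a sender must wait before a retry is accepted */
#define GREY_MAX_ENTRIES 64
#define GREY_KEY_LEN     256

struct grey_entry {
    char key[GREY_KEY_LEN];
    long first_seen;   /* unix time of the first attempt */
    int  passed;       /* 1 once a compliant retry has been accepted */
};

struct greylist {
    struct grey_entry entries[GREY_MAX_ENTRIES];
    int count;
};

static void grey_key(char *dst, size_t n, const char *ip, const char *from, const char *to)
{
    snprintf(dst, n, "%s|%s|%s", ip, from, to);
}

/* Decide the reply to RCPT TO. Returns 250 (accept) or 451 (temporary failure,
 * "try again later"). A never-seen triplet is deferred and recorded; a retry
 * after GREY_MIN_DELAY is accepted and the triplet is remembered as good. */
int greylist_decide(struct greylist *gl, const char *ip, const char *from,
                    const char *to, long now)
{
    char key[GREY_KEY_LEN];
    grey_key(key, sizeof key, ip, from, to);
    for (int i = 0; i < gl->count; i++) {
        struct grey_entry *e = &gl->entries[i];
        if (strcmp(e->key, key) != 0) continue;
        if (e->passed || now - e->first_seen >= GREY_MIN_DELAY) {
            e->passed = 1;
            return 250;
        }
        return 451;            /* retried too early: keep deferring */
    }
    if (gl->count >= GREY_MAX_ENTRIES)
        return 250;            /* table full: fail open rather than defer forever */
    struct grey_entry *e = &gl->entries[gl->count++];
    strncpy(e->key, key, sizeof e->key - 1);
    e->key[sizeof e->key - 1] = '\0';
    e->first_seen = now;
    e->passed = 0;
    return 451;                /* first sight: defer */
}

/* Triplets that were deferred and never retried within give_up_after seconds.
 * Spam bots that never retry land here, but so does real mail from a
 * standards-noncompliant MTA: greylisting cannot tell the two apart. */
int greylist_count_lost(const struct greylist *gl, long now, long give_up_after)
{
    int lost = 0;
    for (int i = 0; i < gl->count; i++)
        if (!gl->entries[i].passed && now - gl->entries[i].first_seen > give_up_after)
            lost++;
    return lost;
}

int main(void)
{
    struct greylist gl;
    long t0 = 1218200000;      /* constructed timestamp */
    memset(&gl, 0, sizeof gl);
    printf("compliant MTA, first try:     %d\n",
           greylist_decide(&gl, "192.0.2.10", "alice@example.org", "bob@example.net", t0));
    printf("compliant MTA, 10 min later:  %d\n",
           greylist_decide(&gl, "192.0.2.10", "alice@example.org", "bob@example.net", t0 + 600));
    printf("sender that never retries:    %d\n",
           greylist_decide(&gl, "198.51.100.5", "x@example.com", "bob@example.net", t0));
    printf("deferred and lost after a day: %d\n", greylist_count_lost(&gl, t0 + 86400, 3600));
    return 0;
}
```

A production greylist also needs an expiry for passed triplets, a whitelist for the senders you cannot afford to lose (rick's "we still use it" implies exactly that kind of tuning), and persistent storage; none of that changes the decision logic shown.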


Re: [Clamav-users] Malformed database problem

2008-08-08 Thread Sarocet
Chambers, Phil wrote:
 I have looked at the source code and there are numerous places where it
 detects problems with signature, but they all generate the same failure
 message: Malformed database.

 It is going to take me a very long time to patch the code to make it
 generate different error messages for each case where a signature can be
 malformed, so that I can diagnose my problem, but I see no alternative.
Search for the text "Malformed database" and replace all occurrences with:

  "File " __FILE__ " encountered a malformed database on line " STRINGIFY(__LINE__)

And globally define this:
  #define STRINGIFY2(x) #x
  #define STRINGIFY(x) STRINGIFY2(x)

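The two-level STRINGIFY macro Sarocet suggests above is the standard trick for getting a line number into a string literal at compile time, and the reason it needs two levels is easy to miss. The block below is an added example, not ClamAV's or Sarocet's code: it shows the single-level macro producing the literal text "__LINE__", the two-level one producing the number, and a stand-in report function (a made-up name) carrying the per-site message.

```c
/* Why stringification needs two macro levels, and what the resulting
 * per-call-site "malformed database" message looks like. Added example;
 * report_malformed() and is_site_tagged() are invented for the demonstration. */
#include <stdio.h>
#include <string.h>

#define STRINGIFY2(x) #x
#define STRINGIFY(x)  STRINGIFY2(x)

/* Built entirely by the preprocessor: adjacent string literals concatenate,
 * so each expansion is one const char * with no runtime formatting. */
#define MALFORMED_DB_MSG \
    "File " __FILE__ " encountered a malformed database on line " STRINGIFY(__LINE__)

/* The # operator does not macro-expand its argument, so this yields "__LINE__". */
const char *naive_line_text(void)    { return STRINGIFY2(__LINE__); }

/* The extra level expands __LINE__ to its number before the # is applied. */
const char *expanded_line_text(void) { return STRINGIFY(__LINE__); }

/* Stand-in for one of the many places that all used to say "Malformed
 * database": after the replacement every site reports its own file and line. */
const char *report_malformed(void)
{
    return MALFORMED_DB_MSG;
}

/* Does a message have the per-site form "File <f> encountered a malformed
 * database on line <digits>"? Returns 1 if so, 0 otherwise. */
int is_site_tagged(const char *msg)
{
    const char *tag = " encountered a malformed database on line ";
    const char *p = strstr(msg, tag);
    if (strncmp(msg, "File ", 5) != 0 || p == NULL) return 0;
    p += strlen(tag);
    if (*p == '\0') return 0;
    for (; *p; p++)
        if (*p < '0' || *p > '9') return 0;
    return 1;
}

int main(void)
{
    printf("%s\n", report_malformed());
    printf("single level: %s   two levels: %s\n", naive_line_text(), expanded_line_text());
    return 0;
}
```

Because the message is assembled by the preprocessor, the replacement Sarocet describes costs nothing at runtime and needs no buffer; the only change at each site is which literal is passed to the existing error path.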


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Charles Gregory
On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
  telnet isps-server 25 ... HELO bogus ... MAIL FROM:[EMAIL PROTECTED]
  telnet victims-server 25 ... HELO isps-server ... MAIL FROM
  If victim's SMTP server fails the DATA with a 5xx code, then
  backscatter goes [EMAIL PROTECTED]
  it is not my problem what the ISP's mail server
 does with it after I send a 5xx.

Well, first of all, yes it IS. It's *everyone's* problem. That forged
address could be on *your* server, and *you* get the backscatter from some
other victim system that also doesn't care what the ISP does with it...

That being said, I agree that the number of viruses that still try to find
and use an infected PC's SMTP server is very small... In which case the
odds of hitting a false positive via a mail relay are greater than hitting
a virus via a mail relay. Now that you make me think about it, the only
time I ever see backscatter from a virus is when someone uses a virus
checker that generates its own DSN rather than issue SMTP 5xx rejections.
I am so *very* glad that ClamAV is just a *reporting* tool! :)

 If anything it encourages the ISP to virus filter their users and take
 care of abuse problems rather than silently sweeping them under the
 rug.

Begging pardon, but just because someone uses a standard postfix config
and follows the standard 'recommended' practice of listing dial-up IP's as
'trusted clients' does not mean they are 'sweeping' anything under their
'rug'. It is just a choice made to minimize the performance hit of
scanning and filtering mail that is 99.99+% valid.

BUT this practice of not scanning mail from trusted clients is only
'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there
is the risk that mail from one user of a system to another will not be
virus checked at *all*, permitting the spread of viruses within a given
user base. 

So my closing thought is that I will want to do two things with my new
Mail Avenger setup:
  1) I will want to run clamav on *all* messages, regardless of source.
 This will prevent intra-system viruses and also cut down on
 backscatter by preventing my server from relaying an outgoing virus.
  2) I will want to check in procmail to see whether an intra-system 
 message passed through my SMTP or was directly delivered via LDA, and
 in the latter case I will need to run clamav from procmail.

So thank you all, for stirring up some good serious thoughts!

- Charles, HWCN



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
Tilman Schmidt wrote:

 telnet isps-smtp-server 25

 In my experience that's very unusual behaviour for a virus.
 The vast majority try to connect directly to the recipient's MX.

I see both.  I see malware that connects directly from end-user PCs,
and more sophisticated malware that actually breaks CAPTCHAs on
Hotmail/GMail/etc.  and sends via those services.  I've also seen malware
that checks the user's Outlook settings and sends via the configured SMTP
server (though that case is admittedly the rarest.)

Regards,

David.


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread rick pim


On Fri, 8 Aug 2008, Charles Gregory wrote:
 Well, first of all, yes it IS. It's *everyone's* problem. That forged
 address could be on *your* server, and *you* get the backscatter from some
 other victim system that also doesn't care what the ISP does with it...

what he said: we have two accounts/addresses that get, between them,
about 200,000 bounces a day; this has been going on for something more
than 8 months.

(that said, there's something to be said for bouncing mail: one of our 
vendors is occasionally silently blocking my email to them. clearly
SOMETHING about my messages is triggering their spam filters. it sure
would be nice if i got the bounces for those)


rp



Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Dennis Peterson
Noel Jones wrote:
 Darren G Pifer wrote:
 Chambers, Phil wrote:
 Take a look at

   http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
   
 I have seen this document but it does not show how to add signatures
 to a database OR for clamd to detect the phishing e-mail.  I was able
 to create the signature (a .hbd file) and clamscan detects the phishing
 but clamd does not.  Maybe I am missing something.

 
 If the sig works with clamscan, it will also work with clamdscan.
 Clamd must be stopped and restarted to recognize new signature 
 files.
 
 Make sure you have the latest version of clamav.
 
 

I think there are times when a milter might pull an incoming message 
apart and submit it in pieces to clamd that creates a different 
situation than scanning a message that is whole, and stored as a disk 
file. In this case two entirely different objects are being scanned, and 
depending on the way the signature was defined, there can be differences 
in the results.

dp


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread David F. Skoll
rick pim wrote:

 (that said, there's something to be said for bouncing mail: one of our 
 vendors is occasionally silently blocking my email to them. clearly
 SOMETHING about my messages are triggering their spam filters. it sure
 would be nice if i got the bounces for those)

I discard viruses, but reject (with 5xx) spam, because spam-detectors
have a much higher false-positive rate than virus-detectors.

Regards,

David


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
Charles Gregory wrote:
 On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
 telnet isps-server 25 ... HELO bogus ... MAIL FROM:[EMAIL PROTECTED]
 telnet victims-server 25 ... HELO isps-server ... MAIL FROM
 If victim's SMTP server fails the DATA with a 5xx code, then
 backscatter goes [EMAIL PROTECTED]
  it is not my problem what the ISP's mail server
 does with it after I send a 5xx.
 
 Well, first of all, yes it IS. It's *everyone's* problem. That forged
 address could be on *your* server, and *you* get the backscatter from some
 other victim system that also doesn't care what the ISP does with it...
 

Heh, everyone is entitled to their opinion.  Mine just happens to differ
from yours.  I have been at the other end of backscatter and it is by
no means fun but when it happens I am fully capable of taking measures
against as I would any other spam/virus source.  This is where RBLs come
in handy.

 If anything it encourages the ISP to virus filter their users and take
 care of abuse problems rather than silently sweeping them under the
 rug.
 
 Begging pardon, but just because someone uses a standard postfix config
 and follows the standard 'recommended' practice of listing dial-up IP's as
 'trusted clients' does not mean they are 'sweeping' anything under their
 'rug'. It is just a choice made to minimize the performance hit of
 scanning and filtering mail that is 99.99+% valid.

I meant to imply that when the ISP does not virus filter and the
recipient silently drops the message the problem never gets resolved
because nobody is made aware of it.  The ISP customer will continue
to be infected and continue to send out garbage.  I suppose this
is all based on the assumption that the ISP even cares.  Cause as
everyone knows *all* ISPs care.  Right? ;)

 So thank you all, for stirring up some good serious thoughts!

It has been entertaining.

Steven



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Dennis Peterson
rick pim wrote:
 
 On Fri, 8 Aug 2008, Charles Gregory wrote:
 Well, first of all, yes it IS. It's *everyone's* problem. That forged
 address could be on *your* server, and *you* get the backscatter from some
 other victim system that also doesn't care what the ISP does with it...
 
 what he said: we have two accounts/addresses that get, between them,
 about 200,000 bounces a day; this has been going on for something more
 than 8 months.

If the bulk of those is coming from infected PCs there is no harm in 
rejecting them with a 5xx - the PC is going to ignore that anyway - it 
is certainly not going to bounce the message back to the sender. If it 
is coming from a legitimate system it would be useful to provide 
feedback to that system's operator that they are handling dirty mail. In 
that case a 5xx error is appropriate. If they then bounce the message to 
some unsuspecting victim then they will get additional feedback. I don't 
see where dropping those messages is helpful but do see all manner of 
advantages of rejecting with 5xx. My 5xx rejects, which are in the 
thousands, are 10 to one generated by DNSBL or dictionary attempts (user 
unknown), not ClamAV hits.

 
 (that said, there's something to be said for bouncing mail: one of our 
 vendors is occasionally silently blocking my email to them. clearly
 SOMETHING about my messages are triggering their spam filters. it sure
 would be nice if i got the bounces for those)


Can't have it both ways - although you could ask to be whitelisted. I do 
that for all our regular customers and contacts, and also whitelist any 
mail lists our users are on. I'm very happy to expect connecting systems 
to be well run or to suffer the consequences. In fact I feel that way 
about my systems. If I make a mistake I expect to pay for it.

dp


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
Charles Gregory wrote:
 On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
 telnet isps-server 25 ... HELO bogus ... MAIL FROM:[EMAIL PROTECTED]
 telnet victims-server 25 ... HELO isps-server ... MAIL FROM
 If victim's SMTP server fails the DATA with a 5xx code, then
 backscatter goes [EMAIL PROTECTED]
  it is not my problem what the ISP's mail server
 does with it after I send a 5xx.
 
 Well, first of all, yes it IS. It's *everyone's* problem. That forged
 address could be on *your* server, and *you* get the backscatter from some
 other victim system that also doesn't care what the ISP does with it...
 
 That being said, I agree that the number of viruses that still try to find
 and use an infected PC's SMTP server is very small... In which case the
 odds of hitting a false positive via a mail relay are greater than hitting
 a virus via a mail relay. Now that you make me think about it, the only
 time I ever see backscatter from a virus is when someone uses a virus
 checker that generates its own DSN rather than issue SMTP 5xx rejections.
 I am so *very* glad that ClamAV is just a *reporting* tool! :)
 
 If anything it encourages the ISP to virus filter their users and take
 care of abuse problems rather than silently sweeping them under the
 rug.
 
 Begging pardon, but just because someone uses a standard postfix config
 and follows the standard 'recommended' practice of listing dial-up IP's as
 'trusted clients' does not mean they are 'sweeping' anything under their
 'rug'. It is just a choice made to minimize the performance hit of
 scanning and filtering mail that is 99.99+% valid.
 
 BUT this practice of not scanning mail from trusted clients is only
 'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there
 is the risk that mail from one user of a system to another will not be
 virus checked at *all*, permitting the spread of viruses within a given
 user base. 
 
 So my closing thought is that I will want to do two things with my new
 Mail Avenger setup:
   1) I will want to run clamav on *all* messages, regardless of source.
  This will prevent intra-system viruses and also cut down on
  backscatter by preventing my server from relaying an outgoing virus.
   2) I will want to check in procmail to see whether an intra-system 
  message passed through my SMTP or was directly delivered via LDA, and
  in the latter case I will need to run clamav from procmail.
 
 So thank you all, for stirring up some good serious thoughts!
 
 - Charles, HWCN
 


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Noel Jones
Dennis Peterson wrote:
 Noel Jones wrote:
 Darren G Pifer wrote:
 Chambers, Phil wrote:
 Take a look at

   http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
   
 I have seen this document but it does not show how to add signatures
 to a database OR for clamd to detect the phishing e-mail.  I was able
 to create the signature (a .hbd file) and clamscan detects the phishing
 but clamd does not.  Maybe I am missing something.

 If the sig works with clamscan, it will also work with clamdscan.
 Clamd must be stopped and restarted to recognize new signature 
 files.

 Make sure you have the latest version of clamav.


 
 I think there are times when a milter might pull an incoming message 
 apart and submit it in pieces to clamd that creates a different 
 situation than scanning a message that is whole, and stored as a disk 
 file. In this case two entirely different objects are being scanned, and 
 depending on the way the signature was defined, there can be differences 
 in the results.
 
 dp

That's true.  There are some milters and such that try to be 
helpful and unpack/demime mail into its component parts, 
causing signatures designed to scan the complete mail to not 
work.

However, there was a time not too long ago (maybe 0.93.1) that 
some signatures worked with clamscan but were silently ignored 
by clamdscan.  This was seen with command-line file scanning 
of a static file, no milter/filter/whatever involved.  There 
was discussion here about it at the time.

So make sure you have the latest version, which is never bad 
advice when dealing with (seemingly) inconsistent behavior.

-- 
Noel Jones


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
[EMAIL PROTECTED] wrote:
 Charles Gregory wrote:
 On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
 telnet isps-server 25 ... HELO bogus ... MAIL FROM:[EMAIL PROTECTED]
 telnet victims-server 25 ... HELO isps-server ... MAIL FROM
 If victim's SMTP server fails the DATA with a 5xx code, then
 backscatter goes [EMAIL PROTECTED]
  it is not my problem what the ISP's mail server
 does with it after I send a 5xx.
 Well, first of all, yes it IS. It's *everyone's* problem. That forged
 address could be on *your* server, and *you* get the backscatter from some
 other victim system that also doesn't care what the ISP does with it...

 That being said, I agree that the number of viruses that still try to find
 and use an infected PC's SMTP server is very small... In which case the
 odds of hitting a false positive via a mail relay are greater than hitting
 a virus via a mail relay. Now that you make me think about it, the only
 time I ever see backscatter from a virus is when someone uses a virus
 checker that generates its own DSN rather than issue SMTP 5xx rejections.
 I am so *very* glad that ClamAV is just a *reporting* tool! :)

 If anything it encourages the ISP to virus filter their users and take
 care of abuse problems rather than silently sweeping them under the
 rug.
 Begging pardon, but just because someone uses a standard postfix config
 and follows the standard 'recommended' practice of listing dial-up IP's as
 'trusted clients' does not mean they are 'sweeping' anything under their
 'rug'. It is just a choice made to minimize the performance hit of
 scanning and filtering mail that is 99.99+% valid.

 BUT this practice of not scanning mail from trusted clients is only
 'safe' if virus checking is done post-SMTP, in procmail. Otherwise, there
 is the risk that mail from one user of a system to another will not be
 virus checked at *all*, permitting the spread of viruses within a given
 user base. 

 So my closing thought is that I will want to do two things with my new
 Mail Avenger setup:
   1) I will want to run clamav on *all* messages, regardless of source.
  This will prevent intra-system viruses and also cut down on
  backscatter by preventing my server from relaying an outgoing virus.
   2) I will want to check in procmail to see whether an intra-system 
  message passed through my SMTP or was directly delivered via LDA, and
  in the latter case I will need to run clamav from procmail.

 So thank you all, for stirring up some good serious thoughts!

 - Charles, HWCN

Doh, sorry about this.  Too many windows open at the same time...

Steven


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-08 Thread Dennis Peterson
[EMAIL PROTECTED] wrote:

 
 I meant to imply that when the ISP does not virus filter and the
 recipient silently drops the message the problem never gets resolved
 because nobody is made aware of it.  The ISP customer will continue
 to be infected and continue to send out garbage.  I suppose this
 is all based on the assumption that the ISP even cares.  Cause as
 everyone knows *all* ISPs care.  Right? ;)

http://www.spam-site.com/isp-doing-business-with-spammers.shtml

Oh, sure :)

dp


Re: [Clamav-users] [0.3] Re: simplest replacement for ancient amavis-perl

2008-08-08 Thread Charles Gregory
On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
 I have been at the other end of backscatter and it is by no means fun
 but when it happens I am fully capable of taking measures against as I
 would any other spam/virus source.  This is where RBLs come in handy.

How would an RBL help? Backscatter comes from otherwise legitimate
servers that would not be listed. (or if they are I wouldn't trust
those RBL's with my mail!)

 I meant to imply that when the ISP does not virus filter and the
 recipient silently drops the message the problem never gets resolved
 because nobody is made aware of it.

(nod) Then, strictly speaking, that is the *recipient* sweeping it under
the rug, at which point we agree. I much prefer to get the rejections
(even if my server then generates backscatter for them), because they
stand out in my logs and I can quickly spot and eliminate a problem.

 The ISP customer will continue to be infected and continue to send out
 garbage.  I suppose this is all based on the assumption that the ISP
 even cares.  Cause as everyone knows *all* ISPs care.  Right? ;)

Inverse square ratio - size to caring. :-P

- Charles



Re: [Clamav-users] [0.3] Re: simplest replacement for ancient amavis-perl

2008-08-08 Thread kwijibo
Charles Gregory wrote:
 On Fri, 8 Aug 2008 [EMAIL PROTECTED] wrote:
 I have been at the other end of backscatter and it is by no means fun
 but when it happens I am fully capable of taking measures against as I
 would any other spam/virus source.  This is where RBLs come in handy.
 
 How would an RBL help? Backscatter comes from otherwise legitimate
 servers that would not be listed. (or if they are I wouldn't trust
 those RBL's with my mail!)

Private RBLs.

Steven


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Darren G Pifer
Steve Basford wrote:
 Darren G Pifer wrote:
   
 So, the e-mail team and security staff need to be able to create
 signatures so
 that clamd can detect this spam, and similar phishing, and need to get
 the
 database updated in a short time frame.  I do not think submitting
 these to the
 ClamAV database maintainers or other signature maintainers to update the
 databases and get the databases downloaded is going to suffice.

 
 Totally understand.  I have been adding some of these seemingly
 targeted ones into the database, as most of the time,
 the body of the email is the same... all they do is change the name of
 the university... for example, does this one look
 like the same thing you've been seeing:

 http://gwblogspot.blogspot.com/2008/07/email-scam.html
 http://technews.ucdavis.edu/news2.cfm?id=1666

 The offer is there... if you have any samples you want me to add, to
 benefit other uni's too... just sent them to: [EMAIL PROTECTED]
   
Looks the same to me, except for the name of the uni.  I will do as you 
suggest, that is, send ODU specific e-mail to the above address.

I will also take a look at the link sent earlier to see if we can make 
our own signatures.

Darren
ODU


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Gerard
On Fri, 08 Aug 2008 13:26:23 -0500
Noel Jones [EMAIL PROTECTED] wrote:

If the sig works with clamscan, it will also work with clamdscan.
Clamd must be stopped and restarted to recognize new signature 
files.


You can use something like:

pidof clamd   # Get the pid of clamd

kill -USR2 "clamd pid"   # place the pid found above here sans quotation marks.

You could place the whole thing in a small script file if you are going
to use it repeatedly.

-- 
Gerard
[EMAIL PROTECTED]

One man's theology is another man's belly laugh.

