Hi Eric:
I've spent the morning going from one mailserver to another checking
/var/log/qmail/smtp and /var/log/qmail/submission to see what was
happening and I'm more confused than before. Now it appears the 1.2MB
email is getting scanned - at least on one server. I'm going to have to
set up and document some tests.
But here are some interesting tidbits I learned:
1. Simscan is running ClamAV and checking for viruses (but not spam) on
outgoing emails - this shows in /var/log/qmail/submission with
SIMSCAN_DEBUG="5"
2. In tcprules.d/tcpsmtp if you assign RELAYCLIENT="" to an IP address
then mail from that IP is not checked by simscan for viruses or spam.
Same thing happens if you forget to add
QMAILQUEUE="/var/qmail/bin/simscan".
Jeff
On 9/17/2020 12:22 PM, Eric Broch wrote:
Jeff,
Also, can you post the whole simscan transaction?
Eric
On 9/17/2020 10:16 AM, Eric Broch wrote:
What's in /var/qmail/control/databytes ?
On 9/17/2020 8:50 AM, Jeff Koch wrote:
Hi Andreas:
Thanks. However we did some testing yesterday and found that a 1.2MB
email with a PDF attachment was not getting scanned for viruses or
spam whereas a 219KB email with a doc attachment was. I'm thinking
there must be some other setting controlling what simscan scans or
doesn't.
Jeff
On 9/17/2020 5:41 AM, Andreas Galatis wrote:
Hi Jeff,
the setting is in clamd.conf
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
Andreas
On 16.09.20 at 23:24, Jeff Koch wrote:
Hi Eric:
One thing I've noticed is that there's a message size limit on
what simscan/spamd/clamd will check. Messages over several
megabytes are skipped. Is there a config file somewhere
controlling that?
Jeff
On 9/16/2020 2:07 PM, Eric Broch wrote:
Hi Jeff,
I'm not sure why ClamAV would miss a virus. Maybe they'd have a
better idea on the ClamAV mailing list.
I've never really depended on ClamAV or Spamassassin, though I'd
like to, but when killing spam was absolutely necessary I used a
third party spam gateway.
Eric
On 9/16/2020 9:43 AM, Jeff Koch wrote:
We think we're having a problem with one of our mailservers
whereby users' PCs are getting hit with viruses. All
mailservers have had ClamAV recently updated to version 0.102.4.
The logs at /var/log/qmail/smtp and /var/log/qmail/submission
show that ClamAV is indeed analyzing emails and attachments so
we're trying to figure out how these viruses are getting
through. We do see that most 'Virus Drops' are due to spoofed
domains. Very, very few are noted as Trojans or actual viruses.
Can anyone share the results of:
grep simscan /var/log/qmail/smtp/current|tai64nlocal |less
showing that clamav is finding actual viruses?
Any thoughts or suggestions would be appreciated.
Jeff
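
An audit for the two conditions reported at the top of this thread (RELAYCLIENT assigned to an address, or QMAILQUEUE not pointing at /var/qmail/bin/simscan), given here as an added example that is not part of any poster's message. The sample rules are constructed, the names parse_rule and audit are hypothetical, and the parser assumes IPv4 or hostname rules in the usual tcprules address:allow,VAR="value" form.

```python
# Added example: flag tcprules entries that would let mail skip simscan.
# Constructed sample rules (documentation IP ranges), not taken from the thread.
SAMPLE_RULES = """\
# constructed tcp.smtp sample
127.:allow,RELAYCLIENT=""
192.0.2.10:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan"
198.51.100.:allow,SIMSCAN_DEBUG="5"
203.0.113.7:deny
:allow,QMAILQUEUE="/var/qmail/bin/simscan",SIMSCAN_DEBUG="5"
"""

SIMSCAN = "/var/qmail/bin/simscan"


def parse_rule(line):
    """Split one tcprules line into (address, action, env); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    address, _, rest = line.partition(":")   # IPv4/hostname rules assumed
    action, _, tail = rest.partition(",")
    env, i = {}, 0
    while i < len(tail):
        eq = tail.index("=", i)
        quote = tail[eq + 1]                  # tcprules accepts any repeated delimiter
        end = tail.index(quote, eq + 2)
        env[tail[i:eq]] = tail[eq + 2:end]
        i = end + 2                           # skip closing delimiter and comma
    return address, action, env


def audit(text, scanner=SIMSCAN):
    """Return (line_no, address, reason) for allow rules that bypass the scanner."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[1] != "allow":
            continue
        address, _, env = rule
        if env.get("QMAILQUEUE") != scanner:
            findings.append((line_no, address, "QMAILQUEUE is not simscan"))
        if "RELAYCLIENT" in env:
            findings.append((line_no, address, "RELAYCLIENT is set"))
    return findings


if __name__ == "__main__":
    for line_no, address, reason in audit(SAMPLE_RULES):
        print(f"line {line_no}: {address or '(default)'}: {reason}")
```

A flagged RELAYCLIENT rule is not necessarily wrong; it marks an address whose mail should be confirmed as scanned in /var/log/qmail/smtp or /var/log/qmail/submission.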