Re: [Mimedefang] file extension regex bug

2004-02-13 Thread Steffen Kaiser
On Thu, 12 Feb 2004, David F. Skoll wrote:

 That was not a bug.  It was an attempt to guard against malformed
 MIME like this:

 Content-Type: application/octet-stream; name=foobar.exe .txt

 vs.

 Content-Type: application/octet-stream; name=foobar.txt .exe


 However, the old behavior was so unpopular that as of 2.39, I anchored
 the regexp.

Would it be possible to parse and re-create MIME sub headers, in order to
place, at least, double quotes around the name?

Bye,

-- 
Steffen Kaiser
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
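To make the point above concrete, here is an added example (it is not code from MIMEDefang, and not David's actual regex or anyone's filter from this thread). It reads the name= parameter the two ways a receiver might, as the whole raw value and, for an unquoted value containing whitespace, as the first token a strict RFC 2045 tokenizer would keep, applies the anchored check to each reading, and reports when the readings disagree. The refused-extension list, the function names and the sample headers are assumptions.

```perl
#!/usr/bin/perl
# Added example (not MIMEDefang code): why an anchored extension match
# alone is not enough for a name like "foobar.exe .txt". The extension
# list and every helper name below are illustrative assumptions.
use strict;
use warnings;

# Extensions this site refuses (assumed list).
my @BAD_EXT = qw(exe com pif scr bat vbs);
my $BAD_RE  = join '|', map { quotemeta } @BAD_EXT;

# Raw value of the name= parameter of a Content-Type/Content-Disposition
# line. A quoted value is taken verbatim; an unquoted one runs to the next
# ';' or end of line, so it may contain spaces. Returns (value, was_quoted).
sub raw_name_param {
    my ($hdr) = @_;
    return ($1, 1) if $hdr =~ /\bname\s*=\s*"([^"]*)"/i;
    if ($hdr =~ /\bname\s*=\s*([^;]*)/i) {
        (my $v = $1) =~ s/\s+$//;
        return ($v, 0);
    }
    return;
}

# Every name the same header can reasonably be read as: the whole raw
# value, plus (unquoted value with internal whitespace) the token a strict
# RFC 2045 tokenizer would stop at.
sub candidate_names {
    my ($hdr) = @_;
    my ($raw, $quoted) = raw_name_param($hdr);
    return () unless defined $raw;
    my @names = ($raw);
    push @names, $1 if !$quoted && $raw =~ /^(\S+)\s+\S/;
    return @names;
}

# Anchored test: only the final extension of one name counts.
sub has_bad_ext {
    my ($name) = @_;
    return $name =~ /\.(?:$BAD_RE)$/i ? 1 : 0;
}

# Final extension of a name, lower-cased, or '' if it has none.
sub last_ext {
    my ($name) = @_;
    return $name =~ /\.([^.\s]+)$/ ? lc $1 : '';
}

# 'reject' if any reading ends in a refused extension, 'ambiguous' if the
# readings disagree about the extension, otherwise 'ok'.
sub verdict {
    my ($hdr) = @_;
    my @names = candidate_names($hdr);
    return 'ok' unless @names;
    return 'reject' if grep { has_bad_ext($_) } @names;
    my %ext = map { last_ext($_) => 1 } @names;
    return scalar(keys %ext) > 1 ? 'ambiguous' : 'ok';
}

unless (caller) {
    # Constructed header lines, including the two from the thread.
    for my $hdr (
        'application/octet-stream; name=foobar.exe .txt',       # reject
        'application/octet-stream; name=foobar.txt .exe',       # reject
        'application/octet-stream; name="quarterly report.pdf"', # ok
        'application/octet-stream; name=notes.txt .doc',        # ambiguous
    ) {
        printf "%-58s => %s\n", $hdr, verdict($hdr);
    }
}
```

The first two headers are refused because one of their readings ends in .exe; the last one is flagged only as ambiguous, which is the case a filter can log or rebuild (quoting the name, as action_rebuild does) rather than bounce. The example looks only at name=, as the thread does; a filter would apply the same treatment to filename=.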


[Mimedefang] OT: a hole in Sophos

2004-02-13 Thread Andrzej Marecki
I'm using MD+SA+Sophie+Sophos (SAVI libs + .ide).
Do you think that what has been written in:

http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDDid=74

...means my system is vulnerable to attacks via that hole?

AM

-- 
-  
Andrzej Marecki| 
Torun Centre for Astronomy |   e-mail: [EMAIL PROTECTED]
N. Copernicus University   |   WWW:http://www.astro.uni.torun.pl
ul. Gagarina 11|   tel: +48 56 6113032
PL-87-100 Torun, POLAND|   fax: +48 56 6113009
-  
If Bill Gates actually had to admin his own stuff, he'd shoot himself.
-  


RE: [Mimedefang] greylisting implementation

2004-02-13 Thread Steven Rocha
I have modified Jonas' code to work on my Redhat servers if anyone is
interested.  I had to make minor changes to the database locking
mechanism.

Let me know and I will post the code.

Steven Rocha


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jonas
Eckerman
Sent: Thursday, February 12, 2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] greylisting implementation

On Fri, 13 Feb 2004 01:17:29 +0530, kamal wrote:

  Is there a complete greylisting implementation for Mimedefang, as

My mimedefang-filter, which implements fairly complete greylisting, is
at:
http://whatever.frukt.org/mimedefang-filter.shtml

You'll have to manually go through the code and pick out what you need,
but that shouldn't be too hard.

  proposed by http://projects.puremagic.com/greylisting/

I don't remember how close my implementation is to that text, but I made
it configurable and IIRC it can be configured exactly as that text
proposes. I do think my implementation is more complete than the
proposal though. :-)

Regards
/Jonas

-- 
Jonas Eckerman, [EMAIL PROTECTED]
http://www.fsdb.org/




Re: [Mimedefang] file extension regex bug

2004-02-13 Thread David F. Skoll
On Fri, 13 Feb 2004, Steffen Kaiser wrote:

 Would it be possible to parse and re-create MIME sub headers, in order to
 place, at least, double quotes around the name?

action_rebuild() does that.  But because of limitations in Milter, it will
only change internal MIME headers, not the main headers of the message.

Regards,

David.


RE: [Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefangtimeout

2004-02-13 Thread David F. Skoll
On Fri, 13 Feb 2004, Rob wrote:

 However it would be nice if MD didn't make
 any assumptions about the capability of any virus scanner and did the same
 as AMAVIS does - extract and decode the email so that the virus scanner
 software has as little to do as possible.

MIMEDefang does exactly that.

Regards,

David.


Re: [Mimedefang] memory leak?

2004-02-13 Thread Ron Peterson

On Thu, 12 Feb 2004, Kevin A. McGrail wrote:
 
  Yesterday 50K.  (grep 'stat=Sent' /var/log/syslog.01 | wc).  More actually
  come in, of course..
 
 I would need a total volume to comment.
 
 You have to limit your sendmail process.  Figure that otherwise a DoS could
 take down your box.  200 simultaneous connections is fairly easy to do.
 
  So you would do define(`confMAX_DAEMON_CHILDREN',`100'), or somesuch?  And
  what happens if someone hammers us?
 
 I would do:
 
   define(`confMAX_DAEMON_CHILDREN', `60')dnl

Thanks Kevin.

Would you recommend any other sendmail tuning, like below?  I can see how
this could be useful, but I don't have a good feel for what the 
appropriate settings might be.

define(`confQUEUE_LA',`85')
define(`confREFUSE_LA',`85')
define(`confDELAY_LA',`50')
define(`confCONNECTION_RATE_THROTTLE',`5')
define(`confNICE_QUEUE_RUN',`3')dnl

_
Ron Peterson
Network & Systems Manager
Mount Holyoke College




[Mimedefang] Aggressive mailers

2004-02-13 Thread Jonas Eckerman
Hello!

I've been thinking about getting my filter to blacklist (for a month or so)
mailers that can't take no for an answer, but yesterday something happened
that made me wanna check with others first.

Yesterday a mailer went amok when trying to get a mail through to our
server. It was tempfailed by the greylist as it should, but instead of
waiting for a while before trying again it retried 886 times in 10 minutes
(after which it was let through by the greylist).

At first I thought this had to be some kind of virus or spam, but it turned
out to be a legitimate* mail to a user. Not only that, it came from a server
handled by an ISP that rents mail services to other companies (and therefore
really should know better).

My question is:

Do you people often see otherwise acceptable mailers exhibiting this kind of
behaviour? I can take having to lecture other admins** before our users get
their mail as long as it isn't too often.

I haven't seen any legitimate mail coming at us like this before, so I
suspect it's pretty unusual.

*: Ok, the mail wasn't really perfectly legitimate. It was declared as
multipart, but it didn't contain any parts at all except the default part
that is shown for non-MIME-capable clients. That part contained badly
formatted and completely pointless HTML. But it was legitimate in that the
user actually wanted it, and had even asked for it.

**: Yes, of course I have written to postmaster (both the ISP's and the
domain's) about it. Haven't received any answer yet though.

Regards
/Jonas

-- 
Jonas Eckerman, [EMAIL PROTECTED]
http://www.truls.org/


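An added example tying together the greylisting thread above and this one; it is not Jonas's filter, not Steven's modification of it, and not MIMEDefang code. It shows the core greylist decision on the (client IP, sender, recipient) triplet in the shape a filter_recipient callback returns, plus a retry counter that only records a mailer hammering the server, since (as replies in this thread point out) blacklisting such senders costs real mail. The tunables, the in-memory store and the sample addresses are assumptions; a real deployment needs a store shared across all mimedefang.pl slaves.

```perl
#!/usr/bin/perl
# Added example (not Jonas's filter, not MIMEDefang code): greylist
# decision on the client/sender/recipient triplet plus a retry counter.
# All tunables, names and addresses below are assumptions/constructed.
use strict;
use warnings;

my $GREY_DELAY   = 5 * 60;        # seconds a new triplet must wait
my $GREY_EXPIRE  = 4 * 60 * 60;   # unconfirmed triplets are forgotten after this
my $RETRY_WINDOW = 10 * 60;       # window for counting retries
my $RETRY_ALARM  = 50;            # log above this many tries in the window

# Process-local store keyed by "ip|sender|recipient". A real filter needs
# storage shared by every mimedefang.pl slave (locked DB_File, SQL, ...).
my %db;

# $now is passed in so the logic can be driven without real waiting.
# Returns ('TEMPFAIL', msg) or ('CONTINUE', 'ok'), the shape a
# filter_recipient callback in mimedefang-filter returns.
sub greylist_check {
    my ($ip, $sender, $rcpt, $now) = @_;
    my $key = join '|', $ip, lc $sender, lc $rcpt;
    my $rec = $db{$key};

    # Unknown triplet, or one that never confirmed and has expired: start over.
    if (!$rec || (!$rec->{passed} && $now - $rec->{first} > $GREY_EXPIRE)) {
        $db{$key} = { first => $now, passed => 0, recent => [$now], flagged => 0 };
        return ('TEMPFAIL', 'Greylisted, please try again later');
    }

    # Count retries in a sliding window; note (do not block) aggressive ones.
    push @{ $rec->{recent} }, $now;
    @{ $rec->{recent} } = grep { $now - $_ <= $RETRY_WINDOW } @{ $rec->{recent} };
    if (@{ $rec->{recent} } > $RETRY_ALARM && !$rec->{flagged}) {
        $rec->{flagged} = 1;
        warn sprintf("%s retried %d times in %ds for %s -> %s\n",
                     $ip, scalar @{ $rec->{recent} }, $RETRY_WINDOW, $sender, $rcpt);
    }

    if ($rec->{passed} || $now - $rec->{first} >= $GREY_DELAY) {
        $rec->{passed} = 1;
        return ('CONTINUE', 'ok');
    }
    return ('TEMPFAIL', 'Greylisted, please try again later');
}

# Retries seen for a triplet inside the window (for logs/reports).
sub retries_in_window {
    my ($ip, $sender, $rcpt) = @_;
    my $rec = $db{ join '|', $ip, lc $sender, lc $rcpt };
    return $rec ? scalar @{ $rec->{recent} } : 0;
}

unless (caller) {
    # Constructed triplet: a well-behaved mailer.
    my @who = ('192.0.2.10', 'list@example.org', 'user@example.net');
    my ($code) = greylist_check(@who, 0);
    print "first attempt:      $code\n";     # TEMPFAIL
    ($code) = greylist_check(@who, 60);
    print "retry after 1 min:  $code\n";     # TEMPFAIL
    ($code) = greylist_check(@who, 15 * 60);
    print "retry after 15 min: $code\n";     # CONTINUE

    # The mailer from this thread: 886 tries spread over 10 minutes.
    my @hog = ('192.0.2.20', 'news@example.org', 'user@example.net');
    greylist_check(@hog, $_ * 600 / 886) for 0 .. 886;
    printf "hog: %d tries in the window, last verdict %s\n",
        retries_in_window(@hog), (greylist_check(@hog, 600))[0];
}
```

The aggressive sender is still let through once the delay has elapsed, exactly as Jonas's greylist did; the only extra effect is one warning line that an admin can follow up on.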


RE: [Mimedefang] greylisting implementation

2004-02-13 Thread Steven Rocha
All,

I have attached a modified version of our mimedefang-filter.  

Modifications to filter:

1.  Added Greylisting
2.  Added stream by domain
3.  Added clamd virus scanning, dropping specific worm viruses
4.  Added filtering of specific filenames
5.  Added SALocalTestsOnly for SA rbl checks
6.  Added lc($Domain) to facilitate case differences in domain names.
7.  Added a subject change to prepend ***SPAM***
8.  Added an additional header to label spam X-SPAM-Listing

Notes:

I have disabled greylisting in the mimedefang filter.  Just change the
appropriate variable.  There are known issues with WHERE I am
greylisting.  Please research and possibly greylist in filter begin/end.
I will let you do some homework. =;)  

If anyone has any comments or suggestions on how I could improve my
code, it would be welcome.  If anyone has problems with this code,
hmmm... well... it works for me and I am a Micros0ft/Novell geek.  I
guess my Comp Sci major helped with being able to read/change the code.

Hope this helps!!

Later,


Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Les
Mikesell
Sent: Friday, February 13, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Mimedefang] greylisting implementation

On Fri, 2004-02-13 at 06:03, Steven Rocha wrote:
 I have modified Jonas' code to work on my Redhat servers if anyone is
 interested.  I had to make minor changes to the database locking
 mechanism.
 
 Let me know and I will post the code.

Yes, please post the Redhat version.

---
  Les Mikesell
   [EMAIL PROTECTED]






Re: [Mimedefang] Aggressive mailers

2004-02-13 Thread Jon R. Kibler
Jonas Eckerman wrote:
 
 Hello!
 
 I've been thinking about getting my filter to blacklist (for a month or so) mailers 
 that can't take no for an answer, but yesterday something happened that made me 
 wanna check with others first.

For exactly the reason below, you don't want to do that!

 
 Yesterday a mailer went amok when trying to get a mail through to our server. It was 
 tempfailed by the greylist as it should, but instead of waiting for a while before 
 trying again it retried 886 times in 10 minutes (after which it was let through by 
 the greylist).
 

What you describe is not uncommon. I have seen this type of behavior exhibited even by 
some of the major ISPs. AOL is really famous for it, but not to the extent you 
describe. Sometimes they will have an MTA whose hostname will not resolve and we 
tempfail the message. They will try again about every 10 or 15 seconds until either 
their hostname resolves and we accept the message, or about 10 or 15 minutes goes by 
and they stop trying forever. Worse, they usually do not inform the sender that the 
message was not delivered.

Bottom line... bad idea.
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214






Re: [Mimedefang] memory leak? is it an IBM x-series?

2004-02-13 Thread Ron Peterson

On Fri, 13 Feb 2004 [EMAIL PROTECTED] wrote:

 We had similar problems with an IBM x345 server -- we tried many things 
 eventually updating to 2.4.23-pre7 and up fixed it.
 
 I updated the tg3 driver and stability improved a bit, I updated the ibm 
 ServeRaid driver (ips module) level to 610 and stability improved a bit, 
 disabled hyperthreading did many and various other things 
 (bios/driver/patch), but for us 2.4.23-pre7 and up fixed it -- running 
 2.4.25-pre6 now without problems.

I'm on 2.4.24 from kernel.org right now.  I was using the Broadcom driver
bcm5700 for a time, but reading through various lists, the consensus
seemed to be that tg3 was the better choice.  At the time I upgraded my
kernel, the bcm5700 driver wasn't patched against 2.4.24 yet.  The latest
7.1.22, released 2.3.2004 is up to 2.4.24.

Meanwhile, I've purchased a handful of Intel PRO/1000 MT adapters which
I'm going to try.  If I have the same problem with a completely different
adapter, that should rule that out.

I now also have
define(`confMAX_DAEMON_CHILDREN',`100')dnl

Now wait...

_
Ron Peterson
Network & Systems Manager
Mount Holyoke College



Re: [Mimedefang] Aggressive mailers

2004-02-13 Thread David F. Skoll
On Fri, 13 Feb 2004, Jon R. Kibler wrote:

 Yesterday a mailer went amok when trying to get a mail through to
 our server. It was tempfailed by the greylist as it should, but
 instead of waiting for a while before trying again it retried 886 times
 in 10 minutes (after which it was let through by the greylist).

 What you describe is not uncommon.

Sympatico (a Canadian ISP) also has a rather aggressive retry schedule.
Magma (another Canadian ISP) goes to the other extreme, and seems to retry
only every 12 hours!

Regards,

David.


RE: [Mimedefang] Aggressive mailers

2004-02-13 Thread Cormack, Ken
Geeze, and I once thought I was being overly aggressive when I reduced my
vendor's sendmail default retry value from 1 hour to 5 minutes.  LOL


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David
F. Skoll
Sent: Friday, February 13, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Aggressive mailers


On Fri, 13 Feb 2004, Jon R. Kibler wrote:

 Yesterday a mailer went amok when trying to get a mail through to
 our server. It was tempfailed by the greylist as it should, but
 instead of waiting for a while before trying again it retried 886 times
 in 10 minutes (after which it was let through by the greylist).

 What you describe is not uncommon.

Sympatico (a Canadian ISP) also has a rather aggressive retry schedule.
Magma (another Canadian ISP) goes to the other extreme, and seems to retry
only every 12 hours!

Regards,

David.


RE: [Mimedefang] filter_relay not working?

2004-02-13 Thread Mike Smith
Got it working. My bust... I had the -r in mimedefang-multiplexor, not
mimedefang :)


 What you are trying to accomplish is rather opaque to me. Can you please
 specify?

I have a Secondary MX that will spool up mail in the event the primary goes
down. As you know, spammers will often try the higher weighted MX's in the
hopes of sneaking things through. So on this secondary I'm running MD/SA and
RBL checks. I was finding that this machine would identify a message as SPAM
and add the headers. Then it would forward to the primary and it would
change the SPAM headers and say it wasn't spam. See below.

Feb 13 08:19:57 mail sendmail[6308]: i1DGJvR9006308: Milter change: header
X-Spam-Status: from Yes, hits=5.533 required=5\n version=SpamAssassin 2.63
tests=BAYES_44,DATE_MISSING,FROM_NO_LOWER,MSGID_FROM_MTA_SHORT to No,
hits=-4.562 required=5\n version=SpamAssassin 2.63
tests=BAYES_00,NO_REAL_NAME

I have since dropped the mimedefang-ip-key, since by using the filter_relay,
there is no way to strip the header since I accept the message outright if
coming from my MX02 box.

If there is a better way of handling/accomplishing this, I'd love to hear
it.

Thanks for all the replies.

- Mike




Re: [Mimedefang] OT: a hole in Sophos

2004-02-13 Thread Michael Sofka
On Friday 13 February 2004 04:44, Andrzej Marecki wrote:
 I'm using MD+SA+Sophie+Sophos (SAVI libs + .ide).
 Do you think that what has been written in:

 http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDDi
d=74

 ...means my system is vulnerable to attacks via that hole?

We have noticed this on our system.  It seems to only be happening
when cpu-damaged anti-virus programs bounce back a copy of the virus
as text.  Sophos lets it through because it is not an attachment
(I've tried sweep against the entire body of the message, so it
isn't just a matter of MIME:Tools not extracting the virus.)

Norton, however, does detect it.

But, Norton does not always do the right thing once the message is detected.
For Eudora users, it removes the entire in.mbx file.  Even though, in order
to run the virus, a Eudora user would have to: Save the message, find and
run a binhex decoder on the body of the message, and double click on the
resulting file.  In my opinion, the user smart enough to do steps one and
two, but clueless enough to do step three doesn't exist.

Still, it would be nice to catch these.  But, my view is that the fault
is not entirely Sophos, and I would rather run message bodies against
a binhex extractor to catch fragments missed by MIME:Tools.

BTW, When MyDoom first came out we tested Norton and it also missed
MyDoom embedded as text.  An update last week seems to have changed
NAV's behavior, leading to the deleted in.mbx problem.

Mike

-- 
Michael D. Sofka  [EMAIL PROTECTED]
CCT Sr. Systems ProgrammerEmail, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/



RE: [Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefangtimeout

2004-02-13 Thread Rob
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of David F. Skoll
 
 On Fri, 13 Feb 2004, Rob wrote:
 
  However it would be nice if MD didn't make any assumptions about the
  capability of any virus scanner and did the same as AMAVIS does - extract
  and decode the email so that the virus scanner software has as little to
  do as possible.
 
 MIMEDefang does exactly that.

Hmm, then something strange is going on with my build - FreeBSD 5.2 with
Sendmail 8.12.11, MD 2.39 both built from ports.

In the clamd log I get the following for an email with a ZIP attachment:

/var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-4.txt: OK
/var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-5.zip: OK

The ZIP file in question contains 3 files (a .ini, .dll and .txt).  No sign
of them being extracted.

Am I likely to be missing something that is required to extract ZIP files?
I get the same result for .bz2 and .gz files.

-- 
Rob  


RE: [Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefangtimeout

2004-02-13 Thread David F. Skoll
On Fri, 13 Feb 2004, Rob wrote:

 /var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-4.txt: OK
 /var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-5.zip: OK

 The ZIP file in question contains 3 files (a .ini, .dll and .txt).  No sign
 of them being extracted.

Ah, I misunderstood.

MIMEDefang does not extract zip files.  Nor do I ever plan on adding that
functionality.  I have two reasons for taking this position:

1) The number and variety of archives is bewildering (ZIP, LHARC, tar.gz,
tar.bz2, LZH, ...) and when you have zips containing tars containing ... it
becomes too messy to deal with.

2) I'm not confident I could obtain code for all those formats which is
resistant to decompression bombs.

Regards,

David.
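David's second reason is the one worth seeing in code. The following is an added example, not MIMEDefang code and not something the project ships: it inflates an archive's members under a hard byte ceiling, counting bytes actually produced rather than trusting the sizes in the zip headers, which is the property any extractor would need before it could be bolted onto a mail filter. It uses the core IO::Compress::Zip and IO::Uncompress::Unzip modules; the limits, the function names and the sample archive (a tiny text file plus 8 MiB of zeros, which deflate packs into a few KiB) are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not MIMEDefang code): bounded inflation of a zip archive.
# The ceilings, helper names and the sample archive are constructed.
use strict;
use warnings;
use IO::Compress::Zip qw($ZipError);
use IO::Uncompress::Unzip qw($UnzipError);

my $MAX_MEMBER = 1 * 1024 * 1024;   # bytes we will produce for one member
my $MAX_TOTAL  = 4 * 1024 * 1024;   # ... and for the whole archive

# Stream-inflate every member, counting bytes actually produced, and stop
# the moment a ceiling is crossed. Sizes declared in the zip headers are
# attacker-controlled, so they are deliberately not consulted.
# Returns { ok => 0|1, reason => '...', members => [ [name, bytes], ... ] }.
sub scan_zip_bounded {
    my ($zipref) = @_;   # reference to the raw archive bytes
    my $u = IO::Uncompress::Unzip->new($zipref, Transparent => 0)
        or return { ok => 0, reason => "not a zip: $UnzipError", members => [] };
    my ($total, @members) = (0);
    my $status;
    for ($status = 1; $status > 0; $status = $u->nextStream) {
        my $name  = $u->getHeaderInfo->{Name};
        my $bytes = 0;
        my $buf;
        while (($status = $u->read($buf, 65536)) > 0) {
            $bytes += $status;
            $total += $status;
            if ($bytes > $MAX_MEMBER || $total > $MAX_TOTAL) {
                push @members, [$name, $bytes];
                return { ok => 0, reason => "inflation limit exceeded in $name",
                         members => \@members };
            }
        }
        push @members, [$name, $bytes];
        last if $status < 0;
    }
    return { ok => 0, reason => "corrupt archive: $UnzipError", members => \@members }
        if $status < 0;
    return { ok => 1, reason => 'within limits', members => \@members };
}

# Constructed sample: a tiny text member followed by 8 MiB of zeros.
sub build_sample_zip {
    my $zip = '';
    my $z = IO::Compress::Zip->new(\$zip, Name => 'readme.txt')
        or die "zip: $ZipError";
    $z->print("hello\n");
    $z->newStream(Name => 'bomb.bin');
    $z->print("\0" x (8 * 1024 * 1024));
    $z->close;
    return \$zip;
}

unless (caller) {
    my $zipref = build_sample_zip();
    printf "archive size on the wire: %d bytes\n", length $$zipref;
    my $r = scan_zip_bounded($zipref);
    printf "%s: %s\n", ($r->{ok} ? 'ok' : 'REJECT'), $r->{reason};
    printf "  %-12s %d bytes inflated\n", @$_ for @{ $r->{members} };
}
```

Running it rejects the sample after roughly 1 MiB of bomb.bin has been produced, having read only a few KiB from the wire. Note that this covers one format only; David's first reason (nested archives of many formats) is exactly why a ceiling like this must apply to the total output of the whole recursion, not to each layer separately.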


RE: [Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefangtimeout

2004-02-13 Thread Rob
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of David F. Skoll
 
 Ah, I misunderstood.
 
 MIMEDefang does not extract zip files.  Nor do I ever plan on 
 adding that
 functionality.  I have two reasons for taking this position:

That's a shame, but worth knowing.  Means I'll be leaving AMAVIS in the loop
for a while longer then :(

-- 
Rob  


[Mimedefang] delete_recipient does not work for mixed case recipients

2004-02-13 Thread Justin Michael
Hi,

I'm still having a problem with mimedefang's delete_recipient
not working with a mixed case recipient.  

sendmail 8.12.10
mimedefang 2.38

Here's my sample spam delivered via telneting to my host:

helo myserver
mail from: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
data
Date: February 13, 2004
From: J M [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED] 
Subject: Test of spam analysis 4848
THIS SHOULD LOOK LIKE SPAM SPAM SPAM.
YOU WILL STILL GET IT PER YOUR REQUEST
IT HAS UNDISCLOSED RECIPIENTS
CALL TOLL FREE TO REMOVE
YOU HAVE REQUESTED THIS SPAM
BUY THIS NOW AT 1-800-232-3323 for $10,000,000.00
VIAGRA
CLICK HERE TO REMOVE <a href="mailto: [EMAIL PROTECTED]">HERE</a>
<a href="http://www.msn.fullfeed.com">click here</a>
.
quit

Here's the code from mimedefang-filter:

if ($MOVESPAM && $hits >= $SAMoveScore) {
    action_add_header("X-Spam-Rec", "@Recipients");
    my ($neworig);
    my ($ok2add);
    $ok2add = 0;
    foreach $neworig (@Recipients) {
        delete_recipient(lc($neworig));
        delete_recipient(uc($neworig));
        delete_recipient($neworig);
        # retry with the address wrapped in double quotes
        $neworig = "\"" . $neworig . "\"";
        delete_recipient(lc($neworig));
        delete_recipient(uc($neworig));
        delete_recipient($neworig);
    }   # end of recipient loop
    add_recipient("[EMAIL PROTECTED]");
}   # end of movespam conditional

Here's the log:

Feb 13 14:46:53 mail3 sendmail[32375]: i1DJkfpe032375: [EMAIL PROTECTED], size=488, 
class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=SMTP, daemon=MTA, 
relay=myserver.mydomain.com [MY.IP.ADR.HRE]
Feb 13 14:46:53 mail3 mimedefang.pl[27999]: i1DJkfpe032375: Moved SPAM: 20.829 [EMAIL 
PROTECTED] [EMAIL PROTECTED]
Feb 13 14:46:53 mail3 sendmail[32381]: i1DJkfpe032375: [EMAIL PROTECTED], 
delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30488, relay=mta.mydomain.net. 
[IP.ADR.HRE.XX], dsn=2.0.0, stat=Sent (i1DJkrku029201 Message accepted for delivery)
Feb 13 14:46:53 mail3 sendmail[32381]: i1DJkfpe032375: to=[EMAIL PROTECTED], 
delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30488, relay=myserver.mydomain.com. 
[IP.NO.WAS.HRE], dsn=2.0.0, stat=Sent (Message accepted for delivery)



Re: [Mimedefang] file extension regex bug

2004-02-13 Thread Lucas Albers
Thanks for the succinct answer.
and I apologize for implying you had a bug and not a feature in your code.
:)

I will go beat on the downstream maintainers about this.

David F. Skoll said:

 That was not a bug.  It was an attempt to guard against malformed
 MIME like this:

 However, the old behavior was so unpopular that as of 2.39, I anchored
 the regexp.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



RE: [Mimedefang] ClamAV and related issues running under MD. was: Re:Mimedefangtimeout

2004-02-13 Thread Lucas Albers

Rob said:
 /var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-4.txt: OK
 /var/spool/MIMEDefang/mdefang-i1DKATdg040935/Work/msg-38690-5.zip: OK

 The ZIP file in question contains 3 files (a .ini, .dll and .txt).  No
 sign
 of them being extracted.

Perhaps I really am not understanding this.
Don't you have to give it the --unzip -r and --mbox
switch to get these in clam?


Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Mimedefang] resolving socket errors

2004-02-13 Thread Lucas Albers
I noticed in some situations you need to pause mimedefang on a restart, to
give the socket time to get cleared out.
Is there a way to test and see if the socket is correctly formed before
starting mimedefang?

Eg you have another switch on the restart switch that does not wait an
arbitrary amount of time between the stop and start, but waits the minimal
amount of time by detecting the correct creation of the sock, before
starting mimedefang up again.
Would it be good enough to detect that the file exists?

Example would be another option on restart like smart-restart, which does
thus:
stop mimedefang,
pause until socket is correctly destroyed,
then starts up mimedefang.
Would checking for the existence of the socket file be good enough?

My normal fix is to pause 3 seconds between restarts of mimedefang.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana

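On the question of whether checking for the socket file is enough: an added example, not part of MIMEDefang's init scripts. A Unix-domain socket file can outlive the process that created it (after a crash, for instance), so the file's existence says nothing about whether a daemon is still bound to it; attempting a connection does, because a live listener accepts and a stale file fails with ECONNREFUSED. The script creates its own temporary socket to demonstrate both states; the socket path and the polling constants are stand-ins, not the real mimedefang socket.

```perl
#!/usr/bin/perl
# Added example (not MIMEDefang's own restart logic): tell a live Unix
# socket from a stale socket file, and wait for it to clear. The socket
# path and timings below are stand-ins for the real ones.
use strict;
use warnings;
use Socket qw(SOCK_STREAM);
use IO::Socket::UNIX;
use File::Temp qw(tempdir);
use Time::HiRes qw(sleep time);

# "Does the file exist" is the wrong question; "does anyone accept
# connections on it" is the right one.
sub socket_is_live {
    my ($path) = @_;
    return 0 unless -S $path;
    my $c = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $path) or return 0;
    close $c;
    return 1;
}

# Poll every $interval seconds until no listener answers on $path, for at
# most $timeout seconds. Returns seconds waited, or undef on timeout.
sub wait_until_socket_cleared {
    my ($path, $timeout, $interval) = @_;
    $interval ||= 0.1;
    my $start = time;
    while (1) {
        my $waited = time - $start;
        return $waited unless socket_is_live($path);
        return undef if $waited >= $timeout;
        sleep $interval;
    }
}

unless (caller) {
    my $dir  = tempdir(CLEANUP => 1);
    my $path = "$dir/mimedefang.sock";           # stand-in path
    my $srv  = IO::Socket::UNIX->new(Type => SOCK_STREAM, Local => $path, Listen => 5)
        or die "listen on $path: $!";
    printf "listening:  file=%d live=%d\n", (-S $path ? 1 : 0), socket_is_live($path);
    close $srv;    # the "daemon" exits; its socket file is left behind
    printf "after exit: file=%d live=%d\n", (-S $path ? 1 : 0), socket_is_live($path);
    my $w = wait_until_socket_cleared($path, 3);
    print defined $w ? sprintf("cleared after %.3fs\n", $w) : "timed out\n";
}
```

After close the file still exists (file=1) but nobody answers (live=0), so a restart wrapper built on socket_is_live starts the new daemon as soon as the old one has really gone instead of after a fixed 3 second pause. If the old daemon is still shutting down, the loop keeps polling until the timeout, which is the case where the fixed pause is too short.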


Re: [Mimedefang] Problem scanning ZIP archives with CLAMAV

2004-02-13 Thread Nels Lindquist
On 13 Feb 2004 at 10:18, Alain DESEINE wrote:

 I got a problem using CLAMAV and MIMEDefang when scanning zip files 
 containing viruses ...

snip

Are you using *_contains_virus_clamd() or *_contains_virus_clamav() 
functions?

The daemonized scanner requires a local socket accessible to the 
defang user, which your configuration doesn't include.  Also note 
that there was a bug in clamav 0.65 causing intermittent hangs; I'd 
suggest upgrading to 0.66.

Though there are other options, I personally prefer to run clamd as 
the defang user and chown defang all files/directories touched by 
clamav.


Nels Lindquist *
Information Systems Manager
Morningstar Air Express Inc.



Re: [Mimedefang] OT: a hole in Sophos

2004-02-13 Thread Mail Administrator


Michael Sofka wrote:
 On Friday 13 February 2004 04:44, Andrzej Marecki wrote:

  I'm using MD+SA+Sophie+Sophos (SAVI libs + .ide).
  Do you think that what has been written in:
  http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDDi
  d=74
  ...means my system is vulnerable to attacks via that hole?

 We have noticed this on our system.  It seems to only be happening
 when cpu-damaged anti-virus programs bounce back a copy of the virus
 as text.  Sophos lets it through because it is not an attachment
 (I've tried sweep against the entire body of the message, so it
 isn't just a matter of MIME:Tools not extracting the virus.)

Sophos is not detecting the bounces that display the virus as text on 
our system either. I didn't see that as a real problem. Looks like I 
thought incorrectly. It is detecting them if they are an attachment 
inside a MIME-encoded email which has been bounced and the encoding kept 
intact.

The Sophos page with info and a link to an updated 3.78 scanning engine 
is here: http://www.sophos.com/support/news/#mime-378

--Loren
