Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
Dale Walsh wrote:
> On Dec 8, 2005, at 06:15 , Matthias Keller wrote:
>> Joachim Schoenberg wrote:
>>> On Tuesday, 6 December 2005 10:48, Dale Walsh wrote:
>>>
>>> Now it's running, but in debug mode I see
>>>
>>>   parseFile(/var/log/mail, 0, 3393576) ERROR : Could not open file /var/log/mail: Permission denied
>>>
>>> Well, I am logging amavisd-new to /var/log/mail to keep all info in one place. /var/log/mail is rw-r- on all my systems, owned by root:root. How to manage that?
>>
>> Well you could probably change ownership of /var/log/mail to vscan to have a better separation. I'm logging amavisd-new to /var/log/amavisd.log and this one is rw-r- vscan:root which allows my amavis-stats to read it.
>>
>> btw.. i didn't like the default install paths of it so if you want it to install to a (in my opinion) nicer destination like /usr/share/amavis-stats/ (for php and config), /var/lib/amavis-stats/ (for rrd stuff) etc, feel free to use my configure statement:
>>
>>   ./configure --enable-id-check --with-user=vscan --mandir=/usr/share/man --datadir=/usr/share \
>>       --sysconfdir=/etc --localstatedir=/var --sbindir=/sbin --prefix=/usr/share/amavis-stats
>
>   ./configure --enable-id-check --with-user=vscan --with-group=vscan --prefix=/usr \
>       --mandir=/usr/share/man --localstatedir=/var --sysconfdir=/etc

Well I left the group as-is (www) because that allows me to set very tight permissions and the webserver is still able to read all it wants.

Thanks for the cleaning up. I thought there should be a shorter solution but after some trial and error in my virtual machine i noticed the above works so i used it :)

Matt

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
[AMaViS-user] Re: amavis-stats-0.1.19 released
On Dec 9, 2005, at 04:49 , Joachim Schoenberg wrote:
> Hello Dale,
>
>>> 2. configure finds user www in /etc/passwd, but in fact the user is wwwrun. So make complains about missing user www later. I used --with-user, but I think configure does wrong parsing.
>>
>> If it's finding www in /etc/passwd then the user is in it.
>
> No, it isn't. Only wwwrun is there. If www would exist make would not complain about missing user www later.
>
>> You state that configure finds user www in /etc/passwd, if the user is not there then it shouldn't find it. I set a default user (www) if this is not the user your web server runs under then you use the user/group of the user that does.
>
> OK, that's clear, but the problem was: configure seems to find that user even if doesn't exist.
>
>> do:
>>
>>   cat /etc/passwd | grep www
>>
>> and see what it's matching on. Since I am unable to duplicate this problem I can't see where the problem is.
>
> I repeated my installation: configure says
>
>   ...
>   Checking for user/group
>   checking for www in /etc/passwd... yes, user www and group www exist.
>   ...
>
> configure includes that code:
>
>   webuser=`cat /etc/passwd|grep $web_user`

Yes, I see now, a regular grep, needs refinement, I'm extremely busy however, if someone has a solution for the various methods of user checking I'd be happy to add it as soon as time permits.

> My webuser is wwwrun which is the default for SuSE for a long time. So asking for www with grep that way will give a positive result.
>
>> Alternately you can just change the group to wwwrun's group and it should work too.
>
> Yes, I think that's better because there is no need changing ownerships for some amavis-stats directories.
>
> One hint: you had written somewhere you would add a command line option in 0.1.19 to configure for non standard mail logs (/var/log/mail in my case). This option is still missing.

do ./configure, when it's done edit configure.in and change:

  scan_log_file=/var/log/amavis.log

to:

  AC_ARG_WITH(log-file,
    [  --with-log-file         logfile to read (default=/var/log/amavis.log)],
    scan_log_file=$withval, scan_log_file=/var/log/amavis.log)

save it.

issue:

  make clean
  ./configure --help

  Optional Features:
    --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
    --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
    --enable-id-check       use id utility instead of /etc/passwd parsing
    --enable-yp-check       use ypmatch utility instead of /etc/passwd parsing
    --enable-netinfo-check  use netinfo utility instead of /etc/passwd parsing
    --disable-startup       disable startup item
    --disable-web           disable test for web user/group
    --disable-dependency-tracking  speeds up one-time build
    --enable-dependency-tracking   do not reject slow dependency extractors

  Optional Packages:
    --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
    --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
    --with-log-file         logfile to read (default=/var/log/amavis.log)
    --with-user=uid         name of the web user (default=www)
    --with-group=gid        name of the web group (default=www)

that should take care of the problem.

Thanks Joe
Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
Dale Walsh wrote:
> On Dec 9, 2005, at 04:49 , Joachim Schoenberg wrote:
>> Hello Dale,
>>
>>>> 2. configure finds user www in /etc/passwd, but in fact the user is wwwrun. So make complains about missing user www later. I used --with-user, but I think configure does wrong parsing.
>>>
>>> If it's finding www in /etc/passwd then the user is in it.
>>
>> No, it isn't. Only wwwrun is there. If www would exist make would not complain about missing user www later.
>>
>>> You state that configure finds user www in /etc/passwd, if the user is not there then it shouldn't find it. I set a default user (www) if this is not the user your web server runs under then you use the user/group of the user that does.
>>
>> OK, that's clear, but the problem was: configure seems to find that user even if doesn't exist.
>>
>>> do:
>>>
>>>   cat /etc/passwd | grep www
>>>
>>> and see what it's matching on.
>
> Yes, I see now, a regular grep, needs refinement, I'm extremely busy however, if someone has a solution for the various methods of user checking I'd be happy to add it as soon as time permits.

That's simple. Since www is contained in our user name it returns:

  wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false

>>   webuser=`cat /etc/passwd|grep $web_user`

maybe you should egrep for:

  ^www:

to see if a user www really exists... and that cat is unnecessary since grep can read files too... maybe something like

  webuser=`grep -e ^$web_user: /etc/passwd`

If this returns something that user exists for sure. If it fails it should inform of the two options to specify uid and gid...

Matt
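The false positive discussed above, reproduced as an added example (not the amavis-stats configure script itself): the unanchored grep beside a check that compares the whole login field, plus a helper for the "use wwwrun's group" workaround. SAMPLE_PASSWD is a constructed stand-in for /etc/passwd so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not amavis-stats' own configure code. It reproduces the
# false positive from the thread (grep "www" matching "wwwrun") and shows a
# check that only succeeds when the whole first field of a passwd line is
# the requested name. SAMPLE_PASSWD is a constructed stand-in for /etc/passwd.
SAMPLE_PASSWD=$(mktemp 2>/dev/null || echo "/tmp/passwd.sample.$$")
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
vscan:x:65:65:Virus scanner:/var/spool/amavis:/bin/false
EOF

# What configure 0.1.19 effectively does: an unanchored substring match,
# so any line containing the name anywhere counts as a hit.
# Usage: naive_user_check NAME [PASSWD_FILE]  -> prints yes|no
naive_user_check() {
    if grep -- "$1" "${2:-$SAMPLE_PASSWD}" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Anchored check: compare the login field only, as a literal string (-F),
# and require a whole-line match (-x), so "www" no longer matches "wwwrun"
# and a name containing regex metacharacters cannot widen the match.
# Usage: user_exists NAME [PASSWD_FILE]  -> prints yes|no
user_exists() {
    if cut -d: -f1 "${2:-$SAMPLE_PASSWD}" | grep -Fx -- "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Primary GID of a user, for the "just use wwwrun's group" workaround in the
# thread. Prints nothing and exits non-zero when the user does not exist.
# Usage: primary_gid NAME [PASSWD_FILE]
primary_gid() {
    awk -F: -v u="$1" '$1 == u { print $4; found = 1 } END { exit found ? 0 : 1 }' \
        "${2:-$SAMPLE_PASSWD}"
}

# Demonstration when run directly: the default web user "www" does not exist
# in the sample file, yet the naive check reports that it does.
echo "naive check for www:    $(naive_user_check www)"
echo "anchored check for www: $(user_exists www)"
echo "anchored check wwwrun:  $(user_exists wwwrun)"
echo "wwwrun primary gid:     $(primary_gid wwwrun)"
```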
Re: [AMaViS-user] Why is banned mail viruschecked anyway?
Matt,

> I'm running amavisd-new-2.3.3
>
> I recently noticed when the Worm.Mytob.CV comes in which seems to contain a .zip file with a double-extension file inside, my banned rules trigger correctly. (which are set to D_BOUNCE) But instead of acting upon it, amavisd asks my virusscanner too which in the end finally discards it. (D_DISCARD)
>
> This isn't much of a problem mail-wise but it messes up my stats a bit as the mail now counts as BANNED _AND_ INFECTED. I'd prefer only have it listed as INFECTED (or BANNED if not otherwise possible)
>
> Is it possible to somewhere tell it to end at its first finding or something like that?

How do you collect your statistics? In the amavisd-agent report counters each mail is counted to exactly one category. It falls in one of the following categories, first match wins: virus, banned, spam, bad-header, oversized, clean. See the first section in:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html

It is important that virus scanning is not skipped even if mail contents is banned: with infected mail it is desirable that nondelivery notification is NOT sent, while in banned but non-infected mail a NDN is usually desired.

Mark
Re: [AMaViS-user] logging question
Peter,

> I see that when I log to file I do not get the same messages as when I log using syslog (maillog). It's messing me up when I'm trying to implement a script/reporting mechanism. Any comments?

What differences are you noticing? In message preambles, or perhaps in the amount of logging? Show an example.

Mark
Re: [AMaViS-user] Why is banned mail viruschecked anyway?
Mark Martinec wrote:
> Matt,
>
>> I'm running amavisd-new-2.3.3
>>
>> I recently noticed when the Worm.Mytob.CV comes in which seems to contain a .zip file with a double-extension file inside, my banned rules trigger correctly. (which are set to D_BOUNCE) But instead of acting upon it, amavisd asks my virusscanner too which in the end finally discards it. (D_DISCARD)
>>
>> This isn't much of a problem mail-wise but it messes up my stats a bit as the mail now counts as BANNED _AND_ INFECTED. I'd prefer only have it listed as INFECTED (or BANNED if not otherwise possible)
>>
>> Is it possible to somewhere tell it to end at its first finding or something like that?
>
> How do you collect your statistics? In the amavisd-agent report counters each mail is counted to exactly one category. It falls in one of the following categories, first match wins: virus, banned, spam, bad-header, oversized, clean. See the first section in:
>   http://www.ijs.si/software/amavisd/amavisd-new-docs.html
>
> It is important that virus scanning is not skipped even if mail contents is banned: with infected mail it is desirable that nondelivery notification is NOT sent, while in banned but non-infected mail a NDN is usually desired.

Hi

I'm using amavis-stats to get a nice graph of all mails. Probably it isn't able to distinguish like that... That's why I'd love to get rid of the banned logs if a virus is found. Or in other words: if the virus check doesn't find anything, THEN do banned checks.. That would be the best for me.. But I guess it isn't possible to 'reorder' those things easily?

Thanks
Matt
Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be.

I'm running debian with spamassassin, clamav, and amavisd-new. The rrdtool is also installed.

--
Haines Brown
KB1GRM
Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
Haines Brown wrote:
> Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be.
>
> I'm running debian with spamassassin, clamav, and amavisd-new. The rrdtool is also installed.

Have a look at:

  /etc/amavis-stats.conf
  /usr/share/amavis-stats/amavis-stats.php.conf

and actually all the READMEs in the tar.gz.

Matt
Re: [AMaViS-user] Why is banned mail viruschecked anyway?
Matt,

> I'm using amavis-stats to get a nice graph of all mails. Probably it isn't able to distinguish like that... That's why I'd love to get rid of the banned logs if a virus is found. Or in other words: if the virus check doesn't find anything, THEN do banned checks.. That would be the best for me.. But I guess it isn't possible to 'reorder' those things easily?

I don't really know to what you are referring. Here is an example from my log (2.3.3) for a message, that was both infected and had a banned content:

  amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q), [...] [...] ... -> ..., quarantine: virus/5/59g3j+78tdeQ, Message-ID: [EMAIL PROTECTED], mail_id: 59g3j+78tdeQ,

It only says INFECTED, it doesn't mention banned (although at higher log level it is evident that banned was triggered too). Fix the log analyzer.

Mark
[AMaViS-user] Re: amavis-stats-0.1.19 released
Haines,

> Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be.
>
> I'm running debian with spamassassin, clamav, and amavisd-new. The rrdtool is also installed.

The logfile is the amavis-new log you want to have statistics from. Default is /var/log/amavis.log

If you want to change this you have to fiddle around a bit. The name of the used log can be found in the makefile(s).

Joe

--
Joachim Schoenberg                  PHONE: +49 30 20377 374
Paul-Drude-Institut fuer            FAX:   +49 30 20377 201
Festkoerperelektronik Berlin
Re: [AMaViS-user] Why is banned mail viruschecked anyway?
Mark Martinec wrote:
> Matt,
>
>> I'm using amavis-stats to get a nice graph of all mails. Probably it isn't able to distinguish like that... That's why I'd love to get rid of the banned logs if a virus is found. Or in other words: if the virus check doesn't find anything, THEN do banned checks.. That would be the best for me.. But I guess it isn't possible to 'reorder' those things easily?
>
> I don't really know to what you are referring. Here is an example from my log (2.3.3) for a message, that was both infected and had a banned content:
>
>   amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q), [...] [...] ... -> ..., quarantine: virus/5/59g3j+78tdeQ, Message-ID: [EMAIL PROTECTED], mail_id: 59g3j+78tdeQ,
>
> It only says INFECTED, it doesn't mention banned (although at higher log level it is evident that banned was triggered too). Fix the log analyzer.

Well it depends on the virus of course. For example mytob uses a scheme which triggers banning as well:

  Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) p.path BANNED:1 [EMAIL PROTECTED]: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip,N=readme.zip | P=p004,L=1/2/1,T=exe,N=readme.doc .scr, matching_key=(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|vbs|pif|lnk|scr|bat|cmd|com|cpl|dll)\\.?$)
  Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [x.x.x.x] [EMAIL PROTECTED] -> [EMAIL PROTECTED], quarantine: virus/virus-20051208-230827-03599-06.gz, Message-ID: [EMAIL PROTECTED], mail_id: ZegWCdHVJFHZ, Hits: -, 425 ms

I noticed there seem to be two different kinds of BANNED...

  p.path BANNED
  Blocked BANNED

might it be that p.path suggests this is like a supplemental result that was encountered on the final path or something like that? it appears the p.path BANNED only appears when a virus was triggered afterwards... ?

Thanks for your help
Matt

I'm now also trying to lower my log level from 2 to 1, maybe that helps too.. i'll see.
Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
> Haines Brown wrote:
>> Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be.
>
> Have a look at:
>
>   /etc/amavis-stats.conf
>   /usr/share/amavis-stats/amavis-stats.php.conf
>
> and actually all the READMEs in the tar.gz.

Matt, thanks. Took a look at the README.tar.gz. Following its direction, I added amavis to the adm group. I then did

  # su - amavis

but instead of getting to an amavis# prompt as indicated in the README, I end up at [EMAIL PROTECTED]:~$. From this prompt, trying to run

  /usr/sbin/amavis-stats /var/log/mail.info
  amavis-stats: /var/lib/amavis-stats does not exist or cannot be written to.

The problem may be that I don't know how to give amavis user root privileges.

--
Haines Brown
KB1GRM
[AMaViS-user] Re: amavis-stats-0.1.19 released
> Haines,
>
>> Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be.
>>
>> I'm running debian with spamassassin, clamav, and amavisd-new. The rrdtool is also installed.
>
> The logfile is the amavis-new log you want to have statistics from. Default is /var/log/amavis.log

No such file on my machine.

> If you want to change this you have to fiddle around a bit. The name of the used log can be found in the makefile(s).

I didn't compile amavis-stats from source, but installed the .deb.

--
Haines Brown
KB1GRM
Re: [AMaViS-user] Bayes - Learning Question
Gary V wrote:
> Gerry wrote:
>> Also, not much spam is getting autolearned:
>>
>>   su amavis -c 'sa-learn --dump magic'
>>   0.000          0          3          0  non-token data: bayes db version
>>   0.000          0         29          0  non-token data: nspam
>>   0.000          0       1548          0  non-token data: nham
>
> This is scary. Spam often outpaces ham nearly 10 to 1. If you really only get this much spam coming in the front door, are you sure you need SpamAssassin? Is the mail cleaned before amavisd-new sees it? Do you also see ALL_TRUSTED in the headers of mail that is sent to you from outside your network?
>
> Gary V

Thanks Gary...I do not see ALL_TRUSTED in the headers. I ran a count on the amount of spam we've received in the last three days where the score is above 6 (default) and there are 850 messages. I have quarantine set to 12. Below are the headers of spam received on my account where I am a little more strict with tag level (3), a ham message from yahoo, and a snip of the maillog from that message.

Thanks!

Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.nicomtech.com (Postfix) with ESMTP id 469CDFE8584
    for [EMAIL PROTECTED]; Fri, 9 Dec 2005 06:48:04 -0500 (EST)
Received: from mail.nicomtech.com ([127.0.0.1])
    by localhost (mail.nicomtech.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 19188-03 for [EMAIL PROTECTED];
    Fri, 9 Dec 2005 06:48:04 -0500 (EST)
Received: from maychu (unknown [203.162.25.87])
    by mail.nicomtech.com (Postfix) with SMTP id 5E5E6FE8583
    for [EMAIL PROTECTED]; Fri, 9 Dec 2005 06:47:55 -0500 (EST)
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ***SPAM*** 2: ALL MAJOR DESIGNER REPLICA //ATCHES! Save $32
Date: Fri, 09 Dec 2005 18:47:41 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0011_01C5FCF1.08A5F920
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: amavisd-new at nicomtech.com
X-Spam-Status: Yes, score=4.771 tagged_above=-999 required=3
    tests=[FUZZY_ROLEX=2.193, HTML_60_70=0.29, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.703, MIME_QP_LONG_LINE=0.159, MPART_ALT_DIFF=0.425]
X-Spam-Score: 4.771
X-Spam-Level:
X-Spam-Flag: YES
Status: RO

From - Fri Dec 09 09:14:22 2005
X-Account-Key: account2
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.nicomtech.com (Postfix) with ESMTP id B404DFE8587
    for [EMAIL PROTECTED]; Fri, 9 Dec 2005 09:09:58 -0500 (EST)
Received: from mail.nicomtech.com ([127.0.0.1])
    by localhost (mail.nicomtech.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 21908-11 for [EMAIL PROTECTED];
    Fri, 9 Dec 2005 09:09:58 -0500 (EST)
Received: from web34609.mail.mud.yahoo.com (web34609.mail.mud.yahoo.com [209.191.68.143])
    by mail.nicomtech.com (Postfix) with SMTP id 2854CFE8585
    for [EMAIL PROTECTED]; Fri, 9 Dec 2005 09:09:57 -0500 (EST)
Received: (qmail 60233 invoked by uid 60001); 9 Dec 2005 14:09:56 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
    h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
    b=kdizhcJLPiilP6QTGby5VxZZao2XlQX8zd0JwwIL2WoMpX6PHjAlO++LP2uC5InSdWD7oWD+6IGjjQu7f6IUGqP6ftqxS403p9cq6KDZXhwhDh/4JMAZR3EJ51E+IFG/Sd8XXfVgi1oV8SjvuC5vRiM1Iwc+HFs4EZXP2dzqDBQ= ;
Message-ID: [EMAIL PROTECTED]
Received: from [64.9.81.2] by web34609.mail.mud.yahoo.com via HTTP; Fri, 09 Dec 2005 06:09:56 PST
Date: Fri, 9 Dec 2005 06:09:56 -0800 (PST)
From: Gerry McOmber [EMAIL PROTECTED]
Subject: Test Email
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=0-291847347-1134137396=:59529
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: amavisd-new at nicomtech.com
X-Spam-Status: No, score=0.263 tagged_above=-999 required=6
    tests=[AWL=-0.028, HTML_60_70=0.29, HTML_MESSAGE=0.001]
X-Spam-Score: 0.263
X-Spam-Level:
X-IMAPbase: 1133920243 103
Status: O
X-UID: 103
Content-Length: 732
X-Keywords:

Dec 9 09:09:57 mail postfix/smtpd[22732]: connect from web34609.mail.mud.yahoo.com[209.191.68.143]
Dec 9 09:09:58 mail postfix/smtpd[22732]: 2854CFE8585: client=web34609.mail.mud.yahoo.com[209.191.68.143]
Dec 9 09:09:58 mail postfix/cleanup[23193]: 2854CFE8585: message-id=[EMAIL PROTECTED]
Dec 9 09:09:58 mail postfix/qmgr[2502]: 2854CFE8585: from=[EMAIL PROTECTED], size=1843, nrcpt=1 (queue active)
Dec 9 09:09:58 mail amavis[21908]: (21908-11) ESMTP::10024 /var/amavis/amavis-20051209T083744-21908: [EMAIL PROTECTED] -> [EMAIL PROTECTED] Received: SIZE=1843 BODY=8BITMIME from mail.nicomtech.com ([127.0.0.1]) by
Re: [AMaViS-user] Bayes - Learning Question
Gerry wrote:
>>> Also, not much spam is getting autolearned:
>>>
>>>   su amavis -c 'sa-learn --dump magic'
>>>   0.000          0          3          0  non-token data: bayes db version
>>>   0.000          0         29          0  non-token data: nspam
>>>   0.000          0       1548          0  non-token data: nham
>
> Thanks Gary...I do not see ALL_TRUSTED in the headers. I ran a count on the amount of spam we've received in the last three days where the score is above 6 (default) and there are 850 messages. I have quarantine set to 12.
>
> SA msg read: 1 (0%)38, SA parse: 3 (1%)39, SA check: 80 (30%)70,

This seems like a very short time for the SA check. I think the mail must score at 12 or above to be learned as spam (it's actually a little more complicated, but generally true). I find it hard to believe that you would have this paltry amount of spam that scores over 12. With the SA check time this low, it would lead me to believe you may not have network tests enabled. In amavisd.conf, make sure you have set:

  $sa_local_tests_only = 0;

If you were to grep (or search) the items in your quarantine, would you find the string SPAMCOP ? If not, then I think network tests are not being performed. If you have not already done so, consider installing DCC, Razor and Pyzor.

Gary V
Re: [AMaViS-user] Why is banned mail viruschecked anyway?
Matt,

>>>   amavis[3635]: (03635-07) Blocked INFECTED (W32/Netsky-Q),
>>
>> It only says INFECTED, it doesn't mention banned (although at higher log level it is evident that banned was triggered too). Fix the log analyzer.
>
> Well it depends on the virus of course. For example mytob uses a scheme which triggers banning as well:
>
>   Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) p.path BANNED:1 [EMAIL PROTECTED]: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip,N=readme.zip | P=p004,L=1/2/1,T=exe,N=readme.doc .scr, matching_key=(?i-xsm:\\.[^./]*[A-Za-z][^./]*\\.(exe|vbs|pif|lnk|scr|bat|cmd|com|cpl|dll)\\.?$)
>   Dec 8 23:08:27 www.mindblow.ch /usr/sbin/amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [x.x.x.x] [EMAIL PROTECTED] -> [EMAIL PROTECTED], quarantine: virus/virus-20051208-230827-03599-06.gz, Message-ID: [EMAIL PROTECTED], mail_id: ZegWCdHVJFHZ, Hits: -, 425 ms
>
> I noticed there seem to be two different kinds of BANNED...
>
>   p.path BANNED
>   Blocked BANNED
>
> might it be that p.path suggests this is like a supplemental result that was encountered on the final path or something like that?

Exactly, it is a supplemental result, a debugging log entry. At arbitrarily high log level you may encounter all sorts of log messages, and the only promise I make about these is that they won't start with Passed XXX or Blocked XXX. If a log parser is sloppy and uses low level debug log entries for counting, you are counting the same message multiple times. The ONLY dependable message that should be used by a log parser for counting and classification is the one which is always issued at log level 0, i.e. the Passed XXX or Blocked XXX. It will always indicate the final verdict on mail contents.

> I'm now also trying to lower my log level from 2 to 1, maybe that helps too.. i'll see.

It will probably help, but ultimately the log parser needs to be fixed.

Mark
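Mark's rule, as an added example (not amavis-stats' own parser): a counter that classifies each message from its level-0 "Passed XXX" / "Blocked XXX" line only, shown next to the naive per-keyword count that double-counts the Mytob message. SAMPLE_LOG holds constructed lines modelled on the format quoted in the thread.

```shell
#!/bin/sh
# Added example, not amavis-stats' own parser. Counts amavisd log verdicts the
# way Mark describes: one count per message, taken only from the level-0
# "Passed XXX" / "Blocked XXX" line, ignoring higher-level debug entries such
# as "p.path BANNED:1". SAMPLE_LOG holds constructed lines modelled on the
# thread (the Mytob case plus a banned, a spam and a clean message).
SAMPLE_LOG=$(mktemp 2>/dev/null || echo "/tmp/amavis.sample.$$")
cat > "$SAMPLE_LOG" <<'EOF'
Dec  8 23:08:27 mx amavisd[3599]: (03599-06) p.path BANNED:1 user@example.com: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip,N=readme.zip | P=p004,L=1/2/1,T=exe,N=readme.doc .scr
Dec  8 23:08:27 mx amavisd[3599]: (03599-06) Blocked INFECTED (Worm.Mytob.CV), [192.0.2.10] sender@example.net -> user@example.com, quarantine: virus/virus-20051208-230827-03599-06.gz, mail_id: ZegWCdHVJFHZ, Hits: -, 425 ms
Dec  8 23:10:02 mx amavisd[3601]: (03601-02) Blocked BANNED (multipart/mixed | application/octet-stream,.exe,invoice.pif), [192.0.2.11] other@example.net -> user@example.com, mail_id: Q1w2E3r4T5y6, Hits: -, 310 ms
Dec  8 23:12:44 mx amavisd[3602]: (03602-01) Blocked SPAM, [192.0.2.12] spammer@example.org -> user@example.com, mail_id: A9s8D7f6G5h4, Hits: 21.3, 1980 ms
Dec  8 23:15:10 mx amavisd[3603]: (03603-05) Passed CLEAN, [192.0.2.13] friend@example.net -> user@example.com, mail_id: Zx9Cv8Bn7Mm6, Hits: -0.5, 640 ms
EOF

# The sloppy approach Mark warns against: count every line that contains a
# verdict word. The Mytob message then shows up under both BANNED and INFECTED.
# Usage: naive_count TAG [LOGFILE]  -> number of lines containing TAG
naive_count() {
    grep -c -- "$1" "${2:-$SAMPLE_LOG}"
}

# Dependable approach: classify on the final-verdict line only. The pattern
# requires the "(pid-seq) Passed|Blocked CATEGORY" shape, which debug lines
# such as "p.path BANNED:1" never have, so each message is counted once.
# Output: one "Verdict CATEGORY=count" per line, sorted for stable comparison.
# Usage: count_verdicts [LOGFILE]
count_verdicts() {
    awk '
        match($0, /\([0-9]+-[0-9]+\) (Passed|Blocked) [A-Z-]+/) {
            verdict = substr($0, RSTART, RLENGTH)
            sub(/^\([0-9]+-[0-9]+\) /, "", verdict)   # drop the "(03599-06) " prefix
            count[verdict]++
        }
        END { for (v in count) printf "%s=%d\n", v, count[v] }
    ' "${1:-$SAMPLE_LOG}" | LC_ALL=C sort
}

# Number of messages classified; equals the number of level-0 verdict lines,
# since amavisd emits exactly one Passed/Blocked line per message.
# Usage: message_count [LOGFILE]
message_count() {
    count_verdicts "${1:-$SAMPLE_LOG}" | awk -F= '{ n += $2 } END { print n + 0 }'
}

echo "naive BANNED lines:   $(naive_count BANNED)   (the Mytob message is counted here too)"
echo "naive INFECTED lines: $(naive_count INFECTED)"
echo "per-verdict counts:"
count_verdicts
echo "messages classified:  $(message_count)"
```

Running it against a real log only needs the file path as the argument, e.g. count_verdicts /var/log/amavis.log.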
Re: [AMaViS-user] bypass scanning outgoing mail
Peter wrote:

We have amavis-new with Postfix/ClamAV/SA running as our secure mail gateway and it works very well. We have an internal Linux mail server that only talks to the amavis gateway box for security reasons. I now want to stop all our outgoing mail being scanned, as mail with password protected zips gets flagged as virus mail and quarantined. :( Looking for a solution.

regards
Peter

The best way is to use a policy bank. This way you can scan for viruses but bypass everything else. You can use the MYNETS policy bank, or you can configure a check_client_access map in main.cf to send mail to a different amavisd-new listening port and then configure a policy bank for that port (among other methods).

You need to make sure you use smtp_send_xforward_command (or lmtp_send_xforward_command if you use lmtp) here in master.cf:

    smtp-amavis unix - - y - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes

You need to use and configure @mynetworks in amavisd.conf:

    @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                      10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default

The network (or IP address) the sending server is on should be included here, and at least the IP address of the sending server should also be listed in mynetworks in main.cf.

Then, if you would like to use MYNETS:

    $policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
      bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
      bypass_banned_checks_maps => [1],  # don't banned-check internal mail
      final_spam_destiny   => D_PASS,
      final_banned_destiny => D_PASS,
    };

Another way is more specific:

    smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/amavis_internal
        permit_mynetworks
        reject_unauth_destination

Contents of /etc/postfix/amavis_internal (the IP address of the internal server is listed here):

    192.168.1.17 FILTER smtp-amavis:[127.0.0.1]:10026

Then in amavisd.conf:

    $inet_socket_port = [10024, 10026];
    $interface_policy{'10026'} = 'INTERNAL';

    $policy_bank{'INTERNAL'} = {   # mail originating from the internal server
      bypass_spam_checks_maps   => [1],  # don't spam-check outgoing mail
      bypass_banned_checks_maps => [1],  # don't banned-check outgoing mail
      final_spam_destiny   => D_PASS,    # ensure spam passes
      final_banned_destiny => D_PASS,    # ensure banned files pass
    };

See more examples in amavisd.conf-sample and http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex

Gary V

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
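The two bank-selection mechanisms in Gary's reply are easy to get half-right (the XFORWARD option missing, or the sender listed in Postfix's mynetworks but not in @mynetworks), and the symptom is that outgoing mail is still fully checked. The following is an added example, not code from the post or from amavisd-new: a small Python model of how the banks above would be chosen and merged, using the @mynetworks list, the 10026 interface policy and the two bank definitions from the reply. The merge semantics are a simplified re-implementation for illustration, and a client IP of None stands for Postfix not having sent XFORWARD.

```python
"""Model which amavisd-new policy banks apply to a connection.

Added example (not from the mailing-list post or the amavisd-new project).
Two mechanisms from the post are modelled: the MYNETS bank, loaded when the
XFORWARD-supplied client IP falls inside @mynetworks, and an $interface_policy
bank keyed on the listening port that the Postfix FILTER action delivered to.
The merge logic is a simplified re-implementation written for illustration.
"""
import ipaddress
import re
from typing import Optional

# Constructed from the post's @mynetworks = qw( ... ) line.
MYNETWORKS_QW = ("qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 "
                 "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 )")

# $interface_policy{'10026'} = 'INTERNAL'; from the post.
INTERFACE_POLICY = {10026: "INTERNAL"}

# The two banks from the post; the default bank checks everything.
POLICY_BANKS = {
    "MYNETS": {"bypass_spam_checks": True, "bypass_banned_checks": True},
    "INTERNAL": {"bypass_spam_checks": True, "bypass_banned_checks": True},
}
DEFAULT_BANK = {"bypass_spam_checks": False, "bypass_banned_checks": False,
                "bypass_virus_checks": False}


def parse_qw_networks(text: str) -> list:
    """Parse a Perl qw( ... ) list of CIDRs into ip_network objects.

    amavisd writes IPv6 prefixes in brackets ([::1], [FE80::]/10), which the
    ipaddress module does not accept, so the brackets are stripped first."""
    body = re.search(r"qw\((.*)\)", text, re.S).group(1)
    nets = []
    for tok in body.split():
        tok = tok.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def in_mynetworks(client_ip: str, nets) -> bool:
    """True when the client address lies in any listed network.
    Mixed IPv4/IPv6 comparisons simply return False."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


def select_banks(client_ip: Optional[str], port: int, nets) -> list:
    """Return the bank names loaded for this message, in load order.

    client_ip is None when Postfix did not send XFORWARD; in that case amavisd
    only knows the loopback address of its own SMTP client, so the MYNETS bank
    depends entirely on smtp_send_xforward_command=yes being set."""
    banks = []
    if client_ip is not None and in_mynetworks(client_ip, nets):
        banks.append("MYNETS")
    if port in INTERFACE_POLICY:
        banks.append(INTERFACE_POLICY[port])
    return banks


def effective_policy(client_ip: Optional[str], port: int, nets) -> dict:
    """Merge the default bank with each loaded bank, later banks overriding.
    Virus checks are never bypassed by either bank in the post."""
    policy = dict(DEFAULT_BANK)
    for name in select_banks(client_ip, port, nets):
        policy.update(POLICY_BANKS[name])
    return policy


if __name__ == "__main__":
    nets = parse_qw_networks(MYNETWORKS_QW)
    for ip, port in [("192.168.1.17", 10024), ("192.168.1.17", 10026),
                     (None, 10024), ("203.0.113.5", 10024)]:
        print(ip, port, select_banks(ip, port, nets), effective_policy(ip, port, nets))
```

Running it shows the point of the reply: the internal server reaches the INTERNAL bank through port 10026 whether or not XFORWARD works, while the MYNETS route silently degrades to the default (fully checked) policy when the client address is not forwarded; in both banks bypass_virus_checks stays False.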
[AMaViS-user] Climbing queues issue
Hi all,

I've been having a problem recently. We have three relay servers (relay1, relay2, and relay3) that are round robin MX for the most part. We have a Cisco LocalDirector hooked up to them and some domains use it in DNS. Anyway, the servers run fine for the most part, with 20-30 messages queued on each. But on random days on random servers (sometimes it's relay3, sometimes it's relay1), the queues get gigantic ... 50,000+. I keep thinking these are spam attacks of some sort, and since we have IDE hard drives, once it starts writing to the queues, it can't read back fast enough and the system gets bogged down.

Relay3 had a nice queue load today. It only got up to 5,000 messages before we realized the problem. A reboot will ALWAYS fix this problem. In other words, if a server has 10,000 messages in the queue, and I reboot it, the queue is immediately flushed the second the machine comes back up... usually about 1000 messages every 2 minutes (so a queue of 5,000 clears out in about 10 minutes). It's just odd that we have to reboot the box in order for this problem to be solved. I have a graph of what is going on and I can hand out the URL if that will assist anyone trying to guess the problem.

Maybe my IDE drive idea isn't the best idea in the world. For the record, I just did a top and got this on relay3. If you notice, the CPU is 0% idle (even though it's a 3.06 GHz). There are three vscan processes which seem to be using a LOT of CPU time... maybe this is what is occurring, and it gets bad and eventually causes the queue to rise? Anyway, any ideas would be appreciated!

-Matt

<snip>
    last pid: 31870;  load averages:  4.35,  4.26,  4.47
    93 processes:  5 running, 88 sleeping
    CPU states: 93.8% user,  0.0% nice,  5.4% system,  0.8% interrupt,  0.0% idle
    Mem: 266M Active, 381M Inact, 173M Wired, 976K Cache, 110M Buf, 168M Free
    Swap: 2007M Total, 2007M Free

      PID USERNAME  PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
    17979 vscan     129    0 45336K 41692K RUN     49:13 20.17% 20.17% perl5.8.6
     4903 vscan     129    0 45724K 42080K RUN     84:35 19.97% 19.97% perl5.8.6
    26248 vscan     129    0 44500K 40884K RUN     12:44 19.68% 19.68% perl5.8.6
    31822 vscan      20    0 45352K 42088K lockf    0:01  5.55%  3.61% perl5.8.6
    31656 vscan       4    0 46000K 42740K select   0:03  2.50%  2.49% perl5.8.6
    31604 vscan      20    0 47076K 43808K lockf    0:03  2.30%  2.29% perl5.8.6
    31606 vscan       4    0 47516K 43808K accept   0:04  1.86%  1.86% perl5.8.6
    31690 vscan      20    0 46140K 42840K lockf    0:02  1.52%  1.51% perl5.8.6
    31670 vscan      20    0 47624K 44088K lockf    0:03  1.47%  1.46% perl5.8.6
    31616 vscan      20    0 46516K 43256K lockf    0:03  1.47%  1.46% perl5.8.6
    31773 vscan      20    0 45184K 41920K lockf    0:01  1.51%  1.42% perl5.8.6
    31601 vscan     105    0 46572K 43292K RUN      0:03  1.07%  1.07% perl5.8.6
    31703 vscan      20    0 46008K 42756K lockf    0:02  0.49%  0.49% perl5.8.6
      432 clamav     20    0 13348K 12692K kserel   3:35  0.00%  0.00% clamd
<snip>
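The snapshot Matt pasted already contains the signal he is pointing at: three amavisd children in RUN state that have each accumulated far more CPU time than the rest, which sit in lockf/select/accept with seconds of CPU. What follows is an added example, not code from the post or from amavisd-new: a parser for that FreeBSD-style top output that flags long-running, still-busy children and totals CPU share per user, the kind of check one would run from cron to catch the condition before the queue reaches 50,000. The snapshot is reconstructed from the post, and the thresholds are assumptions chosen for illustration.

```python
"""Flag runaway amavisd children in a top(1) snapshot.

Added example (not from the mailing-list post or from amavisd-new). It parses
the FreeBSD-style top output from the post and reports perl (amavisd) children
that have burnt a lot of CPU time and are still consuming CPU now. The
thresholds below are assumptions for illustration, not amavisd defaults.
"""

# Constructed from the snapshot in the post, with its columns restored.
TOP_SNAPSHOT = """\
  PID USERNAME  PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
17979 vscan     129    0 45336K 41692K RUN     49:13 20.17% 20.17% perl5.8.6
 4903 vscan     129    0 45724K 42080K RUN     84:35 19.97% 19.97% perl5.8.6
26248 vscan     129    0 44500K 40884K RUN     12:44 19.68% 19.68% perl5.8.6
31822 vscan      20    0 45352K 42088K lockf    0:01  5.55%  3.61% perl5.8.6
31656 vscan       4    0 46000K 42740K select   0:03  2.50%  2.49% perl5.8.6
31604 vscan      20    0 47076K 43808K lockf    0:03  2.30%  2.29% perl5.8.6
31606 vscan       4    0 47516K 43808K accept   0:04  1.86%  1.86% perl5.8.6
31690 vscan      20    0 46140K 42840K lockf    0:02  1.52%  1.51% perl5.8.6
31670 vscan      20    0 47624K 44088K lockf    0:03  1.47%  1.46% perl5.8.6
31616 vscan      20    0 46516K 43256K lockf    0:03  1.47%  1.46% perl5.8.6
31773 vscan      20    0 45184K 41920K lockf    0:01  1.51%  1.42% perl5.8.6
31601 vscan     105    0 46572K 43292K RUN      0:03  1.07%  1.07% perl5.8.6
31703 vscan      20    0 46008K 42756K lockf    0:02  0.49%  0.49% perl5.8.6
  432 clamav     20    0 13348K 12692K kserel   3:35  0.00%  0.00% clamd
"""


def parse_time(text: str) -> int:
    """Convert top's TIME column ('84:35', or 'H:MM:SS' for very old
    processes) into seconds of accumulated CPU."""
    secs = 0
    for part in text.split(":"):
        secs = secs * 60 + int(part)
    return secs


def parse_top(text: str) -> list:
    """Parse process rows; the header and any non-process lines are skipped.
    Column order follows the snapshot: PID USERNAME PRI NICE SIZE RES STATE
    TIME WCPU CPU COMMAND."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():
            continue
        rows.append({
            "pid": int(f[0]),
            "user": f[1],
            "state": f[6],
            "cpu_seconds": parse_time(f[7]),
            "cpu_pct": float(f[9].rstrip("%")),
            "cmd": f[10],
        })
    return rows


def runaway_children(rows, user="vscan", min_cpu_seconds=600, min_cpu_pct=15.0):
    """PIDs of children that have accumulated at least min_cpu_seconds of CPU
    and are still using at least min_cpu_pct right now. amavisd recycles a
    child after a bounded number of messages, so one that keeps burning CPU
    for tens of minutes is the anomaly worth inspecting (or restarting)."""
    return sorted(r["pid"] for r in rows
                  if r["user"] == user
                  and r["cpu_seconds"] >= min_cpu_seconds
                  and r["cpu_pct"] >= min_cpu_pct)


def cpu_share_by_user(rows) -> dict:
    """Sum the CPU column per user, to see who owns the missing idle time."""
    share = {}
    for r in rows:
        share[r["user"]] = share.get(r["user"], 0.0) + r["cpu_pct"]
    return share


if __name__ == "__main__":
    procs = parse_top(TOP_SNAPSHOT)
    print("runaway amavisd children:", runaway_children(procs))
    print("CPU share by user:", cpu_share_by_user(procs))
```

On the posted snapshot this reports PIDs 4903, 17979 and 26248 and puts roughly 77% of the CPU on the vscan user, with clamd idle, which matches Matt's reading that the amavisd children, not the scanner, are what is busy.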
[AMaViS-user] SQL Quarantine and tmp directory.
Greetings everyone,

Is there a way to have amavisd-new 2.3.3 delete the message amavis-* file in the /tmp directory after it has been released from quarantine using the AM.PDP interface? I am trying to create a custom quarantine management script with SQL. I have the SQL quarantine set up and working fine and can see the entire message in the DB.

I was thinking about just bypassing the AM.PDP interface completely and reinjecting the message stored in the DB directly to Postfix on port 10025. But this would still leave the /tmp directory files. Does anybody see this as a problem, or am I thinking too much into this and shouldn't worry too much about the /tmp directory and just run a script to kill things that are 30 days old?

Thanks!

--
Richard Marriner II
Maingear.Net
Sr. Network Consultant
I.T. Consulting
[EMAIL PROTECTED]
www.maingear.net
Re: [AMaViS-user] Re: amavis-stats-0.1.19 released
On Dec 9, 2005, at 09:38 , Haines Brown wrote:

Haines,

Based on this thread, I decided to install amavis-stats, but man amavis-stats left me in the dark. The synopsis is: amavis-stats [options] logfile, but the manual does not specify what this logfile should be. I'm running Debian with spamassassin, clamav, and amavisd-new. The rrdtool is also installed.

The logfile is the amavis-new log you want to have statistics from. Default is /var/log/amavis.log

No such file on my machine.

Edit the daemon config file (amavis-stats.conf) and change this to the log file you want to use. If you want to change this you have to fiddle around a bit. The name of the used log can be found in the makefile(s).

I didn't compile amavis-stats from source, but installed the .deb.

If the person who made the package did it correctly, 'man amavis-stats' will list the location of the installed files.

--
Haines Brown
KB1GRM