Re: [AMaViS-user] amavisd-new cut connection from postfix
Andreas,

> I have increased amavisd loglevel via debug_sender_maps and found the same
> last line in my logfile
> CALLING SA check
> Is it possible to set up SA loglevel selectively too?

No, unfortunately this is not possible (without modifying the code). You will have to collect all SA logging for a while and then search the log when the problem occurs. ('amavisd debug-sa' or set: $sa_debug = '1,all').

Mark

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
Fw: [AMaViS-user] amavisd-new cut connection from postfix
Thx Mark,

now it is working. The SA mysql config was broken.

Greets
Michael

----- Original Message -----
From: Mark Martinec [EMAIL PROTECTED]
To: amavis-user@lists.sourceforge.net
Sent: Thursday, December 29, 2005 8:14 PM
Subject: Re: [AMaViS-user] amavisd-new cut connection from postfix

Michael,

> My Amavisd-new cut the connection to postfix if the amavisd-new spammodule is in use. I installed all Modules, but it still doesn't work.
> Here are my amavisd.conf and the logfile with loglevel 5.
> I hope someone else can help me.
> https://mail.lug-wt.de/amavis.log
> https://mail.lug-wt.de/amavisd.conf

Thanks for the log. Indeed it is within SA that the Perl process crashes. Do the 'spamassassin' command line utility and the 'sa-learn' work? Try:

# su vscan -c 'spamassassin --lint'
# su vscan -c 'sa-learn --sync --force-expire --showdots'

If they do work without complaints, then try:

amavisd debug-sa

Mark
Re: [AMaViS-user] Multiple recipient question with postfix
Rob,

> 1) There was no way of specifying system maximums. Eg. drop anything with a spam score higher than 30, or quarantine all virus emails. The user could always override the maximums.

If you are talking about SQL lookups for per-recipient settings, you must already have some SQL authentication in place and some value validation when users are updating their settings - one would not let users mess directly with SQL SELECT/UPDATE/INSERT. So if you need to provide some maximum allowed value, the most natural place to do so is in your (G)UI to SQL.

> 2) If an email was sent to three recipients, and one of them passed it, then all recipients would get it because amavis did not modify the envelope.

That is not the case. Both the header tagging and appending address extensions are fully per-recipient capable, and so is *_lovers and setting spam levels (tag/tag2/kill).

> Does amavis support the lmtp per user responses now? It did not use to. I am using 2.2 with Maia.

It does on its server side. The only missing catch was handling the 4xx responses, which came with the 2.3.0 release:

- at last: when mail is received through LMTP protocol, gracefully handle a temporary failure 4xx reply from MTA to a RCPT TO command and pass it back to a LMTP client for tempfailed recipients only, instead of returning 450 for _all_ recipients (needed the sending routine to be aware of the receiving side capabilities, which was previously not available);

On the amavisd client side (forwarding mail back to MTA), LMTP is currently not supported, mostly because of the lack of a quality Perl module for this protocol.

Mark
[AMaViS-user] Re: Blocking Windows Metafile image format by amavisd-new
> it may be prudent to let amavisd-new block WMF based on file contents
> examination as provided by a file(1) utility, which reports:
>   test.wmf: ms-windows metafont .wmf
> (note that file(1) version 4.16 says 'metafont' instead of 'metafile',
> I hope that this mistake will be rectified in the next version)

Mark: thank you!

My testing with file(1) (both versions 4.10 and 4.16) shows it does not reliably identify .wmf files, based on the magic bytes. file(1) did not identify a standard .wmf file copied from my Windows XP SP2 laptop, and it also missed the .wmf exploit file from metasploit. This is due to the .wmf entry in magic(5):

# Windows Metafont .WMF
0 string \327\315\306\232\000\000\000\000\000\000 ms-windows metafont .wmf

Based on my testing, only the first 4 bytes (\327\315\306\232) reliably appear in some WMF files. Others use an entirely different string: the metasploit-based WMF file has the magic byte string:

\001\000\011\000

The file magic.xml from the ImageMagick distribution seems to support these magic bytes:

# grep -i wmf config/magic.xml
magic name=WMF offset=0 target=\327\315\306\232 /
magic name=WMF offset=0 target=\001\000\011\000 /

Source: ftp://ftp.nluug.nl/pub/ImageMagick/ImageMagick-6.2.5-5.tar.gz

Here are two patches to add the proper WMF magic bytes, for both file 4.10 and file 4.16 on Unix-based systems. Copy the patch to the proper directory (/usr/share/misc on FreeBSD), and patch < patchfile. You will probably need to generate a new magic.mgc file, normally by typing this:

# file -C -m magic

They seem to work fine on my systems, and my amavisd is now reliably spotting .wmf files (even those named with another extension). Please let me know if you have any issues.

Thanks,
...Eric

- file-4.10: *** magic Fri Dec 30 11:14:37 2005 --- magic.new Fri Dec 30 11:14:21 2005 *** *** 1300,1306 15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal # Windows Metafont .WMF !
0 string \327\315\306\232\000\000\000\000\000\000ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string \003\001\001\004\070\001\000\000tz3 ms-works file --- 1300,1308 15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal # Windows Metafont .WMF ! 0 string \327\315\306\232ms-windows metafont .wmf ! 0 string \001\000\011\000ms-windows metafont .wmf ! #tz3 files whatever that is (MS Works files) 0 string \003\001\001\004\070\001\000\000tz3 ms-works file - file-4.16: *** magic Fri Dec 30 11:10:52 2005 --- magic.new Fri Dec 30 11:10:45 2005 *** *** 8303,8309 15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal # Windows Metafont .WMF ! 0 string \327\315\306\232\000\000\000\000\000\000ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string \003\001\001\004\070\001\000\000tz3 ms-works file --- 8303,8310 15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal # Windows Metafont .WMF ! 0 string \327\315\306\232ms-windows metafont .wmf ! 0 string \001\000\011\000ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string \003\001\001\004\070\001\000\000tz3 ms-works file -
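Review bot: The file-4.10 patch carries a third changed line on its new side that is empty (the bare '!' just before '#tz3 files'), which is why its range grows to 1300,1308 while the file-4.16 patch only grows to 8303,8310. Drop that blank line so both versions receive the same two-entry change and the 4.10 patch does not alter unrelated spacing in the magic file.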
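Review bot: Both replacement entries test only four bytes at offset 0 and print the identical description 'ms-windows metafont .wmf', so a consumer that blocks on file(1) output cannot tell which signature fired, and the second pattern (\001\000\011\000) is short enough that an unrelated file could begin with it. Consider giving the two entries distinct descriptions and, where the format allows, testing one more header field to limit false positives; the 'metafont' wording flagged earlier in the thread is also carried over unchanged.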
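The difference between the original 10-byte magic entry and the two 4-byte entries discussed in this message can be checked offline. This is an added example, not code from the thread or from file(1); the helper names and the sample byte strings are constructed for illustration.

```python
import re

# Patterns copied from the thread, in magic(5) octal-escape notation.
ORIGINAL_ENTRY = r"\327\315\306\232\000\000\000\000\000\000"
PATCHED_ENTRIES = [r"\327\315\306\232", r"\001\000\011\000"]


def magic_to_bytes(pattern):
    """Decode magic(5) \\ooo octal escapes into the raw bytes they stand for."""
    out = bytearray()
    pos = 0
    while pos < len(pattern):
        m = re.match(r"\\([0-7]{1,3})", pattern[pos:])
        if m:
            out.append(int(m.group(1), 8))
            pos += m.end()
        else:
            out.append(ord(pattern[pos]))
            pos += 1
    return bytes(out)


def matches_any(data, patterns):
    """True if data begins (offset 0) with any of the decoded patterns."""
    return any(data.startswith(magic_to_bytes(p)) for p in patterns)


# Constructed leading bytes, not real files.
SAMPLES = {
    "first signature, six zero bytes after": bytes.fromhex("d7cdc69a000000000000"),
    "first signature, other bytes after": bytes.fromhex("d7cdc69a00000a000a00"),
    "second signature": bytes.fromhex("010009000003"),
    "unrelated (PNG)": b"\x89PNG\r\n\x1a\n",
}


def compare():
    """Map sample name -> (original entry matches, patched entries match)."""
    return {
        name: (matches_any(data, [ORIGINAL_ENTRY]), matches_any(data, PATCHED_ENTRIES))
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:40} original={old!s:5} patched={new}")
```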
RE: [AMaViS-user] Custom spamassassin rule don't work
Hi Santos,

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santos
> Sent: Friday, 30 December 2005 9:15 a.m.
> To: amavis-user@lists.sourceforge.net
> Subject: [AMaViS-user] Custom spamassassin rule don't work
>
> I have this custom rule on /etc/mail/spamassassin/local.cf
>
> uri GEOCITIES /^http:\/\/(uk|it|de|sg|ar|jp|in|es|au|ca|www)\.geocities\.com
> \/.*\/\?/i
> describe GEOCITIES Tons of spam with Geocities URL
> score GEOCITIES 4.0
>
> However it simply doesn't work. Geocities spam still enters my mailbox. SA headers show nothing about this URI test.
>
> Someone recommended this rule to stop geo spam, I just added the other country sub-domains.

The rule looks ok to me. It should happily check something like (I put spaces to evade various filters):

Ht tp:// uk. geocities. com/asdf/?asdf

As Mark said, did you put whole uri into one line? Also, did you restart amavisd-new after this? Remember that all SpamAssassin files will be parsed only at the beginning.

You can test this from command line - just use spamassassin -D and redirect the raw e-mail message to it.

Cheers,
Bojan
Re: [AMaViS-user] Custom spamassassin rule don't work
Gary V wrote:
> Bojan wrote:
> > Hi Santos,
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santos
> > > Sent: Friday, 30 December 2005 9:15 a.m.
> > > To: amavis-user@lists.sourceforge.net
> > > Subject: [AMaViS-user] Custom spamassassin rule don't work
> > >
> > > I have this custom rule on /etc/mail/spamassassin/local.cf
> > >
> > > uri GEOCITIES /^http:\/\/(uk|it|de|sg|ar|jp|in|es|au|ca|www)\.geocities\.com
> > > \/.*\/\?/i
> > > describe GEOCITIES Tons of spam with Geocities URL
> > > score GEOCITIES 4.0
> > >
> > > However it simply doesn't work. Geocities spam still enters my mailbox. SA headers show nothing about this URI test.
> > >
> > > Someone recommended this rule to stop geo spam, I just added the other country sub-domains.
> >
> > The rule looks ok to me. It should happily check something like (I put spaces to evade various filters):
> >
> > Ht tp:// uk. geocities. com/asdf/?asdf
> >
> > As Mark said, did you put whole uri into one line? Also, did you restart amavisd-new after this? Remember that all SpamAssassin files will be parsed only at the beginning.
> >
> > You can test this from command line - just use spamassassin -D and redirect the raw e-mail message to it.
> >
> > Cheers,
> > Bojan
>
> Yes, I see, \/.*\/\? a forward slash, followed by anything, followed by a forward slash, followed by a question mark, but that is why it no longer works. There is no longer a question mark in the URLs. I also wonder if the trailing forward slash is also not present on some, but it is present on all the ones in my quarantine at this time.
>
> Gary V

Yes, this was the cause. Thanks to all that replied. It works now :)

Santos
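The two failure modes raised in this thread, a rule wrapped across two lines and URLs that no longer contain the `?` the pattern's tail requires, can be reproduced offline. This is an added example, not code from any poster or from SpamAssassin; the parser and the sample URLs are constructed, and Python's `re` is assumed to behave like Perl's engine for this particular pattern.

```python
import re

# Rule as posted in the thread; the mail shows it wrapped after "geocities\.com".
FIRST_HALF = r"uri GEOCITIES /^http:\/\/(uk|it|de|sg|ar|jp|in|es|au|ca|www)\.geocities\.com"
SECOND_HALF = r"\/.*\/\?/i"


def parse_uri_rule(line):
    """Parse 'uri NAME /regex/flags' into (name, compiled regex).

    Raises ValueError when the line has no unescaped closing '/', which is
    what a rule wrapped across two lines looks like.
    """
    m = re.match(r"\s*uri\s+(\S+)\s+/(.*[^\\])/([a-z]*)\s*$", line)
    if not m:
        raise ValueError("incomplete uri rule (wrapped line?): %r" % line)
    name, body, flags = m.groups()
    return name, re.compile(body, re.IGNORECASE if "i" in flags else 0)


def hits(rule_line, urls):
    """Return the URLs the rule fires on."""
    _, rx = parse_uri_rule(rule_line)
    return [u for u in urls if rx.search(u)]


# Constructed URLs: with and without the '?' that the rule's tail requires.
URLS = [
    "http://uk.geocities.com/asdf/?asdf",
    "HTTP://DE.GEOCITIES.COM/x/?y",
    "http://uk.geocities.com/asdf/",
    "http://uk.geocities.com/asdf",
]

if __name__ == "__main__":
    print(hits(FIRST_HALF + SECOND_HALF, URLS))
    try:
        parse_uri_rule(FIRST_HALF)
    except ValueError as exc:
        print(exc)
```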