Re: [AMaViS-user] Amavisd logging question
On 2/28/2011 7:08 AM, Mark Martinec wrote:
> Bill,
>
>> I have been noticing for quite some time that amavisd-new logs test
>> results messages to the maillog differently at times. For example:
>>
>> Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
>> Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN
>>
>> These are 2 different messages that amavisd-new tested and reported to
>> the maillog as "Passed CLEAN". However, notice that the first log entry
>> clearly shows it came from "amavis", but the second log entry shows it
>> came from "ch4-03611-04)". Note that there is also a closing ")" in the
>> second log entry but no opening "(".
>>
>> Any ideas why this is happening and what I can do to fix it? I am
>> currently running amavisd-new-2.6.4 (20090625).
>
> What syslog variant are you using?
> Looks like part of a process name ($0) ends up as a syslog ident.

Hi Mark, I'm running Fedora 12:

uname -a
Linux mail.inetmsg.com 2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1 21:45:50 UTC 2010 i686 athlon i386 GNU/Linux

And syslog is:

rsyslogd -v
rsyslogd 4.4.2, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
Atomic operations supported:No
Runtime Instrumentation (slow code):No

> The $syslog_ident is 'amavis' by default and is never changed
> by amavisd itself. It is passed as an argument to openlog(),
> so this is the string you should be seeing in a syslog.
> A custom hook is allowed to change the $syslog_ident
> (e.g. in a policy bank), so this would be reflected in a syslog
> for entries written when using such a policy bank.

The only policy bank I use is (the rest are commented out):

=
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',  # select Amavis policy delegation protocol
  auth_required_release => 0,  # don't require secret_id for amavisd-release
};
=

I searched my amavisd.conf file and only find one entry for $syslog_ident, included in this section of the config file:

=
$log_level = 0;
$LOGFILE = undef;
$DO_SYSLOG = 1; # same as 0
$syslog_ident = 'amavis';
$syslog_facility = 'mail';# after-default, derived from $SYSLOG_LEVEL
$syslog_priority = 'debug'; # after-default, derived from $SYSLOG_LEVEL
$SYSLOG_LEVEL = 'mail.debug'; # obsolete variable
=

I am running a custom logging section that you provided a while back:

=
$log_templ = <<'EOD';
[?%#D|#|Passed #
[? [:ccat|major] |OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
[~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From]||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[ ? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
UNCHECKED|BANNED (%F)|INFECTED (%V)]#
, [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: %m]#
[? %r ||, Resent-Message-ID: %r]#
, mail_id: %i#
, Hits: [:SCORE]#
, size: %z#
#, smtp_resp: [:smtp_response]#
[? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
[? [:header_field|From]||, From: [:uquote|[:header_field|From]]]#
[? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
[? %#T ||, Tests: \[[%T|,]\]]#
[? [:AUTOLEARN] ||, autolearn=[:AUTOLEARN]]#
, %y ms#
]
EOD
=

> Your string "ch4-03611-04)" looks very much like the process
> name ($0), except that it is missing the "amavisd (" prefix.
> Could it be that your syslog is being creative and tries to use
> a process name in place of a syslog ident?

Hmmm, maybe, but I don't really know why it would be doing that, it's really just a basic install of Fedora 12. Here is what my maillog shows thus far today:

grep -c "mail ch" /var/log/maillog
301
grep -c "mail amavis" /var/log/maillog
2319

As you can see, most log entries use "amavis", but certainly not all. Any ideas on where to look next?

Thanks!

Bill
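An added example, not part of the original thread or of amavisd-new: a small audit that finds amavisd entries by their "(PID-NN)" message prefix instead of by the syslog ident, so entries logged under a corrupted ident are still counted and the odd idents are listed. It assumes, from the two log lines quoted above, that the number before the dash in the prefix is the zero-padded PID shown in the syslog tag; the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the two lines quoted in the post.
SAMPLE_MAILLOG = """\
Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN
Feb 27 14:23:10 mail postfix/smtpd[4120]: connect from unknown[192.0.2.10]
Feb 27 14:23:41 mail amavis[27931]: (27931-09) Blocked SPAM
Feb 27 14:24:02 mail ch7-03611-05)[3611]: (03611-05) Passed CLEAN
Feb 27 14:24:30 mail custom[5000]: (04999-01) lookalike prefix, different pid
"""

# Traditional syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>\S+?)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Message prefix seen in the quoted lines: "(PID-NN) " with a zero-padded PID.
AMAVIS_PREFIX = re.compile(r"^\((?P<pid>\d+)-(?P<seq>\d+)\)\s")


def parse_line(line):
    """Split one syslog line into fields, or return None if it does not fit."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def is_amavis_entry(rec):
    """True when the message prefix carries the same PID as the syslog tag."""
    m = AMAVIS_PREFIX.match(rec["msg"])
    return bool(m) and int(m.group("pid")) == rec["pid"]


def audit_idents(text, expected_ident="amavis"):
    """Count amavisd entries by ident and collect the unexpected idents."""
    counts = Counter()
    odd_tags = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
        elif not is_amavis_entry(rec):
            counts["other"] += 1
        elif rec["tag"] == expected_ident:
            counts["expected"] += 1
        else:
            counts["misattributed"] += 1
            odd_tags[rec["tag"]] += 1
    return counts, odd_tags


if __name__ == "__main__":
    counts, odd_tags = audit_idents(SAMPLE_MAILLOG)
    print(dict(counts))
    for tag, n in odd_tags.most_common():
        print(f"{n:5d}  {tag}")
```

A report or alert that filters on the "amavis" ident alone would miss the misattributed entries, which in the maillog counted above were 301 lines against 2319.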
[AMaViS-user] Amavisd logging question
Hi List,

I have been noticing for quite some time that amavisd-new logs test results messages to the maillog differently at times. For example:

Feb 27 14:22:06 mail amavis[27931]: (27931-08) Passed CLEAN
Feb 27 14:22:56 mail ch4-03611-04)[3611]: (03611-04) Passed CLEAN

These are 2 different messages that amavisd-new tested and reported to the maillog as "Passed CLEAN". However, notice that the first log entry clearly shows it came from "amavis", but the second log entry shows it came from "ch4-03611-04)". Note that there is also a closing ")" in the second log entry but no opening "(".

Any ideas why this is happening and what I can do to fix it? I am currently running amavisd-new-2.6.4 (20090625).

Thanks,

Bill

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org
Re: [AMaViS-user] Blacklisting and spam configuration
On 1/30/2011 4:52 AM, Michael Scheidell wrote:
> On 1/30/11 5:46 AM, Peter Charles wrote:
>> Hi, I was advised to ask the questions below here after posting on
>> freespamfilter org Amavisd-new forum:
> they should have sent you to 'alt.conspiracies'
> as for why you were blacklisted, it is up to the company at the
> receiving end to decide who and how to blacklist. not amavisd, which
> doesn't come with any default blacklists.
> maybe you need to send them a freedom of information request asking why
> they blacklisted you? also, if you got a BOUNCE, the BOUNCE might tell
> you why it was blacklisted.
>
> the company might use one of the free or commercial blacklists to
> protect themselves from email send directly from workstations, etc.
>
> Also, if you spent 3 months, trying to send what you now seem to think
> is a critical request, then truly, your earlier statement "I don't know
> how email works" is true.
>
> email is 'best efforts', and unless you have a contract with the sending
> company and receiving company saying that they must accept your email,
> then maybe you should have spent .41c and sent them an email.

Michael, I'm assuming you meant postal mail, not email. And I agree, email is not meant to be used for such things.

Peter, rather than wasting any more of your time (or anyone else's for that matter) try using USPS certified mail with return receipt and be done with it.

Bill
Re: [AMaViS-user] Recent spam increase // Any clue??
> Hello folks,
>
> I am using a combination of amavisd-new 2.6.4 - spamassassin - p0f -
> dcc - razor2 - SPF - DKIM on FBSD box, with quite good results since
> many years now.
>
>
> I would like to know if anyone has already found a solution to fight
> these scams as I am a little bit clueless to fight these new spam.
>
>
> Since couple of days, I am facing a massive increase in Little SPAM
> such as the one presented hereunder:

This question is probably better posed to the Spamassassin Users list. With that said, John Hardin recently posted this sample to that list:

body GAPPPY_URI /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe GAPPPY_URI URI contains obfuscation spaces
score GAPPPY_URI 1.5

Watch for word-wrapping, as this should only be 3 lines.

Bill

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
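An added example, not part of the original message and not SpamAssassin code: it loads the three rule lines quoted above, rejects a copy that has been word-wrapped (the failure the message warns about), and shows which constructed strings the pattern matches. It applies the regex directly with Python's re module, which only approximates how SpamAssassin evaluates a body rule; the function names and sample strings are illustrative.

```python
import re

# The three rule lines exactly as quoted in the message above.
RULE_TEXT = r"""
body GAPPPY_URI /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe GAPPPY_URI URI contains obfuscation spaces
score GAPPPY_URI 1.5
"""

DIRECTIVE = re.compile(r"^(body|describe|score)\s+(\w+)\s+(.*)$")
BODY_PATTERN = re.compile(r"^/(.*)/([a-z]*)$")

# Constructed test strings: (text, should the rule hit?)
SAMPLES = [
    ("www . pills4242 . com", True),    # spaces around both dots
    ("www. abc12. c o m", True),        # space after each dot, spaced TLD
    ("WWW . Shop99 . N E T", True),     # rule is case-insensitive
    ("www.example12.com", False),       # ordinary URI, no gaps
    ("www . example . com", False),     # gaps, but no digits in the name
]


def load_rule(text):
    """Parse body/describe/score lines; raise ValueError on wrapped input."""
    rule = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError("stray line, rule may be word-wrapped: %r" % line)
        kind, name, rest = m.groups()
        if rule.setdefault("name", name) != name:
            raise ValueError("lines refer to different rule names")
        if kind == "body":
            b = BODY_PATTERN.match(rest)
            if not b:
                raise ValueError("body pattern is not a complete /.../ regex")
            flags = re.IGNORECASE if "i" in b.group(2) else 0
            rule["regex"] = re.compile(b.group(1), flags)
        elif kind == "describe":
            rule["describe"] = rest
        else:
            rule["score"] = float(rest)
    missing = {"regex", "describe", "score"} - rule.keys()
    if missing:
        raise ValueError("incomplete rule, missing: %s" % sorted(missing))
    return rule


def rule_hits(rule, text):
    """True when the rule's pattern is found anywhere in the text."""
    return rule["regex"].search(text) is not None


if __name__ == "__main__":
    rule = load_rule(RULE_TEXT)
    for text, _ in SAMPLES:
        print("%-5s %r" % (rule_hits(rule, text), text))
```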
Re: [AMaViS-user] Problem with URIDNSBL module
Benedict White wrote:
> I have a couple of servers running Amavisd New and Spamassassin, and I thought
> all was well. However whilst one does clearly load and use
> Mail::SpamAssassin::Plugin::URIDNSBL
> the other appears not to at all.
>
> I can't see what is wrong.
>
> $sa_local_tests_only = 0;# only tests which do not require internet access?
>
> is set the same (to false so it does internet checks) in Amavisd and there is
> a:
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> in /etc/mail/spamassassin/init.pre
>
> Is there somewhere else I should look?

Do you have rbl checks enabled in local.cf?:

skip_rbl_checks 0

Zero means do not skip/disable rbl checks. I don't know what the default setting is, but it's something to check.

Bill
Re: [AMaViS-user] amavisd quietly dieing
Eric W. Bates wrote:
> I have a mysterious problem. After upgrading amavisd-new to 2.6.2 on
> FreeBSD (port version 2.6.2_3,1), it simply dies after about 20 seconds
> with no errors or core dumps.
>
> I cranked the debug level up to 5 and sent it all to syslog.
>
> As far as I can tell, there is no way to run amavisd non-daemonized (in
> the hopes of some non-logged output).

You could try running amavisd in debug mode to see if that outputs anything unusual to the screen:

amavisd debug

> I have tried it both with spamd running and not running (no change).

If you are running amavisd-new, then you do not need to run spamd (and should not run it), as amavisd pre-loads spamassassin and its config files into memory at startup (see: http://www.ijs.si/software/amavisd/ for more details).

Bill
Re: [AMaViS-user] Changes to local.cf
Jeff Grossman wrote:
> If I make changes to SpamAssassin's local.cf file, do I need to restart
> Amavis or does Amavis load the local.cf file during each mail delivery?

You need to reload amavisd, as it only reads local.cf on startup.

Bill
[AMaViS-user] Script Update & Name Change Announcement
Hi Folks,

Sorry for the cross-postings, but I wanted to try and reach as many people that use the "unofficial-clamav-sigs" script as possible.

I have been asked by some package and port maintainers to rename the script and tarball to better support their efforts to package the script for redistribution. The name change will facilitate finding the script when using package managers like yum, apt, pkg, etc., to install ClamAV and its supporting and complementary packages.

Please be aware that if you decide to use this or any future script update, you will need to update your cron jobs to reference the new script and config file names.

With that said, here's what has changed with this update (from the CHANGELOG):

Version 2.7.2 (update 2009-04-23)
- * ALERT - ALERT - ALERT - ALERT - ALERT - ALERT - ALERT *
  The script name has been changed. This has been done to facilitate packaging and redistribution of the scripts by various OS package and port maintainers. By renaming the script and tarball from "unofficial-clamav-sigs" to "clamav-unofficial-sigs", the package will show up when using package managers like yum, apt, pkg, etc., to install ClamAV and its supporting and complementary packages. Please be sure to make the necessary changes to your cron jobs to support the new script and config file names.
- Added the new Winnow (winnow_spam_complete.ndb) and SaneSecurity (jurlbl.ndb) database files.
- Added a safety net to all "rm" commands in the script in order to prevent script config file editing errors that could potentially cause deletion of unintended files and/or directories. Thanks to Mike Cappella for suggesting this.
- Modified the script's "getopts" section logic to make it more efficient and easier to understand. Thanks to Mike Cappella for his comments and suggestions in this area.

And forgot to include this with the last script update announcement:

- Added missing 'curl_proxy' variable to the SaneSecurity GPG Key download section.

Steve Basford, can you update the link on your "Usage" page.

The updated tarball can be downloaded from:

http://www.inetmsg.com/pub/clamav-unofficial-sigs.tar.gz

As usual, let me know if there are any issues, suggestions, or feature requests.

Bill

PS, Bcc to various package/port maintainers.
Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2
Mark Martinec wrote:

First off, sorry for the previous inadvertent off-list reply.

>> Mark, would you consider including the following perl modules as
>> additional "Prerequisites" in the INSTALL document:
>>Convert::BinHex
>
>> fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
>> Can't locate Convert/BinHex.pm in @INC
>
> The Convert::BinHex is not used directly by amavisd nor by SpamAssassin.
> It is a dependency from a MIME-Tools perl module. Seems like whoever
> did the package for MIME-Tools forgot to specify this dependency.
>
> In FreeBSD ports the dependency is clearly stated in the MIME-Tools' Makefile,
> so installing the mail/p5-MIME-Tools port brings in the Convert/BinHex.pm
> port automatically.
>
> It would be futile for amavisd to try and track any indirect dependencies
> from subordinate modules.

After sending my last response, I started wondering why the missing Convert::BinHex module was not an issue for amavisd-new until after the upgrade from v2.6.2 to v2.6.3-rc2, if "not used directly by amavisd", as you state above? SpamAssassin v3.2.5 was running both before and after the amavisd-new upgrade, so the only thing that changed was amavisd-new. Just curious...

Thanks!

Bill
Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2
Mark Martinec wrote:
> Bill,
>
>> Mark, would you consider including the following perl modules as
>> additional "Prerequisites" in the INSTALL document:
>>Convert::BinHex
>
>> fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
>> Can't locate Convert/BinHex.pm in @INC
>
> The Convert::BinHex is not used directly by amavisd nor by SpamAssassin.
> It is a dependency from a MIME-Tools perl module. Seems like whoever
> did the package for MIME-Tools forgot to specify this dependency.
>
> In FreeBSD ports the dependency is clearly stated in the MIME-Tools' Makefile,
> so installing the mail/p5-MIME-Tools port brings in the Convert/BinHex.pm
> port automatically.
>
> It would be futile for amavisd to try and track any indirect dependencies
> from subordinate modules.

I agree, thanks for the explanation.

>>DBI
>>
>> Even though I'm not using SQL, adding these perl modules resolves the
>> following reported issues on Fedora 10 with perl v5.10.0:
>
>> fetch_modules: error loading optional module
>> Mail/SpamAssassin/SQLBasedAddrList.pm:
>> Can't locate DBI.pm in @INC
>
> I'll remove the Mail::SpamAssassin::SQLBasedAddrList from a list
> of modules in 'sub getCommonSAModules'. Please see if that helps.

I'll remove the DBI module after your next release and then let you know what I find.

Thanks,

Bill
Re: [AMaViS-user] second release candidate: amavisd-new-2.6.3-rc2
Mark Martinec wrote:
> The second release candidate amavisd-new-2.6.3-rc2 is available at:

Mark, would you consider including the following perl modules as additional "Prerequisites" in the INSTALL document:

Convert::BinHex
DBI

Even though I'm not using SQL, adding these perl modules resolves the following reported issues on Fedora 10 with perl v5.10.0:

amavisd start
fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
Can't locate Convert/BinHex.pm in @INC (@INC contains: /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/local/lib/perl5/site_perl /usr/lib/perl5/site_perl) at /usr/local/lib/perl5/site_perl/5.10.0/MIME/Decoder/BinHex.pm line 43.
BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.10.0/MIME/Decoder/BinHex.pm line 43.
Compilation failed in require at /usr/local/sbin/amavisd line 197.
fetch_modules: error loading optional module Mail/SpamAssassin/SQLBasedAddrList.pm:
Can't locate DBI.pm in @INC (@INC contains: /var/lib/spamassassin/compiled/3.002004 /var/lib/spamassassin/compiled/3.002004/auto /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/local/lib/perl5/site_perl /usr/lib/perl5/site_perl) at /usr/local/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/SQLBasedAddrList.pm line 80.
BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/SQLBasedAddrList.pm line 80.
Compilation failed in require at /usr/local/sbin/amavisd line 197.
===

Thanks for your consideration and for the great piece of software!

Best regards,

Bill
Re: [AMaViS-user] sanesecurity sigs and bounce_killer ?
Henrik K wrote:
> On Wed, Apr 08, 2009 at 02:43:00PM -0700, Bill Landry wrote:
>> Michael Scheidell wrote:
>>> and it looks like sane security test #2 and 3 did fail if I don't do
>>> this in amavisd.conf:
>>> (uncomment out the qr'^MAIL'.
>>>
>>> so, 'can be slow'. how slow is it? and is bill landry wrong saying I
>>> need bypass-decode_parts=1?
>>> is this something fixed in 2.6.2?
>> Not required, but if you don't use "bypass-decode_parts = 1", then you
>> will want to set "$keep_decoded_original_re = 1" so that clamd can also
>> scan the entire message and not just all of the decoded parts separately.
>
> I was just thinking about this same stuff. I use bounce killer too, but I
> want scanners to scan _only_ the full email and not all the parts which
> creates unnecessary load.
>
> Mark, would it be possible to have some option to only do the stuff that
> bounce killer needs and not write unnecessary parts to disk?

Amavisd-New already does this, just set "bypass-decode_parts = 1" in your amavisd.conf file, and you're good to go (works with amavisd-new 2.5.1-pre1 and newer). When this is set, amavisd does *not* decode messages and split them into parts, it simply passes the full message to clamd for scanning.

Bill
Re: [AMaViS-user] sanesecurity sigs and bounce_killer ?
Michael Scheidell wrote:
> sanesecurity site:
> references this archived email:
> says to set bypass_decode_parts=1 in amavisd.conf
>
> amavisd says to set it to 0 if you are using bounce_killer or using
> 'file' to guess the attachment type.
>
> (i have it set to 0, using bounce killer and file)
>
> (http://marc.info/?t=11795129371&r=1&w=2)
>
> OT: bill, funny thing: I can't look up your DNS servers from our
> internal network..

Well that's strange, since the domain is public hosted by EditDNS (check "whois inetmsg.com"). The other strange thing is I just sent you an email off list about something else.

> http://sanesecurity.com/usage.htm
>
> says: uncomment the #qr'^MAIL'
>
> @keep_decoded_original_maps = (new_RE(
> qr'^MAIL$', # retain full original message for virus checking (can be slow)
> qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
> qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data', # don't trust Archive::Zip
> ));
>
>
> and it looks like sane security test #2 and 3 did fail if I don't do
> this in amavisd.conf:
> (uncomment out the qr'^MAIL'.
>
> so, 'can be slow'. how slow is it? and is bill landry wrong saying I
> need bypass-decode_parts=1?
> is this something fixed in 2.6.2?

Not required, but if you don't use "bypass-decode_parts = 1", then you will want to set "$keep_decoded_original_re = 1" so that clamd can also scan the entire message and not just all of the decoded parts separately.

Bill
Re: [AMaViS-user] 2.6.3 due out?
Sahil Tandon wrote:
> On Fri, 27 Mar 2009, Mark Martinec wrote:
>
>>> when is 2.6.3 due out?
>> No promises on dates, but I'd really like to do it pretty soon now,
>> and I'm trying to wrap up things these days. A matter of a week
>> or two I hope.
>
> Not that you need to be told this, but take your time Mark -- we appreciate
> your effort in maintaining this entirely free product.

Yes indeed! Can't thank you enough, Mark! Your efforts make our jobs so much easier.

Bill
Re: [AMaViS-user] DKIM problem with long domain names?
Mark Martinec wrote:
> No, it's just his style of numbering versions.
> The 0.33_6 will become 0.34 when released,
> just as 0.32_6 now became a 0.33.
>
> The 0.33_6 is dropping support for pre-standard DKIM.

Yes, I see that now. I forced a cpan database update and was able to install 0.33. Thanks for the heads up about the new release.

Bill
Re: [AMaViS-user] DKIM problem with long domain names?
Patrick Wong wrote:
> Yes Bill, I can confirm that 0.33 is available from CPAN cause I just
> did it this morning after reading Mark's notes.

Not for me. Just now tried again:

cpan[1]> install Mail::DKIM
CPAN: Storable loaded ok (v2.18)
Going to read /root/.cpan/Metadata
Database was generated on Tue, 10 Mar 2009 11:26:55 GMT
CPAN: YAML loaded ok (v0.68)
Going to read 72 yaml files from /root/.cpan/build/
CPAN: Time::HiRes loaded ok (v1.9711)
DONE
Restored the state of 3 (in 1.3195 secs)
Mail::DKIM is up to date (0.32).

cpan[2]>

Bill
Re: [AMaViS-user] DKIM problem with long domain names?
Mark Martinec wrote:
>> Not that I know of, but there is a bug in Mail::DKIM 0.32 or earlier,
>> only triggered in marginal cases - yours may be one of them.
>>
>> From release notes:
>>(btw, if testkeys fails and you believe your DNS is correctly serving
>>your DKIM public keys, you may need to upgrade Perl module Mail-DKIM
>>to version 0.33 or at least 0.32_6)
>
> Btw, Jason Long (author of Mail::DKIM) has just released an official 0.33,
> which is equivalent to 0.32_6, except that it doesn't bear a 'beta' shade.
>
> So port and package maintainers should no longer have an excuse
> not to upgrade their port/package to the current official release
> of Mail-DKIM-0.33.
>
> See: http://cpan.perl.org/authors/id/J/JA/JASLONG/

Hmmm, is Jason possibly still working on the 0.33 release? From the link you posted above:

Mail-DKIM-0.33.tar.gz     10-Mar-2009 07:57  74K
Mail-DKIM-0.33_5.tar.gz   10-Mar-2009 08:07  74K
Mail-DKIM-0.33_6.tar.gz   10-Mar-2009 08:22  74K

And it's still not available via CPAN.

Bill
Re: [AMaViS-user] link error in howto link
Bill Landry wrote:
> Benny Pedersen wrote:
>> http://www.amavis.org/howto/ give me 403
>>
>> could one tell me where it is if moved ?
>
> If you're running amavisd-new, then you should be looking at:
>
>http://www.ijs.si/software/amavisd/
>
> instead of www.amavis.org.

BTW, just out of curiosity, why does your post to this list come from:

Benny Pedersen

but your reply-to header is set as:

"Reply-To: jhar...@impsec.org"

Isn't that email address owned by:

John Hardin

Are Benny Pedersen & John Hardin pseudonyms for the same person?

Bill
Re: [AMaViS-user] link error in howto link
Benny Pedersen wrote:
> http://www.amavis.org/howto/ give me 403
>
> could one tell me where it is if moved ?

If you're running amavisd-new, then you should be looking at:

http://www.ijs.si/software/amavisd/

instead of www.amavis.org.

Bill
Re: [AMaViS-user] problem upgrading amavisd
deconya wrote:
> Hi
>
> User of mailing postfix list pass me this list if would be possible to help
> me with my problem. Im upgrading and old version of amavisd-new (2.1.2
> version) to the new 2.6.1. Im looking the README manual and installing all
> perl modules but when I start amavisd in debug mode appears:
>
> --
> Problem in Amavis::DB or Amavis::DB::SNMP code: Can't locate loadable object
> for module BerkeleyDB in @INC (@INC contains:
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0) at (eval
> 34) line 19
> Compilation failed in require at (eval 34) line 19.
> BEGIN failed--compilation aborted at (eval 34) line 19.
> Undefined subroutine &BerkeleyDB::Term::close_everything called at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/BerkeleyDB.pm line
> 1649.
> END failed--call queue aborted.
> --
>
> and I don't know how to repair this. In any manual appears information about
> this. Someone can help me?
>
> Best Regards

Looks like you're missing the BerkeleyDB perl module. Try:

cpan -i BerkeleyDB

Then reload amavisd. That should resolve the issue for you.

Bill

Re: [AMaViS-user] URI/URl severs
Benedict White wrote:
> -Original Message-
> From: Alexander Wirt [mailto:formo...@debian.org]
> Sent: 24 February 2009 16:58
> To: Benedict White
> Cc: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] URI/URl severs
>
> Benedict White wrote on Tuesday, 24 February 2009:
>
>> One rule set I maintain for several servers is a list of spammy URLS.
>>
>> I know there are URL blocklists that can be integrated into spamassassin.
>>
>> What I wanted to do was run my own, so I could quickly report bad URL's to it
>> and know that all the servers would score it how I wanted.
>>
>> What I wanted to know is:
>>
>> Does anyone know of some server side software that does this that is open
>> source?
> Sure. We use rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html) for that
> purpose.
>
>
> Many thanks Alexander and Bill.
>
> So assuming that is easy enough to set up (I presume it is) then the question
> is how do I get
> Spamassassin to query it, and how do I tell it of URLS I would like it to
> block?
>
> Kind Regards
>
> Benedict White

It's pretty straight forward to setup. As far as how to query it from SA, you could setup a new test in the same format as the URIBL & SURBL URI tests are setup. Once you've installed rbldnsd, if you have further questions about how to configure it up, either post them to the rbldnsd list or feel free to send them to me off-list, as these questions are OT for this list.

Bill

Re: [AMaViS-user] URI/URl severs
Benedict White wrote:
> One rule set I maintain for several servers is a list of spammy URLS.
>
> I know there are URL blocklists that can be integrated into spamassassin.
>
> What I wanted to do was run my own, so I could quickly report bad URL's to it
> and know that all the servers would score it how I wanted.
>
> What I wanted to know is:
>
> Does anyone know of some server side software that does this that is open
> source?
>
>
> Kind Regards
>
> Benedict White

Take a look at rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html), it's what URIBL & SURBL both use.

Bill

Re: [AMaViS-user] Issue with clamscan
Mark Martinec wrote: > Here is a patch for this bug (against 2.6.2): > > --- amavisd.orig 2008-12-15 01:50:09.0 +0100 > +++ amavisd 2009-02-15 01:57:40.0 +0100 > @@ -19993,4 +19993,5 @@ >1; > } or do { $eval_stat = $@ ne '' ? $@ : "errno=$!" }; > +prolong_timer('ask_daemon_internal', $deadline-time); > last if $eval_stat eq ''; # mission accomplished > # error handling (most interesting error codes are EPIPE and ENOTCONN) > > Mark Thanks Mark, that did indeed fix the problem. Bill -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
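Review bot: the added prolong_timer('ask_daemon_internal', $deadline-time) call passes the raw difference $deadline-time, which is zero or negative if the deadline has already passed by the time the eval block returns. The visible lines do not show how prolong_timer treats such a value, so either clamp it to a small positive minimum at the call site or note in a comment that prolong_timer handles it. The call also sits before "last if $eval_stat eq ''", so it runs on the success path as well as ahead of the error handling; a one-line comment saying why the timer is re-armed at this point would help the next reader.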
Re: [AMaViS-user] Issue with clamscan
Mark Martinec wrote:
> Bill,
>
>> 451 4.5.0 Error in processing,
>> id=29363-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
>> ClamAV-clamscan av-scanner FAILED: Not a CODE reference at (eval 87)
>> line 403, line 65.;
>
>> @av_scanners_backup = (
>>
>> ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
>> ['ClamAV-clamscan', 'clamscan',
>> "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
> ^
>> qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>> );
>
> One argument too many.
>
> Either use [1] or qr/:.*\sFOUND$/, you can't have both
> in that position.
>
> Mark

Thanks for the reply, Mark. I've updated my clamscan entry in amavisd.conf, so it now looks like:

### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
  "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0],
  qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

Then did an "amavisd reload", but I am still seeing in the mailq:

0F6B65A53CB 2037 Fri Feb 13 16:46:50 bill.lan...@gmail.com
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
id=01189-01, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to
/var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock:
No such file or directory) at (eval 87) line 325, line 37.;
ClamAV-clamscan av-scanner FAILED: run_av error: run_av: Exceeded allowed
time at (eval 87) line 532, line 37. (in reply to end of DATA command))
b...@inetmsg.com

And in the maillog:

Feb 13 16:46:50 mail postfix/qmgr[28813]: 0F6B65A53CB: from=, size=2037, nrcpt=1 (queue active)
Feb 13 16:46:51 mail amavis[1189]: (01189-01) (!)ClamAV-clamd: Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory, retrying (2)
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory) at (eval 87) line 325, line 37.
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)WARN: all primary virus scanners failed, considering backups
Feb 13 16:47:07 mail amavis[1189]: (01189-01) (!)killing process [1320] running ClamAV-clamscan (reason: on reading: timed out)
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)process [1320] running ClamAV-clamscan is still alive, using a bigger hammer
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/local/sbin/amavisd line 3202, line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)ClamAV-clamscan av-scanner FAILED: run_av error: run_av: Exceeded allowed time at (eval 87) line 532, line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory) at (eval 87) line 325, line 37.; ClamAV-clamscan av-scanner FAILED: run_av error: run_av: Exceeded allowed time at (eval 87) line 532, line 37.
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!)PRESERVING EVIDENCE in /var/amavis/tmp/amavis-20090213T164650-01189
Feb 13 16:47:08 mail postfix/smtp[1318]: 0F6B65A53CB: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=18, delays=0.13/0.02/0.04/18, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=01189-01, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory) at (eval 87) line 325, line 37.; ClamAV-clamscan av-scanner FAILED: run_av error: run_av: Exceeded allowed time at (eval 87) line 532, line 37. (in reply to end of DATA command))

Any other thoughts? Thanks!

Bill

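Added example, not part of the original thread: a Python triage of amavisd maillog lines like those in the message above, grouped by the amavis session tag, that separates "every scanner failed and the mail was deferred" from "clamd was down but the backup scanner carried the scan". The sample log is constructed in the format of the excerpt; the function names and status labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the maillog excerpt above (not real traffic).
SAMPLE_LOG = """\
Feb 13 16:46:51 mail amavis[1189]: (01189-01) (!)ClamAV-clamd: Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory, retrying (2)
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock: No such file or directory)
Feb 13 16:46:57 mail amavis[1189]: (01189-01) (!!)WARN: all primary virus scanners failed, considering backups
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)ClamAV-clamscan av-scanner FAILED: run_av error: run_av: Exceeded allowed time at (eval 87) line 532
Feb 13 16:47:08 mail amavis[1189]: (01189-01) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: run_av error
Feb 13 16:47:08 mail postfix/smtp[1318]: 0F6B65A53CB: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=18, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=01189-01, virus_scan FAILED)
Feb 13 16:50:02 mail amavis[1190]: (01190-01) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/amavis/clamd.sock
Feb 13 16:50:02 mail amavis[1190]: (01190-01) (!!)WARN: all primary virus scanners failed, considering backups
Feb 13 16:50:05 mail amavis[1190]: (01190-01) Passed CLEAN, [192.0.2.10] <a@example.com> -> <b@example.com>, Hits: -, 3120 ms
Feb 13 17:10:44 mail amavis[1191]: (01191-01) Passed CLEAN, [192.0.2.11] <c@example.com> -> <b@example.com>, Hits: -, 412 ms
"""

# Keyed on the "(NNNNN-NN)" session tag rather than on the syslog ident.
SESSION_RE = re.compile(r"\]: \((\d+-\d+)\) (.*)$")
SCANNER_FAILED_RE = re.compile(r"\(!!\)(\S+) av-scanner FAILED: (.*)")
VERDICT_RE = re.compile(r"(?:Passed|Blocked) [A-Z-]+")
DEFERRED_RE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*status=deferred .*\bid=(\d+-\d+)")
FALLBACK = "all primary virus scanners failed, considering backups"
ALL_FAILED = "ALL VIRUS SCANNERS FAILED"


def classify(reason):
    """Map the free-text failure reason to a coarse cause."""
    if "Exceeded allowed time" in reason or "timed out" in reason:
        return "timeout"
    if "Can't connect" in reason or "Too many retries" in reason:
        return "daemon unreachable"
    if "Not a CODE reference" in reason:
        return "config error"
    return "other"


def status_of(session):
    if session["all_failed"]:
        return "all_scanners_failed"    # mail was not scanned; MTA defers it
    if session["fell_back"]:
        return "backup_scanner_only"    # scanned, but the primary is down
    return "ok"


def triage(log_text):
    """Return {session_id: summary} for every amavis session in the log."""
    sessions = defaultdict(lambda: {"failed": {}, "fell_back": False,
                                    "all_failed": False, "verdict": None,
                                    "deferred_queue_ids": []})
    for line in log_text.splitlines():
        deferred = DEFERRED_RE.search(line)
        if deferred:                    # tie the Postfix queue id to the session
            sessions[deferred.group(2)]["deferred_queue_ids"].append(deferred.group(1))
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions[sid]
        failed = SCANNER_FAILED_RE.match(msg)
        if failed:
            s["failed"][failed.group(1)] = classify(failed.group(2))
        elif FALLBACK in msg:
            s["fell_back"] = True
        elif ALL_FAILED in msg:
            s["all_failed"] = True
        else:
            verdict = VERDICT_RE.match(msg)
            if verdict:
                s["verdict"] = verdict.group(0)
    return {sid: dict(s, status=status_of(s)) for sid, s in sessions.items()}


def alerts(report):
    """Sessions that need an operator's attention, worst cases included."""
    return sorted((sid, r["status"]) for sid, r in report.items()
                  if r["status"] != "ok")


if __name__ == "__main__":
    for sid, status in alerts(triage(SAMPLE_LOG)):
        print(sid, status)
```
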
Re: [AMaViS-user] Issue with clamscan
Clayton Keller wrote:
> Bill Landry wrote:
>> Hi List,
>>
>> I am running:
>>
>> amavisd -V
>> amavisd-new-2.6.2 (20081215)
>>
>> ClamD recently crashed and I found entries in the mailq like the
>> following:
>>
>> -Queue ID- --Size-- Arrival Time -Sender/Recipient---
>> 78F8763CE0111253 Fri Feb 13 10:33:28 owner-postfix-us...@postfix.org
>> (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
>> id=29363-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
>> ClamAV-clamscan av-scanner FAILED: Not a CODE reference at (eval 87)
>> line 403, line 65.; ClamAV-clamscan av-scanner FAILED: Not a
>> CODE reference at (eval 87) line 403, line 65. (in reply to end
>> of DATA command))
>> b...@inetmsg.com
>>
>> When I reload amavisd, it reports in the maillog:
>>
>> Feb 13 10:36:38 mail amavis[29477]: Using primary internal av scanner
>> code for ClamAV-clamd
>> Feb 13 10:36:38 mail amavis[29477]: Found secondary av scanner
>> ClamAV-clamscan at /usr/local/bin/clamscan
>>
>> which is the correct path to clamscan, but amavisd fails when attempting
>> to scan a message with clamscan. Here is my secondary scanner entry in
>> amavisd.conf:
>>
>> @av_scanners_backup = (
>>
>> ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
>> ['ClamAV-clamscan', 'clamscan',
>> "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
>> qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>> );
>>
>> Any ideas on what I might have configured incorrectly? Any feedback is
>> greatly appreciated!
>>
>> Regards,
>>
>> Bill
>>
>
> What is your $TEMPBASE set to? Are permissions correct where you can
> clamscan in it as well? Or is this also part of your amavis tmp
> directory you were scanning ok from? I believe with the config you have
> above, clamscan will dump to that $TEMPBASE and recursively scan it. If
> it is not set to the same directory you are testing with, maybe that is
> the cause of the issue?

From amavisd.conf:

$MYHOME = '/var/amavis';
$TEMPBASE = "$MYHOME/tmp";

ls -l /var/amavis/tmp/
drwxr-x--- 3 amavis amavis 4096 2009-01-27 21:47 amavis-20090127T214710-13386
drwxr-x--- 3 amavis amavis 4096 2009-01-27 22:31 amavis-20090127T223134-13163
drwxr-x--- 3 amavis amavis 4096 2009-01-27 22:31 amavis-20090127T223134-13386
drwxr-x--- 3 amavis amavis 4096 2009-01-30 15:57 amavis-20090130T155709-14910
drwxr-x--- 3 amavis amavis 4096 2009-02-03 05:30 amavis-20090203T053028-26240
drwxr-x--- 3 amavis amavis 4096 2009-02-07 03:27 amavis-20090207T032754-25648

Yes, I can scan there just fine:

su amavis
bash-3.2$ clamscan --stdout --no-summary -r /var/amavis/tmp/
/var/amavis/tmp/amavis-20090127T072652-05434/email.txt: OK
/var/amavis/tmp/amavis-20090127T072652-05434/parts/p001: OK
/var/amavis/tmp/amavis-20090127T214710-13386/email.txt: Sanesecurity.Junk.6497.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090127T214710-13386/parts/p001: Sanesecurity.Junk.6497.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090130T155709-14910/email.txt: OK
/var/amavis/tmp/amavis-20090130T155709-14910/parts/p001: OK
/var/amavis/tmp/amavis-20090127T223134-13163/email.txt: OK
/var/amavis/tmp/amavis-20090127T223134-13163/parts/p001: OK
/var/amavis/tmp/amavis-20090127T215729-13386/email.txt: Sanesecurity.Junk.1350.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090127T215729-13386/parts/p001: Sanesecurity.Junk.1350.UNOFFICIAL FOUND
/var/amavis/tmp/amavis-20090207T032754-25648/email.txt: OK
/var/amavis/tmp/amavis-20090207T032754-25648/parts/p001: OK
/var/amavis/tmp/amavis-20090203T053028-26240/email.txt: OK
/var/amavis/tmp/amavis-20090203T053028-26240/parts/p001: OK

I don't think this is a permissions issue, but I'm willing to try whatever might help resolve the issue. Thanks!

Bill

Re: [AMaViS-user] Issue with clamscan
Michael Scheidell wrote:
>> Hi List,
>>
>> I am running:
>>
>> amavisd -V
>> amavisd-new-2.6.2 (20081215)
>>
>> ClamD recently crashed and I found entries in the mailq like the following:
>>
>
> Two things to check (and all mostly permissions)
>
> As the user running amavisd, use 'clamscan' your $AMAVIS home/tmp
>
> Then, use clamdscan on same (clamdscan sb same group, or group read for same
> directory)

Both amavisd and clamd run as user:group amavis:amavis and all of /var/amavis permissions are also set to amavis:amavis. Here's how I tested to see if permissions are ok:

ls -l /home
drwx-- 3 amavis amavis 4096 2009-02-06 18:42 amavis

ls -l /home/amavis
-rw-rw-r-- 1 amavis amavis  414720 2008-07-01 14:09 DESPACHO-4542008.exe
-rw-r--r-- 1 amavis amavis 3157877 2008-10-04 13:48 postfix-2.5.5.tar.gz
-rw-r--r-- 1 amavis amavis      69 2008-11-02 12:08 test.com
-rw-r--r-- 1 amavis amavis   81538 2008-11-01 22:23 test.eml
-rw-r--r-- 1 amavis amavis    3393 2009-01-24 20:40 test.msg
-rw-r--r-- 1 amavis amavis      69 2009-02-06 18:41 test.txt

su amavis
bash-3.2$ clamscan --stdout --no-summary -r /home/amavis/*
/home/amavis/DESPACHO-4542008.exe: Trojan.Downloader-46121 FOUND
/home/amavis/postfix-2.5.5.tar.gz: OK
/home/amavis/test.com: Eicar-Test-Signature FOUND
/home/amavis/test.eml: Email.Trojan.GZC FOUND
/home/amavis/test.msg: OK
/home/amavis/test.txt: OK

Seems permissions are ok? Any other ideas? Thanks!

Bill

Re: [AMaViS-user] Issue with clamscan
Michael Scheidell wrote:
>
>
> Bill Landry wrote:
>> su amavis
>> bash-3.2$ clamscan --stdout --no-summary -r /home/amavis/*
>> /home/amavis/DESPACHO-4542008.exe: Trojan.Downloader-46121 FOUND
>> /home/amavis/postfix-2.5.5.tar.gz: OK
>> /home/amavis/test.com: Eicar-Test-Signature FOUND
>> /home/amavis/test.eml: Email.Trojan.GZC FOUND
>> /home/amavis/test.msg: OK
>> /home/amavis/test.txt: OK
>>
>>
>
> but, amavis doesn't use clamscan (except as backup scanner)
>
> try clamdscan (the d is NOT a typo)

Please reread my original email. I'm not having any problems with clamd or clamdscan. The problem is when clamd crashes and the amavisd backup scanner, "clamscan" (without the "d") fails.

Bill

[AMaViS-user] Issue with clamscan
Hi List,

I am running:

amavisd -V
amavisd-new-2.6.2 (20081215)

ClamD recently crashed and I found entries in the mailq like the following:

-Queue ID- --Size-- Arrival Time -Sender/Recipient---
78F8763CE0111253 Fri Feb 13 10:33:28 owner-postfix-us...@postfix.org
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
id=29363-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED:
ClamAV-clamscan av-scanner FAILED: Not a CODE reference at (eval 87)
line 403, line 65.; ClamAV-clamscan av-scanner FAILED: Not a
CODE reference at (eval 87) line 403, line 65. (in reply to end
of DATA command))
b...@inetmsg.com

When I reload amavisd, it reports in the maillog:

Feb 13 10:36:38 mail amavis[29477]: Using primary internal av scanner code for ClamAV-clamd
Feb 13 10:36:38 mail amavis[29477]: Found secondary av scanner ClamAV-clamscan at /usr/local/bin/clamscan

which is the correct path to clamscan, but amavisd fails when attempting to scan a message with clamscan. Here is my secondary scanner entry in amavisd.conf:

@av_scanners_backup = (

### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
  "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
  qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

Any ideas on what I might have configured incorrectly? Any feedback is greatly appreciated!

Regards,

Bill

Re: [AMaViS-user] Using RelayCountry with amavis?
Per olof Ljungmark wrote:
> Hi,
>
> I am fiddling with Mail::SpamAssassin::Plugin::RelayCountry in our
> Spamassassin config, and it seems to load ok from init.pre:
> spamassain -D --lint:
> [85215] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry
> from @INC
>
> However, it does not show up when I start amavisd:
>
> amavis[85275]: extra modules loaded after daemonizing:
> Mail/DomainKeys/Header.pm, Mail/DomainKeys/Key.pm,
> Mail/DomainKeys/Key/Public.pm, Mail/DomainKeys/Message.pm,
> Mail/DomainKeys/Policy.pm, Mail/DomainKeys/Signature.pm,
> Mail/SpamAssassin/Plugin/DomainKeys.pm, Mail/SpamAssassin/Plugin/PDFInfo.pm
>
> Anyone on the list using this plugin that can give me a hint here? Using
> latest stable release.

Maybe the RelayCountry module has not been included in "additional_perl_modules" in amavisd? I think you can add it to your amavisd.conf. From the RELEASE_NOTES for the amavisd-new-2.4.3 section:

- added a global configuration variable @additional_perl_modules, which is
  a list of additional Perl module names or absolute file names that should
  be compiled/executed (by calling 'require') at a program startup time by
  a master parent process, before chroot-ing and before changing UID takes
  place. Its purpose is to pre-load additional non-standard SpamAssassin
  plugins and similar modules that a standard SpamAssassin initialization
  would miss, causing them to be loaded later by each child process, which
  is inefficient and may not work in a chrooted process.

  Example:
    @additional_perl_modules = qw(
      /usr/local/etc/mail/spamassassin/FuzzyOcr.pm
      /usr/local/etc/mail/spamassassin/ImageInfo.pm
      /usr/local/etc/mail/spamassassin/WebRedirect.pm
      String::Approx Net::HTTP Net::HTTP::Methods
      URI URI::http URI::_generic URI::_query URI::_server
      HTTP::Date HTTP::Headers HTTP::Message HTML::HeadParser
      HTTP::Request HTTP::Response HTTP::Status
      LWP LWP::Protocol LWP::Protocol::http LWP::UserAgent
      LWP::MemberMixin LWP::Debug
    );
  Make sure these files are owned by root and not writable by
  unprivileged users such as amavis!

Try setting up a .cf file for RelayCountry, for example:

=
ifplugin Mail::SpamAssassin::Plugin::RelayCountry

header   RELAY_BR X-Relay-Countries =~ /\bBR\b/
describe RELAY_BR Relayed through Brazil
score    RELAY_BR 1.0

header   RELAY_CN X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN Relayed through China
score    RELAY_CN 1.0

header   RELAY_HK X-Relay-Countries =~ /\bHK\b/
describe RELAY_HK Relayed through Hong Kong
score    RELAY_HK 1.0

endif
=

and see if SA reports entries like:

RELAY_CN=1, RELAY_CN Relayed through China

Bill

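Added example, not part of the original message or of amavisd-new: a Python audit for the release-note warning quoted above, since files listed by absolute name in @additional_perl_modules are loaded by the master process before it changes UID. It pulls the absolute entries out of the qw() list and reports any file or parent directory that is not owned by a trusted UID or is group/world-writable; the function names, the trusted_uids parameter and the sample config text are assumptions of this example.

```python
import os
import re
import stat

# Sample config text, shortened from the RELEASE_NOTES example quoted above.
SAMPLE_CONF = """
@additional_perl_modules = qw(
  /usr/local/etc/mail/spamassassin/FuzzyOcr.pm
  /usr/local/etc/mail/spamassassin/ImageInfo.pm
  String::Approx Net::HTTP
);
"""

QW_RE = re.compile(r"@additional_perl_modules\s*=\s*qw\s*\((.*?)\)", re.S)


def absolute_entries(conf_text):
    """Entries given as absolute file names. Bare module names such as
    String::Approx are resolved through @INC and are out of scope here."""
    m = QW_RE.search(conf_text)
    if not m:
        return []
    return [word for word in m.group(1).split() if word.startswith("/")]


def check_one(path, trusted_uids):
    """Ownership and write-permission problems for one file or directory."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append("owner uid %d is not trusted" % st.st_uid)
    # A sticky directory (like /tmp) does not let other users replace entries.
    sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
    if st.st_mode & stat.S_IWOTH and not sticky_dir:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and not sticky_dir:
        # Reported for review: acceptable only if the group is root-only.
        problems.append("group-writable")
    return problems


def audit(path, trusted_uids=(0,), check_parents=True):
    """Return [(path, problem), ...] for the module file and, optionally,
    every directory above it: a writable parent lets the file be swapped."""
    findings = []
    try:
        real = os.path.realpath(path)       # follow symlinks to the real file
        targets = [real]
        if check_parents:
            current = os.path.dirname(real)
            while True:
                targets.append(current)
                parent = os.path.dirname(current)
                if parent == current:       # reached the filesystem root
                    break
                current = parent
        for target in targets:
            for problem in check_one(target, trusted_uids):
                findings.append((target, problem))
    except OSError as exc:
        findings.append((path, "cannot stat: %s" % exc.strerror))
    return findings


if __name__ == "__main__":
    for entry in absolute_entries(SAMPLE_CONF):
        for where, problem in audit(entry):
            print("%s: %s" % (where, problem))
```
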
Re: [AMaViS-user] error loading optional module
Mark Martinec wrote:
>> Upon further investigation, I found that this still happens here, as well:
>> However, for me, the odd thing is this only happens when "amavisd
>> reload or amavisd stop/start" is executed from within my home directory.
>> If executed anywhere outside of my home directory, no errors are seen.
>> The only other thing I noticed when executing from within my home
>> directory, but again not if executed outside of my home directory, is
>> the following entry in my maillog:
>
> It looks like a problem reported to me by Tuomo Soini on Apr 29 2008:
>
>
> Some notes: pid file creation was changed from 2.5.4 to 2.6.0 so that
> 2.6.0 can't open pid file in /var/run any more, pid file must be in dir
> owned by amavis user.
>
> I could work around this by moving amavisd pid to
> /var/run/amavis/amavisd.pid

This shouldn't apply to my setup since I have:

$pid_file = "$MYHOME/amavisd.pid";

in my amavisd.conf. Thus:

ls -l /var/amavis/
total 52
-rw-r- 1 amavis amavis    0 2008-05-22 11:55 amavisd.lock
-rw-r- 1 amavis amavis    6 2008-05-22 11:54 amavisd.pid
srwxr-x--- 1 amavis amavis    0 2008-05-22 11:54 amavisd.sock
srwxrwxrwx 1 amavis amavis    0 2008-05-21 14:25 clamd.sock
drwxr-x--- 2 amavis amavis 4096 2008-05-22 11:54 db
drwxr-x--- 2 amavis amavis 4096 2007-12-17 19:19 home
-rw-r--r-- 1 amavis amavis   26 2007-12-18 13:14 local_domains
drwxr-xr-x 2 amavis amavis 4096 2008-05-18 05:27 logs
drwxr-x--- 28 amavis amavis 4096 2008-05-22 11:55 tmp
drwxr-x--- 2 amavis amavis 4096 2007-12-17 19:19 var

> I noticed that problem with perl module loading was caused by selinux
> denying access to some paths on filesystem and my_require erroneously
> catching this as permission problem while module was really loading.

This doesn't apply in my setup either, since I have selinux disabled:

sestatus
SELinux status: disabled

> This patch did fix it on my system:

However, with all of that said, this patch did resolve the issue on my system, as well. Thanks!

Bill

Re: [AMaViS-user] error loading optional module
Mark Martinec wrote:
> Max and Bill,
>
>> Upon further investigation, I found that this still happens here, as well:
>> However, for me, the odd thing is this only happens when "amavisd
>> reload or amavisd stop/start" is executed from within my home directory.
>> If executed anywhere outside of my home directory, no errors are seen.
>> The only other thing I noticed when executing from within my home
>> directory, but again not if executed outside of my home directory, is
>> the following entry in my maillog:
>>
>> May 21 14:28:38 mail amavis[2612]: (!)_DIE: "image_info" is not exported
>> by the Image::Info module\n "dim" is not exported by the Image::Info
>> module\nCan't continue after import errors at
>> /etc/mail/spamassassin/ImageCheck.pm line 7\nBEGIN failed--compilation
>> aborted at /etc/mail/spamassassin/ImageCheck.pm line 7.\n
>>
>> However, if I drop back to amavisd-new-2.5.4, the errors and maillog
>> entry go away, no matter where I execute "amavisd reload or amavisd
>> stop/start" from. Thoughts?
>
> Do you happen to have SpamAssassin or some of Perl modules or plugins
> installed/located in your home directory?

Here is what's in my home directory:

ls -l /home/bill/
total 72
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Desktop
drwxr-xr-x 2 bill bill 4096 2008-04-26 19:27 Documents
drwxr-xr-x 44 bill bill 4096 2008-05-20 13:45 Download
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Music
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Pictures
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Public
drwxr-xr-x 2 bill bill 4096 2008-04-12 13:04 Scripts
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Templates
drwxr-xr-x 2 bill bill 4096 2007-12-12 23:22 Videos

Bill

Re: [AMaViS-user] error loading optional module
Max Matslofva wrote:
> Hi
> I have the same problem on a new server running amavisd-new-2.6.0 (from
> ports) on FreeBSD 6.3 and /var/amavis/tmp on 512m ramdisk.
>
> Bill Landry wrote:
>> Mark Martinec wrote:
>>> What happens if you provide a username with an -u option, e.g.:
>>> # amavisd -u vscan reload
> I get "error loading optional module"
>>> vs.
>>> # amavisd stop
>>> # amavisd -u vscan start
> I get "error loading optional module"
>>> Anyway, the 'Permission denied' looks like these perl modules
>>> or one of their parent directories were not accessible as
>>> user vscan/amavis. Please check permissions of .pm files and all
>>> their parent directories. Make sure you do not have two copies
>>> of Perl module trees, or at least that they are consistent.
> [EMAIL PROTECTED] /]# find / -name Fast.pm
> /usr/local/lib/perl5/5.8.8/CGI/Fast.pm
> [EMAIL PROTECTED] /]# su vscan
> [EMAIL PROTECTED] /]# head /usr/local/lib/perl5/5.8.8/CGI/Fast.pm
> package CGI::Fast;
>
> # See the bottom of this file for the POD documentation. Search for the
> # string '=head'.
>
> # You can run this file through either pod2man or pod2html to produce pretty
> # documentation in manual or html file format (these utilities are part of the
> # Perl 5 distribution).
>
> # Copyright 1995,1996, Lincoln D. Stein. All rights reserved.
>
>
>
> But if I stop and start with rc-script from ports I can use "amavisd reload" ?
> [EMAIL PROTECTED] /]# /usr/local/etc/rc.d/amavisd stop
> Stopping amavisd.
> Waiting for PIDS: 16411.
> [EMAIL PROTECTED] /]# /usr/local/etc/rc.d/amavisd start
> Starting amavisd.
> [EMAIL PROTECTED] /]# amavisd reload
> Daemon [16587] terminated by SIGTERM, waiting for dust to settle...
> becoming a new daemon...
> [EMAIL PROTECTED] /]#

Upon further investigation, I found that this still happens here, as well:

uname -a
Linux mail.inetmsg.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686 i386 GNU/Linux

amavisd -V
amavisd-new-2.6.0 (20080423)

spamassassin -V
SpamAssassin version 3.2.4
running on Perl version 5.8.8

However, for me, the odd thing is this only happens when "amavisd reload or amavisd stop/start" is executed from within my home directory. If executed anywhere outside of my home directory, no errors are seen. The only other thing I noticed when executing from within my home directory, but again not if executed outside of my home directory, is the following entry in my maillog:

May 21 14:28:38 mail amavis[2612]: (!)_DIE: "image_info" is not exported by the Image::Info module\n "dim" is not exported by the Image::Info module\nCan't continue after import errors at /etc/mail/spamassassin/ImageCheck.pm line 7\nBEGIN failed--compilation aborted at /etc/mail/spamassassin/ImageCheck.pm line 7.\n

However, if I drop back to amavisd-new-2.5.4, the errors and maillog entry go away, no matter where I execute "amavisd reload or amavisd stop/start" from. Thoughts?

Bill

Re: [AMaViS-user] error loading optional module
Mark Martinec wrote:
> Bill,
>
>> I recently upgraded to amavisd-new-2.6.0 and all appears to be running
>> fine. However, when executing a reload, I am seeing the following
>> errors reported:
>>
>> # amavisd reload
>> Daemon [24965] terminated by SIGTERM, waiting for dust to settle...
>> becoming a new daemon...
>> fetch_modules: error loading optional module IP/Country/Fast.pm:
>>   Requiring lib/IP/Country/Fast.pm, file is inaccessible: Permission denied,
>> fetch_modules: error loading optional module Image/Info.pm:
>>   Requiring lib/Image/Info.pm, file is inaccessible: Permission denied,
>> fetch_modules: error loading optional module Image/Info/GIF.pm:
>>   Requiring lib/Image/Info/GIF.pm, file is inaccessible: Permission denied,
>> fetch_modules: error loading optional module Image/Info/JPEG.pm:
>>   Requiring lib/Image/Info/JPEG.pm, file is inaccessible: Permission denied,
>> [...]
>
>> The paths appear to be incorrect, but I'm not sure how to correct them.
>> The errors are only reported when doing a reload (amavisd reload), and
>> not when starting amavisd (amavisd start).
>
> Strange, the 'amavisd reload' is pretty much equivalent to
> 'amavisd stop' followed by 'amavisd start'. Was there any
> command line option like -R used in one case but not the other?
> Or perhaps one was executed as root and the other as user vscan?

No, both simply executed from su root as:

amavisd stop
amavisd start
amavisd reload

> What happens if you provide a username with an -u option, e.g.:
> # amavisd -u vscan reload
> vs.
> # amavisd stop
> # amavisd -u vscan start

I should have sent out an update, but I re-downloaded the image and reinstalled amavisd and have had no problems or error reports since - possibly a corrupted download?

> Anyway, the 'Permission denied' looks like these perl modules
> or one of their parent directories were not accessible as
> user vscan/amavis. Please check permissions of .pm files and all
> their parent directories. Make sure you do not have two copies
> of Perl module trees, or at least that they are consistent.

No, since all appears to be running fine now. Anyway, thanks for the reply.

Bill
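The check Mark suggests in the message above (permissions of the .pm files and of every parent directory, as seen by the daemon user) can be scripted; this is an added example, not part of the thread and not amavisd-new code. The function names are hypothetical, and it assumes plain Unix mode bits only (no ACLs, no SELinux policy).

```python
import os
import stat
import sys

READ, SEARCH = 4, 1  # bits inside one rwx triplet


def _granted(st, uid, gids, want):
    """True if the mode bits in `st` grant `want` to uid/gids (classic Unix rules)."""
    if uid == 0:
        return True  # root bypasses file-read and directory-search checks
    if st.st_uid == uid:
        triplet = (st.st_mode >> 6) & 7   # owner bits apply, even if they are weaker
    elif st.st_gid in gids:
        triplet = (st.st_mode >> 3) & 7   # group bits
    else:
        triplet = st.st_mode & 7          # "other" bits
    return triplet & want == want


def first_blocked(path, uid, gids, start=os.sep):
    """Walk from `start` down to `path` and return (component, "x" or "r") for the
    first directory lacking search permission or final file lacking read
    permission, or None if uid/gids can reach and read it.

    A relative `path` (like the 'lib/...' names in the error output) is resolved
    against the current working directory, so that directory's own parents are
    part of the walk.  ACLs and SELinux are NOT evaluated (assumption)."""
    full = os.path.abspath(path)
    start = os.path.abspath(start)
    rel = os.path.relpath(full, start)
    names = [] if rel == os.curdir else rel.split(os.sep)
    current = start
    for i in range(len(names) + 1):
        if i:
            current = os.path.join(current, names[i - 1])
        st = os.stat(current)
        last = i == len(names)
        want = READ if last and not stat.S_ISDIR(st.st_mode) else SEARCH
        if not _granted(st, uid, gids, want):
            return current, "r" if want == READ else "x"
    return None


def ids_for(user):
    """uid and full group set of a local account, e.g. 'vscan' or 'amavis'."""
    import grp
    import pwd
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: check_modules.py USER MODULE.pm [MODULE.pm ...]")
    else:
        uid, gids = ids_for(sys.argv[1])
        for p in sys.argv[2:]:
            hit = first_blocked(p, uid, gids)
            print(p, "->", "ok" if hit is None else "blocked at %s (needs %s)" % hit)
```

Because it reads mode bits instead of calling access(), it gives the daemon user's view even when run from a root shell.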
[AMaViS-user] error loading optional module
I recently upgraded to amavisd-new-2.6.0 and all appears to be running fine. However, when executing a reload, I am seeing the following errors reported:

# amavisd reload
Daemon [24965] terminated by SIGTERM, waiting for dust to settle...
becoming a new daemon...
fetch_modules: error loading optional module IP/Country/Fast.pm:
  Requiring lib/IP/Country/Fast.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info.pm:
  Requiring lib/Image/Info.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/GIF.pm:
  Requiring lib/Image/Info/GIF.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/JPEG.pm:
  Requiring lib/Image/Info/JPEG.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/PNG.pm:
  Requiring lib/Image/Info/PNG.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Image/Info/TIFF.pm:
  Requiring lib/Image/Info/TIFF.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF.pm:
  Requiring lib/Mail/SPF.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Server.pm:
  Requiring lib/Mail/SPF/Server.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Request.pm:
  Requiring lib/Mail/SPF/Request.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech.pm:
  Requiring lib/Mail/SPF/Mech.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/A.pm:
  Requiring lib/Mail/SPF/Mech/A.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/PTR.pm:
  Requiring lib/Mail/SPF/Mech/PTR.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/All.pm:
  Requiring lib/Mail/SPF/Mech/All.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/Exists.pm:
  Requiring lib/Mail/SPF/Mech/Exists.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/IP4.pm:
  Requiring lib/Mail/SPF/Mech/IP4.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/IP6.pm:
  Requiring lib/Mail/SPF/Mech/IP6.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/Include.pm:
  Requiring lib/Mail/SPF/Mech/Include.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mech/MX.pm:
  Requiring lib/Mail/SPF/Mech/MX.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod.pm:
  Requiring lib/Mail/SPF/Mod.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod/Exp.pm:
  Requiring lib/Mail/SPF/Mod/Exp.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Mod/Redirect.pm:
  Requiring lib/Mail/SPF/Mod/Redirect.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/SenderIPAddrMech.pm:
  Requiring lib/Mail/SPF/SenderIPAddrMech.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/v1/Record.pm:
  Requiring lib/Mail/SPF/v1/Record.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/v2/Record.pm:
  Requiring lib/Mail/SPF/v2/Record.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module NetAddr/IP.pm:
  Requiring lib/NetAddr/IP.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module NetAddr/IP/Util.pm:
  Requiring lib/NetAddr/IP/Util.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/NetAddr/IP/Util/inet_n2dx.al:
  Requiring lib/auto/NetAddr/IP/Util/inet_n2dx.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/NetAddr/IP/Util/ipv6_n2d.al:
  Requiring lib/auto/NetAddr/IP/Util/ipv6_n2d.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module Mail/SPF/Query.pm:
  Requiring lib/Mail/SPF/Query.pm, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/Crypt/OpenSSL/RSA/new_public_key.al:
  Requiring lib/auto/Crypt/OpenSSL/RSA/new_public_key.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/Crypt/OpenSSL/RSA/new_key_from_parameters.al:
  Requiring lib/auto/Crypt/OpenSSL/RSA/new_key_from_parameters.al, file is inaccessible: Permission denied,
fetch_modules: error loading optional module auto/Crypt/OpenSSL/RSA/
Re: [AMaViS-user] Mime decode failed - can't find object seek
Bill Measday wrote the following on 11/18/2007 11:56 PM -0800:
> After a number of issues I had with my previous install (problems I'd
> attributed to installing some perl modules from CPAN - may or may not
> have been the case), I undertook a clean install of CentOS 5, Postfix,
> Amavisd-new, clamav, etc.
>
> Initially I tried the installation of the 64 bit version, but reverted
> to 32 bit when I thought my problem may improve. It didn't. I have
> also tried the same setup afresh on a virtual machine under CentOS 5 on
> another box. Same problem.
>
> The error I get is (generated by Amavisd):
>
> Nov 19 17:33:22 virtual1 postfix/smtp[7470]: B9CB5AED0B:
> to=<[EMAIL PROTECTED]>, relay=localhost[127.0.0.1]:10024, delay=0.09,
> delays=0.02/0.01/0.01/0.05, dsn=4.5.0, status=deferred (host
> localhost[127.0.0.1] said: 451 4.5.0 Error in processing, id=07464-01,
> mime_decode-1 FAILED: Can't locate object method "seek" via package
> "File::Temp" at /usr/lib/perl5/vendor_perl/5.8.8/MIME/Parser.pm line
> 816, line 33. (in reply to end of DATA command))
>
> I have searched the net as extensively as I can, but cannot see anything
> directly related. As far as I can tell, all my permissions, etc are
> correct. I installed Amavis and related dependencies using Dag Wieers
> repository. Amavis was running fine until a week or so ago
> (unfortunately I can't revert).
>
> Has anyone seen anything like this?
>

Looks to me like you're missing the File::Temp perl module. Try installing it via cpan and see if that resolved the issue for you.

Bill
Re: [AMaViS-user] ot: clamd monitor/restarter
Voytek Eymont wrote the following on 11/8/2007 6:43 PM -0800:
> On Fri, November 9, 2007 12:05 am, Bill Landry wrote:
>
>
>> Are you testing third-party signature files before moving them into
>> production? There are several scripts available for downloading, testing,
>> and utilizing third-party signatures (see www.sanesecurity.com). My
>> script can also be set to report the status of clamd and attempt to
>> restart it if not running.
>>
>
> Bill,
>
> with your script, do I just run it from cron say 4 times a day?
> does it log what's it done ?
>
> ooops, I'm trying to compare what your script does vs what I've installed
> last week, and, guess what the 1st 2 lines of my current script says:
>
> 'a modified version of a script by Bill Landry'
>
> so perhaps I'm already using your script... just didn't know it till now...
>
>

Voytek, I run the script via cron on an hourly basis. The signature files are only downloaded if an updated file is detected. While other scripts are based on one of my original scripts, they are heavily modified. As far as I know, my script is the only one that checks and reports on the status of clamd and will attempt to restart the daemon, if enabled.

I have not built logging into the script (although I have thought about it), but if you enable cron to email you the script results, then you will get a detailed report of what happened with each cron run.

Anyway, your current script probably already does signature file testing, so that's most likely not the issue with clamd stopping periodically. Do you possibly have PhishingScanURLs enabled in your clamd.conf? Others have reported issues with this option.

Bill
Re: [AMaViS-user] ot: clamd monitor/restarter
Voytek Eymont wrote:
> whilst in the past clamd has proven extremely reliable, in the last few
> weeks I had clamd die maybe on 3 occasions for some reason (perhaps
> related to the additional third party signature downloads getting
> corrupted?);
>
> so I was thinking of some sort of daemon monitor, if it dies to restart
> it, any suggestions ?

Are you testing third-party signature files before moving them into production? There are several scripts available for downloading, testing, and utilizing third-party signatures (see www.sanesecurity.com). My script can also be set to report the status of clamd and attempt to restart it if not running.

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
Mark Martinec wrote:
> Bill,
>
>> Mark, are there any changes beyond what I am currently running that you
>> would like me to test? If so, let me know and I would be happy to test.
>> Otherwise, everything appears to be running great here with the latest
>> patch and subroutine change you made and I applied a few days ago.
>
> The new patch contains one more compatibility fix directly related
> to third-party plugins such as the URIWhois which you are using.
> Please do try with the latest patch, even though it appears to be
> working fine at your installation. Also, it offers an additional
> parameter (timeout_min) that can be used by such plugins, and I
> believe the next version of URIWhois will take advantage of it.

I did a fresh build and install of SA 3.2.3 with the new patch and ran a few tests. So far everything looks good, but I'll keep an eye on things and let you know if I see anything unusual.

Bill
Re: [AMaViS-user] Antivirus programs?
Clifton Royston wrote the following on 10/10/2007 5:20 PM -0800:
> On Wed, Oct 10, 2007 at 05:07:52PM -0400, Adam65535 wrote:
>
>> On 10/10/07, Rob MacGregor <[EMAIL PROTECTED]> wrote:
>>
>>> I've never yet seen clamd take anything close to that on emails. I
>>> have to add SpamAssassin to the process to get anything close to that
>>> kind of delay.
>>>
>>> As a quick test, I ran clamdscan against sample-nonspam.txt (that came
>>> with SpamAssassin some time back) and it took 0.015s.
>>>
>>> Now, clamscan, that took 2.6s for the same scan (f-prot took 0.3s,
>>> bitdefender a mind blowing 6.3).
>>>
>>>
>> Well the timings I did locally on that simple email confirm what everyone
>> else has been stating. Uvscan is slower than clamd. Either I have been
>> transposing these two timings all this time or one of the clamav/clamd
>> updates improved things. Going by everyone's comments it sure seems like I
>> have been transposing these numbers :/.
>>
>
> It might be something of both; there was also one of the clamav updates
> in the past year which speeded daemon mode up tremendously, IME.
>
> -- Clifton
>
>

I thought the update had to do with how long it took clamd to load its signature file upon startup. I haven't seen any changes in clamd scan times once the signature files are initially loaded.

Bill
Re: [AMaViS-user] Antivirus programs?
Adam65535 wrote:
> On 10/10/07, Bill Landry <[EMAIL PROTECTED]> wrote:
>
>> Adam65535 wrote:
>>> On 10/9/07, Pelletier, Robert <[EMAIL PROTECTED]> wrote:
>>>> I'm using ClamAV. It's a perfect match with Amavis, it's fast and gets
>>>> high in the reviews.
>>>>
>>>
>>> In my experiences clamav/clamd is much slower than other mail scanners (even
>>> when up against command line scanners like uvscan). It is still a very
>>> useful virus scanner but not fast by any means. For an example... the
>>> command line scanner uvscan takes .15 seconds while clamav takes 2.6 seconds
>>> for the same email. This trend is throughout the logs.
>>
>> Those figures certainly don't match my results. I ran clamd and uvscan for
>> quite some time (at least two years) until our volume became too great, and then
>> had to do away with uvscan because it was way too slow. For the most part,
>> clamd timings were always sub-second, while uvscan was always in the multiple
>> second range, even as high as 17 seconds on some scans.
>>
>> I would suggest that you are using clamscan rather than clamd if you are
>> seeing the results you are reporting above.
>
>
> I disabled clamscan with amavis because the timings for that are much
> worse than clamd so I don't want that as a backup scanner. I am 110%
> sure I am using clamd. I have been running amavisd-new with uvscan and
> clamd on a few servers with the same results in timings. Pretty weird
> that you are seeing different results. Uvscan has always been quicker
> for me with 4.x and the 5.x versions of uvscan than clamd by far.
>

Just for reference purposes, I still have uvscan running on an old single proc P350 running RedHat 9. Here are some timing comparisons between uvscan (Scan engine v5.1.00 for Linux) and clamdscan (ClamAV 0.91.2):

time /usr/local/bin/uvscan --secure -rv --mime --mailbox --noboot test.eml

real 0m6.371s
user 0m5.840s
sys 0m0.528s
===
time /usr/local/bin/clamscan --stdout --detect-broken --block-max --mail-follow-urls --max-recursion=15 --unzip=/usr/bin/unzip --unrar=/usr/local/bin/unrar --arj=/usr/bin/arj --unzoo=/usr/bin/unzoo --lha=/usr/bin/lha --jar=/usr/bin/unzip --tar=/bin/tar --tgz=/bin/tar -r test.eml

real 0m12.790s
user 0m11.437s
sys 0m0.480s
===
time /usr/local/bin/clamdscan test.eml

real 0m0.388s
user 0m0.004s
sys 0m0.008s

Of all of the virus scanners I've personally tested with amavisd-new (ClamAV, BitDefender, UVScan, Sophos, TrendMicro, Avast, AntiVir, Panda, AVG, and F-Prot), F-Prot is by far the fastest command-line scanner of the bunch. It is almost as fast as some of the other scanners when running in daemon mode.

time /usr/local/bin/f-prot -ai -archive=5 -dumb -noboot -nobreak -nomem -follow -packed -server test.eml

real 0m2.888s
user 0m2.489s
sys 0m0.395s

Anyway, just my unsolicited 2 cents...

Bill
Re: [AMaViS-user] Antivirus programs?
Adam65535 wrote:
> On 10/9/07, Pelletier, Robert <[EMAIL PROTECTED]> wrote:
>> I'm using ClamAV. It's a perfect match with Amavis, it's fast and gets
>> high in the reviews.
>>
>
> In my experiences clamav/clamd is much slower than other mail scanners (even
> when up against command line scanners like uvscan). It is still a very
> useful virus scanner but not fast by any means. For an example... the
> command line scanner uvscan takes .15 seconds while clamav takes 2.6 seconds
> for the same email. This trend is throughout the logs.

Those figures certainly don't match my results. I ran clamd and uvscan for quite some time (at least two years) until our volume became too great, and then had to do away with uvscan because it was way too slow. For the most part, clamd timings were always sub-second, while uvscan was always in the multiple second range, even as high as 17 seconds on some scans.

I would suggest that you are using clamscan rather than clamd if you are seeing the results you are reporting above.

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
Mark Martinec wrote:
> Bill, (and anybody else using SpamAssassin 3.2.3),
>
>>> This should provide backwards compatibility for third-party plugins
>>> which were not adapted by my patch in 5589.
>> I applied the subroutine above to AsyncLoop.pm after applying a clean
>> patch and all looks great now.
>
> I prepared a new version of the async timeout handlings patch
> for SpamAssassin 3.2.3, to include the more recent feedback
> and findings on compatibility. The issue is described at:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589
>
> I would appreciate if anyone is willing to give it a try.
> The patch is attached to that bug report. It is supposed to be
> fully compatible with existing 3.2.3 and plugins. An instant
> reward is reduced wait times for responses from DNS/RBL/URIBL
> servers, especially for slowly responding or unreliable ones.
> Having a module Time::HiRes installed is highly beneficial,
> although it should work in principle even without it.
>
> Mark

Mark, are there any changes beyond what I am currently running that you would like me to test? If so, let me know and I would be happy to test. Otherwise, everything appears to be running great here with the latest patch and subroutine change you made and I applied a few days ago.

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
Mark Martinec wrote the following on 10/7/2007 7:02 PM -0800:
> Bill,
>
>
>> Mark, I had also applied the jumbo patch, as well. However, I noticed
>> that there were additional changes to AsyncLoop.pm in the jumbo patch
>> found at http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589, so
>> I applied this patch and now when doing "spamassassin --lint" or when
>> starting or stopping amavisd, I see:
>>
>> Subroutine log_lookups_timing redefined at
>> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 224.
>>
>
> The second patch is a SUBSTITUTE for the first one, so you must
> not apply it ON TOP of the first one, but on a virgin SpamAssassin
> (or just do a patch -R on the first one to undo it, before applying
> the second).
>

I tried several things to get the AsyncLoop patch to install cleanly, but without success. I finally had to revert back to the AsyncLoop.pm from SA 3.2.2 in order to get the patch to install with issues.

> Please try with the following replacement subroutine (after first applying
> the patch), in module AsyncLoop.pm:
>
> sub set_response_packet {
>   my ($self, $id, $pkt, $key, $timestamp) = @_;
>   $self->{finished}->{$id} = 1;  # only key existence matters, any value
>   $timestamp = time if !defined $timestamp;
>   my $pending = $self->{pending_lookups};
>   if (!defined $key) {  # backwards compatibility with 3.2.3 and older plugins
>     # a third-party plugin did not provide $key in a call, search for it:
>     for my $tkey (keys %$pending) {
>       if ($id eq $pending->{$tkey}->{id}) { $key = $tkey; last }
>     }
>     dbg("async: searching for lookup with id $id, found $key");
>   }
>   if (!defined $key) {
>     info("async: no key, response packet not remembered, id $id");
>   } else {
>     my $ent = $pending->{$key};
>     if ($id ne $ent->{id}) {
>       info("async: ignoring response, mismatched id $id, $ent->{id}");
>     } else {
>       $ent->{finish_time} = $timestamp;
>       $ent->{response_packet} = $pkt;
>     }
>   }
>   1;
> }
>
>
> This should provide backwards compatibility for third-party plugins
> which were not adapted by my patch in 5589.
>

I applied the subroutine above to AsyncLoop.pm after applying a clean patch and all looks great now. I posted the output from "amavisd debug-sa" to:

http://www.inetmsg.com/debug-sa3.txt

if you want to take a look. Anyway, no more panics or async aborts, and all DNS tests return without issue.

Thanks again, Mark, for your help in resolving this!

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
Bill Landry wrote the following on 10/7/2007 9:31 AM -0800:
> Mark Martinec wrote the following on 10/7/2007 5:53 AM -0800
>
>>> [9016] dbg: asn: asn.routeviews.org.: lookup result packet:
>>> '14.198.114.38.asn.routeviews.org. 356 IN TXT "40156" "38.114.198.0" "24"'
>>> Use of uninitialized value in hash element
>>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>>> 363, line 168. Use of uninitialized value in string eq
>>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>>> 364, line 168. Use of uninitialized value in concatenation (.) or
>>> string
>>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>>> 364, line 168. [9016] dbg: async: caught complete_lookups death,
>>> aborting:
>>> set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN,
>>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>>> 364, line 168.
>>>
>>>
>> Interesting, I'll take a look. Which version of Net::DNS ?
>> You seem to be using my patch to AsyncLoop, is it the first
>> version or the second? (attached on the SA problem report ticket).
>>
>>
> Mark, I am running Net::DNS 0.61. The two patches I used were dated:
>
> --- Dns.pm~ Fri Jun 8 14:55:30 2007
> +++ Dns.pm Tue Jun 12 17:01:08 2007
>
> and
>
> --- Dns.pm~ Fri Jun 15 02:23:23 2007
> +++ Dns.pm Fri Jun 15 02:26:29 2007
>
> Let me know if you need anything else.
>

Mark, I had also applied the jumbo patch, as well. However, I noticed that there were additional changes to AsyncLoop.pm in the jumbo patch found at http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589, so I applied this patch and now when doing "spamassassin --lint" or when starting or stopping amavisd, I see:

Subroutine log_lookups_timing redefined at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 224.

This is new, so I re-ran "amavisd debug-sa" and ran the suspect message through again - the output can be found at:

http://www.inetmsg.com/debug-sa2.txt

It looks pretty much the same to me, but may provide you with more info.

Thanks again for looking into this!

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
Mark Martinec wrote the following on 10/7/2007 5:53 AM -0800
>> [9016] dbg: asn: asn.routeviews.org.: lookup result packet:
>> '14.198.114.38.asn.routeviews.org. 356 IN TXT "40156" "38.114.198.0" "24"'
>> Use of uninitialized value in hash element
>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>> 363, line 168. Use of uninitialized value in string eq
>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>> 364, line 168. Use of uninitialized value in concatenation (.) or
>> string
>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>> 364, line 168. [9016] dbg: async: caught complete_lookups death,
>> aborting:
>> set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN,
>> at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line
>> 364, line 168.
>>
>
> Interesting, I'll take a look. Which version of Net::DNS ?
> You seem to be using my patch to AsyncLoop, is it the first
> version or the second? (attached on the SA problem report ticket).
>

Mark, I am running Net::DNS 0.61. The two patches I used were dated:

--- Dns.pm~ Fri Jun 8 14:55:30 2007
+++ Dns.pm Tue Jun 12 17:01:08 2007

and

--- Dns.pm~ Fri Jun 15 02:23:23 2007
+++ Dns.pm Fri Jun 15 02:26:29 2007

Let me know if you need anything else.

Thanks!

Bill
Re: [AMaViS-user] aborting after x.xxx s, shrunk deadline
I also just noticed that these types of messages when run through the normal e-mail delivery process are showing several PANIC situations stemming from AsyncLoop.pm:

[9016] dbg: async: caught complete_lookups death, aborting: set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364, line 168.
spf: lookup failed: set_response_packet: PANIC - mismatched id 61972/amberoz.com/SOA/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
spf: lookup failed: set_response_packet: PANIC - mismatched id 37014/zynoxin.com/SOA/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting: set_response_packet: PANIC - mismatched id 7887/leucatin.com/SOA/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting: set_response_packet: PANIC - mismatched id 62883/sumactin.com/SOA/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.
[9016] dbg: async: caught complete_lookups death, aborting: set_response_packet: PANIC - mismatched id 50907/ovulex.com/SOA/IN, at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm line 364.

Bill

Bill Landry wrote the following on 10/6/2007 9:33 AM -0800:
> I am running:
>
> amavisd -V
> amavisd-new-2.5.2 (20070627)
> ---
> spamassassin -V
> SpamAssassin version 3.2.3
> running on Perl version 5.8.8
>
> I've been trying to figure out why some messages are failing DNS based
> tests during normal e-mail delivery processing. With
> amavisd running in "debug-sa" mode, I am seeing things like the following:
>
> [9016] dbg: async: aborting after 2.463 s, shrunk deadline: URI-DNSBL,
> DNSBL:multi.uribl.com.:zynoxin.com
> [9016] dbg: async: aborting after 2.397 s, shrunk deadline: URI-DNSBL,
> DNSBL:bl.open-whois.org.:cabbagesoupdietpill.com
> [9016] dbg: async: aborting after 2.408 s, shrunk deadline: URI-NS,
> NS:zymelite.com
> [9016] dbg: async: aborting after 2.404 s, shrunk deadline: URI-DNSBL,
> DNSBL:multi.surbl.org.:chongsoolongtea.com
> [9016] dbg: async: aborting after 2.442 s, shrunk deadline: URI-DNSBL,
> DNSBL:dob.sibl.support-intelligence.net:sumactin.com
> [9016] dbg: async: aborting after 2.291 s, shrunk deadline: DNSBL-A,
> dns:A:14.198.114.38.sbl.csma.biz.
> [9016] dbg: async: aborting after 2.470 s, shrunk deadline: URI-DNSBL,
> DNSBL:bl.open-whois.org.:amberoz.com
> [9016] dbg: async: aborting after 2.460 s, shrunk deadline: URI-DNSBL,
> DNSBL:my.black.list.:zynoxin.com
> [...]
> [9016] dbg: async: aborted 174 remaining lookups
>
> However, I don't see these issues when running the same message through
> "spamassassin -t" or even "su amavis -c 'spamassassin -t -D <
> test.eml'". I have posted the output of the following commands for review:
>
> Regular e-mail delivery with: amavisd debug-sa:
> http://www.inetmsg.com/debug-sa.txt
>
> su amavis -c 'spamassassin -t -D < test.eml'
> http://www.inetmsg.com/su-amavis.txt
>
> spamassassin -t -D < test.eml:
> http://www.inetmsg.com/spamassassin.txt
>
> If anyone has any thoughts about why DNS based tests happen to fail on
> these types of message when running through normal e-mail processing,
> but not when run in test mode, I would appreciate the feedback.
>
> Regards,
>
> Bill
>
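The debug-sa output quoted in this message can be summarized to see which lookup types and DNSBL zones were cut off and how tightly the abort times cluster. This is an added example, not part of the thread and not SpamAssassin or amavisd-new code; `summarize` and the regular expressions are assumptions derived from the log lines shown here, and the sample lines are copied from the messages above.

```python
import re
from collections import Counter

# Patterns derived from the debug lines quoted in this thread (assumption:
# other SpamAssassin versions may word these messages differently).
ABORT_RE = re.compile(
    r"async: aborting after (?P<secs>\d+(?:\.\d+)?) s, shrunk deadline: "
    r"(?P<type>[^,\s]+), (?P<key>\S+)")
REMAINING_RE = re.compile(r"async: aborted (?P<n>\d+) remaining lookups")
PANIC_RE = re.compile(
    r"PANIC - mismatched id (?P<id>\d+)/(?P<name>[^/\s]+)/(?P<rtype>[A-Z0-9]+)/IN")

ASYNCLOOP = "/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/AsyncLoop.pm"
SAMPLE = """\
[9016] dbg: async: aborting after 2.463 s, shrunk deadline: URI-DNSBL, DNSBL:multi.uribl.com.:zynoxin.com
[9016] dbg: async: aborting after 2.397 s, shrunk deadline: URI-DNSBL, DNSBL:bl.open-whois.org.:cabbagesoupdietpill.com
[9016] dbg: async: aborting after 2.408 s, shrunk deadline: URI-NS, NS:zymelite.com
[9016] dbg: async: aborting after 2.404 s, shrunk deadline: URI-DNSBL, DNSBL:multi.surbl.org.:chongsoolongtea.com
[9016] dbg: async: aborting after 2.442 s, shrunk deadline: URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:sumactin.com
[9016] dbg: async: aborting after 2.291 s, shrunk deadline: DNSBL-A, dns:A:14.198.114.38.sbl.csma.biz.
[9016] dbg: async: aborting after 2.470 s, shrunk deadline: URI-DNSBL, DNSBL:bl.open-whois.org.:amberoz.com
[9016] dbg: async: aborting after 2.460 s, shrunk deadline: URI-DNSBL, DNSBL:my.black.list.:zynoxin.com
[9016] dbg: async: aborted 174 remaining lookups
[9016] dbg: async: caught complete_lookups death, aborting: set_response_packet: PANIC - mismatched id 13162/whois.iana.org/A/IN, at %s line 364, line 168.
spf: lookup failed: set_response_packet: PANIC - mismatched id 61972/amberoz.com/SOA/IN, at %s line 364.
""" % (ASYNCLOOP, ASYNCLOOP)


def summarize(text):
    """Aggregate aborted async lookups and mismatched-id panics from debug output.

    Patterns are searched over the whole text, not line by line, so a log that a
    mail client re-wrapped in the middle of an entry is still matched as long as
    the matched phrase itself is unbroken."""
    by_type, by_zone, elapsed = Counter(), Counter(), []
    for m in ABORT_RE.finditer(text):
        by_type[m.group("type")] += 1
        elapsed.append(float(m.group("secs")))
        key = m.group("key")
        if key.startswith("DNSBL:"):
            # URI-DNSBL keys look like DNSBL:<zone>:<domain>; "dns:A:..." and
            # "NS:..." keys carry no separate zone field and are left out here.
            by_zone[key.split(":", 2)[1].rstrip(".")] += 1
    remaining = sum(int(m.group("n")) for m in REMAINING_RE.finditer(text))
    panics = [(int(m.group("id")), m.group("name"), m.group("rtype"))
              for m in PANIC_RE.finditer(text)]
    return {
        "aborted": len(elapsed),
        "by_type": dict(by_type),
        "by_zone": dict(by_zone),
        "elapsed_range": (min(elapsed), max(elapsed)) if elapsed else None,
        "remaining": remaining,
        "panics": panics,
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print("%-14s %s" % (field, value))
```

On these lines the aborts are spread over five zones and all fall between 2.291 s and 2.470 s.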
[AMaViS-user] aborting after x.xxx s, shrunk deadline
I am running:

amavisd -V
amavisd-new-2.5.2 (20070627)
---
spamassassin -V
SpamAssassin version 3.2.3
  running on Perl version 5.8.8

I've been trying to figure out why some messages are failing DNS based tests during normal e-mail delivery processing. With amavisd running in "debug-sa" mode, I am seeing things like the following:

[9016] dbg: async: aborting after 2.463 s, shrunk deadline: URI-DNSBL, DNSBL:multi.uribl.com.:zynoxin.com
[9016] dbg: async: aborting after 2.397 s, shrunk deadline: URI-DNSBL, DNSBL:bl.open-whois.org.:cabbagesoupdietpill.com
[9016] dbg: async: aborting after 2.408 s, shrunk deadline: URI-NS, NS:zymelite.com
[9016] dbg: async: aborting after 2.404 s, shrunk deadline: URI-DNSBL, DNSBL:multi.surbl.org.:chongsoolongtea.com
[9016] dbg: async: aborting after 2.442 s, shrunk deadline: URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:sumactin.com
[9016] dbg: async: aborting after 2.291 s, shrunk deadline: DNSBL-A, dns:A:14.198.114.38.sbl.csma.biz.
[9016] dbg: async: aborting after 2.470 s, shrunk deadline: URI-DNSBL, DNSBL:bl.open-whois.org.:amberoz.com
[9016] dbg: async: aborting after 2.460 s, shrunk deadline: URI-DNSBL, DNSBL:my.black.list.:zynoxin.com
[...]
[9016] dbg: async: aborted 174 remaining lookups

However, I don't see these issues when running the same message through "spamassassin -t" or even "su amavis -c 'spamassassin -t -D < test.eml'". I have posted the output of the following commands for review:

Regular e-mail delivery with: amavisd debug-sa:
http://www.inetmsg.com/debug-sa.txt

su amavis -c 'spamassassin -t -D < test.eml'
http://www.inetmsg.com/su-amavis.txt

spamassassin -t -D < test.eml:
http://www.inetmsg.com/spamassassin.txt

If anyone has any thoughts about why DNS based tests happen to fail on these types of message when running through normal e-mail processing, but not when run in test mode, I would appreciate the feedback.

Regards,

Bill
Re: [AMaViS-user] Keep going if AV Scanner fails?
Adam Gibson wrote:
> Bill Landry wrote:
>> Adam Gibson wrote:
>>> Gary V wrote:
>>>> (have not tried it though). Make sure your update script is a recent
>>>> one that tests the downloads before employing them and consider
>>> This is one of the most important steps IMHO. I would make sure the
>>> script tests the dat files before copying them into place. The scripts
>>> that I have used over the years tests the dat files with the eicar virus
>>> test pattern to make sure they work before copying them into place.
>> This issue here is not whether the virus signature files work or not, it's
>> whether one of them is corrupted or not. A corrupted signature file will
>> cause clamd to silently crash and no longer be available for message
>> scanning. The test that needs to be done on ClamAV signature files:
>>
>> clamscan --quiet -d /path/to/sigfile
>>
>> will detect corrupted signature files, and thus can prevent them from being
>> moved into the production directory. Most, if not all, of the download
>> scripts available on the SaneSecurity site
>> (http://www.sanesecurity.com/clamav/usage.htm) enable this testing prior to
>> usage.
>>
>> Bill
>
> I think we are saying the same thing. By checking to make sure it
> detects eicar before copying the dat files over it also makes sure the
> dat files are not corrupt. The dat files are initially downloaded to a
> temporary staging area which does not impact the running clamd. Only
> after testing the dat files to see if they properly detect the eicar
> test virus do they get copied into the default clam dat signature
> database directory. This solves both problems at the same time.

Sounds like a lot of needless extra effort versus the sanctioned and ClamAV developed and supported way of testing signature files for corruption.

Bill
Re: [AMaViS-user] Keep going if AV Scanner fails?
Adam Gibson wrote:
> Gary V wrote:
>> (have not tried it though). Make sure your update script is a recent
>> one that tests the downloads before employing them and consider
>
> This is one of the most important steps IMHO. I would make sure the
> script tests the dat files before copying them into place. The scripts
> that I have used over the years tests the dat files with the eicar virus
> test pattern to make sure they work before copying them into place.

This issue here is not whether the virus signature files work or not, it's whether one of them is corrupted or not. A corrupted signature file will cause clamd to silently crash and no longer be available for message scanning. The test that needs to be done on ClamAV signature files:

   clamscan --quiet -d /path/to/sigfile

will detect corrupted signature files, and thus can prevent them from being moved into the production directory. Most, if not all, of the download scripts available on the SaneSecurity site (http://www.sanesecurity.com/clamav/usage.htm) enable this testing prior to usage.

Bill
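The staging-then-promotion flow discussed in the two messages above, as an added sketch (not code from the thread or from the SaneSecurity scripts). It runs the quoted `clamscan --quiet -d` check on each staged file and only then swaps it into production; the staging path and the choice to scan an empty scratch file are assumptions.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def clamscan_loads(sigfile):
    """True if clamscan can load `sigfile` as its only signature database.

    Runs the check quoted in the thread, `clamscan --quiet -d <sigfile>`,
    against an empty scratch file (an assumption of this sketch) so that a
    detection can never be the reason for a non-zero exit status.
    """
    with tempfile.NamedTemporaryFile() as scratch:
        try:
            result = subprocess.run(
                ["clamscan", "--quiet", "-d", str(sigfile), scratch.name],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
                timeout=300,
            )
        except (OSError, subprocess.TimeoutExpired):
            return False  # fail closed: no verdict means no promotion
    return result.returncode == 0


def promote_signatures(staging, production, check=clamscan_loads):
    """Move every staged file that passes `check` into `production`.

    Returns (promoted, rejected) as sorted lists of file names. A rejected
    file stays in staging, and any copy of it already in production is left
    untouched, so clamd keeps running on the last version that loaded.
    """
    staging, production = Path(staging), Path(production)
    production.mkdir(parents=True, exist_ok=True)
    promoted, rejected = [], []
    for candidate in sorted(p for p in staging.iterdir() if p.is_file()):
        if not check(candidate):
            rejected.append(candidate.name)
            continue
        # Copy under a temporary name, then rename: os.replace() is atomic
        # within one filesystem, so the final name never holds a partial file.
        partial = production / ("." + candidate.name + ".partial")
        shutil.copy2(candidate, partial)
        os.replace(partial, production / candidate.name)
        candidate.unlink()
        promoted.append(candidate.name)
    return promoted, rejected


if __name__ == "__main__":
    # Hypothetical staging path; /var/lib/clamav is the database directory
    # that appears in the log excerpt elsewhere on this page.
    ok, bad = promote_signatures("/var/tmp/clamav-staging", "/var/lib/clamav")
    print("promoted:", ok)
    print("rejected:", bad)
```
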
Re: [AMaViS-user] Modified scoring of ClamAV spam hits
John Beaver wrote the following on 8/2/2007 4:02 PM -0800:
> Mark Martinec wrote:
>
>> John,
>>
>>
>>>> I'm still getting a few ZIPs, PDF, etc. getting through. I just noticed
>>>> this scoring in one of the headers. Note the score for the
>>>> sanesecurity=0.1:
>>>>
>>>> Res, score=5.819 tagged_above=2 required=4
>>>> tests=[AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf=0.1, BAYES_99=3.5,
>>>> DKIM_POLICY_SIGNSOME=0, TVD_SPACE_RATIO=2.219]
>>>>
>>>> I am using amavisd-new with clamav 91.1. Where can I adjust this
>>>> scoring?
>>>>
>> Bill Landry writes:
>>
>>> That depends on whether you are using a spamassassin .cf file for scoring
>>> the header entries or if you're scoring them in amavisd.conf. I would guess
>>> amavisd.conf since you would probably know if you set up a .cf file for
>>> scoring these.
>>>
>>> In amavisd.conf, look for the section starting with:
>>> @virus_name_to_spam_score_maps =
>>> You can then adjust the individual SaneSecurity and/or MSRBL scores there.
>>>
>> Right. Or better yet, add rules to a SpamAssassin config file (e.g.
>> local.cf), as suggested in release notes. This is also a reason why
>> scores assigned by amavisd itself are near-zero.
>>
>>
>
> Figures, I missed reading the release notes...
>
> I am using amavisd-new to call SA, so is SA called AFTER clamav (using
> SA local.cf)? Just making sure which method will work best.
>
> john

Virus scanning is always done before spam filtering, otherwise there would be no SaneSecurity or MSRBL headers for SA to trigger on.

Bill
Re: [AMaViS-user] Modified scoring of ClamAV spam hits
John Beaver wrote:
> I'm still getting a few ZIPs, PDF, etc. getting through. I just noticed
> this scoring in one of the headers. Note the score for the
> sanesecurity=0.1:
>
> Res, score=5.819 tagged_above=2 required=4
> tests=[AV:Email.Stk.Gen592.Sanesecurity.07071801.pdf=0.1, BAYES_99=3.5,
> DKIM_POLICY_SIGNSOME=0, TVD_SPACE_RATIO=2.219]
>
>
> I am using amavisd-new with clamav 91.1. Where can I adjust this scoring?
>
> john beaver

That depends on whether you are using a spamassassin .cf file for scoring the header entries or if you're scoring them in amavisd.conf. I would guess amavisd.conf since you would probably know if you set up a .cf file for scoring these.

In amavisd.conf, look for the section starting with:

   @virus_name_to_spam_score_maps =

You can then adjust the individual SaneSecurity and/or MSRBL scores there.

Bill
Re: [AMaViS-user] amavis stopped to work, help!
Andres wrote:
> I have made no changes at all, and today amavis stopped to work, so my
> mail server (Postfix) is not delivering email, this is the log file:
>
> ul 23 10:50:03 pc009 amavis[11600]: (11600-01) ClamAV-clamscan
> av-scanner FAILED: /usr/bin/clamscan unexpected exit 50,
> output="LibClamAV Error: Can't load /var/lib/clamav//main.cvd: MD5
> verification error\nERROR: MD5 verification error" at (eval 42) line
> 435.
> Jul 23 10:50:03 pc009 amavis[11600]: (11600-01) TROUBLE in check_mail:
> virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
> av-scanner FAILED: Too many retries to talk to
> /var/run/clamav/clamd.ctl (Can't connect to UNIX socket

Looks like clamd crashed - did you restart clamd?

Bill
Re: [AMaViS-user] Dkim signing and altermime / disclaimer failure
Michael Scheidell wrote the following on 7/7/2007 7:48 AM -0800:
> Seems if you use dkim to sign outgoing email through amavisd-new policy
> bank and forward-method, the 'disclaimer' added to message does not pass
> the body test. since it seems to sign the message before the disclaimer
> is added.
>
> Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
> or wait till Mark gets back?
>
> (at least assume this is why I get this error on reflector:
> testing.dkim.org; [EMAIL PROTECTED]; dkim=fail (
> Err: body altered; RSA-128 err: hdrdiffs=none; bodyvfy=no;
> secnap.net/s102
> 4 fail; );
> [EMAIL PROTECTED]; dkim=neutral
>
> [DKIM-Bodyhash: Warning]
> body hashes do not match for "Michael Scheidell"
> sig=k9XtizUNBPIHQDW1po4NYI6foNM= calc=QsnK/S4Ee01odgjQhyN9o4FaZjk=
> [DKIM-Vfy: Warning]
> RSA-128 err: [EMAIL PROTECTED] hdrdiffs=none; bodyvfy=no;
> openssl=error::lib(0):func(0):reason(0); 'v=1; a=rsa-sha1;
> c=relaxed; d=secnap.net;
> h=mime-version:content-type:content-transfer-encoding:subject:
> date:message-id:from:to; q=dns/txt; s=s1024; bh=k9XtizUNBPIHQDW1
> po4NYI6foNM=; b='
>
>
> Using FREEBSD, postfix, amavisd-new 2.5.2, Mail:DKIM .26, dkimproxy.
>

I don't use dkim proxy, but do sign with both dk and dkim. Just out of curiosity, since you are using postfix (that is, if you are using a relatively new version of postfix that supports milters), why not use the dkim-milter and do your signing as the last thing postfix does before delivering the message to the recipient MTA? That should resolve any issues you may be experiencing with something changing the body or headers after signing.

Bill

> Used this to do forwarding, disclaimers:
>
> (using dkim proxy from ports, in rc.conf:
>
> amavisd-new forward sends to 127.0.0.1:10027.
> Dkimproxy listens on 127.0.0.0:10027, signs message and send back out
> 10028.
> Postfix listens on 10028 and sends email back out.
>
> dkimproxy_out_enable="YES"
> dkimproxy_out_flags="--keyfile=/usr/local/etc/dkimproxy/private.key \
>   --selector=s1024 --domain=secnap.com,secnap.net --method=relaxed \
>   127.0.0.1:10027 127.0.0.1:10028"
>
> master.cf:
>
> 127.0.0.1:10028 inet n - n - 10 smtpd
>   -o content_filter=
>   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks=127.0.0.0/8
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> amavisd.conf
>
> @altermime_args_disclaimer =
>   qw(--verbose --disclaimer=/var/amavis/etc/disclaimer.txt
>   --disclaimer-html=/var/amavis/etc/disclaimer.html);
> $defang_maps_by_ccat{+CC_CLEAN} = [ 'disclaimer' ];
>
> $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
>   originating => 1,
>   forward_method => 'smtp:[127.0.0.1]:10027',
>   allow_disclaimers => 1,
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
>
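Why the order of signing and disclaimer insertion decides whether `bh=` verifies, as an added example (not code from the thread, dkimproxy or Mail::DKIM). It implements the RFC 6376 body canonicalizations and reproduces a `sig=`/`calc=` mismatch on a constructed message; the sample body and the plain-text append that stands in for the disclaimer step are assumptions.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """Body canonicalization from RFC 6376 sections 3.4.3 and 3.4.4."""
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop line-end whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif mode != "simple":
        raise ValueError("mode must be 'simple' or 'relaxed'")
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body is a lone CRLF in simple mode, nothing in relaxed.
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="simple", algo="sha1"):
    """Value a signer places in bh=: base64 of the canonical body digest.

    Defaults mirror the quoted signature: a=rsa-sha1, and c=relaxed, which
    names one algorithm only and therefore means relaxed headers with a
    simple body.
    """
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_body(bh, received_body, mode="simple", algo="sha1"):
    """What a verifier reports: signed hash, recomputed hash, and verdict."""
    calc = body_hash(received_body, mode, algo)
    return {"sig": bh, "calc": calc, "match": bh == calc}


# Constructed sample body and disclaimer (not taken from the thread).
BODY = b"Hi,\r\n\r\nThe invoice is attached.\r\n"
DISCLAIMER = b"\r\n-- \r\nThis message may contain confidential information.\r\n"


def simulate(order):
    """Verifier's view for 'sign-then-disclaim' or 'disclaim-then-sign'."""
    if order == "sign-then-disclaim":
        bh = body_hash(BODY)             # signer hashes the body it was given
        delivered = BODY + DISCLAIMER    # a later hop appends the disclaimer
    elif order == "disclaim-then-sign":
        delivered = BODY + DISCLAIMER    # body is final before signing
        bh = body_hash(delivered)
    else:
        raise ValueError("unknown order")
    return check_body(bh, delivered)


if __name__ == "__main__":
    for order in ("sign-then-disclaim", "disclaim-then-sign"):
        result = simulate(order)
        print(order, "sig=%(sig)s calc=%(calc)s match=%(match)s" % result)
```
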
Re: [AMaViS-user] problem with amavis and nod32
McDouglas wrote the following on 6/18/2007 7:38 AM -0800:
> Bill Landry wrote:
>
>> If you set amavisd to send the raw e-mail to nod32, do you still see
>> the error?
>>
>> Bill
>>
>>
>>
>
> How do I set that? And what else will change with that setting?
> (concerned about the spamassassin/banned files/quarantine settings)
>

Depends on the version of amavisd-new you are running. With the most recent version, 2.5.1, you can set "$bypass_decode_parts = 1;" to disable all decoding by amavisd-new. From the release notes:

- setting $bypass_decode_parts to true now also disables MIME decoding,
  not just decoders/dearchivers listed in a @decoders list, and also
  implicitly retains full original message for virus checking, equivalent
  to having a regular expression /^MAIL$/ in a @keep_decoded_original_maps
  list

This will not change how spamassassin works (SA is sent the raw message for processing anyway), nor will it change how your virus quarantine settings work; however, it probably will affect how banned files are handled, since amavisd will not be doing any message decoding of its own. I don't have any banned files listed in my amavisd.conf, so someone else will need to confirm this.

Bill
Re: [AMaViS-user] problem with amavis and nod32
Gregorics Tamás wrote the following on 6/18/2007 7:01 AM -0800:
> Hi!
>
> I'm having a slight problem with my amavisd-new installation. I'm using
> the nod32 av scanner with amavis, and sometimes mails generate such
> error logs:
>
> Jun 18 11:26:32 zeusz amavis[9766]: (09766-07) (!!) run_av (ESET
> Software NOD32 Command Line Interface v 2.52) FAILED - unexpected exit
> 3, output="...
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010
> -> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010
> -> MIME -> :
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part001.htm:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> szoke.pps:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> : info="error occurred while reading archive""
>
> Jun 18 11:26:32 zeusz amavis[9766]: (09766-07) (!!) ESET Software NOD32
> Command Line Interface v 2.52 av-scanner FAILED: /usr/bin/nod32cli
> unexpected exit 3, output="...
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010
> -> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME: clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010
> -> MIME -> :
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part000.txt:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> part001.htm:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> szoke.pps:
> clean\n/var/lib/amavis/tmp/amavis-20070618T112128-09766/parts/p010 ->
> MIME -> : info="error occurred while reading archive"" at (eval 44) line
> 462.
>
>
> I contacted nod32 support and they suggested that it's amavis' fault
> ("it could happen with open source softwares"), because it can not
> extract the mail properly. They suggested leaving out amavis from the
> delivery chain, but that's clearly not an option for us.
>
> Any suggestions?
>

If you set amavisd to send the raw e-mail to nod32, do you still see the error?

Bill
Re: [AMaViS-user] Someone missed a virus..
Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf
>> Of Bill Landry
>> Sent: Friday, June 15, 2007 3:51 PM
>> To: amavis-user@lists.sourceforge.net
>> Subject: Re: [AMaViS-user] Someone missed a virus..
>>
>> Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
>> Thanks for reporting this one Michael, malware distributors
>> are getting more creative all the time. Just as an FYI,
>> since I am using the recent "$bypass_decode_parts = 1"
>> feature that disables all decoding by amavisd-new and instead
>> passes the raw messages to the virus scanner(s) and relies on
>> the decoding supported by the virus scanner itself. In this
>> case I run both clamd and f-prot, and both were able to
>> detect the trojan inside the .doc file, without any decoding
>> on the part of
>> amavisd-new:
>>
>> F-Prot:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc
>>
> ->Proforma_Invoice.exe
>
>> is a security risk named W32/Dropper.ESR
>>
>> ClamD:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND
>>
>> Thanks again, Mark, for adding the ability to bypass all
>> decoding in amavisd-new, it seems to be working fine for me thus far.
>>
>
> Yes, but you only got that because I reported it to clamav at CA:
>
> (I use clamav, and at the time, it wasn't in the file:
>
> If you had checked that earlier (before daily/3430) you would have
> missed it.
>

I don't disagree. My comment was more toward the fact that many virus scanners now support mime decoding and file unpacking themselves and thus the decoding feature of amavisd-new can be disabled (meaning no need to install and use unpackers within amavisd.conf, like ripole), which also possibly removes the requirement to try and work around files embedded in other files or mis-labeled file formats within amavisd.conf. Anyway, it was simply an observation on my part.

Bill
Re: [AMaViS-user] Someone missed a virus..
Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
> Well, an attachment, a 0 day virus.
>
> How do we block an exe inside a .doc?
>
> Maybe hackers/spammers have found a way around Anti-Virus software, or
> at least, attachment blocking.
>
> Spam came in, with a 'proforma invoice' attached.
> (if you want to see it, http://www.secnap.com/downloads/proforma.eml)
>
>
> Click on the proforma invoice.doc, ALMOST open it. (or run strings on
> it)
>
> See a self executable zip file (.exe)
>
> Proforma_Invoice.exe
> C:\PROFOR~1.EXE
> C:\PROFOR~1.EXE
>
>
> 'file Proforma_Invoice.doc' shows:
>
> Proforma_Invoice.doc: Microsoft Office Document
>
> file -i Proforma_Invoice.doc shows:
> application/msword
>
> Clamav and CA didn't see it as a virus.
> (Two hours later, after submitting to [EMAIL PROTECTED] and clamav, clam
> finds it:
> clamdscan Proforma_Invoice.doc
> /tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND
>

Thanks for reporting this one Michael, malware distributors are getting more creative all the time. Just as an FYI, since I am using the recent "$bypass_decode_parts = 1" feature that disables all decoding by amavisd-new and instead passes the raw messages to the virus scanner(s) and relies on the decoding supported by the virus scanner itself. In this case I run both clamd and f-prot, and both were able to detect the trojan inside the .doc file, without any decoding on the part of amavisd-new:

F-Prot:
/var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe is a security risk named W32/Dropper.ESR

ClamD:
/var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

Thanks again, Mark, for adding the ability to bypass all decoding in amavisd-new, it seems to be working fine for me thus far.

Bill
Re: [AMaViS-user] Can't connect to UNIX socket /va
[EMAIL PROTECTED] wrote the following on 6/5/2007 8:33 AM -0800:
> Hello Mark,
>
> On Tuesday 05 June 2007 Mark Martinec wrote to
> amavis-user@lists.sourceforge.net:
>
> >> Actually, I did it both ways: amavis added to group clamav and
> >> clamav added to group amavis. [...] This certainly solved the
> >> problem. I'm still wondering why it doesn't work the other
> >> way, but I'll have another look at that later.
> MM> It seems this problem is affecting certain installations and is
> MM> reported every now and then, but is not affecting most of the
> MM> rest. It would be useful to locate the cause of it. It may be
> MM> related to the version of clamd, to the OS, and to the version
> MM> of the kernel. For starters let's see some versions that exhibit
> MM> this problem.
>
> OK. I'm running Linux kernel 2.6.18.8 on a Pentium 4 system.
> The version of clamav is 0.90.3, of amavisd-new 2.5.1.
>
> MM> Just in case, please try to become user clamav, and try
> MM> accessing (for reading) some amavis temporary files in its
> MM> .../parts/ subdirectories.
>
> That works without problem.
>
> I still think I may have made a configuration error somewhere,
> but won't have time to investigate that thoroughly until the
> weekend.
>

Just thought I would ask the obvious, just in case. Are the socket locations synchronized between clamd and amavisd? For example:

From clamd.conf:
   LocalSocket /var/amavis/clamd.sock

From amavisd.conf:
   ['ClamAV-clamd',
     \&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd.sock"],

Anyway, good luck!

Bill
Re: [AMaViS-user] [OT] AntiVirus Bake Off
Gary V wrote the following on 5/31/2007 8:05 AM -0800:
> http://www.pcmag.com/article2/0,1895,2135092,00.asp
>
>

I wonder how ClamAV would have fared had the SaneSecurity and MSRBL signatures been included when tested.

Bill
Re: [AMaViS-user] Amavisd phish & malware headers question
Mark Martinec wrote the following on 5/31/2007 1:16 AM -0800:
> Bill,
>
>
>> I am marking and passing malware e-mails to a special review account for
>> possible listing in URIBL Black (in their malware cluster). Just
>> curious to know why amavisd would write all of the duplicate malware
>> headers to a single message:
>>
>> X-Spam-Status: Yes, score=56 required=5
>> tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5,
>> AV:Email.Malware.Sanesecurity.07051800=7.5]
>>
>
> amavisd passes each mail component (unless decoding is disabled)
> to virus scanners. Perhaps clamd triggered on each mail part.
>

I have:

$bypass_decode_parts = 1;

> Or there may be an issue with cached results from previous attempts,
> try:
> $virus_check_negative_ttl=0; # time to cache contents when not infected
> $virus_check_positive_ttl=0; # time to cache contents when infected
> $spam_check_negative_ttl =0; # time to cache contents as not spam
> $spam_check_positive_ttl =0; # time to cache contents as spam
> just to rule out this possibility.
>

I think these are set to the defaults:

$virus_check_negative_ttl= 3*60; # time to cache contents when not infected
$virus_check_positive_ttl= 30*60; # time to cache contents when infected
$spam_check_negative_ttl = 10*60; # time to cache contents as not spam
$spam_check_positive_ttl = 30*60; # time to cache contents as spam

> The final answer lies in your log.
>

If I find any more of these, I'll check to see what the log reports.

Thanks,

Bill
Re: [AMaViS-user] Quarantine and non-existing email addresses
Paweł Leśniak wrote the following on 5/28/2007 1:32 AM -0800:
> Hello,
>
> I'm using Amavisd-new with SpamAssassin between two sendmail daemons -
> incoming and outgoing.
> I've set up quarantine level, so some "spammy" emails go to single
> mailbox called "spams". Now once for a while (daily mostly) I'm going
> through all those emails to catch some false positives. Most of the
> times it's only spam, rarely single email trapped.
> Now to the point.
> Most of those trapped messages are being sent to addresses which do not
> exist in my mail server. So without SA they'd have gone to postmaster.
> Is it possible to get all those messages to be dropped, or better to be
> stored in some other mailbox/mailfolder ?
>
> I'm sorry if someone already asked similar question - I can't find
> answer myself.
>
>

Look to the MTA (sendmail in your case) to do this. You should be doing some sort of recipient validation at the MTA level and rejecting mail to non-existent accounts. This will save you a bunch of cpu cycles by not having to virus scan and spam filter all of those bogus e-mails.

I run postfix, and have never run sendmail, so I can't tell you how to do this, but I have no doubt that sendmail supports recipient validation. Look to the sendmail documentation on how to do this.

Bill
[AMaViS-user] Amavisd phish & malware headers question
I am marking and passing malware e-mails to a special review account for possible listing in URIBL Black (in their malware cluster). Just curious to know why amavisd would write all of the duplicate malware headers to a single message:

X-Spam-Status: Yes, score=56 required=5
 tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5]

When I scan the same raw message file with clamdscan I only see one result:

=
clamdscan /home/amavis/test.eml
/home/amavis/test.eml: Email.Malware.Sanesecurity.07051800 FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.310 sec (0 m 0 s)
=

I also periodically see the same with phish e-mail, too:

X-Spam-Status: Yes, score=26 required=5
 tests=[AV:Phishing.Email.SSL-Spoof=7.5, MY_TEST=3.5,
 AV:Phishing.Email.SSL-Spoof=7.5, AV:Phishing.Email.SSL-Spoof=7.5]

And with clamdscan directly on the raw message file:

=
clamdscan /home/amavis/test2.eml
/home/amavis/test2.eml: Phishing.Email.SSL-Spoof FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.084 sec (0 m 0 s)
=

Again, it's not a big deal, just more of a curiosity question.

Thanks,

Bill
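A quick way to measure what the repeated `AV:` entries in the two headers above do to the score, as an added example (not part of the original post and not amavisd code). It parses the `tests=[...]` list, counts repeats, and compares the reported score with the sum when each test name is counted once; the function names are illustrative.

```python
import re
from collections import Counter

# The two headers quoted in the post above, folded onto continuation lines.
MALWARE_HEADER = """X-Spam-Status: Yes, score=56 required=5
 tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5,
 AV:Email.Malware.Sanesecurity.07051800=7.5]"""

PHISH_HEADER = """X-Spam-Status: Yes, score=26 required=5
 tests=[AV:Phishing.Email.SSL-Spoof=7.5, MY_TEST=3.5,
 AV:Phishing.Email.SSL-Spoof=7.5, AV:Phishing.Email.SSL-Spoof=7.5]"""


def parse_spam_status(header):
    """Split an X-Spam-Status header into score, threshold and test hits."""
    text = re.sub(r"\s+", " ", header)          # unfold continuation lines
    score = re.search(r"\bscore=(-?[\d.]+)", text)
    required = re.search(r"\brequired=(-?[\d.]+)", text)
    tests = re.search(r"tests=\[(.*?)\]", text)
    if not (score and required and tests):
        raise ValueError("not an X-Spam-Status header in the expected form")
    hits = []
    for item in tests.group(1).split(","):
        # Test names may themselves contain '=', so split on the last one.
        name, sep, value = item.strip().rpartition("=")
        if sep:
            hits.append((name.strip(), float(value)))
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "hits": hits,
    }


def duplicate_report(header):
    """Compare the reported score with the score if each test counted once."""
    parsed = parse_spam_status(header)
    counts = Counter(name for name, _ in parsed["hits"])
    once = {}
    for name, value in parsed["hits"]:
        once.setdefault(name, value)            # keep the first hit per name
    total_once = sum(once.values())
    return {
        "reported": parsed["score"],
        "sum_of_listed_hits": sum(value for _, value in parsed["hits"]),
        "sum_counting_each_test_once": total_once,
        "duplicates": {n: c for n, c in counts.items() if c > 1},
        "spam_after_dedup": total_once >= parsed["required"],
    }


if __name__ == "__main__":
    for label, header in (("malware", MALWARE_HEADER), ("phish", PHISH_HEADER)):
        print(label, duplicate_report(header))
```

In both headers the listed hits add up exactly to the reported score, so every repeated entry was counted toward the total.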
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Mark Martinec wrote the following on 5/22/2007 10:04 AM -0800:
> Bill,
>
>> Okay, then is there any reason to have amavisd-new break e-mail messages
>> up for individual parts scanning?
>>
>
> Several virus scanners are not able to decode a MIME structure,
> or do a poor job at it, or can not decode certain types of
> archives or encodings. Carefully decoding by amavisd can also
> protect virus scanners from mail bombs, e.g. recursive archives.
>
>

Well, hopefully clamav is up to the task of protecting itself from these types of exploits - only time will tell...

> MIME and archive decoding also provides information about
> mail structure and its components to banning rules (file names,
> file types, mime types), and to a bad MIME-header check.
>
>

Hmmm, hopefully I will not miss these additional capabilities. I'll be monitoring carefully for a while.

>> Would it make sense to disable parts scanning and just have
>> amavisd-new only pass the entire raw message to clamd for scanning?
>>
>
> If you trust your virus scanner, and don't need extra
> information for banning rules, then sure, you may disable
> decodings by amavisd.
>
> Either disable decoders/dearchivers individually by
> adjusting @decoders list, or turn them off altogether
> by setting $bypass_decode_parts=1;
>
> Now with 2.5.1-pre1, the $bypass_decode_parts=1 also
> disables MIME decoding by MIME::Parser, and implicitly
> enables passing of a complete mail to virus scanners,
> which is what you are asking for.

I'm running 2.5.1-pre1 and for testing I have set the following relevant parts in my amavisd.config:

$bypass_decode_parts = 1;
$keep_decoded_original_re = 0;
# @keep_decoded_original_maps = (\$keep_decoded_original_re);

[EMAIL PROTECTED] = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
# qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
# qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
## qr'^Zip archive data', # don't trust Archive::Zip
#));

[EMAIL PROTECTED] = (
# ['mail', \&do_mime_decode],
# ['asc', \&do_ascii],
# ['uue', \&do_ascii],
# ['hqx', \&do_ascii],
# ['ync', \&do_ascii],
# ['F',\&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
# ['Z',\&do_uncompress, ['uncompress','gzip -d','zcat'] ],
# ['gz', \&do_gunzip],
# ['gz', \&do_uncompress, 'gzip -d'],
# ['bz2', \&do_uncompress, 'bzip2 -d'],
# ['lzo', \&do_uncompress, 'lzop -d'],
# ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
# ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
# ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
# ['tar', \&do_tar],
# ['deb', \&do_ar, 'ar'],
## ['a',\&do_ar, 'ar'], # unpacking .a seems an overkill
# ['zip', \&do_unzip],
# ['rar', \&do_unrar, ['rar','unrar'] ],
# ['arj', \&do_unarj, ['arj','unarj'] ],
# ['arc', \&do_arc,['nomarch','arc'] ],
# ['zoo', \&do_zoo, 'zoo'],
# ['lha', \&do_lha, 'lha'],
## ['doc', \&do_ole, 'ripole'],
# ['cab', \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext,'tnef'],
# ['tnef', \&do_tnef],
# ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
# ['7z', \&do_7zip, ['7zr','7za','7z'] ],
#);

It appears to be working as planned. Before upgrading:

Virus scanner output:
 p006: Worm.Dumaru.Y FOUND
 p005: Worm.Dumaru.Y FOUND
=
After upgrading:

Virus scanner output:
 p001: Worm.Dumaru.Y FOUND
=
And everything since:

Virus scanner output: p001: Trojan.Postcard.eml FOUND
Virus scanner output: p001: Exploit.Iframe-1 FOUND
Virus scanner output: p001: Worm.Mytob.MG FOUND
Virus scanner output: p001: Worm.Scano-6 FOUND
Virus scanner output: p001: Worm.Mydoom.M FOUND
Virus scanner output: p001: Worm.Dumaru.Y FOUND
Virus scanner output: p001: Html.Malware.Sanesecurity.07010800 FOUND
Virus scanner output: p001: Worm.Bagle.GV FOUND
Virus scanner output: p001: Worm.Mytob.KS FOUND
Virus scanner output: p001: Worm.Mydoom.I FOUND
Virus scanner output: p001: Worm.Nyxem.E FOUND
Virus scanner output: p001: Worm.Bagle-8-zippwd FOUND
Virus scanner output: p001: Worm.Lovgate.R FOUND
Virus scanner output: p001: Worm.Bagle.GV FOUND
=
Thanks Mark, I'll let you know if I see anything strange since making the upgrade and amavisd.config changes.

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Noel Jones wrote the following on 5/21/2007 9:32 PM -0800:
> At 09:55 PM 5/21/2007, Bill Landry wrote:
>
>> Mark, can you tell me why the Email.Malware are still not detected
>> without enabling /^MAIL$/? I would like to keep virus scan processing
>> to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are
>> not detected.
>>
>
> Most of the Email.Malware signatures are "email" type
> signatures. Clamav must be presented with a file recognizable as an
> email (Received: headers and other clues) for these signatures to even
> be checked.
>
> You must always present clamav with raw email files to use all the
> published signatures. In addition to the SaneSecurity add-on
> signatures, most of the "official" clam Phish signatures are "email"
> type, along with several official trojan & worm signatures.
>
> If you don't set amavisd-new to scan the full email message, you
> effectively disable all signatures requiring an email message.
>
>

Okay, then is there any reason to have amavisd-new break e-mail messages up for individual parts scanning?

Would it make sense to disable parts scanning and just have amavisd-new only pass the entire raw message to clamd for scanning?

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Mark Martinec wrote the following on 5/21/2007 5:06 PM -0800:
> Bill,
>
>
>> I've noticed that when multiple message parts match different clamav
>> signatures, *all* the signature names must be listed in
>> @virus_name_to_spam_score_maps for it to be considered spam.
>>
>
> Yes, as documented in RELEASE_NOTES:
>
> [...] When a virus scanner returns
> names of viruses, and all provided names are matched by the
> @virus_name_to_spam_score_maps, and no other virus scanner has
> anything more sinister to report, then a message is _not_ flagged
> as a virus, but a corresponding spam score is contributed to other
> spam results [...]
>
> This is a key issue here.
>
> Your test example after enabling /^MAIL$/ (which requests that
> a full message is passed to virus scanners, besides each decoded
> part), clamd starts to report _two_ malware names.
>

Mark, can you tell me why the Email.Malware are still not detected without enabling /^MAIL$/? I would like to keep virus scan processing to a minimum, but if I disable /^MAIL$/, then Email.Malware messages are not detected.

> As the 'Phishing.Email' was not in your @virus_name_to_spam_score_maps
> list, such mail did not fulfill the requirement that _all_ reported
> names must be in the list for the result to be turned into spam,
> so you ended up with a quarantined 'virus'.

Thanks for the explanation, and thanks to Noel for his assistance in figuring this out off-list over the weekend.

Bill
Re: [AMaViS-user] amavisd, postfix and dkfilter?
Charlie Farinella wrote the following on 5/16/2007 11:33 AM -0800:
> Is anyone using amavisd with postfix and dkfilter? I need to attach
> domain keys to my outgoing mail and am getting confused. dkfilter wants
> to be a content_filter and if I'm seeing this correctly, it seems that
> postfix can only have one content_filter and that needs to be amavisd.
>
> Help, pointers to documentation, etc. are appreciated.
>

I'm not using dkfilter, but rather dk-milter, postfix, and amavisd-new. Depending on what version of postfix you are using (v2.3 or newer), you might consider using dk-milter and set it up to sign only outgoing mail for your domain(s) - you can find a link to it from the Postfix add-on page: http://www.postfix.org/addon.html. If you decide to consider dk-milter, see the postfix MILTER_README: http://www.postfix.org/MILTER_README.html for setup and configuration information.

Otherwise, you could consider running multiple content_filters, either chained (postfix -> dkfilter -> amavisd -> postfix) or set up amavisd-new via main.cf and dkfilter via master.cf under smtpd (postfix -> dkfilter -> postfix -> amavisd -> postfix). Either will work, but the second option may be easier to set up and maintain.

As for setting up dkfilter to work with postfix, I have not used it, but the dkfilter site recommends: http://www.postfix.org/CONTENT_INSPECTION_README.html for postfix setup information.

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Noel Jones wrote the following on 5/18/2007 3:37 PM -0800:
> At 05:28 PM 5/18/2007, Bill Landry wrote:
>
>> Noel Jones wrote the following on 5/18/2007 3:14 PM -0800:
>>
>>> At 04:49 PM 5/18/2007, Bill Landry wrote:
>>>
>>>
>>>> Well, this was not a good solution:
>>>>
>>>> @keep_decoded_original_maps = (new_RE(
>>>> qr'^MAIL$', # retain full original message for virus checking (can
>>>> be slow)
>>>>
>>>> as this had the effect of quarantining everything that SaneSecurity and
>>>> MSRBL detected, including spam, phish, image, scam, etc., and not just
>>>> malware. :-(
>>>>
>>>> Any other suggestions? Thanks,
>>>>
>>>>
>>> I think your @virus_name_to_spam_score_maps is somehow
>>> wrong. Scanning the raw email doesn't change the result text
>>>
>> from clamdscan.
>>
>>>
>> Other than score changes, it's identical to what can be found in the
>> amavis.conf-default included with the distro:
>>
>> @virus_name_to_spam_score_maps =
>> (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 1.5 ],
>>[ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
>>[ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 1.5 ],
>>[ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 1.5 ],
>> ));
>>
>> Let me know if you see anything wrong here...
>>
>
> I don't see any obvious problems above. You don't happen to have
> @virus_name_to_spam_score_maps defined more than once, do you?
>
> maybe Mark has other suggestions.
>
>

No, it's only defined once:

grep "virus_name_to_spam_score_maps" /etc/amavisd.conf
@virus_name_to_spam_score_maps =

Thanks for the feedback!

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Noel Jones wrote the following on 5/18/2007 3:14 PM -0800:
> At 04:49 PM 5/18/2007, Bill Landry wrote:
>
>> Well, this was not a good solution:
>>
>> @keep_decoded_original_maps = (new_RE(
>> qr'^MAIL$', # retain full original message for virus checking (can
>> be slow)
>>
>> as this had the effect of quarantining everything that SaneSecurity and
>> MSRBL detected, including spam, phish, image, scam, etc., and not just
>> malware. :-(
>>
>> Any other suggestions? Thanks,
>>
>
> I think your @virus_name_to_spam_score_maps is somehow
> wrong. Scanning the raw email doesn't change the result text from clamdscan.
>
>

Other than score changes, it's identical to what can be found in the amavis.conf-default included with the distro:

@virus_name_to_spam_score_maps =
 (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 1.5 ],
 [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
 [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 1.5 ],
 [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 1.5 ],
 ));

Let me know if you see anything wrong here...

Thanks,

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Bill Landry wrote the following on 5/18/2007 12:54 PM -0800:
> Mark Martinec wrote the following on 5/18/2007 12:46 PM -0800:
>
>> Bill,
>>
>>
>>
>>>>> [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
>>>>> [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'=> undef],
>>>>> [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
>>>>> [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>>>>>
>>>>>
>>
>>
>>> It's set up this way because that's the way you have it shown in the
>>> amavisd.conf-default file that comes with the distro
>>>
>>>
>> I have it that way, because I wanted to have the:
>>
>> ^(Email|Html)\.Malware\.Sanesecurity\.
>>
>> treated as a virus, and not as a spam.
>>
>> The rule stands above the
>> ^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.
>> rule, which would have matched on such name too.
>>
>> So my intention is to let Email|Html * .Sanesecurity
>> be spam, except for Email|Html .Malware .Sanesecurity
>>
>>
>>
> Yep, that's exactly what I want, as well. However, it does not work
> this way in reality. I can send you a sample malware off-list to test
> with, if you would like (let me know).
>
>>
>>
>>> If it does work then it looks like amavisd-new separates the headers
>>> from the body...and then uses clamd to scan the body ONLY...
>>>
>>>
>> Yes, as always, except when some decoder declares it is
>> unable to decode, or if @keep_decoded_original_maps matches,
>> in this case AV scanner would also see the complete mail,
>> in addition to each decoded part.
>>
>>
>
> I know that, as Noel suggested, I can set "qr'^MAIL$',", but didn't
> really want to have to do that unless absolutely necessary due to the
> additional overhead.

Well, this was not a good solution:

@keep_decoded_original_maps = (new_RE(
 qr'^MAIL$', # retain full original message for virus checking (can be slow)

as this had the effect of quarantining everything that SaneSecurity and MSRBL detected, including spam, phish, image, scam, etc., and not just malware. :-(

Any other suggestions? Thanks,

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Mark Martinec wrote the following on 5/18/2007 12:46 PM -0800:
> Bill,
>
>
[ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
[ qr'^(Email|Html)\.Malware\.Sanesecurity\.'=> undef],
[ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
[ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>
>
>> It's set up this way because that's the way you have it shown in the
>> amavisd.conf-default file that comes with the distro
>>
>
> I have it that way, because I wanted to have the:
>
> ^(Email|Html)\.Malware\.Sanesecurity\.
>
> treated as a virus, and not as a spam.
>
> The rule stands above the
> ^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.
> rule, which would have matched on such name too.
>
> So my intention is to let Email|Html * .Sanesecurity
> be spam, except for Email|Html .Malware .Sanesecurity
>
>

Yep, that's exactly what I want, as well. However, it does not work this way in reality. I can send you a sample malware off-list to test with, if you would like (let me know).

>
>> If it does work then it looks like amavisd-new separates the headers
>> from the body...and then uses clamd to scan the body ONLY...
>>
>
> Yes, as always, except when some decoder declares it is
> unable to decode, or if @keep_decoded_original_maps matches,
> in this case AV scanner would also see the complete mail,
> in addition to each decoded part.
>

I know that, as Noel suggested, I can set "qr'^MAIL$',", but didn't really want to have to do that unless absolutely necessary due to the additional overhead.

Bill
Re: [AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
Mark Martinec wrote the following on 5/18/2007 11:52 AM -0800:
> Bill,
>
>
>> [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
>> [ qr'^(Email|Html)\.Malware\.Sanesecurity\.'=> undef],
>> [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
>> [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
>>
>
>
>> However, it does not seem to detect and quarantine any signature that
>> starts with "Email", even though clamdscan correctly detects and reports
>> the malware signature:
>> test.msg: Email.Malware.Sanesecurity.07051800 FOUND
>> The entries in amavisd.conf look correct, but for some reason, malware
>> signatures beginning with "Email" do not get detected and quarantined by
>> amavisd-new. Thoughts?
>>
>
> Why do you have the second entry (... => undef) ???
> If matched, it terminates the search and reports that a lookup
> did not find anything. You probably intended to just remove the line.
>
> Mark
>

Hi Mark,

It's set up this way because that's the way you have it shown in the amavisd.conf-default file that comes with the distro, and I want the file to be quarantined. However, Steve had me try the following:
=
Change this signature from:

Email.Malware.Sanesecurity.07051800:4:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c

to:

Email.Malware.Sanesecurity.07051800:0:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c

Ie. change the type 4 (mail file) to type 0 (all file types).

Save and re-load clamd

Now re-send the ecard to yourself... is it detected now?

If it does work then it looks like amavisd-new separates the headers from the body...and then uses clamd to scan the body ONLY... which might be no type 4 (Email.) would ever work? But I'm sure you would have noticed.
=
and without any changes to the amavisd.conf file, amavisd-new now correctly identifies the malware and quarantines the message.

Mark/Steve, how would you suggest we handle these going forward?

Thanks,

Bill
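The two lookup rules Mark describes in this thread (a matching entry whose value is undef ends the search as "not found", and a message is only turned into spam when every reported name is found) can be modelled as below. This is an added example, not amavisd-new's own code: the function names are hypothetical, None stands in for Perl's undef, the table is the one posted in the thread, the two names marked "constructed" are made up, and summing the per-name scores is an assumption of the model.

```python
import re

# Table as posted in the thread; None models Perl's undef.
TABLE = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 1.5),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 1.5),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 1.5),
]

# The same table with the undef entry deleted, to show what that entry is for.
NO_UNDEF = [entry for entry in TABLE if entry[1] is not None]


def lookup_score(name, table=TABLE):
    """First matching entry wins. A match whose value is None stops the
    search and is indistinguishable from 'no entry matched'."""
    for pattern, score in table:
        if pattern.search(name):
            return score
    return None


def classify(reported_names, table=TABLE):
    """Return (verdict, spam_score, names_not_found) for one message.

    The message is downgraded from 'infected' to a spam score only when
    *all* names reported by the scanner are found in the table."""
    scored = [(name, lookup_score(name, table)) for name in reported_names]
    if not scored:
        return ("clean", 0.0, [])
    not_found = [name for name, score in scored if score is None]
    if not_found:
        return ("infected", 0.0, not_found)
    # Assumption of this model: each found name contributes its score.
    return ("spam-score", sum(score for _, score in scored), [])


MALWARE = "Email.Malware.Sanesecurity.07051800"   # name from the thread
PHISH = "Phishing.Email.SSL-Spoof"                # name from this page
SPAM = "Email.Spam.Gen123.Sanesecurity.07010100"  # constructed
IMAGE = "MSRBL-Images/constructed-sample"         # constructed

if __name__ == "__main__":
    for names in ([MALWARE], [SPAM, IMAGE], [SPAM, PHISH]):
        print(names, "->", classify(names))
    print("undef entry removed:", lookup_score(MALWARE, NO_UNDEF))
```

With the undef entry in place the malware name stays a virus verdict; with it deleted the broader Sanesecurity entry would score it as spam, which is why the entry sits above that rule.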
[AMaViS-user] SaneSecurity malware signatures are not being detected by amavisd-new
I have been exchanging e-mails with Steve Basford of SaneSecurity regarding malware e-mails that are not detected and quarantined by amavisd-new, yet are detected fine when scanned directly by clamdscan. Here are my amavisd.conf entries for SaneSecurity and MSRBL signature detection:

@virus_name_to_spam_score_maps =
 (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
 [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
 [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
 [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
 ));

However, it does not seem to detect and quarantine any signature that starts with "Email", even though clamdscan correctly detects and reports the malware signature:

clamdscan test.msg
test.msg: Email.Malware.Sanesecurity.07051800 FOUND

The entries in amavisd.conf look correct, but for some reason, malware signatures beginning with "Email" do not get detected and quarantined by amavisd-new. Thoughts?

Thanks,

Bill
Re: [AMaViS-user] postfix/amavisd-new
Mark Martinec wrote the following on 5/10/2007 4:27 PM -0800:
> On Friday May 11 2007 00:51:14 Bill Landry wrote:
>
>> So explain a situation where the first filter would *not* apply. As
>> written, it applies to everything and anything after
>> "check_client_access pcre:/etc/postfix/filter_outbound" is useless, as
>> everything will be sent to the first content_filter and thus, end of
>> "smtpd_recipient_restrictions" processing.
>>
>
> The FILTER action only replaces the current content_filter setting
> and does not stop processing restrictions. Multiple FILTER
> actions can all stick their value into a content_filter
> one after another, whatever remains there when some restriction
> finally does terminate processing (or the list runs out)
> then applies as the chosen setting for the content_filter.
>
>

Ah, ok, now the light bulb is lit. Thanks for the explanation, I didn't realize that was how the filter action worked, nor did I understand what Gary was saying. It makes sense now.

Thanks,

Bill
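Mark's explanation of FILTER, walked through mouss's restriction list, as an added example (a simplified model, not Postfix code). The function names, the mynetworks range and the local domain are constructed for illustration; the outbound filter uses 127.0.0.1 as in mouss's prose, where the quoted filter_outbound map reads [1027.0.0.1].

```python
import ipaddress

# Constructed site data for the model.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}

OUTBOUND = "amavis:[127.0.0.1]:10586"
INBOUND = "amavis:[127.0.0.1]:10024"


def filter_map(destination):
    """Model of 'check_client_access pcre:...' with the single rule
    '/./ FILTER destination': it overwrites the pending content_filter
    and returns DUNNO, so evaluation continues with the next restriction."""
    def restriction(session):
        session["content_filter"] = destination
        return "DUNNO"
    return restriction


def permit_mynetworks(session):
    client = ipaddress.ip_address(session["client"])
    return "OK" if any(client in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(session):
    return "OK" if session["sasl_user"] else "DUNNO"


def reject_unauth_destination(session):
    domain = session["rcpt"].rsplit("@", 1)[1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


# Same order as smtpd_recipient_restrictions in the thread.
RESTRICTIONS = [
    filter_map(OUTBOUND),
    permit_mynetworks,
    permit_sasl_authenticated,
    filter_map(INBOUND),
    reject_unauth_destination,
]


def evaluate(client, rcpt, sasl_user=None):
    """Return (decision, content_filter). Only OK or REJECT ends the walk;
    whatever filter value is pending when the mail is accepted is used."""
    session = {"client": client, "rcpt": rcpt, "sasl_user": sasl_user,
               "content_filter": None}
    for restriction in RESTRICTIONS:
        verdict = restriction(session)
        if verdict == "OK":
            return ("accept", session["content_filter"])
        if verdict == "REJECT":
            return ("reject", None)
    return ("accept", session["content_filter"])  # list ran out


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "someone@elsewhere.example"))  # internal client
    print(evaluate("203.0.113.5", "user@example.org"))          # inbound mail
    print(evaluate("203.0.113.5", "someone@elsewhere.example")) # relay attempt
```

Each accepted message ends up with exactly one filter destination, so inbound mail is scanned once on port 10024 and an outside client relaying to a foreign domain is still rejected.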
Re: [AMaViS-user] postfix/amavisd-new
Jeremy Laidman wrote the following on 5/10/2007 3:40 PM -0800:
> Bill Landry wrote:
>
>
>>>>>>> smtpd_recipient_restrictions =
>>>>>>> ...
>>>>>>> check_client_access pcre:/etc/postfix/filter_outbound
>>>>>>> permit_mynetworks
>>>>>>> permit_sasl_authenticated
>>>>>>> check_client_access pcre:/etc/postfix/filter_inbound
>>>>>>> reject_unauth_destination
>>>>>>> ..
>>>>>>>
>
>
>> Rules are processed top down. Since everything will match /./ in the
>> first filter rule, everything will be sent to the first
>> "amavis:[1027.0.0.1]:10586" content_filter. Unless some post
>> content_filter filtering is being done, nothing ever gets past the first
>> filter, and everything only gets virus scanned and relayed. If I am
>> totally misunderstanding this, then please explain how anything ever get
>> past "check_client_access pcre:/etc/postfix/filter_outbound" in the
>> smtpd_recipient_restrictions? If that's the end of processing, then we
>> are in trouble.
>>
>
> If "permit_mynetworks" or "permit_sasl_authenticated" matches, then the second
> check_client_access never gets hit, so only the first filter applies.
>

So explain a situation where the first filter would *not* apply. As written, it applies to everything and anything after "check_client_access pcre:/etc/postfix/filter_outbound" is useless, as everything will be sent to the first content_filter and thus, end of "smtpd_recipient_restrictions" processing.

Bill
Re: [AMaViS-user] postfix/amavisd-new
Gary V wrote the following on 5/10/2007 2:31 PM -0800:
> Bill wrote:
>
>
>> Gary V wrote the following on 5/10/2007 2:21 PM -0800:
>>
>>> Bill wrote:
>>>
>>>
>>> mouss wrote the following on 5/10/2007 1:26 PM -0800:
> it is recommended to pass outbound mail through a virus checker. one way
> to do this is to tell amavisd-new to listen on two ports (10024 and
> 10586 for instance) and use
> ... FILTER amavis:[127.0.0.1]:10586
> for outbound mail (mynetworks and if user was authenticated):
>
> smtpd_recipient_restrictions =
> ...
> check_client_access pcre:/etc/postfix/filter_outbound
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access pcre:/etc/postfix/filter_inbound
> reject_unauth_destination
> ..
>
> filter_outbound:
> /./ FILTER amavis:[1027.0.0.1]:10586
>
> filter_inbound:
> /./ FILTER amavis:[127.0.0.1]:10024
> > >
I can see how this will work fine for outbound mail from networks listed in "mynetworks"; however, what is to prevent inbound mail from being virus scanned twice, once by each filter?
>>> The last one used wins.
>>>
>>>
>>>
>> Yep, so either inbound mail gets processed by just the first content
>> filter (in which case we are an open relay) or it gets processed by both
>> (not a good use of resources). So which is it?
>>
>
>
>> Bill
>>
>
> FILTER results in DUNNO. The message is not sent to the FILTER at that
> point, FILTER overrides the transport. The message is not transported
> anywhere until it is accepted - queued.
>

Rules are processed top down. Since everything will match /./ in the first filter rule, everything will be sent to the first "amavis:[1027.0.0.1]:10586" content_filter. Unless some post content_filter filtering is being done, nothing ever gets past the first filter, and everything only gets virus scanned and relayed. If I am totally misunderstanding this, then please explain how anything ever get past "check_client_access pcre:/etc/postfix/filter_outbound" in the smtpd_recipient_restrictions? If that's the end of processing, then we are in trouble.

Bill
Re: [AMaViS-user] postfix/amavisd-new
Gary V wrote the following on 5/10/2007 2:21 PM -0800:
> Bill wrote:
>
>
>> mouss wrote the following on 5/10/2007 1:26 PM -0800:
>>
>>> it is recommended to pass outbound mail through a virus checker. one way
>>> to do this is to tell amavisd-new to listen on two ports (10024 and
>>> 10586 for instance) and use
>>> ... FILTER amavis:[127.0.0.1]:10586
>>> for outbound mail (mynetworks and if user was authenticated):
>>>
>>> smtpd_recipient_restrictions =
>>> ...
>>> check_client_access pcre:/etc/postfix/filter_outbound
>>> permit_mynetworks
>>> permit_sasl_authenticated
>>> check_client_access pcre:/etc/postfix/filter_inbound
>>> reject_unauth_destination
>>> ..
>>>
>>> filter_outbound:
>>> /./ FILTER amavis:[1027.0.0.1]:10586
>>>
>>> filter_inbound:
>>> /./ FILTER amavis:[127.0.0.1]:10024
>>>
>>>
>> I can see how this will work fine for outbound mail from networks listed
>> in "mynetworks"; however, what is to prevent inbound mail from being
>> virus scanned twice, once by each filter?
>>
>
> The last one used wins.
>
>

Yep, so either inbound mail gets processed by just the first content filter (in which case we are an open relay) or it gets processed by both (not a good use of resources). So which is it?

Bill
Re: [AMaViS-user] postfix/amavisd-new
mouss wrote the following on 5/10/2007 1:26 PM -0800:
> it is recommended to pass outbound mail through a virus checker. one way
> to do this is to tell amavisd-new to listen on two ports (10024 and
> 10586 for instance) and use
> ... FILTER amavis:[127.0.0.1]:10586
> for outbound mail (mynetworks and if user was authenticated):
>
> smtpd_recipient_restrictions =
> ...
> check_client_access pcre:/etc/postfix/filter_outbound
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access pcre:/etc/postfix/filter_inbound
> reject_unauth_destination
> ..
>
> filter_outbound:
> /./ FILTER amavis:[1027.0.0.1]:10586
>
> filter_inbound:
> /./ FILTER amavis:[127.0.0.1]:10024
>

I can see how this will work fine for outbound mail from networks listed in "mynetworks"; however, what is to prevent inbound mail from being virus scanned twice, once by each filter?

Bill
Re: [AMaViS-user] phishing fraud spam in 2.5.0-pre3
Mark Martinec wrote the following on 3/21/2007 12:51 PM -0800: > Bill, > > >> I like the artificial header idea. If you could at least make it an >> optional flag that would be great. Would be nice to be able to add a >> few SA points if ClamAV detects phish, image, scam, etc., messages, >> otherwise it doesn't make much sense to use the additional ClamAV >> signature files provided by SaneSucurity and MSRBL. >> > > You already have the ability (with 2.5.0-pre3) to add score points > based on phish, image, scam, etc., the only reason why one would > like to have an artificial header field passed to SA is to be > able to have all the rules in one place (local.cf), and perhaps > for Bayes to see this information. > Ah, my misunderstanding, thanks for the clarification, that would meet my needs just fine. > Nevertheless, it can't hurt to provide this ability. One has then > a choice to adjust scores either in the @virus_name_to_spam_score_maps > in amavisd.conf, or by providing rules to match on the artificial > X-Amavis-AV-Status header field, which will be seen by SA only > (not in passed or quarantined mail). > > The following patch to 2.5.0-pre3 provides it: > > --- amavisd.orig Mon Mar 12 21:51:24 2007 > +++ amavisd Wed Mar 21 20:33:05 2007 > @@ -1353,5 +1353,9 @@ > > @virus_name_to_spam_score_maps = > - (new_RE( [qr'^(?:Email|HTML)\.Phishing\.'i => 14] )); > + (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ], > + [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc) > + (\.[^.]*)* \.Sanesecurity\.'x => 0.1 ], > + [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ], > + )); > > # prepend a lookup table label object for logging purposes 
> @@ -16973,4 +16977,6 @@ >push(@lines, sprintf("X-Amavis-OS-Fingerprint: %s\n", > sanitize_str($os_fp))) if $os_fp ne ''; > + push(@lines, sprintf("X-Amavis-AV-Status: %s\n", > + sanitize_str($msginfo->spam_status))) if $msginfo->spam_status ne > ''; >my($pbpath) = c('policy_bank_path'); >push(@lines, sprintf("X-Amavis-PolicyBank: %s\n",$pbpath)) if $pbpath ne > ''; > > > The above just adds 0.1 score point for each match, but turns off infection > flag > regardless of the actual value on the RHS. The idea is to provide additional > score points by SA rules below. > > The following rules may be placed in local.cf: > > header L_AV_Phish X-Amavis-AV-Status =~ m{\b(Email|HTML)\.Phishing\.}i > header L_AV_SS_Phish X-Amavis-AV-Status =~ > m{\b(Email|Html)\.Phishing(\.[^.]*)*\.Sanesecurity\.} > header L_AV_SS_ScamX-Amavis-AV-Status =~ > m{\b(Email|Html)\.(Scam[A-Za-z0-9]?)(\.[^.]*)*\.Sanesecurity\.} > header L_AV_SS_SpamX-Amavis-AV-Status =~ > m{\b(Email|Html)\.(Spam|Hdr|Bou|Stk|Loan|Cred|Job|Dipl|Doc)(\.[^.]*)*\.Sanesecurity\.} > header L_AV_SS_Hdr X-Amavis-AV-Status =~ > m{\b(Email|Html)\.Hdr(\.[^.]*)*\.Sanesecurity\.} > header L_AV_SS_Img X-Amavis-AV-Status =~ > m{\b(Email|Html)\.(Img|ImgO)(\.[^.]*)*\.Sanesecurity\.} > header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/} > header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.} > > score L_AV_Phish 14 > score L_AV_SS_Phish -3 > score L_AV_SS_Scam6 > score L_AV_SS_Spam6 > score L_AV_SS_Hdr 3 > score L_AV_SS_Img 3 > score L_AV_MSRBL_Img 3 > score L_AV_MSRBL_Spam 6 > > That's one of the biggest reasons why I love Amavisd-New, you always make your best effort to accommodate reasonable requests, if possible. Thanks again! Bill - Take Surveys. Earn Cash. 
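Review bot: in the @virus_name_to_spam_score_maps hunk, the second and third patterns drop the i modifier that the first pattern and the replaced line both carry ('x only on the Sanesecurity pattern, nothing on the MSRBL one), so a name reported with an HTML. prefix would not match (Email|Html) there. Suggest 'xi and 'i for consistency, or a comment saying the case sensitivity is intended. The hunk also replaces the single 14-point phishing entry with 0.1 everywhere; a comment beside the map saying the real scores now come from the local.cf rules would stop someone from applying only this half and losing the phishing score.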
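Review bot: in the second hunk the new header is named X-Amavis-AV-Status but its value comes from $msginfo->spam_status, which reads as the spam result rather than the AV scanner's virus names; if that accessor does carry the virus names at this point, a one-line comment saying so is worth adding. The accessor is also called twice in the one statement; assigning it to a lexical first, as the $os_fp and $pbpath lines around it do, would match the surrounding style.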
Re: [AMaViS-user] phishing fraud spam in 2.5.0-pre3
Mark Martinec wrote the following on 3/21/2007 6:51 AM -0800:
> Bob,
>
>> ah, does SA get any indication that clamav thinks the email is a phish?
>
> No, currently not. An artificial header field could be inserted I guess,
> but for the moment I don't think it is really needed, these phishing
> scams collect enough spam points by themselves.

I like the artificial header idea. If you could at least make it an optional flag that would be great. Would be nice to be able to add a few SA points if ClamAV detects phish, image, scam, etc., messages, otherwise it doesn't make much sense to use the additional ClamAV signature files provided by SaneSecurity and MSRBL.

Bill

>> Otherwise I guess turning off phishing signatures (as I currently have)
>> is pretty similar in effect.
>
> ...except for the absence of additional 14 score points,
> contributed by @virus_name_to_spam_score_maps.
>
> Mark
Re: [AMaViS-user] How to force amavis to write out full log entry to syslog
MrC wrote the following on 3/14/2007 4:20 PM -0800:
>> I am running amavisd-new-2.4.5 (20070130). I'm wondering if
>> there is a way to change how amavis logs to the syslog, in
>> particular, a way to keep it from truncating part of the log
>> entry? For example:
>
> Bill,
>
> These entries are continuation lines. They must be joined with previous
> lines with the same amavis PID / instance.
>
> amavis cuts syslog lines to be below 1023 bytes, including a prefix, for a
> max length of 980 chars.
>
>    my($logline_size) = 980; # less than (1023 - prefix)
>
> I suppose this is a compatibility issue for systems whose syslog handles <
> 1k bytes.
>
> See the beginning of the amavis filter for logwatch for perl code that
> performs continuation line joining.
>
>    http://www.mikecappella.com/logwatch/amavis.tgz
>
> MrC

Hmm, right you are. Thanks for the info and the link.

Bill
[AMaViS-user] How to force amavis to write out full log entry to syslog
I am running amavisd-new-2.4.5 (20070130). I'm wondering if there is a way to change how amavis logs to the syslog, in particular, a way to keep it from truncating part of the log entry? For example:

Mar 14 09:34:24 mail amavis[1881]: (01881-05) ...BL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_MP_BLOCK=2,URIBL_SC_SURBL=3,URIBL_SC_SWINOG=1.5,URIBL_WS_SURBL=2], autolearn=spam, 19536 ms
Mar 14 11:23:06 mail amavis[2956]: (02956-03) ..._IMAGE=2.5,STOCK_IMG_HDR_FROM=1,STOCK_IMG_HTML=1,TVD_FW_GRAPHIC_ID1=2.1,URIBL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_SC_SWINOG=1.5,XTRA_COMPRESS_IMAGE=0.5], autolearn=spam, 65442 ms
Mar 14 12:11:29 mail amavis[2956]: (02956-11) ...K_IMG_HDR_FROM=1,STOCK_IMG_HTML=1,TVD_FW_GRAPHIC_ID1=2.1,TW_CV=0.077,TW_SV=0.077,URIBL_AB_SURBL=3,URIBL_BLACK=2.5,URIBL_JP_SURBL=4.087,URIBL_OB_SURBL=3,URIBL_SC_SWINOG=1.5,XTRA_COMPRESS_IMAGE=0.5], autolearn=spam, 47431 ms

This causes my hit report to be inaccurate. Any suggestions would be much appreciated.

Bill
Re: [AMaViS-user] How to actually block
Jason Gauthier wrote the following on 3/9/2007 9:39 AM -0800:
> Greetings,
>
>    This is a very nubile question, and I realize that. However, I
> cannot find exactly what I'm looking for in the documentation. (Or it's
> answered in a way I am not understanding)
>
> I would like to actually stop email coming in from certain domains, or
> email addresses.
> I am using the blacklist now which just elevates the spam score to 64.
> I would like to actually drop the email completely. (Or bounce it).
>
> How can I achieve this functionality?
>
> Thanks,
>
> Jason

Look into doing this via whatever MTA you are using. This would allow you to reject the delivery rather than receive and bounce.

Bill
Re: [AMaViS-user] IP addresses printed in reverse in log file
Nicklas Bondesson wrote the following on 2/6/2007 11:10 AM -0800:
> When I look at my log file from amavisd some/all IP addresses are printed in
> reverse.
>
> "Passed CLEAN, [44.33.22.11]" should be printed "Passed CLEAN,
> [11.22.33.44]"
>
> This makes it a bit harder to trace and parse the logfile.

Are you sure it's reversed? It doesn't seem to be to me...

Bill
Re: [AMaViS-user] p0f/p0f-analyzer init.d script?
Shaun T. Erickson wrote the following on 1/1/2007 10:01 AM -0800:
> On 1/1/07, Bill Landry <[EMAIL PROTECTED]> wrote:
>
>> I tried the init script and was unsuccessful at making that work.
>> Instead, try adding something like the following to /etc/rc.local:
>>
>> /usr/sbin/p0f -f /etc/p0f/p0f.fp -l 'tcp dst port 25' 2>&1 |
>> /usr/local/sbin/p0f-analyzer.pl 2345 &
>>
>> Use whatever recipe you currently use, but make sure you use full paths
>> to all files. This will start both p0f & p0f-analyzer upon reboot.
>
> Yes, I start it in a similar fashion as well. What I want though, is
> to have it done "properly", in an init.d script of its own, so that I
> can start and stop it at will.
>
> If this isn't doable (but I'd be surprised if it wasn't), then another
> alternative might be to start p0f via its own init.d script and
> modify p0f-analyzer to read from the p0f log, instead of from STDIN.
> Now that I think about it, that seems like a better solution. Then
> p0f-analyzer could be stopped and started independently from p0f, with
> its own init.d script, and both could be started/stopped cleanly. I'm
> sure there was a reason it wasn't done this way though, that I'm
> missing ...

Well good luck with that. Let us know if your efforts work out any better than mine did.

Bill
Re: [AMaViS-user] p0f/p0f-analyzer init.d script?
Shaun T. Erickson wrote the following on 1/1/2007 9:39 AM -0800:
> Has anyone come up with a clean way of starting and stopping p0f &
> p0f-analyzer? On my CentOS 4.4 system, there is an init.d script for
> p0f, but that's to use it standalone, logging to a file. I haven't
> been able to figure out how to modify it to cleanly start and stop
> both programs, while still piping them together as maRBL and
> amavisd-new need them to be.

I tried the init script and was unsuccessful at making that work. Instead, try adding something like the following to /etc/rc.local:

/usr/sbin/p0f -f /etc/p0f/p0f.fp -l 'tcp dst port 25' 2>&1 | /usr/local/sbin/p0f-analyzer.pl 2345 &

Use whatever recipe you currently use, but make sure you use full paths to all files. This will start both p0f & p0f-analyzer upon reboot.

Bill
Re: [AMaViS-user] Suggestions on how to auto-start p0f/p0f-analyzer.pl on reboot
Peter Matulis wrote the following on 12/20/2006 5:00 PM -0800:
> --- Bill Landry <[EMAIL PROTECTED]> wrote:
>
>> Does anyone have any suggestions on how to start p0f/p0f-analyzer.pl
>> automatically at system boot time with Fedora? I have tried using an
>> init script with chkconfig and that presented strange results. I also
>> tried adding the following to /etc/rc.local:
>>
>> /bin/sh /usr/bin/nohup /bin/p0f.sh &
>>
>> with p0f.sh containing:
>>
>> p0f -l 'tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345 &
>>
>> However, that doesn't appear to work either (although executing p0f.sh
>> manually works). Any suggestions? What are others doing?
>
> You may need to specify the absolute path.
>
> On OpenBSD, I just put the following command in my /etc/rc.local file:
>
> /usr/local/sbin/p0f -l 'dst host and tcp dst port 25' 2>&1 |
> /usr/local/sbin/p0f-analyzer.pl 2345 &

Ah yes, that worked perfectly. Thanks Peter!

Bill
[AMaViS-user] Suggestions on how to auto-start p0f/p0f-analyzer.pl on reboot
Does anyone have any suggestions on how to start p0f/p0f-analyzer.pl automatically at system boot time with Fedora? I have tried using an init script with chkconfig and that presented strange results. I also tried adding the following to /etc/rc.local:

/bin/sh /usr/bin/nohup /bin/p0f.sh &

with p0f.sh containing:

p0f -l 'tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345 &

However, that doesn't appear to work either (although executing p0f.sh manually works). Any suggestions? What are others doing?

Thanks,

Bill
Re: [AMaViS-user] Tests show Razor2 apparently working ...
Shaun T. Erickson wrote:
> ... but I see no evidence of it, in the headers.
>
> I can run spamassassin in debug mode as the amavis user and it appears
> to me that razor2 is configured properly and being checked. So far,
> none of the mail that's come through since I set it up has been spam,
> so razor hasn't had a hit yet. Is it correct behavior that razor not
> be mentioned in the X-Spam-Status: header, unless it gets a hit?
>
> Is there any way to have a razor header added to the email? Or a DCC
> or Pyzor header (as I'll be adding those tests next). Or will they
> only show up in the X-Spam-Status: header, and only if they get a hit?

They will only show up in the headers if they get a positive hit on the message, just like all other SA tests:

X-Spam-Status: Yes, score=23.595 required=10 tests=[AWL=-2.013, BAYES_99=3.5,
    DATE_IN_PAST_06_12=0.827, DCC_CHECK=3.5, DIGEST_MULTIPLE=1,
    DK_POLICY_SIGNSOME=0.001, HTML_90_100=0.113, HTML_IMAGE_ONLY_24=1.841,
    HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102, RAZOR2_CF_RANGE_51_100=2.5,
    RAZOR2_CF_RANGE_E8_51_100=3.5, RAZOR2_CHECK=1.5, SUBJECT_ENCODED_TWICE=1.723,
    URIBL_BLACK=2.5, URIBL_WS_SURBL=2]

Even though I am running Razor, Pyzor, and DCC, Pyzor does not show up in this X-Spam-Status header because the message did not hit on Pyzor. No different than URIBL_JP_SURBL and URIBL_SC_SURBL did not show up in the header, even though I use those tests, because they did not get a positive hit on the message.

Bill
Re: [AMaViS-user] How to bypass spam filtering for system generated messages
----- Original Message -----
From: "Mark Martinec" <[EMAIL PROTECTED]>

[SNIP]

>> Mark, is amavisd-new missing anything that I should be concerned about by
>> having mail injected via SMTP vs. ESMTP? I noticed that Postfix delivers
>> to Amavisd via ESMTP, but the smtpclient delivers via SMTP.
>
> Since you were happy with a previous use of pipe/sendmail, you probably
> won't be missing much. As mouss stated, you'd be throwing away DSN
> options, PIPELINING and 8BITMIME announced capability, and ability to
> pass client IP address to amavisd through XFORWARD smtp command extension,
> but you didn't have these before either.

Thanks Mark. So would a warning like this:

Our content checker found
Non-encoded 8-bit data (char C8 hex): X-Source: \310\250\360\267\314|\214\277\312\212\360\267\202\226\360\267...

not be seen if Postfix were delivering to Amavisd via ESMTP?

Bill
Re: [AMaViS-user] How to bypass spam filtering for system generated messages
----- Original Message -----
From: "Gary V" <[EMAIL PROTECTED]>

> Bill wrote:
>
>>> Is there a way to direct these system messages so that they bypass spam
>>> filtering?
>>>
>>> http://www200.pair.com/mecham/spam/bypassing.html#11
>>>
>>> Thanks Gary, however, the issue I run into with this option is that I run
>>> multiple content-filters, and the first one actually pipes mail (via the
>>> Postfix "sendmail" command) back into postfix which uses the "pickup" daemon
>>> to retrieve the message. Since this content-filter runs before the
>>> amavisd content-filter, if I add:
>>>
>>> pickup fifo n - n 60 1 pickup
>>>    -o content_filter=
>>>
>>> then the amavis content-filter does not get called. I have to run the amavis
>>> content-filter second in order for SA to be able to score the header
>>> mark-up from the first content-filter. I have not been able to figure out
>>> if there is a way to tell "sendmail" to use an alternate "pickup" daemon
>>> when piping a message back to Postfix.
>
> I did not come up with anything. You have the first filter:
>
> smtp inet n - n - - smtpd
>    -o content_filter=filter
> snfilter unix - n n - 10 pipe
>    flags=q user=filter argv=/var/spool/filter/filter -f ${sender} ${recipient}
>
> which sends everything through the pickup daemon. I could not find a
> way for 'pickup' to differentiate mail from (for example) from all the
> other mail.
>
> You mentioned you are changing the filter to deliver via smtp. I'm
> sure this will be more flexible.
>
> I don't know what this filter does, but moving it to the amavisd-new
> reinjection port might be an option. Then you would need to override
> the content_filter for the pickup daemon to prevent loops. Downside is
> since recipient expansion occurs within amavisd-new, unless I'm wrong,
> the filter would be called for each recipient. On the other hand, does
> this filter expand the recipients so amavisd-new gets a separate
> message for each recipient? If so, you should consider placing the
> less efficient filter in front of the more efficient filter (if it
> makes sense to do so). I assume when a message is expanded in
> amavisd-new, the reinjection port gets one separate message for each
> recipient.

I wrote a script that delivers the post-scanned MessageSniffer message directly to amavisd-new on 127.0.0.1:10024 by using the smtpclient to handle the delivery instead of the Postfix sendmail client. This appears to be working great, and allows me to bypass content filtering on the Postfix "pickup" daemon.

Chaining the content-filters together also reduces the number of message hand-offs and also cuts down on the amount of Postfix logging. The message delivery process now looks like:

Postfix --> MessageSniffer --> Amavisd-new --> Postfix --> Maildrop --> Dovecot,

removing the Postfix hand-off between MessageSniffer and Amavisd-new.

Mark, is amavisd-new missing anything that I should be concerned about by having mail injected via SMTP vs. ESMTP? I noticed that Postfix delivers to Amavisd via ESMTP, but the smtpclient delivers via SMTP.

Bill
Re: [AMaViS-user] How to bypass spam filtering for system generated messages
----- Original Message -----
From: "Gary V" <[EMAIL PROTECTED]>

> Bill wrote:
>>> Is there a way to direct these system messages so that they bypass spam filtering?
>>> Bill
>>>
>>> http://www200.pair.com/mecham/spam/bypassing.html#11
>
>> Thanks Gary, however, the issue I run into with this option is that I run
>> multiple content-filters, and the first one actually pipes mail (via the
>> Postfix "sendmail" command) back into postfix which uses the "pickup" daemon
>> to retrieve the message. Since this content-filter runs before the amavisd
>> content-filter, if I add:
>
>> pickup fifo n - n 60 1 pickup
>>    -o content_filter=
>
>> then the amavis content-filter does not get called. I have to run the amavis
>> content-filter second in order for SA to be able to score the header
>> mark-up from the first content-filter. I have not been able to figure out
>> if there is a way to tell "sendmail" to use an alternate "pickup" daemon
>> when piping a message back to Postfix.
>
>> Bill
>
> Let's see your master.cf

Sent off-list...

Bill
Re: [AMaViS-user] How to bypass spam filtering for system generated messages
----- Original Message -----
From: "Gary V" <[EMAIL PROTECTED]>

> Bill wrote:
>
>> I am wondering how people handle system messages and how best to keep them
>> from being spam filtered and possibly designated as spam. Here are the full
>> headers from one of my LogWatch messages that got designated as spam:
>> ==
>> Return-Path: <[EMAIL PROTECTED]>
>> X-Original-To: [EMAIL PROTECTED]
>> Delivered-To: [EMAIL PROTECTED]
>> X-Virus-Scanned: by amavisd-new at mail.example.com
>> X-Spam-Flag: YES
>> X-Spam-Score: 11.781
>> X-Spam-Status: Yes, score=11.781 required=10 tests=[AWL=-12.425,
>> BAYES_00=-2.599, BODY_FREE_TRIAL=2.522, BODY_GAPPY_TEXT=1.922,
>> BODY_PREAPPROVED=1.811, BODY_ROLEX=3.111, CHICKENPOX_64=0.5,
>> CHICKENPOX_82=0.5, LONGWORDS_15=1, LW_FAKEROLEX=5, LW_ROLEX=1,
>> LW_ROLEXWATCH=1, NO_RELAYS=-0.001, REPLICA_WATCH=2.9, ROLEX_BODY=0.5,
>> SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_NOV5A=1.062,
>> SARE_SPEC_ROLEX_REP=1.666, UOLCC_ROLEX_BODY1=0.5]
>> To: [EMAIL PROTECTED]
>> Subject: LogWatch for mail.example.com
>> Message-Id: <[EMAIL PROTECTED]>
>> Date: Fri, 22 Sep 2006 03:17:34 -0700 (PDT)
>> From: [EMAIL PROTECTED] (root)
>> ==
>
>> Is there a way to direct these system messages so that they bypass spam
>> filtering?
>
>> Bill
>
> http://www200.pair.com/mecham/spam/bypassing.html#11

Thanks Gary, however, the issue I run into with this option is that I run multiple content-filters, and the first one actually pipes mail (via the Postfix "sendmail" command) back into postfix which uses the "pickup" daemon to retrieve the message. Since this content-filter runs before the amavisd content-filter, if I add:

pickup fifo n - n 60 1 pickup
   -o content_filter=

then the amavis content-filter does not get called. I have to run the amavis content-filter second in order for SA to be able to score the header mark-up from the first content-filter. I have not been able to figure out if there is a way to tell "sendmail" to use an alternate "pickup" daemon when piping a message back to Postfix.

Bill
[AMaViS-user] How to bypass spam filtering for system generated messages
I am wondering how people handle system messages and how best to keep them from being spam filtered and possibly designated as spam. Here are the full headers from one of my LogWatch messages that got designated as spam:

==
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Virus-Scanned: by amavisd-new at mail.example.com
X-Spam-Flag: YES
X-Spam-Score: 11.781
X-Spam-Status: Yes, score=11.781 required=10 tests=[AWL=-12.425,
    BAYES_00=-2.599, BODY_FREE_TRIAL=2.522, BODY_GAPPY_TEXT=1.922,
    BODY_PREAPPROVED=1.811, BODY_ROLEX=3.111, CHICKENPOX_64=0.5,
    CHICKENPOX_82=0.5, LONGWORDS_15=1, LW_FAKEROLEX=5, LW_ROLEX=1,
    LW_ROLEXWATCH=1, NO_RELAYS=-0.001, REPLICA_WATCH=2.9, ROLEX_BODY=0.5,
    SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_NOV5A=1.062,
    SARE_SPEC_ROLEX_REP=1.666, UOLCC_ROLEX_BODY1=0.5]
To: [EMAIL PROTECTED]
Subject: LogWatch for mail.example.com
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 22 Sep 2006 03:17:34 -0700 (PDT)
From: [EMAIL PROTECTED] (root)
==

Is there a way to direct these system messages so that they bypass spam filtering?

Bill
[AMaViS-user] SA add_header
I am wondering if there is a way to configure amavisd-new to allow SA to add the following sample x-header to all messages:

X-Spam-Relay-Country: US CN RU

I have added the following entry to my SA local.cf file, but then realized that amavisd-new does all header markup, not SA:

add_header all Relay-Country _RELAYCOUNTRY_

Can this header somehow be allowed or can amavisd-new be patched to provide support for the SA RelayDomains plugin? For now I would just like the x-header for informational purposes.

Bill
Re: [AMaViS-user] Avast Anti Virus Config
----- Original Message -----
From: "Mark Martinec" <[EMAIL PROTECTED]>

Ok, a little refinement to not include a space after a virus name, and to match a '+' literally. Here are the latest avast entries:

### http://www.avast.com/
['avast! Antivirus daemon',
  \&ask_daemon, # greets with 220, terminate with QUIT
  ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
  qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

### http://www.avast.com/
['avast! Antivirus - Client/Server Version', 'avastlite',
  '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
  qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

### http://www.avast.com/
['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
  '-a -i -n -t=A {}', [0], [1], qr/\[infected by: ([^ \t\n\[\]]+)/ ],

Mark, the avastcmd script above does not capture the virus name in the log file, rather it's only showing:

Feb 21 09:42:13 mgw1.pointshare.com /usr/local/sbin/amavisd[18217]: (18217-01) run_av (Avast! Antivirus): INFECTED:

However, with the previous script:

### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
  '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

I was getting the virus name:

Feb 16 19:05:28 mgw1.pointshare.com /usr/local/sbin/amavisd[26635]: (26635-01) run_av (Avast Anti-Virus): INFECTED: Win32:Beagle-IB [Wrm]

But I could not quite seem to figure out how to strip the "[Wrm]" from the end of the line.

Bill
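The three generations of the avast daemon patterns quoted in this thread (the original entry, Mark's first revision, and the refinement above), run side by side as an added example that is not part of the original messages or of amavisd-new. Python's re module stands in for Perl here, the "[" inside each character class is backslash-escaped for Python, and the daemon reply is adapted from the level-5 log sample posted earlier in the thread.

```python
import re

# Daemon reply adapted from the "ask_av ... result:" log sample in this thread.
PARTS = "/var/amavis/tmp/amavis-20060213T175527-10253/parts/"
REPLY = (
    "220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n"
    "200 OK\r\n"
    + PARTS + "p005\t[+]\r\n"
    + PARTS + "p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n"
    + PARTS + "p001\t[+]\r\n"
    "\r\n221 Service closing transmission channel\r\n"
)

# Pattern meant to recognise a clean part ("[+]" after a tab).
CLEAN_PATTERNS = {
    'original':       r'[\t]\[+\]',   # \[+ means "one or more [", not a plus sign
    'first revision': r'\t\[.\]',     # any one character between the brackets
    'refined':        r'\t\[\+\]',    # a literal plus sign
}

# Pattern meant to capture the virus name that follows "[L]".
NAME_PATTERNS = {
    'original':       r'[\t]\[L\][\t](.+)[^\r\n]',
    'first revision': r'\t\[L\]\t([^\[\015\012]+)',
    'refined':        r'\t\[L\]\t([^\[ \t\015\012]+)',
}


def parts_matching(pattern, reply=REPLY):
    """File names (p001, p004, ...) of the reply lines the pattern matches."""
    rx = re.compile(pattern)
    return [line.split('\t', 1)[0].rsplit('/', 1)[-1]
            for line in reply.split('\r\n') if rx.search(line)]


def virus_names(pattern, reply=REPLY):
    """Every virus name the pattern captures from the whole reply."""
    return re.findall(pattern, reply)


if __name__ == '__main__':
    for label in ('original', 'first revision', 'refined'):
        print('%-15s clean parts: %-24r names: %r' % (
            label,
            parts_matching(CLEAN_PATTERNS[label]),
            virus_names(NAME_PATTERNS[label])))
```

The original name pattern loses the closing bracket to its trailing `[^\r\n]`, which is the " [Wrm" seen in the log; the first revision stops at the bracket but keeps the space before it, and its clean pattern also matches the infected "[L]" line.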
Re: [AMaViS-user] Avast Anti Virus Config
- Original Message -
From: "Mark Martinec" <[EMAIL PROTECTED]>

> Bill,
>
> > (08400-01-2) ask_av (Avast! Antivirus daemon):
> > /var/amavis/tmp/amavis-20060213T104403-08400/parts INFECTED: Win32:Beagle-HZ
> > [Wrm
>
> > What modification can I make to:
> > qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],
> >
> > in order to cut " [Wrm" from the end of the log output line?
>
> This regexp does indeed look fishy.
>
> Could you please provide a couple of samples from the log (level 4 or above):
> egrep 'ask_av .* result: ' /var/log/amavisd.log

Here are two samples at log level 5:

Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-HZ [Wrm]\r
=
Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-AH [Wrm]\r

> The [\t] occurrences could just as well be a plain \t
> and the [^\r\n] eats the last ], and possibly misbehaves
> on Mac OS X. The \[+ looks suspicious too: matching
> one or more left brackets.
>
> Here is my blind guess at improvement:
>
> qr/\t\[.\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[\015\012]+)/ ],

Here is the output of the same two viruses from your parse string above:

Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-HZ
=
Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-AH

The output looks great. Let me know if you want to revise the parse string and would like me to do any further testing for you.

Thanks for your assistance with this, Mark!

Bill

PS, here is what I found to be most optimal settings for the Avast command line (avastcmd) scanner entry for amavisd.conf:

  ### http://www.avast.com/
  ['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

This is based on the following scanner options:

=
avastcmd --help
Usage: avastcmd [OPTION...]
avastcmd v2.0.0 -- command-line virus scanner

Options:
  -_, --console          Application will be working in STDIN/STDOUT mode
  -a, --testall          Test all of the files (default)
  -b, --blockdevices     Scan block devices
  -c, --testfull         Scan entire files
  -d, --directory        Scan only directory content
  -i, --ignoretype       Ignore virus sets
  -n, --nostats          No virus check statistics
  -p, --continue=1234    Automatic action with infected file: 1:delete, 2:(not supported), 3:repair, 4:stop
  -r, --report=[*]file   Create report file, '*' for OK results
  -t, --archivetype[=ZGBTIJRXOQLAN]   Scan archives: Z:ZIP(default), G:GZ(default), B:BZIP2(default), T:TAR(default), I:MIME J:ARJ, R:RAR, X:Exec(default), O:ZOO,
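The three generations of daemon patterns posted in this thread, run side by side against one logged reply. This is an added example, not code from the thread or from amavisd-new: the reply string is rebuilt from the level-5 log sample above with the archive's line wraps rejoined, and the set labels are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Daemon reply rebuilt from the level-5 "ask_av ... result:" log sample in the
# thread: archive line wraps removed, \r \n \t turned back into real bytes.
my $dir   = '/var/amavis/tmp/amavis-20060213T175527-10253/parts';
my $reply = "220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n"
          . "200 OK\r\n"
          . "$dir/p005\t[+]\r\n"
          . "$dir/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n"
          . "$dir/p001\t[+]\r\n\r\n"
          . "221 Service closing transmission channel\r\n";

# The three pattern sets as posted: [ label, clean, infected, virus name ].
my @sets = (
  [ 'original',    qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],
  [ 'first guess', qr/\t\[.\]/,   qr/\t\[L\]\t/,     qr/\t\[L\]\t([^[\015\012]+)/ ],
  [ 'refined',     qr/\t\[\+\]/,  qr/\t\[L\]\t/,     qr/\t\[L\]\t([^[ \t\015\012]+)/ ],
);

# Only the per-file result lines matter; skip the 220/200/221 protocol lines.
my @parts = grep { index($_, $dir) == 0 } split /\r\n/, $reply;

for my $set (@sets) {
  my ($label, $clean_re, $infected_re, $name_re) = @$set;
  my (@clean, @infected);
  for my $line (@parts) {
    my ($part) = $line =~ m{/(p\d+)\t};          # p005, p004, p001
    push @clean,    $part if $line =~ $clean_re;
    push @infected, $part if $line =~ $infected_re;
  }
  # Capture against the whole reply; the quotes make a trailing space visible.
  my @names = $reply =~ /$name_re/g;
  printf "%-12s clean=[%s] infected=[%s] name=%s\n", $label,
    join(',', @clean), join(',', @infected),
    join(' ', map { qq{"$_"} } @names);
}
```

Each output row lists which part files a set treats as clean or infected and the virus name it would log, so a status pattern that matches too little or too much is visible before the entry goes into amavisd.conf.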
Re: [AMaViS-user] Avast Anti Virus Config
- Original Message -
From: "Mark Martinec" <[EMAIL PROTECTED]>

Bill,

> Has anyone created an amavisd.conf entry for Avast AV scanning support?
> If so, would you be willing to share the entry?

Responding to my own post, for anyone interested, the command line entry for the Avast virus scanner that will work in the amavisd.conf file is:

Avast entries in my current code are:

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,   # greets with 220, terminates with QUIT
#   ["SCAN {}\r\nQUIT\r\n", '/var/run/avast4/mailscanner.sock'],
#   qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/[\t]\[L\][\t](.+)/ ],

  ### http://www.avast.com/
  ['avast! Antivirus', 'avastcmd',
    '-ai -n -tA {}', [0], [1], qr/infected by: (.*)/ ],

kindly provided by Frantisek Mensik, ALWIL Software

Thanks Mark, exactly what I was looking for. One more question, my log output now looks like:

=
Feb 13 10:45:40 mgw1.pointshare.com /usr/local/sbin/amavisd[8400]: (08400-01-2) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T104403-08400/parts INFECTED: Win32:Beagle-HZ [Wrm
=

What modification can I make to:

qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],

in order to cut " [Wrm" from the end of the log output line?

Thanks,

Bill
Re: [AMaViS-user] Avast Anti Virus Config
- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>

Has anyone created an amavisd.conf entry for Avast AV scanning support? If so, would you be willing to share the entry?

Responding to my own post, for anyone interested, the command line entry for the Avast virus scanner that will work in the amavisd.conf file is:

  ### http://www.avast.com/
  ['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -c -t=A {}', [0], [1], qr/infected by: (.+) / ],

However, Avast also runs as a daemon, but I am not sure how to test and create the daemon support for the amavisd.conf file. Here are the parameters I currently have set for the Avast daemon in the avastd.conf file:

===
[local]
daemoncount = 4
maxdaemoncount = 10
listen = /var/run/avast4/local.sock
remoteclients = false
timeout = 60
user = root
;rootdir = /var
subdirs = true
# scanner flags :
testall = true
testfull = false
ignoretype = false
# scanner packers :
archivetype = A
# determine packer bomb :
maxfilesizetoextract = 10
maxcompressionratio = 98
compressioncheckthreshold = 1
# log scan results :
loginfected = true
logerrors = true
logcorrect = false
===

Any suggestions/recommendations on how to setup and test the Avast daemon entries for amavisd.conf would be greatly appreciated.

Bill
[AMaViS-user] Avast Anti Virus Config
Has anyone created an amavisd.conf entry for Avast AV scanning support? If so, would you be willing to share the entry?

TIA,

Bill
Re: [AMaViS-user] While on the BitDefender subject
- Original Message -
From: "Vernon A. Fort" <[EMAIL PROTECTED]>

While on the bitdefender topic, I've had to disable this scanner on several servers due to system load. I use gentoo on most servers, standard setup... postfix+amavisd-new+clamav+spamassassin

I typically use 2-3 scanners on each server but the CPU load with bitdefender appears very high - usually around 40-60 cpu usage per instance. The main reason I'm asking is I just had to disable this scanner on a dual Xeon 3.0 with 2G of memory because I was getting out-of-memory kernel panic. This server does process 50k messages per day with around 15k email accounts. I even dropped the amavis to 3 clients (as well as master.cf) which did not help.

Has anyone else experienced this or have any tips on limiting its cpu usage?

Vernon, on a test server I run that has 7 scanners installed (AVG, UVScan, Sophos, F-Prot, TrendMicro, ClamAV, and BitDefender), BitDefender is by far the slowest of all scanners, taking at least 4X longer than even the next slowest scanner. I would not use nor recommend its usage in a heavily loaded production environment.

Bill