AW: AW: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
Strange:

  But as I see now, if I add:
  $banned_filename_re = new_RE(
  ...
   [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
   [ qr'^\.(gz)$'                  => 0 ],  # allow gzipped
   [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
   [ qr'^\.(smp)$'                 => 0 ],  # allow Supermailer file
 
  not only are forbidden exe files (within banned_filename_re) passed,
  but the complete virus check is also being passed?!
 
 Banning (or allowing certain files to pass through banned checks) does
 not affect virus scanning.

Before activating the banned_re as described below, an eicar.zip was
detected as a virus properly (OK, due to BANNED NAME). Now, after
activating the banned_re, eicar.zip passes with no warning. Sure, an
eicar.com is being removed due to banned_re (.com)

But also if I send a VIRUS file with changed extension:
The message WILL NOT BE delivered to:
Scanner detecting a virus: Clam Antivirus-clamd
...
   550 5.7.1 Message content rejected, id=23377-09 - VIRUS:
Trojan.PSW.Snitch.11
...
Virus scanner output:
   /var/lib/amavis/amavis-20060403T123355-23377/parts/part-2:
Trojan.PSW.Snitch.11 FOUND

And if I zip this file and send it, it isn't detected
anymore

What's wrong here?!

Miro Dietiker

Miro Dietiker, MD Systems




___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
Oh..

  And if I zip this file and send it, it isn't detected
  anymore
 
 Either your zip decoding doesn't work, or your file(1) utility
 doesn't recognize a zip, or it isn't a zip at all.

You're right, amavis doesn't unzip correctly (or doesn't even try to?):

tiger:~# file a.zip
a.zip: Zip archive data, at least v1.0 to extract

On start, amavisd-new reports:
amavisd-new[14469]: Module Archive::Zip

But in the debug log, no extraction happens:
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Extracting mime components
..
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Charging 0 bytes to remaining quota 1094711 (out of 1095000, (0%)) - by mime_decode
..

My complete log:  http://dev.rootnet.ch/amavisd-new-debug.log
My complete conf: http://dev.rootnet.ch/amavisd.conf
(mostly debian sarge preset with some minimal extensions)

In amavisd.conf: no entry for any 'zip'.
But from the docs (/usr/share/doc/amavisd-new) and some googling, I
couldn't find out how to configure it..

I kindly ask you to give me a hint :-)

Thanks - Miro






AW: AW: [AMaViS-user] Allowing exe files in zip format

2006-04-03 Thread Miro Dietiker, MD Systems
How right you are!

 (14600-01) run_command: [14609]... parts/part-2
 (14600-01) File-type of part-2: empty; (.empty)
 
 Your second MIME part is empty.
 
 It bears a Content-type: application/octet-stream,name:eicar.zip,
 but there is no content, zero bytes there.

My local antivirus removed the file without asking (even though I had
deactivated it - but that's another topic) *%/%/ç%*
...'magic' applications...

Sure the system works properly and unpacks zips perfectly :-)

Thanks a lot - Miro






AW: [AMaViS-user] strange reply

2006-02-14 Thread Miro Dietiker, MD Systems
Hi Attila

 I created users in ldap and mailboxes in cyrus but I can't send an
 email for them. I got mail_via_smtp: 550 5.1.0 unknown user.
 If I create a user in the local passwd file I can send one.

In the case of an MTA (sendmail, postfix) which implements SMTP, you also
need to tell it the local recipient table (local users and domains) as
well as the aliases.

Miro



AW: [AMaViS-user] strange reply

2006-02-14 Thread Miro Dietiker, MD Systems
Sorry sorry sorry ... completely wrong mailing target



AW: [AMaViS-user] strange reply

2006-02-14 Thread Miro Dietiker, MD Systems
 From: [EMAIL PROTECTED] [mailto:amavis-user-
 Miro,
 
  $final_spam_destiny = D_REJECT;
 
 Never use D_REJECT in dual-MTA or Postfix setups
 you will cause indiscriminate bounces from your MTA.
 The D_REJECT is only appropriate for sendmail milter setup
 (or pre-queue Postfix setup).

OK, I updated it for me... This was the Debian default, I expect.
Rejecting would be much more appreciated if it could be reported by the
MUA immediately... But I see your explanation.
This would result in having (many?) failing bounces in my queue, right?
Let's see the results for the next few days.

These bounces are in general generated between $sa_kill_level_deflt and
$sa_dsn_cutoff_level for me.. right?

 
 The D_BOUNCE is better behaved, many undesired bounces
 are suppressed thanks to @viruses_that_fake_sender_maps
 and $sa_dsn_cutoff_level settings.
 
   Mark

Many Thanks - Miro






[AMaViS-user] strange reply

2006-02-12 Thread Miro Dietiker, MD Systems
Hi folks

I received a message today in my root account:
##SNIP START
Subject: message not delivered
Date: Sun, 12 Feb 2006 17:21:13 +0100
From: Mail system [EMAIL PROTECTED]
..
Your message for [EMAIL PROTECTED], subject: Undelivered Mail
Returned to Sender  was rejected because mailbox does not exists
##SNIP END

Then I looked for the reason and found none!
I never tried to send such a message.
Looking at my logs, I see that I received a mail (detected as spam) with
this source address. But my configuration looks like this:
(trying to reduce it to the relevant parts)
##SNIP START
$final_virus_destiny  = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny   = D_REJECT;
$final_bad_header_destiny = D_PASS;

$sa_tag2_level_deflt = 6.31;
$sa_kill_level_deflt = 12;
$sa_dsn_cutoff_level = 15;
##SNIP END

Now my SPAM report looks like:
##SNIP START
Unsolicited bulk email from:
   [EMAIL PROTECTED]
Subject: Re: mainland synchrophasotron

According to the 'Received:' trace, the message originated at:
   fionline.it (dslb-084-058-213-082.pools.arcor-ip.net [84.58.213.82]) 

The message WILL NOT BE delivered to:
[EMAIL PROTECTED]:
   550 5.7.1 Message content rejected, UBE, id=15076-01
##SNIP END

So my system never sent a mail but rejected one that was detected as
spam.

Why do I receive such a delivery failure notification?

I expect that the strange spammer software which originated the SPAM
sent to my server, faking that address, generated an error report
sent to the server of the faked address due to my REJECT.
Strange behaviour... Do you agree?

This mail really made me unsure about my system's functionality and
security.
Since any kind of mail going out of my system is written to a log,
and there's nothing like that...
I never saw such behaviour before.

Any opinion appreciated.

:-) Miro

Please include me personally in the reply list.


AW: [AMaViS-user] forwarding viruses to host

2006-01-04 Thread Miro Dietiker, MD Systems
OOPS: the previous mail was sent with the wrong sender address! Retry:

Thanks Gary, I found the solution with your help :)

Gary V wrote:

I'm not exactly clear on all points of your setup but
maybe this would work (or at least give you one idea).

check_client_access hash:/etc/postfix/amavis_quarantine

/etc/postfix/amavis_quarantine:
192.168.1.15 FILTER smtp-amavis:[127.0.0.1]:10026

in amavisd.conf:
$inet_socket_port = [10024,10026];

Since both servers run a standard webserver/mailserver environment, they
should communicate with each other using the same path as external
servers. Opening a second port with separate rules would be an oversized
solution.


Then set up a policy bank. This will override amavisd-new's configured
settings for any message received on port 10026.

$interface_policy{'10026'} = 'QUARANTINE';
$policy_bank{'QUARANTINE'} = {
  bypass_spam_checks_maps   => [[qw( [EMAIL PROTECTED] )]],
  bypass_banned_checks_maps => [[qw( [EMAIL PROTECTED] )]],
  bypass_virus_checks_maps  => [[qw( [EMAIL PROTECTED] )]],
  ...
 Gary V

And this was the moment when I realised:

Simply bypassing the spam checks for my two quarantine accounts would
result in the right behaviour, no matter which source.

@bypass_spam_checks_acl  = qw( [EMAIL PROTECTED] );

Virus checks don't need to be bypassed since I don't deliver viruses in
the collector mailbox and therefore no scanner would catch anything.



[AMaViS-user] forwarding viruses to host

2005-12-28 Thread Miro Dietiker, MD Systems
Hi!

I'm running two servers with amavisd-new under debian with postfix.

On Server A there is a spam collection account [EMAIL PROTECTED], to which
all viruses have to be delivered.
On host B all spam found should be delivered to Server A into the
spam.collect account.

If Server A receives SPAM, I can see two messages in the spam.collect
box: the SPAM mail itself, and a report for each SPAM with the title
SPAM FROM xxx

If Server B receives SPAM, I can see three messages since (I expect)
server B identifies the spam, generates a SPAM FROM message to Server A
and forwards the SPAM itself to Server A, where server A also identifies
the message as SPAM again and produces a second report...
This second report always shows up as SPAM FROM (?) where the
exclamation mark is present.

What would be the right or common way to forward those mails?
I was already thinking of using a transport from B to A, not being
handled via amavis, but I don't want to switch off too many checks and
don't want to open unnecessary ports.

Any suggestions to this setup?

Thanks a lot



AW: [AMaViS-user] Allowing exe files in zip format

2005-12-28 Thread Miro Dietiker, MD Systems
This one would interest me too ...
Which variable did you pass this option to? Could you paste the paragraph here?

In my Debian amavisd.conf there is no such line to uncomment.

Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of MJ
Sent: Wednesday, 28 December 2005 15:55
To: amavis-user@lists.sourceforge.net
Subject: RE: [AMaViS-user] Allowing exe files in zip format

Hi,

Got it. I uncommented the following line in /etc/amavisd.conf and it
solved my problem.

[ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives

Thanks,

MJ
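An added illustration, not code from this thread or from amavisd-new itself: a small Python model of how the $banned_filename_re list quoted in these mails is evaluated, showing why uncommenting the ".zip => 0" line lets an .exe inside a zip pass the banned check, while a rule placed earlier in the list (the "blocked anywhere" types) still applies inside archives. The first-matching-rule-in-list-order semantics and the per-part descriptor lists are assumptions of this model.

```python
import re

# Added example, not amavisd-new's own code: a simplified model of how the
# $banned_filename_re list quoted in this thread is evaluated.  Each entry is
# (regexp, banned): a bare qr'...' line in amavisd.conf means "banned" (True),
# a "[ qr'...' => 0 ]" line means "explicitly allowed" (False).
# Assumption: the first rule, in list order, that matches ANY descriptor string
# of a part (its own name and type plus those of the archives containing it)
# decides.  That is why an early ".zip => 0" entry covers everything inside
# the archive, while a rule placed before it still applies inside archives.

def make_rules(allow_archives):
    """Build the rule list with the '.zip => 0' line commented out or not."""
    rules = [
        (re.compile(r'^\.(exe-ms|dll)$'), True),        # blocked anywhere
        (re.compile(r'^\.(rpm|cpio|tar)$'), False),     # allow any in Unix-type archives
    ]
    if allow_archives:                                  # the line MJ uncommented
        rules.append((re.compile(r'^\.(zip|rar|arc|arj|zoo)$'), False))
    rules += [
        (re.compile(r'^application/x-msdownload$', re.I), True),  # block this MIME type
        (re.compile(r'.\.(exe|vbs|pif|scr|cpl)$', re.I), True),   # banned extensions
    ]
    return rules

def check_part(descriptors, rules):
    """Return (banned, pattern) for one MIME part; (False, None) if nothing matched."""
    for rx, banned in rules:
        for d in descriptors:
            if rx.search(d):
                return banned, rx.pattern
    return False, None

# Constructed descriptor lists: outermost container first, the part itself last.
EXE_IN_ZIP   = ['.zip', 'archive.zip', 'application/octet-stream', '.exe', 'setup.exe']
MSEXE_IN_ZIP = ['.zip', 'archive.zip', 'application/octet-stream', '.exe-ms', 'setup.exe']
EXE_IN_TAR   = ['.tar', 'bundle.tar', 'application/x-tar', '.exe', 'setup.exe']
BARE_EXE     = ['application/octet-stream', '.exe', 'setup.exe']

def report(allow_archives):
    """Map each constructed case to its (banned, pattern) verdict under one config."""
    rules = make_rules(allow_archives)
    cases = {'exe in zip': EXE_IN_ZIP, 'exe-ms in zip': MSEXE_IN_ZIP,
             'exe in tar': EXE_IN_TAR, 'bare exe': BARE_EXE}
    return {name: check_part(desc, rules) for name, desc in cases.items()}

if __name__ == '__main__':
    for label, allow in (('zip rule commented out', False), ('zip rule uncommented', True)):
        print(label)
        for name, (banned, pat) in report(allow).items():
            print(f'  {name:14s} banned={str(banned):5s} by {pat}')
```

Note how the exe-ms case stays banned under both configurations only because its rule precedes the archive rule; moving the ".zip => 0" line above it would turn the archive into a full bypass.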









AW: [AMaViS-user] forwarding viruses to host

2005-12-28 Thread Miro Dietiker, MD Systems
Oops... subject mistake ...

I'm primarily talking about SPAM forwarding. Virus forwarding works with no
trouble, since the virus is removed on the source (complaining) server
.. so the notification to the collect server is unpolluted...

But that SPAM forwarding is still unclear..
(so replace all "virus" with "spam" to understand my question right
...sorry)

Isn't it possible (or what are the arguments against it) to make a spam
report with the original message attached as a file?
Or any other suggestion about configuring that central spam collector?

Thanks - Miro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Miro
Dietiker, MD Systems
Sent: Wednesday, 28 December 2005 13:36
To: amavis-user@lists.sourceforge.net
Subject: [AMaViS-user] forwarding viruses to host




