AW: AW: AW: [AMaViS-user] Allowing exe files in zip format
Strange: But as I see now, if I add:

    $banned_filename_re = new_RE(
      ...
      [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives
      [ qr'^\.(gz)$' => 0 ],  # allow gzipped
      [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
      [ qr'^\.(smp)$' => 0 ],  # allow Supermailer file

not only forbidden exe files (within banned_filename_re) are passed, but also complete virus check is being passed?!

Banning (or allowing certain files to pass through banned checks) does not affect virus scanning.

Before activating the banned_re as described below, an eicar.zip has been detected as a virus properly (OK, due to BANNED NAME). Now after the activation of the banned_re, eicar.zip passes with no warning. Sure, an eicar.com is being removed due to banned_re (.com)

But also if I send a VIRUS file with changed extension:

    The message WILL NOT BE delivered to:
    Scanner detecting a virus: Clam Antivirus-clamd
    ...
    550 5.7.1 Message content rejected, id=23377-09 - VIRUS: Trojan.PSW.Snitch.11
    ...
    Virus scanner output:
    /var/lib/amavis/amavis-20060403T123355-23377/parts/part-2: Trojan.PSW.Snitch.11 FOUND

And if I do a zip in this file and send it, it isn't being detected anymore

What's wrong here?!

Miro Dietiker
MD Systems Miro Dietiker

---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
AW: [AMaViS-user] Allowing exe files in zip format
Oh..

And if I do a zip in this file and send it, it isn't being detected anymore

Either your zip decoding doesn't work, or your file(1) utility doesn't recognize a zip, or it isn't a zip at all.

You're right, amavis doesn't unzip correctly (or doesn't even try to?):

    tiger:~# file a.zip
    a.zip: Zip archive data, at least v1.0 to extract

On start, amavisd-new reports:

    amavisd-new[14469]: Module Archive::Zip

But on debug, no extraction happens

    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Extracting mime components
    ..
    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
    Apr 3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Charging 0 bytes to remaining quota 1094711 (out of 1095000, (0%)) - by mime_decode
    ..

My complete log: http://dev.rootnet.ch/amavisd-new-debug.log
My complete conf: http://dev.rootnet.ch/amavisd.conf (mostly debian sarge preset with some minimal extensions)

In amavisd.conf: no entry for any 'zip'

But as of the docs (/usr/share/doc/amavisd-new) and some googling, I couldn't find how to configure..

I kindly ask you to give me a hint :-)

Thanks - Miro
AW: AW: [AMaViS-user] Allowing exe files in zip format
How right you are!

    (14600-01) run_command: [14609]... parts/part-2
    (14600-01) File-type of part-2: empty; (.empty)

Your second MIME part is empty. It bears a Content-type: application/octet-stream,name:eicar.zip, but there is no content, zero bytes there.

My local antivirus has removed the file without asking (even though I deactivated it - but that's another topic) *%/%/ç%* ...'magic' applications...

Sure the system works properly and unpacks zips perfectly :-)

Thanks a lot - Miro
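The condition diagnosed in the message above, a named attachment that reaches amavisd-new with zero bytes so that nothing is left to unpack or scan, can be searched for in a debug log. This is an added example, not part of the original thread: the log lines are a constructed sample modelled on those quoted above, and pairing each `mime_decode` line with the `Charging N bytes` line that follows it is an assumption based on that excerpt.

```python
import re

# Constructed sample, modelled on the amavisd-new debug lines quoted in the thread.
SAMPLE_LOG = """\
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Extracting mime components
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) mime_decode: Content-type: application/octet-stream, name: eicar.zip
Apr  3 17:14:38 dev.rootnet.ch amavisd-new[14471]: (14471-01) Charging 0 bytes to remaining quota 1094711 (out of 1095000, (0%)) - by mime_decode
Apr  3 17:20:02 dev.rootnet.ch amavisd-new[14471]: (14471-02) mime_decode: Content-type: application/zip, name: report.zip
Apr  3 17:20:02 dev.rootnet.ch amavisd-new[14471]: (14471-02) Charging 1834 bytes to remaining quota 1093166 (out of 1095000, (0%)) - by mime_decode
Apr  3 17:31:09 dev.rootnet.ch amavisd-new[14600]: (14600-01) File-type of part-2: empty; (.empty)
"""

AM_ID = r"\((?P<id>\d+-\d+)\)\s+"  # per-message id such as (14471-01)
DECODE = re.compile(AM_ID + r"mime_decode: Content-type: [^,]+, name: (?P<name>.+)$")
CHARGE = re.compile(AM_ID + r"Charging (?P<n>\d+) bytes .* by mime_decode")
EMPTY = re.compile(AM_ID + r"File-type of (?P<part>part-\d+): empty")


def find_empty_parts(log_text):
    """Return (am_id, part, reason) for attachments that arrived without content."""
    pending = {}    # am_id -> attachment name from the latest mime_decode line
    findings = []
    for line in log_text.splitlines():
        m = DECODE.search(line)
        if m:
            pending[m["id"]] = m["name"].strip()
            continue
        m = CHARGE.search(line)
        if m:
            # Assumption: the charge line belongs to the part decoded just before it.
            name = pending.pop(m["id"], None)
            if name is not None and int(m["n"]) == 0:
                findings.append((m["id"], name, "0 bytes decoded"))
            continue
        m = EMPTY.search(line)
        if m:
            findings.append((m["id"], m["part"], "file type empty"))
    return findings


if __name__ == "__main__":
    for am_id, part, reason in find_empty_parts(SAMPLE_LOG):
        print(f"{am_id}: {part}: {reason}, no content reached the scanner")
```

A hit means the test message itself was altered before amavisd-new saw it, so a "virus not detected" result from that message says nothing about the scanner or the banned-file rules.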
AW: [AMaViS-user] strange reply
Hi Attila

I created users in ldap and mailboxes in cyrus but I can't send an email for them. I got mail_via_smtp: 550 5.1.0 unknown user. If I created user in local passwd file I can send one.

In case of MTA (sendmail, postfix) which implements SMTP you need to tell them also the local recipient (local users and domains) table as the aliases too.

Miro

Miro Dietiker
MD Systems Miro Dietiker
AW: [AMaViS-user] strange reply
Sorry sorry sorry ... completely wrong mailing target

Miro Dietiker
MD Systems Miro Dietiker
AW: [AMaViS-user] strange reply
From: [EMAIL PROTECTED] [mailto:amavis-user-

Miro,

    $final_spam_destiny = D_REJECT;

Never use D_REJECT in dual-MTA or Postfix setups, you will cause indiscriminate bounces from your MTA. The D_REJECT is only appropriate for sendmail milter setup (or pre-queue Postfix setup).

OK, I updated it for me... This was debian default I expect. Rejecting would be much more appreciated if possible to be reported by MUA immediately... But I see your explanation. This would result in having (many?) failing bounces in my queue, right? Let's see the results for the next few days. These bounces are in general generated between $sa_kill_level_deflt and $sa_dsn_cutoff_level for me.. right?

The D_BOUNCE is better behaved, many undesired bounces are suppressed thanks to @viruses_that_fake_sender_maps and $sa_dsn_cutoff_level settings.

Mark

Many Thanks - Miro
[AMaViS-user] strange reply
Hi folks

I received a message today in my root account:

##SNIP START
Subject: message not delivered
Date: Sun, 12 Feb 2006 17:21:13 +0100
From: Mail system [EMAIL PROTECTED]
..
Your message for [EMAIL PROTECTED], subject: Undelivered Mail Returned to Sender was rejected because mailbox does not exists
##SNIP END

Then I looked for the reason and found none! I never tried to send such a message. Looking at my logs, I see receiving a (as spam detected) mail with this source address.

But my configuration looks: (trying to reduce to relevant parts)

##SNIP START
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_REJECT;
$final_bad_header_destiny = D_PASS;
$sa_tag2_level_deflt = 6.31;
$sa_kill_level_deflt = 12;
$sa_dsn_cutoff_level = 15;
##SNIP END

Now my SPAM report looks like:

##SNIP START
Unsolicited bulk email from: [EMAIL PROTECTED]
Subject: Re: mainland synchrophasotron
According to the 'Received:' trace, the message originated at: fionline.it (dslb-084-058-213-082.pools.arcor-ip.net [84.58.213.82])
The message WILL NOT BE delivered to:
[EMAIL PROTECTED]:
550 5.7.1 Message content rejected, UBE, id=15076-01
##SNIP END

So my system never sent a mail but rejected one being detected as spam. Why do I receive such a delivery failure notification?

I expect that the strange SPAMmer software which originated SPAM to be sent to my server and faking that address, generated an error report sent to the server of the faked address due to my REJECT. Strange behaviour... Do you agree?

This mail really made me unsure about my system functionality and security. Since any kind of mail going out of my system is being written to a log and there's nothing like that... I never saw such a behaviour before.

Any opinion appreciated. :-)

Miro

Including me in reply list personally wished

Miro Dietiker
MD Systems Miro Dietiker
AW: [AMaViS-user] forwarding viruses to host
OOPS: wrong sender address taken the mail before! Retry:

Thanks Gary, I found the solution with your help :)

Gary V wrote:

I'm not exactly clear on all points of your setup but maybe this would work (or at least give you one idea).

    check_client_access hash:/etc/postfix/amavis_quarantine

/etc/postfix/amavis_quarantine:

    192.168.1.15 FILTER smtp-amavis:[127.0.0.1]:10026

in amavisd.conf:

    $inet_socket_port = [10024,10026];

Since both servers run standard Webserver/Mailserver environment, they should communicate under each other using the same path as external servers. Opening a second port with separate rules would be an oversized solution.

Then set up a policy bank. This will override amavisd-new's configured settings for any message received on port 10026.

    $interface_policy{'10026'} = 'QUARANTINE';
    $policy_bank{'QUARANTINE'} = {
      bypass_spam_checks_maps => [[qw( [EMAIL PROTECTED] )]],
      bypass_banned_checks_maps => [[qw( [EMAIL PROTECTED] )]],
      bypass_virus_checks_maps => [[qw( [EMAIL PROTECTED] )]],
      ...

Gary V

And this was the moment where I registered: Simple bypassing the spam-checks for my two quarantine accounts would result in the right behaviour. No matter which source.

    @bypass_spam_checks_acl = qw( [EMAIL PROTECTED] );

Virus checks don't need to be bypassed since I don't deliver viruses in the collector mailbox and therefore no scanner would catch anything.

Miro Dietiker
MD Systems Miro Dietiker
[AMaViS-user] forwarding viruses to host
Hi!

I'm running two servers with amavisd-new under debian with postfix. On Server A there is a spam collection account [EMAIL PROTECTED], where all viruses have to be delivered to. On host B all spam found should be delivered to Server A into the spam.collect account.

If now Server A receives SPAM, I can see two messages in the spam.collect box. The SPAM mail itself, and a report for each SPAM with title SPAM FROM xxx

If Server B receives SPAM, I can see three messages since (I expect) server B identifies spam, generates a SPAM FROM message to Server A, forwards SPAM itself to Server A, where server A also identifies message as SPAM again and produces a second report... This second report always shows up as SPAM FROM (?) where the exclamation mark is present.

What would be the right or common way to forward that Mails? I already was thinking of using a transport from B to A, not being handled via amavis but I don't want to switch off too many checks and don't want to open unnecessary ports.

Any suggestions to this setup?

Thanks a lot

Miro Dietiker
MD Systems Miro Dietiker
AW: [AMaViS-user] Allowing exe files in zip format
This one would interest me too ... Which var did you pass this option? May you pass the paragraph here? In my debian amavisd.conf is no such uncommentable line.

Thanks!

Miro Dietiker
MD Systems Miro Dietiker

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MJ
Sent: Wednesday, 28 December 2005 15:55
To: amavis-user@lists.sourceforge.net
Subject: RE: [AMaViS-user] Allowing exe files in zip format

Hi,

Got it. I uncommented the following line in /etc/amavisd.conf and it solved my problem.

    [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives

Thanks,
MJ
AW: [AMaViS-user] forwarding viruses to host
Oops... subject mistake ... I primarily talk of SPAM forwarding.

Virus forwarding works with no trouble, since the virus is being removed on source complaining server .. so the notification to the collect server is unpolluted... But that SPAM-Forwarding still is unclear.. (so replace all virus with spam to understand my question right ...sorry)

Isn't it possible (or what arguments against) to make a spam report with original message attached as a file? Or any other suggestion about configuring that central spam collector?

Thanks - Miro

Miro Dietiker
MD Systems Miro Dietiker

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miro Dietiker, MD Systems
Sent: Wednesday, 28 December 2005 13:36
To: amavis-user@lists.sourceforge.net
Subject: [AMaViS-user] forwarding viruses to host

Hi!

I'm running two servers with amavisd-new under debian with postfix. On Server A there is a spam collection account [EMAIL PROTECTED], where all viruses have to be delivered to. On host B all spam found should be delivered to Server A into the spam.collect account.

If now Server A receives SPAM, I can see two messages in the spam.collect box. The SPAM mail itself, and a report for each SPAM with title SPAM FROM xxx

If Server B receives SPAM, I can see three messages since (I expect) server B identifies spam, generates a SPAM FROM message to Server A, forwards SPAM itself to Server A, where server A also identifies message as SPAM again and produces a second report... This second report always shows up as SPAM FROM (?) where the exclamation mark is present.

What would be the right or common way to forward that Mails? I already was thinking of using a transport from B to A, not being handled via amavis but I don't want to switch off too many checks and don't want to open unnecessary ports.

Any suggestions to this setup?

Thanks a lot

Miro Dietiker
MD Systems Miro Dietiker