[Clamav-users] update
Does anyone know how to install clamav0.81.2 on Fedora Core 1 using RPM packages? I found 4 RPMs on the site, downloaded them and tried to install. I created one group clamav and one user, then I downloaded the RPM key, then I tried to install using the RPMs, but it wants zlib 1.2.2.1. I tried to update with the yum package and it updated to zlib-devel-1.2.0.7-2 and zlib-1.2.0.7-2. Then I tried again to download it and update it using that RPM package; it failed again, and it conflicts with some other packages. Is there any method to install it on Fedora Core? I downloaded the RPM for Fedora Core 1 and I checked whether the necessary packages are installed or not (that clamdoc). Does anyone have an idea how to solve this problem?

Thanks

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
AW: [Clamav-users] update
Please stay on one post and don't make multiple posts with the same problem!

If you have problems with the RPMs, download the source and compile it. If you get problems with the zlib version, read the output on how to ignore the version check.

    ./configure --options
    make
    make install

Greetings,
andy

-----Original Message-----
From: jijo [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 February 2005 09:29
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] update

> Does anyone know how to install clamav0.81.2 on Fedora Core 1 using RPM packages? I found 4 RPMs on the site, downloaded them and tried to install. I created one group clamav and one user, then I downloaded the RPM key, then I tried to install using the RPMs, but it wants zlib 1.2.2.1. I tried to update with the yum package and it updated to zlib-devel-1.2.0.7-2 and zlib-1.2.0.7-2. Then I tried again to download it and update it using that RPM package; it failed again, and it conflicts with some other packages. Is there any method to install it on Fedora Core? I downloaded the RPM for Fedora Core 1 and I checked whether the necessary packages are installed or not (that clamdoc). Does anyone have an idea how to solve this problem?
>
> Thanks
Re: [Clamav-users] update
jijo wrote:
> Does anyone know how to install clamav0.81.2 on Fedora Core 1 using RPM packages?
> [..]
> Does anyone have an idea how to solve this problem? Thanks

There are several ways to do it. You can go to some repository (for example crash.fce.vutbr.cz) and click through the directory structure until you find all the needed packages. All the prepared binary packages are there: clam + zlib. Download them and install manually. Remove the clamav user first; the RPM package creates it by itself.

You can use the yum tool, too. Add these lines to /etc/yum.conf:

    #
    [crash-hat]
    name=Fedora Core $releasever - $basearch - CrashHat
    baseurl=htts://crash.fce.vutbr.cz/crash-hat/$releasever
    #

Then you can run 'yum update zlib' and 'yum install clamav' to take the candy.

pk
[Clamav-users] Virus Name
Hi all,

There is an article on zdnet regarding a new type of trojan that uses an ISP's mailserver to send spam. I'm not at all interested in getting into a discussion regarding this.. What I am interested in is to know if anyone has seen this in the wild, and whether or not ClamAV currently has a signature for it.

Unfortunately, the article does not detail how this Trojan is installed onto the user's system. However, mail seems to be one of the most prevalent methods, so I'm guessing it will come in that way...

So, anyone know if this is blocked by Clam yet, and if so, the name?

For those interested, that article is located here: http://news.zdnet.com/2100-1009_22-5560664.html

Thanks!

--
Jason Frisvold
Penteledata
RE: [Clamav-users] installing on fedora1
From: Tim Rupp [mailto:[EMAIL PROTECTED]
> jijo wrote:
> > How can I install clamav0.81.2 on Fedora Core 1 using the RPMs? I went through that PDF document to install the minimum recommendation that is specified in the clamav doc, but it is asking for the new zlib 1.2.2.2, and I tried to update these packages and I am really fed up with trying this again. Is there any possible method to install on Fedora Core? I don't want to update to Fedora 3 at the moment. I also tried to install through the yum package ..
>
> This version of zlib is only available in the development packages for Fedora.
>
> > I tried it like this: yum install clamav, but it can't find the location of the RPMs. Thanks
>
> Uncomment your #[development] entry in yum.conf and try updating zlib. If this isn't successful, you can always compile clam from source with --disable-zlib-vcheck

Interesting. That may solve my problem as well. What are the consequences of doing this? zlib-1.2.2.2 must have been specified for a reason...

Bowie
[Clamav-users] clamav-milter error: accept() returned invalid socket (Result too large)
Hello clamav-users,

first, sorry for my poor English :)

Well, I have FreeBSD 5.3-RELEASE, clamav 0.81 stable and sendmail 8.13.3. clamd starts with a local socket, clamav-milter starts over it with an inet:3311 socket, then I configure sendmails (8.12.11, after I tried with 8.13.3) on other computers (under Linux 2.2.25). For about 40 minutes or an hour it works great, but then in maillog, after almost each scanned mail, these messages appear:

Jan 28 16:55:21 s-core sendmail[26457]: j0SEtE90026457: milter_read(clamav): cmd read returned 0, expecting 5
Jan 28 16:55:21 s-core sendmail[26457]: j0SEtE90026457: Milter (clamav): to error state
Jan 28 16:55:21 s-core sendmail[26457]: j0SEtE90026457: Milter (clamav): init failed to open
Jan 28 16:55:21 s-core sendmail[26457]: j0SEtE90026457: Milter (clamav): to error state

and in the messages file on clamd's computer (FreeBSD) I have this message:

clamav-milter: accept() returned invalid socket (Result too large), try again later

So, what goes wrong? And how can it be fixed?

--
Best regards,
Hazard mailto:[EMAIL PROTECTED]
Re: [Clamav-users] patch for freshclam 0.81 for Malformed CVD header detected pb
On 3 Feb 2005 11:11:05 +0100 didier.georgieff [EMAIL PROTECTED] wrote:
> Hello,
> For freshclam 0.81 and an HTTP connection (behind a proxy) you get this error.

...only when using --no-dns

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Thu Feb 3 15:28:40 CET 2005
Re: [Clamav-users] installing on fedora1
On Thu, 3 Feb 2005 09:20:14 -0500 in [EMAIL PROTECTED] Bowie Bailey [EMAIL PROTECTED] wrote:
> Interesting. That may solve my problem as well. What are the consequences of doing this? zlib-1.2.2.2 must have been specified for a reason...

Yes, because there is a bug in zlib-1.2.x earlier than this that causes clamd to hang. If you have an OK version, such as zlib-1.1.4 for instance, then you can use the configure switch to turn off the check.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
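Added example (not part of the thread, and not ClamAV's own configure logic): a shell check that applies the rule stated in the reply above before anyone reaches for --disable-zlib-vcheck. The function names are hypothetical, the release suffixes on the 1.1.4 and 1.2.2.2 package strings are constructed, and treating every pre-1.2 version like 1.1.4 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a zlib build falls in the
# range the thread describes as making clamd hang (1.2.x older than 1.2.2.2).

# Version the ClamAV configure check asks for, as quoted in the thread.
MIN_FIXED="1.2.2.2"

# Print -1, 0 or 1 as dotted version $1 is lower than, equal to or higher
# than $2. Missing components count as 0 (1.2.2 equals 1.2.2.0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# Reduce an "rpm -q zlib" style string (zlib-1.2.0.7-2) to the upstream
# version (1.2.0.7). Returns 1 for anything that is not a numeric version,
# for example the zlib-devel package name.
zlib_upstream_version() {
    zuv=${1#zlib-}      # drop the package name prefix if present
    zuv=${zuv%%-*}      # drop the RPM release suffix if present
    case "$zuv" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$zuv"
}

# Classify an upstream zlib version:
#   ok        at or above MIN_FIXED
#   affected  1.2.x below MIN_FIXED (the range the thread says hangs clamd)
#   pre-1.2   older series; the thread only names 1.1.4 as an OK version
classify_zlib() {
    if [ "$(vercmp "$1" "$MIN_FIXED")" -ge 0 ]; then
        echo ok
    elif [ "$(vercmp "$1" 1.2)" -ge 0 ]; then
        echo affected
    else
        echo pre-1.2
    fi
}

# Turn the classification into build advice for one package string.
advise() {
    adv_ver=$(zlib_upstream_version "$1") || { echo "$1: cannot parse version"; return 0; }
    case "$(classify_zlib "$adv_ver")" in
        ok)       echo "$1: passes the configure version check" ;;
        affected) echo "$1: in the hanging range, upgrade zlib instead of using --disable-zlib-vcheck" ;;
        pre-1.2)  echo "$1: outside the 1.2.x range; the thread vouches for 1.1.4 with --disable-zlib-vcheck" ;;
    esac
}

# zlib-1.2.0.7-2 is the package from the thread; the other two are constructed.
for pkg in zlib-1.2.0.7-2 zlib-1.1.4-8 zlib-1.2.2.2-1; do
    advise "$pkg"
done
```

On the Fedora Core 1 box from the first post this reports zlib-1.2.0.7-2 as being in the affected range, which is the case where skipping the check trades a build error for a scanner that can hang.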
RE: [Clamav-users] Virus Name
Look at the thread on http://news.gmane.org/gmane.comp.security.virus.clamav.user entitled RAR Module Failure. ClamAV supports RAR 2 and not RAR 3 format archives.

Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Frisvold
Sent: 03 February 2005 14:02
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Virus Name

> Hi all,
>
> There is an article on zdnet regarding a new type of trojan that uses an ISP's mailserver to send spam. I'm not at all interested in getting into a discussion regarding this.. What I am interested in is to know if anyone has seen this in the wild, and whether or not ClamAV currently has a signature for it.
>
> Unfortunately, the article does not detail how this Trojan is installed onto the user's system. However, mail seems to be one of the most prevalent methods, so I'm guessing it will come in that way...
>
> So, anyone know if this is blocked by Clam yet, and if so, the name?
>
> For those interested, that article is located here: http://news.zdnet.com/2100-1009_22-5560664.html
>
> Thanks!
>
> --
> Jason Frisvold
> Penteledata
[Clamav-users] Sending mail when virus is found
Hey,

Can someone explain to me how I can configure my machine to send an e-mail when a virus is found? Because now it is rejecting it without notice.

Thanx
Maarten
[Clamav-users] pop toaster update
The pop toaster at http://shupp.org/toaster/ now supports clamav-0.81.

This includes patches for daemontools multilog support.

This implementation uses simscan from inter7.com.

Enjoy

--
Bob Hutchinson
Midwales dot com
RE: [Clamav-users] Virus Name
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randal, Phil
Subject: RE: [Clamav-users] Virus Name

> Look at the thread on http://news.gmane.org/gmane.comp.security.virus.clamav.user entitled RAR Module Failure. ClamAV supports RAR 2 and not RAR 3 format archives.

Uhh... Am I missing something? What does this have to do with the message I posted regarding the new Zombies?

> Cheers,
> Phil
>
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Frisvold
> Subject: [Clamav-users] Virus Name
>
> > Hi all,
> >
> > There is an article on zdnet regarding a new type of trojan that uses an ISP's mailserver to send spam. I'm not at all interested in getting into a discussion regarding this.. What I am interested in is to know if anyone has seen this in the wild, and whether or not ClamAV currently has a signature for it.
> >
> > Unfortunately, the article does not detail how this Trojan is installed onto the user's system. However, mail seems to be one of the most prevalent methods, so I'm guessing it will come in that way...
> >
> > So, anyone know if this is blocked by Clam yet, and if so, the name?
> >
> > For those interested, that article is located here: http://news.zdnet.com/2100-1009_22-5560664.html
> >
> > Thanks!
> >
> > --
> > Jason Frisvold
> > Penteledata

--
Jason Frisvold
Penteledata
Re: [Clamav-users] Sending mail when virus is found
On Thu, 3 Feb 2005 17:45:06 +0100 (CET), Maarten [EMAIL PROTECTED] wrote:
> Hey,
>
> Can someone explain to me how I can configure my machine to send an e-mail when a virus is found? Because now it is rejecting it without notice.

Well, first off, given that most email borne viruses forge the sender address, sending a "we blocked a virus from you" email is antisocial.

Secondly - you completely neglected to mention anything about your setup. Not even the obvious detail of the version of clamav, never mind what SMTP server you're using or how you're linking the 2.

--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Virus Name
On Thu, 3 Feb 2005 09:01:42 -0500 in [EMAIL PROTECTED] Jason Frisvold [EMAIL PROTECTED] wrote:
> There is an article on zdnet regarding a new type of trojan that uses an ISP's mailserver to send spam. I'm not at all interested in getting into a discussion regarding this.. What I am interested in is to know if anyone has seen this in the wild, and whether or not ClamAV currently has a signature for it.
>
> Unfortunately, the article does not detail how this Trojan is installed onto the user's system. However, mail seems to be one of the most prevalent methods, so I'm guessing it will come in that way...

Well two things come to mind. It isn't ClamAV's job to block spam, only viruses and immediately identifiable deceptions like phishing attacks.

Secondly, the only clue about the path taken is in the mail headers, ClamAV is really a body scanning tool so again it isn't designed to identify the attack approach you mention.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Virus Name
Brian Morrison wrote:
> Well two things come to mind. It isn't ClamAV's job to block spam, only viruses and immediately identifiable deceptions like phishing attacks.

...like a trojan spread by email that, after installing itself, serves as a spam proxy?

> Secondly, the only clue about the path taken is in the mail headers, ClamAV is really a body scanning tool so again it isn't designed to identify the attack approach you mention.

The question didn't seem to be about blocking spam sent using this approach, it seemed to be about blocking distribution of the trojan that would enable it.

In other words... Does anyone know which trojan/virus/etc. does this, and does ClamAV detect it?

--
Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] Virus Name
On Thu, 03 Feb 2005 10:05:39 -0800 in [EMAIL PROTECTED] Kelson [EMAIL PROTECTED] wrote:
> Brian Morrison wrote:
> > Well two things come to mind. It isn't ClamAV's job to block spam, only viruses and immediately identifiable deceptions like phishing attacks.
>
> ...like a trojan spread by email that, after installing itself, serves as a spam proxy?

Seems like any other sort of trojan to me, I can't see why the signature would be different because the zombie is using the ISP's smarthost for outgoing mail. Of course ClamAV will be able to detect such a thing...

> > Secondly, the only clue about the path taken is in the mail headers, ClamAV is really a body scanning tool so again it isn't designed to identify the attack approach you mention.
>
> The question didn't seem to be about blocking spam sent using this approach, it seemed to be about blocking distribution of the trojan that would enable it.
>
> In other words... Does anyone know which trojan/virus/etc. does this, and does ClamAV detect it?

Well once such a Trojan appears and is reported to the ClamAV team its signature will be added if it proves to be new, and ClamAV will detect it if the payload is already recognised.

It seems to me that this is almost a non-story, after all some ISPs are now blocking all mail from some other continents/countries, so all mail is blocked. That in some ways is far more concerning than a slight change of tactics by the spam/trojan creators.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
RE: [Clamav-users] Virus Name
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Morrison
Subject: Re: [Clamav-users] Virus Name

> Seems like any other sort of trojan to me, I can't see why the signature would be different because the zombie is using the ISP's smarthost for outgoing mail. Of course ClamAV will be able to detect such a thing...

Wow.. I guess I was *really* unclear.. Lemme try again... The article suggests that this virus/trojan is already in the wild. Does anyone know which one the article is talking about? And does ClamAV already have a signature for it?

> Well once such a Trojan appears and is reported to the ClamAV team its signature will be added if it proves to be new, and ClamAV will detect it if the payload is already recognised.

Agreed.. I'm trying to find out if this has been reported already ...

> It seems to me that this is almost a non-story, after all some ISPs are now blocking all mail from some other continents/countries, so all mail is blocked. That in some ways is far more concerning than a slight change of tactics by the spam/trojan creators.

Agreed. And I want to prevent having to do something of that sort. But as far as my email is concerned, I was trying to keep it on-topic. If this trojan were to be widespread, then RBLs could become virtually non-effective. Or, the RBLs could start putting legitimate hosts in the list. If that were to happen, that would be far more damaging...

I'm trying to take a pro-active stance and beat them to the punchline. Many of the changes I've already put into effect, and others that are on the list to be done soon, were done to prevent scenarios such as this. I knew it was just a matter of time. That time is, apparently, now.

> --
> Brian Morrison

My apologies for not being clear in the first place.

--
Jason Frisvold
Penteledata
Re: [Clamav-users] Virus Name
On Thu, 3 Feb 2005 13:44:50 -0500 in [EMAIL PROTECTED] Jason Frisvold [EMAIL PROTECTED] wrote:
> > Seems like any other sort of trojan to me, I can't see why the signature would be different because the zombie is using the ISP's smarthost for outgoing mail. Of course ClamAV will be able to detect such a thing...
>
> Wow.. I guess I was *really* unclear.. Lemme try again... The article suggests that this virus/trojan is already in the wild. Does anyone know which one the article is talking about? And does ClamAV already have a signature for it?

You could scan through the added signatures in the clamav-virusdb list and see what's there. I have not done so myself but there have been a fair few updates in the last few days.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Virus Name
Brian Morrison wrote:
> > > Seems like any other sort of trojan to me, I can't see why the signature would be different because the zombie is using the ISP's smarthost for outgoing mail. Of course ClamAV will be able to detect such a thing...
> >
> > Wow.. I guess I was *really* unclear.. Lemme try again... The article suggests that this virus/trojan is already in the wild. Does anyone know which one the article is talking about? And does ClamAV already have a signature for it?
>
> You could scan through the added signatures in the clamav-virusdb list and see what's there. I have not done so myself but there have been a fair few updates in the last few days.

Not meaning to be contrary, but that advice would require that someone actually tell the gentleman which trojan it is :)

Matt
Re: [Clamav-users] Virus Name
On Thu, 3 Feb 2005 19:25:39 + in [EMAIL PROTECTED] Matt [EMAIL PROTECTED] wrote:
> > You could scan through the added signatures in the clamav-virusdb list and see what's there. I have not done so myself but there have been a fair few updates in the last few days.
>
> Not meaning to be contrary, but that advice would require that someone actually tell the gentleman which trojan it is :)

Well I don't know which one it is and if I wanted to do this I would look at the new additions and try to decide whether any of these looked like the sort of thing I am assuming such a trojan would be likely to be called. There's no magic in this is there?

If someone else here knows the answer then speak up, but a signature for one of these things doesn't just magically materialise out of thin air. In the absence of anyone actually *knowing* the answer you have to do some background research if you want an answer now!

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] unable to start clamav-milter, weird error.
Hello,

I'm testing Clamav 0.81 for use with Sendmail 8.12 to update my current Clamav 0.80 installation, but I can't start clamav-milter. When I run clamav-milter like this:

clamav-milter -D -d -e -H -o -N /var/run/clamav/clamav-milter.sock

I get this error:

Feb 3 19:04:58 probe clamav-milter[32666]: Starting ClamAV version 0.81, clamav-milter version 0.81b
Feb 3 19:04:58 probe clamav-milter[32666]: ClamAv: Unable to bind to port /var/run/clamav/clamav-milter.sock: Address already in use
Feb 3 19:04:58 probe clamav-milter[32666]: ClamAv: Unable to create listening socket on conn /var/run/clamav/clamav-milter.sock
Feb 3 19:04:58 probe clamav-milter[32666]: Stopping ClamAV version 0.81, clamav-milter version 0.81b

Sounds weird to me because clamd is running and the socket is there:

srwxrwxrwx 1 clamav clamav 0 Feb 3 19:04 /var/run/clamav/clamav-milter.sock

What am I doing wrong??

BR,
Matías.
Re: [Clamav-users] unable to start clamav-milter, weird error.
> Hello,
>
> I'm testing Clamav 0.81 for use with Sendmail 8.12 to update my current Clamav 0.80 installation, but I can't start clamav-milter. When I run clamav-milter like this:
>
> clamav-milter -D -d -e -H -o -N /var/run/clamav/clamav-milter.sock
>
> I get this error:
>
> Feb 3 19:04:58 probe clamav-milter[32666]: Starting ClamAV version 0.81, clamav-milter version 0.81b
> Feb 3 19:04:58 probe clamav-milter[32666]: ClamAv: Unable to bind to port /var/run/clamav/clamav-milter.sock: Address already in use

clamd should use its own sock, not the same one as clamav-milter. Here are the entries from my directory:

srwxrwxrwx 1 clamav clamav 0 Feb 2 09:31 clamd.sock
srwxr-xr-x 1 clamav clamav 0 Feb 2 09:31 clmilter.sock

> Feb 3 19:04:58 probe clamav-milter[32666]: ClamAv: Unable to create listening socket on conn /var/run/clamav/clamav-milter.sock
> Feb 3 19:04:58 probe clamav-milter[32666]: Stopping ClamAV version 0.81, clamav-milter version 0.81b
>
> Sounds weird to me because clamd is running and the socket is there:
>
> srwxrwxrwx 1 clamav clamav 0 Feb 3 19:04 /var/run/clamav/clamav-milter.sock
>
> What am I doing wrong??
>
> BR,
> Matías.

--
Ken Jones
[Clamav-users] Re: unable to start clamav-milter, weird error.
Ken Jones wrote:
> > Hello,
> >
> > I'm testing Clamav 0.81 for use with Sendmail 8.12 to update my current Clamav 0.80 installation, but I can't start clamav-milter. When I run clamav-milter like this:
> >
> > clamav-milter -D -d -e -H -o -N /var/run/clamav/clamav-milter.sock
> >
> > I get this error:
> >
> > Feb 3 19:04:58 probe clamav-milter[32666]: Starting ClamAV version 0.81, clamav-milter version 0.81b
> > Feb 3 19:04:58 probe clamav-milter[32666]: ClamAv: Unable to bind to port /var/run/clamav/clamav-milter.sock: Address already in use
>
> clamd should use its own sock, not the same one as clamav-milter. Here are the entries from my directory:
>
> srwxrwxrwx 1 clamav clamav 0 Feb 2 09:31 clamd.sock
> srwxr-xr-x 1 clamav clamav 0 Feb 2 09:31 clmilter.sock

:-X

Thanks a lot Ken, I got the same config in the 0.80 version. Guess I need to sleep.

BR,
Matías.
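Added example (not part of the thread): a pre-start check for the mistake diagnosed above, where clamav-milter is handed the socket path clamd is already bound to. It assumes clamd's socket comes from the LocalSocket line in clamd.conf; the function names and the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: catch clamav-milter being pointed at
# the socket clamd already listens on, before starting either daemon.

# Print the LocalSocket path from a clamd.conf-style file ($1).
# Commented-out lines are skipped because their first field starts with '#'.
clamd_local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Reduce a milter socket spec to a filesystem path. libmilter-style
# "local:" and "unix:" prefixes are stripped; "inet:" specs print nothing
# because a TCP listener cannot collide with a UNIX socket path.
milter_socket_path() {
    case "$1" in
        local:*|unix:*) printf '%s\n' "${1#*:}" ;;
        inet:*|inet6:*) ;;
        *)              printf '%s\n' "$1" ;;
    esac
}

# $1 = clamd.conf path, $2 = socket argument given to clamav-milter.
# Print "collision" and return 1 when both daemons would bind the same
# path; print "distinct" and return 0 otherwise.
check_socket_collision() {
    csc_clamd=$(clamd_local_socket "$1")
    csc_milter=$(milter_socket_path "$2")
    if [ -n "$csc_clamd" ] && [ "$csc_clamd" = "$csc_milter" ]; then
        echo collision
        return 1
    fi
    echo distinct
}

# Write a constructed clamd.conf fragment whose LocalSocket is $1 and
# print the name of the temporary file.
make_conf() {
    mc_file=$(mktemp) || return 1
    printf '#LocalSocket /tmp/unused.sock\nLocalSocket %s\nUser clamav\n' "$1" > "$mc_file"
    printf '%s\n' "$mc_file"
}

MILTER_SOCK=/var/run/clamav/clamav-milter.sock   # path from the thread

# First file reproduces the mistake in the thread; the second gives clamd
# its own socket, as the reply recommends.
bad=$(make_conf /var/run/clamav/clamav-milter.sock)
good=$(make_conf /var/run/clamav/clamd.sock)
echo "shared socket:   $(check_socket_collision "$bad" "$MILTER_SOCK")"
echo "separate socket: $(check_socket_collision "$good" "local:$MILTER_SOCK")"
rm -f "$bad" "$good"
```

Run from an init script, the non-zero return on a collision lets the milter start be skipped with a clear message instead of the "Address already in use" bind failure shown in the log.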
[Clamav-users] Re: ClamSMTP in Transparent Proxy Mode
Mason, Chris, VF UK - Technology (TS) wrote:
> Hi,

Hello.

> I am trying to setup ClamSMTP in Transparent Proxy mode, but running into a problem.

This is off-topic... but interesting.

> I have got a Client setup to use machine X as my SMTP Proxy which gets sent through a NetScreen 5 FW which does a destination NAT to change the IP to Y.Y.Y.Y:10025 (my ClamSMTP machine).

The traffic description seems wrong. Usually a transparent proxy works on incoming mail, but you are describing outgoing mail, is this correct?

> In mail.log I have the following:
>
> Feb 3 16:14:07 snoopy clamsmtpd: 10: accepted connection from: 192.168.0.2
> Feb 3 16:14:07 snoopy clamsmtpd: 10: couldn't get source address for transparent proxying: Protocol not available

This is your problem, clamsmtpd is not receiving enough information to set itself as *fully* transparent proxy (i.e. changing the source address in TCP packets to make them appear as if coming from the original source), so clamsmtpd can only work as *semi* transparent proxy.

[snip]
> Combining the ClamSMTP proxy and SMTP proxy into one is not really an option for what I am trying to do.

By combining you mean on one machine? It works the same with one or two machines, except that you seem to want a DMZ (with clamsmtpd in it and mail server or servers in the protected zone).

> Any ideas?

It's not clear if you followed the instructions on clamsmtp's site. The full transparent proxy has only been tested with Linux/FreeBSD machines doing the firewalling. It may work with the NetScreen if it has the ip forwarding functionality; I don't know the NetScreen.

You better ask in clamsmtp's list: http://sourceforge.net/mailarchive/forum.php?forum=clamsmtp-users

Regards.

--
René Berber
RE: [Clamav-users] Virus Name
Jason Frisvold [EMAIL PROTECTED] wrote:
> If this trojan were to be widespread, then RBLs could become virtually non-effective. Or, the RBLs could start putting legitimate hosts in the list.

There is no such thing as a legitimate host. There are only hosts that send spam and viruses, and those that don't. That's what most RBLs are about.

> If that were to happen, that would be far more damaging...

That depends on your point of view.
RE: [Clamav-users] Re: ClamSMTP in Transparent Proxy Mode
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
Sent: 03 February 2005 21:20
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Re: ClamSMTP in Transparent Proxy Mode

> Mason, Chris, VF UK - Technology (TS) wrote:
> > Hi,
>
> Hello.
>
> > I am trying to setup ClamSMTP in Transparent Proxy mode, but running into a problem.
>
> This is off-topic... but interesting.

Sorry, I thought this list was regarding clamsmtp as well.

> > I have got a Client setup to use machine X as my SMTP Proxy which gets sent through a NetScreen 5 FW which does a destination NAT to change the IP to Y.Y.Y.Y:10025 (my ClamSMTP machine).
>
> The traffic description seems wrong. Usually a transparent proxy works on incoming mail, but you are describing outgoing mail, is this correct?

We have a problem at the moment where users are sending out email to mail servers direct on port 25, but we are being added to blacklists (mostly CBL) as a lot of this email is generated from SMTP based email worms.

I am assuming by putting this in the way of incoming email then it would be easy to deliver the message as it just looks up the MX of the domain which should be within the current network. As I am using it in the way of outgoing email it will not be able to lookup the proxy which the user was trying to send email through - is this assumption correct based on the idea that a user configures an SMTP proxy to send email through?

> > In mail.log I have the following:
> >
> > Feb 3 16:14:07 snoopy clamsmtpd: 10: accepted connection from: 192.168.0.2
> > Feb 3 16:14:07 snoopy clamsmtpd: 10: couldn't get source address for transparent proxying: Protocol not available
>
> This is your problem, clamsmtpd is not receiving enough information to set itself as *fully* transparent proxy (i.e. changing the source address in TCP packets to make them appear as if coming from the original source), so clamsmtpd can only work as *semi* transparent proxy.

Not quite sure what you are saying here. I was thinking I might have missed something out of the Linux kernel as it was complaining about Protocol not available?

> [snip]
> > Combining the ClamSMTP proxy and SMTP proxy into one is not really an option for what I am trying to do.
>
> By combining you mean on one machine? It works the same with one or two machines, except that you seem to want a DMZ (with clamsmtpd in it and mail server or servers in the protected zone).

Yeh, the mail server and the transparent proxy machine would be sitting within a DMZ in the same subnet.

> > Any ideas?
>
> It's not clear if you followed the instructions on clamsmtp's site. The full transparent proxy has only been tested with Linux/FreeBSD machines doing the firewalling. It may work with the NetScreen if it has the ip forwarding functionality; I don't know the NetScreen.

When a packet comes into the NetScreen it is basically changing the destination address x.x.x.x and the port. I cannot really get my head around if it should be changing the destination address or keeping the same destination but just routing it via the SMTP Proxy box?

> You better ask in clamsmtp's list: http://sourceforge.net/mailarchive/forum.php?forum=clamsmtp-users

Will have a read through..

Thanks for your help

Chris

> Regards.
> --
> René Berber
Re: [Clamav-users] Sending mail when virus is found
Rob MacGregor wrote:
> Well, first off, given that most email borne viruses forge the sender address, sending a "we blocked a virus from you" email is antisocial.

This is true, no question about it. But I am also interested in how to write email notification scripts. At my site, I would like to inform the recipient that a virus had been blocked, including sender address, date, time and the name of the virus.

Olaf
Re: [Clamav-users] Sending mail when virus is found
On 3 Feb 2005 at 23:24, Olaf wrote:
> Rob MacGregor wrote:
> > Well, first off, given that most email borne viruses forge the sender address, sending a "we blocked a virus from you" email is antisocial.
>
> This is true, no question about it. But I am also interested in how to write email notification scripts. At my site, I would like to inform the recipient that a virus had been blocked, including sender address, date, time and the name of the virus.
>
> Olaf

I am using MailScanner in conjunction with ClamAV ...notification scripts for all or some blocked e-mails are integral in the config.

Terry
[Clamav-users] Re: ClamSMTP in Transparent Proxy Mode
Mason, Chris, VF UK - Technology (TS) wrote:
[snip]
> > This is off-topic... but interesting.
>
> Sorry, I thought this list was regarding clamsmtp as well.

Clamsmtp uses clamav, but setting up 3rd party software is not really the point of this list; there are many 3rd party packages and it would be very difficult to get all the experts in one group.

[snip]
> > Usually a transparent proxy works on incoming mail, but you are describing outgoing mail, is this correct?
>
> We have a problem at the moment where users are sending out email to mail servers direct on port 25, but we are being added to blacklists (mostly CBL) as a lot of this email is generated from SMTP based email worms.
>
> I am assuming by putting this in the way of incoming email then it would be easy to deliver the message as it just looks up the MX of the domain which should be within the current network. As I am using it in the way of outgoing email it will not be able to lookup the proxy which the user was trying to send email through - is this assumption correct based on the idea that a user configures an SMTP proxy to send email through?

You are correct.

In your case you could use clamsmtpd in semi-transparent mode. It doesn't matter which client machine is infected (and sending the emails directly) as long as viruses/trojans are stopped.

Probably all you have to do with your setup is disable transparent proxy in clamsmtpd.conf. All non-infected outgoing mail will appear as if coming from the clamsmtpd server.

It should work fine but beware of how you set up for incoming messages; I used clamsmtpd/CommuniGate on the same machine for a while, all viruses were caught but the problem is that with semi-transparent mode the mail server sees all incoming messages as coming from itself (127.0.0.1) and CommuniGate becomes an open relay.

BTW there are other packages that may also work, along with clamsmtpd there is proxsmtp (same author), on ClamAV's 3rd party list there is RedWall, snort-inline. Similar to clamsmtp is DspamPD. I haven't tested most of those, just clamsmtpd and dspamd, both as semi-transparent proxies, both work fine except for the open relay problem.

Regards.

--
René Berber
Re: [Clamav-users] Sending mail when virus is found
On Thursday 03 Feb 2005 22:24, Olaf wrote:
> Rob MacGregor schrieb:
>> Well, first off, given that most email borne viruses forge the sender address, sending a "we blocked a virus from you" email is antisocial.
>
> This is true, no question about it. But I am also interested in how to write email notification scripts. At my site, I would like to inform the recipient that a virus had been blocked, including sender address, date, time and the name of the virus.

We stopped notifying customers some time ago, they get confused, hassle you because they think that you have infected their machine, and once you explain to them, sometimes repeatedly, that it was information only they get bored and complain some more. We now do a monthly report, pulled from the logs for those who ask for it, mostly IT admins. IMHO of course.

The likelihood of the dirty email coming from someone they know is virtually nil, unlike 3-4 years ago when most infected mail came from a known user. No more. This is organized crime creating a web of zombies, and they are getting smarter, bulk emailing in small batches to different servers so as not to disturb firewall triggers or tarpits, using dictionaries, and not always American ones either. RBL percentages are dropping, even though known zombies are now being listed, it's a constant battle.

My two bits worth
--
- Bob Hutchinson Midwales dot com -
[Clamav-users] FRESHCLAM WARNING
Please help me !!! Thanx

[EMAIL PROTECTED] root]#freshclam
ClamAV update process started at Fri Feb 4 11:23:33 2005
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 700, sigs: 1256, f-level: 4, builder:ccordes)
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = 3, required = 4
[EMAIL PROTECTED] root]#freshclam --version
ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
[EMAIL PROTECTED] root]#clamd --version
ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
[EMAIL PROTECTED] root]#clamdscan --version
ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
[EMAIL PROTECTED] root]#clamscan --version
ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
Re: [Clamav-users] FRESHCLAM WARNING
[EMAIL PROTECTED] wrote:
> Please help me !!! Thanx
>
> [EMAIL PROTECTED] root]#freshclam
> ClamAV update process started at Fri Feb 4 11:23:33 2005
> main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
> daily.cvd is up to date (version: 700, sigs: 1256, f-level: 4, builder:ccordes)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately!
> WARNING: Current functionality level = 3, required = 4
> [EMAIL PROTECTED] root]#freshclam --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamd --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamdscan --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamscan --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005

You're running a pre-release version still. 0.81 has been released, you should upgrade.

alan
Re: [Clamav-users] FRESHCLAM WARNING
> [EMAIL PROTECTED] root]#freshclam --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamd --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamdscan --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
> [EMAIL PROTECTED] root]#clamscan --version
> ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005
^

Just upgrade to 0.81 stable
Re: [Clamav-users] FRESHCLAM WARNING
[EMAIL PROTECTED] said:
> Please help me !!! Thanx

You need to upgrade to .81. Not a big deal. configure, make, make install. How hard could it be? At least you got a warning. All those Winclam users out there are out of the loop.

dp
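Added example, not part of any post in this thread and not ClamAV project code: a small parser for the freshclam output and version banner quoted above, showing which database is ahead of the installed engine and that the banner carries a pre-release suffix. It reads the f-level field on each database line as the functionality level that database was built for; the function names, the SAMPLE and BANNER constants, and the acceptance of "recommended" as an alternative to "required" are assumptions of this example.

```python
import re

# Constructed input: the freshclam output and version banner quoted in the thread.
SAMPLE = """\
ClamAV update process started at Fri Feb 4 11:23:33 2005
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 700, sigs: 1256, f-level: 4, builder:ccordes)
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = 3, required = 4
"""
BANNER = "ClamAV 0.81rc1/700/Fri Feb 4 06:33:15 2005"

DB_LINE = re.compile(r"^(\S+\.c[vl]d) .*\(version: (\d+), sigs: (\d+), "
                     r"f-level: (\d+), builder:\s*(\S+)\)")
LEVELS = re.compile(r"Current functionality level = (\d+), "
                    r"(?:required|recommended) = (\d+)")
BANNER_RE = re.compile(r"^ClamAV (\d+(?:\.\d+)+)(\S*?)/(\d+)/(.+)$")


def parse_freshclam(text):
    """Return per-database f-levels and the engine's own level, if reported."""
    dbs, engine, required = {}, None, None
    for line in text.splitlines():
        m = DB_LINE.match(line.strip())
        if m:
            dbs[m.group(1)] = {"version": int(m.group(2)), "sigs": int(m.group(3)),
                               "f_level": int(m.group(4)), "builder": m.group(5)}
            continue
        m = LEVELS.search(line)
        if m:
            engine, required = int(m.group(1)), int(m.group(2))
    return {"databases": dbs, "engine_level": engine, "required_level": required}


def engine_report(text, banner):
    """Summarise why freshclam warns: which databases outrun the engine."""
    info = parse_freshclam(text)
    engine = info["engine_level"]  # None when freshclam printed no level warning
    ahead = sorted(name for name, d in info["databases"].items()
                   if engine is not None and d["f_level"] > engine)
    m = BANNER_RE.match(banner.strip())
    release, suffix, daily = (m.group(1), m.group(2), int(m.group(3))) if m else (None, "", None)
    outdated = bool(ahead) or (engine is not None and info["required_level"] > engine)
    return {"outdated": outdated, "databases_ahead": ahead, "release": release,
            "prerelease": bool(suffix), "daily_version": daily}


if __name__ == "__main__":
    print(engine_report(SAMPLE, BANNER))
```

Run from cron against captured freshclam output, a report with `outdated` set is the signal to upgrade the engine rather than re-run the signature update.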