Re: [Clamav-users] sober.p and german adverts?

Jef Poskanzer wrote:

> ..snip...
>
> And finally, if you want to run a check on the HELO string, I find
> that just rejecting outside connections that claim a HELO of your own
> hostname gets rid of a very high proportion of crapmail. This
> very simple check is successful enough that I'll probably publish
> a "notme_milter" at some point after spfmilter gets out of beta status.

I already do this with MIMEDefang. It's proven quite effective.

I don't bother with any of the other checks because they either take too
many resources or have potentially too much collateral damage.

alan

___
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello clamav-users,

I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I found an error message on starting clamav-milter (Permission denied). Is there any chance to solve this little problem?

p.s. sorry about my english...

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: [Clamav-users] sober.p and german adverts?

On Mon, 16 May 2005, Todd Lyons wrote:

> From: Todd Lyons [EMAIL PROTECTED]
> To: ClamAV users ML clamav-users@lists.clamav.net
> Date: Mon, 16 May 2005 10:14:26 -0700
> Subject: Re: [Clamav-users] sober.p and german adverts?
> Reply-To: ClamAV users ML clamav-users@lists.clamav.net
>
> ...
>
> Some ISP's don't allow you to relay mail through them if it's not for
> @ispdomain.com. In that case, you should offer them a value add service
> to relay mail for them and then configure SSL (583) so that they don't
> have that problem.

Make that port 587, mail message submission described in RFC2476. You
may also need to configure a listener on the obsolete SMTPS port, 465,
for the benefit of crippleware clients that require tls-on-connect.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
RE: [Clamav-users] freshclam's daily.cvd messages not showing

[EMAIL PROTECTED] wrote:

> Hello,
>
> I'm running clamav (currently version 0.85) on two separate servers and
> my home notebook and recently noticed odd behavior when running
> freshclam. While on one server and my notebook it always both displays
> to the console and logs information about both main.cvd and daily.cvd
> (i.e. whether they were updated or are up to date), on the other server
> it only displays that information about main.cvd, though it does log
> information about both main.cvd and daily.cvd to the log and does update
> daily.cvd when appropriate.
>
> For example, here is the output from the first, normally operating server:
>
> root ~ # /usr/local/bin/freshclam
> ClamAV update process started at Sun May 15 04:49:38 2005
> main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
> daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)
> root ~ #
>
> while the other server, running the same version of clamav with
> identical configuration files (as verified by md5sums), displays only:
>
> [EMAIL PROTECTED]:~# /usr/local/bin/freshclam
> ClamAV update process started at Sun May 15 04:50:39 2005
> main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
> [EMAIL PROTECTED]:~#
>
> The log files for both, however, are identical (except for times, of course):
>
> [EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log
> --
> ClamAV update process started at Sun May 15 04:50:39 2005
> main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
> daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)
>
> Both installations were compiled from source using identical config
> options (./configure --sysconfdir=/etc) and with the default optimizations.
>
> I did grep -r 'up to date' in the source directory and found only four
> occurrences, all in freshclam/manager.c, that consisted of two places
> where this message is first written to stdout then in the immediate next
> line apparently logged, so I am at a loss as to how the daily.cvd
> messages could be logged but not displayed to the console. I'm no C
> programmer, though, so perhaps someone who is has a better idea as to
> what's going on here?
>
> The first (normal) server is a linux virtual machine running under UML
> on a box with dual Intel Xeon processors. My notebook has a pentium3
> processor, and the server where freshclam behaves oddly is an old box
> with an amd k6-3 processor. The UML server is running a linux 2.4.26
> based kernel, while my notebook and the other server currently run linux
> 2.6.11-7 kernels.
>
> If you need any other information let me know.
>
> Thanks,
> Zibeli

This is fixed in ClamAV 0.85.1

Thanks for the rapid update, team.

Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 17 May 2005 12:50:58 +0800
Awie [EMAIL PROTECTED] wrote:

> All,
>
> I cannot run Freshclam in DNS mode, it always falls back to HTTP. Below
> attached the message from my machine;
>
> [EMAIL PROTECTED] root]# freshclam
> ClamAV update process started at Tue May 17 12:43:32 2005
> WARNING: DNS record is older than 3 hours.
> [...]
> but why Freshclam cannot run in DNS? What things should I fix?

System time?

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue May 17 12:11:43 CEST 2005
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 17 May 2005 11:16:54 +0400
Sergey [EMAIL PROTECTED] wrote:

> Hello clamav-users,
>
> I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I found
> an error message on starting clamav-milter (Permission denied). Is
> there any chance to solve this little problem?

I don't believe you've installed 0.85.1 properly.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue May 17 12:25:49 CEST 2005
Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 2005-05-17 at 12:12, Tomasz Kojm wrote:
> On Tue, 17 May 2005 12:50:58 +0800
> Awie [EMAIL PROTECTED] wrote:
>> WARNING: DNS record is older than 3 hours.
>> [...]
>> but why Freshclam cannot run in DNS? What things should I fix?
>
> System time?

Or maybe your local DNS servers. I had a similar problem a few weeks
ago. I was using Windows 2000 DNS servers, and they were having trouble
caching the TXT record for ClamAV updates. Restarting the DNS server
services on the Windows machines helped me out.

You can ask your local dns server what it knows about clamav updates
with the command:

dig current.cvd.clamav.net txt

-- 
Guy Van Den Bergh
Netwerkbeheerder
http://www.ha.be
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Tomasz Kojm wrote:
> On Tue, 17 May 2005 11:16:54 +0400
> Sergey [EMAIL PROTECTED] wrote:
>> Hello clamav-users,
>>
>> I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I found
>> an error message on starting clamav-milter (Permission denied). Is
>> there any chance to solve this little problem?
>
> I don't believe you've installed 0.85.1 properly.

Sergey is right. This bug is not fixed.

May 17 12:36:41 server clamd: clamd startup succeeded
May 17 12:36:41 server clamd[27991]: HTML support enabled.
May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: Permission denied

Petr
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 17 May 2005 12:55:36 +0200
Kritof Petr [EMAIL PROTECTED] wrote:

> Sergey is right. This bug is not fixed.
>
> May 17 12:36:41 server clamd: clamd startup succeeded
> May 17 12:36:41 server clamd[27991]: HTML support enabled.
> May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
> May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: Permission denied

The original bug was related to /dev/console. The above seems like a
standard permission problem.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue May 17 12:57:15 CEST 2005
Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello Tomasz,

Tuesday, May 17, 2005, 2:58:41 PM, you wrote:

TK> On Tue, 17 May 2005 12:55:36 +0200
TK> Kritof Petr [EMAIL PROTECTED] wrote:
>> Sergey is right. This bug is not fixed.
>>
>> May 17 12:36:41 server clamd: clamd startup succeeded
>> May 17 12:36:41 server clamd[27991]: HTML support enabled.
>> May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
>> May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: Permission denied
TK> The original bug was related to /dev/console. The above seems like
TK> a standard permission problem.

No, it's not. Believe me, because I'm not the only one who has such a problem.

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello Tomasz,

Tuesday, May 17, 2005, 2:27:00 PM, you wrote:

TK> On Tue, 17 May 2005 11:16:54 +0400
TK> Sergey [EMAIL PROTECTED] wrote:
>> Hello clamav-users,
>>
>> I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I found
>> an error message on starting clamav-milter (Permission denied). Is
>> there any chance to solve this little problem?
TK> I don't believe you've installed 0.85.1 properly.

What do you mean by properly? There were no errors while I was installing it. I used just the same options that I used for installing 0.84, or is there in 0.85 some new extra installation stuff that I missed?

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 2005-05-17 at 15:10 +0400, Sergey wrote:
> What do you mean by properly? There were no errors while I was
> installing it. I used just the same options that I used for installing
> 0.84, or is there in 0.85 some new extra installation stuff that I
> missed?

Check the permissions on your log file. They must be accessible by the
user the milter runs as.

-trog
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 17 May 2005 15:10:12 +0400
Sergey [EMAIL PROTECTED] wrote:

> Hello Tomasz,
>
> Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
>
> TK> On Tue, 17 May 2005 11:16:54 +0400
> TK> Sergey [EMAIL PROTECTED] wrote:
>>> Hello clamav-users,
>>>
>>> I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I
>>> found an error message on starting clamav-milter (Permission
>>> denied). Is there any chance to solve this little problem?
> TK> I don't believe you've installed 0.85.1 properly.
>
> What do you mean by properly? There were no errors while I was
> installing it. I used just the same options that I used for installing
> 0.84, or is there in 0.85 some new extra installation stuff that I
> missed?

The only 'essential' information you have provided is that clamav-milter
prints Permission denied on startup so don't expect constructive help
from me.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue May 17 13:12:51 CEST 2005
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Tomasz Kojm wrote:
> On Tue, 17 May 2005 12:55:36 +0200
> Kritof Petr [EMAIL PROTECTED] wrote:
>> Sergey is right. This bug is not fixed.
>>
>> May 17 12:36:41 server clamd: clamd startup succeeded
>> May 17 12:36:41 server clamd[27991]: HTML support enabled.
>> May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
>> May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: Permission denied
>
> The original bug was related to /dev/console. The above seems like a
> standard permission problem.

I reported this bug one week before. But once again:

# uname -mpio
i686 i686 i386 GNU/Linux
# clamd -V
ClamAV 0.85.1/882/Tue May 17 08:48:03 2005
# clamav-milter -V
ClamAV version 0.85.1, clamav-milter version 0.85
# ll /var/log
total 42860
drwxr-xr-x 14 root   root     4096 May 17 12:36 .
drwxr-xr-x 23 root   root     4096 Jan  7 14:52 ..
-rw-------  1 root   root    21573 Feb  1 04:02 boot.log.4
drwxr-xr-x  2 clamav clamav   4096 May 17 13:05 clamav
-rw-r--r--  1 root   root   183414 May 17 13:01 cron
# ll /var/log/clamav/
total 16
drwxr-xr-x  2 clamav clamav 4096 May 17 13:08 .
drwxr-xr-x 14 root   root   4096 May 17 12:36 ..
-rw-r-----  1 clamav clamav  474 May 17 13:05 freshclam.log
# service clamd start
Starting Clam AV daemon: [ OK ]
# ll /var/log/clamav/
total 20
drwxr-xr-x  2 clamav clamav 4096 May 17 13:09 .
drwxr-xr-x 14 root   root   4096 May 17 12:36 ..
-rw-r-----  1 root   root   1417 May 17 13:09 clamd.log
-rw-r-----  1 clamav clamav  474 May 17 13:05 freshclam.log
# service clamav-milter start
Starting clamav-milter: [FAILED]
# tail -f /var/log/messages
May 17 13:13:42 server clamav-milter: /var/log/clamav/clamd.log: Permission denied

and clamav-milter is not running.

# grep User /etc/clamd.conf
User clamav

My observation is: clamav creates the log file with root permissions, so user clamav can't write to the log.

Are there some developers who believe that non-privileged user clamav can write to a logfile with bad permissions (0640 root.root clamd.log)? This assumption is wrong on some unix-like OSes, I'm afraid.

Clamav should create the log file with the same owner as defined in clamd.conf to work properly.

Petr
Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello Tomasz,

Tuesday, May 17, 2005, 3:17:34 PM, you wrote:

TK> On Tue, 17 May 2005 15:10:12 +0400
TK> Sergey [EMAIL PROTECTED] wrote:
>> Hello Tomasz,
>>
>> Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
>>
>> TK> On Tue, 17 May 2005 11:16:54 +0400
>> TK> Sergey [EMAIL PROTECTED] wrote:
>>>> Hello clamav-users,
>>>>
>>>> I've just tried to use 0.85 and 0.85.1 instead of my 0.84, but I
>>>> found an error message on starting clamav-milter (Permission
>>>> denied). Is there any chance to solve this little problem?
>> TK> I don't believe you've installed 0.85.1 properly.
>>
>> What do you mean by properly? There were no errors while I was
>> installing it. I used just the same options that I used for installing
>> 0.84, or is there in 0.85 some new extra installation stuff that I
>> missed?
TK> The only 'essential' information you have provided is that
TK> clamav-milter prints Permission denied on startup so don't expect
TK> constructive help from me.

1) I use FreeBSD 4.7

2) clamav is configured with such options as
   --prefix=/usr/local/clamav --enable-milter

3) clamd, freshclam and clamav-milter are started by user clamav

4) /usr/local/clamav # ls -l
total 14
drwxr-xr-x 2 root   clamav 512 May 17 15:39 bin
drwxr-xr-x 2 root   clamav 512 May 17 15:31 etc
drwxr-xr-x 2 root   clamav 512 May 17 15:38 include
drwxr-xr-x 3 root   clamav 512 May 17 15:39 lib
drwxr-xr-x 2 root   clamav 512 May 17 15:39 sbin
drwxr-xr-x 3 root   clamav 512 May 17 15:39 share
drwxr-x--- 4 clamav clamav 512 May 17 15:39 var

5) /usr/local/clamav/var # ls -l
total 12
-rw-r-----  1 clamav clamav  583 May 17 15:40 clamd-update.log
-rw-r-----  1 root   clamav 1265 May 17 15:40 clamd.log
-rw-rw----  1 clamav clamav    5 May 17 15:39 clamd.pid
srwxrwxrwx  1 clamav clamav    0 May 17 15:39 clamd.sock
-rw-rw----  1 clamav clamav    5 May 17 15:39 freshclam.pid
drwx------  4 clamav clamav  512 May 17 00:45 quarantine
drwxr-xr-x  4 clamav clamav  512 May 17 15:44 tmp

6) cat /usr/local/etc/rc.d/clamav.sh
#!/bin/sh
/usr/local/clamav/sbin/clamd
/usr/local/clamav/sbin/clamav-milter -lofU /usr/local/clamav/var/quarantine /usr/local/clamav/var/clmilter.sock -p [EMAIL PROTECTED] --max-children=3
/usr/local/clamav/bin/freshclam -d -c 6 -l /usr/local/clamav/var/clamd-update.log

What do I do wrong?

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re[4]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello Trog,

Tuesday, May 17, 2005, 3:13:49 PM, you wrote:

T> On Tue, 2005-05-17 at 15:10 +0400, Sergey wrote:
>> What do you mean by properly? There were no errors while I was
>> installing it. I used just the same options that I used for installing
>> 0.84, or is there in 0.85 some new extra installation stuff that I
>> missed?
T> Check the permissions on your log file. They must be accessible by the
T> user the milter runs as.
T> -trog

They are accessible.

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: [Clamav-users] sober.p and german adverts?

On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:

> Most of the spam I've gotten the last three days is from comcast.net.
> Apparently they allow their customers to send out to port 25. They
> should lock that down so that spam goes out through their own servers
> so they can feel the pain when they are blacklisted for incompetence.
> If you need to run your own stand-alone mail service you should pay the
> price for the privilege. To me, that price is learning how to do it
> right. Price isn't always monetary.

I wouldn't argue with the idea of having to tell your provider that you
need your particular connection unfiltered and leave it unfiltered
because you're setting up the server.

I'm paying for the bandwidth of a connection. If anything you're saving
the ISP money in labor to maintain your mail spool, you're saving them
disk space, and you're saving them liability...because you're willing to
shoulder the burden yourself. The price here is you're doing the
administration, you're sacrificing your disk space, and you're
sacrificing the ability to complain to them when the disk dies and
there's not a backup and you don't have 24/7 connection reliability,
only a reasonable connection.

It's kinda stupid to me that you'd save them some space and time and
liability and have to pay them for taking away a sliver of a headache,
if all you want is a connection...and you may even be one of the small
percentage that if you run the services yourself, you won't be on their
tech support line. Seems like that's the biggest cost for ISPs.

For people who are willing to learn and put work into maintaining it the
cost of getting a business class connection is so high that...well...
they'd have to be a business to get it. Or at least get it and not
subsist on bologna and Cheerios for meals.
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Sergey wrote:
[...]
> -rw-r-----  1 root   clamav 1265 May 17 15:40 clamd.log
                ^^^^
How can clamd (really user clamav.clamav) write to this file??
[...]

-- 
Andrzej Zawadzki
Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 2005-05-17 at 12:12, Tomasz Kojm wrote:
> On Tue, 17 May 2005 12:50:58 +0800
> Awie [EMAIL PROTECTED] wrote:
>> WARNING: DNS record is older than 3 hours.
>> [...]
>> but why Freshclam cannot run in DNS? What things should I fix?
>
> System time?

System time seems OK. Below the display.

[EMAIL PROTECTED] root]# date
Tue May 17 19:52:57 EDT 2005

Thx

Rgds,
Awie
Re: [Clamav-users] Freshclam fall back to HTTP

Hello,

>> System time?
>
> Or maybe your local DNS servers. I had a similar problem a few weeks
> ago. I was using Windows 2000 DNS servers, and they were having trouble
> caching the TXT record for ClamAV updates. Restarting the DNS server
> services on the Windows machines helped me out.
>
> You can ask your local dns server what it knows about clamav updates
> with the command:
>
> dig current.cvd.clamav.net txt

Below the result of dig in my machine. It seems it can reach
current.cvd.clamav.net. Please advise.

Thx

Rgds,
Awie

===SNIP===
[EMAIL PROTECTED] root]# dig current.cvd.clamav.net txt

; <<>> DiG 9.2.4 <<>> current.cvd.clamav.net txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35447
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;current.cvd.clamav.net.        IN      TXT

;; ANSWER SECTION:
current.cvd.clamav.net. 900     IN      TXT     "0.85.1:31:882:1116329341:0"

;; Query time: 1482 msec
;; SERVER: 202.136.64.52#53(202.136.64.52)
;; WHEN: Tue May 17 19:54:59 2005
;; MSG SIZE  rcvd: 79
Re: [Clamav-users] sober.p and german adverts?

One final point here. I know I, and I'm sure many of you, have seen or
come into contact with infected exchange servers on static ip addresses.
The fact that it's static, or in fact a business connection, speaks not
a thing for the competence of the administrator, or the security of the
server. My point before was this: my ip in no way says you should trust
me; I can be infected and misconfigured on a static ip as on a dynamic
one. Also, I'm being penalized for microsoft's inability to engineer and
distribute a secure os. You have every right to block whatever address
ranges you want, and when I get the bounce, I'll add you to my transport
file for postfix. All else, I'll manage the queue myself.

On Tuesday 17 May 2005 06:48 am, Bart Silverstrim wrote:
> On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
>> Most of the spam I've gotten the last three days is from comcast.net.
>> Apparently they allow their customers to send out to port 25. They
>> should lock that down so that spam goes out through their own servers
>> so they can feel the pain when they are blacklisted for incompetence.
>> If you need to run your own stand-alone mail service you should pay
>> the price for the privilege. To me, that price is learning how to do
>> it right. Price isn't always monetary.
>
> I wouldn't argue with the idea of having to tell your provider that
> you need your particular connection unfiltered and leave it unfiltered
> because you're setting up the server.
>
> I'm paying for the bandwidth of a connection. If anything you're
> saving the ISP money in labor to maintain your mail spool, you're
> saving them disk space, and you're saving them liability...because
> you're willing to shoulder the burden yourself. The price here is
> you're doing the administration, you're sacrificing your disk space,
> and you're sacrificing the ability to complain to them when the disk
> dies and there's not a backup and you don't have 24/7 connection
> reliability, only a reasonable connection.
>
> It's kinda stupid to me that you'd save them some space and time and
> liability and have to pay them for taking away a sliver of a headache,
> if all you want is a connection...and you may even be one of the small
> percentage that if you run the services yourself, you won't be on
> their tech support line. Seems like that's the biggest cost for ISPs.
>
> For people who are willing to learn and put work into maintaining it
> the cost of getting a business class connection is so high
> that...well...they'd have to be a business to get it. Or at least get
> it and not subsist on bologna and Cheerios for meals.

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
Re: Re[4]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 2005-05-17 at 15:44 +0400, Sergey wrote:
> T> Check the permissions on your log file. They must be accessible by the
> T> user the milter runs as.
> T> -trog
>
> They are accessible.

No they aren't. Actually look at the file permissions this time.

-trog
Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Hello Kritof,

Tuesday, May 17, 2005, 3:22:21 PM, you wrote:

KP> Tomasz Kojm wrote:
>> On Tue, 17 May 2005 12:55:36 +0200
>> Kritof Petr [EMAIL PROTECTED] wrote:
>>> Sergey is right. This bug is not fixed.
>>>
>>> May 17 12:36:41 server clamd: clamd startup succeeded
>>> May 17 12:36:41 server clamd[27991]: HTML support enabled.
>>> May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
>>> May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: Permission denied
>>
>> The original bug was related to /dev/console. The above seems like a
>> standard permission problem.

KP> I reported this bug one week before. But once again:

KP> # uname -mpio
KP> i686 i686 i386 GNU/Linux
KP> # clamd -V
KP> ClamAV 0.85.1/882/Tue May 17 08:48:03 2005
KP> # clamav-milter -V
KP> ClamAV version 0.85.1, clamav-milter version 0.85
KP> # ll /var/log
KP> total 42860
KP> drwxr-xr-x 14 root   root     4096 May 17 12:36 .
KP> drwxr-xr-x 23 root   root     4096 Jan  7 14:52 ..
KP> -rw-------  1 root   root    21573 Feb  1 04:02 boot.log.4
KP> drwxr-xr-x  2 clamav clamav   4096 May 17 13:05 clamav
KP> -rw-r--r--  1 root   root   183414 May 17 13:01 cron
KP> # ll /var/log/clamav/
KP> total 16
KP> drwxr-xr-x  2 clamav clamav 4096 May 17 13:08 .
KP> drwxr-xr-x 14 root   root   4096 May 17 12:36 ..
KP> -rw-r-----  1 clamav clamav  474 May 17 13:05 freshclam.log
KP> # service clamd start
KP> Starting Clam AV daemon: [ OK ]
KP> # ll /var/log/clamav/
KP> total 20
KP> drwxr-xr-x  2 clamav clamav 4096 May 17 13:09 .
KP> drwxr-xr-x 14 root   root   4096 May 17 12:36 ..
KP> -rw-r-----  1 root   root   1417 May 17 13:09 clamd.log
KP> -rw-r-----  1 clamav clamav  474 May 17 13:05 freshclam.log
KP> # service clamav-milter start
KP> Starting clamav-milter: [FAILED]
KP> # tail -f /var/log/messages
KP> May 17 13:13:42 server clamav-milter: /var/log/clamav/clamd.log:
KP> Permission denied

KP> and clamav-milter is not running.

KP> # grep User /etc/clamd.conf
KP> User clamav

KP> My observation is: clamav creates the log file with root permissions,
KP> so user clamav can't write to the log.

KP> Are there some developers who believe that non-privileged user clamav
KP> can write to a logfile with bad permissions (0640 root.root clamd.log)?
KP> This assumption is wrong on some unix-like OSes, I'm afraid.

KP> Clamav should create the log file with the same owner as defined in
KP> clamd.conf to work properly.

I've just noticed the same thing. clamd.log is made by root. But 0.84 doesn't care about that; it works properly.

-- 
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter

Sergey wrote:
> Hello Kritof,
>
> KP> # grep User /etc/clamd.conf
> KP> User clamav

Shouldn't the conf files be in /usr/local/etc/ ???
That's how it works for me and my log file is owned by clamav

Cheers
Bill

-- 
What's the difference between Linux and Windoze?
Linux - Thousands of programmers are working *WITH* you.
Windoze - Thousands of programmers are working *AGAINST* you.
Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 2005-05-17 at 13:53, Awie wrote:
> Below the result of dig in my machine. It seems it can reach
> current.cvd.clamav.net. Please advise.
>
> ===SNIP===
> [EMAIL PROTECTED] root]# dig current.cvd.clamav.net txt
>
> ; <<>> DiG 9.2.4 <<>> current.cvd.clamav.net txt
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35447
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;current.cvd.clamav.net.        IN      TXT
>
> ;; ANSWER SECTION:
> current.cvd.clamav.net. 900     IN      TXT     "0.85.1:31:882:1116329341:0"
>
> ;; Query time: 1482 msec
> ;; SERVER: 202.136.64.52#53(202.136.64.52)
> ;; WHEN: Tue May 17 19:54:59 2005
> ;; MSG SIZE  rcvd: 79

This looks fine to me. My DNS servers were messing up the expiration
time (900 seconds right here, as it should be...).

In my freshclam.conf, I have a section that says:

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. We highly recommend enabling
# this option.
# Default: disabled
DNSDatabaseInfo current.cvd.clamav.net

What is your configuration? Does it have a DNSDatabaseInfo directive?
Maybe you're still using a configuration file from a previous version,
from before the DNSDatabaseInfo days? (just guessing, I have no clue
what else could be happening at this point.)

-- 
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen
http://www.ha.be
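The TXT record above is what freshclam compares against before it decides whether to fall back to HTTP, so it helps to be able to read it by hand. The following shell functions are an added example written for this page, not freshclam's own code. The field layout is inferred from the record shown (0.85.1 is the current ClamAV version, 31 the main.cvd version, 882 the daily.cvd version that `clamd -V` reports elsewhere in the thread); treating the fourth field as a Unix timestamp is an assumption made here, and the three-hour threshold is the one named in freshclam's warning. The sample record is the one from Awie's dig output.

```sh
#!/bin/sh
# Added example: interpret the current.cvd.clamav.net TXT record that
# freshclam consults. Field layout (assumed here, inferred from the thread):
#   <ClamAV version>:<main.cvd version>:<daily.cvd version>:<record timestamp, Unix seconds>:...

# cvd_field RECORD N -> prints field N of the colon-separated record,
# tolerating the double quotes that dig prints around TXT data.
cvd_field() {
    rec=${1#\"}
    rec=${rec%\"}
    printf '%s\n' "$rec" | cut -d: -f"$2"
}

# cvd_record_age RECORD [NOW] -> age of the record in seconds at time NOW
# (default: the current time). Returns 2 if the timestamp field is not numeric,
# so a garbled or truncated answer is never silently treated as "fresh".
cvd_record_age() {
    stamp=$(cvd_field "$1" 4)
    now=${2:-$(date +%s)}
    case $stamp in
        ''|*[!0-9]*) echo "malformed timestamp field: '$stamp'" >&2; return 2 ;;
    esac
    echo $(( now - stamp ))
}

# cvd_record_stale RECORD [NOW] -> 0 when the record is older than three hours
# (the threshold behind the "DNS record is older than 3 hours" warning quoted
# in this thread), 1 when it is fresh, 2 on a malformed record.
cvd_record_stale() {
    age=$(cvd_record_age "$1" "$2") || return 2
    [ "$age" -gt 10800 ]
}

# cvd_daily_behind RECORD LOCAL_DAILY -> 0 when the record advertises a newer
# daily.cvd than LOCAL_DAILY, the "version:" number freshclam prints locally.
cvd_daily_behind() {
    [ "$(cvd_field "$1" 3)" -gt "$2" ]
}

# Live use (needs network access and dig; not exercised here):
#   rec=$(dig +short current.cvd.clamav.net txt)
#   if cvd_record_stale "$rec"; then
#       echo "stale TXT record: check what the local resolver is caching"
#   fi
```

A stale result from your own resolver while `dig @<some other server>` returns a fresh one is the caching problem Guy describes; a stale result everywhere, with a correct system clock, means the record itself has not been refreshed, and HTTP fallback is the right behaviour.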
Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter

On Tue, 17 May 2005, Sergey wrote:

> I've just noticed the same thing. clamd.log is made by root. But 0.84
> doesn't care about that; it works properly.

Yes -- this is what I posted about Sat morning. Previous to 0.85,
clamav-milter didn't care if it couldn't write to its log file.
Starting with 0.85, it won't run if it can't write to its log file.

Personally I don't think that's a good enough reason to not run, but
evidently people disagree, and I'm not inclined to argue about it
further.

I solved the problem here by making clamd.log owned by group clamav and
mode 660

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
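Both Petr's listing (clamd.log created 0640 root:root while clamd.conf says `User clamav`) and Chris's fix (group clamav, mode 660) come down to one question: can the account the daemon drops to write the log file, judged purely by owner, group and mode bits? The script below is an added example written for this page, not ClamAV's own code. It assumes GNU coreutils (`stat -c`) plus POSIX `id`, `cut` and `awk`; the paths in the usage comment are the ones from the thread.

```sh
#!/bin/sh
# Added example: decide whether the "User" named in clamd.conf could write the
# "LogFile" it names, using only ownership and mode bits. Root is deliberately
# not special-cased: the point is what the daemon can do after dropping privileges.

# clamd_conf_value CONF KEY -> prints the value of directive KEY, or nothing.
clamd_conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# mode_writable USER OWNER GROUP SYMBOLIC_MODE -> 0 if USER may write under
# those bits. SYMBOLIC_MODE is the ls-style string, e.g. -rw-r-----.
mode_writable() {
    user=$1 owner=$2 group=$3 mode=$4
    if [ "$user" = "$owner" ]; then
        [ "$(printf '%s' "$mode" | cut -c3)" = w ]          # owner write bit
    elif id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        [ "$(printf '%s' "$mode" | cut -c6)" = w ]          # group write bit
    else
        [ "$(printf '%s' "$mode" | cut -c9)" = w ]          # other write bit
    fi
}

# check_log_writable USER FILE -> 0 if USER may write FILE, 1 if not,
# 2 if FILE does not exist yet. Prints a one-line verdict.
check_log_writable() {
    user=$1 file=$2
    if [ ! -e "$file" ]; then
        echo "$file: missing; it will be created by whoever starts the daemon"
        return 2
    fi
    set -- $(stat -c '%U %G %A' "$file")
    if mode_writable "$user" "$1" "$2" "$3"; then
        echo "$file: $3 $1:$2 -- writable by $user"
        return 0
    fi
    echo "$file: $3 $1:$2 -- NOT writable by $user"
    return 1
}

# Usage on the setup from the thread (paths taken from the thread):
#   conf=/etc/clamd.conf
#   check_log_writable "$(clamd_conf_value $conf User)" "$(clamd_conf_value $conf LogFile)"
# A file created as -rw-r----- root:root is reported NOT writable by clamav,
# which is the condition that makes clamav-milter 0.85 refuse to start.
# Chris Candreva's fix from the thread, for that case:
#   chgrp clamav /var/log/clamav/clamd.log && chmod 660 /var/log/clamav/clamd.log
```

Run it before restarting the milter after an upgrade, or from the init script: a return value of 2 tells you the file does not exist yet, so whichever account launches clamd will own it, which is exactly how the root-owned clamd.log in Petr's listing came about.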
Re: [Clamav-users] sober.p and german adverts?

On May 17, 2005, at 2:17 AM, Alan Premselaar wrote:

> Jef Poskanzer wrote:
>> ..snip...
>>
>> And finally, if you want to run a check on the HELO string, I find
>> that just rejecting outside connections that claim a HELO of your own
>> hostname gets rid of a very high proportion of crapmail. This
>> very simple check is successful enough that I'll probably publish
>> a notme_milter at some point after spfmilter gets out of beta status.
>
> I already do this with MIMEDefang. It's proven quite effective.
>
> I don't bother with any of the other checks because they either take
> too many resources or have potentially too much collateral damage.

What I'd like is a system that takes incoming mail, strips rich
text/html and reinterprets it into plain text, strips attachments and
puts them into an ACL-controlled quarantine so users can get to them
only if they really wanted them (within X days before it's wiped from
the database and storage area) whether it's a networked fileshare or
(probably better) a website. Stick headers in as to probability of
message being spam so client filtering can work still. Have DNS lookups
on the helo string...not valid, don't take it. Maybe even do a reverse
check to see if there's a mail server on the sending system...how many
systems would break doing a check like that? Enough to be significant?
Build in some tarpitting if the same site keeps hitting users on your
site that are invalid more than X times when checking against your user
database.

How much collateral damage would a system like this cause, I wonder?

After yet another day of putting up with all this crap from viruses,
there's a part of me that wonders what would happen if someone wrote a
virus that would pull a sober.p infectinfectinfect...sleep...payload
trick where instead of turning the computer into a spambot would instead
delete some system files so Windows wouldn't boot again, forcing people
to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the problem systems.
Isn't that the primary trick being used now to spread spam and viruses?
People are clicking and running attachments from other viruses and are
clueless about NOT CLICKING RANDOM ATTACHMENTS? Although I already know
people abhor the idea and it's definitely not the first time that idea's
been entertained in some twisted form of vigilante online justice.

*sigh* too much of this stuff makes Johnny a dull boy. Need more sleep.
Re: [Clamav-users] sober.p and german adverts?

Bart Silverstrim said:
> On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
>> Most of the spam I've gotten the last three days is from comcast.net.
>> Apparently they allow their customers to send out to port 25. They
>> should lock that down so that spam goes out through their own servers
>> so they can feel the pain when they are blacklisted for incompetence.
>> If you need to run your own stand-alone mail service you should pay
>> the price for the privilege. To me, that price is learning how to do
>> it right. Price isn't always monetary.
>
> I wouldn't argue with the idea of having to tell your provider that
> you need your particular connection unfiltered and leave it unfiltered
> because you're setting up the server.

What you are paying for is their trust that you are doing your part
correctly. As an ISP my greatest investment aside from my hardware is my
IP. Anything that puts it at risk puts all at risk. Policy describes I
do all I can to protect that investment so I set the rules. I don't have
to trust my average customers because I manage the resources. If you
come to me and ask me to loosen my rules I will do that but you have to
invest in my trust in you. By requiring you to have a higher liability I
encourage you to avoid activities that put your investment in jeopardy.

Imagine I am an ISP and you are a customer and you spam the world with
your own machine, drawing attention to my IP block. As is the norm, my
IP is blacklisted and I have to go to the blacklist vendors, hat in
hand, to explain that you, not I, did the dirty deed, and that I've
pulled your account. Personally I would probably find you and kick your
ass, but technically, I could have avoided the problem by requiring you
to use my smtp server and my traffic policies. Now imagine you are one
of 25,000 customers I have to deal with. Where do you think I'm going to
put my effort?

It can be argued that true spammers are so profitable they can afford to
throw away any reasonable fees I might impose. It is certainly true, but
what I advocate is not directed at them. I'm just trying to help keep
the 99.9% honest people out there from screwing up my business because
they use a POS Windows system that even Bill Gates, Inc. can't keep
clean.

But let's get back to anti-virus issues - 0.85.1 is out and appears to
have an interesting issue with permissions and there's an easy solution.
I wonder who will find it first.

dp
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Bill Maidment said:
> Sergey wrote:
>> Hello Kritof,
>> KP> # grep User /etc/clamd.conf
>> KP> User clamav
> Shouldn't the conf files be in /usr/local/etc/ ??? That's how it works for me and my log file is owned by clamav

That is dependent upon who built the binaries and the choices they made when doing so. If this were standardized there would be fewer instances of multiple versions of libs, executables, and config files installed on systems. As a minimum, packagers should describe in their docs where things go. My guess is most noobies would still not read it, but those who try to debug the mess they have would have another tool to work with.

The lesson to learn is: know your system and don't trust packagers.

dp
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Hello,

On 17 May 2005, at 13:17, Tomasz Kojm wrote:
> On Tue, 17 May 2005 15:10:12 +0400 Sergey [EMAIL PROTECTED] wrote:
>> Hello Tomasz,
>> Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
>> TK> On Tue, 17 May 2005 11:16:54 +0400
>> TK> Sergey [EMAIL PROTECTED] wrote:
>>>> Hello clamav-users,
>>>> I've just tried to use 0.85 and 0.85.1 instead of my 0.84 but I found an error message on starting clamav-milter (Permission denied). Is there any chance to solve this little problem?
>> TK> I don't believe you've installed 0.85.1 properly.
>> What do you mean by properly? There were no errors while I was installing it. I used just the same options that I used for installing 0.84, or is there in 0.85 some new extra installation stuff that I missed?
> The only 'essential' information you have provided is that clamav-milter prints Permission denied on startup so don't expect constructive help from me.

There appears to be something not quite good happening. More information: for version v0.85 the following scenario seems consistent on my server.

clamd.conf contains:
  User clamav
  .
  LogFile /var/log/clam/clamd.log

Now:
  stop clamd
  delete /var/log/clam/clamd.log
  start clamd again

Upon restart clamd.log is created, but owned by root.

  ls -l /var/log/clam/clamd.log
  -rw-r--r--  1 root root 2675 May 17 14:42 /var/log/clam/clamd.log

(Additional information:
  ls -ld /var/log/clam/
  drwxr-xr-x  2 clamav clamav 4096 May 17 14:42 /var/log/clam/
)

> --
> Tomasz Kojm [EMAIL PROTECTED]
> http://www.ClamAV.net/gpg/tkojm.gpg
> Tue May 17 13:12:51 CEST 2005
[Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
I have recently installed Clam AV 0.85 and have downloaded the latest updates through freshclam. We are running this software on a new e-mail gateway server built with Postfix and Mandrake LE2005. Please excuse my ignorance as I am very new to this product.

My question is that with clamd running as a process and freshclam telling me that the latest updates are loaded, the test viruses sent from webmail.us are being allowed through. I believe that clamav is working as numbers 1-3, 6-12, and 13 were all blocked but the rest of the 27 files were allowed through. Am I missing something? Shouldn't clamav have a better detection rate than that? Should I be restarting the clamd process every time freshclam updates? Everything starts properly with no errors in either clamd.log or freshclam.log. Shouldn't clamav be intercepting all virus messages passing through the gateway? There is no local delivery on this server - everything is relayed to four internal mail servers.

I re-read the documentation, FAQs, and mailing list archives and didn't see much of help. Any assistance anyone can provide would be most welcome.

Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989
Re: [Clamav-users] Freshclam fall back to HTTP
> This looks fine to me. My DNS servers were messing up the expiration time (900 seconds right here, as it should be...).
> In my freshclam.conf, I have a section that says:
>   # Use DNS to verify virus database version. Freshclam uses DNS TXT records
>   # to verify database and software versions. We highly recommend enabling
>   # this option.
>   # Default: disabled
>   DNSDatabaseInfo current.cvd.clamav.net

I use a new freshclam.conf.

> -- What is your configuration? Does it have a DNSDatabaseInfo directive? Maybe you're still using a configuration file from a previous version, from before the DNSDatabaseInfo days?

Below attached are the lines in the file.

> (just guessing, I have no clue what else could be happening at this point.)

. :(

Thx Rgds,
Awie

---SNIP---
[EMAIL PROTECTED] src]# cat /usr/local/etc/freshclam.conf
##
## Example config file for freshclam
## Please read the clamav.conf(5) manual before editing this file.
## This file may be optionally merged with clamav.conf.
##

# You can change the default database directory here.
#DatabaseDirectory /var/lib/clamav

# Path to the config file (make sure it has proper permissions)
#UpdateLogFile /var/log/freshclam.log

# Enable verbose logging.
#LogVerbose

# By default when freshclam is started by root it drops privileges and
# switches to the clamav user. You can change this behaviour here.
#DatabaseOwner clamav

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# Default: enabled, pointing to current.cvd.clamav.net
DNSDatabaseInfo current.cvd.clamav.net

# The main database mirror is database.clamav.net (this is a round-robin
# DNS that points to many mirrors on the world) and in most cases you
# SHOULD NOT change it.
DatabaseMirror db.sg.clamav.net
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
MaxAttempts 3

# How often check for a new database. We suggest checking for it every
# two hours.
Checks 12

# Proxy settings
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# Send the RELOAD command to clamd.
#NotifyClamd [/optional/config/file/path]

# Run command after database update.
#OnUpdateExecute command

# Run command if database update failed.
#OnErrorExecute command
Re: Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Christopher X. Candreva said:
> On Tue, 17 May 2005, Sergey wrote:
>> I've just noticed the same thing. clamd.log is made by root. But 0.84 doesn't care about that; it works properly.
> Yes -- this is what I posted about Sat morning. Previous to 0.85, clamav-milter didn't care if it couldn't write to its log file. Starting with 0.85, it won't run if it can't write to its log file. Personally I don't think that's a good enough reason to not run, but evidently people disagree, and I'm not inclined to argue about it further.
> I solved the problem here by making clamd.log owned by group clamav and mode 660.

You will have solved the problem only if you put this procedure in your startup scripts and any tools that rotate your logs.

dp
Re: Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Sergey said:
> Hello Andrzej,
> Tuesday, May 17, 2005, 3:52:31 PM, you wrote:
> AZ> Sergey wrote:
> AZ> [...]
> AZ> -rw-r-----  1 root clamav 1265 May 17 15:40 clamd.log
> AZ>                ^^
> AZ> How can clamd (in reality user clamav.clamav) write to this file??
> AZ> [...]
> I've no idea, but 0.84 does. I've just found a solution. If clamd makes clamd.log it's useless to change the permissions. So before running clamd and so on I did touch clamd.log and then set all the permissions that are needed. Now it works.

We have a winner! Now if you put that in your startup script and log rotation tool you'll have the job finished.

dp
Re: Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
On Tue, 17 May 2005, Dennis Peterson wrote:
> You will have solved the problem only if you put this procedure in your startup scripts and any tools that rotate your logs.

Gee, I wish I had already posted that -- oh wait, I did.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] Freshclam fall back to HTTP
On Tue, 2005-05-17 at 15:09, Awie wrote:
> I use a new freshclam.conf.
>> -- What is your configuration? Does it have a DNSDatabaseInfo directive? Maybe you're still using a configuration file from a previous version, from before the DNSDatabaseInfo days?
> Below attached are the lines in the file.

All is looking good as far as I'm concerned. I would start sniffing on your server (with ethereal) to see what's happening on the wire. Any experience with that?

--
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen
http://www.ha.be
Re[4]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Hello Dennis,

Tuesday, May 17, 2005, 5:11:43 PM, you wrote:

DP> Sergey said:
DP> > Hello Andrzej,
DP> > Tuesday, May 17, 2005, 3:52:31 PM, you wrote:
DP> > AZ> Sergey wrote:
DP> > AZ> [...]
DP> > AZ> -rw-r-----  1 root clamav 1265 May 17 15:40 clamd.log
DP> > AZ>                ^^
DP> > AZ> How can clamd (in reality user clamav.clamav) write to this file??
DP> > AZ> [...]
DP> > I've no idea, but 0.84 does. I've just found a solution. If clamd makes clamd.log it's useless to change the permissions. So before running clamd and so on I did touch clamd.log and then set all the permissions that are needed. Now it works.
DP> We have a winner! Now if you put that in your startup script and log
DP> rotation tool you'll have the job finished.

Why is that? If I restart clamd it's not going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that.

--
Best regards,
Sergey mailto:[EMAIL PROTECTED]
Re: Re[2]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Christopher X. Candreva said:
> On Tue, 17 May 2005, Dennis Peterson wrote:
>> You will have solved the problem only if you put this procedure in your startup scripts and any tools that rotate your logs.
> Gee, I wish I had already posted that -- oh wait, I did.

Not completely, and not at the point at which I was responding. But good for you anyway.

dp
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Dennis Peterson wrote:
> Bill Maidment said:
>> Sergey wrote:
>>> Hello Kritof,
>>> KP> # grep User /etc/clamd.conf
>>> KP> User clamav
>> Shouldn't the conf files be in /usr/local/etc/ ??? That's how it works for me and my log file is owned by clamav
> That is dependent upon who built the binaries and the choices they made when doing so. If this were standardized there would be fewer instances of multiple versions of libs, executables, and config files installed on systems. As a minimum, packagers should describe in their docs where things go. My guess is most noobies would still not read it, but those who try to debug the mess they have would have another tool to work with.

Agreed. Interestingly, it made me look at my setup again and, because I run Mimedefang, I have
  User defang
in my clamd.conf. clamav belongs to group defang and the log file permissions are 0660 clamav.clamav, yet it still works on every clamav version including 0.85 and 0.85.1. My brain hurts.

> The lesson to learn is: know your system and don't trust packagers.

I build clamav from source using default configure (even though I'm running Fedora 3.)

--
What's the difference between Linux and Windoze?
Linux - Thousands of programmers are working *WITH* you.
Windoze - Thousands of programmers are working *AGAINST* you.
Re: [Clamav-users] Freshclam fall back to HTTP
>> Below attached are the lines in the file.
> All is looking good as far as I'm concerned. I would start sniffing on your server (with ethereal) to see what's happening on the wire. Any experience with that?

I have never used Ethereal (for Linux) before. However, I will learn how to use it. I will inform you when I am ready. Thanks for your kind help.

Thx Rgds,
Awie
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Sergey wrote:
> Hello Dennis,
> Tuesday, May 17, 2005, 5:11:43 PM, you wrote:
> DP> Sergey said:
> DP> > Hello Andrzej,
> DP> > Tuesday, May 17, 2005, 3:52:31 PM, you wrote:
> DP> > AZ> Sergey wrote:
> DP> > AZ> [...]
> DP> > AZ> -rw-r-----  1 root clamav 1265 May 17 15:40 clamd.log
> DP> > AZ>                ^^
> DP> > AZ> How can clamd (in reality user clamav.clamav) write to this file??
> DP> > AZ> [...]
> DP> > I've no idea, but 0.84 does. I've just found a solution. If clamd makes clamd.log it's useless to change the permissions. So before running clamd and so on I did touch clamd.log and then set all the permissions that are needed. Now it works.
> DP> We have a winner! Now if you put that in your startup script and log
> DP> rotation tool you'll have the job finished.
> Why is that? If I restart clamd it's not going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that.

Maybe that's because clamav couldn't write to it ;)

Regardless, this is a workaround not a solution. The logfile should not be created with root owner to begin with.

-Jim
Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
> I have recently installed Clam AV 0.85 and have downloaded the latest updates through freshclam. We are running this software on a new e-mail gateway server built with Postfix and Mandrake LE2005. Please excuse my ignorance as I am very new to this product.
> My question is that with clamd running as a process and freshclam telling me that the latest updates are loaded, the test viruses sent from webmail.us are being allowed through. I believe that clamav is working as numbers 1-3, 6-12, and 13 were all blocked but the rest of the 27 files were allowed through. Am I missing something? Shouldn't clamav have a better detection rate than that? Should I be restarting the clamd process every time freshclam updates? Everything starts properly with no errors in either clamd.log or freshclam.log. Shouldn't clamav be intercepting all virus messages passing through the gateway? There is no local delivery on this server - everything is relayed to four internal mail servers.
> I re-read the documentation, FAQs, and mailing list archives and didn't see much of help. Any assistance anyone can provide would be most welcome.

There is something wrong with your configuration. Probably something related to the way you have plugged clam and postfix together.

-trog
Re: [Clamav-users] Freshclam fall back to HTTP
On Tue, 2005-05-17 at 15:34, Awie wrote:
>> All is looking good as far as I'm concerned. I would start sniffing on your server (with ethereal) to see what's happening on the wire. Any experience with that?
> I have never used Ethereal (for Linux) before. However, I will learn how to use it.

One last hint: use a filter like udp port 53 to see only dns traffic. Otherwise you will probably get lots and lots of noise.

> I will inform you when I am ready. Thanks for your kind help.

Good luck!

--
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen
http://www.ha.be
Re: Re[4]: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Sergey said:
> Hello Dennis,
> Tuesday, May 17, 2005, 5:11:43 PM, you wrote:
> DP> Sergey said:
> DP> > Hello Andrzej,
> DP> > Tuesday, May 17, 2005, 3:52:31 PM, you wrote:
> DP> > AZ> Sergey wrote:
> DP> > AZ> [...]
> DP> > AZ> -rw-r-----  1 root clamav 1265 May 17 15:40 clamd.log
> DP> > AZ>                ^^
> DP> > AZ> How can clamd (in reality user clamav.clamav) write to this file??
> DP> > AZ> [...]
> DP> > I've no idea, but 0.84 does. I've just found a solution. If clamd makes clamd.log it's useless to change the permissions. So before running clamd and so on I did touch clamd.log and then set all the permissions that are needed. Now it works.
> DP> We have a winner! Now if you put that in your startup script and log
> DP> rotation tool you'll have the job finished.
> Why is that? If I restart clamd it's not going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that.
> --
> Best regards,
> Sergey mailto:[EMAIL PROTECTED]

Many suggestions are applicable in the general sense and are good practice. Not all apply specifically to any single environment. You're lucky to have a low-demand system, Sergey.

dp
[Clamav-users] clamav-milter and key --max-children
Hello,

1. Why does clamav-milter ignore the key --max-children=N? I start with key --max-children=5, but I receive:

  # pstree
  init-+-atd
       |-bdaemon
       |-bdflush
       |-bserver
       |-clamav-milter---clamav-milter---16*[clamav-milter]

2. /usr/local/clamav/sbin/clamav-milter -h|grep Maximum
     --max-childen -m  Maximum number of concurrent scans.
   Typing error?

version clamav 0.85.1

--
Andrey Nekrasov
[EMAIL PROTECTED] | http://www.design.ru
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
On Tue, May 17, 2005 at 01:17:34PM +0200, Tomasz Kojm said:
> The only 'essential' information you have provided is that clamav-milter prints Permission denied on startup so don't expect constructive help from me.

The problem here is that clamav opens/creates the log at clamd/clamd.c:144, but only drops privileges to the user specified by the User directive at clamd/clamd.c:235. It would perhaps be better if this privilege drop happened earlier, before opening the logfile.

I have never noticed this behavior, as the set up scripts and log rotate scripts I use always touch the logfile and give it appropriate permissions. Since the milter never complained about log file permissions until recently, I guess no one else noticed it either.

--
Stephen Gran | [EMAIL PROTECTED] | http://www.lobefin.net/~steve
"Patience is a minor form of despair, disguised as virtue." -- Ambrose Bierce, on qualifiers
Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
> I have recently installed Clam AV 0.85 and have downloaded the latest updates through freshclam. We are running this software on a new e-mail gateway server built with Postfix and Mandrake LE2005. Please excuse my ignorance as I am very new to this product.
> My question is that with clamd running as a process and freshclam telling me that the latest updates are loaded, the test viruses sent from webmail.us are being allowed through. I believe that clamav is working as numbers 1-3, 6-12, and 13 were all blocked but the rest of the 27 files were allowed through. Am I missing something? Shouldn't clamav have a better detection rate than that? Should I be restarting the clamd process every time freshclam updates? Everything starts properly with no errors in either clamd.log or freshclam.log. Shouldn't clamav be intercepting all virus messages passing through the gateway? There is no local delivery on this server - everything is relayed to four internal mail servers.
> I re-read the documentation, FAQs, and mailing list archives and didn't see much of help. Any assistance anyone can provide would be most welcome.

On my system, only #24 and #25 make it through ... both of which don't have a test virus in them :)

--
Ken Jones
RE: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
Do you by chance know of any resources that I could look at that would outline how to plug the two together?

Thanks!

Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Trog
Sent: Tue 5/17/2005 9:44 AM
To: ClamAV users ML
Subject: Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
> I have recently installed Clam AV 0.85 and have downloaded the latest updates through freshclam. We are running this software on a new e-mail gateway server built with Postfix and Mandrake LE2005. Please excuse my ignorance as I am very new to this product.
> My question is that with clamd running as a process and freshclam telling me that the latest updates are loaded, the test viruses sent from webmail.us are being allowed through. I believe that clamav is working as numbers 1-3, 6-12, and 13 were all blocked but the rest of the 27 files were allowed through. Am I missing something? Shouldn't clamav have a better detection rate than that? Should I be restarting the clamd process every time freshclam updates? Everything starts properly with no errors in either clamd.log or freshclam.log. Shouldn't clamav be intercepting all virus messages passing through the gateway? There is no local delivery on this server - everything is relayed to four internal mail servers.
> I re-read the documentation, FAQs, and mailing list archives and didn't see much of help. Any assistance anyone can provide would be most welcome.

There is something wrong with your configuration. Probably something related to the way you have plugged clam and postfix together.

-trog
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Jim Maul said:
>> DP> We have a winner! Now if you put that in your startup script and log
>> DP> rotation tool you'll have the job finished.
>> Why is that? If I restart clamd it's not going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that.
> Maybe that's because clamav couldn't write to it ;)
> Regardless, this is a workaround not a solution. The logfile should not be created with root owner to begin with.
> -Jim

That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding.

Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin.

dp
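The pre-start check Dennis describes (directory present, no directory masquerading as the log, file created and handed to the daemon user before clamd ever opens it, everything verified rather than assumed), written out as an added example for this thread; it is not ClamAV's code or any poster's script. It uses the thread's /var/log/clam/clamd.log and user clamav; the function name and the clamd path in the usage stanza are assumptions.

```shell
#!/bin/sh
# ensure_clamd_log LOGFILE USER GROUP MODE
# Added example (not ClamAV's own code). Creates LOGFILE ahead of clamd so
# that root, not the daemon, decides who owns it, then verifies the result.
# Returns 0 when LOGFILE is a regular file owned by USER:GROUP with MODE,
# 1 (with a message on stderr) otherwise, so an init script can refuse to
# start clamd on a misconfigured log. Same idea applies to the logrotate
# "create" directive: the rotated-in file must get USER:GROUP and MODE too.
ensure_clamd_log() {
    logfile=$1 user=$2 group=$3 mode=$4
    logdir=$(dirname "$logfile")

    # 1. The log directory must exist and actually be a directory.
    if [ ! -d "$logdir" ]; then
        echo "ensure_clamd_log: $logdir is not a directory" >&2
        return 1
    fi

    # 2. A directory (or socket, fifo...) named clamd.log would make clamd
    #    fail later with a confusing error; refuse it here.
    if [ -e "$logfile" ] && [ ! -f "$logfile" ]; then
        echo "ensure_clamd_log: $logfile exists but is not a regular file" >&2
        return 1
    fi

    # 3. Create the file now (typically as root at boot) so the daemon
    #    never creates it as root before dropping privileges.
    if [ ! -f "$logfile" ]; then
        touch "$logfile" || return 1
    fi
    chown "$user:$group" "$logfile" || return 1
    chmod "$mode" "$logfile" || return 1

    # 4. Verify instead of trusting chown/chmod: POSIX find prints the path
    #    only if owner, group and the exact permission bits all match.
    if [ -z "$(find "$logfile" -user "$user" -group "$group" -perm "$mode")" ]; then
        echo "ensure_clamd_log: $logfile is not $user:$group mode $mode" >&2
        return 1
    fi

    # 5. When root, confirm the daemon user can really write the file; this
    #    catches a directory the user cannot traverse or an ACL in the way.
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$user" -c "test -w '$logfile'" || {
            echo "ensure_clamd_log: $user cannot write $logfile" >&2
            return 1
        }
    fi
    return 0
}

# Typical use from an init script; only runs when invoked with --run.
# /usr/local/sbin/clamd is an assumed install path.
if [ "${1:-}" = "--run" ]; then
    ensure_clamd_log /var/log/clam/clamd.log clamav clamav 0640 || exit 1
    exec /usr/local/sbin/clamd
fi
```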
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 8:48 AM, Dennis Peterson wrote:
> Bart Silverstrim said:
>> To me, that price is learning how to do it right. Price isn't always monetary. I wouldn't argue with the idea of having to tell your provider that you need your particular connection unfiltered and leave it unfiltered because you're setting up the server.
> What you are paying for is their trust that you are doing your part correctly.

I'm not sure of that...maybe that's your relationship with your provider, but I know what I was looking for when I bought access :-)

> As an ISP my greatest investment aside from my hardware is my IP. Anything that puts it at risk puts all at risk.

Your intellectual property? Or do you mean your address?

> Policy describes I do all I can to protect that investment so I set the rules. I don't have to trust my average customers because I manage the resources.

And vice-versa. If you want to offload the responsibility and liability. I'm telling you there are people who don't want that, and if they're willing to shoulder the burden it should be shifted to them.

Second, as a business, businesses cater to market desires. If you don't want to do that then that's your business. You probably won't lose a huge number of people because of it but there are some that would leave if they couldn't find a solution that fits them. Most businesses understand that there's a balance...give customers what they want, and they will be your customers instead of your competitor's. Other businesses don't really care or don't want to serve that kind of market.

> If you come to me and ask me to loosen my rules I will do that but you have to invest in my trust in you. By requiring you to have a higher liability I encourage you to avoid activities that put your investment in jeopardy.

*shrug* fine with me. :-)

> Imagine I am an ISP and you are a customer and you spam the world with your own machine, drawing attention to my IP block. As is the norm, my IP is blacklisted and I have to go to the blacklist vendors, hat in hand, to explain that you, not I, did the dirty deed, and that I've pulled your account. Personally I would probably find you and kick your ass, but technically, I could have avoided the problem by requiring you to use my smtp server and my traffic policies.

Ahh...see...there are other things that can draw unwanted attention. And while using just your resources may be one way to prevent the problem, there are others as well, and it's not a guarantee that you'll be entirely protected still. There are trojans now spamming through the legit servers now. Blocking ports can have oddball side effects...secondary collateral damage. Not always significant, but non-blocking is one less thing to worry about.

And why must I trust you? Is there something else you're doing to the email that I don't know about? After all, you could be subpoenaed into handing over copies of my email to other people without my knowledge or permission. What if I want to have my email stored on my servers with my own resources instead? Unless you're covering something up, perhaps?

So if you're going to shoulder the burden of protecting me from my own stupidity to keep yourself looking better and off lists, what else are you going to block or monitor? I mean, RIAA surely must be knocking at your door if you have more than a hundred users out there. So you block those ports too? Monitor for any and all programs that can be used for file sharing? Mandatory website traffic blocking to prevent porn from hitting the end user? Maybe you could require users to only run Linux or OS X, immune to most attacks and thus making your network better and safer? Or probe your customer's systems to see that they have the latest updates, and if not, cut off access at your router and have them redirected to a site that has the latest updates for Windows and not allow access until the updates are installed? There are some colleges that take that approach. I wouldn't want the liability of forcing a customer to update to the latest service pack and possibly having it keep them from booting or wiping some data, but hey, to each their own.

> Now imagine you are one of 25,000 customers I have to deal with. Where do you think I'm going to put my effort?

Serving the customer the service they want? :-) If I don't want anything other than access, that's all I'm looking for. I don't want to pay for blocking, filtering, or storage space on your servers.

> It can be argued that true spammers are so profitable they can afford to throw away any reasonable fees I might impose.

Considering that they're A) using zombied Wintel crap to spam and/or B) using foreign soil systems to spam, I don't think that's the problem.

> It is certainly true, but what I advocate is not directed at them. I'm just trying to help keep the 99.9% honest people out there from screwing up my business because they use a POS Windows system that even
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Stephen Gran said:
> On Tue, May 17, 2005 at 01:17:34PM +0200, Tomasz Kojm said:
>> The only 'essential' information you have provided is that clamav-milter prints Permission denied on startup so don't expect constructive help from me.
> The problem here is that clamav opens/creates the log at clamd/clamd.c:144, but only drops privileges to the user specified by the User directive at clamd/clamd.c:235. It would perhaps be better if this privilege drop happened earlier, before opening the logfile.
> I have never noticed this behavior, as the set up scripts and log rotate scripts I use always touch the logfile and give it appropriate permissions. Since the milter never complained about log file permissions until recently, I guess no one else noticed it either.

I think it would be better if clamd, like syslogd, didn't create the file at all. End of problem.

dp
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Dennis Peterson wrote:
> Jim Maul said:
>>>> DP> We have a winner! Now if you put that in your startup script and log
>>>> DP> rotation tool you'll have the job finished.
>>>> Why is that? If I restart clamd it's not going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that.
>> Maybe that's because clamav couldn't write to it ;)
>> Regardless, this is a workaround not a solution. The logfile should not be created with root owner to begin with.
>> -Jim
> That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding.
> Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin.

No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right.

-Jim
[Clamav-users] AES encrypted zips causing scan error
Hi All,

WinZip 9 256-bit AES encrypted zip files cause errors [tested against 0.85.1]. We're calling clam from MIMEDefang and the scan returns an error. Other encrypted zip files scan OK. Is there any way round this, as we have users wanting to get these files through?

Thanks,
Chris

LibClamAV debug: Loading databases from /usr/local/clamav-0.85.1/share/clamav
LibClamAV debug: Loading /usr/local/clamav-0.85.1/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/COPYING
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.db
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.ndb
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.zmd
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.fp
LibClamAV debug: Loading databases from /tmp/clamav-9ed9a4f6e5fc39f3
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.ndb
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.zmd
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.fp
LibClamAV debug: Loading /usr/local/clamav-0.85.1/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 42269589481f2dbe16f277ce58a5a080
LibClamAV debug: Decoded signature: 42269589481f2dbe16f277ce58a5a080
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/COPYING
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.db
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.ndb
LibClamAV debug: Loading databases from /tmp/clamav-3181b9a816c26648
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.db
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.hdb
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.ndb
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: A File.txt, crc32: 0x0, encrypted: 1, compressed: 4921, normal: 43378, method: 99, ratio: 8 (max: 250)
LibClamAV debug: ZzipLib: Unsupported compression mode (99)
LibClamAV debug: Zip: Can't open file A File.txt
LibClamAV debug: Calculated MD5 checksum: aa70e748d4c68d5a337cca261693bfea
problem.ZIP: Zip module failure
LibClamAV debug: Recognized ZIP file
LibClamAV debug: Calculated MD5 checksum: aa70e748d4c68d5a337cca261693bfea
problem.ZIP: OK

--- SCAN SUMMARY ---
Known viruses: 34399
Engine version: 0.85.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Time: 0.804 sec (0 m 0 s)
___ http://lurker.clamav.net/list/clamav-users.html
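Method 99 in the debug line above is WinZip's marker for an AES-encrypted entry (the real compression method and the key size live in a 0x9901 extra field), which is why the engine reports an unsupported compression mode: it cannot see the content, so the gateway has to decide what to do with archives it cannot inspect. The block below is an added example, not ClamAV code or anything from the original post. It reads a ZIP's central directory and reports, per entry, whether it is unencrypted, ZipCrypto-encrypted or WinZip-AES-encrypted (and at what strength), and whether a scanner that only unpacks stored and deflated data could open it. The set of unpackable methods, the sample archive and its entry names are constructed for this example.

```python
# Added example (not ClamAV code): read a ZIP central directory and report which
# entries a scanner that only unpacks stored/deflated data can actually inspect.
# Layouts follow the PKWARE APPNOTE; extra field 0x9901 is WinZip's AES (AE-x) header.
import io
import struct
import zipfile
import zlib

AES_EXTRA_ID = 0x9901
METHOD_AES = 99                  # "compression method" WinZip uses to signal AES
AES_STRENGTH = {1: 128, 2: 192, 3: 256}
UNPACKABLE_METHODS = {0, 8}      # assumption: store and deflate are what the scanner handles


def _extra_fields(extra):
    """Yield (header_id, payload) for each field in a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def inspect_zip(data):
    """Return one dict per central-directory entry: name, method, encryption scheme,
    and whether the content is scannable (unencrypted and in an unpackable method)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header at offset %d" % pos)
        (flags, method, _t, _d, crc, csize, usize,
         nlen, xlen, clen) = struct.unpack_from("<HHHHIIIHHH", data, pos + 8)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        info = {"name": name, "method": method, "crc32": crc,
                "compressed": csize, "uncompressed": usize, "encrypted": bool(flags & 1)}
        if method == METHOD_AES:
            aes = dict(_extra_fields(extra)).get(AES_EXTRA_ID)
            if aes is None or len(aes) < 7 or aes[2:4] != b"AE":
                raise ValueError("method 99 without a WinZip AES extra field: %r" % name)
            version, _vendor, strength, actual = struct.unpack("<H2sBH", aes[:7])
            # AE-2 stores crc32 = 0, which is why the debug line above shows "crc32: 0x0".
            info.update(scheme="winzip-aes", aes_version="AE-%d" % version,
                        aes_bits=AES_STRENGTH.get(strength), actual_method=actual)
        elif flags & 1:
            info.update(scheme="zipcrypto", actual_method=method)   # legacy PKWARE encryption
        else:
            info.update(scheme="none", actual_method=method)
        info["scannable"] = info["scheme"] == "none" and method in UNPACKABLE_METHODS
        entries.append(info)
        pos += 46 + nlen + xlen + clen
    return entries


def unscannable_names(entries):
    """Names a gateway has to make a policy decision about: their content cannot be inspected."""
    return [e["name"] for e in entries if not e["scannable"]]


def readable_by_zipfile(data, name):
    """Cross-check: let the standard library read an unencrypted member of the same archive."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


def build_sample_zip():
    """Constructed test archive: a plain deflated entry, a ZipCrypto entry and a WinZip
    AES-256 AE-2 entry (method 99). Encrypted bodies are dummy bytes; the headers are real."""
    text = b"hello clamav\n"
    raw_deflate = zlib.compress(text)[2:-4]          # strip zlib header and adler32
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    specs = [  # (name, method, flags, body, crc32, uncompressed size, extra)
        (b"readme.txt", 8, 0, raw_deflate, zlib.crc32(text), len(text), b""),
        (b"legacy.doc", 8, 1, b"\0" * 40, 0x12345678, 100, b""),
        (b"A File.txt", METHOD_AES, 1, b"\0" * 64, 0, 43378, aes_extra),
    ]
    local = central = b""
    for name, method, flags, body, crc, usize, extra in specs:
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                             crc, len(body), usize, len(name), len(extra)) + name + extra + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, crc, len(body), usize, len(name), len(extra),
                               0, 0, 0, 0, offset) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(specs), len(specs),
                       len(central), len(local), 0)
    return local + central + eocd
```

Run against the constructed archive, `inspect_zip` classifies `readme.txt` as scannable, `legacy.doc` as ZipCrypto and `A File.txt` as WinZip AES-256 (AE-2, crc32 0, real method deflate), and `unscannable_names` returns the last two; that list is the input to whatever policy the gateway applies to archives it cannot look inside (reject, quarantine, or pass with a warning header).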
Re: [Clamav-users] sober.p and german adverts?
On Tue, 17 May 2005, Bart Silverstrim wrote: After yet another day of putting up with all this crap from viruses, there's a part of me that wonders what would happen if someone wrote a virus that would pull a sober.p infectinfectinfect...sleep...payload trick where instead of turning the computer into a spambot would instead delete some system files so Windows wouldn't boot again, forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the problem systems. Isn't that the primary trick being used now to spread spam and viruses? People are clicking and running attachments from other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS? Although I already know people abhor the idea and it's definitely not the first time that idea's been entertained in some twisted form of vigilante online justice. Would the person who implements this do me a favor and make the virus pretend to be a viagra spam? If we format the hard drives of people that buy from spammers, and the media picks up on it, then everyone will be informed of how dangerous spam is. Nobody will click it anymore, and spammer profits will plummet. This has a very real chance of eliminating the spam problem. Kill two birds with one stone... I like it. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] Clam AV allows e-mail fromwww.webmail.us/testv irus through?
Douglas Ward asked: Do you by chance know of any resources that I could look at that would outline how to plug the two together? Thanks! Have a look at MailScanner (http://www.mailscanner.info). Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!
Hi everybody,

I first posted this a week ago, but I still have not found a solution. Since v0.84, I've been receiving various obviously crafted mails that contain viruses, but pass through clamav-milter OK. However, when I save the mail and scan the mbox file with clamdscan (not clamscan), Worm.Bagz.D is found. When I submit the contaminated mailbox (http://users.auth.gr/~apap/spurious-viral-mbox) to www.clamav.net, I get the expected response "clamav already recognizes the content you submitted, there is no reason to resubmit it".

It seems that when the crafted mail is sent directly to my mail server (now sendmail 8.13.4, clamav-milter 0.85, ClamAV 0.85.1/882/Tue May 17 09:48:03 2005), the mail passes through. As I have found out, if it gets relayed to another mail server with clamav, somehow the virus is then detected, but if the recipient is local, the viral mail gets through. It seems that there is something strange in the original headers that gets cleared when passing through a mail server.

Here is the raw evidence that a mail which clamdscan detects as viral passes through a clamav-milter that uses the very same clamd, at least at the first mail server in the path. Both clamdscan and the mail server's clamav-milter use the very same clamd.

$ wget -q http://users.auth.gr/~apap/spurious-viral-mbox          # Fetch a copy of my viral mail
$ clamdscan spurious-viral-mbox                                   # Check it yourself
/home/apap/spurious-viral-mbox: Worm.Bagz.D FOUND
$ /usr/sbin/sendmail -v [EMAIL PROTECTED] < spurious-viral-mbox   # Try this if you have sendmail
[EMAIL PROTECTED]... Connecting to smtp.ccf.auth.gr via relay...
220 Sendmail ESMTP Server Ready ; Tue, 17 May 2005 16:53:47 +0300 (EEST)
EHLO helios.ccf.auth.gr
250-olympos.ccf.auth.gr Hello helios.ccf.auth.gr [155.207.1.6], pleased to meet you
MAIL From:[EMAIL PROTECTED] SIZE=202598 BODY=8BITMIME
250 2.1.0 [EMAIL PROTECTED]... Sender ok
RCPT To:[EMAIL PROTECTED]
DATA
250 2.1.5 [EMAIL PROTECTED]... Recipient ok
354 Enter mail, end with "." on a line by itself
.
250 2.0.0 j4HDrlkc007312 Message accepted for delivery
[EMAIL PROTECTED]... Sent (j4HDrlkc007312 Message accepted for delivery)
Closing connection to smtp.ccf.auth.gr
QUIT
221 2.0.0 olympos.ccf.auth.gr closing connection

-- 
Apostolis Papayanakis [EMAIL PROTECTED], 2310-998416

On Wed, 11 May 2005, Apostolos Papayanakis wrote:

Hi everybody,

I've received more than twenty profoundly viral mails since last night. They passed, without being stopped, through our sendmail & Clamav (ClamAV 0.84/875/Tue May 10 14:27:59 2005 + clamav-milter 0.84e). However, if I save each of these viral mails in a separate mbox, clamdscan with the same definitions can suddenly detect Worm.Bagz.D in them. It seems that clamav-milter cannot handle these mails correctly, and misses something while communicating (externally) with clamd.

I should mention that the mbox contains an attachment BASE64 encoded in long lines of 2048 bytes(!), a mangled date header and a crafted filename with lots of spaces, e.g.: help.doc .exe

I cannot submit the viral mbox on www.clamav.net, because it says that the virus is already detected. Is this a wide-spread problem?

Apostolis Papayanakis

p.s. Here follows a part of the mailbox that passes through our mail server and is detected as Worm.Bagz.D by clamdscan (a prefix character is added at the start of each line to avoid being detected as a broken executable by clamd):

---
From [EMAIL PROTECTED] Wed May 11 03:02:23 2005
Received: from 127.0.0.1 ([211.191.198.7]) by olympos.ccf.auth.gr (8.13.3/8.13.3) with ESMTP id j4B02EsG013745 for [EMAIL PROTECTED]; Wed, 11 May 2005 03:02:15 +0300 (EEST)
Message-Id: [EMAIL PROTECTED]
SUBJECT: text
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: [[ =BC=F6, 11 5 2005 =BF=C0=C0=FC 9:02:24 ]]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=bound--
X-Virus-Scanned: ClamAV version 0.84, clamav-milter version 0.84e on antivirus1.ccf.auth.gr
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.2-gr1 (2004-11-16) on helios.ccf.auth.gr
X-Spam-Level: *
X-Spam-Status: No, score=5.7 required=7.0 tests=BAYES_50,FORGED_HOTMAIL_RCVD2,HEAD_ILLEGAL_CHARS,INVALID_DATE,MSGID_FROM_MTA_ID,NO_REAL_NAME,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.2-gr1
Status: R
Content-Length: 207546
X-Keywords:

--bound--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,
What version of windows you are using? This last document I received from you came out weird. Please see the attached word file and resend the file to me.
Many thanks,
User

--bound--
Content-Type: application/x-msdownload; name=help.doc .exe
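The three traits the post above calls out (a filename padded with spaces so the real .exe extension sits far from the decoy .doc, Base64 lines of 2048 characters instead of the 76 RFC 2045 allows, and a Date header that does not parse) are each cheap to check for on the gateway, independently of signature matching. The block below is an added example, not code from the poster or from ClamAV/clamav-milter; the message it parses is constructed to mirror the quoted mbox (ASCII stand-ins replace the non-ASCII bytes in the Date header, the attachment body is an inert placeholder), and the list of executable extensions is an assumption.

```python
# Added example (not ClamAV or clamav-milter code): heuristic checks for the traits of
# the crafted mail described above: a filename whose real extension is hidden behind
# whitespace padding, Base64 lines far longer than RFC 2045's 76-character limit, and a
# Date header that does not parse. The sample message is constructed for this example.
import base64
import email
import email.utils
import re

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumption: our block list
MAX_ENCODED_LINE = 76                                               # RFC 2045 line limit


def filename_findings(name):
    """Problems with one attachment filename; [] when it looks sane or there is no name."""
    findings = []
    if not name:
        return findings
    collapsed = re.sub(r"\s+", " ", name).strip()
    _head, sep, tail = collapsed.rpartition(".")
    if sep and "." + tail.lower() in EXEC_EXTENSIONS:
        findings.append("executable-extension:." + tail.lower())
    # "help.doc      .exe": a decoy extension, padding, then the extension that actually runs.
    if re.search(r"\.\w{1,4}\s+\.\w{1,4}$", name):
        findings.append("padded-double-extension")
    return findings


def message_findings(raw):
    """Parse a raw RFC 822 message (bytes); return {'date': [...], 'parts': [...]}."""
    msg = email.message_from_bytes(raw)        # compat32 keeps the filename's inner spaces
    report = {"date": [], "parts": []}
    try:
        email.utils.parsedate_to_datetime(msg.get("Date", ""))
    except (ValueError, TypeError):            # TypeError on Python < 3.10
        report["date"].append("unparseable-date")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        entry = {"filename": name, "content_type": part.get_content_type(),
                 "findings": filename_findings(name)}
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            lines = part.get_payload().splitlines()       # still encoded, as on the wire
            entry["longest_encoded_line"] = max((len(l) for l in lines), default=0)
            if entry["longest_encoded_line"] > MAX_ENCODED_LINE:
                entry["findings"].append("overlong-base64-lines")
        report["parts"].append(entry)
    return report


def sample_message():
    """Constructed message mirroring the quoted mbox: mangled Date, padded filename,
    one 2048-character Base64 line. The attachment body is an inert placeholder."""
    blob = base64.b64encode(b"MZ" + b"\0" * 1534)          # 1536 bytes -> one 2048-char line
    return (b"From: user@example.net\r\n"
            b"To: apap@example.org\r\n"
            b"Subject: text\r\n"
            b"Date: [[ Wed, 11 5 2005 AM 9:02:24 ]]\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: multipart/mixed; boundary=bound--\r\n"
            b"\r\n"
            b"--bound--\r\n"
            b"Content-Type: text/plain; charset=us-ascii\r\n"
            b"Content-Transfer-Encoding: 7bit\r\n"
            b"\r\n"
            b"Please see the attached word file and resend it to me.\r\n"
            b"--bound--\r\n"
            b'Content-Type: application/x-msdownload; name="help.doc' + b" " * 40 + b'.exe"\r\n'
            b"Content-Transfer-Encoding: base64\r\n"
            b"\r\n" + blob + b"\r\n"
            b"--bound----\r\n")
```

`message_findings(sample_message())` flags the Date header as unparseable and the second part with all three findings while the text part gets none; a milter or MIMEDefang filter can act on those findings (reject, or strip the part) whether or not the scanner behind it recognises the payload.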
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul said:
Dennis Peterson wrote:
That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding. Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin.

No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right.

Maybe I should have said doughnut :-) I meant role. I use syslog for the log files here because I want them available to a common remote logger server for processing. Ownership is not a problem, and it's one less issue to deal with. My underlying point is that a take-charge admin would have no problem dealing with this bug.

dp
___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Problem creating temporary file
I've installed ClamAV 0.83 on an HP-UX 11.11 system. I'm running clamd, and it's communicating with MIMEDefang 2.51 via a socket. Clamd is not able to unpack tar archives or compressed files. I've set and exported the TMPDIR, TMP, and TEMP environment variables in the init script that runs clamd; I've explicitly set the TemporaryDirectory setting in clamd.conf. I'm using /var/tmp as the temporary directory, and anyone can write to it, and it has about 1.5 Gb free. I know clamd can write to /var/tmp, because it successfully unpacks the initial db stuff there on startup. I've tried running clamd in the foreground with debugging turned on, but haven't found anything helpful. Any suggestions would be greatly appreciated. Karl Boyken -- Karl Boyken, system administrator [EMAIL PROTECTED] 303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/ The U. of Iowa, Iowa City, IA 52242 319-335-2730 (voice) 319-335-3668 (fax) ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
On Tue, May 17, 2005 at 07:03:10AM -0700, Dennis Peterson said:
That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding.

On Tue, May 17, 2005 at 07:04:56AM -0700, Dennis Peterson said:
I think it would be better if clamd, like syslogd, didn't create the file at all. End of problem.

So you want either all possible checks, or no separable logging? That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion, and the rest is the job of the packager/local admin. I have to say I have never noticed this bug up until now, because the install scripts and logrotate scripts I use handle permissions in a way that allows it to work (pats self on back, and wrenches arm doing so). 5 minutes looking at the code could have avoided several hundred lines of email, methinks.
-- 
| Stephen Gran | A holding company is a thing where you |
| [EMAIL PROTECTED] | hand an accomplice the goods while the |
| http://www.lobefin.net/~steve | policeman searches you. |
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Freshclam fall back to HTTP
Hi Guy,

This is the captured text from Ethereal (text mode). I opened 2 screen consoles.

Screen 1:
[EMAIL PROTECTED] src]# tethereal -F libpcap -f udp
Capturing on eth0
0.000000 202.136.73.3 -> 202.136.64.52 DNS Standard query TXT current.cvd.clamav.net
0.707822 202.136.64.52 -> 202.136.73.3 DNS Standard query response TXT
0.708643 202.136.73.3 -> 202.136.64.52 DNS Standard query A db.sg.clamav.net
2.520258 202.136.64.52 -> 202.136.73.3 DNS Standard query response A 203.81.37.58

Screen 2:
[EMAIL PROTECTED] root]# freshclam
ClamAV update process started at Tue May 17 22:39:18 2005
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 882, sigs: 1320, f-level: 5, builder: arnaud)

Please advise.

Thx & Rgds,
Awie

----- Original Message -----
From: Guy Van Den Bergh [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, May 17, 2005 9:46 PM
Subject: Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 2005-05-17 at 15:34, Awie wrote:
All is looking good as far as I'm concerned. I would start sniffing on your server (with ethereal) to see what's happening on the wire. Any experience with that?
I never used Ethereal (for Linux) before. However, I will learn how to use it.
One last hint: use a filter like "udp port 53" to see only DNS traffic. Otherwise you will probably get lots and lots of noise.
I will inform you when I am ready. Thanks for your kind help.
Good luck!
-- 
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen
http://www.ha.be
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote:
Jim Maul said:
Dennis Peterson wrote:
That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding. Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin.
No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right.
Maybe I should have said doughnut :-) I meant role. I use syslog for the log files here because I want them available to a common remote logger server for processing. Ownership is not a problem, and it's one less issue to deal with. My underlying point is that a take-charge admin would have no problem dealing with this bug.

Indeed. I was merely trying to clarify the exact issue that other admins were having. I am not experiencing this problem myself. Mainly because I'm still using 0.84, but that's another story ;)

-Jim
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Stephen Gran said:
On Tue, May 17, 2005 at 07:03:10AM -0700, Dennis Peterson said:
That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding.
On Tue, May 17, 2005 at 07:04:56AM -0700, Dennis Peterson said:
I think it would be better if clamd, like syslogd, didn't create the file at all. End of problem.
So you want either all possible checks, or no separable logging?

Where did I say that? With syslog you touch a file and it starts logging. Simple, effective. It can be the same with clam. No local logging until you, the admin, create the file and set the needed permissions. We do it all the time.

That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion, and the rest is the job of the packager/local admin. I have to say I have never noticed this bug up until now, because the install scripts and logrotate scripts I use handle permissions in a way that allows it to work (pats self on back, and wrenches arm doing so).

That level of competence should be the norm - it's not rocket science.

5 minutes looking at the code could have avoided several hundred lines of email, methinks.

I think the coders are trying too hard to support the lower level admins. That is a thankless job. As thankless as educating them. Threads like this one do get some of them thinking, though.

dp
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Stephen Gran wrote:
...
So you want either all possible checks, or no separable logging? That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion,

might lead to problems with logging _before_ dropping privileges

and the rest is the job of the packager/local admin. I have to say I have never noticed this bug up until now, because the install scripts and logrotate scripts I use handle permissions in a way that allows it to work (pats self on back, and wrenches arm doing so). 5 minutes looking at the code could have avoided several hundred lines of email, methinks.

cheers
Erich
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Problem creating temporary file
I've installed ClamAV 0.83 on an HP-UX 11.11 system. I'm running clamd, and it's communicating with MIMEDefang 2.51 via a socket. Clamd is not able to unpack tar archives or compressed files. I've set and exported the TMPDIR, TMP, and TEMP environment variables in the init script that runs clamd; I've explicitly set the TemporaryDirectory setting in clamd.conf. I'm using /var/tmp as the temporary directory, and anyone can write to it, and it has about 1.5 Gb free. I know clamd can write to /var/tmp, because it successfully unpacks the initial db stuff there on startup. I've tried running clamd in the foreground with debugging turned on, but haven't found anything helpful. Any suggestions would be greatly appreciated. I had a similar problem. I had to make clamd run as the same user as my script. Check what user your MIMEDefang is running as. -- Kevin W. Gagel Postmaster for College of New Caledonia (250) 562-2131 loc. 448 (250) 561-5848 loc. 448 [EMAIL PROTECTED] http://www.cnc.bc.ca Anti-Spam info at: http://avas.cnc.bc.ca --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca --- ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
Stephen Gran wrote:
...
So you want either all possible checks, or no separable logging? That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion,
might lead to problems with logging _before_ dropping privileges

What, in particular, are you thinking of? If the first thing clamd does is drop privileges, there is no logging before dropping privileges. If the milter tries to log before dropping privileges (say), it will be running as root and can write to the logfile. Or am I missing something?
-- 
| Stephen Gran | Time sharing: The use of many people by |
| [EMAIL PROTECTED] | the computer. |
| http://www.lobefin.net/~steve | |
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Freshclam fall back to HTTP
THANKS A LOT to Tomasz, Guy, Daniel and others.

I decided to use NTP to sync my machine time and it works!!! Freshclam runs in DNS mode. My apologies to Tomasz for ignoring his advice to check the system time.

Again, thanks a lot.

Thx & Rgds,
Awie

----- Original Message -----
From: Daniel J McDonald [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, May 17, 2005 10:56 PM
Subject: Re: [Clamav-users] Freshclam fall back to HTTP

On Tue, 2005-05-17 at 22:39 +0800, Awie wrote:
Hi Guy, This is the captured text from Ethereal (text mode). I opened 2 screen consoles. Screen 1: [EMAIL PROTECTED] src]# tethereal -F libpcap -f udp

add -V so we can see the packet details.
-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Problem creating temporary file
Thanks. Both MIMEDefang and clamd are running as the same user, so that's not the problem. I had a similar problem. I had to make clamd run as the same user as my script. Check what user your MIMEDefang is running as. -- Karl Boyken, system administrator [EMAIL PROTECTED] 303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/ The U. of Iowa, Iowa City, IA 52242 319-335-2730 (voice) 319-335-3668 (fax) ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!
I first posted this a week ago, but I still have not found a solution. Since v0.84, I've been receiving various obviously crafted mails that contain viruses, but pass through clamav-milter ok. However, when I save the mail and scan the mbox file with clamdscan (not clamscan) Worm.Bagz.D is found.

Yeah. I too have been posting about this issue for weeks, and have been almost completely ignored. I'm happy (sort of) to see that other folks have the same problem, anyway. For me it started when I was running version 0.83, on 01 May. I'm still getting 3000 to 5000 of these false negatives per day, where my usual rate is more like a tenth of that.
--- Jef
Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: custom signature files
Jef Poskanzer wrote:
Hey, has anyone made or run across a signature file that matches all windows executables and all archive formats? Seems like this would be fairly easy to create.
--- Jef
Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/

Since not all executables and archives are malicious, ClamAV may not be the proper tool to use. If you want to handle all executables and archives regardless of content, procmail may work well for you. Googling for "sanitizer" may help as well.
-- 
Morgan Smith
Dutro Company
675 North 600 West
Logan, UT 84321
(435) 752-3922 ext.146
(435) 512-3374
[EMAIL PROTECTED]
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: custom signature files
Hey, has anyone made or run across a signature file that matches all windows executables and all archive formats? Seems like this would be fairly easy to create. Since not all executables and archives are malicious, ClamAV may not be the proper tool to use. I think ClamAV would be a fine tool to use for this. Plus the smaller and simpler signature file would make it run faster. I wouldn't expect this to get widespread use, but I suspect I'm far from the only site out there which never sends or receives any Windows files or PC executables as email. --- Jef Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/ ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote: I have recently installed Clam AV 0.85 and have downloaded the latest updates through freshclam. We are running this software on a new e-mail gateway server built with Postfix and Mandrake LE2005. How is postfix calling clamav? The Mandriva postfix rpm allows for a content filter at port 10025. Are you using amavisd-new? Or are you using some other sort of milter-like configuration with postfix? -- Daniel J McDonald, CCIE # 2495, CNX Austin Energy [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!
I tried your test and got this, so your end is NOT passing this virus through clamav-milter:

The original message was received at Tue, 17 May 2005 16:41:57 +0100 from bandsman.co.uk [127.0.0.1]

----- The following addresses had permanent fatal errors -----
[EMAIL PROTECTED]
(reason: 554 5.7.1 virus Worm.Bagz.D detected by ClamAV - http://www.clamav.net)

----- Transcript of session follows -----
... while talking to olympos.ccf.auth.gr.:
DATA
554 5.7.1 virus Worm.Bagz.D detected by ClamAV - http://www.clamav.net
554 5.0.0 Service unavailable
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Stephen Gran wrote:
On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
Stephen Gran wrote:
...
So you want either all possible checks, or no separable logging? That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion,
might lead to problems with logging _before_ dropping privileges
What, in particular, are you thinking of? If the first thing clamd does is drop privileges, there is no logging before dropping privileges. If the milter tries to log before dropping privileges (say), it will be running as root and can write to the logfile. Or am I missing something?

You could not log problems while dropping privileges; well, basically it might go to the (unwatched) console:

    /* drop privileges */
    #ifndef C_OS2
        if(geteuid() == 0 && (cpt = cfgopt(copt, "User"))) {
            if((user = getpwnam(cpt->strarg)) == NULL) {
                fprintf(stderr, "ERROR: Can't get information about user %s.\n", cpt->strarg);
                logg("!Can't get information about user %s.\n", cpt->strarg);
                exit(1);
            }

cheers
Erich
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Stephen Gran said:
On Tue, May 17, 2005 at 07:54:03AM -0700, Dennis Peterson said:
Stephen Gran said:
So you want either all possible checks, or no separable logging?
Where did I say that? With syslog you touch a file and it starts logging. Simple, effective. It can be the same with clam. No local logging until you, the admin, create the file and set the needed permissions. We do it all the time.
Of course it's trivial. As every good admin knows, though, rote tasks deserve to be automated. Since this one is basically already automated (the logg() function will create the file if it does not exist), the simplest approach would be to change the order of a few events.

That's why I'd manage it in the startup scripts. That way reliability of the process is owned by me and not subject to the vagaries of the next version release. It can't hurt.

That does seem like a rather drastic set of solutions to a trivial to fix bug. Moving about 10 lines of code will fix the bug under discussion, and the rest is the job of the packager/local admin. I have to say I have never noticed this bug up until now, because the install scripts and logrotate scripts I use handle permissions in a way that allows it to work (pats self on back, and wrenches arm doing so).
That level of competence should be the norm - it's not rocket science.
Er, yes, I think you missed the sarcasm there. It is fairly straightforward.

Just stating the obvious.

5 minutes looking at the code could have avoided several hundred lines of email, methinks.
I think the coders are trying too hard to support the lower level admins. That is a thankless job. As thankless as educating them. Threads like this one do get some of them thinking, though.
The fact that many people masquerade as admins when they shouldn't is no reason to shout down a minor bug. My point is that there are two options - fix it in the place where it happens, so everyone gets the benefits, or have everyone do the trivial workarounds. Which one sounds more reasonable to you? If you answer option b, then it sounds like you spend too much time admin'ing the simple things on your machines.

I'm not shouting down the bug - just saying that being a victim of it is unnecessary. I think it would be fine if they correct it, but... Putting this process in the startup script is a matter of reliability and repeatability, not a work-around. I'd do it even if this bug didn't exist. I'd prefer to think it's being anal, and being anal can be a good thing.

dp
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
On Tue, May 17, 2005 at 03:50:38PM +, Erich Titl said:
Stephen Gran wrote:
On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
might lead to problems with logging _before_ dropping privileges
What, in particular, are you thinking of? If the first thing clamd does is drop privileges, there is no logging before dropping privileges. If the milter tries to log before dropping privileges (say), it will be running as root and can write to the logfile. Or am I missing something?
You could not log problems while dropping privileges; well, basically it might go to the (unwatched) console:

    /* drop privileges */
    #ifndef C_OS2
        if(geteuid() == 0 && (cpt = cfgopt(copt, "User"))) {
            if((user = getpwnam(cpt->strarg)) == NULL) {
                fprintf(stderr, "ERROR: Can't get information about user %s.\n", cpt->strarg);
                logg("!Can't get information about user %s.\n", cpt->strarg);
                exit(1);
            }

No, the logg() function creates the file if it does not exist. So, if the getpwnam fails, the logg() call will still work. This one logg() call (well, and the one following this, if it fails) will still create a root owned log file, but that is basically OK in this scenario, as the local admin has clearly already goofed the install.
-- 
| Stephen Gran | If you do not think about the future, |
| [EMAIL PROTECTED] | you cannot have one. -- John |
| http://www.lobefin.net/~steve | Galsworthy |
___ http://lurker.clamav.net/list/clamav-users.html
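Stephen's point above (logg() creates the file if it is missing, so anything logged before the switch to the User from clamd.conf leaves a root-owned file the daemon later cannot write) and Dennis's preference for handling it in the startup script both come down to the same admin-side step: create the log file with the right owner and mode before the daemon starts. The block below is an added example of that step, not clamd code or anything from the thread. It refuses to follow a symlink planted in the log directory, refuses a world-writable directory without the sticky bit, and will only re-own a file that belongs to root, the target user or the caller. The user name, path and mode in the `__main__` block are assumptions standing in for the User and LogFile settings of the local clamd.conf.

```python
# Added example (not clamd code): the admin-side step discussed above, done the way a
# startup script should do it: create the log file before the daemon starts, owned by the
# unprivileged user from clamd.conf, and refuse to touch anything that is not a plain file
# we are entitled to. The user name, path and mode used in the __main__ block are assumptions.
import os
import pwd
import shutil
import stat
import tempfile


def resolve_user(name):
    """(uid, gid) for a system account such as the one named by clamd.conf's User option."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def prepare_log_file(path, uid, gid, mode=0o640):
    """Create `path` if missing and leave it owned by uid:gid with `mode`; return its stat.
    Refuses symlinks, non-regular files, unsafe parent directories and files that belong
    to some third user, so a planted link in the log directory cannot redirect the chown."""
    parent = os.path.dirname(path) or "."
    pst = os.stat(parent)
    if not stat.S_ISDIR(pst.st_mode):
        raise NotADirectoryError(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        raise PermissionError("%s is world-writable without the sticky bit" % parent)
    # O_NOFOLLOW makes open() fail (ELOOP) instead of following a symlink left at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("%s is not a regular file" % path)
        if st.st_uid not in (0, uid, os.geteuid()):
            raise PermissionError("%s is owned by uid %d, not fixing it" % (path, st.st_uid))
        if (st.st_uid, st.st_gid) != (uid, gid):
            os.fchown(fd, uid, gid)             # e.g. a root-owned file left by the buggy start
        if stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)                 # also undoes whatever the umask took away
        return os.fstat(fd)
    finally:
        os.close(fd)


def demo_in_tempdir():
    """Exercise prepare_log_file() in a scratch directory as the current user."""
    uid, gid = os.getuid(), os.getgid()
    workdir = tempfile.mkdtemp(prefix="clamd-log-demo-")
    try:
        log = os.path.join(workdir, "clamd.log")
        first = prepare_log_file(log, uid, gid)
        second = prepare_log_file(log, uid, gid)          # rerunning must be harmless
        planted = os.path.join(workdir, "planted.log")
        os.symlink(log, planted)                          # what an attacker might leave behind
        try:
            prepare_log_file(planted, uid, gid)
            symlink_refused = False
        except OSError:
            symlink_refused = True
        return {"created": stat.S_ISREG(first.st_mode),
                "mode": stat.S_IMODE(second.st_mode),
                "owner_is_target": (second.st_uid, second.st_gid) == (uid, gid),
                "symlink_refused": symlink_refused}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Assumed values; use the LogFile and User settings from your clamd.conf.
    target_uid, target_gid = resolve_user("clamav")
    print(prepare_log_file("/var/log/clamav/clamd.log", target_uid, target_gid))
```

Run as root from the init script just before clamd is started, this leaves a 0640 file owned by the daemon's user regardless of what an earlier root-owned start or a misconfigured logrotate left behind, and it fails loudly rather than chowning a file someone else put there. The same three lines of checks belong in the logrotate `create` stanza's equivalent if rotation is handled outside the script.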
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Erich Titl said: You could not log problems while dropping privileges, well basically it might go to the (unwatched) console Because I'm self-described anal, I capture my console to a file with syslog and it is watched with automation and so is syslog. Here's to anal admins and self-healing systems everywhere! dp ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: custom signature files
On May 17, 2005, at 11:28 AM, Morgan Smith wrote: Jef Poskanzer wrote: Hey, has anyone made or run across a signature file that matches all windows executables and all archive formats? Seems like this would be fairly easy to create. --- Jef Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/ Since not all executables and archives are malicious, ClamAV may not be the proper tool to use. If you want to handle all executables and archives regardless of content, procmail may work well for you. Googling for sanitizer may help as well. Maybe something like mimedefang? Haven't used it, but am considering it and read good things about it...
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Sergey wrote: KP Clamav should create log file with same owner as defined in KP clamd.conf to work it properly. I've just noticed the same thing. clamd.log is made by root. But 0.84 doesn't care about that, it works properly. The response someone posted a few days ago regarding 'software covering up sloppy administration' springs to mind regarding this. Matt
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote: Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? The sending server isn't guaranteed to be an MX, so any DNS MX or reverse connection tests would fail. Matt
Re: [Clamav-users] sober.p and german adverts?
On May 17, 2005, at 12:17 PM, Matt Fretwell wrote: Bart Silverstrim wrote: Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? The sending server isn't guaranteed to be an MX, so any DNS MX or reverse connection tests would fail. No guarantees in life :-) No matter what solution is put into place, there's going to be problems for some group that they would need to adapt to. There has to be some sensible solution that doesn't involve fifty patches and hacks and sub-scanners...
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Sergey wrote: DP We have a winner! Now if you put that in your startup script and log DP rotation tool you'll have the job finished. Why is that? If I restart clamd it isn't going to change the permissions of clamd.log. And by the way I don't need any log rotation because my clamd.log doesn't even become big or something like that. And the reply above is a perfect example of sloppy administration. Matt
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? Matt
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote: On May 17, 2005, at 12:17 PM, Matt Fretwell wrote: Bart Silverstrim wrote: Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? The sending server isn't guaranteed to be an MX, so any DNS MX or reverse connection tests would fail. No guarantees in life :-) Actually, having separate servers for incoming and outgoing mail is quite common. That's why people have tried to devise standards like RMX, SPF, Caller-Id, Sender-Id, and Domain Keys instead of just making the simple MX check you suggest. And even *those* solutions have problems. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul wrote: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. Matt
RE: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul wrote: Matt Fretwell wrote: Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ -Jim Hopefully this will help someone. I got it off the list earlier (sorry, don't remember who sent it to me originally:)

$ cat /etc/logrotate.d/clamav
/var/log/clamav/clamd.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
/var/log/clamav/freshclam.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

I use defang as a generic mail administration group, which is why that group gets read access. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote: Bart Silverstrim wrote: Maybe even do a reverse check to see if there's a mail server on the sending system...how many systems would break doing a check like that? The sending server isn't guaranteed to be an MX, so any DNS MX or reverse connection tests would fail. But that doesn't mean you can't connect to an MX for the sender's domain to confirm they exist -- that you could send mail *to* them. This is a fairly regular check some mail systems perform. I was amused by one recent system that did this against my MX but did it from a host with a name that didn't match its IP address, so mine rejected it... haha Bill
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. And the main point of my point (again with the weirdness) is that yes this should be handled by the admin, however it is indeed a (small) bug. While the situation SHOULD never come up, clamav should not attempt to create a log file which it can never write to. -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul wrote: The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. And the main point of my point (again with the weirdness) is that yes this should be handled by the admin, however it is indeed a (small) bug. While the situation SHOULD never come up, clamav should not attempt to create a log file which it can never write to. I think we have reached stalemate on this one :) Matt
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. And the main point of my point (again with the weirdness) is that yes this should be handled by the admin, however it is indeed a (small) bug. While the situation SHOULD never come up, clamav should not attempt to create a log file which it can never write to. I think we have reached stalemate on this one :) Agreed. ;) -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. dp
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul said: Dennis Peterson wrote: Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. dp
Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!
I tried your test and got this, so your end is NOT passing this virus through clamav-milter: I.e. clamav-milter works for me, therefore it works for you, therefore you are doing something else wrong. This may be true but it's far from proven. Furthermore, if Apostolos' problem is like mine, then the false-negatives have ClamAV headers added, showing that they *do* pass through clamav-milter. Here are the headers off the latest of the many thousands of examples in my non-clamav virus folder: X-Virus-Scanned: ClamAV 0.84/882/Mon May 16 23:48:03 2005 on gate.acme.com X-Virus-Status: Clean Running this file through clamscan or clamdscan shows: Worm.Bagz.E FOUND. --- Jef Jef Poskanzer [EMAIL PROTECTED] http://www.acme.com/jef/
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Dennis Peterson wrote: Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a role for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. Um, where am I making up rules? Thanks for the accusation though. And no, I can't think of why you would want to or have to run clamd as root. I run clamd as user qscand, not root, so I'm not sure what you're implying here. Thanks again, -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul said: Dennis Peterson wrote: To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. Um, where am I making up rules? Thanks for the accusation though. And no, I can't think of why you would want to or have to run clamd as root. I run clamd as user qscand, not root, so I'm not sure what you're implying here. Thanks again, -Jim You said it shouldn't log to / and there's no reason it shouldn't if that is where one wishes it to log. There's lots of reasons why that would be a bad idea, but it's an admin decision, not an application issue. Do you start clamd as root or as qscand? My point is there is, or at least can be no requirement that one start it as root and was trying to demonstrate additional administrative latitude for the reading public that isn't already put to sleep by this thread :-) If you su to qscand (in your case) it should still start and run just fine. It was just an injected factoid for thought. Many people just light things off as root and go on their way. It is frequently safer and managerially more convenient to write root scripts that su to the run-as user first, then fire off the proc (/usr/bin/su - qscand -c /usr/local/bin/blah_blah_blah). Imagine how it simplifies file ownerships. dp ... did I mention I'm anal?
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Dennis Peterson wrote: To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. Um, where am I making up rules? Thanks for the accusation though. And no, I can't think of why you would want to or have to run clamd as root. I run clamd as user qscand, not root, so I'm not sure what you're implying here. Thanks again, -Jim You said it shouldn't log to / and there's no reason it shouldn't if that is where one wishes it to log. There's lots of reasons why that would be a bad idea, but it's an admin decision, not an application issue. Do you start clamd as root or as qscand? My point is there is, or at least can be no requirement that one start it as root and was trying to demonstrate additional administrative latitude for the reading public that isn't already put to sleep by this thread :-) If you su to qscand (in your case) it should still start and run just fine. It was just an injected factoid for thought. Many people just light things off as root and go on their way. It is frequently safer and managerially more convenient to write root scripts that su to the run-as user first, then fire off the proc (/usr/bin/su - qscand -c /usr/local/bin/blah_blah_blah). Imagine how it simplifies file ownerships. dp ... did I mention I'm anal? Let me attempt to clear up any confusion (and hopefully put this thread to rest) by saying that I personally am not having any problems with clamav and I am not experiencing the logging issue that actually started this thread. I do and always have run clamav as qscand. My clamav logs are owned by qscand and everything works great.
I simply joined the conversation somewhere in the middle because something caught my attention. The fact that clamav creates its log file as root if it doesn't already exist. Why create it at all if you can't write to it? It's just silly. I'm anal as well which is why I stated that one should not tell anything to log to / or /var/log directly for that matter. I like to have all programs logging in their own directories under /var/log/. clamav is /var/log/clamav/ apache is /var/log/apache/ and so on. That was the basis for my SHOULDN'T statement above.
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
On 5/17/05, Dennis Peterson [EMAIL PROTECTED] wrote: You said it shouldn't log to / and there's no reason it shouldn't if that is where one wishes it to log. There's lots of reasons why that would be a bad idea, but it's an admin decision, not an application issue. It sounds like clam is creating the log files *before* the root startup process hands over control to the user defined in the config files. In 0.84 and prior, it sounds like there was something that handed off an open filehandle to the defined user, but that filehandle was opened by root... I'm not sure if that's possible or not, so please correct me if I'm wrong.. :) It seems that the current behaviour is more correct, but still not completely correct.. I would expect that when clamav starts, all control should be handed to the defined user immediately and then files should be created, opened, etc... It's possible that the current problems are mostly due to pre-existing logfiles that are already owned by root, as opposed to new installations. To be honest, I haven't tried a new install to see if the files are still created with improper permissions. dp ... did I mention I'm anal? Isn't anal a required attribute for those who are security conscious? ;) -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
On Tue, 17 May 2005 16:09:01 +0400 in [EMAIL PROTECTED] Sergey [EMAIL PROTECTED] wrote: i've just noticed the same thing. clamd.log is made by root. but 0.84 doesn't care about that it works properly. I have the same setup as you, but my log files are owned clamav:clamav, using an rpm install based on Petr's rpms with the 0.85.1 tarball specified in the spec file. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Jim Maul said: Let me attempt to clear up any confusion (and hopefully put this thread to rest) by saying that I personally am not having any problems with clamav and I am not experiencing the logging issue that actually started this thread. I do and always have run clamav as qscand. My clamav logs are owned by qscand and everything works great. I simply joined the conversation somewhere in the middle because something caught my attention. The fact that clamav creates its log file as root if it doesn't already exist. Why create it at all if you can't write to it? It's just silly. That doesn't happen if you start it as the run-as user. It happens if you start it as root. That is why I say this bug is not necessarily a bug, but an administrative issue. I'm anal as well which is why I stated that one should not tell anything to log to / or /var/log directly for that matter. I like to have all programs logging in their own directories under /var/log/. clamav is /var/log/clamav/ apache is /var/log/apache/ and so on. That was the basis for my SHOULDN'T statement above. And it's a good idea. Especially if you don't start clamd as root. dp
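The thread converges on three admin-side measures: pre-create the log with the run-as user's ownership (the startup-script step from Dennis Peterson's first reply and the `create 640 clamav defang` line in the logrotate snippet), verify it before starting, and launch clamd via `su` as the run-as user so root never opens the log. The script below is an added example that puts those three together; it is not ClamAV's own init script or anything posted in the thread. It assumes a clamd.conf with `User` and `LogFile` directives, a clamd binary at /usr/local/sbin/clamd, and the conf it is exercised with is constructed.

```sh
#!/bin/sh
# Added example, not ClamAV's own startup script. Pre-creates the log the way
# the thread recommends, checks it, and starts clamd as the run-as user.
# Assumed: clamd.conf has "User <name>" and "LogFile <path>" lines, and the
# binary lives at /usr/local/sbin/clamd.

# Print the value of directive $2 from clamd.conf $1 (comment lines start
# with '#', so their first field never equals a directive name).
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Make sure $1 exists, is owned by $2:$3 and has mode $4 (default 640).
# Done before the daemon starts, so root never creates the file on its behalf.
ensure_log() {
    log=$1 user=$2 group=$3 mode=${4:-640}
    dir=$(dirname "$log")
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -e "$log" ] || : > "$log" || return 1
    chown "$user:$group" "$log" || return 1
    chmod "$mode" "$log" || return 1
    # Verify rather than trust: find prints the path only if owner and mode match.
    [ -n "$(find "$log" -user "$user" -perm "$mode" 2>/dev/null)" ]
}

# True if the LogFile named in clamd.conf $1 is owned by the User named there.
# This is the pre-flight check that would have caught the "Permission denied"
# at the top of the thread before clamd was even started.
log_owner_ok() {
    user=$(conf_get "$1" User)
    log=$(conf_get "$1" LogFile)
    [ -n "$user" ] && [ -n "$log" ] &&
        [ -n "$(find "$log" -user "$user" 2>/dev/null)" ]
}

# Fix up the log, then start clamd as the configured user: su drops privileges
# before clamd opens anything, so nothing it creates can end up root-owned.
start_clamd() {
    conf=$1
    user=$(conf_get "$conf" User)
    log=$(conf_get "$conf" LogFile)
    [ -n "$user" ] && [ -n "$log" ] || return 1
    ensure_log "$log" "$user" "$(id -gn "$user")" 640 || return 1
    su - "$user" -c "/usr/local/sbin/clamd -c $conf"
}
```

Run as root from the init script as `start_clamd /etc/clamd.conf`; `log_owner_ok /etc/clamd.conf` on its own is a cheap check to drop into monitoring. The find-based verification is deliberate: chown and chmod report success on the call, but what matters is the state of the file the daemon will open, so the script asserts on that.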