Re: [Clamav-users] Using ClamAV with Dspam - how do I verify it's working?
Dennis, Chuck: Thank you - this helps. I think I have it all working now. I appreciate your help.

--Jeff

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Charles Gregory wrote:
> Non-compliant 'helo's and all that, but at least please tell me there
> isn't a 'big' company out there that is failing to handle 4xx codes
> properly (holding breath)

Try:
hotmail.com
bigpond.com
optusnet.com.au
yahoo.com [for groups particularly...]

Greylisting is working very well for me, but I must have a reasonable whitelist that excludes the above 'big' names so that they work!

Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP
Current Land Line No: 03 9912 0504
Mobile: 04 2574 1827
Fax: 03 9012 2178
National No: 1300 85 3804
Affinity Vision Australia Pty Ltd
http://www.affinityvision.com.au
http://adsl2choice.net.au
In Case of Emergency -- http://www.affinityvision.com.au/ice.html
Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Mon, 11 Aug 2008, David F. Skoll wrote:
> S:220 smtp.example.net Go ahead
> C:MAIL FROM:<[EMAIL PROTECTED]>
> S:220 Sender OK
> C:RCPT TO:<[EMAIL PROTECTED]>
> S:451 Greylisted... try again later
> C:RCPT TO:<[EMAIL PROTECTED]>
> S:451 Greylisted... try again later
> C:DATA
> S:500 Need recipient first

These same sites have problems when a primary mail server is having trouble; they never try the secondary, then complain we are 'rejecting' their mail. Not even that gets it fixed. Oh well.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
[Clamav-users] Greylisting (was Re: simplest replacement for ancient amavis-perl)
Chambers, Phil wrote:
> The greylisting scheme I have implemented works at the DATA phase. It
> uses the sender IP address (top 24 bits only), the sender e-mail address
> and header date field to form the key for the message. Once a message
> has passed the greylist test the original sender IP address (full 32
> bits) is placed in a whitelist.

That's very similar to what we do, except we use the following tuple:

(top_24_bits_of_ip_address, sender_address, recipient_addresses, hash_of_subject)

We also whitelist the (32-bit) sender IP address once it gets through, but only for 40 days.

We include the subject in the greylisting tuple because we have seen instances of spammers mutating subject lines while keeping the other information constant.

Regards,

David.
Re: [Clamav-users] simplest replacement for ancient amavis-perl
> -----Original Message-----
>
> There are some big names that play badly with greylisting. They play
> badly with greet-pause, too. A problem I've seen with greylisting is the
> round-robin MTA pool. Each is told in turn to come back later and if the
> pool is large it can take a long time to cycle through all of them. You
> have to be careful how you screen the addresses.
>
> dp

The greylisting scheme I have implemented works at the DATA phase. It uses the sender IP address (top 24 bits only), the sender e-mail address and header date field to form the key for the message. Once a message has passed the greylist test the original sender IP address (full 32 bits) is placed in a whitelist. So, a particular server only needs to demonstrate once that it re-tries and will then be let through in future.

By using the top 24 bits of the IP address in the key I hope to cope with a message being re-tried by a different MTA. I have not encountered such a problem yet.

I have had a couple of instances where there was a problem because people had written their own code on web servers. They did not re-send the same message, but re-generated it when re-trying and so gave it a new date header. In both cases they modified their code when I explained the problem.

Phil.

Phil Chambers
Postmaster
University of Exeter
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Charles Gregory wrote:
> On Mon, 11 Aug 2008, rick pim wrote:
>> > > prime advantages of greylisting -- the fact that it will never
>> > > block 'real' mail -- turns out, um, not to be true. there are so many
>> > > standards-noncompliant MTAs out there
>> .. some of the offenders are high profile, fortune-500 companies.
>
> Could I just clarify this discussion? It started out with a specific
> comment about greylisting, which I am preparing to implement. So naturally
> it concerns me as to whether these remarks about 'big name' non-compliant
> MTA's still apply specifically to greylisting. I mean, I can't really
> imagine a 'big' (fortune 500?) company having an MTA that does not attempt
> to resend mail if it gets a 400 response from another MTA. I realize they
> break all sorts of other stuff. Non-compliant 'helo's and all that, but at
> least please tell me there isn't a 'big' company out there that is failing
> to handle 4xx codes properly (holding breath)

There are some big names that play badly with greylisting. They play badly with greet-pause, too. A problem I've seen with greylisting is the round-robin MTA pool. Each is told in turn to come back later and if the pool is large it can take a long time to cycle through all of them. You have to be careful how you screen the addresses.

dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Charles Gregory wrote:
> Could I just clarify this discussion? It started out with a specific
> comment about greylisting, which I am preparing to implement. So naturally
> it concerns me as to whether these remarks about 'big name' non-compliant
> MTA's still apply specifically to greylisting. I mean, I can't really
> imagine a 'big' (fortune 500?) company having an MTA that does not attempt
> to resend mail if it gets a 400 response from another MTA.

It depends. We changed our greylisting code to greylist after DATA rather than after each RCPT after observing the following behaviour from a big-name MTA:

C:HELO
S:220 smtp.example.net Go ahead
C:MAIL FROM:<[EMAIL PROTECTED]>
S:220 Sender OK
C:RCPT TO:<[EMAIL PROTECTED]>
S:451 Greylisted... try again later
C:RCPT TO:<[EMAIL PROTECTED]>
S:451 Greylisted... try again later
C:DATA
S:500 Need recipient first

Oops! The MTA authors obviously hadn't checked their state machine carefully.

Regards,

David.
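Added example (Python, not code from David Skoll or any other poster): a DATA-phase greylister built on the tuple from his earlier message in this thread (top 24 bits of the IP, sender, recipients, hash of subject) with the 40-day whitelist of the full /32 address, and deciding once after DATA so a multi-recipient message gets a single 451 rather than one per RCPT. The 5-minute minimum retry delay and 8-hour retry window are assumptions, and IPv4 is assumed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Assumed timings (not from the thread): a sender must come back after at
# least RETRY_MIN seconds and within RETRY_WINDOW seconds of the first try.
RETRY_MIN = 5 * 60
RETRY_WINDOW = 8 * 3600
WHITELIST_TTL = 40 * 24 * 3600   # the 40-day /32 whitelist from the thread


def greylist_key(ip, sender, recipients, subject):
    """(top 24 bits of IP, sender, recipients, hash of subject). IPv4 assumed."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)  # /24: retry may come from a sibling MTA
    subj = hashlib.sha256(subject.strip().encode()).hexdigest()
    return (str(net), sender.lower(), tuple(sorted(r.lower() for r in recipients)), subj)


@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)    # key -> time of first attempt
    whitelist: dict = field(default_factory=dict)  # full /32 address -> expiry time

    def decide(self, ip, sender, recipients, subject, now):
        """Return (smtp_code, text) for one message, evaluated after DATA.
        Deciding here means the whole envelope is known, so the answer is a single
        451 for the message instead of a 451 per RCPT, which is what tripped the
        broken state machine shown in the thread."""
        exp = self.whitelist.get(ip)
        if exp is not None:
            if now < exp:
                return (250, "OK (whitelisted)")
            del self.whitelist[ip]                 # whitelist entry expired
        key = greylist_key(ip, sender, recipients, subject)
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now                # first sighting: defer
            return (451, "Greylisted... try again later")
        age = now - first
        if age < RETRY_MIN:
            return (451, "Greylisted... try again later")   # retried too quickly
        if age > RETRY_WINDOW:
            self.pending[key] = now                # stale entry: treat as new
            return (451, "Greylisted... try again later")
        del self.pending[key]
        self.whitelist[ip] = now + WHITELIST_TTL  # only the exact address that retried
        return (250, "OK")
```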
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Charles Gregory writes:
> but at
> least please tell me there isn't a 'big' company out there that is failing
> to handle 4xx codes properly (holding breath)

does IBM count? their canadian arm was a problem for a while and i had to whitelist their outgoing MTA. this has since been fixed, but stuff like this pops up from time to time, usually for 'small' companies but occasionally for large. currently, the only thing in my graylisting whitelist file is (shudder) facebook. (don't get me started about them...)

it's not (IMHO) enough of an issue to avoid using graylisting. just be aware that it IS an issue from time to time, and the occasional Big Player might well be involved.

rp

rick pim [EMAIL PROTECTED]
information technology services (613) 533-2242
queen's university, kingston
---
"Better watch out, Carrot, or you're going to wind up as a Saturday
morning cartoon character, just like Mr. T!"
"Alright! That did it!"
-- Flaming Carrot
Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Mon, 11 Aug 2008, rick pim wrote:
> > > prime advantages of greylisting -- the fact that it will never
> > > block 'real' mail -- turns out, um, not to be true. there are so many
> > > standards-noncompliant MTAs out there
> .. some of the offenders are high profile, fortune-500 companies.

Could I just clarify this discussion? It started out with a specific comment about greylisting, which I am preparing to implement. So naturally it concerns me as to whether these remarks about 'big name' non-compliant MTA's still apply specifically to greylisting. I mean, I can't really imagine a 'big' (fortune 500?) company having an MTA that does not attempt to resend mail if it gets a 400 response from another MTA. I realize they break all sorts of other stuff. Non-compliant 'helo's and all that, but at least please tell me there isn't a 'big' company out there that is failing to handle 4xx codes properly (holding breath)

- Charles
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Ian Eiloart writes:
> --On 8 August 2008 13:06:00 -0400 rick pim <[EMAIL PROTECTED]> wrote:
> > in practice, one of the
> > prime advantages of greylisting -- the fact that it will never
> > block 'real' mail -- turns out, um, not to be true. there are so many
> > standards-noncompliant MTAs out there that greylisting does block
> > real mail. (this is one of the things that makes me crazy.)
>
> If it's not standards compliant, it's not an MTA. RFC2821 defines the
> behaviour of an MTA, and anything that breaks the standard can't expect to
> deliver email. That's our policy here.

you're preaching to the choir. unfortunately, some of the offenders are high profile, fortune-500 companies. if l'il 'ol me gets told "professor smith can't get mail from BloatedMegaCorp because you're blocking it", it doesn't MATTER if they're standards-noncompliant, it doesn't MATTER if they're not real MTAs -- i have to find a way for professor smith to get his email.

(aside: there are many, many such examples.)

rp

rick pim [EMAIL PROTECTED]
information technology services (613) 533-2242
queen's university, kingston
---
"There's too many people here! Maybe we should kill some!"
-- Flaming Carrot
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
On Mon, Aug 11, 2008 at 04:04:00PM +0400, Roman V. Isaev wrote:
> > I gave you example HAVP config to stop it more easily:
> >
> > > IGNOREVIRUS Email.
> > <
>
> Yes, thanks, but I saw your letter after I already implemented my own
> "solution" :) I just don't want to fiddle with clamd any more until 18:00
> (end of the workday). IGNOREVIRUS is a good solution.
>
> > There is not much point in searching "Email" viruses from web. Only marginal
> > benefit is possibly catching something from people's webmail.
>
> According to my squid logs about 40% of my office users visit various
> webmail systems (and that's a lot) on a regular basis. I'll block exactly the
> culprit.

Unfortunately less than 5% of Email.* signatures match anything other than a real mail (mbox) file. So there is a pretty slim chance of even catching anything from webmails. But if it makes you happy, who am I to tell otherwise. :)
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
> I gave you example HAVP config to stop it more easily:
>
> > IGNOREVIRUS Email.
> <

Yes, thanks, but I saw your letter after I already implemented my own "solution" :) I just don't want to fiddle with clamd any more until 18:00 (end of the workday). IGNOREVIRUS is a good solution.

> There is not much point in searching "Email" viruses from web. Only marginal
> benefit is possibly catching something from people's webmail.

According to my squid logs about 40% of my office users visit various webmail systems (and that's a lot) on a regular basis. I'll block exactly the culprit.

--
Roman V. Isaev
http://www.soprano-recorder.ru
Moscow, Russia
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Hi there,

On Mon, 11 Aug 2008 Ian Eiloart wrote:
> RFC2821 defines the behaviour of an MTA, and anything that breaks
> the standard can't expect to deliver email. That's our policy here.

Hehe, I bet you'd change that policy pretty sharpish if the people sending the emails wanted to give you money!

I would like to take your unbending approach, but unfortunately while people like macCom and Microdozey completely mess up their servers (not always the same way, and not consistently across all the servers) and many of our customers use them because they don't know any better, then we have to compromise.

I'd suggest you can tolerate a little compromise as long as you're getting something accomplished. Sure it's a pain, but not as much of a pain as the very nearly 46,000 /24 networks that we're currently firewalling for (trying to) send spam, not to mention the many hundreds of far bigger networks which we drop for that and more serious offences, like being Romanian.

Our firewall rules alone stop at least 95% of the crap, leaving things like milters and Perl with much less work to do, and much less sludge in the logs, so administrators have more time for the personal touch - compromises, for example - and making sure that the virus databases are effective.

I think what I'm trying to say is that you need some human involvement in all this, or the risk of throwing out the baby with the bathwater is substantially increased.

--
73,
Ged.
Re: [Clamav-users] simplest replacement for ancient amavis-perl
--On 8 August 2008 14:16:49 -0400 "David F. Skoll" <[EMAIL PROTECTED]> wrote:
> Tilman Schmidt wrote:
>
>>> telnet isps-smtp-server 25
>>
>> In my experience that's very unusual behaviour for a virus.
>> The vast majority try to connect directly to the recipient's MX.
>
> I see both.

Regardless, your responsibility as an MTA operator is to not emit backscatter. You can't be held responsible for backscatter emitted by an ISP's MTA when it hasn't detected a virus. The ISP should be requiring the sender to use authenticated, encrypted SMTP, and the ISP should be able to detect forged sender addresses (they ought not to accept sender email outside of domains that they own), and should treat them with great suspicion when they do.

In fact, if you accept the email, then silently discard it, then you are effectively endorsing the validity of the email. You'll be improving the reputation of the original sender in the eyes of the ISP.

--
Ian Eiloart
IT Services, University of Sussex
x3148
Re: [Clamav-users] simplest replacement for ancient amavis-perl
--On 8 August 2008 13:06:00 -0400 rick pim <[EMAIL PROTECTED]> wrote:
> Gerard writes:
> > Employing 'greylisting' would vastly improve the chances of eliminating
> > the acceptance of SPAM at the MTA level.
>
> it certainly does. unfortunately, in practice, one of the
> prime advantages of greylisting -- the fact that it will never
> block 'real' mail -- turns out, um, not to be true. there are so many
> standards-noncompliant MTAs out there that greylisting does block
> real mail. (this is one of the things that makes me crazy.)

If it's not standards compliant, it's not an MTA. RFC2821 defines the behaviour of an MTA, and anything that breaks the standard can't expect to deliver email. That's our policy here.

> (we still use it, of course.)
>
> rp
>
> rick pim [EMAIL PROTECTED]
> information technology services (613) 533-2242
> queen's university, kingston
> ---
> "You call this a *trial*?! This is nothing but a *kangaroo* *court*
> without the hoppy, furry guy!"
> -- The Flash (TV)

--
Ian Eiloart
IT Services, University of Sussex
x3148
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
Henrik K wrote:
> On Mon, Aug 11, 2008 at 12:45:51PM +0400, Roman V. Isaev wrote:
> > > > > Your virus database was updated at 9 august 2008, and a lot of sites are
> > > > > recognised as virus threat. For example: ixbt.com, thg.ru, overclockers.ru.
> > > > > Virus is:
> > > > > Submission-ID: 4157162
> > > > > Sender: Ricardo
> > > > > Added: Email.Trojan-8
> > > > > I think that this is a mistake.
> > > >
> > > > Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem, we use
> > > > havp+clamav and my phone is ringing all the time, angry users complain about
> > > > blocked sites, most of russian internet is blocked. How to remove this "virus"
> > > > before everything is fixed?
> > >
> > > Have you checked HAVP configuration?
> >
> > Yes I did. I had to stop freshclam, unpack daily.cld with sigtool,
> > remove daily.cld and remove this string:
> >
> > Email.Trojan-8:3:*:696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e
> >
> > After that everything works ok.
>
> I gave you example HAVP config to stop it more easily:
>
> > IGNOREVIRUS Email.
> <
>
> There is not much point in searching "Email" viruses from web. Only marginal
> benefit is possibly catching something from people's webmail.

OK. Thanks, it really works for me. Will wait...

--
Regards,
Andrey Volkov, system administrator
SRL "Rusnac-MoldAqua"
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
On Mon, Aug 11, 2008 at 12:45:51PM +0400, Roman V. Isaev wrote:
> > > > Your virus database was updated at 9 august 2008, and a lot of sites are
> > > > recognised as virus threat. For example: ixbt.com, thg.ru, overclockers.ru.
> > > > Virus is:
> > > > Submission-ID: 4157162
> > > > Sender: Ricardo
> > > > Added: Email.Trojan-8
> > > > I think that this is a mistake.
> > >
> > > Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem, we use
> > > havp+clamav and my phone is ringing all the time, angry users complain about
> > > blocked sites, most of russian internet is blocked. How to remove this "virus"
> > > before everything is fixed?
> >
> > Have you checked HAVP configuration?
>
> Yes I did. I had to stop freshclam, unpack daily.cld with sigtool,
> remove daily.cld and remove this string:
>
> Email.Trojan-8:3:*:696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e
>
> After that everything works ok.

I gave you example HAVP config to stop it more easily:

> IGNOREVIRUS Email.
<

There is not much point in searching "Email" viruses from web. Only marginal benefit is possibly catching something from people's webmail.
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
> > > Your virus database was updated at 9 august 2008, and a lot of sites are
> > > recognised as virus threat. For example: ixbt.com, thg.ru, overclockers.ru.
> > > Virus is:
> > > Submission-ID: 4157162
> > > Sender: Ricardo
> > > Added: Email.Trojan-8
> > > I think that this is a mistake.
> >
> > Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem, we use
> > havp+clamav and my phone is ringing all the time, angry users complain about
> > blocked sites, most of russian internet is blocked. How to remove this "virus"
> > before everything is fixed?
>
> Have you checked HAVP configuration?

Yes I did. I had to stop freshclam, unpack daily.cld with sigtool, remove daily.cld and remove this string:

Email.Trojan-8:3:*:696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e

After that everything works ok.

I've downloaded one of the pages from blocked sites and will try to submit it as a false positive. Too many sites are affected for it to be a virus and I did not see anything criminal in that page (I'm not that good with javascript tho).

--
Roman V. Isaev
http://www.soprano-recorder.ru
Moscow, Russia
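Added example (Python, not ClamAV's code and not posted by anyone in the thread): a parser for the name:target:offset:hex line Roman removed from daily.cld, decoding the hex to show what the signature really matches and running it over two constructed pages. Decoded, the pattern is an image tag pointing at one ad server, which is why so many unrelated sites matched; target type 3 is ClamAV's normalized-HTML target. Only plain hex and the '??' single-byte wildcard are handled here; ClamAV's richer wildcard syntax is not.

```python
import re

# The exact .ndb line quoted in the thread (name:target:offset:hexsig).
SIG = ("Email.Trojan-8:3:*:"
       "696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e")


def parse_ndb(line):
    """Split one .ndb line into its four fields."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def hexsig_to_regex(hexsig):
    """Translate hex pairs into a bytes regex; '??' matches any single byte.
    Other ClamAV wildcards ({n-m}, *, alternatives) are not supported here."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex signature")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def decode_literal(hexsig):
    """Readable form of a wildcard-free signature: what the bytes spell."""
    return bytes.fromhex(hexsig).decode("latin-1")


def scan(data, sig):
    """Return the signature name if it matches data, else None.
    Offset '*' means anywhere; a numeric offset anchors the match there."""
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        hit = rx.search(data)
    else:
        hit = rx.match(data, int(sig["offset"]))
    return sig["name"] if hit else None


# Constructed sample pages (not real site content): one embeds the ad-network
# tag the signature actually describes, the other does not.
PAGE_WITH_AD = (b'<html><body><p>News</p>'
                b'<img src="http://ad.adriver.ru/cgi-bin/erle.cgi?sid=1"></body></html>')
PAGE_CLEAN = b'<html><body><p>News</p><img src="/static/logo.png"></body></html>'

if __name__ == "__main__":
    sig = parse_ndb(SIG)
    print(sig["name"], "target", sig["target"], "matches", repr(decode_literal(sig["hexsig"])))
    print("ad page:", scan(PAGE_WITH_AD, sig), "| clean page:", scan(PAGE_CLEAN, sig))
```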
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
On Mon, Aug 11, 2008 at 11:27:57AM +0400, Roman V. Isaev wrote:
> > Your virus database was updated at 9 august 2008, and a lot of sites are
> > recognised as virus threat. For example: ixbt.com, thg.ru, overclockers.ru.
> > Virus is:
> > Submission-ID: 4157162
> > Sender: Ricardo
> > Added: Email.Trojan-8
> > I think that this is a mistake.
>
> Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem, we use
> havp+clamav and my phone is ringing all the time, angry users complain about
> blocked sites, most of russian internet is blocked. How to remove this "virus"
> before everything is fixed?

Have you checked HAVP configuration?

IGNOREVIRUS Email.
Re: [Clamav-users] Havp + Clamav + Email.Trojan-8
> Your virus database was updated at 9 august 2008, and a lot of sites are
> recognised as virus threat. For example: ixbt.com, thg.ru, overclockers.ru.
> Virus is:
> Submission-ID: 4157162
> Sender: Ricardo
> Added: Email.Trojan-8
> I think that this is a mistake.

Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem, we use havp+clamav and my phone is ringing all the time, angry users complain about blocked sites, most of russian internet is blocked. How to remove this "virus" before everything is fixed?

--
Roman V. Isaev
http://www.soprano-recorder.ru
Moscow, Russia