Re: [Clamav-users] clamav-milter dies
[EMAIL PROTECTED] wrote:

> To clarify, the milter isn't dying... it's just refusing to accept inputs (there's a difference). And the issue is with the milter, not with libclamav.
>
> In my case the milter is dying, and needs to be re-started... (started should I say).

___ http://lurker.clamav.net/list/clamav-users.html

In the previous thread it was pointed out that due to the behavior of sendmail libmilter, which is compiled either statically into the milter or on some distributions as a shared object library, there is little difference between refusing to accept connections and dying. This is because libmilter will abort a milter that has consecutive errors responding to sendmail's connection attempts. (I explored the possibility of changing this behavior but it's not quite clear what the absolutely correct course of action is; for more information see http://groups-beta.google.com/group/comp.mail.sendmail/browse_frm/thread/65658b2f5797c626/8a61ae5f825ca3aa )

Therefore milters must always do all that is necessary to handle every sendmail connection. If scanning is not possible they need to either TEMPFAIL immediately or after a (very) short wait for resources to become available, or let the message pass through unscanned.
Re: [Clamav-users] Memory limit per process hit
Pablo Alsina wrote:

> On 5/28/05, Matt Fretwell [EMAIL PROTECTED] wrote:
> [snip]
> If this is not your preferred solution, how do you suggest to stop those scumbags searching for my user-database? Remember I'm not stopping spammers, I'm stopping user-db harvesters (probably future spammers).

My patch does this.

And this is not a clear-cut issue, as you have no objective mechanism for determining what is plain and simply a wrong email address and what is a probe attempt. All current mechanisms are subjective, to the tune of "if X bad rcpts, then probably probing" or "if bad rcpts look to be random (subjective), then it is probing". So you can make educated guesses but there is no way to be 100 percent certain 100 percent of the time (or any other close value for that matter).

I would encourage you to use DNSBL blocklists intensively; they are currently the only (relatively) cheap mechanism for keeping unwanteds away from your system. (My patch works for those as well.) Of course you will also need to couple that with aggressive whitelisting. I would recommend you set up a DNSWL for that exact purpose.

> One proposed solution was to run another SMTP box, redirect SMTP traffic to it, and stop those attempts there, either with tarpitting, or directly terminate connections that reach a certain ratio of bad rcpts (as Joe Maimon suggested with a provided patch). This seems OK, but introduces another single point of failure, as this works if I disable SMTP directly to my real box (no secondary MX register allowed).

No new box needed for my patch.

> The other thing with this is if I terminate the connection when a threshold is reached, what avoids having this client reconnect, and continue with its mission? The whole point of tarpitting is that it does not stop them, just make it more expensive.

sendmail rate-limiting of connection attempts.

An interesting concept would be to prejudice the rate-limiting code against previous offenders, but in practice I have found the current setup to be more than effective without causing ANY reported issues.

Regards.
Re: [Clamav-users] Memory limit per process hit
Pablo Alsina wrote:

> Hi
>
> We have been having some problems lately with our installation. We are using Sendmail+clamav-milter+clamd as our antivirus solution, over a RedHat Linux with a 2.4.21 kernel (RH9).

This is somewhat outdated. Might I recommend you use the newer Fedora Cores or switch to an always-current distribution such as Debian Testing?

> We added a sort of tarpitting solution to our sendmail in order to stop people from scanning our userbase. What this means is that responses to SMTP "rcpt to" get delayed when the envelope user is unknown. The more you miss, the more you get delayed (it's exponential). So what happens is that some SMTP clients may have to wait up to 15 minutes for a response from Sendmail if they miss too many recipients.
>
> [snip]

I can't help thinking that this is a bad idea, as the cost you pay in overhead is far greater than the cost to the attacker. You have all these sendmail processes hanging around and all those milter threads. To DOS your box, all I have to do is open a few hundred connections to it and try to send email to a few dozen fake users. If that does not do it, I can simply open a few hundred more. Cheap for me, expensive for you.

I would recommend a different approach, using this patch:

http://www.jmaimon.com/sendmail/patches/badrcpt_shutdown.v1.81301.patch
http://www.jmaimon.com/sendmail/#badrcptshutdown

This patch terminates connections that have a (configurable) high ratio of bad user attempts. This feature is compatible with sendmail's delaying feature, so you can delay the connection for the first X bad users and shut down the connection after Y bad users.

Use that with sendmail rate-limiting. In this day and age all MTAs need to implement some kind of rate-limiting, otherwise all it takes is a few aggressive MTAs out there and a joe job to put you out of business.

I have been using this setup for quite some time. Works fine and dandy.
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
Damian Menscher wrote:

> On Tue, 24 May 2005, Doug Hardie wrote:
> > On May 24, 2005, at 13:21, Stephen Gran wrote:
> [snip]
>
> Just to bring you (and anyone else joining us) up to speed, here's a description of how it's supposed to work: When there's a database update, the milter wants everything to be quiet. So it stops accepting new connections. It then waits for the currently-running children to finish. Once n_children drops to 0, it reloads the database and resumes accepting connections.
>
> At least, that's the theory. In practice, n_children isn't ever hitting 0, so it stays in the !accepting state forever. For example, in the ktrace you posted, n_children dropped from 7 down to 2. The fact that it never reached 0 is the entire problem.
>
> Of course, nobody knows *why* it isn't reaching 0. It might be from a hung scanner thread, or from a pthreads race condition, or even a locking issue. The hope was that getting an strace of each thread of a hung milter would provide information on which of those causes was at fault, and perhaps enable us to actually locate the bug.
>
> Damian Menscher

Is that how clamd does it also?

For clamav-milter, milter sessions can be quite long-lived depending on the nature of the connection. If this !accepting depends on sendmail closing the milter connection/thread this could potentially be quite a long time. It does not take long for sendmail to abort a milter that does not accept new connections and successfully launch a new milter thread. Milters should never intentionally refuse connections from sendmail; libmilter will abort and exit the milter after N consecutive errors, of which non-accepts and failure to create a thread are one. (Why is this about accepting connections? The errors I have seen are about launching the new threads.)

Would it be possible to have existing threads use the old loaded database and to have the new threads use a new loaded database? Destroy the old database when its ref_count hits 0.

Joe
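The reference-counted swap proposed at the end of the message above, as an added illustration (not clamav-milter or libclamav code): running sessions keep the database they started with, new sessions get the reloaded one, and the old database is freed when its last user releases it, so a reload never has to wait for n_children to reach 0. The `scandb` struct is a constructed stand-in for a loaded signature database.

```c
/* Reference-counted database swap for a multi-threaded scanner.
 * Constructed example with a stand-in struct, not clamav-milter code. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

struct scandb {
    int version;   /* which reload produced this database (stand-in for real data) */
    int refs;      /* sessions using this database, plus one for the "current" slot */
};

static struct scandb *current_db = NULL;        /* handed to new sessions */
static pthread_mutex_t db_lock = PTHREAD_MUTEX_INITIALIZER;
static int dbs_freed = 0;                        /* bookkeeping for the demo */

static struct scandb *db_load(int version)
{
    struct scandb *db = calloc(1, sizeof *db);   /* real code would parse signature files here */
    if (db) {
        db->version = version;
        db->refs = 1;                            /* the reference held by the current_db slot */
    }
    return db;
}

/* Drop one reference; caller must hold db_lock. Frees at zero. */
static void db_put_locked(struct scandb *db)
{
    if (--db->refs == 0) {
        free(db);
        dbs_freed++;
    }
}

/* A session starting a scan takes a reference on whatever is current now. */
struct scandb *db_acquire(void)
{
    pthread_mutex_lock(&db_lock);
    struct scandb *db = current_db;
    if (db)
        db->refs++;
    pthread_mutex_unlock(&db_lock);
    return db;
}

/* A session that finished scanning gives its reference back. */
void db_release(struct scandb *db)
{
    if (!db)
        return;
    pthread_mutex_lock(&db_lock);
    db_put_locked(db);
    pthread_mutex_unlock(&db_lock);
}

/* Publish a freshly loaded database without waiting for running scans:
 * the swap is a pointer exchange under the lock, and the old database
 * lives on until the last session holding it calls db_release(). */
int db_reload(int version)
{
    struct scandb *fresh = db_load(version);
    if (!fresh)
        return -1;                 /* keep serving the old database on load failure */
    pthread_mutex_lock(&db_lock);
    struct scandb *old = current_db;
    current_db = fresh;
    if (old)
        db_put_locked(old);        /* drop the slot's reference; frees only if idle */
    pthread_mutex_unlock(&db_lock);
    return 0;
}

int db_current_version(void)
{
    pthread_mutex_lock(&db_lock);
    int v = current_db ? current_db->version : 0;
    pthread_mutex_unlock(&db_lock);
    return v;
}

int db_freed_count(void) { return dbs_freed; }

/* Deterministic walk-through: a long-lived session holds version 1 across a
 * reload, a new session sees version 2, and version 1 is freed only when the
 * long-lived session lets go. Returns the version the long-lived session
 * scanned with, or -1 if the bookkeeping is ever wrong. */
int demo_sequence(void)
{
    if (db_reload(1) != 0)
        return -1;
    struct scandb *long_lived = db_acquire();      /* v1 refs = 2 */
    if (db_reload(2) != 0)                         /* v1 refs = 1, v2 refs = 1 */
        return -1;
    struct scandb *fresh = db_acquire();           /* v2 refs = 2 */
    if (db_freed_count() != 0 || fresh->version != 2)
        return -1;
    int used = long_lived->version;                /* still 1: old data stays valid */
    db_release(long_lived);                        /* v1 refs = 0, freed here */
    if (db_freed_count() != 1)
        return -1;
    db_release(fresh);                             /* v2 refs = 1, stays current */
    return used;
}

int main(void)
{
    printf("long-lived session used version %d; freed %d; current %d\n",
           demo_sequence(), db_freed_count(), db_current_version());
    return 0;
}
```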
Re: [Clamav-users] clamav-milter received header in notification message
Joe Maimon wrote: snip I can probably send a patch if you would like. Joe ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users This patch still works...can someone tell me whether this is up for consideration? #! /bin/sh /usr/share/dpatch/dpatch-run ## 100_clamav-milter.smrcv.patch.dpatch by [EMAIL PROTECTED] ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c /tmp/dpep.qdUNc5/clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c --- clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c2005-05-12 17:10:27.0 -0400 +++ /tmp/dpep.qdUNc5/clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c 2005-05-20 10:50:03.670473065 -0400 @@ -2267,8 +2267,44 @@ privdata-from = strdup(mailaddr); - if(hflag) + if(hflag) { + /* craft a sendmail like header for notifications */ + char *macro_b, *macro_s, *macro_j, *macro__; + char *p; + int plen = 0; + char *fmt = from %s (%s) by %s; + + privdata-headers = header_list_new(); + macro_s = smfi_getsymval(ctx, s); + macro_j = smfi_getsymval(ctx, j); + macro__ = smfi_getsymval(ctx, _); + + plen += (macro_s) ? strlen(macro_s) : sizeof(unknown); + plen += (macro_j) ? strlen(macro_j) : sizeof(localhost); + plen += (macro__) ? strlen(macro__) : 0; + plen += strlen(fmt); + + p = cli_malloc(plen); + if(p) { + sprintf(p, fmt, + (macro_s) ? macro_s : unknown, + (macro__) ? macro__ : , + (macro_j) ? macro_j : localhost + ); +#ifdef CL_DEBUG + if(debug_level 5) { + char *msg_p = clamfi_header: created Recieved header alloclen=%d, len=%d,\%s\\n; + if(use_syslog) + syslog(LOG_NOTICE, msg_p, plen, strlen(p), p); + cli_dbgmsg(msg_p,plen, strlen(p), p); + } +#endif + + header_list_add(privdata-headers, Received, p); + free(p); + } + } if(smfi_setpriv(ctx, privdata) == MI_SUCCESS) return SMFIS_CONTINUE; ___ http://lurker.clamav.net/list/clamav-users.html
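Review bot: `macro_b` is declared but never used, and the Received header is built with `sprintf` into a buffer whose size `plen` is tallied by hand from `strlen`/`sizeof` of the parts; a `snprintf(p, plen, fmt, ...)` (or `asprintf`) would keep any miscount from becoming a heap overrun. The header also carries only the `s`, `_` and `j` macros, so it lacks the queue id and timestamp the original request asked for; sendmail exposes the queue id as the `i` macro via `smfi_getsymval`. Minor: the debug message spells it "Recieved".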
[Clamav-users] Trivial patch for syslogging when running multiple instances of clamav-milter
I have two clamav-milters running on a system. The sendmail on this system can choose which email gets scanned by which milter. One is set to send notifications, to be used for automatically blacklisting virus sending sources. The other does not notify because it is used by sendmail to scan email to all those who have elected to not participate in the systems anti-abuse mechanisms, which include blocklists. Due to network security needs, virus scanning is still mandatory, but the notifications are worthless, as invariably they would all have been blocked by a blocklist. So I run two instances. I do this by copying /etc/init.d/clamav-milter to /etc/init.d/clamav-milter2 and making obvious edits to /etc/init.d/clamav-milter2 (debian update-rc.d redhat chkconfig and friends) I do the same for /etc/default/clamav-milter2 I then symlink /usr/sbin/clamav-milter2 to /usr/sbin/clamav-milter This works fine. Only problem is that syslog logging both say clamav-milter. So here is a trivial patch that solves it for meeven though a more proper approach should probably rely on a command line argument. ( Thanks steven for your excellent debs and one quick trivial request.. apt-get source clamav vi debian/rules Add dpatch include and targets!! Thanks! ) Joe #! /bin/sh /usr/share/dpatch/dpatch-run ## 110-clamav_milter.syslog-name.patch.dpatch by [EMAIL PROTECTED] ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c /tmp/dpep.zyzqDz/clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c --- clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c2005-05-20 14:10:38.522543627 -0400 +++ /tmp/dpep.zyzqDz/clamav-0.85.1-0-JM/clamav-milter/clamav-milter.c 2005-05-20 14:16:59.576682600 -0400 @@ -1038,6 +1038,7 @@ if(cfgopt(copt, LogSyslog)) { int fac = LOG_LOCAL6; + char * progname = NULL; if(cfgopt(copt, LogVerbose)) { logVerbose = 1; 
@@ -1054,7 +1055,10 @@ argv[0], cpt-strarg); return EX_CONFIG; } - openlog(clamav-milter, LOG_CONS|LOG_PID, fac); + if(!(progname = basename(argv[0]))) + progname = clamav-milter; + + openlog(progname, LOG_CONS|LOG_PID, fac); } else { if(qflag) fprintf(stderr, _(%s: (-q !LogSyslog): warning - all interception message methods are off\n), ___ http://lurker.clamav.net/list/clamav-users.html
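Review bot: `basename()` requires `#include <libgen.h>`, which the hunk does not add, and the POSIX version may modify the string it is given and return a pointer into it; since glibc's `openlog()` keeps the `ident` pointer rather than copying it, the name must stay valid for the process lifetime. `argv[0]` does, but a `strdup` of the result would make that independent of the platform's `basename`. The `= NULL` initialiser on `progname` is redundant as it is assigned unconditionally on the next line. As the post itself notes, a config directive or command-line option would avoid tying the syslog identity to how the binary was invoked.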
Re: [Clamav-users] clamav as HTTP scanner?
Freddie Cash wrote:

> On December 15, 2004 08:57 am, Rainer Zocholl wrote:
> > In the really meanwhile long long linear list of mail scanners I only see the (non GPLed) DansGuardian Anti-Virus Patch. Do you mean that? AFAIK DansGuardian is payware except for private use.
>
> Please do at least the bare minimum research before posting things like the above. Opening even the first page of the DansGuardian website will show that it is available free (as in no money), for anyone to use (at home, at work, at school, wherever).

OT license rant.

(Disclaimer: This is the first time in quite a while that I have looked at his terms. I have not followed any other discussions concerning this. In my opinion, the stated terms are the only things that should matter to people wishing to decide whether the legalities of the software suit them.)

I did. I went to the page and I saw G-Parent was completely correct. Just swap "private" out for "non-commercial". DG is licensed under the GPL for everyone who downloads it for non-commercial purposes (defined there). If you download it for commercial purposes then you theoretically have conditions attached as to your ability to download the software. (Logically the author intends for you to have restrictions on redistributing your source under GPL unencumbered as well.)

Since the author pretty much obviously does not intend to relinquish his stated conditions upon application of the GPL licensing (otherwise it would be trivial to fork off an unencumbered version), nobody in their right mind would think this satisfies either the Open Source Definition or the DFSG. I hardly imagine the FSF would call this FS either. (Not to say reading the web site content clearly says that; it's ambiguous, however we can make a reasonably logical deduction as to what he MEANS.) No matter the blurb about RMS on the page. I don't believe it for a second and neither would anyone familiar with RMS literature and attitude.

Dual licensing and timed relicensing are about at the edge of the cliff when it comes to his approval.

Now what does this mean? Can you download it for non-commercial purposes and redistribute it freely (which seems to cover non-commercial to me) to any other party under the GPL? I don't think that's what Dan intended. So being as he holds the copyright and can legally license it as he wishes, it appears he has licensed it to people under contradictory terms. There is no way to exercise the rights granted by the GPL in their entirety without violating his stated attached conditions. IOW an indian gift. The attached GPL license is basically eviscerated by the stated non-commercial conditions. Which is completely within his right to do.

Not to say that Dan hasn't made a wonderful contribution to all those who have benefited from his work. But this is about as open source as MS shared source.

Joe
Re: [Clamav-users] clamav as HTTP scanner?
BitFuzzy wrote:

> > Is this a joke? "licensed under the GPL" "not free for commercial use".
>
> As far as I can tell there is nothing wrong with this. In fact I've seen this quite a lot. The GPL does not prevent anyone from making money.

Since saying "not free for commercial use" pretty much means that you are getting a half-a-GPL, possibly dead before birth, Tomasz is quite correct. And since he among others has enabled a large community to utilize huge amounts of his effort under the terms of 100% GPL, he (not I) can be as disapproving as he wishes of anyone else who has not chosen to do so.

Saying the software is licensed under the GPL and disallowing people to download and use/redistribute the software under the terms of the GPL if for commercial use IS a joke. Read the GPL. In this case Dan's gracious offer of GPL licensing is probably useless to most people. See my previous rant.

Also: One can read the summary and the terms and come up with completely different conclusions. That's a bug in the terms. I am fairly certain the author does not intend you to exercise the full rights of the GPL license.
Re: [Clamav-users] I need help installing ClamAV Antivirus on Red Hat Enterprise linux es3 version !!!
Nigel Horne wrote:

> On Thu, 2004-12-16 at 15:48 +0530, Mohamed Jahfar Sadiq M.R wrote:
> > Hi All,
> >
> > I need to install a new Sendmail server with more security features like ClamAV Anti Virus + Spam Assassin + Squirrel Mail + Sendmail. I was really confused with where I should start working upon. So if anyone has already done a similar setting, please guide me through. I need to create a custom RPM for all these packages. So if anyone can get me the documents which explain to a better level or some websites which I can refer to.
>
> Download the source rpms and rebuild them to your tastes
>
> OR
>
> Install the checkinstall software. Download the fresh source and create rpms for them on the fly with checkinstall.

If you don't feel comfortable with doing either of the above, you should not be making custom RPMs. There lies madness and unmaintainability. (Consider making a custom RPM containing ONLY your changes to the software if we are talking about config files.)

> Sid
> -Nigel
Re: [Clamav-users] clamav as HTTP scanner?
Joe Maimon wrote:

> BitFuzzy wrote:
> > > Is this a joke? "licensed under the GPL" "not free for commercial use".
> >
> > As far as I can tell there is nothing wrong with this. In fact I've seen this quite a lot. The GPL does not prevent anyone from making money.
>
> Since saying "not free for commercial use" pretty much means that you are getting a half-a-GPL, possibly dead before birth, Tomasz is quite correct. And since he among others has enabled a large community to utilize huge amounts of his effort under the terms of 100% GPL, he (not I) can be as disapproving as he wishes of anyone else who has not chosen to do so.

Bad form to reply to my own post, but I forgot to mention that for what Tomasz and the rest of the Clamav team (debian packager also) have done and are doing they have my appreciation and thanks. Truly excellent software in the making. Extremely patient and helpful mailing list (despite lots of provocation).

FWIW, Thanks!

Joe
Re: [Clamav-users] RE: Re: This is how I use ClamAV
Kiril Todorov wrote:

> Ian Lewis wrote:
> > That is very interesting information Samuel. I shall be interested to compare it to my own data. We quarantine our emails just in case there are any which are genuine but holding viruses. Not very likely but you never know. Do I understand from what you say that having identified 4 million viruses you reject them and they go 'back' to the often spoofed sender, still capable of causing trouble?
>
> I believe he meant rejected at SMTP level with a permanent error code (5.x.x)

Which could mean that a host not running a virus scanner would then bounce the DSN to the sender.

Counter arguments are usually:

a) They should be running a virus scanner and they too should be 5xx/4xx rejecting. Serves them right.
b) Modern virus infected hosts are direct-to-MX emailers.

Remember, there is a point that can be made here. It's plausible to conclude that every un-virus-scanned email service is contributing directly to the epidemic by allowing their users to become infected and spew crap to everyone else. Clogged queues are therefore no less than they deserve, as the arguments against virus scanning are usually in the form of resource concerns. Service providers should be aware too that allowing their users to become infected generally results in tech support calls to the effect of "My internet is {slow|broken}".

Joe
Re: [Clamav-users] clamav-milter received header in notification message
Joe Maimon wrote: I can probably send a patch if you would like. Here is a rough version that I am testing that seems to work for me. Joe ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users --- clamav-devel/clamav-milter/clamav-milter.c 2004-11-20 18:02:23.0 -0500 +++ clamav-devel.smrecv/clamav-milter/clamav-milter.c 2004-11-29 22:41:58.0 -0500 @@ -2272,8 +2272,44 @@ privdata-from = strdup(argv[0]); - if(hflag) + if(hflag) { + /* craft a sendmail like header for notifications */ + char *macro_b, *macro_s, *macro_j, *macro__; + char *p; + int plen = 0; + char *fmt = from %s (%s) by %s\n; + + privdata-headers = header_list_new(); + macro_s = smfi_getsymval(ctx, s); + macro_j = smfi_getsymval(ctx, j); + macro__ = smfi_getsymval(ctx, _); + + plen += (macro_s) ? strlen(macro_s) : sizeof(unknown); + plen += (macro_j) ? strlen(macro_j) : sizeof(localhost); + plen += (macro__) ? strlen(macro__) : 0; + plen += strlen(fmt); + + p = cli_malloc(plen); + if(p) { + sprintf(p, fmt, + (macro_s) ? macro_s : unknown, + (macro__) ? macro__ : , + (macro_j) ? macro_j : localhost + ); +#ifdef CL_DEBUG + if(debug_level 5) { + char *msg_p = clamfi_header: created Recieved header alloclen=%d, len=%d,\%s\\n; + if(use_syslog) + syslog(LOG_NOTICE, _(msg_p), plen, strlen(p), p); + cli_dbgmsg(_(msg_p),plen, strlen(p), p); + } +#endif + + header_list_add(privdata-headers, Received, p); + free(p); + } + } if(smfi_setpriv(ctx, privdata) == MI_SUCCESS) return SMFIS_CONTINUE; ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
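Review bot: the format string `from %s (%s) by %s\n` ends in a newline, so the value handed to `header_list_add` carries a trailing `\n`; if the list writes the header as `Received: <value>` followed by its own line ending, that produces an empty line, which terminates the header block of the notification early. Dropping the `\n` from `fmt` fixes it. In the debug branch, `_(msg_p)` wraps a non-literal in the gettext macro, which the string-extraction tooling cannot pick up; use the literal directly in `_()`. Also unused here: `macro_b`.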
[Clamav-users] clamav-milter received header in notification message
Seems like it would be useful for clamav-milter to craft a sendmail-like header in the notification it sends (with --headers arg). amavis-milter does this.

Currently only headers sendmail receives are sent to clamav-milter, which inserts them into the notification message. Otherwise you tend to be missing the only believable header information.

Useful information would be sending helo name, sender hostname, sender ip address, queueid, rfc time. And, if by some chance we can tell if the virus was submitted by an authenticated user, that should be noteworthy as well.

As an example, I would use this to semi-automatically blacklist hosts that send viruses by feeding the email into a script to extract the sender ip address.

http://spamikaze.nl.linux.org/

I can probably send a patch if you would like.

Joe
Re: [Clamav-users] ClamAV should not try to detect phishing and othersocial engineering attacks
Steve Basford wrote:

> > since ClamAV reached v0.80, I am using it to scan and reject e-mail messages. Today I noticed that ClamAV also detects phishing attacks. Phishing is pure social engineering and poses no threat whatsoever in a technical sense.
>
> I'm certainly *very* happy that the ClamAV team have added more phishing detections (thanks Trog et al). Yes, you're correct it's social engineering but it doesn't stop users clicking on the links and downloading the keylogging trojan from the remote site that the phish email takes them to.
>
> I don't personally think we need a --no-phishing option in ClamAV but someone might ;)

Perhaps a way to disable certain signatures or patterns of signatures would be better?

> Cheers,
> Steve
Re: [Clamav-users] clamav on woody: clamav-milter hangs when stopped
Stephen Gran wrote:

> On Fri, Nov 12, 2004 at 10:29:20AM -0600, Jeremy Kitchen said:
> > On Thursday 11 November 2004 05:56 pm, Stephen Gran wrote:
> > [snip]
> > > So, when start-stop-daemon (or daemon) sends a kill signal, it ends up signalling the wrong thread, and it takes a long time for the signal to work.
> >
> > http://cr.yp.to/daemontools.html
> > http://smarden.org/runit
> >
> > makes it very easy to send signals to applications.
>
> Unfortunately in my role as packager, I can't make too many assumptions about what methods people are using to run things on their system. Thanks, though.

Perhaps a Pidfile option?
[Clamav-users] Experimental patches to sendmail/libmilter provide functionality of -R patch
Hello All,

If anyone was interested in the -R recipient filter patch for spamass-milter, perhaps you would be interested in this patch:

http://www.jmaimon.com/sendmail/patches/milter-rrres.v6.tar.gz

(more info at http://www.jmaimon.com/sendmail )

which provides the same functionality (and a whole lot more) by way of rulesets that sendmail calls before passing data/commands to a milter.

I am currently running with a slightly later version of the patch and have been doing so for some time without any problems.

Joe
Re: [Clamav-users] clamd don't die on memory allocation problem?
Fajar A. Nugraha wrote:

> Hi,
>
> I got these errors on Linux Console running ClamAV 0.80 :
>
> LibClamAV Error: cli_calloc(): Can't allocate memory (131282 bytes).
> calloc_problem: Cannot allocate memory
> LibClamAV Error: cli_calloc(): Can't allocate memory (131282 bytes).
> calloc_problem: Cannot allocate memory
> LibClamAV Error: cli_calloc(): Can't allocate memory (131282 bytes).
>
> The thing is, clamd didn't die when it happens. I thought new implementations of libclamav were supposed to die when it's unable to allocate memory (e.g. to make it work with daemontools?)

Since when was this decided to be a good idea?

Suppose I am running clamd under ulimit to control its memory usage. I don't want it to die on out-of-memory issues caused by scan jobs, making it unavailable for possible jobs that won't cause OOM and terminating all other scanning jobs. I want it to recover gracefully and continue scanning other jobs. Assuming there is no memory leak, recovering gracefully means possibly aborting the current scanning job (or not expanding the current file format or similar task) and leaving all the other jobs and threads alone.

Perhaps this should be configurable for the folk who want clamd to exit on memory alloc failure and those who do not?

If you keep bumping into an OOM for normal operation your limit is too low or clamd is losing memory. Constantly restarting clamd can cause a fair amount of missed/canceled jobs or scanning delays. Constantly restarting any daemon meant to run continuously is poor operational procedure.

Even with clamscan, dying on OOM while doing a large recursive filesystem scan would be a real PITA. Just back off the offending job and continue with the rest. The only other way to reliably scan every scannable file is to call clamscan on them one by one like find . -exec clamscan {}.

I also don't particularly think it's wise for a library to include any calls to exit. Libraries you link your program to should not terminate your program without your direct permission. In fact, the only benefit this brings is to limit the impact of memory leaks. Which are bugs and should not dictate normal program behavior. All other cases of OOM should be handled gracefully, assuming the program has gotten itself off the ground already.

> Regards,
> Fajar
Re: [Clamav-users] clamd don't die on memory allocation problem?
Tomasz Kojm wrote:

> On Mon, 08 Nov 2004 09:08:30 -0500 Joe Maimon [EMAIL PROTECTED] wrote:
> > Perhaps this should be configurable for the folk who want clamd to exit on memory alloc failure and those who do not?
>
> No problem:
>
> Mon Nov 8 15:24:18 CET 2004 (tk)
> - * clamd: new directive ExitOnOOM (stop deamon when libclamav reports out of memory condition) (disabled by default)

Wow! Thanks!

> > I also don't particularly think it's wise for a library to include any calls to exit. Libraries you link your program to should not terminate your program without your direct permission.
>
> libclamav doesn't contain any exit()-like calls.

That's what I seemed to recall when I was looking at the code, around .70 time.
Re: [Clamav-users] clamd don't die on memory allocation problem?
Fajar A. Nugraha wrote:

> Tomasz Kojm wrote:
> > On Mon, 08 Nov 2004 09:08:30 -0500 Joe Maimon [EMAIL PROTECTED] wrote:
> > > Perhaps this should be configurable for the folk who want clamd to exit on memory alloc failure and those who do not?
> >
> > No problem:
> >
> > Mon Nov 8 15:24:18 CET 2004 (tk)
> > - * clamd: new directive ExitOnOOM (stop deamon when libclamav reports out of memory condition) (disabled by default)
>
> OK, I downloaded the new code from CVS, make, make install, activate ExitOnOOM, reduce memory ulimits to 64 MBs, and now I have this
>
> Tue Nov 9 10:28:54 2004 - /var/spool/exim/scan/1CRMgW-0004yX-Mv/1CRMgW-0004yX-Mv.eml: Worm.Bagle.AU FOUND
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:55 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:56 2004 - ERROR: pthread_create failed
> Tue Nov 9 10:28:56 2004 - ERROR: pthread_create failed
>
> I suspect this is also memory related since if I increase ulimits to ... say ... 256M, it didn't happen. Again, clamd didn't die on this error :)
>
> On the side note, if the error is calloc_problem: Cannot allocate memory, I see clamd now gracefully dies and daemontools kick in immediately. Which is good. Now, shouldn't the same behaviour also happen on pthread errors? Or can clamd really continue despite of the error (e.g. using some existing thread or something)?

Sounds like you are asking for more threads than your ulimit allows. As long as there is at least one working clam worker thread, clamd can in theory keep working. Probably ExitOnOOM if set should exit for this as well. OTOH if clamd can't initialize the startup amount of threads indicated by configuration, maybe it should bail regardless of ExitOnOOM?

(On a redhat 7.2 kernel 2.4 box each thread instance took a fairly large chunk of vsz as opposed to a debian 2.6 box.) Are you ulimiting vsz or rss?

> Regards,
> Fajar
Re: [Clamav-users] Exploit-Mime.gen.c detection
Cali Federico wrote:

> Hi all,
>
> analyzing the same e-mail with two different antivirus software I have different results:
>
> -- ClamAv detects Worm.SomeFool.p virus
> -- McAfee WebShield detects both W32/[EMAIL PROTECTED] and Exploit-MIME.gen.c
>
> I know that Worm.SomeFool.p and W32/[EMAIL PROTECTED] are the same but what about Exploit? Could you explain to me why ClamAv doesn't detect this virus?

I believe clam stops after the first virus found.

> Thanks a lot
> Federico
Re: [Clamav-users] Performance Help - 100% cpu usage
James Lick wrote:

> Jason Haar wrote:
> > I am now going to figure out a way that the installation of Qmail-Scanner will *ignore* the presence of clamdscan if it's actually clamscan - that is really too gross to allow to continue.
>
> The ClamAV authors could put a stop to this by making clamdscan and clamscan the same program and then acting differently depending on which name is run. This is similar to how gzip and gunzip are actually the same program but when called as gzip it compresses and as gunzip it uncompresses.

The way I understand it, most people recommend that the argv[0] mechanism be only used if:

a) each of the programs' functionality would duplicate significant portions of functionality/code
b) there is a command-line switch that overrides any meaning argv[0] may have
c) there is an intelligent default

It's not done nearly as often as it is _possible_ to be done, for the above reasons. Gzip and sendmail are some well known programs that do this. However, most people do not agree that sendmail is a textbook example of fine design. I believe the GNU coding conventions recommend against the practice as well.

Often one accomplishes the goal of (a) above by linking in some of the object files of one program to another. Or a library... wait... clamav does this already.

As far as I am aware sym/hard links are currently only commonplace on unix-like systems. This would be an unnecessary hardship to the windows porters.

As for the stated goal, my personal feeling is that just as users should not be trying to thwart developers, neither should developers try to thwart users. And since large portions of clamscan arguments do not apply for clamdscan, we would be provoking more confusion in that regard as well. I also suspect that there is far less similarity in the code for clamscan and clamdscan than one would expect... but I haven't looked recently.

As for the packager, his instructions do clearly note that it is his personal workaround preference. People who ignore that disclaimer are IMO doing so at their own risk. So are people who install complex software without reading *any* of the vendor (clamav) supplied doc. My alma mater, School Of Hard Knocks, advises me that they deserve what they get. However, this list does not deserve the repeated annoyance of answering the same question. Most intelligent humans seem to feel that answering the same question repeatedly is a unique 21st century form of torture.

Were I the packager, my personal workaround preference would be to configure qscan to call clamscan, instead of mucking with the clamav install.

Furthermore, the documentation appears to have been updated for the .80 series -- notice the use of clamd.conf. (Perhaps the workaround is meant to be overridden by newer installs of clamav?)

Excuse the above rants...

Joe
Re: [Clamav-users] Old ClamAV workaround
Bart Silverstrim wrote:
> On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
>> Matt wrote:
>>> What's the worst that can happen? It fails to compile, and you still need to find a packaged version. You'll be no worse off than you are now.
>>
>> The worst that can happen? I descend once again into dependency hell and spend hours losing my mind over this. I totally alienate my sense of well being and take up arms on a shooting spree that threatens everyone in a 400 mile circle leaving my children without any parents. Fortunately, that didn't happen. I snagged a copy of source and it compiled smoothly. It seems to be working just fine for now.
>
> Stupid question (I've got TONS of them :-) ...
>
> When you only install programs from source, how do you know when upgrading them that there aren't remnants of binaries or libraries scattered around the OS? I grew up having to use Windows, so please forgive the question; I had one too many instances of uninstallers getting rid of the program then having old DLLs and older registry entries left behind (and before that, old .ini files). So when using source compiles, I have this ingrained flinch towards the idea of just running a compile and installing the results then trying to do an upgrade if there's no version control, etc. built into it (which I suppose is why RPM and apt-get and all the other packagers are so popular... supposedly they help prevent conflicts from upgrades)
>
> -Bart

checkinstall is what you need.
Re: [Clamav-users] Strange Behavior
Scott Rothgaber wrote:
> Good Morning!
>
> I've built a gateway using sendmail, clamav and spamassassin. After setting the MX records for a test domain to go through this box, the spam is rolling in! ;-) Then, I threw a virus at it. The resulting behavior is nothing like what I expected...
>
> 1) sendmail receives message, calls clamd
> 2) clamd identifies virus
> 3) clmilter adds headers, hands message to sendmail-submit

^^^ You need to disable spamd scanning locally generated email. Be wise to do the same for clamav-milter. Currently this is milter-specific. (If you don't mind checking out the bleeding edge there is a patch out there that allows sendmail to control this... milter rulesets... google)

> 4) sendmail-submit calls spamd

Don't go that route.

> ... Say what?!?!
>
> In an attempt to get rid of sendmail-submit, I renamed submit.cf and tried again. This time, the message is rejected as it should be but now I get a bunch of bitching from sendmail about the inability to save queue files because of permissions. H!!!
>
> Anyone been down this road before?
>
> Thanks!
> Scott
Re: [Clamav-users] Strange Behavior
Stephen Gran wrote:
> On Wed, Oct 13, 2004 at 09:38:03AM -0400, Scott Rothgaber said:
>> Stephen Gran wrote:
>>> Well, really, it looks like something sendmail is failing to do.
>>
>> Thanks, Stephen! Here's what I have in .mc (wrapped)...
>>
>> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=,T=S:4m;R:4m')
>> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamd/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
>> define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')
>
> Try ending the lines with dnl's? Sendmail's m4 makes my ears bleed, but it looks like something is definitely going wrong. Your setup looks reasonable, and sendmail should be giving a 5xx in response to a virus being found.

I read the FP as saying that after a virus is found sendmail-submit is called, which should only happen if a notification is being sent.
Re: [Clamav-users] virus submission problem
Matt wrote:
> Steffen Heil wrote:
>> For example, I DO have dnsblacklists, helo string checking, mime checks, clsid extension checks, empty and too large boundary checks, verify sender domain and soon some callout-checks in front of clamav. However, some mail should get delivered and those should be checked, right?
>
> The helo checks, blacklists and other sender/client checks are just generalisations for any type of junk email. They are not the ones that I was including in that assessment. The main types of checks that should be done are regarding the composition of the emails. For example, the ones you mention above, clsid and boundary checks, will stop a proportional amount of virus mails from getting any further. Then there are others, like iframe, executabl

I may be in the minority here but I strenuously object to the banned extensions methodology. Especially when implementing outside of the SMTP layer. For a service provider it's a hassle for their customers. An internal corp. may be able to inflict such abuse on its users, but not an SP.

For that matter, thanks to MS new outlook's "You can't open this attachment if your life depended on it (except if you hack the reg for each and every one -- but if you trash your machine you're sol)" security misfeature, it is now a pain in the neck to email anything useful to a windows/outlook user. You send it, you go on your merry way, you (maybe) hear back "I can't open it" "Send it again" "What are you talking about".

Just wait till zips become a banned extension. What are we going to do when users become accustomed to renaming attachments back to the proper form? Make them click an extra ok button? And for those who say "but they won't do that?" -- password protected zips?

Aggressive blacklisting is the answer. People who send you viruses should get blacklisted semi-automatically. Now you don't even have to enter the DATA stage when they come knocking again.

Joe
Re: [Clamav-users] milter errors
> snip
> INPUT_MAIL_FILTER(`clamav-milter', `S=local:/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `clamav-milter')dnl

You need to pass the proper socket path to the milter as its startup arguments.

> snip
> LocalSocket /clamav/clmilter.sock

Sendmail needs one socket to talk to the clamav-milter. The clamav-milter uses ANOTHER socket to talk to clamd. They cannot be set to the same one.
Re: [Clamav-users] contrib/init/RedHat suggested patch
Damian Menscher wrote:
> On Mon, 16 Aug 2004, Richard A Nelson wrote:
>> On Mon, 16 Aug 2004, Todd Lyons wrote:
>>> It shouldn't, however change if a virus is accepted - since sendmail should be tempfailing mail until the milters are functioning.
>>
>> Incorrect, depending on how you define your milter call for sendmail.
>>
>> Yes, I guess one can't legislate sanity, can one :( But spamassassin and clamav should default to tempfail! ...still can't believe that people aren't recommending a safe, by default setup.
>
> We are. ;) For most mailserver admins, the danger of losing our jobs is much greater if we tempfail all incoming mail due to a clamav crash than is the danger of losing our jobs due to a couple of viruses leaking through. Where email is concerned, message delivery is critical. Virus and spam filtering are features.
>
> Damian Menscher

Hear Hear. Precisely right in any service situation I have seen. More important to get email than to get clean email. At least these days, for whatever reasons. Especially when customers may/should have their own line of defense.

Also why limiting sendmail connections/rate limiting or attachment sizes in response to clamav limits is not the way to go, as I have advocated in the past.

I advocate running a second line virus scanner with quarantine and notifying site postmaster/administrator to catch the ones that slip through for whatever reason, and actually keep them around for diagnostics. AMavisd-new works well for this, on sendmail. One can get rid of the ones clamav recognizes by running

    #!/bin/bash
    # Remove quarantined messages that clamd (now) recognizes; anything clamd
    # does not flag stays in the quarantine for diagnostics.
    AMAVIS_QDIR=/var/lib/amavis/virusmails
    for f in "$AMAVIS_QDIR"/*; do
        [ -f "$f" ] || continue
        echo "$f"
        # clamdscan exit status: 0 = clean, 1 = virus found, 2 = error
        clamdscan --disable-summary - < "$f"
        if (( $? == 1 )); then
            rm -- "$f"
        fi
    done
Re: [Clamav-users] Idea for more timely virusdb updates
Christopher X. Candreva wrote:
> This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is better than any of the commercial virus scanners, but obviously still has issues, especially since a bunch of us obviously submitted updates that had already been entered. I gather from these posts that the virusdb's actually have some form of version number.

This could actually be easily accomplished also by attaching an SOA record to a zone... for example dbversion.clamav.net. Incrementing the serial for that should be trivial enough. Writing a mechanism to rapidly query against it and then to invoke a freshclam is left as an exercise to the reader.

Presumably then the list of nameservers for that particular zone would be expanded to about 10 or more. Notification from whatever master zone server could be trivially accomplished on that.

We should probably consider that the load balancing of all those end users'/ISPs' DNS resolvers may not be all it can be, particularly the selection of which nameserver to talk to out of many for a particular zone.

Anyways I did a dig. Aren't CNAMEs that point to CNAMEs contrary to RFC? Might that be behind the infrequent dns resolution complaints?

Also... Is there any single name that covers ALL mirrors?

Also, any insight as to how the {presumably dynamic} selection to alias db.local to db.america is done?

c:\Documents and Settings\joe.JOE.000>dig database.clamav.net

; <<>> DiG 9.2.3rc3 <<>> database.clamav.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 5, ADDITIONAL: 2

;; QUESTION SECTION:
;database.clamav.net.           IN      A

;; ANSWER SECTION:
database.clamav.net.    5       IN      CNAME   db.local.clamav.net.
db.local.clamav.net.    7200    IN      CNAME   db.america.clamav.net.
db.america.clamav.net.  5       IN      A       128.121.60.235
db.america.clamav.net.  5       IN      A       196.40.71.226
db.america.clamav.net.  5       IN      A       199.239.233.95
db.america.clamav.net.  5       IN      A       200.68.106.39
db.america.clamav.net.  5       IN      A       24.244.193.21
db.america.clamav.net.  5       IN      A       38.136.139.7
db.america.clamav.net.  5       IN      A       64.18.103.6
db.america.clamav.net.  5       IN      A       64.69.64.158
db.america.clamav.net.  5       IN      A       65.75.154.69
db.america.clamav.net.  5       IN      A       65.77.42.207
db.america.clamav.net.  5       IN      A       66.139.75.171
db.america.clamav.net.  5       IN      A       67.18.205.218
db.america.clamav.net.  5       IN      A       69.93.108.98

;; AUTHORITY SECTION:
clamav.net.             7200    IN      NS      ns5.clamav.net.
clamav.net.             7200    IN      NS      ns1.oltrelinux.com.
clamav.net.             7200    IN      NS      ns2.clamav.net.
clamav.net.             7200    IN      NS      ns3.clamav.net.
clamav.net.             7200    IN      NS      ns4.clamav.net.

;; ADDITIONAL SECTION:
ns1.oltrelinux.com.     38516   IN      A       194.242.226.43
ns5.clamav.net.         153717  IN      A       80.69.66.9

;; Query time: 671 msec
;; SERVER: 64.95.32.37#53(64.95.32.37)
;; WHEN: Tue Aug 10 16:40:04 2004
;; MSG SIZE  rcvd: 429
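The "exercise to the reader" from the message above, worked as an added example that is not part of the list post or of ClamAV: a cron-able poller that reads the SOA serial of the proposed zone and invokes freshclam only when the serial has advanced. The zone name dbversion.clamav.net is the hypothetical one from the proposal and the state file path is an assumption; a lookup failure is deliberately treated as "do nothing" so a flaky resolver cannot turn into a freshclam storm.

```shell
#!/bin/sh
# Added example (not from the list message or from ClamAV): poll the SOA serial
# of a hypothetical version zone and run freshclam only when the serial has
# advanced since the last check. Run from cron as: sh dbversion-poll.sh --run

ZONE="${ZONE:-dbversion.clamav.net}"                 # hypothetical zone from the proposal
STATE="${STATE:-/var/lib/clamav/dbversion.serial}"   # assumed path for the last seen serial

# Print the SERIAL field of a `dig +short SOA <zone>` answer line such as
#   ns1.example.net. hostmaster.example.net. 2004081001 3600 900 604800 300
# Returns 1 and prints nothing if the line is not well-formed SOA RDATA.
soa_serial() {
    set -- $1                      # split into MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    [ $# -eq 7 ] || return 1
    case "$3" in
        ''|*[!0-9]*) return 1 ;;   # serial must be an unsigned integer
    esac
    printf '%s\n' "$3"
}

# serial_advanced NEW STATEFILE: succeed (exit 0) when NEW is larger than the
# serial stored in STATEFILE; a missing state file counts as serial 0.
# Plain integer comparison; RFC 1982 serial wraparound is ignored for brevity.
serial_advanced() {
    old=0
    if [ -r "$2" ]; then
        old=$(cat "$2")
    fi
    [ "$1" -gt "$old" ]
}

# check_and_update ZONE STATEFILE: 0 = updated, 1 = nothing to do, 2 = lookup problem.
# Only a visibly newer serial triggers freshclam; DNS errors never do.
check_and_update() {
    answer=$(dig +short SOA "$1" 2>/dev/null) || return 2
    new=$(soa_serial "$answer") || return 2
    if serial_advanced "$new" "$2"; then
        # freshclam still does the actual fetch; DNS only tells us when to bother
        freshclam --quiet || return 2
        printf '%s\n' "$new" > "$2"
        return 0
    fi
    return 1
}

case "${1:-}" in
    --run) check_and_update "$ZONE" "$STATE" ;;
esac
```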
Re: [Clamav-users] Additional logging info.
Stephen Gran wrote:
> snip
> As for your actual question, I don't think the milter has access to that - it gets the email as a data stream from sendmail, and is relatively isolated from the actual connection, AFAIK.

If you feel like patching the milter: http://www.milter.org/milter_api/xxfi_connect.html

Or you could find and retrieve the appropriate macro from sendmail with http://www.milter.org/milter_api/smfi_getsymval.html

In general this is a good resource for milters: http://www.milter.org/milter_api/
Re: [Clamav-users] Clamav and Qscanq
galactic wrote:
> PS, last message was in Rich Text NOT HTML. SO.. I'll just stick to plain Text for you guys.

Whatever your mail user agent (Outlook) says, what we got here was nice pure unadulterated HTML. How do you think Outlook implements Rich Text? By attaching a rich text format file?
Re: [Clamav-users] Clamv-milter
Stephen Gran wrote:
> On Mon, May 24, 2004 at 03:38:09PM +0200, Cristian Del Carlo said:
>> Hi, i use sendmail in my smtp server. I have configured sendmail.mc with the following options:
>>
>> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.sock, F=, T=S:4m;R:4m')
>> define(`confINPUT_MAIL_FILTERS',`clmilter')
>>
>> I have a problem when my users send e-mails greater than 400-500K because i get from the server the following error:
>>
>> May 24 12:53:50 X sm-mta[17458]: i4OAqHsX017458: Milter: data, reject=451 4.7.1 Please try again later
>>
>> This error is not present if my users send little mails. I use ClamAV version 0.70-rc and clamav-milter version 0.70. Where is the mistake?
>>
>> Thanks, Cristian Del Carlo
>
> You'll want to look at the StreamMaxLength setting in clamav.conf, I believe. Although the F=, should be passing the messages through unscanned if there is a milter problem. Not sure why sendmail is doing that.

That's not what the F= is for. If the milter-sendmail communication fails, then F= is either tempfail or reject. Upgrade your clamav installation. Significant fixes went into the suite, some of them specifically addressing these issues.
Re: [Clamav-users] Compiled with '-g'
passing --enable-debug through the configure script might help

Sean Matheson wrote:
> Scrap that. I found that it was compiled with the '-g' option. But I still can't seem to get gdb working with the core file dumped by the freshclam seg fault. Back to the drawing board.
>
> -- Sean Matheson, Student Programmer
Re: [Clamav-users] Compiled with '-g'
Sean Matheson wrote:
> Do I simply put --enable-debug in the CFLAGS definition?

If you want to localize the debugging you can add -g to CFLAGS as defined in the Makefile generated by configure. If you go that route also add -DCL_DEBUG. Better to use --enable-debug in the initial configure script.
Re: [Clamav-users] softlimit+clamav
Rich wrote:
> Jason,
>
> I Googled my clamav problem (memory usage grows!) and found this thread. I've had numerous OOM with my production box so I thought running Softlimit+Clamd would be a good idea. The problem is I get a segmentation fault error and all the clamd processes seem to hang. You mentioned that you figured out the problem, can you please provide details on this?
>
> Thanks! -Richie

How about trying to get a core file for the seg faults and stracing the hanging clamd processes?

Joe
[Clamav-users] Updates to my patches
Hello All,

For those who care, there are new versions of these patches on my http://www.jmaimon.com/clamav page

- clamav-devel.jm-pl4 OR
- max-child-wait - clamav-milter 0.70x (with the recent fix)
- streammaxlength - clamav-milter 0.70x
- ALLOC_CHECK - clamav-milter 0.70x
- vsnprintf_alloc has now become vasprintf. There is now a patch which should apply against un-jm patched clamav-milter.
- Loginfected - new version that applies against a jm patched clamav-milter 0.70x

As usual any feedback, including flames, is welcome,

Joe
Re: [Clamav-users] clamav-milter[xxx]: ClamAv: thread_create() failed: 11, try again
Samuel Benzaquen wrote:
> Hello all,
>
> We've installed clamav / clamav-milter on a sendmail server with HIGH traffic. It worked well most of the time, but on peak hours (more than 400 concurrent connections per server and 150K mail per hour) the clamav-milter throws these errors on the syslog and slows down the process:
>
> May 7 09:27:41 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed: 11, try again

This is a libmilter error. Specifically it occurs in listener.c when libmilter tries to spawn a thread to call the appropriate functions from your milter.

> The CPU never went over 70% (1 Xeon with HT). The RAM never went over 80% (1 Gb total + 1,5 Gb SWAP). It just can't create the thread! This is always when it tries to create the 257th concurrent thread of clamav-milter. When this happens you can see thru 'ps' near 256 threads of clamav-milter (between 250 and 256, never more). I'm guessing it is a limit on the kernel/libraries/implementation.

That would be my guess. Why don't you try testing with a null-milter and see if you get the same results?

> The system is a RedHat 7.3, kernel 2.4.20-19.7smp compiled by RedHat, glibc-2.2.5-43. We also tried on a Fedora Core 1, kernel 2.6.4 (downloaded and compiled), glibc-2.3.2-101.1.
>
> Any help would be appreciated,

/*
 * A Sample Filter
 *
 * The following sample logs each message to a separate temporary file,
 * adds a recipient given with the -a flag, and rejects a disallowed
 * recipient address given with the -r flag.
 * It recognizes the following options:
 *   -p port    The port through which the MTA will connect to the filter.
 *   -t sec     The timeout value.
 *   -r addr    A recipient to reject.
 *   -a addr    A recipient to add.
 *
 * This stripped-down "null" version keeps only the callbacks: every one of
 * them just continues, and the message is accepted at end-of-message, so it
 * exercises libmilter's connection and thread handling without doing any work.
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <syslog.h>

#include "libmilter/mfapi.h"

#ifndef bool
# define bool   int
# define TRUE   1
# define FALSE  0
#endif /* ! bool */

struct mlfiPriv
{
    char *mlfi_fname;
    char *mlfi_connectfrom;
    char *mlfi_helofrom;
    FILE *mlfi_fp;
};

#define MLFIPRIV        ((struct mlfiPriv *) smfi_getpriv(ctx))

extern sfsistat mlfi_cleanup(SMFICTX *, bool);

/* recipients to add and reject (set with -a and -r options) */
char *add = NULL;
char *reject = NULL;

sfsistat
mlfi_connect(ctx, hostname, hostaddr)
    SMFICTX *ctx;
    char *hostname;
    _SOCK_ADDR *hostaddr;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_helo(ctx, helohost)
    SMFICTX *ctx;
    char *helohost;
{
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_envfrom(ctx, argv)
    SMFICTX *ctx;
    char **argv;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_envrcpt(ctx, argv)
    SMFICTX *ctx;
    char **argv;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_header(ctx, headerf, headerv)
    SMFICTX *ctx;
    char *headerf;
    unsigned char *headerv;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_eoh(ctx)
    SMFICTX *ctx;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_body(ctx, bodyp, bodylen)
    SMFICTX *ctx;
    unsigned char *bodyp;
    size_t bodylen;
{
    /* continue processing */
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_eom(ctx)
    SMFICTX *ctx;
{
    return SMFIS_ACCEPT;
}

sfsistat
mlfi_abort(ctx)
    SMFICTX *ctx;
{
    return SMFIS_CONTINUE;
}

sfsistat
mlfi_close(ctx)
    SMFICTX *ctx;
{
    return SMFIS_CONTINUE;
}

struct smfiDesc smfilter =
{
    "Null-Milter",      /* filter name */
    SMFI_VERSION,       /* version code -- do not change */
    SMFIF_ADDHDRS,      /* flags */
    mlfi_connect,       /* connection info filter */
    mlfi_helo,          /* SMTP HELO command filter */
    mlfi_envfrom,       /* envelope sender filter */
    mlfi_envrcpt,       /* envelope recipient filter */
    mlfi_header,        /* header filter */
    mlfi_eoh,           /* end of header */
    mlfi_body,          /* body block filter */
    mlfi_eom,           /* end of message */
    mlfi_abort,         /* message aborted */
    mlfi_close,         /* connection cleanup */
};

static void
usage(prog)
    char *prog;
{
    fprintf(stderr, "Usage: %s -p socket-addr [-t timeout]\n", prog);
}

int
main(argc, argv)
    int argc;
    char **argv;
{
    bool setconn = FALSE;
    int c;
    const char *args = "p:t:h";
    extern char *optarg;

    /* Process command line options */
    while ((c = getopt(argc, argv, args)) != -1)
    {
        switch (c)
        {
          case 'p':
            /* The archived message is cut off at this point; the remainder
               of main() follows the standard libmilter sample filter. */
            if (*optarg == '\0')
            {
                (void) fprintf(stderr, "Illegal conn: %s\n", optarg);
                exit(EX_USAGE);
            }
            if (smfi_setconn(optarg) == MI_FAILURE)
            {
                (void) fprintf(stderr, "smfi_setconn failed\n");
                exit(EX_SOFTWARE);
            }
            setconn = TRUE;
            break;

          case 't':
            if (*optarg == '\0')
            {
                (void) fprintf(stderr, "Illegal timeout: %s\n", optarg);
                exit(EX_USAGE);
            }
            if (smfi_settimeout(atoi(optarg)) == MI_FAILURE)
            {
                (void) fprintf(stderr, "smfi_settimeout failed\n");
                exit(EX_SOFTWARE);
            }
            break;

          case 'h':
          default:
            usage(argv[0]);
            exit(EX_USAGE);
        }
    }
    if (!setconn)
    {
        fprintf(stderr, "%s: Missing required -p argument\n", argv[0]);
        usage(argv[0]);
        exit(EX_USAGE);
    }
    if (smfi_register(smfilter) == MI_FAILURE)
    {
        fprintf(stderr, "smfi_register failed\n");
        exit(EX_UNAVAILABLE);
    }
    return smfi_main();
}
Re: [Clamav-users] Re: There is something I dont get here ...
Flynn wrote:
> There are many ways to do this - using the --mbox option should detect the virus if the _full_ e-mail is scanned by ClamAV.
>
> Well - let me clarify this situation very carefully: (v0.70) clamscan --mbox does *NOT* recognize the _full_ email as a virus.

I have experienced the same issue. There is always supposed to be a Received: header but... stuff was being quarantined by amavis that did not have one or be otherwise recognized as mbox... See the mbox-force patch at http://www.jmaimon.com/clamav for an experimental workaround.
Re: [Clamav-users] Sasser Worm Virus not shown with sigtool
Colin A. Bartlett wrote:
> Lynn Duerksen Sent: Wednesday, May 05, 2004 11:26 AM
>> Freshclam reports:
>>
>> RELAY:root[sbin] freshclam
>> ClamAV update process started at Wed May 5 10:07:25 2004
>> Reading CVD header (main.cvd): OK
>> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
>> Reading CVD header (daily.cvd): OK
>> daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder: trog)
>>
>> However when I run:
>>
>> sigtool -l | grep -i sasser
>>
>> I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all show up using this?
>
> You probably have 2 versions of the database. Happened to me and many others.

Happens to everybody it seems. Perhaps a command line option for database path and a corresponding entry in --help output to show where the default location is for the database? Perhaps a lookup into clamav.conf?

Joe
Re: [Clamav-users] problems using sendmail with clamav on rh7.3
Raul Elizondo wrote:
>> Run m4? make -C /etc/mail should compile the .m4 file into the .cf result. -- Steve
>
> sorry, but that does not make sense, at least with RH7.3
>
>> Make sure that sendmail-cf is installed. -- Regards... Todd
>
> [EMAIL PROTECTED] mail]# rpm -qa | grep sendmail
> sendmail-cf-8.11.6-27.73
> sendmail-8.11.6-27.73
> sendmail-devel-8.11.6-27.73

This won't do. Get a newer sendmail or compile one yourself from www.sendmail.org. Usually if you do the latter it is a drop in replacement.
Re: [Clamav-users] problems using sendmail with clamav on rh7.3
Raul Elizondo wrote:
>> This won't do. Get a newer sendmail or compile one yourself from www.sendmail.org. Usually if you do the latter it is a drop in replacement.
>
> i didn't get it, you mean this version of sendmail won't work? it is working right now with the changes i did in my last email, it is detecting/blocking viruses
>
> regards, -=Raul=-

This means that the sendmail you are using is 3 years old, assuming it has been security patched by RH. There were real milter improvements in 8.12 (among much else), including making it a supported feature, instead of a _FFR.
Re: [Clamav-users] problems using sendmail with clamav on rh7.3
Raul Elizondo wrote:
> Hi again, I finally could compile it and it runs at least the tests, but now the problem comes when i try to add it in sendmail
>
> INPUT_MAIL_FILTER(`clamav', `S=local:/usr/local/clamav/clamav.sock, F=, T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `clamav')dnl
>
> and when i run m4, these 2 lines do not even make any change in sendmail.cf. I tried to copy/paste these lines in a sendmail.cf from another running system (rh9) with clamav to see if at least i could have an idea, but i get errors regarding to a TSL path not found. Perhaps rh7.3 (sendmail 8.11.6) needs some other command rather than INPUT_MAIL_FILTER and define?
>
> Regards, -=Raul=-

Please enclose your sendmail.mc and the command you used to produce the sendmail.cf (typically you can use "m4 sendmail.mc > sendmail.cf" on a redhat system. Please sanity check the above before doing something you might regret)
Re: [Clamav-users] problems compiling on rh7.3
looks like libsm from sendmail

Try downloading and installing the sendmail-devel kit

Or downloading and compiling libmilter from the sendmail source distribution and using that path to the configure script

Raul Elizondo wrote:
> Hi, I am having this problem to compile clamav, the problem comes when i do --enable-milter in the ./configure then make. If i don't use that, it compiles with no problem. Any hint or help?
>
> Regards... -=Raul=-
>
> gcc -DHAVE_CONFIG_H -DSENDMAIL_BIN=\"/usr/sbin/sendmail\" -I. -I. -I.. -I../clamd -I../libclamav -I../shared -g -O2 -c `test -f 'clamav-milter.c' || echo './'`clamav-milter.c
> /bin/sh ../libtool --mode=link gcc -g -O2 -o clamav-milter cfgparser.o getopt.o memory.o clamav-milter.o -L../libclamav -lclamav -L/usr/lib/libmilter -lmilter -lwrap -lpthread
> gcc -g -O2 -o .libs/clamav-milter cfgparser.o getopt.o memory.o clamav-milter.o -L/usr/local/src/clamav-0.70/libclamav /usr/local/src/clamav-0.70/libclamav/.libs/libclamav.so -lz -lbz2 -lgmp -lnsl -L/usr/lib/libmilter -lmilter -lwrap -lpthread
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libmilter.a(main.o): In function `smfi_register':
> main.o(.text+0x74): undefined reference to `strlcpy'
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libmilter.a(main.o): In function `smfi_setconn':
> main.o(.text+0x12f): undefined reference to `strlcpy'
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libmilter.a(listener.o): In function `mi_milteropen':
> listener.o(.text+0x184): undefined reference to `strlcpy'
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libmilter.a(engine.o): In function `st_connectinfo':
> engine.o(.text+0x83a): undefined reference to `strlcpy'
> collect2: ld returned 1 exit status
> make[2]: *** [clamav-milter] Error 1
> make[2]: Leaving directory `/usr/local/src/clamav-0.70/clamav-milter'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/local/src/clamav-0.70'
> make: *** [all] Error 2
Re: [Clamav-users] Mail::ClamAV
Have a look at the magic array cli_magic_s cli_magic at the top of libclamav/scanners.c

Or look at my patch which adds the option --mbox-force: http://www.jmaimon.com/clamav

Glen Eustace wrote:
> Well, I have gotten further now, my problem seems to be that the scandesc function doesn't recognise my temporary file as a mail message. My filter places the SMTP commands in the file as well, and these seem to prevent the scanner from working properly. Is there any way I can trick the scanner, or is it time to hack code? Either mine or ClamAV
Re: [Clamav-users] clamav-milter hanging
Angelo Turetta wrote:
Do you have any suggestion as to what might be triggering a fatal hanging of clamav-milter on my server? This is FreeBSD 4.9-STABLE (cvsup about March 25th), with sendmail 8.12.11/8.12.11, clamav 0.70 from ports (but it showed up the same with 0.67-1). When this happens, I see a lot of clamav-milter processes equally sharing 100% CPU (see attached ps output), with uptime showing a load of [n. of milter processes], and sendmail stopping processing mail due to excessive system load. I even tried lowering --max-children from 50 to 5, but this parameter is obviously not controlling the number of processes.

Recent threads and a patch of mine at http://www.jmaimon.com/clamav are addressed at trying to resolve the max-children issue.

The mail log doesn't contain anything particularly vicious; the only strange thing is a lot of 'host did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA' (about 4 to 10 per hour), with the host every time different and having nothing to do with this server (which is a company mail server with very little roaming usage, and at most 1000-2000 messages per day). The system log is absolutely quiet, while clamd.log (fragment attached) shows some strange behaviour. Tonight, for example, at about midnight, it seems the database was reloaded, and since then the virus rate dropped from 10-20 per hour to 2 in 6 hours. I suppose this might be the initial event. It all seems to have begun last week when I also installed spamass-milter on the same server, but that may be coincidence, because since the same day the server became the primary MX for the domain, while previously it had an upstream mail server intercepting viruses, and so clamd was a lot more idle than now. Thanks for any hints, Angelo.

Try reconfiguring with --enable-debug and recompiling, so that you might be able to debug the processes. Also try strace or similar on the hung processes.
Re: [Clamav-users] [PATCH] clamav-milter --max-child-w
Andy Fiddaman wrote:
Having a maximum at all makes it easy for someone to DoS you because a thread is created for each new SMTP connection: just connect X times and don't start entering a sender address.

You don't have a max process/children configuration for sendmail? That enables the same thing. Besides, with all the cheap zombies out there, they can just flood you with viruses all at once. Costs the same to the attacker.

I think the thread maximum should be implemented around the actual virus scan, because having a thread which is just waiting to receive an email doesn't actually impact on system resources significantly.

Memory, threads, file descriptors. Delaying sendmail's handling of email is NOT a good idea. Sendmail has its own controls to handle max process and connection rate. If you are not going to have the allowable resources to process, you bail.

How about implementing this as a semaphore in the eom callback, i.e. decrement semaphore; scan using clamd; increment semaphore. That would limit the number of simultaneous scans and keep the synchronisation completely within the eom() callback, so fixing the problem with some threads exiting without decrementing the current counter.

Yes, but waiting around will cause sendmail processes to pile up, producing the DoS effect anyway (perhaps even worse). You are also delaying all other milters on the system. When the system stops accepting email because it's being flooded, the sysadmin will come and block the attackers out, restoring service. As opposed to driving down to the datacenter to restore the thrashed box.

So long as clamfi_free is called it should always decrement. clamfi_cleanup will always call clamfi_free if smfi_getprivdata(ctx) != NULL. That means that after we have successfully stored privdata we should only be concerned about early thread termination. libmilter will warn in syslog if the milter finishes with the private data pointer not NULL.

It also makes it difficult to mount a DoS attack because the clamd scan should return within a determinable amount of time.

It is impossible to protect from a DoS attack. Your system just will never be big enough to take on the world, should it come knocking. What's important is making sure that when the server is hit, the box is still usable. In other words, the attacked services should fail/stop accepting work much sooner than the threshold of the box maxing out. What you want to avoid are the trivial attacks that produce a fake DoS. So set your max-children high enough to avoid that, taking into account your sendmail settings.

As always, any thoughts appreciated.
[Clamav-users] clamdwatch exit code
Hello Mike, I appreciate your work on clamdwatch. Very nice utility. Should serve my purpose well. I do have one suggestion. The exit code for clamdwatch should probably stick to standards, as `true && echo $?; false || echo $?` can demonstrate: 0 is exit success, anything else is an error. (Yes, this is the opposite of C coding and countless other languages.) Instead of `clamdwatch.pl && /etc/init.d/clamd restart` as a cron entry, you would have `clamdwatch.pl || /etc/init.d/clamd restart`. Thanks, Joe (bit me because I didn't read the docs or check the source; clamd restarting every 15 minutes.)
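A watchdog that follows the convention asked for above (exit 0 only when clamd is healthy, anything else means restart it), as an added example rather than clamdwatch itself: it opens clamd's local socket, sends the PING command and expects PONG, which is the liveness check clamd provides. The default socket path, the timeout and the script name are assumptions.

```python
"""Health-check clamd over its UNIX socket; exit 0 only when it answers PONG.

Added example, not clamdwatch. Assumptions: clamd listens on the LocalSocket
path below (adjust to your clamav.conf) and answers the PING command with PONG.
"""
import socket
import sys

DEFAULT_SOCKET = "/var/run/clamav/clamd.sock"   # assumed path; match clamav.conf LocalSocket


def ping_clamd(sock_path, timeout=5.0):
    """Return True only if clamd at sock_path answers PING with PONG within timeout.

    Any failure (socket missing, connection refused, hang, unexpected reply) is
    reported as unhealthy; the caller's exit status drives the restart decision."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(b"PING\n")
            reply = b""
            # clamd ends its reply with a newline; stop there or at EOF
            while not reply.endswith(b"\n"):
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError:            # includes socket.timeout and connect errors
        return False
    return reply.strip() == b"PONG"


def exit_status(sock_path, timeout=5.0):
    """0 on success, 1 on failure, so that 'clamdwatch.py || restart' does the right thing."""
    return 0 if ping_clamd(sock_path, timeout) else 1


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    sys.exit(exit_status(path))
```

With the exit code this way round the cron entry is `clamdwatch.py /var/run/clamav/clamd.sock || /etc/init.d/clamd restart`; a hung clamd that accepts the connection but never answers is caught by the timeout rather than being reported as healthy.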
Re: [Clamav-users] Patching clamd to log to stderr (for use with multilog)
Nigel Horne wrote:
On Fri, 2004-04-30 at 13:06, Dale Gallagher wrote:
Nigel Horne wrote: LogFile /dev/stderr will work on many systems.
Slackware Linux complains if one uses the above - hence the patch ;-) I'd be interested to know which OSes are OK with the above?
Perhaps on Slackware (a distribution of Linux, for you non-Linux people) you can use /dev/fd/2? -Nigel

Or /proc/self/fd/2? To demonstrate: echo "echo stdout > /proc/self/fd/1 ; echo stderr > /proc/self/fd/2" | sh
Re: [Clamav-users] [PATCH] clamav-milter --max-child-w
Andy Fiddaman wrote:
snip
What I actually want to limit on my boxes is the number of concurrent scans, not the number of milter threads, since 1 thread == 1 incoming email (over the initial signal threads etc.) and sendmail can control that itself. Other people may have different priorities.

Sounds like a good idea. Except that sendmail controls are not as fine grained as the milter. The milter may be configured to scan a certain subset of email traffic, and therefore the sendmail values would not be representative of the true maximum you want to be running at once. The way I see it, your main benefit in moving the logic closer to the actual scanning is in eliminating slow DATA senders from counting in the tally. Concurrent scans can be controlled via the clamd MaxThreads option, I believe.

I'm currently using something similar to the code below. Because each thread
snip

Would love a patch if you had one available.
Re: [Clamav-users] [PATCH] clamav-milter --max-child-wait
working. It would be really nice to actually have the bug fixed properly though, rather than resorting to work-rounds like that. Mike.

Well then try my latest patch for the max-children-wait argument: http://www.jmaimon.com/clamav

The default will be to EXIT when we hit the max-children mark, instead of loitering around, piling up and delaying email, then still running even though there are still too many children. BE WARNED: this means that unless you configure otherwise, clamav-milter will TEMPFAIL email whenever it hits the max-children threshold. Which means you would probably wish to consider exactly why the max-children figure you are using and the sendmail define(`confMAX_DAEMON_CHILDREN',`100')dnl are different...
Re: [Clamav-users] Update
Marco Draghi wrote:
I've received the warning about the outdated version of my clamav-0.67 too. To install the new clamav-0.70.tar.gz, do I need to uninstall the first one and then install the new one, or just install the latest version over 0.67?? Thanks, Marco.

If you use the same configure arguments, you should be OK. However, do yourself a favor and search for any duplicate copies of the virus sig database. That said, you may wish to back up the config files and any local mods you have done, and do a make uninstall from the .67 src directory you make installed from.
Re: [Clamav-users] Updating on SuSE?
cH4os wrote:
? I'm kinda new to this, here is what I thought I should do, what did I do wrong?

Fix the date/time on your system (as root): man date. In the source directory (NOT as root): ./configure --help | less to get a list of options you may find useful. Then put in your options and run configure; for example, if you have libmilter (sendmail): ./configure --enable-milter then make. Once it finishes compiling you can do a make install as root.
Re: [Clamav-users] Re: clam-av/milter, NOW: that one resolved, moved on
Don Levey wrote:
Apr 27 21:38:54 davinci sendmail[7174]: i3S1csjm007174: from=[EMAIL PROTECTED], size=700, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=smtp03.mrf.mail.rcn.net [207.172.4.62]
Apr 27 21:42:54 davinci sendmail[7174]: i3S1csjm007174: Milter (clmilter): timeout during data read
Apr 27 21:42:54 davinci sendmail[7174]: i3S1csjm007174: Milter (clmilter): to error state

This looks like exactly what it seems: clamav-milter did not respond during the 5 minute timeout (check your sendmail cf README or look at www.sendmail.org).

Apr 27 21:40:43 davinci sendmail[7212]: i3S1egjm007212: from=[EMAIL PROTECTED], size=703, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=smtp03.mrf.mail.rcn.net [207.172.4.62]
Apr 27 21:40:43 davinci sendmail[7212]: i3S1egjm007212: Milter: data, reject=451 4.7.1 Please try again later
Apr 27 21:40:43 davinci sendmail[7212]: i3S1egjm007212: to=[EMAIL PROTECTED], delay=00:00:00, pri=30695, stat=Please try again later
Apr 27 21:40:43 davinci sendmail[7214]: i3S1ehjm007214: from=[EMAIL PROTECTED], size=703, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=smtp03.mrf.mail.rcn.net [207.172.4.62]
Apr 27 21:40:43 davinci sendmail[7214]: i3S1ehjm007214: Milter: data, reject=451 4.7.1 Please try again later
Apr 27 21:40:43 davinci sendmail[7214]: i3S1ehjm007214: to=[EMAIL PROTECTED], delay=00:00:00, pri=30695, stat=Please try again later

What seem to be corresponding entries from an strace run of clamav-milter:
accept(1, {sa_family=AF_UNIX, [EMAIL PROTECTED], [2]) = 2
setsockopt(2, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0x410cba90, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, [7175], {entry_number:6, base_addr:0x410cbb30, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 7175
accept(1, {sa_family=AF_UNIX, [EMAIL PROTECTED], [2]) = 3
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0x418cca90, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, [7213], {entry_number:6, base_addr:0x418ccb30, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 7213
select(2, [1], NULL, [1], {5, 0}) = 1 (in [1], left {4, 78})
accept(1, {sa_family=AF_UNIX, [EMAIL PROTECTED], [2]) = 3
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0x418cca90, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, [7215], {entry_number:6, base_addr:0x418ccb30, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 7215

Your strace looks like the code in libmilter. Exactly what version of sendmail and sendmail-devel do you have?
Re: [Clamav-users] [PATCH] clamav-milter --max-child-wait
This is actually a lot worse than I thought.

Apr 27 04:25:50 nameserver2 clamav-milter[4431]: ClamAv: private data not NULL
Apr 27 04:25:50 nameserver2 clamav-milter[4417]: ClamAv: private data not NULL
Apr 27 04:25:52 nameserver2 clamav-milter[4427]: ClamAv: private data not NULL
Apr 27 04:25:52 nameserver2 clamav-milter[4429]: ClamAv: private data not NULL
Apr 27 04:25:52 nameserver2 sendmail[4484]: i3R8PMaZ004484: Milter (clamav-milter): timeout before data read
Apr 27 04:25:52 nameserver2 sendmail[4484]: i3R8PMaZ004484: Milter (clamav-milter): to error state
Apr 27 04:25:53 nameserver2 sendmail[4484]: i3R8PMaZ004484: from=[EMAIL PROTECTED], size=1043, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=mx20.blackberry.net [206.51.26.249]
Apr 27 04:25:54 nameserver2 clamav-milter[4435]: ClamAv: private data not NULL
Apr 27 04:25:54 nameserver2 clamav-milter[4518]: hit max-children limit (11253 = 25): waiting for some to exit
Apr 27 04:25:56 nameserver2 sendmail[4487]: i3R8PO9w004487: Milter (clamav-milter): timeout before data read
Apr 27 04:25:56 nameserver2 sendmail[4487]: i3R8PO9w004487: Milter (clamav-milter): to error state

Something obviously went horribly wrong. Patches at http://www.jmaimon.com/clamav

(The "ClamAv: private data not NULL" messages are libmilter errors. I think the reason they occur is because sendmail places the mail filter into error state and closes the connection. Therefore I do not yet see how clamfi_cleanup would get called.)

Joe Maimon wrote:
So this morning clamd hung up. But then, to add insult to injury, max-children of clamav-milter piled up behind it like a car wreck. This patch adds the argument --max-child-wait=, which works like this.
* -1: wait 60 seconds for max_children and continue. (Old behavior)
* 0 or no value: no waiting, exit if max_children. (New default)
* >0: wait that long, then exit if necessary. (Mix)
Justification: if there are too many milters, hanging around doing nothing for 60 seconds won't make it any better. Besides, sendmail's milter could be configured to time out before that. Also, you would expect that saying --max-children actually limited it to --max-children. Joe
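The semaphore-around-the-scan idea from the earlier exchange and the three wait policies listed just above are the same design question: what to do with a connection when every scan slot is busy. The class below is an added example, not clamav-milter's code. It keeps the thread's n_children/max_children accounting behind a condition variable, applies the negative/zero/positive max_child_wait policy as described above, and releases the slot on every exit path so a scanner failure cannot leak the count; on a scanner error it defers the message (TEMPFAIL) rather than letting it through unscanned. The names ScanSlots, old_wait and the scanner callable are assumptions.

```python
"""Bounded concurrent scans with the --max-child-wait policies from the thread.

Added example (not clamav-milter's code). The counter, the cap and the policy
values mirror the n_children / max_children / max_child_wait description in
the discussion; class and parameter names are assumptions.
"""
import threading

ACCEPT_SLOT = "continue"   # a slot was obtained: go ahead and scan
TEMPFAIL = "tempfail"      # answer sendmail with 4xx so the sender retries later


class ScanSlots:
    def __init__(self, max_children, max_child_wait=0, old_wait=60.0):
        self.max_children = max_children
        self.max_child_wait = max_child_wait   # <0 old behaviour, 0 never wait, >0 seconds to wait
        self.old_wait = old_wait               # the 60 seconds the old code waited
        self.n_children = 0
        self._cv = threading.Condition()

    def _free(self):
        return self.n_children < self.max_children

    def acquire(self):
        """Apply the policy and return ACCEPT_SLOT or TEMPFAIL."""
        with self._cv:
            if self._free():
                self.n_children += 1
                return ACCEPT_SLOT
            if self.max_child_wait < 0:
                # old behaviour: wait, then continue regardless, so the cap is only advisory
                self._cv.wait_for(self._free, timeout=self.old_wait)
                self.n_children += 1
                return ACCEPT_SLOT
            if self.max_child_wait > 0 and self._cv.wait_for(self._free, timeout=self.max_child_wait):
                self.n_children += 1
                return ACCEPT_SLOT
            # 0, or the bounded wait expired: fail fast instead of piling up behind a stuck clamd
            return TEMPFAIL

    def release(self):
        with self._cv:
            self.n_children -= 1
            self._cv.notify()

    def scan(self, message, scanner):
        """Run scanner(message) inside a slot.

        The slot is released on every path (the accounting leak discussed above),
        and a scanner failure defers the message instead of passing it unscanned."""
        if self.acquire() == TEMPFAIL:
            return TEMPFAIL
        try:
            return scanner(message)
        except Exception:
            return TEMPFAIL
        finally:
            self.release()
```

With max_child_wait=0 the cap is a hard bound and sendmail sees a 4xx the moment it is reached, which is the behaviour the patch makes the default; the negative policy shows why the old code could report more children than max_children.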
Re: [Clamav-users] Re: clam-av/milter, NOW: that one resolved, moved on
Don Levey wrote:
On my system sendmail and sendmail-devel are both 8.12.8-9.90. Is this known to cause problems? Thanks again! -Don

I don't know. Perhaps you would like to try compiling sendmail, libmilter and clamav from source?
[Clamav-users] [PATCH] clamav-milter --max-child-wait
So this morning clamd hung up. But then to add insult to injury max-children of clamav-milter piled up behind it like a car wreck. This patch adds the argument --max-child-wait=, which works like this. * -1 wait 60 seconds for max_children and continue.(Old behavior) * 0 or no value, no waiting, exit if max_children.(New default) * 0 means wait that long, then exit if neccessary.(Mix) Justification: If there are too many milters, hanging around doing nothing for 60 seconds wont make it any better. Besides, sendmail milter could be configured to time out before that. Also, you would expect that saying --max-children actualy limited it to --max-children. Joe diff -ur clamav-devel-jm1/clamav-milter/clamav-milter.c clamav-devel-jm2/clamav-milter/clamav-milter.c --- clamav-devel-jm1/clamav-milter/clamav-milter.c Tue Apr 27 13:48:27 2004 +++ clamav-devel-jm2/clamav-milter/clamav-milter.c Tue Apr 27 13:53:20 2004 @@ -603,7 +603,7 @@ */ static charconst rcsid[] = $Id: clamav-milter.c,v 1.83 2004/04/25 12:56:35 nigelhorne Exp $; -#defineCM_VERSION 0.70s +#defineCM_VERSION 0.70s-jm /*#define CONFDIR /usr/local/etc*/ @@ -820,6 +820,12 @@ static pthread_cond_t n_children_cond = PTHREAD_COND_INITIALIZER; static unsignedint n_children = 0; static unsignedint max_children = 0; +/* + * -1 wait 60 seconds for max_children and continue. + * 0 no waiting, exit if max_children. + * 0 means wait that long, then exit if neccessary. + */ +static int max_child_wait = 0; short use_syslog = 0; static const char*pidFile; static int logVerbose = 0; 
@@ -860,6 +866,13 @@ puts(\t--headers\t\t-H\tInclude original message headers in the report.); puts(\t--local\t\t\t-l\tScan messages sent from machines on our LAN.); puts(\t--outgoing\t\t-o\tScan outgoing messages from this machine.); + puts(\t--max-children\t\t-m\tMaximum amount of children to run.); + puts(\t--max-child-wait=secs\t-w\tAfter maximum amount of children,); + puts(\t\t\t\t\thow long do we wait for less children and do we exit?); + puts(\t\t\t\t\t0 or unspecified means no wait and exit.); + puts(\t\t\t\t\tNegative value means wait 60 seconds and continue.); + puts(\t\t\t\t\tPositive value means wait value seconds ); + puts(\t\t\t\t\tand exit if still max-children.); puts(\t--noreject\t\t-N\tDon't reject viruses, silently throw them away.); puts(\t--noxheader\t\t-n\tSuppress X-Virus-Scanned/X-Virus-Status headers.); puts(\t--pidfile=FILE\t\t-i FILE\tLocation of pidfile.); @@ -920,9 +933,9 @@ for(;;) { int opt_index = 0; #ifdef CL_DEBUG - const char *args = bc:CDfF:lm:nNop:PqQ:dhHs:St:U:Vx:; + const char *args = bc:CDfF:lm:nNop:PqQ:dhHs:St:U:Vw::x:; #else - const char *args = bc:CDfF:lm:nNop:PqQ:dhHs:St:U:V; + const char *args = bc:CDfF:lm:nNop:PqQ:dhHs:St:U:Vw::; #endif static struct option long_options[] = { @@ -987,6 +1000,9 @@ max-children, 1, NULL, 'm' }, { + max-child-wait, 2, NULL, 'w' + }, + { server, 1, NULL, 's' }, { @@ -1098,6 +1114,12 @@ case 'V': puts(clamav_version); return EX_OK; + case 'w': + if(optarg) + max_child_wait = atoi(optarg); + else + max_child_wait = 0; + break; #ifdef CL_DEBUG case 'x': debug_level = atoi(optarg); 
@@ -1816,6 +1838,22 @@ struct timeval now; struct timespec timeout; struct timezone tz; + + /* +* If --max-child-wait=0, then we dont bs around with +* waiting for children to exit. +*/ + + if(max_child_wait == 0) { + pthread_mutex_unlock(n_children_mutex); + if(use_syslog) + syslog(LOG_NOTICE, + %s: hit max-children limit (%u = %u): exiting., + smfi_getsymval(ctx,i), n_children, max_children); + clamfi_cleanup(ctx); + return cl_error; + } + /*
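Review bot: the comment block added above `static int max_child_wait = 0;` (hunk @@ -820) does not match the option parsing. It says `-1` selects the old behaviour, but `case 'w'` stores whatever value is given and the help text says any negative value does, so write `<0`; and its third line reads the same as its second (`0 ... wait that long`), the `>` apparently having been lost, so it should read `>0 means wait that long, then exit if necessary` to agree with the help text and with the `max_child_wait == 0` test later in the patch.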
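Review bot: `w::` in the getopt string (hunk @@ -920) makes the short option's argument optional, and getopt only recognises an optional argument when it is glued to the option (`-w30`); `-w 30` leaves max_child_wait at 0 and `30` as a stray operand, silently selecting the exit-on-limit policy. The same applies to `--max-child-wait 30` versus `--max-child-wait=30` with the `2` (optional_argument) entry in long_options. Either make the argument required (`w:` here, `1` in the long_options entry) or spell out in the help text that the value must be attached or given with `=`.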
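Review bot: `max_child_wait = atoi(optarg)` in `case 'w'` (hunk @@ -1098) turns a mistyped value such as `--max-child-wait=6O` into 0 without complaint, which is the most aggressive policy. Parse with `strtol()` and check the end pointer, and treat a non-numeric value as a usage error instead of defaulting to exit-on-limit.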
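Review bot: in the `max_child_wait == 0` branch (hunk @@ -1816) `n_children` is read for the syslog call after the n_children mutex has been unlocked, so the logged count can differ from the one that triggered the branch; copy it to a local (or log) before unlocking. The `(%u = %u)` format string appears to have lost its operator in this copy and should read `>=` to match the condition. The hunk ends at `/*`, so the `>0` and `<0` behaviours promised by the help text are not visible and cannot be reviewed from this patch. The log quoted earlier in the thread shows `hit max-children limit (11253 = 25)`, i.e. the counter is far above the cap and is not being decremented; exiting at the limit hides that leak rather than fixing it, so the decrement path deserves a look in the same change. Lastly, the `dont bs around` comment should be reworded before this goes in.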
Re: [Clamav-users] Problem with clamscan .vs. clamdscan
Jim Maul wrote: Exactly. I never said clamscan should use clamav.conf. I simply stated that since clamd/clamdscan (and optionally freshclam as well) are the only programs to use clamav.conf, clamav-milter references it as well.
Re: [Clamav-users] Can't get clamav-milter going
George Bell wrote:
I had clamav antivirus working fine for a couple of months. Now after a reboot I can't get it started, to save my neck. After starting the clamd daemon, which creates /var/run/clamav/clamd.sock, and starting clamav-milter, clamav-milter exits with the following error message: ClamAv: Unable to bind to port local:/var/run/clamav/clamd.sock: Address already in use.

The socket you pass to the clamav-milter process as an argument is used for communicating with sendmail. Depending on your clamd /etc/clamav.conf configuration, clamav-milter will connect to clamd using ANOTHER socket. If you specified the milter to use the same socket as clamd, the above is what will happen. Try stopping clamd, stopping clamav-milter. Check the socket paths in /etc/sysconfig/clamav-milter and the arguments passed to clamav-milter (possibly in the init.d script). It should be the same as what you have in your sendmail.mc/sendmail.cf file. Check the socket path that clamd uses (clamav.conf). It should be DIFFERENT from the above. If files exist there, remove them (use your judgement here). --- This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg=12297 ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Can't get clamav-milter going
George Bell wrote:
Xclmilter, S=local:/var/run/clmilter.sock, F=, T=S:4m;R:4m

I hope you are using the sendmail.mc method of sendmail configuration instead of hand hacking the sendmail.cf, but that's not actually relevant...

With sendmail stopped, I start clamd (which creates /var/run/clamav/clamd.sock as before), then clamav-milter, this time as clamav-milter -options local:/var/run/clmilter.sock. Now I get the error: ClamAv: Unable to bind to port local:/var/run/clmilter.sock: Permission Denied ClamAv: Unable to create listening socket on conn local:/var/run/clmilter.sock

The clamav-milter program will try to run as the clamav user under a typical install. Odds are that ls -la /var/run /var/run/clmilter.sock will show you a permissions conundrum. My recommendation? Switch the sendmail/clamav-milter sock to point to /var/run/clamav/clamav-milter.sock

I'm entering all these commands as root. If sendmail is already running it issues a warning that /var/run/clmilter.sock is missing. If I then try again to start clmilter the above error repeats. So ??? Thanks, George

Joe Maimon wrote:
George Bell wrote:
I had clamav antivirus working fine for a couple of months. Now after a reboot I can't get it started, to save my neck. After starting the clamd daemon, which creates /var/run/clamav/clamd.sock, and starting clamav-milter, clamav-milter exits with the following error message: ClamAv: Unable to bind to port local:/var/run/clamav/clamd.sock: Address already in use.
The socket you pass to the clamav-milter process as an argument is used for communicating with sendmail. Depending on your clamd /etc/clamav.conf configuration, clamav-milter will connect to clamd using ANOTHER socket. If you specified the milter to use the same socket as clamd, the above is what will happen. Try stopping clamd, stopping clamav-milter. Check the socket paths in /etc/sysconfig/clamav-milter and the arguments passed to clamav-milter (possibly in the init.d script). It should be the same as what you have in your sendmail.mc/sendmail.cf file. Check the socket path that clamd uses (clamav.conf). It should be DIFFERENT from the above. If files exist there, remove them (use your judgement here).
Re: [Clamav-users] Re: clam-av/milter, segmentation fault
Andrzej Migdalski wrote:
Don Levey wrote:
The lines in sendmail.mc are: INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.sock, F=,
^^ change it to `clmilter'

I think what you are trying to say is that this part of the config line, local:/var/run/clamav/clamav-milter.sock, must match the socket that the clamav-milter process works on. A.
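The socket mix-ups in the two threads above come down to three settings that have to agree: the S= socket in sendmail's filter definition, the socket argument given to clamav-milter, and clamd's own LocalSocket, which must be a different path. The script below is an added example, not clamav-milter's or sendmail's own code: it pulls those three values out of constructed sample inputs and reports when sendmail and the milter disagree, when the milter would collide with clamd's socket (the "Address already in use" case), and when the filter's F= flags are empty, which makes sendmail accept the message unscanned if the milter cannot be reached (F=T tempfails instead). The sample sendmail.mc, clamav-milter command line and clamav.conf strings, and the file locations in the comments, are assumptions.

```python
"""Cross-check sendmail's milter definition, clamav-milter's socket and clamd's socket.

Added example (not ClamAV's or sendmail's code). The three inputs below are
constructed; on a real host they come from /etc/mail/sendmail.mc, the
clamav-milter init script / sysconfig file, and /etc/clamav.conf (assumed paths).
"""
import re
import shlex

SENDMAIL_MC = """
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clamav-milter.sock, F=, T=S:4m;R:4m')dnl
define(`confMAX_DAEMON_CHILDREN', `100')dnl
"""
MILTER_ARGS = "clamav-milter -olq --max-children=25 local:/var/run/clamav/clamav-milter.sock"
CLAMD_CONF = """
LocalSocket /var/run/clamav/clamd.sock
StreamMaxLength 10M
"""


def sendmail_filter(mc_text):
    """Return (name, S= socket, F= flags) from the first INPUT_MAIL_FILTER line."""
    m = re.search(r"INPUT_MAIL_FILTER\(`([^']*)',\s*`([^']*)'\)", mc_text)
    if not m:
        raise ValueError("no INPUT_MAIL_FILTER line found")
    name, spec = m.group(1), m.group(2)
    fields = dict(part.strip().split("=", 1) for part in spec.split(","))
    return name, fields.get("S", ""), fields.get("F", "")


def milter_listen_socket(argv_line):
    """The last non-option argument of clamav-milter is the socket it offers to sendmail."""
    positional = [a for a in shlex.split(argv_line)[1:] if not a.startswith("-")]
    if not positional:
        raise ValueError("clamav-milter was not given a socket argument")
    return positional[-1]


def clamd_local_socket(conf_text):
    """LocalSocket from clamav.conf, in the same local:/path form sendmail uses."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("LocalSocket"):
            return "local:" + line.split(None, 1)[1]
    return None


def check(mc_text, argv_line, conf_text):
    """Return a list of problems; an empty list means the three settings agree."""
    problems = []
    name, mta_sock, flags = sendmail_filter(mc_text)
    milter_sock = milter_listen_socket(argv_line)
    clamd_sock = clamd_local_socket(conf_text)
    if mta_sock != milter_sock:
        problems.append(f"sendmail talks to {mta_sock} but clamav-milter listens on {milter_sock}")
    if clamd_sock is not None and milter_sock == clamd_sock:
        problems.append(f"clamav-milter and clamd share {clamd_sock}; whichever starts second "
                        "gets 'Address already in use'")
    if "T" not in flags and "R" not in flags:
        # sendmail's milter flags: F=T tempfail, F=R reject; nothing set means the
        # message is accepted as if the filter were absent when the milter fails
        problems.append(f"filter {name} has F={flags!r}: sendmail accepts the message unscanned "
                        "when the milter is unreachable (fail-open); use F=T to tempfail instead")
    return problems


if __name__ == "__main__":
    for p in check(SENDMAIL_MC, MILTER_ARGS, CLAMD_CONF) or ["configuration agrees"]:
        print(p)
```

The F= check is the one worth keeping in a deployment checklist: both filter lines quoted in these threads use `F=`, so if clamav-milter dies or hits the timeouts discussed elsewhere on this page, sendmail delivers the mail without a scan.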
[Clamav-users] Re: [Clamav-devel] Patches For Your Amusement
I have setup a small page for all my (updated) clamav patches for purposes of convenience. http://www.jmaimon.com/clamav (still running ok) I will stop harassing you all now about this. Joe Maimon wrote: These patches --- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Delete infected email
Marco Draghi wrote:
Hi, I've been using Clamav on a Cyrus imap mail server. Clamscan works great on mbox, but I'd like to delete infected mail automatically after clamscan. How can I set it? Thanks, Marco.

As answered previously on this list: make sure you only scan one piece of email each time you call clamscan, then by using the return code delete it/quarantine it/flag it/whatever. If they are in an mbox spool file, tools such as formail can help you with that. You will probably see a large performance improvement in the above by using clamd with the ScanMail directive uncommented in /etc/clamav.conf or wherever yours is. I have found that you can usually do something like this: cat $email_msg | clamdscan -
Re: [Clamav-users] Write failure
This is an ongoing issue. Please read the list archives.

Julio Galicia wrote: Hi, list:
Re: [Clamav-users] clamav.conf
Daniel J McDonald wrote: On Fri, 2004-04-09 at 06:28, Mike van Vugt wrote: Hello, Keep getting the message below over and over again. Have you edited /etc/clamav/clamav.conf? Lots of important things there you need to set up. I am new to Linux and having a hard time to get this working. I want to uninstall Clamav and start over again. Can anyone tell me how to uninstall??? How did you install it the first time? If you used an RPM - just # rpm -e clamav If you installed from source, then you'll have to hunt down the pieces and pull them out. I would imagine, since this is an automake'd package, you could do make uninstall
Re: [Clamav-users] clmilter errors - i'm lost, help?
unruhtech wrote:
I just got clamav 0.70-rc up and running on rh 7.3. This is from my /var/log/maillog:
Apr 9 11:11:48 shell mta-daemon[5840]: i39GBmxu005840: Milter (clmilter): local socket name /var/run/clmilter.sock unsafe
Apr 9 11:11:48 shell mta-daemon[5840]: i39GBmxu005840: Milter (clmilter): to error state
What does it mean and how do I fix it? Thanks much, Steve

Couple of causes. Sendmail can't find/use the socket you specified in your sendmail.{cf,mc}, either because
a) the socket isn't where it's supposed to be
b) clamav-milter is actually using a different socket (check its startup arguments)
c) the socket has the wrong uid/mode
d) clamav-milter is not running
[Clamav-users] Clamav-0.70-rc missed email messages
Hello all,

I have been running a clamav-milter setup for a while. Previously I had been running an amavisd+uvscan setup. I set up clamav-milter to run before amavisd and configured amavisd to quarantine instead of discard. I have also created a little script which rm's anything from the amavis quarantine that clamscan --mbox detects. This should eliminate cases such as when a write error or other error condition allows the email to pass clamav-milter and proceed to amavis-milter. What's left can be broken down into the following generic categories. Advice on how to proceed on these is greatly appreciated. Anyone with interest in the messages will be sent a copy.

- Emails that do not appear to start with headers that would enable the magic detection in libclamav to see it as an email message. Apparently clamav-milter sends a made up Received header (Received: is a magic phrase...) to clamd, so this should never happen while using clamav-milter, unless this is coincidentally also an email that passed clamav-milter due to error conditions. Perhaps a flag to FORCE mbox processing of input? A clamd protocol extension?
- Emails that do not contain proper MIME and content type headers in the beginning headers of the message. As I am not well versed in the appropriate standards I cannot say who is right here, but amavisd, which uses MIME::Parser, and also mpack-1.6 unpack the attachments with ease. clamscan does flag those unpacked attachments as viruses. Within this category they vary. Usually it is a mail bounce containing a copy of the message. The messages are sometimes delimited with a Unix mbox style From, but more often just contain a new set of headers and body. The new set of headers has proper MIME headers.
- Truncated MIME attachments that uvscan catches after munpack and that clamscan does not. Presumably these are defanged and useless viruses.
- NAI uvscan Exploit-URLSpoof.gen, which I just submitted. sigtool said the signature was too short.

I have more but.
Joe
Re: [Clamav-users] Cleaning MBOX files?
Antony Stone wrote:
> On Thursday 08 April 2004 8:45 pm, Jack London Networks wrote:
>> Okay, I like the --mbox support of clamscan. Problem is - now that I know there are infected messages in people's inboxes/other folders, I have very little information to go on to find and clean those messages. For example, I know a few people have copies of Bagle, SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I know _which_ message is infected?
>
> I guess you could put something together using fetchmail to copy the mailbox to a scanning account, fetch the mails from there and pass them through ClamAV, and deliver only the clean ones back to the real mailbox; alternatively there may be something in http://mboxgrep.sourceforge.net which would help out - perhaps use ClamAV to find the names of the attachment files containing the viruses, then use mboxgrep to find the mails containing those attachment names?
>
> Just my few random thoughts, Happy Easter.
>
> Regards,
>
> Antony.

formail (man or google it)

(I actually wrote a similar tool for my own use called spool-remail, I leave it up to your imagination what it does)
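Antony's second idea (let ClamAV name the infected attachment, then find the messages in the mbox that carry that name) is the step formail or mboxgrep would do for you. As an added example, not code from this thread or from ClamAV, here is a stand-alone mbox walker in C: it splits on the "From " separator lines, is not fooled by the ">From " escaped form inside bodies, and reports the 1-based numbers of the messages whose MIME headers carry a given attachment name. The sample mbox and the name photo.scr are constructed for the example (no real malware involved), and count_mbox_messages and find_messages_with_attachment are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed three-message mbox (not real mail); message 2 carries an
 * attachment named photo.scr and message 3 has a ">From " escaped body line. */
static const char SAMPLE_MBOX[] =
    "From alice@example.invalid Mon Apr  5 10:00:00 2004\n"
    "From: alice@example.invalid\n"
    "Subject: hello\n"
    "\n"
    "just text\n"
    "\n"
    "From bob@example.invalid Mon Apr  5 10:05:00 2004\n"
    "From: bob@example.invalid\n"
    "Subject: pics\n"
    "Content-Type: multipart/mixed; boundary=\"xx\"\n"
    "\n"
    "--xx\n"
    "Content-Type: application/octet-stream; name=\"photo.scr\"\n"
    "Content-Disposition: attachment; filename=\"photo.scr\"\n"
    "\n"
    "TVqQAAMAAAAEAAAA\n"
    "--xx--\n"
    "\n"
    "From carol@example.invalid Mon Apr  5 10:10:00 2004\n"
    "From: carol@example.invalid\n"
    "Subject: re: hello\n"
    "\n"
    ">From a quoted body line that must not start a new message\n"
    "\n";

/* A message starts at a line beginning with "From " (the mbox separator).
 * Body lines that would look like one are stored as ">From ", so they do
 * not match here. Note that "From:" (the header) has a colon, not a space. */
static int is_separator(const char *line)
{
    return strncmp(line, "From ", 5) == 0;
}

/* Number of messages in the mbox. */
int count_mbox_messages(const char *mbox)
{
    int n = 0;
    const char *line = mbox;
    while (*line) {
        const char *nl = strchr(line, '\n');
        if (is_separator(line))
            n++;
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Fill hits[] with the 1-based numbers of messages that have a name="..."
 * or filename="..." parameter containing `filename`. Returns how many were
 * found (even if more than maxhits); each message is reported at most once. */
int find_messages_with_attachment(const char *mbox, const char *filename,
                                  int *hits, int maxhits)
{
    int msgno = 0, nhits = 0, already = 0;
    const char *line = mbox;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];

        if (is_separator(line)) {
            msgno++;
            already = 0;
        } else if (msgno > 0 && !already) {
            size_t n = len < sizeof(buf) - 1 ? len : sizeof(buf) - 1;
            const char *p;
            memcpy(buf, line, n);
            buf[n] = '\0';
            p = strstr(buf, "name=");          /* matches name= and filename= */
            if (p && strstr(p, filename)) {
                if (nhits < maxhits)
                    hits[nhits] = msgno;
                nhits++;
                already = 1;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return nhits;
}

int main(void)
{
    int hits[16], i;
    int n = find_messages_with_attachment(SAMPLE_MBOX, "photo.scr", hits, 16);
    printf("%d messages, %d carry photo.scr:", count_mbox_messages(SAMPLE_MBOX), n);
    for (i = 0; i < n && i < 16; i++)
        printf(" #%d", hits[i]);
    printf("\n");
    return 0;
}
```

The message numbers it prints line up with a "From "-separated split of the same file, which is the kind of separator rule tools like formail rely on; a mail store that does not escape body lines beginning with "From " (the mboxo variant) can split one message in two, so check the count against what your delivery agent wrote before trusting the numbering. Matching is a plain substring test on the name= parameter, which is what you want when the name comes straight from a scanner report; encoded (RFC 2231) parameter names are not decoded here.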
Re: [Clamav-users] Deferred=451 4.7.1 Please try again later - HELP
Tomasz Kojm wrote:
> On Tue, 30 Mar 2004 18:37:53 -0500 Joe Maimon [EMAIL PROTECTED] wrote:
>> Anyone care to try these? fresh from the oven. barely tested.
>>
>> + btread = ( (maxsize ( size + btread maxsize)) ? (maxsize - size) : btread);
>
> The patch is incorrect.

Works for me. The call to read will never read more than StreamMaxLength and instead of returning with an error, we will scan whatever we have up to that point. (if StreamMaxLength is greater than sizeof(buff))

Perhaps it should be written like this:

    if(maxsize && (size + btread > maxsize)) {
        /* next loop iteration might read too much data */
        /* only read in at most up to maxsize */
        btread = (maxsize - size);
    }

What am I missing?
Re: [Clamav-users] Deferred=451 4.7.1 Please try again later - HELP
With respect for your considerably greater experience and skill set than mine.

Tomasz Kojm wrote:
> On Tue, 30 Mar 2004 16:03:07 -0500 Joe Maimon [EMAIL PROTECTED] wrote:
>> by. 2) clamd does not scan anything if the stream is larger than StreamMaxLength - sizeof(buff).
>
> That's not true.

from clamd/scanner.c, function scanstream:

    char buff[32768];
    ...
    ...
    ...
    ...
    if(maxsize && (size + sizeof(buff)) > maxsize) {
        ...
        ...
        ...
        return -1;

>> In my book that's a bug. It should read up to the max.
>
> It does.

It does not. Any stream that is larger than (maxsize - sizeof(buff)) does not get scanned. Which means that StreamMaxLength is effectively the user's value minus an internal number.

Old syslog entries:

    ScanStream: Size exceeded (stopped at 10453272, max: 10485760)

While patching, debug syslog entries:

    Mar 30 17:59:30 nameserver2 clamd[13267]: ScanStream: btread 32768
    Mar 30 17:59:30 nameserver2 clamd[13267]: ScanStream: btread now 32341
    Mar 30 17:59:30 nameserver2 clamd[13267]: ScanStream: btread 32341
    Mar 30 17:59:30 nameserver2 clamd[13267]: ScanStream: btread now 0
    Mar 30 17:59:30 nameserver2 clamd[13267]: ScanStream: Size exceeded (stopped at 10485760, max: 10485760)

With patch, syslog:

    ScanStream: Size limit reached (max: 10485760

What did I miss?
Re: [Clamav-users] Deferred=451 4.7.1 Please try again later - HELP
Jaap Scholten wrote:
> Joe Maimon wrote:
>> Joe Maimon wrote:
>>> I have been having the same as well. I added some more verbosity into the syslog statement and got this logged
>>>
>>>     write failure to clamd, nbytes: -1, quarantine_dir: (null), error: Bad file descriptor
>>>
>>> Any ideas?
>>
>> OK I think I know what the problem is. Large attachments. This got logged in my clamav syslog - I probably turned on debugging or something
>>
>>     ScanStream: Size exceeded (stopped at 10453272, max: 10485760
>>
>> I also grabbed one of the continually tempfailed emails. 11M attachment.
>>
>> snip
>>
>> Just found StreamMaxLength 10M config option
>
> I have been getting this since upgrading to 0.70. It is driving me insane (and my clients too). I have checked streamlength, and all is as before (0.67). I get this only from some clients who smarthost off me. Using sendmail.
>
> From the maillog:
>
>     dsn=4.0.0, stat=Deferred: 451 4.7.1 Please try again later
>
> Any ideas, anyone?
>
> (The latest tarball had issues during the make, so I could not get it installed)

In my case this is directly due to large emails. Also that above message means that clamd is no longer listening to clamav-milter. In your case it might be a thread timeout, which is a macro defined in defaults.h.

Short answer: run clamav-milter with the -d option, which will effectively not scan email larger than 10 megabytes, instead accepting it. It will also not scan any email and just accept it for many other error conditions, which can include all cases listed by

    grep cl_error clamav-milter/*
    man clamav-milter

If you have sendmail, you may find (as I did) the common denominator staring at you in the face in the maillog. Check the size= and delay= sendmail log equates. Or if you find it reproducible, set up the alias to distribute the incoming email for the recipient into a file and disable clamav-milter or use -d and then examine the message at your leisure. Or packet capture it.

Long answer, stuff that I found:

1) clamav-milter does not respect the options in clamav.conf for StreamMaxLength. clamd is the program which does. It respects it by.

2) clamd does not scan anything if the stream is larger than StreamMaxLength - sizeof(buff). In my book that's a bug. It should read up to the max.

It might be wiser to
a) make clamav-milter respect StreamMaxLength and also make clamd actually go up to StreamMaxLength
b) scan whatever we got prior to exceeding StreamMaxLength, which is probably easier to do once you do (a) than current behavior.

I have been playing with making a patch to do this.

Disclaimer: I am a clamav newbie, someone else probably has a much better handle on this.

Joe
Re: [Clamav-users] Deferred=451 4.7.1 Please try again later - HELP
Joe Maimon wrote: snip From the maillog: dsn=4.0.0, stat=Deferred: 451 4.7.1 Please try again later Any ideas, anyone? (The latest tarball had issues during the make, so I could not get it installed) In my case this is directly due to large emails. Also that above message means that clamd is no longer listening to clamav-milter. snip Long answer, stuff that I found 1) clamav-milter does not respect the options in clamav.conf for StreamMaxLength. clamd is the program which does. It respects it by. 2) clamd does not scan anything if the stream is larger than StreamMaxLength - sizeof(buff). In my book thats a bug. It should read up to the max. It might be wiser to a) make clamav-milter respect MaxStreamLength and also make clamd actualy go up to StreamMaxLength b) scan whatever we got prior to exceeding StreamMaxLength, which is probaly easier to do once you do (a) than current behavior. I have been playing with making a patch to do this. Disclaimer: I am a clamav newbie, someone else probaly has a much better handle on this. Joe Anyone care to try these? fresh from the oven. barely tested. Joe --- clamav-0.70-rc/clamav-milter/clamav-milter.cMon Mar 15 15:03:13 2004 +++ clamav-0.70-rc-jm/clamav-milter/clamav-milter.c Tue Mar 30 18:29:39 2004 @@ -566,6 +566,7 @@ char*filename; /* Where to store the message in quarantine */ u_char *body; /* body of the message if Sflag is set */ size_t bodyLen;/* number of bytes in body */ + size_t nWritten; /* number of bytes we have written */ header_list_t headers; /* Message headers */ }; 
@@ -1914,17 +1915,14 @@ clamfi_body(SMFICTX *ctx, u_char *bodyp, size_t len) { struct privdata *privdata = (struct privdata *)smfi_getpriv(ctx); + struct cfgstruct *cpt = NULL; + size_t sendlen = 0; if(logVerbose) syslog(LOG_DEBUG, clamfi_envbody: %u bytes, len); #ifdef CL_DEBUG printf(clamfi_envbody: %u bytes\n, len); #endif - - if(clamfi_send(privdata, len, (char *)bodyp) 0) { - clamfi_cleanup(ctx); - return cl_error; - } if(Sflag) { if(privdata-body) { assert(privdata-bodyLen 0); @@ -1938,6 +1936,41 @@ privdata-bodyLen = len; } } + + if((!quarantine_dir) +(cpt = cfgopt(copt, StreamMaxLength)) +cpt-numarg (len + privdata-nWritten) + ){ + sendlen = (cpt-numarg - privdata-nWritten); + if(use_syslog privdata-nWritten != cpt-numarg){ + char buf[1024]; + strncpy(buf,privdata-from,sizeof(buf)); + syslog(LOG_INFO,Stream from %s size exceeded max of %u , already wrote %u, will write %u more instead of len %u, + buf, + cpt-numarg, + privdata-nWritten, + sendlen, + len); + } + } + else { + sendlen = len; + } + + if(!sendlen) + return SMFIS_CONTINUE; + + + if(sendlen (clamfi_send(privdata, sendlen, (char *)bodyp) 0)) { + clamfi_cleanup(ctx); + return cl_error; + }else + { + if(sendlen) + privdata-nWritten += sendlen; + } + + return SMFIS_CONTINUE; } @@ -2389,6 +2422,7 @@ printf(clamfi_send: len=%u bufsiz=%u\n, len, sizeof(output)); #endif + errno = 0; while(len 0) { const int nbytes = (quarantine_dir) ? write(privdata-dataSocket, ptr, len) : @@ -2400,7 +2434,8 @@ perror(send); checkClamd(); if(use_syslog) - syslog(LOG_ERR, write failure to clamd); + syslog(LOG_ERR, write failure to clamd, nbytes: %d, quarantine_dir: %s, error: %s, + nbytes, quarantine_dir, strerror(errno) ); return -1; } --- clamav-0.70-rc/clamd/scanner.c Mon Mar 15 15:03:12 2004 +++ clamav-0.70-rc-jm/clamd/scanner.c Tue Mar 30 18:28:29 2004 
@@ -186,7 +186,7 @@ int scanstream(int odesc, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, const struct cfgstruct *copt) { - int ret, portscan = CL_DEFAULT_MAXPORTSCAN, sockfd, port, acceptd, tmpd, bread, retval; + int ret, portscan = CL_DEFAULT_MAXPORTSCAN, sockfd, port, acceptd, tmpd, bread, btread, retval; long int size = 0, maxsize = 0; short bound = 0; const char
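Review bot: the new size_t nWritten field added to struct privdata in the first hunk is read and incremented in clamfi_body but never initialized anywhere in this patch; unless privdata is allocated with calloc or reset per message (neither is visible in the diff), the counter starts with whatever the allocator left there and the StreamMaxLength comparison misfires. Suggest setting privdata->nWritten = 0 at the point where privdata is created for each message, and resetting it wherever the rest of the struct is reused.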
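Review bot: in the clamfi_body hunk, strncpy(buf, privdata->from, sizeof(buf)) leaves buf without a terminating NUL when the sender address is 1024 bytes or longer, and the syslog %s that follows then reads past the end of buf; use snprintf(buf, sizeof(buf), "%s", privdata->from) or force buf[sizeof(buf) - 1] = '\0'. The larger point in the same hunk: once nWritten reaches StreamMaxLength the function drops the rest of the body and returns SMFIS_CONTINUE, so clamd scans a truncated message and the whole message is delivered as if it had been scanned clean, with only a LOG_INFO line recording the truncation; this is the same "accept unscanned" policy as the -d option and should be documented as such, or the message should be marked (for example with an added header) so that downstream filters can tell a fully scanned message from a truncated one. Minor: after the early "if(!sendlen) return SMFIS_CONTINUE;", the sendlen tests wrapped around clamfi_send and around the nWritten update are redundant, and cfgopt(copt, "StreamMaxLength") is looked up again on every body chunk where it could be fetched once per message.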
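Review bot: in the clamfi_send hunk, strerror(errno) is evaluated only after perror("send") and checkClamd() have run; checkClamd() makes its own system calls and can overwrite errno, so the error string logged may not be the one from the write or send that actually failed (the "Bad file descriptor" seen in the thread is plausible either way, but the log should not depend on it). Save errno into a local immediately after the call returns negative and pass that to strerror. Setting errno = 0 before the loop in the preceding hunk is harmless but unnecessary, since errno is only meaningful right after a failing call.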
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Joe Maimon wrote:
> I have been having the same as well. I added some more verbosity into the syslog statement and got this logged
>
>     write failure to clamd, nbytes: -1, quarantine_dir: (null), error: Bad file descriptor
>
> Any ideas?

OK I think I know what the problem is. Large attachments. This got logged in my clamav syslog - I probably turned on debugging or something

    ScanStream: Size exceeded (stopped at 10453272, max: 10485760

I also grabbed one of the continually tempfailed emails. 11M attachment.

See this from clamd/scanner.c. Apparently the socket gets closed. If this is right, shouldn't this be changed to just throw the bytes out instead of closing the socket? Also the scantimeout needs to jive with the mail daemon timeouts. I will see if I can work on some fix to test this.

(line 265)

    while((retval = poll_fd(acceptd, CL_DEFAULT_SCANTIMEOUT)) == 1) {
        bread = read(acceptd, buff, sizeof(buff));
        if (bread <= 0) {
            break;
        }
        size += bread;

        if(maxsize && (size + sizeof(buff)) > maxsize) {
            shutdown(sockfd, 2);
            close(sockfd);
            close(acceptd);
            mdprintf(odesc, "Size exceeded ERROR\n");
            logg("^ScanStream: Size exceeded (stopped at %d, max: %d)\n", size, maxsize);
            if(tmp)
                fclose(tmp);
            return -1;
        }

        if(write(tmpd, buff, bread) < 0) {
            shutdown(sockfd, 2);
            close(sockfd);
            close(acceptd);
            mdprintf(odesc, "Temporary file - write ERROR\n");
            logg("!ScanStream: Can't write to temporary file.\n");
            if(tmp)
                fclose(tmp);
            return -1;
        }
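The size check quoted above, and the btread clamp argued over in the replies higher up the page, can be exercised with a small stand-alone program. This is an added example written for this page, not clamd's code: old_scan_loop replays the quoted "size + sizeof(buff) > maxsize" test, and new_scan_loop is a clamped reader that asks read() only for the bytes still allowed, so exactly maxsize bytes can be scanned, and then drains whatever remains instead of shutting the socket down, as the post suggests. The buffer is shrunk to 32 bytes and the data comes from a pipe, so the effect is visible with a 100-byte limit; the names old_scan_loop, new_scan_loop and run_stream and the STREAM_* result codes are chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stands in for clamd's char buff[32768]; small so tiny streams show the effect. */
#define BUFSZ 32

enum stream_rc { STREAM_OK = 0, STREAM_SIZE_EXCEEDED = -1, STREAM_READ_ERROR = -2 };

/* Old loop, as quoted from clamd 0.70 scanner.c: the check runs after each
 * read and fails as soon as size + sizeof(buff) would pass maxsize, so any
 * stream longer than maxsize - sizeof(buff) is refused even though it fits. */
int old_scan_loop(int fd, long maxsize, long *scanned)
{
    char buff[BUFSZ];
    long size = 0;
    ssize_t bread;

    while ((bread = read(fd, buff, sizeof(buff))) > 0) {
        size += bread;
        if (maxsize && (size + (long)sizeof(buff)) > maxsize) {
            *scanned = size;
            return STREAM_SIZE_EXCEEDED;      /* clamd closes the socket here */
        }
        /* write(tmpd, buff, bread) would go here */
    }
    *scanned = size;
    return bread < 0 ? STREAM_READ_ERROR : STREAM_OK;
}

/* Clamped loop: never ask read() for more than the bytes still allowed, so
 * exactly maxsize bytes can be scanned. When the limit is hit, the rest is
 * read and discarded rather than the socket being shut down, and the caller
 * learns how much was dropped so it can decide what to tell the milter. */
int new_scan_loop(int fd, long maxsize, long *scanned, long *discarded)
{
    char buff[BUFSZ];
    long size = 0, dropped = 0;
    ssize_t bread;

    for (;;) {
        size_t btread = sizeof(buff);
        if (maxsize && size + (long)btread > maxsize)
            btread = (size_t)(maxsize - size);  /* only read up to maxsize */
        if (btread == 0) {
            /* limit reached: drain whatever is left instead of aborting */
            while ((bread = read(fd, buff, sizeof(buff))) > 0)
                dropped += bread;
            *scanned = size;
            *discarded = dropped;
            return dropped ? STREAM_SIZE_EXCEEDED : STREAM_OK;
        }
        bread = read(fd, buff, btread);
        if (bread < 0) { *scanned = size; *discarded = 0; return STREAM_READ_ERROR; }
        if (bread == 0) break;                  /* clean EOF under the limit */
        size += bread;
        /* write(tmpd, buff, bread) would go here */
    }
    *scanned = size;
    *discarded = 0;
    return STREAM_OK;
}

/* Feed `len` constructed bytes through a pipe and run one of the loops on it.
 * len is kept below the pipe capacity (4096 is safe) so the write never blocks. */
int run_stream(int use_fixed, long len, long maxsize, long *scanned, long *discarded)
{
    int fds[2], rc;
    char *data;

    if (len < 0 || len > 4096 || pipe(fds) < 0)
        return STREAM_READ_ERROR;
    data = malloc((size_t)len + 1);
    memset(data, 'A', (size_t)len);
    if (write(fds[1], data, (size_t)len) != (ssize_t)len) {
        free(data); close(fds[0]); close(fds[1]);
        return STREAM_READ_ERROR;
    }
    close(fds[1]);                              /* EOF for the reader */
    *scanned = 0;
    *discarded = 0;
    rc = use_fixed ? new_scan_loop(fds[0], maxsize, scanned, discarded)
                   : old_scan_loop(fds[0], maxsize, scanned);
    close(fds[0]);
    free(data);
    return rc;
}

int main(void)
{
    long sizes[] = {68, 69, 100, 101};
    size_t i;
    printf("maxsize=100, buff=%d\n", BUFSZ);
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        long s, d;
        int o = run_stream(0, sizes[i], 100, &s, &d);
        int n = run_stream(1, sizes[i], 100, &s, &d);
        printf("stream %ld: old=%s new=%s (new scanned %ld, dropped %ld)\n",
               sizes[i], o == STREAM_OK ? "ok" : "exceeded",
               n == STREAM_OK ? "ok" : "exceeded", s, d);
    }
    return 0;
}
```

With a 100-byte limit and a 32-byte buffer the old loop refuses a 69-byte stream (the effective limit is 100 - 32 = 68, which is the "user's value minus an internal number" complaint), while the clamped loop accepts everything up to exactly 100 bytes and reports the overflow for 101. Draining the remainder keeps the milter's write() calls from failing with a closed socket, which is the "Bad file descriptor" path seen earlier in the thread; what to do with a partially scanned message (tempfail, accept unscanned, or scan the prefix) is still a policy decision for the caller, which is why the result code and the dropped count are returned separately.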
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Joe Maimon wrote:
> Joe Maimon wrote:
>> I have been having the same as well. I added some more verbosity into the syslog statement and got this logged
>>
>>     write failure to clamd, nbytes: -1, quarantine_dir: (null), error: Bad file descriptor
>>
>> Any ideas?
>
> OK I think I know what the problem is. Large attachments. This got logged in my clamav syslog - I probably turned on debugging or something
>
>     ScanStream: Size exceeded (stopped at 10453272, max: 10485760
>
> I also grabbed one of the continually tempfailed emails. 11M attachment.

snip

Just found StreamMaxLength 10M config option
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Nigel Horne wrote:
> The evidence points to incoming connections taking a long time (minutes) to send the first line of header after establishing a connection, so clamd gives up waiting. Increasing clamd's timeout will help. I have seen 4-5 minutes between an SMTP connection being established and the conversation finally getting around to doing a DATA statement.
>
> -Nigel

Can't be it.

    # Thread (scanner - single task) will be stopped after this time (seconds).
    # Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
    # timeout instead of disabling it.
    ThreadTimeout 600

Still happening. Besides, sendmail is only reporting around a (max) 2:00 delay for the rejected 451 emails.

Joe
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Trog wrote:
> On Fri, 2004-03-26 at 15:44, Nigel Horne wrote:
>> The evidence points to incoming connections taking a long time (minutes) to send the first line of header after establishing a connection, so clamd gives up waiting. Increasing clamd's timeout will help. I have seen 4-5 minutes between an SMTP connection being established and the conversation finally getting around to doing a DATA statement.
>
> The only reason I can think of for something like this is that maybe sendmail is tar-pitting the connection and deliberately adding a delay. Does sendmail have tar-pitting these days?

Not my sendmail. There are milters that do it and sendmail 8.13.0 looks like it will have some kind of tarpitting.

> Do you have a tcpdump of such a conversation?

Nope. That might be doable.

> -trog
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Trog wrote:
> On Fri, 2004-03-26 at 17:03, Joe Maimon wrote:
>>     # Thread (scanner - single task) will be stopped after this time (seconds).
>>     # Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
>>     # timeout instead of disabling it.
>>     ThreadTimeout 600
>>
>> Still happening. Besides, sendmail is only reporting around a (max) 2:00 delay for the rejected 451 emails.
>
> What version of clamav are you using? ThreadTimeout is not used on anything past 0.68, or CVS for the last couple of months. The default timeout for receiving data on a socket is 1 minute.
>
> -trog

Color me clueless but I just downloaded and installed clamav. (Past week)

Only timeout related thing I have in clamav.conf or man clamav.conf is ThreadTimeout. Guess it's to the source.

Nope, no timeout named options in clamd/config.c other than LogTime and ThreadTimeout.

How about this? (I added a zero)

    grep CL_DEFAULT_SCANTIMEOU *
    defaults.h:#define CL_DEFAULT_SCANTIMEOUT 600

Suggestions?
[Clamav-users] new clamav user - comparison to amavisd with uvscan
Hello All,

I am new here, I hope this hasn't been hashed to death already.

I recently installed clamav into a production email system, using clamav-milter. This system had been operating with amavisd and uvscan (NAI's command line scanner) for years. Now email is scanned twice, first by clamav-milter and then by amavis-milter.

After I noticed in my maillog that some viruses were still being caught by amavis, I turned on quarantining. I have collected a number of these emails already. I have figured out how to manually extract the MIME attachment and scan it manually with uvscan. The one I worked on scanned positive as Netsky. clamscan did not catch it. (clamscan --mbox presumably does not need any extracting)

I do not know that this is not some damaged virus. (not about to test it on my windows machines)

Is there any value in automating the MIME extracting of the quarantined email to find out why clam misses those? Does anyone want these email messages for dissection? Any recommendations on my next step? I would prefer to not have to pay the performance penalty of a scanner twice.

Joe
Re: [Clamav-users] new clamav user - comparison to amavisd with uvscan
Never-Mind. Standard database path screwup.
Re: [Clamav-users] reject=451 4.7.1 Please try again later
I have been having the same as well. I added some more verbosity into the syslog statement and got this logged

    write failure to clamd, nbytes: -1, quarantine_dir: (null), error: Bad file descriptor

Any ideas?