Re: [Clamav-users] Cleaning MBOX files?
On Tuesday 20 Apr 2004 3:04 pm, jef moskot wrote:
> > ...remember that enabling debug now also leaves the temporary files
> > around to aid (of course!) debugging.
> Where does it leave these files?

In clamscan's temporary directory.

> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

--
Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Cleaning MBOX files?
Oops. Didn't mean to spam the world with this, but since I've already done it...

> ...remember that enabling debug now also leaves the temporary files
> around to aid (of course!) debugging.

Where does it leave these files?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
> > Is keeping a message counter feasible, given the design of the code?
> It's perfectly feasible and I've just done it when you enable debug to help
> you (look in the CVS code I've just committed - mbox.c version 1.66). However
> please don't enable debug all the time, and remember that enabling debug
> now also leaves the temporary files around to aid (of course!) debugging.
>
> Look for the "Deal with email number %d" messages.

This is better than before, but the --debug option still generates an
enormous amount of noise. Would it be possible to have a specific option
that only explains which mailbox message the infected file is in? Trying to
figure out which message is infected is certainly the next step once you've
found an infected file, so I think this option would have a very broad
appeal.

Something like "clamscan -mbox -iN " would be great. Is this
possible/reasonable?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
On Wed, 14 Apr 2004, Nigel Horne wrote:
> On Wednesday 14 Apr 2004 12:58 am, jef moskot wrote:
> > Is keeping a message counter feasible, given the design of the code?
> It's perfectly feasible and I've just done it when you enable debug to help
> you (look in the CVS code I've just committed - mbox.c version 1.66).

This is great news! Thanks very much!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
On Wednesday 14 Apr 2004 12:58 am, jef moskot wrote:
> Is keeping a message counter feasible, given the design of the code?

It's perfectly feasible and I've just done it when you enable debug to help
you (look in the CVS code I've just committed - mbox.c version 1.66). However
please don't enable debug all the time, and remember that enabling debug
now also leaves the temporary files around to aid (of course!) debugging.

Look for the "Deal with email number %d" messages.

> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Cleaning MBOX files?
On Fri, 9 Apr 2004, Tomasz Kojm wrote:
> jef moskot <[EMAIL PROTECTED]> wrote:
> > Is there no way to get Clam to report which message the infected file
> > (or at least the FIRST infected file) is in?
> You may try with clamscan -m --debug

Could you give some tips on how to use that to figure out which message is
being referred to? For example, I have a mail file with just one message in
it (which is infected) and the output is quite noisy. I've attached it
below.

When scanning a mailbox with 1000 messages in it, it's quite difficult to
make anything of this output without knowing exactly what to look for.
Also, piping the output to a file doesn't seem to work, so even if there's
some flag to grep for, it's difficult to manage.

Is keeping a message counter feasible, given the design of the code?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

SCAN OUTPUT (names have been changed to protect the innocent and not):

#: clamscan -m --debug malware.1
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Decoded signature: 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/COPYING
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Loading databases from /var/tmp//5be97e661849fdd0
LibClamAV debug: Loading /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Decoded signature: ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/COPYING
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Loading databases from /var/tmp//2c1156fb087c6d13
LibClamAV debug: Loading /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Recognized MBox file
LibClamAV debug: Starting cli_scanmail()
LibClamAV debug: in mbox()
LibClamAV debug: Deal with header From [EMAIL PROTECTED] Thu Apr 8 11:18:31 2004
LibClamAV debug: parseEmailHeader 'From [EMAIL PROTECTED] Thu Apr 8 11:18:31 2004'
LibClamAV debug: parseMimeHeader: cmd='From [EMAIL PROTECTED] Thu Apr 8 11', arg='18:31 2004'
LibClamAV debug: Deal with header Return-Path: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Return-Path: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Return-Path', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])
LibClamAV debug: parseEmailHeader 'Received: from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])'
LibClamAV debug: Discarding unwanted argument 'by virus.destination.com (8.12.8p1/8.12.8av) with SMTP id i38FIVa7017841'
LibClamAV debug: Discarding unwanted argument 'for <[EMAIL PROTECTED]>'
LibClamAV debug: Discarding unwanted argument 'Thu, 8 Apr 2004 11'
LibClamAV debug: Discarding unwanted argument '18'
LibClamAV debug: Discarding unwanted argument '31 -0400 (EDT)'
LibClamAV debug: Discarding unwanted argument '(envelope-from [EMAIL PROTECTED])'
LibClamAV debug: Deal with header Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)
LibClamAV debug: parseEmailHeader 'Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)'
LibClamAV debug: parseMimeHeader: cmd='Date', arg=' Thu, 8 Apr 2004 11:18:31 -0400 (EDT)'
LibClamAV debug: Deal with header Message-Id: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Message-Id: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Message-Id', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -
LibClamAV debug: parseEmailHeader 'Received: (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -'
LibClamAV debug: Deal with header Delivered-To: [EMAIL PROTECTED]
LibClamAV debug: parseEmailHeader 'Delivered-To: [EMAIL PROTECTED]'
LibClamAV debug: parseMimeHeader: cmd='Delivered-To', arg=' [EMAIL PROTECTED]'
LibClamAV debug: Deal with header Received: (qmail 9254 invoked from network); 8 Apr 2004 15:22:37 -
LibClamAV debug: parseEmailHeader 'Received: (qmail 9254 invoked from network); 8 Apr 2004 15:22:37 -'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' (qmail 9254 invoked from network); 8 Apr
RE: [Clamav-users] Cleaning MBOX files?
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jack London Networks
> Sent: Thursday, April 08, 2004 6:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Cleaning MBOX files?
>
> If I use the --remove flag, it removes the whole mailbox file, not just
> the infected message. Glad I tested on a copy of an infected mailbox
> and not the real thing! :)
>
> I'm looking at the other solutions proposed, but they're going to take
> more work, obviously..and I don't think that it'll be something that
> I can run automatically every night on all the mail folders.
>
> *sigh*
>
> -bob

That's because the example given (qmail) uses maildir, not mbox. In the
qmail case it would only remove the infected message. In the mbox
case... well, you know what happens.

Jim

> Lloyd Albin wrote:
>
> > If you want to scan all mailboxes the following command is what I use to
> > do a manual scan. This example is for qmail with vpopmail.
> >
> > clamscan -r /home/vpopmail/domains --mbox -i --remove
> >
> > If you want to scan an individual domain use
> >
> > clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove
> >
> > Or if you want to scan an individual account use
> >
> > clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
> > --remove
> >
> > You must use clamscan because it will not timeout which the clamdscan
> > will.
> >
> > -Lloyd
Re: [Clamav-users] Cleaning MBOX files?
On Fri, 9 Apr 2004 00:01:42 -0400 (EDT)
jef moskot <[EMAIL PROTECTED]> wrote:

> Is there no way to get Clam to report which message the infected file
> (or at least the FIRST infected file) is in? Or does that add too
> much overhead? Someone once suggested turning verbose mode on, but
> that still didn't help to pin down specific messages.

You may try with clamscan -m --debug

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Apr 9 12:23:00 CEST 2004
Re: [Clamav-users] Cleaning MBOX files?
Is there no way to get Clam to report which message the infected file
(or at least the FIRST infected file) is in? Or does that add too
much overhead? Someone once suggested turning verbose mode on, but
that still didn't help to pin down specific messages.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
I'm running CommuniGatePro. It can store mail two ways - MBOX (one big
file) and MailDir (each msg in a separate file). The default,
unfortunately, is MBOX.

I'm going to create a new MailDir-style folder and copy all the mail to
it, that should help me in the short term. Need to see what it would take
to convert everyone over to MailDir - damn, that's going to use lots of
inodes

-bob

Lloyd Albin wrote:

> What configuration are you running? (e.g. qmail+vpopmail + courierimap)
>
> In the setup that I am running each message is stored as a separate file
> within the mail box setup. I have the following directory structure
>
> /home/vpopmail/domains/sampledomain.com/username/Maildir/cur
> /home/vpopmail/domains/sampledomain.com/username/Maildir/new
> /home/vpopmail/domains/sampledomain.com/username/Maildir/tmp
>
> Within the new directory is a list of the emails.
>
> -rw------- 1 vpopmail vchkpw 4863 Apr 8 16:01 1081465307.22178.mail.sampledomain.com,S=4798
> -rw------- 1 vpopmail vchkpw 5088 Apr 8 16:04 1081465462.22278.mail.sampledomain.com,S=5023
>
> So for the configuration that I am running it does work. If you let me
> know about yours, there may be an easy way also, or maybe not.
>
> -Lloyd
>
> > If I use the --remove flag, it removes the whole mailbox file, not just
> > the infected message. Glad I tested on a copy of an infected mailbox
> > and not the real thing! :)
> >
> > I'm looking at the other solutions proposed, but they're going to take
> > more work, obviously..and I don't think that it'll be something that
> > I can run automatically every night on all the mail folders.
> >
> > *sigh*
> >
> > -bob
> >
> > Lloyd Albin wrote:
> >
> > > If you want to scan all mailboxes the following command is what I use
> > > to do a manual scan. This example is for qmail with vpopmail.
> > >
> > > clamscan -r /home/vpopmail/domains --mbox -i --remove
> > >
> > > If you want to scan an individual domain use
> > >
> > > clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove
> > >
> > > Or if you want to scan an individual account use
> > >
> > > clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
> > > --remove
> > >
> > > You must use clamscan because it will not timeout which the clamdscan
> > > will.
> > >
> > > -Lloyd
Re: [Clamav-users] Cleaning MBOX files?
What configuration are you running? (e.g. qmail+vpopmail + courierimap)

In the setup that I am running each message is stored as a separate file
within the mail box setup. I have the following directory structure

/home/vpopmail/domains/sampledomain.com/username/Maildir/cur
/home/vpopmail/domains/sampledomain.com/username/Maildir/new
/home/vpopmail/domains/sampledomain.com/username/Maildir/tmp

Within the new directory is a list of the emails.

-rw------- 1 vpopmail vchkpw 4863 Apr 8 16:01 1081465307.22178.mail.sampledomain.com,S=4798
-rw------- 1 vpopmail vchkpw 5088 Apr 8 16:04 1081465462.22278.mail.sampledomain.com,S=5023

So for the configuration that I am running it does work. If you let me
know about yours, there may be an easy way also, or maybe not.

-Lloyd

> If I use the --remove flag, it removes the whole mailbox file, not just
> the infected message. Glad I tested on a copy of an infected mailbox
> and not the real thing! :)
>
> I'm looking at the other solutions proposed, but they're going to take
> more work, obviously..and I don't think that it'll be something that
> I can run automatically every night on all the mail folders.
>
> *sigh*
>
> -bob
>
> Lloyd Albin wrote:
>
> > If you want to scan all mailboxes the following command is what I use to
> > do a manual scan. This example is for qmail with vpopmail.
> >
> > clamscan -r /home/vpopmail/domains --mbox -i --remove
> >
> > If you want to scan an individual domain use
> >
> > clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove
> >
> > Or if you want to scan an individual account use
> >
> > clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
> > --remove
> >
> > You must use clamscan because it will not timeout which the clamdscan
> > will.
> >
> > -Lloyd

--
Lloyd Albin <[EMAIL PROTECTED]>
Re: [Clamav-users] Cleaning MBOX files?
If I use the --remove flag, it removes the whole mailbox file, not just
the infected message. Glad I tested on a copy of an infected mailbox
and not the real thing! :)

I'm looking at the other solutions proposed, but they're going to take
more work, obviously..and I don't think that it'll be something that
I can run automatically every night on all the mail folders.

*sigh*

-bob

Lloyd Albin wrote:

> If you want to scan all mailboxes the following command is what I use to
> do a manual scan. This example is for qmail with vpopmail.
>
> clamscan -r /home/vpopmail/domains --mbox -i --remove
>
> If you want to scan an individual domain use
>
> clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove
>
> Or if you want to scan an individual account use
>
> clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
> --remove
>
> You must use clamscan because it will not timeout which the clamdscan
> will.
>
> -Lloyd
Re: [Clamav-users] Cleaning MBOX files?
On Thu, 8 Apr 2004, Jack London Networks wrote:

> Okay, I like the --mbox support of clamscan. Problem is - now that I
> know there are infected messages in people's inboxes/other folders, I
> have very little information to go on to find and clean those
> messages. For example, I know a few people have copies of Bagle,
> SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
> know _which_ message is infected?

Use formail/procmail. Formail breaks the big mbox into individual messages,
call procmail on each message with an rc file that saves to two different
mboxes based on the results ie:

cat mbox | formail -s procmail -m ./Clam.rc

Clam.rc would be something like:

# Start of RC file
#
VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Di
* VIRUS ?? FOUND
VirusMail

:0
GoodMail
# End of file

This is untested, off the top of my head.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Cleaning MBOX files?
If you want to scan all mailboxes the following command is what I use to
do a manual scan. This example is for qmail with vpopmail.

clamscan -r /home/vpopmail/domains --mbox -i --remove

If you want to scan an individual domain use

clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove

Or if you want to scan an individual account use

clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
--remove

You must use clamscan because it will not timeout which the clamdscan
will.

-Lloyd

> Okay, I like the --mbox support of clamscan. Problem is - now that I
> know there are infected messages in people's inboxes/other folders, I
> have very little information to go on to find and clean those
> messages. For example, I know a few people have copies of Bagle,
> SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
> know _which_ message is infected?
>
> This also goes back to the naming problem being discussed - I try to go
> do research on 'Exploit.HTML.Bagle.Gen-3-eml' - and come up empty. So I
> don't know what subjects or attached files to look for. I second the
> notion of putting up a Wiki with a searchable alias database...
>
> The argument 'who cares what we call it if it's blocked' doesn't hold
> water with me - SMTP is not the only way these damn things get on the
> server - they come in via imap too when a new employee drag-n-drops half
> a gig of outlook PST files to the server. Apart from needing more
> details on these damn things, I would also like a way to periodically
> clean MBOX files in a more automated fashion, if clam can't do it does
> anyone know of commercial products that do?
>
> -bob

--
Lloyd Albin <[EMAIL PROTECTED]>
Re: [Clamav-users] Cleaning MBOX files?
Antony Stone wrote:

> On Thursday 08 April 2004 8:45 pm, Jack London Networks wrote:
> > Okay, I like the --mbox support of clamscan. Problem is - now that I
> > know there are infected messages in people's inboxes/other folders, I
> > have very little information to go on to find and clean those
> > messages. For example, I know a few people have copies of Bagle,
> > SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
> > know _which_ message is infected?
>
> I guess you could put something together using fetchmail to copy the
> mailbox to a "scanning" account, fetch the mails from there and pass them
> through ClamAV, and deliver only the clean ones back to the real mailbox,
> alternatively there may be something in http://mboxgrep.sourceforge.net
> which would help out - perhaps use ClamAV to find the names of the
> attachment files containing the viruses, then use mboxgrep to find the
> mails containing those attachment names?
>
> Just my few random thoughts,
>
> Happy Easter.
>
> Regards,
>
> Antony.

formail (man or google it)

(I actually wrote a similar tool for my own use called spool-remail, I
leave it up to your imagination what it does)
Re: [Clamav-users] Cleaning MBOX files?
Quoting Antony Stone <[EMAIL PROTECTED]>:

> On Thursday 08 April 2004 8:45 pm, Jack London Networks wrote:
> > Okay, I like the --mbox support of clamscan. Problem is - now that I
> > know there are infected messages in people's inboxes/other folders, I
> > have very little information to go on to find and clean those
> > messages. For example, I know a few people have copies of Bagle,
> > SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
> > know _which_ message is infected?

If you have some time, you can use formail to split the mailbox into
individual messages and pipe them through clamscan to locate the bad
ones...

> containing the viruses, then use mboxgrep to find the mails containing
> those attachment names?

Most recent viruses use either double extensions or a common set of
extensions (.zip, .rar, .scr, .exe, .pif etc) so you can mboxgrep for those
to help narrow down the search. If you check the reports for a lot of the
recent viruses, the list of possible strings/filenames for some of them is
too long to do an actual search on those. But they follow patterns, and
your eye will catch the patterns rather quickly.

--
Eric Rostetter
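Chris Candreva's formail/procmail recipe and Eric's split-and-scan suggestion above describe the same workflow: split the mbox on its "From " envelope lines, scan each message on its own, and route clean and infected messages into two separate mailboxes instead of letting --remove delete the whole mbox file. The script below is an added example, not code from the thread's authors or from the ClamAV project; the clamscan_scanner function assumes a current clamscan on PATH that reads one message from stdin and exits 1 on a match, and the offline demo substitutes a constructed double-extension check (marker_scanner) for clamscan, on a constructed three-message mailbox.

```python
"""Find which messages in an mbox are infected, and separate them.

Added example, not code from the ClamAV project or the thread's authors.
A Unix mbox is one file whose messages each start with an envelope line
"From sender date"; this splits on those lines, scans every message on its
own and writes clean and infected messages to two mailboxes, so that one
detection never costs the whole mailbox (which is what --remove does on an
mbox, as reported in the thread).
"""
import re
import subprocess
from typing import Callable, Iterator, List, Tuple

Scanner = Callable[[bytes], bool]  # True when the message is infected

# Separator: "From " at the start of a line. Body lines that begin with
# "From " are escaped as ">From " by the delivering MTA, so an unescaped
# one marks a new message (the same rule Python's mailbox module applies).
_SEPARATOR = re.compile(rb"^From ", re.MULTILINE)


def split_mbox(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (1-based message number, raw message bytes) for each message."""
    starts = [m.start() for m in _SEPARATOR.finditer(data)]
    for n, start in enumerate(starts, start=1):
        end = starts[n] if n < len(starts) else len(data)
        yield n, data[start:end]


def triage_mbox(data: bytes, scanner: Scanner) -> Tuple[List[int], bytes, bytes]:
    """Scan every message; return (infected numbers, clean mbox, infected mbox).

    Write the clean mbox back under the mailbox lock and via rename, never
    in place, so a crash mid-write cannot truncate the user's mail.
    """
    infected: List[int] = []
    clean: List[bytes] = []
    quarantine: List[bytes] = []
    for n, msg in split_mbox(data):
        if scanner(msg):
            infected.append(n)
            quarantine.append(msg)
        else:
            clean.append(msg)
    return infected, b"".join(clean), b"".join(quarantine)


def clamscan_scanner(msg: bytes) -> bool:
    """Scan one message with clamscan reading it from stdin ("-").

    Assumes a current clamscan on PATH. Exit status is 0 for clean, 1 when a
    signature matched and 2 on error; an error must never count as clean.
    """
    proc = subprocess.run(["clamscan", "--no-summary", "-"], input=msg,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.returncode == 1


# Constructed stand-in for clamscan so the demo runs offline: flags an
# attachment whose name has a double extension (report.pdf.scr and the like),
# the pattern Eric mentions. A triage heuristic, not a real detection.
_DOUBLE_EXT = re.compile(
    rb'filename="[^"]+\.(?:doc|pdf|jpg|txt)\.(?:exe|scr|pif|bat)"', re.I)


def marker_scanner(msg: bytes) -> bool:
    return _DOUBLE_EXT.search(msg) is not None


# Constructed three-message mailbox, no real malware. Message 2 carries the
# suspicious attachment name; message 3 has an escaped ">From " body line
# that must not be mistaken for a separator.
SAMPLE_MBOX = (
    b"From alice@example.com Thu Apr  8 11:18:31 2004\n"
    b"From: alice@example.com\nSubject: hello\n\nplain text\n\n"
    b"From mallory@example.com Thu Apr  8 11:20:00 2004\n"
    b"From: mallory@example.com\nSubject: invoice\n"
    b'Content-Type: application/octet-stream; name="invoice.pdf.scr"\n'
    b'Content-Disposition: attachment; filename="invoice.pdf.scr"\n\n'
    b"...\n\n"
    b"From carol@example.com Thu Apr  8 11:25:00 2004\n"
    b"From: carol@example.com\nSubject: quoting\n\n"
    b">From the top: nothing to see here.\n\n"
)


def demo() -> List[int]:
    infected, clean, quarantine = triage_mbox(SAMPLE_MBOX, marker_scanner)
    print("infected message numbers:", infected)
    print("clean mbox: %d bytes, quarantine: %d bytes" % (len(clean), len(quarantine)))
    return infected


if __name__ == "__main__":
    demo()
```

For a real mailbox, pass clamscan_scanner instead of marker_scanner; scanning one message per clamscan process is slow on large mailboxes, which is the cost Chris's clamdscan-based recipe avoids.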
Re: [Clamav-users] Cleaning MBOX files?
On Thursday 08 April 2004 8:45 pm, Jack London Networks wrote:

> Okay, I like the --mbox support of clamscan. Problem is - now that I
> know there are infected messages in people's inboxes/other folders, I
> have very little information to go on to find and clean those
> messages. For example, I know a few people have copies of Bagle,
> SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
> know _which_ message is infected?

I guess you could put something together using fetchmail to copy the
mailbox to a "scanning" account, fetch the mails from there and pass them
through ClamAV, and deliver only the clean ones back to the real mailbox,
alternatively there may be something in http://mboxgrep.sourceforge.net
which would help out - perhaps use ClamAV to find the names of the
attachment files containing the viruses, then use mboxgrep to find the
mails containing those attachment names?

Just my few random thoughts,

Happy Easter.

Regards,

Antony.

--
Documentation is like sex. When it's good, it's very very good. When it's
bad, it's still better than nothing.

Please reply to the list; please don't CC me.
[Clamav-users] Cleaning MBOX files?
Okay, I like the --mbox support of clamscan. Problem is - now that I
know there are infected messages in people's inboxes/other folders, I
have very little information to go on to find and clean those
messages. For example, I know a few people have copies of Bagle,
SomeFool/Netsky and so forth - but in an inbox of 4,000 items - how do I
know _which_ message is infected?

This also goes back to the naming problem being discussed - I try to go
do research on 'Exploit.HTML.Bagle.Gen-3-eml' - and come up empty. So I
don't know what subjects or attached files to look for. I second the
notion of putting up a Wiki with a searchable alias database...

The argument 'who cares what we call it if it's blocked' doesn't hold
water with me - SMTP is not the only way these damn things get on the
server - they come in via imap too when a new employee drag-n-drops half
a gig of outlook PST files to the server. Apart from needing more
details on these damn things, I would also like a way to periodically
clean MBOX files in a more automated fashion, if clam can't do it does
anyone know of commercial products that do?

-bob