Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Kelsey Cummings
On Fri, Apr 16, 2004 at 11:54:26PM -0500, Les Mikesell wrote:
> On Fri, 2004-04-16 at 22:24, Kelsey Cummings wrote:
> 
> > That's probably true but clamd has insane memory requirements for
> > processing deeply nested mime messages.  (See the thread about this for
> > more information.  David's hinted that he might patch the MIME module so
> > you can retrieve and nesting depth from it easily which could be used to
> > block excessively deep messages in MD.)
> 
> The interesting thing in my case was that a single run didn't
> seem to be so much of a problem memory-wise as that mimedefang
> timed out the connection.  However the memory wasn't completely
> released or re-used on subsequent runs so it kept growing as
> the sending server retried the tmp failures.

Clamd has definitely had some pretty severe memory leaks.  Later CVS
snapshots are probably your best bet but .70rc has been okay for us.

BTW, it's not related to clamd but I thought I'd share it here.

We just hacked MD to query and report to a private DCC server mesh in order
to reduce spam influx.  (We were only using MD to wrap clamd and for some
of its MIME sanity features.)  The catch is that we've been doing spam
list poisoning for years and get around 250k spams a day to our trolling
accounts and that we feed these messages tagged as many to the servers
directly from MD.  If we see a message that is not sent to a troll and
was sent to a troll we bounce it.  We're rejecting nearly 200k messages a
day based on this; many of the rejected spams are hard-to-filter URL spams.

I hacked it in as a virus filter and pushed it in first so it runs before
our virus filters.  There are some other small changes to get the virus code to
respect the 'spam' bounce.

use DB_File;
use Fcntl;    # for O_RDONLY

sub message_contains_spam_localdcc () {

    my $is_troll = 0;
    my %virtusers;

    # Open the sendmail virtusertable read-only to see whether any
    # recipient maps to the troll account.
    my $DB_HASH = new DB_File::HASHINFO;
    tie %virtusers, 'DB_File', '/etc/mail/virtusertable.db', O_RDONLY, 0666, $DB_HASH;

    for my $recipient (@Recipients)
    {
        # strip '<...>'
        $recipient =~ s/^<(.*)>$/$1/;
        # lc it
        $recipient = lc $recipient;

        #md_syslog('err',"$MsgID: looking up $recipient in virtusertable");
        if ( exists $virtusers{$recipient} && $virtusers{$recipient} eq '[EMAIL PROTECTED]')
        {
            $is_troll = 1;
            next;
        }

        my ($lhs,$rhs) = split(/@/,$recipient);

        if ( exists $virtusers{"[EMAIL PROTECTED]"} && $virtusers{"[EMAIL PROTECTED]"} eq '[EMAIL PROTECTED]')
        {
            $is_troll = 1;
            next;
        }
    }
    untie %virtusers;

    # Troll mail is reported to the local DCC servers as "many";
    # everything else is only looked up.
    my $cmd = '';
    if ( $is_troll )
    {
        $cmd = "/opt/dcc/bin/dccproc -ERt many -c all,0,-1 -l /opt/dcc/log -i ./Work/INPUTMSG";
        md_syslog('err',"$MsgID: Fed local dcc database.");
    }
    else
    {
        $cmd = "/opt/dcc/bin/dccproc -H -i ./Work/INPUTMSG";
    }

    unless( open DCC, "$cmd |" )
    {
        my $msg =  "Unable to execute $cmd: $!\n";
        md_syslog('err',"$MsgID: message_contains_spam_localdcc: $msg");
        return (wantarray ? (0, 'ok', 'ok') : 0);
    }

    # Only the first line of dccproc output is needed.
    my $results = <DCC>;
    close DCC;
    chomp($results);

    if ( $is_troll == 0 && $results =~ /=many/ )
    {
        md_syslog('err',"$MsgID: Bounce: $results");
        return ( wantarray ? (1, 'spam', 'reject') : 1);
    }

    return (wantarray ? (0, 'ok', 'ok') : 0);
}
 

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Administrator  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)    http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Kelsey Cummings
On Fri, Apr 16, 2004 at 09:38:34PM -0600, Tim Pushor wrote:
> Does the non-daemonized clamav have the same issues?

clamscan did not exhibit the same excessive memory usage.  The memory
requirements for the nested messages went down noticeably after .70rc but
are still very high.

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Administrator  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)    http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Les Mikesell
On Fri, 2004-04-16 at 22:24, Kelsey Cummings wrote:

> That's probably true but clamd has insane memory requirements for
> processing deeply nested mime messages.  (See the thread about this for
> more information.  David's hinted that he might patch the MIME module so
> you can retrieve and nesting depth from it easily which could be used to
> block excessively deep messages in MD.)

The interesting thing in my case was that a single run didn't
seem to be so much of a problem memory-wise as that mimedefang
timed out the connection.  However the memory wasn't completely
released or re-used on subsequent runs so it kept growing as
the sending server retried the tmp failures.

---
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Tim Pushor
Does the non-daemonized clamav have the same issues?

Kelsey Cummings wrote:



There are some outside cases where a 4mb message can make some versions of
clamd consume >gigs< of RAM.  It's also decompressing files into RAM so a
 



Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Kelsey Cummings
On Fri, Apr 16, 2004 at 07:07:01PM -0700, Jeffrey Goldberg wrote:
> On Fri, 16 Apr 2004, Kelsey Cummings wrote:
> 
> > There are some outside cases where a 4mb message can make some versions of
> > clamd consume >gigs< of RAM.  It's also decompressing files into RAM so a
> > 50 MB message that's compressed 2:1 will take at least 100MB of RAM.  Add
> > to this the overhead for the scanner's structures and recursion it could
> > take a great deal more.  Clamd can be DoS'd pretty easily right now.  You
> > may want to consider tuning it, running something later than .70rc, running
> > it under ulimits and adding as much RAM to the server as you can afford or
> > will fit.
> 
> I suspect that what can be done to Clamav can be done to others as well.

That's probably true but clamd has insane memory requirements for
processing deeply nested mime messages.  (See the thread about this for
more information.  David's hinted that he might patch the MIME module so
you can retrieve and nesting depth from it easily which could be used to
block excessively deep messages in MD.)

What we do is run clamd in foreground mode inside of a service loop that
sets ulimits on the process.  This also keeps clamd running, which it
doesn't always like to do on its own.

#!/bin/sh
# "blah" is the poster's placeholder for the actual limit options and values
ulimit blah
while [ 1 ]
do
 clamd
 sleep 1
done

For all of its problems, clamd has been a life saver.

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Administrator  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)    http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896


[Mimedefang] Tuning for taking mail from qmail - practically denial of service

2004-04-16 Thread Alton Yu
As some of you probably know, qmail sends a lot of mail at a time and does
not do connection caching, so it'll just hit the box with 15 or so mails at
a time if the mail is destined for that specific host.

My mail server seems to keep running out of slaves every time the sender
does a queue run and 1/2 of it doesn't finish, so it'll just take my box out
momentarily for 5 minutes at a time.

Does anyone have some good tuning tips?

Thanks!



Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Jeffrey Goldberg
On Fri, 16 Apr 2004, Kelsey Cummings wrote:

> There are some outside cases where a 4mb message can make some versions of
> clamd consume >gigs< of RAM.  It's also decompressing files into RAM so a
> 50 MB message that's compressed 2:1 will take at least 100MB of RAM.  Add
> to this the overhead for the scanner's structures and recursion it could
> take a great deal more.  Clamd can be DoS'd pretty easily right now.  You
> may want to consider tuning it, running something later than .70rc, running
> it under ulimits and adding as much RAM to the server as you can afford or
> will fit.

I suspect that what can be done to Clamav can be done to others as well.

It might be a good idea to take your suggestion about setting ulimits when
calling the virus scanner.

I took a look at mimedefang.pl and found the function

 run_virus_scanner

That contains a fragment of a line

  open(SCANNER, "$cmd |")

Now I'm sure there must be some relatively easy way in perl to get
something opened like this to run with various rlimits set.  But I
couldn't find it.  But I think that it would be a good idea to have a
configurable variable which corresponds to a ulimit -m VALUE.

That seems like the safest general solution instead of having to worry
about each and every release of each and every third party program that MD
calls.

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
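
Added example (not code from the thread, MIMEDefang or ClamAV): a POSIX shell sketch of the two ideas above, the restart loop under ulimits and a per-invocation limit on the scanner. The function names, the limit values and the RESTART_DELAY variable are assumptions; -v is used rather than -m because Linux does not enforce the resident-set limit.

```shell
#!/bin/sh
# Added example; limits and names below are assumptions, tune them per host.

# run_limited MAX_KB CPU_SECS CMD [ARGS...]
# Applies the limits inside a subshell, so they bind CMD and its children
# but never the calling shell. -v caps the address space in KB, -t caps
# CPU seconds. Returns CMD's exit status (125 if a limit could not be set).
run_limited() {
    max_kb=$1
    cpu_secs=$2
    shift 2
    (
        ulimit -v "$max_kb" || exit 125
        ulimit -t "$cpu_secs" || exit 125
        exec "$@"
    )
}

# describe_exit STATUS
# Turns an exit status into a line worth logging, so a scanner that was
# killed at its limit can be told apart from one that exited on its own.
describe_exit() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -eq 125 ]; then
        echo "could not set limits"
    elif [ "$1" -eq 126 ] || [ "$1" -eq 127 ]; then
        echo "command not runnable"
    elif [ "$1" -gt 128 ]; then
        echo "killed by signal $(( $1 - 128 ))"
    else
        echo "exit status $1"
    fi
}

# supervise MAX_RUNS MAX_KB CPU_SECS CMD [ARGS...]
# Restart loop in the style of the one posted in the thread. MAX_RUNS=0
# loops forever; a positive value bounds the number of starts. The pause
# between starts is RESTART_DELAY seconds (default 1).
supervise() {
    max_runs=$1
    shift
    runs=0
    while [ "$max_runs" -eq 0 ] || [ "$runs" -lt "$max_runs" ]; do
        status=0
        run_limited "$@" || status=$?
        runs=$((runs + 1))
        echo "run $runs: $(describe_exit "$status")"
        sleep "${RESTART_DELAY:-1}"
    done
}

# Typical calls (placeholder values):
#   supervise 0 1048576 unlimited clamd      # clamd configured to stay in the foreground
#   run_limited 524288 120 clamscan ./Work/INPUTMSG
```

A script that calls run_limited can be named as the scanner command, which is one way to get a per-invocation limit without changing the open() call.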


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Lucas Albers

Kelsey Cummings said:
> Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
> An alternate choice is to use clamscan which appears to do a better job
> with its memory management but has the expense of reading the sigs for
> every check along with the process startup costs.

If you don't need the performance of clamd or clamdscan, then you get
better reliability by just running clamscan.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Kelsey Cummings
On Thu, Apr 15, 2004 at 11:00:46PM -0700, Jeffrey Goldberg wrote:
> On Thu, 15 Apr 2004 [EMAIL PROTECTED] wrote:
> 
> > We limit messages to 10 MB.
> 
> We use 20 MB.  I wanted 10, my boss wanted 20, so we compromised on 20.



> But we still haven't clarified (or maybe I missed it) whether there is
> a memory leak in clamav or whether the huge file caused the problems
> leaklessly.  I should note that the example/default mimedefang-filter has
> a condition on it to not run spamassassin on very large messages.  It
> might be safe to do the same with virus scanning.  A worm so large that
> most mail hubs would reject on size is not really going to propagate very
> far.

There are some outside cases where a 4mb message can make some versions of
clamd consume >gigs< of RAM.  It's also decompressing files into RAM so a
50 MB message that's compressed 2:1 will take at least 100MB of RAM.  Add
to this the overhead for the scanner's structures and recursion it could
take a great deal more.  Clamd can be DoS'd pretty easily right now.  You
may want to consider tuning it, running something later than .70rc, running
it under ulimits and adding as much RAM to the server as you can afford or
will fit.

An alternate choice is to use clamscan which appears to do a better job
with its memory management but has the expense of reading the sigs for
every check along with the process startup costs.

Disabling archive scanning can also help.

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Administrator  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)    http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Jeffrey Goldberg
On Fri, 16 Apr 2004, Jeffrey Goldberg wrote:

> On Fri, 16 Apr 2004, Les Mikesell wrote:

> > [...] I am pretty sure that clamd leaked memory.

> It does sound like a leak.   Other than saying your suspicion sounds
> reasonable to me, I can't offer any help.  There is a clamav mailing list.

What version of clamav are you running?  There are reports of memory
management problems in some versions.  Apparently versions prior to
0.67?  were vulnerable to a DoS through a carefully constructed message.

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Jeffrey Goldberg
On Fri, 16 Apr 2004, Les Mikesell wrote:

> On Fri, 2004-04-16 at 01:00, Jeffrey Goldberg wrote:

> I don't want to repeat the condition to test again, but I am
> pretty sure that clamd leaked memory.  It did not crash
> immediately on the first attempts to forward these messages
> but after some (dozens?) of attempts it would take all
> of the machine's RAM and eventually swap.  Restarting
> clamd would clear it up.  It may be related to the
> outlook winmail.dat encoding of a zip file as well as
> the size.  Maybe it wouldn't happen with normal MIME.
> I think if clamd just died at a certain memory consumption
> level, mimedefang would have handled things correctly and
> there might be a way to arrange that.

It does sound like a leak.   Other than saying your suspicion sounds
reasonable to me, I can't offer any help.  There is a clamav mailing list.

> > I should note that the example/default mimedefang-filter has
> > a condition on it to not run spamassassin on very large messages.  It
> > might be safe to do the same with virus scanning.  A worm so large that
> > most mail hubs would reject on size is not really going to propagate very
> > far.
>
> I think that would just beg the virus writers to exploit the
> hole.

If, say, you set things up to not scan files of more than 30MB, things
would be safe.  Virus writers could make their vectors more than
30MB to get through that hole, but a virus transmitted by email via a
message that is larger than 30MB just isn't going to propagate.


> > > > Use ftp for larger messages.

> You make this sound easy when in fact you are talking about huge
> security issues. [...] How do you suggest moving a big file that should
> be confidential between two users that don't have write access to a
> server or a password in common?

Hmm.  You are right.  ftp and http are designed for  "one to many"
distribution, while email is designed with one to one in mind.

There are, of course, solutions.  But they require changes in habits that
amount to serious (prohibitive) inconvenience.  If users were infinitely
educable I would suggest

   (a) Everyone have easy web publishing ability.
   (b) PGP encryption of uploaded files with intended recipient's public
   key

So if you wanted to send me something large, you would encrypt it with my
public key, upload it to your public web space and email me the URL.

But getting people to work that way isn't going to happen any time soon.
So yes.  Unfortunately there does remain a role for email for large file
transfers.

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/


Re: [Mimedefang] Update to MIMEDefang Filter KAM

2004-04-16 Thread Joseph Brennan


  md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang using Columbia filter");

But please replace "Columbia filter" with whatever your site is!
That's there to clarify for us that our mail system did it.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York


[Mimedefang] Update to MIMEDefang Filter KAM

2004-04-16 Thread Kevin A. McGrail
Thanks to Joe Brennan, we have implemented a new addition to our MIMEDefang
filter to disable iframe/object/script elements from HTML emails.  It's in
the filter () section in the file here:

http://www.peregrinehw.com/downloads/MIMEDefang/mimedefang-filter-KAM

and here's the code though word wrapping will probably kill it:

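#Disable bad HTML code -- Based on work by Columbia University / Joseph Brennan
#Modified by KAM 2004-04-16
if ($type eq "text/html") {
  my($currentline, $output, $badtag);

  $badtag = 0;
  $output = "";

  if ($io = $entity->open("r")) {
    while (defined($currentline = $io->getline)) {
      # The list archive stripped everything between the pattern below and
      # the close call. The replacement text "<no-$1" and the two statements
      # that count and collect the line are assumed stand-ins, not the
      # original code.
      if ($currentline =~ s/<(iframe|script|object)\b/<no-$1/ig) {
        $badtag++;
      }
      $output .= $currentline;
    }
    $io->close;

    if ($badtag) {
      # Write the modified body back and have MIMEDefang rebuild the message.
      if ($io = $entity->open("w")) {
        $io->print($output);
        $io->close;
      }
      md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang using Columbia filter");
      action_change_header("X-Warning", "$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang using Columbia filter");
      action_rebuild();
    }
  }
}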

regards,
KAM



Re: [Mimedefang] Counting mail traffic

2004-04-16 Thread Egor Moskvichev
> If you need a breakdown of mailsize per users, then it might be easiest to
> parse your maillog.  Each log entry showing the "from=" also shows the
> sendmail message ID and the "size=".  You would need to search for the
> "size=", capture the message ID number, then search the log again, for the
> "to=" entry that has the same message ID number.

Yes, I walked through it easily but there are some problems with sendmail
logs. The information which is kept there is not reliable so I decided to
choose mimedefang filter because it contains all info about connection and
mail processing.
So, it suits me in every respect but as I said earlier, it logs empty
strings sometimes (see my first posting above). I want to understand why it
does and how to walk around this problem.

Egor Moskvichev



RE: [Mimedefang] $RelayAddr in filter_end()

2004-04-16 Thread Henrik Schmiediche

Thanks for the answer!

- Henrik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henrik
Schmiediche
Sent: Friday, April 16, 2004 10:17 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] $RelayAddr in filter_end()


Hello,
According to the doc's $RelayAddr is not available in filter_end(). If I
want to do spam checking based on where the email is coming from how would I
do this? How can I get access to this variable in filter_end()?

Sincerely,

   - henrik




Re: [Mimedefang] $RelayAddr in filter_end()

2004-04-16 Thread Chris Myers
- Original Message - 
From: "Henrik Schmiediche" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 16, 2004 10:16 AM
Subject: [Mimedefang] $RelayAddr in filter_end()


> According to the doc's $RelayAddr is not available in filter_end(). If I
> want to do spam checking based on where the email is coming from how would I
> do this? How can I get access to this variable in filter_end()?

$RelayAddr *IS* available in filter_end.

The manpage's description of individual variables is somewhat misleading
since they state "variable X is available in filter_recipient".  What they
really mean is "variable X is first available in filter_recipient, and all
filter subroutines called after filter_recipient".

The calling order is:

filter_relay, filter_sender, filter_recipient, filter_begin, filter,
filter_multipart, filter_end

Chris Myers
Networks By Design




Re: [Mimedefang] $RelayAddr in filter_end()

2004-04-16 Thread David F. Skoll
On Fri, 16 Apr 2004, Henrik Schmiediche wrote:

> According to the doc's $RelayAddr is not available in filter_end().

No:

"All of
these variables are always available to filter_begin, filter,
filter_multipart and filter_end.  In addition, some of them are available
in filter_relay, filter_sender or filter_recipient.  If this is the
case, it will be noted below."

--
David.


[Mimedefang] $RelayAddr in filter_end()

2004-04-16 Thread Henrik Schmiediche

Hello,
According to the doc's $RelayAddr is not available in filter_end(). If I
want to do spam checking based on where the email is coming from how would I
do this? How can I get access to this variable in filter_end()?

Sincerely,

   - henrik




Re: [Mimedefang] command line notification of failure of mimedefang or similar

2004-04-16 Thread Josh Kelley
Lucas Albers wrote:

> I am currently using swatch to monitor my mail log for clamd errors.
> If mimedefang or clamd stop working I cannot email notify anyone.
> Does anyone use a command-line mailer/script to connect directly to
> another mail server in this situation?
> For cases in which the local mail server is not functioning?

I haven't used it, but it sounds like nullmailer should do what you're 
asking:
http://untroubled.org/nullmailer/

We've had good results using sendpage to page us via modem if email goes 
down:
http://sendpage.cpoint.net/

Josh Kelley


Re: [Mimedefang] Some installation prob on Solaris 9..Pl reply Urgent

2004-04-16 Thread WBrown
[EMAIL PROTECTED] wrote on 04/16/2004 09:48:53 AM:

> Permission for necessary files  are :-
> 
> /var/spool/
> drwx--   2 defang   other  MIMEDefang
> 
> drwx--   2 defang   other  MD-Quarantine

Would it help to make the group defang?  I'm still kind of new to Linux 
and file permissions.


Re: [Mimedefang] action_bounce in filter_end

2004-04-16 Thread David F. Skoll
On Fri, 16 Apr 2004, kamal wrote:

> How do I reject an email from filter_end? Can we use action_bounce in
> filter_end?

Yes.

> It seems to work, but man page is not clear, it doesn't say
> that it can be called from filter_end. Similarly for
> action_quarantine_entire_message

Same answer. :-)

Regards,

David.


Re: [Mimedefang] Some installation prob on Solaris 9..Pl reply Urgent

2004-04-16 Thread manishankar pandey
Thanks for your mail, WBrown.

I think my MIMEDefang is not working as I got mails
with attachment .pif in my mailbox. Reason could be due
to these sockets which sendmail is trying to find but
not able to get connect and thus MIMEDefang is not
doing what it was supposed to do :-(

So pl help me in getting rid of that error message.


Permission for necessary files  are :-

/
drwxr-xr-t  39 root sys  var

/var
drwxr-xr-x  16 root bin  spool

/var/spool/
drwx--   2 defang   other  MIMEDefang

drwx--   2 defang   other  MD-Quarantine


Please reply ..

With best regards,
Mani

--- [EMAIL PROTECTED] wrote:
> > 1) How to check that MIMEDEFANG is working properly ?
>
> The ultimate proof is to send test messages through the filter.  Send a
> message with a .exe file attached to test the executable blocking.  Send a
> message with the GTUBE string to test that it is calling SpamAssassin
>
> > 2) What are the important file to look for ?
>
> The most important is the mail log file.  If you're using antivirus, make
> sure it is updating.
>
> > 3)/var/log/syslog is having following error entry no
> > idea what may be the cause :-
>
> check this:
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-November/018069.html







[Mimedefang] action_bounce in filter_end

2004-04-16 Thread kamal
How do I reject an email from filter_end? Can we use action_bounce in 
filter_end? It seems to work, but man page is not clear, it doesn't say 
that it can be called from filter_end. Similarly for 
action_quarantine_entire_message


Re: [Mimedefang] clamd memory leak?

2004-04-16 Thread Les Mikesell
On Fri, 2004-04-16 at 01:00, Jeffrey Goldberg wrote:

> But we still haven't clarified (or maybe I missed it) whether there is
> a memory leak in clamav or whether the huge file caused the problems
> leaklessly.

I don't want to repeat the condition to test again, but I am
pretty sure that clamd leaked memory.  It did not crash
immediately on the first attempts to forward these messages
but after some (dozens?) of attempts it would take all
of the machine's RAM and eventually swap.  Restarting
clamd would clear it up.  It may be related to the
outlook winmail.dat encoding of a zip file as well as
the size.  Maybe it wouldn't happen with normal MIME.
I think if clamd just died at a certain memory consumption
level, mimedefang would have handled things correctly and
there might be a way to arrange that.

> I should note that the example/default mimedefang-filter has
> a condition on it to not run spamassassin on very large messages.  It
> might be safe to do the same with virus scanning.  A worm so large that
> most mail hubs would reject on size is not really going to propagate very
> far.

I think that would just beg the virus writers to exploit the
hole.

> > > Use ftp for larger messages.
> >
> > I agree.  Large files should be transfered using something other than
> > email.
> 
> Just to be picky, I always recommend http in the hopes that someday ftp
> will just go away.
> 

You make this sound easy when in fact you are talking about
huge security issues.  My particular instance was just
dumb because the file the user was trying to send was
already on our public ftp server, but that isn't always
the case.  How do you suggest moving a big file that
should be confidential between two users that don't
have write access to a server or a password in common?

---
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] Some installation prob on Solaris 9..Pl reply Urgent

2004-04-16 Thread WBrown
> 1) How to check that MIMEDEFANG is working properly ?

The ultimate proof is to send test messages through the filter.  Send a 
message with a .exe file attached to test the executable blocking.  Send a 
message with the GTUBE string to test that it is calling SpamAssassin.

> 2) What are the important file to look for ?

The most important is the mail log file.  If you're using antivirus, make 
sure it is updating. 

> 3)/var/log/syslog is having following error entry no
> idea what may be the cause :-
 
> milter(mimedefang''): local socket name
> /var/spool/MIMEDefang/mimedefang.sock' unsafe
>   local
 


check this: 
http://lists.roaringpenguin.com/pipermail/mimedefang/2003-November/018069.html


RE: [Mimedefang] Counting mail traffic

2004-04-16 Thread Cormack, Ken
If you need a breakdown of mailsize per users, then it might be easiest to
parse your maillog.  Each log entry showing the "from=" also shows the
sendmail message ID and the "size=".  You would need to search for the
"size=", capture the message ID number, then search the log again, for the
"to=" entry that has the same message ID number.

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Egor
Moskvichev
Sent: Thursday, April 15, 2004 1:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Counting mail traffic


> Simply use the "mailstats" command.  It will give you output that you need.

Thank you for an answer.
I've tried your method, but it's not what I really need. Mailstats output is very
lacking in information:

Statistics from Thu Apr 15 12:49:43 2004
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
 3        0          0K        5         20K        0       0  local
 5        4         19K        0          0K        0       0  esmtp
=============================================================
 T        4         19K        5         20K        0       0
 C        6                    2                    0

I need to know mail traffic for each user exactly.

Egor Mockvichev
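
Added example (not part of the thread): the correlation described at the top of this message, done in one awk pass keyed on the queue ID instead of two searches. It goes a little further than the description by skipping deferred deliveries until they succeed and by splitting multi-recipient to= lists; the log lines are constructed in the usual sendmail layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from a real log.

# mail_bytes_per_user: reads sendmail-style log lines on stdin and prints
#   sent <address> <bytes>     bytes accepted from each sender
#   rcvd <address> <bytes>     bytes delivered to each recipient
mail_bytes_per_user() {
    awk '
    # Normalise an address: drop angle brackets, lowercase, keep <> for bounces.
    function addr(s) { gsub(/[<>]/, "", s); return (s == "" ? "<>" : tolower(s)) }
    {
        # Layout: "<date> <host> <prog>[pid]: <queue-id>: key=value, key=value, ..."
        p = index($0, "]: ");  if (!p) next
        rest = substr($0, p + 3)
        c = index(rest, ": "); if (!c) next
        qid = substr(rest, 1, c - 1)

        # Split the body into key=value pairs, keeping the first of each key.
        n = split(substr(rest, c + 2), f, ", ")
        split("", kv)
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (!eq) continue
            k = substr(f[i], 1, eq - 1)
            if (!(k in kv)) kv[k] = substr(f[i], eq + 1)
        }

        if (("from" in kv) && ("size" in kv)) {
            # Acceptance line: remember the size under the queue ID.
            size[qid] = kv["size"]
            sent[addr(kv["from"])] += kv["size"]
        } else if (("to" in kv) && (qid in size) && kv["stat"] ~ /^Sent/) {
            # Delivery line: count only successful attempts, once per recipient.
            m = split(kv["to"], r, ",")
            for (j = 1; j <= m; j++) rcvd[addr(r[j])] += size[qid]
        }
    }
    END {
        for (u in sent) print "sent", u, sent[u]
        for (u in rcvd) print "rcvd", u, rcvd[u]
    }' | LC_ALL=C sort
}

# Constructed sample: one two-recipient message, one message that is
# deferred and later delivered, and one unrelated line sharing a queue ID.
sample_maillog() {
    cat <<'EOF'
Apr 16 10:00:01 mail sendmail[1234]: i3GE01aB001234: from=<alice@example.com>, size=20480, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=client.example.com [192.0.2.10]
Apr 16 10:00:02 mail sendmail[1236]: i3GE01aB001234: to=<bob@example.org>,<Carol@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
Apr 16 10:00:03 mail mimedefang.pl[2222]: i3GE01aB001234: filter: constructed non-sendmail line
Apr 16 10:05:00 mail sendmail[1240]: i3GE05cD001240: from=<bob@example.org>, size=1000, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=client2.example.org [192.0.2.11]
Apr 16 10:05:01 mail sendmail[1241]: i3GE05cD001240: to=<alice@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com., dsn=4.0.0, stat=Deferred: Connection timed out
Apr 16 10:35:01 mail sendmail[1300]: i3GE05cD001240: to=<alice@example.com>, delay=00:30:01, mailer=esmtp, relay=mx.example.com. [192.0.2.21], dsn=2.0.0, stat=Sent (ok)
EOF
}
```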



[Mimedefang] Some installation prob on Solaris 9..Pl reply Urgent

2004-04-16 Thread manishankar pandey
Dear All,

I just installed MIMEDEFANG on my Solaris 9 with great
difficulty but need to clear some doubt..

1) How to check that MIMEDEFANG is working properly ?
2) What are the important file to look for ?
3)/var/log/syslog is having following error entry no
idea what may be the cause :-


milter(mimedefang''): local socket name
/var/spool/MIMEDefang/mimedefang.sock' unsafe
  local

Permission and all things are fine ...for each file.






Re: [Mimedefang] surbl

2004-04-16 Thread Kelson Vibber
At 01:46 PM 4/13/2004, Lucas Albers wrote:
> Need to patch SA.
> I'm leery of modifying my code, and hopefully the package maintainer for
> my OS will fold in surbl into their package.

As I understand it, the next release of SpamAssassin will be able to handle
this type of feature without patching.

Kelson Vibber
SpeedGate Communications   
