[Mimedefang] abnormal cpu usage
Dear all i have Redhat 9 Pentitum II 398.950 MHz 1 GB RAM .kernel 2.4.26 /var/spool/MIMEdefang mounted as tmpfs server is not too much busy . MX_MAXIMUM=40 last month i removed spamassassin because of heavy load but still the same problem exists. mimedefang keep on opening new process more than 40 like below [EMAIL PROTECTED] root]# pgrep mimedefang | wc -l 80 09:52:27 up 9 min, 1 user, load average: 40.24, 27.17, 12.86 PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 1114 defang 9 0 1376 1372 684 S99.9 0.1 0:00 0 mimedefang 1284 defang20 0 9756 9752 1908 R 8.2 0.9 1:53 0 mimedefang.pl 8730 defang19 0 9708 9704 1908 R 8.0 0.9 0:04 0 mimedefang.pl 1281 defang20 0 9908 9904 1908 R 7.8 0.9 2:32 0 mimedefang.pl 8515 defang20 0 9656 9652 1908 R 7.8 0.9 0:24 0 mimedefang.pl 8711 defang20 0 9708 9704 1908 R 7.6 0.9 0:07 0 mimedefang.pl 1110 defang17 0 9896 9892 1916 R 7.4 0.9 4:45 0 mimedefang.pl 1120 defang20 0 9900 9896 1908 R 7.4 0.9 4:14 0 mimedefang.pl 1265 defang20 0 9868 9864 1908 R 7.2 0.9 3:07 0 mimedefang.pl 1294 defang19 0 9852 9848 1908 R 7.2 0.9 1:20 0 mimedefang.pl 1277 defang18 0 9864 9860 1908 R 6.8 0.9 2:45 0 mimedefang.pl 0077 root 17 0 1516 1516 1152 R 3.1 0.1 0:00 0 snmpwalk ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Poll: Time to drop Trophie support?
One point I prefer Sophie/Sophos vs Clamav is because I can get a newsletter from Sophos indicating new release of IDE (viral signatures). I've set up a procmail catch up which download new IDE as they are released. So I think I'm more uptodate with Sophie/Sophos than with Clamav. Maybe I'm wrong and you can correct me :) BTW, as I have worked for a company who sold Trendmicro ISVW, we were facing a big problem with that product, we wanted to benefit of it's power but also sendmail power. By default, ISVW use a very little of sendmail, nor AUTH, nor SASL, nor real mime treatment, etc. We would have been very interested in Trophie, but the lack of ISVW feature was the big deal. I would have like seeing Trendmicro supporting a little more Trophie as they do not offer a milter solution. Matthew Schumacher wrote: David F. Skoll wrote: Hi, all. Is anyone using Trophie with MIMEDefang? It looks like Trend Micro doesn't give out enough docs for the Trophie author to maintain it. If it's a dead end, I will drop Trophie support. Yell if that will hurt you! It seems like clamav is the best solution for mail systems anyway. I'm looking at replacing sohpie with clamav so I have both running right now and I am finding that nothing is getting though clamav to sophie (sophos). schu ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang -- Jérôme Tytgat Administrateur Réseau et Sécurité ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Problem with clamav 0.70 /tmp full of directories
On fedora core B using mimedefang 2.42 clamav-0.70 or last from cvs I am not sure the problem coming from MD but I have /tmp full of directories drwx-- 2 defang defang 4096 avr 29 10:28 clamav-cf15fe6738d54335 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-628ab4bef9112b1d drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8857c8b5861df0cb drwx-- 2 defang defang 4096 avr 29 10:28 clamav-c7b1de517aa4da1d drwx-- 2 defang defang 4096 avr 29 10:28 clamav-e21fffe5cfd6cd71 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-790919150bd147ae drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8de99ad727552066 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-b8d9d48a30d7b776 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-9ed97da3e284ea86 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-23233323612fa989 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-be8ed231e65d1ebd drwx-- 2 defang defang 4096 avr 29 10:28 clamav-a87aed47b663d439 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-5a3e39480f3f1bb6 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-c7d4e26429093066 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-e4bb63b13645c536 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-955beceaddd2c2c7 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8c8b445896fa1d55 - Ignored: drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8c1c22436fe364e2 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-09e18be16db1a926 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-0d5506f41a9c94b0 . In it there are pieces of files to be scanned I supposed clamav-13ebdb3e9fcf2c4c: total 64 -rw--- 1 defang defang 59838 avr 29 10:29 18_0340013E.pdfrIRTqf clamav-8cc0f61bce8f9e9f: total 108 -rw--- 1 defang defang 1329 avr 29 10:30 unknown7S9Ek5 -rw--- 1 defang defang 100353 avr 29 10:30 Groupe action doc avril 2004.docrCptfV These directories never disapeared Do yo have the same problem ? Thanks Sujet: Problem with clamav.0.70 /tmp full De: jean-marc pouchoulon [EMAIL PROTECTED] Date: Thu, 29 Apr 2004 10:32:44 +0200 Pour: [EMAIL PROTECTED] Hi On fedora core B using mimedefang 2.42 clamav-0.70 or last from cvs I am not sure the problem coming from MD but I have /tmp full of directorys drwx-- 2 defang defang 4096 avr 29 10:28 clamav-cf15fe6738d54335 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-628ab4bef9112b1d drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8857c8b5861df0cb drwx-- 2 defang defang 4096 avr 29 10:28 clamav-c7b1de517aa4da1d drwx-- 2 defang defang 4096 avr 29 10:28 clamav-e21fffe5cfd6cd71 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-790919150bd147ae drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8de99ad727552066 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-b8d9d48a30d7b776 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-9ed97da3e284ea86 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-23233323612fa989 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-be8ed231e65d1ebd drwx-- 2 defang defang 4096 avr 29 10:28 clamav-a87aed47b663d439 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-5a3e39480f3f1bb6 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-c7d4e26429093066 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-e4bb63b13645c536 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-955beceaddd2c2c7 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8c8b445896fa1d55 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-8c1c22436fe364e2 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-09e18be16db1a926 drwx-- 2 defang defang 4096 avr 29 10:28 clamav-0d5506f41a9c94b0 . In it there are pieces of files to be scanned I supposed clamav-13ebdb3e9fcf2c4c: total 64 -rw--- 1 defang defang 59838 avr 29 10:29 18_0340013E.pdfrIRTqf clamav-8cc0f61bce8f9e9f: total 108 -rw--- 1 defang defang 1329 avr 29 10:30 unknown7S9Ek5 -rw--- 1 defang defang 100353 avr 29 10:30 Groupe action doc avril 2004.docrCptfV These directorys never disapeared Do yo have the same problem ? Thanks ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Problem with clamav 0.70 /tmp full of directories
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jean-marc pouchoulon On fedora core B using mimedefang 2.42 clamav-0.70 or last from cvs I am not sure the problem coming from MD but I have /tmp full of directories AFAIK this has been reported on the clam list - trawl the archive there for details. PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly. -- Rob | What part of no was it you didn't understand? ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Managing Quarantined Messages
[EMAIL PROTECTED] wrote on 04/28/2004 08:12:27 PM: Ahem... that's why we get the big bucks for CanIt... I disagree. But only with your use of the phrase big bucks. I found CanIT Pro to be one of the most affordable spam solutions on the market. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] abnormal cpu usage
From the list below: mimedefang keep on opening new process more than 40 like below PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 1114 defang 9 0 1376 1372 684 S99.9 0.1 0:00 0 mimedefang 1284 defang20 0 9756 9752 1908 R 8.2 0.9 1:53 0 mimedefang.pl 8730 defang19 0 9708 9704 1908 R 8.0 0.9 0:04 0 mimedefang.pl 1281 defang20 0 9908 9904 1908 R 7.8 0.9 2:32 0 mimedefang.pl 8515 defang20 0 9656 9652 1908 R 7.8 0.9 0:24 0 mimedefang.pl It looks like you have processes from a previous session (all PIDs starting with 8) as well as those from the current session, starting with 1, which were spawned by 1114. Linux systems have been reported previously to have problems in shutting down slaves - to be sure, modify your init script to issue a pkill to all mimedefang.pl processes as part of the stop section: pkill -9 mimedefang.pl Best Wishes, Paul. __ Paul Murphy Head of Informatics Ionix Pharmaceuticals Ltd 418 Science Park, Cambridge, CB4 0PA Tel. 01223 433741 Fax. 01223 433788 ___ DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please contact the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741 ___ ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] abnormal cpu usage
On Thu, 29 Apr 2004, Muhammad Talha wrote: i have Redhat 9 Pentitum II 398.950 MHz 1 GB RAM .kernel 2.4.26 /var/spool/MIMEdefang mounted as tmpfs 400MHz is a rather slow processor. Try using the embedded Perl interpreter (-E option to the multiplexor.) Try stracing one of the Perl filters to see what it's doing. It might be a network-related issue. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Managing Quarantined Messages
On Wed, 28 Apr 2004, Tim Pushor wrote: sendmail -odi -f`cat SENDER` `cat RECIPIENTS` ENTIRE_MESSAGE Actually, I made a typo: It should be -oi and not -odi Yeah thats fine, but two things initially popped up, one the not filtering 127.0.0.1 - I don't know if this would affect anything else - how about if I use stream_by_recipient or domain - wouldn't these messages be coming through with localhost being the relay? I would still want to filter these.. See PRESERVING RELAY INFORMATION in the mimedefang-filter man page to get around that. Also is it possible that some recipients already got the message? Nope. They won't show up in the RECIPIENTS file if it was streamed. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Problem with HTML messages
Thanks David, it's working .. Regards, Sylvain PEPIN - Original Message - From: David F. Skoll [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, April 28, 2004 2:40 PM Subject: Re: [Mimedefang] Problem with HTML messages On Wed, 28 Apr 2004 [EMAIL PROTECTED] wrote: I'm using MimeDefang v2.39, on a RH9. Few of my users complained they don't received messages contain HTML body correctly. The messages bodies are replaced by this message : No text/plain version of the HTML message available I didn't have this trouble with the previous installed vesion (v2.33). Remove or comment out this line in /etc/mail/mimedefang-filter: remove_redundant_html_parts($entity); and restart MIMEDefang. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Starting with embedded perl
On Thu, 29 Apr 2004, J.D. Bronson wrote: Is there any way to verify that it is using the embedded Perl interpreter? Enable multiplexor logging; you should see this in the mail log when MD starts: Apr 27 15:56:50 www mimedefang-multiplexor[28323]: Initialized embedded Perl interpreter Also, if you do ps auxww | grep mimedefang, you'll see a bunch of mimedefang-multiplexor processes, and no mimedefang.pl processes. (The ps options are Linux/BSDish. Solaris would be ps -ef) -- David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Poll: Time to drop Trophie support?
Jerome Tytgat wrote: One point I prefer Sophie/Sophos vs Clamav is because I can get a newsletter from Sophos indicating new release of IDE (viral signatures). I've set up a procmail catch up which download new IDE as they are released. So I think I'm more uptodate with Sophie/Sophos than with Clamav. ClamAV offers an email list of virus signature updates as well: http://lists.sourceforge.net/lists/listinfo/clamav-virusdb It's been my experience that ClamAV updates their signatures VERY fast; much faster than McAfee (the only other antivirus program that I have much experience with). Bugtraq indicates that they've been faster than Sophos too: http://www.securityfocus.com/archive/1/353379/2004-02-07/2004-02-13/0 I'd recommend that you give ClamAV a try; as others on the list have pointed out, you can set up MIMEDefang to use both virus scanners for a while, so you can test out ClamAV and make sure that it isn't letting anything through to Sophie. Josh Kelley ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Poll: Time to drop Trophie support?
- Original Message - From: Jerome Tytgat [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 29, 2004 2:28 AM Subject: Re: [Mimedefang] Poll: Time to drop Trophie support? One point I prefer Sophie/Sophos vs Clamav is because I can get a newsletter from Sophos indicating new release of IDE (viral signatures). I've set up a procmail catch up which download new IDE as they are released. Use freshclam and set it to poll the virus signature servers twice an hour: freshclam --checks=48 That will have substantially the same effect, and you don't have to wait an arbitrarily long time for someone's mail server to get the message delivered to you. If the list has many thousands of subscribers, it could be a while. Chris Myers Networks By Design ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Starting with embedded perl
At 08:31 AM 04/29/2004, you wrote: On Thu, 29 Apr 2004, J.D. Bronson wrote: Is there any way to verify that it is using the embedded Perl interpreter? Enable multiplexor logging; you should see this in the mail log when MD starts: Apr 27 15:56:50 www mimedefang-multiplexor[28323]: Initialized embedded Perl interpreter Also, if you do ps auxww | grep mimedefang, you'll see a bunch of mimedefang-multiplexor processes, and no mimedefang.pl processes. (The ps options are Linux/BSDish. Solaris would be ps -ef) -- David. Sure enough: ps auxww | grep mimedefang defang 23858 0.0 1.01140810304 ?S 08:08:33 0:00 /usr/local/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -E -S LOCAL5 -m 1 -x 4 -U defang -i 120 -b 600 -R 1 -M 3 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock defang 23870 0.0 0.2 2264 1276 ?S 08:08:33 0:00 /usr/local/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -U defang -S LOCAL5 -p /var/spool/MIMEDefang/mimedefang.sock defang 23871 0.0 0.611600 6216 ?S 08:08:34 0:00 /usr/local/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -E -S LOCAL5 -m 1 -x 4 -U defang -i 120 -b 600 -R 1 -M 3 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock ..Thanks David! -- J.D. Bronson Aurora Health Care // Information Services // Milwaukee, WI USA Office: 414.978.8282 // Email: [EMAIL PROTECTED] // Pager: 414.314.8282 ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] OT: adaptec scsi card help with fedora
Hi All, Sorry its way off topic, but I am trying to get a new mimedefang server up and running. Problem is it's the Intel nightshade board. I've disabled the symbios scsi chip and got a pci Adaptec aha 2940uw card to replace it. Trouble is where fedora used to hang on the smybios driver install it now hangs on the Adaptec driver install aic 7xxx. I have tried the Linux dd install with a driver disk and the Linux noprobe, neither of which will recognize the disks when it gets to partition time. Can anyone give me some advice on solving this issue? Andrew ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Poll: Time to drop Trophie support?
That will have substantially the same effect, Absolutely not, with the method I use I don't have to open unuseful internet connections. And the method is really less aggressive. I really prefer the PUSH method to the PULL method. and you don't have to wait an arbitrarily long time for someone's mail server to get the message delivered to you. If there mail server is slow, I'm guess there FTP/HTTP server might be too... If the list has many thousands of subscribers, it could be a while. Yes of course, you r right but I'm pretty sure I'll be more uptodate than using a scheduler. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Poll: Time to drop Trophie support?
I'd recommend that you give ClamAV a try; as others on the list have pointed out, you can set up MIMEDefang to use both virus scanners for a while, so you can test out ClamAV and make sure that it isn't letting anything through to Sophie. thanks for the advice, but I fact, I'm already using the two one with Mimedefang modified because I wanted Sophos/Sophie first. Mainly because I wanted to use the Virus Names given by Sophos and not the ones given by Sophos (which looks likes difficult to find in antivirus web site as they are not listed in alias virus names). ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Poll: Time to drop Trophie support?
If the list has many thousands of subscribers, it could be a while. Yes of course, you r right but I'm pretty sure I'll be more uptodate than using a scheduler. Only if you're around 24x7x365, and can get your e-mail delivered and acted upon within 30 minutes. These days, it is not unusual to see a virus released over a holiday weekend, on the basis that it will be able to spread to a lot more machines before anyone picks up the warning and updates their signature files. Doing a freshclam check consumes so little bandwidth that it is a no-brainer to use it. By all means subscribe to the mailing list and update when a notification comes out if it makes you happy, but don't take away the safety net on the assumption that you'll never be ill, or forget, or fail to receive the e-mail. Best Wishes, Paul. __ Paul Murphy Head of Informatics Ionix Pharmaceuticals Ltd 418 Science Park, Cambridge, CB4 0PA Tel. 01223 433741 Fax. 01223 433788 ___ DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please contact the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741 ___ ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] backup quarantine directory, large number of files.
I am trying to backup my quarantine directory. So I can delete the original from disk. But it appears tar is unable to handle the large number of files. What method have you used to backup upwards of 30K directories in a directory, on linux? -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] OT: adaptec scsi card help with fedora
On Thu, 29 Apr 2004, Andrew Jayes wrote: Sorry its way off topic, but I am trying to get a new mimedefang server up and running. Problem is it's the Intel nightshade board. I've disabled the symbios scsi chip and got a pci Adaptec aha 2940uw card to replace it. Trouble is where fedora used to hang on the smybios driver install it now hangs on the Adaptec driver install aic 7xxx. I have tried the Linux dd install with a driver disk and the Linux noprobe, neither of which will recognize the disks when it gets to partition time. Ah, it's a known issue, but the workarounds aren't guaranteed: https://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=107880 --Paul Heinlein [EMAIL PROTECTED] ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] backup quarantine directory, large number of fil es.
What method have you used to backup upwards of 30K directories in a directory, on linux? I'd use cpio... # cd /var/spool/MD-Quarantine cpio to an on-disk archive... # find . -depth -print | cpio -ocvB /tmp/backup.cpio cpio to a tape device... # find . -depth -print | cpio -ocvB /dev/devicename To restore the whole thing, use this syntax... # cd /var/spool/MD-Quarantine # cpio -icvdumB /tmp/backup.cpio or # cpio -icvdumB /dev/devicename To restore a select file or directory... # cpio -icvdumB dirname/filename /tmp/backup.cpio ...and so on. KEN CORMACK, RHCE Sr. UNIX Systems Analyst, Open Systems Group Sr. Software Analyst, TSG Midrange Systems Group AFFILIATED COMPUTER SERVICES, INC. If that that is 'is' is that that is not 'not is', is that that is 'not is' that that is not 'is'? It is! - Ken Cormack Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken. - Unknown ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] B W lists
Hi All, I have black white lists in a mysql database that we check using our own code instead of SpamAssassins built-in functionality (so that they are not constrained by size limitations like spam_assassin_check is and because I don't run SpamAssassin in spamd mode). However our own functionality is limited to checking the envelop sender ($Sender) and not other From or Reply-To headers. So a couple of questions: - Is it correct that SpamAssassins built-in database functionality is only available in spamd mode? - Does SpamAssassins built-in database functionality have a where clause? - The only way of obtaining the From and Reply-To headers [from within the mimdefang-filter script] is by explicitly reading ./INPUTMSG? - What kind of overhead would reading/greping ./INPUMSG on a per mail basis place on an already loaded scanning box? Thanks for any help on this, Chris __ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] B W lists
On Thu, 29 Apr 2004, Chris Masters wrote: So a couple of questions: I can't answer them all, but I'll tackle the ones I can: - The only way of obtaining the From and Reply-To headers [from within the mimdefang-filter script] is by explicitly reading ./INPUTMSG? Actually, you want to read ./HEADERS, not ./INPUTMSG. - What kind of overhead would reading/greping ./INPUMSG on a per mail basis place on an already loaded scanning box? Small, I would think, if your MIMEDefang spool is on a ramdisk. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] abnormal cpu usage
So its not just me having this issue? Nice to know (sort of ;-) And I'm still trying to figure out why that is. If anyone's keeping track: Kernel 2.4.18 sendmail-8.12.9 sendmail-8.12.11 mimedefang 2.39 2.41 perl v5.6.1 with and without spamassassin (yes, items exist on different boxes, and there's a lot missing from that list) -Paul Whittney On Thu, Apr 29, 2004 at 01:09:04PM +0100, Paul Murphy wrote: Linux systems have been reported previously to have problems in shutting down slaves - to be sure, modify your init script to issue a pkill to all mimedefang.pl processes as part of the stop section: ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Feature / SOP Request
Already using it...
Its works for me, but it's no way optimized:
(Sorry, word wrapping may cause some issues...)
--- code ---
sub filter_bad_filename_paw ($) {
my($entity) = @_;
my($bad_exts, $re, $result, $quar, $qre, $quar_exts);
$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fx
p|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|p
rg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]
+\})';
$quar_exts = '(dll|pif|scr)';
# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$re = '\.' . $bad_exts . '\.*$';
$qre = '\.' . $quar_exts . '\.*$';
$result = re_match($entity, $re);
$quar = re_match($entity, $qre);
return ($result, $quar);
}
--- end code ---
Then, to use it, alter the filter_bad_filename references to:
--- code ---
# PAW Change, bad filenames, with Really bad filename checking
($res,$quar) = filter_bad_filename_paw($entity);
if ($quar) {
md_graphdefang_log('bad_filename_paw', $fname, $type);
action_quarantine($entity,Message quarantined because of bad .
filename extension in part\n .
** NOTE ** This email was silently discarded\n .
-emailAdmin\n);
return action_discard();
}
if ($res) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_quarantine($entity, An attachment named $fname .
was removed from this document as it\n .
constituted a security hazard. If you require this .
document, please contact\n.
the sender and arrange an alternate means of receiving
it.\n);
}
--- end code ---
Someone could do a batter job, I admit... Also, a bounce might be a better
idea, but the Mail server would have to accept nearly all, if not all,
the email anyway... Depends if you like giving an error, or silent
discard.
In fact, I found that a bounce returned the whole email to me,
including the attachment, which caused the possible forged From:
address to get what ever was bad... Thoughts?
Note: The list of extensions might be different from what is in use..
I didn't add to CVS until after I did the function, so I don't if I
changed it or not.
-Paul Whittney
On Wed, Apr 28, 2004 at 02:47:14PM -0400, Kevin A. McGrail wrote:
Split the bad_exts into two lists: bad_exts and REALLY_bad_exts.
Add things are NEVER legitimate mail (like .scr and .pif) to
really_bad_exts.
Have this really_bad_exts checked during the virus routine so that those
mails can be silently discarded. False positives are nil and the users are
always confused.
Then the bad_exts list can still contain .exe's etc. that might need to be
quarantined.
KAM
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Spamassassin 3.0 + MD 2.42
I've been testing SA 3.0 (CVS) plus MD 2.42 (latest release), and I am happy to report that the two are working together rather well! In addition, the SPF rules within SpamAssassin are a must! (check out the Linux Journal article(s) regarding the implementation of SPF on your servers! http://www.linuxjournal.com/article.php?sid=7327 and the follow up article at http://www.linuxjournal.com/article.php?sid=7328) -Rich -- Richard West $14.95 Registrations mailto:[EMAIL PROTECTED] Wesmo Computer Services.com .net .org .tv .cchttp://www.wesmo.com Full Domain Web Hosting .BIZ .INFO MORE!! ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Upgrade from 2.38 to 2.42
HI all, Working a lot here, that a miss some upgrades of MD. Is there any special item that I should take care when upgrading from 2.38 to 2.42? My filter will work seamless? - Marcelo ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Upgrade from 2.38 to 2.42
Did for me!! HI all, Working a lot here, that a miss some upgrades of MD. Is there any special item that I should take care when upgrading from 2.38 to 2.42? My filter will work seamless? - Marcelo ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang -- Peter P. Benac, CCNA Emacolet Networking Services, Inc Phone: 919-847-1740 Web: http://www.emacolet.com For free expert system and network management advice visit: http://www.nmsusers.org ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Upgrade from 2.38 to 2.42
Peter - If you use any sort of virus scanner, then preserving your old mimedefang-filter will NOT work, since David moved the virus-scanner calls from mimedefang-filter to mimedefang.pl just a version-or-two ago. So, either: 1. you dont employ an external virus scanner (other than File::Scan) 2. you merged your customizations into the new mimedefang-filter and dont remember doing so 3. you had never modified your original mimedefang-filter and/or mimedefang.pl in the first place, and just blindly overwrote them with the new versions 4. you upgraded all portions of mimedefang except for mimedefang.pl and mimedefang-filter (not sure how well that would work) 5. you did not upgrade (at least not from as far back as 2.38 to 2.42 in one swoop.) Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Peter P. Benac Sent: Thursday, April 29, 2004 3:48 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Mimedefang] Upgrade from 2.38 to 2.42 Did for me!! HI all, Working a lot here, that a miss some upgrades of MD. Is there any special item that I should take care when upgrading from 2.38 to 2.42? My filter will work seamless? - Marcelo ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang -- Peter P. Benac, CCNA Emacolet Networking Services, Inc Phone: 919-847-1740 Web: http://www.emacolet.com For free expert system and network management advice visit: http://www.nmsusers.org ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Upgrade from 2.38 to 2.42
Hi, I have just configure/compile the 2.42 and as a silly test I did, before install: perl mimedefang.pl -test And the following error ocurred: Can't locate warnings.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.005/i386-freebsd /usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach /usr/libdata/perl/5.00503) at ./mimedefang.pl line 22. BEGIN failed--compilation aborted at ./mimedefang.pl line 22. Is there any new Perl module required? I running FreeBSd 4.7, with perl 5.5.3. Should I upgrade Perl to 5.8 ? - Marcelo On Thu, 29 Apr 2004, Cormack, Ken wrote: |Peter - | |If you use any sort of virus scanner, then preserving your old |mimedefang-filter will NOT work, since David moved the virus-scanner calls |from mimedefang-filter to mimedefang.pl just a version-or-two ago. | |So, either: | |1. you dont employ an external virus scanner (other than File::Scan) |2. you merged your customizations into the new mimedefang-filter and dont |remember doing so |3. you had never modified your original mimedefang-filter and/or |mimedefang.pl in the first place, and just blindly overwrote them with the |new versions |4. you upgraded all portions of mimedefang except for mimedefang.pl and |mimedefang-filter (not sure how well that would work) |5. you did not upgrade (at least not from as far back as 2.38 to 2.42 in one |swoop.) | |Ken | |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] Behalf Of Peter |P. Benac |Sent: Thursday, April 29, 2004 3:48 PM |To: [EMAIL PROTECTED] |Cc: [EMAIL PROTECTED] |Subject: Re: [Mimedefang] Upgrade from 2.38 to 2.42 | | |Did for me!! | | | HI all, | | Working a lot here, that a miss some upgrades of MD. | Is there any special item that I should take care when upgrading | from 2.38 to 2.42? | My filter will work seamless? | | | - Marcelo | | | ___ | Visit http://www.mimedefang.org and http://www.canit.ca | MIMEDefang mailing list | [EMAIL PROTECTED] | http://lists.roaringpenguin.com/mailman/listinfo/mimedefang | | | |-- |Peter P. Benac, CCNA |Emacolet Networking Services, Inc |Phone: 919-847-1740 |Web: http://www.emacolet.com |For free expert system and network management advice visit: |http://www.nmsusers.org | |___ |Visit http://www.mimedefang.org and http://www.canit.ca |MIMEDefang mailing list |[EMAIL PROTECTED] |http://lists.roaringpenguin.com/mailman/listinfo/mimedefang |___ |Visit http://www.mimedefang.org and http://www.canit.ca |MIMEDefang mailing list |[EMAIL PROTECTED] |http://lists.roaringpenguin.com/mailman/listinfo/mimedefang | - Marcelo ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Upgrade from 2.38 to 2.42
On 29 Apr 2004 at 17:43, [EMAIL PROTECTED] wrote: snip Can't locate warnings.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.005/i386-freebsd /usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach /usr/libdata/perl/5.00503) at ./mimedefang.pl line 22. BEGIN failed--compilation aborted at ./mimedefang.pl line 22. Is there any new Perl module required? I running FreeBSd 4.7, with perl 5.5.3. Technically, it's 5.00503. :-) Anyway, you *can* get away with commenting out the use warnings line near the beginning of mimedefang.pl--David has stated that its functionality is only required for Can-It. Should I upgrade Perl to 5.8 ? Up to you. :-) However, if you use SpamAssassin you probably will want to upgrade to at least perl 5.6.x fairly soon because the upcoming 3.0 release will not support your perl version. The new Mail::SpamAssassin::SpamCopURI plugin for SA 2.63 requires a newer perl as well, if you feel inclined to try that out. Nels Lindquist * Quidquid latine dictum sit altum viditur. Whatever is said in Latin, sounds profound. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] socket file is 'unsafe'. How to fix?
MD 2.42 warns me that the socket file is unsafe. Then is shuts down. Here is the error, plus the permissions on the files: Apr 29 16:09:21 phobos sm-mta[9033]: [ID 801593 mail.error] i3TK9ALm009033: Milter (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe /var/spool/MIMEDefang total 6 -rw-r- 1 defang other 5 Apr 29 16:09 mimedefang.pid -rw-r- 1 defang other 5 Apr 29 16:09 mimedefang-multiplexor.pid srw--- 1 defang other 0 Apr 29 16:09 mimedefang-multiplexor.sock drwxr-x--- 2 defang other512 Apr 24 15:01 mdefang-i3OJ15tZ025803 Thanks for any hints you can give me. Henry ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Spamassassin 3.0 + MD 2.42
On 29 Apr 2004 at 15:20, Rich West wrote: I've been testing SA 3.0 (CVS) plus MD 2.42 (latest release), and I am happy to report that the two are working together rather well! In addition, the SPF rules within SpamAssassin are a must! (check out the Linux Journal article(s) regarding the implementation of SPF on your servers! http://www.linuxjournal.com/article.php?sid=7327 and the follow up article at http://www.linuxjournal.com/article.php?sid=7328) Even if you're *not* running SpamAssassin, you can pretty easily make use of the Mail::SPF::Query module directly within your mimedefang- filter, and if you can reject a message due to SPF policy and thereby avoid a SpamAssassin call, it's more efficient! Nels Lindquist * Quidquid latine dictum sit altum viditur. Whatever is said in Latin, sounds profound. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] OT: adaptec scsi card help with fedora
I've heard terrible things about linux and these boards. I have a friend that tried exactly that but never could he get linux (he tried redhat 89 and suse 8.29) to install. Windows (ick) installed fine which is weird. Stephen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Jayes Sent: Thursday, April 29, 2004 10:18 AM To: [EMAIL PROTECTED] Subject: [Mimedefang] OT: adaptec scsi card help with fedora Hi All, Sorry its way off topic, but I am trying to get a new mimedefang server up and running. Problem is it's the Intel nightshade board. I've disabled the symbios scsi chip and got a pci Adaptec aha 2940uw card to replace it. Trouble is where fedora used to hang on the smybios driver install it now hangs on the Adaptec driver install aic 7xxx. I have tried the Linux dd install with a driver disk and the Linux noprobe, neither of which will recognize the disks when it gets to partition time. Can anyone give me some advice on solving this issue? Andrew ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Managing Quarantined Messages
On Wed, 2004-04-28 at 18:35, David F. Skoll wrote: On Wed, 28 Apr 2004, Tim Pushor wrote: You know, I was half expecting this answer ;-) Well, you know, gotta try... So how much for a home user with 1-5 users ;). -- Stephen John Smoogen[EMAIL PROTECTED] Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645 Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545 -- You should consider any operational computer to be a security problem -- ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Upgrade from 2.38 to 2.42
Hi, I have just configure/compile the 2.42 and as a silly test I did, before install: perl mimedefang.pl -test And the following error ocurred: Can't locate warnings.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.005/i386-freebsd /usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach /usr/libdata/perl/5.00503) at ./mimedefang.pl line 22. BEGIN failed--compilation aborted at ./mimedefang.pl line 22. Is there any new Perl module required? I running FreeBSd 4.7, with perl 5.5.3. Should I upgrade Perl to 5.8 ? - Marcelo On Thu, 29 Apr 2004, Cormack, Ken wrote: |Peter - | |If you use any sort of virus scanner, then preserving your old |mimedefang-filter will NOT work, since David moved the virus-scanner calls |from mimedefang-filter to mimedefang.pl just a version-or-two ago. | |So, either: | |1. you dont employ an external virus scanner (other than File::Scan) |2. you merged your customizations into the new mimedefang-filter and dont |remember doing so |3. you had never modified your original mimedefang-filter and/or |mimedefang.pl in the first place, and just blindly overwrote them with the |new versions |4. you upgraded all portions of mimedefang except for mimedefang.pl and |mimedefang-filter (not sure how well that would work) |5. you did not upgrade (at least not from as far back as 2.38 to 2.42 in one |swoop.) | |Ken | |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] Behalf Of Peter |P. Benac |Sent: Thursday, April 29, 2004 3:48 PM |To: [EMAIL PROTECTED] |Cc: [EMAIL PROTECTED] |Subject: Re: [Mimedefang] Upgrade from 2.38 to 2.42 | | |Did for me!! | | | HI all, | | Working a lot here, that a miss some upgrades of MD. | Is there any special item that I should take care when upgrading | from 2.38 to 2.42? | My filter will work seamless? | | | - Marcelo | | | ___ | Visit http://www.mimedefang.org and http://www.canit.ca | MIMEDefang mailing list | [EMAIL PROTECTED] | http://lists.roaringpenguin.com/mailman/listinfo/mimedefang | | | |-- |Peter P. Benac, CCNA |Emacolet Networking Services, Inc |Phone: 919-847-1740 |Web: http://www.emacolet.com |For free expert system and network management advice visit: |http://www.nmsusers.org | |___ |Visit http://www.mimedefang.org and http://www.canit.ca |MIMEDefang mailing list |[EMAIL PROTECTED] |http://lists.roaringpenguin.com/mailman/listinfo/mimedefang |___ |Visit http://www.mimedefang.org and http://www.canit.ca |MIMEDefang mailing list |[EMAIL PROTECTED] |http://lists.roaringpenguin.com/mailman/listinfo/mimedefang | - Marcelo ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] MD SpamAssassin behavior change
Recently upgraded to MD 2.41 from 2.27. This section of the man page caught my eye. $AddApparentlyToForSpamAssassin By default, MIMEDefang tries to pass SpamAssassin a message that looks exactly like one it would receive via procmail. This means adding a Received: header, adding a Message-ID header if necessary, and adding a Return-Path: header. If you set $AddAp- parentlyToForSpamAssassin to 1, then MIMEDefang also adds an Apparently-To: header with all the envelope recipients before passing the message to SpamAssassin. This lets SpamAssassin detect possibly whitelisted recipient addresses. The default value for $AddApparentlyToForSpamAssassin is 0. I had custom SA rules to check for the non-existance of the Received header or the Message-ID header which I found to be fairly effective in helping catch direct to MX spam. header ECC_MSGID_MISSING Message-Id =~ /^UNSET$/ [if-unset: UNSET] header ECC_RCVD_MISSING Received =~ /^UNSET$/ [if-unset: UNSET] Obviously, these don't work now. The man page states By default these headers are added, which would imply that this is optional. Is there a way to turn this back off? If this can't be turned off, is there an example of what these headers would look like - so that I can make rules to look for them? ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?)
- Original Message - From: David F. Skoll [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 29, 2004 11:28 AM Subject: Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?) On Thu, 29 Apr 2004, Paul Murphy wrote: the basis that it will be able to spread to a lot more machines before anyone picks up the warning and updates their signature files. Doing a freshclam check consumes so little bandwidth that it is a no-brainer to use it. Freshclam actually uses an astounding amount of bandwidth if you aggregate it across all Freshclam users. I don't have the statistics handy, but I remember reading that each clam mirror does over 100GB/month. I wonder if there's a very light way to announce updates? Maybe a DNS record with a TTL of a few minutes that gets updated with the latest DB version string? It might lower the load on the DB servers. (Unfortunately, DNS is not secure.) Actually, that would probably crush the servers instead since everyone would pounce on the signature update seconds after it was released. At least this way it's spread over an hour or two. 100GB a month actually isn't that much bandwidth, it's only 17% of a T1 line if the load were spread out over a month. Obviously there are bursts rather than a constant load, but folks with 10M/45M/155M connections are a lot more common today -- and if they aren't an ISP, the odds are good that normal use is inbound-traffic-heavy, so outbound traffic is virtually free and doesn't affect operations. Still, it's definitely good to run your own signature server if you have a number of systems running ClamAV. Much more polite! Chris Myers Networks By Design ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
