Re: [Mimedefang] canonicalize_email error

2005-05-04 Thread alan premselaar
Tim Boyer wrote:
I tried putting in one of the subroutines that David presented at the
Lisa '03 session.  It's got the line
   $recipient = canonicalize_email($recipient);
in filter_recipient.
But when I run it, I get this in the logs:
...snip...
Have I typed it wrong?  Spelled it wrong?

Tim,
 You need to actually define a subroutine called "canonicalize_email" 
in the filter as well.

mine looks like:
sub canonicalize_email ($) {
    my ($email) = @_;
    # strip the angle brackets sendmail passes around the address
    $email =~ s/[<>]//g;
    return lc($email);
}
basically all it does is remove any < or > from the email and return it 
in lowercase.

hope this helps.
alan
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Validate users before scanning?

2005-05-04 Thread John Nemeth
On Sep 24,  7:35am, "David F. Skoll" wrote:
} Kelson wrote:
} 
} > Shouldn't this be happening anyway?  You do your virus scanning in
} > filter_begin or filter_end, right?  Those get triggered in the DATA
} > phase.  The virtusertable lookups should be done for each RCPT TO.  If
} > there are no valid recipients, will sendmail even accept anything for DATA?
} 
} > Or am I just completely confused here as to the process?
} 
} Here's the problem:  Consider this SMTP session:
} 
} C: MAIL FROM:<[EMAIL PROTECTED]>
} S: 250 Sender ok
} C: RCPT TO:<[EMAIL PROTECTED]>
} S: 250 Recipient ok
} C: RCPT TO:<[EMAIL PROTECTED]>
} S: 550 User unknown
} C: DATA
} S: 354 Enter mail...
} C: 
} S: 200 Mail accepted
} 
} Although [EMAIL PROTECTED] doesn't exist, the milter is still passed
} it, and it is NOT told by Sendmail that delivery will fail.  Normally,
} this isn't a big deal, but if you're streaming by recipient, it is
} a big deal.
} 
} The only workaround is to (also) validate recipients in filter_recipient,
} because if *that* function rejects a recipient, then MIMEDefang is smart
} enough not to add it to @Recipients by the time filter_begin is invoked.
} 
} I believe there were patches to Sendmail floating around that skipped
} the milter callback if the RCPT command would fail for other reasons,
} but those patches were never accepted by the Sendmail developers.
} (The rationale is that your milter might indeed want to know about
} all RCPT TO commands, even ones that fail.)

 I created a patch.  I realise that this thread is pretty much dead
now, but here it is anyways:

*** srvrsmtp.c.orig Thu Nov 18 13:46:01 2004
--- srvrsmtp.c  Mon Jan  3 20:13:58 2005
***
*** 2603,2608 
--- 2603,2613 
if (bitset(EF_DISCARD, e->e_flags))
a->q_state = QS_VERIFIED;
  
+   /* save in recipient list after ESMTP mods */
+   a = recipient(a, &e->e_sendqueue, 0, e);
+   if (Errors > 0)
+   goto rcpt_done;
+ 
  #if MILTER
if (smtp.sm_milterlist && smtp.sm_milterize &&
!bitset(EF_DISCARD, e->e_flags))
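Review bot: the comment "/* save in recipient list after ESMTP mods */" travels with the recipient() call but no longer describes where it sits: the call now runs before the milter block and, as the second hunk's context shows (the `macid("{dsn_notify}")` setting still follows), before the per-recipient ESMTP parameters are processed. Either reword the comment or confirm that NOTIFY/ORCPT handling still reaches the address already placed on e_sendqueue. The `if (Errors > 0) goto rcpt_done;` here is what makes the milter callback skip a recipient sendmail would refuse, which is the stated intent, so that part reads correctly.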
***
*** 2625,2635 
macid("{dsn_notify}"), NULL);
if (Errors > 0)
goto rcpt_done;
- 
-   /* save in recipient list after ESMTP mods */
-   a = recipient(a, &e->e_sendqueue, 0, e);
-   if (Errors > 0)
-   goto rcpt_done;
  
/* no errors during parsing, but might be a duplicate */
e->e_to = a->q_paddr;
--- 2630,2635 
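Review bot: with `a = recipient(a, &e->e_sendqueue, 0, e);` removed from after the milter block, a milter rejection at RCPT now happens after the address has already been added to the send queue by the moved call, whereas before this patch a milter-rejected recipient was never queued. The prose below says flagging such a recipient with the error mailer is still on the to-do list; until that is done, check that the milter error path marks or drops the already-queued address, otherwise a recipient the milter rejected could remain deliverable. The `e->e_to = a->q_paddr;` duplicate check that follows still relies on `a` being recipient()'s return value, which the earlier call now provides.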

This patch is against sendmail-8.13.4/sendmail/srvrsmtp.c.  It should
apply to other versions with minor fuzz.  All it does is move the
checks for "other things" above the milter call.  The usual disclaimers
apply, if it breaks your server, you get to keep both parts, etc.
Having said that, I use it on my production mail server that handles
about 15,000 messages per day.  Changing it to just flag the recipient
with the error mailer is on the list of things to do someday.

}-- End of excerpt from "David F. Skoll"


[Mimedefang] canonicalize_email error

2005-05-04 Thread Tim Boyer
I tried putting in one of the subroutines that David presented at the
Lisa '03 session.  It's got the line

   $recipient = canonicalize_email($recipient);


in filter_recipient.

But when I run it, I get this in the logs:

May  4 21:57:52 melbourne mimedefang-multiplexor[3916]: Slave 0 stderr: Undefined subroutine &main::canonicalize_email called at /etc/mail/mimedefang-filter line 245,  line 6.

Have I typed it wrong?  Spelled it wrong?



-- 
Tim Boyer
[EMAIL PROTECTED]



[Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Tina Marie
<[EMAIL PROTECTED]> wrote:
> So, you probably don't need to mess with address verification at all.
> Any email message you get with at least one valid address needs to be
> scanned - and will be scanned, ONCE.  Any email message you get with 
> no valid email addresses will be rejected before the DATA phase and 
> there will be nothing to scan.

I Am An Idiot.  You're right, of course.  I added some more-traditional
logging to verify.  And the stupid thing is, I remember reading that
comment when I modified that line originally.

I'll just be over here flogging myself with a wet socket.

Thanks for your help!

Tina Marie
-- 
http://www.tripacerdriver.com   "...One of the main causes 
of the fall of the Roman Empire was that, lacking zero, they had no way
to indicate successful termination of their C programs." (Robert Firth)  



Re: [Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Kelson
Tina Marie wrote:
My logfiles have this (where the real domain is replaced with
mydomain.org):
May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked
May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked
So filter_begin is definitely called twice, once for each recipient,
one valid and one invalid.  This pattern is repeated, with varying
numbers of recipients, all through my logs.  I believe there is 
always at least one valid recipient, but I don't really have tools
to say that for certain.
Actually, a single call to md_graphdefang_log writes one line per 
recipient, configurable via the second parameter to 
md_graphdefang_log_enable (see man mimedefang-filter).

filter_begin is only called once per message regardless of how many 
recipients there are.  Since those lines show the same sendmail ID and 
the same time, it's just a duplicate log item, not an indication that 
the message is being scanned twice.

--
Kelson Vibber
SpeedGate Communications 


RE: [Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Matthew.van.Eerde
Tina Marie wrote:
> <[EMAIL PROTECTED]> wrote:
> My logfiles have this (where the real domain is replaced with
> mydomain.org):
> 
> May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked
> May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked
> 
> So filter_begin is definitely called twice, once for each recipient,
> one valid and one invalid.

Ah!  No it isn't.  It's being called once.  Those are graphdefang logs.  See 
these lines in your filter:

# An optional second argument causes a line of output to be produced
# for each recipient (if it is 1), or only a single summary line
# for all recipients (if it is 0.)  The default is 1.
# Comment this line out to disable logging.
#***
md_graphdefang_log_enable('local5', 1);

So, you probably don't need to mess with address verification at all.  Any 
email message you get with at least one valid address needs to be scanned - and 
will be scanned, ONCE.  Any email message you get with no valid email addresses 
will be rejected before the DATA phase and there will be nothing to scan.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 



[Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Tina Marie
<[EMAIL PROTECTED]> wrote:
> First, it's somewhat silly to run md_check_against_smtp_server(...) against 
> localhost.
> The way md_check_against_smtp_server works is it opens an SMTP conversation 
> to that 
> server, followed by a RCPT TO command.  This is itself calling 
> filter_recipient, 
> and you get an infinite loop.

Well, that explains it. :)

> So you're tempfailing due to some kind of recursive depth checker saving you.

How thoughtful of it.  I (and my users) would have been far less 
happy if I had been an idiot and crashed sendmail.

Obviously, I've turned it off for now.

> Second, what are you trying to do again? I must confess I don't entirely 
> understand.

What I'm trying to do is avoid calling ClamAV/SA on emails that
will be rejected later, most notably this week's virus.  

Oddly, I'm not doing stream_by_recipient, so I'm not sure why
this is happening.  But I'm definitely getting called for
users who will later be rejected by the virtuser table.

My whole filter is still up, at:
http://www.tripacerdriver.com/mimedefang-filter

My logfiles have this (where the real domain is replaced with
mydomain.org):

May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked
May  2 16:05:32 tripacerdriver mimedefang.pl[5146]: MDLOG,j42L5V6p008516,virus,Worm.Sober.P,209.198.171.148,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Your email was blocked

So filter_begin is definitely called twice, once for each recipient,
one valid and one invalid.  This pattern is repeated, with varying
numbers of recipients, all through my logs.  I believe there is 
always at least one valid recipient, but I don't really have tools
to say that for certain.

Tina Marie
-- 
http://www.tripacerdriver.com   "...One of the main causes 
of the fall of the Roman Empire was that, lacking zero, they had no way
to indicate successful termination of their C programs." (Robert Firth)  



RE: [Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Matthew.van.Eerde
Tina Marie wrote:
> In article <[EMAIL PROTECTED]>, Tina Marie wrote:
>> Thank you! That was exactly what I was looking for.
> 
> Outbound mails are only calling it once.
> 
> Is this normal (googling reveals people complaining about a lot
> of traffic to their LDAP server, so maybe it is...)?  Is 10 calls
> to md_check_against_smtp_server less expensive than one call to
> clamAV? 
> And why is it always tempfailing the first time?  My server's not
> that busy...

Two things.

First, it's somewhat silly to run md_check_against_smtp_server(...) against 
localhost.  The way md_check_against_smtp_server works is it opens an SMTP 
conversation to that server, followed by a RCPT TO command.  This is itself 
calling filter_recipient, and you get an infinite loop.

So you're tempfailing due to some kind of recursive depth checker saving you.

Consider exiting filter_recipient early if $ip eq "127.0.0.1"

Second, what are you trying to do again? I must confess I don't entirely 
understand.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 



RE: [Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Matthew.van.Eerde
Matthew.van.Eerde wrote:
> Tina Marie wrote:
>> Outbound mails are only calling it once.
>> 
>> Is 10 calls to md_check_against_smtp_server less expensive than one call to
>> clamAV? And why is it always tempfailing the first time?  My
>> server's not that busy...

Hopefully we can get it down to 1 call to md_check_against_smtp_server per 
recipient.
 
> So you're tempfailing due to some kind of recursive depth checker
> saving you. 

In particular, you're running out of MIMEDefang threads.  The tempfail is 
actually on the LAST call to filter_recipient - the stack pops in reverse call 
order, and your log entries are printed AFTER the md_check_against_smtp_server, 
so they're in reverse order of depth (deepest first.)
 
> Consider exiting filter_recipient early if $ip eq "127.0.0.1"
> 
> Second, what are you trying to do again? I must confess I don't
> entirely understand. 
> 
> Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"




[Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Tina Marie
In article <[EMAIL PROTECTED]>, Tina Marie wrote:
> Thank you! That was exactly what I was looking for.

Hm.

It's getting called a lot.  An awful lot.  This is what I have:

sub filter_recipient {
    my ($recip, $sender, $ip, $host, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    my ($ret1, $ret2);

    # per-recipient trace log
    open(LOG, ">> /var/log/testStats");

    # ReadDomainFile, GetDomain and %localDomains are defined elsewhere in the filter.
    &ReadDomainFile();

    my $domain = &GetDomain($recip);
    if (defined($localDomains{$domain})) {
        # ask the local sendmail whether it would accept this recipient
        ($ret1, $ret2) = md_check_against_smtp_server($sender, $recip,
                                                      "127.0.0.1", "127.0.0.1");
        printf LOG "%-10s %-25s %-15s %-10s %-10s\n",
            ('chkRecip', $recip, $domain, $ret1, $ret2);
    }
    else {
        printf LOG "%-10s %-25s %-15s\n", ('notMine', $recip, $domain);
    }

    close(LOG);
    return ("CONTINUE", "OK");
}

And this is what I'm seeing for every single inbound mail:

chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com TEMPFAIL   Please try again later
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok
chkRecip   <[EMAIL PROTECTED]> tripacerdriver.com CONTINUE   <[EMAIL PROTECTED]>... Recipient ok

Outbound mails are only calling it once.

Is this normal (googling reveals people complaining about a lot 
of traffic to their LDAP server, so maybe it is...)?  Is 10 calls 
to md_check_against_smtp_server less expensive than one call to clamAV?
And why is it always tempfailing the first time?  My server's not 
that busy...

There's nothing significantly secure about my filter, so I
stuck a link on my webserver in case someone wants to look
at the whole thing: http://www.tripacerdriver.com/mimedefang-filter

Thanks. :)

Tina Marie
-- 
http://www.tripacerdriver.com   "...One of the main causes 
of the fall of the Roman Empire was that, lacking zero, they had no way
to indicate successful termination of their C programs." (Robert Firth)  



Re: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Paul Whittney
We used to have a big problem with the whole body going back to the
forged from address, which I suppose what the virus is trying to do
in a way, but I added "nobodyreturn" in the sendmail confPRIVACY_FLAGS
define, so if it really happens, places wont blacklist our MX for sending
viruses, even if they are "User: 3Dpwhittney doesn't exist".

This might cut down the ability to track errors for real user to user
email, but I've not had any problems of that nature.

-Paul Whittney

On Wed, May 04, 2005 at 04:01:58PM -0400, Chris Gauch wrote:
> Exact same story at our location -- a few of our clients received so many
> bogus bounces that we had to block several domains and host IPs (some of
> which I am sure are legitimate).  Some of our smaller business offices were
> inundated with thousands of bounces thanks to all of the networks/PCs out
> there infected with Sober.  The largest hassle on our part is fielding the
> calls from dimwitted clients who believe the 4-line, text-only bounces
> actually might contain the virus...


RE: [Mimedefang] Sober

2005-05-04 Thread Kayne Kruse
> The massive Sober virus attack is detected by $SuspiciousCharsInBody.
> Skip the antivirus process if you're willing to reject on that.
> 
> We saw 250,000 Monday, 490,000 yesterday.  Use of our time server also
> skyrocketed when this started.
> 
> Joseph Brennan


I just added below the $SuspiciousCharsInHeaders in filter_begin, for the
quick and dirty:

if ($SuspiciousCharsInBody) {
    md_graphdefang_log('suspicious_chars_body');
    action_quarantine_entire_message("Message Quarantined because of suspicious characters in body");
    return action_discard();
}

This should do the trick.

Hopefully most mail programs out there are sane and do not trigger these, but
at least you can unquarantine.

Kayne



RE: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Chris Gauch
Kelson Vibber wrote: 

> Something I've found that helps cut down on the virus scanning:  When
> you receive a self-mailing virus, check the IP's reverse DNS for any
> signs that it might be a real mail server.  If not, block it for a short
> period of time.  We use 24 hours, and look for patterns like
> ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.
> 
> In the past we used to get lots of repeats, usually to the same sets of
> addresses.  Blocking the IP really cuts down on the load -- our virus
> count only jumped by a factor of 10 on Monday -- and since we're
> scanning inbound mail, it rarely collides with our own users who would
> normally be sending mail.
> 
> In fact, the only time I can remember having a problem with it, one of
> our customers had received a copy of a virus (either defanged before the
> signature was added or from another source, I forget which) and had the
> sense not to open it... but forwarded it to their network consultant,
> asking "Is this a virus?"
> 
> The main nuisance Sober has caused here has been all the bogus bounces.

Exact same story at our location -- a few of our clients received so many
bogus bounces that we had to block several domains and host IPs (some of
which I am sure are legitimate).  Some of our smaller business offices were
inundated with thousands of bounces thanks to all of the networks/PCs out
there infected with Sober.  The largest hassle on our part is fielding the
calls from dimwitted clients who believe the 4-line, text-only bounces
actually might contain the virus...

- Chris

--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]




[Mimedefang] Re: Validate users before scanning?

2005-05-04 Thread Tina Marie
<[EMAIL PROTECTED]> wrote:
> See examples on the wiki:
> http://www.mimedefang.org/kwiki/index.cgi?RelayCheckAddresses

Thank you! That was exactly what I was looking for.

Tina Marie



Re: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Kelson
Chris Gauch wrote:
We haven't seen any Sober.P get through ClamAV yet (freshclam updated the
signatures just on time), but it's been a real nuisance the past 3-4 days
and I know a lot of PCs and external networks are infected.  We went from
receiving 100-300 viruses per day total (we do approx. 1 million
messages/day volume), to 15,000 viruses per day total (99% of those being
Sober.P).
Something I've found that helps cut down on the virus scanning:  When 
you receive a self-mailing virus, check the IP's reverse DNS for any 
signs that it might be a real mail server.  If not, block it for a short 
period of time.  We use 24 hours, and look for patterns like 
ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.

In the past we used to get lots of repeats, usually to the same sets of 
addresses.  Blocking the IP really cuts down on the load -- our virus 
count only jumped by a factor of 10 on Monday -- and since we're 
scanning inbound mail, it rarely collides with our own users who would 
normally be sending mail.

In fact, the only time I can remember having a problem with it, one of 
our customers had received a copy of a virus (either defanged before the 
signature was added or from another source, I forget which) and had the 
sense not to open it... but forwarded it to their network consultant, 
asking "Is this a virus?"

The main nuisance Sober has caused here has been all the bogus bounces.
--
Kelson Vibber
SpeedGate Communications 
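The reverse-DNS heuristic Kelson describes above (block an end-user-looking relay for 24 hours after it delivers a self-mailing virus, but never a host named like a real mail server), written out as an added example. This is not code from the thread or from the MIMEDefang project; the token list, the 24-hour window and the hostnames in the self-check are assumptions constructed for illustration, and the only MIMEDefang names used are the real filter_relay callback and the $RelayAddr / $RelayHostname globals.

```perl
use strict;
use warnings;

my $BLOCK_SECONDS = 24 * 60 * 60;   # assumed window, matching the 24 h used above
my %blocked;                        # relay IP => epoch when the block lapses

# Classify a relay from its reverse-DNS name.  Conventional mail-server
# naming wins first; otherwise a name that spells out the host's own
# address, or carries a dynamic-pool token, counts as an end-user line.
sub classify_rdns {
    my ($ip, $name) = @_;
    return 'unknown' unless defined $name && length $name;
    $name = lc $name;
    return 'mailserver' if $name =~ /^(?:mail|mx|smtp|relay|out(?:bound|going))\d*[.-]/;

    # every distinct octet of the IP appears as its own number in the name
    my %seen;
    my @octets = grep { !$seen{$_}++ } split /\./, $ip;
    my $hits = grep { $name =~ /(?<![0-9])\Q$_\E(?![0-9])/ } @octets;
    return 'enduser' if $hits == @octets;

    return 'enduser' if $name =~ /(?:^|[.-])(?:dsl|adsl|dyn|dynamic|dhcp|ppp|pppoe|cable|pool|dialup|dial)(?:[.-]|\d)/;
    return 'unknown';
}

# Record a self-mailing virus from $ip; returns 1 if the relay was blocked.
sub note_virus_from {
    my ($ip, $rdns, $now) = @_;
    $now = time unless defined $now;
    return 0 unless classify_rdns($ip, $rdns) eq 'enduser';
    $blocked{$ip} = $now + $BLOCK_SECONDS;
    return 1;
}

# True while the block is in force; expired entries are dropped on the way.
sub is_blocked {
    my ($ip, $now) = @_;
    $now = time unless defined $now;
    return 0 unless exists $blocked{$ip};
    return 1 if $blocked{$ip} > $now;
    delete $blocked{$ip};
    return 0;
}

# Hook point: refuse the connection while the block lasts.  The virus-found
# side goes wherever your filter_begin / filter_end already decides a
# message is a virus:  note_virus_from($RelayAddr, $RelayHostname);
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    return ('TEMPFAIL', 'Relay recently sent a virus, try later')
        if is_blocked($hostip);
    return ('CONTINUE', 'ok');
}

# Constructed self-check (documentation-range addresses): perl this_file.pl
if (!caller) {
    my $t = 1_000_000;
    my @cases = (
        ['192.0.2.45',   '192-0-2-45.dsl.example.net', 'enduser'],
        ['198.51.100.7', 'mail2.example.org',          'mailserver'],
        ['203.0.113.9',  'cable-pool9.example.com',    'enduser'],
        ['203.0.113.10', 'host10.example.edu',         'unknown'],
    );
    for my $c (@cases) {
        printf "%-28s %-10s expected %s\n", $c->[1], classify_rdns($c->[0], $c->[1]), $c->[2];
    }
    note_virus_from('192.0.2.45', '192-0-2-45.dsl.example.net', $t);
    print is_blocked('192.0.2.45', $t + 3600)  ? "blocked\n" : "open\n";   # blocked
    print is_blocked('192.0.2.45', $t + 90000) ? "blocked\n" : "open\n";   # open
}
```

Two caveats for real use: %blocked lives in one slave's memory, and mimedefang-multiplexor runs several slaves, so a deployment would keep the expiry table in a shared file or DB; and an "unknown" verdict is deliberately not blocked, since a legitimate small server with an unconventional name is the case Kelson's customer-forwarding story warns about.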


[Mimedefang] Sober

2005-05-04 Thread Joseph Brennan
The massive Sober virus attack is detected by $SuspiciousCharsInBody.
Skip the antivirus process if you're willing to reject on that.
We saw 250,000 Monday, 490,000 yesterday.  Use of our time server also
skyrocketed when this started.
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York


Re: [Mimedefang] Validate users before scanning?

2005-05-04 Thread Kelson
David F. Skoll wrote:
Although [EMAIL PROTECTED] doesn't exist, the milter is still passed
it, and it is NOT told by Sendmail that delivery will fail.  Normally,
this isn't a big deal, but if you're streaming by recipient, it is
a big deal.
Ah.  Got it.
We only use stream_by_recipient in limited cases, which explains why I 
haven't seen the problem.

The only workaround is to (also) validate recipients in filter_recipient,
because if *that* function rejects a recipient, then MIMEDefang is smart
enough not to add it to @Recipients by the time filter_begin is invoked.
Must file this away for future reference
--
Kelson Vibber
SpeedGate Communications 


RE: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Chris Gauch

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:mimedefang-
> [EMAIL PROTECTED] On Behalf Of Kelson
> Sent: Wednesday, May 04, 2005 1:09 PM
> To: mimedefang@lists.roaringpenguin.com
> Subject: Re: [Mimedefang] freshclam -- Is it a daemon?
> Indeed.  We actually had three copies of Sober.P get through on Monday
> morning during the half-hour between the first hit and the first
> freshclam after ClamAV added the signature.
> 
> Of course, by "get through" I mean "get defanged instead of discarded
> outright" -- so it could have been considerably worse.

We haven't seen any Sober.P get through ClamAV yet (freshclam updated the
signatures just on time), but it's been a real nuisance the past 3-4 days
and I know a lot of PCs and external networks are infected.  We went from
receiving 100-300 viruses per day total (we do approx. 1 million
messages/day volume), to 15,000 viruses per day total (99% of those being
Sober.P).  

- Chris
 

--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]



Re: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Kelson
[EMAIL PROTECTED] wrote:
Once an hour is not excessive at all.  Now that it uses a DNS-style 
lookup to query the current version, it generates very little traffic to check 
hourly.

The risk of checking less frequently is too high when a new virus outbreak 
occurs.
Indeed.  We actually had three copies of Sober.P get through on Monday 
morning during the half-hour between the first hit and the first 
freshclam after ClamAV added the signature.

Of course, by "get through" I mean "get defanged instead of discarded 
outright" -- so it could have been considerably worse.

--
Kelson Vibber
SpeedGate Communications 


Re: [Mimedefang] Validate users before scanning?

2005-05-04 Thread David F. Skoll
Kelson wrote:

> Shouldn't this be happening anyway?  You do your virus scanning in
> filter_begin or filter_end, right?  Those get triggered in the DATA
> phase.  The virtusertable lookups should be done for each RCPT TO.  If
> there are no valid recipients, will sendmail even accept anything for DATA?

> Or am I just completely confused here as to the process?

Here's the problem:  Consider this SMTP session:

C: MAIL FROM:<[EMAIL PROTECTED]>
S: 250 Sender ok
C: RCPT TO:<[EMAIL PROTECTED]>
S: 250 Recipient ok
C: RCPT TO:<[EMAIL PROTECTED]>
S: 550 User unknown
C: DATA
S: 354 Enter mail...
C: 
S: 200 Mail accepted

Although [EMAIL PROTECTED] doesn't exist, the milter is still passed
it, and it is NOT told by Sendmail that delivery will fail.  Normally,
this isn't a big deal, but if you're streaming by recipient, it is
a big deal.

The only workaround is to (also) validate recipients in filter_recipient,
because if *that* function rejects a recipient, then MIMEDefang is smart
enough not to add it to @Recipients by the time filter_begin is invoked.

I believe there were patches to Sendmail floating around that skipped
the milter callback if the RCPT command would fail for other reasons,
but those patches were never accepted by the Sendmail developers.
(The rationale is that your milter might indeed want to know about
all RCPT TO commands, even ones that fail.)

Regards,

David.
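The workaround David describes above (validate recipients in filter_recipient so a user sendmail would refuse never lands in @Recipients), combined with Matthew's advice elsewhere in the thread to leave filter_recipient early for 127.0.0.1 so md_check_against_smtp_server probes cannot recurse into the same filter, and Paul's suggestion of reading the virtusertable directly, as one added example. This is not code from the thread or from MIMEDefang itself: the file path, the two lookup forms (exact user@domain, then the @domain catch-all), the 550 / 5.1.1 mapping for error: entries and the sample table in the trailing comment are assumptions; filter_recipient's argument list and return convention are MIMEDefang's.

```perl
use strict;
use warnings;

my $VIRTUSERTABLE = '/etc/mail/virtusertable';   # assumed path of the text source
my %virtuser;                                    # lower-cased key => right-hand side
my $virtuser_mtime = -1;

# Parse virtusertable lines ("key<tab>value", '#' comments) into a hash.
sub parse_virtusertable {
    my @lines = @_;
    my %map;
    for my $line (@lines) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($key, $rhs) = split /\s+/, $line, 2;
        next unless defined $rhs;
        $rhs =~ s/\s+\z//;
        $map{lc $key} = $rhs;
    }
    return %map;
}

# Reload the table when the file changes.  A missing file leaves %virtuser
# empty, so every lookup falls through to sendmail's own decision.
sub load_virtusertable {
    my @st = stat $VIRTUSERTABLE;
    return unless @st;
    return if $st[9] == $virtuser_mtime;
    open my $fh, '<', $VIRTUSERTABLE or return;
    my @lines = <$fh>;
    close $fh;
    %virtuser = parse_virtusertable(@lines);
    $virtuser_mtime = $st[9];
}

# Mimic the two most common sendmail lookups: exact user@domain, then the
# @domain catch-all.  Returns the right-hand side, or undef if no entry applies.
sub virtuser_lookup {
    my ($addr) = @_;
    $addr = lc $addr;
    $addr =~ s/[<>]//g;
    my ($user, $domain) = split /\@/, $addr, 2;
    return undef unless defined $domain && length $domain;
    for my $key ("$user\@$domain", "\@$domain") {
        return $virtuser{$key} if exists $virtuser{$key};
    }
    return undef;
}

sub filter_recipient {
    my ($recip, $sender, $ip, $host, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # md_check_against_smtp_server probes come from the box itself; running the
    # check for them would call straight back into this function.
    return ('CONTINUE', 'ok') if $ip eq '127.0.0.1';

    load_virtusertable();
    my $rhs = virtuser_lookup($recip);

    # An error: right-hand side is exactly what sendmail would refuse at RCPT;
    # refusing it here keeps the address out of @Recipients for filter_begin.
    if (defined $rhs && $rhs =~ /^error:\S+\s*(.*)/) {
        my $text = length $1 ? $1 : 'User unknown';
        return ('REJECT', $text, '550', '5.1.1');   # assumed: nouser-style permanent failure
    }
    return ('CONTINUE', 'ok');
}

# Constructed sample table and the decisions it yields (not a real site):
#   alice@mydomain.org      alice
#   @mydomain.org           error:nouser No such user
#   @other.example          bob
# -> <alice@mydomain.org>   CONTINUE (explicit entry)
# -> <nobody@mydomain.org>  REJECT 550 No such user (catch-all error entry)
# -> <x@unrelated.test>     CONTINUE (no entry; sendmail decides as before)
```

The lookup is a deliberately partial imitation of sendmail's: user+detail@domain and the other ruleset subtleties are not modelled, so the filter only ever rejects what an explicit error: entry already condemns and otherwise stays out of sendmail's way, which is the safe direction for a pre-scan filter to err in.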


Re: [Mimedefang] Validate users before scanning?

2005-05-04 Thread Kelson
Tina Marie wrote:
It looks to me like most of the ones I'm getting are addressed
to addresses that sendmail is going to reject in the virtuser
table.  It seems like a waste to scan these if I was going to
reject them as NoSuchUser anyway.
Shouldn't this be happening anyway?  You do your virus scanning in 
filter_begin or filter_end, right?  Those get triggered in the DATA 
phase.  The virtusertable lookups should be done for each RCPT TO.  If 
there are no valid recipients, will sendmail even accept anything for DATA?

Or am I just completely confused here as to the process?
--
Kelson Vibber
SpeedGate Communications 


RE: [Mimedefang] Validate users before scanning?

2005-05-04 Thread Matthew.van.Eerde
Tina Marie wrote:
> Is there a way to check, from MimeDefang, that, yes, this
> address is deliverable, before I try to scan it?

Yes - filter_recipient

See examples on the wiki:
http://www.mimedefang.org/kwiki/index.cgi?RelayCheckAddresses

It is a Good Idea (tm) to reject invalid addresses at RCPT-time anyway, 
regardless of malware/spam concerns.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 



RE: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread WBrown
[EMAIL PROTECTED] wrote on 05/04/2005 10:48:47 AM:

> Every hour may be a little excessive, but we have had issues in the past 
> with virus getting in before the updates are grabbed.

Once an hour is not excessive at all.  Now that it uses a DNS-style 
lookup to query the current version, it generates very little traffic to check 
hourly.

The risk of checking less frequently is too high when a new virus outbreak 
occurs.


Re: [Mimedefang] Validate users before scanning? + Idea...

2005-05-04 Thread Paul Whittney
Tina,

I suppose you could get mimedefang to open up the virtualUsers.db
file from sendmail before the virus scanner runs. I've seen code
snips from others that open the db files and use the data. Just a
thought. Not sure how useful it is.

Not sure if this is on topic or not...

With one group of servers I just don't have the power to run AV code
on them, nor do I want to uncompress every zip file to test for
files (anyway, our software guys still need to send .exe's, and
via zip files is the only way left to them, due to my rules), so
I'm matching on the attachments Base64 coding in sub filter.
I think there's a copy of my ziptest code around somewhere, but
grab the first line of $entity->body() and if it matches
 UEsDBAoAA.{6}uS6g1MtEAADLRAAAmAA 
flag it as Sober.O (or P... or whatever the code is). As it seems the
zip files are named differently, but the .exe or .pif starts with the
same name in the file.

Your decision to quarantine, and replace, or discard.

So far it's got 300 hits (on 4000 email names, as the virus has found
multiple addresses, I guess) in the last 24 hours. I get the MIMEDefang
quarantine emails, and so far they all look good. Now, I've isolated 
3 sole IPs that are relaying this data, and added them to the access.db.

Curious on any thoughts, or issues, people see with this.

Best Regards,
Paul Whittney


On Wed, May 04, 2005 at 08:53:41AM -0500, Tina Marie wrote:
> Thanks to an auto-updating clamAV and mimeDefang, I didn't even
> notice the new Sober.P worm until I noticed my load up a bit
> (from all the scanning).
> 
> It looks to me like most of the ones I'm getting are addressed
> to addresses that sendmail is going to reject in the virtuser
> table.  It seems like a waste to scan these if I was going to
> reject them as NoSuchUser anyway.
> 
> I googled, but I didn't see anything applicable, but that was 
> probably my lack of a sufficiently good search string.  I
> found lots of ways to do it with LDAP, but I just have one 
> machine, and that seems like overkill.
> 
> Is there a way to check, from MimeDefang, that, yes, this
> address is deliverable, before I try to scan it?
> 
> Thanks!
> 
> Tina Marie
> -- 
> http://www.tripacerdriver.com   "...One of the main causes 
> of the fall of the Roman Empire was that, lacking zero, they had no way
> to indicate successful termination of their C programs." (Robert Firth)  
> 
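The signature match Paul describes, written out as a complete MIMEDefang filter() hook. This is an added example, not code from the post above or from MIMEDefang itself. It goes one step further than the post: besides the exact Base64 signature, it decodes the first few encoded lines of any zip attachment and reads the zip local file header to see what the first member is called, so an .exe or .pif inside a zip can be caught without decompressing anything. The blocked-extension list and the content-type check are assumptions; MIMEDefang's action_quarantine, action_quarantine_entire_message, action_discard, action_accept and md_syslog are the project's real API.

```perl
# Added example, not code from the post above or from MIMEDefang itself.
# Applies the Base64 signature quoted in the post inside a MIMEDefang
# filter() hook and, as a generalisation, reads the first zip local file
# header out of the encoded attachment to flag an executable member name
# without decompressing anything. The blocked-extension list is an
# assumption.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Signature from the post: the transport encoding of a zip local file
# header ("PK\x03\x04", version 10, stored, fixed CRC and sizes, 38-byte
# member name), so it only matches that one dropper.
my $SOBER_B64_RE = qr/UEsDBAoAA.{6}uS6g1MtEAADLRAAAmAA/;

# Member names we never want delivered inside an archive (assumption).
my $BAD_NAME_RE = qr/\.(?:exe|pif|scr|com|bat|cmd)$/i;

# Name of the first member of a zip file, given its leading bytes, or
# undef if the data does not start with a local file header. Only the
# 30-byte fixed header and the name are read, never the compressed data.
sub first_zip_member_name {
    my ($bytes) = @_;
    return undef unless length($bytes) >= 30;
    # 4-byte signature, skip 22 bytes, 2-byte name length at offset 26
    my ($sig, $name_len) = unpack('V x22 v', $bytes);
    return undef unless $sig == 0x04034b50;             # "PK\x03\x04" little-endian
    return undef unless length($bytes) >= 30 + $name_len;
    return substr($bytes, 30, $name_len);
}

# Classify an attachment from its body lines. With the transport encoding
# still in place (what the post reports for $entity->body()) the first
# lines are Base64; if the body arrives already decoded they start with
# "PK". Returns 'sober', 'exe-in-zip' or ''.
sub classify_zip_lines {
    my ($lines) = @_;
    return '' unless ref $lines eq 'ARRAY' && @$lines;
    return 'sober' if $lines->[0] =~ $SOBER_B64_RE;
    # Three 76-character Base64 lines decode to 171 bytes: room for the
    # 30-byte header plus a member name of up to 141 bytes.
    my $raw  = join '', grep { defined } @$lines[0 .. 2];
    my $head = $raw =~ /^PK/ ? $raw : decode_base64($raw);
    my $name = first_zip_member_name($head);
    return 'exe-in-zip' if defined $name && $name =~ $BAD_NAME_RE;
    return '';
}

# MIMEDefang hook, called once per MIME part.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return action_accept()
        unless $ext =~ /^\.zip$/i || $type =~ m{^application/(?:x-)?zip$}i;
    my $verdict = classify_zip_lines($entity->body());
    if ($verdict eq 'sober') {
        md_syslog('warning', "Sober signature in $fname; quarantining message");
        action_quarantine_entire_message('Sober worm signature in zip attachment');
        return action_discard();
    }
    if ($verdict eq 'exe-in-zip') {
        # Deliver the message, quarantine only the archive and say so.
        return action_quarantine($entity, "Executable inside zip attachment $fname");
    }
    return action_accept();
}
```

The header parse is the part worth keeping after Sober is gone: the exact signature only matches one dropper because it pins the CRC and sizes, whereas the member-name check survives repacking. It still only looks at the first member and does not see into nested or encrypted archives, which is why the post's author treats it as a stop-gap rather than a replacement for an AV scanner.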


[Mimedefang] Validate users before scanning?

2005-05-04 Thread Tina Marie
Thanks to an auto-updating clamAV and mimeDefang, I didn't even
notice the new Sober.P worm until I noticed my load up a bit
(from all the scanning).

It looks to me like most of the ones I'm getting are addressed
to addresses that sendmail is going to reject in the virtuser
table.  It seems like a waste to scan these if I was going to
reject them as NoSuchUser anyway.

I googled, but I didn't see anything applicable, but that was 
probably my lack of a sufficiently good search string.  I
found lots of ways to do it with LDAP, but I just have one 
machine, and that seems like overkill.

Is there a way to check, from MimeDefang, that, yes, this
address is deliverable, before I try to scan it?

Thanks!

Tina Marie
-- 
http://www.tripacerdriver.com   "...One of the main causes 
of the fall of the Roman Empire was that, lacking zero, they had no way
to indicate successful termination of their C programs." (Robert Firth)  

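One way to answer the question above, and Paul's suggestion in the reply of reading sendmail's virtusertable.db directly: a filter_recipient() hook that rejects unknown addresses at RCPT TO time, before any body is scanned. This is an added example, not code from the thread or from MIMEDefang. The database path and local domain list are assumptions; DB_File with $DB_HASH reads the Berkeley DB hash that makemap writes. MIMEDefang only calls filter_recipient when started with -r, and a recipient rejected there is not passed on to the scanning stage.

```perl
# Added example, not from the thread or from MIMEDefang itself.
# A filter_recipient() hook that rejects unknown local recipients at
# RCPT TO time by looking them up in sendmail's virtusertable.db, so the
# message body is never scanned on their behalf. Paths and domains are
# assumptions for this example.
use strict;
use warnings;
use DB_File;
use Fcntl qw(O_RDONLY);

my $VIRTUSER_DB  = '/etc/mail/virtusertable.db';          # assumption
my %LOCAL_DOMAIN = map { $_ => 1 } qw(example.com example.net);  # assumption

# Strip <>, lower-case, split into local part and domain.
sub split_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    $addr = lc $addr;
    my ($local, $domain) = $addr =~ /^(.*)\@([^@]+)$/ or return;
    return ($local, $domain);
}

# makemap does not NUL-terminate keys unless run with -N, while aliases.db
# always does, so both forms are tried.
sub db_has_key {
    my ($db, $key) = @_;
    return (exists $db->{$key} || exists $db->{"$key\0"}) ? 1 : 0;
}

# 1 if virtusertable resolves the address (exact match, +detail stripped,
# or the @domain catch-all), 0 otherwise. Takes a hash ref so the logic
# can be exercised against a plain hash without a real .db file.
sub virtuser_knows {
    my ($db, $addr) = @_;
    my ($local, $domain) = split_address($addr) or return 0;
    (my $base = $local) =~ s/\+.*$//;
    for my $key ("$local\@$domain", "$base\@$domain", "\@$domain") {
        return 1 if db_has_key($db, $key);
    }
    return 0;
}

# MIMEDefang hook; mimedefang must be started with -r for it to run.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    my ($local, $domain) = split_address($recipient);
    # Only judge domains we host; anything else is sendmail's decision.
    return ('CONTINUE', 'ok') unless defined $domain && $LOCAL_DOMAIN{$domain};

    my %virt;
    tie(%virt, 'DB_File', $VIRTUSER_DB, O_RDONLY, 0644, $DB_HASH)
        or return ('TEMPFAIL', 'Recipient database unavailable');  # never fail open
    my $known = virtuser_knows(\%virt, $recipient);
    untie %virt;

    return ('CONTINUE', 'ok') if $known;
    md_syslog('info', "Rejecting unknown recipient $recipient from $ip");
    return ('REJECT', 'User unknown');
}
```

Two caveats before copying this into a filter. virtusertable is only one of sendmail's sources of valid addresses; a domain that also has aliases or real local users needs those checked too, or legitimate mail is refused with "User unknown". And the lookup runs once per RCPT TO, so if the file is large or on slow storage keep the tie open across calls in the slave process rather than re-opening it each time.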


RE: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread Doug Hubbard
It does not run as a daemon.
Here is the cron task that I run to use freshclam to update the defs.
# added to update the clamav defs every hour
18 * * * * /usr/local/bin/freshclam --quiet --config-file=/etc/freshclam.conf

Every hour may be a little excessive, but we have had issues in the past 
with virus getting in before the updates are grabbed.

> I'm trying to automate the updating of clamav.  I'm using 
>  http://sial.org/howto/mimedefang/clamav/
> as a HOWTO.
> 
> I've installed clamav 0.83 (which seems to be out of date now).
> According to the link above, one of my options is to use a script
> called up-avdefs.  The web page includes a link with the actual
> script.  Yet the implication is that this comes with clamav.  When you
> check the script provided by the HOWTO, the comments imply to me that
> it comes with the clamav distro.  I don't see it in my distro.
> So I moved on.  I'm looking at freshclam, and when I look at both the
> config file along with the comments, the implication seems to be that
> it runs as a daemon.  Yet, when I run freshclam, and then check for it
> with ps -aux, I don't find any such item.
> Freshclam seems to run once, and update the database.
> So, do I simply place freshclam in the crontab, running it
> periodically?  What am I missing?
--
*
Doug Hubbard - IT Manager
TrackMaster, an Equibase Company
email [EMAIL PROTECTED] 
Website www.trackmaster.com 
*



Re: [Mimedefang] OT: control internal spam

2005-05-04 Thread James Ebright
SMTP Auth is well supported nowadays, uses port 587 (and 483 if you use TLS
and outlook) and would be one way I would approach the issue.. of course.. if
you have a user with a valid username/pass or certificate (depends on flavor
of auth you prefer) then they will be able to send out the spam in either
case.. just harder for them to claim it was a virus or zombied box if they had
to authenticate to do it. Not to mention you can remove the user IP space from
relay so they cannot use the gateway for external mail at all unless they
authenticate first.

Any rate limiting you place on an IP (bandwidth or messages per min or recip
per message) will just give you a false sense of security and possibly catch
some legitimate mailing lists as well. The abuser can simply vary the rate or
amount of bulk (or even send them a single at a time) in order to get around
this limit.

I would say this is best handled with a strict email use policy (TOS) and
educating your users on what happens if they are caught sending out spam (e.g.
we charge our hourly rate for "clean up" fees for any time we spend running
down spam, dealing with third parties, etc to our former customer if they are
caught maliciously sending spam). Nothing to prevent you from turning over a
complete archive of evidence to the local authorities for use under the canned
spam act as well (yeah, I know that may be a toothless threat, but students
may not know that). Couple that with the monitoring you are already doing and
you should be fine, 2k messages is not a lot at all after all (a couple of
minutes worth on a broadband connection) so you did catch them fairly quickly.

Jim

On Tue, 3 May 2005 17:05:42 -0500 (CDT), -ray wrote
> All,
> 
> We block port 25 at the firewall so all outgoing mail has to go out 
> our gateway.  Occasionally a student will figure out they can make a 
> few $$$ by relaying spam.  It doesn't happen often, but happened 
> today and they managed to sneak out 2000 messages before we noticed.
> 
> Any ideas on how to combat this?  Obviously we have to allow SMTP 
> for internal legit clients on our network.  Is SMTP AUTH the answer? 
> Or pop before SMTP? (currently not using these).  Some kind of rate 
> limiting per IP?  Just looking for any ideas...


--
EsisNet.com Webmail Client
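The "no relay from the user IP space unless they authenticate first" part of the reply above, enforced a second time at the milter. This is an added example, not code from the thread or from MIMEDefang: a filter_sender() hook that refuses MAIL FROM on unauthenticated sessions from internal ranges and logs the SMTP AUTH login name on the ones it lets through, so a complaint can later be tied to a user rather than to a DHCP lease. The address ranges are assumptions; the {auth_authen} macro is one sendmail exports to milters at MAIL FROM in its default Milter.macros.envfrom, and MIMEDefang exposes it as $SendmailMacros{auth_authen}. mimedefang must be started with -s for filter_sender to be called.

```perl
# Added example, not from the thread or from MIMEDefang itself.
# A filter_sender() hook that refuses envelope senders from the internal
# address space unless the session used SMTP AUTH, and records the
# authenticated identity for later attribution. The CIDR ranges are
# assumptions; adjust to the real client networks.
use strict;
use warnings;

our %SendmailMacros;   # populated by mimedefang.pl before each hook

my @INTERNAL_CIDR = ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');  # assumption

# Dotted quad to 32-bit integer, or undef if it is not an IPv4 address.
sub ip2int {
    my @o = split /\./, shift;
    return undef unless @o == 4 && !grep { !/^\d+$/ || $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my ($ipn, $netn) = (ip2int($ip), ip2int($net));
    return 0 unless defined $ipn && defined $netn;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
}

sub ip_is_internal {
    my ($ip) = @_;
    return (grep { ip_in_cidr($ip, $_) } @INTERNAL_CIDR) ? 1 : 0;
}

# Policy for one MAIL FROM. $auth_user is the SMTP AUTH login name, or
# undef/'' when the session did not authenticate. Returns the
# (verdict, message) pair MIMEDefang expects from filter_sender.
sub sender_policy {
    my ($sender, $ip, $auth_user) = @_;
    return ('CONTINUE', 'ok') unless ip_is_internal($ip);
    if (defined $auth_user && length $auth_user) {
        return ('CONTINUE', "authenticated as $auth_user");
    }
    # Unauthenticated internal client: the relay decision sendmail should
    # already have made, enforced again here so it is logged per sender.
    return ('REJECT', 'Authentication required to send mail from this network');
}

# MIMEDefang hook; mimedefang must be started with -s for it to run.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    # {auth_authen} is exported at MAIL FROM by sendmail's default
    # Milter.macros.envfrom and is empty when the session did not AUTH.
    my $auth_user = $SendmailMacros{auth_authen};
    my ($verdict, $msg) = sender_policy($sender, $ip, $auth_user);
    md_syslog('info', "MAIL FROM $sender via $ip: $verdict ($msg)");
    return ($verdict, $msg);
}
```

The log line is the point: once every accepted internal submission carries a login name, the "it was a virus on my box" defence the reply mentions no longer works, and the evidence archive it suggests handing to the authorities is already there in syslog.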


Re: [Mimedefang] freshclam -- Is it a daemon?

2005-05-04 Thread -ray
On Tue, 3 May 2005, Al Sparks wrote:
> So, do I simply place freshclam in the crontab, running it
> periodically?  What am I missing?

Did you read the man page for freshclam?

   (2) Run as a daemon and check 2 times per day for new database:
   freshclam -d -c 2

I typically just run it from cron though...
ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean   http://www.r-a-y.org
Systems Engineer Southeastern Louisiana University
IBM Certified Specialist  AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=