[Mimedefang] Re: MD 2.51/clamav .88.1 failure
> On Friday, 4/7, I updated clamav from version .88 to .88.1. When I did so, virus scanning broke. Maillog was filled with entries like:
>
>   Apr 7 15:49:23 hoover mimedefang.pl[66764]: Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
>   Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: Milter: data, reject=451 4.3.0 Problem running virus-scanner
>   Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: to=[EMAIL PROTECTED], delay=00:00:00, pri=145673, stat=Problem running virus-scanner
>
> The clamd.log showed no problems. It seemed to be happy as a, well, clam. I'm running MD version 2.51 on FreeBSD 5.4. I was able to fix it by re-installing clamav .88.
>
> Has anyone else seen this problem? Do I need to update MD? Any other thoughts?

Same problem here running RedHat EL4 latest update. No indication as to what is causing the problem.

-Shawn

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Failed to process the MS access database zip file
Hi,

I had sent the email with the MS access database zip file over my mimedefang process, and mimedefang dropped the attachment and replaced the warning message with drop_with_warning=1 in my log file. I commented out the following statement, and tried again. It worked.

  if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
      my $bh = $entity->bodyhandle();
      if (defined($bh)) {
          my $path = $bh->path();
          if (defined($path)) {
              return re_match_in_zip_directory($path, $re);
          }
      }
  }

I have the perl module Archive-Zip-1.16.tar.gz in my perl 5.8.8. Does anyone have the same experience?

Thanks.

ming
[Mimedefang] Oblivion.rar
I am seeing a very small (2254KB unencoded) RAR file called Oblivion.rar that uncompresses to 4.4GB of disk space. IMO, this is being sent to drive our virus scanner / mail filtering up a wall.

We don't even WANT rar files and they are blocked in the bad attachment list. However, we are running the virus scan in filter_begin but the bad_filename check in filter filter_multipart. I think this needs to get changed.

Any input on the best way to go about it? Anyone else seeing this?

Regards,
KAM
RE: [Mimedefang] Failed to process the MS access database zip file
If you have this line

  $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';

in your mimedefang-filter, then you will note that .mdb is in the bad extensions list, so it would be dropped if it was sent as .mdb or as a zip containing an .mdb.

If you want to permit mdb's in zip files, then you would need to change the $bad_exts variable to remove mdb (it would also then allow them unzipped as well).

Cheers
Mack

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ming Hou
Sent: Wednesday 12 April 2006 15:28
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] Failed to process the MS access database zip file

> Hi,
>
> I had sent the email with the MS access database zip file over my mimedefang process, and mimedefang dropped the attachment and replaced the warning message with drop_with_warning=1 in my log file. I commented out the following statement, and tried again. It worked.
>
>   if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
>       my $bh = $entity->bodyhandle();
>       if (defined($bh)) {
>           my $path = $bh->path();
>           if (defined($path)) {
>               return re_match_in_zip_directory($path, $re);
>           }
>       }
>   }
>
> I have the perl module Archive-Zip-1.16.tar.gz in my perl 5.8.8. Does anyone have the same experience?
>
> Thanks.
>
> ming
Re: [Mimedefang] Oblivion.rar
Kevin A. McGrail wrote:

> We don't even WANT rar files and they are blocked in the bad attachment list. However, we are running the virus scan in filter_begin but the bad_filename check in filter filter_multipart.

So run the virus scan in filter_end instead. And be sure not to run it if the message has already been rejected.

Regards,

David.
Re: [Mimedefang] Re: MD 2.51/clamav .88.1 failure
[someone] wrote:

> On Friday, 4/7, I updated clamav from version .88 to .88.1. When I did so, virus scanning broke. Maillog was filled with entries like:
>
>   Apr 7 15:49:23 hoover mimedefang.pl[66764]: Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
>   Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: Milter: data, reject=451 4.3.0 Problem running virus-scanner
>   Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: to=[EMAIL PROTECTED], delay=00:00:00, pri=145673, stat=Problem running virus-scanner
>
> The clamd.log showed no problems. It seemed to be happy as a, well, clam. I'm running MD version 2.51 on FreeBSD 5.4. I was able to fix it by re-installing clamav .88.
>
> Has anyone else seen this problem? Do I need to update MD? Any other thoughts?

Shawn Gendle wrote:

> Same problem here running RedHat EL4 latest update. No indication as to what is causing the problem.

I recently updated a number of systems here; no issues. (I *have* had weird things happen in the past, however.)

  RH7.3, MD 2.51
  Debian woody, MD 2.51
  WBEL3, MD 2.54

All of the MIMEDefang installs are locally-built packages, no particularly special customizations. ClamAV is installed from Dag Wieers/RPMForge on the RH and WB systems, and from the Debian package maintainer's people.debian.org woody backport for the Debian system. The RH7.3 and Debian systems run clamd as the defang user; the WBEL3 box runs it as root (WTF? - gotta look closer at that - but it's working fine).

The most common problem I've seen with a Clamav upgrade is that the clamd socket gets its permissions mangled somewhere and MD can't communicate with clamd.

For RHEL4, you might be seeing an issue with SELinux. No idea for the BSD system; my *BSD experience so far has been downloading the ISO install images only to be unable to boot any of them.

HTH,
-kgd
Re: [Mimedefang] Oblivion.rar
I tried moving the virus scanning routines to filter_end after the rejection check (i.e. after return if message_rejected();). However, I don't believe that fixes the issue because the default action for a bad filename is to drop with warning and I am calling action_quarantine_entire_message. So after I see that the bad_filename is seen, I am still seeing the virus scanner firing and going into the ether.

I've also submitted the file to McAfee's Avert and it's bombing that too ;-)

Thoughts?

KAM

> > We don't even WANT rar files and they are blocked in the bad attachment list. However, we are running the virus scan in filter_begin but the bad_filename check in filter filter_multipart.
>
> So run the virus scan in filter_end instead. And be sure not to run it if the message has already been rejected.
Re: [Mimedefang] Oblivion.rar
Kevin A. McGrail wrote:

> However, I don't believe that fixes the issue because the default action for a bad filename is to drop with warning and I am calling action_quarantine_entire_message.

Ah... you should call action_discard() (at least for the specific Oblivion.rar case...)

Regards,

David.
Re: [Mimedefang] Oblivion.rar
> Disable the RAR engine?

Don't know how to do that. Can you give any more hints?
RE: [Mimedefang] Oblivion.rar
KAM wrote:

> > Disable the RAR engine?
>
> Don't know how to do that. Can you give any more hints?

Well, for ClamAV it's as simple as editing /etc/clamd.conf; change this line

  ScanRAR ...

to this:

  #ScanRAR

Hopefully your decompression-scanners have a similar configurability.

I suppose there's still the worry that someone will slip a virus into a .rar, then rename it to .zip, and rely on the client's unzipper helpfully recognizing the RAR format despite the wrong extension.

--
Matthew.van.Eerde (at) hbinc.com
805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: [Mimedefang] Oblivion.rar
> Ah... you should call action_discard() (at least for the specific Oblivion.rar case...)

Understood but trying to solve the larger issue. If you rename the file to say bob.temp or zip the file (say you have a rar in a zip), the problem still occurs.

Regards,
KAM
RE: [Mimedefang] Oblivion.rar
> > Disable the RAR engine?
>
> Don't know how to do that. Can you give any more hints?

For Vexira you can add the following to your vascan.ini file...

  exclude = *.rar

Or...

  exclude = Oblivion.rar

...if you're looking for a short-term fix for this particular bomb.
RE: [Mimedefang] Oblivion.rar
> > Ah... you should call action_discard() (at least for the specific Oblivion.rar case...)
>
> Understood but trying to solve the larger issue. If you rename the file to say bob.temp or zip the file (say you have a rar in a zip), the problem still occurs.

Two useful approaches:

Clamd.conf:
===========

  ScanArchive
  ArchiveMaxRecursion 5
  ArchiveMaxFiles 1000
  ArchiveMaxFileSize 10M
  ArchiveMaxCompressionRatio 250
  ArchiveBlockMax

This will limit the size of files when uncompressing, and will also prevent massive files from being allowed through - the ArchiveBlockMax option reports files as viruses if they fail any of the size, recursion or file count checks.

Mimedefang-filter:
==================

Have two lists of bad file extensions - those which are not allowed anywhere, and those which are not allowed in ZIP files. Add ZIP, RAR, BZ2, etc to this list even if you allow them normally - recursive archives are to be strongly discouraged.

Paul.
[Mimedefang] Custom variables in filter, undef needed in filter_end?
Hello,

We are running MD 2.56 with the MD multiplexor and embedded Perl. In our configuration, we modify some custom variables in the filter subroutine, and use these values in filter_end for attachment reporting, for example. If we do not undef these variables after using them in filter_end, subsequent MD slaves appear to add to them. For example, our array containing a list of attachments will grow.

Is it recommended to undef these variables in filter_end? Is this documented anywhere?

Checking the mailing list, I noticed this email with the same basic question:
http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/002043.html

One more question: Will $Sender or any of the elements in @Recipients ever have angle brackets? Reading through mimedefang-filter (5), I see that $sender in filter_sender may, and that $recipient in filter_recipient may, but I was wondering about those global variables.

Thanks!
Brandon Hutchinson
Re: [Mimedefang] Oblivion.rar
This is the number one reason why we don't automatically uncompress zip and rar's. It's expensive (on my box, anyway, doesn't have the processing power it needs), and in light of these unzip/rar timebombs could actually destroy the email server (must try it at some point).

However, the best way I've found to combat these is to rely on the uuencoding of the file only. Currently, I've only got the zip parts operational, but seems I'll be looking at others now.

Inside filter:

  ..
  my $found = 0;
  if (lc($ext) =~ /zip/) {
      md_graphdefang_log('ziptest', $path);
      my $lines = $entity->body();      # transfer-encoded body, one element per line
      my $name  = "";
      if (scalar(@$lines)) {
          # It has lines
          my $line = $lines->[0];
          if ( ($line =~ m/^UEsDBAoAA.{6}zy5egAlgAAAJYAA/) ||
               ($line =~ m/^UEsDBAoAA.{6}KJx\+eAFgAAABYAA/) ) {
              $found = 1;
              $name  = "Novarg";
          }
          #
          # more of the same... depends what you want to block..
          # (further elsif branches go here)
          #
          else {
              # throw the current line into the logs, for scanning later..
              md_syslog('notice', "ziptest,$line\n");
          }
      }
  }

Now, you can react with

  if ($found) {
      # set up messages, and alterations, or...
      action_quarantine($entity, "A known virus signature was detected, and removed\n");
      return action_discard();
  }

That might be expensive to grab the entity into memory, could put file size limits on it #shrugs#

Keep an eye on the logs:

  Apr 12 13:12:25 mx1 mimedefang.pl[132]: ... .. ziptest,UEsDBAoAADtmhDQZTkUg ...

(removed parts, as it then lists a filename)

I'm sure you could write a DB system to keep track of the amount of hits and I think that pulling the zip/rar standard apart at this level could help find filenames, rather than needing diskspace to uncompress possibly untrusted files.

-Paul

On Wed, Apr 12, 2006 at 05:49:39PM +0100, Paul Murphy wrote:

--
Paul Whittney
ArriveTech, Inc.
Network Specialist / Systems Engineer
3823 West 12th Street, Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)
PWhittney [at] net.arrivetech.com (Aux)
www.arrivetech.com
Tel: 814 868 3306
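The three ideas in this thread (Mack's point that re_match_in_zip_directory checks the zip's directory against $bad_exts, Paul Murphy's two-list rule plus clamd's size and ratio limits, and Paul Whittney's wish to pull the zip format apart rather than uncompress untrusted files) can be combined in one inspector that never writes an extracted file to disk. The following is an added example, not MIMEDefang's code nor any poster's; it assumes only Python 3's standard zipfile, zlib and struct modules, reuses the $bad_exts list quoted above, and mirrors the clamd.conf limits (10M, 250:1, 1000 files). The sample zip it builds is constructed for the demonstration, including the member names. Because the sizes recorded in a zip's central directory are written by whoever built the archive, the example also re-inflates each member with a hard output budget, which is what actually stops a bomb that lies about its sizes.

```python
import io
import re
import struct
import zipfile
import zlib

# The default $bad_exts list from the thread, as a Python regex on the member name
BAD_EXTS = re.compile(
    r'\.(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta'
    r'|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg'
    r'|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh'
    r'|\{[^\}]+\})$', re.IGNORECASE)
# Second list (constructed): archive types refused *inside* a zip even where
# they would be accepted as a top-level attachment
NESTED_ARCHIVE_EXTS = re.compile(r'\.(zip|rar|bz2|gz|tgz|7z)$', re.IGNORECASE)

# Limits mirroring the clamd.conf fragment quoted in the thread
MAX_FILE_SIZE = 10 * 1024 * 1024   # ArchiveMaxFileSize 10M
MAX_RATIO = 250                    # ArchiveMaxCompressionRatio 250
MAX_FILES = 1000                   # ArchiveMaxFiles 1000


def inflated_size_within(data, info, budget):
    """Inflate one member with a hard output budget, trusting no declared size.

    Returns the real inflated length, or None if it exceeds the budget (or the
    member cannot be inspected). Output is produced in 64 KiB slices so a bomb
    never gets to allocate a large buffer before it is counted."""
    if info.compress_type == zipfile.ZIP_STORED:
        return info.compress_size          # stored bytes are their own size
    if info.compress_type != zipfile.ZIP_DEFLATED:
        return None                        # other methods: not inspectable here
    # Local file header: signature, 5 shorts, crc/csize/usize, name and extra lengths
    sig, *_, name_len, extra_len = struct.unpack_from('<4s5H3L2H', data, info.header_offset)
    if sig != b'PK\x03\x04':
        return None
    start = info.header_offset + 30 + name_len + extra_len
    pending = data[start:start + info.compress_size]
    inflater = zlib.decompressobj(-15)     # -15 = raw deflate, as inside zip
    produced = 0
    while pending:
        out = inflater.decompress(pending, 65536)   # max_length caps this call's output
        produced += len(out)
        if produced > budget:
            return None
        pending = inflater.unconsumed_tail          # input zlib could not yet process
    produced += len(inflater.flush())
    return None if produced > budget else produced


def inspect_zip(data, max_file_size=MAX_FILE_SIZE, max_ratio=MAX_RATIO, max_files=MAX_FILES):
    """Return policy findings for a zip attachment; an empty list means it passes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ['not a valid zip archive']
    infos = zf.infolist()
    if len(infos) > max_files:
        findings.append(f'too many members: {len(infos)} > {max_files}')
    for info in infos:
        name = info.filename
        if BAD_EXTS.search(name):
            findings.append(f'bad extension: {name}')
        if NESTED_ARCHIVE_EXTS.search(name):
            findings.append(f'nested archive: {name}')
        # Declared sizes come from the central directory (cheap, but attacker-written)
        if info.file_size > max_file_size:
            findings.append(f'declared size too large: {name} ({info.file_size} bytes)')
        if info.compress_size and info.file_size // info.compress_size > max_ratio:
            findings.append(f'declared ratio too high: {name} '
                            f'({info.file_size // info.compress_size}:1)')
        # Bounded re-inflation catches a member whose declared sizes are a lie
        if inflated_size_within(data, info, max_file_size) is None:
            findings.append(f'inflates past {max_file_size} bytes: {name}')
    return findings


def build_sample_zip():
    """Constructed sample: a harmless text file, a .mdb, a nested .rar and a
    1 MiB run of zeros that deflates to roughly 1 KiB (about 1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('report.txt', 'quarterly numbers\n')
        zf.writestr('customers.mdb', b'\x00\x01\x00\x00Standard Jet DB')
        zf.writestr('oblivion.rar', b'Rar!\x1a\x07\x00' + b'\x00' * 32)
        zf.writestr('zeros.bin', b'\x00' * (1024 * 1024))
    return buf.getvalue()


if __name__ == '__main__':
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

In a MIMEDefang filter the equivalent check would run in filter() on the entity's body path before any scanner is invoked, so that a rejected archive is discarded without ever being handed to the decompressing engine. The declared-size checks are enough to log and alert on, but only the budgeted inflation should be relied on to block, since nothing in the central directory has to be true.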
[Mimedefang] Free Tool Ferrets Out Mail Server Problems
http://www.emailbattles.com/archive/battles/email_aaddbfghhe_ch/

Free Tool Ferrets Out Mail Server Problems
Posted on 04/05/2006 @ 15:11:25 in Email.

Trouble receiving mail? Installing a new mail server? Need to make sure all your email servers are accessible?

Experienced network managers have long plodded through DNS queries, making sure that MX records matched A records which matched IP addresses. Then they checked SMTP ports to make sure the servers were open for business...

This can be a fairly time-consuming and error-prone process, especially if you, or your email vendor, sport 11 mail servers, like IBM... Or two MX records that point to 15 hosts, like 3com.com... Or five MX records pointing to 18 IP addresses, some of which are only for outbound email, like sun.com.

[...]

http://www.emailbattles.com/archive/battles/email_aaddhghiad_ih/

Why Yahoo Can't Deliver Email
Posted on 04/12/2006 @ 16:55:14 in Email.

Have you ever wondered why senders complain so much about Yahoo Mail's poor delivery? So did Email Battles. Curious, we pointed our hot new diagnostic toy, Mail Server Profiler, at Yahoo's mail servers, to see if we could find any hints.

First, Mail Server Profiler mapped and analyzed the Yahoo Mail setup. It found 16 host IP addresses behind four mail server MX records, and identified half of them as closed, ie, not accepting any email messages.

[...]

Next, we took measurements every two minutes for half an hour. That's 15 separate readings of each of 16 IP addresses, for a total of 240 readings. The results were surprising. During that period, Yahoo mail servers were willing to accept mail just 55% of the time (133 open readings). Average availability for MX record groups over the period ranged from as low as 25% to a high of just 75%.

[...]
Re: [Mimedefang] Patch to mimedefang...
On 13 Jan 2006 at 19:28, David F. Skoll wrote:

> One of the biggest complaints from people who've tried MIMEDefang is the number of Perl modules it requires. I really hesitate to make another absolute dependency; I'd rather continue to use the mechanism in detect_and_load_perl_modules to discover modules at run-time and enable bits of functionality based on what is discovered.

Catching up on old stuff here...

One idea would be to make some very small part of MIMEDefang into a CPAN module, and let that module's build script automatically get the truly required Perl modules. This won't reduce the requirements, but it would allow a MIMEDefang install to be just "./configure; make" on the MIMEDefang source.

--
Jeff Rife | http://www.nabs.net/Cartoons/OverTheHedge/PizzaDelivery.gif
Re: [Mimedefang] Patch to mimedefang...
Jeff Rife wrote:

> One idea would be to make some very small part of MIMEDefang into a CPAN module, and let that module's build script automatically get the truly required Perl modules.

Yes, that's a good idea. But if we did that, I would throw out most of the existing code and rewrite MIMEDefang using proper modular and object-oriented Perl. That won't happen for a while. :-)

Regards,

David.