[Mimedefang] BitDefender load average woes
I'm running BitDefender and ClamAV virus scanners through MIMEDefang. All of a sudden BitDefender started consuming a huge amount of CPU. My load average shot up from under 1 to between 6 and 15.

This happened on two servers simultaneously. I disabled BitDefender (delete $Features{Virus:BDC}) and the problems went away.

Is anyone else having this problem?

$ bdc --info
BDC/Linux-Console v7.1 (build 2559) (i386) (Jul 6 2005 16:28:53)
Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.

Engine signatures: 370654
Scan engines: 13
Archive engines: 39
Unpack engines: 4
Mail engines: 6
System engines: 0

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] BitDefender load average woes
Matthew van Eerde wrote:
> I'm running BitDefender and ClamAV virus scanners through MIMEDefang. All of a sudden BitDefender started consuming a huge amount of CPU. My load average shot up from under 1 to between 6 and 15.
>
> This happened on two servers simultaneously. I disabled BitDefender (delete $Features{Virus:BDC}) and the problems went away.

Never mind, false alarm... problem was due to router being saturated by an unrelated process, not due to BitDefender at all.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: [Mimedefang] BitDefender load average woes
[EMAIL PROTECTED] wrote:
> I'm running BitDefender and ClamAV virus scanners through MIMEDefang. All of a sudden BitDefender started consuming a huge amount of CPU. My load average shot up from under 1 to between 6 and 15.

Hi Matthew,

can you 'reproduce' this behavior? I've seen an even more strange CPU/Memory consuming *feature* from Kaspersky with all currently available scanners which triggers your machine into death. (5-10 mails of 1.6MB size required)

This DOS wasn't taken seriously by Kaspersky or by other 'Security related' sites. It's a ticking bomb waiting there.

Look for mails which cause such behavior; I will try the Kaspersky DOS on BitDefender as soon as I get time...

Kind regards
Michael Lang

> This happened on two servers simultaneously. I disabled BitDefender (delete $Features{Virus:BDC}) and the problems went away.
>
> Is anyone else having this problem?
>
> $ bdc --info
> BDC/Linux-Console v7.1 (build 2559) (i386) (Jul 6 2005 16:28:53)
> Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.
>
> Engine signatures: 370654
> Scan engines: 13
> Archive engines: 39
> Unpack engines: 4
> Mail engines: 6
> System engines: 0
RE: [Mimedefang] Image validator/OCR SA plugin
So far in my tests, this OCR plugin looks like it's working ok. I rounded up the needed prereqs (that was a bit of a chore, but everything compiled cleanly), and changed the package definition as indicated in Martin's post (be sure to run spamassassin -D --lint).

So far I've seen several hits for the ocr SUSPECT_GIF rule, with no detectable problems.

Ken
Re: [Mimedefang] Issues w/ authenticated submission
I've been thinking about this issue some more, and was wondering...

Would it be easier to have two sendmail instances, one that listens on 465 for authenticated email only, and then requeues it locally by passing it onto the primary instance of sendmail, which would apply mimedefang+spamassassin checks? This would also be the port 25 listener, of course...

The problem is that I'm sending email from work on port 465, and I'm seeing an SPF_FAIL, because the initial Received: line from the client reflects my employer's domain...

But since I'm submitting on port 465 with authentication, and not on port 25... it doesn't make sense to make certain blanket tests that would be applied to all outside mail.

Right? Am I losing it here?

-Philip
RE: [Mimedefang] Issues w/ authenticated submission
Philip Prindeville wrote:
> Would it be easier to have two sendmail instances, one that listens on 465 for authenticated email only

587 would be the canonical port, but yes...

> and then requeues it locally by passing it onto the primary instance of sendmail, which would apply mimedefang+spamassassin checks?

I believe you can use the same milter from two different instances of sendmail. No need to requeue.

> The problem is that I'm sending email from work on port 465, and I'm seeing an SPF_FAIL, because the initial Received: line from the client reflects my employer's domain...

Authenticated email should not be SPF-checked. If SpamAssassin has a way to tell that the email was submitted via SMTP AUTH, it shouldn't fire SPF_FAIL.

> But since I'm submitting on port 465 with authentication, and not on port 25... it doesn't make sense to make certain blanket tests that would be applied to all outside mail.

Exactly. You're authenticated, so you're special.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: [Mimedefang] Issues w/ authenticated submission
On Wed, Apr 19, 2006 at 03:34:19PM -0600, Philip Prindeville wrote:
> But since I'm submitting on port 465 with authentication, and not on port 25... it doesn't make sense to make certain blanket tests that would be applied to all outside mail.

What I do in this case is make some tests optional on the port you connect to, using:

    if ( $SendmailMacros{daemon_name} =~ /SSL/ ) { ... }

This requires you to put the names used in DaemonPortOptions in your filter, but I guess that's not too bad.

daemon_name is even available at connect (and HELO) time, but won't be read by mimedefang.c until envfrom...

--
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
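
Added example (not part of the original post or of MIMEDefang itself): a standalone Perl sketch of the per-listener test described in the message above, combined with the SMTP AUTH condition raised earlier in the thread. The daemon names, the skip_origin_tests helper and the sample macro sets are assumptions; in a real filter the hash would be %SendmailMacros and the names must match your own DaemonPortOptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Decides whether sender-origin tests
# (SPF and similar) should be skipped for a message, based on which
# sendmail listener accepted it and whether SMTP AUTH completed.
use strict;
use warnings;

# Hypothetical Name= values from DaemonPortOptions:
#   MTA = port 25, MSA = port 587, SSLMTA = port 465.
my %SUBMISSION_DAEMON = map { $_ => 1 } qw(MSA SSLMTA);

# Returns 1 when origin tests may be skipped, 0 otherwise.
# Policy choice of this sketch: require BOTH a submission listener and a
# non-empty {auth_authen}, so an unauthenticated client that reaches the
# submission port is still fully tested, and a missing macro fails closed.
sub skip_origin_tests {
    my ($macros) = @_;
    my $daemon = $macros->{daemon_name};
    my $user   = $macros->{auth_authen};
    return 0 unless defined $daemon && $SUBMISSION_DAEMON{$daemon};
    return 0 unless defined $user && length $user;
    return 1;
}

# Constructed macro sets standing in for %SendmailMacros at envfrom time.
my @cases = (
    [ 'port 25, no auth'        => { daemon_name => 'MTA' } ],
    [ 'port 465, authenticated' => { daemon_name => 'SSLMTA', auth_authen => 'philip' } ],
    [ 'port 465, no auth'       => { daemon_name => 'SSLMTA' } ],
    [ 'port 25, authenticated'  => { daemon_name => 'MTA', auth_authen => 'philip' } ],
    [ 'macros not passed'       => {} ],
);

for my $case (@cases) {
    my ($label, $macros) = @$case;
    printf "%-26s %s\n", $label,
        skip_origin_tests($macros) ? 'skip origin tests' : 'run all tests';
}
```

Both macros have to be exported to the milter by sendmail for the filter to see them; when either is absent the helper falls back to running every test.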
Re: [Mimedefang] Image validator/OCR SA plugin
On 14 Apr 2006 at 18:42, Martin Blapp wrote:
> This is just a little advertisement for my plugin which is now in a usable state and works very well. Anyone interested should keep an eye on it - it really helps with the image only spam we get today. But probably the spammers will soon change their tricks to different images which are more difficult to read :-(

This is a really cool idea.

As far as spammers obfuscating their images, couldn't that be worked around by tying OCR into the bayesian system? Then obfuscation wouldn't matter--whatever munging is done to a particular image would produce the same OCR strings, before and after bayes training. You wouldn't need to know particular strings to match beforehand in that case.

That would force image spammers to produce a unique obfuscated graphic for every single message, which seems like an expensive proposition. Of course, I once thought producing a unique set of (text) bayes poison for every message was expensive, and that sure didn't stop them...

Nels Lindquist
* Information Systems Manager
Morningstar Air Express Inc.
Re: [Mimedefang] Seeing a lot of these lately
On 10 Apr 2006 at 15:26, Cormack, Ken wrote:
> SNIP description of stock image spam
>
> Have been seeing a number of these lately here, and I'm wondering if anyone has ideas how best to go about blocking some of these things.

What version of SpamAssassin are you running? If it's 3.1.1, you might try running sa-update. I was pleasantly surprised to see a bunch of new rules in 80_additional.cf (most of them seem to start with TVD_) which detect these messages quite handily, kicking the score above our reject threshold of 10.

Nels Lindquist
* Information Systems Manager
Morningstar Air Express Inc.
Re: [Mimedefang] Image validator/OCR SA plugin
Nels Lindquist wrote:
> As far as spammers obfuscating their images, couldn't that be worked around by tying OCR into the bayesian system?

I think the original idea was to obfuscate the images so people could read the text, but OCR tools wouldn't be able to.

> Then obfuscation wouldn't matter--whatever munging is done to a particular image would produce the same OCR strings, before and after bayes training. You wouldn't need to know particular strings to match beforehand in that case.

True, but you'd need to see enough of them to train your Bayes engine.

> That would force image spammers to produce a unique obfuscated graphic for every single message, which seems like an expensive proposition.

Sadly, serious spammers have virtually unlimited computing resources. There are armies of thousands of zombie machines out there waiting to do their masters' bidding... Adding random noise that fools OCR tools but leaves the images legible for humans probably isn't that computationally expensive.

The only way to defeat image spam would be if Microsoft modifies Outlook not to display HTML or images, and for Thunderbird et al to follow suit. Anyone care to bet on the odds of that happening? :-(

Regards,
David.