Re: [Mimedefang] bounce check with sendmail and md_check_against
On Thu, 30 Nov 2006, Wayne wrote:

What does a telnet session to mail.bwtelcom.net result in with the invalid name? I mean:

    helo smtp1.hamilton.net
    mail from: <>
    rcpt to: bad_user
    quit

? It looks like the host rejects a bad user, but you've said that you configured the host to act on sessions differently depending on the connecting host.

>     ($result, $rmesg)= md_check_against_smtp_server($sender, $recip,"smtp1.hamilton.net","mail.bwtelcom.net");
> } else{
>     ($result, $rmesg)= md_check_against_smtp_server($sender, $recip,"smtp1.hamilton.net","mail.hamilton.net");
> }

I would add a md_syslog(" $recip, $result, $rmesg") here and see the logs.

> if($result =~ /CONTINUE/){

No deal, but eq/ne operators would be OK.

>     return ('CONTINUE' ,"ok");
> } elsif($result =~ /TEMPFAIL/){
>     return ('TEMPFAIL' ,"$rmesg");
> } else {
>     if ( $relayflag ){
>         return ('REJECT', "unknown user account", "550", "5.1.1", "10");
>     } else{
>         return('REJECT',"unknown user account", "550", "5.1.1", "3");
>     }
> }

-- 
Steffen Kaiser

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] "RESULTS file is unreasonably large"
Peter Smith wrote:

> mimedefang[16241]: kAULHMmj016249: RESULTS file is unreasonably large -
> 66248 byes; max is 65535 bytes

The RESULTS file is passed back from the Perl code to the C milter instructing the milter what to do. It's typically tiny -- a few dozen to a couple of hundred bytes at most.

You should add the "-k" option to MIMEDefang. This causes it not to delete directories when filtering fails. That will let you have a look at the RESULTS file, and you might be able to figure out what the problem is (or if you e-mail it to me, I probably will be able to.)

Are you doing anything fancy in your filter, like adding lots of headers (or very long headers?)

Regards,

David.
[Mimedefang] "RESULTS file is unreasonably large"
Hi,

Out of the blue I started seeing messages like this in my maillog:

mimedefang[16241]: kAULHMmj016249: RESULTS file is unreasonably large - 66248 byes; max is 65535 bytes

, which caused the mail in question to be rejected. I started seeing this message for every subsequent mail. Restarting mimedefang seemed to fix the problem, but I'd like to learn more about it (google didn't return anything), and the threat of it happening again is worrying.

Thanks,
Peter Smith
Re: [Mimedefang] bounce check with sendmail and md_check_against
DFS wrote on 11/30/2006 02:10:27 PM:

> What's your internal server running? Some versions of MS Exchange and qmail
> don't reject invalid recipients at RCPT time, so md_check_against_smtp_server
> is useless. With other versions of Exchange, you need to explicitly
> enable RCPT-time checks; google for "Exchange Recipient Filter"

Early versions of Lotus Domino servers did not reject invalid recipients at RCPT time either. It became an option in 6.0 or 6.5. If the original poster needs help finding the option, contact me off list, I'd be glad to help.
Re: [Mimedefang] bounce check with sendmail and md_check_against
I do realize that it is open but I restrict that on the server. Here is my filter_recipient.

    #***********************************************************************
    # %PROCEDURE: filter_recipient
    #***********************************************************************
    sub filter_recipient {
        connect_to_database();
        my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
        my $from_name;
        my $from_domain;
        my ($result, $rmesg);

        # set the relay flag to 0 then check the hostname and use it later for delay
        my $relayflag = 0;
        if (($host !~ /\.(?:com|net|edu|org|gov|mil|ca|ne.us)$/) ||
            ($host =~ /\d{1,3}-\d{1,3}-\d{1,3}/) ||
            ($host =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\..*/) ||
            ($host =~ /dial|client|dhcp|dynamic|\.dyn\./)) {
            $relayflag = 1;
        }

        # ask the internal server whether the mailbox exists
        if ($recip =~ /bwtelcom/i) {
            ($result, $rmesg) = md_check_against_smtp_server($sender, $recip, "smtp1.hamilton.net", "mail.bwtelcom.net");
        } else {
            ($result, $rmesg) = md_check_against_smtp_server($sender, $recip, "smtp1.hamilton.net", "mail.hamilton.net");
        }

        if ($result =~ /CONTINUE/) {
            return ('CONTINUE', "ok");
        } elsif ($result =~ /TEMPFAIL/) {
            return ('TEMPFAIL', "$rmesg");
        } else {
            # longer delay before the reject for hosts that look dynamic
            if ($relayflag) {
                return ('REJECT', "unknown user account", "550", "5.1.1", "10");
            } else {
                return ('REJECT', "unknown user account", "550", "5.1.1", "3");
            }
        }
    }

Wayne

- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 30, 2006 3:18 PM
Subject: Re: [Mimedefang] bounce check with sendmail and md_check_against

> Wayne wrote:
>
> > Communigate Pro. It does reject about 99% of them. It's the clever
> > spammers that are getting by me causing me to bounce the messages.
>
> You do realize that mail.hamilton.net is reachable on port 25 from the Internet? That's probably a bad idea.
>
> Still, I don't know why you'd be getting those bounces. How are you using md_check_against_smtp_server in your filter?
>
> --
> David.
Re: [Mimedefang] bounce check with sendmail and md_check_against
Wayne wrote:

> Communigate Pro. It does reject about 99% of them. It's the clever
> spammers that are getting by me causing me to bounce the messages.

You do realize that mail.hamilton.net is reachable on port 25 from the Internet? That's probably a bad idea.

Still, I don't know why you'd be getting those bounces. How are you using md_check_against_smtp_server in your filter?

--
David.
Re: [Mimedefang] Re: bounce check with sendmail and md_check_against
It seems to be SPAM. The problem I have is why did this just fail with md_check. Here is an example of the reject I get in my postmaster account. I don't know why it was rejected to r3ay8.net.upc.cz before I even got the message.

Wayne

Return-Path:
Received: from localhost (localhost)
    by smtp2.hamilton.net (8.13.8/8.13.8) id kAUIDIlV069493;
    Thu, 30 Nov 2006 12:13:18 -0600 (CST)
Date: Thu, 30 Nov 2006 12:13:18 -0600 (CST)
From: Mail Delivery Subsystem
Message-Id: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="kAUIDIlV069493.1164910398/smtp2.hamilton.net"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--kAUIDIlV069493.1164910398/smtp2.hamilton.net

The original message was received at Thu, 30 Nov 2006 12:13:17 -0600 (CST)
from r3ay8.net.upc.cz [213.220.242.8]

   ----- The following addresses had permanent fatal errors -----
<[EMAIL PROTECTED]>
    (reason: 550 [EMAIL PROTECTED] unknown user account)

   ----- Transcript of session follows -----
... while talking to mail.hamilton.net.:
DATA
<<< 550 [EMAIL PROTECTED] unknown user account
550 5.1.1 <[EMAIL PROTECTED]>... User unknown
<<< 554 no valid RCPT address specified

--kAUIDIlV069493.1164910398/smtp2.hamilton.net
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp2.hamilton.net
Received-From-MTA: DNS; r3ay8.net.upc.cz
Arrival-Date: Thu, 30 Nov 2006 12:13:17 -0600 (CST)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.hamilton.net
Diagnostic-Code: SMTP; 550 [EMAIL PROTECTED] unknown user account
Last-Attempt-Date: Thu, 30 Nov 2006 12:13:18 -0600 (CST)

--kAUIDIlV069493.1164910398/smtp2.hamilton.net
Content-Type: message/rfc822

Return-Path: <[EMAIL PROTECTED]>
Received: from r3ay8.net.upc.cz (r3ay8.net.upc.cz [213.220.242.8])
    by smtp2.hamilton.net (8.13.8/8.13.8) with ESMTP id kAUID6lV069340
    for <[EMAIL PROTECTED]>; Thu, 30 Nov 2006 12:13:17 -0600 (CST)
Received: from vpokojiku (vpokojiku [213.220.242.8])
    by vpokojiku (8.12.8p1/8.12.8) with ESMTP id i7A2B709F62958
    for <[EMAIL PROTECTED]>; Thu, 30 Nov 2006 20:13:08 +0100
    (envelope-from [EMAIL PROTECTED])
Date: Thu, 30 Nov 2006 20:13:08 +0100
From: Fifth Third Bank 2006 <[EMAIL PROTECTED]>
Reply-To: "<[EMAIL PROTECTED]>" <[EMAIL PROTECTED]>
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fifth Third Bank: details confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--0E34523B878DC5BB"
X-Spam-X: SPAM hits=17.227
X-Spam-Report:
    pts rule name              description
    ---- ----------------------  --------------------------------------------------
    0.3 SPOOF_OURI             URI: URI has items in odd places
    2.5 SARE_SPOOF_COM2COM     URI: a.com.b.com
    0.5 SPOOF_COM2OTH          URI: URI contains ".com" in middle
    1.7 BIZ_TLD                URI: Contains an URL in the BIZ top-level domain
    0.6 HTML_90_100            BODY: Message is 90% to 100% HTML
    0.0 HTML_MESSAGE           BODY: HTML included in message
    0.4 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
    2.8 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
    2.3 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
    3.0 SARE_FORGED_53         SARE_FORGED_53
X-Scanned-By: MIMEDefang 2.58 on 208.6.238.6

- Original Message -
From: "Scott Silva" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 30, 2006 12:39 PM
Subject: [Mimedefang] Re: bounce check with sendmail and md_check_against

> Wayne spake the following on 11/30/2006 10:04 AM:
> > Hello All,
> >
> > I know everyone has probably figured this out but me. I am using
> > md_check_against_smtp_server on my mimedefang server to check usernames
> > before sending the mail to my server. I seem to have a lot of bounce
> > messages that get sent from my server with invalid from addresses. I
> > know there are some that are being rejected because of full mail boxes
> > and I can understand those but I have messages that are being rejected
> > by unknown user and then the bounce fails. These end up in my postmaster
> > account. I have also noticed that at times AOL or some other provider
> > will black hole me for this. I don't know why these messages don't get
> > rejected by md_check_against_smtp_server. How do I keep my server to
> > discard these messages without trying to send them?
> >
> > Thanks in Advance
> > Wayne
> >
> What exactly are you bouncing? Do you do content scanning at the MX or only on the main server? If you are bouncing things like spam or viruses, you will get blacklisted often.
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and you notice quickly if they don't
[Mimedefang] $RelayHostname not matching sendmail's Received header?
I'm trying to implement some new relay checks in my filter and I'm noticing some unexpected (to me) behavior regarding $RelayHostname. (I searched the archives but didn't see any reference to this, apologies if it has been asked before.)

I have a message delivered by a relay whose hostname sendmail was able to determine (according to the Received header):

Received: from adsl86-34-215-137.romtelecom.net (adsl86-34-215-137.romtelecom.net [86.34.215.137] (may be forged)) by ...

However, inside my mimedefang-filter, the value of $RelayHostname was not "adsl86-34-215-137.romtelecom.net" as I expected, but rather it was "[86.34.215.137]", seemingly indicating that MIMEDefang was not able to determine the relay's hostname. I tried to dive into the source to determine if MIMEDefang gets this info from sendmail, or if it tries to do the lookup itself, but it wasn't obvious to me.

Can anyone think of a scenario where this might happen? My check is being called from within filter_end, so I don't believe I should have to explicitly call read_commands_file, should I? Are there situations where MIMEDefang issues a second DNS check for this info (which might fail)?

Any help is appreciated... (running MIMEDefang 2.56 if that is relevant...)

Michael Sims
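Michael's header carries the facts a relay check can rely on, and the "(may be forged)" tag is sendmail's way of saying that the name it got from reverse DNS did not resolve back to the connecting address. As an added example (not MIMEDefang's code, and not an explanation of how $RelayHostname is populated, which the thread does not settle), here is a Python parser for that "Received: from" clause; it returns the bracketed address literal, the value Michael observed, whenever the name is absent or flagged, which is the conservative name to key relay policy on. The sample header is the one from the message, with a constructed "by" clause appended; the other two samples are constructed.

```python
"""Parse sendmail's "Received: from" clause into relay facts.

Added example, not MIMEDefang code.  Sendmail writes the clause as
    from <HELO name> (<rDNS name> [<ip>] (may be forged)) by ...
with the rDNS name omitted when there is none and "(may be forged)" added
when the rDNS name does not resolve back to the connecting IP.
"""
import re

# Constructed samples: the first is the header quoted in the thread with an
# invented "by" clause, the other two are made up to cover the other cases.
FORGED = ("Received: from adsl86-34-215-137.romtelecom.net "
          "(adsl86-34-215-137.romtelecom.net [86.34.215.137] (may be forged)) "
          "by mx.example.invalid (8.13.8/8.13.8) with ESMTP id kAUxxxxxxxxxx")
VERIFIED = ("Received: from relay.example.invalid "
            "(relay.example.invalid [192.0.2.10]) "
            "by mx.example.invalid (8.13.8/8.13.8) with ESMTP id kAUyyyyyyyyyy")
NO_RDNS = ("Received: from box ([198.51.100.7]) "
           "by mx.example.invalid (8.13.8/8.13.8) with ESMTP id kAUzzzzzzzzzz")

_FROM_CLAUSE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"          # name given in HELO/EHLO
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?"                # optional reverse-DNS name
    r"\[(?P<ip>[0-9.]+)\]"                           # connecting address
    r"(?P<forged>\s+\(may be forged\))?\)",          # forward lookup mismatch
    re.IGNORECASE)


def parse_received_from(header):
    """Return the relay facts as a dict, or None if the clause is not
    in sendmail's shape (headers from other MTAs differ)."""
    m = _FROM_CLAUSE.match(header)
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),              # None when sendmail had no name
        "ip": m.group("ip"),
        "may_be_forged": m.group("forged") is not None,
    }


def relay_name_for_policy(facts):
    """Name a relay check should act on: the reverse-DNS name only when
    sendmail confirmed it, otherwise the address literal in brackets."""
    if facts["rdns"] and not facts["may_be_forged"]:
        return facts["rdns"]
    return "[%s]" % facts["ip"]


if __name__ == "__main__":
    for sample in (FORGED, VERIFIED, NO_RDNS):
        facts = parse_received_from(sample)
        print(relay_name_for_policy(facts), facts)
```

The HELO name is parsed but deliberately not used for policy: it is whatever the client claimed, whereas the rDNS name and address come from the receiving sendmail.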
Re: [Mimedefang] bounce check with sendmail and md_check_against
Communigate Pro. It does reject about 99% of them. It's the clever spammers that are getting by me causing me to bounce the messages.

Thanks
Wayne

- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 30, 2006 1:10 PM
Subject: Re: [Mimedefang] bounce check with sendmail and md_check_against

> Wayne wrote:
>
> > I know everyone has probably figured this out but me. I am using
> > md_check_against_smtp_server on my mimedefang server to check usernames
> > before sending the mail to my server.
>
> What's your internal server running? Some versions of MS Exchange and qmail don't reject invalid recipients at RCPT time, so md_check_against_smtp_server is useless. With other versions of Exchange, you need to explicitly enable RCPT-time checks; google for "Exchange Recipient Filter"
>
> Regards,
>
> David.
Re: [Mimedefang] bounce check with sendmail and md_check_against
Wayne wrote:

> I know everyone has probably figured this out but me. I am using
> md_check_against_smtp_server on my mimedefang server to check usernames
> before sending the mail to my server.

What's your internal server running? Some versions of MS Exchange and qmail don't reject invalid recipients at RCPT time, so md_check_against_smtp_server is useless. With other versions of Exchange, you need to explicitly enable RCPT-time checks; google for "Exchange Recipient Filter"

Regards,

David.
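David's point is that the callout can only be as good as the internal server's answer at RCPT time: if that server says 250 to every RCPT TO and only discovers the bad mailbox later, the relay has already accepted the message and will bounce it to a usually forged sender. The following is an added example, not code from the thread or from MIMEDefang: a Python simulation in which an in-memory stand-in for the internal server either rejects unknown mailboxes at RCPT TO or accepts everything, and the dialogue Steffen suggests trying by hand (HELO, MAIL FROM:<>, RCPT TO, QUIT) is run against it. The HELO name smtp1.hamilton.net comes from Wayne's filter; the backend's greeting and reply texts, and the mapping of reply codes onto CONTINUE/TEMPFAIL/REJECT, are this example's own assumptions.

```python
"""Simulated RCPT-time recipient verification.

Added example, not MIMEDefang's code: an in-memory SMTP responder stands in
for the internal mail server so the dialogue md_check_against_smtp_server
performs (HELO, MAIL FROM:<>, RCPT TO, QUIT) can be exercised offline.  The
reply-code-to-verdict mapping below is this example's own assumption.
"""
import re


class FakeBackend:
    """Minimal SMTP responder (constructed; no network I/O).

    rejects_at_rcpt=True  -> answers 550 to RCPT TO for unknown mailboxes.
    rejects_at_rcpt=False -> accepts every RCPT TO and only finds out about
                             the bad mailbox after the message is queued,
                             the behaviour the thread attributes to some
                             Exchange, qmail and older Domino versions.
    temp_fail=True        -> answers 4xx, as an overloaded server would.
    """

    def __init__(self, valid_users, rejects_at_rcpt=True, temp_fail=False):
        self.valid_users = {u.lower() for u in valid_users}
        self.rejects_at_rcpt = rejects_at_rcpt
        self.temp_fail = temp_fail
        self.transcript = []          # both sides of every dialogue so far

    def send(self, line):
        """Feed one client line, record both directions, return the reply."""
        self.transcript.append("C: " + line)
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "HELO":
            reply = "250 backend.example Hello"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender ok"
        elif verb == "RCPT":
            reply = self._rcpt(line)
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.transcript.append("S: " + reply)
        return reply

    def _rcpt(self, line):
        if self.temp_fail:
            return "451 4.3.2 Please try again later"
        m = re.search(r"<([^>]*)>", line)
        addr = m.group(1).lower() if m else ""
        if self.rejects_at_rcpt and addr not in self.valid_users:
            return "550 5.1.1 <%s>... User unknown" % addr
        return "250 2.1.5 Recipient ok"

    def mailbox_exists(self, recip):
        """What the backend finds out once it actually tries to deliver."""
        return recip.lower() in self.valid_users


def rcpt_callout(backend, sender, recip, helo="smtp1.hamilton.net"):
    """Run the verification dialogue; return (verdict, server reply) with
    verdict one of CONTINUE, TEMPFAIL, REJECT as in the MIMEDefang API."""
    helo_reply = backend.send("HELO " + helo)
    mail_reply = backend.send("MAIL FROM:<%s>" % sender)
    rcpt_reply = backend.send("RCPT TO:<%s>" % recip)
    backend.send("QUIT")
    # If the session never reached RCPT the recipient was not checked at
    # all: defer rather than accept or reject on no evidence.
    for reply in (helo_reply, mail_reply):
        if not reply.startswith("2"):
            return ("TEMPFAIL", reply)
    code = rcpt_reply[:1]
    if code == "2":
        return ("CONTINUE", rcpt_reply)
    if code == "5":
        return ("REJECT", rcpt_reply)
    return ("TEMPFAIL", rcpt_reply)


def would_backscatter(backend, sender, recip):
    """True when the callout lets the message through but the backend
    cannot deliver it: the relay has taken responsibility and will have
    to bounce to the envelope sender, which spammers forge."""
    verdict, _ = rcpt_callout(backend, sender, recip)
    return verdict == "CONTINUE" and not backend.mailbox_exists(recip)


if __name__ == "__main__":
    lax = FakeBackend(["alice@hamilton.net"], rejects_at_rcpt=False)
    print(rcpt_callout(lax, "", "nobody@hamilton.net"))
    print("backscatter:", would_backscatter(lax, "", "nobody@hamilton.net"))
    print("\n".join(lax.transcript))
```

Against the lax backend the callout returns CONTINUE for a mailbox that does not exist, which is exactly the case where a filter_recipient built on it can do nothing; the only fix is on the backend, which is why David asks what it runs.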
[Mimedefang] Re: bounce check with sendmail and md_check_against
Wayne spake the following on 11/30/2006 10:04 AM:
> Hello All,
>
> I know everyone has probably figured this out but me. I am using
> md_check_against_smtp_server on my mimedefang server to check usernames
> before sending the mail to my server. I seem to have a lot of bounce
> messages that get sent from my server with invalid from addresses. I
> know there are some that are being rejected because of full mail boxes
> and I can understand those but I have messages that are being rejected
> by unknown user and then the bounce fails. These end up in my postmaster
> account. I have also noticed that at times AOL or some other provider
> will black hole me for this. I don't know why these messages don't get
> rejected by md_check_against_smtp_server. How do I keep my server to
> discard these messages without trying to send them?
>
> Thanks in Advance
> Wayne
>
What exactly are you bouncing? Do you do content scanning at the MX or only on the main server? If you are bouncing things like spam or viruses, you will get blacklisted often.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
[Mimedefang] bounce check with sendmail and md_check_against
Hello All,

I know everyone has probably figured this out but me. I am using md_check_against_smtp_server on my mimedefang server to check usernames before sending the mail to my server. I seem to have a lot of bounce messages that get sent from my server with invalid from addresses. I know there are some that are being rejected because of full mail boxes and I can understand those but I have messages that are being rejected by unknown user and then the bounce fails. These end up in my postmaster account. I have also noticed that at times AOL or some other provider will black hole me for this. I don't know why these messages don't get rejected by md_check_against_smtp_server. How do I keep my server to discard these messages without trying to send them?

Thanks in Advance
Wayne
Re: [Mimedefang] When to do Virus checks
Joseph Brennan wrote:

> --On Thursday, November 30, 2006 8:18 -0800 John Rudd <[EMAIL PROTECTED]> wrote:
>
> > Joseph Brennan wrote:
> > > If you reject messages with executable attachments first, let us know
> > > whether the virus check catches anything at all.
> >
> > There have been viruses that were distributed in non-executable zip files.
> > Simple attachment checks probably won't catch those.
>
> Absolutely correct. You have to be willing to examine zip file contents
> or reject zip files.

Or ... run a virus scanner. :-)

For my home use, it doesn't matter. All of the machines in my house are Macs with PowerPC processors running OS X. The likelihood of a virus is vanishingly small. At work, it's a campus full of varying machines with users of varying levels of clue. Whether it's strictly necessary or not isn't really relevant: not running a virus scanner would simply be a lack of due diligence.
Re: [Mimedefang] When to do Virus checks
--On Thursday, November 30, 2006 8:18 -0800 John Rudd <[EMAIL PROTECTED]> wrote:

> Joseph Brennan wrote:
> > If you reject messages with executable attachments first, let us know
> > whether the virus check catches anything at all.
>
> There have been viruses that were distributed in non-executable zip files.
> Simple attachment checks probably won't catch those.

Absolutely correct. You have to be willing to examine zip file contents or reject zip files.

I like the point about clamav having phish signatures in it. That is very worthwhile these days. I should look into that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: [Mimedefang] When to do Virus checks
Paul Murphy wrote:

[Disguise VIRUS.EXE as README.TXT]

> I'd be prepared to wager that 90% plus would allow it through...because
> they have configured their virus scanner to only scan potentially
> damaging files, and they decide that a file is potentially damaging
> based on the user-provided file extension.

Anyone running MIMEDefang shouldn't accept it, because the virus-integration code tries as hard as possible to convince the associated virus scanner to scan all files, regardless of extension.

Regards,

David.
Re: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler
WOOHOO! Rock on dude! Sendmail didn't like option two so I changed the ownership of the /var/run/clamav directory and ran clamd as defang and that fixed us right up!

Thanks again,
Stephen

- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 30, 2006 10:05 AM
Subject: Re: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler

> Stephen Loeckle wrote:
>
> > Nov 30 09:49:17 mail mimedefang.pl[10044]: kAUFnFOa010050: Clamd
> > returned error: /var/spool/MIMEDefang/mdefang-kAUFnFOa010050/Work:
> > lstat() failed.
>
> Clamd does not have read access inside that directory. There are a couple of ways to fix it:
>
> 1) Run clamd as the "defang" user instead of "clamav"
>
> 2) Add "clamav" to the "defang" group (if there is one) and make /var/spool/MIMEDefang's group "defang" and make it group-readable and group-executable.
>
> Regards,
>
> David.
Re: [Mimedefang] When to do Virus checks
> I think you don't need a virus check at all, if you reject executable
> file attachments. That's what a few years of experience tells me.

Take a virus packaged as an executable file, rename it to README.TXT, and send it as an attachment to 100 domains with a message which says "Your e-mail system wouldn't allow me to send you this great video, so I've renamed it - save it as runme.exe, and give it a go". How many domains would accept it?

I'd be prepared to wager that 90% plus would allow it through...because they have configured their virus scanner to only scan potentially damaging files, and they decide that a file is potentially damaging based on the user-provided file extension.

Paul.
RE: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler
> Ok I tried these two lines:
> $Features{'Virus:CLAMD'} = '/usr/sbin/clamd';
> $ClamdSock = '/var/run/clamav/clamd.ctl';
> and I got the following. I appreciate everyone's patience and help with this
> one. I just can't figure it out and I want to do it the right way...

When you built CLAM, you did use the "--with-user=defang --with-group=defang" options with the "configure" step, right?

Ken
Re: [Mimedefang] When to do Virus checks
Joseph Brennan wrote:
> If you reject messages with executable attachments first, let us know
> whether the virus check catches anything at all.

There have been viruses that were distributed in non-executable zip files. Simple attachment checks probably won't catch those.
Re: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler
Stephen Loeckle wrote:

> Nov 30 09:49:17 mail mimedefang.pl[10044]: kAUFnFOa010050: Clamd
> returned error: /var/spool/MIMEDefang/mdefang-kAUFnFOa010050/Work:
> lstat() failed.

Clamd does not have read access inside that directory. There are a couple of ways to fix it:

1) Run clamd as the "defang" user instead of "clamav"

2) Add "clamav" to the "defang" group (if there is one) and make /var/spool/MIMEDefang's group "defang" and make it group-readable and group-executable.

Regards,

David.
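Both fixes above come down to whether the account clamd runs as ends up with read and search permission on the spool tree, and the second one is easy to get subtly wrong (group changed but the mode not, or a parent directory without search permission). As an added example (not MIMEDefang's or ClamAV's code), the following Python script evaluates that permission for an arbitrary uid and group set the way the owner/group/other classes work, so the change can be verified before clamd is restarted. The account name "clamav" and the path /var/spool/MIMEDefang are taken from the thread; the model is plain mode bits only (no ACLs, no root bypass), and the self-check runs on a throwaway temporary directory rather than the real spool.

```python
"""Can the scanner account read inside the MIMEDefang work directory?

Added example, not MIMEDefang's or ClamAV's code.  clamd reporting
"lstat() failed" on .../mdefang-<id>/Work means the clamd account lacks
read+search permission on that tree.  This evaluates the discretionary
permission bits for a given uid and gid set (ACLs and root's bypass are
deliberately not modelled) and walks a path the way the kernel would.
"""
import grp
import os
import pwd
import shutil
import stat
import tempfile

R, X = 4, 1


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits that apply to (uid, gids) for an inode with these owners."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_scan_dir(mode, owner_uid, owner_gid, uid, gids):
    """Listing a directory needs r; lstat()ing the entries inside needs x."""
    bits = class_bits(mode, owner_uid, owner_gid, uid, gids)
    return bits & (R | X) == (R | X)


def ids_of(username):
    """uid and full gid set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def audit_path(path, uid, gids, trusted_root="/"):
    """Check each component below trusted_root for search (x) permission
    and the leaf for read+search.  Returns (ok, first_failing_component)."""
    path = os.path.abspath(path)
    trusted_root = os.path.abspath(trusted_root)
    components, p = [], path
    while p != trusted_root and os.path.dirname(p) != p:
        components.append(p)
        p = os.path.dirname(p)
    for comp in reversed(components):          # top-down, as a lookup goes
        st = os.lstat(comp)
        bits = class_bits(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                          uid, gids)
        need = (R | X) if comp == path else X
        if bits & need != need:
            return False, comp
    return True, None


def demo_tempdir_audit():
    """Self-check on a throwaway directory: a non-owner uid that is in the
    directory's group, before and after granting group r+x (fix 2 above)."""
    d = tempfile.mkdtemp()
    try:
        st = os.lstat(d)
        other_uid = st.st_uid + 1          # some account other than the owner
        gids = {st.st_gid}                 # ... that is in the directory's group
        os.chmod(d, 0o700)
        before = audit_path(d, other_uid, gids, trusted_root=os.path.dirname(d))
        os.chmod(d, 0o750)
        after = audit_path(d, other_uid, gids, trusted_root=os.path.dirname(d))
        return before, after
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("self-check (before, after):", demo_tempdir_audit())
    # Account and path as named in the thread; adjust for the local install.
    try:
        uid, gids = ids_of("clamav")
        print("clamav on /var/spool/MIMEDefang:",
              audit_path("/var/spool/MIMEDefang", uid, gids))
    except (KeyError, FileNotFoundError) as exc:
        print("skipped real spool check:", exc)
```

Run it as root after applying fix 2; a False result names the first component that still blocks the scanner, which is typically the spool directory itself when only the group was changed, or a parent directory that was never meant to be traversable by anyone but defang.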
[Mimedefang] Re: When to do Virus checks
Joseph Brennan spake the following on 11/30/2006 7:09 AM:
> --On Thursday, November 30, 2006 15:23 +0100 Johan Sleeuwenhoek <[EMAIL PROTECTED]> wrote:
>
> > I think it is worth the extra CPU time to stop a virus at the earliest
> > time possible. This makes it less dangerous, since the virus does not
> > pass all the components of your emailscanning system.
>
> I think you don't need a virus check at all, if you reject executable
> file attachments. That's what a few years of experience tells me.
>
> An independent test of this assertion will be interesting.
>
> Joseph Brennan
> Lead Email Systems Engineer
> Columbia University Information Technology

But clam-av contains some very good phishing signatures. I catch more of that garbage than actual viruses these days. Maybe 2 to 1 or better.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
Re: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler
Ok I tried these two lines:

$Features{'Virus:CLAMD'} = '/usr/sbin/clamd';
$ClamdSock = '/var/run/clamav/clamd.ctl';

and I got the following. I appreciate everyone's patience and help with this one. I just can't figure it out and I want to do it the right way...

Stephen

Nov 30 09:49:17 mail mimedefang.pl[10044]: kAUFnFOa010050: Clamd returned error: /var/spool/MIMEDefang/mdefang-kAUFnFOa010050/Work: lstat() failed.
Nov 30 09:49:17 mail mimedefang.pl[10044]: Problem running virus scanner: code=999, category=swerr, action=tempfail
Nov 30 09:49:17 mail mimedefang.pl[10044]: filter: kAUFnFOa010050: tempfail=1
Nov 30 09:49:17 mail mimedefang[10042]: kAUFnFOa010050: Tempfailing because filter instructed us to
Nov 30 09:49:17 mail sm-mta[10050]: kAUFnFOa010050: milter=mimedefang, reject=451 4.3.0 Problem running virus-scanner
Nov 30 09:49:17 mail sm-mta[10050]: kAUFnFOa010050: Milter: data, reject=451 4.3.0 Problem running virus-scanner
Nov 30 09:49:17 mail sm-mta[10050]: kAUFnFOa010050: --- 451 4.3.0 Problem running virus-scanner (hold)
Nov 30 09:49:17 mail sm-mta[10050]: kAUFnFOa010050: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=31349, stat=Problem running virus-scanner
Nov 30 09:49:17 mail sm-mta[10050]: kAUFnFOa010050: --- 451 4.3.0 Problem running virus-scanner (held)

- Original Message -
From: "Steffen Kaiser" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 21, 2006 8:23 AM
Subject: RE: [Mimedefang] Eeeeek MIME::Parser::ParanoidFiler

> On Thu, 16 Nov 2006, Stephen Loeckle wrote:
>
> > $Features{'Virus:CLAMAV'} = '/usr/bin/clamdscan';
> > or
> > $Features{'Virus:CLAMAV'} = '/usr/sbin/clamd';
>
> There is also 'Virus:CLAMD'
>
> > And tried with and without:
> > $ClamdSock = '/var/run/clamav/clamd.ctl';
>
> Has the mdefang user write permission to this socket?
>
> Bye,
>
> --
> Steffen Kaiser
Re: [Mimedefang] When to do Virus checks
On Thu, 2006-11-30 at 10:09 -0500, Joseph Brennan wrote:

> > I think it is worth the extra CPU time to stop a virus at the earliest
> > time possible. This makes it less dangerous, since the virus does not
> > pass all the components of your emailscanning system.
>
> I think you don't need a virus check at all, if you reject executable
> file attachments. That's what a few years of experience tells me.

What do you do with zip and other archive types that are popular virus containers?

--
Les Mikesell
[EMAIL PROTECTED]
Re: [Mimedefang] When to do Virus checks
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, 30 Nov 2006, Johan Sleeuwenhoek wrote:

> I think it is worth the extra CPU time to stop a virus at the earliest
> time possible. This makes it less dangerous, since the virus does not
> pass all the components of your email-scanning system.

I wonder what a virus can do when the mail is processed by MIMEDefang. The message is already broken up into MIME parts, so to reject the mail in filter_begin does not skip this work.

I think John is right. When you can reject the mail because of other means, it seems to be cheaper (except SpamAssassin). And you shouldn't scan the individual parts of the mail for viruses in order to remove infected parts only.

Bye,
- --
Steffen Kaiser
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iQEVAwUBRW73BugJIbZtwg6XAQItCAf/e2PhNu9JPpGrNlaQKuDoYo0DIvy53S/4
gCro4hTUR6IkC+XCNfq+2DquDosUuUYRBq6hHbL1geOSidHaNiA7rmAxzXT5EUjP
wnzOukMCWy4OHdHOGPZEtSDUDAVlLVvP7ME/ojbFTjco3+0EWnLlNLnGmKooO7WD
MaJNkt630OU1yJ98sj1q0Gdi9NfNmxdv+px+Qz4U9OqLXLyV+3LijHlHVD9dyKRm
bhqNsu8MzgWBxHsKJgoMhaZZEQqfJOeG2ewyCYqIDXGUdlBcynh8+NMH9yjTKEBS
aVhp5EnHLfoI0asLM45YvtTzJqhWz8TpOAgNqslQ7s3Zpwt9X43oyg==
=Mv9J
-END PGP SIGNATURE-
Re: [Mimedefang] When to do Virus checks
Johan Sleeuwenhoek wrote:
> I think it is worth the extra CPU time to stop a virus at the earliest
> time possible. This makes it less dangerous, since the virus does not
> pass all the components of your email-scanning system.

??? But what possible damage could a Widoze virus do on a UNIX-based mail-scanning system?

--
David.
Re: [Mimedefang] When to do Virus checks
[EMAIL PROTECTED] wrote:
> Out of curiosity, I looked at the statistics report from my CanIt Pro
> installation. More virii than executables.

Most probably it's because ClamAV includes some Phishing signatures in its virus database.

Regards,

David.
Re: [Mimedefang] When to do Virus checks
--On Thursday, November 30, 2006 15:23 +0100 Johan Sleeuwenhoek <[EMAIL PROTECTED]> wrote:

> I think it is worth the extra CPU time to stop a virus at the earliest
> time possible. This makes it less dangerous, since the virus does not
> pass all the components of your email-scanning system.

I think you don't need a virus check at all, if you reject executable file attachments. That's what a few years of experience tells me.

An independent test of this assertion will be interesting.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: [Mimedefang] When to do Virus checks
2006/11/30, John Rudd <[EMAIL PROTECTED]>:
> I was thinking about moving the virus check from filter_begin to filter_end
> (I do them in filter_begin, having inherited that from the example
> mimedefang-filter). My reason is: it seems to me that the attachment
> checks (in filter and filter_multipart) are going to be cheaper (in CPU
> time and elapsed time) than the virus checks, and my general principle in
> organizing my AV/AS checks right now is: cheapest checks first, so that
> as little as possible gets sent to the more expensive checks. If the
> virus check is more expensive than the attachment checks, then the
> attachment checks should be done first.
>
> Does anyone have any thoughts about whether or not it seems like a good
> or bad idea to move the virus checks to filter_end (before the
> SpamAssassin check)?

I think it is worth the extra CPU time to stop a virus at the earliest time possible. This makes it less dangerous, since the virus does not pass all the components of your email-scanning system.
Re: [Mimedefang] When to do Virus checks
Joseph Brennan <[EMAIL PROTECTED]> wrote on 11/30/2006 08:56:14 AM:

> If you reject messages with executable attachments first, let us know
> whether the virus check catches anything at all.

Out of curiosity, I looked at the statistics report from my CanIt Pro installation. More virii than executables. I hadn't really paid attention to that before. I checked the documentation and it indicates that it checks for infection before executable. Now I'm curious why. I agree that it would seem to make sense to check for extension before virus scanning.
Re: [Mimedefang] When to do Virus checks
--On Thursday, November 30, 2006 4:49 -0800 John Rudd <[EMAIL PROTECTED]> wrote:

> If the virus check is more expensive than the attachment checks, then the
> attachment checks should be done first.
>
> Does anyone have any thoughts about whether or not it seems like a good
> or bad idea to move the virus checks to filter_end (before the
> SpamAssassin check)?

If you reject messages with executable attachments first, let us know whether the virus check catches anything at all.

(Someone once said programming is about generalizing the problem, not about checking for hundreds of specific cases.)

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
[Mimedefang] When to do Virus checks
I was thinking about moving the virus check from filter_begin to filter_end (I do them in filter_begin, having inherited that from the example mimedefang-filter). My reason is: it seems to me that the attachment checks (in filter and filter_multipart) are going to be cheaper (in CPU time and elapsed time) than the virus checks, and my general principle in organizing my AV/AS checks right now is: cheapest checks first, so that as little as possible gets sent to the more expensive checks. If the virus check is more expensive than the attachment checks, then the attachment checks should be done first.

Does anyone have any thoughts about whether or not it seems like a good or bad idea to move the virus checks to filter_end (before the SpamAssassin check)?

So, it would look something like this:

filter_sender
    reject *.local senders
    reject some basic/egregious HELO strings

filter_recipient
    reject *.local recipients
    validate recipients with final destination

filter_begin
    reject messages with suspicious characters
    reject relays that look like botnets (which uses @Recipients so it can exempt messages headed only to postmaster and/or abuse)
    remove the headers that filter and filter_multipart will add (to keep them from being spoofed)

filter
    reject bad attachments by name and/or type
    add headers for good attachments

filter_multipart
    reject bad attachments by name and/or type
    add headers for good attachments

filter_end
    reject viruses
    remove spam/ham related headers
    reject high scoring spam
    add headers for ham or regular spam
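The filter_begin through filter_end part of John's outline, written out as a mimedefang-filter fragment, with the archive case Les Mikesell raises handled by reading the zip's central directory before any scanner runs. This is an added example, not code from John's post or from the MIMEDefang distribution's sample filter. It assumes the MIMEDefang 2.5x filter API (re_match, re_match_in_zip_directory, message_contains_virus, spam_assassin_check, message_rejected, the action_* calls and the %Features and $VirusName globals), that Archive::Zip is installed, and an illustrative extension list, marker header name and spam threshold; those last three are the author's choices, not anything the thread specifies.

```perl
# mimedefang-filter fragment (added example, not from the original posts):
# cheapest checks first, virus scan in filter_end ahead of SpamAssassin.
# Assumes the MIMEDefang 2.5x filter API and Archive::Zip. The extension
# list, marker header and spam threshold below are illustrative.

# Extensions rejected by name (optionally followed by trailing dots), plus
# CLSID-style "{...}" names that Windows renders as another file type.
my $bad_exts    = '(ade|adp|bat|chm|cmd|com|cpl|exe|hta|js|jse|lnk|msi|pif|scr|sct|shs|vb|vbe|vbs|wsf|wsh|\{[^\}]+\})';
my $re_bad_exts = '\.' . $bad_exts . '\.*$';

# Marker header this filter sets; stripped in filter_begin so it cannot be forged.
my $check_header = 'X-Attachment-Check';

sub filter_bad_filename {
    my ($entity) = @_;

    # re_match() tests the names in both Content-Disposition and Content-Type.
    return 1 if re_match($entity, $re_bad_exts);

    # Les's case: an archive carrying an executable. Listing the zip
    # directory needs no extraction and no AV engine, so it stays cheap.
    if (re_match($entity, '\.zip\.*$') and $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined $bh) {
            my $path = $bh->path();
            return 1 if defined $path and re_match_in_zip_directory($path, $re_bad_exts);
        }
    }
    return 0;
}

sub filter_begin {
    my ($entity) = @_;
    # Remove any sender-supplied copy before filter() adds the real one.
    action_delete_all_headers($check_header);
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    if (filter_bad_filename($entity)) {
        md_syslog('info', "bad attachment name $fname ($type), bouncing");
        # Bouncing here makes message_rejected() true, so filter_end()
        # below skips the virus scan and SpamAssassin for this message.
        action_bounce("Attachment $fname is not permitted");
        return action_discard();
    }
    action_add_header($check_header, "name check passed: $fname") if $fname ne '';
    return action_accept();
}

sub filter_multipart {
    my ($entity, $fname, $ext, $type) = @_;
    if (filter_bad_filename($entity)) {
        md_syslog('info', "bad multipart name $fname ($type), bouncing");
        action_bounce("Attachment $fname is not permitted");
        return action_discard();
    }
    return action_accept();
}

sub filter_end {
    my ($entity) = @_;

    # Already bounced by filter()/filter_multipart(): do no expensive work.
    return if message_rejected();

    # Virus scan moved here from filter_begin, still ahead of SpamAssassin.
    # A scanner failure comes back as code 999 / category "swerr" /
    # action "tempfail", the combination seen in the clamd log on this page.
    my ($code, $category, $action) = message_contains_virus();
    if ($category eq 'virus') {
        md_syslog('warning', "rejecting virus $VirusName");
        return action_bounce("Message contains virus $VirusName");
    }
    if ($action eq 'tempfail') {
        md_syslog('warning', "virus scanner failed: code=$code, category=$category");
        return action_tempfail("Problem running virus-scanner");
    }

    # Spam last, and only for small messages: SpamAssassin is the slowest step.
    if ($Features{"SpamAssassin"} and -s "./INPUTMSG" < 100 * 1024) {
        action_delete_all_headers('X-Spam-Score');   # drop sender-supplied copies
        my ($hits, $req, $names, $report) = spam_assassin_check();
        if ($hits >= 2 * $req) {                      # illustrative "high scoring" cut-off
            return action_bounce("Spam score $hits exceeds limit");
        }
        action_add_header('X-Spam-Score', sprintf('%.1f required=%.1f %s', $hits, $req, $names));
    }
}
```

Steffen's point stands with this ordering: the message is already parsed into MIME parts before filter() runs, so the saving is the scanner and SpamAssassin invocations, not the parsing. The zip lookup only inspects the archive's directory, so a renamed or nested archive is not caught by it; that is the gap the virus scan in filter_end still covers.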