Re: [Mimedefang] graphdefang Max Unixtime
Greg,

Try using ntp (Network Time Protocol); it will keep that clock of yours stable and on time.

Greg Miller wrote:
> I'm having an odd problem with graphdefang that I hope someone else has seen
> before. I execute graphdefang.pl the first time and all graphs are generated
> as expected. However, on subsequent runs I see that the value for Max
> Unixtime in SummaryDB.db is several hours in the future. As a result,
> graphdefang doesn't process any new log lines. It seems that eventually my
> machine catches up to this futuristic time and logs are processed again, for
> a time. Then, for some reason, Max Unixtime gets set in the future again, and
> the problem repeats.
>
> First thought was that this was a time zone issue. But, I have tried setting
> the TZ environment variable from the shell and in the Perl script to no
> avail.
>
> Any ideas appreciated. Thanks.
>
> Greg

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
---
ABS Computer Technology, Inc. - www.ABS-CompTech.com
SPAM Zapper - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard Alliance

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Problems with Outlook CWS?
Can someone tell me if they have any users with:

    Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)

What version is this? Are there attachment or MIME issues with this email client?

--
Albert E. Whale, CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. - www.ABS-CompTech.com
Re: [Mimedefang] running but not working
Tom Jones wrote:
> I have clamav installed, still not sure about spamassassin, and I have
> mimedefang installed. It shows that it is running when I ps -ax but there
> is nothing in the maillog that shows mimedefang is doing anything. I am
> running this on a bsd machine. help!! it is not filtering a thing
>
> Tom Jones

Tom,

Did you compile Sendmail with the MILTER option? Check it out with this command:

    sendmail -d0.1 -bt < /dev/null

If it does not contain something like the following, that may be your first issue:

    Version 8.12.11
     Compiled with: DNSMAP LOG MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND
                    NETINET NETUNIX NEWDB SCANF USERDB XDEBUG

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer Networking Specialists
SPAM Zapper(TM) - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
President of the Pittsburgh InfraGard
[Mimedefang] MD 2.43 - Missing Viruses
I've noticed that several viruses are getting through my mimedefang filter. One sample is a copy of a bounce message including the headers, and multi-part MIME attachments containing the . The virus is detectable with clamscan, but not with antivir. I am not certain if this is an issue with the message structure, or MD 2.43.

Since May 10th, I have received six viruses which were not detected with MD 2.43 (previously I had no issues with MD virus detection). Has anyone else received a virus coming through their installation lately?

I realize that the message is actually a resend of an 'original' (or better yet, spoofed) message. But the attachment type (message.scr) is still not permitted. Is it because of the obfuscation of the message, or is there more filtering that was required in order to capture this email?

While I can repeat this one message getting through the MD scanner (although it is correctly detected as spam) and receive a warning from my PC scanner, I don't want to rely on my laptop's antivirus scanner. I am wondering if the assortment of MIME types is the latest formula from our friends the hackers.
Here is part of the original message for the formatting information:

    From - Sat May 29 01:26:26 2004
    X-UIDL: 40b81caf001a
    X-Mozilla-Status:
    X-Mozilla-Status2:
    Return-Path: [EMAIL PROTECTED]
    Received: from server43.totalchoicehosting.com (server43.totalchoicehosting.com [209.51.157.42])
            by ns.ABS-CompTech.com (8.12.10/8.12.10) with ESMTP id i4T5Kvvp010138
            for [EMAIL PROTECTED]; Sat, 29 May 2004 01:20:58 -0400
    Received: from mailnull by server43.totalchoicehosting.com with local (Exim 4.34)
            id 1BTpey-00073b-Pf
            for [EMAIL PROTECTED]; Fri, 28 May 2004 18:17:04 -0400
    X-Failed-Recipients: [EMAIL PROTECTED]
    Auto-Submitted: auto-generated
    From: Mail Delivery System [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Mail delivery failed: returning message to sender
    Message-Id: [EMAIL PROTECTED]
    Date: Fri, 28 May 2004 18:17:04 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server43.totalchoicehosting.com
    X-AntiAbuse: Original Domain - abs-comptech.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain -
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-SPAM-Checked-by: www.No-JunkMail.com
    X-SPAM-Checked-by: The SPAM Zapper tm
    Status:

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      [EMAIL PROTECTED]
        This message has been rejected because it has
        a potentially executable attachment "message.scr"
        This form of attachment has been used by
        recent viruses or other malware.
        If you meant to send this file then please
        package it up as a zip file and resend it.

    -- This is a copy of the message, including all the headers. --

    Return-path: [EMAIL PROTECTED]
    Received: from [66.153.141.82] (helo=timebrush.com)
            by server43.totalchoicehosting.com with esmtp (Exim 4.34)
            id 1BTpev-0006u4-0R
            for [EMAIL PROTECTED]; Fri, 28 May 2004 18:17:04 -0400
    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Mail Delivery (failure [EMAIL PROTECTED])
    Date: Fri, 28 May 2004 18:17:03 -0400
    MIME-Version: 1.0
    Content-Type: multipart/related;
            type="multipart/alternative";
            boundary="=_NextPart_000_001B_01C0CA80.6B015D10"
    X-Priority: 3
    X-MSMail-Priority: Normal

    This is a multi-part message in MIME format.

    --=_NextPart_000_001B_01C0CA80.6B015D10
    Content-Type: multipart/alternative;
            boundary="=_NextPart_001_001C_01C0CA80.6B015D10"

    --=_NextPart_001_001C_01C0CA80.6B015D10
    Content-Type: text/plain;
            charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    --=_NextPart_001_001C_01C0CA80.6B015D10
    Content-Type: text/html;
            charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META content=3D"text/html; charset=3Diso-8859-1" =
    http-equiv=3DContent-Type>
    <META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ff>If the message will not displayed automatically,<br>
    follow the link to read the delivered message.<br><br>
    Received message is available at:<br>
    <a href=3D"cid:[EMAIL PROTECTED]" height=3D0 width=3D0>www.timebrush.com/inbox/webmaster/read.php?sessionid-27050</a>
    <iframe src=3D"cid:[EMAIL PROTECTED]" height=3D0 width=3D0></iframe>
    <DIV>&nbsp;</DIV></BODY></HTML>

    --=_NextPart_001_001C_01C0CA80.6B015D10--

    --=_NextPart_000_001B_01C0CA80.6B015D10
    Content-Type: audio/x-wav;
            name="message.scr"
    Content-Transfer-Encoding: base64
    Content-ID: [EMAIL PROTECTED]

    TVqQAAME//8AALgAQAAA
    [snip]
    Vp96R29mUudzUXVyY582Tzqpaw1iYWQWEElpbrZueko9dE2+ZClsXbMiRvFweUlSm+R0RkTA
Re: [Mimedefang] MD 2.43 - Missing Viruses
Thanks for the reply.

David F. Skoll wrote:
> > -- This is a copy of the message, including all the headers. --
>
> The bounce message doesn't encapsulate the virus in a MIME message, but
> just sticks the whole original message in a text/plain part. So MIMEDefang
> never sees the virus, and any e-mail client that *does* attempt to decode
> the virus is completely broken.
>
> MIMEDefang is behaving correctly.

OK, MIMEDefang is behaving correctly, but I don't want to send viruses to my users. The problem is not with the rest of the world, as this virus is detected with a manual scan using clamscan. Unfortunately the PC tool that detects it is Norton Anti-Virus, used the world over.

I can manually run the scanner on the mbox file and detect the virus. I just cannot see what the difference is between a manual scan and an MD scan, given the same tools. I am filtering with MD using the sequence:

    # Virus scan
    # Copy original message into work directory as an mbox file for
    # virus-scanning
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan for viruses if any virus-scanners are installed
    my($code, $category, $action) = message_contains_virus();

    # Lower level of paranoia - only looks for actual viruses
    $FoundVirus = ($category eq "virus");

SO, if MD is behaving correctly, why can I scan the mbox manually and find the virus, but not while using MD? BTW, I am running the same command line for clamscan manually as what is run from MD.

Now I am confused: if I copy the original message to the work dir. as an mbox and cannot detect it, I would think that I should not be able to perform the same function manually. Right? Wrong? Did this make sense?

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
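To make David's point concrete, here is an added Python example (not MIMEDefang's code and not from the thread) that builds a constructed bounce in the shape shown above: the original message, base64 message.scr part and all, is pasted verbatim into a single text/plain body. A plain MIME walk, which is the view a milter-side scanner gets, reports no attachment at all; a second pass that re-parses text/plain bodies containing a pasted RFC 822 message recovers the hidden filename so it can be flagged. The addresses, boundary and base64 body are placeholders.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): a bounce whose only MIME part is
# text/plain, with the original message pasted in verbatim, structure and all.
BOUNCE = """\
From: Mail Delivery System <mailer-daemon@example.invalid>
Subject: Mail delivery failed: returning message to sender
Content-Type: text/plain

------ This is a copy of the message, including all the headers. ------

From: sender@example.invalid
Subject: Mail Delivery (failure user@example.invalid)
Content-Type: multipart/related; boundary="=_NextPart_000_001B"

--=_NextPart_000_001B
Content-Type: text/html; charset="iso-8859-1"

<html><body>Received message is available at the link below.</body></html>
--=_NextPart_000_001B
Content-Type: audio/x-wav; name="message.scr"
Content-Transfer-Encoding: base64

TVqQAAME//8AALgAQAAA
--=_NextPart_000_001B--
"""

RISKY_EXT = (".scr", ".pif", ".exe", ".com", ".bat")
EMBEDDED_HDR = re.compile(r"^(From|Return-path|Received):", re.I | re.M)

def attachment_names(msg) -> list:
    """Filenames a plain MIME walk reports: the view a milter-side scanner gets."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def embedded_attachment_names(msg) -> list:
    """Re-parse text/plain bodies that hold a pasted RFC 822 message."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()
        m = EMBEDDED_HDR.search(body)  # first header line of the inner message
        if m:
            inner = email.message_from_string(body[m.start():], policy=policy.default)
            found.extend(attachment_names(inner))
    return found

def scan_raw(raw: str) -> dict:
    """Both views side by side, flagging risky names only the re-parse reaches."""
    msg = email.message_from_string(raw, policy=policy.default)
    visible, hidden = attachment_names(msg), embedded_attachment_names(msg)
    return {"visible": visible, "hidden": hidden,
            "flag": [n for n in hidden if n.lower().endswith(RISKY_EXT)]}
```

Running scan_raw(BOUNCE) returns an empty visible list and ['message.scr'] as both hidden and flagged, which is exactly the gap between the milter's MIME view and a scanner run over the whole mbox file.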
Re: [Mimedefang] MD 2.43 - Missing Viruses
David F. Skoll wrote:
> Enable ScanMail in your clamav.conf

It is.

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
Re: [Mimedefang] MD 2.43 - Missing Viruses
Albert Whale wrote:
> David F. Skoll wrote:
> > Enable ScanMail in your clamav.conf
>
> It is.

My config info:

    grep -v ^# /usr/etc/clamav.conf | sort | uniq

    AllowSupplementaryGroups
    ArchiveBlockEncrypted
    ArchiveMaxCompressionRatio 200
    ArchiveMaxFiles 1000
    ArchiveMaxFileSize 10M
    ArchiveMaxRecursion 5
    ClamukoIncludePath /home
    ClamukoMaxFileSize 1M
    ClamukoScanArchive
    ClamukoScanOnClose
    ClamukoScanOnExec
    ClamukoScanOnOpen
    FixStaleSocket
    FollowDirectorySymlinks
    FollowFileSymlinks
    LocalSocket /var/spool/MIMEDefang/clamd.sock
    LogFileMaxSize 10M
    LogFile /var/log/clamd.log
    LogSyslog
    LogTime
    MaxConnectionQueueLength 30
    MaxDirectoryRecursion 15
    MaxThreads 10
    PidFile /var/run/clamd.pid
    ReadTimeout 300
    ScanArchive
    ScanMail
    ScanOLE2
    SelfCheck 600
    StreamMaxLength 10M
    StreamSaveToDisk
    TemporaryDirectory /var/tmp
    User defang

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
Re: [Mimedefang] MD 2.43 - Missing Viruses
David F. Skoll wrote:
> Well, that's odd. Does clamdscan (not clamscan) catch it?

Yes, I thought that it was odd as well. That's why I'm reporting it.

My original testing included both clamd and clamscan configurations in MD. My most recent testing was with clamd disabled (so that I could narrow down any other issues in the filter). Manually testing the sample with clamdscan DID correctly identify the virus.

What's next?

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
Re: [Mimedefang] MD 2.43 - Missing Viruses
David F. Skoll wrote:
> On Mon, 31 May 2004, Albert Whale wrote:
> > My original testing included both clamd and clamscan configurations in MD.
>
> Did you run Clam on the actual MIMEDefang spool directory, or on a copy of
> the message in the quarantine?

Ok, well I don't have the original quarantine file, so I did the next best thing, and that was to rerun the message (from several different servers/domains). While they all detected SPAM, none detected the virus. Seriously, I did the testing every way I could think of (thanks for the offsite testing offers).

In reviewing the clamd.log log, I noticed that all of the detections had three (3) entries in the logs. I was able to track this message to the entry in the /var/log/clamd.log file. Unfortunately, this entry is a SINGLE entry:

    Sat May 29 01:20:59 2004 - /var/spool/MIMEDefang/mdefang-i4T5Kvvp010138/Work/INPUTMBOX: Worm.SomeFool.P FOUND

The mdefang-i4T5Kvvp010138 matches the header in the message:

    by ns.ABS-CompTech.com (8.12.10/8.12.10) with ESMTP id i4T5Kvvp010138
    for [EMAIL PROTECTED]; Sat, 29 May 2004 01:20:58 -0400

As I indicated, the previous entries all had three lines:

    Fri May 28 22:23:02 2004 - /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND
    Fri May 28 22:23:02 2004 - /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND
    Fri May 28 22:23:02 2004 - /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND

It would appear that clamd DID identify the virus correctly. However, there is only one line entry in the logfile, while all of the other detections include three? I'm confused.

Any NEW or fresh ideas?

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
Founding Board of Directors of Pittsburgh FBI - InfraGard
Re: [Mimedefang] clamscan missing some virus's
Lucas Albers wrote:
> I am currently using filescan/clamscan/fprot/mcafee virus scanners. On
> viruses that get missed by clamscan, I get notified, and then I report the
> virus to clamav for inclusion. I have been seeing 2-4 viruses slip by per
> day. This is on a volume of 200-300 viruses per day. These viruses are
> quarantined. When I run a manual scan, with the same options, it appears to
> pick them up.
>
> Any ideas why it could be missing the viruses? Or what I could do to
> troubleshoot?

Lucas,

What command do you use to scan the virus objects manually?

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com
Re: [Mimedefang] horsepower for Baysian
Charles Mount wrote:
> I am running MimeDefang 2.39 with SpamAssassin 2.63 on Sendmail or
> Sendmail-Switch. I have a collection of SUN computers running Solaris 8. I
> have a volume of about 12 million messages per week. Right now, the load
> average is staying below 4 on the eight processor computers.
>
> I am considering adding the Bayesian check to the plain SpamAssassin. I
> need some way of predicting whether I have enough computer horsepower to
> handle the extra load of the Bayesian checks. Does someone have data on
> how much the load average changed when the Bayesian check was turned on?

First of all, can you determine that you have your mail volume equally distributed over the existing Sun servers? Have you reviewed the existing bottlenecks in the configuration as it currently stands (i.e. is it well tuned?)?

Let's start there, as I'm not convinced that there may be other issues at play that can possibly reduce your load average and increase your throughput.

--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
http://www.abs-comptech.com http://www.No-JunkMail.com