Re: [Mimedefang] spams slipping by, because they bigger than the SA size cutoff

2006-02-01 Thread Stephen J. Smoogen
On 2/1/06, Gary Funck [EMAIL PROTECTED] wrote:


 I've had a couple of spams drop in my inbox recently,
 and at first, I couldn't see how they made it past SA.
 I looked at the headers, and to my surprise, the message
 hadn't been scanned by Spamassassin(!).  Why?  How?
 I looked further, and noticed that one message was 800K
 bytes, and the other 140K.  The first had an attached
 .wmv file (hopefully not one of _those_ .wmv files, but
 I didn't click on it to find out).


Well, depending on how patched your system is and what application
you are using for email, you do not have to click on the .wmv file. Just
having some clients process the email can cause problems (according to
one write-up about WMV). I would recommend that you put wmv on the
extensions block list and your problem is solved.

I would also recommend a grey-list or other mechanism.




--
Stephen J Smoogen.
CSIRT/Linux System Administrator

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Re: [Clamav-users] Once again a Newbe question

2005-11-20 Thread Stephen J. Smoogen
On 11/20/05, Darryl Baker [EMAIL PROTECTED] wrote:
 I'm building a new system with Sendmail 8.13.5, ClamAV 0.87.1, and
 MIMEDefang 2.49. I'm tearing out what little hair I have left trying
 to get everyone to play together. First it was sock permission
 problems for the MIMEDefang socket. Then it was finding the Clamd
 socket. Now MIMEDefang can't talk to Clamd on the socket. Anyone have
 a simple cheat sheet with who owns what and the mode they should be
 so everything just works as advertised and I can get on with tuning
 the rules?


The general way I have seen mimedefang+clamav set up has been with mimedefang
calling the clam process rather than using clamd. In any case, all the
items that need to talk to each other should run under the same
ownership. Normally this is the defang user.


 I had these working on my old system and I don't remember having this
 level of trouble.

 Darryl Baker
 [EMAIL PROTECTED]



 ___
 http://lurker.clamav.net/list/clamav-users.html



--
Stephen J Smoogen.
CSIRT/Linux System Administrator

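Added example (my own, not code from the thread or from MIMEDefang/ClamAV): a stand-alone Python check for the "who owns what, and can the other side connect" question above. Connecting to a UNIX-domain socket needs write permission on the socket inode plus search permission on every directory above it, so the check reports owner, group and mode and evaluates both for a named user. The socket it creates in a temporary directory is constructed test input; in practice you would point it at the clamd LocalSocket path and at the MIMEDefang socket, with "defang" (or whatever user the filter runs as) as the second argument.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def _user_groups(pw):
    """Primary plus supplementary gids of a passwd entry."""
    gids = {pw.pw_gid}
    for g in grp.getgrall():
        if pw.pw_name in g.gr_mem:
            gids.add(g.gr_gid)
    return gids


def _mode_allows(st, pw, user_bit, group_bit, other_bit):
    """Classic DAC decision: owner, then group, then other; root bypasses."""
    if pw.pw_uid == 0:
        return True
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in _user_groups(pw):
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def socket_access(path, user):
    """Report ownership of a UNIX-domain socket and whether `user` could
    connect to it (write bit on the socket, search bit on each parent dir)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX-domain socket")
    pw = pwd.getpwnam(user)
    can_write = _mode_allows(st, pw, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    blocked_dir = None
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if not _mode_allows(dst, pw, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            blocked_dir = d
            break
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return {
        "owner": _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
        "group": _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "can_connect": can_write and blocked_dir is None,
        "blocked_dir": blocked_dir,
    }


def current_user():
    return pwd.getpwuid(os.getuid()).pw_name


def make_test_socket(directory, name="clamd.sock", mode=0o660):
    """Create a bound, listening UNIX socket to run the check against
    (constructed stand-in for a real clamd or mimedefang socket)."""
    path = os.path.join(directory, name)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(1)
    os.chmod(path, mode)
    return path, s


def demo():
    """Create a 0660 socket in a temp dir and check it for the current user."""
    d = tempfile.mkdtemp()
    path, srv = make_test_socket(d)
    try:
        return socket_access(path, current_user())
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```

A result with can_connect false and blocked_dir set tells you the socket mode is fine but a parent directory (often the spool directory) is the real problem, which is the kind of thing that is hard to see from the "connection refused" or "permission denied" the filter logs.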


Re: [Mimedefang] learning database

2005-10-15 Thread Stephen J. Smoogen
On 10/15/05, Matevz [EMAIL PROTECTED] wrote:
 Hi,

 I am pretty new to mimedefang, so i have a question regarding to learning.
 When I use sa-learn command as root it stores data in /root/.spamassassin/ ?

 So I add these lines to sa-mimedefang.cf

 use_bayes 1
 use_bayes_rules 1
 bayes_path /root/.spamassassin/
 bayes_auto_learn 1
 bayes_learn_to_journal 1
 bayes_auto_expire 0
 Is this OK?


You need to have the database somewhere that mimedefang can read and write.

I am running Fedora Core 3 with mimedefang and spamassassin.
mimedefang runs as the user defang and uses /etc/mail/spamassassin for
its database area. How I set things up is the following:

gather 100+ yam and 100+ spam messages for the broth.

cp yam spam /tmp
chmod 0444 /tmp/yam /tmp/spam
su - root

chown defang.defang /etc/mail/spamassassin
chmod 0755 /etc/mail/spamassassin
su -s /bin/bash - defang

sa-learn --ham --mbox --dbpath /etc/mail/spamassassin/ /tmp/yam
sa-learn --spam --mbox --dbpath /etc/mail/spamassassin/ /tmp/spam

exit
rm /tmp/yam /tmp/spam
exit

That's about it. I am a small site with 4 email addresses so this works
well. I have heard that for larger sites you will want to extend this
with individual spamassassin databases, as one man's spam is another
man's yam.


 Because I think spamassassin does not use this database, how can i test
 this if it works?

Well you should also make sure the lines in
/etc/mail/mimedefang-filter are turned on:

if ($Features{"SpamAssassin"}) {
    # Compile the SpamAssassin rules once at startup, in the parent
    spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());
    if (defined($SASpamTester)) {
        # Persistent auto-whitelist database for the tester
        use Mail::SpamAssassin::DBBasedAddrList;
        my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
        $SASpamTester->set_persistent_address_list_factory($awl) if defined($awl);
    }
}

and

sub filter_end ($) {
    my($entity) = @_;
    return if message_rejected();
    if ($Features{"SpamAssassin"}) {
        # Only messages under 100kB are handed to SpamAssassin; anything
        # larger skips the spam check entirely.
        if (-s "./INPUTMSG" < 100*1024) {
            my($hits, $req, $names, $report) = spam_assassin_check();
            my($score);
            # Star bar: one '*' per point of score, clamped at 40
            if ($hits < 40) {
                $score = "*" x int($hits);
            } else {
                $score = "*" x 40;
            }
            if ($hits >= $req) {
                action_change_header("X-Spam-Score", "$hits ($score) $names");
                md_graphdefang_log('spam', $hits, $RelayAddr);
            } else {
                # below threshold: nothing added in this filter
            }
        }
    }
    md_graphdefang_log('mail_in');
}

If these are turned on you should see X-Spam-Score being added to
your messages.


--
Stephen J Smoogen.
CSIRT/Linux System Administrator

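Added example (my own, not code from the thread or from the MIMEDefang filter): a stand-alone Python model of the size gate in the filter_end shown above and of the X-Spam-Score value it produces, run over two constructed messages. It reproduces the situation from the 2006 message at the top of this page, where an 800K message carrying a .wmv attachment is never scored because the whole INPUTMSG exceeds the 100kB cutoff. The text_only_size measure is my suggestion for comparison (not something the thread proposes): gate on headers plus decoded text parts, so that bolting a large binary attachment onto a spam no longer exempts it. The 100kB limit and the 40-star clamp are the filter's own; the message contents are made up.

```python
import email
from email import policy
from email.message import EmailMessage

SA_LIMIT = 100 * 1024   # the '-s "./INPUTMSG" < 100*1024' cutoff in filter_end


def build_message(body, attachment=None, filename="clip.wmv"):
    """Constructed test input, returned as the raw bytes the MTA would hand
    to the filter (the attachment is base64-encoded by the email library)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "test"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="video", subtype="x-ms-wmv",
                           filename=filename)
    return msg.as_bytes()


def whole_message_size(raw):
    """What the filter measures: the byte size of the whole INPUTMSG file."""
    return len(raw)


def text_only_size(raw):
    """Alternative measure (assumption for this example): top-level headers
    plus decoded text/* bodies, ignoring binary attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    size = sum(len(k) + len(str(v)) + 4 for k, v in msg.items())  # "k: v\r\n"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            size += len(part.get_payload(decode=True) or b"")
    return size


def sa_would_run(size, limit=SA_LIMIT):
    """The gate itself: spam_assassin_check() is only called below the limit."""
    return size < limit


def spam_score_header(hits, req, names, max_stars=40):
    """X-Spam-Score value added when the score reaches the required
    threshold, star bar clamped at 40; None when below threshold."""
    if hits < req:
        return None
    stars = "*" * min(int(hits), max_stars)
    return f"{hits} ({stars}) {names}"


def decide(raw, hits, req, names, measure=whole_message_size):
    """Gate then score: returns (scanned, header_value_or_None)."""
    if not sa_would_run(measure(raw)):
        return (False, None)
    return (True, spam_score_header(hits, req, names))


if __name__ == "__main__":
    big = build_message("buy now " * 100, attachment=bytes(800 * 1024))
    print(whole_message_size(big), decide(big, 12.5, 5.0, "A,B"))
    print(text_only_size(big), decide(big, 12.5, 5.0, "A,B", measure=text_only_size))
```

The hits/req/names values are passed in rather than computed, because the point is the gate around the call, not SpamAssassin's scoring. Whichever measure you choose, the extension block list and greylisting suggested at the top of this page still apply, since a message that is never scanned gets no X-Spam-Score header at all and will not be caught by an MUA filter on that header.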


Re: [Mimedefang] [OT] clamd doesn't recognize virus

2005-09-21 Thread Stephen J. Smoogen
On 9/21/05, Marco Berizzi [EMAIL PROTECTED] wrote:
 Hello everybody.
 I'm using clam 0.87 with mimedefang 2.51.
 This morning a virus has been slipped through MD.
 This is the output from clamdscan:
 /tmp/photo.zip: OK

 Clearly clamd doesn't recognize it as a virus
 and MD accept the message.
 Hints?


Drop all zips until clamav gets a working signature?


--
Stephen J Smoogen.
CSIRT/Linux System Administrator



Re: OT: Re: [Mimedefang] Fedora to replace sendmail with Exim as default MTA?

2005-03-01 Thread Stephen J. Smoogen
On Mon, 28 Feb 2005 14:44:40 -0500 (EST), David F. Skoll
[EMAIL PROTECTED] wrote:
 On Mon, 28 Feb 2005, Nels Lindquist wrote:
 
   Huh.  I've already become so fed up with Red Hat that I'm switching to
   Debian anyway.  (Exim is the default on Debian, but it's easy to
   replace it with Sendmail.)
 
  Are you fed up with RedHat due to their packaging choices, or their
  pricing/licensing?
 
 Packaging choices, mostly.  I also don't like the way SELinux breaks
 almost everything useful. :-(
 

Can you give me some tips on where you are seeing this? I think if all
goes well I will be the Fedora packager for mimedefang... and want to
get it into place in a happy way.



-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator


Re: [Mimedefang] Ad / Announcement: CanIt is free for small organizations

2005-03-01 Thread Stephen J. Smoogen
On Tue, 01 Mar 2005 12:24:09 -0500, G. Roderick Singleton
[EMAIL PROTECTED] wrote:
 On Mon, 2005-02-28 at 16:32 -0500, David F. Skoll wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hi,
 
  I hope you don't consider this an abuse of the MIMEDefang list, but...
 
 
 I do not and thanks for the opportunity. All I hope for is that the
 Fedora1 release works under RH7.3

No, a Fedora 1 would work with RH9 pretty OK... but the changes in
threading models and other changes between 8 and 9 pretty much break
any chance of stuff working in 7.3.

 --
 G. Roderick Singleton [EMAIL PROTECTED]
 PATH tech
 
 


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator


Re: OT: Re: [Mimedefang] Fedora to replace sendmail with Exim as default MTA?

2005-03-01 Thread Stephen J. Smoogen
On Tue, 1 Mar 2005 14:39:47 -0500 (EST), David F. Skoll
[EMAIL PROTECTED] wrote:
 On Tue, 1 Mar 2005, Stephen J. Smoogen wrote:
 
  Can you give me some tips on where you are seeing this. I think if all
  goes well I will be the Fedora packager for mimedefang... and want to
  get it into place in a happy way.
 
 Well, it only affects CanIt.  Under Fedora's SELinux settings, Apache is
 not allowed to open a UNIX-domain socket.  Since the default for PostgreSQL
 is to use a UNIX-domain socket if the client is on the same host, it
 kind of breaks our software.
 
 I'm not familiar enough with SELinux configuration to know how to allow
 Apache to open a UNIX-domain socket.
 

I will look at it. It will affect some web socket stuff for other
database-driven items I am looking to package (drupal). That would
mean getting that working correctly.

 Regards,
 
 David.
 


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator


Re: [Mimedefang] Danger of .vcs files?

2004-09-30 Thread Stephen J Smoogen
Jim McCullars wrote:
On Thu, 30 Sep 2004, Jim Hatfield wrote:

I see that .vcs is listed in filter_bad_filename.

   I think David got those extensions from a list that Microsoft published
at one time.  At my site, I pared the list down considerably, to a list of
about 10 or so that are commonly used to send mail bombs.  .vcf isn't one
of them.

Which 10?

--
Stephen John Smoogen| CCN-5 Security Team
LANL SIRT Team Leader   | SMTP:  [EMAIL PROTECTED]
Los Alamos National Laboratory  | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S   | FAX:   505.665.7793
Los Alamos, NM 87545|
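Added example (my own, not the filter_bad_filename from mimedefang-filter and not the list Jim pared his down to, which the thread never gives): a stand-alone Python matcher with the same shape as the default filter's rule, a dot followed by a blocked extension or a CLSID in braces, then any number of trailing dots, anchored at the end of the name, plus a look at the names inside a zip attachment. It also covers the .wmv case from the 2006 message at the top of this page and the photo.zip case from the clamd thread above: an archive whose member names look executable can be blocked on the filename alone, before any signature exists, and the central directory is readable even when the archive is encrypted. The extension list is illustrative and an assumption of this example; the sample message is constructed.

```python
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Illustrative list only: the thread never says which ten extensions Jim
# kept, and the stock mimedefang-filter list is much longer.
BAD_EXTS = ["bat", "cmd", "com", "exe", "pif", "scr", "vbs", "vbe", "wsf", "wmv"]


def bad_filename_re(exts):
    """Pattern with the same structure as the default filter's rule:
    '.' + (extension | {CLSID}) + optional trailing dots + end of name.
    Matched case-insensitively (my choice for this example)."""
    alternatives = "|".join(re.escape(e) for e in exts) + r"|\{[^}]+\}"
    return re.compile(r"\.(" + alternatives + r")\.*$", re.IGNORECASE)


def is_bad_filename(name, regex):
    return name is not None and regex.search(name) is not None


def bad_names_in_zip(data, regex):
    """Member names inside a zip that the rule would block on their own.
    Only the central directory is read, so this works on encrypted archives
    too (names are stored in the clear); nested archives are not opened."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if regex.search(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw, regex):
    """Walk every MIME leaf part; return (filename, reason) for each part the
    rule would block, either directly or because of a zip member name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()   # Content-Disposition or Content-Type name
        if name is None:
            continue
        if regex.search(name):
            hits.append((name, "bad extension"))
        elif name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            inner = bad_names_in_zip(part.get_payload(decode=True), regex)
            if inner:
                hits.append((name, "zip contains " + ", ".join(inner)))
    return hits


def build_sample_message():
    """Constructed test input: a clean .JPG, a .WMV, and a zip whose only
    member is photo.jpg.exe (the double-extension trick)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ not really a program")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                       filename="holiday.JPG")
    msg.add_attachment(b"\x30\x26\xb2\x75", maintype="video", subtype="x-ms-wmv",
                       filename="clip.WMV")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="photo.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message(), bad_filename_re(BAD_EXTS)):
        print(f"{name}: {reason}")
```

Two caveats a filename rule cannot remove: it sees only the declared name, so a part with no filename parameter at all passes (MIMEDefang's own filter combines this with type and virus checks for that reason), and it does not open nested archives, so photo.zip inside pics.zip is not inspected here.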


Re: [Mimedefang] MIMEDefang 2.45-BETA-3 is available

2004-08-24 Thread Stephen J Smoogen
David F. Skoll wrote:
Hi,
MIMEDefang 2.45-BETA-3 is available at http://www.mimedefang.org/node.php?id=1
I would like this to be the last beta before the 2.45 Final release.
Full changelog going back to 2.44 follows.
Regards,
David.
How long of a test period do you want? I am running BETA2 on a small 
site at the moment without too many issues {all of the issues have been 
me being silly... except the sa-mimedefang overwritten one}.

Also, could you update the tarballs of recommended CPAN items to use if 
there have been any changes to what you would consider golden versus 
dead? I see that the DAG repository now has RPMs for mimedefang and 
such.. so you probably don't need my spec files now that I finally got 
the time to do them :(.

2004-08-23  David F. Skoll  [EMAIL PROTECTED]
* Version 2.45-BETA-3 released.
* Makefile.in: Prevent sa-mimedefang.cf from being overwritten.
* mimedefang.filter.5.in:  Correct some documentation errors.
* mimedefang.pl.in: Added and documented read_commands_file function
so that you can initialize certain global variables in
filter_sender and filter_recipient.  Code contributed by
Jan Pieter Cornet.
* mimedefang-multiplexor.c: Log UNIX error code if problem
communicating with a slave.
* mimedefang-multiplexor.c: Implement new commands help,
slaves, and slaveinfo.
* watch-mimedefang: added -command, -interval, -10s, -1m, -5m,
-10m and -title command-line options.
* mimedefang.pl.in(message_contains_virus_clamd): Time out if
clamd doesn't respond in 8 seconds.  Based on a patch from Chris
Myers.
* mimedefang-spec.in: Fix error in %preun script.
* watch-mimedefang.in: Many bug fixes.

--
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 | PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545


Re: [Mimedefang] [resend] Specfile bug: disables service on update

2004-08-10 Thread Stephen J Smoogen
David F. Skoll wrote:
Off topic: I hate RPM!  Does anyone have a *good* document where
all this stuff is documented?  Half the stuff in .spec files seems to
be undocumented magic.
Sorry.. I know most of my RPM via just working on them over and over and 
over again. I read Maximum RPM a long time ago, and am trying to dig 
through the new Red Hat RPM Guide, and by working at RH for 4 years ;). 
I can try to help on these issues.. now that I have my off-work website 
working a bit more.


Regards,
David.

--
Stephen John Smoogen[EMAIL PROTECTED]
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545