[Mimedefang] Blocking ZIP viruses

2004-01-28 Thread Tomasz Ostrowski
I've modified mimedefang-filter so it blocks ZIP files with executables. It's ugly as hell (I do not know perl - it's copy-paste programming) but it works. It uses the zipinfo command to extract filenames. Have a look at the diff below. It blocks all recent Mydoom mails. Regards Tometzky --
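The poster's diff is not reproduced on this page. As an added example (not Tomasz's code, and not part of MIMEDefang), here is the same idea in Python using the standard-library zipfile module instead of shelling out to zipinfo: read the archive's directory without extracting, refuse any member whose name carries an executable suffix, and, going a little beyond the original, also refuse archives that are malformed, encrypted, too large, or nested beyond a small depth, since a scanner that chokes on a bad archive otherwise lets it through. The suffix list and all the limits are this example's own assumptions, not policy from the thread.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass

# Member name suffixes this example refuses inside an archive. Assumed policy
# list for illustration; the thread does not spell one out.
BLOCKED_SUFFIXES = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk", "cpl", "hta",
}


@dataclass
class ZipVerdict:
    action: str      # "ACCEPT" or "BOUNCE", the two outcomes a filter can pick here
    reason: str
    members: list    # top-level member names, useful for the log line


def name_is_blocked(name: str) -> bool:
    """True if any dotted suffix of the member name is on the blocked list.

    Checking every suffix rather than only the last one catches both
    'invoice.doc.exe' and padded names such as 'readme.txt        .scr'.
    """
    base = name.rsplit("/", 1)[-1].lower()
    return any(part.strip() in BLOCKED_SUFFIXES for part in base.split(".")[1:])


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2,
                max_members: int = 1000, max_nested_bytes: int = 5_000_000) -> ZipVerdict:
    """Decide whether a ZIP attachment may pass, without writing it to disk.

    Only the central directory is read at each level; a nested archive is
    opened in memory up to max_depth and only if its declared size is small.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unreadable archives get no benefit of the doubt (assumed policy).
        return ZipVerdict("BOUNCE", "malformed zip archive", [])
    with zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if len(infos) > max_members:
            return ZipVerdict("BOUNCE", f"{len(infos)} members exceeds {max_members}", names)
        for info in infos:
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member,
                # which no scanner can look inside.
                return ZipVerdict("BOUNCE", f"encrypted member {info.filename}", names)
            if name_is_blocked(info.filename):
                return ZipVerdict("BOUNCE", f"executable member {info.filename}", names)
            if info.filename.lower().endswith(".zip"):
                if depth + 1 > max_depth:
                    return ZipVerdict("BOUNCE", "archive nested too deeply", names)
                if info.file_size > max_nested_bytes:
                    return ZipVerdict("BOUNCE", f"nested archive {info.filename} too large", names)
                try:
                    inner = inspect_zip(zf.read(info), depth + 1, max_depth,
                                        max_members, max_nested_bytes)
                except (zipfile.BadZipFile, zlib.error, NotImplementedError):
                    # zipfile truncates at the declared size and then fails the
                    # CRC, so a lying header ends up here rather than in memory.
                    return ZipVerdict("BOUNCE", f"nested archive {info.filename} unreadable", names)
                if inner.action != "ACCEPT":
                    return ZipVerdict("BOUNCE", f"{info.filename}: {inner.reason}", names)
    return ZipVerdict("ACCEPT", "no blocked members", names)


def build_zip(members: dict) -> bytes:
    """Build an in-memory archive from {name: bytes}. Constructed input for demos only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a text-looking name with an executable suffix.
    sample = build_zip({"document.txt.exe": b"MZ" + b"\0" * 64})
    print(inspect_zip(sample))
```

In a real filter this would run over each part with a ZIP content type or .zip filename, and the verdict would feed action_bounce or action_discard; the check is deliberately separate from the mail glue so it can be unit-tested on archives alone.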

Re: [Mimedefang] stream_by_... and invalid users

2004-01-28 Thread John Nemeth
On Jan 29, 9:09pm, David F. Skoll wrote: } On Tue, 14 Oct 2003, John Nemeth wrote: } } PERL isn't one of my strong suits, but C is... Sendmail, you're } going to have a chat with Mr. Vi, and then you're going to have a chat } with Mr. GCC, said I... I will report back after it is fully

RE: [Mimedefang] New .zip virus?

2004-01-28 Thread Alastair Carey
Hi David, Yes, it's the [EMAIL PROTECTED] worm (that just rolls off the tongue, doesn't it? :) Symantec report here: http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] The zip is a 22 Kb archive that includes a single file, the worm itself. The zip file is delivered

Re: [Mimedefang] Razor question

2004-01-28 Thread David F. Skoll
On Wed, 28 Jan 2004, Jos De Graeve wrote: We're using razor through spamassassin but we see that the razor check adds approx 10 seconds to the time spamassassin needs to check a message. I am not surprised. Is it possible to speed up the razor check process ? Razor depends on network lookups,

[Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Scott Harris
I've been debugging why I've not been catching the new worm going around for the last day. This morning I finally received a new message that passed through my new configuration and was finally caught. What I had to do in order to get it to scan is alter mimedefang-filter and change the

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Roedel, Mark
Has clamd been restarted (or otherwise forced to reload its configuration) since your signatures were last updated? -- Mark Roedel Web Programmer / Analyst LeTourneau University -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Harris Sent:

Re: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Ole Craig
On 01/28/04 at 08:00, 'twas brillig and Scott Harris scrobe: Subject: [Mimedefang] Problem running clamd but not clamscan I've been debugging why I've not been catching the new worm going around for the last day. This morning I finally received a new message that passed through my new

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Scott Harris
Scott, et al - I had similar issues with clamd versus clamscan (see lists.roaringpenguin.com/pipermail/mimedefang/2003-December/018671.html) but nobody else seemed to (or at least, nobody responded) and I gave up due to lack of time. (Figuring, I've got a solution that works for

[Mimedefang] Tracking down the delay

2004-01-28 Thread Adam Porter
I'm getting long delays (30+ seconds) for every message with MD/SpamAssassin/Razor. I know this comes up a lot but I'd like to learn how to debug things a little better. Environment: Redhat Linux 9 on Intel (gobs of CPU/RAM) with sendmail 8.12.8+Milter (to be upgraded once this is solved), MD

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Scott Harris
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roedel, Mark Sent: Wednesday, January 28, 2004 8:23 AM To: [EMAIL PROTECTED] Subject: RE: [Mimedefang] Problem running clamd but not clamscan Has clamd been restarted (or otherwise forced to

Re: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Bryan Stansell
On Wed, Jan 28, 2004 at 11:44:51AM -0500, Ole Craig wrote: Scott - The problem I had seemed to be that MD wasn't actually talking to clamd. (Do you catch the EICAR text file with clamd enabled?) It would make sense that MD processed significantly faster if it's not incurring the

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Scott Harris
-- I'm tempted to take the same route, except for the fact that I noticed the filter time has gone up dramatically: Scott - The problem I had seemed to be that MD wasn't actually talking to clamd. (Do you catch the EICAR text file with clamd enabled?) It would make

[Mimedefang] Mimedefang with spamc/spamd

2004-01-28 Thread Steve Moore
I am a mimedefang and spamassassin newbie. I have both products installed and functioning on an AIX 5.1 server with commercial Sendmail. So pardon my question if it has been asked a million times before. Of course I am interested in the best performance I can get. Is it possible to

[Mimedefang] Using more than one virus scanner is a good idea.

2004-01-28 Thread Kelson Vibber
Mydoom/Novarg/Worm.SCO seems to be really persistent. Despite using both ClamAV and manual checking (for known filenames or zips with the particular file size), one copy actually got through to my inbox this morning where it was caught by Norton Antivirus. (Not that I would have opened it, of

Re: [Mimedefang] Mimedefang with spamc/spamd

2004-01-28 Thread Kelson Vibber
At 09:19 AM 1/28/2004, Steve Moore wrote: Is it possible to have mimedefang use spamc/spamd rather than loading spamassassin? And if so what changes do I make to mimedefang-filter to accomplish this? MIMEDefang calls SpamAssassin's perl routines directly. It doesn't actually load

Re: [Mimedefang] Anyone else having problems with Clamd 0.65?

2004-01-28 Thread Kelson Vibber
At 01:59 PM 1/27/2004, Lucas Albers wrote: Can you try just running clamscan? I was setting up a new backup mx server and when I ran clamd it had milter problems, it appeared just running clamscan worked correctly. That will probably be the next thing I try, if my current setup fails. I looked

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread dimon
Quoting Ole Craig [EMAIL PROTECTED]: On 01/28/04 at 08:32, 'twas brillig and Scott Harris scrobe: Subject: RE: [Mimedefang] Problem running clamd but not clamscan Scott, et al - I had similar issues with clamd versus clamscan (see

Re: [Mimedefang] Anyone else having problems with Clamd 0.65?

2004-01-28 Thread Lucas Albers
Kelson Vibber said: After upgrading ClamAV to 0.65 a few weeks ago, we've had problems where MIMEDefang will simply stop closing down slaves. Instead of timing out, MD slaves would just hang around forever, not pass anything through, and eventually max out and start tempfailing. Often just

Re: [Mimedefang] Mimedefang with spamc/spamd

2004-01-28 Thread Kevin A. McGrail
Because mimedefang runs its multiplexor/child processes and pre-loads SpamAssassin, you would have no benefits by using spamc/spamd. MD is already mimicking the purpose for those programs to the best of my knowledge. Regards, KAM I am a mimedefang and spamassassin newbie. I have both

Re: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Lucas Albers
I am contemplating this, switching to clamd instead of clamscan. when I ran clamdscan it pukes, so I will stay with what works, (for me) I also heard reports that clamd pukes on bad archives. My scan time is low enough with clamscan that I don't really see the point. --- SCAN SUMMARY

Re: [Mimedefang] Tracking down the delay

2004-01-28 Thread mfaurot
In article [EMAIL PROTECTED] you wrote: I'm getting long delays (30+ seconds) for every message with MD/SpamAssassin/Razor. [...] I've got spamassassin and MD logging but can't find any RBL debug info except for the delay times. Can anyone point me towards debugging this properly? I

Re: [Mimedefang] Mimedefang with spamc/spamd

2004-01-28 Thread Lucas Albers
Kelson Vibber said: At 09:19 AM 1/28/2004, Steve Moore wrote: Is it possible to have mimedefang use spamc/spamd rather than loading spamassassin? And if so what changes do I make to mimedefang-filter to accomplish this? MIMEDefang calls SpamAssassin's perl routines directly. It doesn't

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Lucas Albers
How did you get the timing for this from mimedefang? Scott Harris said: Random cut/paste with clamd Jan 28 00:24:01 linux1 mimedefang[11848]: i0S8O0R5011847: Filter time is 136ms Random cut/paste with clamscan Jan 28 07:28:14 linux1 mimedefang[13723]: i0SFRqHI013722: Filter time is 1823ms
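The "Filter time is Nms" lines quoted above are the quickest handle on where a delay comes from, and they answer the question in the Tracking-down-the-delay thread too. As an added example, not code from the thread or from MIMEDefang, here is a small Python parser that pulls those timings out of a maillog excerpt and flags filter times sitting just above a known lookup timeout: a cluster a little over 10 s or 15 s almost always means a network check (Razor, an RBL) waited out its timeout, not that the virus scanner is slow. The sample log lines are constructed in the same shape as the excerpts quoted above; the queue IDs and timings are made up. The timeout values are the SpamAssassin defaults for razor_timeout and rbl_timeout quoted later in the Razor-timeout thread on this page.

```python
import re
import statistics

# One regex for the "Filter time" lines MIMEDefang writes to the maillog; other
# syslog lines (sendmail, clamd) simply do not match and are skipped.
FILTER_TIME_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"mimedefang\[\d+\]: (?P<qid>\w+): Filter time is (?P<ms>\d+)ms$"
)

# Constructed sample in the shape of the excerpts quoted in the thread; the
# queue IDs and timings are invented for this example.
SAMPLE_LOG = """\
Jan 28 00:24:01 linux1 mimedefang[11848]: i0S8O1AB011850: Filter time is 136ms
Jan 28 00:25:17 linux1 mimedefang[11848]: i0S8PHCD011901: Filter time is 1823ms
Jan 28 00:26:03 linux1 mimedefang[11848]: i0S8Q3EF011955: Filter time is 31240ms
Jan 28 00:26:09 linux1 sendmail[11960]: i0S8Q9GH011960: from=<user@example.org>, size=1234
Jan 28 00:27:44 linux1 mimedefang[11848]: i0S8RiJK012002: Filter time is 10512ms
Jan 28 00:28:30 linux1 mimedefang[11848]: i0S8SULM012040: Filter time is 210ms
"""

# Lookup timeouts worth recognising in the data, in ms: SpamAssassin's defaults
# for razor_timeout (10 s) and rbl_timeout (15 s) as quoted on this page.
KNOWN_TIMEOUTS_MS = (10_000, 15_000)


def parse_filter_times(text):
    """Return [(queue_id, milliseconds), ...] for every matching line."""
    found = []
    for line in text.splitlines():
        m = FILTER_TIME_RE.match(line)
        if m:
            found.append((m.group("qid"), int(m.group("ms"))))
    return found


def near_timeout(ms, timeouts=KNOWN_TIMEOUTS_MS, slack_ms=2_000):
    """Which known timeout, if any, a filter time sits just above.

    A message that took slightly longer than a lookup timeout most likely spent
    that time waiting on the network check rather than on scanning.
    """
    for t in timeouts:
        if t <= ms <= t + slack_ms:
            return t
    return None


def summarize(times, slow_ms=10_000):
    """Summary statistics plus the messages worth looking at first."""
    values = [ms for _, ms in times]
    return {
        "count": len(values),
        "median_ms": statistics.median(values) if values else 0,
        "max_ms": max(values, default=0),
        "slow": [(qid, ms) for qid, ms in times if ms >= slow_ms],
        "timeout_suspects": [(qid, ms, near_timeout(ms)) for qid, ms in times
                             if near_timeout(ms) is not None],
    }


if __name__ == "__main__":
    print(summarize(parse_filter_times(SAMPLE_LOG)))
```

Feed it `grep 'Filter time' /var/log/maillog` for a day and compare the median with the outliers: a healthy box has a low median with a few slow messages that line up with a timeout, whereas a scanner problem (clamd not answering, for instance) pushes the median itself up.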

Re: [Mimedefang] disable antivirus for one user

2004-01-28 Thread Rick Mallett
How about sub filter_recipient() { my ($recip, $sender, $ip, $hostname, $first, $helo, @rcpt) = @_; return ('ACCEPT_AND_NO_MORE_FILTERING','ok') if lc($recip) =~ /[EMAIL PROTECTED]?/; return ('CONTINUE', 'ok'); } I'm assuming that ACCEPT_AND_NO_MORE_FILTERING is a valid

RE: [Mimedefang] disable antivirus for one user

2004-01-28 Thread Fox, Randy
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 28, 2004 12:19 PM To: [EMAIL PROTECTED] Subject: [Mimedefang] disable antivirus for one user snip does anyone have a quick way to say if the recipient is [EMAIL PROTECTED]

RE: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread Scott Harris
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas Albers Sent: Wednesday, January 28, 2004 10:02 AM To: [EMAIL PROTECTED] Subject: RE: [Mimedefang] Problem running clamd but not clamscan How did you get the timing for this from

[Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Cormack, Ken
List, Quite some time ago, we implemented greylisting, based on code snippets posted here by various people. I'd like to share a problem we're having, to see if it rings a bell with anyone on this list. When a triplet is first encountered, we tempfail the message and add the triplet to the
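The code snippets Ken refers to are not on this page. As an added example, not the list members' code, here is the triplet logic in Python in its minimal form: the first sight of an (IP, sender, recipient) triplet is tempfailed, a retry inside the minimum delay is tempfailed again, a retry after it is let through and remembered, and a triplet that is never retried is forgotten. The (action, message) return mirrors the convention of MIMEDefang's filter_recipient so it is clear where such a check plugs in; the three time windows, and the reply text in smtp_reply, are this example's assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet.

    The three windows below are this example's assumptions, not values from
    the thread; a production store would also need to survive restarts.
    """
    min_delay: float = 300.0             # seconds a retry must wait to be honoured
    max_unretried: float = 4 * 3600.0    # a triplet never retried is forgotten after this
    pass_ttl: float = 36 * 24 * 3600.0   # a proven triplet stays whitelisted this long
    first_seen: dict = field(default_factory=dict)
    last_passed: dict = field(default_factory=dict)

    def check(self, ip, sender, recipient, now=None):
        """Return an (action, message) pair in the style of filter_recipient."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), recipient.lower())

        passed = self.last_passed.get(key)
        if passed is not None and now - passed < self.pass_ttl:
            self.last_passed[key] = now          # keep a live triplet alive
            return ("CONTINUE", "ok")

        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_unretried:
            self.first_seen[key] = now           # first sight, or stale: start the clock
            return ("TEMPFAIL", "Greylisted, please try again later")
        if now - seen < self.min_delay:
            return ("TEMPFAIL", "Greylisted, please try again later")

        # Retried after the delay: the sender queues like a real MTA, let it in.
        del self.first_seen[key]
        self.last_passed[key] = now
        return ("CONTINUE", "ok")


def smtp_reply(verdict):
    """The SMTP reply the client sees for a verdict.

    451 with enhanced status 4.7.1 is a temporary failure; a client that turns
    that into a bounce is the broken sender this thread is about. The wording
    is assumed here; sendmail chooses its own text for a milter TEMPFAIL.
    """
    action, message = verdict
    if action == "TEMPFAIL":
        return f"451 4.7.1 {message}"
    return "250 2.1.5 Recipient ok"


if __name__ == "__main__":
    g = Greylist()
    print(smtp_reply(g.check("192.0.2.10", "a@example.org", "b@example.net")))
```

The `now` parameter exists so the retry timing can be tested without sleeping; the rest of the design follows from the thread's own description of the triplet.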

[Mimedefang] Tracking down the delay (Razor timeout!)

2004-01-28 Thread Adam Porter
I don't have a complete answer for you, but it occurs to me that you might want to tinker with the SpamAssassin configuration options rbl_timeout and razor_timeout. According to Mail::SpamAssassin::Conf(3pm) the defaults for these are 15 seconds for the rbl stuff and 10 seconds for the

Re: [Mimedefang] disable antivirus for one user

2004-01-28 Thread David F. Skoll
On Wed, 28 Jan 2004, Rick Mallett wrote: sub filter_recipient() { my ($recip, $sender, $ip, $hostname, $first, $helo, @rcpt) = @_; return ('ACCEPT_AND_NO_MORE_FILTERING','ok') if lc($recip) =~ /[EMAIL PROTECTED]?/; return ('CONTINUE', 'ok'); } That will work, but because

Re: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread David F. Skoll
On Wed, 28 Jan 2004, Cormack, Ken wrote: It seems that RFC brain-dead mailers are out there, that interpret a tempfail as if it were a 5.x.x permanent failure, and the failure is being handed back to the sending user's MUA. No, what's going on is that the brain-dead senders receive 4xx for

RE: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Cormack, Ken
Thank you, David, for shedding light on this. If nothing else, I can now say Put a sniffer on your segment, and see for yourself. Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David F. Skoll Sent: Wednesday, January 28, 2004 2:20 PM To: '[EMAIL

[Mimedefang] Not sure if MD is using clamd

2004-01-28 Thread Brad Tarver
I have a sendmail box acting as a gateway for 2 Exchange boxes. I have been using MD for several months now for appending legal disclaimers and SA. I have installed clamav 0.65, but I cannot tell if it is working. /var/log/maillog isn't giving any indication, and /tmp/clamd.log doesn't have any

RE: [Mimedefang] Not sure if MD is using clamd

2004-01-28 Thread Scott Harris
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Tarver Sent: Wednesday, January 28, 2004 12:05 PM To: [EMAIL PROTECTED] Subject: [Mimedefang] Not sure if MD is using clamd I have a sendmail box acting as a gateway for 2 Exchange

Re: [Mimedefang] Tracking down the delay (Razor timeout!)

2004-01-28 Thread Kelson Vibber
At 11:21 AM 1/28/2004, Adam Porter wrote: So I guess my questions now are: How do I set up a good, reliable set of RBLs? Do I need to invest a lot of time or can I automate it? Is this an anomaly with cloudmark's db/service or does this kind of thing happen a lot? (PS: I

Re: [Mimedefang] disable antivirus for one user

2004-01-28 Thread Lucas Albers
David F. Skoll said: That will work, but because of a limitation in Milter, the message won't be filtered even if there's more than one recipient.-- Big D, I believe this particular milter problem was fixed in sendmail 8.12.11 Does that sound right? changelog for 8.12.11 When a milter invokes

Re: [Mimedefang] disable antivirus for one user

2004-01-28 Thread David F. Skoll
On Wed, 28 Jan 2004, Lucas Albers wrote: I believe this particular milter problem was fixed in sendmail 8.12.11 Does that sound right? No. They fixed a different problem. Because of the way SMTP works, there's no way to filter messages differently for different recipients of a

Re: [Mimedefang] Tracking down the delay (Razor timeout!)

2004-01-28 Thread Adam Porter
[EMAIL PROTECTED] wrote: I personally have chosen not to use all of the various RBLs that SpamAssassin uses by default and have instead just enabled RCVD_IN_SBL[1], HABEAS_VIOLATOR[2], RCVD_IN_DYNABLOCK[3] and created my own RBL rules to access SpamHaus' XBL list[4]. What I wound up doing was just

Re: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Rick Mallett
On Wed, 28 Jan 2004, David F. Skoll wrote: On Wed, 28 Jan 2004, Cormack, Ken wrote: It seems that RFC brain-dead mailers are out there, that interpret a tempfail as if it were a 5.x.x permanent failure, and the failure is being handed back to the sending user's MUA. No, what's going on

[Mimedefang] verify mimedefang+pyzor or razor are working

2004-01-28 Thread Lucas Albers
How do you verify mimedefang is using razor/pyzor? I just set a new secondary mx, and not sure that sa and mimedefang are using it. It works fine on the other box, but I can't remember how I verified it. I'm led to believe that it's not working because I am not getting a razor induced delay on my

Re: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread alan premselaar
On 1/29/04 1:44 AM, "Ole Craig" [EMAIL PROTECTED] wrote: On 01/28/04 at 08:32, 'twas brillig and Scott Harris scrobe: Subject: RE: [Mimedefang] Problem running clamd but not clamscan Scott, et al - I had similar issues with clamd versus clamscan (see

Re: [Mimedefang] verify mimedefang+pyzor or razor are working

2004-01-28 Thread mfaurot
In article [EMAIL PROTECTED] you wrote: How do you verify mimedefang is using razor/pyzor? It's more of a SpamAssassin configuration option. But essentially, if it's working, you should see entries in the razor-agent.log for every message that comes in. You should be able to cross check the

Re: [Mimedefang] Tracking down the delay (Razor timeout!)

2004-01-28 Thread Michael Faurot
In article [EMAIL PROTECTED] you wrote: In the meantime, shortening those delay limits will definitely help us protect our performance if any of them has problems. Another list member posted today, in a different thread, about using the '-T' option when starting mimedefang to get timing

[Mimedefang] sample code to time malware scans using Time::HiRes

2004-01-28 Thread Jeremy Mates
* alan premselaar [EMAIL PROTECTED] I'm not sure how to get the filter times into the syslog like that however, I'd be willing to help in any way I can. Perhaps something like the following in mimedefang-filter: use Time::HiRes (); after installing Time::HiRes if needed and enabling syslog

Re: [Mimedefang] Handling different viruses: discard message vs. drop attachment

2004-01-28 Thread Lucas Albers
Kelson Vibber said: But once upon a time there were viruses that attached themselves to legit messages (remember happy99?), and the best choice there is to remove the infected attachment and pass the rest of the message along. I know I'm not the only one who keeps a list of known mass-mailers

Re: [Mimedefang] Handling different viruses: discard message vs. drop attachment

2004-01-28 Thread Bill Maidment
Kelson Vibber wrote: OK, I think most people here would agree that just about all modern viruses generate their own messages rather than piggybacking on existing mail, so for anything like Klez, Sobig, and Mydoom, the obvious choice is to just discard the entire message (possibly placing it

Re: [Mimedefang] Greylist TEMPFAILS being viewed as 5.x.x PERM fails?

2004-01-28 Thread Jonas Eckerman
On Wed, 28 Jan 2004 14:14:34 -0500, Cormack, Ken wrote: It seems that RFC brain-dead mailers are out there, that interpret a tempfail as if it were a 5.x.x permanent failure, and the failure is being handed back to the sending user's MUA. Yep, they are. And with stupid error messages as

Re: [Mimedefang] Using more than one virus scanner is a good idea.

2004-01-28 Thread Elders Real Estate Ballina
Glad to see I wasn't the only one. I tracked back through the logs to see why it got through clamd and MD... trying to work out why one slipped into my inbox which the backup AV caught, not that I would have opened it anyway. From the log ... The SA tagged a few things Milter delete: header

Re: [Mimedefang] Using more than one virus scanner is a good idea.

2004-01-28 Thread Bill Maidment
We've had a couple like this and it turned out that the message.zip file didn't contain the virus. Maybe there's a hoax virus going around or someone has sanitised it along the way. We've also had malformed .zip files get through until we changed the clamav call to specifically do --unzip