Gary Funck | 2 Aug 2010 23:46

Re: MD and ClamAV

On 07/22/10 12:06:36, Mișu Moldovan wrote:
> [...]
> In fact, I have given up on using an AV on the MX servers altogether,
> just ban the dangerous file extensions like com, exe, pif, lnk etc.
> and you are good to go. [...]

CLAMAV is also useful for spam filtering.  We use the
"SANE Security" anti-spam, custom signatures, which
seem to improve spam detection in some instances,
though I haven't tried to measure its capabilities.
see: http://www.sanesecurity.com/

- Gary

Gary Funck | 3 Aug 2010 01:18

CLAMAV: pid files, sockets, and init scripts

Recently, I upgraded to the latest clamav-unofficial-sigs
script/config. file, and while doing that noticed
a few issues that relate to the init scripts distributed
via .rpm and some unexpected clamav behavior:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2158

A couple of questions:

1) How does MimeDefang deal with clamav starting/stopping?
I ask, because the current init scripts implement
"reload" as a stop/start operation.

2) How does MimeDefang deal with the situation that
clamd socket file is deleted by either clamd when
it shuts down, or the init script when it executes
a "stop" operation?

3) Per the bug report above, the clamav developer states:

    "clamdscan --reload will reload the DB, and so
    will SIGUSR2.  There is no command to reload the
    config file, which is probably what the initscript
    wants to do with reload."

Is there a Linux/Unix guideline that states something
along the lines that an init.d controlled service 
must interpret "reload" narrowly to only reload the
config. file, or is it acceptable to also clear
caches, reload databases, etc.?


Steffen Kaiser | 3 Aug 2010 08:52

Re: CLAMAV: pid files, sockets, and init scripts


On Mon, 2 Aug 2010, Gary Funck wrote:

> 2) How does MimeDefang deal with the situation that
> clamd socket file is deleted by either clamd when
> it shuts down, or the init script when it executes
> a "stop" operation?

If you look at entity_contains_virus_clamd() in mimedefang.pl,
you'll see that the socket is opened for each request.

> 3) Per the bug report above, the clamav developer states:
>
>    "clamdscan --reload will reload the DB, and so
>    will SIGUSR2.  There is no command to reload the
>    config file, which is probably what the initscript
>    wants to do with reload."
>
> Is there a Linux/Unix guideline that states something
> along the lines that an init.d controlled service
> must interpret "reload" narrowly to only reload the
> config. file, or is it acceptable to also clear
> caches, reload databases, etc.?

http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html

"
reload  cause the configuration of the service to be reloaded without 
actually stopping and restarting the service
"

- | 9 Aug 2010 23:36

Bug at SA website: SA 3.3.1 - Is "local.cf" read in TWICE when loading configuration files?

URL:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6481

Could we make certain that MIMEDefang isn't the cause of this?  Thanks.

Steffen Kaiser | 10 Aug 2010 10:25

Re: Bug at SA website: SA 3.3.1 - Is "local.cf" read in TWICE when loading configuration files?


On Mon, 9 Aug 2010, - wrote:

> URL:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6481
>
> Could we make certain that MIMEDefang isn't the cause of this?  Thanks.

How do you invoke SpamAssassin in your filter?
Do you have these settings in /etc/mail/sa-mimedefang.cf, too?

Regards,

-- 
Steffen Kaiser

mimedefang | 10 Aug 2010 16:20

MIMEDefang and monit

I'm using MIMEDefang and monit on Debian lenny, all up-to-date.

From time to time spamassassin, clamav and MIMEDefang stop working 
without any hints in the logfiles. 

After all I started using monit. No problems with spamassassin and 
clamav, but the MIMEDefang process wasn't started again.

The startup-script for MIMEDefang will start 2 processes, mimedefang 
and mimedefang-multiplexor, and I believe, that's the problem, because 
the mimedefang-multiplexor still keeps running, while mimedefang 
crashed.

It seems to me that monit parses the output of the startup-script and 
therefore doesn't restart MIMEDefang properly (manual restart or 
stop/start no problem).

As I understood from the man-pages of monit, it first tries to stop 
the process, then start it again, so something like:
  invoke-rc.d mimedefang stop    (Debian style!)
  invoke-rc.d mimedefang start
or
  /etc/init.d/mimedefang start  
  /etc/init.d/mimedefang stop

If I do it manually (with killed mimedefang but running 
mimedefang-multiplexor) it shows the following:
   # invoke-rc.d mimedefang stop
   Shutting down mimedefang:     /etc/init.d/mimedefang: line 307: kill: (9820) - No such process
   /usr/bin/mimedefang: no process killed [FAILED]
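
The failure shown above (stop aborting on a dead milter while the multiplexor keeps running, so a supervisor's stop/start never reaches the start step) is what a tolerant stop action avoids. The following is an added example in POSIX sh, not the Debian init script from the post; the pid file paths and the order in which the two processes are stopped are assumptions. A pid file whose process is gone is removed and reported but does not make stop fail.

```shell
#!/bin/sh
# Added example, not the Debian mimedefang init script.  Pid file locations are
# assumptions; use whatever pid files the real script has the daemons write.
MD_PIDFILE=${MD_PIDFILE:-/var/run/mimedefang.pid}
MX_PIDFILE=${MX_PIDFILE:-/var/run/mimedefang-multiplexor.pid}

# pidfile_pid PIDFILE: print the numeric pid stored in PIDFILE, or nothing at all.
pidfile_pid() {
    [ -r "$1" ] && tr -cd '0-9' < "$1"
}

# stop_one LABEL PIDFILE: terminate the process recorded in PIDFILE if it is still
# alive, give it up to ~10 s to exit, then remove the pid file.  The case from the
# thread, a pid file left behind by a process that has already died, is cleaned up
# and reported but does NOT make the function fail, so a supervisor's stop/start
# cycle (monit's restart) continues on to the start step.
stop_one() {
    label=$1
    pidfile=$2
    pid=$(pidfile_pid "$pidfile")
    if [ -z "$pid" ]; then
        echo "$label: no pid file, nothing to stop"
        return 0
    fi
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "$label: stale pid file (pid $pid is not running), removing it"
        rm -f "$pidfile"
        return 0
    fi
    kill -TERM "$pid" 2>/dev/null || true   # it may exit between the check and the kill
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "$label: pid $pid ignored SIGTERM, sending SIGKILL" >&2
        kill -KILL "$pid" 2>/dev/null || true
    fi
    rm -f "$pidfile"
    echo "$label: stopped"
}

# stop_mimedefang: stop the milter first so sendmail stops handing it mail, then
# the multiplexor (this ordering is a design choice here, not taken from the page).
stop_mimedefang() {
    rc=0
    stop_one mimedefang "$MD_PIDFILE" || rc=1
    stop_one mimedefang-multiplexor "$MX_PIDFILE" || rc=1
    return "$rc"
}

# Stand-alone use: "sh mimedefang-stop.sh stop".
if [ "${1:-}" = stop ]; then
    stop_mimedefang
fi
```

The point is that "kill: No such process" is not an error condition for a stop action: the desired end state (no milter running) already holds, so the script should clean up and return 0 rather than abort before the second process is handled.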

Kevin A. McGrail | 10 Aug 2010 18:29

Re: Bug at SA website: SA 3.3.1 - Is "local.cf" read in TWICE when loading configuration files?


> URL:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6481
>
> Could we make certain that MIMEDefang isn't the cause of this?  Thanks.
>    
I'd be shocked if this isn't a mimedefang-filter or duplicated 
information in a cf file on your installation.  I've used SA and MD in a 
number of ways and never seen this issue.

I'm not ruling things out but I would check what cf files you have in 
/etc/mail and /etc/mail/spamassassin and I'd post your 
mimedefang-filter for review.

Regards,
KAM
- | 10 Aug 2010 20:48

Re: Bug at SA website: SA 3.3.1 - Is "local.cf" read in TWICE when loading configuration files?

--- On Tue, 8/10/10, Kevin A. McGrail <KMcGrail <at> PCCC.com> wrote:
> > URL:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6481
> > 
> > Could we make certain that MIMEDefang isn't the cause of this?  Thanks.
> >    
> I'd be shocked if this isn't a mimedefang-filter or
> duplicated information in a cf file on your
> installation.  I've used SA and MD in a number of ways
> and never seen this issue.
> 
> I'm not ruling things out but I would check what cf files
> you have in /etc/mail and /etc/mail/spamassassin and I'd
> post your mimedefang-filter for review.

I'm not going to post the entire filter, but there is only one reference to SA from my MD code:

sub filter_end {
    my($entity) = @_;
    return if message_rejected();
    if ($Features{'SpamAssassin'} && (-s './INPUTMSG' < (128 * 1024))) {
        my($hits, $req, $names, $report) = spam_assassin_check();
        md_syslog('info',"$QueueID: Spam-Score=$hits Relay=$RelayAddr To=".
            join(',', @Recipients) . ($names ? " Rules=$names" : ''));
        action_insert_header('Authentication-Results', ...[DELETED]..., 0);
        if ($hits >= ($req / 3.6)) {
            action_add_part($entity, 'text/plain', '-suggest', $report,
                'SpamReport.text', 'attachment');
            if ($hits >= $req) {
...


Kevin A. McGrail | 10 Aug 2010 21:25

Re: Bug at SA website: SA 3.3.1 - Is "local.cf" read in TWICE when loading configuration files?


> As noted, spam_assassin_check() is the ONLY call I make to SA, and only in filter_end().
>
> I've taken a look at the subroutines in mimedefang.pl, and I note that in spam_assassin_init() a
> reference to "config" which selects a configuration file.  Although I don't select one explicitly, the
> routine may suggest that it picks one to load -- one that may already be loaded by SA itself, so the
> "user_prefs" parameter may not be needed.
>
> I experimented with setting an empty configuration, spam_assassin_check(""), and that worked. 
> Apparently, leaving the default allowed mimedefang.pl to pick a file that SA was already loading.  ARGH!
>
> The lines 6749-6759 in spam_assassin_init(), where it picks a configuration file if none was passed, are
> the problem.  The choices in the "/etc/mail/spamassassin/" directory are ALREADY LOADED by SA.  Perhaps
> they should be deleted?
>
> I conclude that MD is at fault in causing a file to be loaded twice.
> I also have my fix:  Explicitly pass "" as the configuration parameter to spam_assassin_check(), such
> that "user_prefs" =>  "" to the ..._init() call.
>

Copying the same information I put on Bugzilla for SA:

Hmm.  I think you are on the right track that it's not SA but I also don't
think it is MD, per se.

I think the key point you have to realize is that SA isn't loading anything
prior. MD is instead calling SA through an API at least by default since I
actually use MD to interact with SA through spamd/spamc.

Anyway, it sounds like to me you've got multiple cf files that are being read

Fred Bacon | 12 Aug 2010 18:24

suspicious characters in headers

Lately, I've been having problems with legitimate messages being
quarantined due to "suspicious characters in headers".  The messages in
question come from a Government mailing list from the National Institute
of Allergy and Infectious Diseases.  I can't see anything which I would
consider suspicious in the headers listed in the quarantine message.

Could someone explain what constitutes "suspicious characters" and how
this might be circumvented for these messages?  Is there any control
over the algorithm, or is this a case where I have to turn off this
feature completely to avoid the problem?

I'm running mimedefang 2.68 on a fully patched CentOS 5 system.

Fred Bacon

