This is a discussion on [AMaViS-user] Re: AMaViS-user digest, Vol 1 #3334 - 3 msgs within the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.

Thanks to all for your help. I already activated it; it was simple, but I did not know how to do it. Now the problem is this: I receive the following in the amavis log when I do this to check if everything is OK:

tail -f /var/log/mail.err

I receive these messages:

Oct 3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon av-scanner FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 52) line 257.

And I sent a simple file with a virus and amavis let it pass.

Thanks again for all your help.

2005/10/3, amavis-user-request@lists.sourceforge.net <amavis-user-request@lists.sourceforge.net>:
> Send AMaViS-user mailing list submissions to
> amavis-user@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/...fo/amavis-user
> or, via email, send a message with subject or body 'help' to
> amavis-user-request@lists.sourceforge.net
>
> You can reach the person managing the list at
> amavis-user-admin@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of AMaViS-user digest..."
>
>
> Today's Topics:
>
> 1. Re: geocities spammers switched to new urls (mouss)
> 2. Re: AMaViS-user digest, Vol 1 #3333 - 12 msgs (Moises Rivera Alvarez)
> 3. Re: help f-prot amavis suse 9.3 (Gary V)
>
> --__--__--
>
> Message: 1
> Date: Mon, 03 Oct 2005 23:16:07 +0200
> From: mouss <usebsd@free.fr>
> To: Gregory Mokhin <mok@kde.ru>
> CC: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] geocities spammers switched to new urls
>
> Gregory Mokhin wrote:
>
> >Looks like same spammers that had used geocities before now send
> >messages with new urls (an excerpt):
> >
> >****
> >Free check-up details review with our approved expert.
> >
> >http://if.jlp.forwardthebest.com/n4j/
> >
> >message to oz, saying if he lilyhanded did not let them in self-politician
> >ruby port to see him at once they
> >****
> >
> >A question: is it actually useful to train SA on these messages?
> >Doesn't the garbage after the url just poison the bayes db?
> >
> >
> >
>
> You should train SA on all errors. if the words appear in lot of spam,
> then you get the training. if it happens in a lot of ham, it won't
> affect the results.
> and after all, bayes is not the only test in SA.
>
>
>
> --__--__--
>
> Message: 2
> Date: Mon, 3 Oct 2005 19:36:32 -0600
> From: Moises Rivera Alvarez <mriveracr2@gmail.com>
> Reply-To: Moises Rivera Alvarez <mriveracr2@gmail.com>
> To: amavis-user@lists.sourceforge.net
> Subject: [AMaViS-user] Re: AMaViS-user digest, Vol 1 #3333 - 12 msgs
>
> Thanks to all for your help. I already activated it; it was simple, but I did
> not know how to do it. Now
>
> the problem is this: I receive the following in the amavis log when I do this
> to check if everything is OK:
>
> tail -f /var/log/mail.err
>
> I receive these messages:
>
> Oct 3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon
> av-scanner FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't
> connect to INET socket 127.0.0.1:10200: Connection refused) at (eval
> 52) line 257.
>
> Thanks again for all your help.
>
> 2005/10/3, amavis-user-request@lists.sourceforge.net
> <amavis-user-request@lists.sourceforge.net>:
> > Send AMaViS-user mailing list submissions to
> > amavis-user@lists.sourceforge.net
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.sourceforge.net/lists/...fo/amavis-user
> > or, via email, send a message with subject or body 'help' to
> > amavis-user-request@lists.sourceforge.net
> >
> > You can reach the person managing the list at
> > amavis-user-admin@lists.sourceforge.net
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of AMaViS-user digest..."
> >
> >
> > Today's Topics:
> >
> > 1. whitelisting inconsistancy (Cami)
> > 2. Re: Amavis "fork" errors (Mark Martinec)
> > 3. Re: whitelisting inconsistancy (Mark Martinec)
> > 4. Re: whitelisting inconsistancy (Cami)
> > 5. Re: whitelisting inconsistancy (Mark Martinec)
> > 6. Re: help f-prot amavis suse 9.3 (Gary V)
> > 7. Re: help f-prot amavis suse 9.3 (Moises Rivera Alvarez)
> > 8. Re: help f-prot amavis suse 9.3 (Stephen Carter)
> > 9. Re: whitelisting inconsistancy (Cami)
> > 10. Re: help f-prot amavis suse 9.3 (Gary V)
> > 11. Re: help f-prot amavis suse 9.3 (Gary V)
> > 12. geocities spammers switched to new urls (Gregory Mokhin)
> >
> > -- __--__--
> >
> > Message: 1
> > Date: Mon, 03 Oct 2005 10:55:44 +0200
> > From: Cami <camis@mweb.co.za>
> > Reply-To: amavis-user@lists.sourceforge.net
> > To: amavis-user@lists.sourceforge.net
> > Subject: [AMaViS-user] whitelisting inconsistancy
> >
> > Hi All,
> >
> > Recently a few users have been complaining that after having
> > sender addresses whitelisted, they are still getting tagged
> > as spam. Looking at the logging across the cluster of amavisd-new
> > machines, it is confirmed. I'm unable to figure out exactly where
> > the issue could be. All records etc are stored inside MySQL..
> >
> > Sep 30 18:42:59 spamwall04.mweb.co.za amavis[23746]: (23746-01-10)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.79,Message-ID=<20050930164244.82239.qmail@web26701.mail.ukl.yahoo.com>,Size=2378
> > Sep 30 18:43:05 spamwall02.mweb.co.za amavis[5990]: (05990-01-73)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=3.89,Message-ID=<20050930164254.88814.qmail@web26710.mail.ukl.yahoo.com>,Size=2182
> > Sep 30 18:47:25 spamwall01.mweb.co.za amavis[25015]: (25015-01-15)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=5.2,Message-ID=<20050930164706.97877.qmail@web26708....kl.yahoo.com>,Size=3866
> > Sep 30 18:48:02 spamwall02.mweb.co.za amavis[28525]: (28525-01-28)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=1.951,Message-ID=<20050930164750.83245.qmail@web26701.mail.ukl.yahoo.com>,Size=2662
> > Sep 30 18:48:14 spamwall03.mweb.co.za amavis[23124]: (23124-01-12)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.79,Message-ID=<20050930164754.97828.qmail@web26707.mail.ukl.yahoo.com>,Size=2186
> > Sep 30 18:48:49 spamwall01.mweb.co.za amavis[30084]: (30084-01-19)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.6,Message-ID=<20050930164832.58595.qmail@web26709.mail.ukl.yahoo.com>,Size=2432
> > Sep 30 18:48:54 spamwall05.mweb.co.za amavis[9386]: (09386-02-80)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=3.7,Message-ID=<20050930164842.58605.qmail@web26709....kl.yahoo.com>,Size=2496
> > Sep 30 18:49:29 spamwall12.mweb.co.za amavis[31445]: (31445-01-99)
> >
> > ^^ Broken..
> >
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=-,Message-ID=<20050930164920.98268.qmail@web26708.mail.ukl.yahoo.com>,Size=2085
> > Sep 30 18:49:51 spamwall01.mweb.co.za amavis[15655]: (15655-01-33)
> >
> > ^^ Working..
> >
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=5.39,Message-ID=<20050930164934.58739.qmail@web26709.mail.ukl.yahoo.com>,Size=2696
> > Sep 30 18:50:39 spamwall06.mweb.co.za amavis[4985]: (04985-02-4)
> >
> > ^^ Broken..
> >
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=-,Message-ID=<20050930165021.10447.qmail@web26702.mail.ukl.yahoo.com>,Size=2268
> > Sep 30 18:50:39 spamwall09.mweb.co.za amavis[16191]: (16191-01-23)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=-,Message-ID=<20050930165025.85624.qmail@web26705.mail.ukl.yahoo.com>,Size=2590
> > Sep 30 18:51:10 spamwall04.mweb.co.za amavis[23746]: (23746-01-84)
> > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.6,Message-ID=<20050930165055.85732.qmail@web26705.mail.ukl.yahoo.com>,Size=2556
> >
> > Here it appears that whitelisting is broken again.
> >
> > Currently all the machines part of amavisd-new serverfarms
> > are the same software configuration/versions.
> >
> > amavisd-new-2.3.3 + SpamAssassin-3.1.0
> >
> > Please let me know if any other information is needed.
> >
> > Cami
> >
> >
> > -- __--__--
> >
> > Message: 2
> > From: Mark Martinec <Mark.Martinec+amavis@ijs.si>
> > Organization: J. Stefan Institute
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] Amavis "fork" errors
> > Date: Mon, 3 Oct 2005 14:49:10 +0200
> >
> > Scott,
> >
> > > Amavisd version is : amavisd-new-2.3.0
> >
> > Consider upgrading to 2.3.3.
> >
> > > About every 4-5 days, email will stop sending/receiving, and I get the
> > > following error in my amavisd log file.
> >
> > > Oct 1 16:14:41 ns1 /usr/local/sbin/amavisd[16241]: (16241-03) ESMTP>
> > > 451 4.5.0 Error in processing, id=16241-03, mime_decode-1 FAILED:
> > > run_command (open pipe):
> > > Can't fork at /usr/lib/perl5/5.8.3/i586-linux-thread-multi/IO/File.pm
> > > line 176. at /usr/local/sbin/amavisd line 1783.
> >
> > Like Gary said, check for resource depletion, like swap space full.
> > On some OS a tmpfs maps into swap.
> >
> > > After rebooting, amavisd will fail (kicked off via rc.local) with the
> > > following error:
> >
> > > Oct 1 16:28:34 ns1 /usr/local/sbin/amavisd[1015]: SpamControl:
> > > initializing Mail::SpamAssassin
> > > Oct 1 16:28:34 ns1 /usr/local/sbin/amavisd[1015]:
> > > TROUBLE in pre_loop_hook: Error creating a DNS resolver socket:
> > > Network is unreachable
> > > at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 202.
> >
> > The code there does:
> > $sock = IO::Socket::INET->new(%args);
> > $errno = $!;
> > die "Error creating a DNS resolver socket: $errno";
> >
> > It appears the IO::Socket::INET->new fails to connect
> > to resolver socket because "Network is unreachable"
> > (assuming you are not using IPv6 network addresses
> > to access local resolver)
> >
> > If you are using remote resolver in /etc/resolve.conf,
> > consider having a locally running 'named' as a caching-only DNS server.
> >
> > > After this, if I manually run /usr/local/sbin/amavisd it will start
> > > successfully.
> >
> > Seems like the network is not fully up by the time amavisd
> > is being started. Perhaps you need to reorder startup sequence.
> >
> > > The second part only started after I did the most recent update of
> > > SpamAssassin (SA version 3.1.0)
> >
> > SA 3.1 does DNS resolver setup differently in order to be able
> > to work around Net::DNS problems that were affecting SA 3.0.x.
> >
> > Mark
> >
> >
> > -- __--__--
> >
> > Message: 3
> > From: Mark Martinec <Mark.Martinec+amavis@ijs.si>
> > Organization: J. Stefan Institute
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] whitelisting inconsistancy
> > Date: Mon, 3 Oct 2005 15:16:15 +0200
> >
> > Cami,
> >
> > > Recently a few users have been complaining that after having
> > > sender addresses whitelisted, they are still getting tagged
> > > as spam. Looking at the logging across the cluster of amavisd-new
> > > machines, it is confirmed. I'm unable to figure out exactly where
> > > the issue could be. All records etc are stored inside MySQL..
> > >
> > > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.79,
> > > ^^ Broken..
> > >
> > > <mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=-
> > > ^^ Working..
> > >
> > > Currently all the machines part of amavisd-new serverfarms
> > > are the same software configuration/versions.
> > > amavisd-new-2.3.3 + SpamAssassin-3.1.0
> >
> > You are using a non-default $log_temp, so I don't know whether
> > the mmsain13@yahoo.es is a sender address or one of the two
> > recipient addresses. My first guess is that these users are
> > whitelisting a From address from a mail header, but amavisd-new
> > only works on SMTP envelope sender address.
> >
> > If this is not the case, it would be worth taking a look at level 4 or 5
> > log and see how the sender address lookups are being done.
> >
> > Mark
> >
> >
> > -- __--__--
> >
> > Message: 4
> > Date: Mon, 03 Oct 2005 15:48:06 +0200
> > From: Cami <camis@mweb.co.za>
> > Reply-To: amavis-user@lists.sourceforge.net
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] whitelisting inconsistancy
> >
> > Mark Martinec wrote:
> > > Cami,
> > >
> > >><mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Blocked,Hits=7.79,
> > >>^^ Broken..
> > >>
> > >><mmsain13@yahoo.es>,<mathurs@mweb.co.za>,Passed,Hits=-
> > >>^^ Working..
> > >>
> > >>Currently all the machines part of amavisd-new serverfarms
> > >>are the same software configuration/versions.
> > >>amavisd-new-2.3.3 + SpamAssassin-3.1.0
> > >
> > > You are using a non-default $log_temp, so I don't know whether
> > > the mmsain13@yahoo.es is a sender address or one of the two
> > > recipient addresses.
> >
> > $log_templ = '
> > [?%#D||
> > [? [?%#V|1]|INFECTED (%V)|#
> > [? [?%#F|1]|BANNED (%F)|#
> > [? [? %2|1]|SPAM|#
> > [? [?%#X|1]|BAD-HEADER|CLEAN]]]]#
> > , <%o> -> [%D|,]#
> > [? %q ||, quarantine: %i]#
> > [? %m ||, Message-ID: %m]#
> > , Hits=%c tag1=3.0 tag2=7.5 kill=7.5#
> > [? %#T ||, tests=[%T|,]]#
> > , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]
> > ]
> > [?%#O||
> > [? [?%#V|1]|INFECTED (%V)|#
> > [? [?%#F|1]|BANNED (%F)|#
> > [? [? %2|1]|SPAM|#
> > [? [?%#X|1]|BAD-HEADER|CLEAN]]]]#
> > , <%o> -> [%O|,]#
> > [? %q ||, quarantine: %i]#
> > , Yes, Hits=%c tag1=3.0 tag2=7.5 kill=7.5#
> > [? %#T ||, tests=[%T|,]]#
> > , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]
> > ]';
> >
> > $log_recip_templ = '
> > [?%#D||<%o>,%D,Passed,Hits=%c,Message-ID=%m,Size=%z|\n]
> > [?%#O||<%o>,%O,Blocked,Hits=%c,Message-ID=%m,Size=%z|\n]';
> >
> > > My first guess is that these users are
> > > whitelisting a From address from a mail header, but amavisd-new
> > > only works on SMTP envelope sender address.
> >
> > Since amavisd-new only deals with envelope information,
> > I don't see how it's possible. Something is certainly up,
> > because people who have been opted out are intermittently
> > getting opted in and then back to being opted out.
> > I can confirm the database is quite static and no one
> > is opting in then opting out again.
> >
> > Comments on this one?
> >
> > > If this is not the case, it would be worth taking a look at level 4 or 5
> > > log and see how the sender address lookups are being done.
> >
> > I've just set 1/2 of the serverfarm at loglevel 5.
> >
> > Cami
> >
> >
> > -- __--__--
> >
> > Message: 5
> > From: Mark Martinec <Mark.Martinec+amavis@ijs.si>
> > Organization: J. Stefan Institute
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] whitelisting inconsistancy
> > Date: Mon, 3 Oct 2005 17:15:42 +0200
> >
> > Cami,
> >
> > > $log_recip_templ = '
> > > [?%#D||<%o>,%D,Passed,Hits=%c,Message-ID=%m,Size=%z|\n]
> > > [?%#O||<%o>,%O,Blocked,Hits=%c,Message-ID=%m,Size=%z|\n]';
> >
> > Ok, so these were per-recip log entries.
> >
> > > > My first guess is that these users are
> > > > whitelisting a From address from a mail header, but amavisd-new
> > > > only works on SMTP envelope sender address.
> > >
> > > Since amavisd-new only deals with envelope information,
> > > I don't see how it's possible.
> >
> > I was trying to put a blame on the GUI or user or admin
> > who placed the sender address in the whitelist for perhaps
> > choosing a wrong address.
> >
> > > I've just set 1/2 of the serverfarm at loglevel 5.
> >
> > Ok, let's see a specific case.
> >
> > Mark
> >
> >
> > -- __--__--
> >
> > Message: 6
> > Date: Mon, 3 Oct 2005 09:42:29 -0600
> > From: Gary V <lists@johnmecham.com>
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
> >
> > Moises wrote:
> >
> > > Hi I have been looking how to activate amavis-new to use f-prot
> > > antivirus on SuSE 9.3 but I could not find the info to do even in the
> > > website so please can somebody tell me how to do, or please give an
> > > example
> >
> > Assuming you have f-prot installed, you should know that most likely
> > the f-prot you are using (the free workstation version) is a command
> > line version, and not a daemonized version.
> >
> > In the @av_scanners section, comment out the daemonized version:
> >
> > # ### http://www.f-prot.com/
> > # ['FRISK F-Prot Daemon',
> > #   \&ask_daemon,
> > #   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
> > #     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
> > #      '127.0.0.1:10203','127.0.0.1:10204'] ],
> > #   qr/(?i)<summary[^>]*>clean<\/summary>/,
> > #   qr/(?i)<summary[^>]*>infected<\/summary>/,
> > #   qr/(?i)<name>(.+)<\/name>/ ],
> >
> > And in the @av_scanners_backup section, insure the command line
> > version is not commented out:
> >
> > ### http://www.f-prot.com/ - backs up F-Prot Daemon
> > ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> >   '-dumb -archive -packed {}', [0,8], [3,6],
> >   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> >
> > amavisd-new should simply use it. If you like, I suppose you could
> > move the command line version from the backup section, to the primary
> > section, but I believe this would be cosmetic only.
> >
> > Gary V
> >
> >
> >
> > -- __--__--
> >
> > Message: 7
> > Date: Mon, 3 Oct 2005 09:55:40 -0600
> > From: Moises Rivera Alvarez <mriveracr2@gmail.com>
> > Reply-To: Moises Rivera Alvarez <mriveracr2@gmail.com>
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
> >
> > Thanks a lot, I will check again, maybe I did not see that.
> >
> > 2005/10/3, Alan Munday <amavis@brightheadtechnology.com>:
> > > Moises Rivera Alvarez wrote the following on 03/10/2005 02:46:
> > > > Hi I have been looking how to activate amavis-new to use f-prot
> > > > antivirus on SuSE 9.3 but I could not find the info to do even in the
> > > > website so please can somebody tell me how to do, or please give an
> > > > example
> > > >
> > >
> > > Search for f-prot in amavisd.conf, or look in the example conf files.
> > >
> > > You will find 2 sections, one for the daemon, one for the command line.
> > >
> > > Alan
> > >
> >
> >
> > -- __--__--
> >
> > Message: 8
> > Date: Mon, 03 Oct 2005 16:55:31 +0100
> > From: "Stephen Carter" <stephen@retnet.co.uk>
> > To: <amavis-user@lists.sourceforge.net>
> > Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
> >
> > >>> Gary V <lists@johnmecham.com> 10/03/05 4:42 PM >>>
> > >Moises wrote:
> > >
> > >> Hi I have been looking how to activate amavis-new to use f-prot
> > >> antivirus on SuSE 9.3 but I could not find the info to do even in the
> > >> website so please can somebody tell me how to do, or please give an
> > >> example
> > >
> > >Assuming you have f-prot installed, you should know that most likely
> > >the f-prot you are using (the free workstation version) is a command
> > >line version, and not a daemonized version.
> > >
> > >In the @av_scanners section, comment out the daemonized version:
> > >
> > ># ### http://www.f-prot.com/
> > ># ['FRISK F-Prot Daemon',
> > >#   \&ask_daemon,
> > >#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
> > >#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
> > >#      '127.0.0.1:10203','127.0.0.1:10204'] ],
> > >#   qr/(?i)<summary[^>]*>clean<\/summary>/,
> > >#   qr/(?i)<summary[^>]*>infected<\/summary>/,
> > >#   qr/(?i)<name>(.+)<\/name>/ ],
> > >
> > >And in the @av_scanners_backup section, insure the command line
> > >version is not commented out:
> > >
> > > ### http://www.f-prot.com/ - backs up F-Prot Daemon
> > > ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> > >   '-dumb -archive -packed {}', [0,8], [3,6],
> > >   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> > >
> > >amavisd-new should simply use it. If you like, I suppose you could
> > >move the command line version from the backup section, to the primary
> > >section, but I believe this would be cosmetic only.
> > >
> > >Gary V
> >
> > Unless there is more than 1 AV scanner installed. I believe the
> > primary/backup location becomes important if more than 1 scanner is
> > enabled as Amavis will only use primary scanners then fall back to
> > backup scanners if no primary is found.
> >
> > So if using say F-Prot and ClamAV, if Amavis picks up ClamAV in the
> > primary section it will only use F-prot as a backup (as that is where
> > the workstation version is defined) if ClamAV fails, in
> > the order they are found in the backup section.
> >
> > Then again my understanding here could be misplaced.
> >
> > SteveC
> >
> >
> > -- __--__--
> >
> > Message: 9
> > Date: Mon, 03 Oct 2005 18:33:35 +0200
> > From: Cami <camis@mweb.co.za>
> > Reply-To: amavis-user@lists.sourceforge.net
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] whitelisting inconsistancy
> >
> > Mark Martinec wrote:
> > >>I've just set 1/2 of the serverfarm at loglevel 5.
> > >
> > > Ok, let's see a specific case.
> >
> > The debugging logs allowed me to see what was wrong.
> >
> > Certainly an admin error on 1/2 of the machines in
> > the serverfarm. Configs are not identical and some
> > of the amavisd-new setups didn't have SQL lookups
> > enabled.
> >
> > Sorry for wasting your time.
> >
> > Cami
> >
> >
> > -- __--__--
> >
> > Message: 10
> > Date: Mon, 3 Oct 2005 11:30:32 -0600
> > From: Gary V <lists@johnmecham.com>
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
> >
> > Stephen wrote:
> >
> > >>And in the @av_scanners_backup section, insure the command line
> > >>version is not commented out:
> > >>
> > >> ### http://www.f-prot.com/ - backs up F-Prot Daemon
> > >> ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> > >>   '-dumb -archive -packed {}', [0,8], [3,6],
> > >>   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> > >>
> > >>amavisd-new should simply use it. If you like, I suppose you could
> > >>move the command line version from the backup section, to the primary
> > >>section, but I believe this would be cosmetic only.
> > >>
> > >>Gary V
> >
> > > Unless there is more than 1 AV scanner installed. I believe the
> > > primary/backup location becomes important if more than 1 scanner is
> > > enabled as Amavis will only use primary scanners then fall back to
> > > backup scanners if no primary is found.
> >
> > > So if using say F-Prot and ClamAV, if Amavis picks up ClamAV in the
> > > primary section it will only use F-prot as a backup (as that is where
> > > the workstation version is defined) if ClamAV fails, in
> > > the order they are found in the backup section.
> >
> > > Then again my understanding here could be misplaced.
> > > SteveC
> >
> > Sounds good. Backups will only be tried if all primary scanners fail.
> > So it is a good idea to have all the daemonized scanners tried first.
> > Especially when a vendor offers both versions. My comment was assuming
> > no other virus scanning programs were installed. If you are only using
> > one scanner, regardless of whether that scanner is daemonized or not,
> > it might save the lookup into the backup scanners section if it is
> > placed in the primary section.
> >
> > # If no virus scanners from the @av_scanners list produce 'clean' nor
> > # 'infected' status (i.e. they all fail to run or the list is empty),
> > # then _all_ scanners from the @av_scanners_backup list are tried
> > # (again, subject to $first_infected_stops_scan). When there are both
> > # daemonized and equivalent or similar command-line scanners available,
> > # it is customary to place slower command-line scanners in the
> > # @av_scanners_backup list. The default choice is somewhat arbitrary,
> > # move entries from one list to another as desired, keeping main scanners
> > # in the primary list to avoid warnings.
> >
> > Assuming we do not have f-prot daemonized version available,
> > it looks like there would also be an advantage to moving f-prot command
> > line version to the primary section even if some other virus scanner is
> > in the primary section. Doing so would insure the message is scanned by
> > more than one engine. It looks like you would want to include all
> > vendors in the primary section, unless you are using daemonized and
> > non-daemonized versions from the same vendor, then you would want to
> > place the slower version from the same vendor in the backup file.
> >
> > Gary V
> >
> >
> >
> > -- __--__--
> >
> > Message: 11
> > Date: Mon, 3 Oct 2005 11:48:30 -0600
> > From: Gary V <lists@johnmecham.com>
> > To: amavis-user@lists.sourceforge.net
> > Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
> >
> > Stephen wrote:
> >
> > > It looks like you would want to include all
> > > vendors in the primary section, unless you are using daemonized and
> > > non-daemonized versions from the same vendor, then you would want to
> > > place the slower version from the same vendor in the backup file.
> >
> > This is exactly what you said, Stephen, but I have to repeat it to
> > myself so I am sure I understand it correctly! :)
> >
> > Yes, it is important which section it is in, it is not cosmetic.
> >
> > Gary V
> >
> >
> >
> > -- __--__--
> >
> > Message: 12
> > To: amavis-user@lists.sourceforge.net
> > From: Gregory Mokhin <mok@kde.ru>
> > Date: Mon, 03 Oct 2005 16:35:35 -0400
> > Subject: [AMaViS-user] geocities spammers switched to new urls
> >
> > Looks like same spammers that had used geocities before now send
> > messages with new urls (an excerpt):
> >
> > ****
> > Free check-up details review with our approved expert.
> >
> > http://if.jlp.forwardthebest.com/n4j/
> >
> > message to oz, saying if he lilyhanded did not let them in self-politician
> > ruby port to see him at once they
> > ****
> >
> > A question: is it actually useful to train SA on these messages?
> > Doesn't the garbage after the url just poison the bayes db?
> >
> > Regards,
> > Gregory
> >
> >
> >
> >
> > -- __--__--
> >
> > _______________________________________________
> > AMaViS-user mailing list
> > AMaViS-user@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/...fo/amavis-user
> > AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> >
> >
> > End of AMaViS-user Digest
> >
>
>
> --__--__--
>
> Message: 3
> Date: Mon, 3 Oct 2005 20:48:56 -0600
> From: Gary V <lists@johnmecham.com>
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] help f-prot amavis suse 9.3
>
> Moises wrote:
>
> > Thanks to all for your help. I already activated it; it was simple, but I did
> > not know how to do it. Now
>
> > the problem is this: I receive the following in the amavis log when I do this
> > to check if everything is OK:
>
> > tail -f /var/log/mail.err
>
> > I receive these messages:
>
> > Oct 3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon
> > av-scanner FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't
> > connect to INET socket 127.0.0.1:10200: Connection refused) at (eval
> > 52) line 257.
>
> > Thanks again for all your help.
>
> Did you read this part? Are you using the free workstation version? If
> you are, then this applies to you.
>
> >> >Assuming you have f-prot installed, you should know that most likely
> >> >the f-prot you are using (the free workstation version) is a command
> >> >line version, and not a daemonized version.
> >> >
> >> >In the @av_scanners section, comment out the daemonized version:
> >>
> >> ># ### http://www.f-prot.com/
> >> ># ['FRISK F-Prot Daemon',
> >> >#   \&ask_daemon,
> >> >#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
> >> >#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
> >> >#      '127.0.0.1:10203','127.0.0.1:10204'] ],
> >> >#   qr/(?i)<summary[^>]*>clean<\/summary>/,
> >> >#   qr/(?i)<summary[^>]*>infected<\/summary>/,
> >> >#   qr/(?i)<name>(.+)<\/name>/ ],
> >> >
> >> >And in the @av_scanners_backup section, insure the command line
> >> >version is not commented out:
> >> >
> >> > ### http://www.f-prot.com/ - backs up F-Prot Daemon
> >> > ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
> >> >   '-dumb -archive -packed {}', [0,8], [3,6],
> >> >   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
> >> >
>
> Then move the command line version:
>
> ### http://www.f-prot.com/ - backs up F-Prot Daemon
> ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
>   '-dumb -archive -packed {}', [0,8], [3,6],
>   qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
>
> from the @av_scanners_backup section, to the @av_scanners section.
>
> Gary V
>
> Also, as you can see, it makes a bit of a mess when you reply to a
> digest version of the mail.
>
>
>
>
> --__--__--
>
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...fo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
>
>
> End of AMaViS-user Digest
>
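
The post above reports an "av-scanner FAILED" entry in mail.err together with an infected test file being passed. As an added example (not part of the thread and not amavisd-new code), this script picks such entries out of mail.err-style lines and groups them by scanner, so a scanner that never answers is noticed. The regex is modelled on the one log line quoted in the post; the other sample lines and the scanner name "Example Daemon" are constructed for the example.

```python
import re
from collections import defaultdict

# Pattern modelled on the single mail.err line quoted in the post above.
# Assumption: other amavisd-new versions or syslog setups may word it differently.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+amavis\[(?P<pid>\d+)\]:\s+"
    r"\((?P<am_id>[\d-]+)\)\s+(?P<scanner>.+?)\s+av-scanner FAILED:\s+(?P<detail>.*)$"
)
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")

# Constructed sample input. Line 1 is the entry from the post; the rest are
# made up for the example ("Example Daemon" is a hypothetical scanner name).
SAMPLE_LOG = """\
Oct  3 19:34:21 ns amavis[2151]: (02151-02) FRISK F-Prot Daemon av-scanner FAILED: Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 52) line 257.
Oct  3 19:36:02 ns amavis[2151]: (02151-03) FRISK F-Prot Daemon av-scanner FAILED: Too many retries to talk to 127.0.0.1:10201 (Can't connect to INET socket 127.0.0.1:10201: Connection refused) at (eval 52) line 257.
Oct  3 19:36:40 ns amavis[2160]: (02160-01) Example Daemon av-scanner FAILED: Too many retries to talk to 127.0.0.1:9999 (timed out) at (eval 52) line 257.
Oct  3 19:37:05 ns amavis[2160]: (02160-02) <sender@example.org>,<rcpt@example.org>,Passed,Hits=-,Size=2085
"""


def parse_failures(lines):
    """Return one dict per 'av-scanner FAILED' line; other lines are ignored."""
    failures = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        detail = m.group("detail")
        failures.append({
            "timestamp": m.group("ts"),
            "am_id": m.group("am_id"),
            "scanner": m.group("scanner"),
            "endpoints": sorted(set(ENDPOINT_RE.findall(detail))),
            "refused": "Connection refused" in detail,
        })
    return failures


def summarize(failures):
    """Group failures by scanner name: count, endpoints tried, all refused?"""
    summary = defaultdict(lambda: {"count": 0, "endpoints": set(), "all_refused": True})
    for f in failures:
        entry = summary[f["scanner"]]
        entry["count"] += 1
        entry["endpoints"].update(f["endpoints"])
        entry["all_refused"] = entry["all_refused"] and f["refused"]
    return dict(summary)


def advise(summary):
    """Turn the summary into one operator note per failing scanner."""
    notes = []
    for scanner in sorted(summary):
        entry = summary[scanner]
        where = ", ".join(sorted(entry["endpoints"])) or "unknown endpoint"
        if entry["all_refused"]:
            # The case discussed in the thread: a daemon entry is enabled in
            # @av_scanners but nothing is listening on its port.
            notes.append(
                f"{scanner}: {entry['count']} failure(s), nothing listening on {where}. "
                "Start the daemon, or comment out this @av_scanners entry and "
                "enable the command-line scanner entry instead."
            )
        else:
            notes.append(
                f"{scanner}: {entry['count']} failure(s) talking to {where}; "
                "not all are refused connections, inspect the daemon itself."
            )
    return notes


if __name__ == "__main__":
    for note in advise(summarize(parse_failures(SAMPLE_LOG.splitlines()))):
        print(note)
```
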