Re: [AMaViS-user] Amavis Not quarantining messages (Amavis User forum, Anti-Spam and Anti-Virus Related Forums)
On 8/9/07, Barry Irwin <bvi@lair.moria.org> wrote:
> Hi All
>
> I'm having a bit of a problem isolating why Mails are not being
> quarantined. Clam is identifying Messages correctly (as per clamd.log)
> and amavis is not reporting them. Somewhere however I'm missing
> something so that the mail is passing rather than being quarantined.
> Real viruses are being caught okay:
>
> A virus was found: Win32:Mydoom-L [Wrm]

This is a real virus, so with 2.5.2 it will be detected as a virus and
quarantined as a virus (provided you have a quarantine set up).

> Scanners detecting a virus: ClamAV-clamd
>
> Content type: Virus
> Internal reference code for the message is 01434-06/WBLZZlKgwA-e
>
> <snip>
>
> Return-Path: <>
> Message-ID: <E1IIqEb-0005Ro-48@sudeki.mweb.com.na>
> Subject: Mail delivery failed: returning message to sender
> The message has been quarantined as: W/virus-WBLZZlKgwA-e

And it shows this was quarantined as W/virus-WBLZZlKgwA-e (which you
already know).

> Notification to sender will not be mailed.
>
> The message WAS NOT relayed to:
> <xxx@xxx.za>:
> 250 2.7.0 Ok, discarded, id=01434-06 - VIRUS: Win32:Mydoom-L [Wrm],
> Win32:Mydoom-L [Wrm], Win32:Mydoom-L [Wrm]
>
> Virus scanner output:
> p001/PartNo_0#1616020234 [+]
> p001/attachment.zip#1125232958/attachment.pif [L] Win32:Mydoom-L [Wrm]
> p001/attachment.zip#1125232958 [L] Win32:Mydoom-L [Wrm]
> p001 [+]
> p002 [L] Win32:Mydoom-L [Wrm]
>
> --clamd.log--
>
> Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
> Aug 9 14:33:04 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T141346-13689/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 15:13:26 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T144825-14195/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 15:26:51 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T152248-14707/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 18:00:39 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T175424-16594/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 18:25:23 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T180640-16740/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 18:25:24 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182523-16968/parts/p001: HTML.Phishing.Bank-532 FOUND
> Aug 9 19:16:11 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T182757-17033/parts/p001: HTML.Phishing.Bank-532 FOUND

With 2.5.0 or newer these are no longer classified as viruses. Read:
http://www.ijs.si/software/amavisd/release-notes.txt
Search for @virus_name_to_spam_score_maps

> --amavis log messages in maillog--
> Aug 9 06:21:27 titania clamd[74253]: /var/amavis/tmp/amavis-20070809T061103-07536/parts/p001: HTML.Phishing.Bank-593 FOUND
> Aug 9 06:21:27 titania postfix/pickup[7520]: 84C9C4D46EC: uid=110 from=<vscan>
> Aug 9 06:21:27 titania postfix/cleanup[7703]: 84C9C4D46EC: message-id=<20070809042127.84C9C4D46EC@services.async.org.za>
> Aug 9 06:21:27 titania postfix/qmgr[74321]: 84C9C4D46EC: from=<vscan@services.XXX.za>, size=384, nrcpt=1 (queue active)
> Aug 9 06:21:28 titania postfix/smtpd[7707]: connect from localhost[127.0.0.1]
> Aug 9 06:21:28 titania postfix/smtpd[7707]: ABFA94D46F0: client=localhost[127.0.0.1]
> Aug 9 06:21:28 titania postfix/cleanup[7724]: ABFA94D46F0: message-id=<resultsmail-15317-640-38211051@freelotto.com>
> Aug 9 06:21:28 titania postfix/qmgr[74321]: ABFA94D46F0: from=<bounces-ResultsMail-38211051@bounces.freelotto.com>, size=23024, nrcpt=1 (queue active)
> Aug 9 06:21:28 titania postfix/smtpd[7707]: disconnect from localhost[127.0.0.1]
> Aug 9 06:21:28 titania amavis[6520]: (06520-09) Passed CLEAN, [72.21.48.210] [216.74.187.171] <bounces-ResultsMail-38211051@bounces.freelotto.com> -> <localuser@xxx.za>, Message-ID: <resultsmail-15317-640-38211051@freelotto.com>, mail_id: 5YRmT0tQNxx9, Hits: 0.324, size: 22525, queued_as: ABFA94D46F0, 3310 ms

This was not quarantined because it did not score high enough. The default is:

  @virus_name_to_spam_score_maps = (new_RE(
    [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
    [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef ],
    [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
  # [ qr'^(Email|Html)\.(Hdr|Img|ImgO|Bou|Stk|Loan|Cred|Job|Dipl|Doc)
  #   (\.[^., ]*)* \.Sanesecurity\.'x => 0.1 ],
    [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
  ));

Which means there is not much of a score boost. Read the release notes. It
will tell you you can add rules like this:
http://www200.pair.com/mecham/spam/a...anesecurity.cf
to boost the scores.

> The mail from vscan is clamd running a notification script.

I don't understand this statement.

> Quarantine was working until a few weeks ago prior to the upgrade to
> clam 9.1 and amavisd-new 2.5.2, with MSRBL being most useful in catching
> image spam.
>
> Does anyone have any pointers ?
>
> Regards,
> Barry

--
Gary V
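The first-match-wins lookup Gary points at, as an added example that is not code from this thread or from amavisd-new itself: the default map quoted in the reply translated from Perl qr'' patterns to Python, applied to the signature names from the clamd.log and maillog excerpts above. The BOOSTED_MAP, the 6.31 kill level (the stock $sa_kill_level_deflt) and the Sanesecurity/MSRBL sample names are assumptions, and classify() is a simplified model of the 2.5 verdict, not amavisd's own code.

```python
import re

# Stock amavisd-new 2.5 @virus_name_to_spam_score_maps from the reply, as Python re.
# Order matters: first match wins. A number means "not a virus, add this to the
# spam score instead"; None (Perl undef) means "keep treating the hit as a virus".
DEFAULT_MAP = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]

# Constructed alternative (assumption, not from the thread): rank the Phishing
# signatures clamd kept reporting high enough to cross the kill level by themselves.
BOOSTED_MAP = [(re.compile(r'^(Email|HTML)\.Phishing\.', re.I), 8.0)] + DEFAULT_MAP


def score_for_virus_name(name, vmap=DEFAULT_MAP):
    """Spam-score boost for one scanner hit, or None if it stays a virus."""
    for pattern, score in vmap:
        if pattern.search(name):
            return score
    return None  # no match behaves like undef: still a virus


def classify(scanner_hits, sa_hits, vmap=DEFAULT_MAP, kill_level=6.31):
    """Simplified model of the 2.5 decision: any hit still counted as a virus
    wins outright; otherwise the boosts are added to the SpamAssassin score and
    compared with the kill level (6.31 assumed as the stock default)."""
    total = sa_hits
    for name in scanner_hits:
        boost = score_for_virus_name(name, vmap)
        if boost is None:
            return 'virus', round(total, 3)
        total += boost
    return ('spam' if total >= kill_level else 'clean'), round(total, 3)


if __name__ == '__main__':
    # Signature names and the 0.324 Hits value are taken from the logs in the thread.
    print(classify(['Win32:Mydoom-L [Wrm]'], 0.0))                   # ('virus', 0.0)
    print(classify(['HTML.Phishing.Bank-532'], 0.324))                # ('clean', 0.424)
    print(classify(['HTML.Phishing.Bank-532'], 0.324, BOOSTED_MAP))   # ('spam', 8.324)
```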