1 (edited by Falador 2009-06-17 05:02:36)

Topic: Virus and Spam Protection [SOLVED]

Do I need to take any extra steps to enable spam and virus protection?

I have used the following service http://www.gfi.com/emailsecuritytest/ to send a number of infected emails and every single one made it to my mailbox.

All emails have the following in the received line (amavisd-new, port 10024), so they are passing through the scanner. Some do have a BANNED statement in the email header; can I quarantine these by default?

Both the eicar and GTUBE test strings make it through unaffected.

If I run clamscan on my mail directory it finds them all.

Any clues for where to start looking?

Everything else is working great. Once I get to the bottom of the above problem I do plan to put this in to production use, thanks for all your hard work.

UPDATE:
Sorry, forgot to mention I'm using Debian 5.0.1 and iRedMail-0.5.0-RC1

2

Re: Virus and Spam Protection [SOLVED]

I think I forgot some settings in Debian & Ubuntu; please try to add the lines below to /etc/amavis/conf.d/50-users and restart the amavis service:

@bypass_virus_checks_maps = (0);  # controls running of anti-virus code
@bypass_spam_checks_maps  = (0);  # controls running of anti-spam code
$bypass_decode_parts = 0;         # controls running of decoders&dearchivers

Default setting in binary packages for RHEL/CentOS enables anti-virus & anti-spam by default, but it seems not in Debian & Ubuntu.

Please help to test and give us feedback. Thanks very much

3

Re: Virus and Spam Protection [SOLVED]

Email now fails; here's the log entry:

Jun 16 15:37:16 monkeybox postfix/smtpd[2436]: connect from col0-omc4-s3.col0.hotmail.com[65.55.34.205]
Jun 16 15:37:16 monkeybox postfix-policyd: connection from: 127.0.0.1 port: 41830 slots: 0 of 4096 used
Jun 16 15:37:16 monkeybox postfix-policyd: rcpt=5, greylist=update, host=65.55.34.205 (col0-omc4-s3.col0.hotmail.com), from=test@hotmail.com, to=test@test.com, size=1502
Jun 16 15:37:16 monkeybox postfix-policyd: rcpt=5, throttle_rcpt=clear(a), host=65.55.34.205, from=test@hotmail.com, to=test@test.com, count=0/64(2), threshold=0%
Jun 16 15:37:16 monkeybox postfix/smtpd[2436]: C98AE36147: client=col0-omc4-s3.col0.hotmail.com[65.55.34.205]
Jun 16 15:37:17 monkeybox postfix/cleanup[2440]: C98AE36147: message-id=<COL110-W22604900404D787323C11ACA3F0@phx.gbl>
Jun 16 15:37:17 monkeybox postfix/qmgr[2238]: C98AE36147: from=<test@hotmail.com>, size=1801, nrcpt=1 (queue active)
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20090616T153717-01754/parts: lstat() failed: Permission denied. ERROR\n"
Jun 16 15:37:17 monkeybox postfix/smtpd[2436]: disconnect from col0-omc4-s3.col0.hotmail.com[65.55.34.205]
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)ClamAV-clamd av-scanner FAILED: CODE(0x9c56260) unexpected , output="/var/lib/amavis/tmp/amavis-20090616T153717-01754/parts: lstat() failed: Permission denied. ERROR\n" at (eval 98) line 527.
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)WARN: all primary virus scanners failed, considering backups
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)run_av (ClamAV-clamscan) FAILED - unexpected exit 40, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options"
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 40, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options" at (eval 98) line 527.
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x9c56260) unexpected , output="/var/lib/amavis/tmp/amavis-20090616T153717-01754/parts: lstat() failed: Permission denied. ERROR\n" at (eval 98) line 527.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 40, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options" at (eval 98) line 527.
Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!)PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20090616T153717-01754
Jun 16 15:37:17 monkeybox postfix/smtp[2441]: C98AE36147: to=<test@test.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.83, delays=0.61/0.02/0.02/0.17, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=01754-01, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x9c56260) unexpected , output="/var/lib/amavis/tmp/amavis-20090616T153717-01754/parts: lstat() failed: Permission denied. ERROR 451-4.5.0 " at (eval 98) line 527.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 40, output="WARNING: Ignoring deprecated option --disable-summary 451-4.5.0 ERROR: Option --tempdir requires a non-empty string argument 451 4.5.0 ERROR: Can't parse command line options" at (eval 98) line 527. (in reply to end of DATA command))

Thanks for the quick response.

4

Re: Virus and Spam Protection [SOLVED]

Jun 16 15:37:17 monkeybox amavis[1754]: (01754-01) (!!)ClamAV-clamd av-scanner FAILED: CODE(0x9c56260) unexpected , output="/var/lib/amavis/tmp/amavis-20090616T153717-01754/parts: lstat() failed: Permission denied. ERROR\n" at (eval 98) line 527.

Could you please check the file permission of directory: /var/lib/amavis/?

$ sudo ls -dl /var/lib/amavis/
$ sudo ls -dl /var/lib/amavis/tmp/

They should be owned by amavis:amavis.

5 (edited by Falador 2009-06-16 23:37:52)

Re: Virus and Spam Protection [SOLVED]

We're making progress, permissions were correct but I had to add the clamav user to the amavis group.

Spam is now being bagged and tagged but viruses are still coming through. They are showing up in /var/log/clamav/clamd.log and I get an extra line in the email header (X-Virus-Scanned: Debian amavisd-new). Do I need to state what to do if a virus is found?

I also noticed this, which I assume is a notification about the virus detection.

Jun 16 16:51:26 monkeybox postfix/smtpd[2454]: warning: Illegal address syntax from unknown[127.0.0.1] in MAIL command: <postmaster@${myhostname}>
Jun 16 16:51:26 monkeybox amavis[2397]: (02397-06-13) Negative SMTP resp. to DATA: 503 5.5.1 Error: need RCPT command
Jun 16 16:51:26 monkeybox amavis[2397]: (02397-06-13) (!)SEND via SMTP: <postmaster@${myhostname}> -> <postmaster@monkeybox.test.net>,ENVID=AM..20090616T155126Z@monkeybox.test.net 501 5.1.7 Failed, id=02397-06-13, from MTA([127.0.0.1]:10025): 501 5.1.7 Bad sender address syntax
Jun 16 16:51:26 monkeybox amavis[2397]: (02397-06-13) (!)FAILED to notify admin: 501 5.1.7 Failed, id=02397-06-13, from MTA([127.0.0.1]:10025): 501 5.1.7 Bad sender address syntax

Again, thank you for your help.

6

Re: Virus and Spam Protection [SOLVED]

OK, I'm now blocking viruses in addition to spam.

I uncommented the following 4 lines in /etc/amavis/conf.d/15-content_filter_mode:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Emails with disallowed attachments like vbs or bat still get through but are marked as banned in the email headers. I have found where I can block the entire email but not just the attachment.

I still have to solve the above notify admin error; currently working through Google.

7

Re: Virus and Spam Protection [SOLVED]

Everything's working the way I want now. To solve the sender errors I had to define a sender address. I added the following to the 50-user file:

$mailfrom_notify_admin = "emailalerts";
$mailfrom_notify_recip = "emailalerts";

Notifications are now sent from "emailalerts@mydomain".

8

Re: Virus and Spam Protection [SOLVED]

Fixed in r1077, tested on Debian 5.0.1 (amd64):

  • Comment $daemon_user and $daemon_group in 50-user. Use debian default setting.

  • Add @bypass_virus_checks_maps in 50-user to enable anti-virus by default.

  • Add @bypass_spam_checks_maps in 50-user to enable anti-spam by default.

  • Add notifications sender, default is root@mydomain.

PS: with this fix it is not required to add the clamav user to the amavis group.

Thanks Falador
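Assuming the conf.d file layout and /etc/group format named in the thread, this added example (not iRedMail's or amavisd-new's own code) scripts the checks the thread converged on: bypass maps set rather than disabling scanning (posts 2, 6, 8), /var/lib/amavis ownership (post 4), clamav in the amavis group (post 5), and a notification sender that Postfix accepts (post 7). Function names and the sample files are my own.

```shell
# Added example, not iRedMail's own code: checks for the amavis/ClamAV fixes in
# this thread. Functions take file paths so they run against the constructed
# samples below or, on a live host, /etc/amavis/conf.d/50-user and /etc/group.
# Print the value of the last assignment to a setting in an amavis conf.d file;
# $2 is the name without its $/@ sigil. Later assignments override earlier ones.
setting_value() {
  sed -n "s/^[[:space:]]*[\$@]$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*;.*$//' | tail -n 1
}

# 0 if neither anti-virus nor anti-spam checks are bypassed: the thread's fix
# assigns (0) or the reference list, while (1) or an absent line means no scan.
checks_enabled() {
  for m in bypass_virus_checks_maps bypass_spam_checks_maps; do
    v=$(setting_value "$1" "$m" | tr -d '[:space:]')
    case "$v" in ''|'(1)'*) return 1 ;; esac   # unset here or bypassed
  done
  return 0
}

# 0 if $mailfrom_notify_admin is a non-empty quoted string, so admin notices get
# a sender Postfix accepts (post 5 shows the unresolved default being rejected).
notify_sender_set() {
  v=$(setting_value "$1" mailfrom_notify_admin | tr -d '[:space:]')
  case "$v" in '"'?*'"'|"'"?*"'") return 0 ;; *) return 1 ;; esac
}

# 0 if USER is a supplementary member of GROUP in an /etc/group-style file
# (post 5 added clamav to group amavis); primary groups are not checked.
user_in_group() {  # $1=group file  $2=user  $3=group
  awk -F: -v u="$2" -v g="$3" '$1 == g { n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# 0 if DIR is owned by USER:GROUP (GNU stat); post 4 expects amavis:amavis.
dir_owned_by() {  # $1=dir  $2=user  $3=group
  [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# Constructed samples standing in for 50-user (good and bad) and /etc/group.
SAMPLE_DIR=$(mktemp -d); GROUP_FILE="$SAMPLE_DIR/group"
GOOD_CONF="$SAMPLE_DIR/50-user.good"; BAD_CONF="$SAMPLE_DIR/50-user.bad"
printf '%s\n' '@bypass_virus_checks_maps = (0);  # anti-virus on' \
  '@bypass_spam_checks_maps  = (0);  # anti-spam on' \
  '$mailfrom_notify_admin = "emailalerts";' '1;' >"$GOOD_CONF"
printf '%s\n' '#@bypass_virus_checks_maps = (0);' '@bypass_spam_checks_maps = (1);' \
  '$mailfrom_notify_admin = "";' '1;' >"$BAD_CONF"
printf 'amavis:x:109:clamav\nclamav:x:110:\n' >"$GROUP_FILE"
checks_enabled "$GOOD_CONF" && user_in_group "$GROUP_FILE" clamav amavis \
  && notify_sender_set "$GOOD_CONF" && echo "sample config: AV, spam and notices OK"
```

On a real host, run `dir_owned_by /var/lib/amavis amavis amavis` and `dir_owned_by /var/lib/amavis/tmp amavis amavis` as well; the sample directory above is only for the offline run.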