Sandy Drobic wrote:
Richard Mixon (qwest) wrote: <SNIP> <SNIP> The logs you send don't really help to narrow down the problem. Could you rather post /etc/amavisd.conf?
Hmms - the "matches" lines from your debug output make sense. I find some "matches" in my debug output, but they are quite different. I have included the debug output from amavisd that is most similar (with capitalized annotations), followed by my /etc/amavisd.conf as you requested. The amavisd.conf is 67kb, so I squished all of the comments out, but left the Section comments.

Thanks once again - Richard

1) Debug output of amavis while processing spam message:

09:01:26 gofish amavisd[5152]: Net::Server: 2005/04/06-09:01:26 CONNECT TCP Peer: "127.0.0.1:14047" Local: "127.0.0.1:10024"
[BEGINNING OF REMAINING LINES ARE ABBREVIATED TO SAVE SPACE]
26 go amd: lookup_ip_acl: key="127.0.0.1" matches "127.0.0.1", result=1
26 go amd: prolong_timer after new request - timer reset: remaining time = 300 s
26 go amd: SMTP> 220 [127.0.0.1] ESMTP amavisd-new service ready
26 go amd: prolong_timer after reading SMTP command: remaining time = 300 s
26 go amd: SMTP< EHLO gofish.AcmeSoftware.com\r\n
26 go amd: ESMTP> 250-[127.0.0.1]
26 go amd: ESMTP> 250-PIPELINING
26 go amd: ESMTP> 250-SIZE
26 go amd: ESMTP> 250-8BITMIME
26 go amd: ESMTP> 250 ENHANCEDSTATUSCODES
<SNIP>
26 go amd: (05152-01) Clam Antivirus-clamd result: /var/spool/amavis/amavis-20050406T090126-05152/parts: OK\n
26 go amd: (05152-01) prolong_timer after virus_scan: remaining time = 300 s
26 go amd: (05152-01) white_black_list: checking sender <rnmixon@qwest.net>
26 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_RE: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_hash: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_hash: key="rnmixon@", no match
26 go amd: (05152-01) lookup_hash: key="qwest.net", no match
26 go amd: (05152-01) lookup_hash: key=".qwest.net", no match
26 go amd: (05152-01) lookup_hash: key=".net", no match
26 go amd: (05152-01) lookup_hash: key=".", no match
26 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
26 go amd: (05152-01) calling SA parse, SA version 2.64
26 go amd: (05152-01) CALLING SA check
27 go amd: (05152-01) RETURNED FROM NoMailAudit::check, time left: 29 s
27 go amd: (05152-01) prolong_timer after spam_scan_SA: remaining time = 300 s
27 go amd: (05152-01) spam_scan: hits=5 tests=CLICK_BELOW,HTML_40_50,HTML_FONTCOLOR_RED,HTML_FONT_BIG,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_SHOUTING5,HTML_TAG_EXISTS_TBODY,ONLINE_PHARMACY
27 go amd: (05152-01) prolong_timer after spam_scan: remaining time = 300 s
<FIRST MATCHES LINE>
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) lookup: (scalar) matches, result="-20"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) do_spam: looking for a quarantine address
27 go amd: (05152-01) SPAM, <rnmixon@qwest.net> -> <rnmixon@gofish.AcmeSoftware.com>, Yes, hits=5.0 tag1=-20.0 tag2=5.0 kill=5.0 tests=CLICK_BELOW, HTML_40_50, HTML_FONTCOLOR_RED, HTML_FONT_BIG, HTML_LINK_CLICK_HERE, HTML_MESSAGE, HTML_SHOUTING5, HTML_TAG_EXISTS_TBODY, ONLINE_PHARMACY
<MORE MATCHES>
27 go amd: (05152-01) lookup: (scalar) matches, result="rnmixon@acme.com"
27 go amd: (05152-01) DO_SPAM - NOTIFICATIONS, sender: rnmixon@qwest.net
27 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
27 go amd: (05152-01) first_received_from: vdsl-130-13-0-7.phnx.qwest.net (HELO redfish) (130.13.0.7)
27 go amd: (05152-01) first_received_from: vdsl-130-13-0-7.phnx.qwest.net (HELO redfish) (130.13.0.7)
27 go amd: (05152-01) string_to_mime_entity Date: Wed, 6 Apr 2005 09:01:27 -0700 (MST)
27 go amd: (05152-01) string_to_mime_entity From: rnmixon@acme.com
27 go amd: (05152-01) string_to_mime_entity Subject: SPAM FROM <rnmixon@qwest.net>
27 go amd: (05152-01) string_to_mime_entity To: <rnmixon@acme.com>
27 go amd: (05152-01) string_to_mime_entity Message-ID: <SA05152-01@gofish>
27 go amd: (05152-01) SEND via SMTP: [127.0.0.1]:10025 <rnmixon@acme.com> -> <rnmixon@acme.com>
27 go amd: (05152-01) Remote host introduces itself as: gofish.AcmeSoftware.com
27 go amd: (05152-01) prolong_timer after fwd-connect: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-mail-from: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-rcpt-to: remaining time = 300 s
27 go amd: (05152-01) response to DATA: "354 End data with <CR><LF>.<CR><LF>"
27 go amd: (05152-01) prolong_timer after fwd-data: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-data-end: remaining time = 300 s
27 go amd: (05152-01) response to data end: "250 Ok: queued as B23BE17A9"
27 go amd: (05152-01) prolong_timer after fwd-rundown-1: remaining time = 300 s
27 go amd: (05152-01) mail_via_smtp: 250 2.6.0 Ok, id=05152-01, from MTA: 250 Ok: queued as B23BE17A9
27 go amd: (05152-01) one_response_for_all <rnmixon@acme.com>: success, dsn_needed=0, '250 2.6.0 Ok, id=05152-01, from MTA: 250 Ok: queued as B23BE17A9'
27 go amd: (05152-01) DO_SPAM DONE
27 go amd: (05152-01) header: Received: from gofish.AcmeSoftware.com ([127.0.0.1])\n by localhost (gofish [127.0.0.1]) (amavisd-new, port 10024) with ESMTP\n id 05152-01 for <rnmixon@gofish.AcmeSoftware.com>;\n Wed, 6 Apr 2005 09:01:26 -0700 (MST)\n
27 go amd: (05152-01) header: X-Virus-Scanned: by amavisd-new at acme.com\n
27 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
27 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
<MORE MATCHES>
27 go amd: (05152-01) lookup: (scalar) matches, result="-20"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) headers CLUSTERING: NEW CLUSTER <rnmixon@gofish.AcmeSoftware.com>: hits=5.0, tag=0, tag2=0, subj=0, subj_u=0, local=0, bl=0
27 go amd: (05152-01) headers CLUSTERING: done all 1 recips in one go
<SNIP>

2) /etc/amavisd.conf (comments removed):
use strict;

#
# Section I - Essential daemon and MTA settings
#
$MYHOME = '/var/spool/amavis';
$mydomain = 'Acme.com';
$daemon_user = 'vscan';
$daemon_group = 'vscan';
$TEMPBASE = $MYHOME;
$ENV{TMPDIR} = $TEMPBASE;
$max_servers = 2;
$max_requests = 10;
$child_timeout=5*60;
@local_domains_acl = ( ".$mydomain" );

#
# Section II - MTA specific (defaults should be ok)
#
$unix_socketname = "$MYHOME/amavisd.sock";
$inet_socket_port = 10024;
@inet_acl = qw( 127.0.0.1 );
$DO_SYSLOG = 1;
$LOGFILE = "$MYHOME/amavis.log";
$log_level = 2;
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], <%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';

#
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
#
$final_virus_destiny = D_BOUNCE;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM', qr'Worm'i,
  [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
  [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
  [qr/.*/ => 1],
);
$virus_admin = "rnmixon\@$mydomain";
$spam_admin = "rnmixon\@$mydomain";
$mailfrom_notify_admin = "rnmixon\@$mydomain";
$mailfrom_notify_recip = "rnmixon\@$mydomain";
$mailfrom_notify_spamadmin = "rnmixon\@$mydomain";
$mailfrom_to_quarantine = '';
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
$virus_quarantine_to = 'virus-quarantine';
$spam_quarantine_to = undef;
$X_HEADER_TAG = 'X-Virus-Scanned';
$X_HEADER_LINE = "by amavisd-new at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** ';
$remove_existing_x_scanned_headers = 0;
$remove_existing_spam_headers = 1;
$keep_decoded_original_re = new_RE(
  qr'^MAIL-UNDECIPHERABLE$',
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
  qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,
  qr'^\.exe$'i,
  qr'^application/x-msdownload$'i,
  qr'^application/x-msdos-program$'i,
);

#
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
#
$sql_select_white_black_list = undef;
$recipient_delimiter = '+';
$localpart_is_case_sensitive = 0;
$blacklist_sender_re = new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
map { $whitelist_sender{lc($_)}=1 } (qw(
  nobody@cert.org
  owner-alert@iss.net
  slashdot@slashdot.org
  bugtraq@securityfocus.com
  NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  security-alerts@linuxsecurity.com
  amavis-user-admin@lists.sourceforge.net
  notification-return@lists.sophos.com
  mailman-announce-admin@python.org
  owner-postfix-users@postfix.org
  owner-postfix-announce@postfix.org
  owner-sendmail-announce@Lists.Sendmail.ORG
  owner-technews@postel.ACM.ORG
  lvs-users-admin@LinuxVirtualServer.org
  ietf-123-owner@loki.ietf.org
  cvs-commits-list-admin@gnome.org
  rt-users-admin@lists.fsck.com
  clp-request@comp.nus.edu.sg
  surveys-errors@lists.nua.ie
  emailNews@genomeweb.com
  owner-textbreakingnews@CNNIMAIL12.CNN.COM
  yahoo-dev-null@yahoo-inc.com
  returns.groups.yahoo.com
));

#
# Section VI - Resource limits
#
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024;
$MAX_EXPANSION_QUOTA = 300*1024*1024;
$MIN_EXPANSION_FACTOR = 5;
$MAX_EXPANSION_FACTOR = 500;

#
# Section VII - External programs, virus scanners
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file';
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj'];
$unrar = ['rar', 'unrar'];
$zoo = 'zoo';
$lha = 'lha';
$cpio = ['gcpio','cpio'];
$sa_timeout = 30;
$sa_mail_body_size_limit = 256*1024;
$sa_tag_level_deflt = -20.0;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt;
$sa_dsn_cutoff_level = 10;
$sa_spam_subject_tag = '***SPAM*** ';
$sa_spam_modifies_subj = 1;
@av_scanners = (
  ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
    qr/(?:INFECTED|SUSPICION) (.+)/,
  ],
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ##
  ##
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon', 'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
    qr/infected: ([^\r\n]+)/ ],
  ##
  ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
    ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
  ##
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ##
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ##
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ##
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,33],
    qr' infected (?:with|by)(?: virus)? (.*)$'],
  ##
  ['F-Secure Antivirus', 'fsav',
    '--dumb --mime --archive {}', [0], [3,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd',
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ##
  ['ESET Software NOD32', 'nod32',
    '-all -subdir+ {}', [0], [1,2],
    qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
  ##
  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
    '-a -r -d recurse --heur standard {}', [0], [10,11],
    qr/^\S+\s+infected:\s+(.+)/ ],
  ##
  ['Norman Virus Control v5 / Linux', 'nvccmd',
    '-c -l:0 -s -u {}', [0], [1],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ##
  ['Panda Antivirus for Linux', ['pavcl'],
    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    qr/Number of files infected[ .]*: 0(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  ##
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/,
  ],
  ##
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  ##
  ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23],
    qr/# ],
  ##
  ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40],
    qr/Signature (.+) found/ ],
  ##
  ['BitDefender', 'bdc', '--all --arc --mail {}',
    qr/^Infected files *:0(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)$/ ],
);

@av_scanners_backup = (
  ##
  ['Clam Antivirus - clamscan', 'clamscan',
    '--stdout --no-summary -r {}', [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ##
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)/ ],
  ##
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/,
    qr/Found virus (.+) in/ ],
  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/,
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
);

#
# Section VIII - Debugging
#
1;
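An added example, not part of the thread: a small Python parser for the per-message "SPAM" summary line in the debug output above, which applies the tag/tag2/kill thresholds the way amavisd-new does and shows why a message scoring hits=5.0 against tag2=5.0 and kill=5.0 gets the spam subject tag yet is still handed to the MTA when $final_spam_destiny is D_PASS. The log text is a constructed sample in the style of the poster's output; the delivered/killed semantics are my reading of the three levels, not code from amavisd itself.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of the amavisd-new debug output in the thread;
# thresholds -20/5/5 mirror $sa_tag_level_deflt, $sa_tag2_level_deflt, $sa_kill_level_deflt.
SAMPLE_LOG = (
    "27 go amd: (05152-01) prolong_timer after spam_scan: remaining time = 300 s\n"
    "27 go amd: (05152-01) SPAM, <rnmixon@qwest.net> -> <rnmixon@gofish.AcmeSoftware.com>, "
    "Yes, hits=5.0 tag1=-20.0 tag2=5.0 kill=5.0 tests=CLICK_BELOW, HTML_40_50, ONLINE_PHARMACY\n"
)

# The per-message "SPAM" summary line amavisd-new logs right after spam_scan.
SPAM_LINE = re.compile(
    r"\((?P<task>\d+-\d+)\) SPAM, <(?P<sender>[^>]*)> -> <(?P<recip>[^>]*)>, "
    r"(?P<flag>Yes|No), hits=(?P<hits>-?[\d.]+) tag1=(?P<tag1>-?[\d.]+) "
    r"tag2=(?P<tag2>-?[\d.]+) kill=(?P<kill>-?[\d.]+) tests=(?P<tests>.*)$"
)

@dataclass
class Verdict:
    task: str
    sender: str
    recip: str
    hits: float
    add_headers: bool     # hits >= tag level: X-Spam-* headers are inserted
    subject_tagged: bool  # hits >= tag2 level: subject gets $sa_spam_subject_tag
    killed: bool          # hits >= kill level: $final_spam_destiny is applied
    delivered: bool       # only D_PASS still hands a killed message to the MTA
    tests: list = field(default_factory=list)

def parse_spam_line(line, final_spam_destiny="D_PASS"):
    """Turn one SPAM summary line into a Verdict, or None if the line is something else."""
    m = SPAM_LINE.search(line)
    if m is None:
        return None
    hits, tag1, tag2, kill = (float(m[k]) for k in ("hits", "tag1", "tag2", "kill"))
    killed = hits >= kill
    return Verdict(
        task=m["task"], sender=m["sender"], recip=m["recip"], hits=hits,
        add_headers=hits >= tag1, subject_tagged=hits >= tag2, killed=killed,
        delivered=(not killed) or final_spam_destiny == "D_PASS",
        tests=[t.strip() for t in m["tests"].split(",") if t.strip()],
    )

def verdicts(log_text, final_spam_destiny="D_PASS"):
    """Return a Verdict for every SPAM summary line in a chunk of amavisd log."""
    found = (parse_spam_line(l, final_spam_destiny) for l in log_text.splitlines())
    return [v for v in found if v is not None]
```

Running `verdicts(SAMPLE_LOG)` reports the message as tagged, subject-tagged and killed but still delivered; passing `"D_DISCARD"` as the destiny flips only the delivered flag.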