Sandy Drobic wrote:
Richard Mixon (qwest) wrote:
<SNIP>
<SNIP>
The logs you send don't really help to narrow down the problem. Could
you rather post /etc/amavisd.conf?
Hmms - the "matches" lines from your debug output make sense. I find
some "matches" in my debug output, but they are quite different. I have
included the debug output from amavisd that is most similar (with
capitalized annotations), followed by my /etc/amavisd.conf as you
requested. The amavisd.conf is 67kb, so I squished all of the comments
out, but left the Section comments.
Thanks once again - Richard
1) Debug output of amavis while processing spam message:
09:01:26 gofish amavisd[5152]: Net::Server: 2005/04/06-09:01:26 CONNECT TCP Peer: "127.0.0.1:14047" Local: "127.0.0.1:10024"
[BEGINNING OF REMAINING LINES ARE ABBREVIATED TO SAVE SPACE]
26 go amd: lookup_ip_acl: key="127.0.0.1" matches "127.0.0.1", result=1
26 go amd: prolong_timer after new request - timer reset: remaining time = 300 s
26 go amd: SMTP> 220 [127.0.0.1] ESMTP amavisd-new service ready
26 go amd: prolong_timer after reading SMTP command: remaining time = 300 s
26 go amd: SMTP< EHLO gofish.AcmeSoftware.com\r\n
26 go amd: ESMTP> 250-[127.0.0.1]
26 go amd: ESMTP> 250-PIPELINING
26 go amd: ESMTP> 250-SIZE
26 go amd: ESMTP> 250-8BITMIME
26 go amd: ESMTP> 250 ENHANCEDSTATUSCODES
<SNIP>
26 go amd: (05152-01) Clam Antivirus-clamd result: /var/spool/amavis/amavis-20050406T090126-05152/parts: OK\n
26 go amd: (05152-01) prolong_timer after virus_scan: remaining time = 300 s
26 go amd: (05152-01) white_black_list: checking sender
26 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_RE: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_hash: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_hash: key="rnmixon@", no match
26 go amd: (05152-01) lookup_hash: key="qwest.net", no match
26 go amd: (05152-01) lookup_hash: key=".qwest.net", no match
26 go amd: (05152-01) lookup_hash: key=".net", no match
26 go amd: (05152-01) lookup_hash: key=".", no match
26 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
26 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
26 go amd: (05152-01) calling SA parse, SA version 2.64
26 go amd: (05152-01) CALLING SA check
27 go amd: (05152-01) RETURNED FROM NoMailAudit::check, time left: 29 s
27 go amd: (05152-01) prolong_timer after spam_scan_SA: remaining time = 300 s
27 go amd: (05152-01) spam_scan: hits=5 tests=CLICK_BELOW,HTML_40_50,HTML_FONTCOLOR_RED,HTML_FONT_BIG,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_SHOUTING5,HTML_TAG_EXISTS_TBODY,ONLINE_PHARMACY
27 go amd: (05152-01) prolong_timer after spam_scan: remaining time = 300 s
<FIRST MATCHES LINE>
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) lookup: (scalar) matches, result="-20"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) do_spam: looking for a quarantine address
27 go amd: (05152-01) SPAM, -> , Yes, hits=5.0 tag1=-20.0 tag2=5.0 kill=5.0 tests=CLICK_BELOW, HTML_40_50, HTML_FONTCOLOR_RED, HTML_FONT_BIG, HTML_LINK_CLICK_HERE, HTML_MESSAGE, HTML_SHOUTING5, HTML_TAG_EXISTS_TBODY, ONLINE_PHARMACY
<MORE MATCHES>
27 go amd: (05152-01) lookup: (scalar) matches, result="rnmixon@acme.com"
27 go amd: (05152-01) DO_SPAM - NOTIFICATIONS, sender: rnmixon@qwest.net
27 go amd: (05152-01) lookup_acl: key="rnmixon@qwest.net", no match
27 go amd: (05152-01) first_received_from: vdsl-130-13-0-7.phnx.qwest.net (HELO redfish) (130.13.0.7)
27 go amd: (05152-01) first_received_from: vdsl-130-13-0-7.phnx.qwest.net (HELO redfish) (130.13.0.7)
27 go amd: (05152-01) string_to_mime_entity Date: Wed, 6 Apr 2005 09:01:27 -0700 (MST)
27 go amd: (05152-01) string_to_mime_entity From: rnmixon@acme.com
27 go amd: (05152-01) string_to_mime_entity Subject: SPAM FROM
27 go amd: (05152-01) string_to_mime_entity To:
27 go amd: (05152-01) string_to_mime_entity Message-ID:
27 go amd: (05152-01) SEND via SMTP: [127.0.0.1]:10025 ->
27 go amd: (05152-01) Remote host introduces itself as: gofish.AcmeSoftware.com
27 go amd: (05152-01) prolong_timer after fwd-connect: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-mail-from: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-rcpt-to: remaining time = 300 s
27 go amd: (05152-01) response to DATA: "354 End data with <CR><LF>.<CR><LF>"
27 go amd: (05152-01) prolong_timer after fwd-data: remaining time = 300 s
27 go amd: (05152-01) prolong_timer after fwd-data-end: remaining time = 300 s
27 go amd: (05152-01) response to data end: "250 Ok: queued as B23BE17A9"
27 go amd: (05152-01) prolong_timer after fwd-rundown-1: remaining time = 300 s
27 go amd: (05152-01) mail_via_smtp: 250 2.6.0 Ok, id=05152-01, from MTA: 250 Ok: queued as B23BE17A9
27 go amd: (05152-01) one_response_for_all : success, dsn_needed=0, '250 2.6.0 Ok, id=05152-01, from MTA: 250 Ok: queued as B23BE17A9'
27 go amd: (05152-01) DO_SPAM DONE
27 go amd: (05152-01) header: Received: from gofish.AcmeSoftware.com ([127.0.0.1])\n by localhost (gofish [127.0.0.1]) (amavisd-new, port 10024) with ESMTP\n id 05152-01 for ;\n Wed, 6 Apr 2005 09:01:26 -0700 (MST)\n
27 go amd: (05152-01) header: X-Virus-Scanned: by amavisd-new at acme.com\n
27 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
27 go amd: (05152-01) lookup_acl: key="rnmixon@gofish.AcmeSoftware.com", no match
<MORE MATCHES>
27 go amd: (05152-01) lookup: (scalar) matches, result="-20"
27 go amd: (05152-01) lookup: (scalar) matches, result="5"
27 go amd: (05152-01) headers CLUSTERING: NEW CLUSTER : hits=5.0, tag=0, tag2=0, subj=0, subj_u=0, local=0, bl=0
27 go amd: (05152-01) headers CLUSTERING: done all 1 recips in one go
<SNIP>
2) /etc/amavisd.conf (comments removed):
use strict;
#
# Section I - Essential daemon and MTA settings
#
$MYHOME = '/var/spool/amavis';
$mydomain = 'Acme.com';
$daemon_user = 'vscan';
$daemon_group = 'vscan';
$TEMPBASE = $MYHOME;
$ENV{TMPDIR} = $TEMPBASE;
$max_servers = 2;
$max_requests = 10;
$child_timeout=5*60;
@local_domains_acl = ( ".$mydomain" );
#
# Section II - MTA specific (defaults should be ok)
#
$unix_socketname = "$MYHOME/amavisd.sock";
$inet_socket_port = 10024;
@inet_acl = qw( 127.0.0.1 );
$DO_SYSLOG = 1;
$LOGFILE = "$MYHOME/amavis.log";
$log_level = 2;
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)],
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
#
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
#
$final_virus_destiny = D_BOUNCE;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM',
qr'Worm'i,
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1],
);
$virus_admin = "rnmixon\@$mydomain";
$spam_admin = "rnmixon\@$mydomain";
$mailfrom_notify_admin = "rnmixon\@$mydomain";
$mailfrom_notify_recip = "rnmixon\@$mydomain";
$mailfrom_notify_spamadmin = "rnmixon\@$mydomain";
$mailfrom_to_quarantine = '';
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
$virus_quarantine_to = 'virus-quarantine';
$spam_quarantine_to = undef;
$X_HEADER_TAG = 'X-Virus-Scanned';
$X_HEADER_LINE = "by amavisd-new at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** ';
$remove_existing_x_scanned_headers = 0;
$remove_existing_spam_headers = 1;
$keep_decoded_original_re = new_RE(
qr'^MAIL-UNDECIPHERABLE$',
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,
qr'^\.exe$'i,
qr'^application/x-msdownload$'i,
qr'^application/x-msdos-program$'i,
);
#
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
#
$sql_select_white_black_list = undef;
$recipient_delimiter = '+';
$localpart_is_case_sensitive = 0;
$blacklist_sender_re = new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
map { $whitelist_sender{lc($_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@Lists.Sendmail.ORG
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
returns.groups.yahoo.com
));
#
# Section VI - Resource limits
#
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024;
$MAX_EXPANSION_QUOTA = 300*1024*1024;
$MIN_EXPANSION_FACTOR = 5;
$MAX_EXPANSION_FACTOR = 500;
#
# Section VII - External programs, virus scanners
#
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file';
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj'];
$unrar = ['rar', 'unrar'];
$zoo = 'zoo';
$lha = 'lha';
$cpio = ['gcpio','cpio'];
$sa_timeout = 30;
$sa_mail_body_size_limit = 256*1024;
$sa_tag_level_deflt = -20.0;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt;
$sa_dsn_cutoff_level = 10;
$sa_spam_subject_tag = '***SPAM*** ';
$sa_spam_modifies_subj = 1;
@av_scanners = (
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/bin/aveclient','aveclient'],
'-p /var/run/aveserver -s {}/*', [0,3,6,8],
qr/\b(INFECTED|SUSPICION)\b/,
qr/(?:INFECTED|SUSPICION) (.+)/,
],
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
'-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: (.+)/,
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
##
##
['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
"-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: ([^\r\n]+)/ ],
##
['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
##
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/ ],
##
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
##
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
##
['drweb - DrWeb Antivirus',
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
'-path={} -al -go -ot -cn -upn -ok-',
[0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
##
['F-Secure Antivirus', 'fsav',
'--dumb --mime --archive {}', [0], [3,8],
qr/(?:infection|Infected|Suspected): (.+)/ ],
['CAI InoculateIT', 'inocucmd',
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/ ],
['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/ ],
['MkS_Vir daemon',
'mksscan', '-s -q {}', [0], [1..7],
qr/^... (\S+)/ ],
##
['ESET Software NOD32', 'nod32',
'-all -subdir+ {}', [0], [1,2],
qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
##
['ESET Software NOD32 - Client/Server Version', 'nod32cli',
'-a -r -d recurse --heur standard {}', [0], [10,11],
qr/^\S+\s+infected:\s+(.+)/ ],
##
['Norman Virus Control v5 / Linux', 'nvccmd',
'-c -l:0 -s -u {}', [0], [1],
qr/(?i).* virus in .* -> \'(.+)\'/ ],
##
['Panda Antivirus for Linux', ['pavcl'],
'-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
qr/Number of files infected[ .]*: 0(?!\d)/,
qr/Number of files infected[ .]*: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],
##
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
],
##
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],
##
['CyberSoft VFind', 'vfind',
'--vexit {}/*', [0], [23], qr/#
],
##
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
##
['BitDefender', 'bdc',
'--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)$/ ],
);
@av_scanners_backup = (
##
['Clam Antivirus - clamscan', 'clamscan',
'--stdout --no-summary -r {}', [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
##
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)/ ],
##
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
'-i1 -xp {}', [0,10,15], [5,20,21,25],
qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
);
#
# Section VIII - Debugging
#
1;
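An added example, not part of Richard's post and not amavisd-new's own code: a small Python parser for the "spam_scan", "SPAM, ..." and "headers CLUSTERING" debug lines shown above, which cross-checks the levels the running daemon reported against the $sa_tag_level_deflt / $sa_tag2_level_deflt / $sa_kill_level_deflt values in the posted amavisd.conf and points out when the clustering line shows local=0. The sample log lines are constructed from the output above, with the addresses the list archive stripped left out.

```python
import re

# Constructed sample: the three decision lines from the debug output above, with the
# addresses the list archive stripped left out (the regexes tolerate either form).
SAMPLE_LOG = """\
27 go amd: (05152-01) spam_scan: hits=5 tests=CLICK_BELOW,HTML_40_50,ONLINE_PHARMACY
27 go amd: (05152-01) SPAM, -> , Yes, hits=5.0 tag1=-20.0 tag2=5.0 kill=5.0 tests=CLICK_BELOW, HTML_40_50
27 go amd: (05152-01) headers CLUSTERING: NEW CLUSTER : hits=5.0, tag=0, tag2=0, subj=0, subj_u=0, local=0, bl=0
"""

# Levels as set in the posted amavisd.conf (Section VII): tag=-20, tag2=5, kill=tag2.
CONF_LEVELS = {"tag1": -20.0, "tag2": 5.0, "kill": 5.0}

NUM = r"-?\d+(?:\.\d+)?"
SPAM_RE = re.compile(rf"\((?P<task>\d+-\d+)\) SPAM, .*?hits=(?P<hits>{NUM}) "
                     rf"tag1=(?P<tag1>{NUM}) tag2=(?P<tag2>{NUM}) kill=(?P<kill>{NUM})")
CLUSTER_RE = re.compile(rf"\((?P<task>\d+-\d+)\) headers CLUSTERING: NEW CLUSTER .*?hits={NUM}, "
                        r"tag=(?P<tag>[01]), tag2=(?P<tag2>[01]), .*?local=(?P<local>[01])")

def parse_log(text):
    """Return {task_id: fields} holding the verdict line values and the header-clustering flags."""
    tasks = {}
    for line in text.splitlines():
        m = SPAM_RE.search(line)
        if m:
            t = tasks.setdefault(m["task"], {})
            t.update({k: float(m[k]) for k in ("hits", "tag1", "tag2", "kill")})
        m = CLUSTER_RE.search(line)
        if m:
            t = tasks.setdefault(m["task"], {})
            t.update(hdr_tag=int(m["tag"]), hdr_tag2=int(m["tag2"]), local=int(m["local"]))
    return tasks

def explain(t, conf):
    """List what the log shows against the configured levels; an empty list means nothing notable."""
    notes = []
    for k in ("tag1", "tag2", "kill"):   # levels the running daemon used vs. the conf on disk
        if t[k] != conf[k]:
            notes.append(f"{k} level in log ({t[k]}) differs from amavisd.conf ({conf[k]})")
    if t["hits"] >= t["kill"]:
        notes.append("hits >= kill: treated as spam, $final_spam_destiny applies")
    elif t["hits"] >= t["tag2"]:
        notes.append("hits >= tag2: would be tagged as spam but not killed")
    # amavisd-new inserts X-Spam-* headers only for recipients matching @local_domains_acl/maps
    if t["hits"] >= t["tag2"] and t.get("local") == 0:
        notes.append("local=0: recipient not in @local_domains_acl, so tag=0/tag2=0 and no X-Spam headers")
    return notes

if __name__ == "__main__":
    for task, fields in parse_log(SAMPLE_LOG).items():
        print(task, *explain(fields, CONF_LEVELS), sep="\n  ")
```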