On Wed, 26 Sep 2018 14:29:25 -0500 (CDT), Ted Hatfield stated:

> On Wed, 26 Sep 2018, Jerry wrote:
>
>> I am running clamav version 0.100.1 on a FreeBSD 11.2 / amd64 machine. I
>> also have the clamav-milter installed. My problem is that even though I am
>> trying to whitelist some addresses, they get marked as Spam.
>>
>> This is an example of one such address: ? Puritan's Pride
>> <puritanspr...@e.puritan.com>
>>
>> I entered this into the white list file: From:puritanspr...@e.puritan.com
>>
>> I then restarted the milter. Unfortunately, the email is still marked as
>> Spam. I thought that clamav-milter would simply ignore the file.
>>
>> X-Virus-Status: Infected (SecuriteInfo.com.Spam-4701.UNOFFICIAL)
>> X-Virus-Scanned: clamav-milter 0.100.1 at scorpio.seibercom.net
>>
>> This is the output from "clamconf"
>>
>> Checking configuration files in /usr/local/etc
>>
>> Config file: clamd.conf
>> -----------------------
>> BlockMax disabled
>> PreludeEnable disabled
>> PreludeAnalyzerName disabled
>> LogFile = "/var/log/clamav/clamd.log"
>> LogFileUnlock disabled
>> LogFileMaxSize = "1048576"
>> LogTime disabled
>> LogClean disabled
>> LogSyslog disabled
>> LogFacility = "LOG_LOCAL6"
>> LogVerbose disabled
>> LogRotate = "yes"
>> ExtendedDetectionInfo disabled
>> PidFile = "/var/run/clamav/clamd.pid"
>> TemporaryDirectory disabled
>> DatabaseDirectory = "/var/db/clamav"
>> OfficialDatabaseOnly disabled
>> LocalSocket = "/var/run/clamav/clamd.sock"
>> LocalSocketGroup disabled
>> LocalSocketMode disabled
>> FixStaleSocket = "yes"
>> TCPSocket disabled
>> TCPAddr disabled
>> MaxConnectionQueueLength = "200"
>> StreamMaxLength = "26214400"
>> StreamMinPort = "1024"
>> StreamMaxPort = "2048"
>> MaxThreads = "10"
>> ReadTimeout = "120"
>> CommandReadTimeout = "5"
>> SendBufTimeout = "500"
>> MaxQueue = "100"
>> IdleTimeout = "30"
>> ExcludePath disabled
>> MaxDirectoryRecursion = "15"
>> FollowDirectorySymlinks disabled
>> FollowFileSymlinks disabled
>> CrossFilesystems = "yes"
>> SelfCheck = "600"
>> DisableCache disabled
>> VirusEvent disabled
>> ExitOnOOM disabled
>> AllowAllMatchScan = "yes"
>> Foreground disabled
>> Debug disabled
>> LeaveTemporaryFiles disabled
>> User = "clamav"
>> Bytecode = "yes"
>> BytecodeSecurity = "TrustSigned"
>> BytecodeTimeout = "5000"
>> BytecodeUnsigned disabled
>> BytecodeMode = "Auto"
>> DetectPUA disabled
>> ExcludePUA disabled
>> IncludePUA disabled
>> AlgorithmicDetection = "yes"
>> ScanPE = "yes"
>> ScanELF = "yes"
>> DetectBrokenExecutables disabled
>> ScanMail = "yes"
>> ScanPartialMessages disabled
>> PhishingSignatures = "yes"
>> PhishingScanURLs = "yes"
>> PhishingAlwaysBlockCloak disabled
>> PhishingAlwaysBlockSSLMismatch disabled
>> PartitionIntersection disabled
>> HeuristicScanPrecedence disabled
>> StructuredDataDetection disabled
>> StructuredMinCreditCardCount = "3"
>> StructuredMinSSNCount = "3"
>> StructuredSSNFormatNormal = "yes"
>> StructuredSSNFormatStripped disabled
>> ScanHTML = "yes"
>> ScanOLE2 = "yes"
>> OLE2BlockMacros disabled
>> ScanPDF = "yes"
>> ScanSWF = "yes"
>> ScanXMLDOCS = "yes"
>> ScanHWP3 = "yes"
>> ScanArchive = "yes"
>> ArchiveBlockEncrypted disabled
>> ForceToDisk disabled
>> MaxScanSize = "104857600"
>> MaxFileSize = "26214400"
>> MaxRecursion = "16"
>> MaxFiles = "10000"
>> MaxEmbeddedPE = "10485760"
>> MaxHTMLNormalize = "10485760"
>> MaxHTMLNoTags = "2097152"
>> MaxScriptNormalize = "5242880"
>> MaxZipTypeRcg = "1048576"
>> MaxPartitions = "50"
>> MaxIconsPE = "100"
>> MaxRecHWP3 = "16"
>> PCREMatchLimit = "100000"
>> PCRERecMatchLimit = "5000"
>> PCREMaxFileSize = "26214400"
>> ScanOnAccess disabled
>> OnAccessMountPath disabled
>> OnAccessIncludePath disabled
>> OnAccessExcludePath disabled
>> OnAccessExcludeRootUID disabled
>> OnAccessExcludeUID disabled
>> OnAccessMaxFileSize = "5242880"
>> OnAccessDisableDDD disabled
>> OnAccessPrevention disabled
>> OnAccessExtraScanning disabled
>> DevACOnly disabled
>> DevACDepth disabled
>> DevPerformance disabled
>> DevLiblog disabled
>> DisableCertCheck disabled
>>
>> Config file: freshclam.conf
>> ---------------------------
>> LogFileMaxSize = "2097152"
>> LogTime disabled
>> LogSyslog disabled
>> LogFacility = "LOG_LOCAL6"
>> LogVerbose disabled
>> LogRotate = "yes"
>> PidFile = "/var/run/clamav/freshclam.pid"
>> DatabaseDirectory = "/var/db/clamav"
>> Foreground disabled
>> Debug disabled
>> UpdateLogFile = "/var/log/clamav/freshclam.log"
>> DatabaseOwner = "clamav"
>> Checks = "24"
>> DNSDatabaseInfo = "current.cvd.clamav.net"
>> DatabaseMirror = "db.US.clamav.net", "database.clamav.net"
>> PrivateMirror disabled
>> MaxAttempts = "3"
>> ScriptedUpdates = "yes"
>> TestDatabases = "yes"
>> CompressLocalDatabase disabled
>> ExtraDatabase disabled
>> DatabaseCustomURL disabled
>> HTTPProxyServer disabled
>> HTTPProxyPort disabled
>> HTTPProxyUsername disabled
>> HTTPProxyPassword disabled
>> HTTPUserAgent disabled
>> NotifyClamd = "/usr/local/etc/clamd.conf"
>> OnUpdateExecute disabled
>> OnErrorExecute disabled
>> OnOutdatedExecute disabled
>> LocalIPAddress disabled
>> ConnectTimeout = "30"
>> ReceiveTimeout = "30"
>> SafeBrowsing = "yes"
>> Bytecode = "yes"
>>
>> Config file: clamav-milter.conf
>> -------------------------------
>> LogFile = "/var/log/clamav/clamav-milter.log"
>> LogFileUnlock disabled
>> LogFileMaxSize = "2097152"
>> LogTime = "yes"
>> LogSyslog disabled
>> LogFacility = "LOG_LOCAL6"
>> LogVerbose disabled
>> LogRotate = "yes"
>> PidFile = "/var/run/clamav/clamav-milter.pid"
>> TemporaryDirectory disabled
>> FixStaleSocket = "yes"
>> MaxThreads = "10"
>> ReadTimeout = "120"
>> Foreground disabled
>> User = "clamav"
>> MaxFileSize = "26214400"
>> ClamdSocket = "unix:/var/run/clamav/clamd.sock"
>> MilterSocket = "/var/run/clamav/clmilter.sock"
>> MilterSocketGroup disabled
>> MilterSocketMode disabled
>> LocalNet = "192.168.0.101/32", "192.168.0.192/32"
>> OnClean = "Accept"
>> OnInfected = "Accept"
>> OnFail = "Defer"
>> RejectMsg disabled
>> AddHeader = "Add"
>> ReportHostname disabled
>> VirusAction disabled
>> Chroot disabled
>> Whitelist = "/usr/local/etc/whitelisted_addresses.txt"
>> SkipAuthenticated = "file:/usr/local/etc/clamav_exclusions.txt"
>> LogInfected = "basic"
>> LogClean disabled
>> SupportMultipleRecipients = "yes"
>>
>> Software settings
>> -----------------
>> Version: 0.100.1
>> Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2
>> LIBXML2 PCRE JSON RAR
>>
>> Database information
>> --------------------
>> Database directory: /var/db/clamav
>> [3rd Party] EK_Zeus.yar: 28 sigs
>> [3rd Party] foxhole_mail.cdb: 23 sigs
>> [3rd Party] securiteinfopdf.hdb: 3367 sigs
>> [3rd Party] foxhole_generic.cdb: 211 sigs
>> [3rd Party] EK_Crimepack.yar: 49 sigs
>> [3rd Party] CVE-2010-1297.yar: 15 sigs
>> [3rd Party] spearl.ndb: 150 sigs
>> [3rd Party] foxhole_all.cdb: 145 sigs
>> [3rd Party] spamimg.hdb: 184 sigs
>> daily.cld: version 24983, sigs: 2100133, built on Tue Sep 25 22:39:15 2018
>> [3rd Party] spear.ndb: 15009 sigs
>> [3rd Party] spamattach.hdb: 14 sigs
>> [3rd Party] winnow.attachments.hdb: 182 sigs
>> [3rd Party] Maldoc_Hidden_PE_file.yar: 23 sigs
>> [3rd Party] malware.expert.hdb: 388 sigs
>> [3rd Party] winnow.complex.patterns.ldb: 3 sigs
>> [3rd Party] porcupine.ndb: 4012 sigs
>> [3rd Party] winnow_phish_complete.ndb: 9320 sigs
>> [3rd Party] phishtank.ndb: 27161 sigs
>> [3rd Party] scam.ndb: 12501 sigs
>> [3rd Party] EK_ZeroAcces.yar: 211 sigs
>> [3rd Party] foxhole_js.ndb: 4 sigs
>> [3rd Party] securiteinfohtml.hdb: 54089 sigs
>> [3rd Party] MiscreantPunch099-INFO-Low.ldb: 21 sigs
>> [3rd Party] jurlbl.ndb: 17854 sigs
>> [3rd Party] lott.ndb: 2335 sigs
>> [3rd Party] rfxn.hdb: 12674 sigs
>> [3rd Party] EK_Fragus.yar: 210 sigs
>> main.cvd: version 58, sigs: 4566249, built on Wed Jun 7 17:38:10 2017
>> [3rd Party] winnow_spam_complete.ndb: 931 sigs
>> [3rd Party] phish.ndb: 27425 sigs
>> [3rd Party] winnow_malware_links.ndb: 4623 sigs
>> [3rd Party] CVE-2013-0074.yar: 17 sigs
>> [3rd Party] sanesecurity.ftm: 170 sigs
>> [3rd Party] securiteinfoold.hdb: 2213713 sigs
>> [3rd Party] jurlbla.ndb: 1682 sigs
>> [3rd Party] CVE-2010-0887.yar: 21 sigs
>> [3rd Party] foxhole_filename.cdb: 1971 sigs
>> [3rd Party] EK_Blackhole.yar: 453 sigs
>> [3rd Party] EK_Phoenix.yar: 483 sigs
>> [3rd Party] spam_marketing.ndb: 23032 sigs
>> [3rd Party] securiteinfoandroid.hdb: 99086 sigs
>> [3rd Party] bofhland_malware_attach.hdb: 1835 sigs
>> [3rd Party] Sanesecurity_spam.yara: 46 sigs
>> [3rd Party] winnow_extended_malware_links.ndb: 1 sig
>> bytecode.cvd: version 327, sigs: 91, built on Wed Aug 8 20:43:48 2018
>> [3rd Party] winnow_malware.hdb: 293 sigs
>> [3rd Party] CVE-2015-5119.yar: 22 sigs
>> [3rd Party] malwarepatrol.ndb: 0 sig
>> [3rd Party] EK_BleedingLife.yar: 112 sigs
>> [3rd Party] foxhole_js.cdb: 48 sigs
>> [3rd Party] malware.expert.ndb: 855 sigs
>> [3rd Party] winnow_extended_malware.hdb: 245 sigs
>> [3rd Party] spam.ldb: 2 sigs
>> [3rd Party] porcupine.hsb: 873 sigs
>> [3rd Party] maldoc_somerules.yar: 283 sigs
>> [3rd Party] securiteinfo.hdb: 1377783 sigs
>> [3rd Party] rfxn.ndb: 2034 sigs
>> [3rd Party] foxhole_all.ndb: 101 sigs
>> [3rd Party] EK_Eleonore.yar: 165 sigs
>> [3rd Party] scamnailer.ndb: 50995 sigs
>> [3rd Party] shelter.ldb: 15 sigs
>> [3rd Party] blurl.ndb: 108974 sigs
>> [3rd Party] CVE-2013-0422.yar: 21 sigs
>> [3rd Party] javascript.ndb: 44092 sigs
>> [3rd Party] securiteinfoascii.hdb: 98180 sigs
>> [3rd Party] rogue.hdb: 6761 sigs
>> [3rd Party] malwarehash.hsb: 771 sigs
>> [3rd Party] malware.expert.ldb: 142 sigs
>> [3rd Party] MiscreantPunch099-Low.ldb: 1208 sigs
>> [3rd Party] EK_Angler.yar: 283 sigs
>> [3rd Party] Javascript_exploit_and_obfuscation.yar: 59 sigs
>> safebrowsing.cld: version 47916, sigs: 2840247, built on Wed Sep 26
>> 00:56:14 2018 [3rd Party] bofhland_cracked_URL.ndb: 24 sigs
>> [3rd Party] Sanesecurity_sigtest.yara: 54 sigs
>> [3rd Party] badmacro.ndb: 501 sigs
>> [3rd Party] bofhland_phishing_URL.ndb: 186 sigs
>> [3rd Party] winnow_bad_cw.hdb: 1 sig
>> [3rd Party] bofhland_malware_URL.ndb: 60 sigs
>> [3rd Party] CVE-2010-0805.yar: 14 sigs
>> [3rd Party] hackingteam.hsb: 435 sigs
>> [3rd Party] EK_Sakura.yar: 62 sigs
>> [3rd Party] crypto.yar: 1 sig
>> [3rd Party] malware.expert.fp: 42 sigs
>> [3rd Party] EK_Zerox88.yar: 55 sigs
>> Total number of signatures: 13738144
>>
>> Platform information
>> --------------------
>> uname: FreeBSD 11.2-RELEASE-p3 FreeBSD 11.2-RELEASE-p3 #0: Thu Sep 6
>> 07:14:16 UTC 2018 roo amd64 OS: freebsd11.2, ARCH: amd64, CPU: amd64
>> zlib version: 1.2.11 (1.2.11), compile flags: a9
>> platform id: 0x03235c5c0800000000040201
>>
>> Build information
>> -----------------
>> Clang: 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final
>> 326565) (4.2.1) CPPFLAGS: -I/usr/local/include
>> CFLAGS: -O2 -pipe -march=core2 -fstack-protector -fno-strict-aliasing
>> -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 CXXFLAGS:
>> -O2 -pipe -march=core2 -fstack-protector -fno-strict-aliasing LDFLAGS:
>> -lthr -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector
>> Configure: '--libdir=/usr/local/lib' '--with-dbdir=/var/db/clamav'
>> '--with-zlib=/usr' '--disable-clamuko' '--disable-clamav'
>> '--enable-bigstack' '--enable-readdir_r' '--enable-gethostbyname_r'
>> '--disable-dependency-tracking' '--disable-zlib-vcheck'
>> '--enable-clamdtop' '--enable-xml' '--disable-experimental'
>> '--without-iconv' '--enable-ipv6' '--with-libjson' '--enable-milter'
>> '--with-pcre' '--disable-check' '--enable-unrar'
>> '--with-sendmail=/usr/sbin/sendmail' '--prefix=/usr/local'
>> '--localstatedir=/var' '--mandir=/usr/local/man' '--disable-silent-rules'
>> '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2'
>> 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe
>> -march=core2 -fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -lthr
>> -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS='
>> 'CPPFLAGS=-I/usr/local/include' 'CPP=cpp' sizeof(void*) = 8 Engine flevel:
>> 92, dconf: 92
>>
>> If someone could tell me what I am doing incorrectly, I would appreciate
>> it.
>>
>> --
>> Jerry
> Jerry,
>
> A quick Google search comes up with this information from 2009.
>
>> Whitelisting is NOT based on the mail header fields (To:, From:) but on
>> the "MAIL FROM" and "RCPT TO" SMTP commands.
>
> Is perhaps the "MAIL FROM" not the same as the From address?
>
> Look at the full headers of the message for the "envelope-from" address
> and see if it matches.
>
> I run clamav-milter on a freebsd 11.2-stable machine and your
> configuration looks good to me.
>
> Ted Hatfield

I just checked the "clamav-milter.log" and noticed that all of the addresses are enclosed in < > symbols. Perhaps I should use them too. I will give it a try.

--
Jerry

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
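
Added example, not part of the thread or of ClamAV: a Python sketch of the check suggested above, comparing a message's envelope sender with its From: header and testing whitelist entries against the envelope address. It assumes the whitelist line format described in the clamav-milter.conf documentation (regex lines with an optional `From:` or `To:` prefix, `To:` when absent), that the MTA recorded the envelope sender in `Return-Path`, and it uses Python's `re` as a stand-in for POSIX regexes; all addresses and function names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a bulk mailer whose envelope sender (Return-Path)
# differs from the address shown in the From: header.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-12345@mta.example.com>
From: Example Shop <news@e.example.com>
To: <jerry@example.net>
Subject: Weekly offers

body
"""

# Constructed whitelist file content (assumed "From:"/"To:" line format).
SAMPLE_WHITELIST = """\
# comment lines are skipped
From:news@e\\.example\\.com
From:@mta\\.example\\.com>$
postmaster@example\\.net
"""

def parse_whitelist(text):
    """Return (direction, compiled_regex) pairs; no prefix means 'To'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:!":
            continue
        direction = "To"
        for prefix in ("From:", "To:"):
            if line.startswith(prefix):
                direction, line = prefix[:-1], line[len(prefix):]
                break
        rules.append((direction, re.compile(line)))
    return rules

def envelope_and_header_from(raw):
    """Envelope sender in the logged <addr> form, and the header From address."""
    msg = message_from_string(raw)
    envelope = "<%s>" % parseaddr(msg.get("Return-Path", ""))[1]
    header = parseaddr(msg.get("From", ""))[1]
    return envelope, header

def matching_sender_rules(raw, whitelist_text):
    """Patterns of From: rules that match the envelope sender (unanchored search)."""
    envelope, _ = envelope_and_header_from(raw)
    return [rx.pattern for d, rx in parse_whitelist(whitelist_text)
            if d == "From" and rx.search(envelope)]
```

In the constructed sample only the rule written against the bounce domain matches; the rule built from the visible From: address does not, because the milter never sees that header when it evaluates the whitelist.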