he
vast majority of my daily viruses come from one or two DSL or Cable dialup
IPs, and usually they arrive in a 30 minute or 1 hour burst. It would be
great if I could just block such IPs in /etc/tcp.smtp after the first 5 or
10 viruses.
Can SpamGuardian be easily adapted to do this?
Thanks!
--
o
> their email is never quarantined. 60 % of all spam sent to us comes from
> yahoo.com and hotmail.com.
Sounds like you'll need to do custom coding.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 4
anner to
your QMAILQUEUE env var.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
---
This SF.Net email is sponsored by
untar it in a temp dir,
cd to the temp dir and run:
./configure --help
That should show you the options you can use. You'll want to pay special
attention to the --notify option. I personally prefer psender.
You might want to back up your current qmail-scanner-queue.pl script just in
case
m just 2 unique
IP addresses yesterday. My mail server software
should be intelligent enough to ignore an IP
after a certain number of viruses come from it.
:)
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-55
detail log, or syslog file though.
Instead, it uses quarantine.log, which is known to be incorrect.
Does anyone have a patch for QSS that would allow it to use a syslog
detail log?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // C
Mário Gamito wrote:
> Hi,
>
> Sorry for my ignorance, but what software generates that graphic ? Is it
> QS ???
> It interests me a lot.
The GD library. It's part of PHP.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, T
Hello,
Does anyone know if QSS works on qmail-scanner's detail log file
(i.e. not quarantine.log)? Jason stated a few weeks ago that the
quarantine log shouldn't be trusted, but I'd still like to install
QSS. It makes pretty graphs. :)
--
Jesse Guardiani, Systems Administrator
W
Jason Haar wrote:
> On Tue, Jun 01, 2004 at 02:12:45PM -0400, Jesse Guardiani wrote:
>> > Is this because qmail-scanner.log accounts for each individual
>> > recipient, whereas quarantine.log only counts the original message? Can
>> > someone explain to
Jesse Guardiani wrote:
> Hello,
>
> I'm getting stuff like this in my logs from time to time:
>
> May 28 13:34:46 chortos X-Qmail-Scanner-1.22:
> [chortos.wingnet.net108576568547982828] clamdscan: corrupt or unknown
> clamd scanner error or memory/resource/perms proble
Jesse Guardiani wrote:
> Hello,
>
> I log from qmail-scanner via syslog, and send anything from qmail-scanner
> to its own log file: qmail-scanner.log with these statements in
> syslog.conf:
>
> !qmail-scanner
> *.*
n was scanning when it
crashed as shown above?
I believe I've found a bug in clamd, but I need the file
it was scanning to test my theory.
Thanks!
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-514
there is a discrepancy?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
argument. If the user's mail server is AV protected
then the mail server won't deliver an infected email in the first place. If the
user's mail server is NOT AV protected, then the user is getting a ton of viruses
anyway, so no additional harm is done.
--
Jesse Guardiani, Systems
Jason Haar wrote:
> On Wed, May 12, 2004 at 10:07:26AM -0400, Jesse Guardiani wrote:
>> Yes, let's look at my actual issue:
>>
>> 4. I am a business customer, and I rely on email to do business. I send
>> a word doc or a zipped binary attachment that just happen
_scanner, and I'd
like to continue using them. I just want my users to know IMMEDIATELY when
their email has been rejected.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
ad/negative aspects involved in incorporating a couple of extra
> options to the list of people to notify. ie, as well as psender, sender,
> admin, etc, we include bounce and extbounce.
>
> bounce = send a 5xx message (whatever the cryptic standard qmail error
> message is).
>
>
ra resource" required really is tiny. I
> realise that's very site-dependent... The reality is all of our queues are
> stuffed full of bounced SPAM - not virus alerts...
>
>> Loosen up man...
>
> Gotta be kidding. I'm runnin' on coffee this week...
--
custom-written alerts of Qmail-Scanner do...
It doesn't matter. At least the user knows that his email didn't go through.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.
Jason Haar wrote:
> Jesse Guardiani wrote:
>
>>I'm eager to hear what Jason Haar has to say about this. I don't know
>>how error codes are generated in q-s so I can't really comment on the
>>usability of the above code, but in concept it looks like what I
he world in the form of "virus warnings" or
> bounces talking about you maybe has sent a virus, and the queue of my
> server doesn't fill with undeliverable mails to address that really
> don't exist ([EMAIL PROTECTED])
I don't think you understand what I'm
s so I can't really comment on the
usability of the above code, but in concept it looks like what I'm
suggesting.
> In order to get error codes that mean something, instead of '451 qq temp
> fail', you'll need to recompile qmail/netqmail.
Yeah, what a shame. I t
irus was not
delivered successfully.
We can still use psender functionality to
avoid spamming innocent netizens with
"you sent us a virus" notifications.
CONS: ???
What do you think?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 26
Yes. UNIX sockets.
> Is the softlimit high enough?
Yes.
You can read more about my problem here if you're interested:
http://thread.gmane.org/gmane.comp.security.virus.clamav.user/8785
And here:
http://thread.gmane.org/gmane.comp.security.virus.clamav.user/7573
> -Orig
On Wednesday 05 May 2004 15:16, Jim Maul wrote:
> > -Original Message-
> > From: Jesse Guardiani [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 05, 2004 3:13 PM
> > To: Jim Maul
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [Qmail-scanner-general]left o
On Wednesday 05 May 2004 15:04, Jim Maul wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > Jesse Guardiani
> > Sent: Wednesday, May 05, 2004 2:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Qmail-s
scand wheel 512 Apr 26 06:23 f9a5ae8ea85f3ba8
Any ideas?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
---
On Monday 12 April 2004 22:18, you wrote:
> Hi,
>
> On Mon, Apr 12, 2004 at 10:23:48AM -0400, Jesse Guardiani wrote:
> > Sure. Here's mine:
>
> Before I comment on yours, can you tell why this won't work.
>
> set daemon 120
> set alert payal
>
>
Payal Rathod wrote:
> On Sun, Apr 11, 2004 at 11:00:27AM -0400, Jesse Guardiani wrote:
>> have to load the sig database for each scan), and if you set it up with
>> daemontools and Monit then you can quickly recover from problems when/if
>> clamd hangs or crashes.
>
>
ose packages up, you're
probably better off running clamscan, but you should still upgrade to 0.70rc.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
AV is any good.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
un ClamAV.
>
> AND THIS AS WELL
>
> Test #4: Eicar virus sent using uuencoding
> does not get dropped at all ever.
Install uuencode. Works for me.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-
c1654 free() copt
@4000405e782d2ceca9ec server ended; result=0
@4000405e782d2cecc92c free() copt
@4000405e7a8a08e30064 server ended; result=0
@4000405e7a8a08e31fa4 free() copt
This is with ClamAV 0.70-rc BTW. I upgraded last night and everything went very
smooth. I'll try to resubmit my
oftware is running but unresponsive.
> If it happens once more, I guess I'll replace the memory in the box - it's
> just strange that it is only ClamAV in conjunction with qmail-scanner (but
> ClamAV is outside the scope of this list)
ClamAV has a long history of crashing. I pe
ficient
for qmail-scanner to cause qmail-smtpd to return a 451 code. This way the remote
sending mail server would queue the message and try again later.
My question would be: Does qmail-scanner cause qmail-smtpd to return a 451 if it
detects problems with one of its scanners? Do
red it 'clean'? I think
this is an excellent solution, and it allows us to continue using the sender
notification code for something useful.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Clev
ell.
If you tell us which virus scanner you're using then we can probably give
you a list of our own personal crop.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (
Jesse Guardiani wrote:
> Howdy list,
>
> 1.) I'm personally tired of notifying the sender of a virus
> that they've just sent a virus. Most viruses forge the
> sender address now-a-days, so I find myself updating my
> silent viruses list much mo
be ideal, IMO. My customers need to know
when a clean attachment has been blocked, but I prefer
that we don't spam innocent people every time we receive
a virus.
Is the above possible without patching?
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box
Howdy list,
Before I re-invent the wheel: Does anyone have a cron
script that will go through the quarantine directory
removing items that are X days old?
Since implementing qmail-scanner in Sept of 2003 I have
4.8 gigs in my quarantine directory.
--
Jesse Guardiani, Systems Administrator
heck though: Did 1.20RC3 run as the 'qscand'
user? If not then you'll have to add the qscand user to your system
while upgrading. This change happened sometime in the 1.20RCx series,
but I don't remember which exactly.
--
Jesse Guardiani, Systems Administrator
WingNET Interne
ur definitions every
hour or so, you'll always catch the new viruses - sometimes before the
commercial scanners!
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Jason Haar wrote:
> On Fri, Jan 30, 2004 at 05:10:03PM -0500, Jesse Guardiani wrote:
>> Howdy list,
>>
>> It would be nice if the silent_viruses_array was populated
>> (or replaced) by a CDB or DBM constant database for relatively
>> fast lookups.
>>
>
%d\n",
ipaddr, (int)mytime);
(The above is untested... so don't blame me if it doesn't compile or work.)
And recompile.
Alternatively, Ed Henderson suggests:
"Another option is to set the QMAILQUEUE variable in the startup script
for qmail-smtpd."
On Wednesday 28 January 2004 8:41 pm, Rick Macdougall wrote:
> Jesse Guardiani wrote:
> > Howdy list, Mr. Haar,
> >
> > I noticed that the qmail-scanner FAQ page is now
> > claiming that qmail-scanner doesn't work with vpopmail:
[...]
> I've been through t
ing Python before, but never Perl,
so unfortunately I'm not the man to implement it right now.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://
's until
you open the message.
Putting the server's name in the body of the notification
like Qmail does for bounces might help too.
Just thinking out loud.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-
't for me either, but after careful examination of the source
code I realized that the notification in question had a different
From: address.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423
tting RELAYCLIENT
and RBLSMTPD and add a QMAILQUEUE variable to the mix then recompile EVERYTHING
that relies on vpopmail. This is what we do on our systems.
Otherwise you're pretty much out of luck. I suppose you could also try the
qmail SMTP AUTH patches as a workaround, but you're still
canner either.
Just an FYI.
Thanks!
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
PowerEdge 4300 has really
made a huge negative impact on CPU load. I went from mostly 90% idle
to nearly always 0% idle.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 4
Jason Haar wrote:
> On Tue, Sep 30, 2003 at 02:07:53PM -0400, Jesse Guardiani wrote:
>> Yeah, great. I know it came from a local network. But what IP address?
>> What user? I can't answer those questions without an IP address/host
>> name.
>
> Why are you making
Jason Haar wrote:
> On Mon, Sep 29, 2003 at 09:47:47AM -0400, Jesse Guardiani wrote:
>> Why not? I think it's useful to log the TCPREMOTEHOST and TCPREMOTEIP.
>> That way you can be 100% sure that a virus is coming from a computer
>> on your local network, and that it
Jason Haar wrote:
> Jesse Guardiani said:
>> 1.) Find the actual quarantined virus email
>> 2.) Find the IP address (TCPREMOTEIP) this message came in from?
>
> You don't. That information is not contained within the syslog record.
Why not? I think it's usef
r:
1.) Find the actual quarantined virus email
2.) Find the IP address (TCPREMOTEIP) this message came in from?
Thanks!
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http:/
ge.net/
To monitor your virus logs and send emails or perform other actions (like paging
you) when something really important happens, like an internal user sending
a virus to your mail server.
--
Jesse Guardiani, Systems Administrator
WingNET In
fication to <>, and why does it
log it? I've seen the same thing with rc3, and I'm confused too.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
---
Jason Haar wrote:
> On Mon, Sep 22, 2003 at 10:45:18AM -0400, Jesse Guardiani wrote:
>> Howdy list,
>>
>> Is there any way I can get qmail-scanner to only
>> send me virus notifications via email if the headers
>> of the quarantined virus contain a certain
Jesse Guardiani wrote:
> Howdy list,
>
> I'm currently running qmail-scanner-1.20rc1 on my production
> mail server. I saw this thread back in August:
>
> http://news.gmane.org/onethread.php?group=gmane.mail.qmail.scanner&root=%3C20030824230334.GB25047%40trimble.co.n
don't see much point in being notified for
EVERY virus caught. That's what log files and quarantine
directories are for...
Thanks.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (
y been made to
qmail-scanner-1.20rc3? I like the idea of running the AV
prog before perlscanner, and I'd like to upgrade if that
change has already been made.
Thanks!
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (
queue-filters/block-forged-sender.tar.gz
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[EMAIL PROTECTED] wrote:
> - Original Message -
> From: "Jesse Guardiani" <[EMAIL PROTECTED]>
[...]
> Jesse,
>
> Thank you for that explanation. That makes sense. So what does your
> script
> / program do if the envelope sender is blank or non
[EMAIL PROTECTED] wrote:
> - Original Message -
> From: "Jesse Guardiani" <[EMAIL PROTECTED]>
[...]
> Jesse,
>
> Sorry for sounding like a dummy but can you explain point # 2 for me? The
> envelope sender is what a user sees in their email client
On Wednesday 17 September 2003 12:27, you wrote:
> - Original Message -
> From: "Jesse Guardiani" <[EMAIL PROTECTED]>
>
> > I have written (and currently use in production) a python script
> > designed to block email addresses and/or domains using a
ipt) and fast.
It's also well tested at this point, and relatively bug-free. It
runs under qmail-qfilter (a C wrapper for QMAILQUEUE scripts).
Let me know if you're interested.
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 373
a uvscan command line scanner license alone...
> Any tips are appreciated...
I use ClamAV. Works great:
http://www.clamav.com
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f
l anyhow. zip/tar em
>> up
>>
>> dallas
>>
>>
>
>
> Dallas,
>
> How well does this policy work in an ISP environment? Are your users
> corporate or ISP?
It works as well as you want it to work. You'll probably get more
calls about it and have to dole o
ted as silent? Grep for the sender
>>address in my maillog? (nothing there)
>>
>>Thanks!
>>
>
> If you are blocking all the pif files attachment,
I'm not. I'm running ClamAV. Sorry I didn't specify that
outright.
--
Jesse Guardiani, Systems Administrator
WingN
ow your system is setup... my maillog does not contain
> delivery information. /var/log/qmail/current does since i use
> daemontools.
:) Not in my setup. /var/log/maillog contains delivery info, and
/var/log/qmail/smtpd/current contains SMTP tcpserver logging info
(IP addresses, timestamps, et
Rodrigo Vaz wrote:
> Thanks to all ,
>
>
> I solved the problem only removing the softlimit from run script .
> Now this work fine =)
Not a good idea, friend. Softlimit is a Good Thing. Instead,
try adjusting softlimit to something like 2000. That's
what I do.
--
Jess
Dallas L. Engelken wrote:
>
>> -Original Message-
>> From: Jesse Guardiani [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, September 03, 2003 10:04 AM
>> To: [EMAIL PROTECTED]
>> Subject: [Qmail-scanner-general]SoBig.F silent
>>
>>
>>
Howdy list,
I have "sobig" in my list of --silent-viruses.
And I am (appropriately) still getting emails
to the email alert address.
How can I confirm that this virus is indeed
being treated as silent? Grep for the sender
address in my maillog? (nothing there)
Thanks!
--
Jesse