For those running MailScanner - Important Information

[equens]

ops!! since I deleted and reinstalled Clamav I give this errors:

temporarily rejected after DATA
malware acl condition: clamd: unable to connect to UNIX socket /var/clamd (No such file or directory)

2005-01-07 17:23:09 1CmwtJ-0004LD-8i H=(mail1.bluebarrel.net) [66.165.231.123] F=<bounce-alqtdc9giqzpismim2ybrkpa@bluefame.com> temporarily rejected after DATA
2005-01-07 17:23:11 1CmwtL-0004LE-4f malware acl condition: clamd: unable to connect to UNIX socket /var/clamd (No such file or directory)
2005-01-07 17:23:11 1CmwtL-0004LE-4f H=(mc3-s21.hotmail.com) [65.54.163.220] F=<> temporarily rejected after DATA

.. and I have reinstalled Clamav with http://www.webumake.com/free/clamav.htm instructions, it is very strange :-( What do you thinks is wrong?

Perhaps these files were more important... ? All mail in server are stopped.

[chirpy]

Make sure that you do not have the clamavconnector installed. Also make sure that there's no clamv line in the first textbox of the WHM > Exim Configuration Editor > Advanced Mode

[brentp]

sorry, but cpanel will be rolling out dspam later this week as far as i know.

Regards,
Brent

[equens]

sorry, but cpanel will be rolling out dspam later this week as far as i know.

Regards,
Brent

Hi Brent, what do you want to mean? thanks

[chirpy]

Good. So long as it's implemented with per domain scanning with user configurable options from within cPanel and performs virus scanning, then it'll replace MailScanner. If not, it won't.

sorry, but cpanel will be rolling out dspam later this week as far as i know.

Regards,
Brent

[ispro]

sorry, but cpanel will be rolling out dspam later this week as far as i know.

Regards,
Brent

Any news on this implementation?
While chirpy said that he is pretty happy with MailScanner DSPAM looks very promising and several big (not so big, however) companies manually implemented it with a good results and drop in cpu load...

[spiff06]

Installed MailScanner with Chirpy's script.

Had to struggle mildly with the clamd part, as I used an earlier script to update it, which sent params to ./configure (./configure --prefix=/usr --sysconfdir=/etc) and sent me happily down the trail of the unknown Sophie. Redid the install with a plain ./configure call, success.

Now MailScanner is hunting for viruses again, as indicated in /var/log/maillog.

Chirpy's page doesn't mention anything needs to be done in particular to the exim.conf.

So the question is: Are additions to exim.conf, such as the ones mentioned here, useful, or should installing MailScanner/ClamAV with Chirpy's instructions be sufficient?

[chirpy]

The mail header checks can be helpful (e.g. EHLO/HELO checking) and I'd certainly recommend my dictionary attack ACL

You might also want to look into adding DCC and Vipul's Razor to help improve SpamAssassin scoring, as well as looking into adding SARE rules from:
http://www.rulesemporium.com

[spiff06]

Thanks, Chirpy, for the pointers.

Before I install another couple of software packages, my top priority issue is now this:

root[~]# service exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [FAILED]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [FAILED]
Starting clamd: [ OK ]
Starting exim: [ OK ]
Starting exim-26: [ OK ]
Starting exim-outgoing: [ OK ]
Starting exim-smtps: [ OK ]
Starting antirelayd: [ OK ]

You'll note that clamd is shut down but not restarted, and that both Exim and SpamAssassin have trouble shutting down.

Other issues:

Previously cPanel's SpamAssassin was placing messages into the spam box, but I'm now getting loads of messages prefixed with "{Spam?}" or "{Definitely Spam?}". All those messages are also forwarded when Forwarders have been set.

What is the best practice regarding this? My customers are seeing all those messages coming in and wonder why they are swamped with them even though they are correctly identified as spam.

Existential issue:

Why do virii and spam even exist? *Sigh*

[chirpy]

Not sure I'm with you on all parts. If you're running MailScanner then nether clamd nor spamd should be running and should fail. If you're finding clamd is running, you need to delete /usr/sbin/clamd.

The default installation of MailScanner using our package continues to deliver all email so that users can filter them in their own email software. You can change this behaviour by editing:

/usr/mailscanner/etc/rules/spam.action.rules
/usr/mailscanner/etc/rules/spamhigh.action.rules

The latter one being for high scoring {Definitely Spam?}

You can set the action to be:

deliver - what it is set to be default
delete - deletes the email
forward another@emailaddress.com delete - forwards it to a separate email address and not to the intended recipient address

If you change those files, restart MailScanner:

service MailScanner reload

[spiff06]

Not sure I'm with you on all parts. If you're running MailScanner then nether clamd nor spamd should be running and should fail. If you're finding clamd is running, you need to delete /usr/sbin/clamd.

Whoa. Ok. And here I was restarting clamd and spamd manually... Duh. Thanks for clearing that up. There are so many contradictory posts on the subject, dealing with various install packages that it's hard sorting them out sometimes.

About updates:

- Do I need to update the MailScanner script regularly, or will it take care of itself?
- Are SpamAssassin rules (such as the recent rules for German spam made irrelevant by this package's installation?

[chirpy]

You should upgrade as I release new packages when MailScanner release new versions:
http://www.mailscanner.info

The upgrade details for the package are within the tarball from my site.

It's still a good idea to include extra SA rulesets to help solidify spam scores and you should still do so (pop them into a .cf file within /etc/mail/spamassassin/).

[gflamerich]

Hi Chirpy
We are having troubles because can't find where to set up mailscanner to scan viruses in forwarded messages.
Some ISP are blocking our server because our box sends messages infected, all of them are forward addresses.
Is there any place to set/unset scanning of this kind of mails?
Thanks


2005-06-19 07:05:20 1Djxby-00065p-Nz ** ####@cantv.net <####@#####.com> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host relay.cantv.net [200.44.32.36]: 554 5.7.1 virus HTML.Phishing.Bank-1 detected by ClamAV - http://www.clamav.net

As you can see, they detected the virus using ClamAV, bout exim sent the mesage to the forwarded address

[chirpy]

So long as you have the domains configured to be scanned and have the appropriate actions set (i.e. presumably to delete the spam) in the ruleset files, MailScanner will scan all email (unlike the inbuild SpamAssassin method). Those ruleset files are in:

/usr/mailscanner/etc/rules/spam.scanning.rules

/usr/mailscanner/etc/rules/spam.action.rules
/usr/mailscanner/etc/rules/spamhigh.action.rules

Remember that in those last two files, if you set the action to deliver then spam will still be forwarded, but tagged. If you don't want it forwarded, change deliver to delete then restart MailScanner.

[kmsd]

Chirpy,

Using your setup is there anyway we can automatically update the software? What command do I use?

Thanks,
kmsd