Server under Virus Attack - Please help it's URGENT !!!

[checked]

Hi Guys,

I'm under a BIG problem as my Redhat 9.0 server is badly under a Virus Attack even after having a mailscanner (clamav) installed and having setting under the exim to remove the attachments like : .pif .exe .scr or something similar but still loads of virus mails are not detectable by the mailscanner.

Here is list of Virus from which my server is affected :

1. Worm.SomeFool.P (90% of the Virus mails are affected by this virus)
2. Worm.SomeFool.Z
3. Worm.SomeFool.Gen-1
4. Worm.SomeFool.Gen-2
5. Worm.Bagle.AG
6. Worm.Bagle.AG.2
7. Worm.Bagle.AC
8. Worm.Gibe.F

and many other also but these are the major ones affecting mails daily


Below are my few problems with it and I need your help :

1) Mailscanner is very much capable of removing the attachments but I want him to simply remove the mail from the queue when it detect it as a virus mail.

2) I want to stop the mailscanner not to send any return mail when it detect a virus. Actually what it does whenever it found a virus it immediately send areturn mail to the sender. Most of the time the sender address is fake but sometime it is set to any email of my clients and they got a return mail they were trying to send a virus mail which they actually not.

Please help me to get out of this big problem.

 

[chirpy]

All your questions have already been answered on these forums. I'd suggest using the search button

The biggest problem you're having is most likely that you are running an old version of MailScanner and an old version of ClamAV - you need to upgrade both to the latest releases.

 

[checked]

Yes I think you are right and it seems that after updating it is solved (looks so). Actually I was so tensed and did a search in a hurry and didn't find anything. But now I did it and looked around many threads and I think I got it.

Once again thanks for your kind advice

 

[rpmws]

Yes I think you are right and it seems that after updating it is solved (looks so). Actually I was so tensed and did a search in a hurry and didn't find anything. But now I did it and looked around many threads and I think I got it.

Once again thanks for your kind advice

Just curious ..what did you find out? I tried mailscanner before. It was so resource intensive I elected to git rid of it. That was back when I had 500 sites on 2 boxes. Now I have 700 on 6 boxes that have more ram. Some of these viruses are fooling people ..like the ones they say hey: "I am youdomain admin. you need to run this script so your email will work". I mean thses bastards are sneeky!! I have had customers send me replies saying "now what? , I ran your file" and I am wondering what they are talking about. I tell you ..if it wasn't for virus and spam we would have 75% less work load!!!

 

[chirpy]

I've never had a virus get through MailScanner+ClamAV. So long as you have freshclam run regularly and keep MailScanner up to date, it's as good a solution as any.

I tried mailscanner before. It was so resource intensive I elected to git rid of it.

I would suspect that you weren't using the clamavmodule which uses Mail::ClamAV, but instead usng the standard clamav which is a resource hog.

There's no denying that it will put load on your server - it's doing a lot of work for you. But if it is well configured on a server that doesn't already have performance issues, there really should not be any problems.

A lot of people like Exiscan, but if you want a very flexible and configurable solution, it'd be very difficult to find anything better, IMHO

 

[rpmws]

I've never had a virus get through MailScanner+ClamAV. So long as you have freshclam run regularly and keep MailScanner up to date, it's as good a solution as any.

I would suspect that you weren't using the clamavmodule which uses Mail::ClamAV, but instead usng the standard clamav which is a resource hog.

There's no denying that it will put load on your server - it's doing a lot of work for you. But if it is well configured on a server that doesn't already have performance issues, there really should not be any problems.

A lot of people like Exiscan, but if you want a very flexible and configurable solution, it'd be very difficult to find anything better, IMHO

was using clamavmodule ..loads on dual boxes were kept average of about 1.2 -1.8 and maxxed out at 3 for breif periods like backups and stuff like that. mailscanner took it to a constant of about 3-4 on loads. This was at a time that we were seeing soooo many new ones hit.

 

[checked]

I tell you, All I did is just upgrade the Mailscanner as directed at the following thread :

http://forums.cpanel.net/showthread.php?t=21290

and after updating it I updated the Clamav to 0.75 (latest version).

The thing which actually did the trick is setting under the mailscanner.conf which were not available under the old verion which I had and I just set few option like : denying to send a return mail whenever gets the virus (most of the time it is fake address) and few other similar options.

It is not like that my server is not receiving virus mails now. It is still receiveing virus infected mails right now but it not delivering them and not even sending the return mail to the Email ID set in the reply-to field (which is actually fake)

I hope this helps