
add-on Sanesecurity anti-spam signatures

  • Doug Sampson
    Message 1 of 8 , Feb 5 8:22 PM

      After implementing the add-on Sanesecurity anti-spam signatures in response to a recent posting on the mailing list (thanks Noel!), I am now faced with a small issue. One of my daily Postscreen summary reports and a Postfix summary report are being flagged by the jurlbl database and discarded.

      Question is- how can I exclude these two reports from the clamsmtpd scanning? I’ve reviewed the man pages for clamsmtpd and clamav-clamd and am unable to devise a method to skip these two reports. I also looked at the Postfix main.cf and again am unable to figure out a method for doing so.

      Has anyone implemented a way of doing so? If it would help matters, I would be happy to have any email addressed to root be skipped as well.

      ~Doug

    • Benny Pedersen
      Message 2 of 8 , Feb 5 9:04 PM
        Doug Sampson wrote on 2013-02-06 05:22:

        > Has anyone implemented a way of doing so? If it would help matters, I
        > would be happy to have any email addressed to root be skipped as
        > well.

        one way could be to make a clamav signature whitelist that only hits on
        these mail reports, imho clamav whitelist is to get such problem solved
        that way if one whitelist hits, it then does not matter how many
        blacklist also hits

        if you add in the reports an >PASSWORD< and then make a whitelist on
        exact that password in reports, then it should work

        if you used clamav-milter i would just use whitelist rcpt
      • Doug Sampson
        Message 3 of 8 , Feb 6 6:13 AM
          > Doug Sampson wrote on 2013-02-06 05:22:
          >
          > > Has anyone implemented a way of doing so? If it would help matters, I
          > > would be happy to have any email addressed to root be skipped as
          > > well.
          >
          > one way could be to make a clamav signature whitelist that only hits on
          > these mail reports, imho clamav whitelist is to get such problem solved
          > that way if one whitelist hits, it then does not matter how many
          > blacklist also hits
          >
          > if you add in the reports an >PASSWORD< and then make a whitelist on
          > exact that password in reports, then it should work
          >
          > if you used clamav-milter i would just use whitelist rcpt
          >

          Unfortunately I am not using clamav-milter, only clamsmtpd. This doesn't exclude clamav-milter as a potential solution though.
        • Noel Jones
          Message 4 of 8 , Feb 6 9:41 AM
            On 2/5/2013 10:22 PM, Doug Sampson wrote:
            > After implementing the add-on Sanesecurity anti-spam signatures in
            > response to a recent posting on the mailing list (thanks Noel!), I
            > am now faced with a small issue. One of my daily Postscreen summary
            > reports and a Postfix summary report are being flagged by the jurlbl
            > database and discarded.
            >
            >
            >
            > Question is- how can I exclude these two reports from the clamsmtpd
            > scanning? I’ve reviewed the man pages for clamsmtpd and clamav-clamd
            > and am unable to devise a method to skip these two reports. I also
            > looked at the Postfix main.cf and again am unable to figure out a
            > method for doing so.
            >
            >
            >
            > Has anyone implemented a way of doing so? If it would help matters,
            > I would be happy to have any email addressed to root be skipped as well.
            >
            >
            >
            > ~Doug
            >


            Does clamsmtpd not have any whitelisting mechanism? Seems a
            recipient whitelist would be a pretty basic feature, and the easiest
            fix for this problem.

            One option is to not filter "local" mail submitted with the
            sendmail(1) interface. This is a good option if the machine has no
            local users. This is what I do on most servers.
            # master.cf
            pickup ... pickup
              -o content_filter=

            Another option is to use the mini_sendmail or similar program to
            send your reports to an "unfiltered" port (such as the after-filter
            reinjection port) instead of through port 25. I do this on a couple
            machines to send reports around the filters.
            Instead of typical
              some_command | mail
            I use
              some_command | mini_sendmail -p 10025


            -- Noel Jones
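
Both options in the message above leave a path into Postfix that skips the content filter, so it is worth confirming that any such listener is reachable only from the local host. The following is an added example, not part of the original message: a Python check over master.cf that lists entries clearing content_filter and flags inet listeners not pinned to loopback. The sample master.cf, the 10026 entry and the function names are constructed for illustration.

```python
# Added example. SAMPLE_MASTER_CF is constructed; port 10026 is hypothetical.
SAMPLE_MASTER_CF = """\
# service       type private unpriv chroot wakeup maxproc command + args
smtp            inet n       -      n      -      -       smtpd
pickup          unix n       -      n      60     1       pickup
  -o content_filter=
127.0.0.1:10025 inet n       -      n      -      16      smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
10026           inet n       -      n      -      16      smtpd
  -o content_filter=
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the entry they extend."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored by Postfix
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def filter_bypasses(text):
    """Return (service, type, not_loopback) for entries with '-o content_filter='."""
    found = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete master.cf entry
        service, svc_type, args = fields[0], fields[1], fields[8:]
        overrides = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o"]
        if "content_filter=" not in overrides:
            continue
        host = service.rsplit(":", 1)[0] if ":" in service else ""
        not_loopback = svc_type == "inet" and host not in LOOPBACK_HOSTS
        found.append((service, svc_type, not_loopback))
    return found


if __name__ == "__main__":
    for service, svc_type, not_loopback in filter_bypasses(SAMPLE_MASTER_CF):
        print(service, svc_type, "CHECK BINDING" if not_loopback else "ok")
```

An inet entry with no host part listens on whatever inet_interfaces allows, so a flagged entry calls for a look at main.cf and the host firewall before concluding it is reachable from outside. Only the plain `-o name=value` form is parsed.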
          • Benny Pedersen
            Message 5 of 8 , Feb 6 5:11 PM
              Doug Sampson wrote on 2013-02-06 15:13:

              > Unfortunately I am not using clamav-milter, only clamsmtpd. This
              > doesn't exclude clamav-milter as a potential solution though.

              maybe send a sample msg to sanesecurity and see if it can be redone
              sigs for this hits, well i will in coming days try to read on how to
              make the whitelist sigs more closely, if it really can be used to
              disable virus scanning in a safe way then i would use it myself at least,
              kind of how dspam does it in body

              if it turns out as success i will post here a how to make such signature
            • Robert Schetterer
              Message 6 of 8 , Feb 6 11:39 PM
                On 07.02.2013 02:11, Benny Pedersen wrote:
                > Doug Sampson wrote on 2013-02-06 15:13:
                >
                >> Unfortunately I am not using clamav-milter, only clamsmtpd. This
                >> doesn't exclude clamav-milter as a potential solution though.

                sanesecurity signatures are added to the clamd signature base
                so using clamsmtpd should be ok, no need for milter, however
                you better only choose sources in the sanesecurity download script which
                are not known to produce too much false positives

                >
                > maybe send a sample msg to sanesecurity and see if it can be redone sigs
                > for this hits, well i will in coming days try to read on how to make
                > the whitelist sigs more closely, if it really can be used to disable
                > virus scanning in a safe way then i would use it myself at least, kind of
                > how dspam does it in body
                >
                > if it turns out as success i will post here a how to make such signature
                >



                Best Regards
                Kind regards, Robert Schetterer

                --
                sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Registered office: München, District Court München: HRB 199263
                Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Chairman of the Supervisory Board: Joerg Heidrich
              • Benny Pedersen
                Message 7 of 8 , Feb 7 2:20 AM
                  Robert Schetterer wrote on 2013-02-07 08:39:

                  > sanesecurity signatures are added to the clamd signature base
                  > so using clamsmtpd should be ok, no need for milter, however
                  > you better only choose sources in the sanesecurity download script
                  > which
                  > are not known to produce too much false positives

                  only using phishtank sigs here to limit ram usage, not because sigs are
                  bad, my mailserver has little mem so i need to limit usage this way, but
                  i am in progress with a new server with more ram, also to get dovecot
                  2.x stable, have mailboxes on dovecot 1.x which is stable, 2.x is like
                  flying pigs atm :)
                • Len Conrad
                  Message 8 of 8 , Feb 7 3:01 AM
                    >
                    >Unfortunately I am not using clamav-milter, only clamsmtpd. This doesn't exclude clamav-milter as a potential solution though.

                    The huge weakness of clamsmtpd is that the developer says there is no way to release false positives.

                    Len