Re: add-on Sanesecurity anti-spam signatures

  • Benny Pedersen
    Message 1 of 8 , Feb 5, 2013
      Doug Sampson wrote on 2013-02-06 05:22:

      > Has anyone implemented a way of doing so? If it would help matters, I
      > would be happy to have any email addressed to root be skipped as
      > well.

      one way could be to make a clamav signature whitelist that only hits on
      this mail reports, imho clamav whitelist is to get such problem solved
      that way if one whitelist hits, it then does not matter how many
      blacklist also hits

      if you add in the reports an >PASSWORD< and then make a whitelist on
      exact that password in reports, then it should work

      if you used clamav-milter i would just use whitelist rcpt
    • Doug Sampson
      Message 2 of 8 , Feb 6, 2013
        > Doug Sampson wrote on 2013-02-06 05:22:
        >
        > > Has anyone implemented a way of doing so? If it would help matters, I
        > > would be happy to have any email addressed to root be skipped as
        > > well.
        >
        > one way could be to make a clamav signature whitelist that only hits on
        > this mail reports, imho clamav whitelist is to get such problem solved
        > that way if one whitelist hits, it then does not matter how many
        > blacklist also hits
        >
        > if you add in the reports an >PASSWORD< and then make a whitelist on
        > exact that password in reports, then it should work
        >
        > if you used clamav-milter i would just use whitelist rcpt
        >

        Unfortunately I am not using clamav-milter, only clamsmtpd. This doesn't exclude clamav-milter as a potential solution though.
      • Noel Jones
        Message 3 of 8 , Feb 6, 2013
          On 2/5/2013 10:22 PM, Doug Sampson wrote:
          > After implementing the add-on Sanesecurity anti-spam signatures in
          > response to a recent posting on the mailing list (thanks Noel!), I
          > am now faced with a small issue. One of my daily Postscreen summary
          > reports and a Postfix summary report are being flagged by the jurlbl
          > database and discarded.
          >
          > Question is- how can I exclude these two reports from the clamsmtpd
          > scanning? I’ve reviewed the man pages for clamsmtpd and clamav-clamd
          > and am unable to devise a method to skip these two reports. I also
          > looked at the Postfix main.cf and again am unable to figure out a
          > method for doing so.
          >
          > Has anyone implemented a way of doing so? If it would help matters,
          > I would be happy to have any email addressed to root be skipped as well.
          >
          > ~Doug
          >


          Does clamsmtpd not have any whitelisting mechanism? Seems a
          recipient whitelist would be a pretty basic feature, and the easiest
          fix for this problem.

          One option is to not filter "local" mail submitted with the
          sendmail(1) interface. This is a good option if the machine has no
          local users. This is what I do on most servers.
          # master.cf
          pickup ... pickup
            -o content_filter=

          Another option is to use the mini_sendmail or similar program to
          send your reports to an "unfiltered" port (such as the after-filter
          reinjection port) instead of through port 25. I do this on a couple
          machines to send reports around the filters.
          Instead of typical
            some_command | mail
          I use
            some_command | mini_sendmail -p 10025


          -- Noel Jones
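
Both options in the reply above create a mail path that skips the content filter, so it is worth confirming that the path is reachable only from the local host. As an added example, not part of the thread: a Python audit that lists every master.cf service clearing content_filter and flags any such listener not bound to loopback. The sample file, the function names and the 127.0.0.1:10025 entry layout are assumptions.

```python
# Added example (not from the thread); SAMPLE_MASTER_CF is constructed.
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")
SAMPLE_MASTER_CF = """\
smtp             inet n - n - - smtpd
pickup           unix n - n 60 1 pickup
  -o content_filter=
127.0.0.1:10025  inet n - n - 16 smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return one dict per service; indented lines continue the previous entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    services = []
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        args, overrides = fields[8:], {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                overrides[key] = value
        services.append({"name": fields[0], "type": fields[1], "overrides": overrides})
    return services

def audit_filter_bypass(text):
    """List (service, verdict) for every entry that clears content_filter."""
    findings = []
    for svc in parse_master_cf(text):
        if svc["overrides"].get("content_filter") != "":
            continue  # this service still goes through the filter
        host = svc["name"].rpartition(":")[0]
        if svc["type"] != "inet":
            verdict = "local submission only"
        elif host in LOOPBACK:
            verdict = "loopback listener only"
        else:
            verdict = "CHECK: unfiltered listener not bound to loopback"
        findings.append((svc["name"], verdict))
    return findings
```

A listener that clears content_filter also needs its own client restriction, as the mynetworks override in the sample does.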
        • Benny Pedersen
          Message 4 of 8 , Feb 6, 2013
            Doug Sampson wrote on 2013-02-06 15:13:

            > Unfortunately I am not using clamav-milter, only clamsmtpd. This
            > doesn't exclude clamav-milter as a potential solution though.

            maybe send a sample msg to sanesecurity and see if it can be redone
            sigs for this hits, well i will in coming days try to read on how to
            make the whitelist sigs more closely, if it really can be used to
            disable virus scanning in a safe way then i would use it myself at least,
            kind of how dspam does it in body

            if it turns out as success i will post here a how to make such signature
          • Robert Schetterer
            Message 5 of 8 , Feb 6, 2013
              On 07.02.2013 02:11, Benny Pedersen wrote:
              > Doug Sampson wrote on 2013-02-06 15:13:
              >
              >> Unfortunately I am not using clamav-milter, only clamsmtpd. This
              >> doesn't exclude clamav-milter as a potential solution though.

              sanesecurity signatures are added to the clamd signature base
              so using clamsmtpd should be ok, no need for milter, however
              you better only choose sources in the sanesecurity download script which
              are not known to produce too much false positives

              >
              > maybe send a sample msg to sanesecurity and see if it can be redone sigs
              > for this hits, well i will in coming days try to read on how to make
              > the whitelist sigs more closely, if it really can be used to disable
              > virus scanning in a safe way then i would use it myself at least, kind of
              > how dspam does it in body
              >
              > if it turns out as success i will post here a how to make such signature
              >



              Best Regards
              MfG Robert Schetterer

              --
              [*] sys4 AG

              http://sys4.de, +49 (89) 30 90 46 64
              Franziskanerstraße 15, 81669 München

              Registered office: München, District Court München: HRB 199263
              Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
              Chairman of the supervisory board: Joerg Heidrich
            • Benny Pedersen
              Message 6 of 8 , Feb 7, 2013
                Robert Schetterer wrote on 2013-02-07 08:39:

                > sanesecurity signatures are added to the clamd signature base
                > so using clamsmtpd should be ok, no need for milter, however
                > you better only choose sources in the sanesecurity download script
                > which
                > are not known to produce too much false positives

                only using phishtank sigs here to limit ram usage, not because sigs are
                bad, my mailserver have little mem so i need to limit usage this way, but
                i am in progress with a new server with more ram, also to get dovecot
                2.x stable, have mailboxes on dovecot 1.x which is stable, 2.x is like
                flying pigs atm :)
              • Len Conrad
                Message 7 of 8 , Feb 7, 2013
                  >
                  >Unfortunately I am not using clamav-milter, only clamsmtpd. This doesn't exclude clamav-milter as a potential solution though.

                  The huge weakness of clamsmtpd is that the developer says there is no way to release false positives.

                  Len