Koozali.org: home of the SME Server

6.0 Beta 3 Spam and Virus working together

Offline zoran

6.0 Beta 3 Spam and Virus working together
« on: May 21, 2004, 03:19:48 AM »
OK, I've been running 6.0 beta 3 and I love it.  I've enjoyed the email and webmail features, but now I find the spam terrible.

What can I do for the beta 3 version of SME6?  Please let me know if there is anything I can do, or am I going to have to upgrade to 6.0.1?

thanks for your time!

z

jezrichens

6.0 Beta 3 Spam and Virus working together
« Reply #1 on: May 21, 2004, 10:59:14 AM »
I too am running 6.0 beta 3 and have recently added Clam AV using Damien Curtain's procedures at http://www.pagefault.org/howto/e-smith-antivirus.shtml
This also gives you the commands to run SpamAssassin, which I don't think is dependent.
We were not suffering too much with spam so it's hard to say what, if any, effect it has had, but it only took 15 minutes to complete the whole procedure and I'm no command line Linux expert by any means, so it might be easier than going to 6.0.1 for that reason alone!

Offline zoran

  • *
  • 26
  • +0/-0
oops!
« Reply #2 on: May 21, 2004, 07:14:16 PM »
Ok, I followed the procedure at http://www.pagefault.org/howto/e-smith-antivirus.shtml but now I don't think SpamAssassin works.

Initially I had installed the spamassassin rpm and that seemed to work fine when I added a domain to the blacklist and tried to mail myself.

I then came across the CLAMAV and installed that as well, following the above procedure.  I know that part works, as I've already been notified of Email viruses already.

I think I screwed up when after I did:

rpm -Uhv http://www.pagefault.org/download/e-smith/6.0/legacy-utils/i386/rpm-python-4.0.4-7x.18.i386.rpm \
        http://www.pagefault.org/download/e-smith/6.0/legacy-utils/i386/yum-1.0.3-6.0.7.x.esmith.noarch.rpm

This completed, then I did this:

wget http://www.pagefault.org/code/e-smith/antivirus/6.0/conf/yum-e-smith-antivirus.conf

and finally:

yum -c ./yum-e-smith-antivirus.conf install e-smith-antivirus

Lastly I read on the pagefault site:
Quote
To enable Spamassassin after installing and configuring these packages via the web manager panel at the command line type the commands:

/sbin/e-smith/db configuration setprop amavis-ng qmail-queue /var/qmail/bin/qmail-spamc
/sbin/e-smith/signal-event email-update



I wasn't sure if that worked, cause the blacklist didn't seem to be working.  So me, being the n00bie that I am, I just re-installed the SpamAssassin rpm.

Now I'm all screwed up.  What would be the right thing to do at this point?  Any advice would be greatly appreciated!

zoran

Offline zoran

would this do it?
« Reply #3 on: May 22, 2004, 10:58:38 PM »
I did
Quote
To enable Spamassassin after installing and configuring these packages via the web manager panel at the command line type the commands:

/sbin/e-smith/db configuration setprop amavis-ng qmail-queue /var/qmail/bin/qmail-spamc
/sbin/e-smith/signal-event email-update


and I think it started working again....  Is there a way I can test?

Offline raem

6.0 Beta 3 Spam and Virus working together
« Reply #4 on: May 23, 2004, 04:28:29 PM »
/etc/init.d/spamd status

/sbin/e-smith/config show spamd

/sbin/e-smith/config show amavis-ng

You can also send yourself an email with spam type content in it to see if spamassassin detects it.

Also look at the header of received messages and you should see information about spam filtering.

Regs
Ray
...
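The header check described in the reply above, as an added example that is not part of the original thread: a shell function that reads a message on stdin and reports the verdict recorded in its `X-Spam-Status` header. The sample messages are constructed, and the body of the first is the GTUBE string that SpamAssassin always scores as spam, which makes it a safe test mail.

```shell
#!/bin/sh
# Report the SpamAssassin verdict stored in a message's headers.
# Prints "spam <score>", "ham <score>", or "unscanned" when no
# X-Spam-Status header is present (the mail bypassed the filter).
spam_verdict() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # headers end at first blank line
        /^[ \t]/ { if (inhdr) val = val " " $0; next }   # folded header line
        {
            inhdr = 0
            if (!found && tolower($0) ~ /^x-spam-status:/) {
                val = $0; sub(/^[^:]*:[ \t]*/, "", val)
                inhdr = 1; found = 1
            }
        }
        END {
            if (!found) { print "unscanned"; exit }
            verdict = (tolower(val) ~ /^yes/) ? "spam" : "ham"
            score = "?"
            n = split(val, f, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(score|hits)=/) {   # "hits=" in SpamAssassin 2.x, "score=" in 3.x
                    score = f[i]; sub(/^[a-z]+=/, "", score); break
                }
            print verdict, score
        }'
}

# Constructed sample: a scanned GTUBE test message with a folded header.
sample_scanned() {
cat <<'EOF'
Return-Path: <test@example.com>
X-Spam-Status: Yes, hits=1000.0 required=5.0
  tests=GTUBE version=2.63
Subject: filter test

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
EOF
}

# Constructed sample: never scanned; the body line must not count as a header.
sample_unscanned() {
cat <<'EOF'
Return-Path: <test@example.com>
Subject: hello

X-Spam-Status: No, hits=0.0 required=5.0
EOF
}
```

Run it against a delivered message with `spam_verdict < message-file`; an "unscanned" result on mail that arrived over SMTP means the qmail-queue hook is not passing messages to spamc.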

k_graham

Re: 6.0 Beta 3 Spam and Virus working together
« Reply #5 on: May 26, 2004, 05:36:42 AM »
Quote from: "zoran"
OK, I've been running 6.0 beta 3 and I love it.  I've enjoyed the email and webmail features, but now I find the spam terrible.

What can I do for the beta 3 version of SME6?  Please let me know if there is anything I can do, or am I going to have to upgrade to 6.0.1?

thanks for your time!

z


I liked 6.03 beta as well but updated to the 6.0.1 that was a compilation by someone from New Zealand a while back.

It installed without a hitch, Clam AV still worked fine and SpamAssassin still sent most everything to the junk mail folder, marked and unmarked spam. So I disabled SpamAssassin until someone figures out how to get it to only send marked spam to the junk mail folder, and did the following:

Quote

Make these simple adjustments to your system using smtpfront-qmail and you will receive virtually NO virus infected attachments and significantly reduced spam messages. I don't run spamassassin now and the amount of junk email is quite tolerable.

You should still keep clamav installed though, to catch newer viruses.

See

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

and

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

Regs
 


Actually I only did the first of the 2 and only used the spamhaus list and junk mail dropped by 90%. The second part looks interesting but I was concerned certain file attachments like coreldraw .cdr files might not get through if I enabled the 2nd part.

Upgrade, but of course backup just in case.

Ken

Offline raem

Re: 6.0 Beta 3 Spam and Virus working together
« Reply #6 on: May 26, 2004, 06:47:45 AM »
Dear k graham

> The second part looks interesting but I was concerned certain file attachments like
> coreldraw .cdr files might not get through if I enabled the 2nd part.

I assume you mean the pattern matching howto.
Don't be scared to enable Pattern matching, it works very well. The only attached files that will be rejected must have executable content, and be of a pattern that is in the patterns database.

After you instal the updated rpms and enable pattern matching you can very easily disable the functionality with a server manager selection check box that gets added to the Email panel.

After enabling, you can send yourself some of the files you are concerned about to see if they get delivered or get rejected. You can always zip those type of file attachments and they will get through OK.

You can also selectively disable certain patterns using simple commands outlined in the howto.

I have received NO messages with virus infected attachments for many many weeks now as they have ALL been rejected. I have Clamavis-ng installed but it detects nothing !!

By the way, what are coreldraw .cdr files ?
...

k_graham

Re: 6.0 Beta 3 Spam and Virus working together
« Reply #7 on: May 30, 2004, 09:12:13 PM »
Quote from: "RayMitchell"
Dear k graham

> The second part looks interesting but I was concerned certain file attachments like
> coreldraw .cdr files might not get through if I enabled the 2nd part.

I assume you mean the pattern matching howto.
Don't be scared to enable Pattern matching, it works very well. The only attached files that will be rejected must have executable content, and be of a pattern that is in the patterns database.

After you instal the updated rpms and enable pattern matching you can very easily disable the functionality with a server manager selection check box that gets added to the Email panel.

After enabling, you can send yourself some of the files you are concerned about to see if they get delivered or get rejected. You can always zip those type of file attachments and they will get through OK.

You can also selectively disable certain patterns using simple commands outlined in the howto.

I have received NO messages with virus infected attachments for many many weeks now as they have ALL been rejected. I have Clamavis-ng installed but it detects nothing !!

By the way, what are coreldraw .cdr files ?


Coreldraw files are an art file which consists of vector and bitmap graphics. From what you say they should not be affected and I will try enabling the exe protection.

At the moment however I have a bit of a concern. My SME server is refusing to send an email to a certain person I bought a Courier modem from on eBay (to try the Fax server idea). I was able to finish the correspondence from my home address but was wondering if the blocking list also blocks outgoing mail. Following is the message:

Quote

Hi. This is the qmail-send program at dc.communityprinters.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<namechangedtopreventspam@mail.ru>:
194.67.23.20 does not like recipient.
Remote host said: 550-Verification failed for <namechangedtopreventspam@communityprinters.com> It appears that the DNS operator for communityprinters.com has installed an invalid MX record with an IP address instead of a domain name on the right hand side.
550 non-local sender verification failed
Giving up on 194.67.23.20.


I have been using free dns services at www.mydomain.com and haven't had troubles of this sort until recently. Which makes me wonder if it's the blocking list, and if Spamhaus also blocks to problem outgoing addresses. Though the person on the other end is located in Canada they appear to be using a Russian email address for whatever reason. They could not reply to my business location either and had to email my home address. I have enquired as to their mail server ip address to check it against Spamhaus.org, which only checks ip addresses not email addresses.

Ken Graham

Offline raem

6.0 Beta 3 Spam and Virus working together
« Reply #8 on: May 31, 2004, 05:18:03 AM »
As far as I know the Spam blocking feature using smtpfront-qmail & RBL's only blocks incoming messages.

You are perhaps getting your analysis confused with the way the Virus and file blocking using Pattern matching feature works. It does block incoming and outgoing messages with executable content, but that's not your issue.

That message sounds like your recipient records are misconfigured (perhaps to avoid detection).
see
http://www.rfc-ignorant.org
and
http://www.rfc-ignorant.org/policy-bogusmx.php

If you want to prove that RBL blocking is not involved you can very easily disable RBL blocking and try sending again.
From the HOWTO
To disable RBL blocking do the following

/sbin/e-smith/config delprop smtpfront-qmail RBLList

/sbin/e-smith/expand-template /var/service/smtpfront-qmail/runenv

svc -t /service/smtpfront-qmail

You can check the RBL criteria at their websites.
http://www.spamhaus.org/
http://www.abuse.net/
http://dsbl.org/main
http://mail-abuse.org/
http://www.sorbs.net/
http://www.spews.org/

Also this LOOKUP URL is very handy for checking whether senders are on RBL's & other information.
Spamhaus listings are shown.

http://openrbl.org/
...
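Two checks that separate the causes discussed in this exchange, as an added example that is not part of the original thread: `bogus_mx` flags MX targets that are bare IP addresses (the fault named in the bounce message), and `dnsbl_name` builds the DNS name an RBL lookup queries for a given address. The function names and the sample MX data are constructed for illustration; `sbl.spamhaus.org` in the usage comment is the Spamhaus list zone.

```shell
#!/bin/sh
# Print MX targets that are bare IPv4 addresses; an MX target must be a
# host name. Input: lines in `dig +short MX <domain>` format,
# i.e. "<preference> <target>".
bogus_mx() {
    awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.?$/ {
        sub(/\.$/, "", $2)      # drop the trailing root dot
        print $2
    }'
}

# Build the name a DNSBL lookup queries: reversed octets plus the list zone.
# A listed address resolves (to a 127.0.0.x answer); an unlisted one
# returns NXDOMAIN. Fails (exit 1) if $1 is not a dotted-quad address.
dnsbl_name() {
    echo "$1" | awk -F. -v zone="$2" '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            print $4 "." $3 "." $2 "." $1 "." zone; ok = 1
        }
        END { exit !ok }'
}

# Constructed sample: one valid MX record and one with an IP on the right-hand side.
sample_mx() {
cat <<'EOF'
10 mail.example.com.
20 192.0.2.25.
EOF
}

# Live usage (needs network access):
#   dig +short MX yourdomain.example | bogus_mx
#   host "$(dnsbl_name 194.67.23.20 sbl.spamhaus.org)"
```

Any output from `bogus_mx` for your own domain points to the MX record as the cause of the rejection, independent of any RBL setting on the server.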