Well - as I have users not having physical accounts on my machine - but
rather have an entry in LDAP on my system - that is a no-go situation for
me.
Just testing a setup - where I'm using the same stream of data through
anomy_filter.sh to try to put the clamav X-Antivirus: header into the mail -
_without_ the use of temporary files I dump the E-Mail into.
If I manage to get it to work reliably - I'll post a little description.
Might take one or 2 more weeks (as I'm travelling around at the moment).
Cheers
Joerg
<quote who="tickticker">
>
> Of course, this is assuming he has Procmail installed (I have the exact
> same setup, just no procmail).
>
> I adjusted the advosys script to call CLAMSCAN and scan the whole email.
> This leaves a blank email if positive; if the email is blank, I drop it.
> If it's not, it gets passed through anomy for further filtering. (It's
> not that I don't trust clamav, I don't trust any antivirus system 100%.)
> And believe it or not, it's FAST.
>
> It's simple, clean (one script with options for piping to a directory
> for further review if need be) and is easily handling an avg of 25k to
> 45k emails a day for 3k users on a server that also gets over 3 million
> web hits a month. And it's just a dual 1GHz with 2 gigs RAM and a sucky
> drive system. We are in the middle of separating out the web services
> to 4 load balanced web servers, an email server, and an AV/Spamassassin
> server. Not due to slowness mind you, but to bring the OS up to date and
> we were running out of drive space.
>
> I have 11 instances of spamd running at all times, and four have less
> than 10 seconds of CPU time in the last month:
>
> 8:59pm up 33 days, 4:43, 2 users, load average: 0.37, 0.45, 0.82
> 143 processes: 141 sleeping, 1 running, 1 zombie, 0 stopped
> CPU0 states: 2.0% user, 4.0% system, 0.0% nice, 93.0% idle
> CPU1 states: 0.0% user, 0.0% system, 0.0% nice, 100.0% idle
> Mem: 2064828K av, 1806196K used, 258632K free, 0K shrd, 204368K buff
> Swap: 2040212K av, 77424K used, 1962788K free 1134668K cached
>
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
> 1137 filter 9 0 22800 1372 448 S 0.0 0.0 0:07 spamd
> 25285 filter 9 0 30660 25M 1712 S 0.0 1.2 1:39 spamd
> 8759 filter 9 0 31424 25M 1772 S 0.0 1.2 0:49 spamd
> 12278 filter 9 0 30228 24M 1784 S 0.0 1.2 0:34 spamd
> 16183 filter 9 0 32492 26M 1784 S 0.0 1.3 0:29 spamd
> 20004 filter 9 0 34624 29M 1784 S 0.0 1.4 0:22 spamd
> 20158 filter 9 0 28972 23M 1792 S 0.0 1.1 0:15 spamd
> 21057 filter 9 0 30052 24M 1792 S 0.0 1.2 0:14 spamd
> 22470 filter 9 0 27036 21M 1776 S 0.0 1.0 0:07 spamd
> 22570 filter 9 0 27976 22M 1760 S 0.0 1.1 0:06 spamd
> 23002 filter 9 0 27364 21M 1764 S 0.0 1.0 0:05 spamd
>
> with an uptime of 33 days
>
> It should be simple to set up; here's a snippet of my filter.sh:
>
> # Exit codes from <sysexits.h>
> EX_TEMPFAIL=75
> EX_UNAVAILABLE=69
>
> cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
>
> # Clean up when done or when aborting.
> trap "rm -f out.$$" 0 1 2 3 15
>
> # Pipe message through SA to a temp file:
> cat | $SPAMC -f -d localhost -p 783 -u filter > out.$$
>
> # Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
> if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
> then
>     # Option 1: Move high scoring messages to sideline dir so a human can
>     # look at them later:
>     # mv out.$$ $SIDELINE_DIR
>     # Option 2: Divert to an alternate e-mail address:
>     # (Comment out the above, then uncomment next line to use this option)
>     # $SENDMAIL 137518@xyz.molar.is < out.$$
>     # Option 3: Delete the message
>     rm -f out.$$
> else
>     # run through clamav and dump to a directory for further review?
>     # $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --move=/tmp/quarentine -l /var/log/avmail < out.$$
>     # run through clamav and delete (default)
>     $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --remove -l /var/log/avmail < out.$$
> fi
>
> And you can probably set up a better removal tool; in fact I'm embarrassed
> to show it, as I have the scripting prowess of a speedbump. Any offers for
> a clean solution to removing the empty emails in a line or two would be
> HIGHLY appreciated.
>
> Anthony
>
> On Monday 17 January 2005 05:21 pm, you wrote:
>> # rpm -qa | grep clam
>> clamav-0.70-1
>>
>> file_list_6_scanner = 0:2:3:/usr/local/anomy/bin/clamavd.sh %FILENAME
>> file_list_6_policy = accept:save:drop:drop
>> file_list_6 = (?i)(.*\@.*\.com)$
>>
>> /usr/local/anomy/bin/clamavd.sh
>> #!/bin/sh
>>
>> # Script for the Sanitizer (procmail filter)
>> # Using ClamAV
>> # Version: 1.02, Xavier Roche/Serianet
>> # Usage: /etc/procmail/clamavd.sh <filename>
>> # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
>> # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
>> # This script is under GPL
>>
>> #############################################################################
>> # Instructions (copied from e-mail from Xavier by Bjarni):
>> #
>> # I tested various AV systems (avp, f-prot..) and attached to this mail
>> # a simple script which recognizes the four most used av scanners on
>> # linux systems (the script can be freely used and spread, of course).
>> #
>> # The use is simple: check_for_virus <filename>
>> # which will return 0 (OK), 2 (warning), or 3 (danger)
>> #
>> # For example, I use the main policy:
>> #
>> # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
>> # file_list_1_policy = unknown:mangle:save:save
>> # file_list_1 = (?i).*
>> #
>>
>> logger -p mail.notice "check $1"
>>
>> if test -n "$1"; then
>>     if test -f "$1"; then
>>
>>         RET=0
>>
>>         # ClamAV (Clam AntiVirus)
>>         if test -x /usr/bin/clamdscan; then
>>             STATUS=
>>             /usr/bin/clamdscan --quiet "$1"
>>             RETURNCODE=$?
>>             if test $RETURNCODE -eq 1; then
>>                 STATUS="virus found"
>>                 RET=3
>>             elif test $RETURNCODE -ne 0; then
>>                 # clamdscan exits 2 when the scan itself failed (e.g.
>>                 # clamd not running); report that as SUSPICIOUS (2)
>>                 # rather than falling through to "CLEAN : OK"
>>                 logger -i -p mail.notice "virus check for $1: scanner error $RETURNCODE"
>>                 echo "ERROR"
>>                 exit 2
>>             fi
>>             if test -n "$STATUS"; then
>>                 INFO=`/usr/bin/clamdscan --disable-summary --stdout "$1" | cut -f2 -d' '`
>>                 logger -i -p mail.notice "virus check for $1: VIRUS FOUND!! - $INFO"
>>                 echo "VIRUS : $INFO"
>>             else
>>                 logger -i -p mail.notice "virus check for $1: ok"
>>                 echo "CLEAN : OK"
>>             fi
>>         fi
>>         exit $RET
>>
>>     fi
>> fi
>> echo "ERROR"
>> exit 0
>>
>>
>> ________________________________
>>
>> From: Alan Munday [mailto:137555@xyz.molar.is]
>> Sent: Mon 1/17/2005 2:35 PM
>> To: 137606@xyz.molar.is
>> Subject: [anomy-list]: Calling ClamAV
>>
>> I'm looking to add ClamAV to my system (RH9) where I have Anomy
>> configured with Postfix pretty much as per the Advosys document.
>>
>> Having done some searching I thought the easiest way to add clamav to
>> the system is to use the rpm's produced by Dag Wieers. I'm assuming that
>> I would only need to install clamav-db and clamav rpm's (at least
>> initially).
>>
>> While I found a couple of references to calling clamav from Anomy they
>> were not clear to me. One required editing the sanitizer.pl which I
>> would like to clarify as a requirement so I can remember this at upgrade
>> time.
>>
>> Anyhow, does anyone have any clear advice on the set-up of Anomy to
>> call clamav please?
>>
>> Thanks
>>
>> Alan
>>
>> Attachments:
>> + http://mailtools.anomy.net/archives/anomy-list//b6/41/ec5638/01.unnamed.html
>>
>
--
------------------------------------------------------------------------
| Joerg Mertin : 137440@xyz.molar.is (Home)|
| in Forchheim/Germany : 137657@xyz.molar.is (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
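As an added example, not code from any of the posters, from Xavier's script or from Anomy: a fail-closed rewrite of the clamavd.sh wrapper quoted above. It returns the 0 (OK) / 2 (suspicious) / 3 (virus) codes that script's header describes, but also returns 2 when clamdscan itself fails (clamd not running, socket missing) instead of reporting the attachment clean. The `map_clam_rc` helper, the `CLAMDSCAN` override and the file names in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or Anomy): fail-closed clamavd.sh.
# clamdscan's documented exit codes are 0 = clean, 1 = infected,
# 2 = scanner error. They are mapped onto the 0:2:3 codes an Anomy
# file_list_N_scanner line expects; a scanner error yields 2
# ("suspicious" in the original script's terms) rather than 0.
# CLAMDSCAN (assumed name) may point at any command that behaves like
# "clamdscan --quiet FILE"; that is how the example is exercised offline.
CLAMDSCAN="${CLAMDSCAN:-/usr/bin/clamdscan}"

# map_clam_rc RC [INFO]: print the verdict line the original script
# uses and return the Anomy exit code.
map_clam_rc() {
    case "$1" in
        0) echo "CLEAN : OK"; return 0 ;;
        1) echo "VIRUS : ${2:-unknown}"; return 3 ;;
        *) echo "ERROR : scanner exit status $1"; return 2 ;;  # fail closed
    esac
}

# check_for_virus FILE: entry point for file_list_N_scanner = 0:2:3:...
check_for_virus() {
    f="$1"
    [ -n "$f" ] && [ -f "$f" ] || { echo "ERROR : no such file"; return 2; }
    rc=0
    "$CLAMDSCAN" --quiet "$f" >/dev/null 2>&1 || rc=$?
    info=
    if [ "$rc" -eq 1 ]; then
        # second pass only on a hit, to pull the signature name out of
        # clamdscan's "FILE: Signature.Name FOUND" line (as the original does)
        info=$("$CLAMDSCAN" --disable-summary --stdout "$f" 2>/dev/null | cut -f2 -d' ')
    fi
    map_clam_rc "$rc" "$info"
}

# When Anomy invokes this with the attachment path, report and exit.
if [ "$#" -gt 0 ]; then
    check_for_virus "$1"
    exit $?
fi
```

Pointed at the policy from Xavier's mail (`file_list_1_policy = unknown:mangle:save:save`), a dead clamd now makes the attachment take the "warning" branch instead of being accepted.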