clamav and rspamd question


Sophie Loe
Jan 25, 2018, 3:06:35 PM
to rspamd

Hi,

I just added clamav into rspamd.

I sent this:

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.co.uk ESMTP Postfix
ehlo mail
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: aaaaa AB 

5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
250 2.0.0 Ok: queued as 027223C
quit
221 2.0.0 Bye
Connection closed by foreign host.

I saw a connection from rspamd in clamav.log:
Thu Jan 25 19:56:38 2018 -> instream(127.0.0.1@58312): OK

But no AV headers were added.

The rspamd headers were:

X-Spamd-Bar: ++
X-Spam-Level: **
X-Rspamd-Server: mx10
X-Rspamd-Queue-Id: 027223C
X-Spamd-Result: default: False [2.40 / 150.00]
 FROM_NO_DN(0.00)[]
 SUBJECT_ENDS_SPACES(0.50)[]
 MISSING_TO(2.00)[]
 RCVD_TLS_ALL(0.00)[]
 ARC_NA(0.00)[]
 MIME_GOOD(-0.10)[text/plain]
 ARC_SIGNED(0.00)[i=1]
 DKIM_SIGNED(0.00)[]
 RCVD_COUNT_ZERO(0.00)[0]
 FROM_EQ_ENVFROM(0.00)[]


Installed rspamd version on Debian is: 1.6.5-4~stretch


The local.d/antivirus.conf contains:

clamav {
  action = "reject";
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  attachments_only = false;
  max_size = 256000;
  #servers = "/var/run/clamav/clamd.ctl";
  servers = "127.0.0.1:3310";
}


And the local.d/milter_headers.conf has:

use = ["x-spamd-bar", "x-spam-level", "x-virus", "authentication-results"];
extended_spam_headers = true;
skip_local = false;
skip_authenticated = false;
routines {
  x-virus {
    header = "X-Virus";
    remove = 1;
    symbols = ["CLAM_VIRUS", "FPROT_VIRUS"];
  }
}




I had expected to see some of these:
 an AV related header
 a higher spam score
 an rspamd rule hit indicating this was a virus



Did I misconfigure or mis-something?



Best, Sophie

Jered Floyd
Jan 25, 2018, 3:44:01 PM
to Sophie Loe, rspamd

Sophie,

1) (Dumb question): Is clamav installed and running?

2) Do you see any notes on clamav in /var/log/rspamd/rspamd.log?

--Jered
--
You received this message because you are subscribed to the Google Groups "rspamd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rspamd+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/rspamd.

Sophie Loe
Jan 25, 2018, 3:54:35 PM
to Jered Floyd, rspamd

Hi Jered,

Not a dumb question. Clamd is running:
  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+   SWAP COMMAND
22667 clamav    20   0  878240 531448   4000 S  0.0 52.1   0:19.43      0 clamd

rspamd.log had this line for the email:
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; antivirus.lua:466: CLAM_VIRUS [clamav]: message is clean

Full details are:
# grep 8cb36e rspamd.log
2018-01-25 19:56:03 #22790(rspamd_proxy) <8cb36e>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 57508
2018-01-25 19:56:28 #22790(rspamd_proxy) <8cb36e>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:40606
2018-01-25 19:56:37 #22790(rspamd_proxy) <8cb36e>; proxy; rspamd_mime_parse_message: cannot find content-type for a message, assume text/plain
2018-01-25 19:56:37 #22790(rspamd_proxy) <8cb36e>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2018-01-25 19:56:37 #22790(rspamd_proxy) <8cb36e>; proxy; rspamd_message_parse: loaded message; id: <20180125195...@mx10.example.co.uk>; queue-id: <027223C>; size: 219; checksum: <b32af87effbe3389b24159f22b680934>
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; spf_symbol_callback: skip SPF checks for local networks and authorized users
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; fuzzy_generate_commands: <20180125195...@mx10.example.co.uk>, part is shorter than 1000 bytes: 138 (69 * 2.00 bytes), skip fuzzy check
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; ip_score.lua:303: skip IP Score for local networks and authorized users
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; surbl; surbl_test_url: disable surbl dbl.spamhaus.org as it is reported to be offline
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; surbl; surbl_test_url: disable surbl sbl.spamhaus.org as it is reported to be offline
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; once_received.lua:82: Skipping once_received for authenticated user or local network
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; dmarc.lua:241: skip DMARC checks for local networks and authorized users
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; antivirus.lua:466: CLAM_VIRUS [clamav]: message is clean
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; bayes_classify: skip classification as ham class has not enough learns: 62, 200 required
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; lua; replies.lua:105: storing message-id for replies check
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; rspamd_task_write_log: id: <20180125195...@mx10.example.co.uk>, qid: <027223C>, ip: 127.0.0.1, from: <te...@example.co.uk>, (default: F (no action): [2.40/150.00] [MISSING_TO(2.00){},SUBJECT_ENDS_SPACES(0.50){},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},ARC_SIGNED(0.00){i=1;},DKIM_SIGNED(0.00){},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){}]), len: 219, time: 292.004ms real, 17.300ms virtual, dns req: 0, digest: <b32af87effbe3389b24159f22b680934>, rcpts: <te...@example.co.uk>
2018-01-25 19:56:38 #22790(rspamd_proxy) <8cb36e>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 188 regexps total, 98 regexps cached, 0B bytes scanned using pcre, 355B bytes scanned total





Jered Floyd
Jan 25, 2018, 5:44:21 PM
to Sophie Loe, rspamd

Perhaps you omitted it to prevent your message from being blocked, but it appears that your EICAR test string is missing a leading "X"? (See https://en.wikipedia.org/wiki/EICAR_test_file)

Otherwise, it does appear that Rspamd is working normally, and ClamAV is not marking it as a virus -- I would suggest testing with "clamscan" locally to ensure it is working correctly next.

--Jered
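Jered's suggestion to check ClamAV directly, outside the Postfix and rspamd path, can be scripted. This is an added example, not code from the thread or from either project: it first checks whether a payload is the exact EICAR string (the first attempt above lacked the leading "X"), then frames the payload as the clamd INSTREAM request that rspamd's antivirus module sends (which is why clamav.log shows "instream(...)") and parses clamd's reply. Host and port default to the 127.0.0.1:3310 from the antivirus.conf above; the ERROR reply text in the test is constructed.

```python
import socket
import struct

# Canonical 68-byte EICAR test string, as used in the working test later in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_canonical_eicar(data: bytes) -> bool:
    """True only if data is the exact EICAR string, optionally followed by whitespace.
    The thread's first attempt dropped the leading 'X', so it returns False there."""
    return data.rstrip(b" \t\r\n") == EICAR


def build_instream_request(payload: bytes, chunk_size: int = 8192) -> bytes:
    """Frame payload as a clamd INSTREAM request: 'zINSTREAM\\0', then one or more
    <4-byte big-endian length><chunk> pairs, terminated by a zero-length chunk.
    The 'z' prefix asks clamd for a NUL-terminated reply."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # terminating zero-length chunk
    return bytes(out)


def parse_clamd_reply(reply: bytes):
    """Turn 'stream: OK', 'stream: <sig> FOUND' or 'stream: <text> ERROR'
    into (status, detail) where detail is the signature/error text or None."""
    text = reply.rstrip(b"\0\r\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[:-len(" ERROR")]
    return "UNKNOWN", text


def scan_with_clamd(payload: bytes, host="127.0.0.1", port=3310, timeout=10):
    """Send payload to a running clamd over TCP and return the parsed verdict.
    Needs a live clamd; it is not exercised by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_instream_request(payload))
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_clamd_reply(reply)
```

A clean payload yields ("OK", None); the canonical string yields ("FOUND", "Eicar-Test-Signature") on a ClamAV that matches it, which is the verdict rspamd logged in the later message.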

Sophie Loe
Jan 25, 2018, 5:50:08 PM
to Jered Floyd, rspamd

Hi Jered,
You are right. How embarrassing.
Thanks for your help.
Sophie

250 DSN
mail from: test@example
250 2.1.0 Ok
rcpt to: test@example
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test AV
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
554 5.7.1 clamav: virus found: \"Eicar-Test-Signature\"
quit
221 2.0.0 Bye
Connection closed by foreign host.

2018-01-25 22:46:51 #22790(rspamd_proxy) <f7c09e>; lua; antivirus.lua:85: clamav: virus found: "Eicar-Test-Signature"
2018-01-25 22:46:51 #22790(rspamd_proxy) <f7c09e>; proxy; lua_task_set_pre_result: <20180125224...@mail.example.co.uk>: set pre-result to reject: 'clamav: virus found: "Eicar-Test-Signature"'



Andrew Lewis
Jan 26, 2018, 8:52:45 AM
to rsp...@googlegroups.com

Hi,

>> Subject: aaaaa AB
>>
>> 5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

ClamAV doesn't detect EICAR in this format; it needs to be an attachment:

https://pastebin.com/raw/8B67H3bP

Best,
-AL.

Sophie Loe
Jan 26, 2018, 9:25:25 AM
to Andrew Lewis, rsp...@googlegroups.com

It did in plain text :-)




--

Regards, Sophie

Andrew Lewis
Jan 26, 2018, 9:41:36 AM
to rsp...@googlegroups.com

Quoting Sophie Loe <1sophiel...@gmail.com>:
> It did in plain text :-)

Indeed; I'd not caught up on the thread before sending that. :( It
didn't work for me (my version of Clam might be quite old).

Best,
-AL.
