Exiscan + ClamAV

So how is this working for everyone? It's working super on our server.

I also added this to the exim.conf ACLs to block SPAM.

deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org : dnsbl.sorbs.net
     message  = SPAM: rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\
                ($dnslist_text)

These lists are all rather conservative and rarely ever false and still block a lot of crud. I have Spamassassin running to tag SPAM more aggressively so end users can choose to filter further at their own risk.

I am also working on making some scripts for Rrdtool that will graph the whole works. Spare time projects are slow coming though.

Matthew
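For anyone wondering what that dnslists line actually does on each connection, here is a small added shell script (mine, not Matthew's, and not part of the DirectAdmin exim.conf) that performs the same lookup by hand: the octets of the connecting address are reversed, the list zone is appended, and an A record in 127.0.0.0/8 means "listed". Function names, and the use of dig for the live query, are my own choices; the zones are the three from the ACL above.

```shell
#!/bin/sh
# Added example: the lookup behind Exim's "dnslists" condition, done by hand.
# Useful for checking why a given sender was rejected before touching the ACL.

# Build the name Exim resolves for an IPv4 address in a given DNSBL zone.
# 192.0.2.10 in zone example.org -> 10.2.0.192.example.org
dnsbl_query_name() {
    ip=$1
    zone=$2
    reversed=$(printf '%s\n' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf '%s.%s\n' "$reversed" "$zone"
}

# A listing is an A record inside 127.0.0.0/8; an empty answer (NXDOMAIN)
# or anything outside that range counts as "not listed".
dnsbl_is_listed() {
    case $1 in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Query each zone in turn and report, the way the ACL walks its colon-separated
# list. Needs "dig" on the path and working DNS.
dnsbl_check() {
    ip=$1
    shift
    for zone in "$@"; do
        name=$(dnsbl_query_name "$ip" "$zone")
        answer=$(dig +short A "$name" 2>/dev/null | head -n 1)
        if dnsbl_is_listed "$answer"; then
            echo "LISTED     $ip in $zone ($answer)"
        else
            echo "not listed $ip in $zone"
        fi
    done
}

# Usage (127.0.0.2 is the conventional always-listed test entry most DNSBLs
# publish, so this is a safe way to prove the lookup path works):
# dnsbl_check 127.0.0.2 relays.ordb.org sbl-xbl.spamhaus.org dnsbl.sorbs.net
```

Run it against the address from a rejection line in the mainlog and you can see which of the three zones fired; a zone that returns an address outside 127.0.0.0/8 is usually a wildcarded or dead list, which is the thing to watch for when a list is retired.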
 
I wouldn't use sorbs. They ask you $50 to remove an IP. They're extortionists.

I did not realize that. Will remove them. I only added them for their dialup pools. Know of a good blacklist for dialup pools?

Matthew
 
quote:
--------------------------------------------------------------------------------
I also added this to the exim.conf ACLs to block SPAM.

deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org : dnsbl.sorbs.net
     message  = SPAM: rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\
                ($dnslist_text)

These lists are all rather conservative and rarely ever false and still block a lot of crud. I have Spamassassin running to tag SPAM more aggressively so end users can choose to filter further at their own risk.
--------------------------------------------------------------------------------

Hi all,

Is this ok to use?? And (important) is it free? ;)

tnks!

Dennis
 
All DirectAdmin installs during at least the last year, and all up to date DA installs as well, include the SpamBlocker version of exim.conf.

That standard exim.conf file includes the following blocklists by default:

bl.spamcop.net
cbl.abuseat.org
dnsbl.njabl.org
sbl-xbl.spamhaus.org
relays.ordb.org
rhsbl.sorbs.net

and all of the dnsbl.sorbs.net blocklists except for:

spam.dnsbl.sorbs.net

which is defined thusly on the Sorbs website:
List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.
SpamCop website
CBL Website
NJABL website
sbl-xbl.spamhaus website
ORDB website
Sorbs website

All you have to do to use these blocklists (all are available at no charge) is copy (not cut and copy) the domain names that you want to use the blocklists for, when receiving their email, from /etc/virtual/domains to /etc/virtual/use_rbl_domains.

Jeff
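Since the "copy, don't cut" part is easy to get wrong at 2am, here is a small added shell script (mine, not Jeff's, and not a DirectAdmin tool) that appends the domains from /etc/virtual/domains to /etc/virtual/use_rbl_domains without modifying the source file and without adding a domain twice. The paths are the ones Jeff names; the function names and the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example: enable the SpamBlocker blocklists for every hosted domain
# by copying (never moving) names into use_rbl_domains, idempotently.

# Append each non-empty line of $1 that is not already in $2 to $2.
# $1 is only ever read, so /etc/virtual/domains stays intact.
enable_rbl_domains() {
    src=$1
    dst=$2
    [ -f "$dst" ] || : > "$dst"
    # -x: whole-line match, -F: literal strings, -f: patterns from dst.
    # grep exits 1 when nothing is left to add; that is not an error here.
    grep -vxF -f "$dst" "$src" | grep -v '^[[:space:]]*$' >> "$dst" || true
}

# Count the domains in $1 that are still missing from $2 (0 when done).
rbl_domains_missing() {
    grep -v '^[[:space:]]*$' "$1" | grep -vxF -f "$2" | wc -l | tr -d ' '
}

# Demonstration on constructed files in a scratch directory; on a real box
# the two paths would be /etc/virtual/domains and /etc/virtual/use_rbl_domains.
demo=$(mktemp -d)
printf 'example.com\nexample.net\nexample.org\n' > "$demo/domains"
printf 'example.net\n' > "$demo/use_rbl_domains"
enable_rbl_domains "$demo/domains" "$demo/use_rbl_domains"
echo "still missing: $(rbl_domains_missing "$demo/domains" "$demo/use_rbl_domains")"
rm -rf "$demo"
```

Running it a second time adds nothing, and a domain you deliberately left out of use_rbl_domains earlier will be added, so if you want some domains to receive unfiltered mail, keep a separate exclude list rather than relying on what is already in the file.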
 
Tnx Jeff, and also for all the other posts! Really helps! :)

I just got one thing:

I've installed Exim and the ClamAV as said in this post.....but all normal email is now: "temporarily rejected after DATA". I think this has something to do with the scanning?

I can also see he is scanning "/var/spool/exim/scan/1CoILG-0006hO-7O: Access denied. ERROR" This is in the paniclog of Exim.

What can be the error? Not enough rights?

Tnx again!

Dennis

Edit: Sorry.....looked closer in this forum and found this post:

http://www.directadmin.com/forum/showthread.php?s=&threadid=5444

I am going to check if there is a reboot or just restart clamd.....I'll edit this post again.

Edit2: Yep, you also have to restart clamd as well as Exim......The mainlog tells me: "2005-01-11 11:12:56 1CoJ1E-0002Kq-9I Completed" Which is the same filename as when it went wrong.
 
Well I believe I have clam working. Other than not receiving test viri email, where can I check in the logs and what should I be looking for in the logs to verify its operation?

Thanks.
 
Actually, I'm not sure what happened over the last few days but clam has given me some problems. I have clam updated to .81. Clam started blocking all emails on the server. My admin changed the exim.conf to

#av_scanner = clamd:127.0.0.1 3310
av_scanner = clamd:/var/run/clamav/clamd

Now why would the bottom line work and not the one above?
 
Check out how is the clamd daemon configured in your server...

Look for the clamd.conf file at /etc/
and see if it matches with what exim is looking for.
 
It looks like it matches up, but what is the significance of the TCP port address for clam?

TCP port address.
# Default: disabled
#TCPSocket 3310
 
In your clamd.conf file there should be an
uncommented line like this:
LocalSocket /var/run/clamav/clamd

Why?
Clamd has 2 modes of operation.
1st as a daemon linked to a TCP port, just like telnet. In that case TCP port 3310
is used, and Exim uses that TCP port to interface with the antivirus.

2nd with a local socket, which is supposed to be the most secure method. It seems that your admin tried to configure everything in that way, but something seems to be wrong.

Just make sure that the paths are correct.
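To take the guesswork out of "see if it matches", here is an added shell script (mine, not from the poster above or from ClamAV/Exim) that reads which transport is actually uncommented in clamd.conf, reads the uncommented av_scanner line in exim.conf, and tells you whether the two agree. The file paths are the ones used in this thread; the function names and the sample config files are constructed.

```shell
#!/bin/sh
# Added example: does exim's av_scanner point at the transport clamd is
# really listening on? A mismatch shows up as every message being deferred
# ("temporarily rejected after DATA"), as described earlier in the thread.

# Active clamd transport from clamd.conf: "unix:<path>" if an uncommented
# LocalSocket line exists, else "tcp:<port>" for TCPSocket, else "none".
# awk's $1 test naturally skips "#TCPSocket 3310"-style commented lines.
clamd_transport() {
    sock=$(awk '$1 == "LocalSocket" { print $2 }' "$1" | tail -n 1)
    port=$(awk '$1 == "TCPSocket"   { print $2 }' "$1" | tail -n 1)
    if [ -n "$sock" ]; then
        echo "unix:$sock"
    elif [ -n "$port" ]; then
        echo "tcp:$port"
    else
        echo "none"
    fi
}

# Transport exim expects, from its last uncommented av_scanner line:
#   av_scanner = clamd:127.0.0.1 3310           -> tcp:3310
#   av_scanner = clamd:/var/run/clamav/clamd    -> unix:/var/run/clamav/clamd
exim_av_transport() {
    line=$(grep '^[[:space:]]*av_scanner[[:space:]]*=' "$1" | tail -n 1)
    spec=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*clamd:[[:space:]]*//')
    case $spec in
        "")  echo "none" ;;
        /*)  echo "unix:$spec" ;;
        *)   echo "tcp:${spec##* }" ;;
    esac
}

# Print both and succeed only when they agree.
clamd_exim_match() {
    have=$(clamd_transport "$1")
    want=$(exim_av_transport "$2")
    echo "clamd.conf listens on: $have / exim.conf expects: $want"
    [ "$have" = "$want" ]
}

# Live check for the socket case: clamd answers PING with PONG. Needs a
# running clamd and OpenBSD-style netcat (nc -U); run it as the exim user,
# because a socket the daemon owns but exim cannot open gives "Access denied".
clamd_ping_unix() {
    printf 'PING\n' | nc -U "$1" 2>/dev/null | grep -q PONG
}

# Demonstration on constructed copies of the two files from this thread.
demo=$(mktemp -d)
printf '# Default: disabled\n#TCPSocket 3310\nLocalSocket /var/run/clamav/clamd\n' > "$demo/clamd.conf"
printf '#av_scanner = clamd:127.0.0.1 3310\nav_scanner = clamd:/var/run/clamav/clamd\n' > "$demo/exim.conf"
clamd_exim_match "$demo/clamd.conf" "$demo/exim.conf"
rm -rf "$demo"
```

On a real box call it as clamd_exim_match /etc/clamd.conf /etc/exim.conf; if the transports agree but mail is still deferred, the next thing to check is the socket's owner and mode (ls -l on the LocalSocket path) and whether clamd was restarted after the config change, which is exactly what fixed it for Dennis above.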
 
LocalSocket /var/run/clamav/clamd

is there and all is running,

Is it better to run it one way or another?
 
I'm trying to install the latest version of ClamAV, but I got some failed dependencies:

libc.so.6(GLIBC_2.3.4) is needed by clamav-0.83-1
libcurl.so.3 is needed by clamav-0.83-1
libidn is needed by clamav-0.83-1
libidn.so.11 is needed by clamav-0.83-1
zlib >= 1.2.1.2 is needed by clamav-0.83-1

so I got zlib 1.2.1.2

but when I tried to update the zlib I got the following error

zlib = 1.1.4 is needed by (installed) zlib-devel-1.1.4-8

When I try to update zlib-devel-1.2.1.2 I get the following error

zlib = 1.2.1.2 is needed by zlib-devel-1.2.1.2-1

Any help would be appreciated as it seems I can't update one without the other being updated already. Kind of a catch 22.

Sorry, I'm kind of still fairly new to all this.

Edit: I found out what I needed to do. Didn't realise you could have more than one rpm installing at a time.

Used: rpm -Uvh zlib-1.2.1.2-1.i386.rpm zlib-devel-1.2.1.2-1.i386.rpm

That worked fine.
 
I am running Red Hat 9 (which I think is the same as Fedora 3)

I've d/l the following

glibc-2.3.4-2.fc3.i386.rpm
glibc-common-2.3.4-2.fc3.i386.rpm
glibc-devel-2.3.4-2.fc3.i386.rpm
glibc-headers-2.3.4-2.fc3.i386.rpm
glibc-profile-2.3.4-2.fc3.i386.rpm
glibc-utils-2.3.4-2.fc3.i386.rpm

but when I try and do a

# rpm -Uvh glibc*.i386.rpm

I get the following error

error: Failed dependencies:
shadow-utils < 2:4.0.3-20 conflicts with glibc-2.3.4-2.fc3
nscd < 2.3.3-52 conflicts with glibc-2.3.4-2.fc3
tzdata >= 2003a is needed by glibc-common-2.3.4-2.fc3
libgd.so.2 is needed by glibc-utils-2.3.4-2.fc3

Have I d/l'd the correct .rpms or not? I tried d/l'ing the source for ClamAV, but got some different failed dependencies.
 
I cheated...

I'm using CentOS and I get my ClamAV from the DAG Red Hat Enterprise repository which I added to yum, doesn't seem to cause any problems :)

Not sure if there is a DAG repository for Red Hat 9 but if there is, grab yum or apt-get for RH and then add it ;) (http://freshrpms.net for yum/apt)

Then a simple 'yum update' will update your ClamAV and anything else that needs updating

(apt-get update then apt-get upgrade if you grab apt instead)
 
I am having similar issues as Muzza. We just got a new webserver running RedHat 9. Apt-get is "working" as in I grabbed it via wget, installed it, and can run -update and -upgrade. I added:

### Dag Apt Repository for Red Hat 9
rpm http://apt.sw.be redhat/9/en/i386 dag

...to my sources.list file.

It does list a few things to be upgraded:

The following packages will be upgraded

apt lftp libxml2 libxml2-devel logwatch mtools mtr pine proftpd rsync splint syslinux wireless-tools

I suppose I expected apt-get to find GLIBC and zlib updates, since Clam is looking for newer versions of those.

What I'm finding is Clam needs a newer glibc, and glibc needs a newer shadow-utils, nscd, etc.

I tried to grab Yum, and it wants a newer libxml2, and so forth.

I'm curious, if I grab an older version of Clam (.7x or something) to get around the dependencies, I'm obviously missing out on a newer scan engine and newer features. I'd like to be able to run a tool that updates all of my dependencies. Am I running into issues because it's RedHat 9.0, and latest and greatest are all FC3 or Red Hat Enterprise? If I'm stuck with RH9, am I stuck with old Clam?

Thanks for your time.
 