Re: [exim] clamd not scanning?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: lee
Date:  
À: exim-users
Sujet: Re: [exim] clamd not scanning?
On Sun, Nov 16, 2008 at 03:54:40PM -0800, Brent Jones wrote:

> Make sure you use freshclam to update definitions.


They are updated every hour:

--------------------------------------
Received signal: wake up
ClamAV update process started at Sun Nov 16 20:22:51 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94 Recommended version: 0.94.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 49, sigs: 437972, f-level: 35,
builder: sven)
Downloading daily-8637.cdiff [100%]
Downloading daily-8638.cdiff [100%]
Downloading daily-8639.cdiff [100%]
Downloading daily-8640.cdiff [100%]
Downloading daily-8641.cdiff [100%]
daily.cld updated (version: 8641, sigs: 26112, f-level: 35, builder:
guitar)
Database updated (464084 signatures) from db.local.clamav.net (IP:
65.120.238.5)
Clamd successfully notified about the update.
--------------------------------------

> Also make sure that path is correct.


Which path?

> Turn on "Log Clean Messages" in Clamd so you can see if it thinks
> the messages are clean.


Hm, I turned it on and sent test mails, but still nothing shows up.

/var/log/clamav/clamav.log:


Sun Nov 16 20:59:39 2008 -> +++ Started at Sun Nov 16 20:59:39 2008
Sun Nov 16 20:59:39 2008 -> clamd daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i486)
Sun Nov 16 20:59:39 2008 -> Log file size limit disabled.
Sun Nov 16 20:59:39 2008 -> Reading databases from /var/lib/clamav
Sun Nov 16 20:59:39 2008 -> Not loading PUA signatures.
Sun Nov 16 20:59:40 2008 -> Loaded 463728 signatures.
Sun Nov 16 20:59:40 2008 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Nov 16 20:59:40 2008 -> LOCAL: Setting connection queue length to 15
Sun Nov 16 20:59:40 2008 -> Listening daemon: PID: 32226
Sun Nov 16 20:59:40 2008 -> Limits: Global size limit set to 104857600bytes.
Sun Nov 16 20:59:40 2008 -> Limits: File size limit set to 26214400bytes.
Sun Nov 16 20:59:40 2008 -> Limits: Recursion level limit set to 16.
Sun Nov 16 20:59:40 2008 -> Limits: Files limit set to 10000.
Sun Nov 16 20:59:40 2008 -> Archive support enabled.
Sun Nov 16 20:59:40 2008 -> Algorithmic detection enabled.
Sun Nov 16 20:59:40 2008 -> Portable Executable support enabled.
Sun Nov 16 20:59:40 2008 -> ELF support enabled.
Sun Nov 16 20:59:40 2008 -> Mail files support enabled.
Sun Nov 16 20:59:40 2008 -> OLE2 support enabled.
Sun Nov 16 20:59:40 2008 -> PDF support disabled.
Sun Nov 16 20:59:40 2008 -> HTML support enabled.
Sun Nov 16 20:59:40 2008 -> Heuristic: precedence enabled
Sun Nov 16 20:59:40 2008 -> Self checking every 3600 seconds.


That's all there always is in this log.

/var/log/exim4/mainlog:


2008-11-16 21:00:59 1L1uMF-0008OB-R6 <=
lee@??? U=lee P=local S=603
id=20081117030059.GB31254@???
2008-11-16 21:00:59 1L1uMF-0008OB-R6 => lee
<lee@???> R=localuser T=local_delivery
2008-11-16 21:00:59 1L1uMF-0008OB-R6 Completed
2008-11-16 21:04:49 1L1uPx-0008Od-Q4 <=
lee@??? U=lee P=local S=652
id=20081117030449.GC31254@???
2008-11-16 21:04:49 1L1uPx-0008Od-Q4 => lee
<lee@???> R=localuser T=local_delivery
2008-11-16 21:04:49 1L1uPx-0008Od-Q4 Completed


These are two test mails I sent after restarting clamd with
"LogClean = yes". The second one had the eicar test signature in the
mail body. Both were delivered.

When clamav isn't reachable (like wrong socket or clamav not the
Debian-exim group), exim complains that the virus scanner doesn't
work.

Meanwhile, I found an entry in /var/log/exim4/reject.log:


2008-11-16 08:58:36 1L1j5A-0006Yb-0c H=mi-ob.rzone.de [81.169.146.145]
F=<servicesonline@???> rejected after DATA: This message
contains a virus (Phishing.Heuristics.Email.SpoofedDomain).
Envelope-from: <servicesonline@???>
Envelope-to: <lee@???>
P Received: from mi-ob.rzone.de ([81.169.146.145])
        by cat.rubenette.is-a-geek.com with esmtp (Exim 4.69)
        (envelope-from <servicesonline@???>)
        id 1L1j5A-0006Yb-0c
        for lee@???; Sun, 16 Nov 2008 08:58:36
    -0600
  X-RZG-FWD-BY: listar@???
P Received: from localhost (client mail forwarder)
        by mailin.webmailer.de (christine mi31) (RZmta 17.20)
        for <lee@???>; Sun, 16 Nov 2008 15:58:35
    +0100 (MET)
  X-RZG-CLASS-ID: mi
T To: undisclosed-recipients:;
P Received: from mail.hertz.at ([88.116.226.98])
        by mailin.webmailer.de (christine mi31) (RZmta 17.20)
        with ESMTP id x030d8kAGEdQrB for <listar@???>;
        Sun, 16 Nov 2008 15:58:35 +0100 (MET)
P Received: from User ([10.7.44.19] unverified) by mail.hertz.at with
Microsoft SMTPSVC(5.0.2195.6713);
         Sun, 16 Nov 2008 15:50:59 +0100
P Received: from User ([79.123.190.1] helo=User) by mail.hertz.at;
        16 Nov 2008 15:52:27 +0100
F From: "PayPal"<servicesonline@???>
  Subject: Multiple Password Failures - Wrong Login Attempts
  Date: Sun, 16 Nov 2008 17:17:35 +0200
  MIME-Version: 1.0
  Content-Type: text/html;
        charset="Windows-1251"
  Content-Transfer-Encoding: 7bit
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
B Bcc:
* Return-Path: servicesonline@???
I Message-ID: <HQBDCH8J0sca0ZkfzDs00004eb5@???>
  X-OriginalArrivalTime: 16 Nov 2008 14:50:59.0677 (UTC)
  FILETIME=[BD1A18D0:01C947FA]



And in mainlog:


2008-11-16 08:58:36 1L1j5A-0006Yb-0c H=mi-ob.rzone.de [81.169.146.145]
F=<servicesonline@???> rejected after DATA: This message
contains a virus (Phishing.Heuristics.Email.SpoofedDomain).


That is the only one there regarding a virus, though I sent quite a
number of eicar tests. Any idea what might be wrong or how to figure
out what's going on? Is clamd not supposed to detect eicar test files?
I couldn't find something else to test with.