[Mimedefang] Re: clamav/mimedefang

Jeremy Mates jmates at sial.org
Mon Aug 25 04:11:01 EDT 2003


* cc <cc at belfordhk.com>
> ... while talking to mydomain.com.:
> >>> DATA
> <<< 554 5.7.1 Virus EICAR-Test-File found in mail - rejected
> 554 5.0.0 Service unavailable
> 
> When it says "Service unavailable", does it mean that it couldn't run
> ClamScan or is this part of something else? The ClamD log doesn't show
> anything.

Something found the eicar test virus and caused the Mail Transport Agent
(MTA) to reject the message from your SMTP client.

The 554 and 5.0.0 are mail status codes in the "Permanent Failure"
class. They indicate the server rejected the message from the client
system. For more information on mail status codes, see RFC 1893:

http://www.rfc-editor.org/rfc/rfc1893.txt

That the server in question recognized Eicar indicates some form of anti-
virus software is running on the server being spoken to.

The clamd daemon will log either to the file given by "LogFile" in the
clamav.conf configuration file, or to syslog should "LogSyslog" be set.

If LogSyslog is set, you might be able to locate logs similar to the
following in /var/log/messages (from clamd) and /var/log/maillog (due to
md_graphdefang_log code in mimedefang-filter), though certain vendors
fiddle with the syslog destinations via /etc/syslog.conf.

  Aug 19 04:08:33 <local6.info> mx2 clamd[1786]: /var/spool/MIMEDefang/mdefang-h7JB8Ndi001782/Work/msg-30300-128.scr: Worm.Sobig.F FOUND

  Aug 19 04:08:33 <mail.info> mx2 mimedefang.pl[30300]: MDLOG,h7JB8Ndi001782,virus,Worm.Sobig.F,192.38.46.104,<cando81 at hotmail.com>,<user at example.edu>,Re: That movie

On the other hand, you could be using the LogFile statement (nothing to
syslog), clamscan (which doesn't appear to log to syslog), some other
virus scanner (does "found in mail - rejected" appear in your
mimedefang-filter somewhere?), or be looking at an SMTP reject from a
different server than the one you are trying to set up (the test account on remote
client got a reject from the local MTA before the message got anywhere
near your testing system?). Hard to tell without more information, such
as whether the remote testing client MTA is involved and whether it has
anti-virus support, the contents of your clamav.conf, mimedefang-filter
code used to call clamd, and so forth.

The following page may help with setup and debugging of ClamAV in
MIMEDefang, if you have not found it already:

http://sial.org/howto/mimedefang/clamav/
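
Added example, not part of the original post: a small Python check that pairs each MIMEDefang "MDLOG ... virus" syslog entry with a clamd "FOUND" entry for the same queue ID, to show which rejections clamd actually logged. The MDLOG field order is assumed from the sample line quoted above, and the third sample line is constructed.

```python
import re

# First two lines are the samples quoted in the post; the third is constructed
# (queue ID, signature name and addresses are made up) and has no clamd entry.
SAMPLE_LOG = """\
Aug 19 04:08:33 <local6.info> mx2 clamd[1786]: /var/spool/MIMEDefang/mdefang-h7JB8Ndi001782/Work/msg-30300-128.scr: Worm.Sobig.F FOUND
Aug 19 04:08:33 <mail.info> mx2 mimedefang.pl[30300]: MDLOG,h7JB8Ndi001782,virus,Worm.Sobig.F,192.38.46.104,<cando81 at hotmail.com>,<user at example.edu>,Re: That movie
Aug 19 04:09:10 <mail.info> mx2 mimedefang.pl[30301]: MDLOG,h7JB9Aaa001790,virus,Eicar-Test-Signature,192.0.2.7,<a at example.org>,<user at example.edu>,test, with comma
"""

# clamd logs the scanned path; the MIMEDefang work directory name carries the queue ID.
CLAMD_RE = re.compile(r"clamd\[\d+\]: .*/mdefang-([^/]+)/.*: (\S+) FOUND$")
MDLOG_RE = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,(.*)$")


def correlate(log_text):
    """Return one record per MDLOG virus event, flagged if clamd logged it too."""
    clamd_hits = {}  # queue ID -> set of signature names clamd reported
    md_events = []
    for line in log_text.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            clamd_hits.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = MDLOG_RE.search(line)
        if m:
            # Assumed order: queue ID, event, value1, value2, sender, recipient, subject.
            # maxsplit=6 keeps commas inside the subject intact.
            fields = m.group(1).split(",", 6)
            if len(fields) == 7 and fields[1] == "virus":
                md_events.append(fields)
    report = []
    for qid, _event, virus, relay, sender, rcpt, subject in md_events:
        report.append({
            "queue_id": qid, "virus": virus, "relay": relay,
            "sender": sender, "recipient": rcpt, "subject": subject,
            "clamd_confirmed": virus in clamd_hits.get(qid, set()),
        })
    return report


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        status = "clamd logged it" if rec["clamd_confirmed"] else "no clamd entry"
        print(f'{rec["queue_id"]} {rec["virus"]} from {rec["relay"]}: {status}')
```

An MDLOG virus event with no clamd entry points at the cases listed above: clamd logging to LogFile rather than syslog, clamscan or another scanner in use, or syslog routing the two facilities to different files.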
