[Mimedefang] Sophie 3.01/3.02 does not set $FoundVirus in mimedefang-filter

Troy Carpenter troy at carpenter.cx
Mon May 19 12:46:01 EDT 2003


I may be late on this one, but that's the risk of being on the digest
instead of getting messages real-time.

In my mimedefang-filter, I have to set that variable manually.  Here's
the code I have:

        # Scan for viruses if any virus-scanners are installed
        $VirusScannerMessages = "";
        my($code, $category, $action) = message_contains_virus();
        # The manually added line: set $FoundVirus from the scanner's category
        $FoundVirus = ($category eq "virus");
        chomp $VirusScannerMessages;
        if ($FoundVirus) {
            # Do something here;
        }

I have sent myself the eicar test virus and had no problem with my
filter using Sophie 3.02.

Troy

-----Original Message-----

There is a major bug in sophie 3.01 (and 3.02 as well).

Even if sophie detects a virus, the $FoundVirus variable in 
/etc/mail/mimedefang-filter is not set to "true" and so the code:

            # discard without notification Viruses which fake SMTP info
            return action_discard() if $VirusName =~ ...

            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");

            # But quarantine the part for examination later.  Comment
            # the next line out if you don't want to bother.
            action_quarantine($entity, "A known virus was discovered....

is never executed!!!

Luckily viruses get caught because usually they fulfill the $bad_exts
condition (they are .exe's .pif's etc.) and so they are flagged thanks
to filter_bad_filename(). But this is definitely NOT the right way to
treat them! Viruses should be either bounced back or discarded and not
quarantined *just because* they are e.g. exe's. BTW, I discovered this
because I:

            # But quarantine the part for examination later.  Comment
            # the next line out if you don't want to bother.
            # action_quarantine($entity, "A known virus was discovered....

... indeed didn't want to bother and commented action_quarantine() out
here. Still, viruses flooded into my quarantine directory.

Andrzej

P.S. I'm crossposting this to mimedefang at lists.roaringpenguin.com
and vtools at vanja.com.

A.
-- 
------------------------------------------------------------------------
Andrzej Marecki                | 
Torun Centre for Astronomy     |   e-mail: amr at astro.uni.torun.pl
N. Copernicus University       |   WWW:    http://www.astro.uni.torun.pl
ul. Gagarina 11                |   tel: +48 56 6113032
PL-87-100 Torun, POLAND        |   fax: +48 56 6113009
------------------------------------------------------------------------

--__--__--

Message: 10
Date: Mon, 19 May 2003 14:02:59 +0200 (CEST)
From: Steffen Kaiser <skmimedefang at smail.inf.fh-bonn-rhein-sieg.de>
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Notifying virus recipients
Reply-To: mimedefang at lists.roaringpenguin.com

On Sat, 17 May 2003, Adrian Chadd wrote:

> because I'd like to know whether its a local recipient and have the 
> 'local' user name after sendmail handles virtual user stuff, et al?

You must then be running a completely different setup than mine, e.g. my
sendmail handles each mail only once, and @Recipient and
filter_recipient do contain / get passed the same stuff.

Bye,

-- 
Steffen Kaiser

--__--__--

Message: 11
From: "VCI Help Desk" <admin at vci.net>
To: <mimedefang at lists.roaringpenguin.com>
Subject: Re: [Mimedefang] MimeDefang and SpamAssassin
Date: Mon, 19 May 2003 08:45:07 -0500
Organization: VCI Internet Services
Reply-To: mimedefang at lists.roaringpenguin.com

    Ok, I added these entries into my "border mail servers" as the older
message that said Bayes was disabled described and have primed it with
sa-learn. In my /var/spool/MIMEDefang/bayes/ folder I have 3 bayes_
files that are being updated after an email arrives. The concern I have
is that I don't see any BAYES_* entries in ANY of the emails that pass
into my system. I have mimedefang adding a header that resembles the
following. None of the rules over the past 3 days have ever said
anything about BAYES_*. Shouldn't there be a BAYES rule added in every
message?

    X-Spam-Level: * 1.5 HTML_10_20,HTML_MESSAGE

    As another post mentioned I'm using a site wide installation that
probably makes bayes testing useless. I'm trying to block more spam
because over the past 10-15 days the amount of spam has gone up a LOT. A
lot of the spam emails that come in seem to have one big picture and
little text in them. If all spam emails start doing that then we may as
well start converting our spam reduction services to services that block
all emails except those from people we specifically authorize - which
I've considered also.

      Bill Dunn





----- Original Message ----- 
From: "Albert E. Whale, CISSP" <aewhale at ABS-CompTech.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Friday, May 16, 2003 10:53 PM
Subject: Re: [Mimedefang] MimeDefang and SpamAssassin




VCI Help Desk wrote:

>    Hi,
>
>    I read an earlier post that MimeDefang disables the Bayes filters. 
>Is this true? I can't find any documentation in MimeDefang or 
>SpamAssassin to support this.
>
>      Bill Dunn
>

Bill,

The answer to that is no.  Once you manually prime the bayes pump (use
the sa-learn command), the filtering will take off on its own.  You
will need to set the following variables in the
/etc/mail/assassin/sa-mimedefang.cf files:

auto_learn 1
use_bayes 1
bayes_path    /var/spool/MIMEDefang/bayes

That should get you started.

>
>
-- 
Albert E. Whale, CISSP
http://www.abs-comptech.com
----------------------------------------------------------------------
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant Founding Board of
Directors of Pittsburgh FBI - InfraGard




_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


--__--__--

Message: 12
Date: Mon, 19 May 2003 23:01:23 +0900
Subject: Re: [Mimedefang] MimeDefang and SpamAssassin
From: alan premselaar <alien at 12inch.com>
To: <mimedefang at lists.roaringpenguin.com>
Reply-To: mimedefang at lists.roaringpenguin.com

On 5/19/03 10:45 PM, "VCI Help Desk" <admin at vci.net> wrote:

>   Ok, I added these entries into my "border mail servers" as the older
> message that said Bayes was disabled described and have primed it with
> sa-learn. In my /var/spool/MIMEDefang/bayes/ folder I have 3 bayes_ 
> files that are being updated after an email arrives. The concern I 
> have is that I don't see any BAYES_* entries in ANY of the emails that
> pass into my system. I have mimedefang adding a header that resembles
> the following. None of the rules over the past 3 days have ever said
> anything about BAYES_* Shouldn't there be a BAYES rule added in every
> message?
> 

the following BAYES tests have 0 scores and therefore won't return in
your list of tests:

50_scores.cf:score BAYES_40 0.0
50_scores.cf:score BAYES_44 0.0
50_scores.cf:score BAYES_50 0.0
50_scores.cf:score BAYES_56 0.0

so basically if bayes is on the fence about the spaminess of an email,
it won't score it.  also, you have to make sure you have at least 200
spam and 200 ham learned before the bayes filters will become active.

>   X-Spam-Level: * 1.5 HTML_10_20,HTML_MESSAGE
> 
>   As another post mentioned I'm using a site wide installation that 
> probably makes bayes testing useless. I'm trying to block more spam 
> because over the past 10-15 days the amount of spam has gone up a LOT.
> A lot of the spam emails that come in seem to have one big picture and
> little text in them. If all spam emails start doing that then we may 
> as well start converting our spam reduction services to services that 
> block all emails except those from people we specifically authorize - 
> which I've considered also.

I'm using bayes site-wide on my personal domain as well as my office
domain. My personal domain doesn't have many users, so perhaps bayes is
more effective there. My office domain has relatively few users
(compared to a lot of places) at approx. 150 unique email accounts.
I've just recently turned on the bayes auto-learning, although it hasn't
kicked in yet.

my take on the whole site-wide bayes thing is, there are some common
spam techniques that may be caught by bayes filters yet too complicated
or inconsistent to be caught by rules alone. every little bit helps, no?

this may be a topic you'll want to discuss on the SpamAssassin (SATalk)
list however. 

hope this helps,

alan
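
Added example, not part of the thread: a shell check for the two reasons the reply above gives for a tests list with no BAYES_* name in it (rules scored 0, and fewer than 200 spam and 200 ham learned). The function names are hypothetical, the `sa-learn --dump magic` excerpt and the BAYES_90 line are constructed, and the column layout of that command's output is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Header quoted in the thread, and score lines in the grep format quoted in
# the reply (the BAYES_90 line and its value are constructed).
SAMPLE_HEADER='X-Spam-Level: * 1.5 HTML_10_20,HTML_MESSAGE'
SAMPLE_SCORES='50_scores.cf:score BAYES_40 0.0
50_scores.cf:score BAYES_44 0.0
50_scores.cf:score BAYES_50 0.0
50_scores.cf:score BAYES_56 0.0
50_scores.cf:score BAYES_90 2.1'
# Constructed `sa-learn --dump magic` excerpt: 412 spam, 150 ham learned.
SAMPLE_MAGIC='0.000          0        412          0  non-token data: nspam
0.000          0        150          0  non-token data: nham'

# BAYES_* rules whose listed scores are all 0 (a hit on these is not reported).
zero_score_bayes() {
    awk '{ sub(/^[^: ]*:/, "") }          # drop a leading "file:" from grep
         $1 == "score" && $2 ~ /^BAYES_/ && NF >= 3 {
             zero = 1
             for (i = 3; i <= NF; i++) if ($i + 0 != 0) zero = 0
             if (zero) out = out (out ? " " : "") $2
         }
         END { print out }'
}

# Succeeds only if both learned counts reach the minimum (default 200).
bayes_trained() {
    awk -v min="${1:-200}" '
        /non-token data: nspam$/ { spam = $3 }
        /non-token data: nham$/  { ham = $3 }
        END { exit !(spam + 0 >= min && ham + 0 >= min) }'
}

# $1 header line, $2 score lines, $3 `sa-learn --dump magic` output
diagnose() {
    hit=$(printf '%s\n' "$1" | sed -n 's/.*\(BAYES_[0-9][0-9]*\).*/\1/p')
    if [ -n "$hit" ]; then
        echo "listed: $hit"
    elif ! printf '%s\n' "$3" | bayes_trained 200; then
        echo "inactive: fewer than 200 spam or 200 ham learned"
    else
        echo "hidden if neutral: $(printf '%s\n' "$2" | zero_score_bayes)"
    fi
}

diagnose "$SAMPLE_HEADER" "$SAMPLE_SCORES" "$SAMPLE_MAGIC"
```

On a live system the second and third arguments would come from the installed score file and from `sa-learn --dump magic` run against the same bayes_path the filter uses.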



--__--__--
