From: Bill L. <bi...@po...> - 2004-06-18 18:02:18
----- Original Message -----
From: "Eddy Beliveau" <edd...@he...>

> I upgraded to p9. Thanks for the suggestion.
>
> I did change the block list as you recommended.
> Now tests 24 and 25 are getting blocked correctly... thanks :-)
>
> But test 16 is NOT getting blocked.
>
> Can you try to block test 16 and tell me the reject message that you get in your maillog?

Here is the postmaster message I received from test 16 (note that only clamd detected the virus, not uvscan, which I also run):

=====
A virus (Eicar-Test-Signature) was found.

Scanner detecting a virus: Clam Antivirus-clamd

The mail originated from: <te...@te...>

According to the 'Received:' trace, the message originated at:
  mail01.excedent.us (crc2.excedent.us [12.5.19.157])

The message WAS NOT delivered to:
<bi...@po...>:
  250 2.7.1 Ok, discarded, id=11461-04 - VIRUS: Eicar-Test-Signature

Virus scanner output:
  /var/amavis/tmp/amavis-20040618T102206-11461/parts/part-00001: Eicar-Test-Signature FOUND

The message has been quarantined as:
  /var/virusmails/virus-20040618-102313-11461-04

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <te...@te...>
Received: from mail01.excedent.us (crc2.excedent.us [12.5.19.157])
        by gw2.pointshare.com (Mail Gateway) with ESMTP id 0B3C2ADEB6
        for <bi...@po...>; Fri, 18 Jun 2004 10:23:11 -0700 (PDT)
X-Originating-Ip: 204.189.39.72
Message-Id: <349091.@testvirus.org>
Date: Fri, 18 Jun 2004 13:22:35 -0500
From: "TESTVIRUS.org" <te...@te...>
To: <bi...@po...>
Subject: Virus Scanner Test #16
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_307115168==_"
-------------------------- END HEADERS ------------------------------
=====

Here are the associated log entries for this message:

=====
Jun 18 10:23:11 gw2 postfix/smtpd[10341]: connect from crc2.excedent.us[12.5.19.157]
Jun 18 10:23:12 gw2 postfix/smtpd[10341]: 0B3C2ADEB6: client=crc2.excedent.us[12.5.19.157]
Jun 18 10:23:12 gw2 postfix/smtpd[10341]: disconnect from crc2.excedent.us[12.5.19.157]
Jun 18 10:23:12 gw2 postfix/cleanup[11584]: 0B3C2ADEB6: message-id=<349091.@testvirus.org>
Jun 18 10:23:12 gw2 postfix/qmgr[17458]: 0B3C2ADEB6: from=<te...@te...>, size=895, nrcpt=1 (queue active)
Jun 18 10:23:12 gw2 amavis[11461]: (11461-04) ESMTP::10023 /var/amavis/tmp/amavis-20040618T102206-11461: <te...@te...> -> <bi...@po...> Received: SIZE=895 from gw2.pointshare.com ([204.189.38.3]) by localhost (gw2.pointshare.com [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id 11461-04 for <bi...@po...>; Fri, 18 Jun 2004 10:23:12 -0700 (PDT)
Jun 18 10:23:12 gw2 amavis[11461]: (11461-04) Checking: <te...@te...> -> <bi...@po...>
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) local delivery: <> -> <virus-quarantine>, mbx=/var/virusmails/virus-20040618-102313-11461-04
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) SEND via SMTP: [127.0.0.1]:10024 <vir...@gw...> -> <bi...@po...>
Jun 18 10:23:13 gw2 postfix/smtpd[11391]: connect from localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 postfix/smtpd[11391]: 5D4E0ADEC0: client=localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 postfix/cleanup[11290]: 5D4E0ADEC0: message-id=<VA1...@gw...>
Jun 18 10:23:13 gw2 postfix/qmgr[17458]: 5D4E0ADEC0: from=<vir...@gw...>, size=1663, nrcpt=1 (queue active)
Jun 18 10:23:13 gw2 postfix/smtpd[11391]: disconnect from localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 postfix/smtp[11291]: 5D4E0ADEC0: to=<bi...@po...>, relay=206.114.137.47[206.114.137.47], delay=0, status=sent (250 Message queued)
Jun 18 10:23:13 gw2 postfix/qmgr[17458]: 5D4E0ADEC0: removed
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) SEND via SMTP: [127.0.0.1]:10024 <vir...@gw...> -> <bi...@po...>
Jun 18 10:23:13 gw2 postfix/smtpd[11404]: connect from localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 postfix/smtpd[11404]: 7BDEDADEC0: client=localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 postfix/cleanup[11405]: 7BDEDADEC0: message-id=<VR1...@gw...>
Jun 18 10:23:13 gw2 postfix/qmgr[17458]: 7BDEDADEC0: from=<vir...@gw...>, size=647, nrcpt=1 (queue active)
Jun 18 10:23:13 gw2 postfix/smtpd[11404]: disconnect from localhost.localdomain[127.0.0.1]
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) INFECTED (Eicar-Test-Signature), <te...@te...> -> <bi...@po...>, quarantine virus-20040618-102313-11461-04, Message-ID: <349091.@testvirus.org>, Hits: -
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) TIMING [total 1162 ms] - SMTP EHLO: 2 (0%), SMTP pre-MAIL: 1 (0%), SMTP pre-DATA-flush: 4 (0%), SMTP DATA: 34 (3%), body hash: 1 (0%), mime_decode: 22 (2%), get-file-type: 28 (2%), decompose_part: 1 (0%), parts: 0 (0%), AV-scan-1: 782 (67%), AV-scan-2: 2 (0%), write-header: 11 (1%), save-to-local-mailbox: 0 (0%), fwd-connect: 45 (4%), fwd-mail-from: 2 (0%), fwd-rcpt-to: 2 (0%), write-header: 5 (0%), fwd-data: 15 (1%), fwd-data-end: 69 (6%), fwd-rundown: 3 (0%), fwd-connect: 30 (3%), fwd-mail-from: 1 (0%), fwd-rcpt-to: 2 (0%), write-header: 5 (0%), fwd-data: 6 (1%), fwd-data-end: 77 (7%), fwd-rundown: 2 (0%), unlink-1-files: 10 (1%), rundown: 0 (0%)
Jun 18 10:23:13 gw2 postfix/smtp[11183]: 0B3C2ADEB6: to=<bi...@po...>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.7.1 Ok, discarded, id=11461-04 - VIRUS: Eicar-Test-Signature)
Jun 18 10:23:13 gw2 postfix/qmgr[17458]: 0B3C2ADEB6: removed
=====

It looks like it depends on what virus scanner you are running as to whether this test will get caught or not. On one of my test servers, where I am running ClamAV, F-Prot, UVScan, and BitDefender, only ClamAV and F-Prot trigger on test 16. So I would say install ClamAV on your server as an additional scanner and you should be good to go.

Bill
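As an added example (not part of the thread, and not amavisd-new's own code), the script below pulls the verdict Bill is reading off his maillog out of a log file automatically: it correlates the amavis id in the `(11461-04) INFECTED (...)` line with the Postfix queue id in the `status=sent (250 2.7.1 Ok, discarded, id=11461-04 - VIRUS: ...)` reply, and reports per message whether it was blocked, under what name, where it was quarantined and which client handed it in. That is the comparison Eddy was asked to make; if his log shows the test message with no `INFECTED` line and a `queued as` reply, no scanner fired, which is a different failure from a scanner firing but policy letting the message through. Note what the log lines quoted above do not say: which scanner detected the virus, which here appears only in the postmaster notification. The sample log is constructed: message 11461-04 is trimmed from the lines quoted above (elided addresses left as they appear), while 11461-05 (clean) and 11461-06 (detected but passed through) are invented, with their `Passed`/`queued as` formats assumed from later amavisd-new releases.

```python
"""Correlate Postfix and amavisd-new syslog lines into per-message verdicts.

Added example, not code from the mailing-list post or from amavisd-new.  It
keys on the two formats visible in the post: the amavis line
  (ID) INFECTED (Name), <from> -> <to>, quarantine FILE, Message-ID: <...>
and the Postfix hop into amavis, whose reply carries the same ID:
  QUEUEID: to=<...>, relay=127.0.0.1[127.0.0.1], ..., status=sent (250 2.7.1 Ok, discarded, id=ID - VIRUS: Name)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AMAVIS = re.compile(r" amavis\[\d+\]: \((?P<aid>\d+-\d+(?:-\d+)?)\) (?P<rest>.*)$")
PF_CLIENT = re.compile(r" postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+)")
PF_SENT = re.compile(r" postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>, "
                     r"relay=\S+, .*status=sent \((?P<reply>.*)\)$")
AMAVIS_ID_IN_REPLY = re.compile(r"\bid=(\d+-\d+(?:-\d+)?)")


@dataclass
class Verdict:
    amavis_id: str
    queue_id: Optional[str] = None     # Postfix queue id of the inbound message
    client: Optional[str] = None       # smtpd client= that handed it to Postfix
    sender: Optional[str] = None
    recipient: Optional[str] = None
    message_id: Optional[str] = None
    result: Optional[str] = None       # leading word of the amavis verdict line
    virus: Optional[str] = None
    quarantine: Optional[str] = None
    disposition: Optional[str] = None  # derived from the SMTP reply amavis gave Postfix

    @property
    def status(self) -> str:
        """Three-way outcome: blocked, detected but let through, or nothing found."""
        if self.virus and self.disposition == "discarded":
            return "BLOCKED"
        if self.virus:
            return "DETECTED-NOT-BLOCKED"
        return "clean"


def classify_reply(reply: str) -> str:
    """Map amavis's 250 reply text to what happened to the message."""
    if ", discarded" in reply:
        return "discarded"
    if "queued as" in reply:        # amavis relayed it and the MTA accepted it
        return "delivered"
    return "other"


def _apply_amavis(v: Verdict, rest: str) -> None:
    m = re.match(r"Checking: .*?(<[^>]*>) -> (<[^>]*>)", rest)
    if m:
        v.sender, v.recipient = m.groups()
        return
    m = re.match(r"(INFECTED|Passed|Blocked)\b", rest)
    if not m:
        return                      # TIMING, local delivery, SEND via SMTP, ...
    v.result = m[1]
    vm = re.search(r"INFECTED \(([^)]+)\)", rest)   # also matches "Passed INFECTED (...)"
    if vm:
        v.virus = vm[1]
    qm = re.search(r"quarantine ([^,\s]+)", rest)
    if qm:
        v.quarantine = qm[1]
    mm = re.search(r"Message-ID: (<[^>]*>)", rest)
    if mm:
        v.message_id = mm[1]


def analyze(log_text: str) -> List[Verdict]:
    verdicts: Dict[str, Verdict] = {}
    clients: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = PF_CLIENT.search(line)
        if m:
            clients[m["qid"]] = m["client"]
            continue
        m = AMAVIS.search(line)
        if m:
            _apply_amavis(verdicts.setdefault(m["aid"], Verdict(m["aid"])), m["rest"])
            continue
        m = PF_SENT.search(line)
        if m:
            aid = AMAVIS_ID_IN_REPLY.search(m["reply"])
            if aid:                 # only the hop into amavis carries id=...; notifications don't
                v = verdicts.setdefault(aid[1], Verdict(aid[1]))
                v.queue_id, v.disposition = m["qid"], classify_reply(m["reply"])
    for v in verdicts.values():
        if v.queue_id:
            v.client = clients.get(v.queue_id)
    return sorted(verdicts.values(), key=lambda v: v.amavis_id)


def report(verdicts: List[Verdict]) -> str:
    return "\n".join(f"{v.amavis_id:<9} {v.queue_id or '-':<11} {v.status:<21} "
                     f"{v.virus or '-':<21} {v.quarantine or '-':<33} {v.client or '-'}"
                     for v in verdicts)


# Constructed sample: 11461-04 is trimmed from the post; 11461-05 and 11461-06 are invented.
SAMPLE_LOG = """\
Jun 18 10:23:12 gw2 postfix/smtpd[10341]: 0B3C2ADEB6: client=crc2.excedent.us[12.5.19.157]
Jun 18 10:23:12 gw2 amavis[11461]: (11461-04) Checking: <te...@te...> -> <bi...@po...>
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) local delivery: <> -> <virus-quarantine>, mbx=/var/virusmails/virus-20040618-102313-11461-04
Jun 18 10:23:13 gw2 amavis[11461]: (11461-04) INFECTED (Eicar-Test-Signature), <te...@te...> -> <bi...@po...>, quarantine virus-20040618-102313-11461-04, Message-ID: <349091.@testvirus.org>, Hits: -
Jun 18 10:23:13 gw2 postfix/smtp[11183]: 0B3C2ADEB6: to=<bi...@po...>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.7.1 Ok, discarded, id=11461-04 - VIRUS: Eicar-Test-Signature)
Jun 18 10:25:01 gw2 postfix/smtpd[10341]: 1A2B3C4D5E: client=mx.example.net[192.0.2.10]
Jun 18 10:25:01 gw2 amavis[11461]: (11461-05) Checking: <alice@example.net> -> <bi...@po...>
Jun 18 10:25:02 gw2 amavis[11461]: (11461-05) Passed, <alice@example.net> -> <bi...@po...>, Message-ID: <clean-1@example.net>, Hits: 0.2
Jun 18 10:25:02 gw2 postfix/smtp[11183]: 1A2B3C4D5E: to=<bi...@po...>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=11461-05, from MTA: 250 Ok: queued as 9F8E7D6C5B)
Jun 18 10:27:40 gw2 postfix/smtpd[10341]: 2B3C4D5E6F: client=relay.example.org[198.51.100.7]
Jun 18 10:27:40 gw2 amavis[11461]: (11461-06) Checking: <bob@example.org> -> <bi...@po...>
Jun 18 10:27:41 gw2 amavis[11461]: (11461-06) Passed INFECTED (Eicar-Test-Signature), <bob@example.org> -> <bi...@po...>, quarantine virus-20040618-102741-11461-06, Message-ID: <lover-1@example.org>, Hits: -
Jun 18 10:27:41 gw2 postfix/smtp[11183]: 2B3C4D5E6F: to=<bi...@po...>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=11461-06, from MTA: 250 Ok: queued as 3C4D5E6F7A)
"""

if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run it against a real `/var/log/maillog` by passing the file's contents to `analyze()`; the notification deliveries (`5D4E0ADEC0`, `7BDEDADEC0` above) are ignored because their `250 Message queued` reply carries no `id=`, so only the hop from Postfix into amavis links a queue id to a verdict.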