Hi, I sent a GTUBE test and SA didn't register the email as spam. How can I verify if it's up and working? Also, is there any way to have ClamAV send a message to the user instead of just deleting it and sending a message to the av admin? Cause I'm not getting any A/V admin notices so far even though I've sent eicar like a bazillion times.
Yes. It is enabled for this account. Level is set at 5. Here are some example headers.
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (pool-72-81-13-110.phlapa.east.verizon.net [72.81.13.110])
    by xxxxxxx.com (Postfix) with SMTP id 1490428812B
    for <[email protected]>; Sat, 6 Jan 2007 09:07:52 -0600 (CST)
Message-ID: <000001c731a3$df5a0f00$0100007f@localhost>
From: "Alec Murphy" <[email protected]>
To: <[email protected]>
Subject: Need S0ftware?
Date: Sat, 06 Jan 2007 11:07:43 -0400
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3610
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1125
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2416/Fri Jan 5 22:54:14 2007

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from smtp8-g19.free.fr (smtp8-g19.free.fr [212.27.42.65])
    by xxxxxxx.com (Postfix) with ESMTP id CC49C28812B
    for <[email protected]>; Sat, 6 Jan 2007 09:21:15 -0600 (CST)
Received: from imp1-g19.free.fr (imp1-g19.free.fr [212.27.42.1])
    by smtp8-g19.free.fr (Postfix) with ESMTP id 29ED254B0;
    Sat, 6 Jan 2007 16:21:14 +0100 (CET)
Received: by imp1-g19.free.fr (Postfix, from userid 33)
    id 1A6A28919; Sat, 6 Jan 2007 16:21:14 +0100 (CET)
Received: from 80.227.0.153 ([80.227.0.153])
    by imp1-g19.free.fr (IMP) with HTTP
    for <[email protected]>; Sat, 06 Jan 2007 16:21:13 +0100
Message-ID: <[email protected]>
Date: Sat, 06 Jan 2007 16:21:13 +0100
From: ben anni <[email protected]>
Reply-to: [email protected]
Subject: Now contact my secretary
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.5
X-Originating-IP: 80.227.0.153
To: undisclosed-recipients:;
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2416/Fri Jan 5 22:54:14 2007
I installed razor, pyzor, and dcc but still no difference. I was under the impression that the spam score should be in the headers. Is this right? Here's a recent header.
Return-Path: <xxxxxxx>
X-Original-To: xxxxxxx
Delivered-To: xxxxxxx
Received: from web55704.mail.re3.yahoo.com (web55704.mail.re3.yahoo.com [216.252.110.35])
    by xxxxxxx (Postfix) with SMTP id AAB8C28812D
    for <xxxxxxx>; Sat, 6 Jan 2007 13:15:31 -0600 (CST)
Received: (qmail 37248 invoked by uid 60001); 6 Jan 2007 19:15:30 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
    h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
    b=m9rNXOGgfuOBowkIFipQXCjjYtA8ZNcJoUhQYi2xhXRf/uqFukXezaSgKfqzKLsNltjDIdnGwOkHncgBROCqfQ4oT5xzOykzgBVYaVL/KEGoAgjuBbAZYMeKkXpRcbsoa3hiCL3VR36n1RFAJqH1F9egrw7/QKMoXaHimd2qC18=;
X-YMail-OSG: jqkksZkVM1mDzOOJKBT6svp151z61WhNhxw3jltWa8uDnQN00oLbr2utmA0ZGM7XcXBvhM5XSpuFtH3ryOtJ0p4SkBgiO63V7pS0ZAE4F.8Ocptcu9r3gO1OwKAszlZ9yYd8TUN9txGR2e8-
Received: from [xxxxxxx] by web55704.mail.re3.yahoo.com via HTTP; Sat, 06 Jan 2007 11:15:30 PST
Date: Sat, 6 Jan 2007 11:15:30 -0800 (PST)
From: xxxxxxx
Subject: test gtuber
To: xxxxxxx
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-833759254-1168110930=:36580"
Content-Transfer-Encoding: 8bit
Message-ID: <[email protected]>
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2416/Fri Jan 5 22:54:14 2007
I'm trying to test with spamassassin -t -D < /tmp/spam (/tmp/spam being a mail message) but I can't figure out where mail is stored. Can anyone point me in the right direction?
Hmmm your mail headers are missing the X-Spam stuff..
Code:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on host.aabbccdd.info
X-Spam-Level: *
X-Spam-Status: No, score=2.0 required=5.0 tests=AWL,DNS_FROM_RFC_ABUSE,
    DNS_FROM_RFC_POST,HTML_MESSAGE autolearn=no version=3.1.7
Are you sure that Spamassassin is enabled?
re: Can anyone point me in the right direction?
For me (Debian Sarge) it's in /var/mail
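The header check described in the post above, as an added example that is not part of the original thread: it reads a delivered message and reports whether the clamassassin and SpamAssassin stamps are present, and parses `X-Spam-Status` when it is. The function name and the two sample messages are constructed for illustration, abridged from headers posted in this thread.

```python
import email
import re

# Constructed samples, abridged from headers posted in this thread; the
# sender address is a placeholder.
UNSCANNED = """\
Return-Path: <sender@example.com>
Subject: test gtuber
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2416/Fri Jan 5 22:54:14 2007

GTUBE test body would go here
"""

SCANNED = """\
Return-Path: <sender@example.com>
Subject: hello
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on host.aabbccdd.info
X-Spam-Level: *
X-Spam-Status: No, score=2.0 required=5.0 tests=AWL,DNS_FROM_RFC_ABUSE,
\tDNS_FROM_RFC_POST,HTML_MESSAGE autolearn=no version=3.1.7

hello
"""

STATUS_RE = re.compile(r"^(Yes|No),score=(-?[\d.]+) required=(-?[\d.]+)(?: tests=(\S*))?")


def filter_report(raw_message):
    """Report which content filters stamped a delivered message (hypothetical helper)."""
    msg = email.message_from_string(raw_message)
    status = msg["X-Spam-Status"]
    report = {
        "clamav_scanned": msg["X-Virus-Status"] is not None,
        "sa_scanned": status is not None,
        "is_spam": None, "score": None, "required": None, "tests": [],
    }
    if status is None:
        return report  # no SpamAssassin stamp: the message never passed through it
    # Unfold the header and close the gap a fold leaves inside "tests=a,b,\n\tc".
    flat = re.sub(r"\s+", " ", re.sub(r",\s+", ",", status)).strip()
    m = STATUS_RE.match(flat)
    if m:
        report["is_spam"] = m.group(1) == "Yes"
        report["score"] = float(m.group(2))
        report["required"] = float(m.group(3))
        names = (m.group(4) or "").split(",")
        report["tests"] = [t for t in names if t and t != "none"]
    return report


if __name__ == "__main__":
    for name, raw in (("unscanned", UNSCANNED), ("scanned", SCANNED)):
        print(name, filter_report(raw))
```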
errrr, yup. I think anyways. should be like attached pic right? And I'm using FC5. There should be emails waiting (I sent some test from my yahoo account.) but there's nothing in the mail folder. Does it get passed on to elsewhere?
Start Spamassassin at boot
Within your file /etc/default/spamassassin you can verify if spamassassin is allowed to start after a reboot. To give spamassassin permission to start after a reboot change the line
# Change to one to enable spamd
ENABLED=0
into:
# Change to one to enable spamd
ENABLED=1
Maybe you did this already, but I think it can be helpful to you.
I don't have that. I have these instances of SA. Which is the right one for ISPconfig?
/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin
/etc/sysconfig/spamassassin
/etc/rc.d/init.d/spamassassin
/usr/bin/spamassassin
I checked them all and none have the identifier you described.
Oh yes, you're using FC5. What is within the file /etc/rc.d/init.d/spamassassin ? Is there something like:
# Defaults - don't touch, edit /etc/default/spamassassin
ENABLED=0
I use Debian, and as the referer line says, I have to enable spamassassin within the file /etc/default/spamassassin so I did. Maybe the file /etc/default/spamassassin is only for Debian and you have to edit a different file. Sorry.
If you give the command net stat -tap, is spamd listening?
ISPConfig uses
/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin
Did you get an error when you execute:
/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin
Nope. Sorry. That command doesn't work and I'm not sure how to do it with FC5 as I'm still pretty new to this. Real sorry.
It just sorta sits there with a blinky cursor but here's the debug info I got.
[5058] dbg: logger: adding facilities: all
[5058] dbg: logger: logging level is DBG
[5058] dbg: generic: SpamAssassin version 3.1.0
[5058] dbg: config: score set 0 chosen.
[5058] dbg: util: running in taint mode? yes
[5058] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[5058] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[5058] dbg: util: PATH included '/usr/kerberos/bin', keeping
[5058] dbg: util: PATH included '/usr/local/sbin', keeping
[5058] dbg: util: PATH included '/usr/local/bin', keeping
[5058] dbg: util: PATH included '/sbin', keeping
[5058] dbg: util: PATH included '/bin', keeping
[5058] dbg: util: PATH included '/usr/sbin', keeping
[5058] dbg: util: PATH included '/usr/bin', keeping
[5058] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[5058] dbg: util: final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[5058] dbg: dns: is Net::DNS::Resolver available? yes
[5058] dbg: dns: Net::DNS version: 0.59
[5058] dbg: dns: name server: 4.2.2.1, family: 2, ipv6: 0
[5058] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[5058] dbg: config: read file /etc/mail/spamassassin/init.pre
[5058] dbg: config: read file /etc/mail/spamassassin/v310.pre
[5058] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[5058] dbg: config: using "/usr/share/spamassassin" for default rules dir
[5058] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_porn.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
[5058] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf
[5058] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_dcc.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_replace.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_textcat.cf
[5058] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_de.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_it.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf
[5058] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf
[5058] dbg: config: read file /usr/share/spamassassin/50_scores.cf
[5058] dbg: config: read file /usr/share/spamassassin/60_awl.cf
[5058] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf
[5058] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
[5058] dbg: config: read file /usr/share/spamassassin/60_whitelist_subject.cf
[5058] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[5058] dbg: config: read file /etc/mail/spamassassin/local.cf
[5058] dbg: config: using "/root/.spamassassin" for user state dir
[5058] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
[5058] dbg: config: read file /root/.spamassassin/user_prefs
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xaa71b08)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xaa89870)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xaaac218)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[5058] dbg: pyzor: network tests on, attempting Pyzor
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xaac3690)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[5058] dbg: reporter: network tests on, attempting SpamCop
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xab45bf8)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xab5483c)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xacf523c)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xacf5c98)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xad02894)
[5058] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[5058] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xad0fa0c)
[5058] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[5058] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[5058] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[5058] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[5058] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[5058] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i
[5058] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[5058] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xad0fa0c) implements 'finish_parsing_end'
[5058] dbg: replacetags: replacing tags
[5058] dbg: replacetags: done replacing tags
[5058] dbg: config: using "/root/.spamassassin" for user state dir
[5058] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
[5058] dbg: config: score set 1 chosen.
[5058] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
[5058] dbg: dns: testing resolver nameservers: 4.2.2.1, 4.2.2.2
[5058] dbg: dns: trying (3) google.com...
[5058] dbg: dns: looking up NS for 'google.com'
/usr/bin/perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Net/DNS/DNS.so: undefined symbol: Perl_sv_2uv_flags
Answer! It's a bug! https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218916 It's apparently a PERL issue and updating to 5.8.8-5 resolves. It's all better now!
hmmmm, but now I don't seem to be getting any mail. Can anyone tell me what this means? It's from my maillog.
Jan 7 10:26:00 mailserver postfix/local[8271]: BFB0E28812D: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=18, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 7 10:26:00 mailserver postfix/qmgr[8241]: BFB0E28812D: removed
This means the mail has been delivered to the mailbox of the user: web3_spamtrap. You should be able to find it in there. The log shows all has worked as expected (status=sent).
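How the two maillog lines above break down by queue ID, as an added example that is not part of the original thread. In the `postfix/local` line, `status=sent (delivered to command: ...)` records Postfix handing the message to the named command, and the `qmgr` "removed" line records the queue file being deleted; the function name is hypothetical and the addresses are constructed placeholders for the redacted ones.

```python
import re

# The two maillog lines from the post above; the redacted addresses are
# replaced with constructed placeholders.
MAILLOG = """\
Jan 7 10:26:00 mailserver postfix/local[8271]: BFB0E28812D: to=<web3_spamtrap@example.com>, orig_to=<spamtrap@example.com>, relay=local, delay=18, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 7 10:26:00 mailserver postfix/qmgr[8241]: BFB0E28812D: removed
"""

LINE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
FIELD_RE = re.compile(r"(\w+)=<?([^>,\s]*)>?")
STATUS_RE = re.compile(r"status=(\w+) \((.*)\)$")
HANDOFF_RE = re.compile(r"delivered to (\w+)(?:: (.*))?$")


def trace_queue_ids(log_text):
    """Group Postfix log lines by queue ID and summarise each delivery attempt."""
    messages = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        entry = messages.setdefault(qid, {"deliveries": [], "removed": False})
        if daemon == "qmgr" and rest == "removed":
            entry["removed"] = True  # queue file deleted: Postfix is done with it
            continue
        status = STATUS_RE.search(rest)
        if not status:
            continue  # not a delivery line (e.g. qmgr "from=" accounting)
        fields = dict(FIELD_RE.findall(rest))
        handoff = HANDOFF_RE.match(status.group(2))
        entry["deliveries"].append({
            "recipient": fields.get("to"),
            "original": fields.get("orig_to"),
            "relay": fields.get("relay"),
            "status": status.group(1),
            # command / mailbox / maildir / file, when local(8) says where it went
            "handed_to": handoff.group(1) if handoff else None,
            "target": handoff.group(2) if handoff else None,
        })
    return messages


if __name__ == "__main__":
    for qid, info in trace_queue_ids(MAILLOG).items():
        print(qid, info)
```

Since the last thing Postfix logs here is the handoff to procmail, anything the procmail recipes do with the message afterwards has to be looked for in procmail's own log, if one is configured.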
I never get it. Should the email be deleted because of Eicar if the A/V option is not checked? How do I tell what happens to the email after postfix is done with it?
What's the output of
Code:
netstat -tap
and is Maildir enabled or disabled in your ISPConfig settings?
Code:
Proto Recv-Q Send-Q Local Address              Foreign Address              State       PID/Program name
tcp        0      0 *:mysql                    *:*                          LISTEN      1735/mysqld
tcp        0      0 *:netbios-ssn              *:*                          LISTEN      1892/smbd
tcp        0      0 *:sunrpc                   *:*                          LISTEN      1380/portmap
tcp        0      0 *:ndmp                     *:*                          LISTEN      2410/perl
tcp        0      0 *:hosts2-ns                *:*                          LISTEN      2107/ispconfig_http
tcp        0      0 192.168.69.70:domain       *:*                          LISTEN      6289/named
tcp        0      0 xxxxxxx.com:domain         *:*                          LISTEN      6289/named
tcp        0      0 *:32886                    *:*                          LISTEN      1398/rpc.statd
tcp        0      0 xxxxxxx.com:ipp            *:*                          LISTEN      22728/cupsd
tcp        0      0 *:smtp                     *:*                          LISTEN      18877/master
tcp        0      0 xxxxxxx.com:rndc           *:*                          LISTEN      6289/named
tcp        0      0 *:microsoft-ds             *:*                          LISTEN      1892/smbd
tcp        0      0 *:imaps                    *:*                          LISTEN      1762/dovecot
tcp        0      0 *:pop3s                    *:*                          LISTEN      1762/dovecot
tcp        0      0 *:pop3                     *:*                          LISTEN      1762/dovecot
tcp        0      0 *:imap                     *:*                          LISTEN      1762/dovecot
tcp        0      0 *:http                     *:*                          LISTEN      16767/httpd
tcp        0      0 *:ftp                      *:*                          LISTEN      32534/proftpd: (acc
tcp        0      0 *:ssh                      *:*                          LISTEN      1628/sshd
tcp        0      0 ::1:rndc                   *:*                          LISTEN      6289/named
tcp        0      0 *:https                    *:*                          LISTEN      16767/httpd
tcp        0      0 ::ffff:192.168.69.70:http  dsl88-226-19608.t:instantia  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.69.70:http  host86-134-89-52.:zymed-zpp  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.69.70:http  dsl88-226-19608.:nmasoverip  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.69.70:http  host86-134-89-52.range:gris  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.69.70:http  dsl88-226-19608.ttn:hacl-qs  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.69.70:ssh   rrcs-24-153-135-122.s:54113  ESTABLISHED 27977/0
tcp        0      0 ::ffff:192.168.69.70:http  crawl-66-249-65-135.g:61355  TIME_WAIT   -
and yes. MailDir is enabled as I ended up migrating mail from a different type of mailserver. I do get mail to some accounts.
I should probably add that I have added this to my postfix main.conf:
Code:
smtpd_helo_required = yes
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
#unknown_address_reject_code = 554
#unknown_client_reject_code = 554
#unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
#unknown_relay_recipient_reject_code = 554
#unknown_sender_reject_code = 554
#unknown_virtual_alias_reject_code = 554
#unknown_virtual_mailbox_reject_code = 554
#unverified_recipient_reject_code = 554
#unverified_sender_reject_code = 554
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org,
    permit
I commented some stuff out to see if it helped in allowing mail to come through. Mostly, I just wanted the RBL's but wasn't sure how to put it.