Posted to users@spamassassin.apache.org by Troels Walsted Hansen <tr...@thule.no> on 2004/11/06 18:49:27 UTC
Clam AntiVirus plugin for SpamAssassin 3.x
Hi all,
I created a small plugin using the new plugin API in SpamAssassin 3.x.
The plugin connects to a local ClamAV <http://www.clamav.net/> server
(through TCP) and checks the email for viruses. If a virus is found, it
returns a positive return code to indicate spam and sets the header
"X-Spam-Virus: Yes ($virusname)".
It may seem odd to invoke an antivirus scanner through SpamAssassin, but
it works very well for me so far. It saved me from dealing with Amavisd
(which was quite painful, in all honesty).
This is my first Perl code ever, so be gentle. ;-) The code is public
domain, do whatever you like with it. Note that it requires
File::Scan::ClamAV.
<http://search.cpan.org/%7Ecfaber/File-Scan-ClamAV/lib/File/Scan/ClamAV.pm>
Tested with SpamAssassin 3.0.1, ClamAV 0.80 and courier 0.44.
Regards,
Troels Walsted Hansen
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Monday 08 November 2004 11:35 am, Kelson wrote:
> Brook Humphrey wrote:
> > I already have tested mimedefang and although better than the one clamav
> > uses it was nowhere near as good as ripmime. ripmime deals with the fringe
> > stuff better. That is, things that don't follow standards very well.
>
> Interesting. I'll have to do some testing. We're using MD for a lot of
> other purposes, but if ripmime does handle more cases, it might be worth
> adding another parser....
I can send you my shell scripts for piping these things if you like; they make
it very easy to test different MIME engines.
>
> > As for binhex
> > you will need to get the program for extracting those. It is a mac native
> > binary format that can be extracted but you will need the binhex tools to
> > do so. I never got it working completely but I did find the tools out
> > there to do it. For some reason clamav just doesn't want to deal with it.
>
> Hmmm, I recall it working under clam's extraction but not MD's, but
> looking back at the logs of our most recent testvirus.org run, the
> binhex attachments were caught by File::Scan. We run FS first, then
> anything that passes goes to clamd, which means that MIMEDefang's own
> MIME parser was able to extract it.
>
> Since the MIMEDefang author recently took over maintaining MIME::Tools, I
> went into the changelog, and sure enough, binhex support was added two
> months ago in version 5.412. It looks like it uses a perl module rather
> than the binhex binary.
That would explain it; it has been about 4 or 5 months since I really messed
with this stuff in depth. Speaking of which, I still need to upgrade to 0.80.
>
> (Speaking of the binhex binary, for anyone reading this, Red Hat/Fedora
> includes it in the macutils package.)
Yes, same for Mandrake if I remember correctly.
--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Kelson <ke...@speed.net>.
Brook Humphrey wrote:
> I already have tested mimedefang and although better than the one clamav uses
> it was nowhere near as good as ripmime. ripmime deals with the fringe stuff
> better. That is, things that don't follow standards very well.
Interesting. I'll have to do some testing. We're using MD for a lot of
other purposes, but if ripmime does handle more cases, it might be worth
adding another parser....
> As for binhex
> you will need to get the program for extracting those. It is a mac native
> binary format that can be extracted but you will need the binhex tools to do
> so. I never got it working completely but I did find the tools out there to
> do it. For some reason clamav just doesn't want to deal with it.
Hmmm, I recall it working under clam's extraction but not MD's, but
looking back at the logs of our most recent testvirus.org run, the
binhex attachments were caught by File::Scan. We run FS first, then
anything that passes goes to clamd, which means that MIMEDefang's own
MIME parser was able to extract it.
Since the MIMEDefang author recently took over maintaining MIME::Tools, I
went into the changelog, and sure enough, binhex support was added two
months ago in version 5.412. It looks like it uses a perl module rather
than the binhex binary.
(Speaking of the binhex binary, for anyone reading this, Red Hat/Fedora
includes it in the macutils package.)
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Monday 08 November 2004 10:45 am, Kelson wrote:
> We use MIMEDefang, which extracts attachments itself and can also pass
> the original message to clamd. That way you get the benefit of two MIME
> parsers (MD's and ClamAV's), each with its own quirks, looking for
> attachments to scan. Additionally, there are some attachment types
> ClamAV will extract that, when I last compared the two, MIME::Tools
> (which MD uses) wouldn't. (I think it was BinHex, but it might have
> been something else.) With the amount of invalid mime out there (i.e.
> there's no defined way to extract it, so each parser will attempt error
> recovery differently), it's worth the overlap.
I already have tested mimedefang and although better than the one clamav uses
it was nowhere near as good as ripmime. ripmime deals with the fringe stuff
better. That is, things that don't follow standards very well. As for binhex
you will need to get the program for extracting those. It is a Mac native
binary format that can be extracted but you will need the binhex tools to do
so. I never got it working completely but I did find the tools out there to
do it. For some reason clamav just doesn't want to deal with it.
RE: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Matt Kettler <mk...@evi-inc.com>.
At 11:39 AM 11/9/2004, Bret Miller wrote:
> > These problems were fixed a while ago. Don't know what you are running, but
> > we're running 0.80 clamav-milter with clamd, no unpacking problems, and
> > I would say with as much confidence as possible that nothing gets by it.
>
>I have to agree. I've been running ClamAV as our primary scanner with
>F-Prot behind it for a couple months. I had a couple of worms get
>through to F-Prot one day-- most likely F-Prot got their definition
>update out before Clam did.
>
>Overall, Clam seems to be catching more than F-Prot did. I state that
>based on the number of messages that get rejected based on attachment
>type. That's been much less since implementing ClamAV as the scanner.
I agree entirely. ClamAV works quite well.
I run ClamAV in parallel with "brand X" AV (commercial product, ICSA
certified, etc.) on MailScanner. I'm going to restrict the naming to brand
X because this is largely about how well ClamAV works, not about how well
brand X works.
Every email gets scanned by both scanners, which gives me a great ability
to compare the two. I can definitely prove that clam works quite well, very
comparable to the commercial product in an email-scanning environment.
Below are some of my statistics. These are live statistics based on
scan-as-it-arrives performance.
clamav 0.80 updated hourly with freshclam using DNS queries.
"brand X" AV updated 8 times a day with wget (every 2 hours from 8am to
4pm, every 4 hours outside that)
Note: clamav performs well, but it is updated more frequently, giving it an
inherent edge. Then again, freshclam's lightweight nature makes this possible.
Also, over 75% of the difference between the two scanners is attributable to
clamav detecting phishing scams, which aren't really viruses.
"brand X" also doesn't seem to have built-in support for scanning HTML code for
trojan javascripts such as zerolin. If you exclude those two, the rest of
the performance difference is easily accounted for by the different update
rate favoring clamav (8 of 506 vs 1 of 506).
Some raw statistics from the past couple weeks:
total infected messages: 708
  ClamAV: caught 699
  "brand X": caught 490
  6 files were caught by neither AV, and detected by filename alone.
    (I pick up a few highly suspect file extensions, such as *.cpl, *.wsh,
    etc. All were 0 byte files from defective viruses, but were obviously
    virus generated based on bagle-ish body text)
  2 messages trapped due to rules prohibiting fragmented mime messages
    (bounces of viruses in these cases)
210 that clam caught but "brand X" missed:
  158 HTML.Phishing.*
  44 Trojan.Dropper.JS.Zerolin-6
  4 Worm.Bagle.AT
  1 Worm.Mydoom.I (in msgXXX.txt file, part of a bounce)
  3 Worm.Bagle.Gen-zippwd
1 that "brand X" caught but ClamAV missed:
  1 W32/Netsky.C@mm (in attached .com file)
No false negatives that carried any real payload were detected during the
sample period, although some 0-byte files obviously generated by a virus
did sneak by, more than the 6 that got caught by filename. Since I don't
expect any virus scanner to detect a virus in a 0-byte file, and the file
I'm not concerned by that.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Tuesday 09 November 2004 10:58 am, Christopher X. Candreva wrote:
> My personal opinion -- if you aren't building from source, basically you
> should be looking for a different AV solution. With Clam it has often been
> necessary in the last few months to run CVS versions to be able to use the
> latest virus updates.
Um, did you read anything I said? I do do my RPMs and I do build from source
quite often. Oden is very good about keeping up and I have no need to
duplicate his efforts. The only reason this is happening is because Mandrake
was frozen for release. As a matter of fact Oden just uploaded the latest
stuff today.
As for anything else, it was not that big a deal as my current setup was
catching about 99% of everything coming through. I set it up to be superior
to begin with, so the only real advantage for upgrading besides handling the
new definition files is the fact that it handles more archive formats by
default. This so far has not been an issue but is very forward looking and is
a nice feature to have before it's needed.
>
> If you are running a 4-5 month old version of Clam, it is going to miss a
> lot of recent viruses. You may not even be able to update your database any
> more, as the older database format has been retired.
Covered this in the above.
>
> If nothing else, a new database update mechanism has been introduced,
> where the DB version is distributed via a DNS record to reduce the load on
> the virus database mirrors. You'll be doing the Clam team a big favor by
> moving to 0.80 soon.
Yes and this is a very good thing also. System is already updated. Now if I
can just get this plugin to work.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Tuesday 09 November 2004 11:41 am, Cirelle Enterprises wrote:
> also, they just might black list your freshclam server and you won't be
> getting any updates
>
> greg
Got new updates about an hour ago after my update. I guess they unlocked
uploads just in time. Hopefully Mandrake will push this out as a mandatory
upgrade or there will be a lot of very unhappy users out there.
Matter of fact, I'm off to make sure this happens.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Kelson <ke...@speed.net>.
Cirelle Enterprises wrote:
> also, they just might black list your freshclam server and you won't be
> getting any updates
Only if you're checking for updates more than once an hour.
Repeat: ONLY if you're checking more than once an hour. They've always
asked that you check less frequently than that, just to keep the servers
available. All they're doing now is enforcing it.
Now, if you run 0.80 and enable the DNS-based updates for freshclam,
then it only does a DNS check to see if there's a new DB. If you run
*that* more than once an hour, it won't actually hit the web server
unless DNS says there's an update, so there's no problem.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Cirelle Enterprises <gc...@cirelle.com>.
----- Original Message -----
From: "Christopher X. Candreva" <ch...@westnet.com>
To: <us...@spamassassin.apache.org>
Sent: Tuesday, November 09, 2004 1:58 PM
Subject: Re: Clam AntiVirus plugin for SpamAssassin 3.x
| On Tue, 9 Nov 2004, Brook Humphrey wrote:
|
| > I also have not upgraded to .8 yet since I am a maintainer for Mandrake
| > and we just got done with a release cycle and so Cooker has been
| > locked for new apps. I'm also not the maintainer for clamav and would
| > rather wait for the official maintainer's rpm.
<snip>
| If nothing else, a new database update mechanism has been introduced, where
| the DB version is distributed via a DNS record to reduce the load on the
| virus database mirrors. You'll be doing the Clam team a big favor by moving
| to 0.80 soon.
|
Also, they just might blacklist your freshclam server and you won't be
getting any updates.
greg
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Tue, 9 Nov 2004, Brook Humphrey wrote:
> I also have not upgraded to .8 yet since I am a maintainer for Mandrake
> and we just got done with a release cycle and so Cooker has been
> locked for new apps. I'm also not the maintainer for clamav and would
> rather wait for the official maintainer's rpm.
My personal opinion -- if you aren't building from source, basically you
should be looking for a different AV solution. With Clam it has often been
necessary in the last few months to run CVS versions to be able to use the
latest virus updates.
If you are running a 4-5 month old version of Clam, it is going to miss a
lot of recent viruses. You may not even be able to update your database any
more, as the older database format has been retired.
If nothing else, a new database update mechanism has been introduced, where
the DB version is distributed via a DNS record to reduce the load on the
virus database mirrors. You'll be doing the Clam team a big favor by moving
to 0.80 soon.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Jim Maul <jm...@elih.org>.
Brook Humphrey wrote:
> On Monday 08 November 2004 05:06 pm, Christopher X. Candreva wrote:
>
>>These problems were fixed a while ago. Don't know what you are running,
>>but we're running 0.80 clamav-milter with clamd, no unpacking problems, and
>>I would say with as much confidence as possible that nothing gets by it.
>
> I also have not upgraded to .8 yet since I am a maintainer for Mandrake and we
> just got done with a release cycle and so Cooker has been locked for new
> apps. I'm also not the maintainer for clamav and would rather wait for the
> official maintainer's rpm.
If you are waiting for an rpm from the clamav developers you're going to
be waiting a while... like forever. There are rpms of 0.80 available,
just not from the clamav team. Check
http://www.clamav.net/binary.html#pagestart for more info.
-Jim
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Monday 08 November 2004 05:06 pm, Christopher X. Candreva wrote:
> These problems were fixed a while ago. Don't know what you are running,
> but we're running 0.80 clamav-milter with clamd, no unpacking problems, and
> I would say with as much confidence as possible that nothing gets by it.
Yes, I've been busy cleaning systems and making PE CDs for cleaning under
Windows. I have not seriously worked on my mail server solution for about 4
or 5 months.
I also have not upgraded to .8 yet since I am a maintainer for Mandrake and we
just got done with a release cycle and so Cooker has been locked for new
apps. I'm also not the maintainer for clamav and would rather wait for the
official maintainer's rpm.
RE: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Bret Miller <br...@wcg.org>.
> > Well yes, although this is true, your accuracy goes out the door. The
> > problem with clamd is that the built in mime parser is really bad and it
> > also does not do a good job of unpacking attachments even if you have the
> > flag set to scan mail.
>
> These problems were fixed a while ago. Don't know what you are running, but
> we're running 0.80 clamav-milter with clamd, no unpacking problems, and
> I would say with as much confidence as possible that nothing gets by it.
I have to agree. I've been running ClamAV as our primary scanner with
F-Prot behind it for a couple months. I had a couple of worms get
through to F-Prot one day-- most likely F-Prot got their definition
update out before Clam did.
Overall, Clam seems to be catching more than F-Prot did. I state that
based on the number of messages that get rejected based on attachment
type. That's been much less since implementing ClamAV as the scanner.
Bret
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Sat, 6 Nov 2004, Brook Humphrey wrote:
> Well yes, although this is true, your accuracy goes out the door. The problem
> with clamd is that the built in mime parser is really bad and it also does
> not do a good job of unpacking attachments even if you have the flag set to
> scan mail.
These problems were fixed a while ago. Don't know what you are running, but
we're running 0.80 clamav-milter with clamd, no unpacking problems, and
I would say with as much confidence as possible that nothing gets by it.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Kelson <ke...@speed.net>.
Brook Humphrey wrote:
> Well yes, although this is true, your accuracy goes out the door. The problem
> with clamd is that the built in mime parser is really bad and it also does
> not do a good job of unpacking attachments even if you have the flag set to
> scan mail.
We use MIMEDefang, which extracts attachments itself and can also pass
the original message to clamd. That way you get the benefit of two MIME
parsers (MD's and ClamAV's), each with its own quirks, looking for
attachments to scan. Additionally, there are some attachment types
ClamAV will extract that, when I last compared the two, MIME::Tools
(which MD uses) wouldn't. (I think it was BinHex, but it might have
been something else.) With the amount of invalid mime out there (i.e.
there's no defined way to extract it, so each parser will attempt error
recovery differently), it's worth the overlap.
Re: change header content
Posted by Theo Van Dinter <fe...@kluge.net>.
On Mon, Nov 08, 2004 at 12:22:11PM +0100, Roel Bindels wrote:
> Does anyone know how to change the "X-Spam-Checker-Version" content to
> something else? It currently shows my full server name, but I would like it
> to say the company's name.
You can set "report_hostname" to replace the _HOSTNAME_ macro, but you
can't change the content of the header.
--
Randomly Generated Tagline:
If firefighters fight fire, and crimefighters fight crime, what do
freedomfighters fight?
change header content
Posted by Roel Bindels <Ro...@protomation.com>.
Dear Listers,
Does anyone know how to change the "X-Spam-Checker-Version" content to
something else? It currently shows my full server name, but I would like it
to say the company's name.
greetings
Roel
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Sam Nilsson <sa...@servingpeace.com>.
Brook Humphrey wrote:
> In my case I run a shell script that uses ripmime and then takes the parts and
> scans them. My detection rate is about 2-3 times higher using this method
> instead. I have tried different mime extracting proggies (about 4 or 5, all I
> could find at the time) and ripmime has by far the best mime support of any
> of them. Some of them were actually worse than the one built into clamav.
Did you happen to compare amavisd-new with ripmime? One of the nice
things about amavisd-new is that it handles unpacking the message *and*
runs fast.
- Sam Nilsson
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Saturday 06 November 2004 01:00 pm, SA wrote:
> I have a question here. Doesn't that require clamav to load the virus
> signatures each time? If so, it would be pretty inefficient and
> resource-hungry. Wouldn't the combination of
> courier-maildrop/clamassassin and clamdscan be a lot faster since the
> clamd daemon keeps the virus.db loaded?
Well yes, although this is true, your accuracy goes out the door. The problem
with clamd is that the built in mime parser is really bad and it also does
not do a good job of unpacking attachments even if you have the flag set to
scan mail.
In my case I run a shell script that uses ripmime and then takes the parts and
scans them. My detection rate is about 2-3 times higher using this method
instead. I have tried different mime extracting proggies (about 4 or 5, all I
could find at the time) and ripmime has by far the best mime support of any
of them. Some of them were actually worse than the one built into clamav.
So in the end the choice is yours: better detection or more speed. In my case,
as well as anybody who really cares about what gets through the server, you
really have to choose better security.
Now if at some time in the future clamav starts using ripmime like they have
talked about, and if it does a better job of unpacking things, then of course
it would be better to use clamd.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Troels Walsted Hansen <tr...@thule.no>.
SA wrote:
>On Sat, 2004-11-06 at 09:49, Troels Walsted Hansen wrote:
>
>
>>Hi all,
>>
>>I created a small plugin using the new plugin API in SpamAssassin 3.x.
>>The plugin connects to a local ClamAV server (through TCP) and checks
>>the email for viruses. If a virus is found, it returns a positive return
>>code to indicate spam and sets the header "X-Spam-Virus: Yes
>>($virusname)".
>>
>>
>I have a question here. Doesn't that require clamav to load the virus
>signatures each time? If so, it would be pretty inefficient and
>resource-hungry. Wouldn't the combination of
>courier-maildrop/clamassassin and clamdscan be a lot faster since the
>clamd daemon keeps the virus.db loaded?
>
>
The plugin connects to a running clamd daemon through a TCP socket and
submits the mail for checking through the socket. It doesn't invoke
clamscan or clamdscan from the commandline at all.
Using the UNIX socket that clamd listens on might be slightly more
efficient, I haven't tested that.
Troels
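The two posts above describe what the plugin does on the wire: it hands the whole message to an already running clamd over a TCP socket, gets back OK, FOUND or an error, and turns that into the X-Spam-Virus header. The following is an added example, not Troels's plugin or File::Scan::ClamAV: a Python client that speaks clamd's INSTREAM command (the stream command current clamd versions accept; the 2004-era module used the older STREAM handshake), parses the reply the same three ways the plugin does, and is exercised against a constructed in-process fake clamd so it runs offline. The marker string, sample messages and fake daemon are constructed for the demo; the header values mirror the plugin's.

```python
import socket
import struct
import threading

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # what the fake clamd below flags (constructed, not a real signature)
CLEAN_MSG = b"From: a@example.com\r\nSubject: hi\r\n\r\nhello\r\n"  # constructed sample
INFECTED_MSG = CLEAN_MSG + MARKER + b"\r\n"  # constructed sample

def _read_exact(conn, n):
    # Read exactly n bytes, failing if the peer closes early.
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-message")
        buf += part
    return buf

def _read_reply(conn):
    # z-prefixed clamd commands get a NUL-terminated reply; read up to that NUL.
    buf = b""
    while not buf.endswith(b"\0"):
        buf += _read_exact(conn, 1)
    return buf[:-1].decode("utf-8", "replace")

def send_instream(sock, data, chunk_size=8192):
    # INSTREAM wire format: "zINSTREAM\0", <4-byte network-order length><chunk>..., then a zero length.
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))

def parse_reply(reply):
    # "stream: OK" -> ("OK", None); "stream: <name> FOUND" -> ("FOUND", name); "<msg> ERROR" -> ("ERROR", msg).
    # Anything unrecognised is an error, never "clean": fail closed like the plugin's error branch.
    reply = reply.strip("\0 \r\n")
    _, _, status = reply.partition(": ")
    if status == "OK":
        return ("OK", None)
    if status.endswith(" FOUND"):
        return ("FOUND", status[:-len(" FOUND")])
    if reply.endswith(" ERROR"):
        return ("ERROR", reply[:-len(" ERROR")])
    return ("ERROR", "unexpected reply: " + reply)

def scan_message(host, port, data, timeout=5.0):
    # Stream one whole message to clamd; socket failures map to the plugin's error branch.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            send_instream(s, data)
            return parse_reply(_read_reply(s))
    except OSError as exc:
        return ("ERROR", str(exc))

def spam_virus_header(code, detail):
    # Same X-Spam-Virus value the plugin writes for each outcome.
    if code == "FOUND":
        return "Yes (%s)" % detail
    return "No" if code == "OK" else "Error (%s)" % detail

def _fake_handle(conn):
    # Stand-in for clamd that speaks only INSTREAM and "detects" MARKER; constructed for the demo.
    with conn:
        if _read_exact(conn, 10) != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (n,) = struct.unpack("!I", _read_exact(conn, 4))
            if n == 0:
                break
            body += _read_exact(conn, n)
        conn.sendall(b"stream: Constructed.Test.Marker FOUND\0" if MARKER in body else b"stream: OK\0")

def start_fake_clamd():
    # Serve the fake on an ephemeral loopback port from a daemon thread; return the port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_fake_handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    # Clean message, flagged message, and a port nobody listens on (clamd down).
    port = start_fake_clamd()
    dead = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dead.bind(("127.0.0.1", 0))  # bound but never listen()ed, so connections are refused
    return {
        "clean": scan_message("127.0.0.1", port, CLEAN_MSG),
        "infected": scan_message("127.0.0.1", port, INFECTED_MSG),
        "down": scan_message("127.0.0.1", dead.getsockname()[1], b"x"),
    }
```

Point scan_message at a real clamd (127.0.0.1:3310 by default) to use it for real; the "down" case is why the plugin records "Error (...)" rather than "No" when clamd is unreachable.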
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message -----
From: "marti" <ma...@ntlworld.com>
> |I have a question here. Doesn't that require clamav to load
> |the virus signatures each time? If so, it would be pretty
> |inefficient and resource-hungry. Wouldn't the combination of
> |courier-maildrop/clamassassin and clamdscan be a lot faster
> |since the clamd daemon keeps the virus.db loaded?
> |--
>
> If the virus.db is always loaded, and assuming long uptimes, which *nix is
> good at, your virus definitions could be well out of date before they are
> next loaded; it seems logical to load them on the fly to me.
Running ClamAV as a daemon (clamd) is much more efficient than running
non-daemonized (clamscan), and clamd can be configured to check its virus
definitions for updates periodically:
# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
SelfCheck 1800
Bill
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Troels Walsted Hansen <tr...@thule.no>.
marti wrote:
>If the virus.db is always loaded, and assuming long uptimes, which *nix is
>good at, your virus definitions could be well out of date before they are
>next loaded; it seems logical to load them on the fly to me.
>
>
The standard installation of ClamAV features a cron script that
downloads updated virus definitions regularly, and signals the running
clamd daemon to reload the database.
Troels
RE: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by marti <ma...@ntlworld.com>.
|>
|I have a question here. Doesn't that require clamav to load
|the virus signatures each time? If so, it would be pretty
|inefficient and resource-hungry. Wouldn't the combination of
|courier-maildrop/clamassassin and clamdscan be a lot faster
|since the clamd daemon keeps the virus.db loaded?
|--
If the virus.db is always loaded, and assuming long uptimes, which *nix is
good at, your virus definitions could be well out of date before they are
next loaded; it seems logical to load them on the fly to me.
Martin
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by SA <rl...@paradigm-omega.com>.
On Sat, 2004-11-06 at 09:49, Troels Walsted Hansen wrote:
> Hi all,
>
> I created a small plugin using the new plugin API in SpamAssassin 3.x.
> The plugin connects to a local ClamAV server (through TCP) and checks
> the email for viruses. If a virus is found, it returns a positive return
> code to indicate spam and sets the header "X-Spam-Virus: Yes
> ($virusname)".
>
> It may seem odd to invoke an antivirus scanner through SpamAssassin,
> but it works very well for me so far. It saved me from dealing with
> Amavisd (which was quite painful, in all honesty).
>
> This is my first Perl code ever, so be gentle. ;-) The code is public
> domain, do whatever you like with it. Note that it requires
> File::Scan::ClamAV. Tested with SpamAssassin 3.0.1, ClamAV 0.80 and
> courier 0.44.
>
I have a question here. Doesn't that require clamav to load the virus
signatures each time? If so, it would be pretty inefficient and
resource-hungry. Wouldn't the combination of
courier-maildrop/clamassassin and clamdscan be a lot faster since the
clamd daemon keeps the virus.db loaded?
--
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
http://www.paradigm-omega.com/
====================================================================
Spambots are welcome at http://paradigm-omega.net/cgi-bin/custmail.cgi
====================================================================
Do unto others before others do unto you.
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Troels Walsted Hansen <tr...@thule.no>.
Brook Humphrey wrote:
>>This is my first Perl code ever, so be gentle. ;-) The code is public
>>domain, do whatever you like with it. Note that it requires
>>File::Scan::ClamAV.
>><http://search.cpan.org/%7Ecfaber/File-Scan-ClamAV/lib/File/Scan/ClamAV.pm>
>>Tested with SpamAssassin 3.0.1, ClamAV 0.80 and courier 0.44.
>>
>>
>I put this into the plugin directory and then the cf file with my others
>under /etc/mail/spamassassin but I get an error that it is unable to load the
>clamav plugin. This is the first time I have tried to work with one; am I
>missing something?
>
>
Hmm. Do you have File::Scan::ClamAV installed?
If yes, could you try "spamassassin -D" and locate any debug messages
mentioning the ClamAV plugin?
Troels
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Brook Humphrey <ba...@webmedic.net>.
On Saturday 06 November 2004 09:49 am, Troels Walsted Hansen wrote:
> Hi all,
>
> I created a small plugin using the new plugin API in SpamAssassin 3.x.
> The plugin connects to a local ClamAV <http://www.clamav.net/> server
> (through TCP) and checks the email for viruses. If a virus is found, it
> returns a positive return code to indicate spam and sets the header
> "X-Spam-Virus: Yes ($virusname)".
>
> It may seem odd to invoke an antivirus scanner through SpamAssassin, but
> it works very well for me so far. It saved me from dealing with Amavisd
> (which was quite painful, in all honesty).
>
> This is my first Perl code ever, so be gentle. ;-) The code is public
> domain, do whatever you like with it. Note that it requires
> File::Scan::ClamAV.
> <http://search.cpan.org/%7Ecfaber/File-Scan-ClamAV/lib/File/Scan/ClamAV.pm>
> Tested with SpamAssassin 3.0.1, ClamAV 0.80 and courier 0.44.
I put this into the plugin directory and then the cf file with my others
under /etc/mail/spamassassin but I get an error that it is unable to load the
clamav plugin. This is the first time I have tried to work with one; am I
missing something?
>
> Regards,
> Troels Walsted Hansen
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Cameron Bales wrote:
> <snip plugin code>
>
> Could the plugin on the page:
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> have some sort of version number/date attached so we could easily know
> what version we are talking about on the list, and if additions
> mentioned on the list have been incorporated?
Sure, you could put a version number in the code/comments in innumerable
ways.
Justin and I haven't really been talking about the plugin itself,
anyway, just about how plugins handle adding custom headers.
> Is the plugin mentioned above a direct replacement for clamav.pm from
> the wiki? Daryl - I think this version of the code is yours; if it is
> a direct replacement for the version on the wiki would you like to
> replace it there? Shall I? I know hardly anything about perl so I
> don't know the common ways to notate versions or author history in
> files like this.
First, the plugin is Troels Hansen's, all credit goes to him. The only
suggestion I made to his code was to add the X-Spam-Virus header to both
spam and ham (it originally only added it to spam). The version you
just re-posted, by replying to my old post, is where I made and
implemented that suggestion.
Troels' next post after mine indicated that he implemented the same
thing in a slightly different way and uploaded it to the wiki. The wiki
version IS the current version, although both the version you reposted
and the wiki version are functionally equivalent.
Daryl
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Cameron Bales <cb...@gmail.com>.
> > package ClamAV;
> > use strict;
> > use Mail::SpamAssassin;
> > use Mail::SpamAssassin::Plugin;
> > use File::Scan::ClamAV;
> > our @ISA = qw(Mail::SpamAssassin::Plugin);
> >
> > sub new {
> >   my ($class, $mailsa) = @_;
> >   $class = ref($class) || $class;
> >   my $self = $class->SUPER::new($mailsa);
> >   bless ($self, $class);
> >   # expose check_clamav() as an eval rule, to be used from a "full" rule
> >   $self->register_eval_rule ("check_clamav");
> >   return $self;
> > }
> >
> > sub check_clamav {
> >   my ($self, $permsgstatus, $fulltext) = @_;
> >   # $fulltext is a reference to the complete message (headers and body)
> >   my $av = new File::Scan::ClamAV(port => 3310);
> >   my ($code, $virus) = $av->streamscan(${$fulltext});
> >   if(!$code) {
> >     # clamd unreachable or scan failed: record the error, do not mark as spam
> >     my $errstr = $av->errstr();
> >     Mail::SpamAssassin::Plugin::dbg("ClamAV: Error scanning: $errstr");
> >     $permsgstatus->{main}->{conf}->{headers_spam}->{"Virus"} = "Error ($errstr)";
> >     $permsgstatus->{main}->{conf}->{headers_ham}->{"Virus"} = "Error ($errstr)";
> >   } elsif($code eq 'OK') {
> >     Mail::SpamAssassin::Plugin::dbg("ClamAV: No virus detected");
> >     $permsgstatus->{main}->{conf}->{headers_spam}->{"Virus"} = "No";
> >     $permsgstatus->{main}->{conf}->{headers_ham}->{"Virus"} = "No";
> >   } elsif($code eq 'FOUND') {
> >     # set the header in both hashes so it appears whether or not
> >     # the message ends up classified as spam
> >     Mail::SpamAssassin::Plugin::dbg("ClamAV: Detected virus: $virus");
> >     $permsgstatus->{main}->{conf}->{headers_spam}->{"Virus"} = "Yes ($virus)";
> >     $permsgstatus->{main}->{conf}->{headers_ham}->{"Virus"} = "Yes ($virus)";
> >     return 1;
> >   }
> >   return 0;
> > }
> >
> > 1;
Could the plugin on the page:
http://wiki.apache.org/spamassassin/ClamAVPlugin
have some sort of version number/date attached so we could easily know
what version we are talking about on the list, and if additions
mentioned on the list have been incorporated?
Is the plugin mentioned above a direct replacement for clamav.pm from
the wiki? Daryl - I think this version of the code is yours; if it is
a direct replacement for the version on the wiki, would you like to
replace it there? Shall I? I know hardly anything about perl so I
don't know the common ways to notate versions or author history in
files like this.
Cameron .:.
--
Cameron Bales .:.
www.bales.ca cbales@gmail.com cameron@bales.ca
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Troels Walsted Hansen wrote:
> I created a small plugin using the new plugin API in SpamAssassin 3.x.
> The plugin connects to a local ClamAV server (through TCP) and checks
> the email for virus. If a virus is found, it returns a positive return
> code to indicate spam and sets the header "X-Spam-Virus: Yes
> ($virusname)".
Well sort of. The headers only get set if the message ends up being
classified as spam. If you receive a virus from a whitelisted user, or
in a message that would otherwise score less than -5.0 (at least with
the default score CLAMAV 10), the X-Spam-Virus: Yes ($virus) header
won't be added since the headers are only added to %headers_spam. Of
course, clean messages won't have a header added in ham messages either.
Adding the "Virus" headers to the headers_ham hash, as in the attached
file, corrects this.
Otherwise a pretty cool plugin for those who can't for whatever reason
do it another way.
Daryl
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by Troels Walsted Hansen <tr...@thule.no>.
Daryl C. W. O'Shea wrote:
> Well sort of. The headers only get set if the message ends up being
> classified as spam. If you receive a virus from a whitelisted user, or
> in a message that would otherwise score less than -5.0 (at least with
> the default score CLAMAV 10), the X-Spam-Virus: Yes ($virus) header
> won't be added since the headers are only added to %headers_spam. Of
> course, clean messages won't have a header added in ham messages either.
>
> Adding the "Virus" headers to the headers_ham hash, as in the attached
> file, corrects this.
You're perfectly right, of course. I did notice this problem, but I
wasn't aware of headers_ham so I didn't find a way to fix it. In fact I
was wondering about the legality of manipulating
$permsgstatus->{main}->{conf} from a plugin. Is it considered bad practice?
I was expecting a $permsgstatus->add_header() function or similar, and
when I didn't find one I grepped the SA source until I found an alternative
way to add headers to the mail.
Thanks for your fix!
> Otherwise a pretty cool plugin for those who can't for whatever reason
> do it another way.
Thank you.
Troels
Sa-LEARN error, and no debugging messages.
Posted by hi...@free.fr.
I have 2 users which classify their messages as ham and spam.
Two new directories have been created :
SPAM-NON-DETECTED
HAM
The non-detected spam is transferred (no bounce, no forward) to SPAM-NON-DETECTED.
The detected spam which isn't in fact SPAM is transferred (no bounce, no forward)
to HAM.
What sa-learn line do I have to run in order for sa-learn to perform correctly?
I'm asking this because I get an ERROR line at the end. Even if I add a "-D" in
the sa-learn line, I still get the error WITHOUT any debugging messages!!!
---------------------------------------------------------------------------------
Another question regarding sa-learn: it is sad that you have to specify the
path to the directory... BUT the HAM and SPAM-NON-DETECTED folders are
files...
/hitete
Re: Clam AntiVirus plugin for SpamAssassin 3.x
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Troels Walsted Hansen wrote:
> You're perfectly right, of course. I did notice this problem, but I
> wasn't aware of headers_ham so I didn't find a way to fix it. In fact
> I was wondering about the legality of manipulating
> $permsgstatus->{main}->{conf} from a plugin. Is it considered bad
> practice?
As far as I know it's the only way, although I haven't really looked
into it. Not much to go by example wise since plugins are new for v3.
> I was expecting a $permsgstatus->add_header() function or similar, and
> when I didn't find I grepped the SA source until I found an
> alternative way to add headers to the mail.
That would make sense as it would prevent you from overwriting another
plugin's (arbitrarily defined / self-chosen) headers. You may want to
make a request in the bugzilla at bugzilla.spamassassin.org if nobody
else on the list has a better idea.
> Thanks for your fix!
No problem.
Daryl