Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: max on May 14, 2004, 08:45:28 PM
-
I am running SME 5.6 and I just installed clamd and spamassassin, etc. Almost everything is happy, except we have customers send us password-protected zip files all the time that we need to get. Clam is sticking them in the "problems" directory, however. I tried to turn off scanning for zip files (I know this might be considered dangerous but I think the risk for us is acceptable) but no luck.
Can someone help please?
-
Also, I forgot to mention, I have been re-injecting them by hand, but that will not work long term.
-
I was just getting ready to post on a similar concern, so since it's related:
Is anybody concerned that the clamd + amavis-ng + spamassassin install by Swertz consistently fails server tests at http://www.testvirus.org? I really like the way he does his howtos, but I need some help tightening this up a bit. Using the Swertz scripts the default configuration on SME 6.0, 6.01, and the custom ISO, clamd + amavis-ng fails these tests:
Test #5: Eicar virus sent using BinHex encoding
Test #8: Eicar virus sent using BinHex encoding within a MIME segment
Test #12: Eicar virus within a password protected ZIP file **New
Test #19: Eicar virus within zip file hidden using the "Blank Folding Vulnerability"
Test #20: Eicar virus within zip file hidden using the "MIME Boundary Space Gap Vulnerability"
Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary Vulnerability"
Test #22: Eicar virus within zip file hidden using the "MIME Continuation Vulnerability"
Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
Test #25: Attachment with a CLSID extension which may hide the real file extension. This does not include Eicar virus, but your mail server still must block this since it can hide the true extension of a file.
clamd + amavis-ng definitely catches the bulk and most common of them, but I'd like to be a little closer to 100%. #12, the encrypted password zip file, really concerns me because SME is my first line of virus defense for some non-profits. The 2nd line of defense is Panda Software running protection on the PCs and Exchange Server. They catch #8 and #22, leaving me vulnerable still to #5, #12, #19-21, #23-25. Thanks for any suggestions. Rex
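
Added example (not part of the original thread, and not ClamAV or amavis-ng code): both posts above turn on password-protected ZIPs, which a gateway cannot look inside, so this sketch shows how a filter can recognise them from the ZIP "encrypted" flag and quarantine them unless the sender is on an allow list, instead of switching off ZIP scanning altogether. The function names, the routing labels and the sample addresses are assumptions made for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag, bit 0: entry is encrypted


def make_zip(encrypted):
    """Constructed sample: a one-file ZIP, optionally flagged as encrypted.

    Only the header flag is set (payload is not really encrypted); that is
    all a scanner needs to see to know it cannot inspect the entry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 in the local header and at offset 8
        # in the central directory record.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig) + off
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


def encrypted_entries(data):
    """Return the names of entries the scanner would be unable to open."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def route(sender, attachment, allow):
    """Hypothetical gateway policy: 'scan', 'quarantine' or 'deliver-unscanned'."""
    if not zipfile.is_zipfile(io.BytesIO(attachment)):
        return "scan"                # not a ZIP: normal scanning path
    try:
        locked = encrypted_entries(attachment)
    except zipfile.BadZipFile:
        return "quarantine"          # malformed archive, cannot be inspected
    if not locked:
        return "scan"                # ordinary ZIP: scanner can unpack it
    # Sender addresses can be forged, so this exemption is an accepted risk
    # and is kept as narrow as possible (encrypted ZIPs only).
    return "deliver-unscanned" if sender.lower() in allow else "quarantine"
```

With this policy, ordinary ZIPs are still unpacked and scanned; only encrypted archives from listed senders bypass the scanner, and desktop antivirus remains the check once the recipient decrypts them.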
-
Here is a good reason to upgrade to v6.0 or v6.0.1 (they are very similar to v5.6 anyway).
Get rid of 99% of incoming viruses and reduce spam by around 75% using the following 2 HOWTOS.
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
and
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
Regs
Ray
-
Thanks! The mails were from people on my http://freeinternet.250free.com allow list...