Forums & Blog

Didnt  I read in previous posts that SA doesnt delete the message though if CLAMAV finds a virus it simply marks it?

If you are using SMSPAMC to call SA, you can get it to delete messages that are flagged as viruses.  I choose to move them to a folder so I can review them though.

If you're not using SMSpamC, you should be!  I've found it much more efficient at calling SA than the built in client.

 

Just need to put a few lines in the SMSpamC.ini

To delete virus infected messages: 

[Content-Filtering-PostSA]
DeleteIfHeaderContains=X-Spam-Virus: Yes*

 

To move virus infected messages:

[Content-Filtering-PreSA]
MoveToFolder=D:\Data\SmarterMail\Viruses

[Content-Filtering-PostSA]
MoveIfHeaderContains=X-Spam-Virus: Yes*

 

The problem i have is I didnt install the VM on the same server as Smarter mail..... 

Why is that a problem? 

SMSpamc communicates with the SAVASM "machine" in the same way as SM does ... using TCP direct to a specified IP address.  The SAVASM virtual machine can be located anywhere (mine is on a seperate machine).

So do all I have to do to get ClamAV working using the virtual appliance version rather than the smarter mail clamd.exe is to change the ip in the clamav settings from the 127 local one to the ip of my SAVASM server and leave the port as 3310 and tell SM its a remote server and then that will not use the SM clam AV but the SAVASM version, what then happens when the SAVASM clam version finds a virus by default?

Or do I simply remove it from SM and let the SAVASM server take care of it?

As previously mentioned, either option will be fine.

1. If you have SM run the SAVASM Clam, then you should disable it from the SAVASM SA (as described previously in this topic - or the older one, I can't remeber which, but a search will find it for you). In this case, through, you'll be streaming every message twice between SM and SAVASM (once for clam parsing, and then for SA parsing).

2. If you use clam in the default SAVASM way (i.e. as a SA plugin), then messages will only be passed to SAVASM once. Of course, in this way a message will not be automatically deleted if it is labeled as being a virus, but I consider that to be a bad idea anyway. Remember that there is always the possibility of false positives, and that a deleted message is lost forever.

 

Hope I am posting this correctly. Need some help on why SAVASM just starts locking up. My config is clamv OFF, 940 meg mem with, at the time of this log entry, max child=40 (have tried it at 15, 20, 25, 30.......you name it, no change in problem). SA is on it's own dedicated server behind a perimeter ISA firewall.

SA will run flawlessly for DAYS and then, all of a sudden, my SM spool will go from averaging 200 to over 4k.....It just flakes out. Here is a log entry showing what is normally a 1.6 - 3.0 second processing time to 30+ seconds. Note the cannot open bayes datases??? entry. Does that help? I am lost, but the only way to correct is to disable SA in SM and let spool clear out. Restarting spamd, restarting virtual server or host server......no change.

 e Nov 27 04:06:15 2007 [9123] warn: bayes: cannot open bayes databases /home/spamassassin/.spamassassin/bayes_* R/W: lock failed: File exists
Tue Nov 27 04:06:15 2007 [9123] info: spamd: clean message (-2.6/5.0) for (unknown):502 in 38.5 seconds, 35985 bytes.
Tue

 Any help most appreciated.

 

Not really sure what would cause the bayesian I/O problems. You might want to do a more thorough investigation of your logs (including system logs such as /var/log/messages) to see if you can identify some pattern or anything that would indicate what is triggering the problem. You might also want to try the SpamAssassin mailing lists; maybe there is some known bug or issue with the current version of SA that is causing this. If all else fails, you can simply disable the bayesian engine in SpamAssassin, but that should be a last resort. 

 

Thanks for the input!!!!

This /var/log/messages snippet appears to indicate that during my SM full server backup the SA server started wigging out. Then when my backup completed around 4:45am spamd shutdown. You can then see I did a restart at 08:22 am and all was well, appearingly. Does that point to anything?

 

ov 26 23:30:05 savasm kernel: smb_retry: no connection process
Nov 26 23:30:35 savasm kernel: smb_add_request: request [c9be6e00, mid=0] timed out!
Nov 26 23:30:35 savasm kernel: smb_delete_inode: could not close inode 2
Nov 26 23:30:35 savasm mount.smbfs[27592]: [2007/11/26 23:30:35, 0] client/smbmount.c:send_fs_socket(410)
Nov 26 23:30:35 savasm mount.smbfs[27592]:   mount.smbfs: entering daemon mode for service \\backup1\Spam, pid=27592
Nov 26 23:39:25 savasm kernel: smb_retry: no connection process
Nov 26 23:39:55 savasm kernel: smb_add_request: request [f4f78e00, mid=0] timed out!
Nov 26 23:39:55 savasm kernel: smb_delete_inode: could not close inode 2
Nov 26 23:39:56 savasm mount.smbfs[28076]: [2007/11/26 23:39:56, 0] client/smbmount.c:send_fs_socket(410)
Nov 26 23:39:57 savasm mount.smbfs[28076]:   mount.smbfs: entering daemon mode for service \\backup1\Ham, pid=28076
Nov 27 04:46:23 savasm spamassassin: spamd shutdown succeeded
Nov 27 04:46:24 savasm spamd: [12339] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 0.0.0.0:783: Address already in use
Nov 27 04:46:25 savasm spamd: [12339] warn: server socket setup failed, retry 2: spamd: could not create INET socket on 0.0.0.0:783: Address already in use
Nov 27 04:46:26 savasm spamd: [12339] error: spamd: could not create INET socket on 0.0.0.0:783: Address already in use
Nov 27 04:46:26 savasm spamd: spamd: could not create INET socket on 0.0.0.0:783: Address already in use
Nov 27 04:46:26 savasm spamassassin: spamd startup failed
Nov 27 04:47:00 savasm spamassassin: spamd startup succeeded
Nov 27 04:51:36 savasm spamassassin: spamd shutdown succeeded
Nov 27 04:51:48 savasm spamassassin: spamd startup succeeded
Nov 27 08:22:11 savasm syslogd 1.4.1: restart.
Nov 27 08:22:11 savasm syslog: syslogd startup succeeded

Well, your log seems to indicate some problems with the SMB daemon; during your SM backups, the server is probably under heavy load and notopening network connections properly, so it's upsetting Samba. If you have the bayesian train script enabled, I suggest you disable it (you may run it manually later, when you can keep an eye on it). A problem with that script's execution could explain the bayesian database problems SpamAssassin is having.

 

THANK YOU

I bet that is it. The cron job for baysiantrain is set for 23:30 every day.....right when SM is backing up and when this problem occurrs. I'll change to a time I can watch it and see if manual ends up being best.

THANKS for the evaluation of the log data.

Seeking one last bit of advise and I will hopefuly quit bugging everyone about this....The only message log entry in last 16 hours or so was the baysiantrain fireing off. Do I need to be concerned about the "no connection process" and 30 seconds later the "timed out" entries???

28 05:00:03 savasm kernel: smb_retry: no connection process
Nov 28 05:00:33 savasm kernel: smb_add_request: request [ead19e00, mid=0] timed out!
Nov 28 05:00:33 savasm kernel: smb_delete_inode: could not close inode 2
Nov 28 05:00:33 savasm mount.smbfs[26351]: [2007/11/28 05:00:33, 0] client/smbmount.c:send_fs_socket(410)
Nov 28 05:00:33 savasm mount.smbfs[26351]:   mount.smbfs: entering daemon mode for service \\backup1\Spam, pid=26351
Nov 28 05:05:02 savasm kernel: smb_retry: no connection process
Nov 28 05:05:32 savasm kernel: smb_add_request: request [d8a88e00, mid=0] timed out!
Nov 28 05:05:32 savasm kernel: smb_delete_inode: could not close inode 2
Nov 28 05:05:32 savasm mount.smbfs[26656]: [2007/11/28 05:05:32, 0] client/smbmount.c:send_fs_socket(410)
Nov 28 05:05:32 savasm mount.smbfs[26656]:   mount.smbfs: entering daemon mode for service \\backup1\Ham, pid=26656

Well, it seems that the SAVASM machine is not able to properly connect to your Windows share. This will likely make bayesian updating fail, so if you want to use that, you should try troubleshooting the connection issue.

 

From the host server itself the shares are accessible. I haven't enough linux knowledge to know how to test same from Virutal server. Comman shell attempt is below

> \\backup1\spam
bash: \backup1spam: command not found

 

Sorry I am so ignorant with this, but if you can tell me how to test from the Linux Virtual......I see no reason it should fail since host is having no problems.

 

Thanks AGAIN