Yes, there are two controls for ClamAV. One is the email scanner, which you show in your screenshot. The other is the file server scanner, which I showed.
If you see that you're getting hundreds of emails and that is causing CPU issues then I suggest you look into using some of the antispam configuration settings such as "rbl_blacklist" in postfix. @Nick has a great FAQ to help you through fighting spam on this site. There are also a number of discussions in the forum that give further details. You might also try the greylisting (sp?) for the mail server. I found it to be a bit inconvenient at times but it really reduced the amount of spam coming in.
Mark, I was under the impression that the mail scanner was running as email arrived, so it wouldn't be bogging down the server unless you got a lot of email at once.
So perhaps what you are looking for is the Server/File/Antimalware Scanner? In the app you can set the scan time. See screenshot.
I suspect that the Antimalware Scanner is clamscan and is managed via cron from the GUI.
Nick Howitt wrote:
AFAIK it does go through SpamAssassin, but none of the RBL lists will work as they all look up the ClearSDN server IPs.
Nick, I figured out something that might help others. (Perhaps this is also a stupid rule, as other valid senders might use this, but I haven't found any using this form in the past month's logs.)
I put the following in the SpamAssassin blacklist and now I'm spam-free from those people stuffing the MX backup. I noticed that they always have the same form in the logs:
Following put in the Spamassassin blacklist:
So far in the past 3 days, it's caught and gotten rid of 1200+ spam. It's a shame for the wasted processing and bandwidth but my email client is clean for the first time in weeks.
Maybe this should be cross posted to the forum dealing with Spamassassin?
Out of curiosity, is there a way to run email from the MX backup through SpamAssassin before putting it into the mailbox? Or perhaps have Postfix check MX email coming in through those same checks? I already have Postfix checking RBL lists, and in SpamAssassin it is checking URIBL.
Thanks again for your help.
Here are the maillog lines.
It does look like they pushed the spam to the backup. The first few lines show the clearsdn.com server delivering the spam message. Since each spam message comes from a different domain, it will come through with an OK from the clearsdn.com IP address. :-(
I never would have checked this despite seeing the clearsdn.com in the maillog.
Unbelievable. So probably the firewall was working OK.
Now to figure out how to stop this.
That is very interesting and might be what's going on. Yes, I've been using Clear mail MX as backup.
I read about this over the weekend and about changing some settings in either SpamAssassin or Postfix, but I can't remember which. It flew over my head as I didn't even think about the Clear MX. It was along the lines of making sure that email only came in via the lower MX records. But that screws up if the server goes down for a while. Then all the email goes into the black hole.
I'll collect the maillog info this evening and post.
Thanks in advance for having a look.
I had 22.214.171.124/24 originally in the firewall local but then I removed that since it didn't appear to work. So I put individual lines. Those appear to work. But I'd rather just block the IP range. I do have IP ranges in the list from before, and I assume those work but I can't tell at the moment.
This morning I got a bunch of spam from:
126.96.36.199 > in list
188.8.131.52 > new
184.108.40.206 > new
220.127.116.11 > new
18.104.22.168 > new
22.214.171.124 > new
126.96.36.199 > new
I'm going to add the new in a moment but first here is the list of INPUT DROPs.
Thank you Nick.
I am running ClearOS mail server.
I am assuming the IPs aren't connected as the spam is intermittent. So when the reconnect would happen it should block but it doesn't.
Is there a way that I can check?
I'll look into the ipset. I'm always looking for ways to be more efficient. Thanks again for your help.
Over the past few weeks the number of spam messages has been growing and I've been trying to block the offending IP ranges.
I've been adding the IP ranges into the /etc/clearos/firewall.d/local but it doesn't appear to work.
Example: I put in
But then I still get many spam messages from 188.8.131.52; 184.108.40.206; 220.127.116.11 etc. etc.
When I do the command I can see that 18.104.22.168/24 is included in the INPUT with DROP command.
Since it didn't seem to be working properly, I have now blocked the individual IP addresses. That appears to work however it is somewhat time consuming adding each IP address manually. The subnet notation would be so much more efficient.
Have I done something wrong in the subnet statement in the local file that it doesn't work?
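The two questions running through this thread, whether a subnet entered in /etc/clearos/firewall.d/local actually covers the addresses still showing up in the maillog, and whether the mail is in fact arriving from the backup MX rather than from the spammers' own addresses, can both be checked from the log. The script below is an added example and not code from the thread or from ClearOS. It parses the `client=host[ip]` lines that postfix/smtpd writes, normalises the ranges the way iptables does (a /24 typed with host bits set, such as 22.214.171.124/24, is loaded as 22.214.171.0/24), and reports three things: connections whose client IP lies inside a configured DROP range (if such a line exists at all, the firewall rule did not bite, because the connection reached Postfix), connections that came from the backup MX (the origin-IP blocks can never apply to these), and everything else. The maillog lines and the backup MX address 203.0.113.10 are constructed sample values, not taken from the thread.

```python
import ipaddress
import re

# Constructed: ranges as typed into /etc/clearos/firewall.d/local.
# 22.214.171.124/24 has host bits set; iptables silently normalises it to
# 22.214.171.0/24, and ip_network(strict=False) does the same below.
BLOCKED_RANGES = ["22.214.171.124/24", "18.104.22.168/24"]

# Hypothetical address of the backup MX that relays held mail to us.
BACKUP_MX = "203.0.113.10"

# Constructed postfix maillog lines (not from the thread), in the standard
# "QUEUEID: client=hostname[ip]" form written by postfix/smtpd.
SAMPLE_MAILLOG = """\
Mar  3 08:12:01 mail postfix/smtpd[2231]: 4A1B2C: client=unknown[22.214.171.99]
Mar  3 08:12:05 mail postfix/smtpd[2231]: 4A1B2D: client=unknown[188.8.131.52]
Mar  3 08:13:40 mail postfix/smtpd[2240]: 4A1B2E: client=mx-backup.example.invalid[203.0.113.10]
Mar  3 08:14:02 mail postfix/smtpd[2240]: 4A1B2F: client=unknown[18.104.22.7]
Mar  3 08:15:11 mail postfix/qmgr[1011]: 4A1B2E: from=<spammer@example.invalid>, size=2048, nrcpt=1 (queue active)
"""

# Only smtpd "client=" lines identify the connecting peer; qmgr lines do not.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>[^\[\s]*)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def load_ranges(ranges):
    """Turn the firewall's CIDR strings into network objects, normalised like iptables does."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def parse_clients(log_text):
    """Return (queue_id, client_ip) for every smtpd connection line in the log."""
    found = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            found.append((m.group("qid"), m.group("ip")))
    return found


def classify(log_text, ranges, backup_mx):
    """Sort accepted connections by what the firewall could have done about them."""
    nets = load_ranges(ranges)
    report = {
        "should_have_been_dropped": [],  # inside a DROP range, yet it reached Postfix
        "relayed_by_backup_mx": [],      # origin blocks cannot help; the peer is the relay
        "not_blocked": [],               # outside every configured range
    }
    for _qid, ip in parse_clients(log_text):
        addr = ipaddress.ip_address(ip)
        if ip == backup_mx:
            report["relayed_by_backup_mx"].append(ip)
        elif any(addr in net for net in nets):
            report["should_have_been_dropped"].append(ip)
        else:
            report["not_blocked"].append(ip)
    return report


if __name__ == "__main__":
    print("normalised ranges:", [str(n) for n in load_ranges(BLOCKED_RANGES)])
    for key, ips in classify(SAMPLE_MAILLOG, BLOCKED_RANGES, BACKUP_MX).items():
        print(f"{key}: {ips}")
```

On a real box the sample text would be replaced by the contents of /var/log/maillog. An address listed under `should_have_been_dropped` means the DROP rule is present but something ahead of it in the INPUT chain (an ACCEPT for port 25, for instance) matched first; anything under `relayed_by_backup_mx` has to be dealt with in Postfix or SpamAssassin, as the thread goes on to discuss, because the firewall only ever sees the relay's address.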
Nick Howitt wrote:
For LE, it is in the documentation for LE - https://documentation.clearos.com/content:en_us:7_ug_lets_encrypt#replace_the_self-signed_certificate_for_webconfig. The setting is not backed up, as you say. I wonder if it can be safely but the restore program would need extra functionality to restart the webconfig.
For e-mail, if you use cyrus-imapd, all mail is under /var/spool/imap and /var/lib/imap. The raw mails are under /var/spool/imap and there is a database and other stuff under /var/lib/imap. These can be copied/rsync'd/tar'd across, but it will do everyone at the state of the last mails. If your e-mails have moved on since then, you have a bit of a pickle. You can possibly copy any new e-mails for the user as a backup, can copy in all the old e-mails under /var/spool/imap, but they will all appear as unread and you won't see any where you have replied. Then the new ones you've backed up can probably then be copied in as well, but make sure the files don't duplicate. Be careful manipulating files as the naming is odd as they all end with a . and things don't always go as expected. I think if you edit them you initially lose the trailing ".". Make sure you also copy in the cyrus.* files in each folder or you will have to run "reconstruct" on the mailbox.
I wanted to close this adventure off for now. I changed the self-signed cert as per the link provided. No more messages! Thanks for the link! I'm not sure why I didn't find it myself!
I gave up on the cyrus email extract and told the individual in question that the email was lost. It's a bit of a cop-out but I ran out of patience.
As always, thanks for all your help, Nick. Much appreciated!!
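Nick's warning above about copying a cyrus-imapd spool, that every folder needs its cyrus.* files or `reconstruct` has to be run, and that message files end in a trailing dot that is easy to lose when handling them, lends itself to a quick post-copy audit. The script below is an added example, not code from the thread or from cyrus-imapd. It walks a copied tree the shape of /var/spool/imap, flags folders missing cyrus.header, cyrus.index or cyrus.cache (assumed here to be the minimum set; other cyrus.* files are left unchecked), and flags message files that have lost their trailing dot. The sample tree it builds in a temporary directory is constructed for the demonstration and contains placeholder files, not real mail.

```python
import os
import re
import tempfile

# Index and metadata files cyrus-imapd keeps beside the messages in each folder.
# Assumption: these three are the minimum; if any is missing after a copy, cyrus
# has to rebuild the folder with "reconstruct".
REQUIRED_META = ("cyrus.header", "cyrus.index", "cyrus.cache")

# Cyrus names message files by UID with a trailing dot, e.g. "17."
MESSAGE_RE = re.compile(r"^\d+\.$")
BARE_UID_RE = re.compile(r"^\d+$")   # a UID that has lost its dot


def audit_folder(path):
    """Return a list of problems for one mailbox folder (empty if it looks intact)."""
    problems = []
    names = set(os.listdir(path))
    for meta in REQUIRED_META:
        if meta not in names:
            problems.append(f"missing {meta} (run reconstruct)")
    for name in sorted(names):
        if os.path.isfile(os.path.join(path, name)) and BARE_UID_RE.match(name):
            problems.append(f"message {name} lost its trailing dot")
    return problems


def looks_like_mailbox(filenames):
    """A folder counts as a mailbox if it holds any message or cyrus.* file."""
    return any(
        MESSAGE_RE.match(f) or BARE_UID_RE.match(f) or f.startswith("cyrus.")
        for f in filenames
    )


def audit_mailbox_tree(root):
    """Map each mailbox folder (path relative to root) to its problems; clean folders are omitted."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        if not looks_like_mailbox(filenames):
            continue   # the root or a pure container directory such as "user"
        problems = audit_folder(dirpath)
        if problems:
            report[os.path.relpath(dirpath, root)] = problems
    return report


def build_sample_tree():
    """Constructed stand-in for a copied /var/spool/imap for one user (placeholder files only)."""
    root = tempfile.mkdtemp(prefix="cyrus-audit-")
    layout = {
        "user/alice": ["1.", "2.", *REQUIRED_META],                 # intact
        "user/alice/Sent": ["1.", "cyrus.header", "cyrus.cache"],   # cyrus.index missing
        "user/alice/Archive": ["1.", "2", *REQUIRED_META],          # "2" lost its dot
    }
    for rel, files in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, problems in audit_mailbox_tree(sample_root).items():
        print(folder)
        for p in problems:
            print("  -", p)
```

Run against a real copy, `audit_mailbox_tree("/var/spool/imap")` gives the list of folders to fix before starting cyrus; note that the database side under /var/lib/imap is not covered by this check.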