razor and connection resets?
2007-04-24 15:21:44
I am using an MTA system comprised of postfix, amavisd, spamassassin etc.  I
added pyzor and razor to help with the scoring.  I am real new at this so
please bear with me.  My manager comes to me and tells me that cloudmark.com
keeps doing connection resets against a connection that is no longer in
existence.  The firewall we are using is running in HTTP proxy mode and it
makes sure all HTTP (port 80) traffic is using proper http.  Since razor
seems to use port 80 to make connections out I am wondering if razor is not
actually speaking http or 'proper' http and the firewall is terminating the
connection.  Then maybe cloudmark is resetting the connection on their
end.

Has anyone seen this behavior or can expound on this?

thanks

Doug

-- 
What profits a man if he gains the whole world yet loses his soul?
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: razor and connection resets?
2007-04-24 15:33:31
On Tue, 2007-04-24 at 16:21 -0400, Doug Lochart wrote:
> I am using an MTA system comprised of postfix, amavisd, spamassassin etc.  I
> added pyzor and razor to help with the scoring.  I am real new at this so
> please bear with me.  My manager comes to me and tells me that cloudmark.com
> keeps doing connection resets against a connection that is no longer in
> existence.  The firewall we are using is running in HTTP proxy mode and it
> makes sure all HTTP (port 80) traffic is using proper http.

from the Razor FAQ:

Q: I have a firewall. What ports do I need to open in order for
   Razor2 to work?

   Outgoing TCP port 2703 (Razor2), only.  Previous versions used
   TCP port 7 (echo), but this is no longer used.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: razor and connection resets?
2007-04-24 15:40:50
I failed to look at the FAQ.  I did not know there was one but if I had
looked I would have seen it.  My next sin was trusting my manager when he
said the traffic was going out over port 80.

That being said why would we be seeing connection resets from cloudmark
in our firewall log?

I see from the razor logs that it seems to be working.  At least I see
messages saying that mails are not spam.

thanks

Doug


On 4/24/07, Daniel J McDonald <dan.mcdonald@austinenergy.com> wrote:
>
> On Tue, 2007-04-24 at 16:21 -0400, Doug Lochart wrote:
> > I am using an MTA system comprised of postfix, amavisd, spamassassin etc.  I
> > added pyzor and razor to help with the scoring.  I am real new at this so
> > please bear with me.  My manager comes to me and tells me that cloudmark.com
> > keeps doing connection resets against a connection that is no longer in
> > existence.  The firewall we are using is running in HTTP proxy mode and it
> > makes sure all HTTP (port 80) traffic is using proper http.
>
> from the Razor FAQ:
>
> Q: I have a firewall. What ports do I need to open in order for
>    Razor2 to work?
>
>    Outgoing TCP port 2703 (Razor2), only.  Previous versions used
>    TCP port 7 (echo), but this is no longer used.
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
> Austin Energy
> http://www.austinenergy.com



-- 
What profits a man if he gains the whole world yet loses his soul?

Passed UNCHECKED
2007-04-25 14:52:02
My amavis logs show the following number of Passed UNCHECKED items:

0, 0, 0, 0, 0, 0, 84, 312

That's 84 yesterday and 312 so far today since midnight.

The days with zero have real data, between 12k and 72k entries,
just no Passed UNCHECKED.

Assuming this is not legit email, what did I likely mangle yesterday
to start getting this behavior?

I did not make an amavisd.conf change, it's got to be something in
my sql db.

Thanks,
-mark



Re: Passed UNCHECKED
2007-04-25 15:08:48
> My amavis logs show the following number of Passed UNCHECKED items:
> 
> 0, 0, 0, 0, 0, 0, 84, 312
> 
> That's 84 yesterday and 312 so far today since midnight.
> 
> The days with zero have real data, between 12k and 72k
> entries, just no Passed UNCHECKED.
> 
> Assuming this is not legit email, what did I likely mangle 
> yesterday to start getting this behavior?
> 
> I did not make an amavisd.conf change, it's got to be 
> something in my sql db.
> 

Amavis may be unable to check the message content for a variety of reasons,
such as encrypted archives, unsupported compression methods, etc.  Eg:

amavis[19836]: (19836-04) ...
 ... (!)do_unzip: p002, unsupported compr. method: 99
 ... presenting full original message to scanners as
/var/amavis/tmp/amavis-20070226T083354-19836/parts/p005, 1 undecipherable

amavis[19804]: (19804-09) ...
 ... do_unzip: p002, 1 members are encrypted, none extracted, archive retained
 ... presenting full original message to scanners as
/var/amavis/tmp/amavis-20070226T083012-19804/parts/p005, 1 undecipherable

What are your logs showing in the entries just prior to Passed UNCHECKED ?

MrC
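One way to do the triage MrC asks for, as an added example that is not from the thread or from amavisd itself: group log lines by the amavis task id, attach any do_unzip / undecipherable hints to the Passed UNCHECKED verdict they precede, and keep a per-day count like the one Mark reports. The log lines below are constructed samples in the usual syslog layout; the exact field layout and the function name are assumptions, and a task with no hint before its verdict (Mark's situation at the default log level) is reported as such.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread). The task id in parentheses
# links the unpack hints to the verdict line amavis writes for the same mail.
SAMPLE_LOG = """\
Apr 25 09:12:01 mx1 amavis[19836]: (19836-04) (!)do_unzip: p002, unsupported compr. method: 99
Apr 25 09:12:01 mx1 amavis[19836]: (19836-04) presenting full original message to scanners as /var/amavis/tmp/amavis-20070425T091201-19836/parts/p005, 1 undecipherable
Apr 25 09:12:02 mx1 amavis[19836]: (19836-04) Passed UNCHECKED, [192.0.2.10] <a@example.net> -> <u@example.com>, Message-ID: <1@example.net>, Hits: -
Apr 25 10:00:00 mx1 amavis[19804]: (19804-09) do_unzip: p002, 1 members are encrypted, none extracted, archive retained
Apr 25 10:00:01 mx1 amavis[19804]: (19804-09) presenting full original message to scanners as /var/amavis/tmp/amavis-20070425T100000-19804/parts/p005, 1 undecipherable
Apr 25 10:00:01 mx1 amavis[19804]: (19804-09) Passed UNCHECKED, [198.51.100.7] <b@example.org> -> <u@example.com>, Message-ID: <2@example.org>, Hits: -
Apr 25 10:05:00 mx1 amavis[19810]: (19810-01) Passed CLEAN, [203.0.113.5] <c@example.com> -> <u@example.com>, Message-ID: <3@example.com>, Hits: 0.1
Apr 26 08:00:00 mx1 amavis[19901]: (19901-02) Passed UNCHECKED, [192.0.2.44] <d@example.net> -> <u@example.com>, Message-ID: <4@example.net>, Hits: -
"""

# syslog prefix -> date, amavis task id, and the message text after the id
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d+) [\d:]+ \S+ amavis\[\d+\]: "
    r"\((?P<task>[\d-]+)\) (?P<msg>.*)$")

def unchecked_report(log_text):
    """Return (per-day counts, {task id: [hints]}) for Passed UNCHECKED verdicts."""
    pending = defaultdict(list)   # hints seen before a task's verdict line
    per_day, reasons = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        task, msg = m["task"], m["msg"]
        if "do_unzip" in msg:                     # "... p002, 1 members are encrypted ..."
            pending[task].append(msg.split(", ", 1)[-1])
        elif "undecipherable" in msg:             # "... /parts/p005, 1 undecipherable"
            pending[task].append(msg.rsplit(", ", 1)[-1])
        elif msg.startswith("Passed UNCHECKED"):
            per_day[m["date"]] += 1
            # Mark's case: nothing logged before the verdict at the default log level
            reasons[task] = pending.pop(task, ["no unpack hint at this log level"])
        elif msg.startswith(("Passed ", "Blocked ")):
            pending.pop(task, None)               # other verdicts: hints are irrelevant
    return per_day, reasons

if __name__ == "__main__":
    days, why = unchecked_report(SAMPLE_LOG)
    for day, n in sorted(days.items()):
        print(f"{day}: {n} Passed UNCHECKED")
    for task, hints in why.items():
        print(task, "->", "; ".join(hints))
```

Feed it `/var/log/maillog` (or wherever amavisd logs) in place of SAMPLE_LOG; tasks that come back with no hint are the ones worth re-running at a higher $log_level.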



Re: Passed UNCHECKED
2007-04-25 15:30:29
Mark wrote:

> My amavis logs show the following number of Passed UNCHECKED items:

> 0, 0, 0, 0, 0, 0, 84, 312

> That's 84 yesterday and 312 so far today since midnight.

> The days with zero have real data, between 12k and 72k entries,
> just no Passed UNCHECKED.

> Assuming this is not legit email, what did I likely mangle yesterday
> to start getting this behavior?

> I did not make an amavisd.conf change, it's got to be something in
> my sql db.

> Thanks,
> -mark

Quite possibly an encrypted, and as of yet, undetected virus. I just got
one with a password protected .rar file. I suggest blocking .rar files. I
hope your users have not opened any of these. Mine claims to be a patch
for an undetected worm.

Gary V




Re: Passed UNCHECKED
2007-04-25 15:40:32
Gary wrote:

> Mark wrote:

>> My amavis logs show the following number of Passed UNCHECKED items:

>> 0, 0, 0, 0, 0, 0, 84, 312

>> That's 84 yesterday and 312 so far today since midnight.

>> The days with zero have real data, between 12k and 72k entries,
>> just no Passed UNCHECKED.

>> Assuming this is not legit email, what did I likely mangle yesterday
>> to start getting this behavior?

>> I did not make an amavisd.conf change, it's got to be something in
>> my sql db.

>> Thanks,
>> -mark

> Quite possibly an encrypted, and as of yet, undetected virus. I just got
> one with a password protected .rar file. I suggest blocking .rar files. I
> hope your users have not opened any of these. Mine claims to be a patch
> for an undetected worm.

A-Squared  Found nothing
AntiVir  Found nothing 
ArcaVir  Found nothing 
Avast  Found nothing 
AVG Antivirus  Found nothing 
BitDefender  Found nothing 
ClamAV  Found Email.Phishing.RB-686  
Dr.Web  Found nothing 
F-Prot Antivirus  Found nothing 
F-Secure Anti-Virus  Found nothing 
Fortinet  Found nothing 
Kaspersky Anti-Virus  Found nothing 
NOD32  Found nothing 
Norman Virus Control  Found nothing 
Panda Antivirus  Found nothing 
Rising Antivirus  Found nothing 
VirusBuster  Found nothing 
VBA32  Found nothing

I think you are getting this virus. I think it's more serious than
ClamAV thinks it is. I would say there's another storm a brewin'.


Gary V




Re: Passed UNCHECKED
2007-04-25 19:16:13
On Wed, Apr 25, 2007 at 02:40:32PM -0600, Gary V wrote:
> > Quite possibly an encrypted, and as of yet, undetected virus. I just got
> > one with a password protected .rar file. I suggest blocking .rar files. I
> > hope your users have not opened any of these. Mine claims to be a patch
> > for an undetected worm.
> 
> A-Squared  Found nothing
> AntiVir  Found nothing 
> ArcaVir  Found nothing 
> Avast  Found nothing 
> AVG Antivirus  Found nothing 
> BitDefender  Found nothing 
> ClamAV  Found Email.Phishing.RB-686  
> Dr.Web  Found nothing 
...
> VBA32  Found nothing
> 
> I think you are getting this virus. I think it's more serious than
> ClamAV thinks it is. I would say there's another storm a brewin'.

  You should be able to stand down from the alert a bit:

  ClamAV by default reports known standard phish emails as "viruses",
using this "Email.Phishing" format, to protect unsuspecting users from
getting all their money stolen.  No other AV vendors do that, so far as
I know.  If you don't want this behavior, ISTR you can disable those
signatures in current versions of ClamAV.
  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services


Re: Passed UNCHECKED
2007-04-25 19:53:20
Clifton wrote:

> On Wed, Apr 25, 2007 at 02:40:32PM -0600, Gary V wrote:
>> > Quite possibly an encrypted, and as of yet, undetected virus. I just got
>> > one with a password protected .rar file. I suggest blocking .rar files. I
>> > hope your users have not opened any of these. Mine claims to be a patch
>> > for an undetected worm.
>> 
>> A-Squared  Found nothing
>> AntiVir  Found nothing 
>> ArcaVir  Found nothing 
>> Avast  Found nothing 
>> AVG Antivirus  Found nothing 
>> BitDefender  Found nothing 
>> ClamAV  Found Email.Phishing.RB-686  
>> Dr.Web  Found nothing 
> ...
>> VBA32  Found nothing
>> 
>> I think you are getting this virus. I think it's more serious than
>> ClamAV thinks it is. I would say there's another storm a brewin'.

>   You should be able to stand down from the alert a bit:

>   ClamAV by default reports known standard phish emails as "viruses",
> using this "Email.Phishing" format, to protect unsuspecting users from
> getting all their money stolen.  No other AV vendors do that, so far as
> I know.  If you don't want this behavior, ISTR you can disable those
> signatures in current versions of ClamAV.
>   -- Clifton

I inquired about this on the ClamAV list. It contains the Nuwar virus
but there are extenuating circumstances.

http://lurker.clamav.net/thread/20070425.232237.811c419f.en.html


Gary V



Re: Passed UNCHECKED
2007-04-26 09:03:22
>> What are your logs showing in the entries just prior to Passed
>> UNCHECKED ?

Nothing... I'd bump up the log level but I haven't had another one
since I emailed this list.    So, I think Gary V is correct, there was a
small virus storm.   Maybe it was just a test run

Thanks,
-mark

