From: "Doug Bissett"
To: "Steven Levine"
Date: Mon, 04 Nov 2024 18:48:00 -0700 (MST)
Subject: Re: [eCS-ISP] clamscan issue - directories with a lot of files

On 2024-11-04, at 13:55:28, Steven Levine wrote:

>In , on 11/04/24
>   at 10:36 PM, "Massimo S." said:
>
>Hi Massimo,
>
>>i run this command for each domain
>
>Can I conclude you pasted a partially wrong command line?  When you are
>running for a domain, you will need to use --recurse.
>
>>and i also run it "divided" on some single recipient directories for the
>>small ones eg.
>>X:\weasel\MailRoot\mydomain.com\mail1
>>X:\weasel\MailRoot\mydomain.com\mail2
>>etc..
>
>For the large mailstores, you may have to use --include and --exclude to
>subdivide the directory contents into smaller chunks.
>
>Another option you have is to limit clamscan to checking only the recently
>modified files.  Use your favorite file manager to build a list of the
>recently modified files and run clamscan with the --file-list=FILE switch
>option.
>
>Given what we know about clamscan's memory usage and your mailstores, I
>probably would use the --file-list option for all runs.  With 4OS2 and
>some easily accessible utilities, this is easy.  To check all files
>changed in the last 5 days, it's
>
>  dir /[d-5,%_DATE] /a:-d /f /s maildir... >5days.lst
>  clamscan ... --file-list=5days.lst
>
>where ... are your current switch options, excluding --recurse of course.
>
>If the resulting list is still too large for clamscan to handle without
>errors, we can use split to break the list into smaller lists that
>clamscan can handle.  For 200 lines per file, it's
>
>  split -l200 5days.lst
>
>The resulting split files will be named xaa, aab etc.  We can adjust 200
>upward until clamscan starts to fail due to memory issues.
>Then it's
>
>  for %XX in ( x* ) clamscan ... --file-list=%XX
>
>To use the above technique to check all files, we use
>
>  dir /a:-d /f /s maildir... >allfiles.lst
>
>>Y: and Z: are both ramdisk filesystems
>>but also i believe this is not important
>
>I agree.  This does not appear to be related to your problems.
>
>Steven

I have been following this, and would like to make some comments:

First, I used Clamscan, some years ago, to scan my mail store (in PMMail). It was a memory hog, and was causing a lot more problems than any virus ever did. So I quit using it.

Not feeling good about that, I did some experimenting. I came to the conclusion that OS/2 is not vulnerable to viruses, so the only way a file would be infected, was before it arrived on my system. The solution was to scan every (e-mail) file, as it arrived (PMMail can run programs as files arrive - I am pretty sure that Weasel can too). I seem to recall using ClamDscan for some reason (probably so it was already loaded, and didn't have to restart for every run - reducing fragmentation problems). Now, I was scanning ONE file at a time, which did not solve all of the problems, but it was much better.

Once the file is stored in OS/2, the chances that it will be infected are very close to zero. There is no point in scanning them again, unless you want to do them, one at a time, as they exit your system. Users should have appropriate protection against malware anyway.

Then, I decided that I was the only user, so there was no point in scanning files, at all. So I quit using Clamscan. In the five, or so, years that I did use Clamscan, it never did find a bad file (other than one that I had for testing).

Another approach, that worked, was to use a Windows (Linux?) virus scanner, to scan the files over the LAN. I never bothered to actually implement that, but it does work.

Hope this gives you some ideas...
-- 
****************************
From Doug Bissett's ArcaOS system
dougb007 AT ocii.com
****************************
... The only shortage we really face is the shortage of imagination.
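
The list-and-split procedure quoted above (list recently modified files, split the list, run clamscan once per piece with --file-list), as an added Python example that is not part of the original thread. The function names, the `scanlists` directory and the `--infected --no-summary` switches are assumptions; it expects `clamscan` on the PATH.

```python
import os
import subprocess
import sys
import time

def recent_files(root, days, now=None):
    """Paths of files under root modified within the last `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(path) >= cutoff:
                    found.append(path)
            except OSError:
                continue  # message moved or deleted while we were walking
    return sorted(found)

def write_chunks(paths, out_dir, per_list=200):
    """Write paths into numbered list files of at most per_list lines each."""
    os.makedirs(out_dir, exist_ok=True)
    lists = []
    for start in range(0, len(paths), per_list):
        name = os.path.join(out_dir, "chunk%04d.lst" % (start // per_list))
        with open(name, "w") as fh:
            fh.write("\n".join(paths[start:start + per_list]) + "\n")
        lists.append(name)
    return lists

def scan_lists(lists, clamscan="clamscan", switches=("--infected", "--no-summary")):
    """Run clamscan once per list. Exit code 0 = clean, 1 = virus found, 2 = error."""
    results = {}
    for lst in lists:
        cmd = [clamscan, *switches, "--file-list=" + lst]
        results[lst] = subprocess.run(cmd).returncode
    return results

if __name__ == "__main__":
    # Usage: python chunkscan.py MAILDIR [DAYS] [LINES_PER_LIST]
    maildir = sys.argv[1]
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 5
    per_list = int(sys.argv[3]) if len(sys.argv) > 3 else 200
    lists = write_chunks(recent_files(maildir, days), "scanlists", per_list)
    codes = scan_lists(lists)
    failed = [l for l, rc in codes.items() if rc == 2]
    hits = [l for l, rc in codes.items() if rc == 1]
    print("lists: %d, with detections: %d, errored: %d" % (len(lists), len(hits), len(failed)))
    sys.exit(2 if failed else 1 if hits else 0)
```

A list that comes back with exit code 2 can be rerun with a smaller lines-per-list value, which is the same tuning the quoted message describes for the 200 figure.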