From MailScanner at ecs.soton.ac.uk Wed Aug 8 12:58:08 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed, 08 Aug 2007 13:58:08 +0100
Subject: Release 4.63.1 beta
Message-ID: <46B9BDE0.2050507@ecs.soton.ac.uk>

I have released a new beta, 4.63.1.

The main new feature is a live updated list of known bad phishing sites.
The sites in this list have been manually tested and have been compromised
or set up specifically as phishing sites. You should update your copy of
this list once every hour. RPM installations of MailScanner will do this
automatically.

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Improved init.d script, so that 'service MailScanner restart' or
  '/etc/init.d/MailScanner restart' runs faster. It pauses for just long
  enough for the old MailScanner to die gracefully, and starts up the new
  one as soon as the old one has died. Previously, it just waited for a
  fixed length of time which was much longer than needed for most people.
1 Improved tar installer so the directory created for MailScanner includes
  the build revision number as well as the main version number.
1 Improved phishing net logging to log entire real URL not just hostname.
1 Improvement to update_spamassassin to stop cron-generated mail.
1 New setting "Phishing Bad Sites File" which is a live
  continuously-updated list of known bad sites that have been reported to
  various mechanisms around the world. Please don't ask me for more
  information as I can't give it to you, but every site on the list has
  been manually tested and the list can be relied upon. Your installation
  should update this file every hour.
  NOTE: Run upgrade_languages_conf after installing this upgrade!

* Fixes *
1 Improvement to phishing net to allow HTML tags with contents split over
  multiple lines.
1 Changed options to ClamAVmodule so it doesn't hit false positives with
  the phishing and scam email detection signatures.
1-2 Fixed bug where --lint gives "MailScanner.conf file not found" error.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk


From mailscanner at hyperlast.com Sat Aug 11 15:32:41 2007
From: mailscanner at hyperlast.com (mailscanner)
Date: Sat, 11 Aug 2007 22:32:41 +0700
Subject: infected bubble bath
Message-ID: <004201c7dc2d$3059a990$b1eeb3d4@hdvfx>

jsnevni irnfsok xotxook yqqevjr
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cup.jpeg
Type: image/jpeg
Size: 4684 bytes
Desc: not available
URL:


From uxbod at splatnix.net Sat Aug 11 15:08:06 2007
From: uxbod at splatnix.net (UxBoD)
Date: Sat, 11 Aug 2007 16:08:06 +0100 (BST)
Subject: infected bubble bath
In-Reply-To: <004201c7dc2d$3059a990$b1eeb3d4@hdvfx>
Message-ID: <22213371.14501186844886305.JavaMail.root@office.splatnix.net>

Oh no! A spammer on the list.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

----- Original Message -----
From: "mailscanner"
To: mailscanner-request at lists.mailscanner.info,
    mailscanner-owner at lists.mailscanner.info,
    mailscanner-bounces at lists.mailscanner.info,
    mailscanner-beta at lists.mailscanner.info
Sent: 11 August 2007 16:32:41 o'clock (GMT) Europe/London
Subject: infected bubble bath

--
MailScanner-Beta mailing list
mailscanner-beta at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner-beta
Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


From mailscanner at ecs.soton.ac.uk Sun Aug 12 16:30:20 2007
From: mailscanner at ecs.soton.ac.uk (mailscanner)
Date: Sun, 12 Aug 2007 09:30:20 -0700
Subject: flabby mirror
Message-ID: <01b001c7dcf5$e46c9cd0$c64cd247@PKSS>

edge bipwe ehorux cjvybgn
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dilettante.jpeg
Type: image/jpeg
Size: 4834 bytes
Desc: not available
URL:


From mailer-daemon at zerex.ru Tue Aug 14 06:20:37 2007
From: mailer-daemon at zerex.ru (mailer-daemon)
Date: Tue, 14 Aug 2007 08:20:37 +0200
Subject: proverbial earring
Message-ID: <01ef01c7de33$ca547720$933da44b@axcpu>

thfx yfapgq nruxwka frssnq
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tuba player.jpeg
Type: image/jpeg
Size: 4730 bytes
Desc: not available
URL:


From MailScanner at ecs.soton.ac.uk Wed Aug 15 20:07:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed, 15 Aug 2007 21:07:38 +0100
Subject: Release 4.63.2 beta
Message-ID: <46C35D0A.8060108@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I thought it was about time for a new beta. So I've just released 4.63.2.

The main new points compared to the last beta are:

- -- New setting "Check Filenames In Password-Protected Archives = yes".
Useful if you allow password-protected archives to a few of your
developers, and they need to exchange executables in them.

- -- New setting "Include Binary Attachments In SpamAssassin = no". You
can use this option, in conjunction with the small SpamAssassin patch
applied for MCP to work, to add to the spam checking the feature that
MCP has over it, in that it will process all attachments for spam
content, not just the text and HTML.

Download as usual from www.mailscanner.info.

Please check that the new features all work correctly and that the bug
fixes have actually fixed any problems you were having.

Thanks!

The full Change Log is:

* New Features and Improvements *
1 Improved init.d script, so that 'service MailScanner restart' or
  '/etc/init.d/MailScanner restart' runs faster. It pauses for just long
  enough for the old MailScanner to die gracefully, and starts up the new
  one as soon as the old one has died. Previously, it just waited for a
  fixed length of time which was much longer than needed for most people.
1 Improved tar installer so the directory created for MailScanner includes
  the build revision number as well as the main version number.
1 Improved phishing net logging to log entire real URL not just hostname.
1 Improvement to update_spamassassin to stop cron-generated mail.
1 New setting "Phishing Bad Sites File" which is a live
  continuously-updated list of known bad sites that have been reported to
  various mechanisms around the world. Please don't ask me for more
  information as I can't give it to you, but every site on the list has
  been manually tested and the list can be relied upon. Your installation
  should update this file every hour.
  NOTE: Run upgrade_languages_conf after installing this upgrade!
2 Reduce default "Restart Every" time to 2 hours so that updates to the
  known bad phishing sites list are re-read more frequently.
2 Added *.fdf to the list of dangerous filenames. Opening a .fdf file can
  cause the loading of any file on the internet into Adobe Acrobat.
2 Added 2 new variables to the sender reports:
  $size = size of message in bytes and
  $maxmessagesize = maximum allowed size of this message in bytes.
2 Added new setting "Check Filenames In Password-Protected Archives = yes"
  so that the filename checks can be suppressed on encrypted archives to
  allow a few people to get exe's and so on through the mail as part of
  their business needs. Normally leave this setting at "yes".
2 Added new setting "Include Binary Attachments In SpamAssassin = no"
  which can be used to tell SpamAssassin to look at all attachments, not
  just the ones containing text (or HTML, etc) which is its normal
  behaviour. Changing this setting to "yes" will have no effect without a
  patch to the SpamAssassin code, which you can fetch from
  http://www.mailscanner.info/mcp.html#patches
  It will slightly slow down SpamAssassin some of the time, and is
  therefore disabled by default. This can be very useful if you want to
  look for rude or derogatory content in messages, and do not want the
  huge speed impact of using MCP. It can successfully scan the content of
  Microsoft Word documents, for example. It won't be effective on PDF
  files however, as these are compressed internally so there is no
  readable text anywhere in the file.

* Fixes *
1 Improvement to phishing net to allow HTML tags with contents split over
  multiple lines.
1 Changed options to ClamAVmodule so it doesn't hit false positives with
  the phishing and scam email detection signatures.
1-2 Fixed bug where --lint gives "MailScanner.conf file not found" error.
2 Stopped writing a PID file when "MailScanner --lint" is run.
2 update_spamassassin no longer produces any output, so no crond email.
2 Fixed bug where clamavmodule scanner name wouldn't always be logged
  correctly.
2 Bugfix in ZMDiskStore.pm ZMailer support from Leonardo Helman.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGw10LEfZZRxQVtlQRAjloAJ4ghpnmoEiLjv4gMay0ZkFo4ByZaACg7T61
g4H315BtDcN2R9NbcbWUGVY=
=w7rF
-----END PGP SIGNATURE-----


From MailScanner at ecs.soton.ac.uk Wed Aug 15 21:33:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed, 15 Aug 2007 22:33:58 +0100
Subject: Release 4.63.2 beta
In-Reply-To: <46C35D0A.8060108@ecs.soton.ac.uk>
References: <46C35D0A.8060108@ecs.soton.ac.uk>
Message-ID: <46C37146.2060201@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> -- New setting "Check Filenames In Password-Protected Archives = yes".
> Useful if you allow password-protected archives to a few of your
> developers, and they need to exchange executables in them.

That was easy to add, once I found the right place to put it, so was
feasible even if only 1 person wanted it, so far.
Hopefully others will find it useful given time to think about it.

> -- New setting "Include Binary Attachments In SpamAssassin = no". You
> can use this option, in conjunction with the small SpamAssassin patch
> applied for MCP to work, to add to the spam checking the feature that
> MCP has over it, in that it will process all attachments for spam
> content, not just the text and HTML.

This is particularly useful if you use MCP to detect certain strings
such as rude language (if you have children among your users) or the
names of your company's projects or competitors, when these strings
might appear in Word documents. Obviously there isn't much point
scanning images for strings like this, but who's to say that
my_industrial_espionage_notes.jpg is actually an image and not a renamed
Word document? So safer to scan everything.

You can then use SpamAssassin Rule Actions to detect these rules firing
and send the mail to the boss/teacher instead. And all this without the
huge speed impact of actually running MCP. Which has to be a good thing,
as anyone with MCP running in a large site will probably tell you.

> * New Features and Improvements *
> 1 Improved init.d script, so that 'service MailScanner restart' or
>   '/etc/init.d/MailScanner restart' runs faster. It pauses for just long
>   enough for the old MailScanner to die gracefully, and starts up the new
>   one as soon as the old one has died. Previously, it just waited for a
>   fixed length of time which was much longer than needed for most people.

On busy servers you might find it can take quite a while for the
children to all die. But they will, eventually.

> 1 New setting "Phishing Bad Sites File" which is a live
>   continuously-updated list of known bad sites that have been reported to
>   various mechanisms around the world. Please don't ask me for more
>   information as I can't give it to you, but every site on the list has
>   been manually tested and the list can be relied upon.
>   Your installation should update this file every hour.
>   NOTE: Run upgrade_languages_conf after installing this upgrade!

This file is developing nicely and currently lists over 900 sites, all
reported within the last week or so. It will continue to grow. Sites are
eventually expired out of this file, it won't grow indefinitely.

> 2 Added *.fdf to the list of dangerous filenames. Opening a .fdf file can
>   cause the loading of any file on the internet into Adobe Acrobat.

Can someone with one of these fdf files run it through the "file"
command and tell me what it says please?

> 2 Added new setting "Check Filenames In Password-Protected Archives = yes"
>   so that the filename checks can be suppressed on encrypted archives to
>   allow a few people to get exe's and so on through the mail as part of
>   their business needs. Normally leave this setting at "yes".

This effectively sets Max Archive Depth = 0 for password-protected
archives.

> 2 Stopped writing a PID file when "MailScanner --lint" is run.

That was a real brain failure on my part! :-)

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGw3FIEfZZRxQVtlQRAm97AJ9VpW3xv26NcFSIu51GXRst3U90rgCfcZ1w
GEVnfLduxRF5EmmXfuO3L8M=
=ultL
-----END PGP SIGNATURE-----


From MailScanner at ecs.soton.ac.uk Mon Aug 27 11:17:04 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon, 27 Aug 2007 12:17:04 +0100
Subject: Release 4.63.4
Message-ID: <46D2B2B0.2030309@ecs.soton.ac.uk>

Hi folks!

I hope all of you in the UK are having a nice day off, it's the last one
before Christmas :-(

I have just released beta 4.63.4, which will turn into the stable
release at the start of September, unless anything important happens
before then.

The new feature in this release that is not in the previous beta is that
in the "SpamAssassin Rule Actions" feature, you can now specify a
comma-separated list of actions for each RULE=>action statement in it,
saving you having to specify the RULE once for each action.

Please let me know of any bugs in this release, as I want to get them
fixed before the stable release on 1st September.

Download as usual from www.mailscanner.info.

The full Change Log for this release is this:

* New Features and Improvements *
1 Improved init.d script, so that 'service MailScanner restart' or
  '/etc/init.d/MailScanner restart' runs faster. It pauses for just long
  enough for the old MailScanner to die gracefully, and starts up the new
  one as soon as the old one has died. Previously, it just waited for a
  fixed length of time which was much longer than needed for most people.
1 Improved tar installer so the directory created for MailScanner includes
  the build revision number as well as the main version number.
1 Improved phishing net logging to log entire real URL not just hostname.
1 Improvement to update_spamassassin to stop cron-generated mail.
1 New setting "Phishing Bad Sites File" which is a live
  continuously-updated list of known bad sites that have been reported to
  various mechanisms around the world. Please don't ask me for more
  information as I can't give it to you, but every site on the list has
  been manually tested and the list can be relied upon. Your installation
  should update this file every hour.
  NOTE: Run upgrade_languages_conf after installing this upgrade!
2 Reduce default "Restart Every" time to 2 hours so that updates to the
  known bad phishing sites list are re-read more frequently.
2 Added *.fdf to the list of dangerous filenames. Opening a .fdf file can
  cause the loading of any file on the internet into Adobe Acrobat.
2 Added 2 new variables to the sender reports:
  $size = size of message in bytes and
  $maxmessagesize = maximum allowed size of this message in bytes.
2 Added new setting "Check Filenames In Password-Protected Archives = yes"
  so that the filename checks can be suppressed on encrypted archives to
  allow a few people to get exe's and so on through the mail as part of
  their business needs. Normally leave this setting at "yes".
2 Added new setting "Include Binary Attachments In SpamAssassin = no"
  which can be used to tell SpamAssassin to look at all attachments, not
  just the ones containing text (or HTML, etc) which is its normal
  behaviour. Changing this setting to "yes" will have no effect without a
  patch to the SpamAssassin code, which you can fetch from
  http://www.mailscanner.info/mcp.html#patches
  It will slightly slow down SpamAssassin some of the time, and is
  therefore disabled by default. This can be very useful if you want to
  look for rude or derogatory content in messages, and do not want the
  huge speed impact of using MCP. It can successfully scan the content of
  Microsoft Word documents, for example. It won't be effective on PDF
  files however, as these are compressed internally so there is no
  readable text anywhere in the file.
3 Added a long $PATH to f-prot-autoupdate so we can find wget on most
  OS-es including Solaris.
3 Improved Sophos.install to disable the savupdate cron job and switch off
  the unwanted Sophos services.
3 Added a feature to the "SpamAssassin Rule Actions". You can now specify
  "SpamScore" and a number comparison, instead of just giving a
  SpamAssassin rule name. So you can say
    SpamAssassin Rule Actions = SpamScore>25=>delete
  and this will cause all messages scoring over 25 to be deleted.
  You can use this to set different actions at different spam scores, in
  addition to the normal spam actions and high-scoring spam actions.
  The numerical tests you can use are ">", ">=", "==", "<=" and "<".
4 The "action" in each "RULE=>action" in "SpamAssassin Rule Actions" can
  now be a comma-separated list of actions, so you can easily specify
  multiple actions per rule.

* Fixes *
1 Improvement to phishing net to allow HTML tags with contents split over
  multiple lines.
1 Changed options to ClamAVmodule so it doesn't hit false positives with
  the phishing and scam email detection signatures.
1-2 Fixed bug where --lint gives "MailScanner.conf file not found" error.
2 Stopped writing a PID file when "MailScanner --lint" is run.
2 update_spamassassin no longer produces any output, so no crond email.
2 Fixed bug where clamavmodule scanner name wouldn't always be logged
  correctly.
2 Bugfix in ZMDiskStore.pm ZMailer support from Leonardo Helman.
3 Force installation of perl-Getopt-Long to try to solve the problems with
  command-line options producing 'config file not found' errors.
3 Commented out sample rules in max.message.size.rules file.
3 Fixed MailScanner.conf Sophos-specific settings for Sophos 5.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
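
The "SpamAssassin Rule Actions" semantics described in the 4.63.4 change log above (a rule name or a SpamScore comparison, then "=>", then a comma-separated list of actions), as an added Python example that is not MailScanner's own Perl code. It takes one statement per list entry, because the message does not say how several statements are separated on one configuration line. The rule name LOCAL_PROJECT_NAME, the address, the action names other than delete and the de-duplication of actions are assumptions of this example.

```python
import operator
import re

# The five numerical tests named in the 4.63.4 change log.
OPS = {">": operator.gt, ">=": operator.ge, "==": operator.eq,
       "<=": operator.le, "<": operator.lt}
# Left-hand side of a score test, e.g. "SpamScore>25" or "SpamScore <= 5".
SCORE_TEST = re.compile(r"SpamScore\s*(>=|<=|==|>|<)\s*(-?\d+(?:\.\d+)?)")
# Assumption: SpamAssassin-style rule names (letters, digits, underscore).
RULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_statement(statement):
    """Parse one 'RULE=>action[,action...]' statement.

    Returns (test, actions); test is ("rule", name) or
    ("score", operator, threshold). Malformed input raises ValueError so
    that a typo cannot silently turn an action off.
    """
    lhs, arrow, rhs = statement.strip().rpartition("=>")
    if not arrow:
        raise ValueError(f"missing '=>' in {statement!r}")
    lhs = lhs.strip()
    actions = [a.strip() for a in rhs.split(",") if a.strip()]
    if not actions:
        raise ValueError(f"no action given in {statement!r}")
    match = SCORE_TEST.fullmatch(lhs)
    if match:
        return ("score", match.group(1), float(match.group(2))), actions
    if lhs == "SpamScore" or not RULE_NAME.fullmatch(lhs):
        raise ValueError(f"bad rule name or score test {lhs!r}")
    return ("rule", lhs), actions


def actions_for(statements, rules_hit, score):
    """Return the actions triggered for one message, in statement order."""
    triggered = []
    for statement in statements:
        test, actions = parse_statement(statement)
        if test[0] == "rule":
            fired = test[1] in rules_hit
        else:
            fired = OPS[test[1]](score, test[2])
        if fired:
            # Choice made by this example: list each action only once.
            for action in actions:
                if action not in triggered:
                    triggered.append(action)
    return triggered


# Constructed sample; only the first statement appears in the change log.
SAMPLE = ["SpamScore>25=>delete",
          "SpamScore>=10=>store,notify",
          "LOCAL_PROJECT_NAME=>store,forward boss@example.com"]

if __name__ == "__main__":
    print(actions_for(SAMPLE, {"LOCAL_PROJECT_NAME"}, 12.5))
    print(actions_for(SAMPLE, set(), 30))
```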