From valianp at SOUTHWESTERN.EDU Sat Dec 1 02:08:47 2001
From: valianp at SOUTHWESTERN.EDU (Peter Valian)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <3C081800.E9352440@travellingkiwi.com>
Message-ID: <3C083BAF.3020004@southwestern.edu>

oh well...glad we have that site license :)

Hamish Marson wrote:

> Peter Valian wrote:
>
>>If I'm not mistaken, you technically only need one license to run on your
>>mail server. Only one user is *technically* scanning mail (root).
>>
>
> You're mistaken. The license is actually for the number of users to be
> protected by the software...
>
>>we use mcafee on our campus...we have some sort of site license for
>>desktop scanning software and they just gave us the unix scanner as part
>>of that agreement. I have no idea what we paid.
>>
>>-peter
>>
>>Stephen Lee wrote:
>>
>>>Hi,
>>>
>>>I am currently running Mailscanner 2.60-2 and the demo version of Sophos
>>>on a Redhat7.1 - Sendmail 8.11.6. It works very well but the Sophos
>>>license for 10 users is $600 USD. When converted to Canadian dollars,
>>>that is very expensive for us. We only have 5-6 mail users so it's hard
>>>to justify the cost especially when you consider that each desktop copy
>>>of Norton AV is around $40. Are there alternatives to Sophos that work
>>>with Mailscanner which might be more friendly on the pocket for small
>>>businesses?
>>>
>>>Thanks for any suggestions.
>>>
>>>Stephen
>>>
>>--
>>Peter Valian
>>Network & Systems Administrator
>>Southwestern University
>>Georgetown, Texas
>>--
>
> --
>
> I don't suffer from Insanity... | Linux User #237369
> I enjoy every minute of it...   |
>                                 |
> http://www.travellingkiwi.com/  |
>

--
Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas
512.863.1586 office
512.863.1605 fax
--

From LISTSERV at JISCMAIL.AC.UK Sat Dec 1 11:09:36 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:07 2006
Subject: MAILSCANNER: roald@PROXY.BRIKKEN.NO requested to join
Message-ID: <200112011109.LAA25662@magpie.ecs.soton.ac.uk>

Sat, 1 Dec 2001 11:09:36

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Roald Amundsen

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER roald@PROXY.BRIKKEN.NO Roald Amundsen

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER roald@PROXY.BRIKKEN.NO Roald Amundsen
// EOJ

From sfarrell at ICCONSULTING.COM.AU Mon Dec 3 22:10:31 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
Message-ID:

I have written a demo for integrating to CA Antivirus - innoculateIT. We found innoculateIT to have competitive pricing. Julian is yet to integrate it into the main code base, I can email appropriate files if required.

regards

Scott Farrell
http://www.icconsulting.com.au

ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients.
Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.
0412 927 156, 02 9411 3622
mailto:sfarrell@icconsulting.com.au

Stephen Lee
Sent by: MailScanner mailing list
01/12/2001 07:58 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Alternatives to Sophos

Hi,

I am currently running Mailscanner 2.60-2 and the demo version of Sophos on a Redhat7.1 - Sendmail 8.11.6. It works very well but the Sophos license for 10 users is $600 USD. When converted to Canadian dollars, that is very expensive for us. We only have 5-6 mail users so it's hard to justify the cost especially when you consider that each desktop copy of Norton AV is around $40. Are there alternatives to Sophos that work with Mailscanner which might be more friendly on the pocket for small businesses?

Thanks for any suggestions.

Stephen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011204/ea1da445/attachment.html

From nwp at LEMON-COMPUTING.COM Mon Dec 3 09:32:47 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <1007157540.2291.2.camel@ralph.plexio.private>; from splee@PLEXIO.COM on Fri, Nov 30, 2001 at 01:58:58PM -0800
References: <1007157540.2291.2.camel@ralph.plexio.private>
Message-ID: <20011203093247.D9401@lemon-computing.com>

On Fri, Nov 30, 2001 at 01:58:58PM -0800, Stephen Lee wrote:
> Hi,
>
> I am currently running Mailscanner 2.60-2 and the demo version of Sophos
> on a Redhat7.1 - Sendmail 8.11.6.
> It works very well but the Sophos
> license for 10 users is $600 USD. When converted to Canadian dollars,
> that is very expensive for us. We only have 5-6 mail users so it's hard
> to justify the cost especially when you consider that each desktop copy
> of Norton AV is around $40. Are there alternatives to Sophos that work
> with Mailscanner which might be more friendly on the pocket for small
> businesses?

You should be able to get a 6-user license for Sophos for about 45-50GBP per user. Not quite as cheap as NAV, but then IMHO NAV isn't even worth $40.

Should you ever need it, Sophos' support is also excellent.

Don't know how much McAfee would be, but that would currently be the only other package to work with mailscanner.

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Don't Worry, Be Happy.

From nwp at LEMON-COMPUTING.COM Mon Dec 3 09:43:21 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <3C08067D.2040007@southwestern.edu>; from valianp@SOUTHWESTERN.EDU on Fri, Nov 30, 2001 at 04:21:49PM -0600
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu>
Message-ID: <20011203094321.E9401@lemon-computing.com>

On Fri, Nov 30, 2001 at 04:21:49PM -0600, Peter Valian wrote:
> If I'm not mistaken, you technically only need one license to run on your
> mail server. Only one user is *technically* scanning mail (root).

They are seemingly quite confused about this kind of situation, but basically end up saying "one license per workstation that benefits" which in this case could mean many things.

They also don't seem to have quite grasped that rather than gaining desktop business like this, they are losing server business to whichever random company's scanner came preinstalled on the muppet clients' workstations.

I wish they'd see the light. It would make my job so much easier.
Still, IMHO they are still the best option for desktops & all -- in combination with a good (or at least adequate) backup system. ;)

--
Nick Phillips -- nwp@lemon-computing.com
Do not overtax your powers.

From gcrothers at SHELOB.NET Mon Dec 3 10:01:07 2001
From: gcrothers at SHELOB.NET (gcrothers)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <20011203094321.E9401@lemon-computing.com>
Message-ID: <023c01c17be1$6f6606e0$580a0a0a@nin>

----- Original Message -----
From: Nick Phillips
To:
Sent: 03 December 2001 09:43
Subject: Re: Alternatives to Sophos

I'm also confused about the licensing issue,
So what is the name of the product that is required from Sophos.??

Is it SWEEP, SAVI, MAILMONITOR or what?/

tia
garry

From nwp at LEMON-COMPUTING.COM Mon Dec 3 11:18:38 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <023c01c17be1$6f6606e0$580a0a0a@nin>; from gcrothers@SHELOB.NET on Mon, Dec 03, 2001 at 10:01:07AM -0000
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <20011203094321.E9401@lemon-computing.com> <023c01c17be1$6f6606e0$580a0a0a@nin>
Message-ID: <20011203111838.G9401@lemon-computing.com>

On Mon, Dec 03, 2001 at 10:01:07AM -0000, gcrothers wrote:
> ----- Original Message -----
> From: Nick Phillips
> To:
> Sent: 03 December 2001 09:43
> Subject: Re: Alternatives to Sophos
>
> I'm also confused about the licensing issue,
> So what is the name of the product that is required from Sophos.??
>
> Is it SWEEP, SAVI, MAILMONITOR or what?/
>
> tia
> garry

Sophos Anti-Virus (SAV). Of which sweep is part. intercheck is the other main part. SAVI is an NT/win2k-based admin interface for a network's SAV installation. MailMonitor is an SMTP relay with integrated SAV (much like a correctly configured mailscanner+sweep box could be).

--
Nick Phillips -- nwp@lemon-computing.com
Your reasoning is excellent -- it's only your basic assumptions that are wrong.

From gcrothers at SHELOB.NET Mon Dec 3 11:30:02 2001
From: gcrothers at SHELOB.NET (gcrothers)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <20011203094321.E9401@lemon-computing.com> <023c01c17be1$6f6606e0$580a0a0a@nin> <20011203111838.G9401@lemon-computing.com>
Message-ID: <003d01c17bed$df4d1140$6600000a@cwarehouse>

> Sophos Anti-Virus (SAV). Of which sweep is part. intercheck is the other
> main part.
> SAVI is an NT/win2k-based admin interface for a network's SAV
> installation. MailMonitor is an SMTP relay with integrated SAV (much like
> a correctly configured mailscanner+sweep box could be).

thanks for the info.....

so.. like I asked in a previous thread what does mailscanner + SAV give me compared to Sophos MailMonitor.

tia
garry

From nwp at LEMON-COMPUTING.COM Mon Dec 3 11:31:41 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <003d01c17bed$df4d1140$6600000a@cwarehouse>; from gcrothers@SHELOB.NET on Mon, Dec 03, 2001 at 11:30:02AM -0000
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <20011203094321.E9401@lemon-computing.com> <023c01c17be1$6f6606e0$580a0a0a@nin> <20011203111838.G9401@lemon-computing.com> <003d01c17bed$df4d1140$6600000a@cwarehouse>
Message-ID: <20011203113141.I9401@lemon-computing.com>

On Mon, Dec 03, 2001 at 11:30:02AM -0000, gcrothers wrote:
> > Sophos Anti-Virus (SAV). Of which sweep is part. intercheck is the other
> > main part. SAVI is an NT/win2k-based admin interface for a network's SAV
> > installation. MailMonitor is an SMTP relay with integrated SAV (much like
> > a correctly configured mailscanner+sweep box could be).
>
> thanks for the info.....
>
> so.. like I asked in a previous thread what does mailscanner + SAV give me
> compared to Sophos MailMonitor.

Control of filename rules applied. A choice of AV engine (zero lock-in). Larger amounts of source code. You can see whether you think mailscanner's reasonably well-designed or not, you can only see whether MailMonitor appears to work or not.

Overall, choice.

--
Nick Phillips -- nwp@lemon-computing.com
Don't worry. Life's too long.
From tyler at beloit.edu Mon Dec 3 15:41:28 2001
From: tyler at beloit.edu (Tim Tyler)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <3C081800.E9352440@travellingkiwi.com> from "Hamish Marson" at Nov 30, 2001 11:36:32 PM
Message-ID: <200112031541.JAA22652@beloit.edu>

Yes, Sophos appears to force a site license as a necessary purchase if you want to protect all users using mailscanner. This creates a dilemma since we are heavily invested in Norton at the desktop level. If we want to stay with Norton at the desktop and use Sophos at the server level, we would be caught with a double site license essentially. This for us is like paying an extra $5k or $6k per year. That creates a bit of a dilemma for us as an educational institution without much of a budget. I wish it were possible to negotiate some compromise on the licensing issue. We are nearing the end of our testing phase with Mailscanner and may have to turn it off if we can't work out a budget agreement for Sophos. McAfee is just as bad. Alternatively, I wish Norton would create something to work with mailscanner - hence removing our particular dilemma. I have written to them about this, but I am not very optimistic.

Tim

>
>Peter Valian wrote:
>
>> If I'm not mistaken, you technically only need one license to run on your
>> mail server. Only one user is *technically* scanning mail (root).
>>
>
>You're mistaken. The license is actually for the number of users to be
>protected by the software...
>
>
>>
>> we use mcafee on our campus...we have some sort of site license for
>> desktop scanning software and they just gave us the unix scanner as part
>> of that agreement. I have no idea what we paid.
>>
>> -peter
>>
>> Stephen Lee wrote:
>>
>> >Hi,
>> >
>> >I am currently running Mailscanner 2.60-2 and the demo version of Sophos
>> >on a Redhat7.1 - Sendmail 8.11.6. It works very well but the Sophos
>> >license for 10 users is $600 USD.
>> >When converted to Canadian dollars,
>> >that is very expensive for us. We only have 5-6 mail users so it's hard
>> >to justify the cost especially when you consider that each desktop copy
>> >of Norton AV is around $40. Are there alternatives to Sophos that work
>> >with Mailscanner which might be more friendly on the pocket for small
>> >businesses?
>> >
>> >Thanks for any suggestions.
>> >
>> >Stephen
>> >
>>
>> --
>> Peter Valian
>> Network & Systems Administrator
>> Southwestern University
>> Georgetown, Texas
>> --
>
>--
>
>I don't suffer from Insanity... | Linux User #237369
> I enjoy every minute of it...  |
>                                |
>http://www.travellingkiwi.com/  |
>

--
Tim Tyler
Network Manager - Beloit College
tyler@beloit.edu
Go Packers! Go Badgers! 1999&2000 Rose Bowl Champions!

From nwp at LEMON-COMPUTING.COM Mon Dec 3 16:40:28 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <20011203111838.G9401@lemon-computing.com>; from nwp@LEMON-COMPUTING.COM on Mon, Dec 03, 2001 at 11:18:38AM +0000
References: <1007157540.2291.2.camel@ralph.plexio.private> <3C08067D.2040007@southwestern.edu> <20011203094321.E9401@lemon-computing.com> <023c01c17be1$6f6606e0$580a0a0a@nin> <20011203111838.G9401@lemon-computing.com>
Message-ID: <20011203164028.L9401@lemon-computing.com>

On Mon, Dec 03, 2001 at 11:18:38AM +0000, Nick Phillips wrote:
> main part. SAVI is an NT/win2k-based admin interface for a network's SAV
> installation.

Sorry. Now I'm getting confused too. SAVI is the "SAV Interface" which is *usually* for the .dll-based sophos for integration into 3rd-party products.

It is also (so they've just told me) the appropriate *license* to get for installation of Sweep on a single gateway/mail server for protection of a large number of users who do not have SAV on their desktops. So, this is what Tim -- at least I think it was Tim -- was looking for.

SAVAdmin is what I was thinking of before.
Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Avoid reality at all costs.

From splee at PLEXIO.COM Mon Dec 3 16:37:58 2001
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:14:07 2006
Subject: Alternatives to Sophos
In-Reply-To: <200112031541.JAA22652@beloit.edu>
References: <200112031541.JAA22652@beloit.edu>
Message-ID: <1007397480.10527.1.camel@ralph.plexio.private>

As I understand it, the SAV license covers both the server and the desktop so NAV wouldn't be needed. You can even run a client copy at home.

What bugs me about Sophos though, is that they are not very obvious about their pricing structure. Pricing is not on their website and even if you asked for it by email, they insist you try the demo first - why bother if it is too expensive in the first place? Having asked Sophos on several occasions for pricing for a particular number of users at a certain geographic location (Canada) without much luck, I finally broke down and tried the demo. Several more emails and phone calls later, I finally got some prices. It's like pulling teeth!

The US/Canada pricing quoted to me was: $150USD for 1 user, $120 for 2-4 users, $85 for 5-9 users and $60 for 10-? users.

In the end, SAV _is_ a nice product but is expensive and is targeted at the corporate market.

Thanks to those responding to my original request for alternatives to Sophos.

Stephen

On Mon, 2001-12-03 at 07:41, Tim Tyler wrote:
> Yes, Sophos appears to force a site license as a necessary purchase if you
> want to protect all users using mailscanner. This creates a dilemma since we
> are heavily invested in Norton at the desktop level. If we want to stay
> with Norton at the desktop and use Sophos at the server level, we would be
> caught with a double site license essentially. This for us is like paying
> an extra $5k or $6k per year. That creates a bit of a dilemma for us as an
> educational institution without much of a budget.
> I wish it were possible to negotiate some compromise on the licensing
> issue. We are nearing the end of our testing phase with Mailscanner and may
> have to turn it off if we can't work out a budget agreement for Sophos.
> McAfee is just as bad. Alternatively, I wish Norton would create something
> to work with mailscanner - hence removing our particular dilemma. I have
> written to them about this, but I am not very optimistic.
>
> Tim
>
> >
> >Peter Valian wrote:
> >
> >> If I'm not mistaken, you technically only need one license to run on your
> >> mail server. Only one user is *technically* scanning mail (root).
> >>
> >
> >You're mistaken. The license is actually for the number of users to be
> >protected by the software...
> >
> >
> >>
> >> we use mcafee on our campus...we have some sort of site license for
> >> desktop scanning software and they just gave us the unix scanner as part
> >> of that agreement. I have no idea what we paid.
> >>
> >> -peter
> >>
> >> Stephen Lee wrote:
> >>
> >> >Hi,
> >> >
> >> >I am currently running Mailscanner 2.60-2 and the demo version of Sophos
> >> >on a Redhat7.1 - Sendmail 8.11.6. It works very well but the Sophos
> >> >license for 10 users is $600 USD. When converted to Canadian dollars,
> >> >that is very expensive for us. We only have 5-6 mail users so it's hard
> >> >to justify the cost especially when you consider that each desktop copy
> >> >of Norton AV is around $40. Are there alternatives to Sophos that work
> >> >with Mailscanner which might be more friendly on the pocket for small
> >> >businesses?
> >> >
> >> >Thanks for any suggestions.
> >> >
> >> >Stephen
> >> >
> >>
> >> --
> >> Peter Valian
> >> Network & Systems Administrator
> >> Southwestern University
> >> Georgetown, Texas
> >> --
> >
> >--

From Q.G.Campbell at NEWCASTLE.AC.UK Wed Dec 5 12:16:10 2001
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:14:07 2006
Subject: Sender warnings going to recipients!
Message-ID:

We have been running 2.60-2 since it was released. The platforms are Solaris 2.7 running sendmail 8.10.1.

We have started to receive complaints (and evidence) that _recipients_ of infected messages are sometimes getting the "sender" warning message. That is, the "To:" address _in_ the warning message (a local recipient) also becomes the "To:" address _for_ the warning message itself. The latter should be the address of the sender. Any ideas?
An example follows with the original message at the end:

--------------- cut here
> Date: Tue, 4 Dec 2001 17:02:52 GMT
> From: MailScanner
> To: netskills-admin@netskills.ac.uk
> Subject: Warning: E-mail viruses detected
>
> Our virus detector has just been triggered by a message you sent:-
> To:
> Subject: Re:
> Date: Tue Dec 4 17:02:52 2001
> Any infected parts of the message have not been delivered.
>
> This message is simply to warn you that your computer system may have
> a virus present and should be checked.
>
> The virus detector said this about the message:
> Report: /fB4H2et10389/README.MP3.scr Found the W32/BadTrans@MM virus !!!
> Attempt to hide real filename extension in README.MP3.scr
>
>
> Information on viruses can be found at the sites of commercial
> suppliers of anti-virus tools such as NAI (http://vil.nai.com/vil). If
> you are a user at Newcastle University then information and guidance
> on anti-virus measures can be found at
> http://www.ncl.ac.uk/ucs/docs/G17.html.
> --
> Message sent on behalf of Postmaster@ncl.ac.uk
--------------- cut here

Original message as shown in the attachment received by our local recipient with the warning is:

--------------- cut here
Message-Id: <200112041702.fB4H2et10389@cheviot2.ncl.ac.uk>
From: "Support"
To: netskills-admin@netskills.ac.uk
Subject: Re:

Message from Newcastle University MailScanner E-Mail Virus Protection Service
-----------------------------------------------------------------------------
The original e-mail attachment "README.MP3.scr" was believed to be infected by a virus and has been replaced by this warning message.

At Tue Dec 4 17:02:51 2001 the virus scanner said:
/fB4H2et10389/README.MP3.scr Found the W32/BadTrans@MM virus !!!
Attempt to hide real filename extension in README.MP3.scr

Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the infected attachment.
Please ask the sender of the message to disinfect their original version and send you a clean copy.

Information on viruses can be found at the sites of commercial suppliers of anti-virus tools such as NAI (http://vil.nai.com/vil). If you are a user at Newcastle University then information and guidance on anti-virus measures can be found at http://www.ncl.ac.uk/ucs/docs/G17.html.
--
--------------- cut here

Quentin
---
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From nwp at LEMON-COMPUTING.COM Wed Dec 5 14:11:16 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:07 2006
Subject: Sender warnings going to recipients!
In-Reply-To: ; from Q.G.Campbell@NEWCASTLE.AC.UK on Wed, Dec 05, 2001 at 12:16:10PM -0000
References:
Message-ID: <20011205141116.E11655@lemon-computing.com>

On Wed, Dec 05, 2001 at 12:16:10PM -0000, Quentin Campbell wrote:
> We have been running 2.60-2 since it was released. The platforms are
> Solaris 2.7 running sendmail 8.10.1.
>
> We have started to receive complaints (and evidence) that _recipients_
> of infected messages are sometimes getting the "sender" warning message.
> That is, the "To:" address _in_ the warning message (a local recipient)
> also becomes the "To:" address _for_ the warning message itself. The
> latter should be the address of the sender. Any ideas? An example
> follows with the original message at the end:

We've seen things that initially appeared to be incorrect, but actually turned out to be correct, caused by Badtrans.

What we've seen is that the postmaster appears to receive the recipient message, but that's actually caused by the virus replying to the sender warning with another copy of itself.

Nice.

Are you *sure* (like really really really sure) that the recipients of the infected messages are not in fact infected and therefore also senders?

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Increased knowledge will help you now. Have mate's phone bugged.

From Q.G.Campbell at NEWCASTLE.AC.UK Wed Dec 5 15:42:16 2001
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:14:07 2006
Subject: Human factors...
Message-ID:

The message below is typical of a sort that I often receive. Many of our users have become wary (as they should be) about opening any attachment, particularly where the word "virus" is present in the message.

This is becoming an obstacle to them opening the attachment that MailScanner helpfully sends with the recipient warning message. I wonder how things could be restructured so that the recipient warning does not induce this reaction so strongly?
Perhaps I need to modify the text of the warning so that it is more clearly seen to be a message from us that can be trusted; has anyone approached this problem in the same way? Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." ----------- cut here >[snip] >sorry to bother you with this, but I'm not sure who else to ask.. I >still get the occasional email with an attachment and: > >>I send you this file in order to have your advice > >as part of the text. I can't remember which virus/worm it was, but now >there is now a header which says > >>Warning: This message has had one or more attachments removed. Please >>read the "Virus Warning.txt" attachment(s) for more information. > >and indeed there is indeed an attachment Warning.txt > >However being a bit on the over cautious side I'm reluctant to read >said Warning.txt until I know from where it's come. Is this all real UCS >protection in action or is it all another nasty but clever ploy? > > Thanks ----------- cut here From Q.G.Campbell at NEWCASTLE.AC.UK Wed Dec 5 15:52:12 2001 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:07 2006 Subject: Sender warnings going to recipients! Message-ID: > -----Original Message----- > From: Nick Phillips [mailto:nwp@lemon-computing.com] > Sent: 05 December 2001 14:11 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sender warnings going to recipients! > > > On Wed, Dec 05, 2001 at 12:16:10PM -0000, Quentin Campbell wrote: > > We have been running 2.60-2 since it was released. The platforms are > > Solaris 2.7 running sendmail 8.10.1. > > > > We have started to receive complaints (and evidence) that > _recipients_ > > of infected messages are sometimes getting the "sender" warning > > message.
That is, the "To:" address _in_ the warning > message (a local > > recipient) also becomes the "To:" address _for_ the warning message > > itself. The latter should be the address of the sender. Any > ideas? An > > example follows with the original message at the end: > > We've seen things that initially appeared to be incorrect, > but actually turned out to be correct, caused by Badtrans. > > What we've seen is that the postmaster appears to receive the > recipient message, but that's actually caused by the virus > replying to the sender warning with another copy of itself. > > Nice. ** We are seeing an increasing amount of this as well. The messages are ** characterised by being in HTML with the string "Warning" in big, ** bold, red letters. > > Are you *sure* (like really really really sure) that the > recipients of the infected messages are not in fact infected > and therefore also senders? Yes, we are _sure_ that the recipients are not infected. They use Unix workstations! Quentin From nwp at LEMON-COMPUTING.COM Wed Dec 5 16:33:03 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:07 2006 Subject: Human factors... In-Reply-To: ; from Q.G.Campbell@NEWCASTLE.AC.UK on Wed, Dec 05, 2001 at 03:42:16PM -0000 References: Message-ID: <20011205163303.G11655@lemon-computing.com> On Wed, Dec 05, 2001 at 03:42:16PM -0000, Quentin Campbell wrote: > The message below is typical of a sort that I often receive. Many of our > users have become wary (as they should be) about opening any attachment, > particularly where the word "virus" is present in the message. > > This is becoming an obstacle to them opening the attachment that > MailScanner helpfully sends with the recipient warning message. I wonder > how things could be restructured so that the recipient warning does not > induce this reaction so strongly?
Perhaps I need to modify the text of > the warning so that it is more clearly seen to be a message from us that > can be trusted; has anyone approached this problem in the same way? [laugh] I needed that. It's been a bad day. I wish our users were that paranoid. I guess they just need to get used to what it looks like. Maybe you could put a web page up on your internal web site to show what it should look like, and reference the URL in the plain text warning. Or even just send round a plain-text mail to everyone to tell them where to find your anti-virus help page (which they should look at if they're ever in doubt)... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You are sick, twisted and perverted. I like that in a person. From nwp at LEMON-COMPUTING.COM Wed Dec 5 16:36:41 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:07 2006 Subject: Sender warnings going to recipients! In-Reply-To: ; from Q.G.Campbell@NEWCASTLE.AC.UK on Wed, Dec 05, 2001 at 03:52:12PM -0000 References: Message-ID: <20011205163641.H11655@lemon-computing.com> On Wed, Dec 05, 2001 at 03:52:12PM -0000, Quentin Campbell wrote: > > On Wed, Dec 05, 2001 at 12:16:10PM -0000, Quentin Campbell wrote: > > > We have been running 2.60-2 since it was released. The platforms are > > > Solaris 2.7 running sendmail 8.10.1. > > > > > > We have started to receive complaints (and evidence) that > > _recipients_ > > > of infected messages are sometimes getting the "sender" warning > > > message. That is, the "To:" address _in_ the warning > > message (a local > > > recipient) also becomes the "To:" address _for_ the warning message > > > itself. The latter should be the address of the sender. Any > > ideas? An > > > example follows with the original message at the end: > > Are you *sure* (like really really really sure) that the > > recipients of the infected messages are not in fact infected > > and therefore also senders?
> > Yes, we are _sure_ that the recipients are not infected. They use Unix > workstations! You really don't realise how lucky you are... Unix workstations and paranoid users -- what more could you possibly want ;) Anyway, since it's sendmail you're using, over to Jules (I use Exim and avoid sendmail like the plague, so am not in a position to help)... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Your reasoning is excellent -- it's only your basic assumptions that are wrong. From Q.G.Campbell at NEWCASTLE.AC.UK Wed Dec 5 16:41:25 2001 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:07 2006 Subject: Human factors... Message-ID: Nick Thanks. You make a couple of useful suggestions that I will follow up. Quentin > -----Original Message----- > From: Nick Phillips [mailto:nwp@lemon-computing.com] > Sent: 05 December 2001 16:33 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Human factors... > > > On Wed, Dec 05, 2001 at 03:42:16PM -0000, Quentin Campbell wrote: > > > The message below is typical of a sort that I often > receive. Many of > > our users have become wary (as they should be) about opening any > > attachment, particularly where the word "virus" is present in the > > message. > > > > This is becoming an obstacle to them opening the attachment that > > MailScanner helpfully sends with the recipient warning message. I > > wonder how things could be restructured so that the > recipient warning > > does not induce this reaction so strongly? Perhaps I need to modify > > the text of the warning so that it is more clearly seen to be a > > message from us that can be trusted; has anyone approached this > > problem in the same way? > > [laugh] > > I needed that. It's been a bad day. I wish our users were > that paranoid. > > I guess they just need to get used to what it looks like. 
> Maybe you could put a web page up on your internal web site > to show what it should look like, and reference the URL in > the plain text warning. > > Or even just send round a plain-text mail to everyone to tell > them where to find your anti-virus help page (which they > should look at if they're ever in doubt)... > > > Cheers, > > > Nick > > -- > Nick Phillips -- nwp@lemon-computing.com > You are sick, twisted and perverted. I like that in a person. > From yhodso01 at BCUC.AC.UK Wed Dec 5 16:58:07 2001 From: yhodso01 at BCUC.AC.UK (Yvonne.Hodson) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... Message-ID: <200112051658.QAA27552@deborah.buckscol.ac.uk> We too had a couple of paranoid users as described. However, the reverse has taken place this morning in that users have been lulled into a sense of false security since mailscanner was introduced and a few of them managed to let the goner virus get the better of them. (It hadn't got included in last night's automatic ide download from Sophos.) Yvonne Hodson Computer Support Buckinghamshire Chilterns University College. From jkf at ecs.soton.ac.uk Wed Dec 5 17:16:43 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems Message-ID: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> MailScanner seems to be having some problems catching the Goner-A virus. On my systems it appears to miss it, so presumably the MIME decoding is failing to work properly on it. Until I manage to find the cause and publish the fix, I strongly advise you to warn your users about this problem. Sorry about this, it's the first time it has happened and I will try to find a fix as fast as I can. Anyone else who wants to join the bug hunt is welcome to try too! I have already contacted the author of the MIME-tools module to see if he responds with any ideas. 
Sorry again folks :-( If you have managed to catch it, I would be very interested to hear exactly what versions of the MIME-tools module you are using. It may be a bug only present in some versions. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From yhodso01 at BCUC.AC.UK Wed Dec 5 17:31:01 2001 From: yhodso01 at BCUC.AC.UK (Yvonne.Hodson (by way of Julian Field )) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A Message-ID: <5.1.0.14.2.20011205173046.03f2cec0@imap.ecs.soton.ac.uk> Julian, The autoupdate from sophos did not work last night due to problems with unzip of the zip file. This morning, I manually downloaded the individual ide file for goner from sophos into the ide directory and now it is catching it. We are using 2.60-2 Sophos version is 349 on the unix mailserver (but 3.51 on my pc) I'm intending to install 3.52 (now been released) tomorrow to see if the zip file will work. Yvonne BCUC From paul at CWIE.NET Wed Dec 5 17:32:39 2001 From: paul at CWIE.NET (Paul Fries) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <004101c17db2$d77a6d20$d900000a@paul01> Perhaps upgrading TNEF would fix this problem? http://world.std.com/~damned/software.html v1.1 is out. Regards, Paul Fries paul@cwie.net CWIE LLC -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, December 05, 2001 10:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Goner-A problems MailScanner seems to be having some problems catching the Goner-A virus. On my systems it appears to miss it, so presumably the MIME decoding is failing to work properly on it. Until I manage to find the cause and publish the fix, I strongly advise you to warn your users about this problem. 
Sorry about this, it's the first time it has happened and I will try to find a fix as fast as I can. Anyone else who wants to join the bug hunt is welcome to try too! I have already contacted the author of the MIME-tools module to see if he responds with any ideas. Sorry again folks :-( If you have managed to catch it, I would be very interested to hear exactly what versions of the MIME-tools module you are using. It may be a bug only present in some versions. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From tlyons at DIGITALVOODOO.ORG Wed Dec 5 17:34:05 2001 From: tlyons at DIGITALVOODOO.ORG (Tim Lyons) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: Julian, I have been catching it here on a RH7.1 box. Not local right at the moment and don't have time to check versions - will do it later - sorry. --Tim On Wed, 5 Dec 2001, Julian Field wrote: > Date: Wed, 5 Dec 2001 17:16:43 +0000 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Goner-A problems > > MailScanner seems to be having some problems catching the Goner-A virus. On > my systems it appears to miss it, so presumably the MIME decoding is > failing to work properly on it. > > Until I manage to find the cause and publish the fix, I strongly advise you > to warn your users about this problem. > > Sorry about this, it's the first time it has happened and I will try to > find a fix as fast as I can. Anyone else who wants to join the bug hunt is > welcome to try too! I have already contacted the author of the MIME-tools > module to see if he responds with any ideas. > > Sorry again folks :-( > > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. 
It may be a bug only > present in some versions. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- From y.huang at UTORONTO.CA Wed Dec 5 17:49:28 2001 From: y.huang at UTORONTO.CA (Bruce Huang) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems Message-ID: Hi Julian, My system did catch two e-mails with W32/Goner@MM right after I updated virus def from McAfee. Cheers, Bruce From dpalmer at SKIDMORE.EDU Wed Dec 5 18:05:16 2001 From: dpalmer at SKIDMORE.EDU (Deanne Palmer) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <3C0E61DC.C1794865@skidmore.edu> According to our logs MailScanner has caught 252 instances of Goner-A in the past 26 hours. Running MailScanner-2.60-2 on Solaris 8, sophos, tnef-1.1. Appears to be working fine. ---- Deanne Palmer Systems Administrator, Skidmore College dpalmer@skidmore.edu ------------- Julian Field wrote: > MailScanner seems to be having some problems catching the Goner-A virus. On > my systems it appears to miss it, so presumably the MIME decoding is > failing to work properly on it. > > Until I manage to find the cause and publish the fix, I strongly advise you > to warn your users about this problem. > > Sorry about this, it's the first time it has happened and I will try to > find a fix as fast as I can. Anyone else who wants to join the bug hunt is > welcome to try too! I have already contacted the author of the MIME-tools > module to see if he responds with any ideas. > > Sorry again folks :-( > > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel.
023 8059 2817 University of Southampton > Southampton SO17 1BJ ------------------ End of network mail From jkf at ecs.soton.ac.uk Wed Dec 5 17:43:12 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <004101c17db2$d77a6d20$d900000a@paul01> References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20011205174249.07665ce0@imap.ecs.soton.ac.uk> At 17:32 05/12/2001, you wrote: >Perhaps upgrading TNEF would fix this problem? >http://world.std.com/~damned/software.html > v1.1 is out. It's not TNEF encoded (the copies I'm seeing aren't anyway). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Dec 5 17:43:41 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems - false alarm In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20011205173905.075e78f8@imap.ecs.soton.ac.uk> I have now had 3 reports to say that MailScanner is catching it just fine. :-) Phew! I thought it better to alert you (possibly with a false alarm) than sit around for a day and a half (I'm off to a hospital appt in London tomorrow) then discover it's a real problem. I have now seen 3 copies of it myself, all successfully caught by MailScanner. But one note of caution: it sounds like it's time for people to remember to upgrade their Sophos installations, a few people (including me!) were caught out by having a copy of Sophos so old that they were no longer getting up-to-date IDE files. Just download it from www.sophos.com and run "Sophos.install" and all will be well again. At 17:16 05/12/2001, you wrote: >MailScanner seems to be having some problems catching the Goner-A virus. 
On >my systems it appears to miss it, so presumably the MIME decoding is >failing to work properly on it. > >Until I manage to find the cause and publish the fix, I strongly advise you >to warn your users about this problem. > >Sorry about this, it's the first time it has happened and I will try to >find a fix as fast as I can. Anyone else who wants to join the bug hunt is >welcome to try too! I have already contacted the author of the MIME-tools >module to see if he responds with any ideas. > >Sorry again folks :-( > >If you have managed to catch it, I would be very interested to hear exactly >what versions of the MIME-tools module you are using. It may be a bug only >present in some versions. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jethro.binks at STRATH.AC.UK Wed Dec 5 18:23:21 2001 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... In-Reply-To: Message-ID: <20011205181616.N92888-100000@defjam.cc.strath.ac.uk> Hi Quentin, A couple of people here mentioned something to the same effect. So I modified mailscanner.conf to say: === Inline Text Warning = Warning: This message has had one or more viruses removed by the University of Strathclyde Email Scanning System. Please read the "VirusWarning.txt" attachment(s) for more information. Contact the IT Services Helpdesk on the usual number to check the authenticity of this message. Inline HTML Warning =

Warning: This message has had one or more viruses removed by the University of Strathclyde Email Scanning System. Please read the "VirusWarning.txt" attachment(s) for more information. Contact the IT Services Helpdesk on the usual number to check the authenticity of this message.

=== The Helpdesk know what to tell people. In some sense, the methods of contacting the IT Services Helpdesk are a shared secret, hopefully by not dictating the number/email address there will be a minor level of assurance. I also added extensive (maybe too extensive!) blurb to the other messages that get sent out. I suppose there should be a URL with more info quoted for all cases, but I'm a bit rubbish at documenting things on web pages. I would like to be able to configure the name of the attachment with the warning in it, however ... Jethro. On Wed, 5 Dec 2001, Quentin Campbell wrote: > The message below is typical of a sort that I often receive. Many of our > users have become wary (as they should be) about opening any attachment, > particularly where the word "virus" is present in the message. > > This is becoming an obstacle to them opening the attachment that > MailScanner helpfully sends with the recipient warning message. I wonder > how things could be restructured so that the recipient warning does not > induce this reaction so strongly? Perhaps I need to modify the text of > the warning so that it is more clearly seen to be a message from us that > can be trusted; has anyone approached this problem in the same way? > > Quentin > --- > PHONE: +44 191 222 8209 Computing Service, University of Newcastle > FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > "Any opinion expressed above is mine. The University can get its own." > > ----------- cut here > >[snip] > >sorry to bother you with this, but I'm not sure who else to ask.. I > >still get the occasional email with an attachment and: > > > >>I send you this file in order to have your advice > > > >as part of the text. I can't remember which virus/worm it was, but now > >there is now a header which says > > > >>Warning: This message has had one or more attachments removed. 
Please > >>read the "Virus Warning.txt" attachment(s) for more information. > > > >and indeed there is indeed an attachment Warning.txt > > > >However being a bit on the over cautious side I'm reluctant to read > >said Warning.txt until I know from where it's come. Is this all real UCS > > >protection in action or is it all another nasty but clever ploy? > > > > Thanks > ----------- cut here > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From ed at THE7THBEER.COM Wed Dec 5 18:14:31 2001 From: ed at THE7THBEER.COM (Edward Mitchell) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: I've managed to find and stop the virus with 2.60 using MIME-tools-BETA-5.503. HTH ed > > Sorry again folks :-( > > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkha at HPLB.HPL.HP.COM Wed Dec 5 17:59:37 2001 From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <3C0E6089.52C31100@hplb.hpl.hp.com> Julian Field wrote: > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. It appears to be working here.
There are a variety of version numbers in the MIME directory, but Tools.pm reports 5.411 Mailscanner is at version 2-52, running on HP-UX 10.20 -- John Hawkes-Reed Unix hacker. RIT Bristol. T:(0117) 312-8787 From tonyy at FOE.CO.UK Wed Dec 5 17:40:13 2001 From: tonyy at FOE.CO.UK (Tony Yates) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <3C0E5BFD.D022F585@foe.co.uk> Julian et al, Hi. Julian Field wrote: > > MailScanner seems to be having some problems catching the Goner-A virus. On > my systems it appears to miss it, so presumably the MIME decoding is > failing to work properly on it. > [snip] > > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. > -- We've intercepted a clutch today (20+) since last night's signature update. We're using MIME-tools-BETA-5.503 on a mailscanner dedicated perl install (5.6.1). HTH. Regards, Tony.. -- Tony Yates Email: tonyy@foe.co.uk Tel: +44 (0)20 7566 1632 IT Manager, Friends of the Earth, 26-28 Underwood St, London N1 7JQ --------------------------------------------------------------------- From ed at THE7THBEER.COM Wed Dec 5 18:25:24 2001 From: ed at THE7THBEER.COM (Edward Mitchell) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems - false alarm In-Reply-To: <5.1.0.14.2.20011205173905.075e78f8@imap.ecs.soton.ac.uk> Message-ID: On a side note, I'm having problems with logging. Messages are going in /var/log/syslog (Solaris 8) but I'm not finding a way to configure the software to log *which* virii were found. Maybe I'm too sleepy, but what did I miss in the configuration? (MailScanner 2.60). > >Sorry again folks :-( > > > >If you have managed to catch it, I would be very interested to hear exactly > >what versions of the MIME-tools module you are using. It may be a bug only > >present in some versions.
> >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From dpowell at LSSI.NET Wed Dec 5 18:38:04 2001 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: <1007577485.7330.5.camel@powell> Julian I am catching it just fine. I am using Redhat 7.1 operating system with the latest mailscanner installed. Let me know if I can help any. Darrin On Wed, 2001-12-05 at 12:16, Julian Field wrote: > MailScanner seems to be having some problems catching the Goner-A virus. On > my systems it appears to miss it, so presumably the MIME decoding is > failing to work properly on it. > > Until I manage to find the cause and publish the fix, I strongly advise you > to warn your users about this problem. > > Sorry about this, it's the first time it has happened and I will try to > find a fix as fast as I can. Anyone else who wants to join the bug hunt is > welcome to try too! I have already contacted the author of the MIME-tools > module to see if he responds with any ideas. > > Sorry again folks :-( > > If you have managed to catch it, I would be very interested to hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ From hyooga at WT.NET Wed Dec 5 23:45:13 2001 From: hyooga at WT.NET (Paul) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <1007577485.7330.5.camel@powell> References: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> <1007577485.7330.5.camel@powell> Message-ID: <200112052344.fB5NiEx29009@smtp3.wt.net> On Wednesday 05 December 2001 12:38 pm, you wrote: Oh Solaris 8 and redhat 7.2 with MailScanner 2.60 all work fine. Servers been catching it. Paul > Julian > > I am catching it just fine. I am using Redhat 7.1 operating system > with the latest mailscanner installed. Let me know if I can help any. > > > > Darrin > > On Wed, 2001-12-05 at 12:16, Julian Field wrote: > > MailScanner seems to be having some problems catching the Goner-A virus. > > On my systems it appears to miss it, so presumably the MIME decoding is > > failing to work properly on it. > > > > Until I manage to find the cause and publish the fix, I strongly advise > > you to warn your users about this problem. > > > > Sorry about this, it's the first time it has happened and I will try to > > find a fix as fast as I can. Anyone else who wants to join the bug hunt > > is welcome to try too! I have already contacted the author of the > > MIME-tools module to see if he responds with any ideas. > > > > Sorry again folks :-( > > > > If you have managed to catch it, I would be very interested to hear > > exactly what versions of the MIME-tools module you are using. It may be a > > bug only present in some versions. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 
023 8059 2817 University of Southampton > > Southampton SO17 1BJ From andrewh at CQG.COM Thu Dec 6 02:36:31 2001 From: andrewh at CQG.COM (Andrew Hoying) Date: Thu Jan 12 21:14:08 2006 Subject: TNEF taking up 86% of 512MB of ram In-Reply-To: <200112052344.fB5NiEx29009@smtp3.wt.net> Message-ID: Is there any reason why TNEF would suddenly take up over 400MB of ram to process an attachment that is only a few kilobytes in size? This slowed my whole server to a crawl and caused mail delivery to stop for 20 minutes today. I tried to recreate this event, but of the 6 e-mails that could have caused it, I only recovered 4 and only one had a winfile.dat attachment. I sent the e-mail through the scanner a few times, but it never had the same behavior. Any help is greatly appreciated. I have the tnef timeout set to 120 seconds, but mailscanner didn't seem to stop the process after the timeout. Thanks, Andrew Hoying From tom at TILMANT.COM Thu Dec 6 03:29:45 2001 From: tom at TILMANT.COM (Tom Tilmant) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems In-Reply-To: <5.1.0.14.2.20011205174249.07665ce0@imap.ecs.soton.ac.uk> Message-ID: Julian, I am using RH7.1 and have had no issues with the goner virus. According to the sophoswrapper command, I received the update at 7:38 12/4: Data file name : /usr/local/Sophos/ide/goner-a.ide Data file type : IDE Data file date : 04 December 2001, 07:38:17 Data file status : Loaded So, it appears that mailscanner/Sophos were working fine for me :-). Tom -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, December 05, 2001 9:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Goner-A problems At 17:32 05/12/2001, you wrote: >Perhaps upgrading TNEF would fix this problem? >http://world.std.com/~damned/software.html > v1.1 is out. It's not TNEF encoded (the copies I'm seeing aren't anyway). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept.
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 6 07:51:06 2001 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... Message-ID: > -----Original Message----- > From: Jethro R Binks [mailto:jethro.binks@STRATH.AC.UK] > Sent: 05 December 2001 18:23 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Human factors... > > > Hi Quentin, > > A couple of people here mentioned something to the same > effect. So I modified mailscanner.conf to say: > > === > Inline Text Warning = Warning: This message has had one or > more viruses removed by the University of Strathclyde Email > Scanning System. Please read the "VirusWarning.txt" > attachment(s) for more information. Contact the IT Services > Helpdesk on the usual number to check the authenticity of > this message. Inline HTML Warning =

COLOR="red">Warning: This message has had one or more > viruses removed by the University of Strathclyde Email > Scanning System. Please read the "VirusWarning.txt" > attachment(s) for more information. Contact the IT Services > Helpdesk on the usual number to check the authenticity of > this message.

=== Jethro Noted with thanks. We have a well developed Helpdesk system here so I guess I can exploit that in the wording of the messages in order to build more trust. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own."
From sfarrell at ICCONSULTING.COM.AU Thu Dec 6 08:48:12 2001 From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems Message-ID: I caught it also, with mailscanner-2.53-1 - I am using CA innoculateIT - and it caught it just fine. Not to mention that it was stopped by BOTH by virus scanner, and my explicit rules. I have added many rules based use usenet postings about known virus;.
Here are some of the explicit rules I have:

deny    \.dll$    Possible trojan horse    possible virus
deny    \.scr$    Possible trojan horse    possible virus
deny    \.exe$    Possible trojan horse    possible virus
deny    \.asd$    possible virus    possible virus
deny    \.chm$    possible virus    possible virus
deny    \.dll$    possible virus    possible virus
deny    \.ocx$    possible virus    possible virus
deny    \.hlp$    possible virus    possible virus
deny    \.hta$    possible virus    possible virus
deny    \.js$    possible virus    possible virus
deny    \.pif$    possible virus    possible virus
deny    \.scr$    possible virus    possible virus
deny    \.shb$    possible virus    possible virus
deny    \.shs$    possible virus    possible virus
deny    \.vb$    possible virus    possible virus
deny    \.vbe$    possible virus    possible virus
deny    \.vbs$    possible virus    possible virus
deny    \.wsf$    possible virus    possible virus
deny    \.wsh$    possible virus    possible virus

as you can see we just simply blocked the gone.scr - based on it is scr extension. (yes I know - we are pretty anal around here).

regards
Scott Farrell

http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients.
Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.
0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

Julian Field cc: Sent by: Subject: Goner-A problems MailScanner mailing list 06/12/01 04:16 AM Please respond to MailScanner mailing list

MailScanner seems to be having some problems catching the Goner-A virus. On my systems it appears to miss it, so presumably the MIME decoding is failing to work properly on it.

Until I manage to find the cause and publish the fix, I strongly advise you to warn your users about this problem.

Sorry about this, it's the first time it has happened and I will try to find a fix as fast as I can.
Anyone else who wants to join the bug hunt is welcome to try too! I have already contacted the author of the MIME-tools module to see if he responds with any ideas. Sorry again folks :-( If you have managed to catch it, I would be very interested to hear exactly what versions of the MIME-tools module you are using. It may be a bug only present in some versions. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 6 09:49:01 2001 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:08 2006 Subject: Sender warnings going to recipients! Message-ID: > -----Original Message----- > From: Nick Phillips [mailto:nwp@lemon-computing.com] > Sent: 05 December 2001 14:11 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sender warnings going to recipients! > > > On Wed, Dec 05, 2001 at 12:16:10PM -0000, Quentin Campbell wrote: > > We have ben running 2.60-2 since it was released. The platforms are > > Solaris 2.7 running sendmail 8.10.1. > > > > We have started to receive complaints (and evidence) that > _recipients_ > > of infected messages are sometimes getting the "sender" warning > > message. That is, the "To:" address _in_ the warning > message (a local > > recipient) also becomes the "To:" address _for_ the warning message > > itself. The latter should be the address of the sender. Any > ideas? An > > example follows with the original message at the end: > > We've seen things that initially appeared to be incorrect, > but actually turned out to be correct, caused by Badtrans. > > What we've seen is that the postmaster appears to receive the > recipient message, but that's actually caused by the virus > replying to the sender warning with another copy of itself. > > Nice. 
Nick

My colleague, Paul Haldane, did a bit of digging around last night and the sendmail log records show what is really going on.

The envelope From address is a Newcastle one although the message source was a machine at a college in Leeds. In fact our mail logs showed two messages from the same source sent just one second apart. Both had Newcastle addresses in the envelope From field that relate to the Newcastle Netskills team. In both cases the messages carried the Badtrans virus.

This I think is the clue to what is going on. A machine at the college in Leeds is infected with Badtrans. The same machine has previously been in correspondence with various Netskills lists here at Newcastle. Badtrans is a mass mailing worm which attempts to send itself using Microsoft Outlook by replying to unread email messages. It has got some Newcastle addresses from Outlook and used them to send virus carrying message to us with spoofed envelope From addresses.

In fact its use of the addresses that it collects is a little more sophisticated than what the brief description above implies. As a consequence the only way to see what is really going on is to look at your MTA logs, both at the envelope From address and the source of the message that is being queried.

We should thus expect to see "Badtrans" in any other messages of this sort that are brought to our attention.

Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own."
From S.R.Patterson at soton.ac.uk Thu Dec 6 09:59:16 2001 From: S.R.Patterson at soton.ac.uk (Patterson, S R) Date: Thu Jan 12 21:14:08 2006 Subject: TNEF taking up 86% of 512MB of ram Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Set a maximum size on TNEF extraction (-x or --maxsize switch).
TNEF attempts to allocate enough memory to extract the entire attachment based upon how big the TNEF header says the parts are - and for some reasons some TNEF headers claim their parts are many hundreds of megabytes in size when they quite clearly are not. That's exactly what prompted me to put in the --maxsize switch - and yes, I'm still planning to one day write a fix that involves not pre-malloc()ing all of the memory! - -- Steven Patterson, MSci ---------------------- Tel: +44 (0) 2380 595810 | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +------ PGP Public Key: http://www.soton.ac.uk/~srp/pubkey.asc ------+ ...... ...... .. Conviction is a bigger enemy of the truth than lies. .. ...... ...... > -----Original Message----- > From: Andrew Hoying [mailto:andrewh@CQG.COM] > Sent: 06 December 2001 02:37 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: TNEF taking up 86% of 512MB of ram > > > Is there any reason why TNEF would suddenly take up over > 400MB of ram to > process an attachment that is only a few kilobytes in size? > This slowed my > whole server to a crawl and caused mail delivery to stop for > 20 minutes > today. I tried to recreate this event, but of the 6 e-mails > that could have > caused it, I only recovered 4 and only one had a winfile.dat > attachment. I > sent the e-mail through the scanner a few times, but it never > had the same > behavior. > > Any help is greatly appreciated. I have the tnef timeout set > to 120 seconds, > but mailscanner didn't seem to stop the process after the timeout. > > Thanks, > Andrew Hoying > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPA9Bba2fOiTs5+WvEQLsoQCgpSQqHzsFeSaoIYnwChMp+76dhMYAoKUw wCVvyR4aQf61DgvEpMiq3n2Q =u7gv -----END PGP SIGNATURE----- From nwp at LEMON-COMPUTING.COM Thu Dec 6 10:23:13 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:08 2006 Subject: Sender warnings going to recipients! 
In-Reply-To: ; from Q.G.Campbell@NEWCASTLE.AC.UK on Thu, Dec 06, 2001 at 09:49:01AM -0000 References: Message-ID: <20011206102313.D1289@lemon-computing.com> On Thu, Dec 06, 2001 at 09:49:01AM -0000, Quentin Campbell wrote: > In fact its use of the addresses that it collects is a little more > sophisticated than what the brief description above implies. As a > consequence the only way to see what is really going on is to look at > your MTA logs, both at the envelope From address and the source of the > message that is being queried. > > We should thus expect to see "Badtrans" in any other messages of this > sort that are brought to our attention. I'm sure it won't be the last virus to do such things... :( -- Nick Phillips -- nwp@lemon-computing.com You have been selected for a secret mission.
From hzhu at mail.wesleyan.edu Thu Dec 6 13:56:16 2001 From: hzhu at mail.wesleyan.edu (Hong Zhu) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems + versions... In-Reply-To: <5.1.0.14.2.20011205170833.07596f48@imap.ecs.soton.ac.uk> Message-ID: Hi All, > If you have managed to catch it, I would be very interested to > hear exactly > what versions of the MIME-tools module you are using. It may be a bug only > present in some versions. We're catching Goner-A here, and I meant to respond yesterday. Embarrassingly, I couldn't locate the version used here, as we have deleted the perl module source we downloaded, or renamed the unpacked source like mailscanner. Therefore, I'm checking with you how I am able to find out the version used for mailscanner, perl modules like MIME-tools etc.
Many thanks in advance, Hong
From jkf at ecs.soton.ac.uk Fri Dec 7 12:17:33 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... --- Next version In-Reply-To: <20011205181616.N92888-100000@defjam.cc.strath.ac.uk> References: Message-ID: <5.1.0.14.2.20011207120913.06e7efa8@imap.ecs.soton.ac.uk> At 18:23 05/12/2001, you wrote: >Inline Text Warning = Warning: This message has had one or more viruses >removed by the University of Strathclyde Email Scanning System. Please >read the "VirusWarning.txt" attachment(s) for more information. Contact >the IT Services Helpdesk on the usual number to check the authenticity of >this message.
I have just implemented support for multi-line "Inline Text Warning" and "Inline HTML Warning" messages.

>I would like to be able to configure the name of the attachment with the
>warning in it, however ...

Just implemented that, too.

Changes for the next version include:
    Support for Command (CSAV) virus scanner
    Support for Inoculate-IT virus scanner
    Changes to debug logging to quieten down syslog
    Support for using Sophos's built-in (but undocumented) TNEF decoding to improve reliability of scanning TNEF attachments from MS Outlook
    Multi-line inline message warnings
    Configurable "VirusWarning.txt" filename

Other changes planned include:
    Support for other virus scanners (if I can find them)
    Support for SpamAssassin spam detection
    Support for list of local domain names from which we will never send cleaned up messages, just warn the sender instead. This saves face if you are scanning outgoing mail and have an internal outbreak of a mail worm that got in via some non-MailScanner route.
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From carl at CAPAHO.COM Fri Dec 7 12:32:59 2001 From: carl at CAPAHO.COM (Carl Hogue) Date: Thu Jan 12 21:14:08 2006 Subject: No Message Collected Message-ID:

On Wed, 28 Nov 2001 10:22:25 -0600, Peter Valian wrote:
>Hello,
>
>Im having an interesting problem. It seems my message bodies are lost
>and all scanned email goes through with the correct header and the
>X-ECS-Mailscanner tag but the body just contains " <<< No Message
>Collected >>> ".
>
>any ideas?
>
>thanks,
>peter
>
>--
>Peter Valian
>Network & Systems Administrator
>Southwestern University
>Georgetown, Texas
>--

I had the same problem on a Cobalt Raq3.
A previous upgrade patch had moved mqueue to /home/spool/mqueue from /var/spool/mqueue and used a symlink from /var/spool/mqueue to point to /home/spool/mqueue, I created an mqueue.in directory in /home/spool, deleted the mqueue.in directory from /var/spool and created a symlink to point /var/spool/mqueue.in to /home/spool/mqueue.in. That solved the problem on the Cobalt Raq3. From carl at CAPAHO.COM Fri Dec 7 12:48:41 2001 From: carl at CAPAHO.COM (Carl Hogue) Date: Thu Jan 12 21:14:08 2006 Subject: MailScanner Shutdown/Restart Problem Message-ID: I am running MailScanner on a Cobalt Raq3 (Linux OS). Using the command "/etc/rc.d/init.d/mailscanner restart" or "stop" fails to stop or restart MailScanner. A simple "Error"is reported and although sendmail stops and restarts properly, there is no effect on MailScanner. For some reason, the mailscanner process cannot be identified from the script. I have to manually kill the MailScanner pid and then start MailScanner again. Any idea what the problem might be? Best Regards, Carl Hogue carl@capaho.com From sfarrell at ICCONSULTING.COM.AU Sun Dec 9 10:32:53 2001 From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... --- Next version Message-ID: I'd like to help out on both the CA innoculateIT support, and support for spamAssassin. Let me know how I can help. regards Scott Farrell http://www.icconsulting.com.au ic Consulting - the people that make eBusiness happen. We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients. Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers. 0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au Julian Field Sent by: MailScanner mailing list 07/12/2001 10:17 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Human factors... 
--- Next version At 18:23 05/12/2001, you wrote: >Inline Text Warning = Warning: This message has had one or more viruses >removed by the University of Strathclyde Email Scanning System. Please >read the "VirusWarning.txt" attachment(s) for more information. Contact >the IT Services Helpdesk on the usual number to check the authenticity of >this message. I have just implemented support for multi-line "Inline Text Warning" and "Inline HTML Warning" messages. >I would like to be able to configure the name of the attachment with the >warning in it, however ... Just implemented that, too. Changes for the next version include: Support for Command (CSAV) virus scanner Support for Inoculate-IT virus scanner Changes to debug logging to quieten down syslog Support for using Sophos's built-in (but undocumented) TNEF decoding to improve reliability of scanning TNEF attachments from MS Outlook Multi-line inline message warnings Configurable "VirusWarning.txt" filename Other changes planned include: Support for other virus scanners (if I can find them) Support for SpamAssassin spam detection Support for list of local domain names from which we will never send cleaned up messages, just warn the sender instead. This saves face if you are scanning outgoing mail and have an internal outbreak of a mail worm that got in via some non-MailScanner route. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011209/514412fe/attachment.html From richard at BROOKHUIS.ATH.CX Fri Dec 7 13:45:08 2001 From: richard at BROOKHUIS.ATH.CX (Richard Brookhuis) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... --- Next version References: Message-ID: <3C10C7E4.9030401@brookhuis.ath.cx> CSAV support is already done... 
I'm using CSAV at my work and I made a patch for mailscanner, which I recently sent to mr. Field. Scott Farrell wrote: > I'd like to help out on both the CA innoculateIT support, and support > for spamAssassin. > > Let me know how I can help. > > regards > Scott Farrell > > http://www.icconsulting.com.au > ic Consulting - the people that make eBusiness happen. > We offer e-business consulting and perform services. We deliver high > impact consulting, and fast turn around projects for our clients. > Ask us about Web Content Management, Web Self Service, or working > closer with your customers or suppliers. > > 0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au > > > *Julian Field * > Sent by: MailScanner mailing list > > 07/12/2001 10:17 PM > Please respond to MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: Re: Human factors... --- Next version > > > At 18:23 05/12/2001, you wrote: > >Inline Text Warning = Warning: This message has had one or more viruses > >removed by the University of Strathclyde Email Scanning System. Please > >read the "VirusWarning.txt" attachment(s) for more information. Contact > >the IT Services Helpdesk on the usual number to check the authenticity of > >this message. > > I have just implemented support for multi-line "Inline Text Warning" and > "Inline HTML Warning" messages. > > >I would like to be able to configure the name of the attachment with the > >warning in it, however ... > > Just implemented that, too. 
> > Changes for the next version include: > Support for Command (CSAV) virus scanner > Support for Inoculate-IT virus scanner > Changes to debug logging to quieten down syslog > Support for using Sophos's built-in (but undocumented) TNEF > decoding to improve reliability of scanning TNEF attachments from MS > Outlook > Multi-line inline message warnings > Configurable "VirusWarning.txt" filename > > Other changes planned include: > Support for other virus scanners (if I can find them) > Support for SpamAssassin spam detection > Support for list of local domain names from which we will never > send cleaned up messages, just warn the sender instead. This saves face if > you are scanning outgoing mail and have an internal outbreak of a mail > worm > that got in via some non-MailScanner route. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > From jkf at ecs.soton.ac.uk Fri Dec 7 14:20:27 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... --- Next version In-Reply-To: <3C10C7E4.9030401@brookhuis.ath.cx> References: Message-ID: <5.1.0.14.2.20011207142014.03a6c218@imap.ecs.soton.ac.uk> At 13:45 07/12/2001, you wrote: >CSAV support is already done... >I'm using CSAV at my work and I made a patch for mailscanner, which I >recently sent to mr. Field. That's what I'm using. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri Dec 7 14:20:05 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: Human factors... 
--- Next version In-Reply-To: Message-ID: <5.1.0.14.2.20011207141842.06e6a568@imap.ecs.soton.ac.uk> At 10:32 09/12/2001, you wrote: >I'd like to help out on both the CA innoculateIT support, and support for >spamAssassin. I've put in the code you sent me for Innoculate-IT support. I'm just starting on the SpamAssassin work, shouldn't take me too long. >Let me know how I can help. Can you just check that you haven't changed the InoculateIT support in a while? I'll send you the current sweep.pl if you like, it's not quite the same as what you sent me (I changed "ino" to "inoculate"). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri Dec 7 14:18:34 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:08 2006 Subject: MailScanner Shutdown/Restart Problem In-Reply-To: Message-ID: <5.1.0.14.2.20011207141803.06f04008@imap.ecs.soton.ac.uk> At 12:48 07/12/2001, you wrote: >I am running MailScanner on a Cobalt Raq3 (Linux OS). Using the command >"/etc/rc.d/init.d/mailscanner restart" or "stop" fails to stop or restart >MailScanner. A simple "Error"is reported and although sendmail stops and >restarts properly, there is no effect on MailScanner. For some reason, the >mailscanner process cannot be identified from the script. I have to >manually kill the MailScanner pid and then start MailScanner again. Any >idea what the problem might be? The simple answer is that I could have written the init.d script better than I did. You need to kill off both copies of sendmail and the mailscanner process, then "start" it again. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From brandon.pearson at BBSRC.AC.UK Fri Dec 7 16:45:47 2001 From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS)) Date: Thu Jan 12 21:14:08 2006 Subject: Goner-A problems - false alarm Message-ID: <41773CEF2B8FD411920200508BDCDC1203BFAE@bits-exch1.bits.bbsrc.ac.uk> Our mailhub with mailscanner 2.42/sophos appears to have let some goner viruses through. We had an internal outbreak after sophos had been updated. The mail had arrived before sophos was updated and the user ran it after sophos had been updated but before the desktops had been updated. We then got reports from external sites that we were sending out goner viruses. I traced 188 known virus mails going to the mail hub mailscanner/sophos quarantined 178 but let 10 through. These 10 were caught by macafee at the remote site. The only thing I can find is that each mail that got through recorded a resource error in the syslog. Dec 5 11:32:24 mhub2.bbsrc.ac.uk mailscanner[22339]: Failed to lock /exim/exim_incoming/input/16BaF0-0003aY-04-D: Resource temporarily unavailable We get a lot of these errors and I have read on this list that they can be ignored. The mail hub was busy at the time and mailscanner was running flat out processing 100 mails at a time. Any ideas? Thanks, Brandon -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Wednesday, December 05, 2001 5:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Goner-A problems - false alarm I have now had 3 reports to say that MailScanner is catching it just fine. :-) Phew! I thought it better to alert you (possibly with a false alarm) than sit around for a day and a half (I'm off to a hospital appt in London tomorrow) then discover it's a real problem. I have now seen 3 copies of it myself, all successfully caught by MailScanner. 
But one note of caution: it sounds like it's time for people to remember to upgrade their Sophos installations, a few people (including me!) were caught out by having a copy of Sophos so old that they were no longer getting up-to-date IDE files. Just download it from www.sophos.com and run "Sophos.install" and all will be well again.

At 17:16 05/12/2001, you wrote:
>MailScanner seems to be having some problems catching the Goner-A virus. On
>my systems it appears to miss it, so presumably the MIME decoding is
>failing to work properly on it.
>
>Until I manage to find the cause and publish the fix, I strongly advise you
>to warn your users about this problem.
>
>Sorry about this, it's the first time it has happened and I will try to
>find a fix as fast as I can. Anyone else who wants to join the bug hunt is
>welcome to try too! I have already contacted the author of the MIME-tools
>module to see if he responds with any ideas.
>
>Sorry again folks :-(
>
>If you have managed to catch it, I would be very interested to hear exactly
>what versions of the MIME-tools module you are using. It may be a bug only
>present in some versions.
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From howard at harper-adams.ac.uk Fri Dec 7 17:55:36 2001
From: howard at harper-adams.ac.uk (hrobinson@harper-adams.ac.uk)
Date: Thu Jan 12 21:14:08 2006
Subject: Goner-A problems
In-Reply-To:
Message-ID: <200112071754.fB7Hsjb01206@blackhole.harper-adams.ac.uk>

Dear List members

I have added the rule for the .scr files (see below). I have also stopped and restarted mailscanner but it seems to be ignoring the rule, I tested it by sending myself an attachment called goner.scr (a text file) and it passes through. Testing the system by sending myself a filename with double extensions is also getting through even though I #ed the allow commend and rebooted the mailscanner!

Any pointers. Stopping mailscanner stops send mail as well doesn't it?
.
---snip--
> Not to mention that it was stopped by BOTH by virus scanner, and my
> explicit rules. I have added many rules based use usenet postings about
> known virus;.
>
> Here are some of the explicit rules I have:
>
> deny \.dll$ Possible trojan horse possible virus
> deny \.scr$ Possible trojan horse possible virus
> deny \.exe$ Possible trojan horse possible virus
> deny \.asd$ possible virus possible virus
deny \.chm$
---snip--
> Scott Farrell
--more snip--

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
: +44(0)1952 815253 Direct line
Fax.
: +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From nwp at LEMON-COMPUTING.COM Fri Dec 7 18:23:52 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:08 2006
Subject: Goner-A problems - false alarm
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFAE@bits-exch1.bits.bbsrc.ac.uk>; from brandon.pearson@BBSRC.AC.UK on Fri, Dec 07, 2001 at 04:45:47PM -0000
References: <41773CEF2B8FD411920200508BDCDC1203BFAE@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <20011207182352.E435@lemon-computing.com>

On Fri, Dec 07, 2001 at 04:45:47PM -0000, brandon pearson (BITS) wrote:
> Our mailhub with mailscanner 2.42/sophos appears to have let some goner
> viruses through.

> Dec 5 11:32:24 mhub2.bbsrc.ac.uk mailscanner[22339]: Failed to lock
> /exim/exim_incoming/input/16BaF0-0003aY-04-D: Resource temporarily
> unavailable
>
> We get a lot of these errors and I have read on this list that they can be
> ignored. The mail hub was busy at the time and mailscanner was running flat
> out processing 100 mails at a time.
>
> Any ideas?

You're still running exim over the incoming queue, probably from a cronjob.

You should probably have a look at the updated version of the installation instructions for exim -- we've found a better way of preventing delivery now than would have been listed when 2.4x versions of mailscanner were current.

You should probably also have a look in /etc/crontab, /etc/cron.d/exim, and any other cron bits you may have lying around (are you running Debian by any chance)...

...if you're running Debian, you will find that even if you have exim set up to run the queue as a daemon, it will *also* be started from cron at 8 and 38 minutes past the hour. Which I noticed the other day after a client who doesn't use mailscanner started sending goner-a out. There were about 700 messages in the queue, so I did /etc/init.d/exim stop immediately. By the time I got on site, all but about 100 messages had gone thanks to the f***ing cron job. Oops.
Anyway, I'd recommend updating the default exim config to be a bit firmer about refusing to deliver, as contained in the new updated and altogether more wonderful Exim instructions of the mailscanner web site.

Cheers,

Nick

P.S. You will find that most messages most of the time have been getting scanned, as chances are that mailscanner gets there first. But every 30 minutes, anything in the queue will have been getting chucked straight out by the flipping cronjob. Assuming I've guessed your situation correctly.

--
Nick Phillips -- nwp@lemon-computing.com
You will be surprised by a loud noise.

From nwp at LEMON-COMPUTING.COM Fri Dec 7 18:29:08 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:08 2006
Subject: Human factors... --- Next version
In-Reply-To: <5.1.0.14.2.20011207141842.06e6a568@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Fri, Dec 07, 2001 at 02:20:05PM +0000
References: <5.1.0.14.2.20011207141842.06e6a568@imap.ecs.soton.ac.uk>
Message-ID: <20011207182908.F435@lemon-computing.com>

On Fri, Dec 07, 2001 at 02:20:05PM +0000, Julian Field wrote:

> Can you just check that you haven't changed the InoculateIT support in a
> while? I'll send you the current sweep.pl if you like, it's not quite the
> same as what you sent me (I changed "ino" to "inoculate").

I've heard that Inoculate-IT is now called E-Trust EZ-Armor. Which is, er, "nice". Or maybe that's just if you buy it with a bunch of the other E-Trust stuff...

--
Nick Phillips -- nwp@lemon-computing.com
Day of inquiry. You will be subpoenaed.

From marc at ODTSL.COM Fri Dec 7 19:04:15 2001
From: marc at ODTSL.COM (Marc Balcells)
Date: Thu Jan 12 21:14:08 2006
Subject: Human factors... --- Next version
In-Reply-To:
References:
Message-ID: <1007751855.1530.0.camel@marcpor>

I would like to help also, specially on CA innoculateIT 6.0 support. I don't know if you are going to include support for it or for the 4.0 free version.
Thanks

Marc Balcells

On dg, 2001-12-09 at 11:32, Scott Farrell wrote:
> I'd like to help out on both the CA innoculateIT support, and support for
> spamAssassin.
>
> Let me know how I can help.
>
> regards
> Scott Farrell
>
> http://www.icconsulting.com.au
> ic Consulting - the people that make eBusiness happen.
> We offer e-business consulting and perform services. We deliver high
> impact consulting, and fast turn around projects for our clients.
> Ask us about Web Content Management, Web Self Service, or working closer
> with your customers or suppliers.
>
> 0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au
>
>
> Julian Field
> Sent by: MailScanner mailing list
> 07/12/2001 10:17 PM
> Please respond to MailScanner mailing list
>
>
> To: MAILSCANNER@JISCMAIL.AC.UK
> cc:
> Subject: Re: Human factors... --- Next version
>
> At 18:23 05/12/2001, you wrote:
> >Inline Text Warning = Warning: This message has had one or more viruses
> >removed by the University of Strathclyde Email Scanning System. Please
> >read the "VirusWarning.txt" attachment(s) for more information. Contact
> >the IT Services Helpdesk on the usual number to check the authenticity of
> >this message.
>
> I have just implemented support for multi-line "Inline Text Warning" and
> "Inline HTML Warning" messages.
>
> >I would like to be able to configure the name of the attachment with the
> >warning in it, however ...
>
> Just implemented that, too.
>
> Changes for the next version include:
> Support for Command (CSAV) virus scanner
> Support for Inoculate-IT virus scanner
> Changes to debug logging to quieten down syslog
> Support for using Sophos's built-in (but undocumented) TNEF
> decoding to improve reliability of scanning TNEF attachments from MS
> Outlook
> Multi-line inline message warnings
> Configurable "VirusWarning.txt" filename
>
> Other changes planned include:
> Support for other virus scanners (if I can find them)
> Support for SpamAssassin spam detection
> Support for list of local domain names from which we will never
> send cleaned up messages, just warn the sender instead. This saves face if
> you are scanning outgoing mail and have an internal outbreak of a mail
> worm
> that got in via some non-MailScanner route.
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>
>

From LISTSERV at JISCMAIL.AC.UK Fri Dec 7 18:51:42 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: fredd@CI.ASPEN.CO.US requested to join
Message-ID: <200112071851.SAA04905@magpie.ecs.soton.ac.uk>

Fri, 7 Dec 2001 18:51:42

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Fred Dick

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER fredd@CI.ASPEN.CO.US Fred Dick

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.
-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER fredd@CI.ASPEN.CO.US Fred Dick
// EOJ

From jkf at ecs.soton.ac.uk Fri Dec 7 19:43:00 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:08 2006
Subject: Human factors... --- Next version
In-Reply-To: <1007751855.1530.0.camel@marcpor>
References:
Message-ID: <5.1.0.14.2.20011207194215.032ecd90@hawk.ecs.soton.ac.uk>

At 19:04 07/12/2001, you wrote:
>I would like to help also, specially on CA innoculateIT 6.0 support. I
>don't know if you are going to include support for it or for the 4.0
>free version.

You are certainly more than welcome to test the code for me. If you are interested, mail me (mailscanner@ecs.soton.ac.uk) and I'll send you the latest code.

>Thanks
>
>Marc Balcells
>
>On dg, 2001-12-09 at 11:32, Scott Farrell wrote:
> > I'd like to help out on both the CA innoculateIT support, and support for
> > spamAssassin.
> >
> > Let me know how I can help.
> >
> > regards
> > Scott Farrell
> >
> > http://www.icconsulting.com.au
> > ic Consulting - the people that make eBusiness happen.
> > We offer e-business consulting and perform services. We deliver high
> > impact consulting, and fast turn around projects for our clients.
> > Ask us about Web Content Management, Web Self Service, or working closer
> > with your customers or suppliers.
> >
> > 0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au
> >
> >
> > Julian Field
> > Sent by: MailScanner mailing list
> > 07/12/2001 10:17 PM
> > Please respond to MailScanner mailing list
> >
> >
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > cc:
> > Subject: Re: Human factors... --- Next version
> >
> > At 18:23 05/12/2001, you wrote:
> > >Inline Text Warning = Warning: This message has had one or more viruses
> > >removed by the University of Strathclyde Email Scanning System. Please
> > >read the "VirusWarning.txt" attachment(s) for more information.
Contact
> > >the IT Services Helpdesk on the usual number to check the authenticity of
> > >this message.
> >
> > I have just implemented support for multi-line "Inline Text Warning" and
> > "Inline HTML Warning" messages.
> >
> > >I would like to be able to configure the name of the attachment with the
> > >warning in it, however ...
> >
> > Just implemented that, too.
> >
> > Changes for the next version include:
> > Support for Command (CSAV) virus scanner
> > Support for Inoculate-IT virus scanner
> > Changes to debug logging to quieten down syslog
> > Support for using Sophos's built-in (but undocumented) TNEF
> > decoding to improve reliability of scanning TNEF attachments from MS
> > Outlook
> > Multi-line inline message warnings
> > Configurable "VirusWarning.txt" filename
> >
> > Other changes planned include:
> > Support for other virus scanners (if I can find them)
> > Support for SpamAssassin spam detection
> > Support for list of local domain names from which we will never
> > send cleaned up messages, just warn the sender instead. This saves face if
> > you are scanning outgoing mail and have an internal outbreak of a mail
> > worm
> > that got in via some non-MailScanner route.
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
> >
> >

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From gerry at DORFAM.CA Fri Dec 7 21:56:38 2001
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:14:08 2006
Subject: Cost of Virus Scanner!
Message-ID:

I have an old 486 that just won't die that I use for a mail server for my home network. I have a couple of Windows PC's on the network.

I read about MailScanner on the Linux Journal website and tracked it down on Freshmeat.
I installed it on Wednesday without problems. This is one superb application!!!

I hadn't heard of Sophos but since MailScanner supported it I went ahead and installed it too. I was a little nervous as I couldn't find any pricing on their website. Well, I had a right to be.

I got a call yesterday from their US sales office. Their sales rep told me that the minimum license would be 50 seats (ie. to cover 50 PC's) at $15 USD/seat! Obviously, I am not going to pay $750 USD. Sophos said this is a commercial application and is not intended for home users. He felt it was competitive with similar packages from McAfee.

I suggest a warning be placed on the MailScanner website (and any other site that carries MailScanner ie. Freshmeat) that it requires a commercial virus scanner for full functionality. The cost of these scanners preclude home use.

Gerry
--
"The lyfe so short, the craft so long to learne" Chaucer

From gerry at DORFAM.CA Fri Dec 7 22:00:38 2001
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:14:08 2006
Subject: MailScanner and Fetchmail?
Message-ID:

While MailScanner works great for all mail passing through my mail server I have one mail account that's on my ISP. I pull mail from it using fetchmail. If I understand MailScanner it only works for mail arriving at port 25. Is there any way to have it check mail pulled in by fetchmail?

Gerry
--
"The lyfe so short, the craft so long to learne" Chaucer

From chris at MATTS.CO.UK Fri Dec 7 23:12:32 2001
From: chris at MATTS.CO.UK (Chris Kilner)
Date: Thu Jan 12 21:14:08 2006
Subject: Cost of Virus Scanner!
In-Reply-To:
Message-ID:

We are resellers of Sophos here in the uk the current price for a single user is £99.00 sterling
I'm not sure what that is in US dollars but it's less than $750

Chris

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Gerry Doris
Sent: 07 December 2001 21:57
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Cost of Virus Scanner!
I have an old 486 that just won't die that I use for a mail server for my home network. I have a couple of Windows PC's on the network.

I read about MailScanner on the Linux Journal website and tracked it down on Freshmeat. I installed it on Wednesday without problems. This is one superb application!!!

I hadn't heard of Sophos but since MailScanner supported it I went ahead and installed it too. I was a little nervous as I couldn't find any pricing on their website. Well, I had a right to be.

I got a call yesterday from their US sales office. Their sales rep told me that the minimum license would be 50 seats (ie. to cover 50 PC's) at $15 USD/seat! Obviously, I am not going to pay $750 USD. Sophos said this is a commercial application and is not intended for home users. He felt it was competitive with similar packages from McAfee.

I suggest a warning be placed on the MailScanner website (and any other site that carries MailScanner ie. Freshmeat) that it requires a commercial virus scanner for full functionality. The cost of these scanners preclude home use.

Gerry
--
"The lyfe so short, the craft so long to learne" Chaucer

From gerry at DORFAM.CA Sat Dec 8 00:16:11 2001
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:14:08 2006
Subject: Cost of Virus Scanner!
In-Reply-To:
Message-ID:

I'm actually in Toronto, Canada. Using today's exchange rates 99 sterling is $229.34 Cdn and $750 USD is a mere $1197.08 Cdn. How can there be that big a difference for the same product?

I don't mind paying for a good product but $1200 is ridiculous for a home user.
Gerry

On Fri, 7 Dec 2001, Chris Kilner wrote:

> We are resellers of Sophos here in the uk the current price for a single
> user is £99.00 sterling
> I'm not sure what that is in US dollars but it's less than $750
>
> Chris
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Gerry Doris
> Sent: 07 December 2001 21:57
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Cost of Virus Scanner!
>
>
> I have an old 486 that just won't die that I use for a mail server for my
> home network. I have a couple of Windows PC's on the network.
>
> I read about MailScanner on the Linux Journal website and tracked it down
> on Freshmeat. I installed it on Wednesday without problems. This is one
> superb application!!!
>
> I hadn't heard of Sophos but since MailScanner supported it I went ahead
> and installed it too. I was a little nervous as I couldn't find any
> pricing on their website. Well, I had a right to be.
>
> I got a call yesterday from their US sales office. Their sales rep told
> me that the minimum license would be 50 seats (ie. to cover 50 PC's) at
> $15 USD/seat! Obviously, I am not going to pay $750 USD. Sophos said
> this is a commercial application and is not intended for home users. He
> felt it was competitive with similar packages from McAfee.
>
> I suggest a warning be placed on the MailScanner website (and any other
> site that carries MailScanner ie. Freshmeat) that it requires a commercial
> virus scanner for full functionality. The cost of these scanners
> preclude home use.
>
>
> Gerry
> --
> "The lyfe so short, the craft so long to learne" Chaucer
>

--
"The lyfe so short, the craft so long to learne" Chaucer

From sfarrell at ICCONSULTING.COM.AU Sun Dec 9 22:08:29 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:08 2006
Subject: MailScanner and Fetchmail?
Message-ID:

I think if you fiddle with fetchmail, you can get it to resend any email it reads via smtp, this is a part of what I use (from .fetchmailrc):

    smtpname sfarrell@icconsulting.com.au
    smtphost 192.168.0.2

This stops fetchmail from even attempting local delivery.

regards
Scott Farrell

http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients.
Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.

0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

Gerry Doris
Sent by: MailScanner mailing list
08/12/2001 08:00 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: MailScanner and Fetchmail?

While MailScanner works great for all mail passing through my mail server I have one mail account that's on my ISP. I pull mail from it using fetchmail. If I understand MailScanner it only works for mail arriving at port 25. Is there any way to have it check mail pulled in by fetchmail?

Gerry
--
"The lyfe so short, the craft so long to learne" Chaucer

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011210/69d191cc/attachment.html

From sfarrell at ICCONSULTING.COM.AU Sun Dec 9 22:11:34 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:08 2006
Subject: Human factors... --- Next version
Message-ID:

no problem, I'll check that I haven't changed anything. It's been running pretty good, got lots of goner, and badtrans over the recent weeks.

I'll look forward to you emailing me your current sweep.pl file.

regards
Scott Farrell

http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services.
We deliver high impact consulting, and fast turn around projects for our clients.
Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.

0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

Julian Field
Sent by: MailScanner mailing list
08/12/2001 12:20 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Human factors... --- Next version

At 10:32 09/12/2001, you wrote:
>I'd like to help out on both the CA innoculateIT support, and support for
>spamAssassin.

I've put in the code you sent me for Innoculate-IT support. I'm just starting on the SpamAssassin work, shouldn't take me too long.

>Let me know how I can help.

Can you just check that you haven't changed the InoculateIT support in a while? I'll send you the current sweep.pl if you like, it's not quite the same as what you sent me (I changed "ino" to "inoculate").
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011210/d36ad37c/attachment.html

From splee at PLEXIO.COM Sat Dec 8 01:46:44 2001
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:14:08 2006
Subject: Cost of Virus Scanner!
In-Reply-To:
References:
Message-ID: <1007776006.5743.7.camel@ralph.plexio.private>

Here's what I wrote about Sophos pricing in an earlier thread:

As I understand it, the SAV license covers both the server and the desktop so NAV wouldn't be needed. You can even run a client copy at home.

What bugs me about Sophos though, is that they are not very obvious about their pricing structure. Pricing is not on their website and even if you asked for it by email, they insist you try the demo first - why bother if it is too expensive in the first place?
Having asked Sophos on several occasions for pricing for a particular number of users at a certain geographic location (Canada) without much luck, I finally broke down and tried the demo. Several more emails and phone calls later, I finally got some prices. It's like pulling teeth!

The US/Canada pricing quoted to me was: $150USD for 1 user, $120 for 2-4 users, $85 for 5-9 user and $60 for 10-? users.

In the end, SAV _is_ a nice product but is expensive and is targeted at the corporate market.

Stephen

On Fri, 2001-12-07 at 16:16, Gerry Doris wrote:
> I'm actually in Toronto, Canada. Using today's exchange rates 99 sterling
> is $229.34 Cdn and $750 USD is a mere $1197.08 Cdn. How can there be that
> big a difference for the same product?
>
> I don't mind paying for a good product but $1200 is ridiculous for a home
> user.
>
> Gerry
>
> On Fri, 7 Dec 2001, Chris Kilner wrote:
>
> > We are resellers of Sophos here in the uk the current price for a single
> > user is £99.00 sterling
> > I'm not sure what that is in US dollars but it's less than $750
> >
> > Chris
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Gerry Doris
> > Sent: 07 December 2001 21:57
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Cost of Virus Scanner!
> >
> >
> > I have an old 486 that just won't die that I use for a mail server for my
> > home network. I have a couple of Windows PC's on the network.
> >
> > I read about MailScanner on the Linux Journal website and tracked it down
> > on Freshmeat. I installed it on Wednesday without problems. This is one
> > superb application!!!
> >
> > I hadn't heard of Sophos but since MailScanner supported it I went ahead
> > and installed it too. I was a little nervous as I couldn't find any
> > pricing on their website. Well, I had a right to be.
> >
> > I got a call yesterday from their US sales office. Their sales rep told
> > me that the minimum license would be 50 seats (ie.
to cover 50 PC's) at
> > $15 USD/seat! Obviously, I am not going to pay $750 USD. Sophos said
> > this is a commercial application and is not intended for home users. He
> > felt it was competitive with similar packages from McAfee.
> >
> > I suggest a warning be placed on the MailScanner website (and any other
> > site that carries MailScanner ie. Freshmeat) that it requires a commercial
> > virus scanner for full functionality. The cost of these scanners
> > preclude home use.
> >
> >
> > Gerry
> > --
> > "The lyfe so short, the craft so long to learne" Chaucer
> >
>
> --
> "The lyfe so short, the craft so long to learne" Chaucer
>

From carl at CAPAHO.COM Sat Dec 8 16:05:49 2001
From: carl at CAPAHO.COM (Carl Hogue)
Date: Thu Jan 12 21:14:08 2006
Subject: Expanding Port Use
Message-ID:

It appears that the default restart every four hours results in a new port connection by syslog without the previous connection being terminated:

UDP
Lcl port   Rmt port     Status
4725=?     514=syslog   01=ESTABLISD
4724=?     514=syslog   01=ESTABLISD
4718=?     514=syslog   01=ESTABLISD
4671=?     514=syslog   01=ESTABLISD
4599=?     514=syslog   01=ESTABLISD
4580=?     514=syslog   01=ESTABLISD
4548=?     514=syslog   01=ESTABLISD
4534=?     514=syslog   01=ESTABLISD
4461=?     514=syslog   01=ESTABLISD

Suggestions on how to resolve this problem would be appreciated.
Best Regards,
Carl Hogue
carl@capaho.com

From LISTSERV at JISCMAIL.AC.UK Sat Dec 8 06:11:55 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: mdchaney@MICHAELCHANEY.COM requested to join
Message-ID: <200112080611.GAA01333@magpie.ecs.soton.ac.uk>

Sat, 8 Dec 2001 06:11:55

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Michael Chaney

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER mdchaney@MICHAELCHANEY.COM Michael Chaney

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER mdchaney@MICHAELCHANEY.COM Michael Chaney
// EOJ

From LISTSERV at JISCMAIL.AC.UK Sat Dec 8 10:30:46 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: ntk@RU.ACAD.BG requested to join
Message-ID: <200112081030.KAA08954@magpie.ecs.soton.ac.uk>

Sat, 8 Dec 2001 10:30:46

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Nikolay Kabaivanov

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER ntk@RU.ACAD.BG Nikolay Kabaivanov

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed.
Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER ntk@RU.ACAD.BG Nikolay Kabaivanov
// EOJ

From LISTSERV at JISCMAIL.AC.UK Fri Dec 7 23:56:47 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: racke@LINUXIA.DE left the JISCmail list
Message-ID: <200112072356.XAA18678@magpie.ecs.soton.ac.uk>

Fri, 7 Dec 2001 23:56:47

Stefan Hornburg has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From LISTSERV at JISCMAIL.AC.UK Sat Dec 8 00:33:28 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: carl@AOB-DAVINCI.COM left the JISCmail list
Message-ID: <200112080033.AAA20197@magpie.ecs.soton.ac.uk>

Sat, 8 Dec 2001 00:33:28

Carl Hogue has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From jkf at ecs.soton.ac.uk Sun Dec 9 13:33:51 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:08 2006
Subject: Expanding Port Use
In-Reply-To:
Message-ID: <5.1.0.14.2.20011209133050.035df8e0@hawk.ecs.soton.ac.uk>

At 16:05 08/12/2001, you wrote:
>It appears that the default restart every four hours results in a new port
>connection by syslog without the previous connection being terminated:
>
>Suggestions on how to resolve this problem would be appreciated.

Sounds like me forgetting to close the syslog before re-execing MailScanner after the restart time. I'll fix it in the next version.

Fortunately 1 port every 4 hours isn't too critical to the maximum uptime you can achieve. Say 60,000 free ports, should last you 60,000*4 hours > 27 years :-)

Well spotted though!
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept.
of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sun Dec 9 13:24:34 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d))
Date: Thu Jan 12 21:14:08 2006
Subject: MAILSCANNER: wmcdonald@ORCTEL.CO.UK requested to join
Message-ID: <200112091324.NAA20622@magpie.ecs.soton.ac.uk>

Sun, 9 Dec 2001 13:24:34

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from "Will Mc Donald."

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER wmcdonald@ORCTEL.CO.UK Will Mc Donald.

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER wmcdonald@ORCTEL.CO.UK Will Mc Donald.
// EOJ

From nwp at LEMON-COMPUTING.COM Sun Dec 9 13:48:07 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:08 2006
Subject: Expanding Port Use
In-Reply-To: ; from carl@CAPAHO.COM on Sat, Dec 08, 2001 at 04:05:49PM +0000
References:
Message-ID: <20011209134807.F29751@lemon-computing.com>

On Sat, Dec 08, 2001 at 04:05:49PM +0000, Carl Hogue wrote:
> It appears that the default restart every four hours results in a new port
> connection by syslog without the previous connection being terminated:
>
> UDP
> Lcl port   Rmt port     Status
> 4725=?     514=syslog   01=ESTABLISD
> 4724=?     514=syslog   01=ESTABLISD
> 4718=?     514=syslog   01=ESTABLISD
> 4671=?     514=syslog   01=ESTABLISD
> 4599=?     514=syslog   01=ESTABLISD
> 4580=?     514=syslog   01=ESTABLISD
> 4548=?     514=syslog   01=ESTABLISD
> 4534=?     514=syslog   01=ESTABLISD
> 4461=?     514=syslog   01=ESTABLISD

Thanks for pointing this out.

> Suggestions on how to resolve this problem would be appreciated.

I'm fixing it in CVS now; it will be fixed in the next release. In the meantime, for anyone who wants to fix it now, you need to modify the bottom of the main mailscanner script to look something like this:

    # I have done a large number of virus scanning runs now,
    # so kill and re-run myself.
    unless ($Config::Debugging) {
      Log::DebugLog("About to re-exec myself: exec args ($0), (" .
                    @ARGV . "), cwd is (" . `pwd` . ")...");
      # Don't want to leave connections to 514/udp open...
      Sys::Syslog::closelog();
      # But we may need to log here...
      exec $0, @ARGV or do {
        Log::Start($basename);
        DieLog("Could not re-exec myself!");
      };
    }

--
Nick Phillips -- nwp@lemon-computing.com
Your boss climbed the corporate ladder, wrong by wrong.

From wmcdonald at ORCTEL.CO.UK Sun Dec 9 13:52:04 2001
From: wmcdonald at ORCTEL.CO.UK (Will Mc Donald)
Date: Thu Jan 12 21:14:09 2006
Subject: MailScanner problems: No such file or directory at sweep.pl line 429
Message-ID: <013501c180b8$b04da1a0$cb3ca8c0@orctel.internal>

Hi,

I'm a newboy to mailscanner and I'm having some trouble getting it running on one of our mail servers. We're running on Solaris 2.5.1 running sendmail-8.8.5. This is due to be replaced with a linux box running a more recent version of sendmail but for the time being that's the setup.

I installed MailScanner-2.60-2, along with all the relevant bits and bobs listed in the install guide on the website. We're using mcafee as the mail scanner.

When running mailscanner, on the console I get stuff like...

------------------------------------------------------------------------
cat: cannot open /var/spool/mqueue.in/dfNAA26896
cat: cannot open /var/spool/MailScanner/incoming/NAA26961.header
cat: cannot open /var/spool/mqueue.in/dfNAA26961
Commercial virus checker failed with real error: Can't run commercial disinfector: No such file or directory at /usr/local/mailscanner/bin/sweep.pl line 429.
Commercial virus checker failed with real error: Can't run commercial disinfector: No such file or directory at sweep.pl line 429.
Commercial virus checker failed with real error: Can't run commercial disinfector: No such file or directory at /usr/local/mailscanner/bin/sweep.pl line 429.
------------------------------------------------------------------------

And in the syslog, a barrage of messages like...

------------------------------------------------------------------------
Dec 9 13:48:15 relais1 mailscanner[27014]: Cannot parse /var/spool/MailScanner/incoming/NAA27082.header and /var/spool/mqueue.in/dfNAA27082, write-open /var/spool/MailScanner/incoming/NAA27082/logo.gif: No such file or directory at /usr/local/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 414.
Dec 9 13:48:17 relais1 mailscanner[27114]: Commercial virus checker failed with real error: Can't run commercial disinfector: No such file or directory at sweep.pl line 429.
Dec 9 13:48:17 relais1 mailscanner[27101]: Commercial disinfector returned 2304
------------------------------------------------------------------------

I can make all the mail scanner messages from the logs available if it helps.

What's happening seems in some ways similar to the thread from Bruce Huang
http://makeashorterlink.com/?S1A22673

I'm wondering if the problem could be due to some of the settings in the
config.pm.
I know Julian mentions you shouldn't need to modify that but looking at the
locations for

    $Config::QuarantineDir = "$prefix/var/quarantine";
    $Config::SrcDir = "$prefix/var/incoming";

Those two directories need to be kept on the same partition as mqueue and
mqueue.in yes?

So would linking

    $prefix/var/quarantine
    $prefix/var/incoming

to the real directories in /var/spool/MailScanner help or am I way off the
mark?

Oh, I'm also seeing loads of instances of mailscanner, is that right?

[root@relais1 spool]# ps -efl | grep mail
 8 S root 27381 27356 0 55 20 609f0000 893 609f01d0 14:00:46 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26701 1 0 41 20 609f1320 893 609f14f0 13:20:29 ? 0:01 /usr/bin/perl /usr/local/mailscanne
 8 S root 27118 26181 0 41 20 6063a008 254 608cf9ce 13:48:28 ? 0:00 /usr/lib/sendmail -q15m
 8 S root 27391 27355 0 51 20 60b34680 893 60b34850 14:00:47 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27359 27330 0 51 20 60e17328 893 60e174f8 14:00:44 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27356 27280 0 65 20 60bea000 893 60580e74 14:00:44 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27330 26931 0 61 20 60beb980 893 60581734 14:00:42 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27385 27346 0 87 20 60a7e008 910 60a7e1d8 14:00:46 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 27163 1 0 41 20 601ee668 910 601ee838 13:50:40 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 26987 1 0 41 20 60dc19a0 910 60dc1b70 13:45:37 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 26841 1 1 50 20 60717998 910 60581eb4 13:34:59 ? 0:01 /usr/bin/perl /usr/local/mailscanne
 8 S root 27341 27173 0 44 20 60716cd8 893 60716ea8 14:00:42 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 27176 1 0 41 20 609d99a0 893 609d9b70 13:50:41 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26556 1 0 71 20 60b359a0 893 60580fb4 13:05:52 ? 0:01 /usr/bin/perl ./mailscanner
 8 S root 27048 1 0 41 20 60893998 893 60893b68 13:46:42 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27173 1 0 55 20 60b34ce0 893 60581af4 13:50:40 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 27355 26875 0 61 20 609d4ce0 893 605220d4 14:00:44 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27280 1 0 54 20 60dc1340 893 60581874 13:55:42 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27346 26841 0 67 20 601ef988 910 60580ab4 14:00:43 ? 0:00 /usr/bin/perl /usr/local/mailscanne
 8 S root 27396 27357 0 54 20 60747980 893 60747b50 14:00:48 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26931 1 0 51 20 60746660 893 605814b4 13:40:36 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 27400 26113 0 51 20 60e16668 104 60522494 14:01:04 pts/2 0:00 grep mail
 8 S root 26875 1 1 53 20 60dc0020 893 60581c34 13:35:33 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26994 1 0 51 20 601eecc8 893 601eee98 13:45:38 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26181 1 0 51 20 609d5340 246 609d5510 12:33:28 ? 0:00 /usr/lib/sendmail -q15m
 8 S root 27101 1 0 41 20 609d8020 893 609d81f0 13:48:15 ? 0:00 /usr/bin/perl ./mailscanner
 8 S root 26185 1 0 41 20 609d4680 249 608adc66 12:33:28 ? 0:00 /usr/lib/sendmail -bd -ODeliveryMod
 8 S root 27357 26556 0 64 20 60beacc0 893 60580bf4 14:00:44 ? 0:00 /usr/bin/perl ./mailscanner

From nwp at LEMON-COMPUTING.COM Sun Dec 9 14:45:38 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: MailScanner problems: No such file or directory at sweep.pl line 429
In-Reply-To: <013501c180b8$b04da1a0$cb3ca8c0@orctel.internal>; from wmcdonald@ORCTEL.CO.UK on Sun, Dec 09, 2001 at 01:52:04PM -0000
References: <013501c180b8$b04da1a0$cb3ca8c0@orctel.internal>
Message-ID: <20011209144538.K29751@lemon-computing.com>

On Sun, Dec 09, 2001 at 01:52:04PM -0000, Will Mc Donald wrote:
> Hi, I'm a newboy to mailscanner and I'm having some trouble getting it
> running on one of our mail servers. We're running on Solaris 2.5.1 running
> sendmail-8.8.5.

[shudder]

> ------------------------------------------------------------------------
> cat: cannot open /var/spool/mqueue.in/dfNAA26896
> cat: cannot open /var/spool/MailScanner/incoming/NAA26961.header
> cat: cannot open /var/spool/mqueue.in/dfNAA26961

Not sure why they might be off the top of my head.

> Commercial virus checker failed with real error: Can't run commercial
> disinfector: No such file or directory at
> /usr/local/mailscanner/bin/sweep.pl line 429.

Looks like your anti-virus product isn't installed where you told mailscanner
it is - check the "Sweep" setting in the mailscanner.conf.

> I'm wondering if the problem could be due to some of the settings in the
> config.pm. I know Julian mentions you shouldn't need to modify that but
> looking at the locations for
>
> $Config::QuarantineDir = "$prefix/var/quarantine";
> $Config::SrcDir = "$prefix/var/incoming";
>
> Those two directories need to be kept on the same partition as mqueue and
> mqueue.in yes?

Nope. Only the queue directories absolutely must be on the same partition.

> Oh, I'm also seeing loads of instances of mailscanner, is that right?

Nope. You probably need to modify the settings for the "ps" detection in the
check_mailscanner script.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Today is the last day of your life so far.

From wmcdonald at ORCTEL.CO.UK Sun Dec 9 14:43:13 2001
From: wmcdonald at ORCTEL.CO.UK (Will Mc Donald)
Date: Thu Jan 12 21:14:09 2006
Subject: MailScanner problems: No such file or directory at sweep.pl line 429
References: <013501c180b8$b04da1a0$cb3ca8c0@orctel.internal> <20011209144538.K29751@lemon-computing.com>
Message-ID: <019001c180bf$d59e1320$cb3ca8c0@orctel.internal>

From: "Nick Phillips"

> On Sun, Dec 09, 2001 at 01:52:04PM -0000, Will Mc Donald wrote:
> > Hi, I'm a newboy to mailscanner and I'm having some trouble getting it
> > running on one of our mail servers. We're running on Solaris 2.5.1 running
> > sendmail-8.8.5.
>
> [shudder]

:) I know, I considered not posting that but thought it might be important.

> > ------------------------------------------------------------------------
> > cat: cannot open /var/spool/mqueue.in/dfNAA26896
> > cat: cannot open /var/spool/MailScanner/incoming/NAA26961.header
> > cat: cannot open /var/spool/mqueue.in/dfNAA26961
>
> Not sure why they might be off the top of my head.

There are some weird things going on in the incoming and quarantine dirs but I
suspect they may be related to the overall problem.

> > Commercial virus checker failed with real error: Can't run commercial
> > disinfector: No such file or directory at
> > /usr/local/mailscanner/bin/sweep.pl line 429.
>
> Looks like your anti-virus product isn't installed where you told
> mailscanner it is - check the "Sweep" setting in the mailscanner.conf.

Yep, I've just been double checking this and noticed that the mcafeewrapper
wasn't where I'd said it was in the mailscanner.conf. About 30 seconds before
receiving this mail too. I've since changed that and restarted mailsweeper
and, fingers crossed, it looks OK now.

> > I'm wondering if the problem could be due to some of the settings in the
> > config.pm. I know Julian mentions you shouldn't need to modify that but
> > looking at the locations for
> >
> > $Config::QuarantineDir = "$prefix/var/quarantine";
> > $Config::SrcDir = "$prefix/var/incoming";
> >
> > Those two directories need to be kept on the same partition as mqueue and
> > mqueue.in yes?
>
> Nope. Only the queue directories absolutely must be on the same partition.
>
> > Oh, I'm also seeing loads of instances of mailscanner, is that right?
>
> Nope. You probably need to modify the settings for the "ps" detection in
> the check_mailscanner script.

Will do. Thanks for the pointers.

Will.

From carl at CAPAHO.COM Mon Dec 10 12:00:44 2001
From: carl at CAPAHO.COM (Carl Hogue)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
Message-ID:

I received a response from my friendly neighborhood Sophos dealer today.
He wants about $450 USD (GBP 310?) for a one-year 25 user SAVI license.
That's his minimum price for using Sophos to scan e-mail attachments on a
mail server. It seems a bit overpriced to me.

Best Regards
Carl Hogue
carl@capaho.com

From nwp at LEMON-COMPUTING.COM Mon Dec 10 12:46:13 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
In-Reply-To: ; from carl@CAPAHO.COM on Mon, Dec 10, 2001 at 12:00:44PM +0000
References:
Message-ID: <20011210124613.X29751@lemon-computing.com>

On Mon, Dec 10, 2001 at 12:00:44PM +0000, Carl Hogue wrote:
> I received a response from my friendly neighborhood Sophos dealer today.
> He wants about $450 USD (GBP 310?) for a one-year 25 user SAVI license.
> That's his minimum price for using Sophos to scan e-mail attachments on a
> mail server. It seems a bit overpriced to me.

That is the minimum cost for a SAVI license, but if you were to buy, for
example, a 5-user "Classic" license then you would be entitled to use that on
a server. That would cost a bit less (not massively so, I admit) and entitle
you to use Sophos on all the desktops too.

How many users do you actually have?

--
Nick Phillips -- nwp@lemon-computing.com
You will be a winner today. Pick a fight with a four-year-old.

From brandon.pearson at BBSRC.AC.UK Mon Dec 10 15:02:28 2001
From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS))
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
Message-ID: <41773CEF2B8FD411920200508BDCDC1203BFB5@bits-exch1.bits.bbsrc.ac.uk>

Nick,

Thanks for the reply. We are running exim 3.31 on Solaris 7.

I couldn't find any cronjobs running but we had our incoming queue set to
queue_smtp_domains which we thought was pretty much the same as queue_only.
However setting this back to queue_only appears to have stopped all the
errors so I guess they are not the same.

Is this a conflict between mailscanner and exim because exim is still trying
to do the routing on the mail while mailscanner is trying to scan it?

Thanks again,
Brandon

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Friday, December 07, 2001 6:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Goner-A problems - false alarm

On Fri, Dec 07, 2001 at 04:45:47PM -0000, brandon pearson (BITS) wrote:
> Our mailhub with mailscanner 2.42/sophos appears to have let some goner
> viruses through.
> Dec 5 11:32:24 mhub2.bbsrc.ac.uk mailscanner[22339]: Failed to lock
> /exim/exim_incoming/input/16BaF0-0003aY-04-D: Resource temporarily
> unavailable
>
> We get a lot of these errors and I have read on this list that they can be
> ignored. The mail hub was busy at the time and mailscanner was running flat
> out processing 100 mails at a time.
>
> Any ideas?

You're still running exim over the incoming queue, probably from a cronjob.

You should probably have a look at the updated version of the installation
instructions for exim -- we've found a better way of preventing delivery now
than would have been listed when 2.4x versions of mailscanner were current.

You should probably also have a look in /etc/crontab, /etc/cron.d/exim, and
any other cron bits you may have lying around (are you running Debian by any
chance)...

...if you're running Debian, you will find that even if you have exim set up
to run the queue as a daemon, it will *also* be started from cron at 8 and 38
minutes past the hour. Which I noticed the other day after a client who
doesn't use mailscanner started sending goner-a out. There were about 700
messages in the queue, so I did /etc/init.d/exim stop immediately. By the time
I got on site, all but about 100 messages had gone thanks to the f***ing cron
job. Oops.

Anyway, I'd recommend updating the default exim config to be a bit firmer
about refusing to deliver, as contained in the new updated and altogether more
wonderful Exim instructions of the mailscanner web site.

Cheers,

Nick

P.S. You will find that most messages most of the time have been getting
scanned, as chances are that mailscanner gets there first. But every 30
minutes, anything in the queue will have been getting chucked straight out by
the flipping cronjob. Assuming I've guessed your situation correctly.

--
Nick Phillips -- nwp@lemon-computing.com
You will be surprised by a loud noise.

From nwp at LEMON-COMPUTING.COM Mon Dec 10 15:19:41 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFB5@bits-exch1.bits.bbsrc.ac.uk>; from brandon.pearson@BBSRC.AC.UK on Mon, Dec 10, 2001 at 03:02:28PM -0000
References: <41773CEF2B8FD411920200508BDCDC1203BFB5@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <20011210151941.C29751@lemon-computing.com>

On Mon, Dec 10, 2001 at 03:02:28PM -0000, brandon pearson (BITS) wrote:
> I couldn't find any cronjobs running but we had our incoming queue set to
> queue_smtp_domains which we thought was pretty much the same as queue_only.
> However setting this back to queue_only appears to have stopped all the
> errors so I guess they are not the same.

queue_smtp_domains, if I recall correctly, will only prevent an *immediate*
delivery attempt. Whilst queue_only will work so long as you don't explicitly
tell exim to do a queue run, I'd recommend going further than that, as
documented in the new improved exim+mailscanner installation instructions.

> Is this a conflict between mailscanner and exim because exim is still trying
> to do the routing on the mail while mailscanner is trying to scan it?

Not a conflict; they both co-operate quite happily (always assuming I haven't
written too many bugs into the locking ;), but if exim delivers a message from
the incoming queue, it obviously won't get virus-scanned.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Don't look back, the lemmings are gaining on you.

From brandon.pearson at BBSRC.AC.UK Mon Dec 10 16:09:09 2001
From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS))
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
Message-ID: <41773CEF2B8FD411920200508BDCDC1203BFB8@bits-exch1.bits.bbsrc.ac.uk>

Nick,

As far as I can see all the mails were delivered from the outgoing queue. The
following extract is for one of the mails that got through with a goner virus.
Two entries in the incoming log then two entries in the outgoing log.

/previous_logs_incoming/mainlog.06122001:2001-12-05 11:29:16 16BaEj-0003XY-04 <= ken.wright@bbsrc.ac.uk H=(exrout.cc.bbsrc.ac.uk) [149.155.100.88] P=esmtp S=54034 id=41773CEF2B8FD411920200508BDCDC12FD0BBF@bits-exch1.bits.bbsrc.ac.uk T="Hi"
/previous_logs_incoming/mainlog.06122001:2001-12-05 11:33:09 16BaEj-0003XY-04 == corrina.hampton@hri.ac.uk T=remote_smtp defer (-1): domain matches queue_smtp_domains, or -odqs set
/previous_logs_outgoing/mainlog.06122001:2001-12-05 11:45:04 16BaEj-0003XY-04 => corrina.hampton@hri.ac.uk R=hub_route T=remote_smtp H=ntsw02.hriw.bbsrc.ac.uk [149.155.237.102] C="250 OK"
/previous_logs_outgoing/mainlog.06122001:2001-12-05 11:45:04 16BaEj-0003XY-04 Completed

The following mailscanner entries in syslog show the mail in the incoming
queue, then the error, then the last entry with the mail being copied to the
outgoing queue.

Dec 5 11:31:27 mhub2.bbsrc.ac.uk mailscanner[22339]: Using fcntl() to lock /exim/exim_incoming/input/16BaEj-0003XY-04-H
Dec 5 11:31:27 mhub2.bbsrc.ac.uk mailscanner[22339]: Using fcntl() to lock >/mailscanner/incoming/16BaEj-0003XY-04.header
Dec 5 11:31:58 mhub2.bbsrc.ac.uk mailscanner[22339]: Using fcntl() to lock /exim/exim_incoming/input/16BaEj-0003XY-04-D
Dec 5 11:31:58 mhub2.bbsrc.ac.uk mailscanner[22339]: Failed to lock /exim/exim_incoming/input/16BaEj-0003XY-04-D: Resource temporarily unavailable
Dec 5 11:35:26 mhub2.bbsrc.ac.uk mailscanner[22339]: Using fcntl() to lock /exim/exim_incoming/input/16BaEj-0003XY-04-D
Dec 5 11:35:26 mhub2.bbsrc.ac.uk mailscanner[22339]: Using fcntl() to lock >/exim/exim_outgoing/input/16BaEj-0003XY-04-T

Thanks,
Brandon

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Monday, December 10, 2001 3:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Goner-A problems - false alarm

On Mon, Dec 10, 2001 at 03:02:28PM -0000, brandon pearson (BITS) wrote:
> I couldn't find any cronjobs running but we had our incoming queue set to
> queue_smtp_domains which we thought was pretty much the same as queue_only.
> However setting this back to queue_only appears to have stopped all the
> errors so I guess they are not the same.

queue_smtp_domains, if I recall correctly, will only prevent an *immediate*
delivery attempt. Whilst queue_only will work so long as you don't explicitly
tell exim to do a queue run, I'd recommend going further than that, as
documented in the new improved exim+mailscanner installation instructions.

> Is this a conflict between mailscanner and exim because exim is still trying
> to do the routing on the mail while mailscanner is trying to scan it?

Not a conflict; they both co-operate quite happily (always assuming I haven't
written too many bugs into the locking ;), but if exim delivers a message from
the incoming queue, it obviously won't get virus-scanned.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Don't look back, the lemmings are gaining on you.

From nwp at LEMON-COMPUTING.COM Mon Dec 10 16:27:42 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFB8@bits-exch1.bits.bbsrc.ac.uk>; from brandon.pearson@BBSRC.AC.UK on Mon, Dec 10, 2001 at 04:09:09PM -0000
References: <41773CEF2B8FD411920200508BDCDC1203BFB8@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <20011210162742.I29751@lemon-computing.com>

On Mon, Dec 10, 2001 at 04:09:09PM -0000, brandon pearson (BITS) wrote:
> Nick,
> As far as I can see all the mails were delivered from the outgoing
> queue. The following extract is for one of the mails that got through with a
> goner virus. Two entries in the incoming log then two entries in the
> outgoing log.

Hmmm... did the message that got delivered have a mailscanner header in it?
If so, what did it say?

--
Nick Phillips -- nwp@lemon-computing.com
You will be surprised by a loud noise.

From brandon.pearson at BBSRC.AC.UK Mon Dec 10 17:24:29 2001
From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS))
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
Message-ID: <41773CEF2B8FD411920200508BDCDC1203BFB9@bits-exch1.bits.bbsrc.ac.uk>

Unfortunately all the delivered mail that I know contained viruses were
deleted at the remote site before I could see any of them.

However we did get a mail this morning, before I changed back to queue_only,
that mailscanner let through and our internal groupshield quarantined as
containing a W32/Badtrans@MM virus. This mail again caused a "Resource
temporarily unavailable" error in syslog and was delivered from the outgoing
queue. Here are its headers.

Received: from mhub1.bbsrc.ac.uk ([149.155.202.1]) by exrout.cc.bbsrc.ac.uk
 with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id YK5X5SAH; Mon, 10 Dec 2001 06:17:15 -0000
Received: from [202.54.1.88] (helo=mmb4.vsnl.net.in) by mhub1.bbsrc.ac.uk
 with esmtp (Exim 3.31 #1) id 16DJkB-000522-03
 for amanda.king@bbsrc.ac.uk; Mon, 10 Dec 2001 06:16:52 +0000
Received: from aol.com (unknown [203.199.170.245]) by mmb4.vsnl.net.in
 (Postfix) with SMTP id CFF69EDC4 for ; Mon, 10 Dec 2001 11:46:16 +0530 (IST)
From: "sheetal desai" <_gffaroma@bom3.vsnl.net.in>
To: amanda.king@bbsrc.ac.uk
Subject: Re: Announcement of Networking Meeting - Rothamsted International Bio Market 2001
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
Message-Id: <20011210061616.CFF69EDC4@mmb4.vsnl.net.in>
Date: Mon, 10 Dec 2001 11:46:16 +0530 (IST)
X-ECS-MailScanner-BBSRC: Found to be clean

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="HAMSTER.DOC.pif"
Content-Transfer-Encoding: base64
Content-ID:

Thanks,
Brandon

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Monday, December 10, 2001 4:28 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Goner-A problems - false alarm

On Mon, Dec 10, 2001 at 04:09:09PM -0000, brandon pearson (BITS) wrote:
> Nick,
> As far as I can see all the mails were delivered from the outgoing
> queue. The following extract is for one of the mails that got through with a
> goner virus. Two entries in the incoming log then two entries in the
> outgoing log.

Hmmm... did the message that got delivered have a mailscanner header in it?
If so, what did it say?

--
Nick Phillips -- nwp@lemon-computing.com
You will be surprised by a loud noise.

From nwp at LEMON-COMPUTING.COM Mon Dec 10 17:43:45 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFB9@bits-exch1.bits.bbsrc.ac.uk>; from brandon.pearson@BBSRC.AC.UK on Mon, Dec 10, 2001 at 05:24:29PM -0000
References: <41773CEF2B8FD411920200508BDCDC1203BFB9@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <20011210174345.L29751@lemon-computing.com>

On Mon, Dec 10, 2001 at 05:24:29PM -0000, brandon pearson (BITS) wrote:
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="====_ABC1234567890DEF_===="
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Unsent: 1
> Message-Id: <20011210061616.CFF69EDC4@mmb4.vsnl.net.in>
> Date: Mon, 10 Dec 2001 11:46:16 +0530 (IST)
> X-ECS-MailScanner-BBSRC: Found to be clean
>
> --====_ABC1234567890DEF_====
> Content-Type: multipart/alternative;
> boundary="====_ABC0987654321DEF_===="
>
> --====_ABC0987654321DEF_====
> Content-Type: text/html;
> charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --====_ABC0987654321DEF_====--
>
> --====_ABC1234567890DEF_====
> Content-Type: audio/x-wav;
> name="HAMSTER.DOC.pif"
> Content-Transfer-Encoding: base64
> Content-ID:

Interesting. Looks like the message has been successfully passed through the
mailscanner then, as the logs would indicate, and been found to be clean.

That would be because whatever got passed to the virus scanner was not
recognised as badtrans. This would probably be because of some kind of problem
with the MIME decoding - which at first glance does look dodgy.

If you look at the boundaries, they're all different. I can't see how the MIME
stuff that's there would decode; it looks broken. But then a user's mailer
would of course try to interpret it all as laxly as possible, and might get
bitten.

It's possible that if the MIME is not breaking down quite into the chunks that
we'd like it to, then some AV products will detect it in what we pass them and
others won't.

Which AV product are you using?

And which version of MIME-tools?

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
You should go home.

From jkf at ecs.soton.ac.uk Mon Dec 10 18:19:55 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFB9@bits-exch1.bits.bbs rc.ac.uk>
Message-ID: <5.1.0.14.2.20011210181848.00ab45c0@hawk.ecs.soton.ac.uk>

At 17:24 10/12/2001, you wrote:
>However we did get a mail this morning, before I changed back to queue_only,
>that mailscanner let through and our internal groupshield quarantined as
>containing a W32/Badtrans@MM virus. This mail again caused a "Resource
>temporarily unavailable" error in syslog and was delivered from the outgoing
>queue. Here are its headers.

Please can you send me the full message, including all the headers (preferably
just extracted straight from the mailbox concerned). That way we stand a
chance of being able to manually push it through and see what happens to it,
and whether MailScanner isn't parsing the mail headers correctly.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From carl at CAPAHO.COM Tue Dec 11 04:54:44 2001
From: carl at CAPAHO.COM (Carl Hogue)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
Message-ID:

On Mon, 10 Dec 2001 12:46:13 +0000, Nick Phillips wrote:

>On Mon, Dec 10, 2001 at 12:00:44PM +0000, Carl Hogue wrote:
>> I received a response from my friendly neighborhood Sophos dealer today.
>> He wants about $450 USD (GBP 310?) for a one-year 25 user SAVI license.
>> That's his minimum price for using Sophos to scan e-mail attachments on a
>> mail server. It seems a bit overpriced to me.
>
>That is the minimum cost for a SAVI license, but if you were to buy,
>for example, a 5-user "Classic" license then you would be entitled to
>use that on a server. That would cost a bit less (not massively so, I
>admit) and entitle you to use Sophos on all the desktops too.
>
>How many users do you actually have?
>
>--
>Nick Phillips -- nwp@lemon-computing.com
>You will be a winner today. Pick a fight with a four-year-old.

There are three computers in our office that are used to check e-mail coming
in from our web server. Two are Windows machines with Norton Anti-Virus
already installed, the third is a Linux box, so it obviously doesn't need the
anti-virus software. Sophos is working very well in its trial on our web
server with MailScanner and I'm very pleased with both. The problem is the
Sophos licensing scheme. Although it does protect our desktops from malicious
attachments coming in through our mail server, it doesn't protect them from
other sources of infection, such as mail from other ISPs, downloads and floppy
disks. That's why I think the license fee is too expensive if it's used only
to scan e-mail on a mail server.

Best Regards,
Carl Hogue
carl@capaho.com

From LISTSERV at JISCMAIL.AC.UK Mon Dec 10 23:28:31 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:09 2006
Subject: MAILSCANNER: leduc@CTS.COM requested to join
Message-ID: <200112102328.XAA14035@magpie.ecs.soton.ac.uk>

Mon, 10 Dec 2001 23:28:31

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has
been received from Gene LeDuc

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER leduc@CTS.COM Gene LeDuc

PS: In order to facilitate the task, this message has been specially formatted
so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in
the password below to have the command executed. Note that while the formats
produced by the forwarding function of most mail packages are supported,
replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER leduc@CTS.COM Gene LeDuc
// EOJ

From LISTSERV at JISCMAIL.AC.UK Tue Dec 11 11:30:00 2001
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:09 2006
Subject: MAILSCANNER: bp@LICENG.DK requested to join
Message-ID: <200112111130.LAA10645@magpie.ecs.soton.ac.uk>

Tue, 11 Dec 2001 11:30:00

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has
been received from Bjarke Pedersen

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER bp@LICENG.DK Bjarke Pedersen

PS: In order to facilitate the task, this message has been specially formatted
so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in
the password below to have the command executed.
Note that while the formats produced by the forwarding function of most mail
packages are supported, replying will seldom work, so make sure to forward and
not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER bp@LICENG.DK Bjarke Pedersen
// EOJ

From brandon.pearson at BBSRC.AC.UK Tue Dec 11 12:31:27 2001
From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS))
Date: Thu Jan 12 21:14:09 2006
Subject: Goner-A problems - false alarm
Message-ID: <41773CEF2B8FD411920200508BDCDC1203BFBE@bits-exch1.bits.bbsrc.ac.uk>

> -----Original Message-----
> From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
> Sent: Monday, December 10, 2001 5:44 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Goner-A problems - false alarm
>
> It's possible that if the MIME is not breaking down quite into the
> chunks that we'd like it to, then some AV products will
> detect it in what
> we pass them and others won't.
>
> Which AV product are you using?
>
> And which version of MIME-tools?
>

On our hubs we are using mailscanner 2.42 with sophos/sweep

    Product version        : 3.52
    Engine version         : 2.7
    User interface version : 2.03.083

On our exchange server we are running Groupshield for Exchange 4.0.4, engine
4.1.60.

MIME-tools version 5.411.

Since changing the exim config to queue_only we have had no resource errors
from mailscanner and no reports from groupshield that viruses have got
through.
Thanks, Brandon From nwp at LEMON-COMPUTING.COM Tue Dec 11 12:49:17 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: Goner-A problems - false alarm In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BFBE@bits-exch1.bits.bbsrc.ac.uk>; from brandon.pearson@BBSRC.AC.UK on Tue, Dec 11, 2001 at 12:31:27PM -0000 References: <41773CEF2B8FD411920200508BDCDC1203BFBE@bits-exch1.bits.bbsrc.ac.uk> Message-ID: <20011211124917.D5420@lemon-computing.com> On Tue, Dec 11, 2001 at 12:31:27PM -0000, brandon pearson (BITS) wrote: > Since changing the exim config to queue_only we have had no resource errors > from mailscanner and no reports from groupshield that viruses have got > through. The facts don't fit. The message that you pointed us at the other day had supposedly been "found to be clean" judging by the headers. If that really was the case, then that would imply that it did pass through correctly, and that it did get scanned. I'll look into it further... Has anyone else running mailscanner with Exim had any similar problems? Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Don't tell any big lies today. Small ones can be just as effective. 
From tyler at beloit.edu Tue Dec 11 15:44:16 2001 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! In-Reply-To: from "Carl Hogue" at Dec 11, 2001 04:54:44 AM Message-ID: <200112111544.JAA20520@beloit.edu> Carl, I agree. We have decided to look at the smtp gateway filtering solutions by Symantec and Micro Trend. Set your mx records to push all smtp traffic to the gateway box and all email should be properly filtered. It might come out a bit cheaper than Sophos or McAfee in the long run. Sophos forces you to completely renew eventually depending upon your contract. The Gateway solutions only have a moderate annual renewal fee which I think is cheaper in the long run than a full Sophos renewal though not dramatic.
If Sophos would cut its price in half for what they are offering to us I would have to say that mailscanner/Sophos is the solution for us. At this point, it's all up in the air for us. At this point I tend to be leaning towards a smtp gateway solution if it will perform as well and cost us less. Tim > >On Mon, 10 Dec 2001 12:46:13 +0000, Nick Phillips >wrote: > >>On Mon, Dec 10, 2001 at 12:00:44PM +0000, Carl Hogue wrote: >>> I received a response from my friendly neighborhood Sophos dealer today. >>> He wants about $450 USD (GBP 310?) for a one-year 25 user SAVI license. >>> That's his minimum price for using Sophos to scan e-mail attachments on a >>> mail server. It seems a bit overpriced to me. >> >>That is the minimum cost for a SAVI license, but if you were to buy, >>for example, a 5-user "Classic" license then you would be entitled to >>use that on a server. That would cost a bit less (not massively so, I >>admit) and entitle you to use Sophos on all the desktops too. >> >>How many users do you actually have? >> >>-- >>Nick Phillips -- nwp@lemon-computing.com >>You will be a winner today. Pick a fight with a four-year-old. > >There are three computers in our office that are used to check e-mail coming >in from our web server. Two are Windows machines with Norton Anti-Virus >already installed, the third is a Linux box, so it obviously doesn't need >the anti-virus software. > >Sophos is working very well in its trial on our web server with MailScanner >and I'm very pleased with both. The problem is the Sophos licensing scheme. >Although it does protect our desktops from malicious attachments coming in >through our mail server, it doesn't protect them from other sources of >infection, such as mail from other ISPs, downloads and floppy disks. That's >why I think the license fee is too expensive if it's used only to scan >e-mail on a mail server.
> >Best Regards, >Carl Hogue >carl@capaho.com > -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu Go Packers! Go Badgers! 1999&2000 Rose Bowl Champions! From nwp at LEMON-COMPUTING.COM Tue Dec 11 16:17:15 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! In-Reply-To: <200112111544.JAA20520@beloit.edu>; from tyler@BELOIT.EDU on Tue, Dec 11, 2001 at 09:44:16AM -0600 References: <200112111544.JAA20520@beloit.edu> Message-ID: <20011211161715.E10920@lemon-computing.com> On Tue, Dec 11, 2001 at 09:44:16AM -0600, Tim Tyler wrote: > I agree. We have decided to look at the smtp gateway filtering solutions > by Symantec and Micro Trend. Set your mx records to push all smtp traffic > to the gateway box and all email should be properly filtered. It might come > out a bit cheaper than Sophos or McAfee in the long run. Sophos forces you I believe the list of extra AV systems that mailscanner will work with in the next release (before Christmas) will be: F-Secure, Inoculate-IT, Command Software AV, NAV, possibly Kaspersky. Hope that helps... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Don't worry. Life's too long. From leduc at CTS.COM Tue Dec 11 16:50:55 2001 From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:14:09 2006 Subject: Configuring e-mail notification Message-ID: <3C16396F.80C8A8FC@cts.com> Greetings, I just installed mailscanner (w/sophos) yesterday and it seems to be working. I have some questions that I haven't been able to find answers to online or in the docs. 1. Is this list archived anywhere? 2. Can I have the scanner send a virus notification to the remote postmaster (postmaster@delivering ISP)? Something like: Notify Remote Postmaster = yes This is a feature in sophos mailmonitor that I love. It took several weeks and about a thousand alert messages copied to postmaster@verizon.net, but they finally stopped an annoying sircam barrage. 3. 
Regarding local notifications... This is from the .conf file: # Set email address of who to notify about any infections found. # Should put your full domain name here too, # e.g. postmaster@your.domain.com Local Postmaster = postmaster If I change this address to something else then it is also used as the From: address in the notification message. I would like all virus notifications to be from "scanner@this.place" and I would like the local postmaster notifications to go to "me@somewhere.else". Is there a way to make these 2 addresses separate? Regards, Gene From jkf at ecs.soton.ac.uk Tue Dec 11 17:07:27 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:09 2006 Subject: Configuring e-mail notification In-Reply-To: <3C16396F.80C8A8FC@cts.com> Message-ID: <5.1.0.14.2.20011211170608.03c141c0@imap.ecs.soton.ac.uk> At 16:50 11/12/2001, you wrote: >1. Is this list archived anywhere? http://www.jiscmail.ac.uk/lists/mailscanner.html >2. Can I have the scanner send a virus notification to the remote >postmaster (postmaster@delivering ISP)? Something like: > Notify Remote Postmaster = yes >This is a feature in sophos mailmonitor that I love. It took several >weeks and about a thousand alert messages copied to >postmaster@verizon.net, but they finally stopped an annoying sircam >barrage. I will consider it for the next version. >3. Regarding local notifications... This is from the .conf file: > # Set email address of who to notify about any infections found. > # Should put your full domain name here too, > # e.g. postmaster@your.domain.com > Local Postmaster = postmaster >If I change this address to something else then it is also used as the >From: address in the notification message. I would like all virus >notifications to be from "scanner@this.place" and I would like the local >postmaster notifications to go to "me@somewhere.else". Is there a way >to make these 2 addresses separate? Not currently, no. 
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fredd at CI.ASPEN.CO.US Tue Dec 11 18:59:13 2001 From: fredd at CI.ASPEN.CO.US (Fred Dick) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! Message-ID: Cost of Virus Scanner: Just my 2 cents -- I've been trying a Sophos demo for the past two months and am totally happy with the product and the support help I've received. I originally was drawn to Sophos because we have Solaris boxes that have PC files on the drives. I am also very pleased with the Mailscanner program as it is our first line of defense against viruses and works great! For viruses that don't pass through our mail gateway one definitely needs protection on the PC as well. With viruses like Badtrans that capture and email passwords, the issue is raised about what kind of protection people have that work from home. My understanding is that if I buy Sophos I can send it home with our users to put on their PCs. Saying all that, I do admit that the Sophos pricing is geared towards buyers that can fully utilize the minimum license pack. My guess is that Sophos doesn't want to be in the end user/small office business that is dominated by McAfee and Norton. What probably helps confuse the issue is that the product can scale down to a level where the pricing doesn't make sense. Regards, Fred
From carl at CAPAHO.COM Wed Dec 12 05:03:31 2001 From: carl at CAPAHO.COM (Carl Hogue) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! Message-ID: I have been checking into alternatives to Sophos over the past couple of days and I have concluded that their licensing fees are comparable to the other anti-virus products. Some of the alternatives are not available for Linux, so that narrows my options even more. Sophos is working very well with MailScanner on my server, so I am inclined to recommend to my company that we license it, but I want to try to negotiate a bit more realistic license fee based on our company's modest size and needs, if my friendly neighborhood Sophos dealer is so inclined. Unfortunately, he has not yet answered my last message to him regarding the price issue. There does seem to be a bit of irony in pairing an open source utility with an expensive commercial product, but the reality is that there are no open source anti-virus programs (that I am aware of) and anti-virus software does seem to be an increasingly necessary addition to a mail server.
Best Regards, Carl Hogue carl@capaho.com From sfarrell at ICCONSULTING.COM.AU Wed Dec 12 08:04:09 2001 From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! Message-ID: I don't think that there is any irony. The one thing I don't mind paying for is someone watching out for all the new viruses, and delivering me patches on a daily/hourly basis to detect new nasties. There is an open source virus program in the wings (I can't think of the name at the moment), I don't know how far away it is, but I think the upkeep will be huge to catch all new viruses. regards Scott Farrell http://www.icconsulting.com.au ic Consulting - the people that make eBusiness happen. We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients. Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers. 0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au Carl Hogue To: MAILSCANNER@JISCMAIL.AC.UK Sent by: cc: MailScanner Subject: Re: Cost of Virus Scanner! mailing list 12/12/01 04:03 PM Please respond to MailScanner mailing list I have been checking into alternatives to Sophos over the past couple of days and I have concluded that their licensing fees are comparable to the other anti-virus products. Some of the alternatives are not available for Linux, so that narrows my options even more. Sophos is working very well with MailScanner on my server, so I am inclined to recommend to my company that we license it, but I want to try to negotiate a bit more realistic license fee based on our company's modest size and needs, if my friendly neighborhood Sophos dealer is so inclined. Unfortunately, he has not yet answered my last message to him regarding the price issue.
There does seem to be a bit of irony in pairing an open source utility with an expensive commercial product, but the reality is that there are no open source anti-virus programs (that I am aware of) and anti-virus software does seem to be an increasingly necessary addition to a mail server. Best Regards, Carl Hogue carl@capaho.com From bp at LICENG.DK Wed Dec 12 08:39:45 2001 From: bp at LICENG.DK (Bjarke Pedersen) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! In-Reply-To: <20011211161715.E10920@lemon-computing.com> Message-ID: Hmm, regarding the cost of Sophos. I talked to my dealer. First he wanted a per user fee. 20 users/1 mail server = 20 licences (~20.000dkk/yr~2.000$US/yr=expensive smtp gateway). He then decided that 'one may tweak the rules' - if you buy 5 (or more) licences you are allowed to install one licence on a 'server'. I ended up with 5 licenses (~500$US/yr) to get one linux (server) installation. One may use the other four on 'workstations'. Regards, Bjarke Pedersen -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Nick Phillips Sent: 11. december 2001 17:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Cost of Virus Scanner! On Tue, Dec 11, 2001 at 09:44:16AM -0600, Tim Tyler wrote: > I agree. We have decided to look at the smtp gateway filtering solutions > by Symantec and Micro Trend. Set your mx records to push all smtp traffic > to the gateway box and all email should be properly filtered. It might come > out a bit cheaper than Sophos or McAfee in the long run. Sophos forces you I believe the list of extra AV systems that mailscanner will work with in the next release (before Christmas) will be: F-Secure, Inoculate-IT, Command Software AV, NAV, possibly Kaspersky. Hope that helps... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Don't worry. Life's too long. 
From miguelk at KONSULTEX.COM.BR Wed Dec 12 11:00:17 2001 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! References: Message-ID: <3C1738C1.F4C7EF1D@konsultex.com.br> Carl; You may be interested in looking at this site: www.openantivirus.org and in particular at: http://sourceforge.net/project/showfiles.php?group_id=10590 This is written in Java so I don't know what the performance and stability would be like. I have found that any Java solution is usually problematic, but I haven't used any in the last 6 months, so stability and performance enhancements are a pretty big probability. As someone pointed out in this list, the problem of keeping the patterns up to date is huge and I would say that that's what you are paying Sophos for. However you may find many other alternatives on the Open Anti Virus site useful to your needs. Since I also need this, if you find something interesting, let us know. :-) I was frankly under the impression that I could use 1 license of Sophos on the server. From the comments on this list it looks like this is not true. Best Regards Miguel Carl Hogue wrote: > I have been checking into alternatives to Sophos over the past couple of > days and I have concluded that their licensing fees are comparable to the > other anti-virus products. Some of the alternatives are not available for > Linux, so that narrows my options even more. Sophos is working very well > with MailScanner on my server, so I am inclined to recommend to my company > that we license it, but I want to try to negotiate a bit more realistic > license fee based on our company's modest size and needs, if my friendly > neighborhood Sophos dealer is so inclined. Unfortunately, he has not yet > answered my last message to him regarding the price issue.
> > There does seem to be a bit of irony in pairing an open source utility with > an expensive commercial product, but the reality is that there are no open > source anti-virus programs (that I am aware of) and anti-virus software does > seem to be an increasingly necessary addition to a mail server. > > Best Regards, > Carl Hogue > carl@capaho.com From frmitchell at brookes.ac.uk Wed Dec 12 12:26:17 2001 From: frmitchell at brookes.ac.uk (F. Mitchell) Date: Thu Jan 12 21:14:09 2006 Subject: Message size query Message-ID: <3C174CE9.19393.282294@localhost> Hi people, I was wondering if anybody can tell me what the maximum size I should expect to be able to put through mailscanner?
I've tried altering the Max Safe/Unsafe size, TNEF expander, and the various time outs, but the maximum (uuencoded) size of message that I can send seems to be just short of 20Mb, which is a bit on the small side for my purposes. (If I'm just using sendmail, then my limit is 900Mb (as set in my sendmail.cf) ) So I was wondering if anybody knew if this was the limit, and if not anything I need to set to get it to go higher? If it helps then I'm running SuSE (with parts ranging from SuSE 6.3-7.2), with sendmail V8.9.3 and using Sophos. I can receive the 20Mb with sendmail, but then I get an error in the logs saying "cannot reopen XXXXXX", and the user's connection times out TIA Faye -=+=- -- Dr. F Mitchell, School of Computing & Mathematical Sciences, Oxford Brookes University. email: frmitchell@brookes.ac.uk (w), faye@mitchellfamily.org.uk (h) Tel.: +44 (0) 1865 48 3684 (w), +44 (0) 1295 266921 (h) Disclaimer: The views and opinions included in this message should in no way be taken to be the views and opinions of the School of Computing and Mathematical Sciences, or the Oxford Brookes University. -=+=- From gcrothers at SHELOB.NET Wed Dec 12 13:21:28 2001 From: gcrothers at SHELOB.NET (gcrothers) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server References: <20011210124613.X29751@lemon-computing.com> Message-ID: <001e01c1830f$ecb641c0$580a0a0a@nin> How do I configure/is it possible to relay all disinfected mail to another mail server on another machine? Can it be done on a domain by domain basis..
I.E all disinfected mail for anyuser@domain1 gets redirected to domain1 mailserver, and anyuser@domain2 gets directed domain2 mailserver tia garry crothers From nwp at LEMON-COMPUTING.COM Wed Dec 12 13:25:05 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: List Archives Message-ID: <20011212132505.B17328@lemon-computing.com> Someone recently asked about archives of this list, and I don't recall seeing any answers. There is one at: http://www.jiscmail.ac.uk/lists/mailscanner.html -- Nick Phillips -- nwp@lemon-computing.com Tuesday After Lunch is the cosmic time of the week. From carl at CAPAHO.COM Wed Dec 12 13:25:50 2001 From: carl at CAPAHO.COM (Carl Hogue) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! Message-ID: On Mon, 10 Dec 2001 12:46:13 +0000, Nick Phillips wrote: >On Mon, Dec 10, 2001 at 12:00:44PM +0000, Carl Hogue wrote: >> I received a response from my friendly neighborhood Sophos dealer today. >> He wants about $450 USD (GBP 310?) for a one-year 25 user SAVI license. >> That's his minimum price for using Sophos to scan e-mail attachments on a >> mail server. It seems a bit overpriced to me. > >That is the minimum cost for a SAVI license, but if you were to buy, >for example, a 5-user "Classic" license then you would be entitled to >use that on a server. That would cost a bit less (not massively so, I >admit) and entitle you to use Sophos on all the desktops too. > >How many users do you actually have? > >-- >Nick Phillips -- nwp@lemon-computing.com >You will be a winner today. Pick a fight with a four-year-old. I asked my local distributor about the price of a 5-user "Classic" license but he said he's never heard of it. Would that be a 5-user SAV license? He also said that the 25-user SAVI license would allow me to use Sophos on a SINGLE SERVER ONLY and not on any of our desktops. If that's the case, then the SAVI license is definitely over-priced, in my opinion.
Comparing that to NAV, for example, a 5-user license is less than $250 USD and a 25-user license is just over $700 USD. Both of those NAV licenses allow for installation on multiple machines up to the user limit. Unfortunately for me, however, there is no Linux version of NAV. Best Regards, Carl Hogue carl@capaho.com From nwp at LEMON-COMPUTING.COM Wed Dec 12 13:29:58 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server In-Reply-To: <001e01c1830f$ecb641c0$580a0a0a@nin>; from gcrothers@SHELOB.NET on Wed, Dec 12, 2001 at 01:21:28PM -0000 References: <20011210124613.X29751@lemon-computing.com> <001e01c1830f$ecb641c0$580a0a0a@nin> Message-ID: <20011212132958.C17328@lemon-computing.com> On Wed, Dec 12, 2001 at 01:21:28PM -0000, gcrothers wrote: > How do I configure/is it possible to relay all disinfected mail to another > mail server on another machine? > > Can it be done on a domain by domain basis.. > > I.E all disinfected mail for anyuser@domain1 gets redirected to domain1 > mailserver, and anyuser@domain2 gets directed domain2 mailserver Well, assuming that you mean *only* disinfected mail, not including "normal" mail, you may be able to hack something up by getting mailscanner-generated messages routed differently to normal ones. The following information may be helpful: For all messages that are *generated* by mailscanner, the "Sendmail" command defined in mailscanner.conf is used. The desired mail is piped to the command, and envelope information pulled from the headers. So you could do pretty much whatever you like with that. It's not used for anything else, but that's the kind of thing that you'd *really* need to test every time you upgrade ;) For messages that mailscanner has dumped directly into a queue, the "Sendmail2" setting is used. There's not much point changing that too much, as the message is placed in the queue rather than piped to the command.
Messages that mailscanner *generates* include: warnings to postmaster warnings to sender disinfected attachments sent to original recipient Messages that mailscanner munges and dumps directly into the queue include: clean messages (hardly even munged!) messages that were dirty but have had dirty bits replaced with warnings -- Nick Phillips -- nwp@lemon-computing.com That secret you've been guarding, isn't. From jkf at ecs.soton.ac.uk Wed Dec 12 13:30:44 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server In-Reply-To: <001e01c1830f$ecb641c0$580a0a0a@nin> References: <20011210124613.X29751@lemon-computing.com> Message-ID: <5.1.0.14.2.20011212133033.047d5b08@hawk.ecs.soton.ac.uk> At 13:21 12/12/2001, you wrote: >How do I configure/is it possible to relay all disinfected mail to another >mail server on another machine? >Can it be done on a domain by domain basis.. >I.E all disinfected mail for anyuser@domain1 gets redirected to domain1 >mailserver, and anyuser@domain2 gets directed domain2 mailserver Isn't this a sendmail problem? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From s.effertz at JOLA.DE Wed Dec 12 13:40:09 2001 From: s.effertz at JOLA.DE (Stephan Effertz) Date: Thu Jan 12 21:14:09 2006 Subject: Antwort: Message size query Message-ID: I've had the same problem with SuSE 6.4 running sendmail 8.9.x (Not sure about the exact version). After installing the sendmail.rpm from SuSE 7.0 (sendmail 8.11.x - available as update for SuSE 7.0 - ) the error went away. Additionally I've added file locking to mailscanner.conf (flock). Looks like sendmail 8.9 releases file locks while receiving mails before they are completed. So mailscanner "grabs" these files and sendmail comes up with the file re-open error. regards, Stephan "F.
Mitchell" Sent by: MailScanner mailing list 12.12.2001 13:26 Please reply to frmitchell To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Message size query Hi people, I was wondering if anybody can tell me what the maximum size I should expect to be able to put through mailscanner? I've tried altering the Max Safe/Unsafe size, TNEF expander, and the various time outs, but the maximum (uuencoded) size of message that I can send seems to be just short of 20Mb, which is a bit on the small side for my purposes. (If I'm just using sendmail, then my limit is 900Mb (as set in my sendmail.cf) ) So I was wondering if anybody knew if this was the limit, and if not anything I need to set to get it to go higher? If it helps then I'm running SuSE (with parts ranging from SuSE 6.3-7.2), with sendmail V8.9.3 and using Sophos. I can receive the 20Mb with sendmail, but then I get an error in the logs saying "cannot reopen XXXXXX", and the user's connection times out TIA Faye -=+=- From nwp at LEMON-COMPUTING.COM Wed Dec 12 13:33:48 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: Cost of Virus Scanner! In-Reply-To: ; from carl@CAPAHO.COM on Wed, Dec 12, 2001 at 01:25:50PM +0000 References: Message-ID: <20011212133348.D17328@lemon-computing.com> On Wed, Dec 12, 2001 at 01:25:50PM +0000, Carl Hogue wrote: > I asked my local distributor about the price of a 5-user "Classic" license > but he said he's never heard of it. Would that be a 5-user SAV license? Yes, basically. There are now several different licenses that cover use of SAV on desktops. The "classic" is the bog-standard old one, whilst the "Enterprise" includes MailMonitor (their email gateway scanner thing). There are more, but I won't bore you with the details.
-- Nick Phillips -- nwp@lemon-computing.com If you can read this, you're too close. From nwp at LEMON-COMPUTING.COM Wed Dec 12 13:42:46 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: Antwort: Message size query In-Reply-To: ; from s.effertz@JOLA.DE on Wed, Dec 12, 2001 at 02:40:09PM +0100 References: Message-ID: <20011212134246.E17328@lemon-computing.com> On Wed, Dec 12, 2001 at 02:40:09PM +0100, Stephan Effertz wrote: > I've had the same problem with SuSE 6.4 running sendmail 8.9.x (Not sure > about the exact version). > After installing the sendmail.rpm from SuSE 7.0 (sendmail 8.11.x - > available as update for SuSE 7.0 - ) the error went away. Additionally > I've added file locking to mailscanner.conf (flock). Looks like sendmail > 8.9 releases file locks while receiving mails before they are completed. > So mailscanner "grabs" these files and sendmail comes up with the file > re-open error. Mailscanner *always* tries to play friendly with locks. The locking parameter in the conf file is there to tell mailscanner *which type* of locking to use, if you have a weird build of sendmail or exim which does not use the standard locking that we think that mailer uses (flock for sendmail, posix for exim). As the comments in the conf file state, *don't change* this parameter unless you are **sure** that you know what you are doing (or unless you don't care about lost/corrupt/infected mail). Without a combination of seeing logs/code/being a sendmail expert, I wouldn't like to rush to judgement, but it does sound like you may be on the right track. But you don't need to change/set mailscanner's locking. -- Nick Phillips -- nwp@lemon-computing.com Give him an evasive answer.
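The lock-type point in the message above, as an added example (not from the thread and not MailScanner's code): a stand-in "MTA" process holds a lock on a queue file while a stand-in "scanner" process tries a non-blocking lock of its own. The function names and the temporary file are constructed for illustration; on Linux local filesystems flock and POSIX (fcntl) locks do not see each other, so a mismatched lock type lets the scanner pick up a file that is still being written.

```python
"""Constructed demo: the scanner must use the same lock type as the MTA."""
import fcntl
import os
import tempfile

LOCK_KINDS = ("flock", "posix")


def take_lock(fd, kind, nonblocking=False):
    """Take an exclusive whole-file lock of the given kind on fd."""
    flags = fcntl.LOCK_EX | (fcntl.LOCK_NB if nonblocking else 0)
    if kind == "flock":
        fcntl.flock(fd, flags)   # BSD-style lock, tied to the open file
    elif kind == "posix":
        fcntl.lockf(fd, flags)   # fcntl()-style record lock, tied to the process
    else:
        raise ValueError("unknown lock kind: %r" % kind)


def scanner_can_grab(path, mta_lock, scanner_lock):
    """Return True if a separate 'scanner' process obtains its lock
    while the 'MTA' (this process) still holds its own lock on path."""
    mta_fd = os.open(path, os.O_RDWR)
    try:
        take_lock(mta_fd, mta_lock)           # MTA is still writing the file
        pid = os.fork()
        if pid == 0:                          # child plays the scanner
            try:
                fd = os.open(path, os.O_RDWR)
                try:
                    take_lock(fd, scanner_lock, nonblocking=True)
                except OSError:
                    os._exit(1)               # refused: file is left alone
                os._exit(0)                   # granted: scanner would read it
            except BaseException:
                os._exit(2)                   # unexpected failure in the child
        _, status = os.waitpid(pid, 0)
        code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else 2
        if code == 2:
            raise RuntimeError("scanner child failed unexpectedly")
        return code == 0
    finally:
        os.close(mta_fd)                      # closing the fd drops the MTA lock


def lock_matrix():
    """Try every MTA/scanner lock-type pairing on a constructed queue file."""
    fd, path = tempfile.mkstemp(prefix="qf-demo-")
    os.close(fd)
    try:
        return {(m, s): scanner_can_grab(path, m, s)
                for m in LOCK_KINDS for s in LOCK_KINDS}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for (mta, scanner), grabbed in sorted(lock_matrix().items()):
        verdict = "GRABS file mid-write" if grabbed else "waits for the MTA"
        print("MTA=%-5s scanner=%-5s -> scanner %s" % (mta, scanner, verdict))
```

The matching pairs are refused everywhere; the mismatched pairs succeeding is the Linux behaviour and can differ on NFS or on systems where flock is implemented on top of fcntl.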
From gcrothers at SHELOB.NET Wed Dec 12 14:35:26 2001 From: gcrothers at SHELOB.NET (gcrothers) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server References: <20011210124613.X29751@lemon-computing.com> <001e01c1830f$ecb641c0$580a0a0a@nin> <20011212132958.C17328@lemon-computing.com> Message-ID: <004801c1831a$403fdcc0$580a0a0a@nin> > Well, assuming that you mean *only* disinfected mail, not including "normal" mail, you may be able to hack something up by getting mailscanner-generated messages routed differently to normal ones. I mean all incoming mail that has been scanned, and placed in a queue. What I want to do is pass all the mail onto another server, for delivery to the clients using either pop or webmail. tia garry From gcrothers at SHELOB.NET Wed Dec 12 14:40:04 2001 From: gcrothers at SHELOB.NET (gcrothers) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server References: <20011210124613.X29751@lemon-computing.com> <5.1.0.14.2.20011212133033.047d5b08@hawk.ecs.soton.ac.uk> Message-ID: <006401c1831a$e62a3a40$580a0a0a@nin> ----- Original Message ----- From: Julian Field > At 13:21 12/12/2001, you wrote: > >How do I configure/is it possible to relay all disinfected mail to another > >mail server on another machine? > >Can it be done on a domain by domain basis.. > >I.E all disinfected mail for anyuser@domain1 gets redirected to domain1 > >mailserver, and anyuser@domain2 gets directed domain2 mailserver > > Isn't this a sendmail problem? I'm not a sendmail guru, so I don't know if I should be looking at the configuration of mailscanner or sendmail....? and if it is sendmail, should I be looking at the config of sendmail on the virus scanner or on the machine I want the mail to be forwarded to??
tia garry From nwp at LEMON-COMPUTING.COM Wed Dec 12 14:50:59 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server In-Reply-To: <004801c1831a$403fdcc0$580a0a0a@nin>; from gcrothers@SHELOB.NET on Wed, Dec 12, 2001 at 02:35:26PM -0000 References: <20011210124613.X29751@lemon-computing.com> <001e01c1830f$ecb641c0$580a0a0a@nin> <20011212132958.C17328@lemon-computing.com> <004801c1831a$403fdcc0$580a0a0a@nin> Message-ID: <20011212145059.A32198@lemon-computing.com> On Wed, Dec 12, 2001 at 02:35:26PM -0000, gcrothers wrote: > > Well, assuming that you mean *only* disinfected mail, not including > "normal" mail, you may be able to hack something up by getting > mailscanner-generated messages routed differently to normal ones. > > I mean all incoming mail that has been scanned, and placed in a queue. > > What I want to do pass all the mail onto another server, for delivery to > the clients using either pop or webmail. You need to sort sendmail out on the scanning machine. -- Nick Phillips -- nwp@lemon-computing.com Caution: Keep out of reach of children. From gcrothers at SHELOB.NET Wed Dec 12 15:00:48 2001 From: gcrothers at SHELOB.NET (gcrothers) Date: Thu Jan 12 21:14:09 2006 Subject: relay to another mail server References: <20011210124613.X29751@lemon-computing.com> <001e01c1830f$ecb641c0$580a0a0a@nin> <20011212132958.C17328@lemon-computing.com> <004801c1831a$403fdcc0$580a0a0a@nin> <20011212145059.A32198@lemon-computing.com> Message-ID: <008801c1831d$cbf36220$580a0a0a@nin> ----- Original Message ----- From: Nick Phillips > the clients using either pop or webmail. > > You need to sort sendmail out on the scanning machine. > > -- thanks Nick now back to snail book to figure it out.. 
garry

From s.effertz at JOLA.DE Wed Dec 12 15:35:40 2001
From: s.effertz at JOLA.DE (Stephan Effertz)
Date: Thu Jan 12 21:14:09 2006
Subject: Antwort: Re: relay to another mail server
Message-ID:

> Well, assuming that you mean *only* disinfected mail, not including "normal" mail, you may be able to hack something up by getting mailscanner-generated messages routed differently to normal ones.

I mean all incoming mail that has been scanned, and placed in a queue.

What I want to do pass all the mail onto another server, for delivery to the clients using either pop or webmail.

tia garry

------

The sendmail feature you are looking for is called mailertable. Check for FEATURE(mailertable) in your m4 file (generating sendmail.cf) and look at /etc/mail/mailertable.

This is an example /etc/mail/mailertable. It routes all mail to domain.com to the server at 192.168.1.123. Don't forget to run makemap after all changes.

# /etc/mailertable - special handling for hosts or domains
# reindex:
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
domain.com smtp:[192.168.1.123]

From cfast at ALLIEDBUILDING.COM Wed Dec 12 17:47:17 2001
From: cfast at ALLIEDBUILDING.COM (Clint Fast)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
References: <20011212133348.D17328@lemon-computing.com>
Message-ID: <3C179825.2D1C980F@alliedbuilding.com>

I have talked directly with Sophos on this myself, and received a quote from them on the SAVI, the "classic" desktops (which include SAVI), and the Mailmonitor (which includes SAVI and the desktops and the mailmonitor app). I explained to them EXACTLY what my intentions were, and he stated that I would only need the SAVI license, as my needs are for only scanning on the mailserver, not at the desktop as well (we have other apps for that).
I'm looking at a 500 user license, and I thought the prices were quite reasonable. But, I do agree that a 5-user license probably wouldn't rate well on their scale.

If you're planning on using mailscanner, as I do, then you only really need the SAVI license. If you want the desktops to have virus coverage/software on them as well, then you'll need the "classic" desktop version (which still includes the SAVI). If you don't want to use mailscanner, then you need MailMonitor for SMTP. But, we all like mailscanner best now don't we? :)

It's hard (for any company) to base their pricing on the number of mailboxes that you protect because licensing in that area is hard to check for. It's an ethical question when it comes to "proper" licensing on the scanning. If you're scanning for 1200 mailboxes, then they say you need a 1200 user license. But we all know that a 1-user license will do the trick.

I tried McAfee's uvscan on this server (with mailscanner). It failed too much. The sophos anti-virus has worked flawlessly for me so far, and I'm looking forward to purchasing the licenses for that sophos as the reliability is high. I also look forward to help improving the mailscanner code itself, not just to use other scanners, but for other features as well.

--Clint Fast.

Nick Phillips wrote:
>
> On Wed, Dec 12, 2001 at 01:25:50PM +0000, Carl Hogue wrote:
>
> > I asked my local distributor about the price of a 5-user "Classic" license
> > but he said he's never heard of it. Would that be a 5-user SAV license?
>
> Yes, basically. There are now several different licenses that cover use of SAV
> on desktops. The "classic" is the bog-standard old one, whilst the
> "Enterprise" includes MailMonitor (their email gateway scanner thing).
>
> There are more, but I won't bore you with the details.
>
> --
> Nick Phillips -- nwp@lemon-computing.com
> If you can read this, you're too close.
From valianp at SOUTHWESTERN.EDU Wed Dec 12 19:47:32 2001
From: valianp at SOUTHWESTERN.EDU (Peter Valian)
Date: Thu Jan 12 21:14:09 2006
Subject: procmail EX_TEMPFAIL
Message-ID: <3C17B454.7050009@southwestern.edu>

hi all,

I've been getting a ton of EX_TEMPFAIL deferred mail stuck in my mqueue. Looks like it is happening for users that are over disk quota. Also, it doesn't seem that sendmail is mailing the sender back and telling them the user is over quota (like it did before mailscanner). The message just sits in mqueue (I imagine it keeps retrying the send for 5 days) and then disappears.

Any way to fix this?

Thanks.

-peter

--
Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas
--

From henrich at MSU.EDU Wed Dec 12 22:09:03 2001
From: henrich at MSU.EDU (Charles Henrich)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
Message-ID: <20011212140903.D5853@sigbus.com>

> Yes, basically. There are now several different licenses that cover use of
> SAV on desktops. The "classic" is the bog-standard old one, whilst the
> "Enterprise" includes MailMonitor (their email gateway scanner thing).
>
> There are more, but I won't bore you with the details.

What about McAfee? Virus scan is working quite well here, and cost something like US$70 for a license.

-Crh

Charles Henrich
Eon Entertainment
henrich@msu.edu
http://www.sigbus.com:81/~henrich

From nwp at LEMON-COMPUTING.COM Thu Dec 13 09:54:55 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:09 2006
Subject: Cost of Virus Scanner!
In-Reply-To: <20011212140903.D5853@sigbus.com>; from henrich@MSU.EDU on Wed, Dec 12, 2001 at 02:09:03PM -0800
References: <20011212140903.D5853@sigbus.com>
Message-ID: <20011213095455.F32198@lemon-computing.com>

On Wed, Dec 12, 2001 at 02:09:03PM -0800, Charles Henrich wrote:
> What about McAfee? Virus scan is working quite well here, and cost something
> like US$70 for a license.

"You pays yer money and takes yer choice..."

--
Nick Phillips -- nwp@lemon-computing.com
Don't relax! It's only your tension that's holding you together.
From sfarrell at ICCONSULTING.COM.AU Fri Dec 14 03:19:38 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:09 2006
Subject: debug of virus scanner conversation
Message-ID:

Julian (or anyone else),

My code for InoculateIT is working 100% on 1 server, and the other server I have it on it becomes flakey after a few hours, restarting mailscanner fixes it.

Reading the log in /var/log/maillog, and the mailscanner entries - the virus scanner doesn't return any virus' entries as it should, and it goes through as clean.

I suspect there is some OS error, or error with InoculateIT, or error somewhere. I would dearly like to output the conversion between mailscanner and the commercial virus program. Is this possible?

regards
Scott Farrell
http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen. We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients. Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.
0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

From jkf at ecs.soton.ac.uk Fri Dec 14 09:10:32 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:09 2006
Subject: debug of virus scanner conversation
In-Reply-To:
Message-ID: <5.1.0.14.2.20011214090810.03e7fdf8@imap.ecs.soton.ac.uk>

At 03:19 14/12/2001, you wrote:
>I suspect there is some OS error, or error with InoculateIT, or error
>somewhere. I would dearly like to output the conversion between mailscanner
>and the commercial virus program. Is this possible?
Take a look in sweep.pl, at the TryCommercial function. There's a loop in there that starts "while() {" for each supported virus scanner. If you find the one you are using for InoculateIT and do a

    print STDERR "$_";

just inside the top of the loop, it will dump to STDERR all the output from the virus scanner.

Hope that helps!

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From sfarrell at ICCONSULTING.COM.AU Sat Dec 15 14:31:28 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:09 2006
Subject: debug of virus scanner conversation
Message-ID:

Thanks Jules .....

I used this instead, but thanks for your help, it worked wonders ... now I have to wait until it fails again !!!!!:

    Log::InfoLog("$_");

regards
Scott Farrell
http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen. We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients. Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.
0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

From sfarrell at ICCONSULTING.COM.AU Sat Dec 15 23:03:05 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:09 2006
Subject: debug of virus scanner conversation
Message-ID:

Just an update. Below are successful and failed scanning logs. You'll notice the successful one takes about 2 seconds, and the failed one is instant with no logging. Restarting mailscanner fixes the problem, but it eventually re-occurs.

Any Ideas?
Here is my log from the failed scanning :

Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock /var/spool/mqueue.in/qffBFLsMd10664
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock >/var/spool/MailScanner/incoming/fBFLsMd10664.header
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanning 1 messages, 1205 bytes
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Going to scan 1 messages
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Commencing scanning...
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Completed scanning
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanned 1 messages, 1205 bytes in 0 seconds
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock >/var/spool/mqueue/tffBFLsMd10664
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: About to deliver 1 messages

Here is my log from a successful scanning :

Dec 16 00:43:30 icconsulting3 mailscanner[7897]: Using flock() to lock >/var/spool/MailScanner/incoming/fBFDh5t07901.header
Dec 16 00:43:30 icconsulting3 mailscanner[7897]: Scanning 1 messages, 1205 bytes
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Going to scan 1 messages
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Commencing scanning...
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: ----------/data/MailScanner/incoming/./fBFDh5t07901.header
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: ----------/data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File /data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File /data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Files Scanned: 2
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Viruses Found: 1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Infected Files Found: 1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Archives Scanned: 1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Scan Mode: Reviewer
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: *** End Of Summary ***
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Completed scanning
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Found 1 viruses in messages fBFDh5t07901
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Scanned 1 messages, 1205 bytesin 2 seconds
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Saved infections to /var/spool/MailScanner/quarantine/20011216/fBFDh5t07901

regards
Scott Farrell
http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen. We offer e-business consulting and perform services. We deliver high impact consulting, and fast turn around projects for our clients. Ask us about Web Content Management, Web Self Service, or working closer with your customers or suppliers.
0412 927 156, 02 9411 3622 mailto:sfarrell@icconsulting.com.au

From miguelk at KONSULTEX.COM.BR Sun Dec 16 00:34:14 2001
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:14:09 2006
Subject: debug of virus scanner conversation
References:
Message-ID: <3C1BEC06.7D365080@konsultex.com.br>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011215/d34082c3/attachment.html

From rfowkar at YAHOO.COM Sun Dec 16 15:57:41 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:09 2006
Subject: redhat 6.2 and mailscanner 2.42 not scanning
Message-ID: <20011216155741.GA264@debian>

Hi,

I have just setup a Red Hat 6.2 email server with mailscanner & sophos for virus scanning. I have done everything as per the documentation in mailscanner.

the rpm puts mailscanner script in /etc/rc.d/init.d/mailscanner which starts mailscanner and sendmail (2 queues). It has also created /var/spool/mqueue.in.

However whenever I send mail or receive mail it is not passing through mailscanner. What I must have done wrong ?

If I do

ps -e |grep mailscanner it shows mailscanner process running

ps -e |grep sendmail shows two sendmail processes running.

Everything seems to be correct. But the mails which I am receiving do not contain the header which indicates it has passed through mailscanner.

I have tried sending mails with some attachments which contain virus. Since it has not passed through mailscanner no checking has taken place. If I manually do /usr/local/Sophos/bin/sophoswrapper /home/rajesh it scans and gives the results.

What I am doing wrong ?

Please help.

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.16(ext3)
You will get what you deserve.
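In the "debug of virus scanner conversation" thread above, the failed run logs nothing between "Commencing scanning..." and "Completed scanning", yet the message still goes on to delivery. The Python below is an added example, not part of the thread or of MailScanner: it flags such batches in a maillog, assuming scanner output is being logged as in Scott Farrell's posts (his Log::InfoLog line) and that the InoculateIT "Total Files Scanned" summary marks a scan that really ran. The function and field names are made up for this illustration.

```python
import re

# Syslog layout used in the post: "Dec 16 08:54:52 host mailscanner[PID]: text"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"mailscanner\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$"
)
BATCH_RE = re.compile(r"Going to scan (\d+) messages")
SUMMARY_RE = re.compile(r"Total Files Scanned:\s*(\d+)")

# Trimmed copies of log lines from the post: the successful run, then the failed one.
SAMPLE_LOG = """\
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Going to scan 1 messages
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Commencing scanning...
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File /data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Files Scanned: 2
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Viruses Found: 1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: *** End Of Summary ***
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Completed scanning
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Going to scan 1 messages
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Commencing scanning...
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Completed scanning
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanned 1 messages, 1205 bytes in 0 seconds
"""


def find_scan_batches(lines):
    """Group log lines into scan batches, one per Commencing/Completed pair.

    Batches are tracked per mailscanner PID so interleaved children do not
    mix. A batch is marked silent when messages were handed to the scanner
    but no "Total Files Scanned" summary with a non-zero count came back.
    """
    pending = {}   # pid -> message count from "Going to scan N messages"
    active = {}    # pid -> batch currently between Commencing and Completed
    batches = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a mailscanner syslog line
        pid, ts, msg = m.group("pid"), m.group("ts"), m.group("msg").strip()
        announced = BATCH_RE.search(msg)
        if announced:
            pending[pid] = int(announced.group(1))
        elif msg.startswith("Commencing scanning"):
            active[pid] = {"pid": pid, "start": ts, "end": None,
                           "messages": pending.pop(pid, 0),
                           "scanner_lines": 0, "files_scanned": None}
        elif msg.startswith("Completed scanning") and pid in active:
            batch = active.pop(pid)
            batch["end"] = ts
            batches.append(batch)
        elif pid in active and msg:
            # Anything logged inside the window is scanner output.
            batch = active[pid]
            batch["scanner_lines"] += 1
            summary = SUMMARY_RE.search(msg)
            if summary:
                batch["files_scanned"] = int(summary.group(1))
    # Batches that never logged "Completed scanning" (hang, truncated log)
    # are kept with end=None so they are reported rather than dropped.
    batches.extend(active.values())
    for batch in batches:
        batch["silent"] = batch["messages"] > 0 and not batch["files_scanned"]
    return batches


def silent_batches(lines):
    """Return only the batches where mail passed without scanner evidence."""
    return [b for b in find_scan_batches(lines) if b["silent"]]


if __name__ == "__main__":
    for b in find_scan_batches(SAMPLE_LOG.splitlines()):
        state = "NO SCANNER OUTPUT" if b["silent"] else "ok"
        print(f"pid {b['pid']} {b['start']} -> {b['end']}: "
              f"{b['messages']} msg, {b['scanner_lines']} scanner lines, {state}")
```

Run against a live maillog, a non-empty result from silent_batches() is a reason to hold the outgoing queue and restart the scanner before more mail is delivered unchecked.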
From miguelk at KONSULTEX.COM.BR Sun Dec 16 14:43:06 2001 From: miguelk at KONSULTEX.COM.BR (Miguel Koren) Date: Thu Jan 12 21:14:09 2006 Subject: redhat 6.2 and mailscanner 2.42 not scanning In-Reply-To: <20011216155741.GA264@debian> Message-ID: In my case (Red Hat 7.1 thugh) I had Sophos installed BEFORE Mail Scanner. The standard Sophos installation places things in slightly different directories, so instead of reinstalling Sophos (I had deleted their install file) with Mail Scanner I tweaked the scripts. Maybe that's what is happening to you? Miguel On Sun, 16 Dec 2001, Rajesh Fowkar wrote: > Hi, > > I have just setup a Red Hat 6.2 email server with mailscanner & sophos for > virus scanning. I have done everything as per the documentation in > mailscanner. > > the rpm puts mailscanner script in /etc/rc.d/init.d/mailscanner which > starts mailscanner and sendmail (2 queues). It has also created > /var/spool/mqueue.in. > > However whenever I send mail or receive mail it is not passing though > mailscanner. What I must have done wrong ? > > If I do > > ps -e |grep mailscanner it shows mailscanner process running > > ps -e |grep sendmail shows two sendmail processes running. > > Everything seems to be correct. But the mails which I receiving do not > contain the header which indicates it has passed through mailscanner. > > I have tried sending mails with some attachments which contain virus. Since > it has not passed through mailscanner no checking has taken place. If I > manually do /usr/local/Sophos/bin/sophoswrapper /home/rajesh it scans and > gives the results. > > What I am doing wrong ? > > Please help. > > Thanks in advance. > > Peace > > -- > Rajesh > http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux > Kernel 2.4.16(ext3) > You will get what you deserve. 
> From rfowkar at YAHOO.COM Sun Dec 16 21:14:05 2001 From: rfowkar at YAHOO.COM (Rajesh Fowkar) Date: Thu Jan 12 21:14:09 2006 Subject: redhat 6.2 and mailscanner 2.42 not scanning In-Reply-To: References: <20011216155741.GA264@debian> Message-ID: <20011216211405.GA1274@debian> Miguel Koren saw fit to inform me that: >In my case (Red Hat 7.1 thugh) I had Sophos installed BEFORE Mail Scanner. >The standard Sophos installation places things in slightly different >directories, so instead of reinstalling Sophos (I had deleted their >install file) with Mail Scanner I tweaked the scripts. Maybe that's what >is happening to you? No. I had not installed Sophos before Mailscanner. I install Mailscanner and than ran Sophos.install script from /usr/local/Mailscanner/bin/Sophos.install from sav-install directory which contained all the Sophos files. However on my home machine debian with exim the setup works perfectly. To me it looks some permission problems may be. Will check it out. Thanks to developers for this excellent product. Warm Regards Peace Rajesh > >Miguel > > >On Sun, 16 Dec 2001, Rajesh Fowkar wrote: > >> Hi, >> >> I have just setup a Red Hat 6.2 email server with mailscanner & sophos for >> virus scanning. I have done everything as per the documentation in >> mailscanner. >> >> the rpm puts mailscanner script in /etc/rc.d/init.d/mailscanner which >> starts mailscanner and sendmail (2 queues). It has also created >> /var/spool/mqueue.in. >> >> However whenever I send mail or receive mail it is not passing though >> mailscanner. What I must have done wrong ? >> >> If I do >> >> ps -e |grep mailscanner it shows mailscanner process running >> >> ps -e |grep sendmail shows two sendmail processes running. >> >> Everything seems to be correct. But the mails which I receiving do not >> contain the header which indicates it has passed through mailscanner. >> >> I have tried sending mails with some attachments which contain virus. 
Since
>> it has not passed through mailscanner no checking has taken place. If I
>> manually do /usr/local/Sophos/bin/sophoswrapper /home/rajesh it scans and
>> gives the results.
>>
>> What I am doing wrong ?
>>
>> Please help.
>>
>> Thanks in advance.
>>
>> Peace
>>
>> --
>> Rajesh
>> http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
>> Kernel 2.4.16(ext3)
>> You will get what you deserve.
>>

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.16(ext3)
You're at the end of the road again.

From jkf at ecs.soton.ac.uk Sun Dec 16 16:12:43 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:09 2006
Subject: redhat 6.2 and mailscanner 2.42 not scanning
In-Reply-To: <20011216155741.GA264@debian>
Message-ID: <5.1.0.14.2.20011216161019.00aa9b30@hawk.ecs.soton.ac.uk>

At 15:57 16/12/2001, you wrote:
>the rpm puts mailscanner script in /etc/rc.d/init.d/mailscanner which
>starts mailscanner and sendmail (2 queues). It has also created
>/var/spool/mqueue.in.
>
>However whenever I send mail or receive mail it is not passing though
>mailscanner. What I must have done wrong ?
>
>If I do
>
>ps -e |grep mailscanner it shows mailscanner process running
>
>ps -e |grep sendmail shows two sendmail processes running.

Check to ensure that sendmail is not being started from runlevel 2. Do a

    chkconfig --level 2345 sendmail off

and reboot. On some systems, despite our (previous) best attempts, sendmail survives from runlevel 2. This would result in the symptoms you are seeing.

In the next version (due around Christmas) I am more careful about killing off sendmail :-)

--
Julian Field
Teaching Systems Manager
jkf@ecs.soton.ac.uk
Dept. of Electronics & Computer Science
Tel. 023 8059 2817
University of Southampton
Southampton SO17 1BJ

From paul at CWIE.NET Sun Dec 16 17:16:30 2001
From: paul at CWIE.NET (Paul Fries)
Date: Thu Jan 12 21:14:10 2006
Subject: Please Help!
In-Reply-To: <5.1.0.14.2.20011216161019.00aa9b30@hawk.ecs.soton.ac.uk> Message-ID: <000501c18655$6abc6c00$623c0f18@cx360261b> I just started receiving the following error with v2.60-2. I have shut down mailscanner and am delivering mail normally, however I have over 7000 message in mqueue.in that have yet to be delivered.. =( Here is the error: ignoring text in character set `WINDOWS-1251' at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Parser/Filer.pm line 646 Can't call method "parts" on an undefined value at /var/mailscanner/bin/explode.pl line 265. Mailscanner dies after this error, and no messages are delivered. I have been running this version for months, and this is the first time I have seen this error. Any Ideas? Regards, Paul Fries paul@cwie.net CWIE LLC From rfowkar at YAHOO.COM Sun Dec 16 23:23:59 2001 From: rfowkar at YAHOO.COM (Rajesh Fowkar) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim Message-ID: <20011216232359.GA579@debian> Hi, I am on dial-up connection at my home. Now after configuring mailscanner & exim everything works fine mail is checked, warning sent. But if I send a mail to outside domain from my home machine say xyz@yahoo.com than the mail is scanned and than it waits in /var/spool/exim/input But when I do mailq nothing is visible. 
I have got two spool directories :

---------------------------------------------------------------------------
rajesh@debian:/var/spool$ l
total 36
drwxr-xr-x 4 mail mail 4096 Dec 16 19:37 MailScanner
drwxr-xr-x 3 root root 4096 Aug 28 19:51 cron
drwxr-x--- 5 mail mail 4096 Aug 28 20:02 exim
drwxr-x--- 5 mail mail 4096 Dec 16 20:22 exim_incoming
drwxr-xr-x 4 sweep sweep 4096 Oct 30 00:57 intercheck
drwxr-xr-x 4 root root 4096 Jul 26 22:05 lpd
lrwxrwxrwx 1 root root 7 Jul 14 19:44 mail -> ../mail
drwxr-xr-x 2 root 12 4096 Aug 29 11:39 mqueue.in
drwxr-sr-x 5 news news 4096 Dec 16 21:00 slrnpull
drwxr-xr-x 5 root root 4096 Aug 1 00:43 texmf
rajesh@debian:/var/spool$
---------------------------------------------------------------------------

What I should do to send the mail waiting in /var/spool/exim/input but not showing in mailq ?

I have created two exim conf files :

rajesh@debian:/etc$ l exim*
-rw-r--r-- 1 root root 15087 Dec 16 22:12 exim.conf
-rw-r--r-- 1 root root 14677 Dec 16 21:51 exim_outgoing.conf
rajesh@debian:/etc$

added the following in exim.conf :

# Settings for Mailscanner
########################################
spool_directory=/var/spool/exim_incoming
queue_only=true
########################################

In /etc/init.d/mailscanner, the following lines are present :

-------------------------------------------------------------
/usr/sbin/exim -bd
/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m
/usr/local/MailScanner/bin/check_mailscanner >/dev/null
-------------------------------------------------------------

Please help. Due to the above I am unable to send mail while offline. I am sending this mail while I am online. This I cannot afford being a dial-up user.

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.16(ext3)
Good day for overcoming obstacles. Try a steeplechase.
From m.sapsed at BANGOR.AC.UK Mon Dec 17 09:04:58 2001 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:10 2006 Subject: redhat 6.2 and mailscanner 2.42 not scanning In-Reply-To: Message-ID: On Sun, 16 Dec 2001, Miguel Koren wrote: > In my case (Red Hat 7.1 thugh) I had Sophos installed BEFORE Mail Scanner. > The standard Sophos installation places things in slightly different > directories, so instead of reinstalling Sophos (I had deleted their > install file) with Mail Scanner I tweaked the scripts. Maybe that's what > is happening to you? I found this problem the other way around. I installed mailscanner and Sophos using the mailscanner script. I then tried to enable intercheck and use sophos generally on the machine. intercheck wouldn't start and some incantations of sweep used an old library or engine or something. I think the confusion comes from not using the lib and sav directories in the way sophos intend? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy.
Fax: +44 (0)1248 383826 From jkf at ecs.soton.ac.uk Mon Dec 17 09:08:57 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011216232359.GA579@debian> Message-ID: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> At 23:23 16/12/2001, you wrote: >------------------------------------------------------------- >/usr/sbin/exim -bd >/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m >/usr/local/MailScanner/bin/check_mailscanner >/dev/null >------------------------------------------------------------- I'm not an Exim user, but if that was sendmail there shouldn't be 2 "-bd" lines above, only 1. In sendmail the 2nd one shouldn't have "-bd". Check the Exim installation instructions again, to be sure you are doing this bit right. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon Dec 17 09:06:54 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:10 2006 Subject: Please Help! In-Reply-To: <000501c18655$6abc6c00$623c0f18@cx360261b> References: <5.1.0.14.2.20011216161019.00aa9b30@hawk.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20011217090331.0290ae00@imap.ecs.soton.ac.uk> At 17:16 16/12/2001, you wrote: >ignoring text in character set `WINDOWS-1251' > at /usr/local/lib/perl5/site_perl/5.6.0/MIME/Parser/Filer.pm line 646 >Can't call method "parts" on an undefined value at >/var/mailscanner/bin/explode.pl line 265. > >Mailscanner dies after this error, and no messages are delivered. There is something in a message that MailScanner is objecting strongly to. I would like to see what it is. If you start MailScanner, wait for it to stop, then do a "ls -alutr /var/spool/mqueue.in" it should list the messages sorted by access date, with the most recently accessed message last. This is almost certainly the one causing the problem. 
Move this message out (qf and df files) into a temporary directory somewhere safe, then restart MailScanner. At this point I advise upgrading your MIME-Tools modules to the latest version, which you can get from www.zeegee.com. After that, try putting the message back into mqueue.in and see if it will now deliver it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mdchaney at MICHAELCHANEY.COM Mon Dec 17 09:46:13 2001 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Mon, Dec 17, 2001 at 09:08:57AM +0000 References: <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> Message-ID: <20011217034612.A11929@michaelchaney.com> On Mon, Dec 17, 2001 at 09:08:57AM +0000, Julian Field wrote: > At 23:23 16/12/2001, you wrote: > >------------------------------------------------------------- > >/usr/sbin/exim -bd > >/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m > >/usr/local/MailScanner/bin/check_mailscanner >/dev/null > >------------------------------------------------------------- > > I'm not an Exim user, but if that was sendmail there shouldn't be 2 "-bd" > lines above, only 1. In sendmail the 2nd one shouldn't have "-bd". I *am* an Exim user, and your answer is correct. Exim uses the same flags as Sendmail (generally), and "-bd" means "listen for smtp on port 25". You definitely don't want that on the second Exim command. 
Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From nwp at LEMON-COMPUTING.COM Mon Dec 17 11:01:28 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: debug of virus scanner conversation In-Reply-To: ; from sfarrell@ICCONSULTING.COM.AU on Sun, Dec 16, 2001 at 09:03:05AM +1000 References: Message-ID: <20011217110128.B19695@lemon-computing.com> On Sun, Dec 16, 2001 at 09:03:05AM +1000, Scott Farrell wrote: > Just an update. > > Below are succesfull and failed scanning logs. You'll notice the > successgul one takes about 2 seconds, and the failed one is instant with > no logging. > > Restarting mailscanner fixes the problem, but it eventually re-occurs. > > Any Ideas? memory? inoculate being updated and locking between mailscanner/inoculate not working properly? try redirecting the child process' STDERR to somewhere you can see? flush STDOUT before doing the open? That's all off the top of my head. -- Nick Phillips -- nwp@lemon-computing.com Fine day for friends. So-so day for you. From nwp at LEMON-COMPUTING.COM Mon Dec 17 11:18:41 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011216232359.GA579@debian>; from rfowkar@YAHOO.COM on Sun, Dec 16, 2001 at 11:23:59PM +0000 References: <20011216232359.GA579@debian> Message-ID: <20011217111841.D19695@lemon-computing.com> On Sun, Dec 16, 2001 at 11:23:59PM +0000, Rajesh Fowkar wrote: > Hi, > > I am on dial-up connection at my home. Now after configuring mailscanner & > exim everything works fine mail is checked, warning sent. But if I send a > mail to outside domain from my home machine say xyz@yahoo.com than the mail > is scanned and than it waits in /var/spool/exim/input > > But when I do mailq nothing is visible. This is expected. 
Exim and all the standard tools will use the standard compiled-in location of the exim config file, which is the mailscanner's incoming queue. Use "mailq -C " It is done this way round to ensure that locally-generated mail gets scanned. One day there will be a worm that is caught by this. > What I should do to send the mail waiting in /var/spool/exim/input but not > showing in mailq ? "exim -C -qf" ...or similar. -- Nick Phillips -- nwp@lemon-computing.com It's lucky you're going so slowly, because you're going in the wrong direction. From nwp at LEMON-COMPUTING.COM Mon Dec 17 11:20:26 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Mon, Dec 17, 2001 at 09:08:57AM +0000 References: <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> Message-ID: <20011217112026.E19695@lemon-computing.com> On Mon, Dec 17, 2001 at 09:08:57AM +0000, Julian Field wrote: > At 23:23 16/12/2001, you wrote: > >------------------------------------------------------------- > >/usr/sbin/exim -bd > >/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m > >/usr/local/MailScanner/bin/check_mailscanner >/dev/null > >------------------------------------------------------------- > > I'm not an Exim user, but if that was sendmail there shouldn't be 2 "-bd" > lines above, only 1. In sendmail the 2nd one shouldn't have "-bd". Didn't notice that. It won't matter, as the second exim won't be able to bind to a socket that the first is already listening on, but you're right that it shouldn't be there. -- Nick Phillips -- nwp@lemon-computing.com You are confused; but this is your normal state. 
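The checks raised in this thread for the two-daemon Exim setup (only one exim command listening with -bd, a queue-only incoming daemon with its own spool directory, and the outgoing queue inspected through its own config) collected into one audit script. This is an added example, not code from MailScanner, Exim or any poster; `make_fixture`, the temporary paths and the default-spool argument are assumptions, and the sample files are constructed to mirror the config and init script posted above.

```shell
#!/bin/sh
# Added example, not MailScanner or Exim project code. Audits a two-daemon
# MailScanner + Exim layout for the configuration mistakes raised in the thread.

# Print spool_directory from Exim config $1, or $2 (the assumed compiled-in
# default) when the config does not set one.
spool_dir_of() {
    val=$(sed -n 's/^[[:space:]]*spool_directory[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-$2}"
}

# Count queued messages under spool $1 (each message has one "-H" header file).
count_queued() {
    if [ -d "$1/input" ]; then
        find "$1/input" -type f -name '*-H' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Count uncommented exim commands in init script $1 that pass -bd.
daemon_listeners() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(^|[[:space:]/])exim([[:space:]]|$)' |
        grep -c -E '[[:space:]]-bd([[:space:]]|$)' || true
}

# audit INCOMING_CONF OUTGOING_CONF INIT_SCRIPT DEFAULT_SPOOL
# Prints findings and returns 1 if any check fails.
audit() {
    in_spool=$(spool_dir_of "$1" "$4")
    out_spool=$(spool_dir_of "$2" "$4")
    status=0
    # Scanned and unscanned mail must not share one queue.
    if [ "$in_spool" = "$out_spool" ]; then
        echo "FAIL: both configs use spool $in_spool"
        status=1
    fi
    # The incoming daemon must only queue, so the scanner sees mail first.
    if ! grep -Eq '^[[:space:]]*queue_only[[:space:]]*(=[[:space:]]*(true|yes))?[[:space:]]*$' "$1"; then
        echo "FAIL: $1 does not set queue_only"
        status=1
    fi
    # Only the incoming daemon should listen for SMTP.
    n=$(daemon_listeners "$3")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n exim commands pass -bd, expected exactly 1"
        status=1
    fi
    echo "incoming spool $in_spool: $(count_queued "$in_spool") queued"
    echo "outgoing spool $out_spool: $(count_queued "$out_spool") queued"
    return "$status"
}

# Build constructed sample files under $1 that mirror the thread; $2 is the
# extra flag on the second exim command ("-bd" reproduces the posted script).
make_fixture() {
    mkdir -p "$1/spool/exim/input" "$1/spool/exim_incoming/input"
    printf 'spool_directory=%s\nqueue_only=true\n' "$1/spool/exim_incoming" > "$1/exim.conf"
    printf '# no spool_directory here: the default applies\n' > "$1/exim_outgoing.conf"
    cat > "$1/init" <<EOF
/usr/sbin/exim -bd
/usr/sbin/exim -C /etc/exim_outgoing.conf $2 -q15m
/usr/local/MailScanner/bin/check_mailscanner >/dev/null
EOF
    # One scanned message waiting in the outgoing queue (constructed, empty files).
    : > "$1/spool/exim/input/16G4uL-00006L-00-D"
    : > "$1/spool/exim/input/16G4uL-00006L-00-H"
}

# Demo run against the constructed fixture.
demo=$(mktemp -d)
make_fixture "$demo" "-bd"
audit "$demo/exim.conf" "$demo/exim_outgoing.conf" "$demo/init" "$demo/spool/exim" ||
    echo "audit reported problems"
rm -rf "$demo"
```

On a real host the four arguments would be the incoming config, the outgoing config, the init script, and the spool path the exim binary was built with.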
From jkf at ecs.soton.ac.uk Mon Dec 17 13:53:06 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011217190404.GA473@debian> References: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20011217135250.058a7138@imap.ecs.soton.ac.uk> Over to all you Exim experts out there... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From viers at UNILIM.FR Mon Dec 17 13:54:35 2001 From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:14:10 2006 Subject: pb with mailscanner and mcafee Message-ID: <4.2.0.58.20011217144500.00a45a70@pop.unilim.fr> Hello, i have installed mailscanner 2.6 with mcafee on a linux mandrake 8.1 mail server (sendmail). I start sendmail with these two lines: /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in /usr/sbin/sendmail -q10m And during a few minutes it works fine . But after these few minutes the number of messages in mqueue.in grow and mailscanner does not scan anymore ? Any ideas ? 
Thanks a lot ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________ From jkf at ecs.soton.ac.uk Mon Dec 17 14:17:11 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:10 2006 Subject: pb with mailscanner and mcafee In-Reply-To: <4.2.0.58.20011217144500.00a45a70@pop.unilim.fr> Message-ID: <5.1.0.14.2.20011217141618.058e8010@imap.ecs.soton.ac.uk> At 13:54 17/12/2001, you wrote: > Hello, >i have installed mailscanner 2.6 with mcafee on a linux mandrake 8.1 >mail server (sendmail). >I start sendmail with these two lines: >/usr/sbin/sendmail -bd -ODeliveryMode=queueonly >-OQueueDirectory=/var/spool/mqueue.in >/usr/sbin/sendmail -q10m > >And during a few minutes it works fine . But after these few minutes the >number of >messages in mqueue.in grow and mailscanner does not scan anymore ? > > Any ideas ? Is the mailscanner process itself being started properly? (and is it running?) Are you running MailScanner in "debug = 1" mode (I hope not!). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Mon Dec 17 14:30:49 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <5.1.0.14.2.20011217135250.058a7138@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Mon, Dec 17, 2001 at 01:53:06PM +0000 References: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> <20011217190404.GA473@debian> <5.1.0.14.2.20011217135250.058a7138@imap.ecs.soton.ac.uk> Message-ID: <20011217143049.H19695@lemon-computing.com> On Mon, Dec 17, 2001 at 01:53:06PM +0000, Julian Field wrote: > Over to all you Exim experts out there... I answered this this morning. -- Nick Phillips -- nwp@lemon-computing.com Is this really happening? From viers at UNILIM.FR Mon Dec 17 14:32:54 2001 From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:14:10 2006 Subject: pb with mailscanner and mcafee In-Reply-To: <5.1.0.14.2.20011217141618.058e8010@imap.ecs.soton.ac.uk> References: <4.2.0.58.20011217144500.00a45a70@pop.unilim.fr> Message-ID: <4.2.0.58.20011217153036.00a4a3e0@pop.unilim.fr> At 14:17 17/12/01 +0000, you wrote: >Is the mailscanner process itself being started properly? (and is it >running?) Are you running MailScanner in "debug = 1" mode (I hope not!).
yes mailscanner run and i hope properly ;-) Of course not in debug = 1 mode ____________________________________________________________ Nicolas Viers | Service Commun Informatique Mél: viers@unilim.fr | 123, avenue Albert Thomas | 87060 Limoges cedex Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 http://www.unilim.fr/sci ____________________________________________________________
From jkf at ecs.soton.ac.uk Mon Dec 17 16:21:17 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:10 2006 Subject: Looking for beta testers Message-ID: <5.1.0.14.2.20011217161839.03e61f78@imap.ecs.soton.ac.uk> Please could all those who have requested support for a new virus scanner, and a few other people, get in touch so they can try out the new version when it is ready. We're finishing things off now and want some people to test a few things (support for new scanners in particular) before we release it to the world. Many thanks to you all in advance! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Mon Dec 17 16:45:44 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011217215442.GA802@debian>; from rfowkar@YAHOO.COM on Mon, Dec 17, 2001 at 09:54:42PM +0000 References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> Message-ID: <20011217164544.J19695@lemon-computing.com> On Mon, Dec 17, 2001 at 09:54:42PM +0000, Rajesh Fowkar wrote: > I tried everything as per the docs. But even after doing > > mailq -C /etc/exim_outgoing.conf > > I don't get anything. You haven't accidentally set your spool_directory in /etc/exim.conf as well as /etc/exim_outgoing.conf, have you? What do exim's logs say? -- Nick Phillips -- nwp@lemon-computing.com Increased knowledge will help you now. Have mate's phone bugged. From rfowkar at YAHOO.COM Mon Dec 17 19:04:04 2001 From: rfowkar at YAHOO.COM (Rajesh Fowkar) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> References: <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> Message-ID: <20011217190404.GA473@debian> Julian Field saw fit to inform me that: >At 23:23 16/12/2001, you wrote: >>------------------------------------------------------------- >>/usr/sbin/exim -bd >>/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m >>/usr/local/MailScanner/bin/check_mailscanner >/dev/null >>------------------------------------------------------------- > >I'm not an Exim user, but if that was sendmail there shouldn't be 2 "-bd" >lines above, only 1. In sendmail the 2nd one shouldn't have "-bd". > >Check the Exim installation instructions again, to be sure you are doing >this bit right. Sorry Julian. My mistake. Yes -bd is not required for second exim process. 
But even after removing it and restarting mailscanner and exim my problem still remains. The mail which I have sent is scanned in /var/spool/exim_incoming/input and than put in /var/spool/exim/input. But mailq does not show anything and I cannot send mail. Now I am sending this mail by stopping mailscanner and just starting plain exim. What else could be wrong ? Thanks a lot for the help. Peace -- Rajesh http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux Kernel 2.4.16(ext3) You have the power to influence all with whom you come in contact. From rfowkar at YAHOO.COM Mon Dec 17 21:54:42 2001 From: rfowkar at YAHOO.COM (Rajesh Fowkar) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011217111841.D19695@lemon-computing.com> References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> Message-ID: <20011217215442.GA802@debian> Nick Phillips saw fit to inform me that: >On Sun, Dec 16, 2001 at 11:23:59PM +0000, Rajesh Fowkar wrote: >> Hi, >> >> I am on dial-up connection at my home. Now after configuring mailscanner & >> exim everything works fine mail is checked, warning sent. But if I send a >> mail to outside domain from my home machine say xyz@yahoo.com than the mail >> is scanned and than it waits in /var/spool/exim/input >> >> But when I do mailq nothing is visible. > >This is expected. Exim and all the standard tools will use the standard >compiled-in location of the exim config file, which is the mailscanner's >incoming queue. > >Use "mailq -C " Thanks Nick for the help. I tried everything as per the docs. But even after doing mailq -C /etc/exim_outgoing.conf I don't get anything. rajesh@debian:~$ l /var/spool/exim/input/ total 8 -rw------- 1 mail mail 292 Dec 17 21:02 16G4uL-00006L-00-D -rw------- 1 mail mail 758 Dec 17 21:03 16G4uL-00006L-00-H rajesh@debian:~$ As you can see after scanning the mail is in /var/spool/exim/input > >"exim -C -qf" > >...or similar. 
> debian:/etc# exim -C /etc/exim_outgoing.conf -qf debian:/etc# Nothing is sent. I have got the following in /usr/local/Mailscanner/etc/mailscanner.conf ----------------------------------------------------------------------- # Set location of sendmail binary, location of incoming mail queue # and location of outgoing mail queue. MTA = exim Sendmail = /usr/sbin/exim Incoming Queue Dir = /var/spool/exim_incoming/input Outgoing Queue Dir = /var/spool/exim/input # Sendmail2 is provided for Exim users. # It defaults to the value supplied for Sendmail. # It is the command used to attempt delivery of outgoing # (scanned/cleaned) messages. Sendmail2 = /usr/sbin/exim -C /etc/exim_outgoing.conf ----------------------------------------------------------------------- In /etc/exim.conf I have added the things as per the docs. Anything else to be done. I think I am missing something silly here. Please help. -- Rajesh http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux Kernel 2.4.16(ext3) If your life was a horse, you'd have to shoot it. From viers at UNILIM.FR Mon Dec 17 17:19:54 2001 From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges) Date: Thu Jan 12 21:14:10 2006 Subject: Mailscanner frequence scanning Message-ID: <4.2.0.58.20011217180759.009b1100@pop.unilim.fr> Hello, my mailscanner on a linux mandrake 8.1 with sendmail is very slow in scanning frequence. When i start mailscanner it scans mqueue.in immediatly and after each 5 or 10 minutes. During this time the number messages grow in this directory. And after 1 hour it does not scan any more. Is it possible to tell mailscanner to scan more often ? Is there problem on linux mandrake 8.1 (kernel 2.4.8-26) with mailscanner ? Some help ? Thanks a lot PS: i have mailscanner+mcafee --------mailscanner.conf---------- # Which Virus Scanning package to use: "sophos" or "mcafee" Virus Scanner = mcafee ... # Where the Virus scanner is installed. 
This is the command needed to run it
#Sweep = /usr/local/Sophos/bin/sophoswrapper
Sweep =/usr/local/bin/uvscan
----------------------------------

>Is there anything to change in config.pl like :
>
>$Config::Sweep and $Config::VirusScanner ?

____________________________________________________________
Nicolas Viers | Service Commun Informatique
Mél: viers@unilim.fr | 123, avenue Albert Thomas
 | 87060 Limoges cedex
Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011217/62b8497c/attachment.html

From miguelk at KONSULTEX.COM.BR Mon Dec 17 17:30:35 2001
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:14:10 2006
Subject: Mailscanner frequence scanning
References: <4.2.0.58.20011217180759.009b1100@pop.unilim.fr>
Message-ID: <3C1E2BBB.220062C1@konsultex.com.br>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011217/3596c6d3/attachment.html

From rfowkar at YAHOO.COM Mon Dec 17 23:24:47 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim
In-Reply-To: <20011217164544.J19695@lemon-computing.com>
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian>
Message-ID: <20011217232447.GA682@debian>

Nick Phillips saw fit to inform me that:

>On Mon, Dec 17, 2001 at 09:54:42PM +0000, Rajesh Fowkar wrote:
>
>> I tried everything as per the docs. But even after doing
>>
>> mailq -C /etc/exim_outgoing.conf
>>
>> I don't get anything.
>
>You haven't accidentally set your spool_directory in /etc/exim.conf as
>well as /etc/exim_outgoing.conf, have you?

Nope.
In /etc/exim_outgoing.conf there is no spool_directory statement. This is my default exim.conf file without mailscanner now. Hence there the spool_directory is /var/spool/exim/input.

In /etc/exim.conf the spool_directory is set :

spool_directory=/var/spool/exim_incoming

>
>What do exim's logs say?

---------------------------------------------------------------------------
2001-12-17 21:54:30 exim 3.12 daemon started: pid=833, -q30m, listening for SMTP on port 25
2001-12-17 21:54:31 Start queue run: pid=835
2001-12-17 21:54:31 16G4uL-00006L-00 == rfowkar@yahoo.com T=remote_smtp defer (-44): retry time not reached for any host
2001-12-17 21:54:31 End queue run: pid=835
2001-12-17 21:54:43 16G5ic-0000Db-00 <= rfowkar@yahoo.com U=rajesh P=local S=2965 id=20011217215442.GA802@debian
2001-12-17 21:54:43 16G5ic-0000Db-00 == MAILSCANNER@JISCMAIL.AC.UK routing defer (-45): remote delivery skipped
---------------------------------------------------------------------------

This is correct. Because I am not connected while sending these mails and after scanning them they are staying in the queue /var/spool/exim/input. But mail does not show them nor mail -C /etc/exim_outgoing.conf.

As soon as I stop mailscanner and start only exim all the mails are back in queue and exim starts sending them.

Thanks for all the help.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.16(ext3)
You will reach the highest possible point in your business or profession.

From ed at THE7THBEER.COM Mon Dec 17 18:03:47 2001
From: ed at THE7THBEER.COM (Edward Mitchell)
Date: Thu Jan 12 21:14:10 2006
Subject: pb with mailscanner and mcafee
In-Reply-To: <5.1.0.14.2.20011217141618.058e8010@imap.ecs.soton.ac.uk>
Message-ID:

I have observed this behavior when the SPAM checks are enabled. Mail spools and spools, with little or none of it being delivered. Turning off the SPAM checks alleviates the problem.
This is with MailScanner 2.60-1 under Solaris 8, sendmail 8.12.1. > >/usr/sbin/sendmail -bd -ODeliveryMode=queueonly > >-OQueueDirectory=/var/spool/mqueue.in > >/usr/sbin/sendmail -q10m > > > >And during a few minutes it works fine . But after these few minutes the > >number of > >messages in mqueue.in grow and mailscanner does not scan anymore ? > > > > Any ideas ? > > Is the mailscanner process itself being started properly? (and is it > running?) Are you running MailScanner in "debug = 1" mode (I hope not!). From nwp at LEMON-COMPUTING.COM Mon Dec 17 18:19:51 2001 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011217232447.GA682@debian>; from rfowkar@YAHOO.COM on Mon, Dec 17, 2001 at 11:24:47PM +0000 References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> Message-ID: <20011217181951.L19695@lemon-computing.com> On Mon, Dec 17, 2001 at 11:24:47PM +0000, Rajesh Fowkar wrote: > This is correct. Because I am not connected while sending these mails and > after scanning them they are staying in the queue /var/spool/exim/input. > But mail does not show them nor mail -C /etc/exim_outgoing.conf. > > As soon as I stop mailscanner and start only exim all the mails are back in > queue and exim starts sending them. This would imply that mailscanner is correctly set up but that the exim that should send things out is not; when those mails finally get sent, do they have the mailscanner header added? -- Nick Phillips -- nwp@lemon-computing.com Stay away from flying saucers today. 
From rfowkar at YAHOO.COM Mon Dec 17 23:59:01 2001 From: rfowkar at YAHOO.COM (Rajesh Fowkar) Date: Thu Jan 12 21:14:10 2006 Subject: mailscanner & exim In-Reply-To: <20011217181951.L19695@lemon-computing.com> References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> Message-ID: <20011217235901.GA1367@debian> Nick Phillips saw fit to inform me that: >On Mon, Dec 17, 2001 at 11:24:47PM +0000, Rajesh Fowkar wrote: > >> This is correct. Because I am not connected while sending these mails and >> after scanning them they are staying in the queue /var/spool/exim/input. >> But mail does not show them nor mail -C /etc/exim_outgoing.conf. >> >> As soon as I stop mailscanner and start only exim all the mails are back in >> queue and exim starts sending them. > >This would imply that mailscanner is correctly set up but that the exim that >should send things out is not; when those mails finally get sent, do they >have the mailscanner header added? Yes. mailscanner headers are added since these messages are scanned and than it remains in the outgoing queue without getting delivered. Only when I stop mailscanner and start exim as one process these mails are delivered from /var/spool/exim/input. This mail I am sending directly using exim. I have not started mailscanner. Thus only one exim process is running. You won't get mailscanner header in this mail. Thanks -- Rajesh http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux Kernel 2.4.16(ext3) Remark of Dr. Baldwin's concerning upstarts: We don't care to eat toadstools that think they are truffles. 
-- Mark Twain, "Pudd'nhead Wilson's Calendar"

From rfowkar at YAHOO.COM Tue Dec 18 00:27:29 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011217181951.L19695@lemon-computing.com>
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com>
Message-ID: <20011218002728.GA2092@debian>

Nick Phillips saw fit to inform me that:

>On Mon, Dec 17, 2001 at 11:24:47PM +0000, Rajesh Fowkar wrote:
>
>> This is correct. Because I am not connected while sending these mails and
>> after scanning them they are staying in the queue /var/spool/exim/input.
>> But mail does not show them nor mail -C /etc/exim_outgoing.conf.
>>
>> As soon as I stop mailscanner and start only exim all the mails are back in
>> queue and exim starts sending them.
>
>This would imply that mailscanner is correctly set up but that the exim that
>should send things out is not; when those mails finally get sent, do they
>have the mailscanner header added?

Sorry Nick, Julian. I was using Mailscanner 2.42. Just now I upgraded it to
2.60 and it started working.

Now I can view the mails using mailq -C /etc/exim_outgoing.conf and send the
mails using exim -C /etc/exim_outgoing.conf.

This mail too will pass through mailscanner. Header will prove that.

Thanks for all the help.

Peace

ps.: Is there any cvs of mailscanner ?

--
Rajesh
http://www.symonds.net/~rajesh/
*****
Powered By: Debian GNU/Linux Kernel 2.4.16(ext3)

Give your very best today. Heaven knows it's little enough.
From nwp at LEMON-COMPUTING.COM Mon Dec 17 19:20:06 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011218002728.GA2092@debian>; from rfowkar@YAHOO.COM on Tue, Dec 18, 2001 at 12:27:29AM +0000
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> <20011218002728.GA2092@debian>
Message-ID: <20011217192005.M19695@lemon-computing.com>

On Tue, Dec 18, 2001 at 12:27:29AM +0000, Rajesh Fowkar wrote:

> Sorry Nick, Julian. I was using Mailscanner 2.42. Just now I upgraded it to
> 2.60 and it started working.

Good...

> ps.: Is there any cvs of mailscanner ?

Yes thanks. >;)

--
Nick Phillips -- nwp@lemon-computing.com
Today is the last day of your life so far.

From miguelk at KONSULTEX.COM.BR Mon Dec 17 19:28:12 2001
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:14:10 2006
Subject: Beta test for new Mail Scanner
Message-ID: <3C1E474C.DE15049E@konsultex.com.br>

Julian announced a beta test for the new version which will support more
scanning engines. Since there seems to be some confusion about licensing
issues, especially regarding Sophos, so I wonder if I could have a list
of the possible new virus scanners that the new version will handle?

Miguel

From sfarrell at ICCONSULTING.COM.AU Mon Dec 17 23:11:09 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:10 2006
Subject: debug of virus scanner conversation
Message-ID:

Nick, that sounds great,

how do I get a handle to STDERR, Julian suggested print "$_" which output
the STDOUT from the commercial scanner. Am I on the right track?

On Sun, Dec 16, 2001 at 09:03:05AM +1000, Scott Farrell wrote:
> Just an update.
>
> Below are successful and failed scanning logs.
You'll notice the
> successful one takes about 2 seconds, and the failed one is instant with
> no logging.
>
> Restarting mailscanner fixes the problem, but it eventually re-occurs.
>
> Any Ideas? memory? inoculate being updated and locking between mailscanner/inoculate not working properly? try redirecting the child process' STDERR to somewhere you can see? flush STDOUT before doing the open? That's all off the top of my head.

--
Nick Phillips -- nwp@lemon-computing.com
Fine day for friends. So-so day for you

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011218/6ace030f/attachment.html

From mdchaney at MICHAELCHANEY.COM Mon Dec 17 22:11:05 2001
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim
In-Reply-To: <20011217190404.GA473@debian>; from rfowkar@YAHOO.COM on Mon, Dec 17, 2001 at 07:04:04PM +0000
References: <20011216232359.GA579@debian> <5.1.0.14.2.20011217090747.03de58b0@imap.ecs.soton.ac.uk> <20011217190404.GA473@debian>
Message-ID: <20011217161105.E13895@michaelchaney.com>

On Mon, Dec 17, 2001 at 07:04:04PM +0000, Rajesh Fowkar wrote:
> Julian Field saw fit to inform me that:
> >At 23:23 16/12/2001, you wrote:
> >>-------------------------------------------------------------
> >>/usr/sbin/exim -bd
> >>/usr/sbin/exim -C /etc/exim_outgoing.conf -bd -q15m
> >>/usr/local/MailScanner/bin/check_mailscanner >/dev/null
> >>-------------------------------------------------------------
> >
> >I'm not an Exim user, but if that was sendmail there shouldn't be 2 "-bd"
> >lines above, only 1. In sendmail the 2nd one shouldn't have "-bd".
> >
> >Check the Exim installation instructions again, to be sure you are doing
> >this bit right.
>
> Sorry Julian. My mistake. Yes -bd is not required for second exim process.
> But even after removing it and restarting mailscanner and exim my problem
> still remains.
>
> The mail which I have sent is scanned in /var/spool/exim_incoming/input and
> than put in /var/spool/exim/input. But mailq does not show anything and I
> cannot send mail.
>
> Now I am sending this mail by stopping mailscanner and just starting plain
> exim.
>
> What else could be wrong ?

mailq probably won't work, anyway. If you have your system configured
correctly and mailq is pointing to Exim, then it's still going to hit
the default config file and look in /var/spool/exim_incoming/input.

You can probably use

    mailq -C /etc/exim_outgoing.conf

Otherwise:

    exim -C /etc/exim_outgoing.conf -bp

to view the queue.

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/
From sfarrell at ICCONSULTING.COM.AU Mon Dec 17 23:08:46 2001
From: sfarrell at ICCONSULTING.COM.AU (Scott Farrell)
Date: Thu Jan 12 21:14:10 2006
Subject: Looking for beta testers
Message-ID:

no problem, I'll obviously beta test for you - with inoclulate.

regards
Scott Farrell
http://www.icconsulting.com.au

ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services. We deliver high impact
consulting, and fast turn around projects for our clients. Ask us about Web
Content Management, Web Self Service, or working closer with your customers
or suppliers.
0412 927 156, 02 9411 3622
mailto:sfarrell@icconsulting.com.au

Julian Field
Sent by: MailScanner mailing list
18/12/2001 02:21 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Looking for beta testers

Please could all those who have requested support for a new virus scanner,
and a few other people, get in touch so they can try out the new version
when it is ready. We're finishing things off now and want some people to
test a few things (support for new scanners in particular) before we
release it to the world.

Many thanks to you all in advance!

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011218/6e699651/attachment.html

From jkf at ecs.soton.ac.uk Tue Dec 18 09:21:15 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:10 2006
Subject: Beta test for new Mail Scanner
In-Reply-To: <3C1E474C.DE15049E@konsultex.com.br>
Message-ID: <5.1.0.14.2.20011218092031.03ce9010@imap.ecs.soton.ac.uk>

At 19:28 17/12/2001, you wrote:
>Julian announced a beta test for the new version which will support more
>scanning engines. Since there seems to be some confusion about licensing
>issues, especially regarding Sophos, so I wonder if I could have a list
>of the possible new virus scanners that the new version will handle?

The list we are aiming for (but make no guarantees about) is this:

    Sophos
    McAfee
    Command AV
    F-Secure
    Kaspersky
    Inoculate-IT

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Tue Dec 18 09:23:14 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:10 2006
Subject: Mailscanner frequence scanning
In-Reply-To: <4.2.0.58.20011217180759.009b1100@pop.unilim.fr>
Message-ID: <5.1.0.14.2.20011218092203.03fd1e58@imap.ecs.soton.ac.uk>

At 17:19 17/12/2001, you wrote:
>When i start mailscanner it scans mqueue.in immediately and after each
>5 or 10 minutes. During this time the number messages grow in this
>directory.
>And after 1 hour it does not scan any more.
>Is it possible to tell mailscanner to scan more often ?

Have you tried switching off the spam checks? The DNS timeouts could be
hitting you badly.

>Is there problem on linux mandrake 8.1 (kernel 2.4.8-26) with mailscanner ?

Not as far as we know.

>>Is there anything to change in config.pl like :
>>
>>$Config::Sweep
>
>and
>$Config::VirusScanner ?

You shouldn't need to edit config.pl at all. Edit mailscanner.conf instead.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From nwp at LEMON-COMPUTING.COM Tue Dec 18 09:55:35 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: debug of virus scanner conversation
In-Reply-To: ; from sfarrell@ICCONSULTING.COM.AU on Tue, Dec 18, 2001 at 09:11:09AM +1000
References:
Message-ID: <20011218095535.N19695@lemon-computing.com>

On Tue, Dec 18, 2001 at 09:11:09AM +1000, Scott Farrell wrote:

> how do I get a handle to STDERR, Julian suggested print "$_" which output
> the STDOUT from the commercial scanner. Am I on the right track?

I'd just:

    print STDERR $line;

at the start of the ProcessInoculateOutput function.

And STDOUT should definitely be flushed before the open; I won't fix it yet,
as I'd prefer to know what's causing your problem first -- rather than the
problem just disappearing under a mass of small changes.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Artistic ventures highlighted. Rob a museum.

From nwp at LEMON-COMPUTING.COM Tue Dec 18 10:14:30 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: Mailscanner frequence scanning
In-Reply-To: <5.1.0.14.2.20011218092203.03fd1e58@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Tue, Dec 18, 2001 at 09:23:14AM +0000
References: <4.2.0.58.20011217180759.009b1100@pop.unilim.fr> <5.1.0.14.2.20011218092203.03fd1e58@imap.ecs.soton.ac.uk>
Message-ID: <20011218101430.P19695@lemon-computing.com>

On Tue, Dec 18, 2001 at 09:23:14AM +0000, Julian Field wrote:

> You shouldn't need to edit config.pl at all. Edit mailscanner.conf instead.

s/need to //

And if you don't know what that means, you should *definitely* stick to
editing mailscanner.conf. ;)

--
Nick Phillips -- nwp@lemon-computing.com
You get along very well with everyone except animals and people.
From rfowkar at YAHOO.COM Tue Dec 18 22:00:15 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011217192005.M19695@lemon-computing.com>
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> <20011218002728.GA2092@debian> <20011217192005.M19695@lemon-computing.com>
Message-ID: <20011218220015.GA338@debian>

Nick Phillips saw fit to inform me that:

>On Tue, Dec 18, 2001 at 12:27:29AM +0000, Rajesh Fowkar wrote:
>
>> Sorry Nick, Julian. I was using Mailscanner 2.42. Just now I upgraded it to
>> 2.60 and it started working.
>
>Good...
After installing I realised that if I give mailq from a user login

    mailq -C /etc/exim_outgoing.conf

it does not work. You have to be root to do that. So now I have created a
script called mq

    sudo mailq -C /etc/exim_outgoing.conf

Now on typing mq I get the queue of the mails after scanning.

Another thing, for exim I have to change the ownership of Mailscanner and
exim_incoming.

    chown -R mail.mail /var/spool/MailScanner
    chown -R mail.mail /var/spool/exim_incoming

>
>> ps.: Is there any cvs of mailscanner ?
>
>Yes thanks. >;)

I asked because at present I am using alien to convert the rpm to deb and
then install that deb using dpkg. :-)

Thanks for this excellent product.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/
*****
Powered By: Debian GNU/Linux Kernel 2.4.16(ext3)

Q: What's the difference between USL and the Graf Zeppelin?
A: The Graf Zeppelin represented cutting edge technology for its time.

From nwp at LEMON-COMPUTING.COM Tue Dec 18 18:43:53 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011218220015.GA338@debian>; from rfowkar@YAHOO.COM on Tue, Dec 18, 2001 at 10:00:15PM +0000
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> <20011218002728.GA2092@debian> <20011217192005.M19695@lemon-computing.com> <20011218220015.GA338@debian>
Message-ID: <20011218184353.G1031@lemon-computing.com>

On Tue, Dec 18, 2001 at 10:00:15PM +0000, Rajesh Fowkar wrote:

> After installing I realised that if I give mailq from a user login
>
> mailq -C /etc/exim_outgoing.conf
>
> it does not work. You have to be root to do that.
So now I have created a
> script called mq
>
> sudo mailq -C /etc/exim_outgoing.conf

You might be better off setting the exim option that allows any user to
view the queue, depending on what users you have on the box.

> Another thing, for exim I have to change the ownership of Mailscanner and
> exim_incoming.
>
> chown -R mail.mail /var/spool/MailScanner
> chown -R mail.mail /var/spool/exim_incoming

Not quite sure exactly what's what there... but evidently your "new"
spool directory permissions should be the same as the original ones:

drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim
drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim.in

> >> ps.: Is there any cvs of mailscanner ?
> >
> >Yes thanks. >;)
>
> I asked because at present I am using alien to convert the rpm to deb and
> then install that deb using dpkg. :-)

...which is a much better way to install it than messing about with CVS,
for oh-so-many reasons.

I've just started working on a basic installer. Once that works (it's not
a high priority, so it'll take a while), I'll move onto the frankly rather
scary task of building a Debian package of the whole thing. Hopefully by
then I'll be living in the much lower-stress environs of Dunedin, NZ (rather
than SW London) and not have too much else to worry about. Then it might
be a bit easier to concentrate.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Excellent day for putting Slinkies on an escalator.
From rfowkar at YAHOO.COM Wed Dec 19 00:19:20 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011218184353.G1031@lemon-computing.com>
References: <20011216232359.GA579@debian> <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> <20011218002728.GA2092@debian> <20011217192005.M19695@lemon-computing.com> <20011218220015.GA338@debian> <20011218184353.G1031@lemon-computing.com>
Message-ID: <20011219001920.GA995@debian>

Nick Phillips saw fit to inform me that:

>On Tue, Dec 18, 2001 at 10:00:15PM +0000, Rajesh Fowkar wrote:
>
>> After installing I realised that if I give mailq from a user login
>>
>> mailq -C /etc/exim_outgoing.conf
>>
>> it does not work. You have to be root to do that. So now I have created a
>> script called mq
>>
>> sudo mailq -C /etc/exim_outgoing.conf
>
>You might be better off setting the exim option that allows any user to
>view the queue, depending on what users you have on the box.

If I don't start mailscanner and start only one exim process then mailq
works for all the users. This happens only when I start two exim processes
for mailscanner. However using sudo everything works. Thanks fine.

>
>> Another thing, for exim I have to change the ownership of Mailscanner and
>> exim_incoming.
>>
>> chown -R mail.mail /var/spool/MailScanner
>> chown -R mail.mail /var/spool/exim_incoming
>
>Not quite sure exactly what's what there... but evidently your "new"
>spool directory permissions should be the same as the original ones:
>
>drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim
>drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim.in

Yes. That's true. Since if you are using exim the owner and group running
the process are 'mail' /var/spool/MailScanner and its subdirectories too
should be owned by 'mail' to do the scanning.
However after converting rpm
to deb and installing the owner of /var/spool/MailScanner is root which has
to be changed using chown. Otherwise no scanning takes place.

>
>...which is a much better way to install it than messing about with CVS,
>for oh-so-many reasons.

Thanks.

>
>I've just started working on a basic installer. Once that works (it's not
>a high priority, so it'll take a while), I'll move onto the frankly rather
>scary task of building a Debian package of the whole thing. Hopefully by
>then I'll be living in the much lower-stress environs of Dunedin, NZ (rather
>than SW London) and not have too much else to worry about. Then it might
>be a bit easier to concentrate.

All the best.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/
*****
Powered By: Debian GNU/Linux Kernel 2.4.16(ext3)

You will live to see your grandchildren.

From nwp at LEMON-COMPUTING.COM Tue Dec 18 19:00:36 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: mailscanner & exim - solved
In-Reply-To: <20011219001920.GA995@debian>; from rfowkar@YAHOO.COM on Wed, Dec 19, 2001 at 12:19:20AM +0000
References: <20011217111841.D19695@lemon-computing.com> <20011217215442.GA802@debian> <20011217164544.J19695@lemon-computing.com> <20011217232447.GA682@debian> <20011217181951.L19695@lemon-computing.com> <20011218002728.GA2092@debian> <20011217192005.M19695@lemon-computing.com> <20011218220015.GA338@debian> <20011218184353.G1031@lemon-computing.com> <20011219001920.GA995@debian>
Message-ID: <20011218190036.I1031@lemon-computing.com>

On Wed, Dec 19, 2001 at 12:19:20AM +0000, Rajesh Fowkar wrote:

> If I don't start mailscanner and start only one exim process then mailq
> works for all the users. This happens only when I start two exim processes
> for mailscanner. However using sudo everything works. Thanks fine.
Have a look in both exim config files for something like:

    queue_list_requires_admin = false

...as that's the setting that allows all users to see the queue. The default
for Debian systems has been changed in a fairly recent version of the Exim
package, so what you have will depend on when it was installed.

It may be worth checking that exim is actually using the config file you
think it is, as the default compiled-in location for that has also changed
in recent versions of the Debian package - it is now /etc/exim/exim.conf
rather than just /etc/exim.conf...

> >drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim
> >drwxr-x--- 5 mail mail 1024 Apr 13 2001 exim.in
>
> Yes. That's true. Since if you are using exim the owner and group running
> the process are 'mail' /var/spool/MailScanner and its subdirectories too
> should be owned by 'mail' to do the scanning. However after converting rpm
> to deb and installing the owner of /var/spool/MailScanner is root which has
> to be changed using chown. Otherwise no scanning takes place.

I find that the mailscanner tarball for Solaris is usually more useful than
the RPM on Debian systems... you may like to try that if you install
mailscanner on Debian again.

> All the best.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Be careful! Is it classified?

From viers at UNILIM.FR Wed Dec 19 07:57:18 2001
From: viers at UNILIM.FR (Nicolas Viers - SCI Limoges)
Date: Thu Jan 12 21:14:10 2006
Subject: Mailscanner frequency scanning - solve
Message-ID: <4.2.0.58.20011219084942.00a666e0@pop.unilim.fr>

Hello,

problem:

>my mailscanner on a linux mandrake 8.1 with sendmail is very slow
>in scanning frequency.
>When i start mailscanner it scans mqueue.in immediately and after each
>5 or 10 minutes. During this time the number messages grow in this
>directory.
>And after 1 hour it does not scan any more.
>Is it possible to tell mailscanner to scan more often ?
>
>Is there problem on linux mandrake 8.1 (kernel 2.4.8-26) with mailscanner ?
Thanks to Miguel Koren, Edward Mitchell and Julian Field for your help.

The solution was to put "no" for "Spam checks" (the comment has not the
same effect) and "Deliver In Background = yes" in mailscanner.conf

And now (during 24 hours) the /var/spool/mqueue and /var/spool/mqueue.in
are treated correctly.

Thanks

____________________________________________________________
Nicolas Viers            | Service Commun Informatique
Mél: viers@unilim.fr     | 123, avenue Albert Thomas
                         | 87060 Limoges cedex
Tel: 05-55-45-77-09      | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011219/7dda6bfb/attachment.html
From yanik at YAN.CO.IL Wed Dec 19 18:49:34 2001
From: yanik at YAN.CO.IL (Y@N.COM Communications)
Date: Thu Jan 12 21:14:10 2006
Subject: Please HELP !!!
Message-ID: <02e901c188be$a4623d70$360a0a0a@SysAdmin>

Hi .. a have a big problem ...
the mailscanner workin for a 1 month succesfully, but when i restart the
computer i have a big problem:

# mailscanner stop
kill: (XXX) - No such pid: [OK]

i have a 70 emails in mquery.in and i need them ...
i was found the Mcaffe.lock file in /tmp directory .. but when i was
deleted them it;s not solve the problem ...
sorry about my english.. plese help somebody ....

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011219/12396fb8/attachment.html
From Paul.Haldane at NEWCASTLE.AC.UK Thu Dec 20 14:19:46 2001
From: Paul.Haldane at NEWCASTLE.AC.UK (Paul Haldane)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
Message-ID:

A request for clarification/checking of my understanding...

In the example filename.rules.conf we have

# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$      -       -

and then further down we have

deny    \.shs$  Possible Shell Scrap Object attack

Doesn't this mean that an attachment called paul.shs.shs would be passed
through? That's certainly what I'm observing here.

I know this is just an example file but I'm assuming it reflects to some
extent what Julian uses (or a cleaned up version of what he's used in the
past).

Would it make more sense to move the deny rules for the extensions that
we don't want to handle to the top of the file? I guess the important
thing being that the

(\.[a-z0-9]{3})\1$

rule must be before the

\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$

rule.

Paul
--
Paul Haldane
Unix Systems, Computing Service, University of Newcastle upon Tyne

From nwp at LEMON-COMPUTING.COM Thu Dec 20 14:42:31 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
In-Reply-To: ; from Paul.Haldane@NEWCASTLE.AC.UK on Thu, Dec 20, 2001 at 02:19:46PM -0000
References:
Message-ID: <20011220144231.A17731@lemon-computing.com>

On Thu, Dec 20, 2001 at 02:19:46PM -0000, Paul Haldane wrote:

> Would it make more sense to move the deny rules for the extensions that
> we don't want to handle to the top of the file? I guess the important
> thing being that the
>
> (\.[a-z0-9]{3})\1$
>
> rule must be before the
>
> \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$
>
> rule.

So far as my understanding goes, you're right.
--
Nick Phillips -- nwp@lemon-computing.com
Live in a world of your own, but always welcome visitors.

From m.sapsed at BANGOR.AC.UK Thu Dec 20 14:50:02 2001
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
References:
Message-ID: <3C21FA9A.D7E8272C@bangor.ac.uk>

Hi folks,

FWIW, I've disabled the double extension stuff in my rules. I found that it
was mostly catching things which were clean. Where you have malicious
double extensions, you should probably be banning the trailing extension
anyway shouldn't you?

Cheers,

Martin

--
Martin Sapsed                          To have no errors
Information Services                   Would be life without meaning
University of Wales, Bangor, LL57 2UX  No struggle, no joy.
Fax: +44 (0)1248 383826
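The ordering problem discussed in this thread, as an added example that is not part of any list message and not MailScanner's own code: a Python model of first-match-wins filename rules, showing why paul.shs.shs passes with the quoted order and is denied once the \.shs$ rule moves above the repeated-extension allow. Assumptions: the first matching rule wins (as the thread implies), matching is case-insensitive, an unmatched name passes, and the log text on the double-extension rule, the relative order of the two deny rules and the sample filenames are constructed.

```python
import re

# Rules quoted in the thread, with the "allow repeated extension" rule above
# the deny rules as in the example filename.rules.conf. Fields: action,
# regex, log text. The log text on the double-extension rule is constructed
# (the thread does not quote it) and the relative order of the two deny
# rules is an assumption.
ORIGINAL_ORDER = r"""
# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$                    -
deny    \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$    Double file extension (constructed text)
deny    \.shs$                                Possible Shell Scrap Object attack
"""

# The reordering suggested in the thread: deny rules for unwanted extensions
# first, with the repeated-extension allow still above the double-extension deny.
REORDERED = r"""
deny    \.shs$                                Possible Shell Scrap Object attack
allow   (\.[a-z0-9]{3})\1$                    -
deny    \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$    Double file extension (constructed text)
"""

# Constructed sample attachment names.
SAMPLES = ["paul.shs.shs", "blah.zip.zip", "holiday.jpg.shs", "notes.txt"]


def parse_rules(text):
    """Parse 'action regex [log text]' lines; '#' comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0] not in ("allow", "deny"):
            raise ValueError("bad rule line: %r" % raw)
        log_text = fields[2] if len(fields) == 3 else ""
        # Case-insensitive matching is an assumption of this model.
        rules.append((fields[0], re.compile(fields[1], re.IGNORECASE), log_text))
    return rules


def decide(rules, filename):
    """Return (action, pattern) of the first rule that matches the filename."""
    for action, regex, _log_text in rules:
        if regex.search(filename):
            return action, regex.pattern
    return "allow", None  # assumed default: a name no rule matches is passed


def shadowed_denies(rules, filenames):
    """List (filename, deny pattern, allow pattern) where an earlier allow wins
    over a later deny rule that also matches the same filename."""
    findings = []
    for name in filenames:
        for index, (action, regex, _log_text) in enumerate(rules):
            if not regex.search(name):
                continue
            if action == "allow":
                for later_action, later_regex, _ in rules[index + 1:]:
                    if later_action == "deny" and later_regex.search(name):
                        findings.append((name, later_regex.pattern, regex.pattern))
            break  # only the first matching rule decides
    return findings


if __name__ == "__main__":
    for label, text in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        rules = parse_rules(text)
        print(label)
        for name in SAMPLES:
            print("  %-16s %s" % (name, decide(rules, name)[0]))
        for name, deny, allow in shadowed_denies(rules, SAMPLES):
            print("  shadowed: %s matches deny %s but allow %s wins" % (name, deny, allow))
```

In the reordered set the only remaining shadowed deny is the generic double-extension rule for blah.zip.zip, which is the override the allow rule exists to provide.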
From jkf at ecs.soton.ac.uk Thu Dec 20 16:40:13 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
In-Reply-To:
Message-ID: <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk>

At 14:19 20/12/2001, you wrote:
>Would it make more sense to move the deny rules for the extensions that
>we don't want to handle to the top of the file? I guess the important
>thing being that the
>
>(\.[a-z0-9]{3})\1$
>rule must be before the
>\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$
>rule.

I believe you are absolutely right. Never occurred to me...
I will try to remember to fix this for the 3.00 release!

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mdchaney at MICHAELCHANEY.COM Thu Dec 20 23:09:43 2001
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
In-Reply-To: <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Thu, Dec 20, 2001 at 04:40:13PM +0000
References: <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk>
Message-ID: <20011220170942.A31176@michaelchaney.com>

On Thu, Dec 20, 2001 at 04:40:13PM +0000, Julian Field wrote:
> At 14:19 20/12/2001, you wrote:
> >Would it make more sense to move the deny rules for the extensions that
> >we don't want to handle to the top of the file? I guess the important
> >thing being that the
> >
> >(\.[a-z0-9]{3})\1$
> >rule must be before the
> >\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$
> >rule.
>
> I believe you are absolutely right. Never occurred to me...
> I will try to remember to fix this for the 3.00 release!

And while you're busy working on that, might want to cover this, too:
http://www.datafellows.com/v-descs/welyah.shtml

Basically, think of this file:

virus.txt .pif

where the spaces between "txt" and ".pif" are part of the name.

There is no end.

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/

From m.sapsed at BANGOR.AC.UK Fri Dec 21 08:31:24 2001
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
References: <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk> <20011220170942.A31176@michaelchaney.com>
Message-ID: <3C22F35C.1AE9C205@bangor.ac.uk>

Michael Chaney wrote:

> And while you're busy working on that, might want to cover this, too:
> http://www.datafellows.com/v-descs/welyah.shtml
>
> Basically, think of this file:
>
> virus.txt .pif
>
> where the spaces between "txt" and ".pif" are part of the name.

deny *.pif should take care of that though...

> There is no end.

You're probably right there..

Cheers,

Martin

P.S. What do people think about having .bat and .scr denied by default as
many double extension worms use those?

--
Martin Sapsed                           To have no errors
Information Services                    Would be life without meaning
University of Wales, Bangor, LL57 2UX   No struggle, no joy.
Fax: +44 (0)1248 383826

From jkf at ecs.soton.ac.uk Fri Dec 21 09:26:51 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
In-Reply-To: <20011220170942.A31176@michaelchaney.com>
References: <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk> <5.1.0.14.2.20011220163933.03d86a18@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20011221092605.03063008@imap.ecs.soton.ac.uk>

At 23:09 20/12/2001, you wrote:
>And while you're busy working on that, might want to cover this, too:
>http://www.datafellows.com/v-descs/welyah.shtml
>
>Basically, think of this file:
>
>virus.txt .pif
>
>where the spaces between "txt" and ".pif" are part of the name.

# Deny filenames with lots of contiguous white space in them.
deny    \s{10,}    Filename contains lots of white space    A long gap in a name is often used to hide part of it

will take care of it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From nwp at LEMON-COMPUTING.COM Fri Dec 21 09:38:12 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:10 2006
Subject: Double extensions
In-Reply-To: <3C22F35C.1AE9C205@bangor.ac.uk>; from m.sapsed@BANGOR.AC.UK on Fri, Dec 21, 2001 at 08:31:24AM +0000
References: <20011220170942.A31176@michaelchaney.com> <3C22F35C.1AE9C205@bangor.ac.uk>
Message-ID: <20011221093811.B3503@lemon-computing.com>

On Fri, Dec 21, 2001 at 08:31:24AM +0000, Martin Sapsed wrote:

> P.S. What do people think about having .bat and .scr denied by default as
> many double extension worms use those?

Each is equivalent to allowing absolutely everything, so yes, I'd block them.

Besides which, with my nasty fascist sysadmin hat on, I don't want people
installing screensavers even if they're not deliberate health risks.

--
Nick Phillips -- nwp@lemon-computing.com
Caution: Keep out of reach of children.

From jengland at ENETIS.NET Fri Dec 21 09:43:03 2001
From: jengland at ENETIS.NET (Justin England)
Date: Thu Jan 12 21:14:10 2006
Subject: Help - mailscanner quit finding viruses
Message-ID:

I set up mailscanner on a new mail server, got it working and tested it by
sending several virus e-mails as well as the eicar.com file and it worked just
as it should. I then reconfigured the IP / hostname of the machine and put it
on as a live mailserver, and now it won't catch any viri. I can see that it is
working from the header stamp, the maillog logfile, and by watching the
var/incoming directory fill up with files then empty. I have double checked
that my virus scanner (uvscan) is still working.

My set up is Sendmail 8.12.1, as used when testing (when it worked) Solaris 8
and mailscanner-2.60-2. Again, this all worked fine until I re-configured the
machine (sys-unconfig'ed then re-configed, only changing the IP and hostname)

What can I do to find out where the problem is? Now that this is running
live, I hate to have to shut it down for an extended period to test again.

Thanks,

Justin England jengland@enetis.net
Network Administrator
E-Net Information Services http://www.enetis.net
Tel: 605-341-3638 Fax: 605-341-8880

From jkf at ecs.soton.ac.uk Fri Dec 21 10:02:44 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:10 2006
Subject: Help - mailscanner quit finding viruses
In-Reply-To:
Message-ID: <5.1.0.14.2.20011221100211.05398960@imap.ecs.soton.ac.uk>

At 09:43 21/12/2001, you wrote:
>I have double
>checked that my virus scanner (uvscan) is still working.

Check that the mcafeewrapper script is working properly. Sounds like that's
where the problem probably lies.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From tlyons at DIGITALVOODOO.ORG Sun Dec 23 04:33:20 2001
From: tlyons at DIGITALVOODOO.ORG (Tim Lyons)
Date: Thu Jan 12 21:14:11 2006
Subject: Return Message Address mungling... help.
Message-ID:

This is a bit strange. My system detected the following but for some
reason mungled the senders address.
the true address should be
tullberg1@deleted.com but for some reason the script parsed it as
uullberg1@deleted.com
^

Any Idea as to why this might be occurring?

--Tim

--

---------- Forwarded message ----------
Date: Sat, 22 Dec 2001 21:15:35 -0500
From: MailScanner
To: postman@digitalvoodoo.org
Subject: Warning: E-mail viruses detected

The following e-mail messages were found to have viruses in them:

Sender:
Recipient:
Subject: A few understood the whole
MessageID: fBN2F4i30334
Report: >>> Virus 'W32/Magistr-B' found in file ./fBN2F4i30334/developers.pif
Shortcuts to MS-Dos programs are very dangerous in email in developers.pif

--
Email Virus Scanner

---

Original Message Headers:

Received: from smtp03.mrf.mail.deleted.net (smtp03.mrf.mail.deleted.net
    [deleted])
    by ns.digitalvoodoo.org (8.11.6/8.11.6) with ESMTP id fBN2F4i30334
    for ; Sat, 22 Dec 2001 21:15:05 -0500
Received: from sanitized.c3-0.nwt-ubr1.sbo-nwt.ma.cable.deletedcom
    ([deleted] helo=SMTP.rcn.com)
    by smtp03.mrf.mail.deleted.net with smtp (Exim 3.33 #10)
    id 16HyAB-0001Iu-00; Sat, 22 Dec 2001 21:14:56 -0500
FROM: sender
SUBJECT: A few understood the whole
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0010_01C2803E.09803EF0"
Content-Transfer-Encoding: 7bit
Message-Id:
Bcc:
Date: Sat, 22 Dec 2001 21:14:56 -0500
X-ECS-MailScanner: Found to be infected

From rfowkar at YAHOO.COM Sun Dec 23 21:49:09 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
Message-ID: <20011223214909.GA1745@debian>

Hi,

Is there any linux version of dat files for mcafee ?

Where are they available ? Which is better Sophos / Mcafee ?

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
Someone is speaking well of you.
How unusual!
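
The rule-ordering point from the "Double extensions" thread above, as an added example (not MailScanner's code and not written by any poster): a first-match evaluator run over constructed attachment names. The two patterns and the `\s{10,}` rule are quoted from the thread; treating the repeated-extension pattern as an allow rule and the double-extension pattern as a deny rule, case-insensitive matching, default-allow, and all Python names are assumptions.

```python
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    pattern: str  # regular expression searched anywhere in the attachment name
    report: str   # text returned when the rule fires


# Patterns quoted from the thread. Assumptions: the repeated-extension pattern
# is an allow rule, the double-extension pattern is a deny rule, matching is
# case-insensitive, and a name that matches no rule is allowed.
REPEATED_EXT = Rule("allow", r"(\.[a-z0-9]{3})\1$", "repeated extension")
DOUBLE_EXT = Rule("deny", r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$", "double extension")
LONG_GAP = Rule("deny", r"\s{10,}", "Filename contains lots of white space")
BANNED = [Rule("deny", r"\.%s$" % ext, "banned extension .%s" % ext)
          for ext in ("pif", "bat", "scr")]

# Three orderings of the same rules (hypothetical names).
BANNED_LAST = [REPEATED_EXT, DOUBLE_EXT] + BANNED    # extension denies at the bottom
DOUBLE_FIRST = BANNED + [DOUBLE_EXT, REPEATED_EXT]   # double-extension deny before the allow
BANNED_FIRST = BANNED + [LONG_GAP, REPEATED_EXT, DOUBLE_EXT]  # ordering proposed in the thread

GAP = " " * 12  # constructed run of spaces, long enough for \s{10,}

# Constructed attachment names.
SAMPLES = [
    "minutes.txt",
    "report.doc.doc",
    "card.pif.pif",
    "photo.jpg.scr",
    "virus.txt" + GAP + ".pif",
    "notes.txt" + GAP + ".exe",
]


def verdict(rules: List[Rule], filename: str) -> Tuple[str, str]:
    """Return (action, report) of the first matching rule; allow if none match."""
    for rule in rules:
        if re.search(rule.pattern, filename, re.IGNORECASE):
            return rule.action, rule.report
    return "allow", "no rule matched"


def compare(filename: str) -> Tuple[str, ...]:
    """Actions for one name under BANNED_LAST, DOUBLE_FIRST and BANNED_FIRST."""
    return tuple(verdict(rules, filename)[0]
                 for rules in (BANNED_LAST, DOUBLE_FIRST, BANNED_FIRST))


if __name__ == "__main__":
    print("%-28s %-12s %-13s %s" % ("name", "BANNED_LAST", "DOUBLE_FIRST", "BANNED_FIRST"))
    for name in SAMPLES:
        shown = re.sub(r"\s{10,}", "<gap>", name)  # keep the table readable
        print("%-28s %-12s %-13s %s" % ((shown,) + compare(name)))
```

With the extension denies at the bottom, the repeated-extension allow fires first on `card.pif.pif`; with the double-extension deny ahead of the allow, the clean `report.doc.doc` is rejected. A long gap followed by an extension outside the deny list is stopped only by the white-space rule.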

From sevans at FOUNDATION.SDSU.EDU Sun Dec 23 16:56:53 2001
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
Message-ID: <20C245C5F9A41949A359CCDBF4B3ADED2A7671@foundation.foundation.sdsu.edu>

The dat files are all the same for all the different platforms and
products (except for MAC's I believe)

Just go to www.nai.com and click on download updates now near the top.

Steve

-----Original Message-----
From: Rajesh Fowkar [mailto:rfowkar@YAHOO.COM]
Sent: Sunday, December 23, 2001 1:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mcafee virusscan

Hi,

Is there any linux version of dat files for mcafee ?

Where are they available ? Which is better Sophos / Mcafee ?

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
Someone is speaking well of you.
How unusual!

From cfast at ALLIEDBUILDING.COM Sun Dec 23 18:04:34 2001
From: cfast at ALLIEDBUILDING.COM (Clint Fast)
Date: Thu Jan 12 21:14:11 2006
Subject: Return Message Address mungling... help.
References:
Message-ID: <3C261CB2.C7900AF6@alliedbuilding.com>

The virus itself actually does the name mungling on the From address.
I've seen A LOT of this lately.

--Clint.

Tim Lyons wrote:
>
> This is a bit strange. My system detected the following but for some
> reason mungled the senders address. the true address should be
> tullberg1@deleted.com but for some reason the script parsed it as
> uullberg1@deleted.com
> ^
>
> Any Idea as to why this might be occurring?
>
> --Tim
>
> --
>
> ---------- Forwarded message ----------
> Date: Sat, 22 Dec 2001 21:15:35 -0500
> From: MailScanner
> To: postman@digitalvoodoo.org
> Subject: Warning: E-mail viruses detected
>
> The following e-mail messages were found to have viruses in them:
>
> Sender:
> Recipient:
> Subject: A few understood the whole
> MessageID: fBN2F4i30334
> Report: >>> Virus 'W32/Magistr-B' found in file ./fBN2F4i30334/developers.pif
> Shortcuts to MS-Dos programs are very dangerous in email in developers.pif
>
> --
> Email Virus Scanner
>
> ---
>
> Original Message Headers:
>
> Received: from smtp03.mrf.mail.deleted.net (smtp03.mrf.mail.deleted.net
> [deleted])
> by ns.digitalvoodoo.org (8.11.6/8.11.6) with ESMTP id fBN2F4i30334
> for ; Sat, 22 Dec 2001 21:15:05 -0500
> Received: from sanitized.c3-0.nwt-ubr1.sbo-nwt.ma.cable.deletedcom
> ([deleted] helo=SMTP.rcn.com)
> by smtp03.mrf.mail.deleted.net with smtp (Exim 3.33 #10)
> id 16HyAB-0001Iu-00; Sat, 22 Dec 2001 21:14:56 -0500
> FROM: sender
> SUBJECT: A few understood the whole
> X-MSMail-Priority: Normal
> X-Priority: 3
> X-Mailer: Microsoft Outlook Express 4.72.3612.1700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0010_01C2803E.09803EF0"
> Content-Transfer-Encoding: 7bit
> Message-Id:
> Bcc:
> Date: Sat, 22 Dec 2001 21:14:56 -0500
> X-ECS-MailScanner: Found to be infected

From rfowkar at YAHOO.COM Sun Dec 23 23:48:05 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: <20C245C5F9A41949A359CCDBF4B3ADED2A7671@foundation.foundation.sdsu.edu>
References: <20C245C5F9A41949A359CCDBF4B3ADED2A7671@foundation.foundation.sdsu.edu>
Message-ID: <20011223234805.GA1100@debian>

Steve Evans saw fit to inform me that:

>The dat files are all the same for all the different platforms and
>products (except for MAC's I believe)
>
>Just go to www.nai.com and click on download updates now near the top.

Thanks steve.
I downloaded the unix dat file for mcafee 4.x. mcafeewrapper
uses uvscan to scan. Where can I get this uvscan for Linux ?

Sorry for this newbie question.

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
Q: What's tan and black and looks great on a lawyer?
A: A doberman.

From tlyons at digitalvoodoo.org Sun Dec 23 18:33:01 2001
From: tlyons at digitalvoodoo.org (Tim Lyons)
Date: Thu Jan 12 21:14:11 2006
Subject: Return Message Address mungling... help.
In-Reply-To: <3C261CB2.C7900AF6@alliedbuilding.com>
Message-ID: <000001c18be0$4097cd30$6e00a8c0@q45>

Thanks - much appreciated. I should have thought of that scenario.

--Tim

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Clint Fast
Sent: Sunday, December 23, 2001 13:05
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Return Message Address mungling... help.

The virus itself actually does the name mungling on the From address.
I've seen A LOT of this lately.

--Clint.

From sevans at FOUNDATION.SDSU.EDU Sun Dec 23 18:47:37 2001
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
Message-ID: <20C245C5F9A41949A359CCDBF4B3ADED08417E@foundation.foundation.sdsu.edu>

I don't think you can unless you have a contract with them. You'll need
to pay for it. And I'm not sure how the licensing will work with this
application.

Steve

-----Original Message-----
From: Rajesh Fowkar
Sent: Sun 12/23/2001 3:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: mcafee virusscan

Steve Evans saw fit to inform me that:

>The dat files are all the same for all the different platforms and
>products (except for MAC's I believe)
>
>Just go to www.nai.com and click on download updates now near the top.

Thanks steve. I downloaded the unix dat file for mcafee 4.x. mcafeewrapper
uses uvscan to scan. Where can I get this uvscan for Linux ?

Sorry for this newbie question.

Thanks in advance.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
Q: What's tan and black and looks great on a lawyer?
A: A doberman.

From rfowkar at YAHOO.COM Mon Dec 24 00:18:16 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: <20C245C5F9A41949A359CCDBF4B3ADED08417E@foundation.foundation.sdsu.edu>
References: <20C245C5F9A41949A359CCDBF4B3ADED08417E@foundation.foundation.sdsu.edu>
Message-ID: <20011224001816.GA1800@debian>

Steve Evans saw fit to inform me that:

>I don't think you can unless you have a contract with them. You'll need
>to pay for it. And I'm not sure how the licensing will work with this
>application.

That means for the desktop home user sophos is the only solution at least
for the time being :-)

Thanks a lot for all the help.

Peace

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
Your goose is cooked.
(Your current chick is burned up too!)

From home at SIMONB.ORG.UK Sun Dec 23 18:48:59 2001
From: home at SIMONB.ORG.UK (Simon Blandford)
Date: Thu Jan 12 21:14:11 2006
Subject: RAQ3: All mail suddenly started disappearing into void
Message-ID:

Hi,

I just installed Mailscanner and Sophos on a Cobalt RAQ3. Once I got the
queues on the same partition it all worked fine for a few days. Then on
Friday it stopped for no known reason.

Now incoming mail is simply disappearing in a black hole. These are the
symptoms...

1) If I go to the Web Admin interface, System Status, the email server LED
is shown as grey i.e. no information when last tested.

2) If I send an email to an account on the server, I can see the mail has
arrived in /var/log/maillog but nothing gets as far as
/home/spool/mail/, no error message gets sent to admin.

3) /var/spool/mqueue, mqueue.in, Mailscanner/incomming directories are all
empty.

3) The mailscanner and sendmail processes are running.

4) If I restart the mailscanner process or even reboot the server there is
no change in symptoms.

Are there any more places I could be looking for clues?
If all else fails, what do I have to do to uninstall Mailscanner so I can at
least have the server working again as it was before?

Regards,
Simon B.

From home at SIMONB.ORG.UK Sun Dec 23 18:53:57 2001
From: home at SIMONB.ORG.UK (Simon Blandford)
Date: Thu Jan 12 21:14:11 2006
Subject: Help - mailscanner quit finding viruses
Message-ID:

I had a similar problem installing on two RAQ3 servers. One worked, the
other just ignored the test virii. I found that on one server "sweep" was
segfaulting. I will take this up with Sophos in due course. If sweep just
exits then obviously it does not get to produce any virus alerts.

Try running the "/sweep -h" command to see whether or not you have the same
problem.

Regards,
Simon B.

From leduc at CTS.COM Sun Dec 23 19:18:27 2001
From: leduc at CTS.COM (Gene & Mary LeDuc)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
Message-ID: <2.2.16.20011223191827.2717655e@crash.cts.com>

Hello Rajesh,

At 11:48 PM 12/23/2001 +0000, Rajesh Fowkar wrote:
>Thanks steve. I downloaded the unix dat file for mcafee 4.x. mcafeewrapper
>uses uvscan to scan. Where can I get this uvscan for Linux ?

Go here for evals:
http://www.mcafeeb2b.com/naicommon/buy-try/try/products-evals.asp

For linux I like Sophos better than McAfee. It seems to have been designed
more for linux/unix than the McAfee product and the scanning engine is
updated monthly. Using the autoupdate script from the MailScanner distro
(set to check every 4 hours) I get updated sigs from Sophos before I even
get their e-mail alert that one is available. It has worked flawlessly for
me for about a month so far.

Your mileage may vary.

Regards,
Gene

From rfowkar at YAHOO.COM Mon Dec 24 00:51:26 2001
From: rfowkar at YAHOO.COM (Rajesh Fowkar)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: <2.2.16.20011223191827.2717655e@crash.cts.com>
References: <2.2.16.20011223191827.2717655e@crash.cts.com>
Message-ID: <20011224005126.GA2289@debian>

Gene & Mary LeDuc saw fit to inform me that:

>Hello Rajesh,
>
>At 11:48 PM 12/23/2001 +0000, Rajesh Fowkar wrote:
>>Thanks steve. I downloaded the unix dat file for mcafee 4.x. mcafeewrapper
>>uses uvscan to scan. Where can I get this uvscan for Linux ?
>
>Go here for evals:
> http://www.mcafeeb2b.com/naicommon/buy-try/try/products-evals.asp
>
>
>For linux I like Sophos better than McAfee. It seems to have been designed
>more for linux/unix than the McAfee product and the scanning engine is
>updated monthly. Using the autoupdate script from the MailScanner distro
>(set to check every 4 hours) I get updated sigs from Sophos before I even
>get their e-mail alert that one is available. It has worked flawlessly for
>me for about a month so far.
>

I have been using sophos and mailscanner for last 1 month and it is working
quite well. I just wanted to try out mcafee to compare it with Sophos.

Sophos works very well. However for me only problem is autoupdate. If I run
autoupdate I get the following :

root@debian:/home/rajesh/tmp# /usr/local/Sophos/bin/autoupdate
Could not calculate Sophos version number, Bad file descriptor at
/usr/local/Sophos/bin/autoupdate line 82.

Any ideas what could be the problem ?

My Sophos is installed in /usr/local/Sophos.

Being a desktop user I will prefer to continue with Sophos.

Thanks a lot.

--
Rajesh
http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
Kernel 2.4.17(ext3)
A is for Apple.
-- Hester Pryne

From cfast at ALLIEDBUILDING.COM Sun Dec 23 19:34:14 2001
From: cfast at ALLIEDBUILDING.COM (Clint Fast)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
References: <2.2.16.20011223191827.2717655e@crash.cts.com>
Message-ID: <3C2631B6.1D26BC02@alliedbuilding.com>

>
> For linux I like Sophos better than McAfee. It seems to have been designed
> more for linux/unix than the McAfee product and the scanning engine is
> updated monthly. Using the autoupdate script from the MailScanner distro
> (set to check every 4 hours) I get updated sigs from Sophos before I even
> get their e-mail alert that one is available. It has worked flawlessly for
> me for about a month so far.
>

I second this. Sophos (I believe) is much better than McAfee anti-virus.

--Clint.

From becher at web.lu Sun Dec 23 19:48:30 2001
From: becher at web.lu (Schiltz Luc)
Date: Thu Jan 12 21:14:11 2006
Subject: RAQ3: All mail suddenly started disappearing into void
In-Reply-To:
Message-ID:

Hi,

we encountered the same problem on a raq3 but our mail still gets queued in
mqueue.in
so we changed the sendmail config in order to get mail sent through
mqueue.in
reboot did not solve the problem

Luc

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Simon Blandford
Sent: Sunday, December 23, 2001 19:49
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: RAQ3: All mail suddenly started disappearing into void

Hi,

I just installed Mailscanner and Sophos on a Cobalt RAQ3. Once I got the
queues on the same partition it all worked fine for a few days. Then on
Friday it stopped for no known reason.

Now incoming mail is simply disappearing in a black hole. These are the
symptoms...

1) If I go to the Web Admin interface, System Status, the email server LED
is shown as grey i.e. no information when last tested.

2) If I send an email to an account on the server, I can see the mail has
arrived in /var/log/maillog but nothing gets as far as
/home/spool/mail/, no error message gets sent to admin.

3) /var/spool/mqueue, mqueue.in, Mailscanner/incomming directories are all
empty.

3) The mailscanner and sendmail processes are running.

4) If I restart the mailscanner process or even reboot the server there is
no change in symptoms.

Are there any more places I could be looking for clues?
If all else fails, what do I have to do to uninstall Mailscanner so I can at
least have the server working again as it was before?

Regards,
Simon B.

From gerry at DORFAM.CA Sun Dec 23 20:06:03 2001
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: <20011224001816.GA1800@debian>
Message-ID:

There is NO practical solution for desktop home users...at least using
McAfee or Sophos. Their pricing is set for much larger accounts. Unless
you feel that about $750USD is a suitable solution for your home system
that is.

Gerry

On Mon, 24 Dec 2001, Rajesh Fowkar wrote:

> That means for the desktop home user sophos is the only solution at least
> for the time being :-)
>
> Thanks a lot for all the help.
>
> Peace
>
> --
> Rajesh
> http://www.symonds.net/~rajesh/ ***** Powered By: Debian GNU/Linux
> Kernel 2.4.17(ext3)
> Your goose is cooked.
> (Your current chick is burned up too!)
>

--
"The lyfe so short, the craft so long to learne" Chaucer

From sjaak at VSM-HOSTING.NL Mon Dec 24 09:12:04 2001
From: sjaak at VSM-HOSTING.NL (Sjaak Nabuurs VSM Hosting)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
References: <2.2.16.20011223191827.2717655e@crash.cts.com> <20011224005126.GA2289@debian>
Message-ID: <025001c18c5b$0e513480$1d5afea9@SJAAK>

>
> root@debian:/home/rajesh/tmp# /usr/local/Sophos/bin/autoupdate
> Could not calculate Sophos version number, Bad file descriptor at
> /usr/local/Sophos/bin/autoupdate line 82.
>
> Any ideas what could be the problem ?
>

He couldn't find the vdl.dat files.
I just copy the vdl*.dat files to the /usr/local/Sophos/lib dir but I think
it isn't the right solution.
When you change the autoupdate file $VDLDir to /usr/local/sav
The problem is same.

Just a tip I'm not sure same.

Sjaak

From home at SIMONB.ORG.UK Mon Dec 24 09:50:43 2001
From: home at SIMONB.ORG.UK (Simon Blandford)
Date: Thu Jan 12 21:14:11 2006
Subject: RAQ3: All mail suddenly started disappearing into void
References:
Message-ID: <3C26FA73.9020904@simonb.org.uk>

OK I've fixed this now. On the RAQ3 there are symlinks for each user in
/var/spool/mail pointing to /home/spool/mail. For some reason the
symlink for the user account I was testing with was missing from
/var/spool/mail so the mail actually *was* arriving, even being virus
scanned, but ending up in a file in /var/spool/mail and not in
/home/spool/mail. Possibly, this is something I did in the
not-too-distant past because I don't see how it could have happened by itself!

I was alerted by someone that the mail server had stopped working on
Friday but it now seems as though the domain name in question isn't even
pointing at the Cobalt server, so that's another problem altogether.

Oh well...

Regards,
Simon B.

Simon Blandford wrote:

>Hi,
>
>I just installed Mailscanner and Sophos on a Cobalt RAQ3. Once I got the
>queues on the same partition it all worked fine for a few days. Then on
>Friday it stopped for no known reason.
>
>Now incoming mail is simply disappearing in a black hole. These are the
>symptoms...
>
>1) If I go to the Web Admin interface, System Status, the email server LED
>is shown as grey i.e. no information when last tested.
>
>2) If I send an email to an account on the server, I can see the mail has
>arrived in /var/log/maillog but nothing gets as far as
>/home/spool/mail/, no error message gets sent to admin.
>
>3) /var/spool/mqueue, mqueue.in, Mailscanner/incomming directories are all
>empty.
>
>3) The mailscanner and sendmail processes are running.
>
>4) If I restart the mailscanner process or even reboot the server there is
>no change in symptoms.
>
>Are there any more places I could be looking for clues?
>If all else fails, what do I have to do to uninstall Mailscanner so I can at
>least have the server working again as it was before?
>
>Regards,
>Simon B.
>

From nwp at LEMON-COMPUTING.COM Mon Dec 24 10:52:33 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: <20011223214909.GA1745@debian>; from rfowkar@YAHOO.COM on Sun, Dec 23, 2001 at 09:49:09PM +0000
References: <20011223214909.GA1745@debian>
Message-ID: <20011224105233.E14789@lemon-computing.com>

On Sun, Dec 23, 2001 at 09:49:09PM +0000, Rajesh Fowkar wrote:
> Hi,
>
> Is there any linux version of dat files for mcafee ?
>
> Where are they available ? Which is better Sophos / Mcafee ?

Which is better - an F1 racing car or a double-decker bus?

Kind of depends what you want it to do, doesn't it?

--
Nick Phillips -- nwp@lemon-computing.com
You can create your own opportunities this week. Blackmail a senior executive.

From nwp at LEMON-COMPUTING.COM Mon Dec 24 12:09:12 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:11 2006
Subject: mcafee virusscan
In-Reply-To: ; from gerry@DORFAM.CA on Sun, Dec 23, 2001 at 03:06:03PM -0500
References: <20011224001816.GA1800@debian>
Message-ID: <20011224120912.F14789@lemon-computing.com>

On Sun, Dec 23, 2001 at 03:06:03PM -0500, Gerry Doris wrote:
> There is NO practical solution for desktop home users...at least using
> McAfee or Sophos. Their pricing is set for much larger accounts. Unless
> you feel that about $750USD is a suitable solution for your home system
> that is.

If for whatever reason you're not happy with either Sophos or McAfee, please
do get in touch with Julian and beta-test support for F-Secure, Kaspersky,
or Inoculate-IT.

Oh, and I haven't forgotten Panda, for whoever mentioned it, but it's not
done yet.

Alternatively, get out there and write one yourself (or contribute to an
existing project).

Cheers + Happy Christmas to all...

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Your love life will be... interesting.

From hans at VALLDEN.COM Sat Dec 29 20:26:04 2001
From: hans at VALLDEN.COM (Hans Vallden)
Date: Thu Jan 12 21:14:11 2006
Subject: Macintosh compression formats
Message-ID:

A quick look indicates that none of the MailScanner supported virus
checkers (Sophos, McAffee) support checking the compressed formats
most often used on Macs. I'm mainly talking about StuffIt (.sit,
.sea) compressed archives and BinHex encoding (.hqx).

Is this true? If so, are there any workarounds to this rather
significant problem (if you happen to have a lot of Macs to worry
about)?
--
--
Hans Vallden
hans@vallden.com

From mdchaney at MICHAELCHANEY.COM Sat Dec 29 21:09:30 2001
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:14:11 2006
Subject: Macintosh compression formats
In-Reply-To: ; from hans@VALLDEN.COM on Sat, Dec 29, 2001 at 10:26:04PM +0200
References:
Message-ID: <20011229150930.A12976@michaelchaney.com>

On Sat, Dec 29, 2001 at 10:26:04PM +0200, Hans Vallden wrote:
> A quick look indicates that none of the MailScanner supported virus
> checkers (Sophos, McAffee) support checking the compressed formats
> most often used on Macs. I'm mainly talking about StuffIt (.sit,
> .sea) compressed archives and BinHex encoding (.hqx).
>
> Is this true? If so, are there any workarounds to this rather
> significant problem (if you happen to have a lot of Macs to worry
> about)?

Shouldn't be a problem if you use the macutil package. It can unpack
the above formats, making it possible for the virus scanner to read
them. I would also bet that it's possible to do it straight in Perl
using a package, might check cpan.

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/

From sevans at FOUNDATION.SDSU.EDU Mon Dec 31 18:50:46 2001
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:14:11 2006
Subject: ORDB in mailscanner.conf
Message-ID:

In mailscanner.conf it lists a few anti-relay services (such as ORDB).
Do I need to configure sendmail to use those for that to work or is it
working already?

Steve

From vkbaker at IEEE.ORG Mon Dec 31 20:55:00 2001
From: vkbaker at IEEE.ORG (V.K. Baker)
Date: Thu Jan 12 21:14:11 2006
Subject: ORDB in mailscanner.conf
In-Reply-To:
Message-ID: <5.1.0.14.2.20011231155428.03870020@mail.siemens-nis.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20011231/578f68a6/attachment.html