From jkf at ecs.soton.ac.uk Sat Sep 1 20:33:42 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:02 2006
Subject: Zip of Death attack
Message-ID: <5.1.0.14.2.20010901203010.00af1f68@hawk.ecs.soton.ac.uk>

Well, we've just had our first "zip of death" denial of service attack.
An email message had a file called "42.zip" attached to it (42,374 bytes
long) which would have required 53,000 Tbytes of storage to unpack.

Interestingly, Sophos didn't run out of memory or disk space or anything
like that, so at least it didn't take the server out. However, it just went
away to scan the file for a *very* long time (I killed it after several
hours). I killed the "sweep" process that was trying to scan it and
MailScanner picked up where it left off, scanning the rest of the queue.

Not perfect, so I may have a go at Sophos about their software's behaviour
in this situation...
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From syshelp at SOTON.AC.UK Mon Sep 3 09:59:44 2001
From: syshelp at SOTON.AC.UK (Syshelp)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
Message-ID:

Hi,

Would a configuration option such as "subject-munge" be desirable? This
would place at the start of the subject line text of your choice, e.g.
"{SPAM?} " if the message is potentially spam (and hence has an
"X-Mailscanner-Spam" header, or whatever it's called).

The rationale behind this is that filtering on non-standard headers isn't
that easy and particularly for many of our users using Outlook Express
filtering on Subject line would be much more simple.

Or perhaps it might be considered a bit too "invasive"?

Cheers, Steve
--
Syshelp - UNIX Systems Support, Southampton University Computing Services

From m.sapsed at BANGOR.AC.UK Mon Sep 3 10:10:44 2001
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:14:02 2006
Subject: Minor bug in Sophos autoupdate script
References: <5.1.0.14.2.20010831142619.028f8008@hawk.ecs.soton.ac.uk> <5.1.0.14.2.20010831162244.0508a278@hawk.ecs.soton.ac.uk>
Message-ID: <3B934914.EF7E02EF@bangor.ac.uk>

Julian Field wrote:
>
> Martin,
>
> You are absolutely right. Fixed now. Sorry!

Thanks

Martin

--
Martin Sapsed                           To have no errors
Information Services                    Would be life without meaning
University of Wales, Bangor, LL57 2UX   No struggle, no joy.
Fax: +44 (0)1248 383826

From jethro.binks at STRATH.AC.UK Mon Sep 3 10:55:23 2001
From: jethro.binks at STRATH.AC.UK (Jethro R Binks)
Date: Thu Jan 12 21:14:02 2006
Subject: File extensions
Message-ID:

Hi folks,

I've been asked to add ".sit" for Macintosh Stuffit Expander ("Stuffit
Archive - Binary" according to one source) files on to the allow list for
MailScanner's filename checking. I note that there is already ".sit.bin"
in the default list -- are they representing the same thing? Would one
expect one extension over the other?

On a similar note, I added .sea for Self Extracting Archive, another Mac
one. Is there any notable danger in that? I guess it is no worse than
allowing plain Windows .exe through.

Finally, here's another note I made based on investigations by someone in
our Audio-Visual department, which might be of use to some people. If
anyone can cast more light on it, feel free to let me know!

# When a Mac sends out an EPS file to a PC-using client, it needs to send a
# TIFF preview so that the PC can actually use it, since EPS files are
# generally not widely understood without special software on Windows.
# When the Mac does this, an additional .spc extension gets added to the
# filename.
# We'll assume here that .eps.spc are benign and allow them, unless we hear
# of Really Bad Things that an .spc extension can do on Windows.
allow \.eps\.spc$

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
Mailmaster, Listmaster, Webmaster,
University Of Strathclyde, Glasgow, UK
Cachemaster
jethro.binks@strath.ac.uk

From nwp at LEMON-COMPUTING.COM Mon Sep 3 11:42:45 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:02 2006
Subject: File extensions
In-Reply-To: ; from jethro.binks@STRATH.AC.UK on Mon, Sep 03, 2001 at 10:55:23AM +0100
References:
Message-ID: <20010903114245.A7129@redshift.lemon-computing.com>

On Mon, Sep 03, 2001 at 10:55:23AM +0100, Jethro R Binks wrote:
> Hi folks,
>
> I've been asked to add ".sit" for Macintosh Stuffit Expander ("Stuffit
> Archive - Binary" according to one source) files on to the allow list for
> MailScanner's filename checking. I note that there is already ".sit.bin"
> in the default list -- are they representing the same thing? Would one
> expect one extension over the other?

.sit is a basic stuffit archive, .sit.bin is a BinHex-ed version of that
(equivalent to uuencoding). Probably. It gets really confusing on macs which
archiver does what, as they all seem to have gradually picked up abilities
from each other.

> On a similar note, I added .sea for Self Extracting Archive, another Mac
> one. Is there any notable danger in that? I guess it is no worse than
> allowing plain Windows .exe through.

Fairly bad, then, given that users probably won't realise that it's an
executable they're clicking on. The other two invoke whatever program the
user has installed on their machine that associates with that type, but a
self-extractor could be anything (I guess, I don't know whether an .sea has
a different type associated with it than a straight executable - macs don't
rely on the extension to find the program to use).

.sit and .sit.bin and .hqx are the equivalent of .zip as far as danger goes.
.sea is probably a different kettle of fish. Potentially the equivalent of
.vbs.jpg ;)

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Beware of a dark-haired man with a loud tie.

From nwp at LEMON-COMPUTING.COM Mon Sep 3 12:51:45 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:02 2006
Subject: Exim relay problem
Message-ID: <20010903125145.A7479@redshift.lemon-computing.com>

If you use mailscanner with Exim, please read this.

I've just realised that the instructions I wrote on installing the
mailscanner with Exim contain a potentially serious problem.

The "optional" 3 steps described to prevent exim from ever delivering
unscanned mail have the unintentional side-effect of turning your mailserver
into an open relay, unless you control that in some other way.

For the time being, you should remove or comment out the setting:
"local_domains = *" unless you are confident that you are controlling
relaying effectively in some other way (e.g. the scanning machine is only
able to accept mail from your own network anyway). Having made that change,
don't forget to restart Exim.

Once you have made that change, it will once again be possible to cause the
"incoming" Exim to deliver unscanned mail directly by typing "exim -qf" or
similar at the command line. In normal use, Exim will still not deliver any
unscanned mail.

I am now (once again) looking for a better way to prevent Exim from
delivering mail. I believe that the upcoming Exim v.4 will simplify this
process by removing the distinction between routers and directors, but in
the meantime, all suggestions gratefully accepted.

Apologies for the bout of brain-death that allowed this to slip through.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Courage is your greatest present need.

From nwp at LEMON-COMPUTING.COM Mon Sep 3 12:58:25 2001
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:02 2006
Subject: Exim relay problem
In-Reply-To: <20010903125145.A7479@redshift.lemon-computing.com>; from nwp@LEMON-COMPUTING.COM on Mon, Sep 03, 2001 at 12:51:45PM +0100
References: <20010903125145.A7479@redshift.lemon-computing.com>
Message-ID: <20010903125825.B7479@redshift.lemon-computing.com>

On Mon, Sep 03, 2001 at 12:51:45PM +0100, Nick Phillips wrote:
> For the time being, you should remove or comment out the setting:
> "local_domains = *" unless you are confident that you are controlling

This should have read something like "comment or remove the setting, and
replace it with the normal list of local domains (as in the exim config
used for the 'outgoing' exim)"

> Apologies for the bout of brain-death that allowed this to slip through.

It seems it's not over yet :(

--
Nick Phillips -- nwp@lemon-computing.com
You are capable of planning your future.

From vkbaker at IEEE.ORG Mon Sep 3 13:49:06 2001
From: vkbaker at IEEE.ORG (Vance Baker)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To:
Message-ID: <5.1.0.14.2.20010903083321.02d4f200@envoy.deferonet.com>

Flagging a subject line in order to make a spam message more identifiable
may prove helpful if additional utilities are utilized to control message
delivery.

My proposal has more to do with utilizing MailScanner to intercept "junk
mail" in order to manage e-mail volume and more importantly reduce the size
of the target that solicitors and other such vermin consider educational
institutions to be. I am of the opinion that this is a function more
appropriately performed at the MTA rather than the client (i.e. outlook).

The invasiveness of this proposal may be considered irrelevant due to the
fact that the mail targeted for interception is that which is uninvited,
unwanted and a non-productive use of educational IS resources.

Thanks for your earlier reply.

At 09:59 AM 9/3/01 +0100, you wrote:
>Hi,
>
>Would a configuration option such as "subject-munge" be desirable? This
>would place at the start of the subject line text of your choice, e.g.
>"{SPAM?} " if the message is potentially spam (and hence has an
>"X-Mailscanner-Spam" header, or whatever it's called).
>
>The rationale behind this is that filtering on non-standard headers isn't
>that easy and particularly for many of our users using Outlook Express
>filtering on Subject line would be much more simple.
>
>Or perhaps it might be considered a bit too "invasive"?
>
>Cheers, Steve
>--
>Syshelp - UNIX Systems Support, Southampton University Computing Services

From syshelp at SOTON.AC.UK Mon Sep 3 14:12:17 2001
From: syshelp at SOTON.AC.UK (Syshelp)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To: <5.1.0.14.2.20010903083321.02d4f200@envoy.deferonet.com>
Message-ID:

On Mon, 3 Sep 2001, Vance Baker wrote:
> My proposal has more to do with utilizing MailScanner to intercept "junk
> mail" in order to manage e-mail volume and more importantly reduce the size
> of the target that solicitors and other such vermin consider educational
> institutions to be. I am of the opinion that this is a function more
> appropriately performed at the MTA rather than the client (i.e. outlook).

This would be pretty simple in sendmail. You'd add a header definition
line which redirected to a rule set which in turn bounced the email,
something like:

HX-ECS-SpamCheck: $>bounce_spam

Sbounce_spam
R$+	$#error $@5.7.1 $: This message may be spam

I haven't tested that in any way, but it should be pretty close. If you
want to filter the junk mail into a different place you could always define
an alternative mailer and use that instead of $#error.

We've chosen not to do this, we feel that dealing with spam is the choice
of the end user, however we do want to provide tools to make this easier
for them.

Steve
--
Syshelp - UNIX Systems Support, Southampton University Computing Services

From michael at ERG.ABDN.AC.UK Mon Sep 3 14:15:26 2001
From: michael at ERG.ABDN.AC.UK (Michael Forrest)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To: <5.1.0.14.2.20010903083321.02d4f200@envoy.deferonet.com>
Message-ID:

Are you defining interception as the mailscanner software would delete the
email and would not be delivered to the user?

I'm personally in favour of the subject line tagging and/or mail header
field, since it places the onus on the individual user to configure their
mail tool to either filter off or just delete the email in question...

Regards,
Michael.

> Flagging a subject line in order to make a spam message more identifiable
> may prove helpful if additional utilities are utilized to control message
> delivery.
>
> My proposal has more to do with utilizing MailScanner to intercept "junk
> mail" in order to manage e-mail volume and more importantly reduce the size
> of the target that solicitors and other such vermin consider educational
> institutions to be. I am of the opinion that this is a function more
> appropriately performed at the MTA rather than the client (i.e. outlook).
>
> The invasiveness of this proposal may be considered irrelevant due to the
> fact that the mail targeted for interception is that which is uninvited,
> unwanted and a non-productive use of educational IS resources.
>
> Thanks for your earlier reply.
>
>
> At 09:59 AM 9/3/01 +0100, you wrote:
>> Hi,
>>
>> Would a configuration option such as "subject-munge" be desirable? This
>> would place at the start of the subject line text of your choice, e.g.
>> "{SPAM?} " if the message is potentially spam (and hence has an
>> "X-Mailscanner-Spam" header, or whatever it's called).
>>
>> The rationale behind this is that filtering on non-standard headers isn't
>> that easy and particularly for many of our users using Outlook Express
>> filtering on Subject line would be much more simple.
>>
>> Or perhaps it might be considered a bit too "invasive"?
>>
>> Cheers, Steve
>> --
>> Syshelp - UNIX Systems Support, Southampton University Computing Services
>

From jkf at ecs.soton.ac.uk Mon Sep 3 15:27:11 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To:
Message-ID: <5.1.0.14.2.20010903152517.049318d0@hawk.ecs.soton.ac.uk>

At 09:59 am 03/09/2001, you wrote:
>Would a configuration option such as "subject-munge" be desirable? This
>would place at the start of the subject line text of your choice, e.g.
>"{SPAM?} " if the message is potentially spam (and hence has an
>"X-Mailscanner-Spam" header, or whatever it's called).
>
>The rationale behind this is that filtering on non-standard headers isn't
>that easy and particularly for many of our users using Outlook Express
>filtering on Subject line would be much more simple.

Agreed. There will be 2 new configuration variables:

Modify Subject = yes or no (or 1 or 0 or true or false or....)
Subject Text = {SPAM?}

If you set "modify subject" positive, then the text in "subject text" will
be put on the front of the subject line of the message (followed by a
single space, so it looks nice).

That sound okay for everyone?
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From s.kelly at ayrcoll.ac.uk Mon Sep 3 16:46:22 2001
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To: <5.1.0.14.2.20010903152517.049318d0@hawk.ecs.soton.ac.uk>
References: <5.1.0.14.2.20010903152517.049318d0@hawk.ecs.soton.ac.uk>
Message-ID: <0109031646220B.15369@ned>

Hi Julian,

Some of my users have been asking if we can do something about spam. This
solution (modifying the header) is the best answer I have seen so far.

Just my 2p worth.

Regards,
Shane Kelly
--
Shane Kelly
Network Controller
Ayr College
01292 265184

From jkf at ecs.soton.ac.uk Mon Sep 3 17:04:58 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:02 2006
Subject: Mailscanner Spam header
In-Reply-To: <0109031646220B.15369@ned>
References: <5.1.0.14.2.20010903152517.049318d0@hawk.ecs.soton.ac.uk> <5.1.0.14.2.20010903152517.049318d0@hawk.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20010903170328.0495d888@hawk.ecs.soton.ac.uk>

Shane (and others),

At 04:46 pm 03/09/2001, you wrote:
>Some of my users have been asking if we can do something about spam. This
>solution (modifying the header) is the best answer I have seen so far.

Adding the feature took under 10 minutes :-)
Testing it will take several days (at least), and I'm away at the JANET
User Support Workshop for the next 3 days. So don't expect anything to be
released before the end of next week.

>Just my 2p worth.

Appreciated!

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER davor@GRADST.HR Davor Luksic SET MAILSCANNER SUBJECTHDR FOR davor@GRADST.HR // EOJ From LISTSERV at JISCMAIL.AC.UK Mon Sep 10 10:13:50 2001 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at CCLRC (1.8d)) Date: Thu Jan 12 21:14:02 2006 Subject: MAILSCANNER: jdrobins@LGU.AC.UK requested to join Message-ID: <200109100913.KAA19034@magpie.ecs.soton.ac.uk> Mon, 10 Sep 2001 10:13:50 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from John Robinson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jdrobins@LGU.AC.UK John Robinson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jdrobins@LGU.AC.UK John Robinson // EOJ From jkf at ecs.soton.ac.uk Mon Sep 10 15:29:07 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:02 2006 Subject: Version 2.42 released Message-ID: <5.1.0.14.2.20010910151945.043775e8@hawk.ecs.soton.ac.uk> I have just released Version 2.42. This version allows you to modify the subject line of mail identified as being likely spam. The default behaviour is to add "{SPAM?} " on the front of the Subject: line. 
You can switch this feature off if you don't like it using the 2 new configuration variables Spam Modify Subject Spam Subject Text which are both documented at http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml#conf (The names of these 2 options have changed slightly from what I proposed on the mailing list last week) There is also a new "Sophos.install" script which deletes old versions of Sophos more carefully than Sophos' own installation program, to provide two levels of protection against the Sophos upgrade problem I told you about a little while ago. Replacing the old version of this script with this new one is advisable. Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Mon Sep 10 15:16:53 2001 From: S.R.Patterson at SOTON.AC.UK (Patterson, S R) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem Message-ID: The problem of TNEF "hanging" and growing to unfeasible sizes has recurred, this time I took a copy of the winmail.dat and have run tnef across it in debug mode. TNEF reached and levelled out at ~540M this time, the output is below (the process is still running but "hung" at this point). The "len: 0" line is interesting at the bottom. Anyone any ideas? I don't want to distribute the winmail.dat just yet as it may be confidential. Steve -- Steven Patterson, MSci ----------------------------------------------+ | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +-------------------------------------------- Tel: +44 (0) 2380 595810 ...... ...... .. Conviction is a bigger enemy of the truth than lies. .. ...... ...... 
====================================================================== ============================= TNEF Key: 9c TNEF Version [type: dword] = 00010000 OEM Codepage [type: byte] = e4 04 00 00 00 00 00 00 Message Class [type: word] = 5049 5049 5049... Priority [type: short] = 2 Date Modified [type: date] = Mon 2001/09/10 12:03:28 Message ID [type: string] ='8AFBDE5FCCA5D511B8D50090271F3FA1' Date Sent [type: date] = Mon 2001/09/10 12:03:27 Message Status [type: byte] = 81 MAPI Properties [type: byte] = 40 00 00 00 40 00 07 30 d0 21... Attachment Rendering Data [type: byte] = 01 00 ff ff ff ff 20 00 20 00... Attachment Creation Date [type: date] = Mon 2001/09/10 11:46:24 Attachment Modification Date [type: date] = Mon 2001/09/10 11:50:52 Attachment Meta File [type: byte] = 01 00 09 00 00 03 ca 06 00 00... Attachment File Name [type: string] ='INFORE~1.DOC' Attachment Transport Filename [type: byte] = 49 4e 46 4f 52 45 7e 31 2e 44... Attachment [type: byte] = 12 00 00 00 03 00 21 0e 00 00... MAPI_ATTACH_NUM [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = 0 MAPI_OBJECT_TYPE [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = 117440512 MAPI_ACCESS [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = 33554432 MAPI_ACCESS_LEVEL [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = 0 MAPI_ATTACH_METHOD [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = 16777216 MAPI_RENDERING_POSITION [type: MAPI integer (32 bits)] [num_values = 1] = value #0 [len: 4] = -1 MAPI_RECORD_KEY [type: MAPI binary] [num_values = 1] = value #0 [len: 4] = 00 00 00 00 6810 [type: MAPI binary] [num_values = 1] = value #0 [len: 16] = 00 00 00 00 00 00 00 00 00 00 ... 
MAPI_CREATION_TIME [type: MAPI time] [num_values = 1] = value #0 [len: 8] = 80c7d5 e539c101 MAPI_LAST_MODIFICATION_TIME [type: MAPI time] [num_values = 1] = value #0 [len: 8] = e8575 e639c101 MAPI_ATTACH_ENCODING [type: MAPI binary] [num_values = 1] = value #0 [len: 0] = ====================================================================== ================= -------------- next part -------------- A non-text attachment was scrubbed... Name: Steven Patterson (E-mail).vcf Type: application/octet-stream Size: 867 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20010910/651eaa02/StevenPattersonE-mail.obj From jkf at ecs.soton.ac.uk Mon Sep 10 15:36:36 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem In-Reply-To: Message-ID: <5.1.0.14.2.20010910153549.043b4b30@hawk.ecs.soton.ac.uk> At 03:16 pm 10/09/2001, you wrote: >The problem of TNEF "hanging" and growing to unfeasible sizes has >recurred, this time I took a copy of the winmail.dat and have run tnef >across it in debug mode. TNEF reached and levelled out at ~540M this >time, the output is below (the process is still running but "hung" at >this point). The "len: 0" line is interesting at the bottom. > >Anyone any ideas? I don't want to distribute the winmail.dat just yet >as it may be confidential. Have you tried tnef 1.1 on the file? I distribute the .tar.gz file is in the MailScanner/bin directory. I haven't distributed the binary of it as I haven't had a good chance to test 1.1 yet. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From ispmgr at CLAS.NET Mon Sep 10 15:26:39 2001 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:14:02 2006 Subject: Kaspersky Anti-Virus References: <5.1.0.14.2.20010910151945.043775e8@hawk.ecs.soton.ac.uk> Message-ID: <025801c13a04$9af34940$813112d0@clas.net> I can provide you with ssh access to a non-production freeBSD server if it would help you to add support for kav. Let me know if this would help.. thx :-) Youn Gonzales System Administrator CLAS Net Inc. Comptia A+, Network+, INET+ Cisco CCNA "Never try to teach a pig how to sing. It only wastes your time and annoys the pig." - Jack Handy From S.R.Patterson at SOTON.AC.UK Mon Sep 10 15:48:41 2001 From: S.R.Patterson at SOTON.AC.UK (Patterson, S R) Date: Thu Jan 12 21:14:02 2006 Subject: Version 2.42 released Message-ID: Although I'm sure we all know the URL anyway it might be worth mentioning from where the software can be downloaded in future mailings of this type! :-) Steve -- Steven Patterson, MSci ----------------------------------------------+ | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +-------------------------------------------- Tel: +44 (0) 2380 595810 ...... ...... .. Conviction is a bigger enemy of the truth than lies. .. ...... ...... > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 10 September 2001 15:29 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Version 2.42 released > > > I have just released Version 2.42. > > This version allows you to modify the subject line of mail > identified as > being likely spam. The default behaviour is to add "{SPAM?} " > on the front > of the Subject: line. 
You can switch this feature off if you > don't like it > using the 2 new configuration variables > Spam Modify Subject > Spam Subject Text > which are both documented at > > http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner > .shtml#conf > > (The names of these 2 options have changed slightly from what > I proposed on > the mailing list last week) > > There is also a new "Sophos.install" script which deletes old > versions of > Sophos more carefully than Sophos' own installation program, > to provide two > levels of protection against the Sophos upgrade problem I > told you about a > little while ago. Replacing the old version of this script > with this new > one is advisable. > > Jules. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -------------- next part -------------- A non-text attachment was scrubbed... Name: Steven Patterson (E-mail).vcf Type: application/octet-stream Size: 867 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20010910/4d3e6708/StevenPattersonE-mail.obj From S.R.Patterson at SOTON.AC.UK Mon Sep 10 17:28:36 2001 From: S.R.Patterson at SOTON.AC.UK (Patterson, S R) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem Message-ID: > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 10 September 2001 15:37 > > Have you tried tnef 1.1 on the file? I have and it produces the same result. I'm just about to start poking my nose through the source to see if I can identify what's going on. Steve -- Steven Patterson, MSci ----------------------------------------------+ | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +-------------------------------------------- Tel: +44 (0) 2380 595810 ...... ...... .. 
Conviction is a bigger enemy of the truth than lies. .. ...... ......
From S.R.Patterson at SOTON.AC.UK Mon Sep 10 18:28:32 2001 From: S.R.Patterson at SOTON.AC.UK (Patterson, S R) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem Message-ID: Hi, I've identified the TNEF problem, it seems to be some very oddly behaved winmail.dat file. From the number we're getting I'd be surprised if it's some deliberate "attack", perhaps it's more a mail client somewhere which incorrectly creates the tnef format. The problem lies not with the "len: 0" property but with the following property. This claims to be a MAPI binary type with 750 000 000+ entries, presumably each of at least "len: 1". TNEF goes through the headers and MALLOCs memory sufficient to store the entire expanded TNEF based upon the values reported in the TNEF header (the properties). Naturally this causes a problem! Right now I've kludged in a solution which makes tnef abort if any expansion would require more than 20 megabytes of memory (since we limit the maximum size of our email messages to 20 megabytes we can be sure that no genuine TNEF should ever extract to more than this). That circumvents the immediate problem on our site. Ideally the solution is for someone (me? The author of tnef?) to size up the memory requirements but not malloc() them until it's actually reading in each individual chunk of the archive and to free them as soon as the output goes onto disk, rather than malloc()ing everything at the start. That's a pretty hefty rewrite, though, and I don't know off the top of my head whether or not the TNEF structure makes it impossible to work that way.
I'm certainly not planning to fix it myself in the near future! If anybody experiences problems with odd winmail.dat files causing TNEF to eat up processor and memory out of all proportion to the real file sizes and requires the kludge, I'll happily pass it on. Steve -- Steven Patterson, MSci ----------------------------------------------+ | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +-------------------------------------------- Tel: +44 (0) 2380 595810 ...... ...... .. Conviction is a bigger enemy of the truth than lies. .. ...... ......
From jkf at ecs.soton.ac.uk Mon Sep 10 19:59:34 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem In-Reply-To: Message-ID: <5.1.0.14.2.20010910195709.00af1050@hawk.ecs.soton.ac.uk> At 18:28 10/09/2001, you wrote: >Right now I've kludged in a solution which makes tnef abort if any >expansion would require more than 20 megabytes of memory (since we >limit the maximum size of our email messages to 20 megabytes we can be >sure that no genuine TNEF should ever extract to more than this). >That circumvents the immediate problem on our site. > >If anybody experiences problems with odd winmail.dat files causing >TNEF to eat up processor and memory out of all proportion to the real >file sizes and requires the kludge, I'll happily pass it on. If you could up the limit to 100Mbytes (enough for most sites), and pass it on to me, I will happily put it in the standard MailScanner distribution until you get a new version from the original author. Also, is the problem actually that it runs out of memory, or that it takes a very long time to run (or both)? If it could be killed after running for, say, 2 minutes, then the same DoS attack prevention mechanism I am intending to write for Sophos could be wrapped round the tnef decoder as well. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Mon Sep 10 20:42:19 2001 From: S.R.Patterson at SOTON.AC.UK (S.R.Patterson) Date: Thu Jan 12 21:14:02 2006 Subject: TNEF problem In-Reply-To: <5.1.0.14.2.20010910195709.00af1050@hawk.ecs.soton.ac.uk> References: <5.1.0.14.2.20010910195709.00af1050@hawk.ecs.soton.ac.uk> Message-ID: <1000150939.3b9d179b0bf15@webmail.soton.ac.uk> Quoting Julian Field : > If you could up the limit to 100Mbytes (enough for most sites), and pass > it on to me, I will happily put it in the standard MailScanner > distribution until you get a new version from the original author. Will do, in fact if I might be able to kludge it a bit more and add a command line parameter or at very least a #define. I'll pass you a diff and compiled versions for solaris and linux (based on redhat 6.2 probably) once I've done so. > Also, is the problem actually that it runs out of memory, or that it > takes a very long time to run (or both)? I imagine both - so far, owing to huge amounts of swap on our mail servers, we've noticed the delay in email before we've run out of memory and killed it off ourselves (or it's not used all of the 10G or so available before exiting normally!) Of course in the mean time things swap like crazy (which is where a lot of the load originates I'm sure). > If it could be killed after running for, > say, 2 minutes, then the same DoS attack prevention mechanism I am > intending to write for Sophos could be wrapped round the tnef decoder as > well. Yes, that would work quite nicely so long as everyone has enough memory/swap available that it won't be exhausted within 2 minutes. 
From what I can understand the situation with the current TNEF is it claims that one of the attachments is made up of 750 000 000+ "blocks" of a smallish amount of memory, but I think it could be feasible for the header to instead claim a small number of "blocks" each of a very large amount of memory and this situation may cause your swap to get eaten up a lot more quickly. My kludge is, briefly, to check:
1 - is the number of "blocks" for this "attachment" greater than 20M? If so, we'll assume that none of the blocks would be zero size and hence that the attachment will exceed 20M and so we'll exit without malloc()ing at all.
2 - Otherwise for each block malloc() the claimed block size and keep a running tally. As soon as this tally exceeds 20M abort.
This way there's a good chance nastiness will be caught by the first method and tnef will quit pretty quickly. The second test is obviously slower and allows usage of probably 20-30M (there's some overheads) before quitting. That's just based upon my understanding, I've not had a chance to do any intensive sizing tests. Finally it's VERY worthy of note that since this method aborts without unpacking the attachment there is no guarantee that viruses won't get through inside tnef type attachments. If you're worried perhaps you (Jules) can check on the return code of tnef and if it's -1 (failure) then you reject the attachment as "Unexpandable archive, rejected" or something? Or do you already do this? Steve
From jkf at ecs.soton.ac.uk Tue Sep 11 17:33:09 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:02 2006 Subject: Freshmeat MailScanner rating Message-ID: <5.1.0.14.2.20010911173123.03f0fc48@hawk.ecs.soton.ac.uk> I know this is a bit cheeky, but would some of you mind giving MailScanner a mark out of 10 on the Freshmeat web site for me please? You need to point your web browser at http://www.freshmeat.net/projects/mailscanner and rate the project from there. It would be nice to know if I am basically doing what people want. Thanks folks! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ
From Paul.Haldane at NEWCASTLE.AC.UK Mon Sep 24 11:47:23 2001 From: Paul.Haldane at NEWCASTLE.AC.UK (Paul Haldane) Date: Thu Jan 12 21:14:02 2006 Subject: Enhancement request In-Reply-To: <5.1.0.14.2.20010910151945.043775e8@hawk.ecs.soton.ac.uk> Message-ID: We're using Mailscanner in test service on one of our mail hubs and would like to move to using it on all of them replacing a home grown solution based on sendmail's filters.
One facility that our local stuff has that Mailscanner doesn't have (I think) is the ability to rename attachments as they pass through - for example we currently rename attachments such as "thing.exe" to "thing_exe". Idea being to make executable attachments non-executable (at least without a fair amount of effort by the recipient) even with files that have been passed as clean by the virus checker. There is concern here over possible time lags between viruses/worms being active and signatures for that virus/worm being in the anti-virus software. I know we could just reject such attachments using the filename rules but we'd rather not do that. Would other sites find this useful (as an option)? Is it something that could be added easily? I'm guessing (without a proper look at the code) that it should be possible since Mailscanner has to get the attachment filename to apply the filename rules. Paul -- Paul Haldane Computing Service University of Newcastle
From Olaf.Kaus at MAXPERT.DE Wed Sep 26 15:41:19 2001 From: Olaf.Kaus at MAXPERT.DE (Olaf Kaus) Date: Thu Jan 12 21:14:03 2006 Subject: clean_quarantine.sh fixed Message-ID: Hi, a few days ago I found a little bug in clean_quarantine shell script. Please install attached patch, if you are using it. Bug description: If year, month or day begins with '0', "expr" interprets that number as octal which may lead to miscalculation. A happy day, Olaf Kaus -- Olaf Kaus Software Developer +49-69-50065-269 Maxpert AG Berner Str. 119 D-60437 Frankfurt (Main) -------------- next part -------------- A non-text attachment was scrubbed... Name: clean_quarantine.diff Type: application/octet-stream Size: 322 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20010926/82ad18ee/clean_quarantine.obj
From jkf at ecs.soton.ac.uk Wed Sep 26 17:16:05 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:03 2006 Subject: Enhancement request In-Reply-To: References: <5.1.0.14.2.20010910151945.043775e8@hawk.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20010926171143.03b2fec8@hawk.ecs.soton.ac.uk> At 11:47 24/09/2001, you wrote: >One facility that our local stuff has that Mailscanner doesn't have (I >think) is the ability to rename attachments as they pass through - for >example we currently rename attachments such as "thing.exe" to >"thing_exe". Idea being to make executable attachments non-executable >(at least without a fair amount of effort by the recipient) even with >files that have been passed as clean by the virus checker. Unfortunately, this is actually really hard to do. To keep the load as light as possible (thereby making MailScanner as fast as possible) I don't touch the body of messages without viruses in them.
Renaming attachments would entail rebuilding the message body for all messages with attachments, which would add significantly to the system load. >There is >is concern here over possible time lags between viruses/worms being >active and signatures for that virus/worm being in the anti-virus >software. This is why I have things like the double-file-extension trap in filename.rules.conf. This has done the job admirably for us in the past, admittedly at the cost of a number of false positives. Also, Sophos are very good at getting out IDE pattern files in a matter of hours. Run the Sophos autoupdate script 2 or 3 times a day and you'll be very well protected. If you're using McAfee instead, then all I can suggest is that you think about switching to Sophos. (I'm not paid in any way for plugging Sophos, this is purely my personal opinion). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Sep 26 16:54:23 2001 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:03 2006 Subject: News about forthcoming new version Message-ID: <5.1.0.14.2.20010926164941.03b59098@hawk.ecs.soton.ac.uk> I will hopefully release version 2.50 in the next couple of weeks or so. New features will be: - Timeout on virus scanner - Timeout on TNEF decoder (To protect against Denial Of Service attacks) - Sorting incoming mail queue by date (So if there are more messages in the queue than can be scanned at one go, the oldest messages are scanned first, most recent last) - Ability to switch off virus scanning (A couple of people have asked for this, not sure why :-) I am not aware of any of the commercial packages which handle denial of service attacks at all well :( So this should be a feature where I beat the commercial packages hands down :) More importantly, it should reduce the amount of maintenance you have to do still further. 
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From msheean at IDMICRO.COM Wed Sep 26 17:50:38 2001 From: msheean at IDMICRO.COM (Mitchell D. Sheean) Date: Thu Jan 12 21:14:03 2006 Subject: News about forthcoming new version References: <5.1.0.14.2.20010926164941.03b59098@hawk.ecs.soton.ac.uk> Message-ID: <001601c146ab$5f8295b0$8001a8c0@idmicro.com> Do you have a logo button so I can link mailscanner to my site? Mitch ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, September 26, 2001 8:54 AM Subject: News about forthcoming new version > I will hopefully release version 2.50 in the next couple of weeks or so. > New features will be: > - Timeout on virus scanner > - Timeout on TNEF decoder > (To protect against Denial Of Service attacks) > - Sorting incoming mail queue by date > (So if there are more messages in the queue than can be scanned at one > go, the oldest messages are scanned first, most recent last) > - Ability to switch off virus scanning > (A couple of people have asked for this, not sure why :-) > > I am not aware of any of the commercial packages which handle denial of > service attacks at all well :( > So this should be a feature where I beat the commercial packages hands down :) > More importantly, it should reduce the amount of maintenance you have to do > still further. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton
> Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Wed Sep 26 18:29:48 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:03 2006
Subject: News about forthcoming new version
In-Reply-To: <001601c146ab$5f8295b0$8001a8c0@idmicro.com>
References: <5.1.0.14.2.20010926164941.03b59098@hawk.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20010926182749.065cf5b8@hawk.ecs.soton.ac.uk>

At 17:50 26/09/2001, you wrote:
>Do you have a logo button so I can link mailscanner to my site?

No but I would very much appreciate it if someone could draw me one.
C'mon guys and gals, help me out here!
Best version gets a credit on the web site...

(I'm not too good at art and our webmaster is too busy to help me at the moment)
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From S.R.Patterson at SOTON.AC.UK Thu Sep 27 11:34:07 2001
From: S.R.Patterson at SOTON.AC.UK (Patterson, S R)
Date: Thu Jan 12 21:14:03 2006
Subject: Spam email tagging
Message-ID:

Hi,

Having finally got around to implementing the latest version of mailscanner (and Jules tells us there's another one to come!) I've had an issue raised by one of our users.

The problem is that they regularly correspond with one or two people who work for remote universities at which the admins have not secured the mail servers. This means that these users' email is consistently marked as spam. The user was concerned that they might accidentally hit "reply" or "forward" and not delete the spam tag from the subject line before sending the mail on to somebody important.

His suggestion was that we should be able to "white list" individual email addresses and never mark them. I realise that there is already a facility to never mark email from certain IP ranges but this wouldn't be appropriate.

How simple would it be to add a file of white-listed sender addresses to mailscanner, any email from one of these addresses to never be marked with a {SPAM?} tag?

Steve
--
Steven Patterson, MSci ----------------------------------------------+
| Electronic Information Systems Support and Development |
| Computing Services, University of Southampton, UK. |
+-------------------------------------------- Tel: +44 (0) 2380 595810
...... ......
.. Conviction is a bigger enemy of the truth than lies. ..
...... ......
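The sender white list requested above, as an added example that is not MailScanner's own code: an entry is either a full address or a bare domain, and a domain entry matches only the exact text to the right of the @, which is the rule the reply that follows describes. The function names, the file format (one entry per line, `#` comments) and the sample entries are assumptions of this example.

```python
"""Sender white list for spam tagging: exact address or exact domain match."""

# Constructed sample file contents (reserved .example names, not real senders).
SAMPLE_WHITELIST = """\
# correspondents whose mail must never get the {SPAM?} tag
alice@relay.example
partner-university.example   # every sender at this exact domain
"""


def normalise_sender(sender):
    """Lower-case an envelope sender and strip <>; None if it is not local@domain."""
    if not sender:
        return None
    s = sender.strip().strip("<>").strip().lower()
    # Split on the LAST @ so that "a@listed.example@other.example" is judged
    # by its real domain, other.example.
    local, at, domain = s.rpartition("@")
    domain = domain.rstrip(".")
    if not at or not local or not domain:
        return None  # null sender "<>" (bounces) or a malformed address
    return local + "@" + domain


def load_whitelist(text):
    """Return (addresses, domains) parsed from white-list file contents."""
    addresses, domains = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if "@" in entry:
            addr = normalise_sender(entry)
            if addr:
                addresses.add(addr)
        else:
            domain = entry.strip(".")
            if domain:
                domains.add(domain)
    return addresses, domains


def is_whitelisted(sender, addresses, domains):
    """True if the sender, or its exact domain, is listed.

    Matching is by equality, never by substring or suffix: a suffix test
    would also accept "notpartner-university.example".
    """
    s = normalise_sender(sender)
    if s is None:
        return False
    if s in addresses:
        return True
    return s.rpartition("@")[2] in domains


if __name__ == "__main__":
    addrs, doms = load_whitelist(SAMPLE_WHITELIST)
    for candidate in ("<Alice@Relay.Example>",
                      "bob@partner-university.example",
                      "bob@mail.partner-university.example",
                      "bob@notpartner-university.example",
                      "<>"):
        print(candidate, is_whitelisted(candidate, addrs, doms))
```

A sender address is easy to forge, so a match here should only ever suppress the spam tag and never skip virus scanning.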
From jkf at ecs.soton.ac.uk Thu Sep 27 12:33:47 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:03 2006
Subject: Spam email tagging
In-Reply-To:
Message-ID: <5.1.0.14.2.20010927123237.0287d638@hawk.ecs.soton.ac.uk>

At 11:34 am 27/09/2001, you wrote:
>His suggestion was that we should be able to "white list" individual
>email addresses and never mark them. I realise that there is already
>a facility to never mark email from certain IP ranges but this
>wouldn't be appropriate.
>
>How simple would it be to add a file of white-listed sender addresses
>to mailscanner, any email from one of these addresses to never be
>marked with a {SPAM?} tag?

It's done. There will now be an (optional) file containing email addresses and/or email domains. Any sender address that appears in there, or any sender address whose domain (everything to the right of the @ sign) appears in there, won't ever be marked as spam.

Now back to the testing...
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From brandon.pearson at BBSRC.AC.UK Fri Sep 28 11:14:12 2001
From: brandon.pearson at BBSRC.AC.UK (brandon pearson (BITS))
Date: Thu Jan 12 21:14:03 2006
Subject: TNEF problem
Message-ID: <41773CEF2B8FD411920200508BDCDC1203BDB5@bits-exch1.bits.bbsrc.ac.uk>

>-----Original Message-----
>From: S.R.Patterson [mailto:S.R.Patterson@SOTON.AC.UK]
>Sent: Monday, September 10, 2001 8:42 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: TNEF problem
>
>
>Finally it's VERY worthy of note that since this method aborts without
>unpacking the attachment there is no guarantee that viruses won't get through
>inside tnef type attachments.
If you're worried perhaps you (Jules) can check
>on the return code of tnef and if it's -1 (failure) then you reject the
>attachment as "Unexpandable archive, rejected" or something? Or do you already
>do this?
>
>Steve

Hi,
We are running mailscanner 2.42 with TNEF 1.0.1. We are seeing a number of mails where TNEF gets stuck and aborted after 2 minutes and the mail is then delivered to the recipient.

Is there any way to quarantine these unscanned mails/attachments?

Thanks,

Brandon

From jkf at ecs.soton.ac.uk Fri Sep 28 19:00:37 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:03 2006
Subject: TNEF problem
In-Reply-To: <41773CEF2B8FD411920200508BDCDC1203BDB5@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <5.1.0.14.2.20010928185948.03bb8dc0@hawk.ecs.soton.ac.uk>

At 11:14 28/09/2001, you wrote:
> >-----Original Message-----
> >From: S.R.Patterson [mailto:S.R.Patterson@SOTON.AC.UK]
> >Sent: Monday, September 10, 2001 8:42 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: TNEF problem
> >
> >
> >Finally it's VERY worthy of note that since this method aborts without
> >unpacking the attachment there is no guarantee that viruses won't get
>through
> >inside tnef type attachments. If you're worried perhaps you (Jules) can
>check
> >on the return code of tnef and if it's -1 (failure) then you reject the
> >attachment as "Unexpandable archive, rejected" or something? Or do you
>already
> >do this?
> >
> >Steve
>
>Hi,
> We are running mailscanner 2.42 with TNEF 1.0.1.
We are seeing a number of
>mails where TNEF gets stuck and aborted after 2 minutes and the mail is then
>delivered to the recipient.
>
>Is there any way to quarantine these unscanned mails/attachments?
>
>Thanks,
>
>Brandon

This is fixed in version 2.50. If anything goes wrong with the TNEF expansion, it will abandon the entire message as "unparsable" and refuse to deliver any of it.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Fri Sep 28 22:45:15 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:03 2006
Subject: TNEF problem
In-Reply-To: <5.1.0.14.2.20010928185948.03bb8dc0@hawk.ecs.soton.ac.uk>
References: <41773CEF2B8FD411920200508BDCDC1203BDB5@bits-exch1.bits.bbsrc.ac.uk>
Message-ID: <5.1.0.14.2.20010928224345.0493eda0@hawk.ecs.soton.ac.uk>

At 19:00 28/09/2001, you wrote:
>At 11:14 28/09/2001, you wrote:
>> >-----Original Message-----
>> >From: S.R.Patterson [mailto:S.R.Patterson@SOTON.AC.UK]
>> >Sent: Monday, September 10, 2001 8:42 PM
>> >To: MAILSCANNER@JISCMAIL.AC.UK
>> >Subject: Re: TNEF problem
>> >
>> >
>> >Finally it's VERY worthy of note that since this method aborts without
>> >unpacking the attachment there is no guarantee that viruses won't get
>>through
>> >inside tnef type attachments. If you're worried perhaps you (Jules) can
>>check
>> >on the return code of tnef and if it's -1 (failure) then you reject the
>> >attachment as "Unexpandable archive, rejected" or something? Or do you
>>already
>> >do this?
>> >
>> >Steve
>>
>>Hi,
>> We are running mailscanner 2.42 with TNEF 1.0.1. We are seeing a number of
>>mails where TNEF gets stuck and aborted after 2 minutes and the mail is then
>>delivered to the recipient.
>>
>>Is there any way to quarantine these unscanned mails/attachments?
>>
>>Thanks,
>>
>>Brandon
>
>This is fixed in version 2.50.
If anything goes wrong with the TNEF
>expansion, it will abandon the entire message as "unparsable" and refuse to
>deliver any of it.

Slight improvement to that: what will happen is the winmail.dat attachment will be deemed "unparsable" and not delivered, but the plain text version of the message will still get through.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From damin at NACS.NET Sat Sep 29 16:24:18 2001
From: damin at NACS.NET (Greg Boehnlein)
Date: Thu Jan 12 21:14:03 2006
Subject: Mailscanner Newbie Questions
Message-ID:

Hello guys,

I am considering implementing mailscanner using Redhat 7.1 here at my ISP. Daily, we service several hundred thousand e-mails and recently the number of viruses passing through our system is starting to get out of control. I've purchased a site license for Sophos anti-virus and am in the process of testing mailscanner. Through that process, I have some questions:

1. I've installed sophos and mailscanner and they seem to be working. I can identify and disinfect files using sweep.
However, I do not seem to be cleaning e-mailed files that contain Eicar. How do I test mailscanner? I'm not seeing anything show up in the logs when I send through a virus test pattern in E-mail.

2. Do I need to be running sendmail as well as Mailscanner? I.E. when the system boots, should it be loading sendmail and mailscanner from /etc/rc.d/init.d?

3. What RPMS should I have to extract/test attachments? I just determined that I needed to install zip/unzip RPMS for the sophos update files.. Am I missing something else?

Thanks.. mailscanner looks like it will do a GREAT deal of positive things here! I am psyched!

--
Vice President of New Age Consulting Service, Inc. Cleveland Ohio
http://www.nacs.net info@nacs.net (216)-619-2000
KP-216-121-ST

From jkf at ecs.soton.ac.uk Sat Sep 29 17:28:56 2001
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:03 2006
Subject: Mailscanner Newbie Questions
In-Reply-To:
Message-ID: <5.1.0.14.2.20010929172109.00af3828@hawk.ecs.soton.ac.uk>

At 16:24 29/09/2001, you wrote:
>1. I've installed sophos and mailscanner and they seem to be working. I
>can identify and disinfect files using sweep. However, I do not seem to be
>cleaning e-mailed files that contain Eicar. How do I test mailscanner? I'm
>not seeing anything show up in the logs when I send through a virus test
>pattern in E-mail.

If the correct sendmail processes are running (that is, the ones from MailScanner's init.d script and not from sendmail's), then if you talk to your mail server on port 25 and send it a message containing Eicar, it should be disinfected. If you call the sendmail binary itself (which your mail client may well do by default), on the mail server, then it won't be scanned (there's no real way to avoid this unless you want to turn your /usr/sbin/sendmail into a little wrapper script to add extra command-line options onto the sendmail command). Make sure your mail client is configured to talk SMTP to your mail server.
Also, if you are not seeing *anything* from MailScanner in your maillog, check the Installation FAQ on the web site about changing the syslogd command-line options to enable Perl's syslog functions properly.

>2. Do I need to be running sendmail as well as Mailscanner? I.E. when the
>system boots, should it be loading sendmail and mailscanner from
>/etc/rc.d/init.d?

A "chkconfig --list | grep sendmail" should list sendmail as being off in *all* runlevels. MailScanner runs its own 2 copies of sendmail from its init.d script. Installing the MailScanner RPM should have disabled the sendmail init.d script for you.

>3. What RPMS should I have to extract/test attachments? I just determined
>that I needed to install zip/unzip RPMS for the sophos update files.. Am
>I missing something else?

You will need lynx for the sophos autoupdate script as well. Though that is probably installed by default.

>Thanks.. mailscanner looks like it will do a GREAT deal of positive things
>here! I am psyched!

Glad to hear it! I am about to release the next version (2.50) hopefully in the next week or so, which will contain features to prevent against Denial Of Service attacks, among other things. The upgrade should be fairly painless.

One thing to note: MailScanner does not require any changes to your /etc/sendmail.cf file. Make sure you (and MailScanner's RPM!) have not changed your sendmail.cf file. This is something that will be corrected in 2.50 (I'm removing the sendmail.cf file I currently provide, it causes more trouble than it is worth).
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From smhickel at chartermi.net Tue Sep 4 13:31:12 2001
From: smhickel at chartermi.net (smhickel)
Date: Thu Jan 12 21:21:34 2006
Subject: Bind and MailScanner
In-Reply-To:
References:
Message-ID: <3B94C990.60404@chartermi.net>

I am trying to get mailscanner to send to an isp via smtp.
I have the mailscanner box in the local 192.168.1.x subnet. I set up dns in rh 9.0, and I have webmin's latest version. I have sendmail sending to a relay server at the ISP. Webmin bind says it is version *BIND version 9.2.1*

When I run the dig -x 192.168.1.250 command it shows it to belong to an outside address at internic as opposed to my internal domain:

[root@mail root]# dig -x 192.168.1.250

; <<>> DiG 9.2.1 <<>> -x 192.168.1.250
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51663
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;250.1.168.192.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa. 10800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2002040800 1800 900 604800 604800

;; Query time: 472 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Dec 15 20:54:44 2003
;; MSG SIZE rcvd: 121

So, when I send email from 192.168.1.250 it shows up in the mailscanner log as being rejected for relay as it can not do a domain lookup on 192.168.1.250. I tried entering a reverse dns record, but that didn't seem to help.

From what I could figure, it almost seemed like dns wasn't working from webmin or something.

Any thoughts?

Steve

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From smhickel at chartermi.net Tue Sep 4 14:38:07 2001
From: smhickel at chartermi.net (smhickel)
Date: Thu Jan 12 21:21:34 2006
Subject: Bind and MailScanner
In-Reply-To: <3B94C990.60404@chartermi.net>
References: <3B94C990.60404@chartermi.net>
Message-ID: <3B94D93F.4000101@chartermi.net>

All,

In my search for the answer to this problem, I sort of figured it out. Turns out it was a reverse dns thing. Here is a manual I found in case others can benefit.
Steve

http://www.swelltech.com/support/pdfs/webminguide.pdf

smhickel wrote:

> I am trying to get mailscanner to send to an isp via smtp. I have the
> mailscanner box in the local 192.168.1.x subnet. I set up dns in rh 9.0,
> and I have webmin's latest version. I have sendmail sending to a relay
> server at the ISP. Webmin bind says it is version *BIND version 9.2.1*
>
> When I run the dig -x 192.168.1.250 command it shows it to belong to an
> outside address at internic as opposed to my internal domain:
>
> [root@mail root]# dig -x 192.168.1.250
>
> ; <<>> DiG 9.2.1 <<>> -x 192.168.1.250
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51663
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;250.1.168.192.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 168.192.in-addr.arpa. 10800 IN SOA prisoner.iana.org.
> hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
>
> ;; Query time: 472 msec
> ;; SERVER: 192.168.1.254#53(192.168.1.254)
> ;; WHEN: Mon Dec 15 20:54:44 2003
> ;; MSG SIZE rcvd: 121
>
> So, when I send email from 192.168.1.250 it shows up in the mailscanner
> log as being rejected for relay as it can not do a domain lookup on
> 192.168.1.250. I tried entering a reverse dns record, but that didn't
> seem to help.
>
> From what I could figure, it almost seemed like dns wasn't working from
> webmin or something.
>
> Any thoughts?
>
> Steve
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
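Returning to the "TNEF problem" thread earlier in this archive: the sketch below is an added example, not MailScanner's Perl code, of running an external decoder under a hard time limit and then choosing between the fail-open outcome reported for 2.42 (decoder aborted, mail delivered unscanned) and the fail-closed outcome described for 2.50 (the attachment is withheld as unparsable). The function names, verdict strings and the stand-in decoder commands are assumptions of this example.

```python
"""Time-limited external decoder with a fail-closed verdict."""
import subprocess
import sys

OK, FAILED, TIMED_OUT = "ok", "failed", "timed-out"


def run_decoder(argv, timeout_s):
    """Run an external unpacker with a hard time limit and report what happened."""
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed and reaped the child here.
        # A decoder that forks helpers would also need its own process group.
        return TIMED_OUT
    except OSError:
        return FAILED  # decoder binary missing or not executable
    return OK if proc.returncode == 0 else FAILED


def triage(attachments, timeout_s, fail_closed=True):
    """Map each attachment name to 'scan', 'withhold' or 'deliver-unscanned'.

    attachments is a list of (name, decoder_argv) pairs. Only a decoder
    that exits 0 within the time limit lets the attachment go on to the
    virus scanner. With fail_closed=True anything else is withheld as
    unparsable; fail_closed=False is the behaviour to avoid, where content
    nobody managed to unpack is delivered anyway.
    """
    verdicts = {}
    for name, argv in attachments:
        status = run_decoder(argv, timeout_s)
        if status == OK:
            verdicts[name] = "scan"
        elif fail_closed:
            verdicts[name] = "withhold"
        else:
            verdicts[name] = "deliver-unscanned"
    return verdicts


# Constructed stand-ins for a real decoder: one succeeds, one exits with an
# error, one hangs well past any sensible time limit.
PY = sys.executable
SAMPLE = [
    ("good.dat", [PY, "-c", "pass"]),
    ("corrupt.dat", [PY, "-c", "import sys; sys.exit(1)"]),
    ("stuck.dat", [PY, "-c", "import time; time.sleep(30)"]),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, timeout_s=3.0).items():
        print(name, "->", verdict)
```

Withholding only the attachment, as here, matches the later refinement in the thread where the plain text of the message still gets through.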