From Q.G.Campbell at NEWCASTLE.AC.UK Fri Feb 1 07:56:53 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:23 2006 Subject: Spamassassin Timeout! Message-ID: Paul Looks like you have enabled the RBL rules in SpamAssassin that require lookups on the Internet and you are suffering from slow responses from the DNS. That happened at this site so I initially increased the SpamAssassin timeout (within the mailscanner.conf) to 20 seconds from 10 but that is unworkable long term on a busy site like ours. In the end I disabled the RBL checks and reduced the timeout to the default again and removed the Net::DNS stuff I had installed. Note that you can do RBL checking within MailScanner so do not have to do it within SpamAssasin. The RBL checking within MailScanner seems to work well since it uses the system DNS resolver rather than Net::DNS. However you lose the MX lookup check as well as the Razor check in SpamAssain if you remove Net::DNS. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." > -----Original Message----- > From: Paul [mailto:hyooga@wt.net] > Sent: 31 January 2002 23:52 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Spamassassin Timeout! > > > Hi all, > > Could anyone please give me some ideas why I receive > "SpamAssassin timed out and was killed" message. I am running > perl 5.0053 and SA 1.5 with MailScanner 3.04. > > Thanks in advanced > > Paul > From LISTSERV at JISCMAIL.AC.UK Fri Feb 1 04:08:30 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: fnord@COSANOSTRA.NET requested to join Message-ID: <200202010408.EAA18583@magpie.ecs.soton.ac.uk> Fri, 1 Feb 2002 04:08:30 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Elie Rosenblum The following membership options have been requested: SUBJECTHDR. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER fnord@COSANOSTRA.NET Elie Rosenblum PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER fnord@COSANOSTRA.NET Elie Rosenblum SET MAILSCANNER SUBJECTHDR FOR fnord@COSANOSTRA.NET // EOJ From jkf at ecs.soton.ac.uk Fri Feb 1 09:10:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: Spamassassin Timeout! In-Reply-To: <200201312346.g0VNkkY23990@smtp3.wt.net> Message-ID: <5.1.0.14.2.20020201090913.0485e628@imap.ecs.soton.ac.uk> At 23:51 31/01/2002, you wrote: >Could anyone please give me some ideas why I receive "SpamAssassin timed out >and was killed" message. I am running perl 5.0053 and SA 1.5 with MailScanner >3.04. If you still get the error even after doing all the DNS stuff that Quentin recommends, it is worth noting that there is a bug in 2 of the rules in 1.5 that cause them to (almost) never terminate, which is why I wrote the timeout code in the first place. There was a patch posted on the SA website to get around this problem, or else you can upgrade to SA 2.01 which doesn't suffer from it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From R.A.Gardener at SHU.AC.UK Fri Feb 1 09:40:30 2002 From: R.A.Gardener at SHU.AC.UK (Ray Gardener) Date: Thu Jan 12 21:14:23 2006 Subject: Exim system filters compatibility References: <007901c1aa78$0963d6e0$2614348f@CISSYS15> <20020131202946.B12346@lemon-computing.com> Message-ID: <003401c1ab04$7d9721c0$2614348f@CISSYS15> Nick, looks like I sent you on a false trail; the system filter made no difference to the items hanging in the queue; I removed them from my exim configure and the problem still occurred. Looking at the messages in the spool whenever I remove the (tagged) subject line the problematic mail then gets delivered by Exim. My confusion was due to the fact that tagged mail was going through before I installed version 3.04. I assumed that this would still work under the latest version of mailscanner and attributed the problem to the new system filter I was implemented. Not tagging the subject line does work that is in mailscanner.conf set Spam Modify Subject = no (Note that the default seems to be set to yes so simply commenting this line out doesn't work). I will send a copy of this note together with a largish tarred version of my mailscanner installation directly to Nick for inspection. Regards Ray ----- Original Message ----- From: "Nick Phillips" To: Sent: Thursday, January 31, 2002 8:29 PM Subject: Re: Exim system filters compatibility > On Thu, Jan 31, 2002 at 04:55:05PM -0000, Ray Gardener wrote: > > Re: my original message below; on turning off SPAM checking in mailscanner the filter works. Strange! Version of mailscanner is 3.04 of exim 3.33. Is there something missing in my configuration? > > Oh, I forgot to mention. There was a bug in the header-mangling code for > Exim that caused this symptom when messages were tagged as spam by mailscanner. > It should no longer be there in 3.04, though. > > -- > Nick Phillips -- nwp@lemon-computing.com > You can create your own opportunities this week. Blackmail a senior executive. > From mdchaney at MICHAELCHANEY.COM Fri Feb 1 10:10:32 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:23 2006 Subject: SpamAssassin 2 again Message-ID: <20020201041032.A29741@michaelchaney.com> Just ran a spam through, gets a score of 5.46 on the command line spamassassin version, doesn't get marked as spam when going through mailscanner. Argh. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From LISTSERV at JISCMAIL.AC.UK Fri Feb 1 10:07:51 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: hushang.balyuzi@KCL.AC.UK requested to join Message-ID: <200202011007.KAA06361@magpie.ecs.soton.ac.uk> Fri, 1 Feb 2002 10:07:51 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Hushang Balyuzi The following membership options have been requested: ACK NOREPRO. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER hushang.balyuzi@KCL.AC.UK Hushang Balyuzi PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER hushang.balyuzi@KCL.AC.UK Hushang Balyuzi SET MAILSCANNER ACK NOREPRO FOR hushang.balyuzi@KCL.AC.UK // EOJ From jkf at ecs.soton.ac.uk Fri Feb 1 10:24:04 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: SpamAssassin 2 again In-Reply-To: <20020201041032.A29741@michaelchaney.com> Message-ID: <5.1.0.14.2.20020201102340.034aea08@imap.ecs.soton.ac.uk> At 10:10 01/02/2002, you wrote: >Just ran a spam through, gets a score of 5.46 on the command line >spamassassin version, doesn't get marked as spam when going through >mailscanner. Argh. Have you applied the patch that was posted to this list yesterday (or the day before) to help solve this problem? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Fri Feb 1 10:38:53 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:23 2006 Subject: Exim system filters compatibility In-Reply-To: <003401c1ab04$7d9721c0$2614348f@CISSYS15>; from R.A.Gardener@SHU.AC.UK on Fri, Feb 01, 2002 at 09:40:30AM -0000 References: <007901c1aa78$0963d6e0$2614348f@CISSYS15> <20020131202946.B12346@lemon-computing.com> <003401c1ab04$7d9721c0$2614348f@CISSYS15> Message-ID: <20020201103853.A790@lemon-computing.com> On Fri, Feb 01, 2002 at 09:40:30AM -0000, Ray Gardener wrote: > My confusion was due to the fact that tagged mail was going through before I > installed version 3.04. I assumed that this would still work under the > latest version of mailscanner and attributed the problem to the new system > filter I was implemented. Not tagging the subject line does work that is in > mailscanner.conf set > > Spam Modify Subject = no > > (Note that the default seems to be set to yes so simply commenting this line > out doesn't work). > > I will send a copy of this note together with a largish tarred version of my > mailscanner installation directly to Nick for inspection. OK, well that's definitely something that we found recently and thought was fixed. I *think* it's working for me (but mail comes into the machine that I use to work on this from a relay that is never going to be in any of the RBL lists, and I've only just started trying out spamassassin), so I'll have a look at what you've got and see what's up. Thanks, Nick -- Nick Phillips -- nwp@lemon-computing.com If you think last Tuesday was a drag, wait till you see what happens tomorrow! From LISTSERV at JISCMAIL.AC.UK Fri Feb 1 12:09:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: hostmaster@MEDIATIS.DE left the JISCmail list Message-ID: <200202011209.MAA16700@magpie.ecs.soton.ac.uk> Fri, 1 Feb 2002 12:09:09 Mediatis Hostmaster has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From joan.bryan at KCL.AC.UK Fri Feb 1 11:55:32 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:14:23 2006 Subject: Large mail queues Message-ID: Hello We are a new user of mailscanner (3.04.01) since weds and are finding it working well for us. However we did have a few problems initially with very large mail queues building up when we went live. (From our usual number of about 600 to 15500) We did several things to improve matters and thought these might be of interest to others in similar situations. 1. Changed the sleep(30) to sleep(2) (the delay time between mailscanner selecting the next batch to process) in mailscanner. We were finding the incoming mail building up faster than mailscanner could cope because of this delay. It would be nice if this were a configurable parameter. 2. Once the queues had built up to this size things deteriorated further because of problems unix has with large directory sizes, and this slowed down mailscanner's ability to process the queue so we recreated the queues from scratch and started afresh. 3. Sendmail change - this was not really anything to do with mailscanner, but it helped the faster delivery of local mail. We started an additional sendmail process for the output queue with parameter of -qRkcl (where kcl is our local domain) to process local mail. 4. The -q1m parameter on sendmail was used (as suggested in the FAQ). Joan Joan Bryan C&IT Services Unix System Team King's College London 020 7848 2671 mailto:joan.bryan@kcl.ac.uk From jkf at ecs.soton.ac.uk Fri Feb 1 14:07:56 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: Large mail queues In-Reply-To: Message-ID: <5.1.0.14.2.20020201140604.0609f938@imap.ecs.soton.ac.uk> Have you tried switching off spam detection, or using "Delivery in Background = yes". The sleep(30) is only used when there is very little/no incoming mail anyway. Perhaps other people with large throughput might like to comment? (I don't like the "-q1m" solution at all, it was suggested by someone else). At 11:55 01/02/2002, you wrote: >However we did have a few problems initially with very large mail queues >building up when we went live. (From our usual number of about 600 to 15500) > >We did several things to improve matters and thought these might be of >interest to others in similar situations. > >1. Changed the sleep(30) to sleep(2) (the delay time between mailscanner >selecting the next batch to process) in mailscanner. We were finding the >incoming mail building up faster than mailscanner could cope because of this >delay. It would be nice if this were a configurable parameter. > >2. Once the queues had built up to this size things deteriorated further >because of problems unix has with large directory sizes, and this slowed >down mailscanner's ability to process the queue so we recreated the queues >from scratch and started afresh. > >3. Sendmail change - this was not really anything to do with mailscanner, >but it helped the faster delivery of local mail. We started an additional >sendmail process for the output queue with parameter of -qRkcl (where kcl is >our local domain) to process local mail. > >4. The -q1m parameter on sendmail was used (as suggested in the FAQ). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri Feb 1 14:17:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: Per-Domain scanning for viruses and spam In-Reply-To: <5.1.0.14.2.20020131142634.067417c0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020201141604.035b1da8@imap.ecs.soton.ac.uk> At 14:49 31/01/2002, you wrote: >I have implemented per-domain scanning for viruses and spam. It involves a >few new keywords in the config file to switch the various bits on and off: >What I need now is some beta-testers to try out the new features. >Volunteers to me in person at mailscanner@ecs.soton.ac.uk (not the list) >please. I still need some beta-testers for this, else it will just get released in its current state. Various of you said you wanted it, please help test it for me! I've only had 1 offer so far... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Fri Feb 1 14:15:54 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson, S R) Date: Thu Jan 12 21:14:23 2006 Subject: Large mail queues Message-ID: The second sendmail to process local mail is a good idea as it stops the delivery runs being held up by a poorly responsive remote server timeout. Then that's not a problem if you deliver in the background and set your batch size to 1 anyway ... :) -- Steven Patterson, MSci ----------------------------------------------+ | Electronic Information Systems Support and Development | | Computing Services, University of Southampton, UK. | +-------------------------------------------- Tel: +44 (0) 2380 595810 ...... ...... .. Conviction is a bigger enemy of the truth than lies. .. ...... ...... > -----Original Message----- > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > Sent: 01 February 2002 14:08 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Large mail queues > > > Have you tried switching off spam detection, or using "Delivery in > Background = yes". > The sleep(30) is only used when there is very little/no > incoming mail anyway. > > Perhaps other people with large throughput might like to comment? > (I don't like the "-q1m" solution at all, it was suggested by > someone else). > > At 11:55 01/02/2002, you wrote: > >However we did have a few problems initially with very large > mail queues > >building up when we went live. (From our usual number of > about 600 to 15500) > > > >We did several things to improve matters and thought these > might be of > >interest to others in similar situations. > > > >1. Changed the sleep(30) to sleep(2) (the delay time between > mailscanner > >selecting the next batch to process) in mailscanner. We were > finding the > >incoming mail building up faster than mailscanner could cope > because of this > >delay. It would be nice if this were a configurable parameter. > > > >2. Once the queues had built up to this size things > deteriorated further > >because of problems unix has with large directory sizes, and > this slowed > >down mailscanner's ability to process the queue so we > recreated the queues > >from scratch and started afresh. > > > >3. Sendmail change - this was not really anything to do with > mailscanner, > >but it helped the faster delivery of local mail. We started > an additional > >sendmail process for the output queue with parameter of > -qRkcl (where kcl is > >our local domain) to process local mail. > > > >4. The -q1m parameter on sendmail was used (as suggested in > the FAQ). > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From felker at GMX.NET Fri Feb 1 16:16:17 2002 From: felker at GMX.NET (Sander Jonkers) Date: Thu Jan 12 21:14:23 2006 Subject: Per-Domain scanning for viruses and spam References: <5.1.0.14.2.20020201141604.035b1da8@imap.ecs.soton.ac.uk> Message-ID: <32266.1012580177@www43.gmx.net> > I still need some beta-testers for this, else it will just get released in > its current state. Various of you said you wanted it, please help test it > for me! I've only had 1 offer so far... I would beta-test it if I could, but I only have got one mail domain. Sorry. Sander -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net From joan.bryan at KCL.AC.UK Fri Feb 1 14:48:15 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:14:23 2006 Subject: Large mail queues In-Reply-To: <5.1.0.14.2.20020201140604.0609f938@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020201140604.0609f938@imap.ecs.soton.ac.uk> Message-ID: On Fri, 1 Feb 2002 14:07:56 +0000 Julian Field wrote: > Have you tried switching off spam detection, or using "Delivery in > Background = yes". > The sleep(30) is only used when there is very little/no incoming mail anyway. > We did switch off spam detection (we weren't supposed to be running with this option but did for a while. Also spam assassin was not used at all). I suppose this might have caused the queues to build up initially. We also tried "Delivery in Background = yes" for a short while, although could not see an effect with this. I'll try this again. Thanks. > Perhaps other people with large throughput might like to comment? > (I don't like the "-q1m" solution at all, it was suggested by someone else). > > At 11:55 01/02/2002, you wrote: > >However we did have a few problems initially with very large mail queues > >building up when we went live. (From our usual number of about 600 to 15500) > > > >We did several things to improve matters and thought these might be of > >interest to others in similar situations. > > > >1. Changed the sleep(30) to sleep(2) (the delay time between mailscanner > >selecting the next batch to process) in mailscanner. We were finding the > >incoming mail building up faster than mailscanner could cope because of this > >delay. It would be nice if this were a configurable parameter. > > > >2. Once the queues had built up to this size things deteriorated further > >because of problems unix has with large directory sizes, and this slowed > >down mailscanner's ability to process the queue so we recreated the queues > >from scratch and started afresh. > > > >3. Sendmail change - this was not really anything to do with mailscanner, > >but it helped the faster delivery of local mail. We started an additional > >sendmail process for the output queue with parameter of -qRkcl (where kcl is > >our local domain) to process local mail. > > > >4. The -q1m parameter on sendmail was used (as suggested in the FAQ). > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ ---------------------- Joan Bryan joan.bryan@kcl.ac.uk From LISTSERV at JISCMAIL.AC.UK Fri Feb 1 16:46:04 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: pete.tedder@KCL.AC.UK requested to join Message-ID: <200202011646.QAA13272@magpie.ecs.soton.ac.uk> Fri, 1 Feb 2002 16:46:04 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Pete Tedder You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER pete.tedder@KCL.AC.UK Pete Tedder PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER pete.tedder@KCL.AC.UK Pete Tedder // EOJ From mdchaney at MICHAELCHANEY.COM Fri Feb 1 19:24:33 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:23 2006 Subject: SpamAssassin 2 again In-Reply-To: <5.1.0.14.2.20020201102340.034aea08@imap.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Fri, Feb 01, 2002 at 10:24:04AM +0000 References: <20020201041032.A29741@michaelchaney.com> <5.1.0.14.2.20020201102340.034aea08@imap.ecs.soton.ac.uk> Message-ID: <20020201132433.A31525@michaelchaney.com> On Fri, Feb 01, 2002 at 10:24:04AM +0000, Julian Field wrote: > At 10:10 01/02/2002, you wrote: > >Just ran a spam through, gets a score of 5.46 on the command line > >spamassassin version, doesn't get marked as spam when going through > >mailscanner. Argh. > > Have you applied the patch that was posted to this list yesterday (or the > day before) to help solve this problem? Yep. Spamassassin is coming up with 0 hits inside mailscanner, 5.76 on command line. SPAM: -------------------- Start SpamAssassin results ---------------------- SPAM: This mail is probably spam. The original message has been altered SPAM: so you can recognise or block similar unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more details. SPAM: SPAM: Content analysis details: (5.46 hits, 5 required) SPAM: Hit! (0.7 points) Subject is all capitals SPAM: Hit! (1.76 points) Sent with 'X-Priority' set to high SPAM: Hit! (3 points) Listed in Razor, see http://razor.sourceforge.net/ SPAM: SPAM: -------------------- End of SpamAssassin results --------------------- \n's aren't helping this one. The above output is same when I use "su - mail" before running spamassassin. I'll bounce the message to you if you like. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From sevans at FOUNDATION.SDSU.EDU Fri Feb 1 20:16:16 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:23 2006 Subject: Mcafee Virus Scanner Message-ID: <20C245C5F9A41949A359CCDBF4B3ADED2A7811@foundation.foundation.sdsu.edu> I used the rpm to install mailscanner. The rpm puts a file called mcafeewrapper in the /usr/local/mcafee directory. The Mcafee comand line scanner install has an executable called uvscan in the same directory. Which executable should I use in the mailscanner.conf file? Steve Evans Computing Services SDSU Foundation 619 594-0653 From s-luppescu at UCHICAGO.EDU Fri Feb 1 20:49:34 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:14:23 2006 Subject: Mcafee Virus Scanner In-Reply-To: <20C245C5F9A41949A359CCDBF4B3ADED2A7811@foundation.foundation.sdsu.edu> References: <20C245C5F9A41949A359CCDBF4B3ADED2A7811@foundation.foundation.sdsu.edu> Message-ID: <1012596574.4269.50.camel@musuko.uchicago.edu> On ?, 2002-02-01 at 14:16, Steve Evans wrote: > I used the rpm to install mailscanner. The rpm puts a file called mcafeewrapper in the /usr/local/mcafee directory. The Mcafee comand line scanner install has an executable called uvscan in the same directory. Which executable should I use in the mailscanner.conf file? I believe it's in the docs somewhere, but I'm using mcafeewrapper. -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR ???????? -=- Kernel 2.4.14-xfs "There is hopeful symbolism in the fact that flags do not wave in a vacuum." --Arthur C. Clarke -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020201/66f0c14f/attachment.bin From miguelk at KONSULTEX.COM.BR Sat Feb 2 02:39:42 2002 From: miguelk at KONSULTEX.COM.BR (Miguel Koren =?iso-8859-1?Q?O=B4?= Brien de Lacy) Date: Thu Jan 12 21:14:23 2006 Subject: Per-Domain scanning for viruses and spam References: <5.1.0.14.2.20020201141604.035b1da8@imap.ecs.soton.ac.uk> Message-ID: <3C5B516D.A47C7A57@konsultex.com.br> Julian; I like the idea of scanning per domain and I have several domains. If I were using 3.x I would test it. I still not on the 'bleeding' edge; I still run 2.60 which works really great for me. Miguel Julian Field wrote: > At 14:49 31/01/2002, you wrote: > >I have implemented per-domain scanning for viruses and spam. It involves a > >few new keywords in the config file to switch the various bits on and off: > >What I need now is some beta-testers to try out the new features. > >Volunteers to me in person at mailscanner@ecs.soton.ac.uk (not the list) > >please. > > I still need some beta-testers for this, else it will just get released in > its current state. Various of you said you wanted it, please help test it > for me! I've only had 1 offer so far... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Feb 1 20:20:51 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: miket@DIG-NET.NET left the JISCmail list Message-ID: <200202012020.UAA00068@magpie.ecs.soton.ac.uk> Fri, 1 Feb 2002 20:20:51 Mike Terebessy has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Sat Feb 2 10:58:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: belluz@QNET.IT requested to join Message-ID: <200202021058.KAA02810@magpie.ecs.soton.ac.uk> Sat, 2 Feb 2002 10:58:36 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Belluz Massimo The following membership options have been requested: HTML DIGEST. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER belluz@QNET.IT Belluz Massimo PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER belluz@QNET.IT Belluz Massimo SET MAILSCANNER HTML DIGEST FOR belluz@QNET.IT // EOJ From rishi at THEARGONCOMPANY.COM Sat Feb 2 14:51:34 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:23 2006 Subject: spam.whitelist.conf file not working Message-ID: <018501c1abf9$1bafd880$1b02a8c0@theargoncompany.com> Hi, A message was detected as spam even though the domain name was in the spam.whitelist.conf file. Can anyone help why this happened and how I can configure it to not happen? Domain name in Spam.whitelist.com = w-o-i.com The From address is anil@w-o-i.com See the Message Headers below. Regards Rishi ---------------------------------------------------------------------------- ----------------------- Return-Path: Received: from localhost (IDENT:rishi@localhost [127.0.0.1]) by theargoncompany.com (8.9.3/8.9.3) with ESMTP id OAA09183 for ; Sat, 2 Feb 2002 14:30:26 +0530 Comments: Received: from theargoncompany.com [203.199.89.92] by localhost with POP3 (fetchmail-5.9.0) for rishi@localhost (single-drop); Sat, 02 Feb 2002 14:30:26 +0530 (IST) Received: from n18.groups.yahoo.com (n18.groups.yahoo.com [216.115.96.68]) by mail003.ownmail.com (8.10.2/8.10.2) with SMTP id g128gpc07563 for ; Sat, 2 Feb 2002 14:12:51 +0530 X-eGroups-Return: sentto-2369197-777-1012639464-rishi=theargoncompany.com@returns.groups.yahoo .com Received: from [216.115.97.164] by n18.groups.yahoo.com with NNFMP; 02 Feb 2002 08:44:38 -0000 X-Sender: anil@w-o-i.com X-Apparently-To: tacdev@yahoogroups.com Received: (EGP: mail-8_0_1_3); 2 Feb 2002 08:44:23 -0000 Received: (qmail 33416 invoked from network); 2 Feb 2002 08:44:23 -0000 Received: from unknown (216.115.97.171) by m10.grp.snv.yahoo.com with QMQP; 2 Feb 2002 08:44:23 -0000 Received: from unknown (HELO w-o-i.com) (202.88.143.72) by mta3.grp.snv.yahoo.com with SMTP; 2 Feb 2002 08:44:22 -0000 Received: from shaq ([192.168.0.104]) by w-o-i.com (8.9.3/8.9.3) with SMTP id OAA15421; Sat, 2 Feb 2002 14:26:14 +0530 Message-ID: <004801c1abc5$3e6fb5e0$6800a8c0@woi.com> To: "Rishi Gangoly" , "TAC Dev" References: <03ed01c1ab30$334dc840$1b02a8c0@theargoncompany.com> X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-MailScanner: Found to be clean, Found to be clean From: "Anil Vaswani \(AKA Nanavati\)" X-Yahoo-Profile: anilnanavati MIME-Version: 1.0 Mailing-List: list tacdev@yahoogroups.com; contact tacdev-owner@yahoogroups.com Delivered-To: mailing list tacdev@yahoogroups.com Precedence: bulk List-Unsubscribe: Date: Sat, 2 Feb 2002 14:10:18 +0530 Subject: {SPAM?} [tacdev] Re: Secure Log Files Reply-To: tacdev@yahoogroups.com Content-Type: multipart/alternative; boundary="----=_NextPart_000_0045_01C1ABF3.57F59740" X-MailScanner-SpamCheck: SpamAssassin (5 hits) Status: From LISTSERV at JISCMAIL.AC.UK Sat Feb 2 14:47:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: v.p.p.julien@XS4ALL.NL requested to join Message-ID: <200202021447.OAA10836@magpie.ecs.soton.ac.uk> Sat, 2 Feb 2002 14:47:37 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Victor Julien You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER v.p.p.julien@XS4ALL.NL Victor Julien PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER v.p.p.julien@XS4ALL.NL Victor Julien // EOJ From jkf at ecs.soton.ac.uk Sat Feb 2 15:09:45 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: spam.whitelist.conf file not working In-Reply-To: <018501c1abf9$1bafd880$1b02a8c0@theargoncompany.com> Message-ID: <5.1.0.14.2.20020202150754.02ed2ff0@hawk.ecs.soton.ac.uk> At 14:51 02/02/2002, you wrote: >A message was detected as spam even though the domain name was in the >spam.whitelist.conf file. Can anyone help why this happened and how I can >configure it to not happen? > >Domain name in Spam.whitelist.com = w-o-i.com > >The From address is anil@w-o-i.com You will find that the real "From" address in the envelope was It's that address that matters, not what you happen to put in the headers. Put "returns.groups.yahoo.com" in the spam.whitelist.conf, restart MailScanner and try the same test again. >---------------------------------------------------------------------------- >----------------------- >Return-Path: >o.com> >Received: from localhost (IDENT:rishi@localhost [127.0.0.1]) > by theargoncompany.com (8.9.3/8.9.3) with ESMTP id OAA09183 > for ; Sat, 2 Feb 2002 14:30:26 +0530 >Comments: >Received: from theargoncompany.com [203.199.89.92] > by localhost with POP3 (fetchmail-5.9.0) > for rishi@localhost (single-drop); Sat, 02 Feb 2002 14:30:26 +0530 (IST) >Received: from n18.groups.yahoo.com (n18.groups.yahoo.com [216.115.96.68]) > by mail003.ownmail.com (8.10.2/8.10.2) with SMTP id g128gpc07563 > for ; Sat, 2 Feb 2002 14:12:51 +0530 >X-eGroups-Return: >sentto-2369197-777-1012639464-rishi=theargoncompany.com@returns.groups.yahoo >.com >Received: from [216.115.97.164] by n18.groups.yahoo.com with NNFMP; 02 Feb >2002 08:44:38 -0000 >X-Sender: anil@w-o-i.com >X-Apparently-To: tacdev@yahoogroups.com >Received: (EGP: mail-8_0_1_3); 2 Feb 2002 08:44:23 -0000 >Received: (qmail 33416 invoked from network); 2 Feb 2002 08:44:23 -0000 >Received: from unknown (216.115.97.171) > by m10.grp.snv.yahoo.com with QMQP; 2 Feb 2002 08:44:23 -0000 >Received: from unknown (HELO w-o-i.com) (202.88.143.72) > by mta3.grp.snv.yahoo.com with SMTP; 2 Feb 2002 08:44:22 -0000 >Received: from shaq ([192.168.0.104]) > by w-o-i.com (8.9.3/8.9.3) with SMTP id OAA15421; > Sat, 2 Feb 2002 14:26:14 +0530 >Message-ID: <004801c1abc5$3e6fb5e0$6800a8c0@woi.com> >To: "Rishi Gangoly" , > "TAC Dev" >References: <03ed01c1ab30$334dc840$1b02a8c0@theargoncompany.com> >X-Priority: 3 >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2600.0000 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 >X-MailScanner: Found to be clean, Found to be clean >From: "Anil Vaswani \(AKA Nanavati\)" >X-Yahoo-Profile: anilnanavati >MIME-Version: 1.0 >Mailing-List: list tacdev@yahoogroups.com; contact >tacdev-owner@yahoogroups.com >Delivered-To: mailing list tacdev@yahoogroups.com >Precedence: bulk >List-Unsubscribe: >Date: Sat, 2 Feb 2002 14:10:18 +0530 >Subject: {SPAM?} [tacdev] Re: Secure Log Files >Reply-To: tacdev@yahoogroups.com >Content-Type: multipart/alternative; > boundary="----=_NextPart_000_0045_01C1ABF3.57F59740" >X-MailScanner-SpamCheck: SpamAssassin (5 hits) >Status: -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Sat Feb 2 15:24:06 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:23 2006 Subject: spam.whitelist.conf file not working References: <5.1.0.14.2.20020202150754.02ed2ff0@hawk.ecs.soton.ac.uk> Message-ID: <01a701c1abfd$a729e1e0$1b02a8c0@theargoncompany.com> > At 14:51 02/02/2002, you wrote: > >A message was detected as spam even though the domain name was in the > >spam.whitelist.conf file. Can anyone help why this happened and how I can > >configure it to not happen? > > > >Domain name in Spam.whitelist.com = w-o-i.com > > > >The From address is anil@w-o-i.com > > You will find that the real "From" address in the envelope was > > > It's that address that matters, not what you happen to put in the headers. > Put "returns.groups.yahoo.com" in the spam.whitelist.conf, restart > MailScanner and try the same test again. Done that. Will keep you posted if it repeats. Thanks Rishi From splee at PLEXIO.COM Sun Feb 3 03:10:51 2002 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot Message-ID: <1012705853.7636.29.camel@ralph.plexio.private> Hi, Has anyone tried the email test from http://www.gfi.com/emailsecuritytest for virus vulnerabilities? Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of the 6 infected messages were detected. The test included the following: o VBS file vulnerability test o CLSID extension vulnerability test o MIME header vulnerability test o ActiveX vulnerability test o Malformed file extension vulnerability test (for Outlook 2002 - XP) o CLSID extension vulnerability test (for Outlook 2002 - XP) Mailscanner only detected the MIME header and VBS payloads. What kind of adjustments can I make to catch the rest or is it an F-Prot issue? thanks, Stephen From LISTSERV at JISCMAIL.AC.UK Sat Feb 2 19:22:56 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:23 2006 Subject: MAILSCANNER: ben.palmer@INTERMATRIX-SYSTEMS.COM requested to join Message-ID: <200202021922.TAA21029@magpie.ecs.soton.ac.uk> Sat, 2 Feb 2002 19:22:56 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ben Palmer The following membership options have been requested: CONCEAL. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ben.palmer@INTERMATRIX-SYSTEMS.COM Ben Palmer PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ben.palmer@INTERMATRIX-SYSTEMS.COM Ben Palmer SET MAILSCANNER CONCEAL FOR ben.palmer@INTERMATRIX-SYSTEMS.COM // EOJ From jkf at ecs.soton.ac.uk Sun Feb 3 09:52:19 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot In-Reply-To: <1012705853.7636.29.camel@ralph.plexio.private> Message-ID: <5.1.0.14.2.20020203094435.02f9b668@hawk.ecs.soton.ac.uk> At 03:10 03/02/2002, you wrote: >Has anyone tried the email test from >http://www.gfi.com/emailsecuritytest for virus vulnerabilities? >Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of >the 6 infected messages were detected. The test included the following: > >o VBS file vulnerability test >o CLSID extension vulnerability test >o MIME header vulnerability test >o ActiveX vulnerability test >o Malformed file extension vulnerability test (for Outlook 2002 - >XP) >o CLSID extension vulnerability test (for Outlook 2002 - XP) > >Mailscanner only detected the MIME header and VBS payloads. What kind of >adjustments can I make to catch the rest or is it an F-Prot issue? Detecting the CLSID extensions is just a matter of writing a suitable rule for filename.rules.conf. I'm sure you can do that yourselves (that covers 2 of the above). I'll try to find time to write one for the release of 3.10 to make life easier for you. As for the others, MailScanner (with a virus-detection engine) will happily detect the actual viruses that have exploited these holes in the past (some of which have now been patched against by Microsoft anyway, and so are a bit historical). Not all of them have ever been exploited (read the docs carefully on that web site). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sun Feb 3 10:12:35 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot In-Reply-To: <5.1.0.14.2.20020203094435.02f9b668@hawk.ecs.soton.ac.uk> References: <1012705853.7636.29.camel@ralph.plexio.private> Message-ID: <5.1.0.14.2.20020203100720.02f99908@hawk.ecs.soton.ac.uk> At 09:52 03/02/2002, you wrote: >At 03:10 03/02/2002, you wrote: >>Has anyone tried the email test from >>http://www.gfi.com/emailsecuritytest for virus vulnerabilities? >>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of >>the 6 infected messages were detected. The test included the following: >> >>o VBS file vulnerability test >>o CLSID extension vulnerability test >>o MIME header vulnerability test >>o ActiveX vulnerability test >>o Malformed file extension vulnerability test (for Outlook 2002 - >>XP) >>o CLSID extension vulnerability test (for Outlook 2002 - XP) >> >>Mailscanner only detected the MIME header and VBS payloads. What kind of >>adjustments can I make to catch the rest or is it an F-Prot issue? I've justed this lot on our own systems, using Eudora as the client on a properly patched Win2k system. The only one that I am vulnerable to at all is the CLSID extension test, and even that didn't really work as Eudora showed the entire filename, including the CLSID. However, if you want to block filenames ending in CLSID's, add this to your filename.rules.conf (remember to separate the 4 bits of the line with tab characters!): deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide it's real extension Files ending in CLSID's are trying to hide their real extension The other tests just either failed to do anything at all, or left me staring at a message window full of (unexecuted) JavaScript which wasn't very exciting :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From splee at PLEXIO.COM Sun Feb 3 16:01:41 2002 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot In-Reply-To: <5.1.0.14.2.20020203100720.02f99908@hawk.ecs.soton.ac.uk> References: <1012705853.7636.29.camel@ralph.plexio.private> <5.1.0.14.2.20020203100720.02f99908@hawk.ecs.soton.ac.uk> Message-ID: <1012752103.7636.43.camel@ralph.plexio.private> On Sun, 2002-02-03 at 02:12, Julian Field wrote: > At 09:52 03/02/2002, you wrote: > >At 03:10 03/02/2002, you wrote: > >>Has anyone tried the email test from > >>http://www.gfi.com/emailsecuritytest for virus vulnerabilities? > >>Using Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of > >>the 6 infected messages were detected. The test included the following: > >> > >>o VBS file vulnerability test > >>o CLSID extension vulnerability test > >>o MIME header vulnerability test > >>o ActiveX vulnerability test > >>o Malformed file extension vulnerability test (for Outlook 2002 - > >>XP) > >>o CLSID extension vulnerability test (for Outlook 2002 - XP) > >> > >>Mailscanner only detected the MIME header and VBS payloads. What kind of > >>adjustments can I make to catch the rest or is it an F-Prot issue? > > I've justed this lot on our own systems, using Eudora as the client on a > properly patched Win2k system. > > The only one that I am vulnerable to at all is the CLSID extension test, > and even that didn't really work as Eudora showed the entire filename, > including the CLSID. However, if you want to block filenames ending in > CLSID's, add this to your filename.rules.conf (remember to separate the 4 > bits of the line with tab characters!): > > deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide it's real > extension Files ending in CLSID's are trying to hide their real extension > > The other tests just either failed to do anything at all, or left me > staring at a message window full of (unexecuted) JavaScript which wasn't > very exciting :-) > -- > Julian Field Teaching Systems Manager Thanks Julian! The above rule took care of the CLSID extensions. I did have to remove the "'" from "Filename trying to hide it's real extension" to get mailscanner to start. I presume quoting the phrase would have worked too. Stephen From brose at MED.WAYNE.EDU Sun Feb 3 17:38:09 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot Message-ID: Their .hta attachment made it thru and after checking mailscanner is letting any attachment thru that ends in a period. So a rule for trailing periods might be needed also. This seems to work on that note. deny \.$ Deny all attachments with trailing periods Files ending in periods are considered malformed and attempt to hide the real filename extension. -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Sunday, February 03, 2002 5:13 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: GFI E-mail Test with F-prot At 09:52 03/02/2002, you wrote: >At 03:10 03/02/2002, you wrote: >>Has anyone tried the email test from >>http://www.gfi.com/emailsecuritytest for virus vulnerabilities? Using >>Mailscanner 3.03-1/F-Prot with Exim 3.34 on Trustix 1.5, only 2 of the >>6 infected messages were detected. The test included the following: >> >>o VBS file vulnerability test >>o CLSID extension vulnerability test >>o MIME header vulnerability test >>o ActiveX vulnerability test >>o Malformed file extension vulnerability test (for Outlook 2002 - >>XP) >>o CLSID extension vulnerability test (for Outlook 2002 - XP) >> >>Mailscanner only detected the MIME header and VBS payloads. What kind >>of adjustments can I make to catch the rest or is it an F-Prot issue? I've justed this lot on our own systems, using Eudora as the client on a properly patched Win2k system. The only one that I am vulnerable to at all is the CLSID extension test, and even that didn't really work as Eudora showed the entire filename, including the CLSID. However, if you want to block filenames ending in CLSID's, add this to your filename.rules.conf (remember to separate the 4 bits of the line with tab characters!): deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide it's real extension Files ending in CLSID's are trying to hide their real extension The other tests just either failed to do anything at all, or left me staring at a message window full of (unexecuted) JavaScript which wasn't very exciting :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Sun Feb 3 17:54:03 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot Message-ID: Any ideas about this activex bugger? In the message they have an IFRAME marker that sources http://www.gfi.com/emailsecuritytest/ax.htm That page contains the code. I'm trying to figure out how their content scanning would determine if the message had executable code. Wouldn't it have to follow the links embedded in every message or are they just removing any code that sources an external source? If that's the case, what if it's a legit sourcing? From brose at MED.WAYNE.EDU Sun Feb 3 18:38:07 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:23 2006 Subject: GFI E-mail Test with F-prot Message-ID: If you send just the ax.html file then the antivirus stuff get it's. So the problem is only when linking to an outside source instead of embedding it. Does anyone know if