From mike at CAMAROSS.NET Mon Jul 1 01:40:36 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:08 2006
Subject: MS not starting after SpamAssassin install
References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu>
Message-ID: <009001c22097$eb58c890$01000001@home.wideopenthrottle.org>

Ok...I ran into the same thing today. I installed SpamAssassin via CPAN
before I installed MS and Sophos. I now see that was a mistake :) Problem
is, I have tried to reinstall SA from CPAN and the problem persists (force
install Mail::SpamAssassin). Is there a way to uninstall SA and then start
fresh?

Mike

----- Original Message -----
From: "Support"
To:
Sent: Tuesday, May 21, 2002 7:26 PM
Subject: MS not starting after SpamAssassin install

> Hi,
>
> I have Mailscanner running. when I installed spamassassin I tried running
> ./check_mailscanner and ./check_mailscanner.linux but they come up w/
> this...
>
>
> #########################################
> [root@frost bin]# ./check_mailscanner
> Starting virus scanner...
> Can't locate Mail/SpamAssassin.pm in @INC (@INC contains:
> /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux
> /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux
> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at
> /usr/local/MailScanner/bin/sendmail.pl line 46.
> Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line
> 77.
>
> ########################################
>
> I found spamassassin to be here
> /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm
>
> so I tried to edit the /bin/sendmail.pl file
>
> use lib '/usr/lib/perl5/site_perl/5.6.1/Mail';
> use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin';
>
>
> And that didnt work even thought the path to the module showed up in @INC.
>
> This looks like a problem w/ Mailscanner or spam assassin install.
>
>
> Is there another way of fixing this?
>
> thanx
>
>

From bill at DISTMIRR.COM Mon Jul 1 04:55:01 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:08 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <5.1.0.14.2.20020630165426.03584478@imap.ecs.soton.ac.uk>
References: <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <1025419405.2606.8.camel@linuxlaptop.spis.net> <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020630165426.03584478@imap.ecs.soton.ac.uk>
Message-ID: <1025495703.2267.22.camel@linuxlaptop.spis.net>

>
> What is so hard about it? I would like to know where it or the docs need
> improving.

The actual installation and configuration isn't so terribly difficult,
it's mainly the lack of information on error messages.

>
> To quote the error message:
> "FATAL: *Please go and READ*
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml"
>
> Have you actually read that web page? Seems fairly clear to me (but then
> again it would, I wrote it).

Yes I have read the page. I see that Kaspersky is in alpha status and
that I should not assume that it works. My problem is though the error
messages gives me no information on why it exited out. I would love to
see what message Kaspersky gave mailscanner which caused it to exit,
that way I might be able to modify the wrapper or what not it self to
actually make it work for me.

Regards,
Bill Omer

From nwp at LEMON-COMPUTING.COM Mon Jul 1 07:39:32 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:08 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <1025495703.2267.22.camel@linuxlaptop.spis.net>
References: <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <1025419405.2606.8.camel@linuxlaptop.spis.net> <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020630165426.03584478@imap.ecs.soton.ac.uk> <1025495703.2267.22.camel@linuxlaptop.spis.net>
Message-ID: <20020701063932.GP1239@hoiho.nz.lemon-computing.com>

On Sun, Jun 30, 2002 at 10:55:01PM -0500, Bill Omer wrote:

> > Have you actually read that web page? Seems fairly clear to me (but then
> > again it would, I wrote it).
>
> Yes I have read the page. I see that Kaspersky is in alpha status and
> that I should not assume that it works. My problem is though the error
> messages gives me no information on why it exited out. I would love to
> see what message Kaspersky gave mailscanner which caused it to exit,
> that way I might be able to modify the wrapper or what not it self to
> actually make it work for me.

I think you skimmed the first paragraph. At least, you missed its point.

You have probably been sent to this web page by an error message that is
put in your logs when you first try to run MailScanner. The rest of this
page talks about the mailscanner.conf setting "Minimum Code Status" and
what you need to set it to, depending on which virus scanner you are using.

There is, as this implies, a setting called "Minimum Code Status" in
mailscanner.conf...

I think the web page explaining this probably could do with a little
rewrite; It also appears to contain a few minor errors. I'll have a go
at it.

--
Nick Phillips -- nwp@lemon-computing.com
It's lucky you're going so slowly, because you're going in the wrong direction.

From jsidro at analco.com Mon Jul 1 09:32:31 2002 From: jsidro at analco.com (Jose) Date: Thu Jan 12 21:15:08 2006 Subject: Remove xls and doc macros Message-ID: <004d01c220d9$d8101580$5000a8c0@movil> Does anybody know how I could configure the mailscanner in order to remove all macros in xls as well as in doc even when they don't contain any virus?. Thanks in advance. From mailscanner at ecs.soton.ac.uk Mon Jul 1 10:31:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:08 2006 Subject: MS not starting after SpamAssassin install In-Reply-To: <009001c22097$eb58c890$01000001@home.wideopenthrottle.org> References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> Message-ID: <5.1.0.14.2.20020701103000.034422d8@imap.ecs.soton.ac.uk> At 01:40 01/07/2002, you wrote: >Ok...I ran into the same thing today. I installed SpamAssassin via CPAN >before I installed MS and Sophos. I now see that was a mistake :) Problem >is, I have tried to reinstall SA from CPAN and the problem persists (force >install Mail::SpamAssassin). Is there a way to uninstall SA and then start >fresh? You'll have to dig into the directories on your @INC path (helpfully printed by the error message you keep getting :-) and manually delete SA. Personally I never use CPAN to install SA, I do it with the perl Makefile.PL make make test make install route described on the website. This seems to work a treat. If you go down this route and hit any problems, I have written an FAQ on the MS website about installing Spamassassin 2.30/2.31. >Mike > >----- Original Message ----- >From: "Support" >To: >Sent: Tuesday, May 21, 2002 7:26 PM >Subject: MS not starting after SpamAssassin install > > > > Hi, > > > > I have Mailscanner running. when I installed spamassassin I tried >running > > ./check_mailscanner and ./check_mailscanner.linux but they come up w/ > > this... 
> > > > > > ######################################### > > [root@frost bin]# ./check_mailscanner > > Starting virus scanner... > > Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > > /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > > /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > > /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at > > /usr/local/MailScanner/bin/sendmail.pl line 46. > > Compilation failed in require at /usr/local/MailScanner/bin/mailscanner >line > > 77. > > > > ######################################## > > > > I found spamassassin to be here /usr/lib > > /perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > > > > so I tried to edit the /bin/sendmail.pl file > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > > > > > And that didnt work even thought the path to the module showed up in @INC. > > > > This looks like a problem w/ Mailscanner or spam assassin install. > > > > > > Is there another way of fixing this? > > > > thanx > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Mon Jul 1 10:31:01 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:08 2006 Subject: Remove xls and doc macros In-Reply-To: <004d01c220d9$d8101580$5000a8c0@movil> References: <004d01c220d9$d8101580$5000a8c0@movil> Message-ID: <20020701093101.GQ1239@hoiho.nz.lemon-computing.com> On Mon, Jul 01, 2002 at 10:32:31AM +0200, Jose wrote: > Does anybody know how I could configure the mailscanner in order to remove > all macros in xls as well as in doc even when they don't contain any virus?. Well, first of all work out how to do it using whichever virus scanning program you use. 
Then have a look at the options in sweep.pl and the wrapper for that scanner, and change them to always remove macros. Dunno how easy it is with any particular scanner, but if it's going to work, that's how to do it. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Today is National Existential Ennui Awareness Day. From jsidro at analco.com Mon Jul 1 11:13:21 2002 From: jsidro at analco.com (Jose) Date: Thu Jan 12 21:15:08 2006 Subject: Remove xls and doc macros In-Reply-To: <20020701093101.GQ1239@hoiho.nz.lemon-computing.com> Message-ID: <006101c220e7$ee4049c0$5000a8c0@movil> >Well, first of all work out how to do it using whichever virus scanning >program you use. >Then have a look at the options in sweep.pl and the wrapper for that scanner, >and change them to always remove macros. >Dunno how easy it is with any particular scanner, but if it's going to work, >that's how to do it. I have been trying it with f-prot and I have no possitive results. From thomas_duvally at BROWN.EDU Mon Jul 1 13:43:56 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:08 2006 Subject: Performance Message-ID: <1025527436.2505.9.camel@toms> Julian suggested I post this request here for information. I'm looking to implement MailScanner on our campus, but I want to be able to justify it to upper management. What I'm looking for is info such as how many e-mail a day, general hardware types used, downtime issues, etc. I've been told about sites seeing traffic in the 100,000's, but I don't know what kind of systems, which makes it tough to compare. We're looking at implementing it across 3-4 Sun Netra's. Any help would be greatly appreciated. I REALLY want to get rid of what we have now. Thanks -- Tom DuVally From S.R.Patterson at SOTON.AC.UK Mon Jul 1 14:01:27 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) 
Date: Thu Jan 12 21:15:08 2006 Subject: Performance Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Thomas DuVally [mailto:thomas_duvally@BROWN.EDU] > Sent: 01 July 2002 13:44 > > We're looking at implementing it across 3-4 Sun Netra's. 3-4 Sun Netras should probably handle over 120 000 emails per day without any problem and probably a lot more - that's about how many messages we're handling at the moment on 3-4 Sun Ultra 1s! I'd suggest doing something sensible with disk, though - I think you'd need 3 SCSI disks (not slices!) to be sure of no contention (mirror /var/spool across two of them and stick /var on the third) Maybe if you told us how much traffic (and how large the messages are?) we could come up with some suggested hardware requirements? Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPSBSlK2fOiTs5+WvEQI8GACgnA+jp4xYj/hptl+u8dfINIG+iyQAoLW3 bN/9yh4ITnxgvrOAwQAadOFE =j+Gj -----END PGP SIGNATURE----- From fizz at BOMB.NET Mon Jul 1 14:08:29 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:08 2006 Subject: Performance In-Reply-To: <1025527436.2505.9.camel@toms> Message-ID: <000001c22100$64915d40$483cd842@newfizz> I Currently use 2 p3 500's and we process about 50 to 70 thousand emails a day. *********************************** --Total Mail: 43678 --Total Spam: 11590 --Total Virii: 1053 *********************************** That's stats for one day. The machine also has 256 megs ram. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. 
+--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thomas DuVally Sent: Monday, July 01, 2002 8:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Performance Julian suggested I post this request here for information. I'm looking to implement MailScanner on our campus, but I want to be able to justify it to upper management. What I'm looking for is info such as how many e-mail a day, general hardware types used, downtime issues, etc. I've been told about sites seeing traffic in the 100,000's, but I don't know what kind of systems, which makes it tough to compare. We're looking at implementing it across 3-4 Sun Netra's. Any help would be greatly appreciated. I REALLY want to get rid of what we have now. Thanks -- Tom DuVally From thomas_duvally at BROWN.EDU Mon Jul 1 10:14:02 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:08 2006 Subject: Performance In-Reply-To: References: Message-ID: <1025514842.2840.10.camel@toms> > Maybe if you told us how much traffic (and how large the messages > are?) we could come up with some suggested hardware requirements? We see about 150,000 per day with 4g of data, during peak usage. > Steve > - -- > Steven Patterson, MSci. Tel: +44 (0)2380 595810 > Electronic Information Systems Support and Development > Computing Services, University of Southampton, UK. > Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.0.4 > > iQA/AwUBPSBSlK2fOiTs5+WvEQI8GACgnA+jp4xYj/hptl+u8dfINIG+iyQAoLW3 > bN/9yh4ITnxgvrOAwQAadOFE > =j+Gj > -----END PGP SIGNATURE----- -- Tom DuVally Lead Sys. 
Programmer CIS, Brown University p 401-863-9466 From mike at CAMAROSS.NET Mon Jul 1 14:34:13 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:08 2006 Subject: MS not starting after SpamAssassin install References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> <5.1.0.14.2.20020701103000.034422d8@imap.ecs.soton.ac.uk> Message-ID: <002d01c22103$fdb37410$01000001@home.wideopenthrottle.org> Ok...here's a stupid question :) Where is the @INC path defined? Mike ----- Original Message ----- From: "Julian Field" To: Sent: Monday, July 01, 2002 4:31 AM Subject: Re: MS not starting after SpamAssassin install > At 01:40 01/07/2002, you wrote: > >Ok...I ran into the same thing today. I installed SpamAssassin via CPAN > >before I installed MS and Sophos. I now see that was a mistake :) Problem > >is, I have tried to reinstall SA from CPAN and the problem persists (force > >install Mail::SpamAssassin). Is there a way to uninstall SA and then start > >fresh? > > You'll have to dig into the directories on your @INC path (helpfully > printed by the error message you keep getting :-) and manually delete SA. > > Personally I never use CPAN to install SA, I do it with the > perl Makefile.PL > make > make test > make install > route described on the website. This seems to work a treat. If you go down > this route and hit any problems, I have written an FAQ on the MS website > about installing Spamassassin 2.30/2.31. > > > >Mike > > > >----- Original Message ----- > >From: "Support" > >To: > >Sent: Tuesday, May 21, 2002 7:26 PM > >Subject: MS not starting after SpamAssassin install > > > > > > > Hi, > > > > > > I have Mailscanner running. when I installed spamassassin I tried > >running > > > ./check_mailscanner and ./check_mailscanner.linux but they come up w/ > > > this... > > > > > > > > > ######################################### > > > [root@frost bin]# ./check_mailscanner > > > Starting virus scanner... 
> > > Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > > > /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > > > /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > > > /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at > > > /usr/local/MailScanner/bin/sendmail.pl line 46. > > > Compilation failed in require at /usr/local/MailScanner/bin/mailscanner > >line > > > 77. > > > > > > ######################################## > > > > > > I found spamassassin to be here /usr/lib > > > /perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > > > > > > so I tried to edit the /bin/sendmail.pl file > > > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > > > > > > > > And that didnt work even thought the path to the module showed up in @INC. > > > > > > This looks like a problem w/ Mailscanner or spam assassin install. > > > > > > > > > Is there another way of fixing this? > > > > > > thanx > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Mon Jul 1 14:42:44 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:08 2006 Subject: MS not starting after SpamAssassin install In-Reply-To: <002d01c22103$fdb37410$01000001@home.wideopenthrottle.org> References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> <5.1.0.14.2.20020701103000.034422d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020701144209.04976e98@imap.ecs.soton.ac.uk> At 14:34 01/07/2002, you wrote: >Ok...here's a stupid question :) Where is the @INC path defined? Read the error message. 
From your own posting, your @INC is (@INC contains: /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) >Mike > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Monday, July 01, 2002 4:31 AM >Subject: Re: MS not starting after SpamAssassin install > > > > At 01:40 01/07/2002, you wrote: > > >Ok...I ran into the same thing today. I installed SpamAssassin via CPAN > > >before I installed MS and Sophos. I now see that was a mistake :) >Problem > > >is, I have tried to reinstall SA from CPAN and the problem persists >(force > > >install Mail::SpamAssassin). Is there a way to uninstall SA and then >start > > >fresh? > > > > You'll have to dig into the directories on your @INC path (helpfully > > printed by the error message you keep getting :-) and manually delete SA. > > > > Personally I never use CPAN to install SA, I do it with the > > perl Makefile.PL > > make > > make test > > make install > > route described on the website. This seems to work a treat. If you go down > > this route and hit any problems, I have written an FAQ on the MS website > > about installing Spamassassin 2.30/2.31. > > > > > > >Mike > > > > > >----- Original Message ----- > > >From: "Support" > > >To: > > >Sent: Tuesday, May 21, 2002 7:26 PM > > >Subject: MS not starting after SpamAssassin install > > > > > > > > > > Hi, > > > > > > > > I have Mailscanner running. when I installed spamassassin I tried > > >running > > > > ./check_mailscanner and ./check_mailscanner.linux but they come up w/ > > > > this... > > > > > > > > > > > > ######################################### > > > > [root@frost bin]# ./check_mailscanner > > > > Starting virus scanner... 
> > > > Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > > > > /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > > > > /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > > > > /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at > > > > /usr/local/MailScanner/bin/sendmail.pl line 46. > > > > Compilation failed in require at >/usr/local/MailScanner/bin/mailscanner > > >line > > > > 77. > > > > > > > > ######################################## > > > > > > > > I found spamassassin to be here /usr/lib > > > > /perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > > > > > > > > so I tried to edit the /bin/sendmail.pl file > > > > > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > > > > > > > > > > > And that didnt work even thought the path to the module showed up in >@INC. > > > > > > > > This looks like a problem w/ Mailscanner or spam assassin install. > > > > > > > > > > > > Is there another way of fixing this? > > > > > > > > thanx > > > > > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Mon Jul 1 14:54:40 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:08 2006 Subject: MS not starting after SpamAssassin install References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> <5.1.0.14.2.20020701103000.034422d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020701144209.04976e98@imap.ecs.soton.ac.uk> Message-ID: <014901c22106$d8edf8f0$01000001@home.wideopenthrottle.org> No...I know which paths defined in @INC. I'm not a perl guru so I don't know how to modify the @INC path. Thanks! 
----- Original Message ----- From: "Julian Field" To: Sent: Monday, July 01, 2002 8:42 AM Subject: Re: MS not starting after SpamAssassin install > At 14:34 01/07/2002, you wrote: > >Ok...here's a stupid question :) Where is the @INC path defined? > > Read the error message. From your own posting, your @INC is > > (@INC contains: > /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) > > > > >Mike > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Monday, July 01, 2002 4:31 AM > >Subject: Re: MS not starting after SpamAssassin install > > > > > > > At 01:40 01/07/2002, you wrote: > > > >Ok...I ran into the same thing today. I installed SpamAssassin via CPAN > > > >before I installed MS and Sophos. I now see that was a mistake :) > >Problem > > > >is, I have tried to reinstall SA from CPAN and the problem persists > >(force > > > >install Mail::SpamAssassin). Is there a way to uninstall SA and then > >start > > > >fresh? > > > > > > You'll have to dig into the directories on your @INC path (helpfully > > > printed by the error message you keep getting :-) and manually delete SA. > > > > > > Personally I never use CPAN to install SA, I do it with the > > > perl Makefile.PL > > > make > > > make test > > > make install > > > route described on the website. This seems to work a treat. If you go down > > > this route and hit any problems, I have written an FAQ on the MS website > > > about installing Spamassassin 2.30/2.31. > > > > > > > > > >Mike > > > > > > > >----- Original Message ----- > > > >From: "Support" > > > >To: > > > >Sent: Tuesday, May 21, 2002 7:26 PM > > > >Subject: MS not starting after SpamAssassin install > > > > > > > > > > > > > Hi, > > > > > > > > > > I have Mailscanner running. 
when I installed spamassassin I tried > > > >running > > > > > ./check_mailscanner and ./check_mailscanner.linux but they come up w/ > > > > > this... > > > > > > > > > > > > > > > ######################################### > > > > > [root@frost bin]# ./check_mailscanner > > > > > Starting virus scanner... > > > > > Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > > > > > /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > > > > > /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > > > > > /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at > > > > > /usr/local/MailScanner/bin/sendmail.pl line 46. > > > > > Compilation failed in require at > >/usr/local/MailScanner/bin/mailscanner > > > >line > > > > > 77. > > > > > > > > > > ######################################## > > > > > > > > > > I found spamassassin to be here /usr/lib > > > > > /perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > > > > > > > > > > so I tried to edit the /bin/sendmail.pl file > > > > > > > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; > > > > > use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > > > > > > > > > > > > > > And that didnt work even thought the path to the module showed up in > >@INC. > > > > > > > > > > This looks like a problem w/ Mailscanner or spam assassin install. > > > > > > > > > > > > > > > Is there another way of fixing this? > > > > > > > > > > thanx > > > > > > > > > > > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From sysadmin at DMS.UMONTREAL.CA Mon Jul 1 15:21:31 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:15:08 2006
Subject: MS not starting after SpamAssassin install
References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> <5.1.0.14.2.20020701103000.034422d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020701144209.04976e98@imap.ecs.soton.ac.uk> <014901c22106$d8edf8f0$01000001@home.wideopenthrottle.org>
Message-ID: <3D20656B.1050008@DMS.UMontreal.CA>

Mike Kercher wrote:

> No...I know which paths defined in @INC. I'm not a perl guru so I don't
> know how to modify the @INC path.
>
> Thanks!

The docs are all built in. One good trick is to try

perldoc -q "some_search_term"

Here you can read

perldoc lib

Chris

--
--------------------------------------------------------------------
Christopher Albert
Responsable des services informatiques
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From dwokfur at DC.SOTE.HU Mon Jul 1 15:49:06 2002
From: dwokfur at DC.SOTE.HU (Tóth Attila)
Date: Thu Jan 12 21:15:08 2006
Subject: Error 503 after configuring Exim to use Mailscanner on Debian Sid
Message-ID: <2356.193.225.82.130.1025534946.squirrel@dc.sote.hu>

I'm using Debian Sid with the latest Mailscanner package and all other
related packages:

Exim-tls: 3.35-3
Spamassassin: 2.31-2
Mailscanner: 3.14.1-2

After setting it up according to the instructions I've found in the
package and also on the web page, the MTA stopped delivering mails. I
tried to have a closer look on the problem, so I tried to send a mail
using telnet from another host. I got the following results:
(I substituted real-world names and IPs)

user@tryhost:~/$ telnet myhost.hu 25
Trying 193.225.82.157...
Connected to myhost.hu.
Escape character is '^]'.
220 dc.sote.hu ESMTP Exim 3.35 #1 Sun, 30 Jun 2002 01:07:34 +0200
helo tryhost.hu
250 myhost.hu Hello tryhost.hu [correct IP address]
mail from:user@tryhost.hu
250 is syntactically correct
rcpt to:user@myhost.hu
451 All deliveries are deferred
data
503 Valid RCPT TO must precede DATA
quit
221 myhost.hu closing connection
Connection closed by foreign host.

So it seems to me, that the MTA couldn't interpret the RCPT command
properly. I'm not surprised, that no mails were delivered. Could it be
the problem that I use sender and receiver verification?

Question: what did I do wrong?

Tóth Attila, Semmelweis Egyetem ÁOK VI.
1031, Bp. Rozália u. 37., 242-6765

From sevans at FOUNDATION.SDSU.EDU Mon Jul 1 16:15:47 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
Message-ID: <6214C3F9233D764C9E7029396C355015115B25@mail.foundation.sdsu.edu>

Okay I have a good story to go with this. Before we were using
SpamAssassin I had a user receive a piece of spam. He had me look at it
and the from address was whatever@something.something.kr

I said, well I could block that address but it probably won't help
because they'll be using something else next time.

He said, well can't you just block everything that ends with .kr.

And I said, that would block all of Korea.

He didn't seem to understand that that could be a problem.

Steve Evans
Computing Services
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Sunday, June 30, 2002 10:19 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: {SPAM?} Re: Virus report e-mail

At 18:11 30/06/2002, you wrote:
>One good reason not to is that .uk is listed, that'll be why
>rfc-ignorant flagged it.

The whole country? Wow! Now that's what I call a broad brush...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sevans at FOUNDATION.SDSU.EDU Mon Jul 1 16:32:40 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:08 2006
Subject: SpamAssassin & Accept Spam From
Message-ID: <6214C3F9233D764C9E7029396C355015116AEE@mail.foundation.sdsu.edu>

I have "Accept Spam From = 130.191" in mailscanner.conf. Will mail coming
from that subnet be scanned by spamassassin at all? I'm worried about the
performance of it scanning all the mail that we send.

Steve Evans
Computing Services
(619) 594-0653

From mailscanner at ecs.soton.ac.uk Mon Jul 1 16:43:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: SpamAssassin & Accept Spam From
In-Reply-To: <6214C3F9233D764C9E7029396C355015116AEE@mail.foundation.sdsu.edu>
Message-ID: <5.1.0.14.2.20020701164243.04a0c6b8@imap.ecs.soton.ac.uk>

At 16:32 01/07/2002, you wrote:
>I have "Accept Spam From = 130.191" in mailscanner.conf. Will mail coming
>from that subnet be scanned by spamassassin at all? I'm worried about the
>performance of it scanning all the mail that we send.

Shouldn't be. It only does the SpamAssassin scanning if either
a) the address is not whitelisted
or
b) the SpamAssassin header is always to be included.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From rishi at THEARGONCOMPANY.COM Mon Jul 1 16:42:31 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:15:08 2006
Subject: any ideas why this got marked as SPAM?
Message-ID: <01da01c22115$e9cc37e0$1b02a8c0@theargoncompany.com>

Hi

Does anyone have any idea on why this email got marked as SPAM?

Regards
Rishi

-------------- next part --------------
An embedded message was scrubbed...
From: "Manish Kochar"
Subject: {SPAM?} RE: Hi Buddy
Date: Mon, 1 Jul 2002 14:10:00 +0530
Size: 4187
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020701/6192f1ba/SPAM_RE_HiBuddy.eml

From nathan at TCPNETWORKS.NET Mon Jul 1 16:53:43 2002
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:15:08 2006
Subject: any ideas why this got marked as SPAM?
References: <01da01c22115$e9cc37e0$1b02a8c0@theargoncompany.com>
Message-ID: <010601c22117$79e76f10$2400a8c0@johanson>

X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: ORDB-RBL, SpamAssassin (score=-3.1, required 5,
 IN_REP_TO, SMTPD_IN_RCVD)
X-UIDL: `"*"!;5;"!p4I"!GC2!!

It's on the ORDB blacklist. http://www.ordb.org.

-Nathan

----- Original Message -----
From: "Rishi Gangoly"
To:
Sent: Monday, July 01, 2002 8:42 AM
Subject: any ideas why this got marked as SPAM?

Hi

Does anyone have any idea on why this email got marked as SPAM?

Regards
Rishi

From mailscanner at ecs.soton.ac.uk Mon Jul 1 16:51:53 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: any ideas why this got marked as SPAM?
In-Reply-To: <01da01c22115$e9cc37e0$1b02a8c0@theargoncompany.com>
Message-ID: <5.1.0.14.2.20020701165130.04b90f98@imap.ecs.soton.ac.uk>

At 16:42 01/07/2002, you wrote:
>Hi
>
>Does anyone have any idea on why this email got marked as SPAM?
>
>X-MailScanner-SpamCheck: ORDB-RBL, SpamAssassin (score=-3.1, required 5,
> IN_REP_TO, SMTPD_IN_RCVD)

Looks pretty clear to me, what's the confusion?

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Jul 1 16:54:53 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: any ideas why this got marked as SPAM?
In-Reply-To: <01da01c22115$e9cc37e0$1b02a8c0@theargoncompany.com> Message-ID: <5.1.0.14.2.20020701165354.0499da88@imap.ecs.soton.ac.uk> At 16:42 01/07/2002, you wrote: >Does anyone have any idea on why this email got marked as SPAM? 202.71.136.206 is in the ORDB RBL. >Received: from localhost (IDENT:rishi@localhost [127.0.0.1]) > by theargonserver.theargoncompany.com (8.9.3/8.9.3) with ESMTP id > OAA29837 > for ; Mon, 1 Jul 2002 14:10:22 +0530 >Received: from theargoncompany.com [66.109.239.73] > by localhost with POP3 (fetchmail-5.9.0) > for rishi@localhost (single-drop); Mon, 01 Jul 2002 14:10:22 > +0530 (IST) >Received: from cybermine ([202.71.136.206]) > by domain.theargoncompany.com (8.10.2/8.10.2) with ESMTP id > g618aF015761 > for ; Mon, 1 Jul 2002 14:06:15 +0530 >Received: from nt5.oe2000.com [202.174.135.4] by cybermine with ESMTP > (SMTPD32-6.04) id A8474BB017C; Mon, 01 Jul 2002 14:22:23 +0530 >Received: from [192.168.0.2] by nt5.oe2000.com (NTMail >6.00.0014/KW7496.01.10fcbce7) with ESMTP id X-MailScanner-SpamCheck: >ORDB-RBL, SpamAssassin (score=-3.1, required 5, > IN_REP_TO, SMTPD_IN_RCVD) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Mon Jul 1 17:13:18 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:08 2006 Subject: Performance In-Reply-To: <1025527436.2505.9.camel@toms> References: <1025527436.2505.9.camel@toms> Message-ID: <200207011113.18749.lbergman@abi.tconline.net> > Any help would be greatly appreciated. I REALLY want to get rid of what > we have now. > > Thanks 5,000 - 15,000 a day on a PII450 running 2.2.19 linux Razor dcc SpamAssasin 2.31 MailScanner latest whatever-7 release -- Lewis Bergman Texas Communications 4309 Maple St. 
Abilene, TX 79602-8044
915-695-6962 ext 115

From lbergman at abi.tconline.net Mon Jul 1 17:15:04 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:08 2006
Subject: MS not starting after SpamAssassin install
In-Reply-To: <014901c22106$d8edf8f0$01000001@home.wideopenthrottle.org>
References: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> <5.1.0.14.2.20020701144209.04976e98@imap.ecs.soton.ac.uk> <014901c22106$d8edf8f0$01000001@home.wideopenthrottle.org>
Message-ID: <200207011115.04627.lbergman@abi.tconline.net>

On Monday 01 July 2002 08:54 am, Mike Kercher wrote:
> No...I know which paths defined in @INC. I'm not a perl guru so I don't
> know how to modify the @INC path.

One place it is done is at compile time for perl.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From brandonf at BFCONSULT.CO.ZA Mon Jul 1 20:24:33 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:08 2006
Subject: Which MTA
Message-ID: <3D20AC71.8040608@bfconsult.co.za>

A while back I mentioned I was looking to get support for Qmail...

We are about to implement a dedicated mail server at our ISP. I have read plenty of articles about each MTA and its merits.

Although Sendmail is the most widely used MTA - I believe exim,postfix and qmail are superior in performance and security.

However my decision is also based on which one is supported by Mailscanner.... I think in one of the reply threads somebody mentioned adding support for postfix...

For those ISPs out there using Mailscanner....what do you recommend? Exim, sendmail,postfix or qmail...or is there another?
--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From LISTSERV at JISCMAIL.AC.UK Mon Jul 1 20:59:20 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:08 2006
Subject: MAILSCANNER: brent@TECHFORPEOPLE.NET requested to join
Message-ID: <200207011959.UAA20482@magpie.ecs.soton.ac.uk>

Mon, 1 Jul 2002 20:59:20

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Brent Emerson

The following membership options have been requested: NOMIME DIGEST NOACK NOREPRO.

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER brent@TECHFORPEOPLE.NET Brent Emerson

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER brent@TECHFORPEOPLE.NET Brent Emerson
SET MAILSCANNER NOMIME DIGEST NOACK NOREPRO FOR brent@TECHFORPEOPLE.NET
// EOJ

From brent at TECHFORPEOPLE.NET Mon Jul 1 21:15:37 2002
From: brent at TECHFORPEOPLE.NET (Brent Emerson)
Date: Thu Jan 12 21:15:08 2006
Subject: Sendmail 8.12.3 warning with mailscanner
Message-ID:

I've just installed mailscanner with sendmail 8.12.2 and am seeing the same warning, always generated by the sendmail instance used to deliver a just-scanned message.

Is mailscanner calling sendmail with closed standard file descriptors?
brent emerson
techforpeople

> Date: Wed, 19 Jun 2002 11:03:25 -0700
> Reply-To: MailScanner mailing list
> Sender: MailScanner mailing list
> From: David Closson
> Subject: Sendmail 8.12.3 warning with mailscanner
> Content-Type: text/plain; format=flowed
>
> This warning was issued after setting up mailscanner:
>
> sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> file descriptor
>
> I have read that this is caused if stdin, stdout, or stderr are missing
> at sendmail startup (as the error indicates).
>
> _________ Sincerely, David Closson 209-728-8199

From LISTSERV at JISCMAIL.AC.UK Mon Jul 1 22:02:02 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:08 2006
Subject: MAILSCANNER: steve@CGPSYSTEMS.COM requested to join
Message-ID: <200207012102.WAA25284@magpie.ecs.soton.ac.uk>

Mon, 1 Jul 2002 22:02:02

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Steve Barr

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER steve@CGPSYSTEMS.COM Steve Barr

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.
-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER steve@CGPSYSTEMS.COM Steve Barr
// EOJ

From mailscanner at ecs.soton.ac.uk Mon Jul 1 22:07:40 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:09 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020701220506.03858ad0@imap.ecs.soton.ac.uk>

Exactly what OS are you using, and what is in your
/etc/rc.d/init.d/mailscanner (or /etc/init.d/mailscanner)?
I've a feeling the file descriptors may be closed before MailScanner starts...

At 21:15 01/07/2002, you wrote:
>I've just installed mailscanner with sendmail 8.12.2 and am seeing the
>same warning, always generated by the sendmail instance used to deliver a
>just-scanned message.
>
>Is mailscanner calling sendmail with closed standard file descriptors?
>
>brent emerson
>techforpeople
>
>
> > Date: Wed, 19 Jun 2002 11:03:25 -0700
> > Reply-To: MailScanner mailing list
> > Sender: MailScanner mailing list
> > From: David Closson
> > Subject: Sendmail 8.12.3 warning with mailscanner
> > Content-Type: text/plain; format=flowed
> >
> > This warning was issued after setting up mailscanner:
> >
> > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > file descriptor
> >
> > I have read that this is caused if stdin, stdout, or stderr are missing
> > at sendmail startup (as the error indicates).
> >
> > _________ Sincerely, David Closson 209-728-8199

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Jul 1 21:55:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:09 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020701215058.03809bb0@imap.ecs.soton.ac.uk>

RedHat have yet to produce RPMs for sendmail 8.12 :-(
Can you try setting
Sendmail2 = /usr/sbin/sendmail >/dev/null 2>&1
in your mailscanner.conf and then try it (just try pushing a clean text
message through it)?

Also, does this happen only when MailScanner and its sendmails are started
on bootup, or does it occur if you stop and then start MailScanner from a
window (and then leave the window open for the first few messages)?

STDERR and STDIN certainly appear to be open, the only one that appears
doubtful is STDOUT, though I never explicitly close any of them. Is there
any documentation with sendmail 8.12 that might help diagnose this? Why
does sendmail suddenly need these file descriptors anyway? It never used to :-(

At 21:15 01/07/2002, you wrote:
>I've just installed mailscanner with sendmail 8.12.2 and am seeing the
>same warning, always generated by the sendmail instance used to deliver a
>just-scanned message.
>
>Is mailscanner calling sendmail with closed standard file descriptors?
>
>brent emerson
>techforpeople
>
>
> > Date: Wed, 19 Jun 2002 11:03:25 -0700
> > Reply-To: MailScanner mailing list
> > Sender: MailScanner mailing list
> > From: David Closson
> > Subject: Sendmail 8.12.3 warning with mailscanner
> > Content-Type: text/plain; format=flowed
> >
> > This warning was issued after setting up mailscanner:
> >
> > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > file descriptor
> >
> > I have read that this is caused if stdin, stdout, or stderr are missing
> > at sendmail startup (as the error indicates).
> >
> > _________ Sincerely, David Closson 209-728-8199

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Jul 1 22:14:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:09 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020701221350.0389d618@imap.ecs.soton.ac.uk>

From the sendmail release notes:

>8.12.2/8.12.2 2002/01/13
>Don't complain too much if stdin, stdout, or stderr are missing at
>startup, only log an error message.

So at least the warning isn't fatal :-)

> > This warning was issued after setting up mailscanner:
> >
> > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > file descriptor

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at abi.tconline.net Mon Jul 1 22:28:23 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:09 2006
Subject: Which MTA
In-Reply-To: <3D20AC71.8040608@bfconsult.co.za>
References: <3D20AC71.8040608@bfconsult.co.za>
Message-ID: <200207011628.23139.lbergman@abi.tconline.net>

> For those ISPs out there using Mailscanner....what do you recommend?
> Exim, sendmail,postfix or qmail...or is there another?

I currently use sendmail but when I get about 5 minutes I'm going to go to
exim. Mainly because it appears to have better support for databases. I
believe you can enter sql queries into its config files and it will execute
them. No need for patching. At least that is what I understood (maybe
wrongly).

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From dave at ESI.COM.AU Tue Jul 2 00:46:42 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:09 2006
Subject: {SPAM?} Re: Virus report e-mail
In-Reply-To: <6214C3F9233D764C9E7029396C355015115B25@mail.foundation.sdsu.edu>
Message-ID:

On Mon, 1 Jul 2002, Steve Evans wrote:

> time. He said, well can't you just block everything that ends with .kr.
> And I said, that would block all of Korea. He didn't seem to understand
> that that could be a problem.

I don't see that as being a problem either :-)

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From brent at TECHFORPEOPLE.NET Tue Jul 2 01:07:11 2002
From: brent at TECHFORPEOPLE.NET (Brent Emerson)
Date: Thu Jan 12 21:15:09 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To: <200207012323.g61NNH1r015588@smtp1.techforpeople.net>
Message-ID:

oh yeah, it's not a fatal error - as far as I can tell mailscanner + sendmail 8.12.2 seems to be working just fine, but this warning is just making me a little nervous.

I'm running FreeBSD 4.5, and starting mailscanner from /usr/local/etc/rc.d/mailscanner.sh, which is a symlink directly to the check_mailscanner script, modified for my pathnames:

process=mailscanner
virusdir=/usr/local/mailscanner/bin
config=/usr/local/mailscanner/etc/mailscanner.conf

pid=`/bin/ps axww | /usr/bin/grep '[ ]'$virusdir/$process | /usr/bin/awk '{ print $1 }'`

if [ "$pid" = "" ]; then
  # Restart it
  PATH=${virusdir}:$PATH
  echo Starting virus scanner...
  $process $config
else
  echo Running with pid $pid
fi

> Date: Mon, 1 Jul 2002 21:55:37 +0100
> From: Julian Field
> Subject: Re: Sendmail 8.12.3 warning with mailscanner
>
> RedHat have yet to produce RPMs for sendmail 8.12 :-(
> Can you try setting
> Sendmail2 = /usr/sbin/sendmail >/dev/null 2>&1
> in your mailscanner.conf and then try it (just try pushing a clean text
> message through it)?
>
> Also, does this happen only when MailScanner and its sendmails are started
> on bootup, or does it occur if you stop and then start MailScanner from a
> window (and then leave the window open for the first few messages)?
>
> STDERR and STDIN certainly appear to be open, the only one that appears
> doubtful is STDOUT, though I never explicitly close any of them. Is there
> any documentation with sendmail 8.12 that might help diagnose this? Why
> does sendmail suddenly need these file descriptors anyway? It never used to :-(
>
> At 21:15 01/07/2002, you wrote:
> >I've just installed mailscanner with sendmail 8.12.2 and am seeing the
> >same warning, always generated by the sendmail instance used to deliver a
> >just-scanned message.
> >
> >Is mailscanner calling sendmail with closed standard file descriptors?
> >
> >brent emerson
> >techforpeople
> >
> >
> > > Date: Wed, 19 Jun 2002 11:03:25 -0700
> > > Reply-To: MailScanner mailing list
> > > Sender: MailScanner mailing list
> > > From: David Closson
> > > Subject: Sendmail 8.12.3 warning with mailscanner
> > > Content-Type: text/plain; format=flowed
> > >
> > > This warning was issued after setting up mailscanner:
> > >
> > > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > > file descriptor
> > >
> > > I have read that this is caused if stdin, stdout, or stderr are missing
> > > at sendmail startup (as the error indicates).
> > >
> > > _________ Sincerely, David Closson 209-728-8199
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
> ------------------------------
>
> Date: Mon, 1 Jul 2002 22:07:40 +0100
> From: Julian Field
> Subject: Re: Sendmail 8.12.3 warning with mailscanner
>
> Exactly what OS are you using, and what is in your
> /etc/rc.d/init.d/mailscanner (or /etc/init.d/mailscanner)?
> I've a feeling the file descriptors may be closed before MailScanner starts...
>
> At 21:15 01/07/2002, you wrote:
> >I've just installed mailscanner with sendmail 8.12.2 and am seeing the
> >same warning, always generated by the sendmail instance used to deliver a
> >just-scanned message.
> >
> >Is mailscanner calling sendmail with closed standard file descriptors?
> >
> >brent emerson
> >techforpeople
> >
> >
> > > Date: Wed, 19 Jun 2002 11:03:25 -0700
> > > Reply-To: MailScanner mailing list
> > > Sender: MailScanner mailing list
> > > From: David Closson
> > > Subject: Sendmail 8.12.3 warning with mailscanner
> > > Content-Type: text/plain; format=flowed
> > >
> > > This warning was issued after setting up mailscanner:
> > >
> > > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > > file descriptor
> > >
> > > I have read that this is caused if stdin, stdout, or stderr are missing
> > > at sendmail startup (as the error indicates).
> > >
> > > _________ Sincerely, David Closson 209-728-8199
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
> ------------------------------
>
> Date: Mon, 1 Jul 2002 22:14:48 +0100
> From: Julian Field
> Subject: Re: Sendmail 8.12.3 warning with mailscanner
>
> From the sendmail release notes:
>
> >8.12.2/8.12.2 2002/01/13
> >Don't complain too much if stdin, stdout, or stderr are missing at
> >startup, only log an error message.
>
> So at least the warning isn't fatal :-)
>
> > > This warning was issued after setting up mailscanner:
> > >
> > > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
> > > file descriptor
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>
> ------------------------------
>
> Date: Mon, 1 Jul 2002 16:28:23 -0500
> From: Lewis Bergman
> Subject: Re: Which MTA
>
> > For those ISPs out there using Mailscanner....what do you recommend?
> > Exim, sendmail,postfix or qmail...or is there another?
> I currently use sendmail but when I get about 5 minutes I'm going to go to
> exim. Mainly because it appears to have better support for databases. I
> believe you can enter sql queries into its config files and it will execute
> them. No need for patching. At least that is what I understood (maybe
> wrongly).
> --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> 915-695-6962 ext 115
>
> ------------------------------
>
> End of MAILSCANNER Digest - 30 Jun 2002 to 1 Jul 2002 (#2002-34)
> ****************************************************************
>

From nwp at LEMON-COMPUTING.COM Tue Jul 2 00:44:57 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:09 2006
Subject: Error 503 after configuring Exim to use Mailscanner on Debian Sid
In-Reply-To: <2356.193.225.82.130.1025534946.squirrel@dc.sote.hu>
References: <2356.193.225.82.130.1025534946.squirrel@dc.sote.hu>
Message-ID: <20020701234457.GA24443@hoiho.nz.lemon-computing.com>

On Mon, Jul 01, 2002 at 04:49:06PM +0200, Tóth Attila wrote:
> I'm using Debian Sid with the latest Mailscanner package and all other
> related packages:
> Exim-tls: 3.35-3
> Spamassassin: 2.31-2
> Mailscanner: 3.14.1-2
>
> After setting it up according to the instructions I've found in the
> package and also on the web page, the MTA stopped delivering mails.
> I tried to have a closer look on the problem, so I tried to send a mail
> using telnet from another host.
>
> I got the following results:
> (I substituted realworld names and IPs)
>
> user@tryhost:~/$ telnet myhost.hu 25
> Trying 193.225.82.157...
> Connected to myhost.hu.
> Escape character is '^]'.
> 220 dc.sote.hu ESMTP Exim 3.35 #1 Sun, 30 Jun 2002 01:07:34 +0200
> helo tryhost.hu
> 250 myhost.hu Hello tryhost.hu [correct IP address]
> mail from:user@tryhost.hu
> 250 is syntactically correct
> rcpt to:user@myhost.hu
> 451 All deliveries are deferred
> data
> 503 Valid RCPT TO must precede DATA
> quit
> 221 myhost.hu closing connection
> Connection closed by foreign host.
>
> So it seems to me, that the MTA couldn't interpret the RCPT command
> properly. I'm not surprised, that no mails were delivered.
>
> Could it be the problem that I use sender and receiver verification?

Yes, I need to add a little to the documentation on this.
Basically, you need to set verify = false for the defer_director and defer_router.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
What happened last night can happen again.

From LISTSERV at JISCMAIL.AC.UK Tue Jul 2 01:27:05 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:09 2006
Subject: MAILSCANNER: admin@NETSYS.HN requested to join
Message-ID: <200207020027.BAA08939@magpie.ecs.soton.ac.uk>

Tue, 2 Jul 2002 01:27:05

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Quin Taylor

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER admin@NETSYS.HN Quin Taylor

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER admin@NETSYS.HN Quin Taylor
// EOJ

From P.G.M.Peters at civ.utwente.nl Tue Jul 2 09:02:50 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:09 2006
Subject: Performance
In-Reply-To: <1025527436.2505.9.camel@toms>
References: <1025527436.2505.9.camel@toms>
Message-ID: <6an2iuggvnk7ccfkqcn23umqs2gqnbpsmn@4ax.com>

On Mon, 1 Jul 2002 08:43:56 -0400, you wrote:

>I've been told about sites seeing traffic in the 100,000's, but I don't
>know what kind of systems, which makes it tough to compare.

I have two identical systems with PIII 1GHz and 512MB. They do about 20.000 messages a day without any problems.
We have had some peaks of over 400 messages a minute when somebody's system started sending viruses for a couple of hours. They were handled well.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From paul-w at BLUEYONDER.CO.UK Tue Jul 2 11:22:13 2002
From: paul-w at BLUEYONDER.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:15:09 2006
Subject: SpamAssassin 2.31 doesn't check ordb.org
References: <0e3951523230172PCOW028M@blueyonder.co.uk>
Message-ID: <020d01c221b2$55071ce0$6a0110ac@sbsplc.com>

I'm running MailScanner 3.20-7/SpamAssassin 2.31. I have the line:

Spam List = ORDB-RBL, relays.ordb.org.

commented out in mailscanner.conf because SpamAssassin does this. The only problem is, it doesn't. However, once I changed mailscanner.conf to make MailScanner do the ordb.org checking, mail sent from ordb.org open relays was detected.

So, the advice is to enable MailScanner's ordb.org checking; don't rely on SpamAssassin.

From admin at NETSYS.HN Tue Jul 2 13:05:06 2002
From: admin at NETSYS.HN (Quin Taylor)
Date: Thu Jan 12 21:15:09 2006
Subject: Best AntiVirus to use w/ Mailscanner
Message-ID:

Need anyone's help on choosing best commercial anti virus to work with Mailscanner. I need to know exactly which product to use from either McAfee or Sophos.

I am an internet service provider passing about 11,000 incoming mails and 10,000 outgoing mails a day.

We have a ton of SPAM and viruses are always a problem...

Need anyone's solid, experienced help..

Regards

Quintard Taylor
Operations Manager
Netsys of Honduras

From butler at GLOBESERVER.COM Tue Jul 2 13:41:00 2002
From: butler at GLOBESERVER.COM (Philip L. Butler)
Date: Thu Jan 12 21:15:09 2006
Subject: Best AntiVirus to use w/ Mailscanner
In-Reply-To:
References:
Message-ID:

Quintard,

I have been using Sophos for about 2 months and have been pleased with it - it's been catching numerous viruses (mostly Klez) and it works well with MailScanner. I would highly recommend it.

Phil

>Need anyone's help on choosing best commercial anti virus to work with
>Mailscanner. I need to know exactly which product to use from either McAfee
>or Sophos.
>
>I am an internet service provider passing about 11,000 incoming mails and
>10,000 outgoing mails a day.
>
>We have a ton of SPAM and viruses are always a problem...
>
>Need anyone's solid, experienced help..
>
>Regards
>
>Quintard Taylor
>Operations Manager
>Netsys of Honduras

From mailscanner at ecs.soton.ac.uk Tue Jul 2 13:42:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:09 2006
Subject: Best AntiVirus to use w/ Mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020702134048.04a3ed28@imap.ecs.soton.ac.uk>

At 13:05 02/07/2002, you wrote:
>Need anyone's help on choosing best commercial anti virus to work with
>Mailscanner. I need to know exactly which product to use from either McAfee
>or Sophos.

Sophos: You just need to buy a "SAVI licence" for it. You will have to tell them what you are doing so they can charge you the right amount for the licence.

Other one to look at is F-Prot as they charge per server (only about $300) which will be a lot less than Sophos or McAfee will want.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From bill at DISTMIRR.COM Tue Jul 2 12:58:21 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:09 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <20020701063932.GP1239@hoiho.nz.lemon-computing.com>
References: <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <1025419405.2606.8.camel@linuxlaptop.spis.net> <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020630165426.03584478@imap.ecs.soton.ac.uk> <1025495703.2267.22.camel@linuxlaptop.spis.net> <20020701063932.GP1239@hoiho.nz.lemon-computing.com>
Message-ID: <1025611108.2272.3.camel@linuxlaptop.spis.net>

> There is, as this implies, a setting called "Minimum Code Status" in
> mailscanner.conf...
>

I owe you (and the list) an apology. I should have read through the codestatus.shtml page a little more closely. Kaspersky is now working great with mailscanner.

Regards,
Bill Omer

From Matthew_doherty at DATAWATCH.COM Tue Jul 2 13:58:29 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:09 2006
Subject: {SPAM?} Re: Virus report e-mail
Message-ID:

lololol

In a world without fences or walls, who needs Windows and Gates?

-----Original Message-----
From: Dave Horsfall [mailto:dave@ESI.COM.AU]
Sent: Monday, July 01, 2002 9:37 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: {SPAM?} Re: Virus report e-mail

On Mon, 1 Jul 2002, Steve Evans wrote:

> time. He said, well can't you just block everything that ends with .kr.
> And I said, that would block all of Korea. He didn't seem to understand
> that that could be a problem.

I don't see that as being a problem either :-)

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020702/abaecd47/attachment.html

From Matthew_doherty at DATAWATCH.COM Tue Jul 2 13:58:29 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:09 2006
Subject: SpamAssassin 2.31 doesn't check ordb.org unsubscribe
Message-ID:

unsubscribe

In a world without fences or walls, who needs Windows and Gates?

-----Original Message-----
From: Paul Welsh [mailto:paul-w@BLUEYONDER.CO.UK]
Sent: Tuesday, July 02, 2002 7:44 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SpamAssassin 2.31 doesn't check ordb.org

I'm running MailScanner 3.20-7/SpamAssassin 2.31. I have the line:

Spam List = ORDB-RBL, relays.ordb.org.

commented out in mailscanner.conf because SpamAssassin does this. The only problem is, it doesn't. However, once I changed mailscanner.conf to make MailScanner do the ordb.org checking, mail sent from ordb.org open relays was detected.

So, the advice is to enable MailScanner's ordb.org checking; don't rely on SpamAssassin.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020702/85bd1ee5/attachment.html

From P.G.M.Peters at civ.utwente.nl Tue Jul 2 14:09:19 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:09 2006
Subject: Best AntiVirus to use w/ Mailscanner
In-Reply-To: <5.1.0.14.2.20020702134048.04a3ed28@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020702134048.04a3ed28@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 2 Jul 2002 13:42:01 +0100, you wrote:

>Other one to look at is F-Prot as they charge per server (only about $300)
>which will be a lot less than Sophos or McAfee will want.

We are using f-prot to our full satisfaction. It was the first scanner at our university to clean Yaha infected e-mails. It took our Exchange server (with NAV as the anti-virus scanner) two extra days.
--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From LISTSERV at JISCMAIL.AC.UK Tue Jul 2 14:36:55 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:09 2006
Subject: MAILSCANNER: janusz.orlowski@DEFCOMP.COM.PL requested to join
Message-ID: <200207021336.OAA01856@magpie.ecs.soton.ac.uk>

Tue, 2 Jul 2002 14:36:55

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Janusz Orlowski

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER janusz.orlowski@DEFCOMP.COM.PL Janusz Orlowski

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER janusz.orlowski@DEFCOMP.COM.PL Janusz Orlowski
// EOJ

From ralloway at CHARTERPA.NET Tue Jul 2 14:48:26 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:09 2006
Subject: looping over zero length file
Message-ID:

Hello all!

I'm not a long time user of mailscanner, but I have it installed on two low volume servers for testing at the moment.

I've noticed that the load on one of the servers went up recently and stayed there. Syslogd was the culprit (according to top) so I checked out the log files.
The logs were filled with:

Jul 2 09:37:51 www mailscanner[32638]: Scanning 1 messages, 0 bytes
Jul 2 09:37:52 www mailscanner[32638]: Scanned 1 messages, 0 bytes in 1 seconds

...about 7 to 10 times per second.

I thought mailscanner might have lost its mind, so I restarted mailscanner, which did not resolve the issue.

In /var/spool/mqueue.in, I have a single file:

-rw------- 1 root root 0 Jun 7 17:40 qfRAA06251

Removing it solved the problem...

Perhaps mailscanner should check to ensure that the file is non-zero length before attempting to parse it...

Thanks, and keep up the great work!

-Rich

From LISTSERV at JISCMAIL.AC.UK Tue Jul 2 14:52:41 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:09 2006
Subject: MAILSCANNER: hugo.1000@GMX.NET requested to join
Message-ID: <200207021352.OAA03248@magpie.ecs.soton.ac.uk>

Tue, 2 Jul 2002 14:52:41

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Alf Gunz

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER hugo.1000@GMX.NET Alf Gunz

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.
------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER hugo.1000@GMX.NET Alf Gunz // EOJ From jkf at ecs.soton.ac.uk Tue Jul 2 14:54:13 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: looping over zero length file In-Reply-To: Message-ID: <5.1.0.14.2.20020702145147.05000c08@imap.ecs.soton.ac.uk> At 14:48 02/07/2002, you wrote: >In /var/spool/mqueue.in, I have a single file: > >-rw------- 1 root root 0 Jun 7 17:40 qfRAA06251 > >Removing it solved the problem... > >Perhaps mailscanner should check to ensure that the file is non-zero >length before attempting to parse it... Good idea. If you are using a recent version, the patch looks like this. Add 1 line (the "+" line) to sendmail.pl. *** 132,141 **** --- 132,142 ---- # Optimised by binning the 50% that aren't H files first next unless $file =~ /$MTA::HFileRegexp/; $tmpdate = (stat("$InQueueDir/$file"))[9]; # 9 = mtime #next unless -f "$InQueueDir/$file"; next unless -f _; + next if -z _; # Skip 0-length qf files $ModDate{$file} = $tmpdate; } @SortedFiles = sort { $ModDate{$a} <=> $ModDate{$b} } keys %ModDate; # Keep going until end of dir or have reached every imposed limit. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ralloway at CHARTERPA.NET Tue Jul 2 15:04:41 2002 From: ralloway at CHARTERPA.NET (Richard D Alloway) Date: Thu Jan 12 21:15:09 2006 Subject: looping over zero length file In-Reply-To: <5.1.0.14.2.20020702145147.05000c08@imap.ecs.soton.ac.uk> Message-ID: Thanks! That was quick! (I know...I know...easy fix *grin*) -Rich On Tue, 2 Jul 2002, Julian Field wrote: > At 14:48 02/07/2002, you wrote: > >In /var/spool/mqueue.in, I have a single file: > > > >-rw------- 1 root root 0 Jun 7 17:40 qfRAA06251 > > > >Removing it solved the problem... 
> > > >Perhaps mailscanner should check to ensure that the file is non-zero > >length before attempting to parse it... > > Good idea. If you are using a recent version, the patch looks like this. > Add 1 line (the "+" line) to sendmail.pl. > > *** 132,141 **** > --- 132,142 ---- > # Optimised by binning the 50% that aren't H files first > next unless $file =~ /$MTA::HFileRegexp/; > $tmpdate = (stat("$InQueueDir/$file"))[9]; # 9 = mtime > #next unless -f "$InQueueDir/$file"; > next unless -f _; > + next if -z _; # Skip 0-length qf files > $ModDate{$file} = $tmpdate; > } > @SortedFiles = sort { $ModDate{$a} <=> $ModDate{$b} } keys %ModDate; > > # Keep going until end of dir or have reached every imposed limit. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From s-luppescu at UCHICAGO.EDU Tue Jul 2 15:14:22 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:15:09 2006 Subject: Mailscanner didn't start properly Message-ID: <1025619262.27736.4.camel@musuko.uchicago.edu> I started MailScanner yesterday, but it didn't start properly and didn't discover the problem until this morning. service mailscanner status showed all [OK]. When I looked in the logs, I found these messages: Jul 1 16:51:58 csi-www-mail sendmail[6340]: alias database /etc/aliases rebuilt by stuart Jul 1 16:51:58 csi-www-mail sendmail[6340]: /etc/aliases: 44 aliases, longest 32 bytes, 1036 bytes total Jul 1 16:51:58 csi-www-mail sendmail[6346]: starting daemon (8.11.6): SMTP Jul 1 16:51:58 csi-www-mail sendmail[6346]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0: cannot bind: Address already in use Jul 1 16:51:58 csi-www-mail sendmail[6346]: daemon Daemon0: problem creating SMTP socket Jul 1 16:51:58 csi-www-mail sendmail[6350]: starting daemon (8.11.6): queueing@00:15:00 and many more lines just like these. 
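Review bot: the added `next if -z _;` drops an empty qf file without logging anything, so a stale one like the 0-byte qfRAA06251 dated Jun 7 reported in this thread would stay in the incoming queue indefinitely with no trace in syslog. Consider logging the skip when the mtime already held in `$tmpdate` is older than a few minutes; that leaves a qf file that is still being written alone and gives the administrator a pointer to the leftover. Reusing the `_` stat buffer after `next unless -f _;` is fine, since it tests the same stat() result without another system call.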
This morning, though, it started fine. Any idea what's happening? (I'm running 3.20-7 on RedHat 6.2. and sendmail 8.11.6.) -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR -=- Kernel 2.4.19-pre10-xf A modem is a baudy house. From mdchaney at MICHAELCHANEY.COM Tue Jul 2 15:31:57 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:15:09 2006 Subject: {SPAM?} Re: Virus report e-mail In-Reply-To: <6214C3F9233D764C9E7029396C355015115B25@mail.foundation.sdsu.edu>; from sevans@FOUNDATION.SDSU.EDU on Mon, Jul 01, 2002 at 08:15:47AM -0700 References: <6214C3F9233D764C9E7029396C355015115B25@mail.foundation.sdsu.edu> Message-ID: <20020702093157.A9234@michaelchaney.com> On Mon, Jul 01, 2002 at 08:15:47AM -0700, Steve Evans wrote: > Okay I have a good story to go with this. > > Before we were using SpamAssassin I had a user receive a piece of spam. > He had me look at it and the from address was > whatever@something.something.kr I said, well I could block that address > but it probably won't help because they'll be using something else next > time. He said, well can't you just block everything that ends with .kr. > And I said, that would block all of Korea. He didn't seem to understand > that that could be a problem. For many companies, that isn't a problem. Does your company do business overseas? Does it do business with anybody in Korea? Do you care? Blacklisting the whole of South Korea would cut my current spam volume in half. My brother is over there right now or I would have done it long ago.
Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From S.R.Patterson at SOTON.AC.UK Tue Jul 2 15:26:16 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:09 2006 Subject: Mailscanner didn't start properly Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Stuart Luppescu [mailto:s-luppescu@UCHICAGO.EDU] > Sent: 02 July 2002 15:14 > > Jul 1 16:51:58 csi-www-mail sendmail[6346]: starting daemon (8.11.6): > SMTP > Jul 1 16:51:58 csi-www-mail sendmail[6346]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon Daemon0: cannot bind: Address already in use > Jul 1 16:51:58 csi-www-mail sendmail[6346]: daemon Daemon0: problem > creating SMTP socket These errors mean that sendmail was already running. The chances are your computer starts up sendmail when it boots up. I suggest you turn off that behaviour! Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPSG4BK2fOiTs5+WvEQIi3wCcDBWor7oj4wUy8Qh5NPD/pHKB7I8AnAv6 NjU878tE1qaI78iGtfpHl1Sn =lIgX -----END PGP SIGNATURE----- From A.Barker at UCL.AC.UK Tue Jul 2 15:17:51 2002 From: A.Barker at UCL.AC.UK (Adrian Barker) Date: Thu Jan 12 21:15:09 2006 Subject: Sophos Sweep using a lot of CPU Message-ID: <200207021417.g62EHq523425@socrates-a.ucl.ac.uk> For the past two weeks we have seen poor performance on one of our mailscanner machines caused by Sophos sweep using 60% or more CPU for long periods of time. Has anyone else seen this problem ? We were using a fairly old version of mailscanner from last year, but upgraded to 3.15-3 today, and also upgraded various Perl modules and Sophos, but the problem continues. 
What is puzzling is that we have a second identical machine, apart from a different version of mailscanner, which shares the same load, but this does not have the same problem. Both machines are Suns and are not heavily loaded (about 10,000 messages per day each). Adrian Barker, Information Systems University College London, Gower Street, London WC1E 6BT External phone: (+44) 020 7679 2795, Fax (+44) 20 7388 5406 Internal phone: x 32795 Email: A.Barker@ucl.ac.uk From S.R.Patterson at SOTON.AC.UK Tue Jul 2 15:29:38 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:09 2006 Subject: Sophos Sweep using a lot of CPU Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We had a problem like that at one point - it turned out there was a big core dump file in /var/spool/mailscanner/incoming (or wherever your mailscanner working directory is). Have a look for a core file in that directory and delete it. Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > -----Original Message----- > From: Adrian Barker [mailto:A.Barker@UCL.AC.UK] > Sent: 02 July 2002 15:18 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sophos Sweep using a lot of CPU > > > For the past two weeks we have seen poor performance on one > of our mailscanner machines caused by Sophos sweep using 60% > or more CPU for long periods of time. Has anyone else seen > this problem ? We were using a fairly old version of > mailscanner from last year, but upgraded to 3.15-3 today, and > also upgraded various Perl modules and Sophos, but the > problem continues. > > What is puzzling is that we have a second identical machine, > apart from a different version of mailscanner, which shares > the same load, but this does not have the same problem. 
Both > machines are Suns and are not heavily loaded (about 10,000 > messages per day each). > > > > > Adrian Barker, Information Systems > University College London, Gower Street, London WC1E 6BT > External phone: (+44) 020 7679 2795, Fax (+44) 20 7388 5406 > Internal phone: x 32795 > Email: A.Barker@ucl.ac.uk > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPSG4z62fOiTs5+WvEQIl1gCfVQnqNMzNw2anaGMscJyJLXpk0cgAmwXg tNGDirnfmRPggdhyC2DSfpiN =8mNG -----END PGP SIGNATURE----- From roberto at MEUPROVEDOR.COM.BR Tue Jul 2 15:40:50 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:15:09 2006 Subject: MRTG.... In-Reply-To: <5.1.0.14.2.20020702145147.05000c08@imap.ecs.soton.ac.uk> Message-ID: <001a01c221d6$7d9267e0$0600a8c0@escritoriomundial.com.br> Hi, Can someone lend me the MRTG command to get data from MailScanner? I'm using MailScanner with McAfee in a RH 7.1 machine... Thanks in advance. Roberto Campos _______________________________________________________________ Meu Provedor Tecnologias e Informatica ltda. Rua Camerino, 128 Gr. 302 - Centro Rio de Janeiro - RJ - CEP 20080-010 Tel.: 21 - 25181011 Fax: 21 - 25181911 From mailscanner at ecs.soton.ac.uk Tue Jul 2 16:02:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: MRTG.... In-Reply-To: <001a01c221d6$7d9267e0$0600a8c0@escritoriomundial.com.br> References: <5.1.0.14.2.20020702145147.05000c08@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020702160158.04c6c060@imap.ecs.soton.ac.uk> http://www.sng.ecs.soton.ac.uk/mailscanner/mrtg.shtml At 15:40 02/07/2002, you wrote: >Hi, > >Can someone lend me the MRTG command to get data from MailScanner? > >I'm using MailScanner with McAfee in a RH 7.1 machine... > >Thanks in advance. > >Roberto Campos >_______________________________________________________________ >Meu Provedor Tecnologias e Informatica ltda. >Rua Camerino, 128 Gr.
302 - Centro >Rio de Janeiro - RJ - CEP 20080-010 >Tel.: 21 - 25181011 Fax: 21 - 25181911 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From A.Barker at UCL.AC.UK Tue Jul 2 15:55:46 2002 From: A.Barker at UCL.AC.UK (Adrian Barker) Date: Thu Jan 12 21:15:09 2006 Subject: Sophos Sweep using a lot of CPU In-Reply-To: Your message of "Tue, 02 Jul 2002 15:29:38 BST." Message-ID: <200207021455.g62Etk319271@sun-226.is-eisd.ucl.ac.uk> >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >We had a problem like that at one point - it turned out there was a >big core dump file in /var/spool/mailscanner/incoming (or wherever >your mailscanner working directory is). Have a look for a core file >in that directory and delete it. > >Steve >- -- >Steven Patterson, MSci. Tel: +44 (0)2380 595810 >Electronic Information Systems Support and Development >Computing Services, University of Southampton, UK. >Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc Many thanks indeed. That has solved the problem immediately. There was a 1.2 Gb core dump in the mailscanner working directory. We have had two weeks of severe delays to email due to that. It would be worth adding to the FAQ to save other people from having the same problem. Thanks again, Adrian Barker, Information Systems University College London, Gower Street, London WC1E 6BT External phone: (+44) 020 7679 2795, Fax (+44) 20 7388 5406 Internal phone: x 32795 Email: A.Barker@ucl.ac.uk > >> -----Original Message----- >> From: Adrian Barker [mailto:A.Barker@UCL.AC.UK] >> Sent: 02 July 2002 15:18 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Sophos Sweep using a lot of CPU >> >> >> For the past two weeks we have seen poor performance on one >> of our mailscanner machines caused by Sophos sweep using 60% >> or more CPU for long periods of time. Has anyone else seen >> this problem ? 
We were using a fairly old version of >> mailscanner from last year, but upgraded to 3.15-3 today, and >> also upgraded various Perl modules and Sophos, but the >> problem continues. >> >> What is puzzling is that we have a second identical machine, >> apart from a different version of mailscanner, which shares >> the same load, but this does not have the same problem. Both >> machines are Suns and are not heavily loaded (about 10,000 >> messages per day each). >> >> >> >> >> Adrian Barker, Information Systems >> University College London, Gower Street, London WC1E 6BT >> External phone: (+44) 020 7679 2795, Fax (+44) 20 7388 5406 >> Internal phone: x 32795 >> Email: A.Barker@ucl.ac.uk >> > >-----BEGIN PGP SIGNATURE----- >Version: PGP 7.0.4 > >iQA/AwUBPSG4z62fOiTs5+WvEQIl1gCfVQnqNMzNw2anaGMscJyJLXpk0cgAmwXg >tNGDirnfmRPggdhyC2DSfpiN >=8mNG >-----END PGP SIGNATURE----- Adrian. From mailscanner at ecs.soton.ac.uk Tue Jul 2 16:19:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: Sophos Sweep using a lot of CPU In-Reply-To: <200207021455.g62Etk319271@sun-226.is-eisd.ucl.ac.uk> References: Message-ID: <5.1.0.14.2.20020702161902.02d00b50@imap.ecs.soton.ac.uk> At 15:55 02/07/2002, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >We had a problem like that at one point - it turned out there was a > >big core dump file in /var/spool/mailscanner/incoming (or wherever > >your mailscanner working directory is). Have a look for a core file > >in that directory and delete it. > > > >Steve > >- -- > >Steven Patterson, MSci. Tel: +44 (0)2380 595810 > >Electronic Information Systems Support and Development > >Computing Services, University of Southampton, UK. > >Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > > >Many thanks indeed. That has solved the problem immediately. There was >a 1.2 Gb core dump in the mailscanner working directory. We have had >two weeks of severe delays to email due to that. 
It would be worth adding >to the FAQ to save other people from having the same problem. Good idea. Done. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From FCaen at CI.LAKEWOOD.WA.US Tue Jul 2 16:18:00 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:15:09 2006 Subject: Best AntiVirus to use w/ Mailscanner Message-ID: -----Original Message----- From: mailscanner@ECS.SOTON.AC.UK Subject: Re: [MAILSCANNER] Best AntiVirus to use w/ Mailscanner > Sophos Julian, may I ask why you recommend Sophos over all the others? Is it because it's the one MS was originally designed for or something similar? Is it actually better than the others? > Other one to look at is F-Prot as they charge per server (only about $300) > which will be a lot less than Sophos of McAfee will want. I have had a lot of success with F-Prot myself, on 2 different sites. The per-server licensing makes it by far the cheapest of all solutions. They even have a discount for non-profits. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From roberto at MEUPROVEDOR.COM.BR Tue Jul 2 16:24:49 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:15:09 2006 Subject: RES: MRTG.... In-Reply-To: <5.1.0.14.2.20020702160158.04c6c060@imap.ecs.soton.ac.uk> Message-ID: <002301c221dc$a1bdd6d0$0600a8c0@escritoriomundial.com.br> Thanks. Roberto Campos _______________________________________________________________ Meu Provedor Tecnologias e Informatica ltda. Rua Camerino, 128 Gr. 
302 - Centro Rio de Janeiro - RJ - CEP 20080-010 Tel.: 21 - 25181011 Fax: 21 - 25181911 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Julian Field Sent: Tuesday, 2 July 2002 12:02 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MRTG.... http://www.sng.ecs.soton.ac.uk/mailscanner/mrtg.shtml At 15:40 02/07/2002, you wrote: >Hi, > >Can someone lend me the MRTG command to get data from MailScanner? > >I'm using MailScanner with McAfee in a RH 7.1 machine... > >Thanks in advance. > >Roberto Campos >_______________________________________________________________ >Meu Provedor Tecnologias e Informatica ltda. >Rua Camerino, 128 Gr. 302 - Centro >Rio de Janeiro - RJ - CEP 20080-010 >Tel.: 21 - 25181011 Fax: 21 - 25181911 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jul 2 16:35:20 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: Best AntiVirus to use w/ Mailscanner In-Reply-To: Message-ID: <5.1.0.14.2.20020702163305.0513ce60@imap.ecs.soton.ac.uk> At 16:18 02/07/2002, you wrote: >-----Original Message----- >From: mailscanner@ECS.SOTON.AC.UK >Subject: Re: [MAILSCANNER] Best AntiVirus to use w/ Mailscanner > > > Sophos > >Julian, may I ask why you recommend Sophos over all the others? Is it >because it's the one MS was originally designed for or something similar? >Is it actually better than the others? We've used it for the entire University for over 3 years now. In that time, I don't think we've ever (touch wood) had a duff update or serious problem with it. They produce updates very quickly and it has proved to be an extremely reliable product. That is my personal opinion, though most people in this University would probably agree with me.
But unless you are in education, it is quite expensive (they do some *very* good deals). > > Other one to look at is F-Prot as they charge per server (only about $300) > > which will be a lot less than Sophos of McAfee will want. > >I have had a lot of success with F-Prot myself, on 2 different sites. The >per-server licensing makes it by far the cheapest of all solutions. They >even have a discount for non-profits. Discount? Off their prices? Wow, they can't be making much profit there... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hugo.1000 at GMX.NET Tue Jul 2 16:48:15 2002 From: hugo.1000 at GMX.NET (Alf Gunz) Date: Thu Jan 12 21:15:09 2006 Subject: score DCC_CHECK 0.0 In-Reply-To: <1025619262.27736.4.camel@musuko.uchicago.edu> Message-ID: Hi, that's in the spam.assassin.prefs.conf file. Shouldn't that be something different ? Or is then the default value of 2.0 used ? Thanks. -- MfG Alf From mailscanner at ecs.soton.ac.uk Tue Jul 2 16:57:05 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: score DCC_CHECK 0.0 In-Reply-To: References: <1025619262.27736.4.camel@musuko.uchicago.edu> Message-ID: <5.1.0.14.2.20020702165602.04fe3170@imap.ecs.soton.ac.uk> At 16:48 02/07/2002, you wrote: >that's in the spam.assassin.prefs.conf file. Shouldn't that be something >different ? Or is then the default value of 2.0 used ? That's there to disable the dcc check. It's not installed by default, and if you don't install it then SpamAssassin bleats endlessly about the command not existing. So I put a line in there which keeps the default SpamAssassin installation quiet (error messages worry people). If you have dcc installed then you should remove that line. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From hugo.1000 at GMX.NET Tue Jul 2 18:44:52 2002 From: hugo.1000 at GMX.NET (Alf Gunz) Date: Thu Jan 12 21:15:09 2006 Subject: score DCC_CHECK 0.0 In-Reply-To: <5.1.0.14.2.20020702165602.04fe3170@imap.ecs.soton.ac.uk> Message-ID: Hi, > That's there to disable the dcc check. .. > If you have dcc installed then you should remove that line. But I still don't see "dcc lookups" (tcpdump watching for connections to port 6277). I see them when using spamassassin manually, but not in mailscanner. Can anyone explain this ? -- MfG Alf From P.G.M.Peters at civ.utwente.nl Wed Jul 3 08:22:41 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:09 2006 Subject: Best AntiVirus to use w/ Mailscanner In-Reply-To: <5.1.0.14.2.20020702163305.0513ce60@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020702163305.0513ce60@imap.ecs.soton.ac.uk> Message-ID: On Tue, 2 Jul 2002 16:35:20 +0100, you wrote: >>I have had a lot of success with F-Prot myself, on 2 different sites. The >>per-server licensing makes it by far the cheapest of all solutions. They >>even have a discount for non-profits. > >Discount? Off their prices? Wow, they can't be making much profit there... We have had 25% "educational discount". 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
From mailscanner at ecs.soton.ac.uk Wed Jul 3 10:06:56 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:09 2006 Subject: Enabling dcc checking In-Reply-To: Message-ID: <5.1.0.14.2.20020703100416.03479918@imap.ecs.soton.ac.uk> At 06:42 03/07/2002, you wrote: >I've installed the dcc checking option for spamassassin and using SA's >test (spamassassin -t < sample-spam.txt > spam) I can see that SA has used >the dcc checking code. I sent the same sample file to myself and it >didn't mention dcc checking. > >I have never seen dcc checking happen when calling SA using mailscanner. >I checked and I have the "score DCC_Checking 0.0" line commented out in >spam.assassin.prefs.conf.
Is there something else that I should have >done? If you start MailScanner from an open window (via check_mailscanner) do you get any "command not found" errors? If not, then it's running dcc. I haven't tried dcc yet myself, so I'm not quite sure why this is happening. I'll have to install DCC and see what happens. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Wed Jul 3 12:24:38 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:09 2006 Subject: no more virusscanning Message-ID: "Suddenly" scanning of viruses stopped. I noticed because somewhere last week I started getting uncleaned, untagged messages with viruses. I have been looking for all kinds of strange things. Finally I changed f-protwrapper to log some more. I see f-prot is run in /var/spool/MailScanner/incoming with the command "/opt/f-prot/f-prot -old -archive -dumb .". But when I look in that directory I only see .headers files. And when I extend the logging a bit more I get "Error: Cannot open message file.". I am running MailScanner 3.20-4. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From gerry at dorfam.ca Wed Jul 3 13:30:51 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:09 2006 Subject: Enabling dcc checking In-Reply-To: <5.1.0.14.2.20020703100416.03479918@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020703100416.03479918@imap.ecs.soton.ac.uk> Message-ID: <19132.129.80.22.134.1025699451.squirrel@tiger.dorfam.ca> > At 06:42 03/07/2002, you wrote: >>I've installed the dcc checking option for spamassassin and using SA's >> test (spamassassin -t < sample-spam.txt > spam) I can see that SA has >> used the dcc checking code.
I sent the same sample file to myself and >> it didn't mention dcc checking. >> >>I have never seen dcc checking happen when calling SA using >> mailscanner. I checked and I have the "score DCC_Checking 0.0" line >> commented out in spam.assassin.prefs.conf. Is there something else >> that I should have done? > > If you start MailScanner from an open window (via check_mailscanner) do > you get any "command not found" errors? If not, then it's running dcc. I > haven't tried dcc yet myself, so I'm not quite sure why this is > happening. > > I'll have to install DCC and see what happens. > -- > Julian Field Teaching Systems Manager I ran check_mailscanner and received just a simply one line reply that mailscanner's pid was xxxxx (I forget the exact number). There was no other command not found type of complaint. Perhaps dcc is working but I've never noticed any indication that it is. Gerry From hugo.1000 at GMX.NET Wed Jul 3 14:36:58 2002 From: hugo.1000 at GMX.NET (Alf Gunz) Date: Thu Jan 12 21:15:09 2006 Subject: Enabling dcc checking In-Reply-To: <19132.129.80.22.134.1025699451.squirrel@tiger.dorfam.ca> Message-ID: Hi, > There was no > other command not found type of complaint. Perhaps dcc is working but > I've never noticed any indication that it is. I have the same "problem" :D -- MfG Alf From brose at MED.WAYNE.EDU Wed Jul 3 14:58:27 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:09 2006 Subject: Enabling dcc checking Message-ID: I've been using dcc with SA since it was added without any problems. The score of 0.0 turns it off so just give it a score. You also have to set the DCC thresholds in SA, example dcc_body_max 20 dcc_fuz1_max 30 dcc_fuz2_max 30 Note that DCC must be installed and you should probably setup it's whitelists as well. DCC is similar to razor but is intended to reduce bulk mailings. 
It records every time a message has been seen and you can set threshold levels to reject the message if using the sendmail milter or tagged by SA. So if the fuz2 hash of this message was seen 30 times and that was the threshold then it's tagged. When you report in SA or DCC, you are explicitly telling the DCC server that the message has been seen "many" times so each of the hashes are for that message is set to many. The whitelisting in DCC is very important because you can generate false positives for mailing lists and internal bulk mailings. I've been using the milter to block the many's and have SA tag anything else with a different threshold. I also use SA to do the reporting so that it's reported to both Razor and DCC. I know DCC is more for bulk mailings but I consider spam to bulk mailing. DCC's algorithms are better than Razorv1 because of the fuzzy hashes but Razorv2 is better than DCC, but still lacks a good milter. -----Original Message----- From: Gerry Doris [mailto:gerry@dorfam.ca] Sent: Wednesday, July 03, 2002 8:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Enabling dcc checking > At 06:42 03/07/2002, you wrote: >>I've installed the dcc checking option for spamassassin and using SA's >>test (spamassassin -t < sample-spam.txt > spam) I can see that SA has >>used the dcc checking code. I sent the same sample file to myself and >>it didn't mention dcc checking. >> >>I have never seen dcc checking happen when calling SA using >>mailscanner. I checked and I have the "score DCC_Checking 0.0" line >>commented out in spam.assassin.prefs.conf. Is there something else >>that I should have done? > > If you start MailScanner from an open window (via check_mailscanner) > do you get any "command not found" errors? If not, then it's running > dcc. I haven't tried dcc yet myself, so I'm not quite sure why this is > happening. > > I'll have to install DCC and see what happens. 
> -- > Julian Field Teaching Systems Manager I ran check_mailscanner and received just a simply one line reply that mailscanner's pid was xxxxx (I forget the exact number). There was no other command not found type of complaint. Perhaps dcc is working but I've never noticed any indication that it is. Gerry From P.G.M.Peters at civ.utwente.nl Wed Jul 3 15:13:42 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:09 2006 Subject: no more virusscanning In-Reply-To: References: Message-ID: On Wed, 03 Jul 2002 13:24:38 +0200, I wrote: >I see f-prot is run in /var/spool/MailScanner/incoming with the command >"/opt/f-prot/f-prot -old -archive -dumb .". But when I look in that >directory I only zie .headers files. And when I extend the logging a bit >more I get "Error: Cannot open message file.". > >I am running MailScanner 3.20-4. Upgrading to the latest MailScanner (3.21-1) did not help. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From eric at AFMB.CNRS-MRS.FR Wed Jul 3 15:29:27 2002 From: eric at AFMB.CNRS-MRS.FR (Eric Blanc) Date: Thu Jan 12 21:15:09 2006 Subject: White & Black Message-ID: <3D230A47.9275350D@afmb.cnrs-mrs.fr> Hye, I'm still playing with the configuration of Mailscanner/SpamAssassin Here are my problems: I would like to turn off SPAM tagging of messages coming from some mailing lists. The Sender address is : NAMEOFTHELIST-return-IDNUMBER-WHO-WHERE@clubs.voila.fr NAMEOFTHELIST,IDNUMBER,WHO and WHERE depend on some factors... AND I do not want to turn off SPAM tagging on the whole clubs.voila.fr ... Any Idea ??? On the contrary, I would like to turn ON spam Tagging on other messages. Is there a way to indicate to spam.assassin.prefs.conf to read the blacklist from a file ? The reason is to keep the possibility to deliver a mail, but to advise it as a potential SPAM. 
Thanks for any help.

Eric.

--
--------------------------------
Eric Blanc, PhD
Ingenieur d'Etudes Informatique & Reseau
WWW: http://afmb.cnrs-mrs.fr/teams/eblanc.html
AFMB CNRS-UMR 6098
Email: eric@afmb.cnrs-mrs.fr
31 Ch J. Aiguier
Fax: 33-4-91-16-45-36
13402 Marseille CEDEX 20
Phone: 33-4-91-16-45-29
FRANCE

From bill at DISTMIRR.COM Wed Jul 3 15:10:41 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:09 2006
Subject: extreamly long delays
Message-ID: <000001c2229b$6ad1e110$40713ed0@billslaptop>

I'm having some problems regarding very long delays in mail delivery. It seems as if it's getting 'stuck' when there are pieces of mail in the mail queue in the state of Deferred. Right now, I see 315 pieces of mail, all in the state of Deferred (with Connection refused) when I do a mailq. There are also 2157 pieces of mail in /var/spool/mqueue.in, and the number keeps growing.

I have the following set in my mailscanner.conf:

Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 10000000
Max Unsafe Bytes Per Scan = 5000000

I'm pretty sure this has something to do with it. I've been trying to change the settings here in hopes to increase the speed of both scanning and delivery.

I'm also using

Delivery Method = batch

Any help on this would be great.

Regards,
Bill Omer

From gerry at dorfam.ca Wed Jul 3 15:53:05 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:09 2006
Subject: Enabling dcc checking
In-Reply-To:
References:
Message-ID: <17374.129.80.22.134.1025707985.squirrel@tiger.dorfam.ca>

> I've been using dcc with SA since it was added without any problems. The
> score of 0.0 turns it off so just give it a score. You also have to set
> the DCC thresholds in SA, example
>
> dcc_body_max 20
> dcc_fuz1_max 30
> dcc_fuz2_max 30
>
> Note that DCC must be installed and you should probably set up its
> whitelists as well. DCC is similar to razor but is intended to reduce
> bulk mailings. It records every time a message has been seen and you
> can set threshold levels to reject the message if using the sendmail
> milter or tagged by SA. So if the fuz2 hash of this message was seen 30
> times and that was the threshold then it's tagged. When you report in
> SA or DCC, you are explicitly telling the DCC server that the message
> has been seen "many" times so each of the hashes for that message is
> set to many.
>
> The whitelisting in DCC is very important because you can generate false
> positives for mailing lists and internal bulk mailings. I've been using
> the milter to block the many's and have SA tag anything else with a
> different threshold. I also use SA to do the reporting so that it's
> reported to both Razor and DCC. I know DCC is more for bulk mailings
> but I consider spam to be bulk mailing. DCC's algorithms are better than
> Razorv1 because of the fuzzy hashes but Razorv2 is better than DCC, but
> still lacks a good milter.
>

OK, let me try this again...to get dcc to work with mailscanner I should

- change the score in mailscanner's spam.assassin.prefs.conf file to a positive number like 5 from 0.0

- add the following to spamassassin's config file

dcc_body_max 20
dcc_fuz1_max 30
dcc_fuz2_max 30

- add the dcc white lists (I assume those are on the dcc website)

This isn't critical for me. I installed dcc and was just wondering how well it worked.
Gerry

From P.G.M.Peters at civ.utwente.nl Wed Jul 3 16:09:06 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:09 2006
Subject: extreamly long delays
In-Reply-To: <000001c2229b$6ad1e110$40713ed0@billslaptop>
References: <000001c2229b$6ad1e110$40713ed0@billslaptop>
Message-ID:

On Wed, 3 Jul 2002 09:10:41 -0500, you wrote:

>I'm also using
>Delivery Method = batch

Check whether you have set "Deliver In Background = yes". Sometimes it takes minutes per recipient to deliver an e-mail. You don't want MailScanner to wait for that.

I have had the same problem.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente,
Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From fizz at BOMB.NET Wed Jul 3 16:11:49 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:15:09 2006
Subject: extreamly long delays
In-Reply-To: <000001c2229b$6ad1e110$40713ed0@billslaptop>
Message-ID: <000001c222a3$f4866fe0$483cd842@newfizz>

Try using delivery method = Queue and set Deliver in background to yes. Also lower your amount of logging in sendmail cf to like 7 from 9. This should help a lot. What are the specs on your mailserver? Also, what features do you have enabled in your mailscanner.conf?

[Kelly Hamlin]
support@cyberstreet.com
http://www.cyberstreet.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Bill Omer
Sent: Wednesday, July 03, 2002 10:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: extreamly long delays

I'm having some problems regarding very long delays in mail delivery. It seems as if it's getting 'stuck' when there are pieces of mail in the mail queue in the state of Deferred. Right now, I see 315 pieces of mail, all in the state of Deferred (with Connection refused) when I do a mailq. There are also 2157 pieces of mail in /var/spool/mqueue.in, and the number keeps growing.

I have the following set in my mailscanner.conf:

Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 10000000
Max Unsafe Bytes Per Scan = 5000000

I'm pretty sure this has something to do with it. I've been trying to change the settings here in hopes to increase the speed of both scanning and delivery.

I'm also using

Delivery Method = batch

Any help on this would be great.

Regards,
Bill Omer

From Matthew_doherty at DATAWATCH.COM Wed Jul 3 16:04:24 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:09 2006
Subject: hello
Message-ID:

Somehow I am not able to participate in the list. I have not changed my account name nor client email program that could cause this issue either.

Please reply.

Matthew

In a world without fences or walls, who needs Windows and Gates?
From brose at MED.WAYNE.EDU Wed Jul 3 16:28:58 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:09 2006
Subject: Enabling dcc checking
Message-ID:

That's all I did. But you should adjust the thresholds for your purposes. If you still don't see any dcc tags, then run SA on the sample-spam.txt file with the debug switch. If SA is doing the check, then so will Mailscanner.

-----Original Message-----
From: Gerry Doris [mailto:gerry@dorfam.ca]
Sent: Wednesday, July 03, 2002 10:53 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Enabling dcc checking

> I've been using dcc with SA since it was added without any problems.
> The score of 0.0 turns it off so just give it a score. You also have
> to set the DCC thresholds in SA, example
>
> dcc_body_max 20
> dcc_fuz1_max 30
> dcc_fuz2_max 30
>
> Note that DCC must be installed and you should probably set up its
> whitelists as well. DCC is similar to razor but is intended to reduce
> bulk mailings. It records every time a message has been seen and you
> can set threshold levels to reject the message if using the sendmail
> milter or tagged by SA. So if the fuz2 hash of this message was seen
> 30 times and that was the threshold then it's tagged. When you report
> in SA or DCC, you are explicitly telling the DCC server that the
> message has been seen "many" times so each of the hashes for that
> message is set to many.
>
> The whitelisting in DCC is very important because you can generate
> false positives for mailing lists and internal bulk mailings. I've
> been using the milter to block the many's and have SA tag anything
> else with a different threshold. I also use SA to do the reporting so
> that it's reported to both Razor and DCC. I know DCC is more for bulk
> mailings but I consider spam to be bulk mailing. DCC's algorithms are
> better than Razorv1 because of the fuzzy hashes but Razorv2 is better
> than DCC, but still lacks a good milter.
>

OK, let me try this again...to get dcc to work with mailscanner I should

- change the score in mailscanner's spam.assassin.prefs.conf file to a positive number like 5 from 0.0

- add the following to spamassassin's config file

dcc_body_max 20
dcc_fuz1_max 30
dcc_fuz2_max 30

- add the dcc white lists (I assume those are on the dcc website)

This isn't critical for me. I installed dcc and was just wondering how well it worked.

Gerry

From brose at MED.WAYNE.EDU Wed Jul 3 16:33:59 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:09 2006
Subject: extreamly long delays
Message-ID:

Use queue for delivery method. Batch will fire off sendmail processes from mailscanner to deliver the message. Queue will just drop it in mqueue and let the sendmail -q1m process deal with delivery. Turn off spam checking since the SA/RBL checks slow it down a lot. If you are doing rbl at the MTA then turn off those checks in Mailscanner and SA. If you are doing RBL checks in Mailscanner then turn them off in SA.

-----Original Message-----
From: Bill Omer [mailto:bill@DISTMIRR.COM]
Sent: Wednesday, July 03, 2002 10:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: extreamly long delays

I'm having some problems regarding very long delays in mail delivery. It seems as if it's getting 'stuck' when there are pieces of mail in the mail queue in the state of Deferred. Right now, I see 315 pieces of mail, all in the state of Deferred (with Connection refused) when I do a mailq. There are also 2157 pieces of mail in /var/spool/mqueue.in, and the number keeps growing.
I have the following set in my mailscanner.conf:

Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 10000000
Max Unsafe Bytes Per Scan = 5000000

I'm pretty sure this has something to do with it. I've been trying to change the settings here in hopes to increase the speed of both scanning and delivery.

I'm also using

Delivery Method = batch

Any help on this would be great.

Regards,
Bill Omer

From support at unofficial-support.com Wed Jul 3 16:38:14 2002
From: support at unofficial-support.com (misnomer)
Date: Thu Jan 12 21:15:09 2006
Subject: MailScanner & Ensim WEBppliance
Message-ID: <1875217822.20020703163814@unofficial-support.com>

Hi,

I don't know if anyone can help, but I was interested to know how far people had got with installing MailScanner on an Ensim WEBppliance 3.x installation, and what steps you took to get it working?

I am currently investigating it on my own systems, and wanted to get as much feedback as possible, because of the sendmail customizations by Ensim.

Thanks for your help.

Regards,
Andrew Allen

--
support@unofficial-support.com
Unofficial-Support(.com) - Dedicated To Supporting Your Server
http://www.unofficial-support.com/
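Added example (not part of any message in this archive, and not DCC, SpamAssassin or MailScanner code): the threshold, "many" and whitelist behaviour described in the "Enabling dcc checking" thread, with the list-sender shape from the "White & Black" post used as one whitelist entry. The metrics string format, the glob-style whitelist and every function name are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Thresholds quoted in the thread: dcc_body_max, dcc_fuz1_max, dcc_fuz2_max.
THRESHOLDS = {"Body": 20, "Fuz1": 30, "Fuz2": 30}

# Assumption: a sender whitelist written as shell-style globs. This is not
# DCC's own whitelist file format. The first pattern follows the list sender
# shape from the "White & Black" post; the second is constructed.
WHITELIST = ["*-return-*@clubs.voila.fr", "announce@lists.example.org"]

MANY = float("inf")  # "many" outranks every numeric threshold

COUNT_RE = re.compile(r"\b(Body|Fuz1|Fuz2)=(many|\d+)\b")


def parse_counts(metrics):
    """Return {checksum name: count} from a DCC-style metrics string."""
    return {name: MANY if value == "many" else int(value)
            for name, value in COUNT_RE.findall(metrics)}


def is_whitelisted(sender, patterns=WHITELIST):
    """Case-insensitive glob match of the envelope sender."""
    sender = sender.lower()
    return any(fnmatchcase(sender, pattern.lower()) for pattern in patterns)


def classify(sender, metrics, thresholds=THRESHOLDS):
    """Return (verdict, checksums that triggered it).

    whitelisted: sender matched a pattern, counts are ignored
    reject:      a checksum is "many" (the milter stage in the thread)
    tag:         a count reached its threshold (the SpamAssassin stage)
    pass:        every count is below its threshold
    """
    if is_whitelisted(sender):
        return "whitelisted", []
    counts = parse_counts(metrics)
    many = [name for name in thresholds if counts.get(name, 0) == MANY]
    if many:
        return "reject", many
    over = [name for name, limit in thresholds.items()
            if counts.get(name, 0) >= limit]
    return ("tag", over) if over else ("pass", [])


# Constructed sample input: (envelope sender, DCC-style metrics string).
SAMPLES = [
    ("promo@bulk.example.net",
     "mx.example.org 1049; bulk Body=many Fuz1=many Fuz2=many"),
    ("someone@example.com", "mx.example.org 1049; Body=3 Fuz1=5 Fuz2=30"),
    ("someone@example.com", "mx.example.org 1049; Body=3 Fuz1=5 Fuz2=29"),
    ("cuisine-return-1234-user-example.org@clubs.voila.fr",
     "mx.example.org 1049; bulk Body=many Fuz1=many Fuz2=many"),
    ("webmaster@clubs.voila.fr", "mx.example.org 1049; Body=25 Fuz1=1 Fuz2=1"),
]

if __name__ == "__main__":
    for sender, metrics in SAMPLES:
        print(sender, "->", classify(sender, metrics))
```

The fourth sample is bulk by every checksum yet is let through because its sender matches the list pattern, while the fifth shows that other senders at the same domain are still scored.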
From combs at MAGNET.FSU.EDU Wed Jul 3 19:00:59 2002
From: combs at MAGNET.FSU.EDU (Tom Combs)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
Message-ID:

Hello,

I'm looking into deploying mailscanner on our departmental server which is a Sun Ultra10 running Solaris 8 and sendmail 8.12.5. This machine carries a heavy load and I would like to only scan incoming mail and not scan outgoing mail. I don't see an option to turn off scanning outgoing mail in the mailscanner.conf. Is it possible to turn off outgoing scans?
Thanks,
Tom Combs

From mailscanner at ecs.soton.ac.uk Wed Jul 3 19:14:36 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
In-Reply-To:
Message-ID: <5.1.0.14.2.20020703191256.031db7b0@imap.ecs.soton.ac.uk>

At 19:00 03/07/2002, you wrote:
> I'm looking into deploying mailscanner on our departmental server
> which is a Sun Ultra10 running Solaris 8 and sendmail 8.12.5. This
> machine carries a heavy load and I would like to only scan incoming
> mail and not scan outgoing mail. I don't see an option to turn off
> scanning outgoing mail in the mailscanner.conf. Is it possible to
> turn off outgoing scans?

Use separate servers to handle your incoming and outgoing mail. MailScanner doesn't differentiate between mail going in/out.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From fizz at BOMB.NET Wed Jul 3 20:19:11 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:15:10 2006
Subject: Wow, check out my MTA Rejections today!
Message-ID: <000001c222c6$82ad9c40$483cd842@newfizz>

SPAM RBL Statistics
***********************************
--SpamCOP: 6921
--ordb: 2228
--spews: 17
--spamhause: 1
--osirusoft: 6408
***********************************

[Kelly Hamlin]
support@cyberstreet.com
http://www.cyberstreet.com

From Matthew_doherty at DATAWATCH.COM Wed Jul 3 20:36:43 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
Message-ID:

I have an issue where a department is usually sending *.reg files to itself.. ex: joeshmoe@hotdogs.com sending to >> jim@hotdogs.com; joe@hotdogs.com; brian@hotdogs.com with a .reg extension attachment that mailscanner always scoops up. Gee I guess I'm hungry to use this as a dumb example.. Is there a way to NOT scan mail sent to and from its own domain peers? And have mailscanner just scan mail that's departing from its domain and entering its domain instead? I'm afraid to allow .reg files to be left alone and have someone send us a .reg extension virus from outside our domain.

In a world without fences or walls, who needs Windows and Gates?

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Wednesday, July 03, 2002 3:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Don't scan outgoing mail

At 19:00 03/07/2002, you wrote:
> I'm looking into deploying mailscanner on our departmental server
> which is a Sun Ultra10 running Solaris 8 and sendmail 8.12.5. This
> machine carries a heavy load and I would like to only scan incoming
> mail and not scan outgoing mail. I don't see an option to turn off
> scanning outgoing mail in the mailscanner.conf. Is it possible to
> turn off outgoing scans?

Use separate servers to handle your incoming and outgoing mail. MailScanner doesn't differentiate between mail going in/out.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ink at INCONNU.ISU.EDU Wed Jul 3 20:47:53 2002
From: ink at INCONNU.ISU.EDU (Craig Kelley)
Date: Thu Jan 12 21:15:10 2006
Subject: mailscanner dies
Message-ID:

I've been running Mailscanner for some weeks now, and I got a report today that none of the email was being delivered. I noted that the mailscanner program wasn't running, so I started it back up. It uses up a bit of CPU time and spins around for a while (ending up with 200 items in the incomming/ directory) and then dies. If I run it in debug mode it does this:

# ./mailscanner /var/spool/mailscanner/etc/mailscanner.conf
In Debugging mode, not forking...
#

No message, nothing. Any ideas?

From thomas_duvally at BROWN.EDU Wed Jul 3 21:06:34 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:15:10 2006
Subject: Multiple mailscanners
Message-ID: <1025726794.1587.33.camel@toms>

Here's something I thought about while brainstorming a new setup for mail.

Would it be possible to have one machine running 2 or even more instances of Mailscanner? They could have separate incoming and outgoing queues.

I thought of this because I was thinking how I could offload the scanning of mail away from the actual mail servers. Say if I have a SAN, where 2 mail servers were dumping mail in two "queue.in"s, Mailscanner scans them and dumps them in the outgoing queues for delivery by the respective mail servers?

Any reason this wouldn't work?

--
Tom DuVally
Lead Sys. Programmer
CIS, Brown University
p 401-863-9466

From ralloway at CHARTERPA.NET Wed Jul 3 21:10:23 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:10 2006
Subject: High SpamAssassin Score/Action
In-Reply-To:
Message-ID:

Hi.
I am toying with the High SpamAssassin Score/Action settings and notice that the syslog output is:

Jul 3 16:07:11 www mailscanner[31675]: Scanning 1 messages, 3702 bytes
Jul 3 16:07:12 www mailscanner[31675]: Deleted spam message QAA31742 from queue
Jul 3 16:07:12 www mailscanner[31675]: Scanned 1 messages, 3702 bytes in 0 seconds

Even though I have Log Spam set to yes which usually shows:

Jul 3 16:06:08 www mailscanner[31675]: Scanning 1 messages, 6121 bytes
Jul 3 16:06:09 www mailscanner[31675]: Scanned 1 messages, 6121 bytes in 0 seconds
Jul 3 16:06:09 www mailscanner[31675]: Message QAA31691 from 24.x.x.x (smtp1.theadmanager.com) is spam according to SpamAssassin (score=12.5, required 5, RESISTANCE_IS_FUTILE, CLICK_BELOW, COPYRIGHT_CLAIMED, UNSUB_PAGE, BIG_FONT, CLICK_HERE_LINK, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2)

I'd like to also see the reasons and scores of the High SpamAssassin deletes.

Is this option a future possibility?

Thanks!

-Rich

From mailscanner at ecs.soton.ac.uk Wed Jul 3 21:13:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: mailscanner dies
In-Reply-To:
Message-ID: <5.1.0.14.2.20020703210625.034c2c18@imap.ecs.soton.ac.uk>

Try changing the "Multiple Headers" option. On a few systems "append" can make it core dump due to bugs in Perl itself.

When you run it in debug mode, has it actually reduced the number of messages in /var/spool/mqueue.in? Anything in the maillog?

There is a possibility that 1 message is killing it (this is very unlikely but has been known). Set the number of messages per batch to, say, 10 and re-run it. This should help you narrow down exactly what message is causing the trouble, if this is the problem at all.

At 20:47 03/07/2002, you wrote:
>I've been running Mailscanner for some weeks now, and I got a report today
>that none of the email was being delivered. I noted that the mailscanner
>program wasn't running, so I started it back up. It uses up a bit of CPU
>time and spins around for a while (ending up with 200 items in the
>incomming/ directory) and then dies. If I run it in debug mode it does
>this:
>
># ./mailscanner /var/spool/mailscanner/etc/mailscanner.conf
>In Debugging mode, not forking...
>#
>
>No message, nothing. Any ideas?

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ink at INCONNU.ISU.EDU Wed Jul 3 21:31:24 2002
From: ink at INCONNU.ISU.EDU (Craig Kelley)
Date: Thu Jan 12 21:15:10 2006
Subject: mailscanner dies [output]
In-Reply-To:
Message-ID:

I did an strace on the process, and the output of that is here:

http://inconnu.isu.edu/~ink/strace.out

PS- Where can I download the source for the mailscanner program?

-Craig

From mailscanner at ecs.soton.ac.uk Wed Jul 3 21:16:14 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: Multiple mailscanners
In-Reply-To: <1025726794.1587.33.camel@toms>
Message-ID: <5.1.0.14.2.20020703211429.0364b4c0@imap.ecs.soton.ac.uk>

At 21:06 03/07/2002, you wrote:
>Would it be possible to have one machine running 2 or even more
>instances of Mailscanner? They could have separate incoming and
>outgoing queues.

They will need different "Incoming Work Dir" dirs as well.

>I thought of this because I was thinking how I could offload the
>scanning of mail away from the actual mail servers. Say if I have a
>SAN, where 2 mail servers were dumping mail in two "queue.in"s,
>Mailscanner scans them and dumps them in the outgoing queues for
>delivery by the respective mail servers?

Beware that sendmail's file locking does not work over NFS...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jul 3 21:40:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: High SpamAssassin Score/Action
In-Reply-To:
References:
Message-ID: <5.1.0.14.2.20020703213958.047a0a08@imap.ecs.soton.ac.uk>

Sorry about that. Fixed for the next (minor) release.

At 21:10 03/07/2002, you wrote:
>Hi. I am toying with the High SpamAssassin Score/Action settings and
>notice that the syslog output is:
>
>Jul 3 16:07:11 www mailscanner[31675]: Scanning 1 messages, 3702 bytes
>Jul 3 16:07:12 www mailscanner[31675]: Deleted spam message QAA31742 from
>queue
>Jul 3 16:07:12 www mailscanner[31675]: Scanned 1 messages, 3702 bytes in
>0 seconds
>
>Even though I have Log Spam set to yes which usually shows:
>
>Jul 3 16:06:08 www mailscanner[31675]: Scanning 1 messages, 6121 bytes
>Jul 3 16:06:09 www mailscanner[31675]: Scanned 1 messages, 6121 bytes in
>0 seconds
>Jul 3 16:06:09 www mailscanner[31675]: Message QAA31691 from 24.x.x.x
>(smtp1.theadmanager.com) is spam according to SpamAssassin (score=12.5,
>required 5, RESISTANCE_IS_FUTILE, CLICK_BELOW, COPYRIGHT_CLAIMED,
>UNSUB_PAGE, BIG_FONT, CLICK_HERE_LINK, CTYPE_JUST_HTML,
>MSG_ID_ADDED_BY_MTA_2)
>
>I'd like to also see the reasons and scores of the High SpamAssassin
>deletes.
>
>Is this option a future possibility?
>
>Thanks!
>
>-Rich

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jul 3 21:50:53 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: mailscanner dies [output]
In-Reply-To:
References:
Message-ID: <5.1.0.14.2.20020703215015.047b2268@imap.ecs.soton.ac.uk>

At 21:31 03/07/2002, you wrote:
>I did an strace on the process, and the output of that is here:
> http://inconnu.isu.edu/~ink/strace.out

I'm afraid that didn't help much :-(

>PS- Where can I download the source for the mailscanner program?

Errr... it's written in Perl. You've already got it :-)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From bill at DISTMIRR.COM Wed Jul 3 23:30:56 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:10 2006
Subject: extreamly long delays
In-Reply-To: <000001c222a3$f4866fe0$483cd842@newfizz>
Message-ID: <003401c222e1$4e383e50$40713ed0@billslaptop>

I have done both.

However, I changed:

Check Spam = yes

to

Check Spam = no

now everything is flying. After doing a little reading, I've learned that slow dns resolution can cause this problem. However, I don't have a problem at all with resolving domain names.

Any ideas on what I should check for this?

Spam Assassin was working great before (and still does if I run it rather than mailscanner).

Regards,
Bill Omer

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kelly Hamlin
Sent: Wednesday, July 03, 2002 10:12 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: extreamly long delays

Try using delivery method = Queue and set Deliver in background to yes. Also lower your amount of logging in sendmail cf to like 7 from 9. This should help a lot. What are the specs on your mailserver? Also, what features do you have enabled in your mailscanner.conf?
[Kelly Hamlin]
support@cyberstreet.com
http://www.cyberstreet.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Bill Omer
Sent: Wednesday, July 03, 2002 10:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: extreamly long delays

I'm having some problems regarding very long delays in mail delivery. It seems as if it's getting 'stuck' when there are pieces of mail in the mail queue in the state of Deferred. Right now, I see 315 pieces of mail, all in the state of Deferred (with Connection refused) when I do a mailq. There are also 2157 pieces of mail in /var/spool/mqueue.in, and the number keeps growing.

I have the following set in my mailscanner.conf:

Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 10000000
Max Unsafe Bytes Per Scan = 5000000

I'm pretty sure this has something to do with it. I've been trying to change the settings here in hopes to increase the speed of both scanning and delivery.

I'm also using

Delivery Method = batch

Any help on this would be great.

Regards,
Bill Omer

From mailscanner at ecs.soton.ac.uk Thu Jul 4 08:39:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: extreamly long delays
In-Reply-To: <003401c222e1$4e383e50$40713ed0@billslaptop>
References: <000001c222a3$f4866fe0$483cd842@newfizz>
Message-ID: <5.1.0.14.2.20020704083818.04e30140@imap.ecs.soton.ac.uk>

At 23:30 03/07/2002, you wrote:
>However, I changed:
>Check Spam = yes
>to Check Spam = no
>now everything is flying. After doing a little reading, I've learned that
>slow dns resolution can cause this problem. However, I don't have a
>problem at all with resolving domain names.
>Any ideas on what I should check for this?
>Spam Assassin was working great before (and still does if I run it rather
>than mailscanner).

Do you have any "Spam List" entries or "Spam Domain List" entries? If so, try switching spam checking back on, but comment out all the "Spam List" and "Spam Domain List" entries. That will leave you just running SpamAssassin, so you'll be able to get a better idea of exactly what is running slowly.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Thu Jul 4 10:17:53 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:10 2006
Subject: MAILSCANNER: joe@QITC.CO.UK requested to join
Message-ID: <200207040917.KAA05398@magpie.ecs.soton.ac.uk>

Thu, 4 Jul 2002 10:17:53

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Joe Quinn

The following membership options have been requested: CONCEAL.

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER joe@QITC.CO.UK Joe Quinn

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.
-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER joe@QITC.CO.UK Joe Quinn
SET MAILSCANNER CONCEAL FOR joe@QITC.CO.UK
// EOJ

From m.sapsed at BANGOR.AC.UK Thu Jul 4 10:32:06 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
References:
Message-ID: <3D241616.A7B3D4BA@bangor.ac.uk>

> Matt Doherty wrote:
>
> I have an issue where a department is usually sending *.reg files to
> itself.. ex: joeshmoe@hotdogs.com sending to >> jim@hotdogs.com;
> joe@hotdogs.com; brian@hotdogs.com with a .reg extension attachment that
> mailscanner always scoops up. . Gee I guess I'm hungry to use this as a
> dumb example.. Is there a way to NOT scan mail sent to and from its own
> domain peers? And have mailscanner just scan mail that's departing from
> its domain and entering its domain instead? I'm afraid to allow .reg files
> to be left alone and have someone send us a .reg extension virus from
> outside our domain.

Simpler to tell the people who need to send .reg files to rename them with e.g. .txt on the end first?

Cheers,

Martin

--
Martin Sapsed                          To have no errors
Information Services                   Would be life without meaning
University of Wales, Bangor, LL57 2UX  No struggle, no joy.

From joe at QITC.CO.UK Thu Jul 4 10:32:13 2002
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:15:10 2006
Subject: Just installed MailScanner
Message-ID:

On Sat, 25 May 2002 13:17:19 +0100, Ray Healy wrote:

>Dear All
>
>After being advised by Julian - thank you very much Julian for the web site
>address - I installed F-prot (Small business 312) and Mailscanner 3.15-3
>onto my RAQ4 Cobalt which I believe is running RedHat 6.2 with Sendmail 8.10
>(as you can see I am quite new to this)
>
>Everything installed perfectly and the F-prot obtained its virus
>definitions correctly and installed them. I had no errors on the install
>whatsoever.
>
>I carried out the modifications as suggested in the article at
>http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 which again went
>smoothly.
>
>The problem is that I can send and receive e-mail through my RAQ server but
>Mailscanner does not seem to be scanning the messages or attachments. I
>have been using the EICAR test virus and sending it to the server from my
>other free ISP account and from my server using Outlook Express. I do not
>get any of the additional entries in the e-mail header (X-Mailscanner.....)
>so I can only assume that the messages are bypassing the MailScanner
>part of the operation totally.
>
>I cannot see where I have gone wrong considering I had no errors on install.
>Everything appears to be running OK and I have tested the MailScanner
>using /usr/local/MailScanner/bin/check_mailscanner and I get back the
>correct response.
>
>Can anyone throw any light on this to where I may have gone wrong as I
>have gone through every item in this mailing list and the FAQ to no avail.
>
>Thanks everyone
>
>Ray Healy

Hi,

I have the same problem, I just installed on a RaQ3 and all appears to be working as it should except that there are no headers in the mail?

Any ideas?

Cheers,

Joe

From mailscanner at ecs.soton.ac.uk Thu Jul 4 11:03:00 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: Just installed MailScanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020704110211.05005490@imap.ecs.soton.ac.uk>

At 10:32 04/07/2002, you wrote:
>On Sat, 25 May 2002 13:17:19 +0100, Ray Healy
>wrote:
>
> >Dear All
> >
> >After being advised by Julian - thank you very much Julian for the web site
> >address - I installed F-prot (Small business 312) and Mailscanner 3.15-3
> >onto my RAQ4 Cobalt which I believe is running RedHat 6.2 with Sendmail
>8.10
> >(as you can see I am quite new to this)
> >
> >Everything installed perfectly and the F-prot obtained its virus
> >definitions correctly and installed them.
> >I had no errors on the install
> >whatsoever.
> >
> >I carried out the modifications as suggested in the article at
> >http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 which again went
> >smoothly.
> >
> >The problem is that I can send and receive e-mail through my RAQ server but
> >Mailscanner does not seem to be scanning the messages or attachments. I
> >have been using the EICAR test virus and sending it to the server from my
> >other free ISP account and from my server using Outlook Express. I do not
> >get any of the additional entries in the e-mail header (X-Mailscanner.....)
> >so I can only assume that the messages are bypassing the MailScanner
> >part of the operation totally.
> >
> >I cannot see where I have gone wrong considering I had no errors on
>install.
> >Everything appears to be running OK and I have tested the MailScanner
> >using /usr/local/MailScanner/bin/check_mailscanner and I get back the
> >correct response.
> >
> >Can anyone throw any light on this to where I may have gone wrong as I
> >have gone through every item in this mailing list and the FAQ to no avail.
> >
> >Thanks everyone
> >
> >Ray Healy
>
>Hi,
>
>I have the same problem, I just installed on a RaQ3 and all appears to be
>working as it should except that there are no headers in the mail?

Have you fixed the 2 mqueue directories on your server so they are on the same filesystem?

I can't remember what I did to Ray's system to solve this one. Suggest you ask Ray...
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From joe at QITC.CO.UK Thu Jul 4 11:09:41 2002
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:15:10 2006
Subject: Just installed MailScanner
References: <5.1.0.14.2.20020704110211.05005490@imap.ecs.soton.ac.uk>
Message-ID: <01f601c22342$ea677e60$021b6bd5@T20>

Hi,

Thanks for the reply.
>Have you fixed the 2 mqueue directories on your server so they are on the same filesystem?

I thought the mail queue change was only for a RaQ4, mine's a RaQ3?

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner.
www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

From P.G.M.Peters at civ.utwente.nl Thu Jul 4 11:11:23 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
In-Reply-To: <3D241616.A7B3D4BA@bangor.ac.uk>
References: <3D241616.A7B3D4BA@bangor.ac.uk>
Message-ID: <4m78iuc9l96brmpuc49vt4b4qpgui8hu1k@4ax.com>

On Thu, 4 Jul 2002 10:32:06 +0100, you wrote:

>> I have an issue where a department is usually sending *.reg files to
>> itself.. ex: joeshmoe@hotdogs.com sending to >> jim@hotdogs.com;
>> joe@hotdogs.com; brian@hotdogs.com with a .reg extension attachment that
>> mailscanner always scoops up. . Gee I guess I'm hungry to use this as a
>> dumb example.. Is there a way to NOT scan mail sent to and from its own
>> domain peers? And have mailscanner just scan mail that's departing from
>> its domain and entering its domain instead? I'm afraid to allow .reg files
>> to be left alone and have someone send us a .reg extension virus from
>> outside our domain.
>
>Simpler to tell the people who need to send .reg files to rename them with
>e.g. .txt on the end first?

Do you think they will understand what you tell them? I have had somebody not understanding the check for double extensions. And I have a hard time explaining to them what an extension is.

That is the kind of people disabling the "view extensions" on their system. They probably don't even know they are sending files with that extension.
--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Thu Jul 4 11:22:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: Just installed MailScanner
In-Reply-To: <01f601c22342$ea677e60$021b6bd5@T20>
References: <5.1.0.14.2.20020704110211.05005490@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020704112236.04fcc060@imap.ecs.soton.ac.uk>

At 11:09 04/07/2002, you wrote:
>Hi,
>
>Thanks for the reply.
>
> >Have you fixed the 2 mqueue directories on your server so they are on the
>same filesystem?
>
>I thought the mail queue change was only for a RaQ4, mine's a RaQ3?

Have you done:

Now for the final part (almost)
You need to move a directory around to get the mailscanner to work properly

    cd /var/spool
    mv /var/spool/mqueue.in/ /home/spool/
    ln -s ../../home/spool/mqueue.in /var/spool/mqueue.in

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020704/88afa0a5/attachment.html

From smohan at VSNL.COM Thu Jul 4 11:22:03 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:15:10 2006
Subject: No subject
Message-ID: <001801c22344$a4feb760$6300a8c0@smohan>

Virtusertable is looked up only for local domains. I cannot make public email domains as local domains on my machine to enable me send the mails to port 25 as users might want to send mails out to these domains. Have I got anything wrong? Is there another way of making mailscanner parse mails delivered by fetchmail?

Mohan

>>I've not been able to get mails coming thro' fetchmail scanned by
>>mailscanner.
>>In my scenario, I've a mail host hosting my domain
>>vectrasystems.com. All mails destined for vectrasystems.com do get
>>scanned - no issues. For a few users, I'm using fetchmail to pick up
>>personal mail from their personal mailbags in different email provider
>>domains. Thus those domains are not local and fetchmail delivers to a
>>local user specified for each pick up. If I pass these mails to port
>>25, the mail will never reach the user on the machine as the domain is
>>not local. It will introduce a vicious loop too.
>
>You have to get it to pass in the mail on port 25. You should be able to
>avoid your loop problem by using the virtual user table to handle mail for
>those addresses.
>
>>Can I call the mailscanner engine as a filter program in procmail?
>
>No, you can't. MailScanner scans all mail coming in through port 25.
>
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

From joe at QITC.CO.UK Thu Jul 4 11:51:40 2002
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:15:10 2006
Subject: Just installed MailScanner
References: <5.1.0.14.2.20020704110211.05005490@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020704112236.04fcc060@imap.ecs.soton.ac.uk>
Message-ID: <022201c22348$c776e2f0$021b6bd5@T20>

Yup, done that and just checked the link again and it's there but still not working. :-(

Joe

From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, July 04, 2002 11:22 AM
Subject: Re: Just installed MailScanner

At 11:09 04/07/2002, you wrote:

Hi,

Thanks for the reply.

>Have you fixed the 2 mqueue directories on your server so they are on the same filesystem?

I thought the mail queue change was only for a RaQ4, mine's a RaQ3?
Have you done:

Now for the final part (almost)
You need to move a directory around to get the mailscanner to work properly

    cd /var/spool
    mv /var/spool/mqueue.in/ /home/spool/
    ln -s ../../home/spool/mqueue.in /var/spool/mqueue.in

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020704/26506789/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Jul 4 11:52:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To: <5.1.0.14.2.20020701215058.03809bb0@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.1.0.14.2.20020704115035.02d16cf8@imap.ecs.soton.ac.uk>

Did anyone try this out? Any progress on resolving this one?
RedHat are still only on sendmail-8.11 :(

At 21:55 01/07/2002, you wrote:
>RedHat have yet to produce RPMs for sendmail 8.12 :-(
>Can you try setting
>Sendmail2 = /usr/sbin/sendmail >/dev/null 2>&1
>in your mailscanner.conf and then try it (just try pushing a clean text
>message through it)?
>
>Also, does this happen only when MailScanner and its sendmails are started
>on bootup, or does it occur if you stop and then start MailScanner from a
>window (and then leave the window open for the first few messages)?
>
>STDERR and STDIN certainly appear to be open, the only one that appears
>doubtful is STDOUT, though I never explicitly close any of them. Is there
>any documentation with sendmail 8.12 that might help diagnose this? Why
>does sendmail suddenly need these file descriptors anyway?
>It never used
>to :-(
>
>At 21:15 01/07/2002, you wrote:
>>I've just installed mailscanner with sendmail 8.12.2 and am seeing the
>>same warning, always generated by the sendmail instance used to deliver a
>>just-scanned message.
>>
>>Is mailscanner calling sendmail with closed standard file descriptors?
>>
>>brent emerson
>>techforpeople
>>
>>
>> > Date: Wed, 19 Jun 2002 11:03:25 -0700
>> > Reply-To: MailScanner mailing list
>> > Sender: MailScanner mailing list
>> > From: David Closson
>> > Subject: Sendmail 8.12.3 warning with mailscanner
>> > Content-Type: text/plain; format=flowed
>> >
>> > This warning was issued after setting up mailscanner:
>> >
>> > sendmail[9672]: File descriptors missing on startup: stdout, stderr; Bad
>> > file descriptor
>> >
>> > I have read that this is caused if stdin, stdout, or stderr are missing
>> > at sendmail startup (as the error indicates).
>> >
>> > _________
>> > Sincerely,
>> > David Closson
>> > 209-728-8199
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Thu Jul 4 12:48:00 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:10 2006
Subject: redhat (was: Sendmail 8.12.3 warning with mailscanner)
In-Reply-To: <5.1.0.14.2.20020704115035.02d16cf8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020701215058.03809bb0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020704115035.02d16cf8@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 4 Jul 2002 11:52:44 +0100, you wrote:

>Did anyone try this out? Any progress on resolving this one?
>RedHat are still only on sendmail-8.11 :(

Talking about Redhat. When installing the RPM the file /etc/rc.d/init.d/mailscanner has a few lines in it where makemap is called.
Redhat has a test in /etc/rc.d/init.d/sendmail where the existence of /etc/mail/Makefile is tested. The administrator can perform special actions whether he uses sendmail with or without MailScanner.

| if test -x /usr/bin/make -a -f /etc/mail/Makefile ; then
|   make -C /etc/mail -q
| else
|   for i in virtusertable access domaintable mailertable ; do
|     if [ -f /etc/mail/$i ] ; then
|       makemap hash /etc/mail/$i < /etc/mail/$i
|     fi
|   done
| fi

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From thom at DARKSABER.COM Thu Jul 4 13:31:28 2002
From: thom at DARKSABER.COM (Thom Paine)
Date: Thu Jan 12 21:15:10 2006
Subject: Sendmail 8.12.3 warning with mailscanner
In-Reply-To: <5.1.0.14.2.20020704115035.02d16cf8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020704115035.02d16cf8@imap.ecs.soton.ac.uk>
Message-ID: <1025785888.1240.70.camel@zeus.darksaber.com>

On Thu, 2002-07-04 at 06:52, Julian Field wrote:
> Did anyone try this out? Any progress on resolving this one?
> RedHat are still only on sendmail-8.11 :(

Yesterday RedHat released their new beta. Its codename is Limbo and features among other things, Sendmail 8.12 and Gnome 2.0.

If anyone wants the full writeup I can post it. Also, now that I have my beta cd's downloaded (all 5 of them) I can install it on one of my computers here in the lab and try it out.
--
-=/>Thom

Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-5
Uptime: 8:29am up 19:33, 3 users, load average: 1.25, 1.35, 1.58
Registered Linux User #214499 http://counter.li.org

From LISTSERV at JISCMAIL.AC.UK Thu Jul 4 13:17:09 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:10 2006
Subject: MAILSCANNER: M.A.Broom@UKC.AC.UK requested to join
Message-ID: <200207041217.NAA21797@magpie.ecs.soton.ac.uk>

Thu, 4 Jul 2002 13:17:09

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Martin Broom

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER M.A.Broom@UKC.AC.UK Martin Broom

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER M.A.Broom@UKC.AC.UK Martin Broom
// EOJ

From LISTSERV at JISCMAIL.AC.UK Thu Jul 4 14:38:17 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:10 2006
Subject: MAILSCANNER: rado@INTERSALES.DE left the JISCmail list
Message-ID: <200207041338.OAA28395@magpie.ecs.soton.ac.uk>

Thu, 4 Jul 2002 14:38:17

Andrej Radonic has just left the MAILSCANNER JISCmail list (MailScanner mailing list).
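
The "File descriptors missing on startup: stdout, stderr" warning from the Sendmail 8.12.3 thread above can be reproduced and cured with a small launcher, given here as an added example (it is not code from MailScanner or sendmail): it reports which of descriptors 0-2 a child process inherits closed, then plugs the gaps with /dev/null as a launcher would before exec. The function names and the simulated close mask are assumptions made for the illustration.

```c
/* Added example: detect and repair closed standard descriptors. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bit n is set when descriptor n (0=stdin, 1=stdout, 2=stderr) is closed. */
int missing_std_fds(void)
{
    int mask = 0;
    for (int fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF)
            mask |= 1 << fd;
    return mask;
}

/* Render a mask as "stdout, stderr", in the style of the quoted log line. */
const char *describe_missing(int mask, char *buf, size_t len)
{
    static const char *names[] = { "stdin", "stdout", "stderr" };
    buf[0] = '\0';
    for (int fd = 0; fd <= 2; fd++) {
        if (!(mask & (1 << fd)))
            continue;
        if (buf[0] != '\0')
            strncat(buf, ", ", len - strlen(buf) - 1);
        strncat(buf, names[fd], len - strlen(buf) - 1);
    }
    return buf;
}

/*
 * open() always returns the lowest free descriptor, so opening /dev/null
 * until the result is above 2 fills every hole in 0..2 and nothing else.
 */
int fill_std_fds(void)
{
    int fd;
    do {
        fd = open("/dev/null", O_RDWR);
    } while (fd >= 0 && fd <= 2);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/*
 * Simulate a launcher (hypothetical helper): the child closes the
 * descriptors named in close_mask, optionally repairs them, and exits with
 * the mask a freshly exec'd program would find missing at startup.
 */
int child_view(int close_mask, int repair)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fill_std_fds();                 /* start from a known-good state */
        for (int fd = 0; fd <= 2; fd++)
            if (close_mask & (1 << fd))
                close(fd);
        if (repair)
            fill_std_fds();
        _exit(missing_std_fds());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[64];
    int seen = child_view(0x6, 0);      /* stdout and stderr closed */
    printf("no repair:   missing on startup: %s\n",
           describe_missing(seen, buf, sizeof buf));
    seen = child_view(0x6, 1);
    printf("with repair: missing mask = %d\n", seen);
    return 0;
}
```

A descriptor left closed is not harmless: the next file or socket the program opens is given the lowest free number, so anything later written to stderr lands in that file or connection. Redirecting the child's output to /dev/null, as suggested in the thread, hands it open descriptors in the same way the repair step does.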
From LISTSERV at JISCMAIL.AC.UK Thu Jul 4 14:40:57 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:10 2006
Subject: MAILSCANNER: rado@INTERSALES.DE requested to join
Message-ID: <200207041340.OAA28790@magpie.ecs.soton.ac.uk>

Thu, 4 Jul 2002 14:40:57

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Andrej Radonic

The following membership options have been requested: HTML DIGEST.

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER rado@INTERSALES.DE Andrej Radonic

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER rado@INTERSALES.DE Andrej Radonic
SET MAILSCANNER HTML DIGEST FOR rado@INTERSALES.DE
// EOJ

From kris at JUMPOUT.ORG Thu Jul 4 15:37:06 2002
From: kris at JUMPOUT.ORG (Kris Stumpner)
Date: Thu Jan 12 21:15:10 2006
Subject: extreamly long delays
In-Reply-To: <003401c222e1$4e383e50$40713ed0@billslaptop>
Message-ID:

I'm having a problem similar to this. I keep getting 'Spamassassin timed out and was killed.' I bumped the timeout time for scanning the messages from 10 seconds to 30 seconds and now I don't get this error... BUT, SpamAssassin is taking 15-30 seconds to scan each email.

Kris

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Bill Omer
Sent: Wednesday, July 03, 2002 5:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [MAILSCANNER] extreamly long delays

I have done both.
However, I change:

Check Spam = yes
to Check Spam = no

now everything is flying. After doing a little reading, I've learned that slow dns resolution can cause this problem. However, I don't have a problem at all with resolving domain names.

Any ideas on what I should check for this?

Spam Assassin was working great before (and still does if I run it rather than mailscanner).

Regards,
Bill Omer

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kelly Hamlin
Sent: Wednesday, July 03, 2002 10:12 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: extreamly long delays

Try using delivery method = Queue and set Deliver in background to yes. Also lower your amount of logging in sendmail cf to like 7 from 9. This should help a lot.
What are the specs on your mailserver? Also, what features do you have enabled in your mailscanner.conf?

        //////
       ( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| support@cyberstreet.com
| http://www.cyberstreet.com
|     .oooO
|     (   )   Oooo.
+--- (----(   )----------------------------+
     \_)    ) /
           (_/

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Bill Omer
Sent: Wednesday, July 03, 2002 10:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: extreamly long delays

I'm having some problems regarding very long delays in mail delivery. It seems as if it's getting 'stuck' when there are pieces of mail in the mail queue in the state of Deferred. Right now, I see 315 pieces of mail, all in the state of Deferred (with Connection refused) when I do a mailq. There are also 2157 pieces of mail in /var/spool/mqueue.in, and the number keeps growing.

I have the following set in my mailscanner.conf:

Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 10000000
Max Unsafe Bytes Per Scan = 5000000

I'm pretty sure this has something to do with it.
I've been trying to change the settings here in hopes to increase the speed of both scanning and delivery.

I'm also using
Delivery Method = batch

Any help on this would be great.

Regards,
Bill Omer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020704/0bb22717/attachment.html

From gerry at dorfam.ca Thu Jul 4 16:00:53 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:10 2006
Subject: extreamly long delays
In-Reply-To:
References: <003401c222e1$4e383e50$40713ed0@billslaptop>
Message-ID: <26384.129.80.22.134.1025794853.squirrel@tiger.dorfam.ca>

> I'm having a problem similar to this. I keep getting 'Spamassassin
> timed out and was killed.' I bumped the timeout time for scanning the
> messages from 10 seconds to 30 seconds and now I don't get this error...
> BUT, SpamAssassin is taking 15-30 seconds to scan each email.
>
> Kris
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Bill Omer
> Sent: Wednesday, July 03, 2002 5:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] extreamly long delays
>
>
> I have done both.
>
>
>
> However, I change:
>
> Check Spam = yes
>
> to Check Spam = no
>
>
>
> now everything is flying. After doing a little reading, I've learned
> that
> slow dns resolution can cause this problem. However, I don't have a
> problem at all with resolving domain names.

I've started getting spamassassin timeouts appearing lately too and that's on a small home server. It seems like the RBL checks are really going slowly these days (the heat???). Perhaps these sites have had problems lately???

Gerry

From mailscanner at ecs.soton.ac.uk Thu Jul 4 15:59:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: extreamly long delays
In-Reply-To:
References: <003401c222e1$4e383e50$40713ed0@billslaptop>
Message-ID: <5.1.0.14.2.20020704155725.07f66a68@imap.ecs.soton.ac.uk>

At 15:37 04/07/2002, you wrote:
>I'm having a problem similar to this. I keep getting 'Spamassassin timed
>out and was killed.' I bumped the timeout time for scanning the messages
>from 10 seconds to 30 seconds and now I don't get this error... BUT,
>SpamAssassin is taking 15-30 seconds to scan each email.

Try disabling the rbl checks in SpamAssassin. Edit your /usr/local/MailScanner/etc/spam.assassin.prefs.conf and remove the "#" from the start of the "# skip_rbl_checks 1" line. Sounds like your DNS lookups are a bit on the slow side.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Bill Omer
>Sent: Wednesday, July 03, 2002 5:31 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: [MAILSCANNER] extreamly long delays
>
>I have done both.
>
>However, I change:
>Check Spam = yes
>to Check Spam = no
>
>now everything is flying. After doing a little reading, I've learned that
>slow dns resolution can cause this problem. However, I don't have a
>problem at all with resolving domain names.
>
>Any ideas on what I should check for this?
>
>Spam Assassin was working great before (and still does if I run it rather
>than mailscanner).
>
>Regards,
>Bill Omer
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Kelly Hamlin
>Sent: Wednesday, July 03, 2002 10:12 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: extreamly long delays
>
>Try using delivery method = Queue and set Deliver in background to yes.
>Also lower your amount of logging in sendmail cf to like 7 from 9. This
>should help a lot.
>What are the specs on your mailserver?
>Also, what features do you have
>enabled in your mailscanner.conf?
>
>        //////
>       ( o o )
>+--.oooO--(_)--Oooo.-----------------+
>| [Kelly Hamlin]
>| support@cyberstreet.com
>| http://www.cyberstreet.com
>|     .oooO
>|     (   )   Oooo.
>+--- (----(   )----------------------------+
>     \_)    ) /
>           (_/
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Bill Omer
>Sent: Wednesday, July 03, 2002 10:11 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: extreamly long delays
>
>I'm having some problems regarding very long delays in mail
>delivery. It seems as if it's getting 'stuck' when there are pieces of
>mail in the mail queue in the state of Deferred. Right now, I see 315
>pieces of mail, all in the state of Deferred (with Connection refused)
>when I do a mailq. There are also 2157 pieces of mail in
>/var/spool/mqueue.in, and the number keeps growing.
>
>I have the following set in my mailscanner.conf:
>
>Max Safe Messages Per Scan = 500
>Max Unsafe Messages Per Scan = 100
>Max Safe Bytes Per Scan = 10000000
>Max Unsafe Bytes Per Scan = 5000000
>
>I'm pretty sure this has something to do with it. I've been trying to
>change the settings here in hopes to increase the speed of both scanning
>and delivery.
>
>I'm also using
>Delivery Method = batch
>
>Any help on this would be great.
>
>Regards,
>Bill Omer
>
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Declan.Grady at NUVOTEM.COM Thu Jul 4 16:42:00 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:10 2006
Subject: logs not showing >>>Virus
Message-ID: <20020704164200.B23181@nuvotem.com>

Excuse my stupidity / newbieness ...

>From memory, and from some recent posts on this list, it seems the syslogs should be showing something like >>>Virus xxx blah blah when mailscanner finds a virus.

I don't see anything like this in either messages or in maillog files.

I think I saw this with a (much) earlier version of mailscanner.

Is it my config ? If so, what option(s) ?

Cheers,
Declan

From mailscanner at ecs.soton.ac.uk Thu Jul 4 17:29:34 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: logs not showing >>>Virus
In-Reply-To: <20020704164200.B23181@nuvotem.com>
Message-ID: <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk>

Are you getting any messages from MailScanner in your logs at all? If not, then check your /etc/syslog.conf to see where mail.info is being logged. Add mail.info to your maillog line in /etc/syslog.conf and "kill -HUP" your syslogd.

At 16:42 04/07/2002, you wrote:
>Excuse my stupidity / newbieness ...
>
> >From memory, and from some recent posts on this list, it seems the
> syslogs should be showing something like >>>Virus xxx blah blah when
> mailscanner finds a virus.
>
>I don't see anything like this in either messages or in maillog files.
>
>I think I saw this with a (much) earlier version of mailscanner.
>
>Is it my config ? If so, what option(s) ?
>
>Cheers,
>Declan

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ralloway at CHARTERPA.NET Thu Jul 4 18:00:09 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
In-Reply-To: <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk>
Message-ID:

Hi.

I'm testing mailscanner + spamassassin + f-prot on one of my accounts which receives abuse complaints regarding our users.

Since many of the complaints are about our users sending spam, and the message is included, the complaints are marked as spam.

If I turn on the high score actions, there is a distinct possibility that the complaints will be deleted since they contain high scoring spam.

I don't think using spam.whitelist.conf will work, since you need to enter the sender, not the recipient.

Is there a way around this so that all email to, say, abuse@* will be delivered regardless of score (perhaps even bypass spamassassin completely)?

Of course, I could be way off base...this could be a spamassassin setting, but I'm still new to this whole setup and am not 100% sure...

Thanks!

-Rich

From LISTSERV at JISCMAIL.AC.UK Thu Jul 4 17:59:19 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:10 2006
Subject: MAILSCANNER: scanner@EWART.NET requested to join
Message-ID: <200207041659.RAA15200@magpie.ecs.soton.ac.uk>

Thu, 4 Jul 2002 17:59:19

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Rick Ewart

The following membership options have been requested: CONCEAL.

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER scanner@EWART.NET Rick Ewart

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.
------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER scanner@EWART.NET Rick Ewart SET MAILSCANNER CONCEAL FOR scanner@EWART.NET // EOJ From mailscanner at ecs.soton.ac.uk Thu Jul 4 18:38:04 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:10 2006 Subject: how to let abuse emails through In-Reply-To: References: <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk> At 18:00 04/07/2002, you wrote: >I'm testing mailscanner + spamassassin + f-prot on one of my accounts >which receives abuse complaints regarding our users. >Since many of the complaints are about our users sending spam, and the >message is included, the complaints are marked as spam. >If I turn on the high score actions, there is a distinct possibility that >the complaints will be deleted since they contain high scoring spam. >I don't think using spam.whitelist.conf will work, since you need to enter >the sender, not the recipient. >Is there a way around this so that all email to, say, abuse@* will be >delivered regardless of score (perhaps even bypass spamassassin >completely)? You could use the "Accept Spam From" setting to mark all your internal IP addresses as ones that never generate spam, so they are automatically "white-listed". If you don't use the "High Score" feature, then you could set "abuse@your.domain.com" to have the rule "deliver" in spam.actions.conf (which you will have to enable in the mailscanner.conf file). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Thu Jul 4 18:43:57 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:10 2006 Subject: how to let abuse emails through In-Reply-To: References: <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk> Message-ID: <29118.129.80.22.134.1025804637.squirrel@tiger.dorfam.ca> > Hi. > > I'm testing mailscanner + spamassassin + f-prot on one of my accounts > which receives abuse complaints regarding our users. > > Since many of the complaints are about our users sending spam, and the > message is included, the complaints are marked as spam. > > If I turn on the high score actions, there is a distinct possibility > that the complaints will be deleted since they contain high scoring > spam. > > I don't think using spam.whitelist.conf will work, since you need to > enter the sender, not the recipient. > > Is there a way around this so that all email to, say, abuse@* will be > delivered regardless of score (perhaps even bypass spamassassin > completely)? > > Of course, I could be way off base...this could be a spammassassin > setting, but I'm still new to this whole setup and am not 100% sure... > > Thanks! > > -Rich I could be wrong but I don't think that mailscanner can do a whiltelist on a recipient. In any case, if you really want to scan all these messages (I assume that you're scanning many other users' mail too) then I would use a simple procmail recipe to sort on the To: line looking for "abuse" and forwarding that on to whomever your want to see the message. It won't matter if the message has been marked as {SPAM?} or not. 
Gerry

From ralloway at CHARTERPA.NET Thu Jul 4 19:59:30 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
In-Reply-To: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 4 Jul 2002, Julian Field wrote:

> At 18:00 04/07/2002, you wrote:
> >I'm testing mailscanner + spamassassin + f-prot on one of my accounts
> >which receives abuse complaints regarding our users.
> >Since many of the complaints are about our users sending spam, and the
> >message is included, the complaints are marked as spam.
> >If I turn on the high score actions, there is a distinct possibility that
> >the complaints will be deleted since they contain high scoring spam.
> >I don't think using spam.whitelist.conf will work, since you need to enter
> >the sender, not the recipient.
> >Is there a way around this so that all email to, say, abuse@* will be
> >delivered regardless of score (perhaps even bypass spamassassin
> >completely)?
>
> You could use the "Accept Spam From" setting to mark all your internal IP
> addresses as ones that never generate spam, so they are automatically
> "white-listed".

Unfortunately, that wouldn't fix my problem. Most of the complaints I
receive are from other ISPs so there is no way to know where the
complaints will be from.

> If you don't use the "High Score" feature, then you could set
> "abuse@your.domain.com" to have the rule "deliver" in spam.actions.conf
> (which you will have to enable in the mailscanner.conf file).

I take it there is no way to have it both ways... In a perfect world, I
would have the High Score feature enabled to filter all of our users but
with the abuse@my.domain.com set to deliver.

Is this a possible future feature?

Thanks for the reply!

-Rich

From mailscanner at ecs.soton.ac.uk Thu Jul 4 22:00:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
In-Reply-To:
References: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020704205235.02e92148@imap.ecs.soton.ac.uk>

At 19:59 04/07/2002, you wrote:
>On Thu, 4 Jul 2002, Julian Field wrote:
>
> > At 18:00 04/07/2002, you wrote:
> > >I'm testing mailscanner + spamassassin + f-prot on one of my accounts
> > >which receives abuse complaints regarding our users.
> > >Since many of the complaints are about our users sending spam, and the
> > >message is included, the complaints are marked as spam.
> > >If I turn on the high score actions, there is a distinct possibility that
> > >the complaints will be deleted since they contain high scoring spam.
> > >I don't think using spam.whitelist.conf will work, since you need to enter
> > >the sender, not the recipient.
> > >Is there a way around this so that all email to, say, abuse@* will be
> > >delivered regardless of score (perhaps even bypass spamassassin
> > >completely)?
> >
> > You could use the "Accept Spam From" setting to mark all your internal IP
> > addresses as ones that never generate spam, so they are automatically
> > "white-listed".
>
>Unfortunately, that wouldn't fix my problem. Most of the complaints I
>receive are from other ISPs so there is no way to know where the
>complaints will be from.
>
> > If you don't use the "High Score" feature, then you could set
> > "abuse@your.domain.com" to have the rule "deliver" in spam.actions.conf
> > (which you will have to enable in the mailscanner.conf file).
>
>I take it there is no way to have it both ways... In a perfect world, I
>would have the High Score feature enabled to filter all of our users but
>with the abuse@my.domain.com set to deliver.
>
>Is this a possible future feature?

How about an extension to the Spam White List feature so you can put "to"
addresses in there as well as "from" addresses?

That should cater for your abuse@my.domain.com quite nicely.
If any of you ISP's want to selectively *not* give people spam protection,
then you can do that too. I'm sure a few of you will cash in on that one... :-)

I've just written it.

Speedy Gonzales Software Inc at your service... :-)
(You'll have to be a bit of a Tom and Jerry fan to get that one)

It'll be in the next minor release, which is collecting all the features at
the moment.
Give me a shout if you want it urgently or can wait a week or so for it
just in case anything else comes along.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ldarnis at ESNAOLA.ORG Fri Jul 5 06:26:06 2002
From: ldarnis at ESNAOLA.ORG (Lionel Darnis)
Date: Thu Jan 12 21:15:10 2006
Subject: mailscanner + WOODY + sendmail
Message-ID: <1025846767.811.56.camel@com>

Hi,

I installed sendmail 8.12.3-4 in package mode. It works fine.

I made all the modifications to use mailscanner with Sophos but all emails
stay in the /var/spool/mqueue.in directory ....

Can U help me ?

rights on mqueue.in are the same as mqueue

I don't understand...

thanx for your help

Lionel

From P.G.M.Peters at civ.utwente.nl Fri Jul 5 08:47:27 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
In-Reply-To: <5.1.0.14.2.20020704205235.02e92148@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020704205235.02e92148@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 4 Jul 2002 22:00:43 +0100, you wrote:

>How about an extension to the Spam White List feature so you can put "to"
>addresses in there as well as "from" addresses?

That would be great.

>That should cater for your abuse@my.domain.com quite nicely.
>If any of you ISP's want to selectively *not* give people spam protection,
>then you can do that too. I'm sure a few of you will cash in on that one... :-)
>
>I've just written it.

Thanks.

>Speedy Gonzales Software Inc at your service... :-)
>(You'll have to be a bit of a Tom and Jerry fan to get that one)

:-)

>It'll be in the next minor release, which is collecting all the features at
>the moment.
>Give me a shout if you want it urgently or can wait a week or so for it
>just in case anything else comes along.

Is there something like the Spam White List for viruses? At the
university some people examine viruses and it would be nice to have
them excluded.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From paul-w at BLUEYONDER.CO.UK Fri Jul 5 08:55:42 2002
From: paul-w at BLUEYONDER.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
References: <03f912320230472PCOW024M@blueyonder.co.uk>
Message-ID: <001a01c223f9$5caa2ac0$6a0110ac@sbsplc.com>

Date: Thu, 4 Jul 2002 13:43:57 -0400
From: Gerry Doris
Subject: Re: how to let abuse emails through

> I don't think using spam.whitelist.conf will work, since you need to
> enter the sender, not the recipient.
>
> Is there a way around this so that all email to, say, abuse@* will be
> delivered regardless of score (perhaps even bypass spamassassin
> completely)?

SpamAssassin does all this. See their documentation at
http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html#user%20preferences.
I made the changes to /usr/share/spamassassin/60_whitelist.cf and it works a
treat.

I tried the mailscanner spam.whitelist.conf file, but found it not to be
quite so flexible - it gets overwritten at each upgrade and you need to
restart mailscanner to get the changes to kick in.

Here's the relevant bits from the SpamAssassin documentation:

whitelist_to add@ress.com

 If the given address appears in the To: or Cc: headers, mail will be
whitelisted. Useful if you're deploying SpamAssassin system-wide, and don't
want some users to have their mail filtered. Same format as whitelist_from.
 There are three levels of To-whitelisting, whitelist_to, more_spam_to and
all_spam_to. Users in the first level may still get some spammish mails
blocked, but users in all_spam_to should never get mail blocked.


 more_spam_to add@ress.com

 See above.

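A small model of the To:/Cc: whitelisting described in the documentation quoted above, as an added example that is not part of the original post and is not SpamAssassin's own code. The three level names come from the quote; the sample configuration, the addresses, the helper names and the choice that the strongest matching level wins are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Level names as quoted from the SpamAssassin documentation, weakest first.
LEVELS = ("whitelist_to", "more_spam_to", "all_spam_to")

# Constructed configuration; example.net is a placeholder domain.
SAMPLE_CONF = """\
all_spam_to   abuse@example.net       # complaints quote the spam in full
more_spam_to  postmaster@example.net
whitelist_to  *@lists.example.net
"""

# Constructed complaint of the kind described in the thread.
SAMPLE_COMPLAINT = """\
From: noc@example.org
To: "Abuse Desk" <Abuse@Example.NET>
Cc: hostmaster@example.org
Subject: Spam relayed through your network

----- forwarded message -----
Subject: BUY NOW!!! CLICK HERE!!!
"""


def parse_conf(text):
    """Return (level, pattern) pairs from To-whitelisting lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LEVELS:
            rules.extend((fields[0], pattern.lower()) for pattern in fields[1:])
    return rules


def header_recipients(raw_message):
    """Addresses taken from the To: and Cc: headers only, lower-cased."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def recipient_whitelist_level(raw_message, rules):
    """Strongest level matched by any header recipient, or None.

    Picking the strongest match is an assumption of this model.
    """
    best = None
    for addr in header_recipients(raw_message):
        for level, pattern in rules:
            if fnmatchcase(addr, pattern):
                if best is None or LEVELS.index(level) > LEVELS.index(best):
                    best = level
    return best


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    # The body is never consulted: the decision rests on To:/Cc: alone.
    print(recipient_whitelist_level(SAMPLE_COMPLAINT, rules))
```

A domain wildcard such as abuse@* matches that local part at any domain appearing in To: or Cc:, so the full address is the narrower entry.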
From mailscanner at ecs.soton.ac.uk Fri Jul 5 09:01:52 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:10 2006 Subject: Mailscanner and fetchmail In-Reply-To: <001401c223cc$a33ed620$2b405bca@mohans> References: <5.1.0.14.2.20020704083311.02c251c0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020705090042.04f7ce80@imap.ecs.soton.ac.uk> At 03:35 05/07/2002, you wrote: >Mailscanner obviously looks at files in mqueue.in, scan them and puts >them into mqueue. This means mailscanner does not listen to port 25. >sendmail listen to port 25 and stores the mails in mqueue.in. Thus, can >I call that part of mailscanner which unpacks attachments, scans them >and returns the cleaned file - thro' procmail? No you can't. Sorry. >Alternatively, can a config be provided in mailscanner whereby I mention >local email ids and these mails are delivered to procmail after scanning >instead of sendmail thro' the mqueue directory? Can't easily do that either. The messages are not left in a form that could be given to procmail, they are turned back into queue files. I'll look at this for the next major version, but that won't be any time soon. >Mohan > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] >Sent: Thursday, July 04, 2002 1:06 PM >To: S Mohan >Subject: Re: Mailscanner and fetchmail > > >At 03:23 04/07/2002, you wrote: > >I've not been able to get mails coming thro' fetchmail scanned by > >mailscanner. In my scenario, I've a mail host hosting my domain > >vectrasystems.com. All mails destined for vectrasystems.com does get > >scanned - no issues. For a few users, I'm using fetchmail to pick up > >personal mail from their personal mailbags in different email provider > >domains. Thus those domains are not local and fetchmail delivers to a > >local user specified for each pick up. If I pass these mails to port > >25, the mail will never reach the user on the machine as the domain is > >not local. 
It will introduce a vicious loop too. > >You have to get it to pass in the mail on port 25. You should be able to > >avoid your loop problem by using the virtual user table to handle mail >for >those addresses. > > >Can I call the mailscanner engine as a filter program in procmail? > >No, you can't. MailScanner scans all mail coming in through port 25. > >Post you question on the list, I'm pretty sure there are some fetchmail >users there. >There are quite a few fetchmail questions in the archive, I just >searched using >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?S2=mailscanner&q=fetchmail&s=&f >=&a=&b= > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Jul 5 09:10:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:10 2006 Subject: how to let abuse emails through In-Reply-To: <001a01c223f9$5caa2ac0$6a0110ac@sbsplc.com> References: <03f912320230472PCOW024M@blueyonder.co.uk> Message-ID: <5.1.0.14.2.20020705090938.04f7eec0@imap.ecs.soton.ac.uk> At 08:55 05/07/2002, you wrote: >I tried the mailscanner spam.whitelist.conf file, but found it not to be >quite so flexible - it gets overwritten at each upgrade Not any more it doesn't :) > and you need to >restart mailscanner to get the changes to kick in. It will re-read it the next time it restarts itself (default is every 4 hours). >Here's the relevant bits from the SpamAssassin documentation: > >whitelist_to add@ress.com > > If the given address appears in the To: or Cc: headers, mail will be >whitelisted. Useful if you're deploying SpamAssassin system-wide, and don't >want some users to have their mail filtered. Same format as whitelist_from. 
> There are three levels of To-whitelisting, whitelist_to, more_spam_to and
>all_spam_to. Users in the first level may still get some spammish mails
>blocked, but users in all_spam_to should never get mail blocked.
>
>
> more_spam_to add@ress.com
>
> See above.

Looks like I could have saved myself some time last night... Ho hum.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From m.sapsed at BANGOR.AC.UK Fri Jul 5 09:16:05 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:10 2006
Subject: Don't scan outgoing mail
References: <3D241616.A7B3D4BA@bangor.ac.uk> <4m78iuc9l96brmpuc49vt4b4qpgui8hu1k@4ax.com>
Message-ID: <3D2555C5.FE0ECC0@bangor.ac.uk>

Peter Peters wrote:
>
> On Thu, 4 Jul 2002 10:32:06 +0100, you wrote:
> >Simpler to tell the people who need to send .reg files to rename them with
> >e.g. .txt on the end first?
>
> Do you think they will understand what you tell them? I have had
> somebody not understanding the check for double extensions. And I have a
> hard time explaining them what an extension is. That is the kind of
> people disabling the "view extensions" on their system. They probably
> don't even know they are sending files with that extension.

Fair point. Is it feasible to educate them along the lines of "If you do
learn how to do this, your .reg files will get through. If you don't, they
won't." Maybe I'm over optimistic but I think I've managed to educate some
people here.

I gave up on the double extension thing ages ago and rely on looking for
the bad final ones. IMHO, the double extension is only a threat if the last
one is bad...

Cheers,

Martin

--
Martin Sapsed                            To have no errors
Information Services                     Would be life without meaning
University of Wales, Bangor, LL57 2UX    No struggle, no joy.

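The reasoning in the message above, that a double extension matters only when the last extension is a bad one, worked through as an added example that is not part of the original post and is not MailScanner's filename rules. The deny list, the double-extension pattern, the sample names and the function names are assumptions made for illustration.

```python
import re

# Assumed deny list of final extensions (not MailScanner's shipped rules).
BAD_FINAL_EXTENSIONS = frozenset("bat cmd com exe js lnk pif reg scr vbs".split())

# Assumed generic "two extensions in a row" pattern, allowing padding spaces
# between the visible extension and the real one.
DOUBLE_EXTENSION = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$")

# Constructed attachment names; Edition.scr is the name in the posted log.
SAMPLE_NAMES = [
    "Edition.scr",
    "holiday.jpg   .exe",
    "settings.reg",
    "settings.reg.txt",
    "backup.tar.gz",
    "Edition.SCR. ",
]


def normalise(filename: str) -> str:
    """Reduce an attachment name to the form the desktop will act on.

    Any directory part is dropped, case is folded, and trailing dots and
    spaces are removed because Windows ignores them when opening a file.
    """
    base = re.split(r"[\\/]", filename)[-1]
    return base.rstrip(". \t").lower()


def final_extension(filename: str) -> str:
    """Text after the last dot, or '' when the name has no dot."""
    name = normalise(filename)
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip()


def has_double_extension(filename: str) -> bool:
    return bool(DOUBLE_EXTENSION.search(normalise(filename)))


def verdict(filename: str) -> str:
    """Decide on the final extension; the double extension only adds detail."""
    bad = final_extension(filename) in BAD_FINAL_EXTENSIONS
    double = has_double_extension(filename)
    if bad:
        return "deny-hidden" if double else "deny"
    return "allow-double" if double else "allow"


def review(names):
    """Map each name to its verdict, for a quick side-by-side look."""
    return {name: verdict(name) for name in names}


if __name__ == "__main__":
    for name, result in review(SAMPLE_NAMES).items():
        print(f"{name!r:24} {result}")
```

A rule keyed on the final extension catches Edition.scr, which a double-extension rule alone never sees, and it lets settings.reg.txt through, which is the rename workaround discussed in the thread.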
From Declan.Grady at NUVOTEM.COM Fri Jul 5 09:14:27 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:10 2006
Subject: logs not showing >>>Virus
In-Reply-To: <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Thu, Jul 04, 2002 at 05:29:34PM +0100
References: <20020704164200.B23181@nuvotem.com> <5.1.0.14.2.20020704172500.02b25660@imap.ecs.soton.ac.uk>
Message-ID: <20020705091427.B1790@nuvotem.com>

Yes, I get the usual messages from mailscanner in the /var/log/maillog file
(Snippet from 'tail -100 /var/log/maillog | grep mailscanner' shown below)

My syslog.conf contains the line 'mail.* /var/log/maillog' which I think
should cover all mail logging ?

Maybe the '>>>Virus' has become 'Possible virus' .. ?

Cheers,
Declan

Jul 5 08:47:28 mail mailscanner[17020]: Scanning 1 messages, 8020 bytes
Jul 5 08:47:28 mail mailscanner[17020]: Scanned 1 messages, 8020 bytes in 0 seconds
Jul 5 08:47:58 mail mailscanner[17020]: Scanning 4 messages, 259676 bytes
Jul 5 08:47:59 mail mailscanner[17020]: Possible virus hidden in a screensaver in Edition.scr
Jul 5 08:47:59 mail mailscanner[17020]: Found 2 viruses in messages g657jOCG017225
Jul 5 08:47:59 mail mailscanner[17020]: Scanned 4 messages, 259676 bytes in 1 seconds
Jul 5 08:47:59 mail mailscanner[17020]: Deleted infected messages g657iOCG017225
Jul 5 08:47:59 mail mailscanner[17020]: Notified postmaster about 1 infections
Jul 5 08:47:59 mail mailscanner[17020]: Scanning 1 messages, 1872 bytes
Jul 5 08:47:59 mail mailscanner[17020]: Scanned 1 messages, 1872 bytes in 0 seconds

On Thu, Jul 04, 2002 at 05:29:34PM +0100, Julian Field mentioned:
> Are you getting any messages from MailScanner in your logs at all? If not,
> then check your /etc/syslog.conf to see where mail.info is being logged.
>
> Add mail.info to your maillog line in /etc/syslog.conf and "kill -HUP" your
> syslogd.
>
> At 16:42 04/07/2002, you wrote:
> >Excuse my stupidity / newbieness ...
> >
> > >From memory, and from some recent posts on this list, it seems the
> > syslogs should be showing something like >>>Virus xxx blah blah when
> > mailscanner finds a virus.
> >
> >I don't see anything like this in either messages or in maillog files.
> >
> >I think I saw this with a (much) earlier version of mailscanner.
> >
> >Is it my config ? If so, what option(s) ?
> >
> >Cheers,
> >Declan
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

From m.sapsed at BANGOR.AC.UK Fri Jul 5 09:22:23 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
References: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020704205235.02e92148@imap.ecs.soton.ac.uk>
Message-ID: <3D25573F.985E4EC5@bangor.ac.uk>

Peter Peters wrote:
> >Speedy Gonzales Software Inc at your service... :-)
> >(You'll have to be a bit of a Tom and Jerry fan to get that one)

[OT] Don't recall Speedy being in Tom & Jerry - though he had his own toons
(sometimes with Sylvester?)

> Is there something like the Spam White List for viruses? At the
> university some people examine viruses and it would be nice to have
> them excluded.

Whenever I want to send a virus to someone I usually zip it up although
these days you probably have to rename the file too. (My thread convergence
detector has just gone off! ;-)

Cheers,

Martin

--
Martin Sapsed                            To have no errors
Information Services                     Would be life without meaning
University of Wales, Bangor, LL57 2UX    No struggle, no joy.

From mailscanner at ecs.soton.ac.uk Fri Jul 5 09:32:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:10 2006
Subject: how to let abuse emails through
In-Reply-To: <3D25573F.985E4EC5@bangor.ac.uk>
References: <5.1.0.14.2.20020704183301.0343c5c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020704205235.02e92148@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020705093127.04f7eec0@imap.ecs.soton.ac.uk>

At 09:22 05/07/2002, you wrote:
>Peter Peters wrote:
> > >Speedy Gonzales Software Inc at your service... :-)
> > >(You'll have to be a bit of a Tom and Jerry fan to get that one)
>
>[OT] Don't recall Speedy being in Tom & Jerry - though he had his own toons
>(sometimes with Sylvester?)

I thought Speedy was Jerry's long-lost Mexican cousin...

> > Is there something like the Spam White List for viruses? At the
> > university some people examine viruses and it would be nice to have
> > them excluded.
>
>Whenever I want to send a virus to someone I usually zip it up although
>these days you probably have to rename the file too. (My thread convergence
>detector has just gone off! ;-)

Password-protected zip file is the easiest solution by far.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Fri Jul 5 14:12:45 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: Newbie question.. mailscanner fail to start with mcafee
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA65@lkl22.ltkalmar.se>

Hi

I've installed the mailscanner RedHat Linux RPM package version 3.21-1 and
the latest McAfee uvscan to my comp

The installation of Mailscanner passed without any errors and I changed the
mailscann.conf to point to mcafee

But when I try to start it I get the following msg

root@knubbis root]# /etc/rc.d/init.d/mailscanner start
Starting MailScanner daemons:
 incoming sendmail: [ OK ]
 outgoing sendmail: [ OK ]
 MailScanner: Configuration file /opt/sophos/bin/sophoswrapper could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 64.
 [ OK ]

I tried to change the line in config.pl to use mcafee but no change.
Since I'm not good at script I don't wanna mess around so I'm hoping you can
give me some information

Packages are installed under
/usr/local/Mailscanner
/usr/local/uvscan

I did a search in the archives but couldn't find anything that helped me

Kind Regards
/Anders

-------------- next part --------------
# Configuration file for MailScanner E-Mail Virus Scanner
# This file assumes everything is in the default locations provided
# by the MailScanner and RedHat 6.2 and upwards.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.

# User to run as (not normally used for sendmail)
#Run As User = mail

# Group to run as (not normally used for sendmail)
#Run As Group = mail

# In every batch of virus-scanning, limit the maximum
# a) number of text-only messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of text-only messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000

# To avoid resource leaks, re-start periodically.
Restart Every = 14400 # 4 hours

# Name of this host, or just "the MailScanner" if you want to hide this info.
# It can be placed in the Help Desk note contained in virus warnings sent to users.
Host name = the MailScanner

# Add this extra header to all mail as it is scanned.
# (this must *include* terminating colon).
Mail Header = X-MailScanner:

# Set the mail header to these values for clean/infected messages.
Clean Header = Found to be clean
Infected Header = Found to be infected
Disinfected Header = Disinfected

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected message attachments (if they are kept)
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id so you can easily stop the scanner
Pid File = /usr/local/MailScanner/var/virus.pid

# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
Filename Rules = /usr/local/MailScanner/etc/filename.rules.conf

# Log all the filenames that are allowed by the Filename Rules, or just
# the filenames that are denied?
Log Permitted Filenames = no

# Set where to find the message text sent to users when one of their
# attachments has been quarantined.
Stored Virus Message Report = /usr/local/MailScanner/etc/stored.virus.message.txt
Stored Bad Filename Message Report = /usr/local/MailScanner/etc/stored.filename.message.txt

# Set where to find the message text sent to users when one of their
# attachments has been deleted.
Deleted Virus Message Report = /usr/local/MailScanner/etc/deleted.virus.message.txt
Deleted Bad Filename Message Report = /usr/local/MailScanner/etc/deleted.filename.message.txt

# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
Disinfected Report = /usr/local/MailScanner/etc/disinfected.report.txt

# Set location of incoming mail queue
# and location of outgoing mail queue.
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue

# Set whether to use sendmail or exim (default is sendmail)
MTA = sendmail

# Set how to invoke MTA when sending created message
# (e.g. to sender/recipient saying "found a virus in your message")
Sendmail = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It defaults to the value supplied for Sendmail.
# It is the command used to attempt delivery of outgoing
# (scanned/cleaned) messages.
# This is not usually required for sendmail.
#Sendmail2 = /usr/sbin/exim -C /etc/exim_send.conf

# What syslog "facility" should we use for logging?
# If that means nothing to you, then leave this option alone or
# else read "man syslog.conf" before making any changes.
Log Facility = mail

# Do you want to scan email for viruses?
# A few people have wanted to disable the entire virus scanning.
Virus Scanning = yes

# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.panda.com (?), or
# rav from www.rav.com (?)
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of virus scanners. For example:
# Virus Scanner = sophos, f-prot
#
Virus Scanner = mcafee

# Where the Virus scanner is installed. This is the command needed to run it.
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of commands, **in the same order** as they are listed
# in the "Virus Scanner" keyword just above. For example:
# Sweep = /usr/local/Sophos/bin/sophoswrapper, /usr/local/f-prot/f-protwrapper
#
mcafee = /usr/local/uvscan/mcafeewrapper

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Expand TNEF attachments using an external program?
# This should be "yes" except for Sophos and McAfee (when it can be "no")
# as Sophos and McAfee have the facility built-in.
Expand TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
TNEF Expander = /usr/local/MailScanner/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# What should the attachments be called that replace virus-infected files?
Attachment Warning Filename = VirusWarning.txt

# Should these replacements be attachments (yes) or in the message body (no)
Warning Is Attachment = yes

# Should we scan all messages, including plain-text messages which are normally
# harmless? This should be "yes" since the MyParty message appeared.
Scan All Messages = yes

# Once we have removed viruses from an email message and replaced them with
# VirusWarning.txt attachments, should we deliver the clean result to the
# original recipients (or just delete them if "no")?
Deliver To Recipients = yes

# Do you want to put some text on the front of the subject line when
# it contained a virus which has been removed
Virus Modify Subject = yes

# What text do we want to put on the front (gets followed by a " ")
Virus Subject Text = {VIRUS?}

# Deliver messages with viruses removed to their original recipients
# if they came from a local address, or just delete them so no-one knows
# we have a virus outbreak on our site?
Deliver From Local Domains = yes

# Notify the senders of infected messages that they should check out
# their systems?
# This can be 3 different values:
# yes = Notify all senders of viruses in mail they sent
# no = Do not notify any senders of viruses in mail they sent
# local = Only notify senders of viruses in mail they sent if they
# appear in the list of Local Domains
Notify Senders = local

# Set where to find the message text sent to the senders of infected
# messages.
#Sender Report = /usr/local/MailScanner/etc/sender.report.txt
Sender Virus Report = /usr/local/MailScanner/etc/sender.virus.report.txt
Sender Bad Filename Report = /usr/local/MailScanner/etc/sender.filename.report.txt
Sender Error Report = /usr/local/MailScanner/etc/sender.error.report.txt

# Notify the local postmaster when any infections are found?
Notify Local Postmaster = yes

# Include the full headers of each message in the postmaster notification?
Postmaster Gets Full Headers = no

# Set email address of who to notify about any infections found.
# Should put your full domain name here too,
# e.g. postmaster@your.domain.com
Local Postmaster = postmaster

# Set what to do with infected attachments or messages.
# keep ==> Store under the "Quarantine Dir"
# delete ==> Just delete them
#Action = delete
Action = keep

# Do you want to quarantine the original *entire* message as well as
# just the infected attachment
Quarantine Whole Message = no

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones
Deliver Disinfected Files = yes

# Local domain name, or filename containing a list of local domain names
# The file supports blank entries, '#' and ';' comment characters and
# uses the first word off each line. This should be compatible with all
# such lines in a sendmail or Exim configuration file.
#Local Domains = /usr/local/MailScanner/etc/localdomains.conf Local Domains = soho-data.com # Filename containing a list (1 on each line) of the exact names of # viruses you want to quietly delete or quarantine without informing # the sender. Any email messages containing one # of the viruses listed in this file will be quietly deleted. The only # person who will be warned about the virus will be the local postmaster. # # Make the virus names in this file as specific as possible, in order # to avoid any accidents with files which both # 1) have a filename containing the name of a listed viruses, *and* # 2) are infected with viruses whose names are not listed. # # In other words, you will be just fine so long as you list the exact # names of viruses, e.g. "W32/Klez-H" and "W32/Klez-G", not just # generic names that catch many different viruses, e.g. "Klez". #Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf # Mark infected messages in the message body. # There can now be more than 1 of these configuration lines here, so you can # break the warning message over multiple lines. Mark Infected Messages = yes Inline Text Warning = Warning: This message has had one or more attachments removed. Inline Text Warning = Warning: Please read the "VirusWarning.txt" attachment(s) for more information. Inline HTML Warning =

Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information.

# Sign clean messages in the message body. # There can be more than 1 of these configuration lines here, so you can # break the signature message over multiple lines. # Note that enabling this option will add to the overall system load as some # major optimisations will no longer be possible! Sign Clean Messages = no Inline Text Signature = -- Inline Text Signature = This message has been scanned for viruses and Inline Text Signature = dangerous content by MailScanner, and is Inline Text Signature = believed to be clean. Inline HTML Signature =
-- Inline HTML Signature =
This message has been scanned for viruses and Inline HTML Signature =
dangerous content by Inline HTML Signature = MailScanner, Inline HTML Signature = and is
believed to be clean. # Do you want to archive all mail in a directory for later inspection? # Be warned if you are in the UK: this may well be illegal due to RIPA # and DPA restrictions! Archive Mail = no # Where to store the mail archive. # Be warned: this is likely to get big very quickly. Archive Mail Dir = /var/spool/MailArchive # # Per-Domain Scanning and Spam Detection # # Do we want to only scan certain named domains for viruses and spam? Scanning By Domain = no # Filename listing all the domains we want to scan Domains To Scan = /usr/local/MailScanner/etc/domains.to.scan.conf # Do we want to add a MailScanner header to messages we have not scanned Sign Unscanned Messages = yes # What do we want to put in the header Unscanned Header = not scanned: please contact your email provider for details # # Spam Detection # # Should the anti-spam checks be done on all incoming messages? Spam Checks = yes # Set the name of the extra header to add to all messages found to be # likely spam. Spam Header = X-MailScanner-SpamCheck: # Do you want to put some text on the front of the subject line when # we think it is spam? Spam Modify Subject = yes # What text do we want to put on the front (gets followed by a " ") Spam Subject Text = {SPAM?} # Action to take when a message is detected as being spam: # deliver ==> Deliver it to the recipient # store ==> Move it to the quarantine # delete ==> Delete it completely # or else it can be a filename containing per-user and per-domain spam # actions. #Spam Action = /usr/local/MailScanner/etc/spam.actions.conf Spam Action = deliver # Do we want to log every spam message, including why it was spam? # Doing so may well slow down a busy server. Log Spam = no # Do we have the SpamAssassin package installed? # This is a very good, very clever heuristics-based spam checker. 
# For more info & installation instructions, see http://spamassassin.taint.org/ Use SpamAssassin = no # Set the maximum size of message which we will check with SpamAssassin # Don't set this too large as your system load will get very high processing # huge messages. Max SpamAssassin Size = 50000 # Set the maximum time to allow SpamAssassin to process 1 message SpamAssassin Timeout = 10 # Set the location of the SpamAssassin user_prefs file. If you want to # stop SpamAssassin doing all the RBL checks again, then you can add # "skip_rbl_checks = 1" to this file. # This must be defined if "Compile SpamAssasin Once = yes". SpamAssassin Prefs File = /usr/local/MailScanner/etc/spam.assassin.prefs.conf # Set this option to yes to enable the automatic whitelisting functions # available within SpamAssassin. This will cause addresses from which you # get real mail to be marked, so that it never incorrectly tags mail from # there as being spam. # Note: Personally, I would always set this to yes, but the functionality # is quite new so I didn't want to enable it by default in case there # are problems with it. SpamAssassin Auto Whitelist = no # Should we compile all the SpamAssassin code once, or do it separately # for every message. There certainly used to be bugs in SpamAssassin # that meant this needed to be switched off, but these may have been # fixed. It is a lot faster with it switched on. # If you get a lot of false positives from SpamAssassin, switch this off. Compile SpamAssassin Once = yes # If you set this to yes, then the SpamAssassin report header will be # included in all messages, not just those which are spam. Always Include SpamAssassin Report = no # Set the threshold score, above which a message is labelled as being # "High Scoring". If this value is set, then all messages with a # SpamAssassin score greater than this will have the "High Scoring # Spam Action" applied to them. 
#High SpamAssassin Score = 20 # Set the action to apply to all high scoring messages. All high # scoring messages will obey this action, regardless of any entries # in the "Spam Action" file. # This can be one of the 3 values "deliver", "store" or "delete". #High Scoring Spam Action = store # Set the list of database names and their corresponding DNS domains. # All of these databases work in a similar way, allowing the simple use # of multiple databases. # See www.ordb.org and www.mail-abuse.org for more information. # Note: If also using SpamAssassin, it is quicker to comment out all # these and let SpamAssassin do it (which it does by default). # Note: There is a complete list of these databases at # http://www.declude.com/JunkMail/Support/ip4r.htm. Spam List = ORDB-RBL, relays.ordb.org. # You might find these 3 useful as well. #Spam List = spamcop.net, bl.spamcop.net. #Spam List = Infinite-Monkeys, proxies.relays.monkeys.com. #Spam List = osirusoft.com, relays.osirusoft.com. # MAPS now charge for their services, so you'll have to buy a contract before # attempting to use the next 3 lines. #Spam List = MAPS-RBL, blackholes.mail-abuse.org. #Spam List = MAPS-DUL, dialups.mail-abuse.org. #Spam List = MAPS-RSS, relays.mail-abuse.org. # This next line works for JANET UK Academic sites only #Spam List = MAPS-RBL+, rbl-plus.mail-abuse.ja.net. # And build a similar list for the RBL domains that work on the name # of the domain rather than the IP address of the exact machine that # is listed. This way the RBL controllers can blacklist entire # domains very quickly and easily. # These are disabled by default, as they will slow down the spam checks. #Spam Domain List = RFC-IGNORANT-DSN, dsn.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-POSTMASTER, postmaster.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-ABUSE, abuse.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-WHOIS, whois.rfc-ignorant.org. 
# Set the maximum total time per message to do all "Spam List" checks Spam List Timeout = 5 # Define local networks from whom you should always accept mail, and # never mark it as spam. This is useful in case your own mail servers # are ever in the ORBS or MAPS lists. #Accept Spam From = 152.78. #Accept Spam From = 139.166. # Define a list of email addresses and email domains from whom you should # always accept mail, and never mark it as spam. This is useful in case # someone you correspond with a lot has their mail servers in the ORBS or # MAPS lists. Spam White List = /usr/local/MailScanner/etc/spam.whitelist.conf # # Advanced Features # ================= # # Don't bother changing anything below this unless you really know what # you are doing. # # Set Debug to 1 to stop it running as a daemon # and produce more verbose output Debug = 0 # Attempt immediate delivery of messages, or just place them in the outgoing # queue for the MTA to deliver at a time of its own choosing? # If attempting immediate delivery, do them one at a time, # or do them in batches of 30 at a time? # Delivery Method = queue # Delivery Method = individual Delivery Method = batch # How to lock spool files. # Don't set this unless you *know* you need to. # For sendmail, it defaults to "flock". # For Exim, it defaults to "posix". # No other type is implemented. #Lock Type = flock # Where to put the virus scanning engine lock files. # These lock files are used between MailScanner and the virus signature # "autoupdate" scripts, to ensure that they aren't both working at the # same time (which could cause MailScanner to let a virus through). Lock File Dir = /tmp # What to do when you get several MailScanner headers in one message, # from multiple MailScanner servers. 
Values are # "append" : Append the new data to the existing header # "add" : Add a new header # "replace" : Replace the old data with the new data # Default is "append" Multiple Headers = append # Some versions of Microsoft Outlook generate unparsable Rich Text # format attachments. Do we want to deliver these bad attachments anyway? # Setting this to yes introduces the slight risk of a virus getting through, # but if you have a lot of troubled Outlook users you might need to do this. # We are working on a replacement for the TNEF decoder. Deliver Unparsable TNEF = no # When attempting delivery of outgoing messages, should we do it in the # background or wait for it to complete? The danger of doing it in the # background is that the machine load goes ever upwards while all the # slow sendmail processes run to completion. However, running it in the # foreground may cause the mail server to run too slowly. Deliver In Background = yes # Minimum acceptable code stability status -- if we come across code # that's not at least as stable as this, we barf. # This is currently only used to check that you don't end up using untested # virus scanner support code without realising it. # Levels used are: # none - there may not even be any code. # unsupported - code may be completely untested, a contributed dirty hack, # anything, really. # alpha - code is pretty well untested. Don't assume it will work. # beta - code is tested a bit. It should work. # supported - code *should* be reliable. # # Don't even *think* about setting this to anything other than "beta" or # "supported" on a system that receives real mail until you have tested it # yourself and are happy that it is all working as you expect it to. # Don't set it to anything other than "supported" on a system that could # ever receive important mail. 
Minimum Code Status = supported

From combs at MAGNET.FSU.EDU Fri Jul 5 14:31:03 2002
From: combs at MAGNET.FSU.EDU (Tom Combs)
Date: Thu Jan 12 21:15:11 2006
Subject: unix passed to setlogsock
Message-ID:

Hello,

I'm occasionally getting the following message on the console and not
in the logs:

unix passed to setlogsock, but path not available at
/usr/local/mailscanner/bin/logger.pl line 43

I've looked at logger.pl but still don't know what to make of it.

Any ideas?

TIA,
Tom Combs

--
Tom Combs                                 E-mail: combs@magnet.fsu.edu
National High Magnetic Field Laboratory   Phone: (850) 644-1657
1800 E. Paul Dirac Drive
Tallahassee, FL 32310

From nwp at LEMON-COMPUTING.COM Fri Jul 5 14:35:06 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:11 2006
Subject: no more virusscanning
In-Reply-To:
References:
Message-ID: <20020705133506.GU24443@hoiho.nz.lemon-computing.com>

On Wed, Jul 03, 2002 at 01:24:38PM +0200, Peter Peters wrote:

> I see f-prot is run in /var/spool/MailScanner/incoming with the command
> "/opt/f-prot/f-prot -old -archive -dumb .". But when I look in that
> directory I only see .headers files. And when I extend the logging a bit
> more I get "Error: Cannot open message file.".
>
> I am running MailScanner 3.20-4.

Sounds like f-prot is getting confused about where it lives. I've just recently
downloaded the latest f-prot and notice that it *really* prefers to live in
/usr/local/f-prot... this is IMHO extremely slack of someone.

I'd expect that it would 'just work' if you move your f-prot installation to
/usr/local/f-prot.

Please let me know if you work out what is/has been going on; I'll be looking
into it over the next few days in any case.


Cheers,


Nick

--
Nick Phillips -- nwp@lemon-computing.com
Don't plan any hasty moves. You'll be evicted soon anyway.

From mailscanner at ecs.soton.ac.uk Fri Jul 5 14:45:09 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: Newbie question.. mailscanner fail to start with mcafee
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA65@lkl22.ltkalmar.se>
Message-ID: <5.1.0.14.2.20020705144353.02c77c48@imap.ecs.soton.ac.uk>

At 14:12 05/07/2002, you wrote:
>I've installed the mailscanner
>RedHat Linux RPM package version 3.21-1
>and the latest McAfee uvscan to my comp
>
>The installation of Mailscanner passed without
>any errors and I change the mailscann.conf
>to point to mcafee
>
>But when I try to start it I get the following msg
>
>root@knubbis root]# /etc/rc.d/init.d/mailscanner start
>Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Configuration file /opt/sophos/bin/sophoswrapper
>could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl
>line 64.
>[ OK ]
>
>I tried to change the line in config.pl to use mcafee
>but no change.

You shouldn't be editing that at all.

>Since I'm not good at script I don't wanna mess around so I'm
>hoping you can give me some information
>Packages are installed under
>/usr/local/Mailscanner
>/usr/local/uvscan

You say you changed "mailscann.conf". That's not what the configuration
file is called, it's "mailscanner.conf".

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From andersan at LTKALMAR.SE Fri Jul 5 14:59:54 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: Newbie question.. mailscanner fail to start with mcafee
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA66@lkl22.ltkalmar.se>

>I've installed the mailscanner
>RedHat Linux RPM package version 3.21-1
>and the latest McAfee uvscan to my comp
>
>The installation of Mailscanner passed without
>any errors and I change the mailscann.conf
>to point to mcafee
>
>But when I try to start it I get the following msg
>
>root@knubbis root]# /etc/rc.d/init.d/mailscanner start
>Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Configuration file /opt/sophos/bin/sophoswrapper
>could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl
>line 64.
>[ OK ]
>
>I tried to change the line in config.pl to use mcafee
>but no change.

>>You shouldn't be editing that at all.

I changed it back, I just tried it but it didn't help

>Since I'm not good at script I don't wanna mess around so I'm
>hoping you can give me some information
>Packages are installed under
>/usr/local/Mailscanner
>/usr/local/uvscan

>>You say you changed "mailscann.conf". That's not what the configuration
>>file is called, it's "mailscanner.conf".

Sorry, a typo from me
I changed the lines in mailscanner.conf to use mcaffe
Virus scanner = mcafee
mcafee = /usr/local/uvscann/mcafeewrapper

From gerry at DORFAM.CA Fri Jul 5 15:06:05 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:11 2006
Subject: no more virusscanning
In-Reply-To: <20020705133506.GU24443@hoiho.nz.lemon-computing.com>
Message-ID:

On Sat, 6 Jul 2002, Nick Phillips wrote:

> On Wed, Jul 03, 2002 at 01:24:38PM +0200, Peter Peters wrote:
>
> > I see f-prot is run in /var/spool/MailScanner/incoming with the command
> > "/opt/f-prot/f-prot -old -archive -dumb .". But when I look in that
> > directory I only see .headers files. And when I extend the logging a bit
> > more I get "Error: Cannot open message file.".
> >
> > I am running MailScanner 3.20-4.
>
> Sounds like f-prot is getting confused about where it lives. I've just recently
> downloaded the latest f-prot and notice that it *really* prefers to live in
> /usr/local/f-prot... this is IMHO extremely slack of someone.
>
> I'd expect that it would 'just work' if you move your f-prot installation to
> /usr/local/f-prot.
>
> Please let me know if you work out what is/has been going on; I'll be looking
> into it over the next few days in any case.
>
>
> Cheers,
>
>
> Nick

I believe the instructions that come with f-prot describe how to set it up
in /usr/local. That's where I put it and it works just fine. I don't
have any reference to it in /opt at all.

The instructions in mailscanner.conf say to add
Sweep=/usr/local/f-prot/f-wrapper if using f-prot.

Am I missing something again???

Gerry

--

"The lyfe so short, the craft so long to learne" Chaucer

From mailscanner at ecs.soton.ac.uk Fri Jul 5 15:06:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: Newbie question.. mailscanner fail to start with mcafee
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA66@lkl22.ltkalmar.se>
Message-ID: <5.1.0.14.2.20020705150558.05082df0@imap.ecs.soton.ac.uk>

At 14:59 05/07/2002, you wrote:
> >I've installed the mailscanner
> >RedHat Linux RPM package version 3.21-1
> >and the latest McAfee uvscan to my comp
> >
> >The installation of Mailscanner passed without
> >any errors and I change the mailscann.conf
> >to point to mcafee
> >
> >But when I try to start it I get the following msg
> >
> >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> >Starting MailScanner daemons:
> > incoming sendmail: [ OK ]
> > outgoing sendmail: [ OK ]
> > MailScanner: Configuration file
>/opt/sophos/bin/sophoswrapper
> >could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl
> >line 64.
> >[ OK ]
> >
> >I tried to change the line in config.pl to use mcafee
> >but no change.
>
> >>You shouldn't be editing that at all.
>
>I changed it back, I just tried it but it didn't help
>
> >Since I'm not good at script I don't wanna mess around so I'm
> >hoping you can give me some information
> >Packages are installed under
> >/usr/local/Mailscanner
> >/usr/local/uvscan
>
> >>You say you changed "mailscann.conf". That's not what the configuration
> >>file is called, it's "mailscanner.conf".
>
>Sorry, a typo from me
>I changed the lines in mailscanner.conf to use mcaffe
>Virus scanner = mcafee
>mcafee = /usr/local/uvscann/mcafeewrapper

Is that "uvscann" a typo or not?
It should of course be "uvscan".

If you can't get it running, and you can give me ssh access and the root
password, I'll log on and sort it out for you.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jul 5 15:09:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: no more virusscanning
In-Reply-To:
References: <20020705133506.GU24443@hoiho.nz.lemon-computing.com>
Message-ID: <5.1.0.14.2.20020705150853.04c2a060@imap.ecs.soton.ac.uk>

At 15:06 05/07/2002, you wrote:
>The instructions in mailscanner.conf say to add
>Sweep=/usr/local/f-prot/f-wrapper if using f-prot.

No, they say "f-protwrapper" not "f-wrapper".

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at DORFAM.CA Fri Jul 5 15:20:54 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: Newbie question.. mailscanner fail to start with mcafee
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA66@lkl22.ltkalmar.se>
Message-ID:

On Fri, 5 Jul 2002, Anders Andersson, IT wrote:

> >I've installed the mailscanner
> >RedHat Linux RPM package version 3.21-1
> >and the latest McAfee uvscan to my comp
> >
> >The installation of Mailscanner passed without
> >any errors and I change the mailscann.conf
> >to point to mcafee
> >
> >But when I try to start it I get the following msg
> >
> >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> >Starting MailScanner daemons:
> > incoming sendmail: [ OK ]
> > outgoing sendmail: [ OK ]
> > MailScanner: Configuration file
> /opt/sophos/bin/sophoswrapper
> >could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl
> >line 64.
> >[ OK ]
> >
> >I tried to change the line in config.pl to use mcafee
> >but no change.
>
> >>You shouldn't be editing that at all.
>
> I changed it back, I just tried it but it didn't help
>
> >Since I'm not good at script I don't wanna mess around so I'm
> >hoping you can give me some information
> >Packages are installed under
> >/usr/local/Mailscanner
> >/usr/local/uvscan
>
> >>You say you changed "mailscann.conf". That's not what the configuration
> >>file is called, it's "mailscanner.conf".
>
> Sorry, a typo from me
> I changed the lines in mailscanner.conf to use mcaffe
> Virus scanner = mcafee
> mcafee = /usr/local/uvscann/mcafeewrapper
>

Do you have any mention of Sophos in mailscanner.conf that isn't commented
out? That should be the only reason mailscanner is trying to use Sophos.

The only time I see messages about Sophos on my system (I use f-prot) is
after I do an update of mailscanner. It happily adds an entry to update
Sophos in /etc/cron.daily that I have to go back and delete.
Gerry

--

"The lyfe so short, the craft so long to learne" Chaucer

From andersan at LTKALMAR.SE Fri Jul 5 15:22:02 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: SV: Newbie question.. mailscanner fail to start with mcafee
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA67@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 5 July 2002 16:07
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: Newbie question.. mailscanner fail to start with mcafee
>
>
> At 14:59 05/07/2002, you wrote:
> > >I've installed the mailscanner
> > >RedHat Linux RPM package version 3.21-1
> > >and the latest McAfee uvscan to my comp
> > >
> > >The installation of Mailscanner passed without
> > >any errors and I change the mailscann.conf
> > >to point to mcafee
> > >
> > >But when I try to start it I get the following msg
> > >
> > >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> > >Starting MailScanner daemons:
> > > incoming sendmail: [ OK ]
> > > outgoing sendmail: [ OK ]
> > > MailScanner: Configuration file
> >/opt/sophos/bin/sophoswrapper
> > >could not be opened for reading! at
> /usr/local/MailScanner/bin/logger.pl
> > >line 64.
> > >[ OK ]
> > >
> > >I tried to change the line in config.pl to use mcafee
> > >but no change.
> >
> > >>You shouldn't be editing that at all.
> >
> >I changed it back, I just tried it but it didn't help
> >
> > >Since I'm not good at script I don't wanna mess around so I'm
> > >hoping you can give me some information
> > >Packages are installed under
> > >/usr/local/Mailscanner
> > >/usr/local/uvscan
> >
> > >>You say you changed "mailscann.conf". That's not what the
> configuration
> > >>file is called, it's "mailscanner.conf".
> >
> >Sorry, a typo from me
> >I changed the lines in mailscanner.conf to use mcaffe
> >Virus scanner = mcafee
> >mcafee = /usr/local/uvscann/mcafeewrapper
>
> Is that "uvscann" a typo or not?
Damn, typo again, excuse my manners

> It should of course be "uvscan".
>
>
> If you can't get it running, and you can give me ssh access
> and the root
> password, I'll log on and sort it out for you.

No ssh is allowed from outside world and that is not something that's
gonna change.
I can pack them and send all files but then I need to know what you need

What I can't understand is why it's giving me errors about sophos.
Maybe I should use the tar file and compile it but since I'm not sure
that will help.

>
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From smohan at VSNL.COM Fri Jul 5 03:35:27 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:15:11 2006
Subject: Mailscanner and fetchmail
In-Reply-To: <5.1.0.14.2.20020704083311.02c251c0@imap.ecs.soton.ac.uk>
Message-ID: <001401c223cc$a33ed620$2b405bca@mohans>

Mailscanner obviously looks at files in mqueue.in, scans them and puts them
into mqueue. This means mailscanner does not listen to port 25. sendmail
listens to port 25 and stores the mails in mqueue.in. Thus, can I call that
part of mailscanner which unpacks attachments, scans them and returns the
cleaned file - thro' procmail?

Alternatively, can a config be provided in mailscanner whereby I mention
local email ids and these mails are delivered to procmail after scanning
instead of sendmail thro' the mqueue directory?

Mohan

-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Thursday, July 04, 2002 1:06 PM
To: S Mohan
Subject: Re: Mailscanner and fetchmail

At 03:23 04/07/2002, you wrote:
>I've not been able to get mails coming thro' fetchmail scanned by
>mailscanner. In my scenario, I've a mail host hosting my domain
>vectrasystems.com. All mails destined for vectrasystems.com does get
>scanned - no issues. For a few users, I'm using fetchmail to pick up
>personal mail from their personal mailbags in different email provider
>domains. Thus those domains are not local and fetchmail delivers to a
>local user specified for each pick up. If I pass these mails to port
>25, the mail will never reach the user on the machine as the domain is
>not local. It will introduce a vicious loop too.

You have to get it to pass in the mail on port 25. You should be able to
avoid your loop problem by using the virtual user table to handle mail for
those addresses.

>Can I call the mailscanner engine as a filter program in procmail?

No, you can't. MailScanner scans all mail coming in through port 25.

Post your question on the list, I'm pretty sure there are some fetchmail
users there. There are quite a few fetchmail questions in the archive, I
just searched using
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?S2=mailscanner&q=fetchmail&s=&f=&a=&b=

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From K.Jackson at UNL.AC.UK Fri Jul 5 15:24:58 2002
From: K.Jackson at UNL.AC.UK (Ken Jackson)
Date: Thu Jan 12 21:15:11 2006
Subject: Away on a trip
Message-ID: <01KJQM31ZEAA00159Z@tara.unl.ac.uk>

Ken Jackson is away from the office from Mon 8th July until Mon 29th July.

Please direct any enquiries to: Operators@unl.ac.uk

Thank you.

Regards,

Ken Jackson,
Systems Administrator.
University of North London.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Voice : +44 (0)20 7753 3163 (Ext: 2504) Fax : +44 (0)20 7753 3315 E-Mail : k.jackson@unl.ac.uk URL : http://www2.unl.ac.uk/~jacksonk ---------------------------------------------------------------- From gerry at DORFAM.CA Fri Jul 5 15:24:00 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:11 2006 Subject: no more virusscanning In-Reply-To: <5.1.0.14.2.20020705150853.04c2a060@imap.ecs.soton.ac.uk> Message-ID: On Fri, 5 Jul 2002, Julian Field wrote: > At 15:06 05/07/2002, you wrote: > >The instructions in mailscanner.conf say to add > >Sweep=/usr/local/f-prot/f-wrapper if using f-prot. > > No, they say "f-protwrapper" not "f-wrapper". Of course you're correct. My fingers were moving faster than my mind...a very easy thing to do! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From P.G.M.Peters at civ.utwente.nl Fri Jul 5 15:27:45 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:11 2006 Subject: no more virusscanning In-Reply-To: <20020705133506.GU24443@hoiho.nz.lemon-computing.com> References: <20020705133506.GU24443@hoiho.nz.lemon-computing.com> Message-ID: <2vabiuceduknfd9bfcro52e41cvhn65ggf@4ax.com> On Sat, 6 Jul 2002 01:35:06 +1200, you wrote: >> I see f-prot is run in /var/spool/MailScanner/incoming with the command >> "/opt/f-prot/f-prot -old -archive -dumb .". But when I look in that >> directory I only zie .headers files. And when I extend the logging a bit >> more I get "Error: Cannot open message file.". >> >> I am running MailScanner 3.20-4. > >Sounds like f-prot is getting confused about where it lives. I've just recently >downloaded the latest f-prot and notice that it *really* prefers to live in >/usr/local/f-prot... this is IMHO extremely slack of someone. Oop. Forgot to tell I solved the problem. Was a big error from my side. I installed the new engine but somehow I deleted a file f-prot needed (ENGLISH.TX0). 
The "message file" indicated in the error didn't point to the message files MailScanner generated but to the binary file ENGLISH.TX0 in which (I now learned) are the messages f-prot shows. Restoring the file didn't work at first because I changed f-protwrapper to generate some output in a file. And f-prot generated the right output but it went into the file and not into MailScanner. :-( After cleaning f-protwrapper everything went all right. But it helped me to get some better understanding on the workings of MailScanner and f-prot and their interactions.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente,
Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From andersan at LTKALMAR.SE Fri Jul 5 15:35:04 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: SV: Newbie question.. mailscanner fail to start with mcafee
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA68@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Gerry Doris [mailto:gerry@DORFAM.CA]
> Sent: 5 July 2002 16:21
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: Newbie question.. mailscanner fail to start with mcafee
>
>
> On Fri, 5 Jul 2002, Anders Andersson, IT wrote:
>
> > >I've installed the mailscanner
> > >RedHat Linux RPM package version 3.21-1
> > >and the latest McAfee uvscan to my comp
> > >
> > >The installation of Mailscanner passed without
> > >any errors and I change the mailscann.conf
> > >to point to mcafee
> > >
> > >But when I try to start it I get the following msg
> > >
> > >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> > >Starting MailScanner daemons:
> > > incoming sendmail: [ OK ]
> > > outgoing sendmail: [ OK ]
> > > MailScanner: Configuration file
> > /opt/sophos/bin/sophoswrapper
> > >could not be opened for reading! at
> /usr/local/MailScanner/bin/logger.pl
> > >line 64.
> > >[ OK ]
> > >
> > >I tried to change the line in config.pl to use mcafee
> > >but no change.
> >
> > >>You shouldn't be editing that at all.
> >
> > I changed it back, I just tried it but it didnt help
> >
> > >Since Im not good at script I dont wanna mess around so Im
> > >hoping you can give me some information
> > >Packages are instlled under
> > >/usr/local/Mailscanner
> > >/usr/local/uvscan
> >
> > >>You say you changed "mailscann.conf". That's not what the
> configuration
> > >>file is called, it's "mailscanner.conf".
> >
> > Sorry, a typo from me
> > I changed the lines in mailscanner.conf to use mcaffe
> > Virus scanner = mcafee
> > mcafee = /usr/local/uvscan/mcafeewrapper(fixed typo)
> >
>
> Do you have any mention of Sophos in mailscanner.conf that
> isn't commented
> out? That should be the only reason mailscanner is trying to
> use Sophos.

Nope, I changed the above lines for pointing to mcafee

>
> The only time I see messages about Sophos on my system (I use
> f-prot) is
> after I do an update of mailscanner. It happily adds an
> entry to update
> Sophos in /etc/cron.daily that I have to go back and delete.
>
> Gerry
> --
>
> "The lyfe so short, the craft so long to learne" Chaucer
>

From mailscanner at ecs.soton.ac.uk Fri Jul 5 15:35:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: SV: Newbie question.. mailscanner fail to start with mcafee
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA67@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20020705153208.04c29f18@imap.ecs.soton.ac.uk>

At 15:22 05/07/2002, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 5 July 2002 16:07
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: SV: Newbie question..
mailscanner fail to start with mcafee
> >
> >
> > At 14:59 05/07/2002, you wrote:
> > > >I've installed the mailscanner
> > > >RedHat Linux RPM package version 3.21-1
> > > >and the latest McAfee uvscan to my comp
> > > >
> > > >The installation of Mailscanner passed without
> > > >any errors and I change the mailscann.conf
> > > >to point to mcafee
> > > >
> > > >But when I try to start it I get the following msg
> > > >
> > > >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> > > >Starting MailScanner daemons:
> > > > incoming sendmail: [ OK ]
> > > > outgoing sendmail: [ OK ]
> > > > MailScanner: Configuration file
> > >/opt/sophos/bin/sophoswrapper
> > > >could not be opened for reading! at
> > /usr/local/MailScanner/bin/logger.pl
> > > >line 64.
> > > >[ OK ]
> > > >
> > > >I tried to change the line in config.pl to use mcafee
> > > >but no change.
> > >
> > > >>You shouldn't be editing that at all.
> > >
> > >I changed it back, I just tried it but it didnt help
> > >
> > > >Since Im not good at script I dont wanna mess around so Im
> > > >hoping you can give me some information
> > > >Packages are instlled under
> > > >/usr/local/Mailscanner
> > > >/usr/local/uvscan
> > >
> > > >>You say you changed "mailscann.conf". That's not what the
> > configuration
> > > >>file is called, it's "mailscanner.conf".
> > >
> > >Sorry, a typo from me
> > >I changed the lines in mailscanner.conf to use mcaffe
> > >Virus scanner = mcafee
> > >mcafee = /usr/local/uvscann/mcafeewrapper
> >
> > Is that "uvscann" a typo or not?
>Damn, typo again, excuse my manners
>
> > It should of course be "uvscan".
> >
> >
> > If you can't get it running, and you can give me ssh access
> > and the root
> > password, I'll log on and sort it out for you.
>
>No ssh is allowed from outside world and that is not
>something thats gona change.
>I can pack them and send all files but
>then I need to know what you need
>
>What I cant understand is why its giving me errors about
>sophos.
Maybe I should use the tar file and compile it
>but since Im not sure that will help.

Let's check a few things (and please check the upper/lower case of everything):

Your MailScanner is installed in "/usr/local/MailScanner",
Your McAfee is installed "/usr/local/uvscan",
You haven't edited "/usr/local/MailScanner/bin/check_mailscanner" at all,
You have put "Virus Scanner = mcafee" in your /usr/local/MailScanner/etc/mailscanner.conf,
You have put "Sweep = /usr/local/uvscan/mcafeewrapper" in your /usr/local/MailScanner/etc/mailscanner.conf.
You haven't edited "/etc/rc.d/init.d/mailscanner" at all.

The error you are getting implies that it can't read your /usr/local/MailScanner/etc/mailscanner.conf file, or else it can't read the definition of "Sweep" in it (or there is more than 1 definition of "Sweep").
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jase at SENSIS.COM Fri Jul 5 15:44:08 2002
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: Newbie question.. mailscanner fail to start with mcafee
Message-ID:

> >I've installed the mailscanner
> >RedHat Linux RPM package version 3.21-1
> >and the latest McAfee uvscan to my comp
> >
> >The installation of Mailscanner passed without
> >any errors and I change the mailscann.conf
> >to point to mcafee
> >
> >But when I try to start it I get the following msg
> >
> >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> >Starting MailScanner daemons:
> > incoming sendmail: [ OK ]
> > outgoing sendmail: [ OK ]
> > MailScanner: Configuration file
> /opt/sophos/bin/sophoswrapper
> >could not be opened for reading! at
> /usr/local/MailScanner/bin/logger.pl
> >line 64.
> >[ OK ]
> >
> >I tried to change the line in config.pl to use mcafee
> >but no change.
>
> >>You shouldn't be editing that at all.
>
> I changed it back, I just tried it but it didnt help
>
> >Since Im not good at script I dont wanna mess around so Im
> >hoping you can give me some information
> >Packages are instlled under
> >/usr/local/Mailscanner
> >/usr/local/uvscan
>
> >>You say you changed "mailscann.conf". That's not what the
> configuration
> >>file is called, it's "mailscanner.conf".
>
> Sorry, a typo from me
> I changed the lines in mailscanner.conf to use mcaffe
> Virus scanner = mcafee
> mcafee = /usr/local/uvscann/mcafeewrapper
  ^^^^^^

Shouldn't that be "Sweep = /usr/local/uvscann/mcafeewrapper" ?

From andersan at LTKALMAR.SE Fri Jul 5 15:47:45 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: SV: SV: Newbie question.. mailscanner fail to start with mcaf ee ## Problem solved ##
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA69@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 5 July 2002 16:36
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: SV: Newbie question.. mailscanner fail to start with
> mcafee
>
>
> At 15:22 05/07/2002, you wrote:
> > > -----Original Message-----
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: 5 July 2002 16:07
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: SV: Newbie question..
mailscanner fail to start
> with mcafee
> > >
> > >
> > > At 14:59 05/07/2002, you wrote:
> > > > >I've installed the mailscanner
> > > > >RedHat Linux RPM package version 3.21-1
> > > > >and the latest McAfee uvscan to my comp
> > > > >
> > > > >The installation of Mailscanner passed without
> > > > >any errors and I change the mailscann.conf
> > > > >to point to mcafee
> > > > >
> > > > >But when I try to start it I get the following msg
> > > > >
> > > > >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> > > > >Starting MailScanner daemons:
> > > > > incoming sendmail: [ OK ]
> > > > > outgoing sendmail: [ OK ]
> > > > > MailScanner: Configuration file
> > > >/opt/sophos/bin/sophoswrapper
> > > > >could not be opened for reading! at
> > > /usr/local/MailScanner/bin/logger.pl
> > > > >line 64.
> > > > >[ OK ]
> > > > >
> > > > >I tried to change the line in config.pl to use mcafee
> > > > >but no change.
> > > >
> > > > >>You shouldn't be editing that at all.
> > > >
> > > >I changed it back, I just tried it but it didnt help
> > > >
> > > > >Since Im not good at script I dont wanna mess around so Im
> > > > >hoping you can give me some information
> > > > >Packages are instlled under
> > > > >/usr/local/Mailscanner
> > > > >/usr/local/uvscan
> > > >
> > > > >>You say you changed "mailscann.conf". That's not what the
> > > configuration
> > > > >>file is called, it's "mailscanner.conf".
> > > >
> > > >Sorry, a typo from me
> > > >I changed the lines in mailscanner.conf to use mcaffe
> > > >Virus scanner = mcafee
> > > >mcafee = /usr/local/uvscann/mcafeewrapper
> > >
> > > Is that "uvscann" a typo or not?
> >Damn, typo again, excuse my manners
> >
> > > It should of course be "uvscan".
> > >
> > >
> > > If you can't get it running, and you can give me ssh access
> > > and the root
> > > password, I'll log on and sort it out for you.
> >
> >No ssh is allowed from outside world and that is not
> >something thats gona change.
> >I can pack them and send all files but
> >then I need to know what you need
> >
> >What I cant understand is why its giving me errors about
> >sophos. Maybe I should use the tar file and compile it
> >but since Im not sure that will help.
>
> Let's check a few things (and please check the upper/lower
> case of everything):
>
> Your MailScanner is installed in "/usr/local/MailScanner",

yes

> Your McAfee is installed "/usr/local/uvscan",

yes

> You haven't edited
> "/usr/local/MailScanner/bin/check_mailscanner" at all,

No

> You have put "Virus Scanner = mcafee" in your
> /usr/local/MailScanner/etc/mailscanner.conf,

Yes

> You have put "Sweep = /usr/local/uvscan/mcafeewrapper" in your
> /usr/local/MailScanner/etc/mailscanner.conf.

No, I added "mcaffe = /usr/local/uvscan/mcafeewrapper"
Oh I wonder what I was thinking when I did that.... probably of MimeSweeper and thought, hey, it should say mcafee
I changed it and now it started without problem....

Thanks for all the help, now I'm gonna do some testing and see what it does about contaminated files =)

> You haven't edited "/etc/rc.d/init.d/mailscanner" at all.

No

>
> The error you are getting implies that it can't read your
> /usr/local/MailScanner/etc/mailscanner.conf file, or else it
> can't read the
> definition of "Sweep" in it (or there is more than 1
> definition of "Sweep").
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From andersan at LTKALMAR.SE Fri Jul 5 15:48:45 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: SV: SV: Newbie question.. mailscanner fail to start with mcafee
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6A@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Desai, Jason [mailto:jase@SENSIS.COM]
> Sent: 5 July 2002 16:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: Newbie question..
mailscanner fail to start with mcafee
>
>
> > >I've installed the mailscanner
> > >RedHat Linux RPM package version 3.21-1
> > >and the latest McAfee uvscan to my comp
> > >
> > >The installation of Mailscanner passed without
> > >any errors and I change the mailscann.conf
> > >to point to mcafee
> > >
> > >But when I try to start it I get the following msg
> > >
> > >root@knubbis root]# /etc/rc.d/init.d/mailscanner start
> > >Starting MailScanner daemons:
> > > incoming sendmail: [ OK ]
> > > outgoing sendmail: [ OK ]
> > > MailScanner: Configuration file
> > /opt/sophos/bin/sophoswrapper
> > >could not be opened for reading! at
> > /usr/local/MailScanner/bin/logger.pl
> > >line 64.
> > >[ OK ]
> > >
> > >I tried to change the line in config.pl to use mcafee
> > >but no change.
> >
> > >>You shouldn't be editing that at all.
> >
> > I changed it back, I just tried it but it didnt help
> >
> > >Since Im not good at script I dont wanna mess around so Im
> > >hoping you can give me some information
> > >Packages are instlled under
> > >/usr/local/Mailscanner
> > >/usr/local/uvscan
> >
> > >>You say you changed "mailscann.conf". That's not what the
> > configuration
> > >>file is called, it's "mailscanner.conf".
> >
> > Sorry, a typo from me
> > I changed the lines in mailscanner.conf to use mcaffe
> > Virus scanner = mcafee
> > mcafee = /usr/local/uvscann/mcafeewrapper
>   ^^^^^^
>
> Shouldn't that be "Sweep = /usr/local/uvscann/mcafeewrapper" ?

Yes, I realised that after a while, sorry for mixing it up =(

From LISTSERV at JISCMAIL.AC.UK Fri Jul 5 15:50:41 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:11 2006
Subject: MAILSCANNER: k.jackson@UNL.AC.UK left the JISCmail list
Message-ID: <200207051450.PAA04905@magpie.ecs.soton.ac.uk>

Fri, 5 Jul 2002 15:50:41

k.jackson@UNL.AC.UK has just left the MAILSCANNER JISCmail list (MailScanner mailing list).
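
The checks Julian lists in the thread above (a readable mailscanner.conf, a "Virus Scanner" setting, exactly one "Sweep" definition pointing at a readable wrapper) can be scripted. This is an added example, not part of the original messages and not MailScanner code; it assumes plain "key = value" lines with "#" comments and case-insensitive key names, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the two mailscanner.conf settings from the thread.
# Assumptions (not taken from MailScanner itself): "key = value" lines,
# "#" starts a comment line, key names are matched case-insensitively.

# check_scanner_conf CONF
# Prints one finding per line; returns 0 only when nothing is wrong.
check_scanner_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 1
    fi
    parsed=$(awk '
        /^[ \t]*#/ { next }              # commented-out settings do not count
        index($0, "=") == 0 { next }     # not a "key = value" line
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key)
            if (key == "virus scanner") scanner = tolower(val)
            if (key == "sweep") { nsweep++; sweep = val }
            seen[key] = val
        }
        END {
            if (scanner == "")
                print "ERROR: no \"Virus Scanner\" setting"
            if (nsweep == 0)
                print "ERROR: no \"Sweep\" setting, so the wrapper path is never read"
            if (nsweep > 1)
                print "ERROR: " nsweep " \"Sweep\" settings, expected exactly 1"
            # The mistake from the thread: the scanner name used as the key.
            if (scanner != "" && (scanner in seen))
                print "ERROR: \"" scanner " = " seen[scanner] "\" is not a setting; use \"Sweep = " seen[scanner] "\""
            if (nsweep == 1) print "SWEEP=" sweep
        }' "$conf")

    status=0
    errs=$(printf '%s\n' "$parsed" | grep '^ERROR:' || true)
    if [ -n "$errs" ]; then
        printf '%s\n' "$errs"
        status=1
    fi
    sweep=$(printf '%s\n' "$parsed" | sed -n 's/^SWEEP=//p')
    if [ -n "$sweep" ] && [ ! -r "$sweep" ]; then
        echo "ERROR: Sweep wrapper $sweep is missing or unreadable"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: one Sweep definition, wrapper readable: $sweep"
    fi
    return "$status"
}

# write_sample DIR KIND
# Writes a constructed DIR/mailscanner.conf plus an empty stand-in wrapper file.
write_sample() {
    dir=$1
    : > "$dir/mcafeewrapper"   # stand-in for /usr/local/uvscan/mcafeewrapper
    case $2 in
        broken)  # what the poster had: scanner name where "Sweep" belongs
            printf '%s\n' '# Sweep = /opt/sophos/bin/sophoswrapper' \
                'Virus scanner = mcafee' \
                "mcafee = $dir/mcafeewrapper" ;;
        fixed)
            printf '%s\n' 'Virus Scanner = mcafee' \
                "Sweep = $dir/mcafeewrapper" ;;
    esac > "$dir/mailscanner.conf"
}

# Run both constructed samples through the checker.
demo() {
    tmp=$(mktemp -d) || return 1
    for kind in broken fixed; do
        write_sample "$tmp" "$kind"
        echo "== $kind =="
        check_scanner_conf "$tmp/mailscanner.conf" || true
    done
    rm -rf "$tmp"
}
demo
```

On a real installation the function would be pointed at /usr/local/MailScanner/etc/mailscanner.conf, the path used in the thread.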
From andersan at LTKALMAR.SE Fri Jul 5 16:10:45 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:11 2006
Subject: Succes in handling virus mail
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6B@lkl22.ltkalmar.se>

Hi

Just thought I should tell you after my mistake it works fine. Sorry for that =(
Now I'm gonna fix all small things like messages and so on

Thanks for all the help

But there is one thing I don't understand?
In the mailscanner.conf there is a line
Expand TNEF = no (changed from yes)
since I use mcafee.
But since I use mcafee on the Exchange I was wondering
what do I do if I use a second scanner in mailscan
that doesn't support TNEF?

Kind regards
/Anders

From mailscanner at ecs.soton.ac.uk Fri Jul 5 16:23:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: Succes in handling virus mail
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6B@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20020705162216.051cf7f0@imap.ecs.soton.ac.uk>

At 16:10 05/07/2002, you wrote:
>But there is one thing i dont understand?
>In the mailscanner.conf the is a line
>Expand TNEF = no (changed from yes)
>since I use mcaffe.
>But since I use mcaffee on the Exchange I was wondering
>what do I do if I use a second scanner in mailscan
>that doesnt support TNEF?

Just set it to yes. Setting it to "no" if you are *only* using Sophos or McAfee just saves time, it doesn't do any harm if it is "yes".
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From ink at INCONNU.ISU.EDU Fri Jul 5 16:56:36 2002
From: ink at INCONNU.ISU.EDU (Craig Kelley)
Date: Thu Jan 12 21:15:11 2006
Subject: Just installed MailScanner
Message-ID:

At 20:47 03/07/2002, you wrote:

>> I've been running Mailscanner for some weeks now, and I got a report
>> today that none of the email was being delivered.
I noted that the mailscanner
>> program wasn't running, so I started it back up. It uses up a bit of CPU
>> time and spins around for a while (ending up with 200 items in the
>> incomming/ directory) and then dies. If I run it in debug mode it does
>> this:
>>
>> # ./mailscanner /var/spool/mailscanner/etc/mailscanner.conf
>> In Debugging mode, not forking...
>> #
>>
>> No message, nothing. Any ideas?
>
> Try changing the "Multiple Headers" option. On a few systems "append" can
> make it core dump due to bugs in Perl itself. When you run it in debug
> mode, has it actually reduced the number of messages in
> /var/spool/mqueue.in?

It hadn't, but I changed the Delivery Method to 'individual' and then it delivered some messages (there were 1100 in the queue) and started behaving itself. I then switched off debug mode and it's been running for an hour now without a problem.

> Anything in the maillog?

Nothing special.

> There is a possibility that 1 message is killing it (this is very
> unlikely but has been known). Set the number of messages per batch to,
> say, 10 and re-run it. This should help you narrow down exactly what
> message is causing the trouble, if this is the problem at all.

That could have been the reason.

What's the recommended value for "Multiple Headers"?

>> PS- Where can I download the source for the mailscanner program?
>
> Errr... it's written in Perl. You've already got it :-)

/me smacks head. I hadn't thought of viewing the actual mailscanner program.

--
Craig Kelley -- kellcrai@isu.edu -- This document is rot26-encoded, and protected from being read by the DMCA and all other WIPO treaty nations.
http://www.isu.edu/~kellcrai finger ink@inconnu.isu.edu for PGP block

From mailscanner at ecs.soton.ac.uk Fri Jul 5 17:10:14 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: Just installed MailScanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020705170726.02b02088@imap.ecs.soton.ac.uk>

At 16:56 05/07/2002, you wrote:
>At 20:47 03/07/2002, you wrote:
>
> >> I've been running Mailscanner for some weeks now, and I got a report
> >> today that none of the email was being delivered. I noted that the
> mailscanner
> >> program wasn't running, so I started it back up. It uses up a bit of CPU
> >> time and spins around for a while (ending up with 200 items in the
> >> incomming/ directory) and then dies. If I run it in debug mode it does
> >> this:
> >>
> >> # ./mailscanner /var/spool/mailscanner/etc/mailscanner.conf
> >> In Debugging mode, not forking...
> >> #
> >>
> >> No message, nothing. Any ideas?
> >
> > Try changing the "Multiple Headers" option. On a few systems "append" can
> > make it core dump due to bugs in Perl itself. When you run it in debug
> > mode, has it actually reduced the number of messages in
> > /var/spool/mqueue.in?
>
>It hadn't, but I changed the Delivery Method to 'individual' and then it
>delivered some messages (there were 1100 in the queue) and started
>behaving itself. I then switched off debug mode and it's been running for
>an hour now without a problem.

In debug mode, it doesn't fork and only does 1 pass, it doesn't go round and get more messages. I would switch on "Deliver in Background = yes" if you haven't got it already, and go back to "batch" mode at the same time.

> > Anything in the maillog?
>
>Nothing special.
>
> > There is a possibility that 1 message is killing it (this is very
> > unlikely but has been known). Set the number of messages per batch to,
> > say, 10 and re-run it.
This should help you narrow down exactly what
> > message is causing the trouble, if this is the problem at all.
>
>That could have been the reason.
>
>What's the reccomended value for "Multiple Headers"?

Normally it should be "append", it's mainly useful for sites that have multiple mail servers running MailScanner, so they can each write a "X-MailScanner:" header value without overwriting previous ones. The reg-exps to do it are pretty hairy though!

> >> PS- Where can I download the source for the mailscanner program?
> >
> > Errr... it's written in Perl. You've already got it :-)
>
>/me smacks head. I hadn't thought of viewing the actual mailscanner
>program.

:-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From x.mailscanner.mail at MELLONI.COM Fri Jul 5 17:15:56 2002
From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni)
Date: Thu Jan 12 21:15:11 2006
Subject: Installing prerequisite packages
Message-ID:

Hi,

Although mailscanner is quite well documented, it has a chain of dependencies of other packages that are not quite as clear (SpamAssassin, a virus scanner, sendmail, CPAN's Net::DNS, Razor or DCC, MRTG, etc - plus an eventual O/S hardening with Bastille to keep a hacker from undoing our antispam work).

So far I installed the obvious ones and they appear to be working (sendmail-8.11.6-3, mailscanner-3.21-1, spamassassin-2.20-1 rpm) since I get the mailscanner and spamassassin header lines. The next step appears to be installing the virus scanner (I'll use f-prot since it is free for home use), Net::DNS spamassassin module and Razor.

I have a couple questions:

1) Am I missing any steps? Should I install yet something else?

2) Since I installed spamassassin from RPM, could the Net::DNS module or Razor have been included already? How can I check?

3) Has anybody written yet an install & configuration guide that lists all the independent pieces to download, install and configure (and in which order)?

4) Have I interpreted correctly that with mailscanner 3.21-1 all spamassassin configuration is done through the /usr/local/MailScanner/etc/spam.assassin.prefs.conf and that I should just take the defaults in all the spamassassin-provided config files?

5) Am I overkilling by enabling in sendmail FEATURE('blacklist_recipients') and FEATURE('dnsbl')? These seem to be already handled via the spam.assassin.prefs.conf file.

6) Do any ports other than SMTP (25) and Ident(113) need to be open on the mail scanner box? Or in other words, does mailscanner or any of the prerequisite packages depend on ports for their operation?

7) Is there a way to check that the virus scanner got called? I just installed f-prot (and updated the mailscanner conf for it), seems to run, but I see no indication in the logs nor headers that the virus scanner actually got called.

Sorry about so many questions, but they are kind of important when doing a real-life setup and I couldn't find answers anywhere. Maybe some of the answers could be added to the FAQ?

Thanks,

Bruno

From bill at DISTMIRR.COM Fri Jul 5 16:32:12 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:11 2006
Subject: extreamly long delays
In-Reply-To: <5.1.0.14.2.20020704083818.04e30140@imap.ecs.soton.ac.uk>
Message-ID: <000701c22439$21ff9910$40713ed0@billslaptop>

>
> Do you have any "Spam List" entries or "Spam Domain List" entries? If so,
> try switching spam checking back on, but comment out all the "Spam List"
> and "Spam Domain List" entries. That will leave you just running
> SpamAssassin, so you'll be able to get a better idea of exactly what is
> running slowly.

Nope, I don't have any "Spam List" or "Spam Domain List" entries, and I have also added the skip_rbl_checks 1 line to my spam.assassin.prefs.conf file.
I am not seeing a change as far as speed goes.

I did compile spamass-milter and enabled milter in my sendmail.mc file, and started it as well as spamd when I load up the QueueOnly copy of sendmail. With this setup, it goes like normal (very fast). It too does not do any rbl checks. However, I'm not able to get the functionality that I would/should be getting by using mailscanner.

The functionality that I would really like to be able to achieve would be deleting all high-scoring (15+) spam. Of course, I would like to only use mailscanner, not have to worry about using milter or any milter-applications. However, until I'm able to figure out what's causing these very long delays, I'm forced to either do no spam checking, or use the milter.

Do you know of a way I could make this happen using spamass-milter? If so, then I'll just use it and be done with it. This actually might be an all around speedier way of doing things. Maybe a future version of MS could suggest using it? Are there any down sides that I should be aware of while using spamass-milter with MS?

Regards,
Bill Omer

From mailscanner at ecs.soton.ac.uk Fri Jul 5 17:39:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: extreamly long delays
In-Reply-To: <000701c22439$21ff9910$40713ed0@billslaptop>
References: <5.1.0.14.2.20020704083818.04e30140@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020705173857.03200490@imap.ecs.soton.ac.uk>

At 16:32 05/07/2002, you wrote:
> > Do you have any "Spam List" entries or "Spam Domain List" entries? If
>so,
> > try switching spam checking back on, but comment out all the "Spam
>List"
> > and "Spam Domain List" entries. That will leave you just running
> > SpamAssassin, so you'll be able to get a better idea of exactly what
>is
> > running slowly.
>
>Nope, I don't have any "Spam List" or "Spam Domain List" entries, and I
>have also added the skip_rbl_checks 1 line to my
>spam.assassin.prefs.conf file.
>I am not seeing a change as far as speed goes.

Are you using "Compile SpamAssassin Once = yes"? Having that set to no will nobble the speed quite a bit.

>I did compile spamass-milter and enabled milter in my sendmail.mc file,
>and started it as well as spamd when I load up the QueueOnly copy of
>sendmail. With this setup, it goes like normal (very fast). It too
>does not do any rbl checks. However, I'm not able to get the
>functionality that I would/should be getting by using mailscanner.
>
>The functionality that I would really like to be able to achieve would
>be deleting all high-scoring (15+) spam. Of course, I would like to
>only use mailscanner, not have to worry about using milter or any
>milter-applications. However, until I'm able to figure out what's
>causing these very long delays, I'm forced to either do no spam
>checking, or use the milter.
>
>Do you know of a why I could make this happen using spamass-milter? If
>so, then I'll just use it and be done with it. This actually might be
>an all around speedier way of doing things. Maybe a future version of
>MS could suggest using it? Are there any down sides that I should be
>aware of while using spamass-milter with MS?
>
>Regards,
>Bill Omer

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jul 5 17:53:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:11 2006
Subject: Installing prerequisite packages
In-Reply-To:
Message-ID: <5.1.0.14.2.20020705174053.031f6e58@imap.ecs.soton.ac.uk>

At 17:15 05/07/2002, you wrote:
>Although mailscanner is quite well documented, it has a chain of
>dependencies of other packages that are not quite as clear
>(SpamAssassin, a virus scanner, sendmail, CPAN's Net:DNS, Razor or DCC,
>MRTG, etc - plus an eventual O/S hardening with Bastille to keep a
>hacker from undoing our antispam work).
All of those except sendmail (or Exim) are optional. So they aren't "dependencies", they are optional add-ins. I have quite a few users who, for example, run without a virus scanner as they can't afford one or have some other product already doing that for them. If you want to enable extra features, then sure, you're going to have to install other software to support that. I personally don't bother using Razor or DCC. SpamAssassin has a few requirements such as Net::DNS, but I cannot be responsible to keeping up to date documenting someone else's code. If you are installing SpamAssassin, then I think it is quite reasonable that you should need to look at SpamAssassin's installation guide for instructions and their dependencies. >So far I installed the obvious ones and they appear to be working >(sendmail-8.11.6-3, mailscanner-3.21-1, spamassassin-2.20-1 rpm) since I >get the mailscanner and spamassassing header lines. The next step >appears to be installing the virus scanner (I'll use f-prot since it is >free for home use), Net::DNS spamassassin module and Razor. Again, you don't need Razor. Installing Net::DNS is pretty much a 1-liner. You are a sysadmin. Don't expect everything to be gift-wrapped for you. If you use the RPM distribution, it does most of the hard work for you anyway (installing required Perl modules as necessary for MailScanner). 99% of the comments I get on this subject say how *easy* it is to install. >I have a couple questions: > >1) Am I missing any steps? Should I install yet something else? > >2) Since I installed spamassassin from RPM, could the Net::DNS module or >Razor have been included already? How can I check? Try using it, it will complain if the modules are missing. >3) Has anybody written yet an install & configuration guide that lists >all the independent pieces to download, install and configure (and in >which order)? We are working on an automatic configuration script to set up the mailscanner.conf file for you. 
>4) Have I interpreted correctly that with mailscanner 3.21-1 all >spamassassin configuration is done through the >/usr/local/MailScanner/etc/spam.assassin.prefs.conf and that I should >just take the defaults in all the spamassassin-provided config files? Yes. Start by using the defaults so you can learn how it works before you start experimenting with all the parameters. >5) Am I overkilling by enabling in sendmail >FEATURE('blacklist_recipients') and FEATURE('dnsbl')? These seem to be >already handled via the spam.assassin.prefs.conf file. I would always use at least the first of those. MailScanner (and/or SpamAssassin) will do the DNSBL job for you. >6) Do any ports other than SMTP (25) and Ident(113) need to be open on >the mail scanner box? Or in other words, does mailscanner or any of the >prerequisite packages depend on ports for their operation? Ident doesn't need to be open. Neither MailScanner nor any of its prerequisites requires incoming access on any other ports. >7) Is there a way to check that the virus scanner got called? I just >installed f-prot (and updated the mailscanner conf for it), seems to run, >but I see no indication in the logs nor headers that the virus scanner >actually got called. Why not try sending yourself a test message with a virus in it? If you want a nice harmless "test" virus, download the sample file from www.eicar.org which all the virus scanners will detect. >Sorry about so many questions, but they are kind of important when doing >a real-life setup and I couldn't find answers anywhere. Maybe some of the >answer could be added to the FAQ? Even better, how about you write a contribution to the FAQ that explains some of these points from the point of view of a user? I'll happily publish it (though I reserve the right to edit it). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Jul 5 18:00:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: extreamly long delays -- 3.22 In-Reply-To: <5.1.0.14.2.20020705173857.03200490@imap.ecs.soton.ac.uk> References: <000701c22439$21ff9910$40713ed0@billslaptop> <5.1.0.14.2.20020704083818.04e30140@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020705175845.031fa4d8@imap.ecs.soton.ac.uk> One other point: 3.22 will log the spam as it detects it, rather than when it delivers/stores/deletes it, so between the "Scanning" and "Scanned" messages you will get the spam logs so you can see more easily whether it is the spam detection or the virus detection that is taking most of the time. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From x.mailscanner.mail at MELLONI.COM Fri Jul 5 18:39:10 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:11 2006 Subject: Installing prerequisite packages Message-ID: Thanks for the reply to my long list of questions. I apologize if I gave the impression of finding Mailscanner difficult. On the contrary, I find it quite easy and clear. I did have some misunderstandings as to "how necessary" the other non-mailscanner pieces were, and some difficulty with their documentation. I noticed your efforts to consolidate all configuration (including spamassin's and the virus scanners) into mailscanner/etc directory. It makes things a lot easier, since it allows "default" installs of those other packages. I would be glad to contribute an FAQ section for a sophisticated-home-user/small-business setup of mailscanner/spamassassin/f-prot. I am currently tied-up fortifying the security of my home network after a hacker/spammer assault (I ticked-off a spammer), but if you have not heard from me in 60 days feel free to remind me of my promise. In the meantime I have an addition to the FAQ: "Should install f-prot before mailscanner. f-prot creates a symbolic link from /usr/local/f-prot to the actual f-prot directory during install. If mailscanner is installed first and creates the f-prot directory, then the f-prot install does not behave as expected. The problem caused is easily fixed by moving the mailscanner files and creating the symbolic link manually.". 
Bruno From mailscanner at ecs.soton.ac.uk Fri Jul 5 19:09:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: Installing prerequisite packages In-Reply-To: Message-ID: <5.1.0.14.2.20020705190802.0417ff30@imap.ecs.soton.ac.uk> At 18:39 05/07/2002, you wrote: >I apologize if I gave the impression of finding Mailscanner difficult. On >the contrary, I find it quite easy and clear. I did have some >misunderstandings as to "how necessary" the other non-mailscanner pieces >were, and some difficulty with their documentation. I'm not quite sure what I can do about this. Any suggestions welcome. >I noticed your efforts to consolidate all configuration (including >spamassin's and the virus scanners) into mailscanner/etc directory. It >makes things a lot easier, since it allows "default" installs of those other >packages. Thanks. >I would be glad to contribute an FAQ section for a >sophisticated-home-user/small-business setup of >mailscanner/spamassassin/f-prot. I am currently tied-up fortifying the >security of my home network after a hacker/spammer assault (I ticked-off a >spammer), but if you have not heard from me in 60 days feel free to remind >me of my promise. Cheers! >In the meantime I have an addition to the FAQ: "Should install f-prot >before mailscanner. f-prot creates a symbolic link from /usr/local/f-prot >to the actual f-prot directory during install. If mailscanner is installed >first and creates the f-prot directory, then the f-prot install does not >behave as expected. The problem caused is easily fixed by moving the >mailscanner files and creating the symbolic link manually.". Added. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From bill at DISTMIRR.COM Fri Jul 5 18:15:31 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:11 2006 Subject: extreamly long delays -- 3.22 In-Reply-To: <5.1.0.14.2.20020705175845.031fa4d8@imap.ecs.soton.ac.uk> Message-ID: <000101c22447$90fb6e30$40713ed0@billslaptop> > > One other point: 3.22 will log the spam as it detects it, rather than when > it delivers/stores/deletes it, so between the "Scanning" and "Scanned" > messages you will get the spam logs so you can see more easily whether it > is the spam detection or the virus detection that is taking most of the > time. I see that you only have 3.22 in an rpm package. Any plans to make a tarball? Regards, Bill Omer From bill at DISTMIRR.COM Fri Jul 5 18:12:53 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:11 2006 Subject: extreamly long delays In-Reply-To: <5.1.0.14.2.20020705173857.03200490@imap.ecs.soton.ac.uk> Message-ID: <000001c22447$32f52600$40713ed0@billslaptop> > > Are you using "Compile SpamAssassin Once = yes"? Having that set to no > will > nobble the speed quite a bit. > Yeap, I have "Compile SpamAssassin Once = yes" in my mailscanner.conf file. As noted in your other email about 3.22, I'm currently using 3.21. I'll go download 3.22 and see if that will fix anything. Also, right now (with 3.21), I'm not seeing any spam messages while using just mailscanner. Let me go install the new version and I'll see what happens. 
Regards, Bill Omer From mailscanner at ecs.soton.ac.uk Fri Jul 5 19:43:48 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: extreamly long delays -- 3.22 In-Reply-To: <000101c22447$90fb6e30$40713ed0@billslaptop> References: <5.1.0.14.2.20020705175845.031fa4d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020705194243.02f5a4c8@imap.ecs.soton.ac.uk> At 18:15 05/07/2002, you wrote: > > > > One other point: 3.22 will log the spam as it detects it, rather than >when > > it delivers/stores/deletes it, so between the "Scanning" and "Scanned" > > messages you will get the spam logs so you can see more easily whether >it > > is the spam detection or the virus detection that is taking most of >the > > time. > >I see that you only have 3.22 in an rpm package. Any plans to make a >tarball? 3.22 tar is there, but not linked from anywhere as I haven't released it officially yet. It is still subject to change... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From chatchaw at CCWF.CC.UTEXAS.EDU Fri Jul 5 20:32:24 2002 From: chatchaw at CCWF.CC.UTEXAS.EDU (Chatchawan Dejitthirat) Date: Thu Jan 12 21:15:11 2006 Subject: Failed to lock /var/spool/mqueue.in/qfg65IWbm29468 with unexpected error[29482]: Bad file number Message-ID: Hello, I've installed mailscanner and Mcafee on a Solaris8 machine. I've followed the installation instructions. However, as soon as I started sending mail to the machine, I get the following error: Jul 5 14:00:01 denali root[29482]: MailScanner E-Mail Virus Scanner version 3.20 starting. Jul 5 14:00:01 denali root[29482]: Configuring mailscanner for sendmail... 
Jul 5 14:00:01 denali lock.pl sees Config[29482]: :LockType = Jul 5 14:00:01 denali lock.pl sees MTA[29482]: :LockType = flock Jul 5 14:00:01 denali root[29482]: lock.pl sees have_module = 0 Jul 5 14:00:01 denali root[29482]: Using locktype = flock Jul 5 14:00:01 denali Failed to lock /var/spool/mqueue.in/qfg65IWbm29468 with unexpected error[29482]: Bad file number Jul 5 14:00:01 denali last message repeated 5 times The problem seems to be at Sendmail.pl:ClearOutQueue() module. I have put all sendmail queue and Mailscanner's incoming and quarantine on the same FS but it still doesn't help. Any help is appreciated. Thanks, Chatchawan From chatchaw at CCWF.CC.UTEXAS.EDU Fri Jul 5 20:48:27 2002 From: chatchaw at CCWF.CC.UTEXAS.EDU (Chatchawan Dejitthirat) Date: Thu Jan 12 21:15:11 2006 Subject: Failed to lock /var/spool/mqueue.in/qfg65IWbm29468 with unexpected error[29482]: Bad file number Message-ID: Hello, I got the same error on version 3.2.0 too. Jul 5 14:45:26 denali mailscanner[29599]: MailScanner E-Mail Virus Scanner version 3.21 starting. Jul 5 14:45:26 denali mailscanner[29599]: Configuring mailscanner for sendmail... Jul 5 14:45:26 denali mailscanner[29599]: Using locktype = flock Jul 5 14:45:26 denali mailscanner[29600]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number Thanks, Chatchawan D. From mailscanner at ecs.soton.ac.uk Fri Jul 5 20:56:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: Failed to lock /var/spool/mqueue.in/qfg65IWbm29468 with unexpected error[29482]: Bad file number In-Reply-To: Message-ID: <5.1.0.14.2.20020705205241.02b3b978@imap.ecs.soton.ac.uk> Assuming you only have 1 MailScanner process running at once, I can't explain it immediately. For some reason the qf* file is open by another process (which it shouldn't be). Is the qf* file 0 bytes long by any chance? Are there any other files corresponding to this message id? If so, how big are they? 
At 20:48 05/07/2002, you wrote: >Hello, > >I got the same error on version 3.2.0 too. > > Jul 5 14:45:26 denali mailscanner[29599]: MailScanner E-Mail Virus >Scanner version 3.21 starting. > Jul 5 14:45:26 denali mailscanner[29599]: Configuring mailscanner for >sendmail... > Jul 5 14:45:26 denali mailscanner[29599]: Using locktype = flock > Jul 5 14:45:26 denali mailscanner[29600]: Failed to >lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file >number > > >Thanks, Chatchawan D. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From bill at DISTMIRR.COM Fri Jul 5 20:43:21 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:11 2006 Subject: extreamly long delays -- 3.22 In-Reply-To: <5.1.0.14.2.20020705194243.02f5a4c8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020705175845.031fa4d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020705194243.02f5a4c8@imap.ecs.soton.ac.uk> Message-ID: <1025898204.2382.50.camel@linuxlaptop.spis.net> > > >I see that you only have 3.22 in an rpm package. Any plans to make a > >tarball? > > 3.22 tar is there, but not linked from anywhere as I haven't released it > officially yet. It is still subject to change... I have installed 3.22, just to see if I might get any different results. I got the same thing. I un-commented "skip_rbl_checks 1" in the spam.assassin.prefs.conf file, and commented out all RBL lines in the mailscanner.conf file. I got the same thing. As of right now, it's been over 10 minutes since a "Scanning" message was logged. So in other words, nothing has changed. Any other ideas on where I should look or things I should try? 
Regards, Bill Omer From chatchaw at CCWF.CC.UTEXAS.EDU Fri Jul 5 21:53:00 2002 From: chatchaw at CCWF.CC.UTEXAS.EDU (Chatchawan Dejitthirat) Date: Thu Jan 12 21:15:11 2006 Subject: Failed to lock /var/spool/mqueue.in/qfg65IWbm29468 with unexpected error[29482]: Bad file number Message-ID: 1. Yes, there is only one mail scanner process bash-2.03# ps -ef |grep mail root 29210 1 0 12:48:16 ? 0:00 /usr/lib/sendmail -q15m root 29611 1 0 15:00:01 ? 0:00 /usr/local/bin/perl /opt/mailscanner/bin/mailscanner /opt/mailscanner/e tc/mails root 29208 1 0 12:48:16 ? 0:00 /usr/lib/sendmail -bd - ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mque 2. The strange thing is there is no process locking the file. And the file is a test message which is small in size. bash-2.03# lsof qfg65Jgum29560 bash-2.03# pwd /var/spool/mqueue.in bash-2.03# ls -l total 4 -rw------- 1 root other 6 Jul 5 14:43 dfg65Jgum29560 -rw------- 1 root other 541 Jul 5 14:43 qfg65Jgum29560 bash-2.03# tail /var/log/syslog Jul 5 15:09:01 denali last message repeated 12 times Jul 5 15:15:31 denali mailscanner[29611]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number Jul 5 15:15:31 denali last message repeated 13 times Jul 5 15:22:31 denali mailscanner[29611]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number Jul 5 15:22:31 denali last message repeated 12 times Jul 5 15:29:01 denali mailscanner[29611]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number Jul 5 15:29:01 denali last message repeated 12 times Jul 5 15:35:31 denali mailscanner[29611]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number Jul 5 15:35:31 denali last message repeated 13 times Jul 5 15:42:31 denali mailscanner[29611]: Failed to lock /var/spool/mqueue.in/qfg65Jgum29560 with unexpected error: Bad file number bash-2.03# cat qfg65Jgum29560 V4 T1025898178 K0 N0 P30021 I0/4/27549 
$_piglet.cc.utexas.edu [128.83.42.61] $rSMTP $sdfs ${daemon_flags} ${if_addr}128.83.172.41 Schatchaw@ccwf.cc.utexas.edu RPFD:chat H?P?Return-Path: H??Received: from dfs (piglet.cc.utexas.edu [128.83.42.61]) by denali.eco.utexas.edu (8.11.6+Sun/8.11.6) with SMTP id g65Jgum29560 for chat; Fri, 5 Jul 2002 14:42:58 -0500 (CDT) H?D?Date: Fri, 5 Jul 2002 14:42:58 -0500 (CDT) H?F?From: chatchaw@ccwf.cc.utexas.edu H?M?Message-Id: <200207051942.g65Jgum29560@denali.eco.utexas.edu> H??Subject: test . bash-2.03# cat dfg65Jgum29560 mdfsf Thanks, Chatchawan Dejitthirat.
From richard at HELPPLC.COM Fri Jul 5 22:11:25 2002 From: richard at HELPPLC.COM (Richard Sidlin (Help Plc)) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error Message-ID: I am getting "RBL Checks timed out and were killed" errors in my maillog after every attempted scan of an email. Any idea how I fix this please? 
Richard Sidlin From richard at HELPPLC.COM Fri Jul 5 22:24:13 2002 From: richard at HELPPLC.COM (Richard Sidlin (Help Plc)) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: Message-ID: Just as an addendum to this, it always has "7162" in the error i.e "Jul 5 22:22:54 ns mailscanner[7162]: RBL Checks timed out and were killed" Richard Sidlin > Subject: RBL Error > > > I am getting "RBL Checks timed out and were killed" errors in my maillog > after every attempted scan of an email. Any idea how I fix this please? > > > > Richard Sidlin > > ----------------------------------------------------------- > This message has been checked for all known viruses by the > Quarryhouse Internet Virus Scanning Service. > > From David.Sullivan at BARNET.AC.UK Fri Jul 5 23:05:25 2002 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: References: Message-ID: <21028.194.82.200.31.1025906725.squirrel@webmail.barnet.ac.uk> Help Plc said: > I am getting "RBL Checks timed out and were killed" errors in my > maillog after every attempted scan of an email. Any idea how I fix this > please? Check the RBL services you have listed with "Spam List =" and check that the services you're using are still operational and that you're able to use them. One thing worth pointing out that is noted in the comments of mailscanner.conf: # MAPS now charge for their services, so you'll have to buy a contract before # attempting to use the next 3 lines. #Spam List = MAPS-RBL, blackholes.mail-abuse.org. ... Other than that you might have a DNS problem of some kind. Regards -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. 
If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From richard at HELPPLC.COM Fri Jul 5 23:55:43 2002 From: richard at HELPPLC.COM (Richard Sidlin (Help Plc)) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: <21028.194.82.200.31.1025906725.squirrel@webmail.barnet.ac.uk> Message-ID: I've now hashed out all lines in mailscanner.conf relating to spam databases, restarted Mailscanner but the problem persists. Any other thoughts? Richard Sidlin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of David Sullivan > Sent: 05 July 2002 23:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: RBL Error > > > Help Plc said: > > I am getting "RBL Checks timed out and were killed" errors in my > > maillog after every attempted scan of an email. Any idea how I fix this > > please? > > Check the RBL services you have listed with "Spam List =" and check that > the services you're using are still operational and that you're > able to use > them. > > One thing worth pointing out that is noted in the comments of > mailscanner.conf: > > # MAPS now charge for their services, so you'll have to buy a contract > before > # attempting to use the next 3 lines. > #Spam List = MAPS-RBL, blackholes.mail-abuse.org. > ... > > Other than that you might have a DNS problem of some kind. 
From nathan at tcpnetworks.net Sat Jul 6 03:13:49 2002 From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error Message-ID: <200207060213.g662Dnq32327@ns2.tcpnetworks.com> I noticed the same problem, and commented out a lot of the lesser known blacklists. Also thought about increasing the timeout. Still monitoring it, but... During my investigation, I did a simple nslookup of all of the lists I'm using to make sure they're at least resolving. When I look up "bl.spamcop.net," no record appears to exist for it. ** server can't find bl.spamcop.net: SERVFAIL I've tried a few DNS servers, and all return nothing for this list. Am I missing something here, or is this list defunct, or did it change names? 
Maybe I'm naive about how these lists are used by Mailscanner and Sendmail, but I figure the host name should at least resolve to an IP address. This might explain the timeouts I'm seeing (as this is one of the lists I didn't comment out). Does anyone know the story here? -Nathan > I've now hashed out all lines in mailscanner.conf relating to spam > databases, restarted Mailscanner but the problem persists. > > Any other thoughts? > > Richard Sidlin > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of David Sullivan > > Sent: 05 July 2002 23:05 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: RBL Error > > > > > > Help Plc said: > > > I am getting "RBL Checks timed out and were killed" errors in my > > > maillog after every attempted scan of an email. Any idea how I > fix this > > > please? > > > > Check the RBL services you have listed with "Spam List =" and check that > > the services you're using are still operational and that you're > > able to use > > them. > > > > One thing worth pointing out that is noted in the comments of > > mailscanner.conf: > > > > # MAPS now charge for their services, so you'll have to buy a contract > > before > > # attempting to use the next 3 lines. > > #Spam List = MAPS-RBL, blackholes.mail-abuse.org. > > ... > > > > Other than that you might have a DNS problem of some kind.
From smohan at VSNL.COM Sat Jul 6 03:27:54 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:11 2006 Subject: [off-topic] netiquette Message-ID: <003801c22494$bcfc5b50$01000001@mohans> Can mailing list subscribers ensure that vacation mailer/ out of office replies are not enabled for mails coming from this mailing list please (any mailing list for that matter)? This should reduce load on your own mail servers apart from saving us the trouble of reading inconsequential mails. Regards Mohan From mike at ZANKER.ORG Sat Jul 6 07:59:17 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: <200207060213.g662Dnq32327@ns2.tcpnetworks.com> References: <200207060213.g662Dnq32327@ns2.tcpnetworks.com> Message-ID: <204940629.1025942357@jemima.zanker.org> On 05 July 2002 18:13 -0800 Nathan Johanson wrote: > During my investigation, I did a simple nslookup of all of the lists > I'm using to make sure they're at least resolving. When I look up > "bl.spamcop.net," no record appears to exist for it. > > ** server can't find bl.spamcop.net: SERVFAIL Correct, but that's not how the blacklists are used. To find out if, say, 12.34.56.78 is listed in spamcop you look up 78.56.34.12.bl.spamcop.net A response of 127.0.0.x means it's listed - NXDOMAIN means it's not. 
Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From nathan at tcpnetworks.net Sat Jul 6 08:17:25 2002 From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error Message-ID: <200207060717.g667HPq00906@ns2.tcpnetworks.com> Thanks for the clarification. I figured I probably misunderstood the mechanisms behind these lists. -Nathan > wrote: > > > During my investigation, I did a simple nslookup of all of the lists > > I'm using to make sure they're at least resolving. When I look up > > "bl.spamcop.net," no record appears to exist for it. > > > > ** server can't find bl.spamcop.net: SERVFAIL > > Correct, but that's not how the blacklists are used. To find out if, > say, 12.34.56.78 is listed in spamcop you look up > > 78.56.34.12.bl.spamcop.net > > A response of 127.0.0.x means it's listed - NXDOMAIN means it's not. > > Mike > -- > Mike Zanker > Northampton, UK > PGP Public Key: pgp@zanker.org From mystic_sense at CENTURY.LCZ.CO.ZW Sat Jul 6 08:25:43 2002 From: mystic_sense at CENTURY.LCZ.CO.ZW (Mystic Sense) Date: Thu Jan 12 21:15:11 2006 Subject: mailscanner with panda antivirus command line Message-ID: <002501c224be$57200e60$1502a8c0@century.lcz.co.zw> is there anyone who has tried mailscanner with Panda Antivirus command line (linux) I would like to try it on redhat linux 6.0 with sendmail 8.9.3. are there any issues with redhat linux 6.0 and sendmail
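Added example, not part of the archived messages or of MailScanner's code: the lookup convention from the RBL Error thread (reverse the octets, append the list's zone, read 127.0.0.x as listed and a non-existent name as not listed), with a per-list timeout and the 127.0.0.2 test entry used to find which list is unreachable. The function names, the dnsbl.example zones and the resolver replies are constructed for illustration; pass system_resolver instead of fake_resolver for live queries.

```python
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as LookupTimeout

TEST_ADDRESS = "127.0.0.2"  # test entry the thread says the lists all carry


def dnsbl_query_name(ip, zone):
    """12.34.56.78 checked against bl.spamcop.net -> 78.56.34.12.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if malformed
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Live lookup: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # no such name: address is not listed
            return None
        raise  # SERVFAIL and similar: the list failed, the address is not "clean"


def lookup(resolver, name, timeout):
    """Run one lookup in a worker thread so an unreachable list cannot stall us."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(resolver, name).result(timeout=timeout)
    finally:
        pool.shutdown(wait=False)  # do not wait for a lookup that is still hanging


def check_address(ip, zones, resolver=system_resolver, timeout=5.0):
    """Return {zone: verdict}: listed, clean, timeout, error or unexpected."""
    verdicts = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = lookup(resolver, name, timeout)
        except LookupTimeout:
            verdicts[zone] = "timeout"  # record which list hung
            continue
        except OSError:
            verdicts[zone] = "error"
            continue
        if answer is None:
            verdicts[zone] = "clean"
        elif answer.startswith("127.0.0."):
            verdicts[zone] = "listed"
        else:
            verdicts[zone] = "unexpected"  # outside 127.0.0.x: not a listing
    return verdicts


def unusable_zones(zones, resolver=system_resolver, timeout=5.0):
    """Zones whose 127.0.0.2 test entry does not come back as listed."""
    health = check_address(TEST_ADDRESS, zones, resolver, timeout)
    return {zone: verdict for zone, verdict in health.items() if verdict != "listed"}


# Constructed data: made-up zones and replies standing in for real lists.
FAKE_RECORDS = {
    "2.0.0.127.listing.dnsbl.example": "127.0.0.2",
    "78.56.34.12.listing.dnsbl.example": "127.0.0.2",
    "2.0.0.127.quiet.dnsbl.example": "127.0.0.2",
}
DEAD_ZONE = "dead.dnsbl.example"


def fake_resolver(name):
    if name.endswith("." + DEAD_ZONE):
        time.sleep(0.75)  # simulates a list that never answers in time
        return None
    return FAKE_RECORDS.get(name)  # None plays the role of NXDOMAIN


def demo():
    zones = ["listing.dnsbl.example", "quiet.dnsbl.example", DEAD_ZONE]
    verdicts = check_address("12.34.56.78", zones, fake_resolver, timeout=0.25)
    return verdicts, unusable_zones(zones, fake_resolver, timeout=0.25)


if __name__ == "__main__":
    address_verdicts, dead_lists = demo()
    print(address_verdicts)
    print(dead_lists)
```
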
From nathan at tcpnetworks.net Sat Jul 6 15:50:20 2002 From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:15:11 2006 Subject: f-prot autoupdate error Message-ID: <200207061450.g66EoKq01938@ns2.tcpnetworks.com> This is output from f-prot's autoupdate script. I tried running it manually again this morning and received the same error. Any idea what's happening here? For some reason, it's failing to download the macro.def file. FTP address for retrieving files is File SIGN.DEF is already up to date. File SIGN2.DEF is already up to date. F-Prot signature file update script There is a new version of MACRO.DEF, starting download. Download from http://updates.f-prot.com/files/ failed, exiting., Bad file descriptor at /usr/local/f-prot/autoupdate line 281, line 4. Sincerely, Nathan Johanson Email:nathan@tcpnetworks.net From mailscanner at ecs.soton.ac.uk Sat Jul 6 17:33:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: <200207060717.g667HPq00906@ns2.tcpnetworks.com> Message-ID: <5.1.0.14.2.20020706173229.02c5f900@imap.ecs.soton.ac.uk> The one they all list as a test address is 127.0.0.2. So you can lookup 2.0.0.127.relays.osirusoft.com. for example and it will hit. Note that UK2Net are currently blocking access to osirusoft.com so all you RAQ customers will be having nasty consequences that RBL Timeouts at the moment unless you comment that line out of your mailscanner.conf files. At 08:17 06/07/2002, you wrote: >Thanks for the clarification. I figured I probably misunderstood the >mechanisms behind these lists. >-Nathan > > > > wrote: > > > > > During my investigation, I did a simple nslookup of all of the lists > > > I'm using to make sure they're at least resolving. When I look up > > > "bl.spamcop.net," no record appears to exist for it. > > > > > > ** server can't find bl.spamcop.net: SERVFAIL > > > > Correct, but that's not how the blacklists are used. 
To find out if, > > say, 12.34.56.78 is listed in spamcop you look up > > > > 78.56.34.12.bl.spamcop.net > > > > A response of 127.0.0.x means it's listed - NXDOMAIN means it's not. > > > > Mike > > -- > > Mike Zanker > > Northampton, UK > > PGP Public Key: pgp@zanker.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From siewwu.tan at EDGEMATRIX.COM Sun Jul 7 04:22:45 2002 From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu) Date: Thu Jan 12 21:15:11 2006 Subject: f-prot autoupdate error Message-ID: This is strange!!! I put in a few print statements to check but not sure what happened to the print "zzz $Server, $FileToCheck\n"; statement. Seems putting two of them together giving problems???!!! ##### modified code #### print STDERR "There is a new version of $FileToCheck, starting download.\n" unless $quiet; $updated = 1; # Download it from the server print "xxx $FileToCheck\n"; print "yyy $Server\n"; print "zzz $Server, $FileToCheck\n"; DownloadFile($Server, $FileToCheck); ########## ******* results ***** FTP address for retrieving files is ftp://ftp.isnet.is/pub/customers/complex.is/ File SIGN.DEF is already up to date. File SIGN2.DEF is already up to date. F-Prot signature file update script There is a new version of MACRO.DEF, starting download. xxx MACRO.DEF yyy ftp://ftp.isnet.is/pub/customers/complex.is/ , MACRO.DEFtp.isnet.is/pub/customers/complex.is/ Download from http://updates.f-prot.com/files/ failed, exiting., Bad file descriptor at /usr/local/f-prot/autoupdate line 285, line 4. *********** From brandonf at BFCONSULT.CO.ZA Sun Jul 7 11:38:18 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:11 2006 Subject: mailscanner with panda antivirus command line References: <002501c224be$57200e60$1502a8c0@century.lcz.co.zw> Message-ID: <3D281A1A.8060003@bfconsult.co.za> Personally.... 
I would avoid 6.0....too many bugs! If you are looking to stay with 6.x, use 6.2 rather. Also you probably want to read some info here: http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.pdf Mystic Sense wrote: > > > is there anyone who has tried mailscanner with Panda Antivirus command > line (linux) > > > > I would like to try it on redhat linux 6.0 with sendmail 8.9.3. > > are there any issues with redhat linux 6.0 and sendmail > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From mailscanner at ecs.soton.ac.uk Sun Jul 7 12:12:36 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: RBL Error In-Reply-To: <5.1.0.14.2.20020706173229.02c5f900@imap.ecs.soton.ac.uk> References: <200207060717.g667HPq00906@ns2.tcpnetworks.com> Message-ID: <5.1.0.14.2.20020707121114.02f43008@imap.ecs.soton.ac.uk> I have improved the logging so the timeout error message includes the name of the RBL that was being checked at the time, so you can easily find out which one is down/unreachable. At 17:33 06/07/2002, you wrote: >The one they all list as a test address is 127.0.0.2. >So you can lookup > 2.0.0.127.relays.osirusoft.com. >for example and it will hit. > >Note that UK2Net are currently blocking access to osirusoft.com so all you >RAQ customers will be having nasty consequences that RBL Timeouts at the >moment unless you comment that line out of your mailscanner.conf files. > >At 08:17 06/07/2002, you wrote: >>Thanks for the clarification. I figured I probably misunderstood the >>mechanisms behind these lists. >>-Nathan >> >> >> > wrote: >> > >> > > During my investigation, I did a simple nslookup of all of the lists >> > > I'm using to make sure they're at least resolving. When I look up >> > > "bl.spamcop.net," no record appears to exist for it. >> > > >> > > ** server can't find bl.spamcop.net: SERVFAIL >> > >> > Correct, but that's not how the blacklists are used. 
To find out if, >> > say, 12.34.56.78 is listed in spamcop you look up >> > >> > 78.56.34.12.bl.spamcop.net >> > >> > A response of 127.0.0.x means it's listed - NXDOMAIN means it's not. >> > >> > Mike >> > -- >> > Mike Zanker >> > Northampton, UK >> > PGP Public Key: pgp@zanker.org > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jul 7 14:12:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: f-prot autoupdate error In-Reply-To: Message-ID: <5.1.0.14.2.20020707141027.031e3ab8@imap.ecs.soton.ac.uk> At 04:22 07/07/2002, you wrote: >This is strange!!! I put in a few print statements to check but not sure >what happened to the print "zzz $Server, $FileToCheck\n"; statement. >Seems putting two of them together giving problems???!!! You need to "print STDERR" not just "print". STDERR is line-buffered whereas stdout is block-buffered. So if you bail out with an error you can't guarantee that all of stdout will be output before the program stops with an error. >##### modified code #### > print STDERR "There is a new version of $FileToCheck, starting >download.\n" > unless $quiet; > $updated = 1; > # Download it from the server >print "xxx $FileToCheck\n"; >print "yyy $Server\n"; >print "zzz $Server, $FileToCheck\n"; > DownloadFile($Server, $FileToCheck); >########## > >******* results ***** >FTP address for retrieving files is >ftp://ftp.isnet.is/pub/customers/complex.is/ >File SIGN.DEF is already up to date. >File SIGN2.DEF is already up to date. >F-Prot signature file update script >There is a new version of MACRO.DEF, starting download. 
>xxx MACRO.DEF >yyy ftp://ftp.isnet.is/pub/customers/complex.is/ >, MACRO.DEFtp.isnet.is/pub/customers/complex.is/ >Download from http://updates.f-prot.com/files/ failed, exiting., Bad file >descriptor at /usr/local/f-prot/autoupdate line > 285, line 4. >*********** -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From siewwu.tan at EDGEMATRIX.COM Sun Jul 7 18:24:41 2002 From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu) Date: Thu Jan 12 21:15:11 2006 Subject: f-prot autoupdate error Message-ID: Thanks for the Perl tip Julian. On further check, the problem seems to be that there is a non-printable character after the ftp download URL. A check with vi on the tmp-web file shows a "^M" character at the end of the download URL. Stripping it off will fix the problem. ########################################################### # Download it from the server print STDERR "xxx $Server xxx\n"; $Server =~ s/\s*$//g; # maybe should strip somewhere on top first instead of here print STDERR "xxx111 $Server xxx111\n"; DownloadFile($Server, $FileToCheck); ########################################################### xxxftp://us-1.updates.f-prot.com/pub/ xxx111 ftp://us-1.updates.f-prot.com/pub/ xxx111 ########################################################### From mailscanner at ecs.soton.ac.uk Sun Jul 7 18:42:15 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:11 2006 Subject: f-prot autoupdate error In-Reply-To: Message-ID: <5.1.0.14.2.20020707184044.032e1318@imap.ecs.soton.ac.uk> Well spotted. This is due to a mistake by F-Prot where they have edited a file on a PC where they previously edited it on a Unix box... 
My "official" patch (including some line numbers) to f-prot/autoupdate is this *** 131,140 **** --- 131,142 ---- # Read the file once to pull out the ftp URL of the update server # while() { chomp; next unless s/^S://; + # Delete trailing newlines and stuff like that + s/\s*$//g; $Server = $_; } close(TEMPFILE); print STDERR "FTP address for retrieving files is $Server\n" unless $quiet || $cron; This will be fixed in the next minor release. At 18:24 07/07/2002, you wrote: >Thanks for the Perl tip Julian. >On further check, the problems seems to be that there is a non-printable >character after the ftp download URL. A check with vi on the tmp-web file >shows a "^M" character at the end of the download URL. > >Stripping it off will fix the problem. > >########################################################### > # Download it from the server >print STDERR "xxx $Server xxx\n"; > $Server =~ s/\s*$//g; > # maybe should strip somewhere on top first instead of here >print STDERR "xxx111 $Server xxx111\n"; > DownloadFile($Server, $FileToCheck); >########################################################### > xxxftp://us-1.updates.f-prot.com/pub/ >xxx111 ftp://us-1.updates.f-prot.com/pub/ xxx111 >########################################################### -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From andersan at LTKALMAR.SE Mon Jul 8 10:34:20 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:11 2006 Subject: Changing konfiguration....... Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6C@lkl22.ltkalmar.se> Hi After installation Im happy and it works just fine. But there is one thing I would like to change but I dont have clue how. I want the blocking of files to kick in before it does virusscanning. Is there a way to do that? Its not that big issue but why use cpu for virusscanning when its files I dont want to accept. 
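Review bot: in the f-prot/autoupdate patch in Julian Field's message above, the added line `s/\s*$//g;` uses a pattern that can match the empty string and a `/g` flag that does nothing for a match anchored at the end of the line; `s/\s+$//;` states the intent more directly. The preceding `chomp` removes only the newline, which is why the carriage return survived, so the new comment would be more useful if it named the trailing carriage return rather than "newlines and stuff like that". The block comment says the file is read "once" here to pull out the ftp URL; if it is read again later for the file entries, those lines may carry the same trailing carriage return and would need the same strip.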
Thanks in advance /Anders From tal at MUSICGENOME.COM Mon Jul 8 11:04:13 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:12 2006 Subject: Changing konfiguration....... In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6C@lkl22.ltkalmar.se> References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6C@lkl22.ltkalmar.se> Message-ID: <1026122653.1405.1.camel@johnny5> On Mon, 2002-07-08 at 12:34, Anders Andersson, IT wrote: > I want the blocking of files to kick in before > it does virusscanning. Is there a way to > do that? > It's not that big issue but why use cpu for > virusscanning when it's files I don't want to accept. I don't know... I think it's better to inform the user that it wasn't just a mistake and the file _did_ have a virus in it, and not just a possible one. -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 From andersan at LTKALMAR.SE Mon Jul 8 11:06:32 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:12 2006 Subject: SV: Changing konfiguration....... Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6D@lkl22.ltkalmar.se> > -----Original message----- > From: tal@MUSICGENOME.COM [mailto:tal@MUSICGENOME.COM] > Sent: 8 July 2002 12:01 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Changing konfiguration....... > > > Security warning. Details in WARNING.TXT about the possible problem. > -------------------------------------------------------------------- > On Mon, 2002-07-08 at 12:34, Anders Andersson, IT wrote: > > I want the blocking of files to kick in before > > it does virusscanning. Is there a way to > > do that? 
> > It's not that big issue but why use cpu for > > virusscanning when it's files I don't want to accept. > > I don't know... I think it's better to inform the user that it wasn't > just a mistake and the file _did_ have a virus in it, and not just a > possible one. Of course, but that doesn't solve the problem that I still have to use a lot of cpu to check for viruses even though it's a file we don't accept to enter our network. On a bad day when external/internal got hit by a virus you don't want to spend the cpu to virus scan those files, just delete and let the cpu handle the documents we need/want to keep the work going /Anders > -- > Tal Kelrich > > PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 > PGP key-id: 12B9AA69 > > From tal at MUSICGENOME.COM Mon Jul 8 11:34:14 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:12 2006 Subject: SV: Changing konfiguration....... In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6D@lkl22.ltkalmar.se> References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6D@lkl22.ltkalmar.se> Message-ID: <1026124454.1414.5.camel@johnny5> Skipped content of type multipart/mixed From tal at MUSICGENOME.COM Mon Jul 8 11:38:07 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:12 2006 Subject: SV: Changing konfiguration....... In-Reply-To: <1026124454.1414.5.camel@johnny5> References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6D@lkl22.ltkalmar.se> <1026124454.1414.5.camel@johnny5> Message-ID: <1026124688.1414.9.camel@johnny5> Skipped content of type multipart/mixed 
From andersan at LTKALMAR.SE Mon Jul 8 12:25:46 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:12 2006 Subject: SV: SV: Changing konfiguration....... Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6E@lkl22.ltkalmar.se> > -----Original message----- > From: tal@MUSICGENOME.COM [mailto:tal@MUSICGENOME.COM] > Sent: 8 July 2002 12:35 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SV: Changing konfiguration....... > > > Security warning. Details in WARNING.TXT about the possible problem. > -------------------------------------------------------------------- > Aargh, that's a reversed patch... proper patch following > -- Lucky I was on lunch then =) but what does it do and where? It looked like it changes config.pl but I wanna be sure for backup I also need a short info on what to do with it, since I'm a newbie at this /Anders > Tal Kelrich > > PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 > PGP key-id: 12B9AA69 > > From tal at MUSICGENOME.COM Mon Jul 8 12:56:05 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:12 2006 Subject: SV: SV: Changing konfiguration....... In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6E@lkl22.ltkalmar.se> References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6E@lkl22.ltkalmar.se> Message-ID: <1026129365.1412.15.camel@johnny5> On Mon, 2002-07-08 at 14:25, Anders Andersson, IT wrote: > Lucky I was on lunch then =) > but what does it do and where? > It looked like it changes config.pl but I wanna be sure for backup > I also need a short info on what to do with it, since I'm a newbie at this > > /Anders what it's supposed to do (and I think I may have made a mistake there, you should double check it) is: A. 
change the order so the file checks are done first, and B. add a No Scan On File config param, which when set to 1 should skip the virus check. again, it's untested, making a backup would be a very good idea (as I probably messed it up) (note that it doesn't log the AV scan skip, though) Tal -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 From mike at 4frontmedia.net Mon Jul 8 15:24:29 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:15:12 2006 Subject: FW: Kaspersky Anti-Virus version 4.0.1.0 Message-ID: <016a01c2268b$2c02b600$0100000a@MIKES> I have upgraded my Virus Scanner to kaspersky anti-virus from version 3.0 Build 136 to 4.0.1.0. Now when Mailscanner scans mail it never moves into mqueue for delivery. I see in the log the "Scanning 1 messages" message but it does not do anything with it. My telnet console also locks at this point. I guess something's changed from the old version to the new one. It works fine just running from the command line (/opt/AVP/kavscanner). If I run /usr/local/kaspersky/kasperskywrapper /etc it comes back with "Nothing to scan. You should select at least one directory to scan. " Has anyone got mailscanner working correctly with this version of kaspersky? Paul ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. 
To safeguard your business call 01233-850906 From kreberger at TEL-PACIFIC.COM Mon Jul 8 00:57:36 2002 From: kreberger at TEL-PACIFIC.COM (kreberger@TEL-PACIFIC.COM) Date: Thu Jan 12 21:15:12 2006 Subject: unsubscribe me from the mailling list. Message-ID: Would you be able to unsubscribe me from the mailling list please. __________________________________________________ Kris Reberger TEL.PACIFIC Pty Ltd 202/815 Pacific Highway Chatswood NSW 2067 Australia Tel: (02) 8448-0621 Fax: 1300 369 222 Web: http://www.telpacific.com.au kreberger@tel-pacific.com __________________________________________________ The information contained in this communication is only intended for the recipient named above. If you are not the intended recipient, any use, disclosure, or copying of this communication is prohibited. If you have received this information in error, please notify the sender immediately and then destroy any copies of it. From LISTSERV at JISCMAIL.AC.UK Mon Jul 8 12:13:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:12 2006 Subject: MAILSCANNER: rado@INTERSALES.DE left the JISCmail list Message-ID: <200207081113.MAA18445@magpie.ecs.soton.ac.uk> Mon, 8 Jul 2002 12:13:16 Andrej Radonic has just left the MAILSCANNER JISCmail list (MailScanner mailing list). 
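Added example, not part of any message in this archive and not MailScanner's own code: the lookup convention described in the "RBL Error" thread above (octets reversed under the list's zone, a 127.0.0.x answer meaning listed, NXDOMAIN meaning not listed), with the 127.0.0.2 test entry used as a health probe so that a list that is down is named and skipped instead of stalling or mis-scoring mail. The example.* zones, the resolver interface and every function name are constructed for illustration, and the 127.0.0.1 check follows RFC 5782 rather than the thread.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
TEST_ADDRESS = "127.0.0.2"  # the entry the thread says every list publishes


class NXDomain(Exception):
    """The queried name does not exist, i.e. the address is not listed."""


class ListUnreachable(Exception):
    """Timeout, SERVFAIL or a nonsensical answer: the list gave no verdict."""


def query_name(ip, zone):
    """12.34.56.78 in bl.spamcop.net -> 78.56.34.12.bl.spamcop.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def lookup(ip, zone, resolve):
    """Return the 127.0.0.x codes for ip in zone; an empty list means not listed."""
    name = query_name(ip, zone)
    try:
        answers = list(resolve(name))
    except NXDomain:
        return []
    except Exception as exc:  # timeout, SERVFAIL, refused, ...
        raise ListUnreachable(f"{zone}: {name} failed: {exc}") from exc
    # Only 127.0.0.0/8 answers are listing codes. Anything else (for example
    # a parked domain answering every name) must not be read as "listed".
    if not answers or any(ipaddress.ip_address(a) not in LOOPBACK for a in answers):
        raise ListUnreachable(f"{zone}: unexpected answer {answers} for {name}")
    return sorted(answers)


def health_check(zones, resolve):
    """Probe each zone with the test address before trusting its verdicts."""
    status = {}
    for zone in zones:
        try:
            if not lookup(TEST_ADDRESS, zone, resolve):
                status[zone] = "no test entry"
            elif lookup("127.0.0.1", zone, resolve):
                status[zone] = "lists everything"  # RFC 5782: never listed
            else:
                status[zone] = "ok"
        except ListUnreachable:
            status[zone] = "unreachable"
    return status


def check_sender(ip, zones, resolve):
    """Return (hits, skipped): zone -> codes, and the zones that gave no verdict."""
    hits, skipped = {}, []
    for zone in zones:
        try:
            codes = lookup(ip, zone, resolve)
        except ListUnreachable:
            skipped.append(zone)  # name the list in the log, then carry on
            continue
        if codes:
            hits[zone] = codes
    return hits, skipped


def system_resolver(name):
    """Resolver on top of the C library. Assumption: NXDOMAIN is reported as
    EAI_NONAME. getaddrinfo takes no timeout, so the caller must impose one."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            raise NXDomain(name) from exc
        raise
    return sorted({info[4][0] for info in infos})


# Constructed sample data: made-up zones under reserved example domains.
FAKE_RECORDS = {
    "2.0.0.127.bl.example.net": ["127.0.0.2"],    # the test entry
    "78.56.34.12.bl.example.net": ["127.0.0.2"],  # a listed sender
}
FAKE_FAULTS = {"down.example.org": "timeout", "parked.example.com": "parked",
               "wild.example.org": "wildcard"}
ZONES = ["bl.example.net", "down.example.org", "parked.example.com",
         "wild.example.org"]


def fake_resolver(name):
    """Offline stand-in for DNS, driven by the constructed tables above."""
    name = name.rstrip(".")
    for zone, fault in FAKE_FAULTS.items():
        if name.endswith("." + zone):
            if fault == "timeout":
                raise TimeoutError("no response")
            return ["192.0.2.10"] if fault == "parked" else ["127.0.0.2"]
    if name in FAKE_RECORDS:
        return FAKE_RECORDS[name]
    raise NXDomain(name)


if __name__ == "__main__":
    print(health_check(ZONES, fake_resolver))
    print(check_sender("12.34.56.78", ZONES, fake_resolver))
```

Running the health check first and querying only the zones it reports as "ok" keeps the wildcard zone from flagging every sender.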
From LISTSERV at JISCMAIL.AC.UK Mon Jul 8 12:27:18 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:12 2006 Subject: MAILSCANNER: i.m.kitching@APU.AC.UK requested to join Message-ID: <200207081127.MAA19551@magpie.ecs.soton.ac.uk> Mon, 8 Jul 2002 12:27:18 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ian Kitching You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER i.m.kitching@APU.AC.UK Ian Kitching PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER i.m.kitching@APU.AC.UK Ian Kitching // EOJ From combs at MAGNET.FSU.EDU Mon Jul 8 15:27:46 2002 From: combs at MAGNET.FSU.EDU (Tom Combs) Date: Thu Jan 12 21:15:12 2006 Subject: Stop messages to console? Message-ID: Hello, I just started using mailscanner and I'm very please with the system. Thanks for all the hard work, it should make our lives a lot easier! However, whenever I pop up a root window on our mailserver, it will receive messages about detected viruses. I haven't tested to see if these go to every root window or just to the first one since I'm not actually logged in at the console. How can I change this behavior? I like messages going to the logs but not to my root window. Should I just redirect stdout and/or stderr to /dev/null when I start mailscanner? TIA, Tom Combs -- Tom Combs E-mail: combs@magnet.fsu.edu National High Magnetic Field Laboratory Phone: (850) 644-1657 1800 E. 
Paul Dirac Drive Tallahassee, FL 32310 From steve at cgpsystems.com Mon Jul 8 23:33:43 2002 From: steve at cgpsystems.com (Steve Barr) Date: Thu Jan 12 21:15:12 2006 Subject: Messages scanned twice Message-ID: I have installed MailScanner on my server. I am very impressed. I'm running Debian "Woody", Exim and Sophos. Currently, it's scanning approximately 300 messages per day. I have one question- Is there any way to tell MailScanner to only scan messages once? I run a mailing list for a local Linux Users Group, and when a message to the list is received it gets scanned. So far, so good. When it gets delivered, it gets scanned again. It's not a major problem, but I have the inline text signature enabled because I want people to easily see that the message was scanned. Each time the message is scanned, the signature gets appended to the message. Thanks! -- Steve (steve at cgpsystems.com) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jgoggan at DCG.COM Mon Jul 8 23:50:16 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:12 2006 Subject: df2mbox problem? Message-ID: <3D2A1728.532190BD@dcg.com> I've noticed that, suddenly, pine no longer thinks that my df2mbox create files are mbox-formatted. It sees the entire file as one long, single message. After researching it a bit, I see that it is because of the date on the From line. Basically, mbox format (although there seem to be multiple mbox variations, but anyway...) seems to state that the date portion will be exactly 24 characters. Currently, df2mbox just calls "date" to get the date when generating the from line: echo From $from `date` My system currently outputs something like this for `date`: Mon Jul 8 19:04:45 EDT 2002 ...which is too long and not liked by pine because it isn't in the mbox format that it expects. 
As a quick fix, I changed the line to: echo From $from `date "+%a %b %d %T %Y"` ...so that the date generated looks like: Mon Jul 08 19:06:36 2002 ...and, I believe, should always be the required 24 characters. Pine now likes the mbox-formatted file fine. Just wanted to pass that along. - John... From brose at MED.WAYNE.EDU Mon Jul 8 23:58:10 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:12 2006 Subject: df2mbox problem? Message-ID: Hah that explains it. I had noticed it also but thought maybe I had change updated something else that broke it. -----Original Message----- From: John Goggan [mailto:jgoggan@DCG.COM] Sent: Monday, July 08, 2002 6:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: df2mbox problem? I've noticed that, suddenly, pine no longer thinks that my df2mbox create files are mbox-formatted. It sees the entire file as one long, single message. After researching it a bit, I see that it is because of the date on the From jgoggan at DCG.COM Tue Jul 9 00:06:11 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:12 2006 Subject: df2mbox problem? References: Message-ID: <3D2A1AE3.D209CB82@dcg.com> "Rose, Bobby" wrote: > > Hah that explains it. I had noticed it also but thought maybe I had > change updated something else that broke it. Indeed! I happened to update pine and MailScanner last week -- so I was convinced that it was something in one of those. I kept checking all kinds of weird things. Then I finally realized that it was the df2mbox script. Apparently, in the past, I happened to run it at times that were close enough to the mbox format to work... - John... From jgoggan at DCG.COM Tue Jul 9 03:23:29 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? Message-ID: <3D2A4921.A73CDB8A@dcg.com> I got this recently: --- The following e-mail messages were found to have viruses in them: Sender: Recipient: Subject: Evan/Soc. 
Ministry meeting MessageID: g691fE305173 Report: Attempt to hide real filename extension in evan.agenda.july.doc --- The file does not actually contain a virus -- I am assuming that the "filename extension" checker just caught it, correct? Since I'm running a virus scanner -- do people recommend that I just turn that option off? Or is there something else I should be doing to avoid this misdetection? - John... From gerry at DORFAM.CA Tue Jul 9 03:45:32 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? In-Reply-To: <3D2A4921.A73CDB8A@dcg.com> Message-ID: On Mon, 8 Jul 2002, John Goggan wrote: > I got this recently: > > --- > The following e-mail messages were found to have viruses in them: > > Sender: > Recipient: > Subject: Evan/Soc. Ministry meeting > MessageID: g691fE305173 > Report: Attempt to hide real filename extension in evan.agenda.july.doc > --- > > The file does not actually contain a virus -- I am assuming that the "filename > extension" checker just caught it, correct? Since I'm running a virus scanner > -- do people recommend that I just turn that option off? Or is there > something else I should be doing to avoid this misdetection? > > - John... This check is to catch an annoying habit of Windows to only show the first extension ie note.doc when in fact the file name is note.doc.vbs (an executable visual basic file). Unsuspecting receivers of such a file will execute the file by opening an innocent appearing .doc file. It's best to leave this option the way it is and try to avoid multiple extension file names...they're too dangerous in Windows. Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From jgoggan at DCG.COM Tue Jul 9 04:16:39 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? 
References: Message-ID: <3D2A5597.A7B91898@dcg.com> Gerry Doris wrote: > > Report: Attempt to hide real filename extension in evan.agenda.july.doc > This check is to catch an annoying habit of Windows to only show the first > extension ie note.doc when in fact the file name is note.doc.vbs (an > executable visual basic file). Unsuspecting receivers of such a file will > execute the file by openning a innocent appearing .doc file. Yes, I know what it is for... I'm just not sure it is overly relevant and/or worth it if I am running a decent virus scanner. I mean, I just had a person miss a file attachment that was not infected simply because it ended in .july.doc. :) > It's best to leave this option the way it is and try to avoid multiple > extension file names...they're too dangerous in Windows. Indeed -- it should be fairly rare, I guess. Not many Windows people using "." as a separator in the filename normally. - John... From nwp at LEMON-COMPUTING.COM Tue Jul 9 06:43:43 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:12 2006 Subject: Stop messages to console? In-Reply-To: References: Message-ID: <20020709054343.GB3459@hoiho.nz.lemon-computing.com> On Mon, Jul 08, 2002 at 03:27:46PM +0100, Tom Combs wrote: > I just started using mailscanner and I'm very please with the system. > Thanks for all the hard work, it should make our lives a lot easier! > > However, whenever I pop up a root window on our mailserver, it will > receive messages about detected viruses. I haven't tested to see > if these go to every root window or just to the first one since I'm > not actually logged in at the console. How can I change this behavior? > I like messages going to the logs but not to my root window. Should > I just redirect stdout and/or stderr to /dev/null when I start mailscanner? Sounds like your syslog is sticking messages of facility/severity mail.info onto root's ttys. See the syslog.conf manpage for more information. 
Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Try the Moo Shu Pork. It is especially good today. From nwp at LEMON-COMPUTING.COM Tue Jul 9 06:48:48 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? In-Reply-To: <3D2A5597.A7B91898@dcg.com> References: <3D2A5597.A7B91898@dcg.com> Message-ID: <20020709054848.GC3459@hoiho.nz.lemon-computing.com> On Mon, Jul 08, 2002 at 11:16:39PM -0400, John Goggan wrote: > I mean, I just had a person miss a file attachment that was not infected > simply because it ended in .july.doc. :) > > > It's best to leave this option the way it is and try to avoid multiple > > extension file names...they're too dangerous in Windows. Just how quick do you think it is possible for an AV vendor to be in response to the arrival of a new virus? How likely do you think it is that someone will send them a copy before you get a copy, every time? How badly do you want to avoid getting caught out when you (or your network) are sent the latest greatest BIOS-flashing disk-wiping virus? How inconvenient is it to educate people that using dots in filenames is not a terribly great idea? Your call. -- Nick Phillips -- nwp@lemon-computing.com Your lucky number has been disconnected. From m.sapsed at BANGOR.AC.UK Tue Jul 9 09:45:09 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> Message-ID: <3D2AA295.4E5678FF@bangor.ac.uk> nwp@lemon-computing.com wrote: > Just how quick do you think it is possible for an AV vendor to be in response > to the arrival of a new virus? > > How likely do you think it is that someone will send them a copy before you > get a copy, every time? > > How badly do you want to avoid getting caught out when you (or your network) > are sent the latest greatest BIOS-flashing disk-wiping virus? 
Sorry to keep banging on back about this but surely the significant thing is how windows treats the final extension. If we disallow all the extensions that windows will dumbly execute then it doesn't matter if someone sends out a monthly spreadsheet ending in .jul.xls, or indeed a random file ending in .this.that because no matter what's in the file, windows doesn't (does it?) stupidly execute a file ending in .that? > How inconvenient is it to educate people that using dots in filenames is > not a terribly great idea? It's not a great idea but a load of people do it. When we used to use DOS wordprocessors, a number of secretaries used the initials of the person the memo was for as an extension so you'd have memo.fb, memo.js etc not realising that this meant you only got a backup copy of the last one. > Your call. Indeed... Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. From mike at 4frontmedia.net Tue Jul 9 08:34:24 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:15:12 2006 Subject: FW: Kaspersky Anti-Virus version 4.0.1.0 Message-ID: <01b501c2271b$0cae6070$0100000a@MIKES> Are we the only people out there using 4.0.1.0 - any body out there with some experience? ********************************************************************* We Wrote...... "I have upgraded my Virus Scanner to kaspersky anti-virus from version 3.0 Build 136 to 4.0.1.0 Now when Mailscanner scans mail it never moves into mqueue for delivery I see in the log the "Scanning 1 messages" message but it does not do anything with it. My telnet console also locks at this point. I guess something's changed from the old version to the new one. It works fine just running from the command line (/opt/AVP/kavscanner). If I run /usr/local/kaspersky/kasperskywrapper /etc it come back with "Nothing to scan. You should select at least one directory to scan. 
" Has anyone got mailscanner working correctly with this version of kaspersky? Paul" ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906 From joe at QITC.CO.UK Tue Jul 9 07:38:54 2002 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:15:12 2006 Subject: Strange output from log? References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> Message-ID: <002b01c22713$4c137280$021b6bd5@T20> Hi Folks, Got this today in my logs, what's the bottom bit mean? Cheers, >>> FTP address for retrieving files is ftp://eu-2.updates.f-prot.com/pub/ F-Prot signature file update script There is a new version of SIGN.DEF, starting download. Download completed. Updated SIGN.DEF. There is a new version of SIGN2.DEF, starting download. Updated SIGN2.DEF. File MACRO.DEF is already up to date. Update completed. 
NOTICE: Rel pg_type: TID 3/6: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/29: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/30: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/31: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/32: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/33: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/34: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/35: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/36: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/37: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/38: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/39: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/40: InsertTransactionInProgress 16319183 - can't shrink relation NOTICE: Rel pg_attribute: TID 23/41: InsertTransactionInProgress 16319183 - can't shrink relation <<< -- Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk) Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist Web Site Hosting, Server Hosting, Co-location. Tel: (UK) +44 776 737 1234 From P.G.M.Peters at civ.utwente.nl Tue Jul 9 07:59:29 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:12 2006 Subject: Incorrect "virus" detection? 
In-Reply-To: <3D2A5597.A7B91898@dcg.com>
References: <3D2A5597.A7B91898@dcg.com>
Message-ID: <1a2liu063nuc1nuqpjv7809ck7nt3oltk2@4ax.com>

On Mon, 8 Jul 2002 23:16:39 -0400, you wrote:

>Gerry Doris wrote:
>> > Report: Attempt to hide real filename extension in evan.agenda.july.doc
>> This check is to catch an annoying habit of Windows to only show the first
>> extension ie note.doc when in fact the file name is note.doc.vbs (an
>> executable visual basic file). Unsuspecting receivers of such a file will
>> execute the file by opening an innocent appearing .doc file.
>
>Yes, I know what it is for... I'm just not sure it is overly relevant and/or
>worth it if I am running a decent virus scanner.
>
>I mean, I just had a person miss a file attachment that was not infected
>simply because it ended in .july.doc. :)
>
>> It's best to leave this option the way it is and try to avoid multiple
>> extension file names...they're too dangerous in Windows.
>
>Indeed -- it should be fairly rare, I guess. Not many Windows people using
>"." as a separator in the filename normally.

I have seen Windows do it by their own. Sometimes when you rename a file (and have hide extension enabled) it will suddenly show the extension when the filename is editable. When you forget to delete the extension it is kept with a double extension as a result.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From tal at MUSICGENOME.COM Tue Jul 9 11:24:48 2002
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
In-Reply-To: <3D2AA295.4E5678FF@bangor.ac.uk>
References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> <3D2AA295.4E5678FF@bangor.ac.uk>
Message-ID: <1026210289.1780.4.camel@johnny5>

On Tue, 2002-07-09 at 11:45, Martin Sapsed wrote:

> Sorry to keep banging on back about this but surely the significant thing
> is how windows treats the final extension. If we disallow all the
> extensions that windows will dumbly execute then it doesn't matter if
> someone sends out a monthly spreadsheet ending in .jul.xls, or indeed a
> random file ending in .this.that because no matter what's in the file,
> windows doesn't (does it?) stupidly execute a file ending in .that?

IIRC windows will check the contents of files if it doesn't recognize the extension, though I think only Microsoft Office uses this "feature"

--
Tal Kelrich
PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
PGP key-id: 12B9AA69
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020709/162dd4ca/attachment.bin

From nwp at LEMON-COMPUTING.COM Tue Jul 9 11:56:45 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
In-Reply-To: <3D2AA295.4E5678FF@bangor.ac.uk>
References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> <3D2AA295.4E5678FF@bangor.ac.uk>
Message-ID: <20020709105645.GB11669@hoiho.nz.lemon-computing.com>

On Tue, Jul 09, 2002 at 09:45:09AM +0100, Martin Sapsed wrote:

> random file ending in .this.that because no matter what's in the file,
> windows doesn't (does it?) stupidly execute a file ending in .that?

Windows recognises certain file types no matter what the extension; Office documents, for example (IIRC).
--
Nick Phillips -- nwp@lemon-computing.com
Don't get stuck in a closet -- wear yourself out.

From jkf at ecs.soton.ac.uk Tue Jul 9 12:46:32 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
In-Reply-To: <1a2liu063nuc1nuqpjv7809ck7nt3oltk2@4ax.com>
Message-ID:

On Tue, 9 Jul 2002, Peter Peters wrote:

> I have seen Windows do it by their own. Sometimes when you rename a file
> (and have hide extension enabled) it will suddenly show the extension
> when the filename is editable. When you forget to delete the extension
> it is kept with a double extension as a result.
>

That is one of the reasons for the "allow double extensions which are both the same" rules. So, for example, "foobar.doc.doc" is allowed.

--
Jules
jkf@ecs.soton.ac.uk

From Denis.Beauchemin at USHERBROOKE.CA Tue Jul 9 13:46:31 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:15:12 2006
Subject: .exe and .com files
Message-ID: <1026218791.5015.43.camel@dbeauchemin.si.usherb.ca>

Hi,

I just started testing MailScanner and so far it is quite promising.

I would like to deny .exe and .com extensions (I know it can be done in filename.rules.conf) but I would like them to be scanned anyways by my antivirus (McAfee) so people would know that the files were infected (if they were).

That way we would get much less calls from people requesting their files back.

Could this be done?

Thanks!

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From andersan at LTKALMAR.SE Tue Jul 9 13:58:59 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: .exe and .com files
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA6F@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> Sent: 9 July 2002 14:47
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: .exe and .com files
>
>
> Hi,
>
> I just started testing MailScanner and so far it is quite promising.
>
> I would like to deny .exe and .com extensions (I know it can be done in
> filename.rules.conf) but I would like them to be scanned anyways by my
> antivirus (McAfee) so people would know that the files were infected (if
> they were).

As far as I figured out all mail will be scanned before file rules.

>
> That way we would get much less calls from people requesting their files
> back.
>
> Could this be done?
>
> Thanks!
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045

I prefer the other way that first check file rules and then do the scan
Since we have an average of 3-500 mails an hour I prefer to do it in that order, rather use my cpu for the files we accept than having it virusscan files we don't accept

I also changed the messages not to say I've saved the files and they can call helpdesk. Even though I save them for trials and virus test.

In our current system I also added a link to Trends-housecall for ppl on the net that might not have their own virusdefense. It's a little slow for ppl on modem but I've got a lot of nice mails from ppl thanking me for the help.
Ups, this got out of hand but maybe it might help someone

From rabellino at DI.UNITO.IT Tue Jul 9 13:49:02 2002
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:15:12 2006
Subject: Log error again
Message-ID: <3D2ADBBE.7E33D2F9@di.unito.it>

Dear Julian,
i've downloaded the latest release 3.21, but in logger.pl I must comment out the following line

> # Do this in an eval so it can fail quietly if setlogsock
> # is not supported in the installed version of Sys::Syslog
> eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r

as mailscanner abort during this eval...
Could be a problem of my perl installation ??

> #perl -v
>
> This is perl, v5.6.0 built for sun4-solaris
>
> Copyright 1987-2000, Larry Wall

Thanks.
--
Dott. Sergio Rabellino

Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From P.G.M.Peters at civ.utwente.nl Tue Jul 9 14:33:56 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: .exe and .com files
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6F@lkl22.ltkalmar.se>
References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6F@lkl22.ltkalmar.se>
Message-ID:

On Tue, 9 Jul 2002 14:58:59 +0200, you wrote:

>> That way we would get much less calls from people requesting
>> their files
>> back.
>>
>> Could this be done?
>
>I prefer the other way that first check file rules and then do the scan
>Since we have an average of 3-500 mails an hour I prefer to do it
>in that order, rather use my cpu for the files we accept than
>having it virusscan files we don't accept

Our mailservers don't do anything but handle mail for a number of domains. We have an average of 600 mails per hour (during the day). At this moment we receive 20 mails a minute with a load of 0.25 (10% idle).
This is for one Intel/linux server (PIII 1GHz, 512MB)

>I also changed the messages not to say I've saved the files and they can call
>helpdesk.

Our helpdesk has never had any request for a saved file (yet).

Some more statistics:
We have 2 identical servers (mx1 and mx2) running Suse linux 7.3. We have 121 aliases (mainly listexpansion) and over 8500 virtual users with mailboxes on other systems. We have almost 160 virtual domains. At the moment we have 90 domains in domains.to.scan.conf. Those 90 domains count for 8000 of the virtual users.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From tal at MUSICGENOME.COM Tue Jul 9 14:54:37 2002
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: SV: Changing konfiguration.......
In-Reply-To: <1026129365.1412.15.camel@johnny5>
References: <7B475DC5E9502B4D91EA73C283AE48D70263EA6E@lkl22.ltkalmar.se> <1026129365.1412.15.camel@johnny5>
Message-ID: <1026222878.1867.8.camel@johnny5>

btw... did that patch work properly, or does it need fixing?

--
Tal Kelrich
PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
PGP key-id: 12B9AA69
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020709/e151efb3/attachment.bin

From brose at MED.WAYNE.EDU Tue Jul 9 15:02:02 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
Message-ID:

I agree. Since the W32/Goner days we block executables because it took the AV guys until the end of the business day to release definitions. You can change the message in filename.confs so it tells them to rename it. That's what I did.
Anything caught by this rule also tells them that they should rename it so that it only has one period. If you don't want the rule then just remove it.

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Tuesday, July 09, 2002 1:49 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Incorrect "virus" detection?

On Mon, Jul 08, 2002 at 11:16:39PM -0400, John Goggan wrote:

> I mean, I just had a person miss a file attachment that was not
> infected simply because it ended in .july.doc. :)
>
> > It's best to leave this option the way it is and try to avoid
> > multiple extension file names...they're too dangerous in Windows.

Just how quick do you think it is possible for an AV vendor to be in response to the arrival of a new virus?

How likely do you think it is that someone will send them a copy before you get a copy, every time?

How badly do you want to avoid getting caught out when you (or your network) are sent the latest greatest BIOS-flashing disk-wiping virus?

How inconvenient is it to educate people that using dots in filenames is not a terribly great idea?

Your call.

--
Nick Phillips -- nwp@lemon-computing.com
Your lucky number has been disconnected.

From andersan at LTKALMAR.SE Tue Jul 9 15:19:28 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: SV: SV: Changing konfiguration.......
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA73@lkl22.ltkalmar.se>

Hi

I haven't had time to try it yet.....I was gonna mail back and ask you how to apply it but been too busy at work
As I said, I'm newbie at unix so I really need a howto approach =)
I'm still doing some fine fixing on mailscann but I have to put my normal work in priority =)

/Anders

> -----Original Message-----
> From: tal@MUSICGENOME.COM [mailto:tal@MUSICGENOME.COM]
> Sent: 9 July 2002 16:15
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: SV: Changing konfiguration.......
>
>
> Security warning. Details in WARNING.TXT about the possible problem.
> --------------------------------------------------------------------
> btw... did that patch work properly, or does it need fixing?
> --
> Tal Kelrich
>
> PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
> PGP key-id: 12B9AA69
>
>

From fizz at BOMB.NET Tue Jul 9 15:22:21 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:15:12 2006
Subject: Hey, found something very awesome!
Message-ID: <000101c22754$099d6000$483cd842@newfizz>

I've been using MRTG For years now and have discovered RRDTool, basically an extension or addon if you will to mrtg. Well I found some people doing REALLY cool things with their rrdtool setups.

http://rs6000.univie.ac.at/virstats/

Someone using rrdtool to graph the amount of viruses and which viruses by color by hour. Take a look, and see if anyone thinks they might be able to hack this together. :-)

              //////
             ( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| support@cyberstreet.com
| http://www.cyberstreet.com
|  .oooO
|  (   )   Oooo.
+--- (----(   )----------------------------+
    \_)    ) /
          (_/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020709/1b542e5b/attachment.html

From andersan at LTKALMAR.SE Tue Jul 9 15:43:20 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: Hey, found something very awesome!
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA74@lkl22.ltkalmar.se>

Wow, another reason why I hate and love *nix. Hate because I don't know nothing and love because all you ever want is there for you to learn

-----Original Message-----
From: Kelly Hamlin [mailto:fizz@BOMB.NET]
Sent: 9 July 2002 16:22
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Hey, found something very awesome!

I've been using MRTG For years now and have discovered RRDTool, basically an extension or addon if you will to mrtg.
Well I found some people doing REALLY cool things with their rrdtool setups.

http://rs6000.univie.ac.at/virstats/

Someone using rrdtool to graph the amount of viruses and which viruses by color by hour. Take a look, and see if anyone thinks they might be able to hack this together. :-)

              //////
             ( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| support@cyberstreet.com
| http://www.cyberstreet.com
|  .oooO
|  (   )   Oooo.
+--- (----(   )----------------------------+
    \_)    ) /
          (_/

From thomas_duvally at BROWN.EDU Tue Jul 9 22:32:57 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:15:12 2006
Subject: Symantec CmdLine support
Message-ID: <1026250378.1626.55.camel@toms>

I've looked through the archives, and understand why Symantec CmdLine scanner isn't supported right now. I've tried to figure it out myself, and not being much of a perl guy, didn't get very far. The most I could do was get it to scan, but I'm not too sure what happened next. It looks like it found the infected file.

I REALLY want to figure this out. Would a discussion of how to parse a virus output be too much to ask for here? :)

--
Tom DuVally
Lead Sys. Programmer
CIS, Brown University

From jon at XNEXT.COM Tue Jul 9 22:40:11 2002
From: jon at XNEXT.COM (Jonothon Ortiz)
Date: Thu Jan 12 21:15:12 2006
Subject: Symantec CmdLine support
In-Reply-To: <1026250378.1626.55.camel@toms>
Message-ID:

>> I REALLY want to figure this out. Would a discussion of how to parse a
>>virus output be too much to ask for here? :)

Yes lol

seriously, it sounds like a fun and educational idea...I know I would learn a bit from a discussion like this.

From dave at ESI.COM.AU Wed Jul 10 01:29:50 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
In-Reply-To: <20020709105645.GB11669@hoiho.nz.lemon-computing.com>
Message-ID:

On Tue, 9 Jul 2002, Nick Phillips wrote:

> > windows doesn't (does it?) stupidly execute a file ending in .that?
>
> Windows recognises certain file types no matter what the extension; Office
> documents, for example (IIRC).

So has anyone looked at www.impsec.org/email-tools/procmail-security.html or are we busy reinventing wheels? It's a generic Perl/procmail solution that works pretty good.

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From m.sapsed at BANGOR.AC.UK Wed Jul 10 10:08:26 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:12 2006
Subject: .exe and .com files
References: <1026218791.5015.43.camel@dbeauchemin.si.usherb.ca>
Message-ID: <3D2BF98A.A0856442@bangor.ac.uk>

Denis Beauchemin wrote:
>
> Hi,
>
> I just started testing MailScanner and so far it is quite promising.
>
> I would like to deny .exe and .com extensions (I know it can be done in
> filename.rules.conf) but I would like them to be scanned anyways by my
> antivirus (McAfee) so people would know that the files were infected (if
> they were).

You get both/and by default. The e-mail will say if the attachment was removed because it was .exe/.com and if it had a virus it will say that too. Something like:

Report: >>> Virus 'W32/Hybris-B' found in file ./g670hdT13685/sexy virgin.scr
        Windows Screensavers often hide viruses in email in sexy virgin.scr

Cheers,

Martin

--
Martin Sapsed                         To have no errors
Information Services                  Would be life without meaning
University of Wales, Bangor, LL57 2UX No struggle, no joy.

From m.sapsed at BANGOR.AC.UK Wed Jul 10 10:24:19 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:12 2006
Subject: Incorrect "virus" detection?
References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> <3D2AA295.4E5678FF@bangor.ac.uk> <20020709105645.GB11669@hoiho.nz.lemon-computing.com>
Message-ID: <3D2BFD43.2599F126@bangor.ac.uk>

nwp@lemon-computing.com wrote:
>
> On Tue, Jul 09, 2002 at 09:45:09AM +0100, Martin Sapsed wrote:
>
> > random file ending in .this.that because no matter what's in the file,
> > windows doesn't (does it?) stupidly execute a file ending in .that?
>
> Windows recognises certain file types no matter what the extension; Office
> documents, for example (IIRC).

Blimey! Scary! Apologies folks - didn't realise that. However, it still won't blindly execute files with random extensions (yet, at least on W98 - does XP?) Please tell me it doesn't!

Are we sure that we've got all the extensions that windows will blindly execute though? I guess it's anything which has (or can get to) a registry key HKEY_CLASSES_ROOT\\shell\open\command where the value begins with %1?

Cheers,

Martin

--
Martin Sapsed                         To have no errors
Information Services                  Would be life without meaning
University of Wales, Bangor, LL57 2UX No struggle, no joy.

From andersan at LTKALMAR.SE Wed Jul 10 12:11:24 2002
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:15:12 2006
Subject: SV: Incorrect "virus" detection?
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA75@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
> Sent: 10 July 2002 11:24
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Incorrect "virus" detection?
>
>
> nwp@lemon-computing.com wrote:
> >
> > On Tue, Jul 09, 2002 at 09:45:09AM +0100, Martin Sapsed wrote:
> >
> > > random file ending in .this.that because no matter what's in the file,
> > > windows doesn't (does it?) stupidly execute a file ending in .that?
> >
> > Windows recognises certain file types no matter what the extension; Office
> > documents, for example (IIRC).
>
> Blimey! Scary! Apologies folks - didn't realise that. However, it still
> won't blindly execute files with random extensions (yet, at least on W98 -
> does XP?) Please tell me it doesn't!

Outlook/win is really stupid when it comes to autorun files... get a safe script and turn on preview in explorer and it will execute it... anything that can be executed will be executed in the preview window... believe me, a co-worker just marked a nimda file and started an outbreak on that machine. We had protection on the rest of the servers but it could have been bad =(

From outlook update:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q235309&id=KB;EN-US;Q235309

After you install this version of the security update, when you open attachments with file name extensions of .ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf or .wsh, you receive the following warning message:

Attachment Security Warning

>
> Are we sure that we've got all the extensions that windows will blindly
> execute though? I guess it's anything which has (or can get to) a registry
> key HKEY_CLASSES_ROOT\\shell\open\command where the value begins
> with %1?
>
> Cheers,
>
> Martin
>
> --
> Martin Sapsed                         To have no errors
> Information Services                  Would be life without meaning
> University of Wales, Bangor, LL57 2UX No struggle, no joy.
>

From thomas_duvally at BROWN.EDU Wed Jul 10 13:13:57 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:15:12 2006
Subject: Symantec CmdLine support
In-Reply-To:
References:
Message-ID: <1026269425.1768.34.camel@duv-lap>

Ok, so I cut and pasted a few bits in the sweep.pl. The "my &Scanners =" just seemed to be command line options. That took a little time since I had to figure out how to get the scanner to print any good info.
I didn't understand what "InitParser," was for, but since it didn't seem used by most scanners, I ignored it.

Now for the big one. "ProcessOutput". I don't think I understand this part much. I did cut and paste, but with only minimal success. I got it to detect a virus (eicar test string), but it wouldn't clean it. Also got errors to the console.

Is every line of output passed through this one at a time? I know what lines are important in the output. Just two from what I figure:

Infected: /PATH/TO/FILE
Info: Virus name ( what was done to it )

The rest is status and info about non-infected files (symlinks, time taken, blah, blah)

On Tue, 2002-07-09 at 17:40, Jonothon Ortiz wrote:
> >> I REALLY want to figure this out. Would a discussion of how to parse a
> >>virus output be too much to ask for here? :)
>
> Yes lol
>
> seriously, it sounds like a fun and educational idea...I know I would learn
> a bit from a discussion like this.

--
Tom DuVally
Lead Sys. Programmer
CIS, Brown University
p 401-863-9466

From combs at MAGNET.FSU.EDU Wed Jul 10 15:21:37 2002
From: combs at MAGNET.FSU.EDU (Tom Combs)
Date: Thu Jan 12 21:15:13 2006
Subject: Need Perl 5.8.0 for RBL?
Message-ID:

Hello,

My next phase with mailscanner involves enabling spamassassin. I've got it running on my test machine and added the recommended Digest::Net module to enable the RBL checks. However, my test machine is running perl 5.8.0 and I can't seem to get the Net module installed on the production machine (perl 5.6.1) due to dependencies on the Digest::MD5 that seems to only be available in perl 5.8.0. Does the SpamAssassin RBL checks work with 5.6.1? I used the perl Makefile.PL route for installing spamassassin instead of perl -MCPAN -e shell method and maybe this is where I went wrong.
TIA for any advice, Tom Combs

From thomas_duvally at BROWN.EDU Wed Jul 10 15:25:29 2002
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:15:13 2006
Subject: Symantec CmdLine support
In-Reply-To: <1026269425.1768.34.camel@duv-lap>
References: <1026269425.1768.34.camel@duv-lap>
Message-ID: <1026311129.1618.17.camel@toms>

HOLY $#!T, I think I got it......

I am now going to kiss my O'Reilly Perl books...

Now what do I do with the code (once I triple check that it does work). Post it here, or send it to Julian?

On Wed, 2002-07-10 at 08:13, Thomas DuVally wrote:
> Ok, so I cut and pasted a few bits in the sweep.pl. The "my &Scanners
> =" just seemed to be command line options. That took a little time
> since I had to figure out how to get the scanner to print any good info.
>
> I didn't understand what "InitParser," was for, but since it didn't seem
> used by most scanners, I ignored it.
>
> Now for the big one. "ProcessOutput". I don't think I understand this
> part much. I did cut and paste, but with only minimal success. I got
> it to detect a virus (eicar test string), but it wouldn't clean it.
> Also got errors to the console.
>
> Is every line of output passed through this one at a time? I know what
> lines are important in the output. Just two from what I figure:
>
> Infected: /PATH/TO/FILE
> Info: Virus name ( what was done to it )
>
> The rest is status and info about non-infected files (symlinks, time
> taken, blah, blah)
>
> On Tue, 2002-07-09 at 17:40, Jonothon Ortiz wrote:
> > >> I REALLY want to figure this out. Would a discussion of how to parse a
> > >>virus output be too much to ask for here? :)
> >
> > Yes lol
> >
> > seriously, it sounds like a fun and educational idea...I know I would learn
> > a bit from a discussion like this.
> --
> Tom DuVally
> Lead Sys. Programmer
> CIS, Brown University
> p 401-863-9466

--
Tom DuVally
Lead Sys. Programmer
CIS, Brown University
p 401-863-9466

From sevans at FOUNDATION.SDSU.EDU Wed Jul 10 15:53:34 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:13 2006
Subject: Incorrect "virus" detection?
Message-ID: <6214C3F9233D764C9E7029396C355015115B75@mail.foundation.sdsu.edu>

http://www.swinc.com/resource/e2kfaq_appxj.htm

Steve Evans
Computing Services
(619) 594-0653

-----Original Message-----
From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE]
Sent: Wednesday, July 10, 2002 4:11 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SV: Incorrect "virus" detection?

> -----Original Message-----
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
> Sent: 10 July 2002 11:24
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Incorrect "virus" detection?
>
>
> nwp@lemon-computing.com wrote:
> >
> > On Tue, Jul 09, 2002 at 09:45:09AM +0100, Martin Sapsed wrote:
> >
> > > random file ending in .this.that because no matter what's in the file,
> > > windows doesn't (does it?) stupidly execute a file ending in .that?
> >
> > Windows recognises certain file types no matter what the extension; Office
> > documents, for example (IIRC).
>
> Blimey! Scary! Apologies folks - didn't realise that. However, it still
> won't blindly execute files with random extensions (yet, at least on W98 -
> does XP?) Please tell me it doesn't!

Outlook/win is really stupid when it comes to autorun files... get a safe script and turn on preview in explorer and it will execute it... anything that can be executed will be executed in the preview window... believe me, a co-worker just marked a nimda file and started an outbreak on that machine.
We had protection on the rest of the servers but it could have been bad =(

From outlook update:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q235309&id=KB;EN-US;Q235309

After you install this version of the security update, when you open attachments with file name extensions of .ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf or .wsh, you receive the following warning message:

Attachment Security Warning

>
> Are we sure that we've got all the extensions that windows will blindly
> execute though? I guess it's anything which has (or can get to) a registry
> key HKEY_CLASSES_ROOT\\shell\open\command where the value begins
> with %1?
>
> Cheers,
>
> Martin
>
> --
> Martin Sapsed                         To have no errors
> Information Services                  Would be life without meaning
> University of Wales, Bangor, LL57 2UX No struggle, no joy.
>

From m.sapsed at BANGOR.AC.UK Wed Jul 10 17:23:56 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:15:13 2006
Subject: Incorrect "virus" detection?
References: <6214C3F9233D764C9E7029396C355015115B75@mail.foundation.sdsu.edu>
Message-ID: <3D2C5F9C.37DDAB8C@bangor.ac.uk>

Steve Evans wrote:
>
> http://www.swinc.com/resource/e2kfaq_appxj.htm

Doesn't include .lnk strangely...

Cheers,

Martin

--
Martin Sapsed                         To have no errors
Information Services                  Would be life without meaning
University of Wales, Bangor, LL57 2UX No struggle, no joy.

From sevans at FOUNDATION.SDSU.EDU Wed Jul 10 17:33:04 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:13 2006
Subject: Incorrect "virus" detection?
Message-ID: <6214C3F9233D764C9E7029396C355015115B7D@mail.foundation.sdsu.edu>

I didn't notice that until now.
Steve Evans
Computing Services
(619) 594-0653

-----Original Message-----
From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
Sent: Wednesday, July 10, 2002 9:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Incorrect "virus" detection?

Steve Evans wrote:
>
> http://www.swinc.com/resource/e2kfaq_appxj.htm

Doesn't include .lnk strangely...

Cheers,

Martin

--
Martin Sapsed                         To have no errors
Information Services                  Would be life without meaning
University of Wales, Bangor, LL57 2UX No struggle, no joy.

From mailscanner at ecs.soton.ac.uk Wed Jul 10 18:49:34 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:13 2006
Subject: Need Perl 5.8.0 for RBL?
In-Reply-To:
Message-ID: <5.1.0.14.2.20020710184632.03fae0a8@imap.ecs.soton.ac.uk>

At 15:21 10/07/2002, you wrote:
> My next phase with mailscanner involves enabling spamassassin. I've
> got it running on my test machine and added the recommended Digest::Net
> module to enable the RBL checks. However, my test machine is running
> perl 5.8.0

I haven't tried 5.8 at all yet.

> and I can't seem to get the Net module installed on the
> production machine (perl 5.6.1) due to
> dependencies on the Digest::MD5 that seems to only be available in
> perl 5.8.0. Does the SpamAssassin RBL checks work with 5.6.1?

Yes. Nothing in MailScanner requires anything beyond 5.005. I only require that because of all the bugs in 5.004.

> I
> used the perl Makefile.PL route for installing spamassassin instead
> of perl -MCPAN -e shell method and maybe this is where I went wrong.

I always use the Makefile.PL route myself. But I do use -MCPAN for installing the modules that SpamAssassin requires (except I stop it upgrading my entire copy of Perl!)

> TIA for any advice, Tom Combs

Sorry response is a bit slow at the moment, I'm working with a 28.8k modem out of a hotel room all this week as I'm in London on a course.
Should improve when I get back home this weekend :-)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mkettler at EVI-INC.COM Wed Jul 10 18:56:41 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:15:13 2006
Subject: Need Perl 5.8.0 for RBL?
In-Reply-To:
Message-ID: <5.1.0.14.0.20020710134519.02156ec0@192.168.50.2>

I run MailScanner with SpamAssassin and razor just fine on perl 5.6.1 (according to perl -v)

I installed the following things via cpan for my MailScanner/SpamAssassin/razor setup:

bundle::libnet
bundle::cpan
net:DNS
Time:HiRes,Net::Ping,Digest::SHA1,Mail::Internet (for razor)
Mail::SpamAssassin
IO::Stringy
MIME::Tools

I allowed CPAN to satisfy anything that needed dependencies and it would appear that Digest::MD5 was pulled down in the process (/root/.cpan/sources/authors/id/G/GA/GAAS/Digest-MD5-2.20.tar exists)

Try using the following perl shell command before you try to install Net:DNS:

o conf prerequisites_policy ask

That will cause cpan to ask you if you want to auto-install dependencies.

At 03:21 PM 7/10/2002 +0100, Tom Combs wrote:
>Hello,
>
> My next phase with mailscanner involves enabling spamassassin. I've
> got it running on my test machine and added the recommended Digest::Net
> module to enable the RBL checks. However, my test machine is running
> perl 5.8.0 and I can't seem to get the Net module installed on the
> production machine (perl 5.6.1) due to
> dependencies on the Digest::MD5 that seems to only be available in
> perl 5.8.0. Does the SpamAssassin RBL checks work with 5.6.1? I
> used the perl Makefile.PL route for installing spamassassin instead
> of perl -MCPAN -e shell method and maybe this is where I went wrong.
> > TIA for any advice, Tom Combs From sevans at FOUNDATION.SDSU.EDU Wed Jul 10 19:26:03 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:13 2006 Subject: Content Filtering Message-ID: <6214C3F9233D764C9E7029396C355015115B7F@mail.foundation.sdsu.edu> I started using SpamAssassin about a month ago and I'm just loving it. I'm wondering if anyone has any solutions for filtering out inappropriate content. (nude images, inappropriate jokes, etc.). Steve Evans Computing Services (619) 594-0653 From splee at PLEXIO.COM Wed Jul 10 19:51:56 2002 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:15:13 2006 Subject: Content Filtering In-Reply-To: <6214C3F9233D764C9E7029396C355015115B7F@mail.foundation.sdsu.edu> References: <6214C3F9233D764C9E7029396C355015115B7F@mail.foundation.sdsu.edu> Message-ID: <1026327117.1990.1764.camel@ralph.plexio.private> On Wed, 2002-07-10 at 11:26, Steve Evans wrote: > I started using SpamAssassin about a month ago and I'm just loving it. > I'm wondering if anyone has any solutions for filtering out > inappropriate content. (nude images, inappropriate jokes, etc.). I don't know if there is anything for content filtering of email but for web content I would use Squid with something like Dan's Guardian, (http://www.dansguardian.org). Stephen From y.huang at UTORONTO.CA Wed Jul 10 20:38:35 2002 From: y.huang at UTORONTO.CA (Bruce Huang) Date: Thu Jan 12 21:15:13 2006 Subject: Logger.pl in 3.15 Message-ID: Dear all, I am not sure if this problem has been solved. I just upgraded from v.3.14 to V3.21 with Perl 5.6.0 build for sun4-solaris, and get the same error. The turn around way is as Sergio's suggestion. Any idea or suggestion?
Thanks, Bruce On Fri, 24 May 2002 12:53:38 +0200, Rabellino Sergio wrote: >Julian Field wrote: >> >> At 10:00 24/05/2002, you wrote: >> >Dear list, >> > i've updated mailscanner to the latest release, but launching it I >> > obtain the follow error >> > >> >"Your vendor has not defined the Sys::Syslog macro _PATH_LOG at >> >/opt/perl/lib/5.6.0/sun4-solaris/Sys/Syslog.pm line 277." >> > >> >So i've erased in logger.pl the eval line in the start sub >> > > # Do this in an eval so it can fail quietly if setlogsock >> > > # is not supported in the installed version of Sys::Syslog >> > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r >> > >> >And mailscanner is doing it's work fine as usual. Any hints about it ? >> >> How old is your version of Perl? "perl -v". >> >This is perl, v5.6.0 built for sun4-solaris > >Copyright 1987-2000, Larry Wall > >Perl may be copied only under the terms of either the Artistic License or the >GNU General Public License, which may be found in the Perl 5.0 source kit. > >Complete documentation for Perl, including FAQ lists, should be found on >this system using `man perl' or `perldoc perl'. If you have access to the >Internet, point your browser at http://www.perl.com/, the Perl Home Page. > >> >Ps. For SpamAssassin, i've done a minor change, so I can store the >> >SpamAssassin prefs under the mailscanner etc directory. I believe it's a >> >better choice than using the .spamassassin directory in the homedir of the >> >mailscanner user ... >> >I'll wait for your solution >-- >Dott. Sergio Rabellino > > Technical Staff > Department of Computer Science > University of Torino (Italy) > Member of the Internet Society > >http://www.di.unito.it/~rabser >Tel. +39-0116706701 >Fax. 
+39-011751603 From mrlynx at LAING.E-TARLAC.COM Thu Jul 11 14:10:05 2002 From: mrlynx at LAING.E-TARLAC.COM (JOSEPH BAUTISTA) Date: Thu Jan 12 21:15:13 2006 Subject: Content Filtering In-Reply-To: <6214C3F9233D764C9E7029396C355015115B7F@mail.foundation.sdsu.edu> Message-ID: check www.dansguardian.org you need an squid installed On Wed, 10 Jul 2002, Steve Evans wrote: > I started using SpamAssassin about a month ago and I'm just loving it. > I"m wondering if anyone has any solutions for filtering out > in-appropriate content. (nude images, inappropriate jokes, etc.). > > > Steve Evans > Computing Services > (619) 594-0653 > > > -- - \|/ - (@ @) +----------oOO---------(_)------------+ | Mr. Joseph C. Bautista | | NOC, e-Tarlac.com | | email add: mrlynx@e-tarlac.com | | URL: http://www.e-tarlac.com | +------------------------oOO----------+ |__|__| | | | | ooO Ooo -- It takes more learning, before you learn how little you've learned -- From nwp at LEMON-COMPUTING.COM Thu Jul 11 02:20:03 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:13 2006 Subject: Symantec CmdLine support In-Reply-To: <1026311129.1618.17.camel@toms> References: <1026269425.1768.34.camel@duv-lap> <1026311129.1618.17.camel@toms> Message-ID: <20020711012003.GI1345@hoiho.nz.lemon-computing.com> On Wed, Jul 10, 2002 at 10:25:29AM -0400, Thomas DuVally wrote: > HOLY $#!T, I think I got it...... > > I am now going to kiss my O'Reilly Perl books... > > Now what do I do with the code (once I triple check that it does work). > > Post it here, or send it to Julian? Well, ideally send it to me or Jules along with a bunch of other bits and bobs. I've been meaning to write this up for a while; please hassle me to do so if I haven't done it in the next couple of days. In the meantime, if you could send me what you've got, I'll have a look over it and get back to you with a bunch of questions about it. 
Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Excellent time to become a missing person. From nwp at LEMON-COMPUTING.COM Thu Jul 11 02:32:25 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:13 2006 Subject: Logger.pl in 3.15 In-Reply-To: References: Message-ID: <20020711013224.GK1345@hoiho.nz.lemon-computing.com> On Wed, Jul 10, 2002 at 08:38:35PM +0100, Bruce Huang wrote: > Dear all, > > I am not sure if this problem is been solved. I just upgarded from v.3.14 > to V3.21 with Perl 5.6.0 build for sun4-solaris, and get the same error. > The turn around way is as Sergio's suggestion. Any idea or suggestion? Commenting out the eval containing the setlogsock will do no harm at all; it will just revert to the previous behaviour of logging via UDP rather than a local socket. This is only a problem if it means that you then need to enable syslog to accept remote log messages on a system that is not protected from DoS attacks on syslog (filling up your disk with spurious log messages). The eval was intended to catch any problems on systems where setlogsock wouldn't work, but if mailscanner is keeling over at that point then evidently all is not quite according to plan. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You too can wear a nose mitten. From nwp at LEMON-COMPUTING.COM Thu Jul 11 02:25:49 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:13 2006 Subject: Incorrect "virus" detection? In-Reply-To: <3D2BFD43.2599F126@bangor.ac.uk> References: <3D2A5597.A7B91898@dcg.com> <20020709054848.GC3459@hoiho.nz.lemon-computing.com> <3D2AA295.4E5678FF@bangor.ac.uk> <20020709105645.GB11669@hoiho.nz.lemon-computing.com> <3D2BFD43.2599F126@bangor.ac.uk> Message-ID: <20020711012549.GJ1345@hoiho.nz.lemon-computing.com> On Wed, Jul 10, 2002 at 10:24:19AM +0100, Martin Sapsed wrote: > Blimey! Scary! Apologies folks - didn't realise that. 
However, it still > won't blindly execute files with random extensions (yet, at least on W98 - > does XP?) Please tell me it doesn't! I don't *think* it'll execute normal executables, but if you double-click on an office document it will open it and execute all the macros in it (unless you have them turned off somehow), no matter what the file is called. Anyone care to try to get a definitive answer for the most common file types (html with javascript, office docs, normal executables...)? Not forgetting to try multipart/alternative mails that contain things that will be executed in being viewed (e.g. what happens if a word doc is the only part of a multipart/alternative message that a windows system understands?)... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You know that thing you're about to do? Don't. From evertjan at VANRAMSELAAR.NL Thu Jul 11 14:13:41 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues Message-ID: <001001c228dc$c6bf30d0$65020a0a@galaxy> Hi list, When looking in my maillog for something else, I noticed multiple of these messages: Jul 11 14:41:15 ram1 mailscanner[7482]: Failed to link message body between queues (/var/spool/mqueue/dfg6BCedG16758 --> /var/spool/ mqueue.in/dfg6BCedG16758) Jul 11 15:00:59 ram1 mailscanner[7482]: Failed to link message body between queues (/var/spool/mqueue/dfg6BD0JG31526 --> /var/spool/ mqueue.in/dfg6BD0JG31526) Jul 11 15:07:22 ram1 mailscanner[7492]: Failed to link message body between queues (/var/spool/mqueue/dfg6BD6ZG05061 --> /var/spool/ mqueue.in/dfg6BD6ZG05061) What is happening here? Both directories are on the same filesystem. These messages started appearing only yesterday, but I have not modified anything to the mailserver setup since the latest release of MailScanner. 
-- Evert Jan van Ramselaar Van Ramselaar Info Tech From dave at ESI.COM.AU Thu Jul 11 14:31:50 2002 From: dave at ESI.COM.AU (Dave Horsfall) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: <001001c228dc$c6bf30d0$65020a0a@galaxy> Message-ID: On Thu, 11 Jul 2002, Evert Jan van Ramselaar wrote: > What is happening here? Both directories are on the same filesystem. > These messages started appearing only yesterday, but I have not modified > anything to the mailserver setup since the latest release of MailScanner. Out of space? Out of inodes? -- Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia From evertjan at VANRAMSELAAR.NL Thu Jul 11 14:39:58 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: Message-ID: <001501c228e0$72a386a0$65020a0a@galaxy> > -----Original Message----- > From: Dave Horsfall > Sent: Thursday, July 11, 2002 3:32 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Failed to link message body between queues > > What is happening here? Both directories are on the same filesystem. > > These messages started appearing only yesterday, but I have not modified > > anything to the mailserver setup since the latest release of > MailScanner. > > Out of space? Out of inodes? 
Not really: root@ram1:/var/spool # df /var Filesystem 1k-blocks Used Available Use% Mounted on /dev/hdb6 995840 278560 665876 29% /var root@ram1:/var/spool # df -i /var Filesystem Inodes IUsed IFree IUse% Mounted on /dev/hdb6 257280 20498 236782 8% /var -- Evert Jan van Ramselaar Van Ramselaar Info Tech From Paul.Haldane at NEWCASTLE.AC.UK Thu Jul 11 14:43:49 2002 From: Paul.Haldane at NEWCASTLE.AC.UK (Paul Haldane) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues Message-ID: Generally means (I think) that there's already a message with that id in the outgoing mail queue. IIRC later versions of sendmail generate queue names that are less likely to produce conflicts. I'm not sure what the nicest way of dealing with this is - creating another queue directory, moving the stuff from the outgoing queue into that and running and extra queue runner for that? Paul -- Paul Haldane Unix Systems, Computing Service, University of Newcastle upon Tyne -----Original Message----- From: Dave Horsfall [mailto:dave@esi.com.au] Sent: 11 July 2002 14:32 To: MailScanner mailing list Subject: Re: Failed to link message body between queues On Thu, 11 Jul 2002, Evert Jan van Ramselaar wrote: > What is happening here? Both directories are on the same filesystem. > These messages started appearing only yesterday, but I have not > modified anything to the mailserver setup since the latest release of > MailScanner. Out of space? Out of inodes? -- Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia From valites at GENESEO.EDU Thu Jul 11 14:47:53 2002 From: valites at GENESEO.EDU (Mark T. Valites) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: <001501c228e0$72a386a0$65020a0a@galaxy> Message-ID: I don't think it'll solve your problem, but try "df -i" to see inode usage. 
The results can be quite different from a plain df. Big Brother tends to blow through inodes like they're going out of style & the bb lists have more info if you need it... On Thu, 11 Jul 2002, Evert Jan van Ramselaar wrote: > Date: Thu, 11 Jul 2002 15:39:58 +0200 > From: Evert Jan van Ramselaar > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Failed to link message body between queues > > > -----Original Message----- > > From: Dave Horsfall > > Sent: Thursday, July 11, 2002 3:32 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Failed to link message body between queues > > > > What is happening here? Both directories are on the same filesystem. > > > These messages started appearing only yesterday, but I have not modified > > > anything to the mailserver setup since the latest release of > > MailScanner. > > > > Out of space? Out of inodes? > > Not really: > > root@ram1:/var/spool # df /var > Filesystem 1k-blocks Used Available Use% Mounted on > /dev/hdb6 995840 278560 665876 29% /var > root@ram1:/var/spool # df -i /var > Filesystem Inodes IUsed IFree IUse% Mounted on > /dev/hdb6 257280 20498 236782 8% /var > > -- > Evert Jan van Ramselaar > Van Ramselaar Info Tech > >--))> >--))> Mark T. Valites Unix Systems Analyst 1 College Circle - 124b1 South Hall SUNY Geneseo Geneseo, NY 14454 585-245-5577 585-259-3471 (Cell) 585-245-5579 (Fax)
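The "Failed to link message body between queues" log line discussed in the messages above says that a hard link failed but not why. As an added example (not MailScanner's own code, and not from any poster in this thread), the Python below attempts the same kind of link and maps the errno to the causes raised in the replies; the directory names mirror the thread, while the queue ids, function names and explanation strings are constructed for illustration.

```python
import errno
import os
import tempfile

# What each link(2) errno means for a message body being hard-linked from
# one queue directory to another (the wording is this example's own).
CAUSES = {
    errno.EEXIST: "a file with this queue id already exists in the target queue",
    errno.ENOENT: "the source file is gone (or the target directory is missing)",
    errno.EXDEV: "the two queues are on different filesystems",
    errno.ENOSPC: "the target filesystem has no room for a new directory entry",
    errno.EMLINK: "the source file already has the maximum number of links",
    errno.EACCES: "the process may not write to the target directory",
    errno.EPERM: "the filesystem or a security policy forbids this hard link",
}


def same_filesystem(dir_a, dir_b):
    """True when both directories are on the same device, so link(2) can work."""
    return os.stat(dir_a).st_dev == os.stat(dir_b).st_dev


def try_link(src, dst):
    """Attempt the hard link; return (ok, errno_name, explanation)."""
    try:
        os.link(src, dst)
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return False, name, CAUSES.get(exc.errno, os.strerror(exc.errno))
    return True, None, "linked"


def demo():
    """Reproduce two failure modes in throwaway queue directories."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        src_q = os.path.join(root, "mqueue.in")
        dst_q = os.path.join(root, "mqueue")
        os.mkdir(src_q)
        os.mkdir(dst_q)
        results["same_fs"] = same_filesystem(src_q, dst_q)

        name = "dfCONSTRUCTED001"  # constructed queue id, not from the thread
        src = os.path.join(src_q, name)
        dst = os.path.join(dst_q, name)
        with open(src, "w") as fh:
            fh.write("constructed message body\n")

        # Normal hand-over from one queue to the other.
        results["first"] = try_link(src, dst)
        # Same id again: the name is already taken in the target queue.
        results["duplicate"] = try_link(src, dst)
        # The source disappears before the link, as when something else
        # has already moved or removed the file.
        os.unlink(src)
        other = os.path.join(dst_q, "dfCONSTRUCTED002")
        results["vanished"] = try_link(src, other)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Running `try_link` by hand on one of the logged source/target pairs, as the user the scanner runs as, gives the errno that the log message omits.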
From jgoggan at DCG.COM Mon Jul 8 20:42:39 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:13 2006 Subject: Maybe virus wrapper should hide path? Message-ID: <3D29EB2F.F70F3A2D@dcg.com> I've noticed that the virus alert messages contain the entire path of the virus. For example: At Mon Jul 8 15:59:01 2002 the virus scanner said: /opt/mailscanner/var/incoming/g68Jwc328189/Xht.pif Infection: W32/Klez.H@mm This seems odd to me -- I would think that, in general, it isn't something that you'd want/need to pass along to the person getting the virus alert.
In fact, I can see it confusing some of our users. Maybe the wrapper could parse out the path? I think it would make much more sense for user's notifications to just look like: At Mon Jul 8 15:59:01 2002 the virus scanner said: Xht.pif Infection: W32/Klez.H@mm ...since that makes more sense to users that might get an infected attachment. From their eyes, I think they should just think of it as being IN their mail still -- not a file in a filesystem somewhere. Any thoughts? - John... P.S. Just in case this is scanner specific, I'm using F-Protect. From evertjan at VANRAMSELAAR.NL Thu Jul 11 14:51:14 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: Message-ID: <001c01c228e2$05c9daf0$65020a0a@galaxy> > -----Original Message----- > From: Mark T. Valites > Sent: Thursday, July 11, 2002 3:48 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Failed to link message body between queues > > > I don't think it'll solve your problem, but try "df -i" to see inode > usage. If you would have read my message you would have noticed I also did a 'df -i /var'... 
-- Evert Jan van Ramselaar Van Ramselaar Info Tech From evertjan at VANRAMSELAAR.NL Thu Jul 11 14:52:35 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: <001001c228dc$c6bf30d0$65020a0a@galaxy> Message-ID: <001d01c228e2$3610dd30$65020a0a@galaxy> > -----Original Message----- > From: Evert Jan van Ramselaar > Sent: Thursday, July 11, 2002 3:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Failed to link message body between queues > > When looking in my maillog for something else, I noticed multiple of these > messages: > > Jul 11 14:41:15 ram1 mailscanner[7482]: Failed to link message > body between > queues (/var/spool/mqueue/dfg6BCedG16758 --> /var/spool/ > mqueue.in/dfg6BCedG16758) To answer my own question: I seemed to have 2 MailScanner processes running instead of just one. Killed both and restarted MailScanner. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From valites at GENESEO.EDU Thu Jul 11 14:55:18 2002 From: valites at GENESEO.EDU (Mark T. Valites) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: <001c01c228e2$05c9daf0$65020a0a@galaxy> Message-ID: Apologies. Mailscanner mail somehow misses my procmail filters & ends up in the inbox. When I actually read them instead of hit the d button real quick, I obviously don't pay much attention. On Thu, 11 Jul 2002, Evert Jan van Ramselaar wrote: > Date: Thu, 11 Jul 2002 15:51:14 +0200 > From: Evert Jan van Ramselaar > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Failed to link message body between queues > > > -----Original Message----- > > From: Mark T. Valites > > Sent: Thursday, July 11, 2002 3:48 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Failed to link message body between queues > > > > > > I don't think it'll solve your problem, but try "df -i" to see inode > > usage. 
> > If you would have read my message you would have noticed I also did a 'df -i > /var'... > > -- > Evert Jan van Ramselaar > Van Ramselaar Info Tech > >--))> >--))> Mark T. Valites Unix Systems Analyst 1 College Circle - 124b1 South Hall SUNY Geneseo Geneseo, NY 14454 585-245-5577 585-259-3471 (Cell) 585-245-5579 (Fax) From robert at VCT.SI Thu Jul 11 16:02:41 2002 From: robert at VCT.SI (Robert) Date: Thu Jan 12 21:15:13 2006 Subject: Failed to link message body between queues In-Reply-To: <001001c228dc$c6bf30d0$65020a0a@galaxy> Message-ID: <3D2DAC21.6118.16520CBF@localhost> Hi The same happened to me once when I had two instances of MailScanner running, so the second one was left without a mail to process. Robert > Hi list, > > When looking in my maillog for something else, I noticed multiple of these > messages: > > Jul 11 14:41:15 ram1 mailscanner[7482]: Failed to link message body between > queues (/var/spool/mqueue/dfg6BCedG16758 --> /var/spool/ > mqueue.in/dfg6BCedG16758) > Jul 11 15:00:59 ram1 mailscanner[7482]: Failed to link message body between > queues (/var/spool/mqueue/dfg6BD0JG31526 --> /var/spool/ > mqueue.in/dfg6BD0JG31526) > Jul 11 15:07:22 ram1 mailscanner[7492]: Failed to link message body between > queues (/var/spool/mqueue/dfg6BD6ZG05061 --> /var/spool/ > mqueue.in/dfg6BD6ZG05061) > > > What is happening here? Both directories are on the same filesystem. > These messages started appearing only yesterday, but I have not modified > anything to the mailserver setup since the latest release of MailScanner. 
> > -- > Evert Jan van Ramselaar > Van Ramselaar Info Tech -- Manfreda Robert -- robert@vct.si From Denis.Beauchemin at USHERBROOKE.CA Thu Jul 11 15:04:37 2002 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:15:13 2006 Subject: Minor problems with messages to users Message-ID: <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> Hi, I am experimenting with MailScanner and I have a few problems: 1- using McAfee, when a virus is found I get a line saying so but the line contains the message ID part of the PATH: Résultats de l'antivirus: /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! I would like it to read: VALUE.exe Found the W32/Klez.h@MM virus !!! How could this be done? I believe it must come from ProcessMcAfeeOutput in sweep.pl, I guess we would have to modify $lastline =~ s/$BaseDir//; for something else containing the message ID, but what? 2- In the message templates, when using $Config::QuarantineDir (message $id), we don't really get the real PATH to the files: /quarantaine (message g6BDvaW18733) while the real PATH is: /quarantaine/20020711/g6BDvaW18733/ Could the date be put back in ($Config::QuarantineDir/DATE_VARIABLE/$id)??? 3- As you may have noticed in question 1, I translated all messages in French. There is a small problem here too: Résultats de l'antivirus: /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! Les fichiers «.EXE» sont trop souvent infectés in VALUE.exe ^^^^^^^^^^^^ Could the "in VALUE.ext" part be eliminated? The "in" isn't the right word in French (it means something else). Besides the file name is listed on the preceding line so I wouldn't miss it. I would like it to stick with the message in filename.rules.conf and not append anything to it. Thanks again for this great software! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From jon at XNEXT.COM Thu Jul 11 16:03:26 2002 From: jon at XNEXT.COM (Jonothon Ortiz) Date: Thu Jan 12 21:15:13 2006 Subject: Cobalt Mailscanner/F-Prot PKG In-Reply-To: <001d01c228e2$3610dd30$65020a0a@galaxy> Message-ID: Cobalt Mailscanner/F-Prot PKG done by the very talented steve@bassi.com =) Email is replicated here =) Apologies if this is a dupe =) =========================================================================== steve@bassi.com sayeth: ---------------------------------------------------- I have created a pkg for the RAQ3 and 4 using mailscanner and F-Prot. What the package does, is install the mailscanner and F-Prot files and updates the virus definitions automatically, and emails postmaster@your domain.com , when the definitions are updated. It also installs/upgrades unzip latest version, which is required for the virus definitions. After installing the above files , I back up syslog and amend it so that syslog starts with "daemon syslogd -r -m 0" instead of "daemon syslogd -m 0" Before using the pkg, please see http://www.f-prot.com/products/fplin.html to ensure your situation qualifies to use F-Prot free of charge. If you are using your RAQ commercially, then there would be a license fee payable to Frisk for their virus definitions. I have asked Frisk to consider making a special rate for RAQ owners using their definitions in a commercial environment. Please be honest and do not use the pkg's if you use your RAQ commercially. You may obtain more information regarding MailScanner from the authors website on http://www.mailscanner.info Ok ..
here's the pkg's http://www.firstwebspace.com/raq/RAQ3-Bassi-MailScanner-3.21-1.pkg http://www.firstwebspace.com/raq/RaQ4-Bassi-MailScanner-3.21-1.pkg Rgds Bassi From marc.perea at ELECTRONIC-GROUP.COM Thu Jul 11 16:41:14 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:13 2006 Subject: Minor problems with messages to users In-Reply-To: <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> References: <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> Message-ID: <20020711174114.53812bfe.marc.perea@electronic-group.com> On Thu, 11 Jul 2002 10:04:37 -0400 Denis Beauchemin wrote: > Hi, > > I am experimenting with MailScanner and I have a few problems: > > 1- using McAfee, when a virus is found I get a line saying so but the > line contains the message ID part of the PATH: > Résultats de l'antivirus: > /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! > > I would like it to read: > VALUE.exe Found the W32/Klez.h@MM virus !!! > > How could this be done? I believe it must come from ProcessMcAfeeOutput > in sweep.pl, I guess we would have to modify $lastline =~ s/$BaseDir//; > for something else containing the message ID, but what? My two cents : Some time ago I was on a similar problem, I didn't want to reveal the path to the message, so I modified with this extremely simple trick the f-protwrapper shell script (Hence, you don't have to touch any mailscanner core perl-function) : hiddenpath=/usr/local/mailscanner/var exec ${PackageDir}/$Scanner $ScanOptions "$@" | sed "s%$hiddenpath%%g" You can always make a different regular expression to suit your needs. For example that one should work for your needs : "s%\/[a-zA-Z0-9]*\/\(.*\)%\1%" Hope this helps to you.
-- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From james at PCXPERIENCE.COM Thu Jul 11 16:58:09 2002 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:15:13 2006 Subject: Content Filtering References: Message-ID: <3D2DAB11.9030204@pcxperience.com> I'm looking into possibly embedding the content filtering engine in DansGuardian into a plugin module that could be called from MailScanner. If anyone has C++ embedding experience and would like to help, let me know. :) I'm also working on using the virus scanning helper scripts from MailScanner to scan file attachments that DansGuardian downloads. This unfortunately, means I need to modify sweep.pl (to handle a single file and/or a directory of mail queue files) and will have to wrap DansGuardian in a perl calling program so it is able to have access to the perl methods rather than calling external programs and having to parse output, etc. JOSEPH BAUTISTA wrote: > check www.dansguardian.org > you need an squid installed > > On Wed, 10 Jul 2002, Steve Evans wrote: > > >>I started using SpamAssassin about a month ago and I'm just loving it. >>I"m wondering if anyone has any solutions for filtering out >>in-appropriate content. (nude images, inappropriate jokes, etc.). >> >> >>Steve Evans >>Computing Services >>(619) 594-0653 >> >> >> > > > -- > - \|/ - > (@ @) > +----------oOO---------(_)------------+ > | Mr. Joseph C. Bautista | > | NOC, e-Tarlac.com | > | email add: mrlynx@e-tarlac.com | > | URL: http://www.e-tarlac.com | > +------------------------oOO----------+ > |__|__| > | | | | > ooO Ooo > > -- It takes more learning, before you learn > how little you've learned -- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- James A. 
Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hugo.1000 at GMX.NET Thu Jul 11 17:17:00 2002 From: hugo.1000 at GMX.NET (Alf Gunz) Date: Thu Jan 12 21:15:13 2006 Subject: FW: Kaspersky Anti-Virus version 4.0.1.0 In-Reply-To: <01b501c2271b$0cae6070$0100000a@MIKES> Message-ID: Hi, > My telnet console also locks at this point. > I guess something's changed from the old version to the new one. > It works fine just running from the command line (/opt/AVP/kavscanner). > If I run /usr/local/kaspersky/kasperskywrapper /etc it come back with > > "Nothing to scan. > You should select at least one directory to scan. " I had the same "error". Then I copied the kaspersky.prf in /opt/AVP/etc/defUnix.prf so that kavscanner always uses that one and so it works perfectly. I can't remember changing something else. -- MfG From jkf at ecs.soton.ac.uk Thu Jul 11 18:51:10 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:13 2006 Subject: Cobalt Mailscanner/F-Prot PKG In-Reply-To: Message-ID: This worries me. Please can you produce proof that you have permission to distribute F-Prot for free. I do not want my name associated with anything like this that is "legally dubious" which this most definitely sounds. Install other stuff, fine, there aren't any licence issues there, but I do not like the idea of anyone distributing F-Prot without written (on paper) approval from the F-Prot owners and their lawyers. Please can you confirm this, or else please stop distributing this immediately. The F-Prot owners are currently being very friendly and helpful, I do *not* want to upset them.... 
On Thu, 11 Jul 2002, Jonothon Ortiz wrote: > > Apologies if this is a dupe =) > =========================================================================== > > steve@bassi.com sayeth: > ---------------------------------------------------- > > I have created a pkg for the RAQ3 and 4 using mailscanner and F-Prot. > > What the package does, is intall the mailscanner and F -Prot files and > updates the virus definitions automatically, and emails postmaster@your > domain.com , when the definitions are updated. > > It also installs/upgrades unzip latest version, which is required for the > virus definitions. > > After installing the above files , I back up syslog and amend it so that > syslog starts with "daemon syslogd -r -m 0" instead of "daemon syslogd -m 0" > > Before using the pkg, please see http://www.f-prot.com/products/fplin.html > to ensure your situation qualifies to use F-Prot free of charge. > > If you are using your RAQ commerically, then there would be a license fee > payable to Frisk for their virus definitions. > > I have asked Frisk to consider making a special rate for RAQ owners using > their definitions in a commercial environment. > > Please be honest and do not use the pkg's if you use your RAQ commerically. > > You may obtain more information regarding MailScanner from the authors > website on http://www.mailscanner.info > > Ok .. heres the pkg's > > http://www.firstwebspace.com/raq/RAQ3-Bassi-MailScanner-3.21-1.pkg > > http://www.firstwebspace.com/raq/RaQ4-Bassi-MailScanner-3.21-1.pkg > > > Rgds > > > Bassi > Jules jkf@ecs.soton.ac.uk From gerry at DORFAM.CA Fri Jul 12 00:24:04 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:13 2006 Subject: f-prot script update error Message-ID: I've started getting the following error when running the autoupdate.fprot script. I thought it was related to the ^M that was reported and fixed around line 131 but putting in that fix didn't help. Any ideas what has gone wrong??? 
Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

---------- Forwarded message ----------
Date: Thu, 11 Jul 2002 13:00:03 -0400
From: Cron Daemon
To: root@tiger.dorfam.ca
Subject: Cron /home/gerry/autoupdate.f-prot

FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/
F-Prot signature file update script
There is a new version of SIGN.DEF, starting download.
Download completed.
Updated SIGN.DEF.
There is a new version of SIGN2.DEF, starting download.
Updated SIGN2.DEF.
File MACRO.DEF is already up to date.
There is a new version of fp-def.zip, starting download.
Download completed.
Download completed.
Could not find correct version of fp-def.zip, exiting.,
Bad file descriptor at /home/gerry/autoupdate.f-prot line 281,
line 5.

From dave at ESI.COM.AU Fri Jul 12 03:17:42 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:13 2006
Subject: f-prot script update error
In-Reply-To:
Message-ID:

On Thu, 11 Jul 2002, Gerry Doris wrote:

> Could not find correct version of fp-def.zip, exiting.,
> Bad file descriptor at /home/gerry/autoupdate.f-prot line 281,
> line 5.

Me too.

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From nwp at LEMON-COMPUTING.COM Fri Jul 12 03:43:52 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:13 2006
Subject: Cobalt Mailscanner/F-Prot PKG
In-Reply-To:
References: <001d01c228e2$3610dd30$65020a0a@galaxy>
Message-ID: <20020712024351.GB8825@hoiho.nz.lemon-computing.com>

On Thu, Jul 11, 2002 at 11:03:26AM -0400, Jonothon Ortiz wrote:
> Please be honest and do not use the pkg's if you use your RAQ commercially.

A better idea (and one of the common ways for people distributing Free
Software that works with non-Free Software to get round this problem) is
probably for the package to ask you where you have the f-prot package
tarball, and install using that.
That way, the user themself has to download the f-prot stuff and read/deal with any licensing issues before it gets to you. I would expect Frisk to be very happy for you to package it that way, but very unhappy if you start distributing f-prot yourself. Besides which, mailscanner itself is released under the GPL, and whether or not packaging it with a product for which source is not available in this way constitutes "mere aggregation" (and therefore lets you off the requirement to include sources for everything) is open to vigourous debate. In other words, you may well be violating the licences of both products by distributing them in this way. However, by ensuring that the user obtains the non-Free chunk (F-Prot in this case) on their own, you keep everybody happy. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Your boss climbed the corporate ladder, wrong by wrong. From nwp at LEMON-COMPUTING.COM Fri Jul 12 03:45:10 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:13 2006 Subject: f-prot script update error In-Reply-To: References: Message-ID: <20020712024510.GC8825@hoiho.nz.lemon-computing.com> On Thu, Jul 11, 2002 at 07:24:04PM -0400, Gerry Doris wrote: > I've started getting the following error when running the autoupdate.fprot > script. I thought it was related to the ^M that was reported and fixed > around line 131 but putting in that fix didn't help. > > Any ideas what has gone wrong??? No, but I have to install it myself now, so I'll be forced to work it out ;) -- Nick Phillips -- nwp@lemon-computing.com Someone whom you reject today, will reject you tomorrow. From joe at QITC.CO.UK Fri Jul 12 08:40:55 2002 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:15:13 2006 Subject: f-prot script update error References: Message-ID: <00ec01c22977$77de7570$021b6bd5@T20> I got it also, although slightly different. 
Could not find correct version of fp-def.zip, exiting.,
Bad file descriptor at /etc/cron.daily/f-prot.autoupdate line 283, chunk 5.

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

From lbergman at abi.tconline.net Fri Jul 12 15:21:50 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:13 2006
Subject: f-prot script update error
In-Reply-To:
References:
Message-ID: <200207120921.50108.lbergman@abi.tconline.net>

On Thursday 11 July 2002 09:17 pm, Dave Horsfall wrote:
> On Thu, 11 Jul 2002, Gerry Doris wrote:
> > Could not find correct version of fp-def.zip, exiting.,
> > Bad file descriptor at /home/gerry/autoupdate.f-prot line 281,
> > line 5.

I get this same error. When I run f-prot's update script I get this:

/usr/local/f-prot_3.12a/check-updates.sh

***************************************
* F-Prot signature file update script *
***************************************

There's a new version of fp-def.zip on the web.
Starting to download...
Download completed.
Error: Can't open file!, (/usr/local/f-prot/tmp/fp-def.zip), Possible: No such file or directory
/usr/local/f-prot_3.12a/check-updates.sh: [: 504B0304140000000800A85BEB2CFDDEFAB1A25B0A00724A1000080000005349000ED4F00E2F21209C40: unary operator expected
Download completed.
Error: Can't open file!, (/usr/local/f-prot/tmp/fp-def.zip), Possible: No such file or directory
/usr/local/f-prot_3.12a/check-updates.sh: [: 504B0304140000000800A85BEB2CFDDEFAB1A25B0A00724A1000080000005349000ED4F00E2F21209C40: unary operator expected

The files are not identical and therefore, they will not be installed.
This could be caused by downloading from a mirror which hasn't synced yet
with the main server. (This should not happen)
R: 504B0304140000000800A85BEB2CFDDEFAB1A25B0A00724A1000080000005349000ED4F00E2F21209C40
L:

This same error pops up after I downloaded the fp-def.zip manually from
both the us mirror and the main f-prot site. I am going to get hold of tech
support and see what they say. I noticed the rpm doesn't contain the
fp-def.zip file so I doubt reinstalling f-prot would help much.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From Matthew_doherty at DATAWATCH.COM Fri Jul 12 15:35:50 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:13 2006
Subject: sendmail sometimes refuses connections.. anyone have simular problem
Message-ID:

I know mailscanner runs a script every hour via cron to check its pid..
I'm wondering if it sometimes has difficulty starting the sendmail
daemon if it had to..

I'm not quite sure why this happens. I have read my maillogs, xfer logs,
kernel messages, and find nothing to conclude this issue. This morning I
started to receive calls that sendmail was down. Our web based email
could send mail but client email programs were being refused..
Obviously that meant sendmail was running fine right? I restarted
Mailscanner for the hell of it, and now both web based mail and client
email clients can send.. So it's gotta be sendmail right? or maybe it had
some effect on the xinitd? Anyone here know this problem? This has been
happening on and off ever since I installed mailscanner. Though it could
be a coincidence that it started after the install, I'm not sure.

Thanks For your Help!

In a world without walls or fences, who needs Windows and Gates?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020712/a6314275/attachment.html From combs at MAGNET.FSU.EDU Fri Jul 12 15:38:27 2002 From: combs at MAGNET.FSU.EDU (Tom Combs) Date: Thu Jan 12 21:15:13 2006 Subject: diff Spam List Timeout +SpamAssassin Timeout Message-ID: Hello, In mailscanner.conf, what is the difference between the Spam List Timeout and the SpamAssassin Timeout? I'm getting some "SpamAssassin timed out and was killed" events and I'm not sure which value is best to adjust. TIA, Tom Combs From marc.perea at ELECTRONIC-GROUP.COM Fri Jul 12 15:59:51 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:13 2006 Subject: sendmail sometimes refuses connections.. anyone have simular problem In-Reply-To: References: Message-ID: <20020712165951.2195a9c7.marc.perea@electronic-group.com> On Fri, 12 Jul 2002 10:35:50 -0400 Matt Doherty wrote: > > I know mailscanner runs a script every hour via cron to check its pid.. > I'm wondering if it sometimes has difficulty starting the sendmail > daemon if it had to.. My understood is that mailscanner doesn't do anything with sendmail every hour. It only restarts himself to prevent memory leaks. (Correct me if I'm wrong) > I'm not quite sure why this happens. I have read my maillogs, xfer logs, > kernal messages, and find nothing to conclude this issue. This morning I > started to receive calls that sendmail was down. Our web based email > could send mail but client email programs were being refused.. > Obviousley that ment sendmail was running fine right? I restarted > Mailscanner for the hell of it, and now both web based mail and client > email clients can send.. So its gotta be sendmail right? or maybe it had > some effect on the xinitd? Anyone here know this problem? This has been > happening on and off ever since I installed mailscanner. Though it could > be a coincidence that it started after the install, I'm not sure. 
> That probably means that your sendmail stopped to be in background listening for connections in port 25, that's why the client email programs cannot remotely access to it, but the webmail program (that I suppose it was running on the same machine) was still able to send emails directly invoking /usr/sbin/sendmail in foreground mode. The next time it happens to you, try to list the listening sockets, and the processes ... I'm sure it will help you to diagnose the problem! :) Hope that helps you. Cheers, -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From Matthew_doherty at DATAWATCH.COM Fri Jul 12 18:31:06 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:13 2006 Subject: sendmail sometimes refuses connections.. anyone have simularproblem Message-ID: Ok Thanks for the tip! Yes the webmail program is on the same machine. And webmail was sending mail fine at the time sendmail refused mail sending from email client programs... >The next time it happens to you, try to list the listening sockets, and t>he processes ... I'm sure it will help you to diagnose the problem! :) You mean run the "top" command i suppose. Right? But how and why would sendmail refuse to listen on the port. DOS attacks wern't present at the time either. Nothing suspicious was happiening during the time of failure. cpu was at 7% 1GB of memory had 25% free, maillog was calm (tail -f maillog).. Problem is, to be able to catch it, I must be here in the wee morning hours with toothpicks holding my eye lids open.. seems to occur anywhere between 11pm - 7am.. I thought it could be a cron job affecting this, but there isnt any problems of any runaway processes going on either.. Anyways, Thank You for the reply! In a world without walls or fences, who needs Windows and Gates? 
-----Original Message----- From: Marc Perea [mailto:marc.perea@ELECTRONIC-GROUP.COM] Sent: Friday, July 12, 2002 12:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail sometimes refuses connections.. anyone have simularproblem On Fri, 12 Jul 2002 10:35:50 -0400 Matt Doherty wrote: > > I know mailscanner runs a script every hour via cron to check its pid.. > I'm wondering if it sometimes has difficulty starting the sendmail > daemon if it had to.. My understood is that mailscanner doesn't do anything with sendmail every hour. It only restarts himself to prevent memory leaks. (Correct me if I'm wrong) > I'm not quite sure why this happens. I have read my maillogs, xfer logs, > kernal messages, and find nothing to conclude this issue. This morning I > started to receive calls that sendmail was down. Our web based email > could send mail but client email programs were being refused.. > Obviousley that ment sendmail was running fine right? I restarted > Mailscanner for the hell of it, and now both web based mail and client > email clients can send.. So its gotta be sendmail right? or maybe it had > some effect on the xinitd? Anyone here know this problem? This has been > happening on and off ever since I installed mailscanner. Though it could > be a coincidence that it started after the install, I'm not sure. > That probably means that your sendmail stopped to be in background listening for connections in port 25, that's why the client email programs cannot remotely access to it, but the webmail program (that I suppose it was running on the same machine) was still able to send emails directly invoking /usr/sbin/sendmail in foreground mode. The next time it happens to you, try to list the listening sockets, and the processes ... I'm sure it will help you to diagnose the problem! :) Hope that helps you. 
Cheers,

--
Marc Perea - System Administration Staff
Mail: marc.perea@electronic-group.com
Tel: (+34) 93 600 23 23
Fax: (+34) 93 600 23 10
----------------
Electronic Group - http://www.electronic-group.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020712/783ac900/attachment.html

From davidclosson at MSN.COM Fri Jul 12 18:57:53 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:15:13 2006
Subject: MailScanner sudden failure!
Message-ID:

Greetings Mailscanner users,

I came into work this morning and found that my Redhat 7.3 Server
(Sendmail 11.6) running stock Mailscanner 3.20-7 (from RPM) stopped
working.
Sendmail accepts mail and places it in the /var/spool/queue.in as normal
but mailscanner stopped processing them. This setup was working fine for
almost 1 month.

The process list shows mailscanner as follows:
(1st)
root 8754 0.1 3.5 19600 17992 ? S 10:33 0:02 /usr/bin/perl /usr/local/MailScanner/bin/mailscanner /usr/local/MailScanner/etc/mailscanner.conf

(2nd)
root 11544 4.4 0.0 0 0 ? Z 10:55 0:00 [mailscanner ]

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

From Denis.Beauchemin at USHERBROOKE.CA Fri Jul 12 19:12:32 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:15:13 2006
Subject: sendmail sometimes refuses connections.. anyone have simularproblem
In-Reply-To:
References:
Message-ID: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca>

On Fri, 2002-07-12 at 13:31, Matt Doherty wrote:
> Ok Thanks for the tip!
> Yes the webmail program is on the same machine. And webmail was sending mail
> fine at the time sendmail refused mail sending from email client programs...
> >The next time it happens to you, try to list the listening sockets, and
> t>he processes ... I'm sure it will help you to diagnose the problem!
:)
>
> You mean run the "top" command I suppose. Right?

I guess he means to use the "netstat -tupan" command:

[root@smtp3 bin]# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1504/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      16231/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3330/sendmail: acce
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      16550/sshd
tcp        0    240 132.210.13.20:22        132.210.12.128:56470    ESTABLISHED 16550/sshd
udp      960      0 0.0.0.0:514             0.0.0.0:*                           715/syslogd
udp        0      0 0.0.0.0:704             0.0.0.0:*                           952/xinetd
udp        0      0 132.210.13.20:123       0.0.0.0:*                           864/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           864/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           864/ntpd

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From davidclosson at MSN.COM Fri Jul 12 19:16:42 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:15:13 2006
Subject: MailScanner sudden failure!
Message-ID:

I am very sorry to have bothered...it appears as though spamassassin was
problem...but why did it become a problem of a sudden?

Using SpamAssassin-2.31

Thank you,
David Closson

>From: David Closson
>Reply-To: MailScanner mailing list
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: MailScanner sudden failure!
>Date: Fri, 12 Jul 2002 10:57:53 -0700
>
>Greetings Mailscanner users,
>
>I came into work this morning and found that my Redhat 7.3 Server
>(Sendmail 11.6) running stock Mailscanner 3.20-7 (from RPM) stopped
>working.
> Sendmail accepts mail and places it in the /var/spool/queue.in as normal
>but mailscanner stopped processing them. This setup was working fine for
>almost 1 month.
>
>The process list show mailscanner as follows:
>(1st)
>root 8754 0.1 3.5 19600 17992 ?
S 10:33 0:02 /usr/bin/perl
>/usr/local/MailScanner/bin/mailscanner
>/usr/local/MailScanner/etc/mailscanner.conf
>
>(2nd)
>root 11544 4.4 0.0 0 0 ? Z 10:55 0:00 [mailscanner ]
>
>
>
>
>_________________________________________________________________
>Join the world’s largest e-mail service with MSN Hotmail.
>http://www.hotmail.com

_________
Sincerely,
David Closson
209-728-8199

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From dml at UNB.CA Fri Jul 12 19:39:46 2002
From: dml at UNB.CA (David Lancaster)
Date: Thu Jan 12 21:15:13 2006
Subject: more/all_spam_to
In-Reply-To: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca>
Message-ID:

Julian et al,

Question:
I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and
pass it off to a server for delivery. Most of our users will be extremely
happy to be able to filter their spam out.

Figuring that some users will (for whatever reason) be disgruntled by the
addition of {SPAM??} to the subject, I'm looking for a way to
"opt-out" certain users. SA has a "more_spam_to and
all_spam_to" directive, but those don't seem to work when SA is being
called by MailScanner.

Am I missing a simple way to configure this? (I can't just setup user
accounts and procmail scripts, too many users...) Could MailScanner obey
SA's more/all_spam_to directives? Is this (or adding a recipient
whitelist) an option that could be added simply?

TIA,
D.
=========================================================== David Lancaster ITS ESS From mailscanner at ecs.soton.ac.uk Fri Jul 12 19:17:21 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:13 2006 Subject: diff Spam List Timeout +SpamAssassin Timeout In-Reply-To: Message-ID: <5.1.0.14.2.20020712191603.02fbfcc8@imap.ecs.soton.ac.uk> At 15:38 12/07/2002, you wrote: > In mailscanner.conf, what is the difference between the > Spam List Timeout and the SpamAssassin Timeout? I'm getting > some "SpamAssassin timed out and was killed" events and I'm > not sure which value is best to adjust. The "Spam List Timeout" affects the "Spam List" entries. The "SpamAssassin Timeout" affects "SpamAssassin". So if the errors say that SpamAssassin timed out, you should adjust the "SpamAssassin Timeout". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Jul 12 19:19:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:13 2006 Subject: MailScanner sudden failure! In-Reply-To: Message-ID: <5.1.0.14.2.20020712191730.02fd76c8@imap.ecs.soton.ac.uk> At 18:57 12/07/2002, you wrote: >I came into work this morning and found that my Redhat 7.3 Server >(Sendmail 11.6) running stock Mailscanner 3.20-7 (from RPM) stopped working. > Sendmail accepts mail and places it in the /var/spool/queue.in as normal >but mailscanner stopped processing them. This setup was working fine for >almost 1 month. > >The process list show mailscanner as follows: >(1st) >root 8754 0.1 3.5 19600 17992 ? S 10:33 0:02 /usr/bin/perl >/usr/local/MailScanner/bin/mailscanner >/usr/local/MailScanner/etc/mailscanner.conf > >(2nd) >root 11544 4.4 0.0 0 0 ? Z 10:55 0:00 [mailscanner ] What did you syslog/maillog say? Are you using the "osirusoft" DNSBL (in a "Spam List" configuration line)? 
There seem to be distinct problems with osirusoft today, and it may be making things run slowly. The next feature I am going to add is a "Ignore Spam List entry after n timeouts" feature, so that the failure of one of the RBL's doesn't cause MailScanner to run slowly for very long. It will restore it to the list when it next restarts itself, but until then it won't try to use it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mkettler at EVI-INC.COM Fri Jul 12 20:11:08 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:13 2006 Subject: more/all_spam_to In-Reply-To: References: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca> Message-ID: <5.1.0.14.0.20020712150744.00ab2490@192.168.50.2> Which SA config file did you add your "more_spam_to" directives? Be aware that without a bit of extra work spamassassin is always called as user root by mailscanner so /home/username/.spamassassin/user_prefs is not the proper place. /etc/mail/mailscanner is a good spot, or /root/.spamassassin/user_prefs. These seem to work fine for me, but make sure that mailscanner isn't doing RBL checks, let SA do them. Otherwise the more_spam_to will apply to SA scoring, but it could still be tagged by mailscanner doing a RBL check. At 03:39 PM 7/12/2002 -0300, David Lancaster wrote: >Julian et all, > >Question: >I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and >pass it off to a server for delivery. Most of our users will be extermely >happy to be able to filter their spam out. > >Figuring that some users will (for whatever reason) be disgruntled by the >addition of {SPAM??} to the subject, I'm looking for a way to >"opt-out" certain users. SA has a "more_spam_to and >all_spam_to" directive, but those don't seem to work when SA is being >called by MailScanner. > >Am I missing a simple way to configure this? 
(I can't just setup user >accounts and procmail scripts, too many users...) Could MailScanner obey >SA's more/all_spam_to directives? Is this (or adding a recipient >whitelist) an option that could be added simply? > >TIA, >D. > > >=========================================================== >David Lancaster >ITS ESS From dml at UNB.CA Fri Jul 12 20:29:51 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:13 2006 Subject: more/all_spam_to In-Reply-To: <5.1.0.14.0.20020712150744.00ab2490@192.168.50.2> Message-ID: Ah, I was adding it to /etc/mail/mailscanner/spam.assassin.prefs.conf correctly. But I didn't read the fine print in "man Mail::SpamAssassin::Conf". The more/all_spam_to only work on the "To: " Headers in the message, and I was telneting to port 25 and smacking in the message without putting in the headers. Course, this means that mail sent to users without the correct "To: " header won't get white-listed (cc/bcc's). Hopefully it'll be enough. Thanks Matt, D. On Fri, 12 Jul 2002, Matt Kettler wrote: > Which SA config file did you add your "more_spam_to" directives? Be aware > that without a bit of extra work spamassassin is always called as user root > by mailscanner so /home/username/.spamassassin/user_prefs is not the proper > place. /etc/mail/mailscanner is a good spot, or /root/.spamassassin/user_prefs. > > These seem to work fine for me, but make sure that mailscanner isn't doing > RBL checks, let SA do them. Otherwise the more_spam_to will apply to SA > scoring, but it could still be tagged by mailscanner doing a RBL check. > > At 03:39 PM 7/12/2002 -0300, David Lancaster wrote: > >Julian et all, > > > >Question: > >I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and > >pass it off to a server for delivery. Most of our users will be extermely > >happy to be able to filter their spam out. 
> > > >Figuring that some users will (for whatever reason) be disgruntled by the > >addition of {SPAM??} to the subject, I'm looking for a way to > >"opt-out" certain users. SA has a "more_spam_to and > >all_spam_to" directive, but those don't seem to work when SA is being > >called by MailScanner. > > > >Am I missing a simple way to configure this? (I can't just setup user > >accounts and procmail scripts, too many users...) Could MailScanner obey > >SA's more/all_spam_to directives? Is this (or adding a recipient > >whitelist) an option that could be added simply? > > > >TIA, > >D. > > > > > >=========================================================== > >David Lancaster > >ITS ESS > =========================================================== David Lancaster ITS ESS From jbriody at ALA.ORG Fri Jul 12 20:22:51 2002 From: jbriody at ALA.ORG (Jack Briody) Date: Thu Jan 12 21:15:13 2006 Subject: more/all_spam_to Message-ID: The more_spam_to and all_spam_to seemed to work fine on our site. But I added the directives in the SA .cf file itself, ours is at /usr/share/spamassassin/60_whitelist.cf Any reason why, if SA is only being used in conjunction with mail scanner, not to use these .cf files as opposed to the root user file? Jack >>> mkettler@EVI-INC.COM 07/12/02 02:11PM >>> Which SA config file did you add your "more_spam_to" directives? Be aware that without a bit of extra work spamassassin is always called as user root by mailscanner so /home/username/.spamassassin/user_prefs is not the proper place. /etc/mail/mailscanner is a good spot, or /root/.spamassassin/user_prefs. These seem to work fine for me, but make sure that mailscanner isn't doing RBL checks, let SA do them. Otherwise the more_spam_to will apply to SA scoring, but it could still be tagged by mailscanner doing a RBL check. 
At 03:39 PM 7/12/2002 -0300, David Lancaster wrote:
>Julian et al,
>
>Question:
>I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and
>pass it off to a server for delivery. Most of our users will be extremely
>happy to be able to filter their spam out.
>
>Figuring that some users will (for whatever reason) be disgruntled by the
>addition of {SPAM??} to the subject, I'm looking for a way to
>"opt-out" certain users. SA has a "more_spam_to and
>all_spam_to" directive, but those don't seem to work when SA is being
>called by MailScanner.
>
>Am I missing a simple way to configure this? (I can't just setup user
>accounts and procmail scripts, too many users...) Could MailScanner obey
>SA's more/all_spam_to directives? Is this (or adding a recipient
>whitelist) an option that could be added simply?
>
>TIA,
>D.
>
>
>===========================================================
>David Lancaster
>ITS ESS

From Denis.Beauchemin at USHERBROOKE.CA Fri Jul 12 20:46:37 2002
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:15:13 2006
Subject: Minor problems with messages to users
In-Reply-To: <20020711174114.53812bfe.marc.perea@electronic-group.com>
References: <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> <20020711174114.53812bfe.marc.perea@electronic-group.com>
Message-ID: <1026503198.6696.31.camel@dbeauchemin.si.usherb.ca>

Marc,

I tried to modify mcafeewrapper:
exec ${PackageDir}/$prog -d $datDIR "$@" | sed 's-^.*/--'

It worked OK at the command line (got the file name and the virus found)
but the line disappeared altogether in MailScanner... not what I
wanted...

I also tried to modify sweep.pl:
$lastline =~ s/$BaseDir\/*\w+\///;
but it didn't work either (I still got the last dir part).
Denis On Thu, 2002-07-11 at 11:41, Marc Perea wrote: > On Thu, 11 Jul 2002 10:04:37 -0400 > Denis Beauchemin wrote: > > > Hi, > > > > I am experimenting with MailScanner and I have a few problems: > > > > 1- using McAfee, when a virus is found I get a line saying so but the > > line contains the message ID part of the PATH: > > Résultats de l'antivirus: > > /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > I would like it to read: > > VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > How could this be done? I believe it must come from ProcessMcAfeeOutput > > in sweep.pl, I guess we would have to modify $lastline =~ s/$BaseDir//; > > for something else containing the message ID, but what? > > My two cents: > > Some time ago I had a similar problem, I didn't want to reveal the path > to the message, so I modified with this extremely simple trick the > f-protwrapper shell script (Hence, you don't have to touch any mailscanner > core perl-function): > > hiddenpath=/usr/local/mailscanner/var > exec ${PackageDir}/$Scanner $ScanOptions "$@" | sed "s%$hiddenpath%%g" > > You can always make a different regular expression to suit your needs. > For example that one should work for your needs: > "s%\/[a-zA-Z0-9]*\/\(.*\)%\1%" > > Hope this helps you. > > -- > Marc Perea - System Administration Staff > Mail: marc.perea@electronic-group.com > Tel: (+34) 93 600 23 23 > Fax: (+34) 93 600 23 10 > ---------------- > Electronic Group - http://www.electronic-group.com > -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From dml at UNB.CA Fri Jul 12 20:57:39 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:13 2006 Subject: more/all_spam_to In-Reply-To: Message-ID: Interesting. That might be a better location, might be easier to manage. I'll have to look into it. D. On Fri, 12 Jul 2002, Jack Briody wrote: > The more_spam_to and all_spam_to seemed to work fine on our site. 
But I > added the directives in the SA .cf file itself, ours is at > /usr/share/spamassassin/60_whitelist.cf > > Any reason why, if SA is only being used in conjunction with mail > scanner, not to use these .cf files as opposed to the root user file? > > Jack > > >>> mkettler@EVI-INC.COM 07/12/02 02:11PM >>> > Which SA config file did you add your "more_spam_to" directives? Be aware > that without a bit of extra work spamassassin is always called as user root > by mailscanner so /home/username/.spamassassin/user_prefs is not the proper > place. /etc/mail/mailscanner is a good spot, or > /root/.spamassassin/user_prefs. > > These seem to work fine for me, but make sure that mailscanner isn't doing > RBL checks, let SA do them. Otherwise the more_spam_to will apply to SA > scoring, but it could still be tagged by mailscanner doing a RBL check. > > At 03:39 PM 7/12/2002 -0300, David Lancaster wrote: > >Julian et al., > > > >Question: > >I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and > >pass it off to a server for delivery. Most of our users will be extremely > >happy to be able to filter their spam out. > > > >Figuring that some users will (for whatever reason) be disgruntled by the > >addition of {SPAM??} to the subject, I'm looking for a way to > >"opt-out" certain users. SA has a "more_spam_to and > >all_spam_to" directive, but those don't seem to work when SA is being > >called by MailScanner. > > > >Am I missing a simple way to configure this? (I can't just set up user > >accounts and procmail scripts, too many users...) Could MailScanner obey > >SA's more/all_spam_to directives? Is this (or adding a recipient > >whitelist) an option that could be added simply? > > > >TIA, > >D. 
> > > > > >=========================================================== > >David Lancaster > >ITS ESS > =========================================================== David Lancaster ITS ESS From gerry at DORFAM.CA Fri Jul 12 21:10:37 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:14 2006 Subject: MailScanner sudden failure! In-Reply-To: <5.1.0.14.2.20020712191730.02fd76c8@imap.ecs.soton.ac.uk> Message-ID: On Fri, 12 Jul 2002, Julian Field wrote: > Are you using the "osirusoft" DNSBL (in a "Spam List" configuration line)? > There seem to be distinct problems with osirusoft today, and it may be > making things run slowly. > -- > Julian Field Teaching Systems Manager Well, something strange was happening today. This morning I found that most of my mail including the MailScanner list was being marked as spam. Checking the headers showed that Spam.cop was the culprit. It all seems back to normal now??? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From davidclosson at MSN.COM Fri Jul 12 21:52:27 2002 From: davidclosson at MSN.COM (David Closson) Date: Thu Jan 12 21:15:14 2006 Subject: MailScanner sudden failure! Message-ID: Thank you for the rapid response. No, I am not using the "osirusoft" DNSBL. I had to config mailscanner to not use spamassassin -this worked but I was just curious why spamassassin would stop functioning. Dave Closson >From: Julian Field >Reply-To: MailScanner mailing list >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner sudden failure! 
>Date: Fri, 12 Jul 2002 19:19:54 +0100 > >At 18:57 12/07/2002, you wrote: >>I came into work this morning and found that my Redhat 7.3 Server >>(Sendmail 11.6) running stock Mailscanner 3.20-7 (from RPM) stopped >>working. 
>> Sendmail accepts mail and places it in the /var/spool/queue.in as normal >>but mailscanner stopped processing them. This setup was working fine for >>almost 1 month. >> >>The process list shows mailscanner as follows: >>(1st) >>root 8754 0.1 3.5 19600 17992 ? S 10:33 0:02 /usr/bin/perl >>/usr/local/MailScanner/bin/mailscanner >>/usr/local/MailScanner/etc/mailscanner.conf >> >>(2nd) >>root 11544 4.4 0.0 0 0 ? Z 10:55 0:00 [mailscanner ] > >What did your syslog/maillog say? >Are you using the "osirusoft" DNSBL (in a "Spam List" configuration line)? >There seem to be distinct problems with osirusoft today, and it may be >making things run slowly. > >The next feature I am going to add is an "Ignore Spam List entry after n >timeouts" feature, so that the failure of one of the RBLs doesn't cause >MailScanner to run slowly for very long. It will restore it to the list >when it next restarts itself, but until then it won't try to use it. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ _________ Sincerely, David Closson 209-728-8199 From david.fry at ifrsys.com Fri Jul 12 22:54:06 2002 From: david.fry at ifrsys.com (David W. Fry) Date: Thu Jan 12 21:15:14 2006 Subject: Unparsable TNEF woes after upgrade to 3.21-1 Message-ID: Greetings All! I upgraded to MailScanner ver. #3.21-1 without incident last week but then started getting complaints about problems with nemesis Outlook and attachments that were getting mangled into oblivion. Here is the deal .. I use Sophos; so in the mailscanner.conf file I have left the TNEF expansion settings at: Expand TNEF = no Deliver unparsable TNEF = yes .... to accommodate those users who were having issues ... 
this worked fine until the upgrade to 3.21-1. FYI, I am using my mailscanner.conf file from the previous version which was 3.15. Here is an example of what I saw this afternoon for an end-user who was sending out 3 Word documents (her Outlook client is set to rich text format) Jul 12 15:04:13 mailscanner[3187]: Cannot parse /var/spool/MailScanner/incoming/g6CK49m08326.header and /var/spool/MailScanner/incoming/dfg6CK49m08326, write-open /var/spool/MailScanner/incoming/winmail.dat: No such file or directory at /usr/lib/perl5/site_perl/5.6.0/MIME/Body.pm line 414. Jul 12 15:04:17 mailscanner[3187]: Scanned 3 messages, 168027 bytes in 4 seconds Jul 12 15:04:17 mailscanner[3187]: Saved entire message to /var/spool/ MailScanner/quarantine/20020712/g6CK49m08326 Jul 12 15:04:17 mailscanner[3187]: Failed to link message body between queues (/var/spool/mqueue/dfg6CK3nm08303 --> /var/spool/mqueue.in/dfg6CK3nm08303) Jul 12 15:04:17 mailscanner[3187]: Failed to link message body between queues (/var/spool/mqueue/dfg6CK3nm08301 --> /var/spool/mqueue.in/dfg6CK3nm08301) Jul 12 15:04:17 mailscanner[3187]: Deleting unparsable message g6CK49m08326 Again, I am using my ver. # 3.15 mailscanner.conf file with this new version but I did 'diff' them and really didn't see anything that should be a showstopper. The above is just one log example of what is going on. I see in the new mailscanner.conf file that there is an option to use the internal TNEF expander but I was under the impression that since I am using Sophos .. that point is moot. Or is it?? Any ideas? I have grumbling users massing. :-) Of course I would love to have a policy that everyone jettison the rich text format and use plain-text but that won't be happening anytime soon! I would appreciate any comments or suggestions. Thank you in advance! 
Sincerely, David Fry Lan Analyst IFR Systems From nwp at LEMON-COMPUTING.COM Sat Jul 13 00:05:10 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:14 2006 Subject: NFS mount failure strangles mailscanner In-Reply-To: References: Message-ID: <20020712230510.GO8825@hoiho.nz.lemon-computing.com> On Fri, Jul 12, 2002 at 09:09:46AM -0400, Jeff A. Earickson wrote: > down mailscanner, rotates the syslogs, restarts mailscanner. At that time, > the startup blurb said there were 2728 messages waiting to be scanned. > Mailscanner ran for about two minutes, then nothing. The process was still > there all night (I saw it via "ps"), just not doing anything. After I got NFS > service going on my workstation, and restarted mailscanner (4377 msgs waiting), > things are fine again. Did ps show mailscanner or any subprocess to be in disk wait? -- Nick Phillips -- nwp@lemon-computing.com Try to relax and enjoy the crisis. From nwp at LEMON-COMPUTING.COM Sat Jul 13 00:10:48 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:14 2006 Subject: sendmail sometimes refuses connections.. anyone have simular problem In-Reply-To: References: Message-ID: <20020712231048.GP8825@hoiho.nz.lemon-computing.com> On Fri, Jul 12, 2002 at 10:35:50AM -0400, Matt Doherty wrote: > I'm not quite sure why this happens. I have read my maillogs, xfer logs, > kernel messages, and find nothing to conclude this issue. This morning I > started to receive calls that sendmail was down. Our web based email could > send mail but client email programs were being refused.. Obviously that > meant sendmail was running fine right? Nope. Sendmail for sending local messages is completely separate from sendmail for listening for incoming messages. > I restarted Mailscanner for the hell > of it, and now both web based mail and client email clients can send.. So > it's gotta be sendmail right? or maybe it had some effect on the xinitd? > Anyone here know this problem? 
This has been happening on and off ever since > I installed mailscanner. Though it could be a coincidence that it started > after the install, I'm not sure. When do the mail logs show that sendmail stopped listening for incoming connections? When was the last successful one? Does anything show up in any of the other system logs around that time that might indicate problems? What version of sendmail are you running? When you mention xinitd, do you mean you are running sendmail from xinetd to listen for incoming connections? If so, xinetd will probably have been logging connections somewhere different to where sendmail logs... and any xinetd problems would also be logged elsewhere. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Good day to deal with people in high places; particularly lonely stewardesses. 
From steve at BASSI.COM Sat Jul 13 12:08:00 2002 From: steve at BASSI.COM (Steve Bassi) Date: Thu Jan 12 21:15:14 2006 Subject: Cobalt Mailscanner/F-Prot PKG Message-ID: <200207131108.MAA07315@magpie.ecs.soton.ac.uk> I have spoken personally to Mr Weldon Thompson, The Director of Corporate Relations in Iceland, the home of Frisk, who has asked me to quote his name. He has kindly confirmed that he is happy with the pkg for cobalt users on the basis that their software is free for non commercial use. Frisk is happy if their server is not being used commercially. I want to make it perfectly clear that you should not be dishonest and use my package in a commercial environment. 
F-Prot do allow a 30 day free trial for evaluation, and if you are happy with the product, I would urge commercial users to purchase the product from Frisk. Mr Weldon asked me to mail him with the pkg for possible inclusion on their site, which I have done. I have emailed Julian more than once on this matter and I have had no reply to date. As I have F-Prot's permission, and I took the trouble to emphasise clearly the licensing requirements, I am most upset with the suggestion that this is legally dubious. I find this less dubious than the uk2raq.com site that clearly states mailscanner and F-Prot are free and makes no mention of any F-Prot licensing requirements. I know that Julian has been involved with Tom Worley on this and find the condemnation of my pkg as legally dubious, quite strange and indeed personally damaging to my reputation. I would have thought, it would have been wise to check with me first or Frisk to see if I did have the permission, (which I have) before publicly proclaiming, my activities as legally dubious. Bassi 
From mailscanner at ecs.soton.ac.uk Sat Jul 13 11:37:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: Maybe virus wrapper should hide path? In-Reply-To: <3D29EB2F.F70F3A2D@dcg.com> Message-ID: <5.1.0.14.2.20020713113404.03d7eaa0@imap.ecs.soton.ac.uk> At 20:42 08/07/2002, you wrote: >I've noticed that the virus alert messages contain the entire path of the >virus. For example: > >At Mon Jul 8 15:59:01 2002 the virus scanner said: > /opt/mailscanner/var/incoming/g68Jwc328189/Xht.pif Infection: >W32/Klez.H@mm > >This seems odd to me -- I would think that, in general, it isn't something >that you'd want/need to pass along to the person getting the virus alert. In >fact, I can see it confusing some of our users. Maybe the wrapper could parse >out the path? I think it would make much more sense for users' notifications >to just look like: > >At Mon Jul 8 15:59:01 2002 the virus scanner said: > Xht.pif Infection: W32/Klez.H@mm > >...since that makes more sense to users that might get an infected >attachment. From their eyes, I think they should just think of it as being IN >their mail still -- not a file in a filesystem somewhere. 
You need to include at least the message ID in the path, or you won't know where to find the file in the quarantine directories. But I guess I could remove the path elements before that. Unfortunately it is not trivial to change, but I will consider it for a future release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jul 13 12:57:46 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: NFS mount failure strangles mailscanner In-Reply-To: Message-ID: <5.1.0.14.2.20020713125153.03df1bc8@imap.ecs.soton.ac.uk> At 14:09 12/07/2002, you wrote: >Julian, > > I'm scratching my head over something very, very weird that happened >last night... First, my question: at the top of mailscanner.conf you >have the comment: > ># Note: If your directories are symlinked (soft-linked) in any way, ># please put their *real* location in here, not a path that ># includes any links. You may get some very strange error ># messages from some of the virus scanners if you don't. > >Which virus scanners? What? Why? My setup of /opt/mailscanner does >use symlinks, and I use the symlink paths in my conf file. My >/opt/mailscanner looks like thus: It's mostly a problem with the incoming work dir and McAfee. McAfee prints out the true path to infected files, not the path that was traversed to get there. So if you traverse a softlink on your way to the directory in which it expands all the MIME messages, then McAfee will report a different path and will break the parser. 
>lrwxrwxrwx 1 root daemon 10 Jun 27 11:33 bin -> bin-3.21-1/ >drwxr-xr-x 2 root none 1024 Jun 14 09:42 bin-3.20-6/ >drwxr-xr-x 2 root none 1024 Jun 27 11:09 bin-3.21-1/ >lrwxrwxrwx 1 root daemon 10 Jun 27 11:33 etc -> etc-3.21-1/ >drwxr-xr-x 2 root none 1024 Jun 14 09:44 etc-3.20-6/ >drwxr-xr-x 2 root none 1024 Jun 27 11:16 etc-3.21-1/ >drwxr-xr-x 3 root none 512 May 2 11:52 man/ >drwxr-xr-x 5 jaearick jaearick 512 Jul 3 14:00 src/ >drwx------ 4 root none 512 May 3 09:38 var/ Doing bin and etc like this isn't a problem, it's what I do too. >So I can easily switch between versions of mailscanner. I use Sophos. >Mailscanner has been working great, except... > > For my weird problem... Last night I rebooted my workstation at >16:45 and headed home. A startup process in /etc/rc3.d locked up, which >happened to be before /etc/rc3.d/S15nfs.server. My home directory from >my workstation is NFS auto-mounted to a lot of other systems, including >our mail server. So, my home directory was unavailable to the mail server >from late yesterday afternoon until this morning. > > The last mailscanner syslog happened at exactly 17:00 yesterday afternoon, >then nothing until midnight. Check_mailscanner runs via cron at 10, 30, 50 >minutes after the hour, every hour. At midnight, I have a cron job that shuts >down mailscanner, rotates the syslogs, restarts mailscanner. At that time, >the startup blurb said there were 2728 messages waiting to be scanned. >Mailscanner ran for about two minutes, then nothing. The process was still >there all night (I saw it via "ps"), just not doing anything. After I got NFS >service going on my workstation, and restarted mailscanner (4377 msgs >waiting), >things are fine again. > > My homedir path is not in root, nor is it used anyplace in the mailscanner >conf. I'm still wondering if spamassassin may be using it, but the >spamassassin >config stuff all belongs to root and resides in local file systems on the >mail server. 
I'm stumped as to why lack of an NFS mount for my homedir >on the mail server would lock up mailscanner like this... SpamAssassin does use root's home directory, certainly. But I'm stumped for ideas on this one at the moment, sorry. If it happens again, drop me another note, as I'm trying to catch up on over 1000 emails from being away for a week and so can't spend too long on each one, as otherwise I'll never do anything else this weekend and it's nice and sunny outside! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jgoggan at DCG.COM Sat Jul 13 16:15:37 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:14 2006 Subject: Maybe virus wrapper should hide path? References: <5.1.0.14.2.20020713113404.03d7eaa0@imap.ecs.soton.ac.uk> Message-ID: <3D304419.C58962AD@dcg.com> Julian Field wrote: > You need to include at least the message ID in the path, or you won't know > where to find the file in the quarantine directories. But I guess I could > remove the path elements before that. Unfortunately it is not trivial to > change, but I will consider it for a future release. Well, I was thinking that, if possible, the log and admin copy of the email would have the full path -- just the emails that were sent to the sender and/or recipient would only have the filename. Just seems like extra/confusing information for them otherwise. Unfortunately, I've already had one not-so-bright person go looking for that path on their machine and were confused why they couldn't find it. :) In any case, just a suggestion -- thanks for considering it for later inclusion. - John... From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:43:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: df2mbox problem? 
In-Reply-To: <3D2A1AE3.D209CB82@dcg.com> References: Message-ID: <5.1.0.14.2.20020713154201.02a6ec18@imap.ecs.soton.ac.uk> I have posted fixed versions for both sendmail and Exim on the web site. Linked through the FAQ as before. sendmail version is at http://www.sng.ecs.soton.ac.uk/mailscanner/files/df2mbox Exim version is at http://www.sng.ecs.soton.ac.uk/mailscanner/files/d2mbox At 00:06 09/07/2002, you wrote: >"Rose, Bobby" wrote: > > > > Hah that explains it. I had noticed it also but thought maybe I had > > change updated something else that broke it. > >Indeed! I happened to update pine and MailScanner last week -- so I was >convinced that it was something in one of those. I kept checking all kinds of >weird things. Then I finally realized that it was the df2mbox script. >Apparently, in the past, I happened to run it at times that were close enough >to the mbox format to work... > > - John... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:38:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: Stop messages to console? In-Reply-To: Message-ID: <5.1.0.14.2.20020713153827.03c81f80@imap.ecs.soton.ac.uk> This is something I will take a look at. Don't expect an immediate fix (it's a pretty minor point) but I will take a look at some point. At 15:27 08/07/2002, you wrote: >Hello, > > I just started using mailscanner and I'm very pleased with the system. > Thanks for all the hard work, it should make our lives a lot easier! > > However, whenever I pop up a root window on our mailserver, it will > receive messages about detected viruses. I haven't tested to see > if these go to every root window or just to the first one since I'm > not actually logged in at the console. How can I change this behavior? 
> I like messages going to the logs but not to my root window. Should
> I just redirect stdout and/or stderr to /dev/null when I start mailscanner?
>
> TIA, Tom Combs
>
>--
>Tom Combs                                E-mail: combs@magnet.fsu.edu
>National High Magnetic Field Laboratory  Phone: (850) 644-1657
>1800 E. Paul Dirac Drive                 Tallahassee, FL 32310

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:35:41 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: SV: SV: SV: Changing konfiguration....... Warning!!
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA73@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20020713153011.039a6ee8@imap.ecs.soton.ac.uk>

Warning!

Sorry, but this patch is fundamentally broken.

Messages are handled in batches, and in your code the commercial virus checker is called if
    scanning switched on
    and NoScanOnFile = off
    and number of infections found by filename.rules for whole batch of messages = 0

So if *any* of the messages were caught by filename.rules.conf, the expression above will be false and hence the commercial checkers will not be called for any message in the batch.

So if you get 5 messages in a batch, and 1 of them triggers a filename.rules.conf trap, then *none* of them will be scanned for viruses!

As a result viruses will get through MailScanner whenever your server is put under any significant load.
At 15:19 09/07/2002, you wrote:
>Hi
>I haven't had time to try it yet.....I was gonna mail back and ask
>you how to apply it but been too busy at work
>As I said, I'm newbie at unix so I really need a howto approach =)
>
>I'm still doing some fine fixing on mailscann but I have to
>put my normal work in priority =)
>
>/Anders
>
> > -----Original message-----
> > From: tal@MUSICGENOME.COM [mailto:tal@MUSICGENOME.COM]
> > Sent: 9 July 2002 16:15
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: SV: SV: Changing konfiguration.......
> >
> >
> > Security warning. Details in WARNING.TXT about the possible problem.
> > --------------------------------------------------------------------
> > btw... did that patch work properly, or does it need fixing?
> > --
> > Tal Kelrich
> >
> > PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
> > PGP key-id: 12B9AA69
> >
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:48:57 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: SV: .exe and .com files --- Warning
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EA6F@lkl22.ltkalmar.se >
Message-ID: <5.1.0.14.2.20020713154747.043d6f80@imap.ecs.soton.ac.uk>

And I hope they all read my posting just now on the subject of your patch. Otherwise MailScanner's reputation is going to be badly hit by people getting viruses and not knowing how/why it happened, blaming it on MailScanner :-(

At 13:58 09/07/2002, you wrote:
> > -----Original message-----
> > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > Sent: 9 July 2002 14:47
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: .exe and .com files
> >
> >
> > Hi,
> >
> > I just started testing MailScanner and so far it is quite promising.
> >
> > I would like to deny .exe and .com extensions (I know it can
> > be done in
> > filename.rules.conf) but I would like them to be scanned anyways by my
> > antivirus (McAfee) so people would know that the files were
> > infected (if
> > they were).
>
>As far as I figured out all mail will be scanned before file rules.
>
> >
> > That way we would get much less calls from people requesting
> > their files
> > back.
> >
> > Could this be done?
> >
> > Thanks!
> > --
> > Denis Beauchemin, analyst
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
>
>I prefer the other way that first check file rules and then do the scan
>Since we have an average of 3-500 mails an hour I prefer to do it
>in that order, rather use my cpu for the files we accept than
>having it virusscan files we don't accept
>I also changed the messages not to say I've saved the files and they can call
>helpdesk.
>Even though I save them for trials and virus test.
>In our current system I also added a link to Trends-housecall for ppl on the
>net
>that might not have their own virusdefense. It's a little slow for ppl on
>modem but
>I've got a lot of nice mails from ppl thanking me for the help.
>Oops, this got out of hand but maybe it might help someone

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:41:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Messages scanned twice
In-Reply-To:
Message-ID: <5.1.0.14.2.20020713153930.03b715f0@imap.ecs.soton.ac.uk>

At 23:33 08/07/2002, you wrote:
>I have installed MailScanner on my server. I am very impressed. I'm
>running Debian "Woody", Exim and Sophos. Currently, it's scanning
>approximately 300 messages per day.
>
>I have one question- Is there any way to tell MailScanner to only scan
>messages once?
I run a mailing list for a local Linux Users Group, and
>when a message to the list is received it gets scanned. So far, so
>good. When it gets delivered, it gets scanned again.

There is no foolproof way of deciding that a message has already been scanned. Anything in the content of the message could have been faked by someone.

>It's not a major problem, but I have the inline text signature enabled
>because I want people to easily see that the message was scanned. Each
>time the message is scanned, the signature gets appended to the message.

Unfortunately it's pretty much impossible to detect that the signature has already been added as well :-(

The simplest solution is to use a different server to handle outbound mail, separately from internal mail. I have one pair of servers handling incoming mail, one pair handling outgoing mail, and about 4 or 5 in the middle that deliver mail to users and handle all internal mail.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 16:13:42 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: more/all_spam_to
In-Reply-To:
References: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca>
Message-ID: <5.1.0.14.2.20020713161050.043f0cc0@imap.ecs.soton.ac.uk>

This will be possible in the next release.

I have expanded the "Spam White List" feature so that it checks both the sender and recipient's address against the contents of this file. Also, the addresses contained in the file can be any of the following forms:
    me@Jules.fm
    JulianField.net
    *.soton.ac.uk

So you don't need to fight with complicated SpamAssassin setups to do this. Hopefully that will make things a bit simpler for you.

BTW the reason that with MailScanner, SA behaves the way it does is that it is always run as root (or whatever user you are running MailScanner as).
At 19:39 12/07/2002, you wrote:
>Julian et al.,
>
>Question:
>I'm using MailScanner and Spamassassin to scan incoming mail, flag it, and
>pass it off to a server for delivery. Most of our users will be extremely
>happy to be able to filter their spam out.
>
>Figuring that some users will (for whatever reason) be disgruntled by the
>addition of {SPAM??} to the subject, I'm looking for a way to
>"opt-out" certain users. SA has a "more_spam_to and
>all_spam_to" directive, but those don't seem to work when SA is being
>called by MailScanner.
>
>Am I missing a simple way to configure this? (I can't just setup user
>accounts and procmail scripts, too many users...) Could MailScanner obey
>SA's more/all_spam_to directives? Is this (or adding a recipient
>whitelist) an option that could be added simply?
>
>TIA,
>D.
>
>
>===========================================================
>David Lancaster
>ITS ESS

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 16:05:46 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: sendmail sometimes refuses connections.. anyone have simular problem
In-Reply-To: <20020712165951.2195a9c7.marc.perea@electronic-group.com>
References:
Message-ID: <5.1.0.14.2.20020713160452.043dec68@imap.ecs.soton.ac.uk>

At 15:59 12/07/2002, you wrote:
>On Fri, 12 Jul 2002 10:35:50 -0400
>Matt Doherty wrote:
> > I know mailscanner runs a script every hour via cron to check its pid..
> > I'm wondering if it sometimes has difficulty starting the sendmail
> > daemon if it had to..
>
>My understanding is that mailscanner doesn't do anything with sendmail every
>hour. It only restarts itself to prevent memory leaks. (Correct me if I'm
>wrong)

The cron job is just to check that MailScanner hasn't completely died.
By default it also restarts itself every 4 hours to prevent resource leaks.

> > I'm not quite sure why this happens. I have read my maillogs, xfer logs,
> > kernel messages, and find nothing to conclude this issue. This morning I
> > started to receive calls that sendmail was down. Our web based email
> > could send mail but client email programs were being refused..
> > Obviously that meant sendmail was running fine right? I restarted
> > Mailscanner for the hell of it, and now both web based mail and client
> > email clients can send.. So it's gotta be sendmail right? or maybe it had
> > some effect on the xinitd? Anyone here know this problem? This has been
> > happening on and off ever since I installed mailscanner. Though it could
> > be a coincidence that it started after the install, I'm not sure.
> >
>
>That probably means that your sendmail stopped to be in background
>listening for connections in port 25, that's why the client email programs
>cannot remotely access to it, but the webmail program (that I suppose it
>was running on the same machine) was still able to send emails directly
>invoking /usr/sbin/sendmail in foreground mode.
>
>The next time it happens to you, try to list the listening sockets, and
>the processes ... I'm sure it will help you to diagnose the problem! :)
>
>Hope that helps you.
>
>Cheers,
>
>--
>Marc Perea - System Administration Staff
>Mail: marc.perea@electronic-group.com
>Tel: (+34) 93 600 23 23
>Fax: (+34) 93 600 23 10
>----------------
>Electronic Group - http://www.electronic-group.com

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 15:56:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Logger.pl in 3.15
In-Reply-To:
Message-ID: <5.1.0.14.2.20020713155553.03b1b408@imap.ecs.soton.ac.uk>

I think this is caused by not running "h2ph" on your Perl installation, so it doesn't know what the numbers are for these constants. Read the man page for h2ph as it shows you how to run it. And don't forget the man page for it is in the Perl manpages so may not be on your manpath.

At 20:38 10/07/2002, you wrote:
>Dear all,
>
>I am not sure if this problem is been solved. I just upgraded from v.3.14
>to V3.21 with Perl 5.6.0 build for sun4-solaris, and get the same error.
>The turn around way is as Sergio's suggestion. Any idea or suggestion?
>
>Thanks,
>
>Bruce
>
>
>On Fri, 24 May 2002 12:53:38 +0200, Rabellino Sergio
> wrote:
>
> >Julian Field wrote:
> >>
> >> At 10:00 24/05/2002, you wrote:
> >> >Dear list,
> >> > i've updated mailscanner to the latest release, but launching it I
> >> > obtain the follow error
> >> >
> >> >"Your vendor has not defined the Sys::Syslog macro _PATH_LOG at
> >> >/opt/perl/lib/5.6.0/sun4-solaris/Sys/Syslog.pm line 277."
> >> >
> >> >So i've erased in logger.pl the eval line in the start sub
> >> > > # Do this in an eval so it can fail quietly if setlogsock
> >> > > # is not supported in the installed version of Sys::Syslog
> >> > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r
> >> >
> >> >And mailscanner is doing it's work fine as usual. Any hints about it ?
> >>
> >> How old is your version of Perl? "perl -v".
> >>
> >This is perl, v5.6.0 built for sun4-solaris
> >
> >Copyright 1987-2000, Larry Wall
> >
> >Perl may be copied only under the terms of either the Artistic License or
>the
> >GNU General Public License, which may be found in the Perl 5.0 source kit.
> >
> >Complete documentation for Perl, including FAQ lists, should be found on
> >this system using `man perl' or `perldoc perl'. If you have access to the
> >Internet, point your browser at http://www.perl.com/, the Perl Home Page.
> >
> >> >Ps. For SpamAssassin, i've done a minor change, so I can store the
> >> >SpamAssassin prefs under the mailscanner etc directory. I believe it's a
> >> >better choice than using the .spamassassin directory in the homedir of
>the
> >> >mailscanner user ...
> >>
> >I'll wait for your solution
> >--
> >Dott. Sergio Rabellino
> >
> > Technical Staff
> > Department of Computer Science
> > University of Torino (Italy)
> > Member of the Internet Society
> >
> >http://www.di.unito.it/~rabser
> >Tel. +39-0116706701
> >Fax. +39-011751603

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 16:19:12 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Unparsable TNEF woes after upgrade to 3.21-1
In-Reply-To:
Message-ID: <5.1.0.14.2.20020713161644.029e9ee8@imap.ecs.soton.ac.uk>

Check you haven't got 2 MailScanners running at the same time.

As you are using Sophos you don't need to use a separate TNEF parser at all, as the "-TNEF" option is passed to sophoswrapper which in turn calls Sophos. When you upgraded, make sure you are using the right version of sophoswrapper (I can't quite remember when it was last changed).

At 22:54 12/07/2002, you wrote:
>Greetings All!
>
>I upgraded to MailScanner ver. #3.21-1 without
>incident last week but then started getting
>complaints about problems with nemesis Outlook
>and attachments that were getting mangled into oblivion.
>
>Here is the deal .. I use Sophos; so in the mailscanner.conf
>file I have left the TNEF expansion settings at:
>
>Expand TNEF = no
>
>Deliver unparsable TNEF = yes
>
>....
to accommodate those users who were having
>issues ...
>
>this worked fine until the upgrade to 3.21-1
>FYI, I am using my mailscanner.conf file from
>the previous version which was 3.15
>
>Here is an example of what I saw this afternoon
>for an end-user who was sending out 3 word documents
>(her Outlook client is set to rich text format)
>
>Jul 12 15:04:13 mailscanner[3187]: Cannot parse
>/var/spool/MailScanner/incoming/g6CK49m08326.header and
>/var/spool/MailScanner/incoming/dfg6CK49m08326, write-open
>/var/spool/MailScanner/incoming/winmail.dat: No such file or
>directory at /usr/lib/perl5/site_perl/5.6.0/MIME/Body.pm line 414.
>
>Jul 12 15:04:17 mailscanner[3187]: Scanned 3 messages,
>168027 bytes in 4 seconds
>
>Jul 12 15:04:17 mailscanner[3187]: Saved entire message to /var/spool/
>MailScanner/quarantine/20020712/g6CK49m08326
>
>Jul 12 15:04:17 mailscanner[3187]: Failed to link message body between
>queues (/var/spool/mqueue/dfg6CK3nm08303 -->
>/var/spool/mqueue.in/dfg6CK3nm08303)
>
>Jul 12 15:04:17 mailscanner[3187]: Failed to link message body between
>queues (/var/spool/mqueue/dfg6CK3nm08301 -->
>/var/spool/mqueue.in/dfg6CK3nm08301)
>
>Jul 12 15:04:17 mailscanner[3187]: Deleting unparsable message g6CK49m08326
>
>Again, I am using my ver. # 3.15 mailscanner.conf file with this new version
>but I did 'diff' them and really didn't see anything that should be a
>showstopper. The above is just one log example of what is going on.
>
>I see in the new mailscanner.conf file that there is an option to use the
>internal TNEF expander but I was under the impression that since I am
>using Sophos .. that point is moot. or is it??
>
>Any ideas? I have grumbling users massing. :-)
>
>Of course I would love to have a policy that everyone jettison
>the rich text format and use plain-text but that won't be
>happening anytime soon!
>
>I would appreciate any comments or suggestions. Thank you in advance!
>
>Sincerely,
>
>David Fry
>Lan Analyst
>IFR Systems

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 13 16:03:45 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: sendmail sometimes refuses connections.. anyone have simular problem
In-Reply-To:
Message-ID: <5.1.0.14.2.20020713160249.043e9e48@imap.ecs.soton.ac.uk>

At 15:35 12/07/2002, you wrote:
>I know mailscanner runs a script every hour via cron to check its pid..
>I'm wondering if it sometimes has difficulty starting the sendmail daemon
>if it had to..

The hourly cron job doesn't do anything with sendmail at all.

>I'm not quite sure why this happens. I have read my maillogs, xfer logs,
>kernel messages, and find nothing to conclude this issue. This morning I
>started to receive calls that sendmail was down. Our web based email could
>send mail but client email programs were being refused.. Obviously that
>meant sendmail was running fine right? I restarted Mailscanner for the hell
>of it, and now both web based mail and client email clients can send.. So
>it's gotta be sendmail right? or maybe it had some effect on the xinitd?
>Anyone here know this problem? This has been happening on and off ever
>since I installed mailscanner. Though it could be a coincidence that it
>started after the install, I'm not sure.
>
>Thanks For your Help!
>
>In a world without walls or fences, who needs Windows and Gates?
>
>

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020713/78262877/attachment.html

From jaearick at COLBY.EDU Fri Jul 12 14:09:46 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:15:14 2006
Subject: NFS mount failure strangles mailscanner
Message-ID:

Julian,

I'm scratching my head over something very, very weird that happened last night... First, my question: at the top of mailscanner.conf you have the comment:

# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.

Which virus scanners? What? Why? My setup of /opt/mailscanner does use symlinks, and I use the symlink paths in my conf file. My /opt/mailscanner looks like thus:

lrwxrwxrwx   1 root     daemon        10 Jun 27 11:33 bin -> bin-3.21-1/
drwxr-xr-x   2 root     none        1024 Jun 14 09:42 bin-3.20-6/
drwxr-xr-x   2 root     none        1024 Jun 27 11:09 bin-3.21-1/
lrwxrwxrwx   1 root     daemon        10 Jun 27 11:33 etc -> etc-3.21-1/
drwxr-xr-x   2 root     none        1024 Jun 14 09:44 etc-3.20-6/
drwxr-xr-x   2 root     none        1024 Jun 27 11:16 etc-3.21-1/
drwxr-xr-x   3 root     none         512 May  2 11:52 man/
drwxr-xr-x   5 jaearick jaearick     512 Jul  3 14:00 src/
drwx------   4 root     none         512 May  3 09:38 var/

So I can easily switch between versions of mailscanner. I use Sophos. Mailscanner has been working great, except...

For my weird problem... Last night I rebooted my workstation at 16:45 and headed home. A startup process in /etc/rc3.d locked up, which happened to be before /etc/rc3.d/S15nfs.server. My home directory from my workstation is NFS auto-mounted to a lot of other systems, including our mail server. So, my home directory was unavailable to the mail server from late yesterday afternoon until this morning.

The last mailscanner syslog happened at exactly 17:00 yesterday afternoon, then nothing until midnight.
Check_mailscanner runs via cron at 10, 30, 50 minutes after the hour, every hour. At midnight, I have a cron job that shuts down mailscanner, rotates the syslogs, restarts mailscanner. At that time, the startup blurb said there were 2728 messages waiting to be scanned. Mailscanner ran for about two minutes, then nothing. The process was still there all night (I saw it via "ps"), just not doing anything. After I got NFS service going on my workstation, and restarted mailscanner (4377 msgs waiting), things are fine again.

My homedir path is not in root, nor is it used anyplace in the mailscanner conf. I'm still wondering if spamassassin may be using it, but the spamassassin config stuff all belongs to root and resides in local file systems on the mail server. I'm stumped as to why lack of an NFS mount for my homedir on the mail server would lock up mailscanner like this...

** Jeff A. Earickson, Ph.D                      PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill,          FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Sat Jul 13 16:55:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Maybe virus wrapper should hide path?
In-Reply-To: <3D304419.C58962AD@dcg.com>
References: <5.1.0.14.2.20020713113404.03d7eaa0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020713165513.03983930@imap.ecs.soton.ac.uk>

I realised it wasn't as hard as I thought. Consider it done (but not tested yet!).

At 16:15 13/07/2002, you wrote:
>Julian Field wrote:
> > You need to include at least the message ID in the path, or you won't know
> > where to find the file in the quarantine directories. But I guess I could
> > remove the path elements before that. Unfortunately it is not trivial to
> > change, but I will consider it for a future release.
>
>Well, I was thinking that, if possible, the log and admin copy of the email
>would have the full path -- just the emails that were sent to the sender
>and/or recipient would only have the filename. Just seems like
>extra/confusing information for them otherwise. Unfortunately, I've already
>had one not-so-bright person go looking for that path on their machine and
>were confused why they couldn't find it. :)
>
>In any case, just a suggestion -- thanks for considering it for later
>inclusion.
>
> - John...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sat Jul 13 17:25:49 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:14 2006
Subject: MAILSCANNER: janapoli@CAPITOL-COLLEGE.EDU requested to join
Message-ID: <200207131625.RAA21733@magpie.ecs.soton.ac.uk>

Sat, 13 Jul 2002 17:25:49

A request for to join the MAILSCANNER list (MailScanner mailing list) has been received from Jason Napoli . The following membership options have been requested: NOMIME DIGEST.

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER janapoli@CAPITOL-COLLEGE.EDU Jason Napoli

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+janapoli%40CAPITOL-COLLEGE.EDU+Jason+Napoli&L=MAILSCANNER

This first link will add the member to the list.
You can then set the membership options for this individual with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+FOR+janapoli%40CAPITOL-COLLEGE.EDU&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From ralloway at CHARTERPA.NET Sat Jul 13 18:48:35 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:14 2006
Subject: more/all_spam_to
In-Reply-To: <5.1.0.14.2.20020713161050.043f0cc0@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 13 Jul 2002, Julian Field wrote:

> This will be possible in the next release.
> I have expanded the "Spam White List" feature so that it checks both the
> sender and recipient's address against the contents of this file. Also, the
> addresses contained in the file can be any of the following forms:
> me@Jules.fm
> JulianField.net
> *.soton.ac.uk

How about items like abuse@* ??

Thanks!

-Rich

From gerry at DORFAM.CA Sat Jul 13 19:23:26 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:14 2006
Subject: autoupdate.f-prot working
Message-ID:

Well, whatever was wrong with the F-Prot autoupdate script and their website is now fixed.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

---------- Forwarded message ----------
Date: Sat, 13 Jul 2002 13:00:04 -0400
From: Cron Daemon
To: root@tiger.dorfam.ca
Subject: Cron /home/gerry/autoupdate.f-prot

FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/
F-Prot signature file update script
There is a new version of SIGN.DEF, starting download.
Download completed.
Updated SIGN.DEF.
There is a new version of SIGN2.DEF, starting download.
Updated SIGN2.DEF.
File MACRO.DEF is already up to date.
Update completed.
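The entry forms discussed in the more/all_spam_to thread above (exact address, bare domain, `*.domain`, and the `abuse@*` form Richard Alloway asks about), checked against both sender and recipients. This is an added example, not MailScanner code: the matching rules (case-insensitive, bare domain matches only itself, `*.domain` matches subdomains only, `#` comments) and the `example.*` addresses are assumptions.

```python
# Added example, not MailScanner code. The four entry forms come from the
# thread; how each one matches is an assumption made for illustration.

def parse_entry(raw):
    """Turn one whitelist line into a (kind, value) pair, or None to skip it."""
    entry = raw.split("#", 1)[0].strip().lower()   # assumption: '#' starts a comment
    if not entry:
        return None
    if entry.endswith("@*"):            # abuse@*        -> local part at any domain
        return ("local", entry[:-2])
    if entry.startswith("*."):          # *.soton.ac.uk  -> any subdomain
        return ("subdomain", entry[1:]) # keep the leading dot as a label anchor
    if "@" in entry:                    # me@Jules.fm    -> one exact address
        return ("address", entry)
    return ("domain", entry)            # JulianField.net -> that exact domain


def entry_matches(entry, address):
    """True if a single envelope address satisfies a parsed entry."""
    kind, value = entry
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep:
        return False                    # unsplittable address is never whitelisted
    if kind == "address":
        return address == value
    if kind == "local":
        return local == value
    if kind == "domain":
        return domain == value
    # "subdomain": the value starts with ".", so "evil-soton.ac.uk" cannot
    # satisfy "*.soton.ac.uk" the way a bare suffix comparison would allow.
    return domain.endswith(value)


def whitelisted_parties(whitelist_lines, sender, recipients):
    """Return the sender/recipient addresses that match any whitelist entry."""
    entries = [e for e in map(parse_entry, whitelist_lines) if e]
    return [addr for addr in [sender, *recipients]
            if any(entry_matches(e, addr) for e in entries)]


# Constructed whitelist file contents using the forms quoted in the thread.
WHITELIST = [
    "me@Jules.fm",
    "JulianField.net",
    "*.soton.ac.uk",
    "abuse@*",
    "",
    "# constructed comment line",
]

if __name__ == "__main__":
    print(whitelisted_parties(WHITELIST, "bulk@example.com",
                              ["abuse@example.net", "jkf@ecs.soton.ac.uk"]))
    print(whitelisted_parties(WHITELIST, "x@evil-soton.ac.uk",
                              ["notabuse@example.net"]))
```
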
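The batch-wide condition that Julian Field's "Changing konfiguration....... Warning!!" message describes earlier in this archive, modelled next to a per-message decision. This is an added example, not MailScanner code or the patch itself: the two configuration terms of the quoted condition are taken as satisfied, and the message IDs, attachment names and the per-message variant are constructed for illustration.

```python
# Added example, not MailScanner code. It isolates the third term of the
# condition quoted in the warning: "number of infections found by
# filename.rules for whole batch of messages = 0".
from dataclasses import dataclass

BLOCKED_SUFFIXES = (".exe", ".com")    # the extensions asked about in the thread


@dataclass
class Message:
    msg_id: str                        # constructed IDs, not real queue IDs
    attachments: tuple = ()


def filename_hits(msg):
    """Attachment names that a filename rule for .exe/.com would catch."""
    return [n for n in msg.attachments if n.lower().endswith(BLOCKED_SUFFIXES)]


def plan_batch_wide(batch):
    """One test for the whole batch: any filename hit cancels all scanning."""
    hits_in_batch = sum(len(filename_hits(m)) for m in batch)
    return [m.msg_id for m in batch] if hits_in_batch == 0 else []


def plan_per_message(batch):
    """Assumed alternative: skip the scanner only for the message that was hit."""
    return [m.msg_id for m in batch if not filename_hits(m)]


def delivered_unscanned(batch, scanned_ids):
    """Messages that pass the filename rules but never reached the scanner."""
    scanned = set(scanned_ids)
    return [m.msg_id for m in batch
            if not filename_hits(m) and m.msg_id not in scanned]


def exposure(messages, batch_size, planner):
    """IDs delivered unscanned when the same mail arrives in batches of batch_size."""
    unscanned = []
    for start in range(0, len(messages), batch_size):
        batch = messages[start:start + batch_size]
        unscanned += delivered_unscanned(batch, planner(batch))
    return unscanned


# Constructed mail: five messages, one of which trips a filename rule.
MAIL = [
    Message("msg1", ("notes.txt",)),
    Message("msg2", ("setup.exe",)),
    Message("msg3", ("report.doc",)),
    Message("msg4"),
    Message("msg5", ("photo.jpg",)),
]

if __name__ == "__main__":
    for size in (1, 2, 5):
        print(f"batch size {size}: batch-wide check leaves unscanned ->",
              exposure(MAIL, size, plan_batch_wide))
    print("batch size 5: per-message check leaves unscanned ->",
          exposure(MAIL, 5, plan_per_message))
```

With batches of one the batch-wide check leaves nothing unscanned, which is why the fault only shows once load makes batches grow.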
From LISTSERV at JISCMAIL.AC.UK Sat Jul 13 18:47:27 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:14 2006
Subject: MAILSCANNER: raymond@PROLOCATION.NET requested to join
Message-ID: <200207131747.SAA26254@magpie.ecs.soton.ac.uk>

Sat, 13 Jul 2002 18:47:27

A request for to join the MAILSCANNER list (MailScanner mailing list) has been received from Raymond Dijkxhoorn .

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER raymond@PROLOCATION.NET Raymond Dijkxhoorn

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+raymond%40PROLOCATION.NET+Raymond+Dijkxhoorn&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From LISTSERV at JISCMAIL.AC.UK Sun Jul 14 00:48:19 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:14 2006
Subject: MAILSCANNER: jmcgill_maillists@NETFOCUS-SUPPORT.CO.UK requested to join
Message-ID: <200207132348.AAA15697@magpie.ecs.soton.ac.uk>

Sun, 14 Jul 2002 00:48:19

A request for to join the MAILSCANNER list (MailScanner mailing list) has been received from John McGill .
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER jmcgill_maillists@NETFOCUS-SUPPORT.CO.UK John McGill

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+jmcgill_maillists%40NETFOCUS-SUPPORT.CO.UK+John+McGill&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From mailscanner at ecs.soton.ac.uk Sun Jul 14 13:22:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: autoupdate.f-prot working
In-Reply-To:
Message-ID: <5.1.0.14.2.20020714132143.02b46f38@imap.ecs.soton.ac.uk>

At 19:23 13/07/2002, you wrote:
>Well, whatever was wrong with the F-Prot autoupdate script and their
>website is now fixed.

They had the string "DEF" inside one of the file checksums, so their "grep" was pulling out a line it shouldn't have. I have fixed my "autoupdate" script (which does all the proper file locking as well) and attached it to a posting you will see in a minute.

>---------- Forwarded message ----------
>Date: Sat, 13 Jul 2002 13:00:04 -0400
>From: Cron Daemon
>To: root@tiger.dorfam.ca
>Subject: Cron /home/gerry/autoupdate.f-prot
>
>FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/
>F-Prot signature file update script
>There is a new version of SIGN.DEF, starting download.
>Download completed.
>Updated SIGN.DEF.
>There is a new version of SIGN2.DEF, starting download.
>Updated SIGN2.DEF.
>File MACRO.DEF is already up to date.
>Update completed.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 14 13:21:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: f-prot script update error
In-Reply-To: <20020712024510.GC8825@hoiho.nz.lemon-computing.com>
References:
Message-ID: <5.1.0.14.2.20020714131845.0312fc58@imap.ecs.soton.ac.uk>

At 03:45 12/07/2002, you wrote:
>On Thu, Jul 11, 2002 at 07:24:04PM -0400, Gerry Doris wrote:
> > I've started getting the following error when running the autoupdate.fprot
> > script. I thought it was related to the ^M that was reported and fixed
> > around line 131 but putting in that fix didn't help.
> >
> > Any ideas what has gone wrong???
>
>No, but I have to install it myself now, so I'll be forced to work it out ;)

I have fixed the autoupdate script in line with F-Prot's fixed check-updates.sh script. They had a "DEF" where they needed a "DEF=". This will be included in the next release. It is also attached to this message.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: autoupdate
Type: application/octet-stream
Size: 8975 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020714/cb31e42d/autoupdate.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 14 14:03:11 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: more/all_spam_to
In-Reply-To:
References: <5.1.0.14.2.20020713161050.043f0cc0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020714140217.02fc4db8@imap.ecs.soton.ac.uk>

At 18:48 13/07/2002, you wrote:
>On Sat, 13 Jul 2002, Julian Field wrote:
>
> > This will be possible in the next release.
> > I have expanded the "Spam White List" feature so that it checks both the
> > sender and recipient's address against the contents of this file. Also, the
> > addresses contained in the file can be any of the following forms:
> > me@Jules.fm
> > JulianField.net
> > *.soton.ac.uk
>
>How about items like abuse@* ??

What a good idea! Why didn't I think of that?

I have changed all the wildcard lists so they now support address@* as well as *.domain.com. Will be in the next release.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 14 16:07:26 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Timeouts
Message-ID: <5.1.0.14.2.20020714160056.038ce1b8@imap.ecs.soton.ac.uk>

Due to recent "unreliable" performance of the RBL's used by both MailScanner and SpamAssassin, I have improved the timeout code for both of these functions.

There are an additional 2 configuration variables in the mailscanner.conf file, one for "Spam List" entries and one for SpamAssassin. If there are more than the given number of *consecutive* timeouts with any particular "Spam List" entry, or with SpamAssassin, then that function is disabled until the next time MailScanner restarts itself (within 4 hours by default).

This will mean that if one of the RBL's becomes unreachable, MailScanner won't slow to a crawl due to all the timeouts. But temporary problems reaching them will be ignored, only prolonged outages will have any effect.

The default value for each of these configuration variables is 20. To disable the protection, set the value to 0.

This will be in the next release, along with a whole host of other stuff I've been working on...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 14 21:09:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:14 2006
Subject: Beta testers urgently wanted
Message-ID: <5.1.0.14.2.20020714210056.0473ae90@imap.ecs.soton.ac.uk>

Hi folks!

I'm preparing a new version for release, but there's a few things in it that are difficult for me to test thoroughly. As you can see below, I've done some testing on most of it, but would like a few other people to try it. A particular area of interest is the "spam@*" style wildcards which are now supported in every conf file that could handle wildcard domain names.

So if you are particularly interested in any of the following, please give me a shout and I'll send you the latest code.

Features:

"Spam White List" (tested) configuration option now gives a filename whose contents are checked against both the sender's address and the recipients' addresses.

"Max Spam List Timeouts" (tested) configuration value gives the threshold for the number of consecutive times a single "Spam List" or "Spam Domain" entry can timeout before it is removed from the list of places to be checked. It will be restored to the list at the next restart (every 4 hours by default).

"Max SpamAssassin Timeouts" (tested) configuration value works the same way as "Max Spam List Timeouts" except it applies to SpamAssassin instead.

"Hide Incoming Work Dir" (tested) configuration option allows you to hide the full directory pathname from the messages sent to users.

Improvements:

Old core files are now deleted from the virus scanning work directory to speed up scanning if something dumps core in there.

MailScanner RedHat RPM init.d script extended to allow use of make within /etc/mail.

If RBL checks time out then error message logged says which DNSBL timed out.
(Not tested -- V.Important) All conf files that accept wildcards like "*.soton.ac.uk" now also accept wildcards like "abuse@*". Fixes: Changed assumed installation directory for RAV to /usr/local/rav8/bin which is where RAV 8.x puts it. High scoring spam messages are now logged. F-Prot autoupdate script now copes better with stray ^M characters. F-Prot autoupdate script fixed in line with fixed shell script from F-Prot (my script is better than theirs as it ensures no scanning will take place while the virus defs are being updated). Thanks a lot! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Mon Jul 15 07:31:45 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:14 2006 Subject: MailScanner sudden failure! In-Reply-To: References: <5.1.0.14.2.20020712191730.02fd76c8@imap.ecs.soton.ac.uk> Message-ID: On Fri, 12 Jul 2002 16:10:37 -0400, you wrote: >Well, something strange was happening today.
This morning I found that >most of my mail including the MailScanner list was being marked as spam. >Checking the headers showed that Spam.cop was the culprit. Spamcop has some "strange" ways to consider a source as a spamsource. It calculates the number of received spams in regard to the total amount of normal mail from that source. If no other mails were received the spampercentage is 100% and the source is included in the LBR. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Mon Jul 15 07:35:46 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:14 2006 Subject: more/all_spam_to In-Reply-To: References: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca> Message-ID: On Fri, 12 Jul 2002 15:39:46 -0300, you wrote: >Figuring that some users will (for whatever reason) be disgruntled by the >addition of {SPAM??} to the subject, I'm looking for a way to >"opt-out" certain users. SA has a "more_spam_to and >all_spam_to" directive, but those don't seem to work when SA is being >called by MailScanner. We don't change anything in the Subject: header. We scan everything (for most of our domains) and add the X-headers. The users scan on the parts of the header they want. So one user can use only SpamAssassin while another user also uses some RFC-IGNORANT BL's. We don't do BL-checking in SpamAssassin to be able to distinguish between the different BL's.
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Mon Jul 15 07:46:06 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:14 2006 Subject: Beta testers urgently wanted In-Reply-To: <5.1.0.14.2.20020714210056.0473ae90@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020714210056.0473ae90@imap.ecs.soton.ac.uk> Message-ID: <3qr4ju0kgh89qt3haio55lg1im0rh15e0m@4ax.com> On Sun, 14 Jul 2002 21:09:47 +0100, you wrote: >So if you are particularly interested in any of the following, please give >me a shout and I'll send you the latest code. I have a machine on which I normally try and test any new software (or major updates) so I could easily test the new stuff. Can you send me the tar? I am using Suse and I am not (yet) confident with the rpm-implementation. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From andersan at LTKALMAR.SE Mon Jul 15 08:30:39 2002 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:15:14 2006 Subject: SV: SV: SV: SV: Changing konfiguration....... Warning!! Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EA7D@lkl22.ltkalmar.se> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 13 July 2002 16:36 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SV: SV: SV: Changing konfiguration....... Warning!! > > > Warning! > > Sorry, but this patch is fundamentally broken.
> Messages are handled in batches, and in your code the > commercial virus > checker is called > if scanning switched on > and NoScanOnFile = off > and number of infections found by filename.rules for > whole batch > of messages = 0 > So if *any* of the messages were caught by filename.rules.conf, the > expression above will be false and hence the commercial > checkers will not > be called for any message in the batch. > > So if you get 5 messages in a batch, and 1 of them triggers a > filename.rules.conf trap, then *none* of them will be scanned > for viruses! > > As a result viruses will get through MailScanner whenever > your server is > put under any significant load. Hmm, so I guess I have to live how it works for now then and wait until you want to make that change. Sometimes it's good to be a newbie. > > At 15:19 09/07/2002, you wrote: > >Hi > >I haven't had time to try it yet.....I was gonna mail back and ask > >you how to apply it but been too busy at work > >As I said, I'm a newbie at unix so I really need a howto approach =) > > > >I'm still doing some fine fixing on mailscann but I have to > >put my normal work in priority =) > > > >/Anders > > > > > -----Original Message----- > > > From: tal@MUSICGENOME.COM [mailto:tal@MUSICGENOME.COM] > > > Sent: 9 July 2002 16:15 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: SV: SV: Changing konfiguration....... > > > > > > > > > Security warning. Details in WARNING.TXT about the > possible problem. > > > > -------------------------------------------------------------------- > > > btw... did that patch work properly, or does it need fixing? > > > -- > > > Tal Kelrich > > > > > > PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC > 12B9 AA69 > > > PGP key-id: 12B9AA69 > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel.
023 8059 2817 University of Southampton > Southampton SO17 1BJ > From tcarrez at SCORT.COM Mon Jul 15 08:42:54 2002 From: tcarrez at SCORT.COM (Thierry Carrez) Date: Thu Jan 12 21:15:14 2006 Subject: Yet another spamassassin strange timeout Message-ID: <3D327CFE.3050206@scort.com> This may be of interest for everyone : -------------- next part -------------- An embedded message was scrubbed... From: Thierry Carrez Subject: Re: Yet another spamassassin strange timeout Date: Mon, 15 Jul 2002 09:41:14 +0200 Size: 3519 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020715/06c1ae6b/Yetanotherspamassassinstrangetimeout.mht From rabellino at DI.UNITO.IT Mon Jul 15 09:01:16 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:14 2006 Subject: Logger.pl in 3.15 References: <5.1.0.14.2.20020713155553.03b1b408@imap.ecs.soton.ac.uk> Message-ID: <3D32814C.581D245A@di.unito.it> Julian Field wrote: > > I think this is caused by not running "h2ph" on your Perl installation, so > it doesn't know what the numbers are for these constants. Read the man page > for h2ph as it shows you how to run it. And don't forget the man page for > it is in the Perl manpages so may not be on your manpath. > I've searched in my perl dir and found many (system .h) .ph in /opt/perl/lib/site_perl/5.6.0/sun4-solaris ... as my machine is a sparc solaris ... Ps. Obiously, the subject of the mail was a mistake .... "logger.pl" in 3.21 .... -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603 From mailscanner at ecs.soton.ac.uk Mon Jul 15 10:27:53 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: more/all_spam_to In-Reply-To: References: <1026497552.6809.14.camel@dbeauchemin.si.usherb.ca> Message-ID: <5.1.0.14.2.20020715102720.03e46848@imap.ecs.soton.ac.uk> At 07:35 15/07/2002, you wrote: >On Fri, 12 Jul 2002 15:39:46 -0300, you wrote: > > >Figuring that some users will (for whatever reason) be disgruntled by the > >addition of {SPAM??} to the subject, I'm looking for a way to > >"opt-out" certain users. SA has a "more_spam_to and > >all_spam_to" directive, but those don't seem to work when SA is being > >called by MailScanner.
Easy to do in the new version (due out very soon). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jul 15 10:31:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:14 2006 Subject: Logger.pl in 3.15 In-Reply-To: <3D32814C.581D245A@di.unito.it> References: <5.1.0.14.2.20020713155553.03b1b408@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020715103016.03e4cb60@imap.ecs.soton.ac.uk> At 09:01 15/07/2002, you wrote: >Julian Field wrote: > > > > I think this is caused by not running "h2ph" on your Perl installation, so > > it doesn't know what the numbers are for these constants. Read the man page > > for h2ph as it shows you how to run it. And don't forget the man page for > > it is in the Perl manpages so may not be on your manpath. > > >I've searched in my perl dir and found many (system .h) .ph in > >/opt/perl/lib/site_perl/5.6.0/sun4-solaris Are you running Perl 5.6.0? If so, it should all be okay. You can always comment out the line of logger.pl that has "setlogsock" in it. The idea of the "eval" was to stop this producing errors on systems where it didn't work. It's obviously not working as intended... >... as my machine is a sparc solaris ... > >Ps. Obiously, the subject of the mail was a mistake .... "logger.pl" in >3.21 .... >-- >Dott. Sergio Rabellino > > Technical Staff > Department of Computer Science > University of Torino (Italy) > Member of the Internet Society > >http://www.di.unito.it/~rabser >Tel. +39-0116706701 >Fax. +39-011751603 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From howard at harper-adams.ac.uk Mon Jul 15 11:24:09 2002 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:15:14 2006 Subject: Possibly Old News Message-ID: <200207151018.g6FAIZO32596@blackhole.harper-adams.ac.uk> Picked this up from an emailed newsletter. Not sure whether this is old news - If it is sorry. McAFEE ANTI-VIRUS SOFTWARE FAILS TO BLOCK KLEZ VIRUS Which kind of defies the point... http://www.silicon.com/a54540 Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From nwp at LEMON-COMPUTING.COM Mon Jul 15 11:06:16 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:14 2006 Subject: Logger.pl in 3.15 In-Reply-To: <3D32814C.581D245A@di.unito.it> References: <5.1.0.14.2.20020713155553.03b1b408@imap.ecs.soton.ac.uk> <3D32814C.581D245A@di.unito.it> Message-ID: <20020715100616.GP8825@hoiho.nz.lemon-computing.com> On Mon, Jul 15, 2002 at 10:01:16AM +0200, Rabellino Sergio wrote: > I've searched in my perl dir and found many (system .h) .ph in > > /opt/perl/lib/site_perl/5.6.0/sun4-solaris I've noticed a couple of people mentioning in this thread that they're using perl 5.6.0. Perl 5.6.0 seems to be generally regarded as a Bad Thing to be using -- it has a particularly bad reputation as far as perl releases go. See the perldelta at http://www.perlpod.com/5.6.1/perldelta.html for an "official" list. Just thought that might be worth mentioning... -- Nick Phillips -- nwp@lemon-computing.com Artistic ventures highlighted. Rob a museum.
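The batch-wide gate that Julian Field's warning in the "Changing konfiguration....... Warning!!" thread above describes, modelled in Python as an added example (this is not MailScanner's Perl and not the patch under discussion). The rule list, the signature marker, the five-message batch and the per-message variant are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-ins, not MailScanner data: a small filename rule list and
# a one-entry "signature database" playing the commercial virus checker.
FILENAME_RULES = ["*.exe", "*.scr", "*.pif"]
SIGNATURES = {b"CONSTRUCTED-TEST-MARKER": "Demo.Virus"}


@dataclass(frozen=True)
class Message:
    msg_id: str
    attachments: tuple  # (filename, content bytes) pairs


def filename_findings(msg):
    """Findings from the filename rules for one message."""
    return [f"filename rule: {name}"
            for name, _ in msg.attachments
            if any(fnmatchcase(name.lower(), pat) for pat in FILENAME_RULES)]


def virus_findings(msg):
    """Findings from the toy content scanner for one message."""
    return [f"virus {label}: {name}"
            for name, body in msg.attachments
            for marker, label in SIGNATURES.items()
            if marker in body]


def scan_batch_flawed(batch, scanning_on=True, no_scan_on_file=False):
    """Gate as described in the thread: one decision for the whole batch."""
    results = {m.msg_id: filename_findings(m) for m in batch}
    batch_hits = sum(len(found) for found in results.values())
    # A single filename hit anywhere makes this false for every message.
    if scanning_on and not no_scan_on_file and batch_hits == 0:
        for m in batch:
            results[m.msg_id] += virus_findings(m)
    return results


def scan_batch_per_message(batch, scanning_on=True, skip_if_filename_hit=True):
    """Assumed alternative: the skip decision is taken per message."""
    results = {}
    for m in batch:
        findings = filename_findings(m)
        already_trapped = bool(findings)
        if scanning_on and not (skip_if_filename_hit and already_trapped):
            findings += virus_findings(m)
        results[m.msg_id] = findings
    return results


def undetected(batch, results):
    """Ids of messages that carry a signature yet got no finding at all."""
    return [m.msg_id for m in batch
            if virus_findings(m) and not results[m.msg_id]]


# Constructed batch of five queued messages: msg1 trips a filename rule,
# msg3 carries the test marker inside an innocuously named attachment.
BATCH = [
    Message("msg1", (("VALUE.exe", b"MZ..."),)),
    Message("msg2", (("notes.txt", b"hello"),)),
    Message("msg3", (("report.doc", b"xx CONSTRUCTED-TEST-MARKER xx"),)),
    Message("msg4", ()),
    Message("msg5", (("photo.jpg", b"\xff\xd8"),)),
]

if __name__ == "__main__":
    print("flawed, one batch :", undetected(BATCH, scan_batch_flawed(BATCH)))
    print("flawed, singletons:",
          [i for m in BATCH for i in undetected([m], scan_batch_flawed([m]))])
    print("per-message gate  :", undetected(BATCH, scan_batch_per_message(BATCH)))
```

Fed one message at a time, the flawed gate still reports msg3, so the miss only appears once batches hold several messages, which matches the warning that viruses get through under load.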
From rabellino at DI.UNITO.IT Mon Jul 15 11:49:55 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:14 2006 Subject: Logger.pl in 3.15 References: <5.1.0.14.2.20020713155553.03b1b408@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020715103016.03e4cb60@imap.ecs.soton.ac.uk> Message-ID: <3D32A8D3.63DEFC67@di.unito.it> Julian Field wrote: > > At 09:01 15/07/2002, you wrote: > >Julian Field wrote: > > > > > > I think this is caused by not running "h2ph" on your Perl installation, so > > > it doesn't know what the numbers are for these constants. Read the man page > > > for h2ph as it shows you how to run it. And don't forget the man page for > > > it is in the Perl manpages so may not be on your manpath. > > > > >I've searched in my perl dir and found many (system .h) .ph in > > > >/opt/perl/lib/site_perl/5.6.0/sun4-solaris > > Are you running Perl 5.6.0? If so, it should all be okay. > You can always comment out the line of logger.pl that has "setlogsock" in > it. The idea of the "eval" was to stop this producing errors on systems > where it didn't work. It's obviously not working as intended... > Yes, the eval stops mailscanner anyway, if you need some help to search the solution, feel free to contact me directly... > >... as my machine is a sparc solaris ... > > > >Ps. Obiously, the subject of the mail was a mistake .... "logger.pl" in > >3.21 .... > >-- > >Dott. Sergio Rabellino > > > > Technical Staff > > Department of Computer Science > > University of Torino (Italy) > > Member of the Internet Society > > > >http://www.di.unito.it/~rabser > >Tel. +39-0116706701 > >Fax. +39-011751603 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603 From martinh at SOLID-STATE-LOGIC.COM Mon Jul 15 12:34:55 2002 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:15:14 2006 Subject: Possibly Old News References: <200207151018.g6FAIZO32596@blackhole.harper-adams.ac.uk> Message-ID: <3D32B35F.3060101@solid-state-logic.com> Howard Robinson wrote: > Picked this up from an emailed newsletter. Not sure whether this is > old news - If it is sorry. > > > McAFEE ANTI-VIRUS SOFTWARE FAILS TO BLOCK KLEZ > VIRUS > Which kind of defies the point... > http://www.silicon.com/a54540 > > > Regards > > Howard Robinson Which is why it's always better to have a multilayer A/V system. I.e. different A/V solutions at different places. We use Sophos on the mail gateway and file servers, with Norton on the desktop. -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 From marc.perea at ELECTRONIC-GROUP.COM Mon Jul 15 12:45:26 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:14 2006 Subject: Minor problems with messages to users In-Reply-To: <1026503198.6696.31.camel@dbeauchemin.si.usherb.ca> References: <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> <20020711174114.53812bfe.marc.perea@electronic-group.com> <1026503198.6696.31.camel@dbeauchemin.si.usherb.ca> Message-ID: <20020715134526.6a2429d4.marc.perea@electronic-group.com> On Fri, 12 Jul 2002 15:46:37 -0400 Denis Beauchemin wrote: > Marc, > > I tried to modify mcafeewrapper: > exec ${PackageDir}/$prog -d $datDIR "$@" | sed 's-^.*/--' > > It worked OK at the command line (got the file name and the virus found) > but the line disappeared altogether in MailScanner... not what I > wanted... Hmmm .... strange then, it works for me in both two ways (command line and mailscanner). Be sure of taking care of the special characters escaping them. Anyway ... good luck with your modifs! :-) Cheers > > I also tried to modify sweep.pl: > $lastline =~ s/$BaseDir\/*\w+\///; > but it didn't work either (I still got the last dir part). > > Denis > On Thu, 2002-07-11 at 11:41, Marc Perea wrote: > > On Thu, 11 Jul 2002 10:04:37 -0400 > > Denis Beauchemin wrote: > > > > > Hi, > > > > > > I am experimenting with MailScanner and I have a few problems: > > > > > > 1- using McAfee, when a virus is found I get a line saying so but > > > the line contains the message ID part of the PATH: > > > Résultats de l'antivirus: > > > /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > > > I would like it to read: > > > VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > > > How could this be done?
I believe it must come from > > > ProcessMcAfeeOutput in sweep.pl, I guess we would have to modify > > > $lastline =~ s/$BaseDir//; for something else containing the message > > > ID, but what? > > > > My two cents : > > > > Some time ago I was on a similar problem, i didn't want to reveal the > > path to the message, so I modified with this extremely simple trick > > the f-protwrapper shell script (Hence, you don't have to touch any > > mailscanner core perl-function) : > > > > hiddenpath=/usr/local/mailscanner/var > > exec ${PackageDir}/$Scanner $ScanOptions "$@" | sed "s%$hiddenpath%%g" > > > > You can always make a different regular expression to suit your needs. > > For example that one should work for your needs : > > "s%\/[a-zA-Z0-9]*\/\(.*\)%\1%" > > > > Hope this helps to you. -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From tcarrez at SCORT.COM Mon Jul 15 13:36:39 2002 From: tcarrez at SCORT.COM (Thierry Carrez) Date: Thu Jan 12 21:15:14 2006 Subject: SpamAssassin Hangup References: <20020715100505.GA5284@venus.agni.com> Message-ID: <3D32C1D7.7020707@scort.com> Mojahedul Hoque Abul Hasanat wrote: > I switched to MailScanner from a milter based scanner and it really > rocks! LoadAvg has gone down substantially and we are from nasty milter > problems. > > Unfortunately, I am having a hard time with SpamAssasin. For most of > the mails it's working fine, but it gets hung up for some of the mails. > I have stopped all DNS based lookups except the MX check from SA. DNS > blacklists are off in MailScanner too. MailScanner has to kill SA after > the timeout.
> > The list archive suggests this may be due to DNS lookups, but I think in > our case this is not true. Besides, mailscanner takes 100% cpu when SA > gets stuck with those mails. I have changed spamassassin timeout to 0 > to see how long it takes. It consumes 100% cpu until I kill it. I am > on Slackware, mail traffic around 30K per day. > > Any ideas on what could be wrong? Is there any easy way to debug this? Looks like the same problem I have... (see "Yet another strange SA timeout" mail). I'm currently trying to reproduce with more traces to check where it's lost. Stay tuned... Just to know : what kind of a setup do you have ? (sendmail, mcafee... + versions used). Characteristics of the machine you use (CPU,RAM...) Thanks ! -- Thierry Carrez From mike at CAMAROSS.NET Mon Jul 15 14:05:25 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:14 2006 Subject: SpamAssassin Hangup References: <20020715100505.GA5284@venus.agni.com> Message-ID: <006001c22c00$4b0adb20$6501a8c0@home.wideopenthrottle.org> Jul 15 07:54:43 www mailscanner[8204]: RBL Checks timed out and were killed Jul 15 08:01:34 www mailscanner[8204]: SpamAssassin timed out and was killed I get these all the time on a RAQ4. All of my other RH 7.x machines work fine. ANyone know what could be causing this? It's not DNS timeouts because if I do a query to bl.spamcop.net, the result is returned immediately. Mike ----- Original Message ----- From: "Mojahedul Hoque Abul Hasanat" To: Sent: Monday, July 15, 2002 5:05 AM Subject: SpamAssassin Hangup > Hello All, > > I switched to MailScanner from a milter based scanner and it really > rocks! LoadAvg has gone down substantially and we are from nasty milter > problems. > > Unfortunately, I am having a hard time with SpamAssasin. For most of > the mails it's working fine, but it gets hung up for some of the mails. > I have stopped all DNS based lookups except the MX check from SA. DNS > blacklists are off in MailScanner too. 
MailScanner has to kill SA after > the timeout. > > The list archive suggests this may be due to DNS lookups, but I think in > our case this is not true. Besides, mailscanner takes 100% cpu when SA > gets stuck with those mails. I have changed spamassassin timeout to 0 > to see how long it takes. It consumes 100% cpu until I kill it. I am > on Slackware, mail traffic around 30K per day. > > Any ideas on what could be wrong? Is there any easy way to debug this? > > > -- > Mojahed > System Administrator, Agni Systems Limited > From mailscanner at ecs.soton.ac.uk Mon Jul 15 14:07:02 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020715100505.GA5284@venus.agni.com> Message-ID: <5.1.0.14.2.20020715140415.04afdd10@imap.ecs.soton.ac.uk> At 11:05 15/07/2002, you wrote: >I switched to MailScanner from a milter based scanner and it really >rocks! LoadAvg has gone down substantially and we are from nasty milter >problems. Glad to hear it. Out of personal interest, how big was the change in load? >Unfortunately, I am having a hard time with SpamAssasin. For most of >the mails it's working fine, but it gets hung up for some of the mails. >I have stopped all DNS based lookups except the MX check from SA. DNS >blacklists are off in MailScanner too. MailScanner has to kill SA after >the timeout. > >The list archive suggests this may be due to DNS lookups, but I think in >our case this is not true. Besides, mailscanner takes 100% cpu when SA >gets stuck with those mails. I have changed spamassassin timeout to 0 >to see how long it takes. It consumes 100% cpu until I kill it. I am >on Slackware, mail traffic around 30K per day. Are you using the very latest SpamAssassin (2.31)? Did installing it upgrade your version of Perl? If it did, then you will need to re-install SpamAssassin. What version of Perl are you using? (5.6.0 is a bit dodgy). >Any ideas on what could be wrong? 
Is there any easy way to debug this? I'm afraid I'm not too hot on debugging the internals of SpamAssassin, it's a very complicated beast. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jul 15 14:08:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: f-protwrapper modification ? In-Reply-To: <20020417183106.7d8b1de2.marc.perea@electronic-group.com> References: <20020404112736.11550fba.marc.perea@electronic-group.com> <3CAB7076.2010508@southwestern.edu> <20020403230005.GI22344@hoiho.nz.lemon-computing.com> <008201c1db8e$5f391520$1400a8c0@gangfam.com> <20020404045319.GC3518@hoiho.nz.lemon-computing.com> <20020404112736.11550fba.marc.perea@electronic-group.com> Message-ID: <5.1.0.14.2.20020715140831.04ceeec0@imap.ecs.soton.ac.uk> At 17:31 17/04/2002, you wrote: >On Thu, 4 Apr 2002 11:27:36 +0200 >Marc Perea wrote: > > > > > Here I copy an example output : > > > > At Thu Apr 4 02:56:10 2002 the virus scanner said: > > /opt/mailscanner/var/incoming/g340ti715079/enano.exe Infection: > W32/Hybris.worm.B > > > > I'm looking for a way to easyly remove the path to the file, so just > appears as "file.ext" instead of /opt/mailscanner/var/incoming/XXXXXXX/file.ext > > > > Cheers, > > > >Hello guys. > >This mail is only for f-prot users (I have no experience with any other >Anti Viruses) > >To solve the problem above exposed, I've modified the f-protwrapper file >that comes by default with the mailscanner package in this way : > >I've added this variable : >HiddenPath=/opt/mailscanner/var > >And replaced the first line by the second one : >exec ${PackageDir}/$Scanner $ScanOptions "$@" >exec ${PackageDir}/$Scanner $ScanOptions "$@" | sed "s%$HiddenPath%%g" > >And voila! 
no more path revealing to anyone :-) > >Dear Julian Field : What do you think about including this option into the >next f-protwrapper version ? It's a configurable option in the new version (due out shortly). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mojahed at AGNI.COM Mon Jul 15 14:11:17 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: More on SpamAssasin Hangup Message-ID: <20020715131117.GA11794@venus.agni.com> Dear List, I have got a certain juicy spam that SpamAssassin chokes on every time, without failure! I mean every time (already seen hundreds) this spam comes into the queue, SA times out. I am trying to find out where the bug is. I request anyone with two minutes spare time to put these df and qf files into their incoming sendmail queue and see if SA times out. SA does fine if I run it from the command line on a message constructed from the *.header and df file. Thanks in advance. -- Mojahed System Administrator, Agni Systems Limited -------------- next part -------------- A non-text attachment was scrubbed... Name: spam.tar.gz Type: application/octet-stream Size: 3468 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020715/7706ef3e/spam.tar.obj From tcarrez at SCORT.COM Mon Jul 15 14:32:52 2002 From: tcarrez at SCORT.COM (Thierry Carrez) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup References: <20020715100505.GA5284@venus.agni.com> <006001c22c00$4b0adb20$6501a8c0@home.wideopenthrottle.org> Message-ID: <3D32CF04.502@scort.com> Mike Kercher wrote: > Jul 15 07:54:43 www mailscanner[8204]: RBL Checks timed out and were killed > Jul 15 08:01:34 www mailscanner[8204]: SpamAssassin timed out and was killed > > I get these all the time on a RAQ4. All of my other RH 7.x machines work > fine. 
Anyone know what could be causing this? It's not DNS timeouts > because if I do a query to bl.spamcop.net, the result is returned > immediately. It can be DNS timeouts because response times can vary a lot. The only way to be sure is to try Mailscanner+SA without ANY network tests (no Razor, no MX check, no RBL) and see if you still have SA timeouts. Most of the people here are just having DNS response time problems, but a few still experience SA timeouts without any network tests enabled... so I think there is still something wrong in the SA child (currently investigating this one). -- Thierry Carrez From mkettler at EVI-INC.COM Mon Jul 15 14:33:20 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020715100505.GA5284@venus.agni.com> Message-ID: <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> Probably your best "first stab" is to get the email (or several emails) in an otherwise plain text format (ie: from /var/spool/mail) and run SpamAssassin from the command line: spamassassin -tD < /var/spool/mail/mkettler -t puts SpamAssassin in test mode, so the email is just piped through to the console with some status info -D turns on debug output. This will let you watch which part of SA's evaluation is taking too long and also see if it's complaining about any corrupted rules. As some side notes: The "MX check" is likely the longest part of a SA test. By default SA will try 3 times, waiting 5 seconds each try, to perform the MX check, which means any email without an MX for from will timeout under MailScanner (MailScanner only gives SA 10 seconds to run). In any event MailScanner should kill SpamAssassin after 10 seconds by default and log a message that it timed out. Also how did you turn off the DNS Blacklist checks in SA? 
(just a side-check to make sure you really did turn them off) At 04:05 PM 7/15/2002 +0600, you wrote: >Hello All, > >I switched to MailScanner from a milter based scanner and it really >rocks! LoadAvg has gone down substantially and we are from nasty milter >problems. > >Unfortunately, I am having a hard time with SpamAssassin. For most of >the mails it's working fine, but it gets hung up for some of the mails. >I have stopped all DNS based lookups except the MX check from SA. DNS >blacklists are off in MailScanner too. MailScanner has to kill SA after >the timeout. > >The list archive suggests this may be due to DNS lookups, but I think in >our case this is not true. Besides, mailscanner takes 100% cpu when SA >gets stuck with those mails. I have changed spamassassin timeout to 0 >to see how long it takes. It consumes 100% cpu until I kill it. I am >on Slackware, mail traffic around 30K per day. > >Any ideas on what could be wrong? Is there any easy way to debug this? > > >-- >Mojahed >System Administrator, Agni Systems Limited From dcooper at UKMATRIX.NET Mon Jul 15 14:44:52 2002 From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:15 2006 Subject: File Blocking Message-ID: <035501c22c05$cbe9f000$415e7bc1@401wkstn> Hi, Is there any way to get mailscanner to reject files that have a certain extension based on the incoming domain? i.e. if the mail is to domain1.com, then don't allow .exe .scr .vbs etc. Many thanks. Regards, Dan Cooper
From mailscanner at ecs.soton.ac.uk Mon Jul 15 14:47:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: Minor problems with messages to users In-Reply-To: <20020715134526.6a2429d4.marc.perea@electronic-group.com> References: <1026503198.6696.31.camel@dbeauchemin.si.usherb.ca> <1026396277.22101.43.camel@dbeauchemin.si.usherb.ca> <20020711174114.53812bfe.marc.perea@electronic-group.com> <1026503198.6696.31.camel@dbeauchemin.si.usherb.ca> Message-ID: <5.1.0.14.2.20020715144643.04ab0f58@imap.ecs.soton.ac.uk> This will be a configurable feature in the new release, which is due out shortly. So if you can wait a few days, you can save yourselves a lot of work. If you want to beta-test the new version (and hence get this feature early) then give me a shout. Jules. At 12:45 15/07/2002, you wrote: >On Fri, 12 Jul 2002 15:46:37 -0400 >Denis Beauchemin wrote: > > > Marc, > > > > I tried to modify mcafeewrapper: > > exec ${PackageDir}/$prog -d $datDIR "$@" | sed 's-^.*/--' > > > > It worked OK at the command line (got the file name and the virus found) > > but the line disappeared altogether in MailScanner... not what I > > wanted... > >Hmmm .... strange then, it works for me in both two ways (command line and >mailscanner). Be sure of taking care of the special characters escaping >them. > >Anyway ... good luck with your modifs! :-) > >Cheers > > > > > I also tried to modify sweep.pl: > > $lastline =~ s/$BaseDir\/*\w+\///; > > but it didn't work either (I still got the last dir part). 
> > > > Denis > > On Thu, 2002-07-11 at 11:41, Marc Perea wrote: > > > On Thu, 11 Jul 2002 10:04:37 -0400 > > > Denis Beauchemin wrote: > > > > > > > Hi, > > > > > > > > I am experimenting with MailScanner and I have a few problems: > > > > > > > > 1- using McAfee, when a virus is found I get a line saying so but > > > > the line contains the message ID part of the PATH: > > > > Résultats de l'antivirus: > > > > /g69IuTY08361/VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > > > > > I would like it to read: > > > > VALUE.exe Found the W32/Klez.h@MM virus !!! > > > > > > > > How could this be done? I believe it must come from > > > > ProcessMcAfeeOutput in sweep.pl, I guess we would have to modify > > > > $lastline =~ s/$BaseDir//; for something else containing the message > > > > ID, but what? > > > > > > My two cents : > > > > > > Some time ago I was on a similar problem, I didn't want to reveal the > > > path to the message, so I modified with this extremely simple trick > > > the f-protwrapper shell script (Hence, you don't have to touch any > > > mailscanner core perl-function) : > > > > > > hiddenpath=/usr/local/mailscanner/var > > > exec ${PackageDir}/$Scanner $ScanOptions "$@" | sed "s%$hiddenpath%%g" > > > > > > You can always make a different regular expression to suit your needs. > > > For example that one should work for your needs : > > > "s%\/[a-zA-Z0-9]*\/\(.*\)%\1%" > > > > > > Hope this helps to you. > > >-- >Marc Perea - System Administration Staff >Mail: marc.perea@electronic-group.com >Tel: (+34) 93 600 23 23 >Fax: (+34) 93 600 23 10 >---------------- >Electronic Group - http://www.electronic-group.com -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jul 15 15:10:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: File Blocking In-Reply-To: <035501c22c05$cbe9f000$415e7bc1@401wkstn> Message-ID: <5.1.0.14.2.20020715151022.04b4f2d0@imap.ecs.soton.ac.uk> At 14:44 15/07/2002, you wrote: >Is there any way to get mailscanner to reject files that have a certain >extension based on the incoming domain? > >i.e. if the mail is to domain1.com, then dont allow .exe .scr .vbs etc. Not currently, no. The filename.rules.conf file applies to all domains. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mojahed at AGNI.COM Mon Jul 15 15:16:54 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <3D32CF04.502@scort.com> References: <20020715100505.GA5284@venus.agni.com> <006001c22c00$4b0adb20$6501a8c0@home.wideopenthrottle.org> <3D32CF04.502@scort.com> Message-ID: <20020715141654.GB12944@venus.agni.com> On Mon, Jul 15, 2002 at 03:32:52PM +0200, Thierry Carrez wrote: > > It can be DNS timeouts because response times can vary a lot. > The only way to be sure is to try Mailscanner+SA without ANY network > tests (no Razor, no MX check, no RBL) and see if you still have SA > timeouts. I have stopped all network checks, even the MX check. Same problem. Please note that cpu utilization goes 100%, this is certainly no DNS check. 
-- Mojahed System Administrator, Agni Systems Limited From mojahed at AGNI.COM Mon Jul 15 15:10:00 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <5.1.0.14.2.20020715140415.04afdd10@imap.ecs.soton.ac.uk> References: <20020715100505.GA5284@venus.agni.com> <5.1.0.14.2.20020715140415.04afdd10@imap.ecs.soton.ac.uk> Message-ID: <20020715141000.GA12944@venus.agni.com> On Mon, Jul 15, 2002 at 02:07:02PM +0100, Julian Field wrote: > At 11:05 15/07/2002, you wrote: > >rocks! LoadAvg has gone down substantially and we are from nasty milter > >problems. > > Glad to hear it. Out of personal interest, how big was the change in load? Most of the day it used to hop between 0.7 to a bit over 1.0. But when some mailing list gods blasted us 2-4 times a day, LoadAvg would shoot up to 8-12 and sendmail would start spewing out 4xx temporary errors. With MailScanner + uvscan it's less than 0.2. Only very rarely have I spotted it more than 0.7, only for a batch or two. I almost can't believe it! Milter is really not the right place to do a heavy job. > >to see how long it takes. It consumes 100% cpu until I kill it. I am > >on Slackware, mail traffic around 30K per day. > > Are you using the very latest SpamAssassin (2.31)? Yes. > Did installing it upgrade your version of Perl? No. I am a hands on type of guy. Installed all the pre-requisites manually. > What version of Perl are you using? (5.6.0 is a bit dodgy). 5.6.1. 
-- Mojahed System Administrator, Agni Systems Limited From mojahed at AGNI.COM Mon Jul 15 15:25:06 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <3D32C1D7.7020707@scort.com> References: <20020715100505.GA5284@venus.agni.com> <3D32C1D7.7020707@scort.com> Message-ID: <20020715142506.GC12944@venus.agni.com> On Mon, Jul 15, 2002 at 02:36:39PM +0200, Thierry Carrez wrote: [snip] > Just to know : what kind of a setup do you have ? (sendmail, mcafee... > + versions used). Characteristics of the machine you use (CPU,RAM...) sendmail 8.12.4, latest uvscan engine and dat file. Platform is Slackware Linux 8.0 running on a fine Dell box with P-III 800MHz and 384MB RAM. All SCSI of course. -- Mojahed System Administrator, Agni Systems Limited From combs at MAGNET.FSU.EDU Mon Jul 15 18:41:53 2002 From: combs at MAGNET.FSU.EDU (Tom Combs) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? Message-ID: Hello, I'm considering purchasing the RBL+ service from mail-abuse.org and I was wondering if people thought it was worth having. We get the educational discount so it is only ~$150/yr. I was thinking about getting it in transfer mode, thinking that would save time/resources over the query mode. Does anyone have experience of comments about the maps service? Thanks, --Tom Combs From COMBSTM at APPSTATE.EDU Mon Jul 15 19:07:54 2002 From: COMBSTM at APPSTATE.EDU (T. Combs) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? In-Reply-To: "Your message dated Mon, 15 Jul 2002 18:41:53 +0100" Message-ID: <01KK4KFS23UWCK81OJ@appstate.edu> > Hello, > I'm considering purchasing the RBL+ service from mail-abuse.org > and I was wondering if people thought it was worth having. We > get the educational discount so it is only ~$150/yr. I was > thinking about getting it in transfer mode, thinking that would > save time/resources over the query mode. 
Does anyone have experience > of comments about the maps service? Thanks, > --Tom Combs Tom, We have been using the product for a little while and it seems to help with the SPAM problem. My take is if it blocks any email sites doing this it is worth the price. We use it in the transfer mode so the local nameservers are queried for the authentication instead of going across internet. -- Combstm@appstate.edu Appalachian State University (828)262-6297 Information Technology Services FAX: (828)262-2236 From combs at magnet.fsu.edu Mon Jul 15 19:17:30 2002 From: combs at magnet.fsu.edu (Tom Combs) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? Message-ID: <200207151817.g6FIHU027710@osprey.magnet.fsu.edu> Thanks a lot. Confused me for a minute when I saw that I got mail from T. Combs.... >MIME-version: 1.0 >X-MailScanner: Found to be clean, Found to be clean, Found to be clean >Date: Mon, 15 Jul 2002 14:07:54 -0400 >From: "T. Combs" >Subject: Re: MAPS RBL+ worth it? >To: MAILSCANNER@JISCMAIL.AC.UK >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.5, required 8, IN_REP_TO, SUBJ_ENDS_IN_Q_MARK) > >> Hello, > >> I'm considering purchasing the RBL+ service from mail-abuse.org >> and I was wondering if people thought it was worth having. We >> get the educational discount so it is only ~$150/yr. I was >> thinking about getting it in transfer mode, thinking that would >> save time/resources over the query mode. Does anyone have experience >> of comments about the maps service? Thanks, > >> --Tom Combs >Tom, >We have been using the product for a little while and it seems to help with >the SPAM problem. My take is if it blocks any email sites doing this it is >worth the price. We use it in the transfer mode so the local nameservers >are queried for the authentication instead of going across internet. 
>-- > Combstm@appstate.edu > Appalachian State University (828)262-6297 > Information Technology Services FAX: (828)262-2236 -- Tom Combs E-mail: combs@magnet.fsu.edu National High Magnetic Field Laboratory Phone: (850) 644-1657 1800 E. Paul Dirac Drive Tallahassee, FL 32310 From mailscanner at ecs.soton.ac.uk Mon Jul 15 19:46:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? In-Reply-To: Message-ID: <5.1.0.14.2.20020715193716.0322ee88@imap.ecs.soton.ac.uk> I have just processed the stats for our site from the beginning of this month, so you've got a pretty random 2 weeks worth. I have separated out the figures for each of the 5 RBL's I use and SpamAssassin, so the following are the number of messages detected *only* by the RBL listed: 82 Infinite-Monkeys 81 MAPS-RBL+ 101 ORDB 9351 SpamAssassin 1001 osirusoft.com 693 spamcop.net The total number of spam messages in this time was 20,231. 8922 of these were detected by more than 1 spam trap. So there were only 81 messages which were *only* detected by MAPS-RBL+, whereas over 9000 were detected *only* by SpamAssassin. So having MAPS-RBL+ only saved us from 81 pieces of spam in the last 2 weeks. But $150 is very few hours of someone's time, especially spread over an entire year. At $30 per hour (cost to the university for 1 person), 5 hours per year is only 49 seconds per day. So $150 really isn't very much money. I hope that helps you a bit! Jules. At 18:41 15/07/2002, you wrote: >Hello, > > I'm considering purchasing the RBL+ service from mail-abuse.org > and I was wondering if people thought it was worth having. We > get the educational discount so it is only ~$150/yr. I was > thinking about getting it in transfer mode, thinking that would > save time/resources over the query mode. Does anyone have experience > of comments about the maps service? Thanks, > > --Tom Combs -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From combs at magnet.fsu.edu Mon Jul 15 20:44:14 2002 From: combs at magnet.fsu.edu (Tom Combs) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? Message-ID: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> >X-Sender: (Unverified) >Mime-Version: 1.0 >Date: Mon, 15 Jul 2002 19:46:18 +0100 >From: Julian Field >Subject: Re: MAPS RBL+ worth it? >To: MAILSCANNER@JISCMAIL.AC.UK >X-MailScanner: Found to be clean, Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.4, required 8, IN_REP_TO, SUBJ_ENDS_IN_Q_MARK, DOUBLE_CAPSWORD) > >I have just processed the stats for our site from the beginning of this >month, so you've got a pretty random 2 weeks worth. > >I have separated out the figures for each of the 5 RBL's I use and >SpamAssassin, so the following are the number of messages detected *only* >by the RBL listed: > 82 Infinite-Monkeys > 81 MAPS-RBL+ > 101 ORDB > 9351 SpamAssassin > 1001 osirusoft.com > 693 spamcop.net > >The total number of spam messages in this time was 20,231. 8922 of these >were detected by more than 1 spam trap. > >So there were only 81 messages which were *only* detected by MAPS-RBL+, >whereas over 9000 were detected *only* by SpamAssassin. > >So having MAPS-RBL+ only saved us from 81 pieces of spam in the last 2 weeks. > Julian, Thanks for the info. How did you generate your report, using MTGR or whatever that tool is called? I suspect that my RBL check is not working. All I see in the log is that RBL checks have timed out. I only have Spam List = ORDB-RBL, relays.ordb.org set and I can resolve relays.ordb.org quickly. How can I tell if I'm getting any RBL service? Thanks, Tom Combs -- Tom Combs E-mail: combs@magnet.fsu.edu National High Magnetic Field Laboratory Phone: (850) 644-1657 1800 E. 
Paul Dirac Drive Tallahassee, FL 32310 From thomas_duvally at BROWN.EDU Mon Jul 15 20:54:30 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020715141000.GA12944@venus.agni.com> References: <20020715100505.GA5284@venus.agni.com> <5.1.0.14.2.20020715140415.04afdd10@imap.ecs.soton.ac.uk> <20020715141000.GA12944@venus.agni.com> Message-ID: <1026762871.1600.34.camel@toms> On Mon, 2002-07-15 at 10:10, Mojahedul Hoque Abul Hasanat wrote: > On Mon, Jul 15, 2002 at 02:07:02PM +0100, Julian Field wrote: > > At 11:05 15/07/2002, you wrote: > > >rocks! LoadAvg has gone down substantially and we are from nasty milter > > >problems. > > > > Glad to hear it. Out of personal interest, how big was the change in load? > > Most of the day it used to hop between 0.7 to a bit over 1.0. But when > some mailing list gods blasted us 2-4 times a day, LoadAvg would shoot > up to 8-12 and sendmail would start spewing out 4xx temporary errors. > Any info online about milters and resource usage? I've never heard of any info (good or bad) and would love to have something to reference when it comes up. > With MailScanner + uvscan it's less than 0.2. Only very rarely have I > spotted it more than 0.7, only for a batch or two. I almost can't > believe it! Milter is really not the right place to do a heavy job. > > > >to see how long it takes. It consumes 100% cpu until I kill it. I am > > >on Slackware, mail traffic around 30K per day. > > > > Are you using the very latest SpamAssassin (2.31)? > > Yes. > > > Did installing it upgrade your version of Perl? > > No. I am a hands on type of guy. Installed all the pre-requisites > manually. > > > What version of Perl are you using? (5.6.0 is a bit dodgy). > > 5.6.1. > > > -- > Mojahed > System Administrator, Agni Systems Limited -- Tom DuVally Lead Sys. 
Programmer CIS, Brown University p 401-863-9466 From mailscanner at ecs.soton.ac.uk Mon Jul 15 21:12:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? In-Reply-To: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> Message-ID: <5.1.0.14.2.20020715210908.0304dd68@imap.ecs.soton.ac.uk> At 20:44 15/07/2002, you wrote: > >I have just processed the stats for our site from the beginning of this > >month, so you've got a pretty random 2 weeks worth. > > > >I have separated out the figures for each of the 5 RBL's I use and > >SpamAssassin, so the following are the number of messages detected *only* > >by the RBL listed: > > 82 Infinite-Monkeys > > 81 MAPS-RBL+ > > 101 ORDB > > 9351 SpamAssassin > > 1001 osirusoft.com > > 693 spamcop.net > > > >The total number of spam messages in this time was 20,231. 8922 of these > >were detected by more than 1 spam trap. > > > >So there were only 81 messages which were *only* detected by MAPS-RBL+, > >whereas over 9000 were detected *only* by SpamAssassin. > > > >So having MAPS-RBL+ only saved us from 81 pieces of spam in the last 2 > weeks. > > > >Julian, > > Thanks for the info. How did you generate your report, using MTGR or > whatever that tool is called? 2 weeks worth of maillog files, "egrep", "egrep -v", "wc -l" and about 10 minutes :-) > I suspect that my RBL check is not working. All I see in the log is > that RBL checks have timed out. I only have > > Spam List = ORDB-RBL, relays.ordb.org I think you will find my example entries have a "." on the end. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mojahed at AGNI.COM Tue Jul 16 07:12:30 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: Follow-up to SpamAssassin Hangup Message-ID: <20020716061230.GA17234@venus.agni.com> Dear List, This is a miracle! Once MailScanner re-executed itself after the default 4 hours, the spamassassin hangup problem just vanished. The log shows gobbles of "SpamAssassin timed out..." before the first restart, after that it's clean like a baby. This is the second time I witnessed this miracle. If I kill MailScanner and start it, hangups start showing up until the first re-exec. Any scientific explanations? -- Mojahed System Administrator, Agni Systems Limited From P.G.M.Peters at civ.utwente.nl Tue Jul 16 07:30:53 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> References: <20020715100505.GA5284@venus.agni.com> <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> Message-ID: On Mon, 15 Jul 2002 09:33:20 -0400, you wrote: >The "MX check" is likely the longest part of a SA test. By default SA will >try 3 times, waiting 5 seconds each try, to perform the MX check, which >means any email without an MX for from will timeout under MailScanner >(MailScanner only gives SA 10 seconds to run). In any event MailScanner >should kill SpamAssassin after 10 seconds by default and log a message that >it timed out. MX testing is one of the things I still do in Sendmail itself (4xx error). These are the only mails that have truly no right to enter our system. Nobody can respond to such an e-mail so why accept it. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Tue Jul 16 07:43:32 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? In-Reply-To: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> Message-ID: On Mon, 15 Jul 2002 15:44:14 -0400, you wrote: > Thanks for the info. How did you generate your report, using MTGR or > whatever that tool is called? I have written one perl-script to generate output like: |Total recipients: 11018 |Total virusses detected: 74 |Total spams tagged: 1569 | |Total SpamAssassin : 1192 |Total SpamAssassin score: 17164.5 | |Total Infinite-Monkeys: 302 |Total Osurisoft 0 |Total ORDB-RBL: 168 |Total SPEWS: 204 |Total WIREHUB-DNSBL: 162 |Total RFC-IGNORANT-IPWHOIS: 0 |Total RFC-IGNORANT-DSN: 65 |Total RFC-IGNORANT-POSTMASTER: 339 |Total RFC-IGNORANT-ABUSE: 563 |Total RFC-IGNORANT-WHOIS: 122 And one that generates about the same information but in csv-format. Every morning the csv-file is included in an excel spreadsheet, converted to a graph and printed to show the latest stats. You can get them from: http://home.student.utwente.nl/p.g.m.peters/analog4mailscanner.pl http://home.student.utwente.nl/p.g.m.peters/mailscanner2csv.pl -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: mailscanner2csv.pl Type: application/octet-stream Size: 2287 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020716/3988250f/mailscanner2csv.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: analog4mailscanner.pl Type: application/octet-stream Size: 2773 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020716/3988250f/analog4mailscanner.obj From mkettler at EVI-INC.COM Tue Jul 16 07:46:58 2002 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: References: <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> <20020715100505.GA5284@venus.agni.com> <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> Message-ID: <5.1.0.14.0.20020716024322.025d6c70@192.168.50.2> At 08:30 AM 7/16/2002 +0200, Peter Peters wrote: >MX testing is one of the things I still do in Sendmail itself (4xx >error). These are the only mails that have truely no right to enter our >system. Nobody can respond to such an e-mail so why accept it. I agree wholeheartedly, and I do the same here, I was just speaking from the "default install" case. I've seen some legitimate emails coming from domains with really lousy DNS service get denied, but they generally make it through after a couple retries so it's not a huge concern.
From mojahed at AGNI.COM Tue Jul 16 08:36:39 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: References: <20020715100505.GA5284@venus.agni.com> <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> Message-ID: <20020716073639.GB17234@venus.agni.com> On Tue, Jul 16, 2002 at 08:30:53AM +0200, Peter Peters wrote: > > MX testing is one of the things I still do in Sendmail itself (4xx > error). These are the only mails that have truely no right to enter our > system. Nobody can respond to such an e-mail so why accept it. Ouch! You will reject some legitimate mails. If no MX is defined for a host, mail will go directly to that host if it has an A record. I have lots of legit mails coming/going to such hosts. These are mostly in east Asia. -- Mojahed System Administrator, Agni Systems Limited From tcarrez at SCORT.COM Tue Jul 16 08:38:11 2002 From: tcarrez at SCORT.COM (Thierry Carrez) Date: Thu Jan 12 21:15:15 2006 Subject: Follow-up to SpamAssassin Hangup References: <20020716061230.GA17234@venus.agni.com> Message-ID: <3D33CD63.1090103@scort.com> Mojahedul Hoque Abul Hasanat wrote: > > This is a miracle! Once MailScanner re-executed itself after the > default 4 hours, the spamassassin hangup problem just vanished. The log > shows gobbles of "SpamAssassin timed out..." before the first restart, > after that it's clean like a baby. > > This is the second time I witnessed this miracle. 
If I kill MailScanner > and start it, hangups start showing up until the first re-exec. > > Any scientific explanations? No idea. On my own setup : 8 SA "timeouts" observed, 7 in the first 4 hours after a restart and 1 outside this scope. Mojahedul : Did all your SA kills occur during the four hours after a restart or do you have any strange occurence ? Since I am in a testing phase I killed/restarted mailscanner a lot, but I confirm that once I let it run the SA "timeouts" don't seem to occur... Weird. -- Thierry Carrez From dave at ESI.COM.AU Tue Jul 16 08:44:40 2002 From: dave at ESI.COM.AU (Dave Horsfall) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020716073639.GB17234@venus.agni.com> Message-ID: On Tue, 16 Jul 2002, Mojahedul Hoque Abul Hasanat wrote: > Ouch! You will reject some legitimate mails. If no MX is defined for a > host, mail will go directly to that host if it has an A record. If they don't have an MX record, the DNS administrator is incompetent, and they're likely to have other problems (open relay, open proxy, etc). > I have lots of legit mails coming/going to such hosts. These are mostly > in east Asia. Quite. I get buckets of spam from them, too. -- Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia From mailscanner at ecs.soton.ac.uk Tue Jul 16 08:41:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: Follow-up to SpamAssassin Hangup In-Reply-To: <3D33CD63.1090103@scort.com> References: <20020716061230.GA17234@venus.agni.com> Message-ID: <5.1.0.14.2.20020716084019.0527af38@imap.ecs.soton.ac.uk> At 08:38 16/07/2002, you wrote: >Mojahedul Hoque Abul Hasanat wrote: >> >>This is a miracle! Once MailScanner re-executed itself after the >>default 4 hours, the spamassassin hangup problem just vanished. The log >>shows gobbles of "SpamAssassin timed out..." 
before the first restart, >>after that it's clean like a baby. >> >>This is the second time I witnessed this miracle. If I kill MailScanner >>and start it, hangups start showing up until the first re-exec. >> >>Any scientific explanations? > >No idea. > >On my own setup : 8 SA "timeouts" observed, 7 in the first 4 hours after >a restart and 1 outside this scope. > >Mojahedul : >Did all your SA kills occur during the four hours after a restart or do >you have any strange occurence ? > >Since I am in a testing phase I killed/restarted mailscanner a lot, but >I confirm that once I let it run the SA "timeouts" don't seem to occur... > >Weird. No brilliant ideas on this one, I'm afraid, but the new version will stop using SpamAssassin (or any particular Spam List entry) once it has failed consecutively a certain number of times. So if one of the RBL's goes down, or SA starts hanging for no apparent reason, your mail throughput won't turn to sludge. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mojahed at AGNI.COM Tue Jul 16 09:16:58 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: Follow-up to SpamAssassin Hangup In-Reply-To: <3D33CD63.1090103@scort.com> References: <20020716061230.GA17234@venus.agni.com> <3D33CD63.1090103@scort.com> Message-ID: <20020716081658.GC21393@venus.agni.com> On Tue, Jul 16, 2002 at 09:38:11AM +0200, Thierry Carrez wrote: > On my own setup : 8 SA "timeouts" observed, 7 in the first 4 hours after > a restart and 1 outside this scope. For me, after the last manual restart of mailscanner, 776 kills in the first 4 hours, 0 (zero) kills after the first auto re-exec. Already passed over 15K mails after that point. > Did all your SA kills occur during the four hours after a restart or > do you have any strange occurence ? Exactly during the first 4 hours. 
Something magical happens at the re-exec point. Your data matches with mine. That 1 kill outside scope was probably due to DNS timeouts or SA really taking more than its allotted time. See what happens if you increase the SA timout. Mine is set at 25 now. -- Mojahed System Administrator, Agni Systems Limited From mojahed at AGNI.COM Mon Jul 15 11:05:05 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup Message-ID: <20020715100505.GA5284@venus.agni.com> Hello All, I switched to MailScanner from a milter based scanner and it really rocks! LoadAvg has gone down substantially and we are from nasty milter problems. Unfortunately, I am having a hard time with SpamAssasin. For most of the mails it's working fine, but it gets hung up for some of the mails. I have stopped all DNS based lookups except the MX check from SA. DNS blacklists are off in MailScanner too. MailScanner has to kill SA after the timeout. The list archive suggests this may be due to DNS lookups, but I think in our case this is not true. Besides, mailscanner takes 100% cpu when SA gets stuck with those mails. I have changed spamassassin timeout to 0 to see how long it takes. It consumes 100% cpu until I kill it. I am on Slackware, mail traffic around 30K per day. Any ideas on what could be wrong? Is there any easy way to debug this? 
-- Mojahed System Administrator, Agni Systems Limited From mailscanner at ecs.soton.ac.uk Tue Jul 16 09:22:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: Follow-up to SpamAssassin Hangup In-Reply-To: <20020716081658.GC21393@venus.agni.com> References: <3D33CD63.1090103@scort.com> <20020716061230.GA17234@venus.agni.com> <3D33CD63.1090103@scort.com> Message-ID: <5.1.0.14.2.20020716092150.055627c8@imap.ecs.soton.ac.uk> At 09:16 16/07/2002, you wrote: >On Tue, Jul 16, 2002 at 09:38:11AM +0200, Thierry Carrez wrote: > > On my own setup : 8 SA "timeouts" observed, 7 in the first 4 hours after > > a restart and 1 outside this scope. > >For me, after the last manual restart of mailscanner, 776 kills in the >first 4 hours, 0 (zero) kills after the first auto re-exec. Already >passed over 15K mails after that point. I really can't explain this one. Obviously it runs the same code before the restart as after it, so why the difference? > > Did all your SA kills occur during the four hours after a restart or > > do you have any strange occurence ? > >Exactly during the first 4 hours. Something magical happens at the >re-exec point. > >Your data matches with mine. That 1 kill outside scope was probably due >to DNS timeouts or SA really taking more than its allotted time. See >what happens if you increase the SA timout. Mine is set at 25 now. > >-- >Mojahed >System Administrator, Agni Systems Limited -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Tue Jul 16 10:04:53 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020716073639.GB17234@venus.agni.com> References: <20020716073639.GB17234@venus.agni.com> Message-ID: <91565875.1026813892@mallard.open.ac.uk> On 16 July 2002 13:36 +0600 Mojahedul Hoque Abul Hasanat wrote: > Ouch! You will reject some legitimate mails. If no MX is defined > for a host, mail will go directly to that host if it has an A record. That's OK - sendmail checks for an A record, too. > I have lots of legit mails coming/going to such hosts. These are > mostly in east Asia. I only ever get spam from that part of the world. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From Denis.Pugnere at IGH.CNRS.FR Tue Jul 16 10:17:04 2002 From: Denis.Pugnere at IGH.CNRS.FR (Denis Pugnere) Date: Thu Jan 12 21:15:15 2006 Subject: pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files Message-ID: Hello, Due to the fact that a variant of the "W32 Frethem" virus in the file decrypt-password.exe has not been stopped by mailscanner 3.10 (with my configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and have a pb with near all infected messages : configuration : - McAfee Virus Scan (Scan engine v4.1.60 for Linux) - perl 5.005_03 (Redhat) - MIME::Base64 : 2.11 - File::Spec : 0.82 - File::Temp : 0.12 - Convert-TNEF-0.17 - IO-stringy-1.211 - MIME-tools-5.411 + patch - MailTools-1.46 Because of the fresh (J or K) variant of "W32 Frethem" I added the following line in the filename.rules.conf file : deny \.exe$ Executables are not allowed directly In the syslog file, here are the messages from 2 mailscanner outputs (note the "usr" messages) : Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in decrypt-password.exe Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr Jul 16 
07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes in 1 seconds Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830 Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus@igh.cnrs.fr about 2 infections Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee returned 13 Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment decrypt-password.exe Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment local ... Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in decrypt-password.exe Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279 Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 bytes in 3 seconds Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279 Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr from queue Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus@igh.cnrs.fr about 2 infections Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee returned 13 Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment local Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment decrypt-password.exe the postmaster received the following messages : 
************************************************ The following e-mail messages were found to have viruses in them: Sender: Recipient: Subject: MessageID: usr Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe Found the W32/Klez.h@MM virus !!! -- MailScanner Email Virus Scanner ************************************************ I can't figure out what is the matter. If you have an idea, I would be very gratefull. Regards. -- Denis Pugn?re | IGH/CNRS UPR 1142, 141 Rue de la Cardonille Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr From P.G.M.Peters at civ.utwente.nl Tue Jul 16 10:31:16 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: <20020716073639.GB17234@venus.agni.com> References: <20020715100505.GA5284@venus.agni.com> <5.1.0.14.0.20020715092603.022284c0@192.168.50.2> <20020716073639.GB17234@venus.agni.com> Message-ID: <1tp7jusvu8qfpfuoun4hm5qufgcrvq3ui6@4ax.com> On Tue, 16 Jul 2002 13:36:39 +0600, you wrote: >> MX testing is one of the things I still do in Sendmail itself (4xx >> error). These are the only mails that have truely no right to enter our >> system. Nobody can respond to such an e-mail so why accept it. > >Ouch! You will reject some legitimate mails. If no MX is defined for a >host, mail will go directly to that host if it has an A record. It is called MX-checking because 99% of the domain parts in e-mail addresses point to MX-records. But if an A-record is returned the mail is accepted too. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Tue Jul 16 11:18:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files In-Reply-To: Message-ID: <5.1.0.14.2.20020716111641.05543f68@imap.ecs.soton.ac.uk> It seems to think you have a message whose message id is "usr". This is presumably being pulled out of the pathname to the file. Is your incoming work directory really at the path given in mailscanner.conf, or does the path in mailscanner.conf follow any links to get to the directory? You need to put in the real directory path. At 10:17 16/07/2002, you wrote: >Hello, > >Due to the fact that a variant of the "W32 Frethem" virus in the file >decrypt-password.exe has not been stopped by mailscanner 3.10 (with my >configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and >have a pb with near all infected messages : > >configuration : > - McAfee Virus Scan (Scan engine v4.1.60 for Linux) > - perl 5.005_03 (Redhat) > - MIME::Base64 : 2.11 > - File::Spec : 0.82 > - File::Temp : 0.12 > - Convert-TNEF-0.17 > - IO-stringy-1.211 > - MIME-tools-5.411 + patch > - MailTools-1.46 > >Because of the fresh (J or K) variant of "W32 Frethem" I added the >following line in the filename.rules.conf file : >deny \.exe$ Executables are not allowed directly > > >In the syslog file, here are the messages from 2 mailscanner outputs >(note the "usr" messages) : > >Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in >decrypt-password.exe >Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages >HAA23830,usr >Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes >in 1 seconds >Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to 
>/usr/local/mailscanner/var/quarantine/20020716/HAA23830 >Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to >/usr/local/mailscanner/var/quarantine/20020716/usr >Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr >from queue >Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections >Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus@igh.cnrs.fr >about 2 infections >Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee >returned 13 >Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted >attachment decrypt-password.exe >Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted >attachment local >... >Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes >Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in >decrypt-password.exe >Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages >usr,KAA31279 >Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 >bytes in 3 seconds >Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to >/usr/local/mailscanner/var/quarantine/20020716/usr >Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to >/usr/local/mailscanner/var/quarantine/20020716/KAA31279 >Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr >from queue >Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections >Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus@igh.cnrs.fr >about 2 infections >Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee >returned 13 >Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted >attachment local >Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted >attachment decrypt-password.exe > >the postmaster received the following messages : >************************************************ >The following e-mail messages were found to have 
viruses in them:
>
>   Sender:
>Recipient:
>  Subject:
>MessageID: usr
>   Report:
> /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe
>         Found the W32/Klez.h@MM virus !!!
>
>--
>MailScanner
>Email Virus Scanner
>************************************************
>
>I can't figure out what is the matter.
>If you have an idea, I would be very grateful.
>Regards.
>
>--
>Denis Pugnère            | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
>Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France
>Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk  Tue Jul 16 11:24:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:15 2006
Subject: pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files
In-Reply-To: <5.1.0.14.2.20020716111641.05543f68@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.1.0.14.2.20020716112221.055e6758@imap.ecs.soton.ac.uk>

At 11:18 16/07/2002, you wrote:
>It seems to think you have a message whose message id is "usr". This is
>presumably being pulled out of the pathname to the file.
>
>Is your incoming work directory really at the path given in
>mailscanner.conf, or does the path in mailscanner.conf follow any links to
>get to the directory? You need to put in the real directory path.

If you aren't sure, change sweep.pl so that it says (at line 566)

    print STDERR "Whole line is \"$lastline\"\n";
    $lastline =~ s/$BaseDir//;
    print STDERR "Whole line is now \"$lastline\"\n";

instead of the original line 566 (which should be the same as the middle
line of the 3 above).

Then stop and restart MailScanner and you should see the incoming work dir
being removed from the lines output by McAfee.

>At 10:17 16/07/2002, you wrote: >>Hello, >> >>Due to the fact that a variant of the "W32 Frethem" virus in the file >>decrypt-password.exe has not been stopped by mailscanner 3.10 (with my >>configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and >>have a pb with near all infected messages : >> >>configuration : >> - McAfee Virus Scan (Scan engine v4.1.60 for Linux) >> - perl 5.005_03 (Redhat) >> - MIME::Base64 : 2.11 >> - File::Spec : 0.82 >> - File::Temp : 0.12 >> - Convert-TNEF-0.17 >> - IO-stringy-1.211 >> - MIME-tools-5.411 + patch >> - MailTools-1.46 >> >>Because of the fresh (J or K) variant of "W32 Frethem" I added the >>following line in the filename.rules.conf file : >>deny \.exe$ Executables are not allowed directly >> >> >>In the syslog file, here are the messages from 2 mailscanner outputs >>(note the "usr" messages) : >> >>Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in >>decrypt-password.exe >>Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages >>HAA23830,usr >>Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 >>bytes in 1 seconds >>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to >>/usr/local/mailscanner/var/quarantine/20020716/HAA23830 >>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to >>/usr/local/mailscanner/var/quarantine/20020716/usr >>Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message >>usr from queue >>Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 >>infections >>Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus@igh.cnrs.fr >>about 2 infections >>Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee >>returned 13 >>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted >>attachment decrypt-password.exe >>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted >>attachment local >>... 
>>Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes >>Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in >>decrypt-password.exe >>Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages >>usr,KAA31279 >>Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 >>bytes in 3 seconds >>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to >>/usr/local/mailscanner/var/quarantine/20020716/usr >>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to >>/usr/local/mailscanner/var/quarantine/20020716/KAA31279 >>Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message >>usr from queue >>Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 >>infections >>Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus@igh.cnrs.fr >>about 2 infections >>Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee >>returned 13 >>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted >>attachment local >>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted >>attachment decrypt-password.exe >> >>the postmaster received the following messages : >>************************************************ >>The following e-mail messages were found to have viruses in them: >> >> Sender: >>Recipient: >> Subject: >>MessageID: usr >> Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe >> Found the W32/Klez.h@MM virus !!! >> >>-- >>MailScanner >>Email Virus Scanner >>************************************************ >> >>I can't figure out what is the matter. >>If you have an idea, I would be very gratefull. >>Regards. >> >>-- >>Denis Pugn?re | IGH/CNRS UPR 1142, 141 Rue de la Cardonille >>Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France >>Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at DORFAM.CA Tue Jul 16 12:00:37 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:15 2006 Subject: SpamAssassin Hangup In-Reply-To: Message-ID: On Tue, 16 Jul 2002, Dave Horsfall wrote: > On Tue, 16 Jul 2002, Mojahedul Hoque Abul Hasanat wrote: > > > Ouch! You will reject some legitimate mails. If no MX is defined for a > > host, mail will go directly to that host if it has an A record. > > If they don't have an MX record, the DNS administrator is incompetent, > and they're likely to have other problems (open relay, open proxy, etc). > > > I have lots of legit mails coming/going to such hosts. These are mostly > > in east Asia. > > Quite. I get buckets of spam from them, too. > > -- > Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468 > (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia I have a home network so I can get away with it but I have dropped all emails originating in Asia. I got so tired of all the porn/scams I just toss them all. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gerry at DORFAM.CA Tue Jul 16 12:07:26 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:15 2006 Subject: zombie Message-ID: I noticed that I have a mailscanner line showing up when I do a ps. Somewhere along the line mailscanner has zombied out. It's running ok from the automatic restart though. I wouldn't bother mentioning it other than I remember seeing another message about the same thing. Also, when I first noticed it last night I was sure it had a different pid than the one it now has. The zombie's current pid is quite recent??? 
-- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mailscanner at ecs.soton.ac.uk Tue Jul 16 12:24:03 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:15 2006 Subject: zombie In-Reply-To: Message-ID: <5.1.0.14.2.20020716122332.05605908@imap.ecs.soton.ac.uk> At 12:07 16/07/2002, you wrote: >I noticed that I have a mailscanner line showing up when I do a >ps. Somewhere along the line mailscanner has zombied out. It's running >ok from the automatic restart though. > >I wouldn't bother mentioning it other than I remember seeing another >message about the same thing. Also, when I first noticed it last night I >was sure it had a different pid than the one it now has. The zombie's >current pid is quite recent??? If something has timed out, then you will get a zombie before it is killed completely. The pid of the zombie shouldn't hang around very long. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From trooster at INTERSTROOM.NL Tue Jul 16 12:38:56 2002 From: trooster at INTERSTROOM.NL (Joris Trooster / Interstroom) Date: Thu Jan 12 21:15:15 2006 Subject: MAPS RBL+ worth it? References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> Message-ID: <044d01c22cbd$5e590a90$5500a8c0@loki> Hello Peter, Thanks for the script. There's a small error in analog4mailscanner.pl: $TotalOsurisoft++ should be $TotalOsirusoft++ I am using exim and have my mailscanner logs seperated from the exim/mailserver logs. 
I changed the script to calculate the number of scanned e-mails from
the mailscanner log only:

while (<>) {  # reads the log named on the command line, or STDIN (handle assumed; it is missing from the archived copy)
  chomp;
  if (/mailscanner/) {
    $TotalMails += $1 if /Scanning (\d+)/;
    $TotalViruses += $1 if /found (\d+) viruses in/i;
    if (/is spam according to/) {
      $TotalSpam++;
      # One counter per list named in the log line
      $TotalMonkeys++ if /Infinite-Monkeys/;
      $TotalOsirusoft++ if /osirusoft\.com/;
      $TotalORDB_RBL++ if /ORDB-RBL/;
      $TotalSPEWS++ if /SPEWS/;
      $TotalWIREHUB_DNSBL++ if /WIREHUB-DNSBL/;
      $TotalRFC_IGNORANT_IPWHOIS++ if /RFC-IGNORANT-IPWHOIS/;
      $TotalRFC_IGNORANT_DSN++ if /RFC-IGNORANT-DSN/;
      $TotalRFC_IGNORANT_POSTMASTER++ if /RFC-IGNORANT-POSTMASTER/;
      $TotalRFC_IGNORANT_ABUSE++ if /RFC-IGNORANT-ABUSE/;
      $TotalRFC_IGNORANT_WHOIS++ if /RFC-IGNORANT-WHOIS/;
      if (/SpamAssassin/) {
        $TotalAssassinScore += $1+($2/10) if /score=(\d+)\.(\d+),/;
        $TotalAssassin++;
      }
    }
  }
}

Remember that one e-mail message will be scanned twice (if the
disinfected/scanned message is forwarded to the user).

---

I also changed the function CleanAndDirty in sweep.pl to log the
virusscan output in the mailscanner logfile. The output depends on the
virusscanner you are using. With a script one should be able to create
statistics about individual viruses. Just check for:
Found application .....
Found the ..... virus (mcafee output)
in email in .....

sub CleanAndDirty {
  my($Reports, $IdList, $Clean, $Dirty, $Silent) = @_;
  my(%clean, %dirty, %silent, $key, $id, $value, $part, $text, $name);

  map { $clean{$_} = 1 } @$IdList;
  #foreach $id (keys %$Reports) {
  while(($id,$value) = each %$Reports) {
    delete $clean{$id}; # It isn't clean
    $dirty{$id} = 1;    # It is dirty unless it needs to be silent
    while(($part, $text) = each %$value) {
      Log::InfoLog("Virus - ".$text);
      next unless @Config::SilentVirusNames; # for speed
      foreach $name (@Config::SilentVirusNames) {
        if ($text =~ /\Q$name\E/) {
          # We got a virus name match, so this virus should be silent
          $silent{$id} = 1;
          delete $dirty{$id};
        }
      }
    }
  }

  @$Clean = keys %clean;
  @$Dirty = keys %dirty;
  @$Silent = keys %silent;
}

Regards,

Joris Trooster
Interstroom

----- Original Message -----
From: "Peter Peters"
To:
Sent: Tuesday, July 16, 2002 8:43 AM
Subject: Re: MAPS RBL+ worth it?

> On Mon, 15 Jul 2002 15:44:14 -0400, you wrote:
>
> > Thanks for the info. How did you generate your report, using MTGR or
> > whatever that tool is called?
>
> I have written one perl-script to generate output like:
> |Total recipients: 11018
> |Total virusses detected: 74
> |Total spams tagged: 1569
> |
> |Total SpamAssassin : 1192
> |Total SpamAssassin score: 17164.5
> |
> |Total Infinite-Monkeys: 302
> |Total Osurisoft 0
> |Total ORDB-RBL: 168
> |Total SPEWS: 204
> |Total WIREHUB-DNSBL: 162
> |Total RFC-IGNORANT-IPWHOIS: 0
> |Total RFC-IGNORANT-DSN: 65
> |Total RFC-IGNORANT-POSTMASTER: 339
> |Total RFC-IGNORANT-ABUSE: 563
> |Total RFC-IGNORANT-WHOIS: 122
>
> And one that generates about the same information but in csv-format.
> Every morning the csv-file is included in an excel spreadsheet, converted
> to a graph and printed to show the latest stats.
>
> You can get them from:
> http://home.student.utwente.nl/p.g.m.peters/analog4mailscanner.pl
> http://home.student.utwente.nl/p.g.m.peters/mailscanner2csv.pl
>
> --
> Peter Peters
> senior netwerkbeheerder, Centrum voor Informatievoorziening,
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
>

From P.G.M.Peters at civ.utwente.nl  Tue Jul 16 13:08:45 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:15 2006
Subject: MAPS RBL+ worth it?
In-Reply-To: <044d01c22cbd$5e590a90$5500a8c0@loki>
References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> <044d01c22cbd$5e590a90$5500a8c0@loki>
Message-ID:

Hi Joris,

>Thanks for the script. There's a small error in analog4mailscanner.pl:
>$TotalOsurisoft++ should be $TotalOsirusoft++

I noticed the same error in the text of the result.

>Remember that one e-mail message will be scanned twice (if the
>disinfected/scanned message is forwarded to the user).

I count the number of recipients. That is the number of people profiting
from the scanner.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From leet at LEENX.CO.ZA  Tue Jul 16 13:23:15 2002
From: leet at LEENX.CO.ZA (C.Lee Taylor)
Date: Thu Jan 12 21:15:15 2006
Subject: OT:Sendmail Question ...
References: <200207102345.g6ANjBs12278@zeus.scania.co.za>
Message-ID: <3D341033.7000702@leenx.co.za>

Greetings ...

I know this is not the list to ask, but I don't wish to subscribe to another
list ( already receive 200 messages a day ) ...

I am virtual-hosting a domain for a friend, but one of the users is not
local and I can't seem to find a way to stop their domain from trying to deliver
it locally, is there a quick way for me to tell sendmail that a user@domain
should not be delivered locally?
Thanks
Mailed
Lee

From leet at LEENX.CO.ZA  Tue Jul 16 13:19:48 2002
From: leet at LEENX.CO.ZA (C.Lee Taylor)
Date: Thu Jan 12 21:15:15 2006
Subject: rpms ...
References: <200207102345.g6ANjBs12278@zeus.scania.co.za>
Message-ID: <3D340F64.7020208@leenx.co.za>

Greetings ...

A quick question ... or suggestion, depending on your view ...

Could it be possible to split the supported Anti-Virus packages into
different rpms, so that you can download MailScanner and separate Anti-Virus
updates. The reason I ask, is because every time I update mailscanner I have
to track down the Sophos files and change them for the McAfee files. I know
there are not many changes, but it would make updates a little easier, as
well as installation.

Thanks.
Mailed
Lee

From mailscanner at ecs.soton.ac.uk  Tue Jul 16 13:52:30 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:15 2006
Subject: MAPS RBL+ worth it?
In-Reply-To: <044d01c22cbd$5e590a90$5500a8c0@loki>
References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu>
Message-ID: <5.1.0.14.2.20020716134937.0552f5e0@imap.ecs.soton.ac.uk>

Remember that this won't give you figures showing the improvement made by
having 1 particular RBL, as it increments some/all of the counters for 1
message if it was spotted by more than 1 RBL.

At 12:38 16/07/2002, you wrote:
>Hello Peter,
>
>Thanks for the script. There's a small error in analog4mailscanner.pl:
>$TotalOsurisoft++ should be $TotalOsirusoft++
>
>I am using exim and have my mailscanner logs separated from the
>exim/mailserver logs.
>I changed the script to calculate the number of
>scanned e-mails from the mailscanner log only:
>
>while(<>) {
>  chomp;
>  if (/mailscanner/) {
>    $TotalMails += $1 if /Scanning (\d+)/;
>    $TotalViruses += $1 if /found (\d+) viruses in/i;
>    if (/is spam according to/) {
>      $TotalSpam++;
>      $TotalMonkeys++ if /Infinite-Monkeys/;
>      $TotalOsirusoft++ if /osirusoft\.com/;
>      $TotalORDB_RBL++ if /ORDB-RBL/;
>      $TotalSPEWS++ if /SPEWS/;
>      $TotalWIREHUB_DNSBL++ if /WIREHUB-DNSBL/;
>      $TotalRFC_IGNORANT_IPWHOIS++ if /RFC-IGNORANT-IPWHOIS/;
>      $TotalRFC_IGNORANT_DSN++ if /RFC-IGNORANT-DSN/;
>      $TotalRFC_IGNORANT_POSTMASTER++ if /RFC-IGNORANT-POSTMASTER/;
>      $TotalRFC_IGNORANT_ABUSE++ if /RFC-IGNORANT-ABUSE/;
>      $TotalRFC_IGNORANT_WHOIS++ if /RFC-IGNORANT-WHOIS/;
>      if (/SpamAssassin/) {
>        $TotalAssassinScore += $1+($2/10) if /score=(\d+)\.(\d+),/;
>        $TotalAssassin++;
>      }
>    }
>  }
>}

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 16 13:54:26 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:15 2006
Subject: OT:Sendmail Question ...
In-Reply-To: <3D341033.7000702@leenx.co.za>
References: <200207102345.g6ANjBs12278@zeus.scania.co.za>
Message-ID: <5.1.0.14.2.20020716135400.05607448@imap.ecs.soton.ac.uk>

At 13:23 16/07/2002, you wrote:
>Greetings ...
>
>I know this is not the list to ask, but I don't wish to subscribe to another
>list ( already receive 200 messages a day ) ...
>
>I am virtual-hosting a domain for a friend, but one of the users is not
>local and I can't seem to find a way to stop their domain from trying to deliver
>it locally, is there a quick way for me to tell sendmail that a user@domain
>should not be delivered locally?

Read www.sendmail.org on the subject of:
FEATURE(`virtusertable', dbm -o /etc/mail/virtual.users)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Tue Jul 16 14:30:23 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:15 2006
Subject: MAPS RBL+ worth it?
In-Reply-To: <5.1.0.14.2.20020716134937.0552f5e0@imap.ecs.soton.ac.uk>
References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu>
 <044d01c22cbd$5e590a90$5500a8c0@loki>
 <5.1.0.14.2.20020716134937.0552f5e0@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 16 Jul 2002 13:52:30 +0100, you wrote:

>Remember that this won't give you figures showing the improvement made by
>having 1 particular RBL, as it increments some/all of the counters for 1
>message if it was spotted by more than 1 RBL.

The intention was to show people how much of the total amount of "spam"
was detected by the different methods. I had no intention to show how much
you could gain by adding another method.
I offer as many methods as possible to allow the recipient the ability to
filter on the methods he wants.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From smohan at VSNL.COM Tue Jul 16 14:35:44 2002
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:15:15 2006
Subject: OT:Sendmail Question ...
In-Reply-To: <5.1.0.14.2.20020716135400.05607448@imap.ecs.soton.ac.uk>
Message-ID: <006101c22ccd$b114bf80$6300a8c0@smohan>

Virtusertable can deliver to a different domain/email id. If you want
mail meant for non-existent users on local domains to be routed out to a
smart host, use the LUSER_RELAY feature in sendmail.mc and do a m4
compilation. LUSER_RELAY takes an argument of a hostname to which the
unknown local user mail is routed to.

define(`LUSER_RELAY',`SMTP:HOST.FQDN')dnl is the line to use. Hope this
helps.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: 16 July, 2002 6:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: OT:Sendmail Question ...

At 13:23 16/07/2002, you wrote:
>Greetings ...
>
>I know this is not the list to ask, but I don't wish to
>subscribe to another list ( already receive 200 messages a day ) ...
>
>I am virtual-hosting a domain for a friend, but one of the users
>is not local and I can't seem to find a way to stop their domain from trying
>to deliver it locally, is there a quick way for me to tell sendmail
>that a user@domain should not be delivered locally?

Read www.sendmail.org on the subject of:
FEATURE(`virtusertable', dbm -o /etc/mail/virtual.users)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 16 15:01:18 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:15 2006
Subject: F-Prot Enterprise Daemon
Message-ID: <5.1.0.14.2.20020716145438.05270570@imap.ecs.soton.ac.uk>

Tests done on a totally quiet 2x1GHz Pentium 3 box with 1Gb RAM, with
10,000 copies of the SirCam-A virus.

Using the daemon to check 10,000 copies took 39 seconds.
Using the command-line scanner to scan 10,000 copies as one batch took
3 - 4 seconds.
Using the command-line scanner to scan 10,000 copies (in batches of 200 at
a time) took 8 seconds.

So I see little point implementing support for the daemon scanner.

Daemon Test Code
===============
#!/usr/bin/perl

use LWP::Simple;

$start = time;
foreach $f (1..10000) {
  $fullurl = 'http://localhost:10200/tmp/100/' . urlencode($f) .
             '?-old%20-archive%20-dumb';
  $results = get($fullurl);
  die "No results" unless $results;
}
$end = time - $start;
print "That took " . $end . " seconds for 10000 files.";

sub urlencode {
  my $text = shift;
  $text =~ s/([^A-Za-z0-9\/_-])/ $_=sprintf("%%%2.2X", ord($1))/ge;
  return $text;
}

Command-Line Test Code for 1 Batch of 10,000
===================================
time /usr/local/f-prot/f-protwrapper -old -archive -dumb /tmp/10000 >/dev/null

Command-Line Test Code for 50 Batches of 200
====================================
#!/usr/bin/perl

$start = time;
foreach $f (1..50) {
  system("/usr/local/f-prot/f-protwrapper -old -archive -dumb /tmp/200");
}
$end = time - $start;
print STDERR "That took $end seconds\n";

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From bill at DISTMIRR.COM Tue Jul 16 18:33:51 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:15 2006
Subject: Beta testers urgently wanted
In-Reply-To: <5.1.0.14.2.20020714210056.0473ae90@imap.ecs.soton.ac.uk>
Message-ID: <001f01c22cee$f31c4530$40713ed0@billslaptop>

> Hi folks!

Hey Julian,

> So if you are particularly interested in any of the following, please give
> me a shout and I'll send you the latest code.

I'd be happy to help test out the new release. Currently my mail filter is
handling over 14k messages a day, and right now the load is very high due
to me running spamd and the spamass-milter. Hopefully now that you have
the new timeout options set, I would be able to experience better
performance this time around. Either way, I would be happy to test out the
new code and let you know what I find.

Regards,
Bill Omer

From Matthew_doherty at DATAWATCH.COM Tue Jul 16 21:56:24 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:16 2006
Subject: Beta testers urgently wanted
Message-ID:

Any chance of an RPM made for it??

Matt Doherty
IT Dept
Datawatch Corp
>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Bill Omer [mailto:bill@DISTMIRR.COM]
Sent: Tuesday, July 16, 2002 4:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Beta testers urgently wanted

> Hi folks!

Hey Julian,

> So if you are particularly interested in any of the following, please give
> me a shout and I'll send you the latest code.

I'd be happy to help test out the new release.
Currently my mail filter is handling over 14k messages a day, and right now
the load is very high due to me running spamd and the spamass-milter.
Hopefully now that you have the new timeout options set, I would be able to
experience better performance this time around. Either way, I would be
happy to test out the new code and let you know what I find.

Regards,
Bill Omer

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020716/5e05bd7c/attachment.html

From Denis.Pugnere at IGH.CNRS.FR Wed Jul 17 07:50:49 2002
From: Denis.Pugnere at IGH.CNRS.FR (Denis Pugnere)
Date: Thu Jan 12 21:15:16 2006
Subject: pb MS 3.21-1 & "W32 Frethem.K mm" virus & .exe files
Message-ID:

>At 11:18 16/07/2002, you wrote:
>>It seems to think you have a message whose message id is "usr". This is
>>presumably being pulled out of the pathname to the file.
>>
>>Is your incoming work directory really at the path given in
>>mailscanner.conf, or does the path in mailscanner.conf follow any links to
>>get to the directory? You need to put in the real directory path.
>
>If you aren't sure, change sweep.pl so that it says (at line 566)
>        print STDERR "Whole line is \"$lastline\"\n";
>        $lastline =~ s/$BaseDir//;
>        print STDERR "Whole line is now \"$lastline\"\n";
>instead of the original line 566 (which should be the same as the middle
>line of the 3 above).

Goal ! True Julian,
In order to go back if the upgrade goes bad, I created a symbolic link :
mailscanner -> MailScanner-3.21-1
My conf files refer to the "mailscanner" directory.
That was my fault...
Best regards.

Denis

>
>Then stop and restart MailScanner and you should see the incoming work dir
>being removed from the lines output by McAfee.
>
>
>>At 10:17 16/07/2002, you wrote:
>>>Hello,
>>>
>>>Due to the fact that a variant of the "W32 Frethem" virus in the file
>>>decrypt-password.exe has not been stopped by mailscanner 3.10 (with my
>>>configuration ;-) I decided to upgrade from Mailscanner 3.10 to 3.21-1 and
>>>have a problem with nearly all infected messages :
>>>
>>>configuration :
>>> - McAfee Virus Scan (Scan engine v4.1.60 for Linux)
>>> - perl 5.005_03 (Redhat)
>>> - MIME::Base64 : 2.11
>>> - File::Spec : 0.82
>>> - File::Temp : 0.12
>>> - Convert-TNEF-0.17
>>> - IO-stringy-1.211
>>> - MIME-tools-5.411 + patch
>>> - MailTools-1.46
>>>
>>>Because of the fresh (J or K) variant of "W32 Frethem" I added the
>>>following line in the filename.rules.conf file :
>>>deny \.exe$ Executables are not allowed directly
>>>
>>>
>>>In the syslog file, here are the messages from 2 mailscanner outputs
>>>(note the "usr" messages) :
>>>
>>>Jul 16 07:15:42 pegase mailscanner[21911]: "W32 Frethem.K mm" virus in decrypt-password.exe
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Found 3 viruses in messages HAA23830,usr
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Scanned 1 messages, 67486 bytes in 1 seconds
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/HAA23830
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
>>>Jul 16 07:15:42 pegase mailscanner[21911]: Deleting unparsable message usr from queue
>>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified senders about 1 infections
>>>Jul 16 07:15:43 pegase mailscanner[21911]: Notified antivirus@igh.cnrs.fr about 2 infections
>>>Jul 16 07:15:45 pegase mailscanner[21911]: Commercial disinfector mcafee returned 13
>>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment decrypt-password.exe
>>>Jul 16 07:15:46 pegase mailscanner[21911]: Skipping renamed/deleted attachment local
>>>...
>>>Jul 16 10:31:40 pegase mailscanner[23943]: Scanning 3 messages, 147015 bytes
>>>Jul 16 10:31:43 pegase mailscanner[23943]: "W32 Frethem.K mm" virus in decrypt-password.exe
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Found 3 viruses in messages usr,KAA31279
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Scanned 3 messages, 147015 bytes in 3 seconds
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/usr
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Saved infections to /usr/local/mailscanner/var/quarantine/20020716/KAA31279
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Deleting unparsable message usr from queue
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified senders about 1 infections
>>>Jul 16 10:31:43 pegase mailscanner[23943]: Notified antivirus@igh.cnrs.fr about 2 infections
>>>Jul 16 10:31:46 pegase mailscanner[23943]: Commercial disinfector mcafee returned 13
>>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment local
>>>Jul 16 10:31:47 pegase mailscanner[23943]: Skipping renamed/deleted attachment decrypt-password.exe
>>>
>>>the postmaster received the following messages :
>>>************************************************
>>>The following e-mail messages were found to have viruses in them:
>>>
>>>   Sender:
>>>Recipient:
>>>  Subject:
>>>MessageID: usr
>>>   Report: /usr/local/MailScanner-3.21-1/var/incoming/JAA29174/setup.exe
>>>        Found the W32/Klez.h@MM virus !!!
>>>
>>>--
>>>MailScanner
>>>Email Virus Scanner
>>>************************************************
>>>
>>>I can't figure out what is the matter.
>>>If you have an idea, I would be very grateful.
>>>Regards.
>>>
>>>--
>>>Denis Pugnère            | IGH/CNRS UPR 1142, 141 Rue de la Cardonille
>>>Tel : +33 (0)4 9961.9909 | 34396 Montpellier Cedex 5, France
>>>Fax : +33 (0)4 9961.9901 | http://www.igh.cnrs.fr
>>
>>--
>>Julian Field                Teaching Systems Manager
>>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton

From P.G.M.Peters at civ.utwente.nl Wed Jul 17 08:04:24 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:16 2006
Subject: MAPS RBL+ worth it?
In-Reply-To:
References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu>
Message-ID:

On Tue, 16 Jul 2002 08:43:32 +0200, you wrote:

>I have written one perl-scripts to generate output like:

I had some strange results for yesterday.

>|Total SpamAssassin score: -1

After examining lots of logs I concluded the SpamAssassin score has only
one decimal. But yesterday I got a score of 7.19999999999999.

I am wondering whether I should rewrite the code. Or could it be possible
for MailScanner to limit the output to 1 decimal digit?

>You can get them from:
>http://home.student.utwente.nl/p.g.m.peters/analog4mailscanner.pl
>http://home.student.utwente.nl/p.g.m.peters/mailscanner2csv.pl

These versions are now without the errors in Osurisoft/Osirusoft.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From leet at LEENX.CO.ZA Wed Jul 17 09:18:25 2002
From: leet at LEENX.CO.ZA (C.Lee Taylor)
Date: Thu Jan 12 21:15:16 2006
Subject: OT:Sendmail Question ...
References: <200207162358.g6GNw7E01597@zeus.scania.co.za>
Message-ID: <3D352851.4050600@leenx.co.za>

Thanks for the response everybody ...

> Read www.sendmail.org on the subject of:
> FEATURE(`virtusertable', dbm -o /etc/mail/virtual.users)

I spent three hours yesterday playing with different ways of doing before
e-mailing the list, I also tried the mailertable stuff, seeing that I host
a few domains ... ( hoping somebody might know what I am trying to do and
had done it ... ) ... Thanks again ...

> From: S Mohan
>
> Virtusertable can deliver to a different domain/email id. If you want

That is what I figured ...

> mail meant for non-existent users on local domains to be routed out to a
> smart host, use the LUSER_RELAY feature in sendmail.mc and do a m4
> compilation. LUSER_RELAY takes an argument of a hostname to which the
> unknown local user mail is routed to.

I will look into this ...

> define(`LUSER_RELAY',`SMTP:HOST.FQDN')dnl is the line to use. Hope this
> helps.

I hope so too, otherwise I am going to ask a friend if I can put an alias
on his server and use the virtusertable between the two servers ... sounds
like a lot of trouble for one small thing ...

> Mohan

Thanks again.

>>I am virtual-hosting a domain for a friend, but one of the users
>>is not
>>local and I can't seem to find a way to stop their domain from trying to deliver
>>it locally, is there a quick way for me to tell sendmail that a user@domain
>>should not be delivered locally?

Mailed
Lee

From gerry at DORFAM.CA Wed Jul 17 11:51:20 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:16 2006
Subject: MAPS RBL+ worth it?
In-Reply-To:
Message-ID:

On Wed, 17 Jul 2002, Peter Peters wrote:

> On Tue, 16 Jul 2002 08:43:32 +0200, you wrote:
>
> >I have written one perl-scripts to generate output like:
>
> I had some strange results for yesterday.
>
> >|Total SpamAssassin score: -1
>
> After examining lots of logs I concluded the SpamAssassin score has only
> one decimal. But yesterday I got a score of 7.19999999999999.
>
> These versions are now without the errors in Osurisoft/Osirusoft.
>
> --
> Peter Peters
> senior netwerkbeheerder, Centrum voor Informatievoorziening,
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

I saw a score the other day that was in exponential format.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From P.G.M.Peters at civ.utwente.nl Wed Jul 17 12:41:57 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:16 2006
Subject: MAPS RBL+ worth it?
In-Reply-To:
References:
Message-ID:

On Wed, 17 Jul 2002 06:51:20 -0400 (EDT), you wrote:

>> >|Total SpamAssassin score: -1
>>
>> After examining lots of logs I concluded the SpamAssassin score has only
>> one decimal. But yesterday I got a score of 7.19999999999999.
>
>I saw a score the other day that was in exponential format.

I didn't have time to dig deep (I am now writing a report script for
providers whose users abuse our formmail script). For now I have changed
the code to discard the decimal part. It gives an error of about 5% but as
a purely indicative report that is not that bad.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From pcraven at LGU.AC.UK Wed Jul 17 12:35:23 2002
From: pcraven at LGU.AC.UK (Philip Craven)
Date: Thu Jan 12 21:15:16 2006
Subject: Syslog patch problem on Solaris 8?
Message-ID: <3D35567B.AABE1C1@lgu.ac.uk>

We've just built a new server for a new domain and it looks like the
latest syslogd patch (110945-06) may stop mailscanner logging to syslog.
Can anyone else confirm this?

The symptoms are that sendmail logs as normal but mailscanner though
running and processing normally, logs absolutely nothing.

We are using the perl (5.005_03) which comes with Solaris 8 and have
used successfully on other servers. Backing out the syslogd patch appears
to cure the problem.

--
Philip Craven
Senior Systems Officer (UNIX)
ICT Services, Academic Services
London Guildhall University
100 Minories, Tower Hill, London EC3N 1JY

020 7320 3156

From dave at ESI.COM.AU Wed Jul 17 12:59:07 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:16 2006
Subject: MAPS RBL+ worth it?
In-Reply-To:
Message-ID:

On Wed, 17 Jul 2002, Peter Peters wrote:

> I didn't have time to dig deep (I am now writing a report script for
> providers whose users abuse our formmail script).

Please say you meant to write "try to abuse our formmail script"...

If they really are abusing it, then by now you will have been black-listed
at the monkeys.com FormMail RBL list, and that is a *permanent* list
i.e. your mail-server's IP address never comes off it...

A secure replacement for Matt Wright's awful script has been available
for some months.

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From jaearick at COLBY.EDU Wed Jul 17 13:16:00 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:15:16 2006
Subject: Syslog patch problem on Solaris 8?
In-Reply-To: <3D35567B.AABE1C1@lgu.ac.uk>
Message-ID:

Howdy,

I have patch 110945-06 installed on my mailserver, and mailscanner
is happily chattering away to syslog for me. I replaced Sun's perl
with 5.6.1. See mailscanner FAQ #1, make sure "-t" isn't a syslog
option. Maybe stop and restart syslog and see if that clears the
problem?

** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill,           FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

On Wed, 17 Jul 2002, Philip Craven wrote:

> Date: Wed, 17 Jul 2002 12:35:23 +0100
> From: Philip Craven
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Syslog patch problem on Solaris 8?
>
> We've just built a new server for a new domain and it looks like the
> latest syslogd patch (110945-06) may stop mailscanner logging to syslog.
> Can anyone else confirm this?
>
> The symptoms are that sendmail logs as normal but mailscanner though
> running and processing normally, logs absolutely nothing.
>
> We are using the perl (5.005_03) which comes with Solaris 8 and have
> used successfully on other servers. Backing out the syslogd patch appears
> to cure the problem.
>
> --
> Philip Craven
> Senior Systems Officer (UNIX)
> ICT Services, Academic Services
> London Guildhall University
> 100 Minories, Tower Hill, London EC3N 1JY
>
> 020 7320 3156
>

From mailscanner at ecs.soton.ac.uk Wed Jul 17 13:30:51 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: Syslog patch problem on Solaris 8?
In-Reply-To: <3D35567B.AABE1C1@lgu.ac.uk>
Message-ID: <5.1.0.14.2.20020717132630.02e7e238@imap.ecs.soton.ac.uk>

Are you using a recent version of MailScanner that sets the "setlogsock"
option? (search logger.pl for "setlogsock" to find out).

If you aren't then I suspect the Solaris patch has replaced the
/etc/init.d/syslog script, and has changed the command-line options to
syslogd. If you haven't got a recent enough version of MailScanner, then
you will need to remove the "-t" command-line option to syslogd:

     -t    Disable the syslogd UDP port to turn off logging of
           remote messages.

You may need to enable the UDP port.

At 12:35 17/07/2002, you wrote:
> We've just built a new server for a new domain and it looks like the
>latest syslogd patch (110945-06) may stop mailscanner logging to syslog.
>Can anyone else confirm this?
>
> The symptoms are that sendmail logs as normal but mailscanner though
>running and processing normally, logs absolutely nothing.
>
> We are using the perl (5.005_03) which comes with Solaris 8 and have
>used successfully on other servers. Backing out the syslogd patch appears
>to cure the problem.
>
>--
>Philip Craven
>Senior Systems Officer (UNIX)
>ICT Services, Academic Services
>London Guildhall University
>100 Minories, Tower Hill, London EC3N 1JY
>
>020 7320 3156

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Wed Jul 17 13:47:02 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:16 2006
Subject: Syslog patch problem on Solaris 8?
Message-ID:

Why don't you put linux in the sun box :) and run mailscanner.. get the
sparc iso!

Matt Doherty
IT Dept
Datawatch Corp
>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Philip Craven [mailto:pcraven@LGU.AC.UK]
Sent: Wednesday, July 17, 2002 9:01 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Syslog patch problem on Solaris 8?

We've just built a new server for a new domain and it looks like the
latest syslogd patch (110945-06) may stop mailscanner logging to syslog.
Can anyone else confirm this?

The symptoms are that sendmail logs as normal but mailscanner though
running and processing normally, logs absolutely nothing.

We are using the perl (5.005_03) which comes with Solaris 8 and have
used successfully on other servers. Backing out the syslogd patch appears
to cure the problem.

--
Philip Craven
Senior Systems Officer (UNIX)
ICT Services, Academic Services
London Guildhall University
100 Minories, Tower Hill, London EC3N 1JY

020 7320 3156

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020717/f91592a8/attachment.html From rabellino at DI.UNITO.IT Wed Jul 17 14:34:13 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:16 2006 Subject: Syslog & Perl on Solaris Message-ID: <3D357255.2AF357E0@di.unito.it> Dear list, i've found that in the normal distribution of perl 5.6.0 (and maybe the bundled perl on solaris) there is a little bug as follow > If you get this error from mailscanner: > > Usage: Sys::Syslog::_PATH_LOG() at /usr/../Sys/Syslog.pm > > Then the solution is: > > You should change line 277 of your Syslog.pm from : > my $syslog = &_PATH_LOG || croak "_PATH_LOG not found in syslog.ph"; > > to > my $syslog = &_PATH_LOG() || croak "_PATH_LOG not found in syslog.ph"; These instruction were ripped from the Sympa FAQ (www.sympa.org)... More bigger is the following bug: > "Your vendor has not defined the Sys::Syslog macro _PATH_LOG at > /opt/lib/perl5/5. > 6.0/sun4-solaris/Sys/Syslog.pm line 277, CONF line 275." > > This is a Solaris-specific problem that is worth reporting to Sun. > Perl 5.6.0's behaviour has changed compared to perl 5.005 : if setlogsock('unix') failed it would retry with 'inet' ; Perl 5.6.0 won't try it. Perl developpers told > us it will be corrected with Perl 5.6.1. > The bug related to &_PATH_LOG() will also be corrected in Perl 5.6.1 > > See proposed bug fix on Perl.org : http://bugs.perl.org/perlbug.cgi?req=bidmids&bidmids=20000522.003 > If you can't manage to fix this bug on your system, you can avoid > it using UDP to communicate with SyslogD. > So set inet in Logger.pl instead of unix Hope this can help someone.... -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603

From P.G.M.Peters at civ.utwente.nl Wed Jul 17 14:38:07 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:16 2006
Subject: MAPS RBL+ worth it?
In-Reply-To:
References:
Message-ID: <41sajucp7vcjprtndsap2v5ppn10rmn7f7@4ax.com>

On Wed, 17 Jul 2002 21:59:07 +1000, you wrote:

>> I didn't have time to dig deep (I am now writing a report script for
>> providers whose users abuse our formmail script).
>
>Please say you meant to write "try to abuse our formmail script"...

This is what I meant.

>If they really are abusing it, then by now you will have been black-listed
>at the monkeys.com FormMail RBL list, and that is a *permanent* list
>i.e. your mail-server's IP address never comes off it...
>
>A secure replacement for Matt Wright's awful script has been available
>for some months.

We are using formmail 1.9s which sends a warning to postmaster. But I want to process those automatically. I have the script that does the reporting but I don't want to overload the abuse desk of the provider when some spammer tries our formmail thousands of times.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Jul 17 16:53:59 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: Multiple "clean" signatures --- Fixed
Message-ID: <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk>

I have finally come up with a fix for the people who like to "Sign Clean Messages", but don't want lots of them on each message. This happens when mail passes through their MailScanner more than once (e.g. on its way to/from a mailing list server), or when mail passes through more than one MailScanner server.

It now uses the presence of the "X-MailScanner:" header to work out if it should sign it or not.
If the header is already there, it will assume it has already been signed and will not sign it again. I know this is easy to defeat by users adding fake "X-MailScanner:" headers to their mail, but since signing is not a vital function I didn't think it really mattered, and there is no way to do it otherwise (if you have messages passing through more than 1 MailScanner server). If you have changed the "X-MailScanner:" header to some other name, you will obviously need to be consistent across your site for this feature to work. (Otherwise it doesn't know what header to look for!) You can of course disable this new feature if you want it to work the way it did before (giving you a separate signature every time the message is scanned). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jul 17 16:56:04 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: Attention beta testers Message-ID: <5.1.0.14.2.20020717165417.048ff2c8@imap.ecs.soton.ac.uk> Folks, To use the latest version incorporating the "Sign Messages Already Processed" feature, replace the relevant bit of your URLs with "-4". Hit any problems yet? Or does it all work as intended? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Wed Jul 17 20:05:55 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:16 2006 Subject: sendmail 8.12 and mailscanner Message-ID: Gang, I need to ask some dumb questions here... I run sendmail 8.11.6 on my mail server (Solaris 8), where mailscanner lives. Before mailscanner, I just had one queue to worry about, /var/spool/mqueue. After mailscanner, two queues (/var/spool/mqueue.in and /var/spool/mqueue). Simple. 
I have been upgrading my client systems to 8.12.5, and dealing with the MSP complications there (submit.cf and /var/spool/clientmqueue). So if I upgrade my mail server to 8.12.5, I will now have three queues. Mailscanner only seems to watch /var/spool/mqueue and not clientmqueue. I haven't figured out which queue (mqueue or clientmqueue) sendmail uses for what mail, or why. The only thing I found was "The .cf file is based on the operation mode. For -bm (default), -bs, and -t it is submit.cf (if it exists), for all others it is sendmail.cf." Hunh??? Can anybody explain the flow of email thru these two queues?

With 8.12.5, will I have inbound email (via ports 25 or 587) landing in clientmqueue instead of mqueue, and thus escaping the clutches of mailscanner? How about for outbound email? Why doesn't mailscanner look at /var/spool/clientmqueue (or does it need to)? What is going on here?

** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Wed Jul 17 21:40:50 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: sendmail 8.12 and mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk>

At 20:05 17/07/2002, you wrote:
> I have been upgrading my client systems to 8.12.5, and dealing with the
>MSP complications there (submit.cf and /var/spool/clientmqueue). So if
>I upgrade my mail server to 8.12.5, I will now have three queues.
>Mailscanner only seems to watch /var/spool/mqueue and not clientmqueue.
>I haven't figured out which queue (mqueue or clientmqueue) sendmail uses
>for what mail, or why. The only thing I found was "The .cf file is based
>on the operation mode.
For -bm (default), -bs, and -t it is submit.cf
>(if it exists), for all others it is sendmail.cf." Hunh??? Can anybody
>explain the flow of email thru these two queues?
>
> With 8.12.5, will I have inbound email (via ports 25 or 587) landing
>in clientmqueue instead of mqueue, and thus escaping the clutches of
>mailscanner? How about for outbound email? Why doesn't mailscanner look at
>/var/spool/clientmqueue (or does it need to)? What is going on here?

I am using my init.d script that briefly does
    sendmail -bd + options to set queue directory to /var/spool/mqueue.in
    sendmail -q15m
    check_mailscanner
with the usual queue directory settings in mailscanner.conf (mqueue and mqueue.in)...

It all appears to work fine for me.

telnet localhost 25 puts the mail into /var/spool/mqueue.in just as the sendmail -bd command line said it should. MailScanner then picks it up, processes it and puts it into /var/spool/mqueue. In batch mode the sendmail -qI commands then trigger delivery from /var/spool/mqueue just as it should do. In queue mode the sendmail -q15m process (started by the init.d script) picks up the mail and delivers it.

So it doesn't use the clientmqueue directory at all. As far as I can see the clientmqueue directory is only used for messages submitted by invoking the sendmail binary directly. MailScanner has *never* supported the sendmail binary being invoked directly, and probably never will.

As far as I can see everything should work just as it did before. If you have upgraded and things have broken, then I suggest you do this to turn off your new sendmail init.d script and restart MailScanner:

    /etc/rc.d/init.d/sendmail stop
    chkconfig --level 2345 sendmail off
    /etc/rc.d/init.d/mailscanner restart

Fortunately my current init.d script happily works with the new version of sendmail.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From emily_post at HOTMAIL.COM Wed Jul 17 23:30:31 2002 From: emily_post at HOTMAIL.COM (Emily Yau) Date: Thu Jan 12 21:15:16 2006 Subject: How to increase scanning efficiency? Too many messages in mqueue.in Message-ID: Hi, With the recent run of viruses and spam, our Mailscanner is having a tough time keeping up with amount of incoming messages. mqueue.in gets rather large at times. Our current setup: Mailscanner version 3.11-1 runs on a E450, Solaris 8 (4 CPU's, but only 1 is utilized by Mailscanner) This server is the user's incoming and outgoing mailserver. Perhaps we can move mailscanning to a separate machine? Multiple instances of mailscanner on one mailserver is not possible at this point (I've read?) Was hoping people could share some info about their current set ups, and/or give any architectural suggestions. Thank you in advance, Emily _________________________________________________________________ Join the world’s largest e-mail service with MSN Hotmail. http://www.hotmail.com From mojahed at AGNI.COM Thu Jul 18 06:02:23 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:16 2006 Subject: sendmail 8.12 and mailscanner In-Reply-To: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> Message-ID: <20020718050223.GD17675@venus.agni.com> On Wed, Jul 17, 2002 at 09:40:50PM +0100, Julian Field wrote: [snip] > So it doesn't use the clientmqueue directory at all. As far as I can > see the clientmqueue directory is only used for messages submitted by > invoking the sendmail binary directly. MailScanner has *never* > supported the sendmail binary being invoked directly Umm, but doesn't it call sendmail to send the notifications? clientmqueue is used by the submission agent when it can not deliver a mail immediately, e.g. DNS timeouts and other temporary problems. 
You have to run a separate queue runner to flush the mails from clientmqueue periodically. A typical way to run it is: /usr/sbin/sendmail -L sm-msp-queue -Ac -q20m As far as I know, this queue runner will send the mails to the sendmail daemon running on the local machine through SMTP. So, you don't need to worry, your mails will end up in mailscanners incoming queue. Just remember to run this queue runner if you have locally generated mails. -- Mojahed System Administrator, Agni Systems Limited From smohan at VSNL.COM Thu Jul 18 07:02:25 2002 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:15:16 2006 Subject: sendmail 8.12 and mailscanner Message-ID: <003701c22e20$b1226e10$6300a8c0@smohan> Mailscanner configures sendmail in queued mode to store incoming mails in /var/mail/mqueue.in. This instance listens to port 25. Mailscanner then examines these files and moves them to /var/spool/mqueue so that the second instance of sendmail doing the dequeuing to deliver mail. Clientmqueue in new to me now. What do you mean by upgrading client systems to 8.12.5? I guess they are departmental servers. If so, would not the same as above hold good? If mail comes to mqueue.in, then from there goes to mqueue and is then delivered to clientqueue by some other program, why bother? Can you clarify what your setup actually is? Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson Sent: 18 July, 2002 12:36 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: sendmail 8.12 and mailscanner Gang, I need to ask some dumb questions here... I run sendmail 8.11.6 on my mail server (Solaris 8), where mailscanner lives. Before mailscanner, I just had one queue to worry about, /var/spool/mqueue. After mailscanner, two queues (/var/spool/mqueue.in and /var/spool/mqueue). Simple. I have been upgrading my client systems to 8.12.5, and dealing with the MSP complications there (submit.cf and /var/spool/clientmqueue). 
So if I upgrade my mail server to 8.12.5, I will now have three queues. Mailscanner only seems to watch /var/spool/mqueue and not clientmqueue. I haven't figured out which queue (mqueue or clientmqueue) sendmail uses for what mail, or why. The only thing I found was "The .cf file is based on the operation mode. For -bm (default), -bs, and -t it is submit.cf (if it exists), for all others it is sendmail.cf." Hunh??? Can anbody explain the flow of email thru these two queues? With 8.12.5, will I have inbound email (via ports 25 or 587) landing in clientmqueue instead of mqueue, and thus escaping the clutches of mailscanner? How about for outbound email? Why doesn't mailscanner look at /var/spool/clientmqueue (or does it need to)? What is going on here? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ------------------------------------------------------------------------ ---- From LISTSERV at JISCMAIL.AC.UK Wed Jul 17 23:01:18 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:16 2006 Subject: MAILSCANNER: timw@OBJECTIF.COM.AU left the list Message-ID: <200207172201.XAA00322@magpie.ecs.soton.ac.uk> Wed, 17 Jul 2002 23:01:18 Tim White has just left the MAILSCANNER list (MailScanner mailing list). 
From LISTSERV at JISCMAIL.AC.UK Wed Jul 17 23:22:06 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:16 2006 Subject: MAILSCANNER: adminlists@OBJECTIF.COM.AU requested to join Message-ID: <200207172222.XAA01697@magpie.ecs.soton.ac.uk> Wed, 17 Jul 2002 23:22:06 A request for to join the MAILSCANNER list (MailScanner mailing list) has been received from Tim White .
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER adminlists@OBJECTIF.COM.AU Tim White The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+adminlists%40OBJECTIF.COM.AU+Tim+White&L=MAILSCANNER From tal at MUSICGENOME.COM Thu Jul 18 09:37:43 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:16 2006 Subject: Multiple "clean" signatures --- Fixed In-Reply-To: <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> Message-ID: <1026981464.1416.9.camel@johnny5> On Wed, 2002-07-17 at 18:53, Julian Field wrote: > It now uses the presence of the "X-MailScanner:" header to work out if it > should sign it or not.
If the header is already there, it will assume it
> has already been signed and will not sign it again.
>
> I know this is easy to defeat by users adding fake "X-MailScanner:" headers
> to their mail, but since signing is not a vital function I didn't think it
> really mattered, and there is no way to do it otherwise (if you have
> messages passing through more than 1 MailScanner server). If you have
> changed the "X-MailScanner:" header to some other name, you will obviously
> need to be consistent across your site for this feature to work. (Otherwise
> it doesn't know what header to look for!)

just as a clarification, it now works like this?

1. header: Clean, message clean, doesn't sign.
2. header: clean, message infected, sign infected.
3. header: infected, message clean, sign clean.
4. header: infected, message infected, doesn't sign.
4. no header, clean, sign clean.
5. no header, infected, sign infected.

--
Tal Kelrich
PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
PGP key-id: 12B9AA69

From marc.perea at ELECTRONIC-GROUP.COM Thu Jul 18 10:10:34 2002
From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea)
Date: Thu Jan 12 21:15:16 2006
Subject: F-prot & Frethem Virus
Message-ID: <20020718111034.6a95c946.marc.perea@electronic-group.com>

Hi to everybody,

Can anyone using f-prot 3.12 do an "f-prot -virlist | grep -i Frethem", please?

Because I have the most updated signature files, but they don't seem to be aware of the Frethem virus :-/

Or maybe it is shown with another codename? I don't know ... just worried about that, because this worm is currently in the wild.

Does it happen to anyone else?
Thank you very much, Cheers, -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From mailscanner at ecs.soton.ac.uk Thu Jul 18 11:14:08 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: <20020718111034.6a95c946.marc.perea@electronic-group.com> Message-ID: <5.1.0.14.2.20020718111402.02d197a8@imap.ecs.soton.ac.uk> At 10:10 18/07/2002, you wrote: >Hi to everybody, > >Does anyone using f-prot 3.12 can do an "f-prot -virlist | grep -i >Frethem" please ? > >Because I have the most updated signature files, but they doesn't seem to >be aware of the Frethem virus :-/ > >Or maybe it is shown with other codename ? I don't know ... just worried >about that, because this worm is currently on the wild. > >Does it happens to anyone else ? Yes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jul 18 10:16:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: Multiple "clean" signatures --- Fixed In-Reply-To: <1026981464.1416.9.camel@johnny5> References: <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020718101413.04c39e48@imap.ecs.soton.ac.uk> At 09:37 18/07/2002, you wrote: >On Wed, 2002-07-17 at 18:53, Julian Field wrote: > > It now uses the presence of the "X-MailScanner:" header to work out if it > > should sign it or not. If the header is already there, it will assume it > > has already been signed and will not sign it again. 
> > > > I know this is easy to defeat by users adding fake "X-MailScanner:" headers > > to their mail, but since signing is not a vital function I didn't think it > > really mattered, and there is no way to do it otherwise (if you have > > messages passing through more than 1 MailScanner server). If you have > > changed the "X-MailScanner:" header to some other name, you will obviously > > need to be consistent across your site for this feature to work. (Otherwise > > it doesn't know what header to look for!) >just as a clarification, it now works like this? Header exists --> don't sign No header --> sign if scanned and clean -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jul 18 10:13:29 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: sendmail 8.12 and mailscanner In-Reply-To: <20020718050223.GD17675@venus.agni.com> References: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020718101210.049ebc80@imap.ecs.soton.ac.uk> At 06:02 18/07/2002, you wrote: >On Wed, Jul 17, 2002 at 09:40:50PM +0100, Julian Field wrote: >[snip] > > So it doesn't use the clientmqueue directory at all. As far as I can > > see the clientmqueue directory is only used for messages submitted by > > invoking the sendmail binary directly. MailScanner has *never* > > supported the sendmail binary being invoked directly > >Umm, but doesn't it call sendmail to send the notifications? Yes, I meant that it doesn't support mail input by invoking sendmail directly. >clientmqueue is used by the submission agent when it can not deliver a >mail immediately, e.g. DNS timeouts and other temporary problems. You >have to run a separate queue runner to flush the mails from clientmqueue >periodically. 
A typical way to run it is: > > /usr/sbin/sendmail -L sm-msp-queue -Ac -q20m > >As far as I know, this queue runner will send the mails to the sendmail >daemon running on the local machine through SMTP. So, you don't need to >worry, your mails will end up in mailscanners incoming queue. Just >remember to run this queue runner if you have locally generated mails. Thanks for the info. So clientmqueue will only get used once a delivery attempt has been made (and hence long after MailScanner has processed the message). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jul 18 11:11:55 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: sendmail 8.12 and mailscanner In-Reply-To: References: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020718102117.02c29c80@imap.ecs.soton.ac.uk> The sendmail that handles the incoming mail specifies the QueueDirectory on the command-line (while starting up the daemon process). This forces it to use mqueue.in. Also the submit.cf is not used when starting sendmail with the "-bd" switch. This is from the "SECURITY" file in the sendmail docs: >The .cf file is chosen based on the operation mode. For -bm (default), >-bs, and -t it is submit.cf (if it exists) for all others it is >sendmail.cf. So the incoming one uses mqueue just like it always did. So input to MailScanner should work. Once MailScanner has done its job, it moves the message to mqueue. "Batch" mode then tries to trigger the message delivery. If this fails, then the message stays in mqueue (it certainly does on my system running 8.12.3). So the clientmqueue doesn't appear to be involved with this functionality at all. From my experiments "queue" mode basically works the same way (but without the initial delivery attempt). 
At 02:50 18/07/2002, you wrote: > Are you **sure** nothing is sneaking thru clientmqueue? Is there >any traffic there, according to "mailstats -c"? I had to RTFM (and the >source code) for sendmail to figure out that sendmail statistics for >/var/spool/clientmqueue is stored in the file > >/var/spool/clientmqueue/sm-client.st > >which is *not* created by default when you install 8.12. If you don't >have this file, do the following on your mail servers running 8.12: > > cd /var/spool/clientmqueue > touch sm-client.st > chown smmsp:smmsp sm-client.st > chmod 664 sm-client.st > >and then let things run for a while. The usual "mailstats" command >shows the MTA traffic going thru /var/spool/mqueue, via sendmail.cf. >The "mailstats -c" command shows the MSP traffic going thru >clientmqueue via submit.cf. If these stats aren't zero, then it is >time to investigate. > > While I haven't gotten to 8.12 on my mail server yet, my clients >running 8.12 in null-client mode (no daemon running) show all locally >generated email going via submit.cf, and all nothing via MTA. I'm >hoping that any mail server running 8.12 will be zero traffic via MSP, >everything via MTA -- so mailscanner doesn't have to worry about MSP. > > I hate to be a rain cloud on your horizon, but... > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- > >On Wed, 17 Jul 2002, Julian Field wrote: > > > Date: Wed, 17 Jul 2002 21:40:50 +0100 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: sendmail 8.12 and mailscanner > > > > At 20:05 17/07/2002, you wrote: > > > I have been upgrading my client systems to 8.12.5, and dealing > with the > > >MSP complications there (submit.cf and /var/spool/clientmqueue). 
So if > > >I upgrade my mail server to 8.12.5, I will now have three queues. > > >Mailscanner only seems to watch /var/spool/mqueue and not clientmqueue. > > >I haven't figured out which queue (mqueue or clientmqueue) sendmail uses > > >for what mail, or why. The only thing I found was "The .cf file is based > > >on the operation mode. For -bm (default), -bs, and -t it is submit.cf > > >(if it exists), for all others it is sendmail.cf." Hunh??? Can anbody > > >explain the flow of email thru these two queues? > > > > > > With 8.12.5, will I have inbound email (via ports 25 or 587) landing > > >in clientmqueue instead of mqueue, and thus escaping the clutches of > > >mailscanner? How about for outbound email? Why doesn't mailscanner > look at > > >/var/spool/clientmqueue (or does it need to)? What is going on here? > > > > I am using my init.d script that briefly does > > sendmail -bd + options to set queue directory to > /var/spool/mqueue.in > > sendmail -q15m > > check_mailscanner > > with the usual queue directory settings in mailscanner.conf (mqueue and > > mqueue.in)... > > > > It all appears to work fine for me. > > > > telnet localhost 25 puts the mail into /var/spool/mqueue.in just as the > > sendmail -bd command line said it should. MailScanner then picks it up, > > processes it and puts it into /var/spool/mqueue. In batch mode the sendmail > > -qI commands then trigger delivery from /var/spool/mqueue just as it should > > do. In queue mode the sendmail -q15m process (started by the init.d script) > > picks up the mail and delivers it. > > > > So it doesn't use the clientmqueue directory at all. As far as I can see > > the clientmqueue directory is only used for messages submitted by invoking > > the sendmail binary directly. MailScanner has *never* supported the > > sendmail binary being invoked directly, and probably never will. > > > > As far as I can see everything should work just as it did before. 
If you > > have upgraded and things have broken, then I suggest you do this to turn > > off your new sendmail init.d script and restart MailScanner: > > > > /etc/rc.d/init.d/sendmail stop > > chkconfig --level 2345 sendmail off > > /etc/rc.d/init.d/mailscanner restart > > > > Fortunately my current init.d script happily works with the new version of > > sendmail. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Thu Jul 18 11:56:47 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: <20020718111034.6a95c946.marc.perea@electronic-group.com> References: <20020718111034.6a95c946.marc.perea@electronic-group.com> Message-ID: On Thu, 18 Jul 2002 11:10:34 +0200, you wrote: >Does anyone using f-prot 3.12 can do an "f-prot -virlist | grep -i >Frethem" please ? I don't get any result. >Or maybe it is shown with other codename ? I don't know ... just worried >about that, because this worm is currently on the wild. I know they use another name for Yaha also. We have had a storm of virusses a few days ago (the first day) but after that nothing. 
--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at civ.utwente.nl Thu Jul 18 12:35:01 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:16 2006
Subject: Multiple "clean" signatures --- Fixed
In-Reply-To: <5.1.0.14.2.20020718101413.04c39e48@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> <1026981464.1416.9.camel@johnny5> <5.1.0.14.2.20020718101413.04c39e48@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 18 Jul 2002 10:16:34 +0100, you wrote:

>> > It now uses the presence of the "X-MailScanner:" header to work out if it
>> > should sign it or not. If the header is already there, it will assume it
>> > has already been signed and will not sign it again.
>> >
>> > I know this is easy to defeat by users adding fake "X-MailScanner:" headers
>> > to their mail, but since signing is not a vital function I didn't think it
>> > really mattered, and there is no way to do it otherwise (if you have
>> > messages passing through more than 1 MailScanner server). If you have
>> > changed the "X-MailScanner:" header to some other name, you will obviously
>> > need to be consistent across your site for this feature to work. (Otherwise
>> > it doesn't know what header to look for!)
>>just as a clarification, it now works like this?
>
>Header exists --> don't sign

But what if the header says not infected but the current virus scanner detects a virus (because it is another one or it is updated in the meantime)?

>No header --> sign if scanned and clean

And of course "sign if scanned and not clean".
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From marc.perea at ELECTRONIC-GROUP.COM Thu Jul 18 12:57:28 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: References: <20020718111034.6a95c946.marc.perea@electronic-group.com> Message-ID: <20020718135728.29d79b61.marc.perea@electronic-group.com> On Thu, 18 Jul 2002 12:56:47 +0200 Peter Peters wrote: > On Thu, 18 Jul 2002 11:10:34 +0200, you wrote: > > >Does anyone using f-prot 3.12 can do an "f-prot -virlist | grep -i > >Frethem" please ? > > I don't get any result. > > >Or maybe it is shown with other codename ? I don't know ... just > >worried about that, because this worm is currently on the wild. > > I know they use another name for Yaha also. > > We have had a storm of virusses a few days ago (the first day) but after > that nothing. > I cannot find Yaha in the virlist either ... So if both Frethem and Yaha are not shown in the virlist, should we assume that F-Prot is not detecting them, and therefore, mailscanner is letting the virus pass through ? Does anyone have a copy of the virus just to test ? Cheers, Worried Marc .... -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From rabellino at DI.UNITO.IT Thu Jul 18 12:26:17 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:16 2006 Subject: SpamAssassin 2.31 Message-ID: <3D36A5D9.55394233@di.unito.it> Dear list, anyone is using spamassassin 2.31 with the latest mailscanner and perl 5.6.1 ?? 
I've installed it, but i'm receiving a lot of errors like these: > Bareword found where operator expected at (eval 39) line 940, near "25FREEMEGS_URL_body_test" > (Missing operator before FREEMEGS_URL_body_test?) > Bareword found where operator expected at (eval 39) line 2934, near "25FREEMEGS_URL_body_test" > (Missing operator before FREEMEGS_URL_body_test?) > Failed to compile body SpamAssassin tests, skipping: > (syntax error at (eval 39) line 940, near "25FREEMEGS_URL_body_test " > Can't use global $_ in "my" at (eval 39) line 942, near "; > $_ " > syntax error at (eval 39) line 2934, near "25FREEMEGS_URL_body_test" > syntax error at (eval 39) line 3647, near "; > }" > ) > Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping: > (Can't locate object method "check_for_spam_reply_to" via package "Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load "Mail::SpamAssassin::PerMsgStatus"?) at /opt/perl/lib/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 1701. > ) -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From trooster at INTERSTROOM.NL Thu Jul 18 13:13:33 2002 From: trooster at INTERSTROOM.NL (Joris Trooster / Interstroom) Date: Thu Jan 12 21:15:16 2006 Subject: Mailscanner statistics References: <200207151944.g6FJiE028169@osprey.magnet.fsu.edu> Message-ID: <018d01c22e54$8a2d4b70$5500a8c0@loki> Hello, I changed the script from Peter Peters (thanks!), to include virus statistics. 
Example output: mailscannerstats.pl /var/log/mail.log ------------------------------------------------ Virus / spam statistics Period Jul 14 06:48:23 -> Jul 18 13:50:03 Total e-mails scanned : 1132 Total bytes scanned : 12230878 Total seconds : 96 Total virusses detected : 82 Total spams tagged : 91 Timespan (seconds) : 370900 Total SpamAssassin : 79 Total SpamAssassin score : 1003 Total Infinite-Monkeys : 3 Total Osirusoft : 13 Total ORDB-RBL : 7 Total WIREHUB-DNSBL : 2 Viruses found (top 10): Exploit-MIME.gen.b.: 23 W32/Klez.h@MM: 21 W32/Yaha.g@MM: 10 goldfish.mp3.scr: 5 VALUE.pif: 2 TYPE.pif: 2 Ilvd.scr: 1 NAME.bat: 1 new.bat: 1 align.scr: 1 ------------------------------------------------ To have the virus information included you need add a few lines to sweep.pl as explained in the file (attachment). The script only extracts information from the mailscanner log, so the script should work with both exim and sendmail. Regards, Joris -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscannerstats.pl Type: application/octet-stream Size: 4936 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020718/f9b9285c/mailscannerstats.obj From munafo at PREZZEMOLO.POLITO.IT Thu Jul 18 13:37:10 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: <20020718111034.6a95c946.marc.perea@electronic-group.com> References: <20020718111034.6a95c946.marc.perea@electronic-group.com> Message-ID: <02071814371001.32435@prezzemolo.polito.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 July 2002 11:10, Marc Perea wrote: > Hi to everybody, > > Does anyone using f-prot 3.12 can do an "f-prot -virlist | grep -i > Frethem" please ? > > Because I have the most updated signature files, but they doesn't seem to > be aware of the Frethem virus :-/ > > Or maybe it is shown with other codename ? I don't know ... 
just worried > about that, because this worm is currently on the wild. > > Does it happens to anyone else ? > F-Prot with MS identifies Frethem a 'backdoor program'. It was included in the signature files on July 15th. FSAV identifies it an unknown infection. Regards, M. - -- ______ / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK" / I-10129 Torino (Italia) / dMP dMP dMP dMF / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP" / E-mail: munafo@polito.it /__________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9NrZ2tgCCNnfQWWkRArSIAKD1ktOmPR2AVzwCOWTbZtINDE7GXwCfXXn2 bYKmth9lBwhwLMEXeASIPHE= =g2RV -----END PGP SIGNATURE----- From x.mailscanner.mail at MELLONI.COM Thu Jul 18 13:52:28 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:16 2006 Subject: Security Considerations Message-ID: Hello, The server running Mailscanner will normally be the first point of contact for the SMTP protocol after crossing a site's firewall. Also, by blocking spam it will likely attract unwanted attention from less than honorable spammers, who may decide this is a desirable target for hacking and relaying. Therefore, the server must be made as secure as possible. With that in mind I have 2 questions/concerns: 1) When using Mailscanner in a proxy configuration (i.e.: when your real mail server is a Windows mail server, or in a different firewalled zone), one of the requirements is to go to the access file and enable relaying for the local domain (i.e.: mydomain.com). Is this safe? Or in other words, do sendmail/mailscanner/spamassassin already have sufficient built-in protections to prevent a hacker from passing itself as being in the domain mydomain.com? 
It is a logical thing for a hacker to try, and if successful he'd be able to use my mail proxy as a relay agent for his spam to other sites. 2) If a true spam is received, it is desirable to delete it with no reply so that no hints are given to the spammers that they should try to camouflage their spam better. On the other hand when a good email is received it should be delivered. Nothing special so far. But what about when a spam is questionable? Should the message be dropped silently, dropped with a notification to the sender, delivered to the recipient with a "possible spam" indication,...? I am sure a lot of thinking and discussion has been done in this arena. Could you share what today's "common wisdom" is in handling this issue? And perhaps some pointers as to which configuration files/items to modify to accomplish it? 3) Although it is best to have a separate outbound SMTP server, I am considering using the same box that has mailscanner for outbound SMTP as well, to avoid having to install yet another box. I am aware that this will probably cause mailscanner to scan outgoing as well as inbound email but my mail load is low. Is there any reason other than processor load why I should not do this? 4) Once I finish setting up my mail proxy I intend to secure it quite tightly and test it for vulnerabilities before opening the inbound SMTP firewall port to it. I have collected a list of vulnerability-testing tools, but I was wondering if there is one that is particularly good at testing for SMTP vulnerabilities. Can you recommend one? If you are uncomfortable posting this kind of information to a mailing list, feel free to email it directly to me. Thanks. 
Bruno x.mailscanner.mail@melloni.com
From P.G.M.Peters at civ.utwente.nl Thu Jul 18 13:53:19 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: <20020718135728.29d79b61.marc.perea@electronic-group.com> References: <20020718111034.6a95c946.marc.perea@electronic-group.com> <20020718135728.29d79b61.marc.perea@electronic-group.com> Message-ID: <6gedjuogtc9p9mvcuif3fnfkv06e4q7ofc@4ax.com> On Thu, 18 Jul 2002 13:57:28 +0200, you wrote: >> We have had a storm of virusses a few days ago (the first day) but after >> that nothing. > >I cannot find Yaha in the virlist either ... F-prot calls it Lentin instead of Yaha. They were one of the first detecting and cleaning it. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Thu Jul 18 13:54:44 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:16 2006 Subject: SpamAssassin 2.31 In-Reply-To: <3D36A5D9.55394233@di.unito.it> References: <3D36A5D9.55394233@di.unito.it> Message-ID: On Thu, 18 Jul 2002 13:26:17 +0200, you wrote: > anyone is using spamassassin 2.31 with the latest mailscanner and perl 5.6.1 ?? > >I've installed it, but i'm receiving a lot of errors like these: > >> Bareword found where operator expected at (eval 39) line 940, near "25FREEMEGS_URL_body_test" I have seen the same errors with MailScanner 3.22 and perl 5.6.0. The messages disappeared after the automatic restart. Manual restart did not help. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From joan.bryan at KCL.AC.UK Thu Jul 18 14:06:01 2002 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:15:16 2006 Subject: F-prot & Frethem Virus In-Reply-To: <5.1.0.14.2.20020718111402.02d197a8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020718111402.02d197a8@imap.ecs.soton.ac.uk> <20020718111034.6a95c946.marc.perea@electronic-group.com> Message-ID: FYI You can stop the Frethem Virus with mailscanner by adding deny decrypt-password.exe$ "Frethem" virus "Frethem" virus to filename.rules.conf Joan On Thu, 18 Jul 2002 11:14:08 +0100 Julian Field wrote: > At 10:10 18/07/2002, you wrote: > >Hi to everybody, > > > >Does anyone using f-prot 3.12 can do an "f-prot -virlist | grep -i > >Frethem" please ? > > > >Because I have the most updated signature files, but they doesn't seem to > >be aware of the Frethem virus :-/ > > > >Or maybe it is shown with other codename ? I don't know ... just worried > >about that, because this worm is currently on the wild. > > > >Does it happens to anyone else ? > > Yes. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ ---------------------- Joan Bryan joan.bryan@kcl.ac.uk From mailscanner at ecs.soton.ac.uk Thu Jul 18 14:04:43 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: Multiple "clean" signatures --- Fixed In-Reply-To: References: <5.1.0.14.2.20020718101413.04c39e48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717164101.02fa8498@imap.ecs.soton.ac.uk> <1026981464.1416.9.camel@johnny5> <5.1.0.14.2.20020718101413.04c39e48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020718140146.04a3c4f0@imap.ecs.soton.ac.uk> At 12:35 18/07/2002, you wrote: >On Thu, 18 Jul 2002 10:16:34 +0100, you wrote: > >> > It now uses the presence of the "X-MailScanner:" header to work out > if it > >> > should sign it or not. If the header is already there, it will assume it > >> > has already been signed and will not sign it again. > >> > > >> > I know this is easy to defeat by users adding fake "X-MailScanner:" > headers > >> > to their mail, but since signing is not a vital function I didn't > think it > >> > really mattered, and there is no way to do it otherwise (if you have > >> > messages passing through more than 1 MailScanner server). If you have > >> > changed the "X-MailScanner:" header to some other name, you will > obviously > >> > need to be consistent across your site for this feature to work. > (Otherwise > >> > it doesn't know what header to look for!) > >>just as a clarification, it now works like this? > > > >Header exists --> don't sign > >But what if the header says not infected but the current virusscanner >detects a virus (because it is another one or it is updated in the >meantime). > > >No header --> sign if scanned and clean > >And offcourse "sign if scanned and not clean". No, it does not sign messages which are not clean (it shouldn't anyway!). It does the 2 rules I stated. 
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Janssen at RZ.UNI-FRANKFURT.DE Thu Jul 18 14:27:13 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:16 2006 Subject: Mailscanner statistics In-Reply-To: <018d01c22e54$8a2d4b70$5500a8c0@loki> Message-ID: Dear list, I've found that it isn't enough just to count the numbers from the "found XX viruses"-lines , because these line frequently (not always) occours twice (at least on our system): .... Scanning 1 messages, 135716 bytes >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat Found 1 viruses in messages 17FkWw-0004hX-00 Scanned 1 messages, 135716 bytes in 1 seconds Notified senders about 1 infections Notified exim-scanl@rz.uni-frankfurt.de about 1 infections Commercial disinfector sophos returned 768 >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat Found 1 viruses in messages 17FkWw-0004hX-00 Scanning 2 messages, 7233 bytes .... instead of: $TotalViruses += $1 if /found (\d+) viruses in/i; you need to remember the mail-id plus filename and ignore the next occourence of it (this might give you slightly less numbers, when your MTA often produces the same ids). you might compare it to my script: http://www.rz.uni-frankfurt.de/~mjanssen/logstats/logstats.py (15kb) (written in python, therefor usage is: "python logstats.py [-help]". A bit tricky, cause it does some more jobs than just counting. No spamdetection yet) cheers Michael University of Frankfurt On Thu, 18 Jul 2002, Joris Trooster / Interstroom wrote: > Hello, > > I changed the script from Peter Peters (thanks!), to include virus > statistics. 
Example output: > > mailscannerstats.pl /var/log/mail.log > ------------------------------------------------ > Virus / spam statistics > Period Jul 14 06:48:23 -> Jul 18 13:50:03 > > Total e-mails scanned : 1132 > Total bytes scanned : 12230878 > Total seconds : 96 > Total virusses detected : 82 > Total spams tagged : 91 > Timespan (seconds) : 370900 > > Total SpamAssassin : 79 > Total SpamAssassin score : 1003 > Total Infinite-Monkeys : 3 > Total Osirusoft : 13 > Total ORDB-RBL : 7 > Total WIREHUB-DNSBL : 2 > > Viruses found (top 10): > > Exploit-MIME.gen.b.: 23 > W32/Klez.h@MM: 21 > W32/Yaha.g@MM: 10 > goldfish.mp3.scr: 5 > VALUE.pif: 2 > TYPE.pif: 2 > Ilvd.scr: 1 > NAME.bat: 1 > new.bat: 1 > align.scr: 1 > ------------------------------------------------ > > To have the virus information included you need add a few lines to > sweep.pl as explained in the file (attachment). The script only extracts > information from the mailscanner log, so the script should work with > both exim and sendmail. > > Regards, > Joris > From fizz at BOMB.NET Thu Jul 18 14:29:03 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:16 2006 Subject: Mailscanner statistics In-Reply-To: <018d01c22e54$8a2d4b70$5500a8c0@loki> Message-ID: <000001c22e5f$15751280$483cd842@fizz> Something aint right :) Here is your output.. Virus / spam statistics Period Jul 18 00:10:04 -> Jul 18 09:47:09 Total e-mails scanned : 5143 Total bytes scanned : 82572529 Total seconds : 2554 Total virusses detected : 151 Total spams tagged : Timespan (seconds) : 34625 Total SpamAssassin : Total SpamAssassin score : Total Infinite-Monkeys : Total Osirusoft : Total ORDB-RBL : Total WIREHUB-DNSBL : Viruses found (top 10): sunline.pif: 4 .pif: 4 CONTRI.pif: 2 target.pif: 2 Dmixs.pif: 2 bgcolor.pif: 2 WIDTH.pif: 2 without.pif: 2 of: 2 this: 2 Heres my output.. 
*********************************** --Total Mail: 33027 --Total Spam: 11590 --Total Virii: 748 *********************************** ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. +--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joris Trooster / Interstroom Sent: Thursday, July 18, 2002 8:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner statistics Hello, I changed the script from Peter Peters (thanks!), to include virus statistics. Example output: mailscannerstats.pl /var/log/mail.log ------------------------------------------------ Virus / spam statistics Period Jul 14 06:48:23 -> Jul 18 13:50:03 Total e-mails scanned : 1132 Total bytes scanned : 12230878 Total seconds : 96 Total virusses detected : 82 Total spams tagged : 91 Timespan (seconds) : 370900 Total SpamAssassin : 79 Total SpamAssassin score : 1003 Total Infinite-Monkeys : 3 Total Osirusoft : 13 Total ORDB-RBL : 7 Total WIREHUB-DNSBL : 2 Viruses found (top 10): Exploit-MIME.gen.b.: 23 W32/Klez.h@MM: 21 W32/Yaha.g@MM: 10 goldfish.mp3.scr: 5 VALUE.pif: 2 TYPE.pif: 2 Ilvd.scr: 1 NAME.bat: 1 new.bat: 1 align.scr: 1 ------------------------------------------------ To have the virus information included you need add a few lines to sweep.pl as explained in the file (attachment). The script only extracts information from the mailscanner log, so the script should work with both exim and sendmail. Regards, Joris From P.G.M.Peters at civ.utwente.nl Thu Jul 18 14:44:34 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:16 2006 Subject: Proper way to handle misidentifiedspamsite-wide? 
In-Reply-To: <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> <3D1B50E3.9F6A642B@dcg.com> <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> Message-ID: On Thu, 27 Jun 2002 20:36:08 +0100, you wrote: >Its syntax is: > df2mbox dirname [ dirname ... ] >i.e. you can cd into your quarantine directory and do > df2mbox * >to process all your quarantine directories, or you can just do the >directory that corresponds to yesterday's mail, e.g. > df2mbox 20020622 Today I had to send an (incorrectly) quarantined message to the intended recipient. When I looked in the quarantine directories I found a complete message and not the df and qf files. Is there a difference between saved/stored/quarantined spam and quarantined virus messages? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From fizz at BOMB.NET Thu Jul 18 14:48:00 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:16 2006 Subject: Mailscanner statistics In-Reply-To: <018d01c22e54$8a2d4b70$5500a8c0@loki> Message-ID: <000101c22e61$bb2bcaf0$483cd842@fizz> Ok, I think I figured out half of what's wrong.. I forgot to change that sweep function in sweep.pl. Also, is there more than one line for sophos scan, I added this. $Virus{$1}++ if /Virus (\S+) found in file/; but my output still isn't totally right, but I think its because I need to wait for the output from AFTER I made that change to sweep.pl ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. 
+--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joris Trooster / Interstroom Sent: Thursday, July 18, 2002 8:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner statistics Hello, I changed the script from Peter Peters (thanks!), to include virus statistics. Example output: mailscannerstats.pl /var/log/mail.log ------------------------------------------------ Virus / spam statistics Period Jul 14 06:48:23 -> Jul 18 13:50:03 Total e-mails scanned : 1132 Total bytes scanned : 12230878 Total seconds : 96 Total virusses detected : 82 Total spams tagged : 91 Timespan (seconds) : 370900 Total SpamAssassin : 79 Total SpamAssassin score : 1003 Total Infinite-Monkeys : 3 Total Osirusoft : 13 Total ORDB-RBL : 7 Total WIREHUB-DNSBL : 2 Viruses found (top 10): Exploit-MIME.gen.b.: 23 W32/Klez.h@MM: 21 W32/Yaha.g@MM: 10 goldfish.mp3.scr: 5 VALUE.pif: 2 TYPE.pif: 2 Ilvd.scr: 1 NAME.bat: 1 new.bat: 1 align.scr: 1 ------------------------------------------------ To have the virus information included you need add a few lines to sweep.pl as explained in the file (attachment). The script only extracts information from the mailscanner log, so the script should work with both exim and sendmail. Regards, Joris From Janssen at RZ.UNI-FRANKFURT.DE Thu Jul 18 14:56:35 2002 From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:15:16 2006 Subject: SpamAssassin 2.31 In-Reply-To: <3D36A5D9.55394233@di.unito.it> Message-ID: On Thu, 18 Jul 2002, Rabellino Sergio wrote: > Dear list, > anyone is using spamassassin 2.31 with the latest mailscanner and > perl 5.6.1 ?? yes. without such errors. we've installed SA from tarball. MS from rpm. perl with OS (SUSE-Linux 8.0). 
Michael University of Frankfurt From fizz at BOMB.NET Thu Jul 18 15:03:45 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:15:16 2006 Subject: Mailscanner statistics In-Reply-To: <018d01c22e54$8a2d4b70$5500a8c0@loki> Message-ID: <000001c22e63$ee637290$483cd842@fizz> One last thing :) I Have my MTA Do the RBL lists, could I easily add a if (/sendmail/) { $TotalSPAMCOP++ if /spamcop/; $TotalOsirusoft++ if /osirusoft/; } to the list there? I tried with no success, I know a bit of php, but perl is wacky :P thanks in advance. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. +--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joris Trooster / Interstroom Sent: Thursday, July 18, 2002 8:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner statistics Hello, I changed the script from Peter Peters (thanks!), to include virus statistics. Example output: mailscannerstats.pl /var/log/mail.log ------------------------------------------------ Virus / spam statistics Period Jul 14 06:48:23 -> Jul 18 13:50:03 Total e-mails scanned : 1132 Total bytes scanned : 12230878 Total seconds : 96 Total virusses detected : 82 Total spams tagged : 91 Timespan (seconds) : 370900 Total SpamAssassin : 79 Total SpamAssassin score : 1003 Total Infinite-Monkeys : 3 Total Osirusoft : 13 Total ORDB-RBL : 7 Total WIREHUB-DNSBL : 2 Viruses found (top 10): Exploit-MIME.gen.b.: 23 W32/Klez.h@MM: 21 W32/Yaha.g@MM: 10 goldfish.mp3.scr: 5 VALUE.pif: 2 TYPE.pif: 2 Ilvd.scr: 1 NAME.bat: 1 new.bat: 1 align.scr: 1 ------------------------------------------------ To have the virus information included you need add a few lines to sweep.pl as explained in the file (attachment). The script only extracts information from the mailscanner log, so the script should work with both exim and sendmail. 
Regards, Joris From mailscanner at ecs.soton.ac.uk Thu Jul 18 15:26:40 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:16 2006 Subject: Security Considerations In-Reply-To: Message-ID: <5.1.0.14.2.20020718152328.04cf2bf8@imap.ecs.soton.ac.uk> At 13:52 18/07/2002, you wrote: >1) When using Mailscanner in a proxy configuration (i.e.: when your real >mail server is a Windows mail server, or in a different firewalled zone), >one of the requirements is to go to the access file and enable relaying for >the local domain (i.e.: mydomain.com). Is this safe? Or in other words, do >sendmail/mailscanner/spamassassin already have sufficient built-in >protections to prevent a hacker from passing itself as being in the domain >mydomain.com? It is a logical thing for a hacker to try, and if successful >he'd be able to use my mail proxy as a relay agent for his spam to other >sites. This should be safe. The security is all down to sendmail, MailScanner doesn't get involved with the mail security or delivery at all (I designed it that way to give you less things to have to worry about). >2) If a true spam is received, it is desirable to delete it with no reply so >that no hints are given to the spammers that they should try to camouflage >their spam better. On the other hand when a good email is received it >should be delivered. Nothing special so far. But what about when a spam is >questionable? Should the message be dropped silently, dropped with a >notification to the sender, delivered to the recipient with a "possible >spam" indication,...? I am sure a lot of thinking and discussion has been >done in this arena. Could you share what today's "common wisdom" is in >handling this issue? And perhaps some pointers as to which configuration >files/items to modify to accomplish it? You could use SpamAssassin, and set the "High Score" action to "delete", but set the normal spam action to "deliver". 
That way questionable spam will be tagged and delivered, but mail which is *definitely* spam will be quietly deleted. The sender will have no indication to say it wasn't delivered, so they will think it got through successfully. >3) Although it is best to have a separate outbound SMTP server, I am >considering using the same box that has mailscanner for outbound SMTP as >well, to avoid having to install yet another box. I am aware that this will >probably cause mailscanner to scan outgoing as well as inbound email but my >mail load is low. Is there any reason other than processor load why I >should not do this? Personally, I don't think there's anything very dangerous about doing that. >4) Once I finish setting up my mail proxy I intend to secure it quite >tightly and test it for vulnerabilities before opening the inbound SMTP >firewall port to it. I have collected a list of vulnerability-testing >tools, but I was wondering if there is one that is particularly good at >testing for SMTP vulnerabilities. Can you recommend one? If you are >uncomfortable posting this kind of information to a mailing list, feel free >to email it directly to me. I use "Nessus" which is available from "www.nessus.org". That currently knows about 995 different vulnerabilities, which is more than the commerical products... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
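Returning to the "Mailscanner statistics" thread above: the following is an added example, not code posted to the list and not Michael Janssen's logstats.py, of the de-duplication he describes, where each scanner report is remembered by mail id plus filename so that the repeat logged after the disinfector run is not counted twice. The log lines are constructed from the excerpt in his message; the syslog prefix, host name, process id, the second virus name, the "Found 2 viruses" line and the per-batch reset of the "seen" set (so that a reused message id in a later batch still counts) are assumptions.

```python
import re
from collections import Counter

# Scanner report line in the form quoted in the thread:
#   >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
# The path is ./<message-id>/<attachment>; attachment names may contain spaces.
VIRUS_RE = re.compile(
    r">>> Virus '(?P<virus>[^']+)' found in file "
    r"\./(?P<msgid>[^/\s]+)/(?P<fname>.+?)\s*$"
)
# First line of a scanning batch; de-duplication is scoped to one batch.
BATCH_RE = re.compile(r"Scanning \d+ messages, \d+ bytes\s*$")
# Summary line that the one-liner quoted in the thread adds up.
FOUND_RE = re.compile(r"found (\d+) viruses in", re.IGNORECASE)
# Syslog prefix "Mon DD HH:MM:SS host prog[pid]:" (assumed layout).
PID_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ [^\s\[]+\[(\d+)\]:")

# Constructed sample: the first batch repeats its report after the
# disinfector run; the second batch reuses a message id and adds a new hit.
SAMPLE_LOG = """\
Jul 18 14:20:01 mx1 mailscanner[812]: Scanning 1 messages, 135716 bytes
Jul 18 14:20:02 mx1 mailscanner[812]: >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Jul 18 14:20:02 mx1 mailscanner[812]: Found 1 viruses in messages 17FkWw-0004hX-00
Jul 18 14:20:02 mx1 mailscanner[812]: Scanned 1 messages, 135716 bytes in 1 seconds
Jul 18 14:20:03 mx1 mailscanner[812]: Commercial disinfector sophos returned 768
Jul 18 14:20:03 mx1 mailscanner[812]: >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Jul 18 14:20:03 mx1 mailscanner[812]: Found 1 viruses in messages 17FkWw-0004hX-00
Jul 18 14:25:10 mx1 mailscanner[812]: Scanning 2 messages, 7233 bytes
Jul 18 14:25:11 mx1 mailscanner[812]: >>> Virus 'W32/Klez-H' found in file ./17FkWw-0004hX-00/class.bat
Jul 18 14:25:11 mx1 mailscanner[812]: >>> Virus 'Example/Test-A' found in file ./17FkXb-0004ia-00/my holiday.scr
Jul 18 14:25:11 mx1 mailscanner[812]: Found 2 viruses in messages 17FkWw-0004hX-00,17FkXb-0004ia-00
"""


def naive_total(lines):
    """Sum every 'Found N viruses in' line, as the original counter does."""
    total = 0
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            total += int(m.group(1))
    return total


def count_infections(lines):
    """Return (per-virus Counter, raw report lines, unique infections)."""
    per_virus = Counter()
    seen = {}  # pid (None if no syslog prefix) -> reports counted in this batch
    raw = 0
    for line in lines:
        pid_m = PID_RE.match(line)
        pid = pid_m.group(1) if pid_m else None
        hit = VIRUS_RE.search(line)
        if hit:
            # Check report lines first so an attachment name that happens to
            # contain "Scanning ... bytes" cannot reset the batch.
            raw += 1
            key = hit.group("msgid", "fname", "virus")
            batch = seen.setdefault(pid, set())
            if key not in batch:
                batch.add(key)
                per_virus[hit.group("virus")] += 1
        elif BATCH_RE.search(line):
            seen[pid] = set()  # new batch: a repeated message id counts again
    return per_virus, raw, sum(per_virus.values())


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    counts, raw_hits, unique_hits = count_infections(log_lines)
    print("naive total :", naive_total(log_lines))
    print("raw reports :", raw_hits)
    print("unique      :", unique_hits)
    for name, n in counts.most_common(10):
        print(f"  {name}: {n}")
```

Because the attachment name is chosen by the sender, the pattern takes the virus name only from inside the quotes and treats everything after the message-id directory as the filename, rather than splitting on whitespace.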
From davidclosson at MSN.COM Thu Jul 18 22:17:59 2002 From: davidclosson at MSN.COM (David Closson) Date: Thu Jan 12 21:15:16 2006 Subject: Spamassassin w/mailscanner Message-ID: I have recently upgraded Mailscanner to 3.21-1 (from 3.18) and Spamassassin to 2.31 (from 2.20-1). I have now noticed that spamassassin will hang while processing certain messages and cause the incoming mail queue to build (Some messages get through while many do not). I was forced to turn off spamassassin for now. I was going to go ahead and manually process some messages to see it I can find one that will hang it. 
I know that there was a discussion thread that pertained to this but I must
have missed the resolution.

_________
Sincerely,
David Closson
209-728-8199

From davidclosson at msn.com Fri Jul 19 00:17:08 2002
From: davidclosson at msn.com (David Closson)
Date: Thu Jan 12 21:15:16 2006
Subject: Spamassassin w/mailscanner
Message-ID:

I think I found the problem...I failed to update the rules for Spamassassin
after updating the installed distribution. I have now done so and mail
seems to be moving OK now.

>From: David Closson
>Reply-To: MailScanner mailing list
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Spamassassin w/mailscanner
>Date: Thu, 18 Jul 2002 14:17:59 -0700
>
>I have recently upgraded Mailscanner to 3.21-1 (from 3.18) and Spamassassin
>to 2.31 (from 2.20-1).
>I have now noticed that spamassassin will hang while processing certain
>messages and cause the incoming mail queue to build (Some messages get
>through while many do not). I was forced to turn off spamassassin for now.
>I was going to go ahead and manually process some messages to see if I can
>find one that will hang it.
>
>I know that there was a discussion thread that pertained to this but I must
>have missed the resolution.
>
>_________
>Sincerely,
>David Closson
>209-728-8199

_________
Sincerely,
David Closson
209-728-8199

From carl.boberg at NRM.SE Fri Jul 19 08:29:37 2002
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:15:16 2006
Subject: Spamassassin rpms
In-Reply-To:
Message-ID: <001601c22ef6$09519810$010110ac@nrm.se>

Hi,

Does anyone know if there are any RPMs for the latest Spamassassin release?
Or, if not, when they might be released? I can only find v.
2.20-1

Regards
---------------------------------
Carl Boberg
System & Network Administrator
Enheten för informationsteknologi
Naturhistoriska Riksmuseet
carl.boberg@nrm.se
---------------------------------

From mailscanner at ecs.soton.ac.uk Fri Jul 19 09:13:00 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: Spamassassin w/mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020719091204.02acb388@imap.ecs.soton.ac.uk>

At 00:17 19/07/2002, you wrote:
>I think I found the problem...I failed to update the rules for Spamassassin
>after updating the installed distribution. I have now done so and mail
>seems to be moving OK now.

The new version will also count the number of consecutive timeouts from
SpamAssassin and stop using it for the next few hours if SpamAssassin
repeatedly fails.

So this failure would have far less impact on your mail traffic in the new
version.

>>From: David Closson
>>Reply-To: MailScanner mailing list
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Spamassassin w/mailscanner
>>Date: Thu, 18 Jul 2002 14:17:59 -0700
>>
>>I have recently upgraded Mailscanner to 3.21-1 (from 3.18) and Spamassassin
>>to 2.31 (from 2.20-1).
>>I have now noticed that spamassassin will hang while processing certain
>>messages and cause the incoming mail queue to build (Some messages get
>>through while many do not). I was forced to turn off spamassassin for now.
>>I was going to go ahead and manually process some messages to see if I can
>>find one that will hang it.
>>
>>I know that there was a discussion thread that pertained to this but I must
>>have missed the resolution.
>>
>>_________
>>Sincerely,
>>David Closson
>>209-728-8199
>
>_________
>Sincerely,
>David Closson
>209-728-8199
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Fri Jul 19 11:22:15 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:16 2006
Subject: MAILSCANNER: Heinz.Knutzen@DZSH.DE left the list
Message-ID: <200207191022.LAA02705@magpie.ecs.soton.ac.uk>

Fri, 19 Jul 2002 11:22:15

Heinz Knutzen has just left the MAILSCANNER list (MailScanner mailing list).

From rob.moore at POWERDISK.CO.UK Fri Jul 19 10:51:16 2002
From: rob.moore at POWERDISK.CO.UK (Rob Moore)
Date: Thu Jan 12 21:15:16 2006
Subject: mailscanner / cobalt raq3 or 4
Message-ID:

Hi

I installed the current 3.21-2 mailscanner on a sun cobalt raq4 and have
a few questions. It is all working to spec and catching those damm virii
but...

I see the current installation script in the rpm removes sendmail
from the chkconfig list and replaces with mailscanner. That's neat and
I suspect will stop an awful lot of headaches :)

My questions are:-

1.
On the cobalt raq's there's a process monitor called swatch that
watches relevant services and if they are down tries to automatically
restart them.
Hidden away in /etc/cobalt/swatch/services/smtp is the line
"restart = /etc/rc.d/init.d/sendmail hard-restart"
so if the system monitor detects sendmail down it will execute the line
above.

To stop the system monitor freaking I renamed
/etc/rc.d/init.d/mailscanner to sendmail, and moved the old sendmail file
out of the way. For the sake of completeness I also altered the line above
to just "restart". I also double-checked the chkconfig entry for sendmail
to make sure it was right.

2. As I say mailscanner performs fine when it starts but when I stop it,
I get an error, and have to manually kill the mailscanner process:-

[root@raq4 root]# /etc/rc.d/init.d/sendmail stop
Shutting down MailScanner daemons:
MailScanner: ERROR!
incoming sendmail: sendmail ok
outgoing sendmail: sendmail ok
[root@raq4 root]# ps -ax | grep mailscanner
24834 ? S 0:01 /usr/bin/perl /usr/local/MailScanner/bin/mailscanner

Could anyone shed any light on what could be happening? My first note
above is really cobalt-specific as the system monitor expects to execute
/etc/rc.d/init.d/sendmail and nothing else. The second one, well, dunno.

Thanks in advance

Rob

From P.G.M.Peters at civ.utwente.nl Fri Jul 19 12:54:25 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:16 2006
Subject: mailscanner / cobalt raq3 or 4
In-Reply-To:
References:
Message-ID:

On Fri, 19 Jul 2002 10:51:16 +0100, you wrote:

>I see the current installation script in the rpm removes sendmail
>from the chkconfig list and replaces with mailscanner. That's neat and
>I suspect will stop an awful lot of headaches :)
>
>My questions are:-
>
>1. On the cobalt raq's there's a process monitor called swatch that
>watches relevant services and if they are down tries to automatically
>restart them.
>Hidden away in /etc/cobalt/swatch/services/smtp is the line
>"restart = /etc/rc.d/init.d/sendmail hard-restart"
>so if the system monitor detects sendmail down it will execute the line
>above.

It shouldn't restart sendmail if it is removed from the chkconfig. That
is the whole purpose of chkconfig. If it does it is a big bug you should
report to Cobalt.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From combs at MAGNET.FSU.EDU Fri Jul 19 15:01:26 2002
From: combs at MAGNET.FSU.EDU (Tom Combs)
Date: Thu Jan 12 21:15:16 2006
Subject: SA DNS log question
Message-ID:

Hello,

I get the following in my log:

Jul 18 19:17:57 magnet mailscanner[28306]: Message g6INHZh17262 from
12.64.128.192 (magnet.fsu.edu) is spam according to osirusoft.com ...

My question is why is magnet.fsu.edu listed as the reverse lookup
for 12.64.128.192? Magnet.fsu.edu is my server and it is 146.201.250.2.
Am I not interpreting the log correctly?

Thanks,
Tom Combs

From henrik at LEWANDER.COM Fri Jul 19 15:02:14 2002
From: henrik at LEWANDER.COM (Henrik Lewander)
Date: Thu Jan 12 21:15:16 2006
Subject: Problems with mail generated locally
Message-ID: <0e9201c22f2c$e3718790$05c6a8c0@gbg.bluelabs.se>

Hi!

Lately it has come to my attention that locally originated mail to local
mail recipients does not get delivered.
This is what it looks like:

2002-07-19 15:37:23 17VXwh-0006SD-00 <= henrik@lewander.com U=henrik
P=local-esmtp S=477 id=Pine.LNX.4.44.0207191537130.24794-100000
@newton.lewander.com
2002-07-19 15:37:26 17VXwh-0006SD-00 == henrik@lewander.com D=defer_director
defer (-1): forced defer: All deliveries are deferred
2002-07-19 15:37:26 17VXwh-0006SD-00 ** henrik@lewander.com: retry timeout
exceeded
2002-07-19 15:37:31 17VXwp-0006SR-00 <= <> R=17VXwh-0006SD-00 U=mail P=local
S=1325
2002-07-19 15:37:31 17VXwh-0006SD-00 Error message sent to
henrik@lewander.com
2002-07-19 15:37:32 17VXwh-0006SD-00 Completed

I have added the defer lines as seen on
http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml
I just removed them for now, most mail comes in from remote anyway.

Any ideas?

//Henrik

From dz at siameserescue.org Fri Jul 19 15:17:57 2002
From: dz at siameserescue.org (Darrell)
Date: Thu Jan 12 21:15:16 2006
Subject: mailscanner / cobalt raq3 or 4
In-Reply-To: <200207191147.g6JBkxl14906@www.siameserescue.net>
Message-ID:

You need to change the pid location in mailscanner.conf to:

/var/run/mailscanner.pid

for it to work on a RaQ.

Z

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Rob Moore
Sent: Friday, July 19, 2002 5:51 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mailscanner / cobalt raq3 or 4

Hi

I installed the current 3.21-2 mailscanner on a sun cobalt raq4 and have
a few questions. It is all working to spec and catching those damm virii
but...

I see the current installation script in the rpm removes sendmail
from the chkconfig list and replaces with mailscanner. That's neat and
I suspect will stop an awful lot of headaches :)

My questions are:-

1. On the cobalt raq's there's a process monitor called swatch that
watches relevant services and if they are down tries to automatically
restart them.
Hidden away in /etc/cobalt/swatch/services/smtp is the line
"restart = /etc/rc.d/init.d/sendmail hard-restart"
so if the system monitor detects sendmail down it will execute the line
above.

To stop the system monitor freaking I renamed
/etc/rc.d/init.d/mailscanner to sendmail, and moved the old sendmail file
out of the way. For the sake of completeness I also altered the line above
to just "restart". I also double-checked the chkconfig entry for sendmail
to make sure it was right.

2. As I say mailscanner performs fine when it starts but when I stop it,
I get an error, and have to manually kill the mailscanner process:-

[root@raq4 root]# /etc/rc.d/init.d/sendmail stop
Shutting down MailScanner daemons:
MailScanner: ERROR!
incoming sendmail: sendmail ok
outgoing sendmail: sendmail ok
[root@raq4 root]# ps -ax | grep mailscanner
24834 ? S 0:01 /usr/bin/perl /usr/local/MailScanner/bin/mailscanner

Could anyone shed any light on what could be happening? My first note
above is really cobalt-specific as the system monitor expects to execute
/etc/rc.d/init.d/sendmail and nothing else. The second one, well, dunno.

Thanks in advance

Rob

From mailscanner at ecs.soton.ac.uk Fri Jul 19 16:53:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: Beta testers? Getting on okay?
Message-ID: <5.1.0.14.2.20020719165124.02c36e70@imap.ecs.soton.ac.uk>

My beta-testers, how are you folks getting on? Is it all working so far?
No-one has been in touch, so I am assuming that no news is good news.
I just installed the latest release on a new server here, too, and that
went flawlessly.

So unless someone comes up with some reports by Sunday or so, I'll release
it to the world.

Thanks guys!
Jules.

P.S. Just got a new Eizo 17" TFT monitor at work, *very* nice,
hmmmmm....... :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jul 19 18:38:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:16 2006
Subject: SA DNS log question
In-Reply-To:
Message-ID: <5.1.0.14.2.20020719183618.02fc4e78@imap.ecs.soton.ac.uk>

At 15:01 19/07/2002, you wrote:
>I get the following in my log:
>
>Jul 18 19:17:57 magnet mailscanner[28306]: Message g6INHZh17262 from
>12.64.128.192 (magnet.fsu.edu) is spam according to osirusoft.com ...
>
>My question is why is magnet.fsu.edu listed as the reverse lookup
>for 12.64.128.192? Magnet.fsu.edu is my server and it is 146.201.250.2.
>Am I not interpreting the log correctly?

The IP address is that of the far end of the SMTP connection. The domain
name given is taken from the sender's address in the message envelope (the
real "From" address).
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From davidclosson at MSN.COM Fri Jul 19 19:07:05 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:15:17 2006
Subject: Spamassassin w/mailscanner
Message-ID:

Thank you Julian...you are a gem.

>From: Julian Field
>Reply-To: MailScanner mailing list
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassassin w/mailscanner
>Date: Fri, 19 Jul 2002 09:13:00 +0100
>
>At 00:17 19/07/2002, you wrote:
>>I think I found the problem...I failed to update the rules for Spamassassin
>>after updating the installed distribution. I have now done so and mail
>>seems to be moving OK now.
>
>The new version will also count the number of consecutive timeouts from
>SpamAssassin and stop using it for the next few hours if SpamAssassin
>repeatedly fails.
>
>So this failure would have far less impact on your mail traffic in the new
>version.
>
>>>From: David Closson
>>>Reply-To: MailScanner mailing list
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Spamassassin w/mailscanner
>>>Date: Thu, 18 Jul 2002 14:17:59 -0700
>>>
>>>I have recently upgraded Mailscanner to 3.21-1 (from 3.18) and Spamassassin
>>>to 2.31 (from 2.20-1).
>>>I have now noticed that spamassassin will hang while processing certain
>>>messages and cause the incoming mail queue to build (Some messages get
>>>through while many do not). I was forced to turn off spamassassin for now.
>>>I was going to go ahead and manually process some messages to see if I can
>>>find one that will hang it.
>>>
>>>I know that there was a discussion thread that pertained to this but I must
>>>have missed the resolution.
>>>
>>>_________
>>>Sincerely,
>>>David Closson
>>>209-728-8199
>>
>>_________
>>Sincerely,
>>David Closson
>>209-728-8199
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

_________
Sincerely,
David Closson
209-728-8199

From brose at MED.WAYNE.EDU Fri Jul 19 19:13:03 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:17 2006
Subject: SA DNS log question
Message-ID:

From my side, I show

Name: slip-12-64-128-192.mis.prserv.net
Address: 12.64.128.192

And

Name: magnet.fsu.edu
Address: 146.201.250.2

What is in the header of that message if you still have it around?
Shouldn't mailscanner be saying that a system is an open-relay since
that's what most of the DNSBLs are.

-----Original Message-----
From: Tom Combs [mailto:combs@MAGNET.FSU.EDU]
Sent: Friday, July 19, 2002 10:01 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SA DNS log question

Hello,

I get the following in my log:

Jul 18 19:17:57 magnet mailscanner[28306]: Message g6INHZh17262 from
12.64.128.192 (magnet.fsu.edu) is spam according to osirusoft.com ...

My question is why is magnet.fsu.edu listed as the reverse lookup
for 12.64.128.192? Magnet.fsu.edu is my server and it is 146.201.250.2.
Am I not interpreting the log correctly?

Thanks,
Tom Combs

From trooster at INTERSTROOM.NL Fri Jul 19 19:25:36 2002
From: trooster at INTERSTROOM.NL (Joris Trooster)
Date: Thu Jan 12 21:15:17 2006
Subject: Problems with mail generated locally
In-Reply-To: <0e9201c22f2c$e3718790$05c6a8c0@gbg.bluelabs.se>
Message-ID:

Probably your exim_outgoing.conf is misconfigured. Is exim_outgoing.conf
accepting lewander.com as a local domain?

Regards,
Joris

On 19-07-2002 16:02, "Henrik Lewander" wrote:

> Hi!
>
> Lately it has come to my attention that locally originated mail to local
> mail recipients does not get delivered. This is what it looks like:
>
> 2002-07-19 15:37:23 17VXwh-0006SD-00 <= henrik@lewander.com U=henrik
> P=local-esmtp S=477 id=Pine.LNX.4.44.0207191537130.24794-100000
> @newton.lewander.com
> 2002-07-19 15:37:26 17VXwh-0006SD-00 == henrik@lewander.com D=defer_director
> defer (-1): forced defer: All deliveries are deferred
> 2002-07-19 15:37:26 17VXwh-0006SD-00 ** henrik@lewander.com: retry timeout
> exceeded
> 2002-07-19 15:37:31 17VXwp-0006SR-00 <= <> R=17VXwh-0006SD-00 U=mail P=local
> S=1325
> 2002-07-19 15:37:31 17VXwh-0006SD-00 Error message sent to
> henrik@lewander.com
> 2002-07-19 15:37:32 17VXwh-0006SD-00 Completed
>
> I have added the defer lines as seen on
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml
> I just removed them for now, most mail comes in from remote anyway.
>
> Any ideas?
>
> //Henrik

From fredd at CI.ASPEN.CO.US Fri Jul 19 22:44:24 2002
From: fredd at CI.ASPEN.CO.US (Fred Dick)
Date: Thu Jan 12 21:15:17 2006
Subject: Not finding viruses but reporting clean
Message-ID: <4.2.0.58.20020719153454.00aa1a10@argus>

Gurus,

Problem:

Sendmail reports -- X-ECS-MailScanner: Found to be clean
but Mailscanner not detecting any viruses in enterprise.

Thanks,

Fred

++++++++++++++++++++++++++++++

Sendmail ver: Sendmail 8.8.8+Sun/8.8.8;

++++++++++++++++++++++++++++++

Sophos ver:

xxxx:/opt/mailscanner/etc*> sweep -v
SWEEP virus detection utility
Copyright (c) 1989,2002 Sophos Plc, www.sophos.com

System time 15:39:15, System date 19 July 2002

Product version : 3.59
Engine version : 2.5
User interface version : 2.03.076
Platform : Solaris/SPARC
Released : 01 July 2002
Total viruses (with IDEs) : 74471

++++++++++++++++++++++++++++++

xxxx:/opt/mailscanner/bin*> check_mailscanner
Running with pid 20624

++++++++++++++++++++++++++++++

xxxx:/etc/init.d*> /opt/sophos/bin/sophoswrapper /opt/sophos
SWEEP virus detection utility
Version 3.59, July 2002 [Solaris/SPARC]
Includes detection for 74506 viruses, trojans and worms
Copyright (c) 1989,2002 Sophos Plc, www.sophos.com

System time 15:26:55, System date 19 July 2002

IDE directory is: /opt/sophos/ide

Using IDE file kitro-d.ide
Using IDE file fret-fam.ide
Using IDE file opey-bc.ide
Using IDE file tinit-b.ide
Using IDE file nahata-f.ide
Using IDE file momac-a.ide
Using IDE file datom-a.ide
Using IDE file gunsan-a.ide
Using IDE file mark-kr.ide
Using IDE file floodo.ide
Using IDE file calil.ide
Using IDE file kwbot-a.ide
Using IDE file duni-a.ide
Using IDE file bajar.ide
Using IDE file metrion.ide
Using IDE file zoek-d.ide
Using IDE file scalper.ide
Using IDE file dotor.ide
Using IDE file dest-j.ide
Using IDE file yaha-e.ide
Using IDE file higuy-a.ide
Using IDE file fishleta.ide
Using IDE file perrun-a.ide
Using IDE file chir-a.ide
Using IDE file cup-a.ide
Using IDE file chickf.ide

Quick Sweeping

3 files swept in 1 second.
No viruses were discovered.
End of Sweep.

From henrik at LEWANDER.COM Fri Jul 19 23:28:50 2002
From: henrik at LEWANDER.COM (Henrik Lewander)
Date: Thu Jan 12 21:15:17 2006
Subject: Problems with mail generated locally
References:
Message-ID: <04ec01c22f73$bfc79db0$4bf90bc1@hemmet.chalmers.se>

lewander.com is in the local domains in exim_outgoing.conf, yes. I don't
think it has something to do with the outgoing exim at all because the mail
bounces immediately, it doesn't wait for the exim outgoing queue run.

Regards,
Henrik

From: "Joris Trooster"
>
> Probably your exim_outgoing.conf is misconfigured. Is exim_outgoing.conf
> accepting lewander.com as a local domain?
>
> Regards,
> Joris
>
>
> On 19-07-2002 16:02, "Henrik Lewander" wrote:
>
> > Hi!
> >
> > Lately it has come to my attention that locally originated mail to local
> > mail recipients does not get delivered. This is what it looks like:
> >
> > 2002-07-19 15:37:23 17VXwh-0006SD-00 <= henrik@lewander.com U=henrik
> > P=local-esmtp S=477 id=Pine.LNX.4.44.0207191537130.24794-100000
> > @newton.lewander.com
> > 2002-07-19 15:37:26 17VXwh-0006SD-00 == henrik@lewander.com D=defer_director
> > defer (-1): forced defer: All deliveries are deferred
> > 2002-07-19 15:37:26 17VXwh-0006SD-00 ** henrik@lewander.com: retry timeout
> > exceeded
> > 2002-07-19 15:37:31 17VXwp-0006SR-00 <= <> R=17VXwh-0006SD-00 U=mail P=local
> > S=1325
> > 2002-07-19 15:37:31 17VXwh-0006SD-00 Error message sent to
> > henrik@lewander.com
> > 2002-07-19 15:37:32 17VXwh-0006SD-00 Completed
> >
> > I have added the defer lines as seen on
> > http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml
> > I just removed them for now, most mail comes in from remote anyway.
> >
> > Any ideas?
> >
> > //Henrik
>

From ralloway at CHARTERPA.NET Sat Jul 20 04:43:46 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:17 2006
Subject: Beta testers? Getting on okay?
In-Reply-To: <5.1.0.14.2.20020719165124.02c36e70@imap.ecs.soton.ac.uk>
Message-ID:

Jules,

Congrats on the monitor!

As far as the beta test is concerned, no real problems here! The
"whitelist to" option (or whatever it's called) seems to be working just
fine with the exception of case sensitivity. I have 'mailer-daemon@*' in
spam.whitelist.com so I can test, but mail to MAILER-DAEMON@mydomain.com is
still being flagged.

Otherwise, I've been getting compliments on how well it works. Of course,
I always credit you and the others who have contributed so much to the
cause!

Thanks!

-Rich

On Fri, 19 Jul 2002, Julian Field wrote:

> My beta-testers, how are you folks getting on? Is it all working so far?
> No-one has been in touch, so I am assuming that no news is good news.
> I just installed the latest release on a new server here, too, and that
> went flawlessly.
>
> So unless someone comes up with some reports by Sunday or so, I'll release
> it to the world.
>
> Thanks guys!
> Jules.
>
> P.S. Just got a new Eizo 17" TFT monitor at work, *very* nice,
> hmmmmm....... :-)
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From mojahed at AGNI.COM Sat Jul 20 06:35:13 2002
From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat)
Date: Thu Jan 12 21:15:17 2006
Subject: sendmail 8.12 and mailscanner
In-Reply-To: <5.1.0.14.2.20020718101210.049ebc80@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020718101210.049ebc80@imap.ecs.soton.ac.uk>
Message-ID: <20020720053513.GH23638@venus.agni.com>

On Thu, Jul 18, 2002 at 10:13:29AM +0100, Julian Field wrote:
> >clientmqueue is used by the submission agent when it can not deliver a
> >mail immediately, e.g. DNS timeouts and other temporary problems. You
> >have to run a separate queue runner to flush the mails from clientmqueue
> >periodically. A typical way to run it is:
> >
> >        /usr/sbin/sendmail -L sm-msp-queue -Ac -q20m
> >
> >As far as I know, this queue runner will send the mails to the sendmail
> >daemon running on the local machine through SMTP. So, you don't need to
> >worry, your mails will end up in mailscanner's incoming queue. Just
> >remember to run this queue runner if you have locally generated mails.
>
> Thanks for the info. So clientmqueue will only get used once a delivery
> attempt has been made (and hence long after MailScanner has processed the
> message).

Sorry I wasn't clear enough. The order is a bit wrong. For locally
generated mail, the submission agent first tries to send the mail to the
local daemon through SMTP. If it succeeds, the mail will go to mqueue.in.
If it fails for a temporary error (e.g. DNS timeout in trying to
canonicalize sender/recipient domain), the mail will be put in
clientmqueue. The clientmqueue queue runner will pick up the mail later and
deliver it to the local daemon. So the mail will end up in mqueue.in
anyway.

--
Mojahed
System Administrator, Agni Systems Limited

From nwp at LEMON-COMPUTING.COM Sat Jul 20 06:11:02 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:17 2006
Subject: Problems with mail generated locally
In-Reply-To: <04ec01c22f73$bfc79db0$4bf90bc1@hemmet.chalmers.se>
References: <04ec01c22f73$bfc79db0$4bf90bc1@hemmet.chalmers.se>
Message-ID: <20020720051102.GC4572@hoiho.nz.lemon-computing.com>

On Sat, Jul 20, 2002 at 12:28:50AM +0200, Henrik Lewander wrote:
> lewander.com is in the local domains in exim_outgoing.conf, yes. I don't
> think it has something to do with the outgoing exim at all because the mail
> bounces immediately, it doesn't wait for the exim outgoing queue run.

You aren't clearing your retry db. Have a look at the web page documenting
Exim installation again, and look for exim_tidydb.

This won't bite until you have a message that for whatever reason has been sitting in the queue for longer than your retry timeout, so I didn't notice it for a while (I usually have a (very) long retry timeout). Oh, you should also make sure that you're not trying to deliver messages from the incoming queue from any lingering cron jobs (with Debian, for example, even when you are running exim as daemons with a daemon queue-running every so often, there is still a cron job to queue-run every 15 min, which you need/want to disable). Essentially this problem arises because exim treats even the explicit forced defer as a delivery failure, and notes this accordingly in the retry db. I'm hoping Exim 4 will have a neater way of "not delivering anything" once I get round to trying it. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Be security conscious -- National defense is at stake. From henrik at LEWANDER.COM Sat Jul 20 10:34:17 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:17 2006 Subject: Problems with mail generated locally References: <04ec01c22f73$bfc79db0$4bf90bc1@hemmet.chalmers.se> <20020720051102.GC4572@hoiho.nz.lemon-computing.com> Message-ID: <05d601c22fd0$9ee9f130$4bf90bc1@hemmet.chalmers.se> From: "Nick Phillips" > On Sat, Jul 20, 2002 at 12:28:50AM +0200, Henrik Lewander wrote: > > lewander.com is in the local domains in exim_outgoing.conf, yes. I don't > > think it has something to do with the outgoing exim at all because the mail > > bounces immediately, it doesn't wait for the exim outgoing queue run. > > You aren't clearing your retry db. Have a look at the web page documenting > Exim installation again, and look for exim_tidydb. > > This won't bite until you have a message that for whatever reason has been > sitting in the queue for longer than your retry timeout, so I didn't notice > it for a while (I usually have a (very) long retry timeout). 
Thanks a lot Nick, I had missed that exim_tidydb part of the installation. Regards, Henrik From mailscanner at ecs.soton.ac.uk Sat Jul 20 12:32:27 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: Not finding viruses but reporting clean In-Reply-To: <4.2.0.58.20020719153454.00aa1a10@argus> Message-ID: <5.1.0.14.2.20020720123131.03449c98@imap.ecs.soton.ac.uk> Please can you tell us rather more about your problem? All you have shown is that "sophoswrapper" is apparently set up okay. At 22:44 19/07/2002, you wrote: >Gurus, > >Problem: > >Sendmail reports -- X-ECS-MailScanner: Found to be clean >but Mailscanner not detecting any viruses in enterprise. > >Thanks, > >Fred > >++++++++++++++++++++++++++++++ > >Sendmail ver: Sendmail 8.8.8+Sun/8.8.8; > >++++++++++++++++++++++++++++++ > >Sophos ver: > >xxxx:/opt/mailscanner/etc*> sweep -v >SWEEP virus detection utility >Copyright (c) 1989,2002 Sophos Plc, www.sophos.com > >System time 15:39:15, System date 19 July 2002 > >Product version : 3.59 >Engine version : 2.5 >User interface version : 2.03.076 >Platform : Solaris/SPARC >Released : 01 July 2002 >Total viruses (with IDEs) : 74471 > >++++++++++++++++++++++++++++++ > >xxxx:/opt/mailscanner/bin*> check_mailscanner >Running with pid 20624 > >++++++++++++++++++++++++++++++ > >xxxx:/etc/init.d*> /opt/sophos/bin/sophoswrapper /opt/sophos >SWEEP virus detection utility >Version 3.59, July 2002 [Solaris/SPARC] >Includes detection for 74506 viruses, trojans and worms >Copyright (c) 1989,2002 Sophos Plc, www.sophos.com > >System time 15:26:55, System date 19 July 2002 > >IDE directory is: /opt/sophos/ide > >Using IDE file kitro-d.ide >Using IDE file fret-fam.ide >Using IDE file opey-bc.ide >Using IDE file tinit-b.ide >Using IDE file nahata-f.ide >Using IDE file momac-a.ide >Using IDE file datom-a.ide >Using IDE file gunsan-a.ide >Using IDE file mark-kr.ide >Using IDE file floodo.ide >Using IDE file calil.ide >Using IDE file 
kwbot-a.ide >Using IDE file duni-a.ide >Using IDE file bajar.ide >Using IDE file metrion.ide >Using IDE file zoek-d.ide >Using IDE file scalper.ide >Using IDE file dotor.ide >Using IDE file dest-j.ide >Using IDE file yaha-e.ide >Using IDE file higuy-a.ide >Using IDE file fishleta.ide >Using IDE file perrun-a.ide >Using IDE file chir-a.ide >Using IDE file cup-a.ide >Using IDE file chickf.ide > >Quick Sweeping > > >3 files swept in 1 second. >No viruses were discovered. >End of Sweep. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jul 20 13:08:35 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: Beta testers? Getting on okay? In-Reply-To: References: <5.1.0.14.2.20020719165124.02c36e70@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020720130425.047e8558@imap.ecs.soton.ac.uk> I've just tested a couple of messages with this setup, and it works fine on my version of perl. To be sure to be case-insensitive, it 1) converts the contents of spam.whitelist.conf to lower-case as it stores it 2) converts the addresses being tested to lower-case before testing them 3) does the tests as case-insensitive comparisons. So at least 2 of those must be failing on your Perl! :-( There's not much I can do to fix that as I already do everything I can to make it work robustly. Are you sure you spelled mailer-daemon correctly? At 04:43 20/07/2002, you wrote: >Jules, > >Congrats on the monitor! > >As far as the beta test is concerned, no real problems here! > >The "whitelist to" option (or whatever it's called) seems to be working >just fine with the exception of case sensitivity. > >I have 'mailer-daemon@*' in spam.whitelist.com so I can test, but mail to >MAILER-DAEMON@mydomain.com is still being flagged. > >Otherwise, I've been getting compliments on how well it works. 
Of course, >I always credit you and the others who have contributed so much to the >cause! > >Thanks! > >-Rich > >On Fri, 19 Jul 2002, Julian Field wrote: > > > My beta-testers, how are you folks getting on? Is it all working so far? > > No-one has been in touch, so I am assuming that no news is good news. > > I just installed the latest release on a new server here, too, and that > > went flawlessly. > > > > So unless someone comes up with some reports by Sunday or so, I'll release > > it to the world. > > > > Thanks guys! > > Jules. > > > > P.S. Just got a new Eizo 17" TFT monitor at work, *very* nice, > > hmmmmm....... :-) > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jul 20 13:11:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: sendmail 8.12 and mailscanner In-Reply-To: <20020720053513.GH23638@venus.agni.com> References: <5.1.0.14.2.20020718101210.049ebc80@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020717212521.030032d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020718101210.049ebc80@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020720131012.0481e848@imap.ecs.soton.ac.uk> At 06:35 20/07/2002, you wrote: >On Thu, Jul 18, 2002 at 10:13:29AM +0100, Julian Field wrote: > > >clientmqueue is used by the submission agent when it can not deliver a > > >mail immediately, e.g. DNS timeouts and other temporary problems. You > > >have to run a separate queue runner to flush the mails from clientmqueue > > >periodically. 
A typical way to run it is: > > > > > > /usr/sbin/sendmail -L sm-msp-queue -Ac -q20m > > > > > >As far as I know, this queue runner will send the mails to the sendmail > > >daemon running on the local machine through SMTP. So, you don't need to > > >worry, your mails will end up in MailScanner's incoming queue. Just > > >remember to run this queue runner if you have locally generated mails. > > > > Thanks for the info. So clientmqueue will only get used once a delivery > > attempt has been made (and hence long after MailScanner has processed the > > message). > >Sorry I wasn't clear enough. The order is a bit wrong. > >For locally generated mail, the submission agent first tries to send the >mail to the local daemon through SMTP. If it succeeds, the mail will go >to mqueue.in. If it fails for a temporary error (e.g. DNS timeout in >trying to canonicalize sender/recipient domain), the mail will be put in >clientmqueue. The clientmqueue queue runner will pick up the mail later >and deliver it to the local daemon. So the mail will end up in >mqueue.in anyway. Thanks for clearing that up. I understand now! :) So the net result is that MailScanner should indeed still work just the way it has in the past. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From henrik at LEWANDER.COM Sat Jul 20 13:39:26 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:15:17 2006 Subject: DCC is not used Message-ID: <067101c22fea$7c74b030$4bf90bc1@hemmet.chalmers.se> Hello! It seems DCC is not used by spamassassin when called from mailscanner, although I have "score DCC_CHECK 4.0" in spam.assassin.prefs.conf. I also tried adding it to the user_prefs file used but no luck. The DCC check works fine when I call spamassassin from the command line. Now that I look at it not one single spam has RAZOR_CHECK added either although razor1 is installed. 
I use Mailscanner 3.21-1 & Spamassassin 2.31 on Debian. Another question: when spamassassin times out, do you get an empty report then? I see that a number of times a day ie X-MailScanner-SpamCheck: not spam, SpamAssassin () Regards, Henrik From mailscanner at ecs.soton.ac.uk Sat Jul 20 14:10:15 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: DCC is not used In-Reply-To: <067101c22fea$7c74b030$4bf90bc1@hemmet.chalmers.se> Message-ID: <5.1.0.14.2.20020720140944.0308e550@imap.ecs.soton.ac.uk> At 13:39 20/07/2002, you wrote: >Another question: when spamassassin times out, do you get an empty report >then? I see that a number of times a day ie >X-MailScanner-SpamCheck: not spam, SpamAssassin () This has been fixed and will be in the next release (a couple of days or so). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Jul 20 14:36:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:17 2006 Subject: MAILSCANNER: mailscanner@ROSEHILL-1.IRC.GR requested to join Message-ID: <200207201336.OAA29539@magpie.ecs.soton.ac.uk> Sat, 20 Jul 2002 14:36:16 A request for to join the MAILSCANNER list (MailScanner mailing list) has been received from Sotiris Tsimbonis . The following membership options have been requested: CONCEAL. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER mailscanner@ROSEHILL-1.IRC.GR Sotiris Tsimbonis The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+mailscanner%40ROSEHILL-1.IRC.GR+Sotiris+Tsimbonis&L=MAILSCANNER This first link will add the member to the list. 
You can then set the membership options for this individual with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+CONCEAL+FOR+mailscanner%40ROSEHILL-1.IRC.GR&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at BARENDSE.TO Sat Jul 20 23:22:35 2002 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:15:17 2006 Subject: df2mbox In-Reply-To: Message-ID: Hi all! I tried the df2mbox script on the folder that contains archived messages. (RedHat box with sendmail) This is the error message I get: [root@linuxgw MailArchive]# /tmp/df2mbox * bash: /tmp/df2mbox: /bin/sh: bad interpreter: Argument list too long Could it be that the script or any of the utilities it calls cannot handle the fairly large amount of files in that directory? Thanks for any help! Remco From sevans at FOUNDATION.SDSU.EDU Sat Jul 20 23:57:23 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:17 2006 Subject: df2mbox Message-ID: <6214C3F9233D764C9E7029396C355015331274@mail.foundation.sdsu.edu> Specify a specific directory. For example I have the script in the quarantine directory and I run the command ./df2mbox *20 if I want to create an mbox file for 20020720. Steve Evans Computing Services (619) 594-0653 -----Original Message----- From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Saturday, July 20, 2002 3:23 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: df2mbox Hi all! I tried the df2mbox script on the folder that contains archived messages. (RedHat box with sendmail) This is the error message I get: [root@linuxgw MailArchive]# /tmp/df2mbox * bash: /tmp/df2mbox: /bin/sh: bad interpreter: Argument list too long Could it be that the script or any of the utilities it calls cannot handle the fairly large amount of files in that directory? Thanks for any help! 
Remco From dcooper at UKMATRIX.NET Sun Jul 21 23:30:14 2002 From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:17 2006 Subject: Administrator Emails Message-ID: <001901c23106$2f552830$0100a8c0@dcooper> Is it possible to set an admin email address for different domains? i.e. any viruses sent to domain1.com (which is in domains.to.scan.conf) notifies the sender, the recipient and administrator@domain1.com... any viruses sent to domain2.com does the same, but emails admin information to administrator@domain2.com Also, is there a planned release date for the next version of Mailscanner containing the support for file-blocking based on the recipient domain? Many thanks. Regards, Dan Cooper From mojahed at AGNI.COM Mon Jul 22 07:31:59 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:17 2006 Subject: SpamAssassin SQL Support Message-ID: <20020722063159.GB30084@venus.agni.com> Julian, Are there any plans to support SpamAssassins sql feature in MailScanner? 
Perhaps, it's already in the beta version? -- Mojahed System Administrator, Agni Systems Limited From mailscanner at ecs.soton.ac.uk Mon Jul 22 10:16:22 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: SpamAssassin SQL Support In-Reply-To: <20020722063159.GB30084@venus.agni.com> Message-ID: <5.1.0.14.2.20020722101456.031bc400@imap.ecs.soton.ac.uk> At 07:31 22/07/2002, you wrote: >Are there any plans to support SpamAssassins sql feature in MailScanner? >Perhaps, it's already in the beta version? What's stopping you doing it now? I thought that the sql feature was completely internal to SpamAssassin? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jul 22 10:13:58 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: Administrator Emails In-Reply-To: <001901c23106$2f552830$0100a8c0@dcooper> Message-ID: <5.1.0.14.2.20020722101237.0310f9a8@imap.ecs.soton.ac.uk> At 23:30 21/07/2002, you wrote: >Is it possible to set an admin email address for different domains? >i.e. any viruses sent to domain1.com (which is in domains.to.scan.conf) >notifies the sender, the recipient and >administrator@domain1.com... any viruses >sent to domain2.com does the same, but emails admin information to >administrator@domain2.com You can't do that yet, but the next major release (which won't be very soon, I'm afraid, we've got some big re-writes to do first!) will have much better per-domain support. I might decide to do it completely differently from the way the limited per-domain support is done now. >Also, is there a planned release date for the next version of Mailscanner >containing the support for file-blocking based on the recipient domain? As above. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020722/b662fd73/attachment.html From mojahed at AGNI.COM Mon Jul 22 10:13:50 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:17 2006 Subject: SpamAssassin SQL Support In-Reply-To: <20020722063159.GB30084@venus.agni.com> References: <20020722063159.GB30084@venus.agni.com> Message-ID: <20020722091350.GA3430@venus.agni.com> On Mon, Jul 22, 2002 at 12:31:59PM +0600, Mojahedul Hoque Abul Hasanat wrote: > > Are there any plans to support SpamAssassins sql feature in > MailScanner? 
Replying to my own question: If SpamAssassin is run by MailScanner, per user customization (sql or whatever) can not be applied, at least not cleanly. The problem is, when MailScanner sees the queue file, it still does not know what the actual recipient name will be. Alias and virtuser expansion has not been done yet at that point. If someone wants SA's per user customization, SA has to be taken out from MailScanner and moved to somewhere after sendmails local mailer in the delivery chain. -- Mojahed System Administrator, Agni Systems Limited From fredd at CI.ASPEN.CO.US Mon Jul 22 17:01:41 2002 From: fredd at CI.ASPEN.CO.US (Fred Dick) Date: Thu Jan 12 21:15:17 2006 Subject: Not finding viruses but reporting clean In-Reply-To: <5.1.0.14.2.20020720123131.03449c98@imap.ecs.soton.ac.uk> References: <4.2.0.58.20020719153454.00aa1a10@argus> Message-ID: <4.2.0.58.20020722094923.00a994a0@argus> I sent a test message with a virus (Klez) attached from an outside ISP to myself at the Mailscanner protected site. The mail showed it had an attachment before I opened it. When I opened it there was no attachment. It also said, Found to be clean. I also do not receive any system email alerts regarding that or any other virus. Went to /var/spool/MailScanner/quarantine/20020722 and found some other viruses but not my test virus. Where do I go from here with troubleshooting? Test virus has gone into a black hole and I'm not getting any email notifications. Thanks, Fred At 12:32 PM 7/20/02 +0100, you wrote: >Please can you tell us rather more about your problem? >All you have shown is that "sophoswrapper" is apparently set up okay. > >At 22:44 19/07/2002, you wrote: >>Gurus, >> >>Problem: >> >>Sendmail reports -- X-ECS-MailScanner: Found to be clean >>but Mailscanner not detecting any viruses in enterprise. 
>> >>Thanks, >> >>Fred >> >>++++++++++++++++++++++++++++++ >> >>Sendmail ver: Sendmail 8.8.8+Sun/8.8.8; >> >>++++++++++++++++++++++++++++++ >> >>Sophos ver: >> >>xxxx:/opt/mailscanner/etc*> sweep -v >>SWEEP virus detection utility >>Copyright (c) 1989,2002 Sophos Plc, www.sophos.com >> >>System time 15:39:15, System date 19 July 2002 >> >>Product version : 3.59 >>Engine version : 2.5 >>User interface version : 2.03.076 >>Platform : Solaris/SPARC >>Released : 01 July 2002 >>Total viruses (with IDEs) : 74471 >> >>++++++++++++++++++++++++++++++ >> >>xxxx:/opt/mailscanner/bin*> check_mailscanner >>Running with pid 20624 >> >>++++++++++++++++++++++++++++++ >> >>xxxx:/etc/init.d*> /opt/sophos/bin/sophoswrapper /opt/sophos >>SWEEP virus detection utility >>Version 3.59, July 2002 [Solaris/SPARC] >>Includes detection for 74506 viruses, trojans and worms >>Copyright (c) 1989,2002 Sophos Plc, www.sophos.com >> >>System time 15:26:55, System date 19 July 2002 >> >>IDE directory is: /opt/sophos/ide >> >>Using IDE file kitro-d.ide >>Using IDE file fret-fam.ide >>Using IDE file opey-bc.ide >>Using IDE file tinit-b.ide >>Using IDE file nahata-f.ide >>Using IDE file momac-a.ide >>Using IDE file datom-a.ide >>Using IDE file gunsan-a.ide >>Using IDE file mark-kr.ide >>Using IDE file floodo.ide >>Using IDE file calil.ide >>Using IDE file kwbot-a.ide >>Using IDE file duni-a.ide >>Using IDE file bajar.ide >>Using IDE file metrion.ide >>Using IDE file zoek-d.ide >>Using IDE file scalper.ide >>Using IDE file dotor.ide >>Using IDE file dest-j.ide >>Using IDE file yaha-e.ide >>Using IDE file higuy-a.ide >>Using IDE file fishleta.ide >>Using IDE file perrun-a.ide >>Using IDE file chir-a.ide >>Using IDE file cup-a.ide >>Using IDE file chickf.ide >> >>Quick Sweeping >> >> >>3 files swept in 1 second. >>No viruses were discovered. >>End of Sweep. > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 23 12:21:29 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: ANNOUNCE: Version 3.22-5 released Message-ID: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>

I have just released Version 3.22-5. Many thanks to the beta testers for finding the odd obscure bug.

A few new features this time:

* Spam White List configuration option now gives a filename whose contents are checked against both the sender's address and the recipients' addresses.
* Max Spam List Timeouts configuration value gives the threshold for the number of consecutive times a single "Spam List" or "Spam Domain" entry can timeout before it is removed from the list of places to be checked. It will be restored to the list at the next restart (every 4 hours by default).
* Max SpamAssassin Timeouts configuration value works the same way as "Max Spam List Timeouts" except it applies to SpamAssassin instead.
* Hide Incoming Work Dir configuration option allows you to hide the full directory pathname from the messages sent to users.
* Sign Messages Already Processed configuration option allows you to only sign messages once, regardless of how many times it has been scanned by your site.

There are also a few improvements, such as

* automatic cleanup of core files,
* improvements to the RedHat init.d script to ease upgrading,
* improved logging of RBL timeouts, and
* another form of wildcard in all the files that take addresses and domains. You can now have wildcards like "spam@*" as well as "*.domain.com".
* The RAV installation directory has been changed to /usr/local/rav8/bin which is where the RAV 8.x installation program puts it.
* The F-Prot autoupdate script now handles stray ^M characters properly, and incorporates the fix recently published by F-Prot. Please use my version and not the check-updates.sh as my version correctly locks out MailScanner while the upgrading is taking place. Failure to do this could let viruses through while it is being upgraded.
* The "Multiple Headers = replace" option is now more robust against bugs in some versions of Perl.

Download, as usual, from http://www.mailscanner.info/

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From rabellino at DI.UNITO.IT Tue Jul 23 13:26:38 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:17 2006 Subject: ANNOUNCE: Version 3.22-5 released References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> Message-ID: <3D3D4B7E.76A7542F@di.unito.it>

Julian Field wrote:
> > I have just released Version 3.22-5. >

Just installed .... I've upgraded my perl to 5.8.0 (All perl-tests are ok on my solaris8 box...), but launching mailscanner, I got this warning:

"unix passed to setlogsock, but path not available at logger.pl line 44"

Mailscanner now does not hang on this call, but changing the "unix" in

>logger.pl:44 eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r

to "inet" as follows

>logger.pl:44 eval { Sys::Syslog::setlogsock('inet'); }; # Doesn't need syslogd -r

the annoying warning disappears and the mailscanner logs go to syslogd as usual (maybe slower than unix socket).

Could be a good idea to set the logtype under mailscanner.conf in either unix/inet, maybe around the facility setting ???

Tks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603 From mailscanner at ecs.soton.ac.uk Tue Jul 23 14:16:51 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:17 2006 Subject: ANNOUNCE: Version 3.22-5 released In-Reply-To: <3D3D4B7E.76A7542F@di.unito.it> References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020723141547.04bc6fb0@imap.ecs.soton.ac.uk> At 13:26 23/07/2002, you wrote: >Just installed .... >I've upgraded my perl to 5.8.0 (All perl-tests are ok on my solaris8 >box...), but launching mailscanner, I got this warning: > "unix passed to setlogsock, but path not available at logger.pl line 44" > >Mailscanner now does not hang on this call, but changing the "unix" in > >logger.pl:44 eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need > syslogd -r >to "inet" as follow > >logger.pl:44 eval { Sys::Syslog::setlogsock('inet'); }; # Doesn't need > syslogd -r >the annoying warning disappear and the mailscanner logs goes to syslogd as >usual (maybe slower than unix socket). > >Could be a good idea to set the logtype under mailscanner.conf in either >unix/inet, maybe around the facility setting ??? The "unix" setlogsock works for nearly everyone, I think it's just a few OS's where the "inet" is needed. The point of the exercise was to try to *not* need anyone to edit their syslogd init.d script to edit the command-line parameters to make inet work. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From bill at DISTMIRR.COM Tue Jul 23 13:18:46 2002 From: bill at DISTMIRR.COM (Bill Omer) Date: Thu Jan 12 21:15:17 2006 Subject: slow down with Use SpamAssassin = yes Message-ID: <001701c23243$1882ad10$0400a8c0@billslaptop> I'm still having problems with MailScanner running very slowly when I have 'Use SpamAssassin = yes' in my mailscanner.conf file. I have 'skip_rbl_checks 1' in my spam.assassin.prefs.conf file. 
I have also downloaded and installed SpamAssassin again, just to make sure it wasn't a problem with it. I also have all RBL lines commented out. I'm not sure where the problem may be. For an idea on what I mean by "very slowly", here's a snippet of my logs: root@mail-server:/usr/local/MailScanner/etc# tail -f /var/log/messages | grep scanner Jul 23 07:14:22 mail-server mailscanner[31122]: MailScanner E-Mail Virus Scanner version 3.22 starting. Jul 23 07:14:22 mail-server mailscanner[31122]: Configuring mailscanner for sendmail... Jul 23 07:14:23 mail-server mailscanner[31122]: Using locktype = flock Jul 23 07:14:26 mail-server mailscanner[31123]: Startup: found 1515 messages waiting Jul 23 07:14:41 mail-server mailscanner[31123]: Forwarding 53 clean/unscanned messages, 411969 bytes Jul 23 07:14:41 mail-server mailscanner[31123]: Scanning 100 messages, 855578 bytes Jul 23 07:22:17 mail-server mailscanner[31123]: Scanned 100 messages, 855578 bytes in 15 seconds Jul 23 07:22:19 mail-server mailscanner[31123]: Forwarding 100 clean/unscanned messages, 1288695 bytes Jul 23 07:22:19 mail-server mailscanner[31123]: Scanning 100 messages, 1139850 bytes About 8 minutes to scan 100 messages. That's hurting me. However, when I use spamass-milter, it's screaming fast, but you must sacrifice functionality for speed (in my case, I'm not able to delete 'high scoring' spam while using the milter). I have contacted the authors of spamass-milter, and they have given me pointers on how to get this functionality, however my C skills are not well enough developed to complete the task. If anyone would be interested in pushing spamass-milter in to MailScanner, I'd be happy to post the information that I have been given. Either way, I was hoping that someone might be able to point me to the right direction as to where I should look on how to correct the speed problems that I'm experiencing. 
Thanks in advance,
Bill Omer

From Matthew_doherty at DATAWATCH.COM Tue Jul 23 15:06:17 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
Message-ID:

don't ya just love SUN. lol

Matt Doherty
IT Dept
Datawatch Corp
>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, July 23, 2002 10:37 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Version 3.22-5 released

At 13:26 23/07/2002, you wrote:
>Just installed ....
>I've upgraded my perl to 5.8.0 (All perl-tests are ok on my solaris8
>box...), but launching mailscanner, I got this warning:
> "unix passed to setlogsock, but path not available at logger.pl line 44"
>
>Mailscanner now does not hang on this call, but changing the "unix" in
>
>logger.pl:44 eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need
> syslogd -r
>to "inet" as follow
>
>logger.pl:44 eval { Sys::Syslog::setlogsock('inet'); }; # Doesn't need
> syslogd -r
>the annoying warning disappear and the mailscanner logs goes to syslogd as
>usual (maybe slower than unix socket).
>
>Could be a good idea to set the logtype under mailscanner.conf in either
>unix/inet, maybe around the facility setting ???

The "unix" setlogsock works for nearly everyone, I think it's just a few OS's where the "inet" is needed. The point of the exercise was to try to *not* need anyone to edit their syslogd init.d script to edit the command-line parameters to make inet work.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 23 15:04:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:17 2006
Subject: slow down with Use SpamAssassin = yes
In-Reply-To: <001701c23243$1882ad10$0400a8c0@billslaptop>
Message-ID: <5.1.0.14.2.20020723150317.04dd2090@imap.ecs.soton.ac.uk>

What version of MailScanner are you using? Do you have a setting Compile SpamAssassin Once = yes in your mailscanner.conf file?

If you are running an old version that doesn't have this setting, then I advise you upgrade. Using either a spamc/spamd solution or a milter solution won't go any faster than new versions of MailScanner (in the end of the day, the underlying SpamAssassin engine is all perl).

At 13:18 23/07/2002, you wrote:
>I'm still having problems with MailScanner running very slowly when I have
>'Use SpamAssassin = yes' in my mailscanner.conf file. I have
>'skip_rbl_checks 1' in my spam.assassin.prefs.conf file. I have also
>downloaded and installed SpamAssassin again, just to make sure it wasn't a
>problem with it. I also have all RBL lines commented out. I'm not sure
>where the problem may be.
>
>For an idea on what I mean by "very slowly", here's a snippet of my logs:
>
>root@mail-server:/usr/local/MailScanner/etc# tail -f /var/log/messages |
>grep scanner
>
>Jul 23 07:14:22 mail-server mailscanner[31122]: MailScanner E-Mail Virus
>Scanner version 3.22 starting.
>
>Jul 23 07:14:22 mail-server mailscanner[31122]: Configuring mailscanner
>for sendmail...
>
>Jul 23 07:14:23 mail-server mailscanner[31122]: Using locktype = flock
>
>Jul 23 07:14:26 mail-server mailscanner[31123]: Startup: found 1515
>messages waiting
>
>Jul 23 07:14:41 mail-server mailscanner[31123]: Forwarding 53
>clean/unscanned messages, 411969 bytes
>
>Jul 23 07:14:41 mail-server mailscanner[31123]: Scanning 100 messages,
>855578 bytes
>
>Jul 23 07:22:17 mail-server mailscanner[31123]: Scanned 100 messages,
>855578 bytes in 15 seconds
>
>Jul 23 07:22:19 mail-server mailscanner[31123]: Forwarding 100
>clean/unscanned messages, 1288695 bytes
>
>Jul 23 07:22:19 mail-server mailscanner[31123]: Scanning 100 messages,
>1139850 bytes
>
>About 8 minutes to scan 100 messages. That's hurting me. However, when I
>use spamass-milter, it's screaming fast, but you must sacrifice
>functionality for speed (in my case, I'm not able to delete 'high scoring'
>spam while using the milter).
>
>I have contacted the authors of spamass-milter, and they have given me
>pointers on how to get this functionality, however my C skills are not
>well enough developed to complete the task. If anyone would be interested
>in pushing spamass-milter in to MailScanner, I'd be happy to post the
>information that I have been given.
>
>Either way, I was hoping that someone might be able to point me to the
>right direction as to where I should look on how to correct the speed
>problems that I'm experiencing.
>
>Thanks in advance,
>
>Bill Omer
>

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mike at CAMAROSS.NET Tue Jul 23 15:20:21 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>
Message-ID: <00c801c23254$15b1f120$6501a8c0@home.wideopenthrottle.org>

Only thing I noticed so far:

**** Please look for any new options in mailscaner.conf.rpmnew
**** and update your mailscanner.conf file appropriately.
****

mailscanner.conf.rpmnew is spelled incorrectly :)

Mike

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, July 23, 2002 6:21 AM
Subject: ANNOUNCE: Version 3.22-5 released

> I have just released Version 3.22-5.
>
> Many thanks to the beta testers for finding the odd obscure bug.
>
> A few new features this time:
>
> * Spam White List configuration option now gives a filename whose contents
> are checked against both the sender's address and the recipients' addresses.
> * Max Spam List Timeouts configuration value gives the threshold for the
> number of consecutive times a single "Spam List" or "Spam Domain" entry can
> timeout before it is removed from the list of places to be checked. It will
> be restored to the list at the next restart (every 4 hours by default).
> * Max SpamAssassin Timeouts configuration value works the same way as "Max
> Spam List Timeouts" except it applies to SpamAssassin instead.
> * Hide Incoming Work Dir configuration option allows you to hide the full
> directory pathname from the messages sent to users.
> * Sign Messages Already Processed configuration option allow you to only
> sign messages once, regardless of how many times it has been scanned by
> your site.
>
> There are also a few improvements, such as
> * automatic cleanup of core files,
> * improvements to the RedHat init.d script to ease upgrading,
> * improved logging of RBL timeouts, and
> * another form of wildcard in all the files that take addresses and
> domains. You can now have wildcards like "spam@*" as well as "*.domain.com".
>
> * The RAV installation directory has been changed to /usr/local/rav8/bin
> which is where the RAV 8.x installation program puts it.
> * The F-Prot autoupdate script now handles stray ^M characters properly,
> and incorporates the fix recently published by F-Prot. Please use my
> version and not the check-updates.sh as my version correctly locks out
> MailScanner while the upgrading is taking place. Failure to do this could
> let viruses through while it is being upgraded.
> * The "Multple Headers = replace" option is now more robust against bugs in
> some versions of Perl.
>
> Download, as usual, from
> http://www.mailscanner.info/
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>

From rabellino at DI.UNITO.IT Tue Jul 23 15:23:51 2002
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723141547.04bc6fb0@imap.ecs.soton.ac.uk>
Message-ID: <3D3D66F7.17652861@di.unito.it>

Julian Field wrote:
>
> At 13:26 23/07/2002, you wrote:
> >Just installed ....
> >I've upgraded my perl to 5.8.0 (All perl-tests are ok on my solaris8
> >box...), but launching mailscanner, I got this warning:
> > "unix passed to setlogsock, but path not available at logger.pl line 44"
> >
> >Mailscanner now does not hang on this call, but changing the "unix" in
>
> >logger.pl:44 eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need
> > syslogd -r
> >to "inet" as follow
>
> >logger.pl:44 eval { Sys::Syslog::setlogsock('inet'); }; # Doesn't need
> > syslogd -r
> >the annoying warning disappear and the mailscanner logs goes to syslogd as
> >usual (maybe slower than unix socket).
> >
> >Could be a good idea to set the logtype under mailscanner.conf in either
> >unix/inet, maybe around the facility setting ???
>
> The "unix" setlogsock works for nearly everyone, I think it's just a few
> OS's where the "inet" is needed. The point of the exercise was to try to
> *not* need anyone to edit their syslogd init.d script to edit the
> command-line parameters to make inet work.

hmmm... My syslogd script is untouched and inetd works automagically .... Obviously You must have a loghost defined in your hosts file.

Boh. for now I change my logger.pl :-)
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701 Fax. +39-011751603

From fredd at CI.ASPEN.CO.US Tue Jul 23 15:50:54 2002
From: fredd at CI.ASPEN.CO.US (Fred Dick)
Date: Thu Jan 12 21:15:17 2006
Subject: Not finding viruses but reporting clean
In-Reply-To: <4.2.0.58.20020722094923.00a994a0@argus>
References: <5.1.0.14.2.20020720123131.03449c98@imap.ecs.soton.ac.uk> <4.2.0.58.20020719153454.00aa1a10@argus>
Message-ID: <4.2.0.58.20020723084937.00aa31a8@argus>

Traced the no mail to an alias problem after updating Sendmail.

FD

At 10:01 AM 7/22/02 -0600, you wrote:
>I sent a test message with a virus (Klez) attached from an outside ISP to
>myself at the Mailscanner protected site.
>
>The mail showed it had an attachment before I opened it. When I opened it
>there was no attachment. It also said, Found to be clean.
>
>I also do not receive any system email alerts regarding that or any other
>virus.
>
>Went to /var/spool/MailScanner/quarantine/20020722 and found some other
>viruses but not my test virus.
>
>Where do I go from here with troubleshooting? Test virus has gone into a
>black hole and I'm not getting any email notifications.
>
>Thanks, Fred
>
>At 12:32 PM 7/20/02 +0100, you wrote:
>
>>Please can you tell us rather more about your problem?
>>All you have shown is that "sophoswrapper" is apparently set up okay.
>>
>>At 22:44 19/07/2002, you wrote:
>>>Gurus,
>>>
>>>Problem:
>>>
>>>Sendmail reports -- X-ECS-MailScanner: Found to be clean
>>>but Mailscanner not detecting any viruses in enterprise.
>>>
>>>Thanks,
>>>
>>>Fred
>>>
>>>++++++++++++++++++++++++++++++
>>>
>>>Sendmail ver: Sendmail 8.8.8+Sun/8.8.8;
>>>
>>>++++++++++++++++++++++++++++++
>>>
>>>Sophos ver:
>>>
>>>xxxx:/opt/mailscanner/etc*> sweep -v
>>>SWEEP virus detection utility
>>>Copyright (c) 1989,2002 Sophos Plc, www.sophos.com
>>>
>>>System time 15:39:15, System date 19 July 2002
>>>
>>>Product version : 3.59
>>>Engine version : 2.5
>>>User interface version : 2.03.076
>>>Platform : Solaris/SPARC
>>>Released : 01 July 2002
>>>Total viruses (with IDEs) : 74471
>>>
>>>++++++++++++++++++++++++++++++
>>>
>>>xxxx:/opt/mailscanner/bin*> check_mailscanner
>>>Running with pid 20624
>>>
>>>++++++++++++++++++++++++++++++
>>>
>>>xxxx:/etc/init.d*> /opt/sophos/bin/sophoswrapper /opt/sophos
>>>SWEEP virus detection utility
>>>Version 3.59, July 2002 [Solaris/SPARC]
>>>Includes detection for 74506 viruses, trojans and worms
>>>Copyright (c) 1989,2002 Sophos Plc, www.sophos.com
>>>
>>>System time 15:26:55, System date 19 July 2002
>>>
>>>IDE directory is: /opt/sophos/ide
>>>
>>>Using IDE file kitro-d.ide
>>>Using IDE file fret-fam.ide
>>>Using IDE file opey-bc.ide
>>>Using IDE file tinit-b.ide
>>>Using IDE file nahata-f.ide
>>>Using IDE file momac-a.ide
>>>Using IDE file datom-a.ide
>>>Using IDE file gunsan-a.ide
>>>Using IDE file mark-kr.ide
>>>Using IDE file floodo.ide
>>>Using IDE file calil.ide
>>>Using IDE file kwbot-a.ide
>>>Using IDE file duni-a.ide
>>>Using IDE file bajar.ide
>>>Using IDE file metrion.ide
>>>Using IDE file zoek-d.ide
>>>Using IDE file scalper.ide
>>>Using IDE file dotor.ide
>>>Using IDE file dest-j.ide
>>>Using IDE file yaha-e.ide
>>>Using IDE file higuy-a.ide
>>>Using IDE file fishleta.ide
>>>Using IDE file perrun-a.ide
>>>Using IDE file chir-a.ide
>>>Using IDE file cup-a.ide
>>>Using IDE file chickf.ide
>>>
>>>Quick Sweeping
>>>
>>>
>>>3 files swept in 1 second.
>>>No viruses were discovered.
>>>End of Sweep.
>>
>>--
>>Julian Field Teaching Systems Manager
>>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817 University of Southampton
>> Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 23 16:12:05 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
In-Reply-To: <00c801c23254$15b1f120$6501a8c0@home.wideopenthrottle.org>
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020723161156.04e7aa20@imap.ecs.soton.ac.uk>

At 15:20 23/07/2002, you wrote:
>Only thing I noticed so far:
>
>**** Please look for any new options in mailscaner.conf.rpmnew
>**** and update your mailscanner.conf file appropriately.
>****
>
>mailscanner.conf.rpmnew is spelled incorrectly :)

Fixed. Thanks.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mojahed at AGNI.COM Tue Jul 23 16:28:28 2002
From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat)
Date: Thu Jan 12 21:15:17 2006
Subject: SpamAssassin SQL Support
In-Reply-To: <5.1.0.14.2.20020722101456.031bc400@imap.ecs.soton.ac.uk>
References: <20020722063159.GB30084@venus.agni.com> <5.1.0.14.2.20020722101456.031bc400@imap.ecs.soton.ac.uk>
Message-ID: <20020723152828.GA4902@venus.agni.com>

On Mon, Jul 22, 2002 at 10:16:22AM +0100, Julian Field wrote:
> At 07:31 22/07/2002, you wrote:
> >Are there any plans to support SpamAssassins sql feature in MailScanner?
> >Perhaps, it's already in the beta version?
>
> What's stopping you doing it now? I thought that the sql feature was
> completely internal to SpamAssassin?

I wanted to do "per recipient" customization. SpamAssassin must know the recipients name to do that. MailScanner runs right after sendmail puts the received mail in the queue.
You could take the recipient name from the qf* file, but unfortunately, this may not be the "final" recipient name. Alias and virtuser table expansion happens when the local mailer is run.

--
Mojahed
System Administrator, Agni Systems Limited

From munafo at PREZZEMOLO.POLITO.IT Tue Jul 23 16:46:35 2002
From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo')
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
In-Reply-To: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>
Message-ID: <02072317463501.13711@prezzemolo.polito.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 23 July 2002 13:21, Julian Field wrote:
> I have just released Version 3.22-5.
>
> Many thanks to the beta testers for finding the odd obscure bug.
>
> A few new features this time:
>
> * Spam White List configuration option now gives a filename whose contents
> are checked against both the sender's address and the recipients'
> addresses.

This is VERY misleading. I had my domain polito.it in the whitelist
to accept all the messages coming from people in the domain (so to avoid
false positives) and now all the messages were whitelisted since polito.it
is always the destination domain!

I do not know how easy is to work around, since I should now list all the
possible local domains

The previous content was

*.polito.it
polito.it

I'm afraid @polito.it will not be sufficient, since people often uses their
full email address (the one name@machine) and there are lots of possible
addresses in our domain (not all under my control).

Is there a problem in my configuration or this is a more serious problem?

Thanks,

Maurizio Munafo'

- --
______
 / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb
 / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP
 / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK"
 / I-10129 Torino (Italia) / dMP dMP dMP dMF
 / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP"
/ E-mail: munafo@polito.it /__________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9PXpctgCCNnfQWWkRAhWpAJwNH32fuVOPQMNvcgvsAHsKg1AdbQCfUv9R
9gE27EXPQ2l08114qkLi9ek=
=3Cqn
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Tue Jul 23 16:56:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
In-Reply-To: <02072317463501.13711@prezzemolo.polito.it>
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk>

At 16:46 23/07/2002, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Tuesday 23 July 2002 13:21, Julian Field wrote:
> > I have just released Version 3.22-5.
> >
> > Many thanks to the beta testers for finding the odd obscure bug.
> >
> > A few new features this time:
> >
> > * Spam White List configuration option now gives a filename whose contents
> > are checked against both the sender's address and the recipients'
> > addresses.
>
>This is VERY misleading. I had my domain polito.it in the whitelist
>to accept all the messages coming from people in the domain (so to avoid
>false positives) and now all the messages were whitelisted since polito.it
>is always the destination domain!

The solution is very simple. Use "Accept Spam From" to define the net blocks your local network lives in, whitelisting all your local hosts. Use "Spam WhiteList" to define all the named domains which you want to accept spam from.

>I do not know how easy is to work around, since I should now list all the
>possible local domains
>
>The previous content was
>
>*.polito.it
>polito.it
>
>I'm afraid @polito.it will not be sufficient, since people often uses their
>full email address (the one name@machine) and there are lots of possible
>addresses in our domain (not all under my control).
>
>Is there a problem in my configuration or this is a more serious problem?
>
>Thanks,
>
>Maurizio Munafo'
>
>- --
>______
> / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb
> / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP
> / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK"
> / I-10129 Torino (Italia) / dMP dMP dMP dMF
> / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP"
>/ E-mail: munafo@polito.it /__________________________
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.5 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE9PXpctgCCNnfQWWkRAhWpAJwNH32fuVOPQMNvcgvsAHsKg1AdbQCfUv9R
>9gE27EXPQ2l08114qkLi9ek=
>=3Cqn
>-----END PGP SIGNATURE-----

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From rabellino at DI.UNITO.IT Tue Jul 23 17:23:22 2002
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk>
Message-ID: <3D3D82FA.6FE07F4A@di.unito.it>

Julian Field wrote:
>
> At 16:46 23/07/2002, you wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On Tuesday 23 July 2002 13:21, Julian Field wrote:
> > > I have just released Version 3.22-5.
> > >
> > > Many thanks to the beta testers for finding the odd obscure bug.
> > >
> > > A few new features this time:
> > >
> > > * Spam White List configuration option now gives a filename whose contents
> > > are checked against both the sender's address and the recipients'
> > > addresses.
> >
> >This is VERY misleading. I had my domain polito.it in the whitelist
> >to accept all the messages coming from people in the domain (so to avoid
> >false positives) and now all the messages were whitelisted since polito.it
> >is always the destination domain!
>
> The solution is very simple. Use "Accept Spam From" to define the net
> blocks your local network lives in, whitelisting all your local hosts. Use
> "Spam WhiteList" to define all the named domains which you want to accept
> spam from.
>

Maybe it's an Italian problem ( :- )) , but I had the same solution used by munafo' into my mailscanner configuration.
Now your solution it's a simple breakout for the problem, but I have to add 52 rules to my configuration and their maintenance it's not so simple as my university network sometimes change without any advise to me....

Could be a simpler solution create two files for the spam whitelisting ? One file for the To addresses check and one file for the From addresses ?

So I could leave the "from" whitelist as now and the "to" whitelist without any domain listed.

Tks.
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701 Fax. +39-011751603

From mailscanner at ecs.soton.ac.uk Tue Jul 23 17:24:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:17 2006
Subject: ANNOUNCE: Version 3.22-5 released
In-Reply-To: <02072318185903.13711@prezzemolo.polito.it>
References: <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk>

At 17:18 23/07/2002, you wrote:
> > The solution is very simple. Use "Accept Spam From" to define the net
> > blocks your local network lives in, whitelisting all your local hosts. Use
> > "Spam WhiteList" to define all the named domains which you want to accept
> > spam from.
> >
>
>Thanks. In fact I already noticed that the really local messages (coming from
>the machines in the subnets under my control and so in 'Accept Spam From')
>were whitelisted and I put the whole subnet in the Accept Spam From.
>BTW, is it possible to indicate a masked subnet, perhaps in a future version?

That would have been a good idea. Currently you can only do 8/16/24 bit subnets. Never thought of it...

>My concern was also that, like me, there could be a lot of other users
>putting their domain in spam.whitelist.conf and who cannot easily define
>their incoming domain using Accept Spam From.

True. Next version...
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Chris.Campbell at FAC.COM Tue Jul 23 17:32:58 2002
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:15:18 2006
Subject: secretly copy message feature in new version?
Message-ID:

Am I reading the conf right? Is this an option..and if so, what is the syntax in secretly.copy.mail.conf?

Thanks!

.....................................
Christopher S. Campbell
UNIX Admin

From munafo at PREZZEMOLO.POLITO.IT Tue Jul 23 18:19:08 2002
From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo')
Date: Thu Jan 12 21:15:18 2006
Subject: From/To Whitelist (was Re: ANNOUNCE: Version 3.22-5 released)
In-Reply-To: <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk>
Message-ID: <02072319190805.13711@prezzemolo.polito.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 23 July 2002 18:24, Julian Field wrote:
> At 17:18 23/07/2002, you wrote:
> > > The solution is very simple. Use "Accept Spam From" to define the net
> > > blocks your local network lives in, whitelisting all your local hosts.
> > > Use "Spam WhiteList" to define all the named domains which you want to
> > > accept spam from.
> >
> >Thanks. In fact I already noticed that the really local messages (coming
> > from the machines in the subnets under my control and so in 'Accept Spam
> > From') were whitelisted and I put the whole subnet in the Accept Spam
> > From. BTW, is it possible to indicate a masked subnet, perhaps in a
> > future version?
>
> That would have been a good idea. Currently you can only do 8/16/24 bit
> subnets. Never thought of it...
>

After some checking, looks like the generic 'Accept Spam From' is not a
solution for me, since the main mail server of our domain (the one receiving
the mail xxx@polito.it and delivering to my subnet) was included in 'Accept
Spam From', so all the incoming mail were marked as whitelisted.

Back to the restricted 'Accept Spam From'.

Regards,

Maurizio

- --
______
 / Maurizio M. Munafo' / dMMMMMMMMb dMMMMb
 / Dip. di Elettronica - Politecnico di Torino / dMP"dMP"dMP "dMP
 / Corso Duca degli Abruzzi 24 / dMP dMP dMP dMMK"
 / I-10129 Torino (Italia) / dMP dMP dMP dMF
 / Tel: +39 011 5644128 Fax: +39 011 5644099 / dMP dMP dMP dMMMMP"
/ E-mail: munafo@polito.it /__________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9PZAMtgCCNnfQWWkRAtF+AJ9GcwbnHwWVoaH6t+7qkwn7arOgxQCfWKia
at0S5+Y9V8MSJHQ+1/f+TgQ=
=GBfj
-----END PGP SIGNATURE-----

From brose at MED.WAYNE.EDU Tue Jul 23 18:33:01 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:18 2006
Subject: SpamAssassin SQL Support
Message-ID:

Can you even do this using the spamassassinb + spamass-milter?

-----Original Message-----
From: Mojahedul Hoque Abul Hasanat [mailto:mojahed@AGNI.COM]
Sent: Tuesday, July 23, 2002 11:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin SQL Support

On Mon, Jul 22, 2002 at 10:16:22AM +0100, Julian Field wrote:
> At 07:31 22/07/2002, you wrote:
> >Are there any plans to support SpamAssassins sql feature in
> >MailScanner? Perhaps, it's already in the beta version?
>
> What's stopping you doing it now? I thought that the sql feature was
> completely internal to SpamAssassin?

I wanted to do "per recipient" customization. SpamAssassin must know the recipients name to do that. MailScanner runs right after sendmail puts the received mail in the queue.
You could take the recipient name from the qf* file, but unfortunately, this may not be the "final" recipient name. Alias and virtuser table expansion happens when the local mailer is run.

--
Mojahed
System Administrator, Agni Systems Limited

From mailscanner at ecs.soton.ac.uk Tue Jul 23 19:00:04 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: secretly copy message feature in new version?
In-Reply-To:
Message-ID: <5.1.0.14.2.20020723185721.02f037a0@imap.ecs.soton.ac.uk>

At 17:32 23/07/2002, you wrote:
>Am I reading the conf right? Is this an option..and if so, what is the
>syntax in secretly.copy.mail.conf?

Please don't use this yet, I haven't finished it. It shouldn't have been in the conf files.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 23 18:57:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: ANNOUNCE: Version 3.22-5 released
In-Reply-To: <3D3D82FA.6FE07F4A@di.unito.it>
References: <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020723185604.02f7da08@imap.ecs.soton.ac.uk>

At 17:23 23/07/2002, you wrote:
>Julian Field wrote:
> >
> > At 16:46 23/07/2002, you wrote:
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > >On Tuesday 23 July 2002 13:21, Julian Field wrote:
> > > > I have just released Version 3.22-5.
> > > >
> > > > Many thanks to the beta testers for finding the odd obscure bug.
> > > >
> > > > A few new features this time:
> > > >
> > > > * Spam White List configuration option now gives a filename whose
> contents
> > > > are checked against both the sender's address and the recipients'
> > > > addresses.
> > >
> > >This is VERY misleading. I had my domain polito.it in the whitelist
> > >to accept all the messages coming from people in the domain (so to avoid
> > >false positives) and now all the messages were whitelisted since
> polito.it
> > >is always the destination domain!
> >
> > The solution is very simple. Use "Accept Spam From" to define the net
> > blocks your local network lives in, whitelisting all your local hosts. Use
> > "Spam WhiteList" to define all the named domains which you want to accept
> > spam from.
> >
>Maybe it's an Italian problem ( :- )) , but I had the same solution used
>by munafo' into my mailscanner configuration.
>Now your solution it's a simple breakout for the problem, but I have to
>add 52 rules to my configuration and their maintenance it's not so
>simple as my university network sometimes change without any advise to me....
>
>Could be a simpler solution create two files for the spam whitelisting ?
>One file for the To addresses check and one file for the From
>addresses ?
>
>So I could leave the "from" whitelist as now and the "to" whitelist
>without any domain listed.

That sounds quite a good solution. Should be easy to implement too :-) (which means you folks get the feature more quickly).
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jul 23 19:36:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: From/To Whitelist (was Re: ANNOUNCE: Version 3.22-5 released)
In-Reply-To: <02072319190805.13711@prezzemolo.polito.it>
References: <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020723190036.02e80f28@imap.ecs.soton.ac.uk>

At 18:19 23/07/2002, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Tuesday 23 July 2002 18:24, Julian Field wrote:
> > At 17:18 23/07/2002, you wrote:
> > > > The solution is very simple. Use "Accept Spam From" to define the net
> > > > blocks your local network lives in, whitelisting all your local hosts.
> > > > Use "Spam WhiteList" to define all the named domains which you want to
> > > > accept spam from.
> > >
> > >Thanks. In fact I already noticed that the really local messages (coming
> > > from the machines in the subnets under my control and so in 'Accept Spam
> > > From') were whitelisted and I put the whole subnet in the Accept Spam
> > > From. BTW, is it possible to indicate a masked subnet, perhaps in a
> > > future version?
> >
> > That would have been a good idea. Currently you can only do 8/16/24 bit
> > subnets. Never thought of it...
> >
>
>After some checking, looks like the generic 'Accept Spam From' is not a
>solution for me, since the main mail server of our domain (the one receiving
>the mail xxx@polito.it and delivering to my subnet) was included in 'Accept
>Spam From', so all the incoming mail were marked as whitelisted.
>
>Back to the restricted 'Accept Spam From'.

What I have done is this:
I have extended the syntax of the spam.whitelist.conf file and left the configuration keywords as they are. Instead of an "address" per line, it now has "To" or "From" plus an address on each line. Backwards compatibility is provided by recognising it when there is only 1 word on the line, not the 2 in the new syntax.

Take a look at version 3.22-6 which is in the downloads directory (but not linked from the web site yet).

Please can you give this one a go and see if it solves the problem for you. I need to do some more testing before publicly releasing it, so all feedback is much appreciated.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jul 23 20:36:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: From/To Whitelist (was Re: ANNOUNCE: Version 3.22-5 released) In-Reply-To: <5.1.0.14.2.20020723190036.02e80f28@imap.ecs.soton.ac.uk> References: <02072319190805.13711@prezzemolo.polito.it> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020723203559.031b08d0@imap.ecs.soton.ac.uk> At 19:36 23/07/2002, you wrote: >Take a look at version 3.22-6 which is in the downloads directory (but not >linked from the web site yet). Please can you give this one a go and see if >it solves the problem for you. I need to do some more testing before >publicly releasing it, so all feedback is much appreciated. It is now linked from www.mailscanner.info so let me know what you think of this solution. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From pkoinange at SWIFTKENYA.COM Wed Jul 24 06:26:30 2002 From: pkoinange at SWIFTKENYA.COM (Peter Koinange) Date: Thu Jan 12 21:15:18 2006 Subject: Mailscanner 3.22-5 and Antivir Version 2.0.3 In-Reply-To: <5.1.0.14.2.20020723141547.04bc6fb0@imap.ecs.soton.ac.uk> References: <3D3D4B7E.76A7542F@di.unito.it> <5.1.0.14.2.20020723121611.02cc07e8@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.0.20020724080505.0236e6a0@mail.swiftkenya.com> I have just installed Mailscanner 3.22-5 and Antivir Version 2.0.3 (H+BEDV ) using sendmail and I am getting a couple of errors. 
According to the mailscanner.conf file antivir is supported however when Minimum Code Status is set to supported or beta or alpha i get the following error Jul 24 08:08:28 mailscanner[4064]: FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml and mailscanner exits When Minimum Code Status is set to unsupported mailscanner scans the message but the log reports the following :- Jul 24 08:13:54 mailscanner[4436]: Either you've found a bug in MailScanner's AntiVir output parser, or AntiVir's output format has changed! ..... This message is repeated for every line from the the output of antivir listed below :- AntiVir / Linux Version 2.0.3 Copyright (C) 1994-2002 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.14.0.15 created 23 Jul 2002 AntiVir license: xxxxxxx for Peter Koinange, Nairobi checking drive/path (cwd): /root ----- scan results ----- directories: 1 files: 0 infected: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. I--- I have set my sweep to Sweep = /usr/lib/AntiVir/antivir -e -z Can somebody please help me out here: Thanks Peter Koinange From LISTSERV at JISCMAIL.AC.UK Wed Jul 24 09:52:55 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:18 2006 Subject: MAILSCANNER: klaus.strebel@EIGNER.COM requested to join Message-ID: <200207240853.JAA02876@magpie.ecs.soton.ac.uk> Wed, 24 Jul 2002 09:52:55 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Klaus Strebel . The following subscription options have been requested: NOHTML MIME DIGEST. 
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER klaus.strebel@EIGNER.COM Klaus Strebel The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+klaus.strebel%40EIGNER.COM+Klaus+Strebel&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOHTML+MIME+DIGEST+FOR+klaus.strebel%40EIGNER.COM&L=MAILSCANNER From LISTSERV at JISCMAIL.AC.UK Wed Jul 24 10:28:26 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:18 2006 Subject: MAILSCANNER: thc@SCORT.COM left the list Message-ID: <200207240928.KAA06363@magpie.ecs.soton.ac.uk> Wed, 24 Jul 2002 10:28:26 Thierry Carrez has just signed off the MAILSCANNER list (MailScanner mailing list).
------------------------- Original mail header -------------------------- [WWW request received from 213.41.103.70] From ombraun at GMX.DE Wed Jul 24 08:58:57 2002 From: ombraun at GMX.DE (Otto-Michael BRAUN) Date: Thu Jan 12 21:15:18 2006 Subject: UUCP, sendmail, mailscanner Message-ID: <5.1.0.14.2.20020724085857.023843f0@pop.snafu.de> We use UUCP for mail transport in many schools and there is obviously the need to scan incoming and outgoing e-mails. There is however a problem with UUCP and the sendmail queue. Has anyone succeeded in installing mailscanner and UUCP and could give some advice, please ? Any help appreciated! Otto-Michael BRAUN Supervisory School Authority KorBIT Berlin, Germany From rabellino at DI.UNITO.IT Wed Jul 24 09:37:51 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:15:18 2006 Subject: From/To Whitelist (was Re: ANNOUNCE: Version 3.22-5 released) References: <02072319190805.13711@prezzemolo.polito.it> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723165507.02d138b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723172248.04bc7a48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020723203559.031b08d0@imap.ecs.soton.ac.uk> Message-ID: <3D3E675F.6769A9E6@di.unito.it> Julian Field wrote: > > At 19:36 23/07/2002, you wrote: > >Take a look at version 3.22-6 which is in the downloads directory (but not > >linked from the web site yet). Please can you give this one a go and see if > >it solves the problem for you. I need to do some more testing before > >publicly releasing it, so all feedback is much appreciated. > > It is now linked from www.mailscanner.info so let me know what you think of > this solution. > -- Just downloaded, installed and running now .... It's seems a good solution, very well done. Tks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603 From mojahed at AGNI.COM Wed Jul 24 13:49:33 2002 From: mojahed at AGNI.COM (Mojahedul Hoque Abul Hasanat) Date: Thu Jan 12 21:15:18 2006 Subject: UUCP, sendmail, mailscanner In-Reply-To: <5.1.0.14.2.20020724085857.023843f0@pop.snafu.de> References: <5.1.0.14.2.20020724085857.023843f0@pop.snafu.de> Message-ID: <20020724124933.GA25973@venus.agni.com> On Wed, Jul 24, 2002 at 09:58:57AM +0200, Otto-Michael BRAUN wrote: > We use UUCP for mail transport in many schools and there is obviously > the need to scan incoming and outgoing e-mails. There is however a > problem with UUCP and the sendmail queue. > > Has anyone succeeded in installing mailscanner and UUCP and could give some > advice, please ? We use UUCP extensively. You should use sendmail 8.12.x with the submission agent stuff. Otherwise mails coming from the UUCP systems can not be MailScanned easily. -- Mojahed System Administrator, Agni Systems Limited From LISTSERV at JISCMAIL.AC.UK Wed Jul 24 14:55:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:18 2006 Subject: MAILSCANNER: viers@UNILIM.FR left the list Message-ID: <200207241355.OAA28249@magpie.ecs.soton.ac.uk> Wed, 24 Jul 2002 14:55:21 Nicolas Viers - Univ Limoges has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Wed Jul 24 15:17:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users Message-ID: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> I have just released version 3.22-7. This addresses the fact that F-Prot have changed their output format (again) when detecting mass--mailing worms. Note: I strongly advise all F-Prot users to upgrade to this version to ensure their continued virus protection. 
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From marc.perea at ELECTRONIC-GROUP.COM Wed Jul 24 15:53:47 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users In-Reply-To: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> Message-ID: <20020724165347.474e8ce3.marc.perea@electronic-group.com> On Wed, 24 Jul 2002 15:17:59 +0100 Julian Field wrote: > I have just released version 3.22-7. > > This addresses the fact that F-Prot have changed their output format > (again) when detecting mass--mailing worms. > > Note: I strongly advise all F-Prot users to upgrade to this version to > ensure their continued virus protection. Hi Julian, A question : - Does mailscanner has backwards compatibility with previous versions of f-prot (And other Virus Scanners by the way) ? Because there can be situations in which you update mailscanner but not the virus scanner (You keep updating the virus definition files, but not the binary itself).
Thanks in advance, Cheers, -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From mailscanner at ecs.soton.ac.uk Wed Jul 24 16:23:42 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users In-Reply-To: <20020724165347.474e8ce3.marc.perea@electronic-group.com> References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020724162141.02f55c28@imap.ecs.soton.ac.uk> At 15:53 24/07/2002, you wrote: >On Wed, 24 Jul 2002 15:17:59 +0100 >Julian Field wrote: > > This addresses the fact that F-Prot have changed their output format > > (again) when detecting mass--mailing worms. > >- Does mailscanner has backwards compatibility with previous versions of >f-prot (And other Virus Scanners by the way) ? Because there can be >situations in which you update mailscanner but not the virus scanner (You >keep updating the virus definition files, but not the binary itself). As far as I can remember, I don't think backwards compatibility has ever been broken. The parsers are always just extended to handle any output changes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at CAMAROSS.NET Wed Jul 24 18:10:43 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:18 2006 Subject: New Error Message-ID: <032a01c23335$0b827ee0$6501a8c0@home.wideopenthrottle.org> I don't have a submit.cf on this system. sendmail.cf is world readable though. Mike ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Wednesday, July 24, 2002 11:45 AM Subject: Re: New Error > Gee... 
I saw the same thing yesterday when I upgraded from sendmail > 8.11.6 to 8.12.5 on my mail server. The errors below have nothing to > do with mailscanner, just your sendmail configuration. In my case, > my mess was caused by trying to modify sendmail's submit.cf file to > something nonstandard. If you are running 8.12.x, make sure that > your .cf files (sendmail.cf and submit.cf) are world-readable. > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > -------------------------------------------------------------------------- -- > > On Wed, 24 Jul 2002, Mike Kercher wrote: > > > Date: Wed, 24 Jul 2002 11:33:26 -0500 > > From: Mike Kercher > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: New Error > > > > I started getting this error last night. Anyone seen it before or know a > > fix? > > > > Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: Losing > > ./qfg6OGU6K03390: savemail panic > > Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: SYSERR(root): savemail: > > cannot save rejected email anywhere > > > > Mike > > > From jaearick at COLBY.EDU Wed Jul 24 17:45:46 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:18 2006 Subject: New Error In-Reply-To: <02ff01c2332f$d69b0bc0$6501a8c0@home.wideopenthrottle.org> Message-ID: Gee... I saw the same thing yesterday when I upgraded from sendmail 8.11.6 to 8.12.5 on my mail server. The errors below have nothing to do with mailscanner, just your sendmail configuration. In my case, my mess was caused by trying to modify sendmail's submit.cf file to something nonstandard. If you are running 8.12.x, make sure that your .cf files (sendmail.cf and submit.cf) are world-readable. ** Jeff A. 
Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Wed, 24 Jul 2002, Mike Kercher wrote: > Date: Wed, 24 Jul 2002 11:33:26 -0500 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: New Error > > I started getting this error last night. Anyone seen it before or know a > fix? > > Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: Losing > ./qfg6OGU6K03390: savemail panic > Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: SYSERR(root): savemail: > cannot save rejected email anywhere > > Mike > From Matthew_doherty at DATAWATCH.COM Wed Jul 24 17:54:27 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:18 2006 Subject: Kelly, can you please attach that script you created once again? Message-ID: Can you please attach and send to this list, that script you created, once again? Mailscanner statistics.... Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< -----Original Message----- From: Kelly Hamlin [mailto:fizz@BOMB.NET] Sent: Thursday, July 18, 2002 1:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner statistics One last thing :) I Have my MTA Do the RBL lists, could I easily add a if (/sendmail/) { $TotalSPAMCOP++ if /spamcop/; $TotalOsirusoft++ if /osirusoft/; } to the list there? I tried with no success, I know a bit of php, but perl is wacky :P thanks in advance. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | support@cyberstreet.com | http://www.cyberstreet.com | .oooO | ( ) Oooo. 
+--- (----( )----------------------------+ \_) ) / (_/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joris Trooster / Interstroom Sent: Thursday, July 18, 2002 8:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner statistics Hello, I changed the script from Peter Peters (thanks!), to include virus statistics. Example output: mailscannerstats.pl /var/log/mail.log ------------------------------------------------ Virus / spam statistics Period Jul 14 06:48:23 -> Jul 18 13:50:03 Total e-mails scanned : 1132 Total bytes scanned : 12230878 Total seconds : 96 Total virusses detected : 82 Total spams tagged : 91 Timespan (seconds) : 370900 Total SpamAssassin : 79 Total SpamAssassin score : 1003 Total Infinite-Monkeys : 3 Total Osirusoft : 13 Total ORDB-RBL : 7 Total WIREHUB-DNSBL : 2 Viruses found (top 10): Exploit-MIME.gen.b.: 23 W32/Klez.h@MM: 21 W32/Yaha.g@MM: 10 goldfish.mp3.scr: 5 VALUE.pif: 2 TYPE.pif: 2 Ilvd.scr: 1 NAME.bat: 1 new.bat: 1 align.scr: 1 ------------------------------------------------ To have the virus information included you need add a few lines to sweep.pl as explained in the file (attachment). The script only extracts information from the mailscanner log, so the script should work with both exim and sendmail. Regards, Joris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020724/9ccb009d/attachment.html From lbergman at abi.tconline.net Wed Jul 24 17:24:37 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users In-Reply-To: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> Message-ID: <200207241124.37329.lbergman@abi.tconline.net> On Wednesday 24 July 2002 09:17 am, Julian Field wrote: > I have just released version 3.22-7. 
> > This addresses the fact that F-Prot have changed their output format > (again) when detecting mass--mailing worms. > > Note: I strongly advise all F-Prot users to upgrade to this version to > ensure their continued virus protection. When did this happen? I checked the f-prot site and it says the latest is June 3rd 2002 version 3.12a which I already have installed. Should I reinstall that for some reason? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From Matthew_doherty at DATAWATCH.COM Wed Jul 24 17:24:09 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:18 2006 Subject: Not sure if this is mailscanner related "EMail read error! [-" Message-ID: In my message body from Darrol's first letter to mailscanner list. Also some other previous emails I get from other peeps, I get only "EMail read error! [-" in the message body and that's it. Has this been seen before to anyone? I have checked my logs and can't quite figure out why. Thanks! Matt Doherty IT Dept Datawatch Corp >>In a world without walls or fences, who needs Windows and Gates?<< From Stephane.Lentz at ANSF.ALCATEL.FR Wed Jul 24 18:29:24 2002 From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz) Date: Thu Jan 12 21:15:18 2006 Subject: New Error In-Reply-To: <032a01c23335$0b827ee0$6501a8c0@home.wideopenthrottle.org> References: <032a01c23335$0b827ee0$6501a8c0@home.wideopenthrottle.org> Message-ID: <20020724172924.GA19051@iww.netfr.alcatel.fr> On Wed, Jul 24, 2002 at 12:10:43PM -0500, Mike Kercher wrote: > I don't have a submit.cf on this system. sendmail.cf is world readable > though. > > Mike > It might be your sendmail's access file.
For 8.12.x make sure you have : Connect:127.0.0.1 RELAY Connect:localhost.localdomain RELAY and rebuild some indexed version of the acces map (makemap hash access < access if using Berkeley DB). SL/ --- Stephane Lentz / Alcanet International - Internet Services From mike at CAMAROSS.NET Wed Jul 24 17:33:26 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:18 2006 Subject: New Error References: Message-ID: <02ff01c2332f$d69b0bc0$6501a8c0@home.wideopenthrottle.org> I started getting this error last night. Anyone seen it before or know a fix? Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: Losing ./qfg6OGU6K03390: savemail panic Jul 24 11:30:06 redhat sendmail[3390]: g6OGU6K03390: SYSERR(root): savemail: cannot save rejected email anywhere Mike From mike at ZANKER.ORG Wed Jul 24 18:51:32 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed Message-ID: <381573483.1027536692@jemima.zanker.org> Tried using this new option but it doesn't seem to be working. Messages I send to mailing lists (which go through my mail server twice) still have > X-MailScanner: Found to be clean, Found to be clean or am I misunderstanding what the option is for? Thanks, Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From mailscanner at ecs.soton.ac.uk Wed Jul 24 18:59:25 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed In-Reply-To: <381573483.1027536692@jemima.zanker.org> Message-ID: <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> At 18:51 24/07/2002, you wrote: >Tried using this new option but it doesn't seem to be working. Messages >I send to mailing lists (which go through my mail server twice) still >have > >>X-MailScanner: Found to be clean, Found to be clean > >or am I misunderstanding what the option is for? Yes you are :-) The option is to stop it adding the Inline Signature more than once. 
It will still get the extra bit in the header, but not an extra "This message has been scanned by MailScanner..." on the bottom of the message. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Wed Jul 24 19:03:37 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed In-Reply-To: <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> Message-ID: <382298486.1027537416@jemima.zanker.org> On 24 July 2002 18:59 +0100 Julian Field wrote: > Yes you are :-) I suspected as much :) > The option is to stop it adding the Inline Signature more than once. > It will still get the extra bit in the header, but not an extra "This > message has been scanned by MailScanner..." on the bottom of the > message. Is there any advantage to having extra "Found to be clean"s tagged on the header? On one of my mailing lists I end up with it three times! Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From mailscanner at ecs.soton.ac.uk Wed Jul 24 19:09:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed In-Reply-To: <382298486.1027537416@jemima.zanker.org> References: <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020724190752.03b60ae8@imap.ecs.soton.ac.uk> At 19:03 24/07/2002, you wrote: >On 24 July 2002 18:59 +0100 Julian Field >wrote: >Is there any advantage to having extra "Found to be clean"s tagged on >the header? On one of my mailing lists I end up with it three times! Maybe little advantage that we can think of now, but I don't regard anything in a header as superfluous. 
My sysadmin nature says "log everything, just in case you need it". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nathan at TCPNETWORKS.NET Wed Jul 24 19:50:24 2002 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <200207241124.37329.lbergman@abi.tconline.net> Message-ID: <001101c23342$f8e042a0$2400a8c0@johanson> I am equally confused... I've been running f-prot v. 3.12a since it was released. Is the "changed output format" issue relevant to this version? If so, is the recent release of Mailscanner v. 3.22-5 the only version impacted by this issue? I'm currently running 3.20-6 (which seems to be working fine with version 3.12a of f-prot) and wasn't planning on upgrading until this weekend. Am I currently at risk (or have I been at risk all this time)? Nathan ----- Original Message ----- From: "Lewis Bergman" To: Sent: Wednesday, July 24, 2002 9:24 AM Subject: Re: ANNOUNCE: F-Prot users > On Wednesday 24 July 2002 09:17 am, Julian Field wrote: > > I have just released version 3.22-7. > > > > This addresses the fact that F-Prot have changed their output format > > (again) when detecting mass--mailing worms. > > > > Note: I strongly advise all F-Prot users to upgrade to this version to > > ensure their continued virus protection. > When did this happen? I checked the f-prot site and it says the latest is June > 3rd 2002 version 3.12a which I already have installed. Sould I reinstall that > for some reason? > -- > Lewis Bergman > Texas Communications > 4309 Maple St. 
> Abilene, TX 79602-8044 > 915-695-6962 ext 115 From mike at ZANKER.ORG Wed Jul 24 19:55:45 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed In-Reply-To: <5.1.0.14.2.20020724190752.03b60ae8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020724190752.03b60ae8@imap.ecs.soton.ac.uk> Message-ID: <385427555.1027540545@jemima.zanker.org> On 24 July 2002 19:09 +0100 Julian Field wrote: > Maybe little advantage that we can think of now, but I don't regard > anything in a header as superfluous. My sysadmin nature says "log > everything, just in case you need it". Yes, good point... Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From evertjan at VANRAMSELAAR.NL Wed Jul 24 20:06:32 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:15:18 2006 Subject: Backwards compatibility (was: ANNOUNCE: F-Prot users) In-Reply-To: <5.1.0.14.2.20020724162141.02f55c28@imap.ecs.soton.ac.uk> Message-ID: <002b01c23345$39108860$65020a0a@galaxy> Hello, FYI: I had to remove '--mime' in the McAfee section in sweep.pl to get it to work with my version of uvscan. # uvscan --version Virus Scan for Linux v4.0.4 Scan engine v4.0.50 for Linux. -- Evert Jan van Ramselaar Van Ramselaar Info Tech > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Wednesday, July 24, 2002 5:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: F-Prot users > > > At 15:53 24/07/2002, you wrote: > >On Wed, 24 Jul 2002 15:17:59 +0100 > >Julian Field wrote: > > > This addresses the fact that F-Prot have changed their output format > > > (again) when detecting mass--mailing worms. > > > >- Does mailscanner has backwards compatibility with previous versions of > >f-prot (And other Virus Scanners by the way) ? 
Because there can be > >situations in which you update mailscanner but not the virus scanner (You > >keep updating the virus definition files, but not the binary itself). > > As far as I can remember, I don't think backwards compatibility has ever > been broken. The parsers are always just extended to handle any > output changes. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Wed Jul 24 20:07:26 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: Security Alert Message-ID: <5.1.0.14.2.20020724200447.0446c008@imap.ecs.soton.ac.uk> There has been a posting on NTBugtraq today, highlighting a newly discovered security vulnerability in Eudora. The attack involves meta-refresh tags and *.mhtml files. I would advise all MailScanner users to add a "deny" rule for \.mhtml$ in their filename.rules.conf file, along with suitable explanations for the log and for users. Don't forget that fields in this file are separated with tab characters, not spaces! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jul 24 20:39:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users In-Reply-To: <001101c23342$f8e042a0$2400a8c0@johanson> References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <200207241124.37329.lbergman@abi.tconline.net> Message-ID: <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk> At 19:50 24/07/2002, you wrote: >I am equally confused... >I've been running f-prot v. 3.12a since it was released. Is the "changed >output format" issue relevant to this version? >If so, is the recent release of Mailscanner v. 
3.22-5 the only version >impacted by this issue? >I'm currently running 3.20-6 (which seems to be working fine with version >3.12a of f-prot) and wasn't planning on upgrading until this weekend. Am I >currently at risk (or have I been at risk all this time)? Search your MailScanner logs for "mass-mailing worm" and see if it produces anything. I have just checked my version of F-Prot (3.12a) and it produces this warning. However, if you really don't want to upgrade, the patch is very simple: 817,818c817,819 < if ($line =~ /(is|could be) a( boot sector)? virus dropper/) { < # Reparse the rest of the line to turn it into an infection report --- > if ($line =~ /(is|could be) a mass-mailing worm/) { > $line =~ s/(is|could be) a mass-mailing worm.*$/Infection: /; > } elsif ($line =~ /(is|could be) a( boot sector)? virus dropper/) { -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nathan at TCPNETWORKS.NET Wed Jul 24 21:26:14 2002 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:15:18 2006 Subject: ANNOUNCE: F-Prot users References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <200207241124.37329.lbergman@abi.tconline.net> <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk> Message-ID: <007501c23350$5bbfec60$2400a8c0@johanson> I searched for th string and didn't find it. We're not a high traffic site, so it's possible we haven't received anything to trigger it. I'll go ahead and upgrade this evening. Thanks Julian. -Nathan ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, July 24, 2002 12:39 PM Subject: Re: ANNOUNCE: F-Prot users > At 19:50 24/07/2002, you wrote: > >I am equally confused... > >I've been running f-prot v. 3.12a since it was released. Is the "changed > >output format" issue relevant to this version? > >If so, is the recent release of Mailscanner v. 
3.22-5 the only version > >impacted by this issue? > >I'm currently running 3.20-6 (which seems to be working fine with version > >3.12a of f-prot) and wasn't planning on upgrading until this weekend. Am I > >currently at risk (or have I been at risk all this time)? > > Search your MailScanner logs for "mass-mailing worm" and see if it produces > anything. > I have just checked my version of F-Prot (3.12a) and it produces this warning. > > However, if you really don't want to upgrade, the patch is very simple: > > 817,818c817,819 > < if ($line =~ /(is|could be) a( boot sector)? virus dropper/) { > < # Reparse the rest of the line to turn it into an infection report > --- > > if ($line =~ /(is|could be) a mass-mailing worm/) { > > $line =~ s/(is|could be) a mass-mailing worm.*$/Infection: /; > > } elsif ($line =~ /(is|could be) a( boot sector)? virus dropper/) { > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From jason at jnj.org Wed Jul 24 22:15:23 2002 From: jason at jnj.org (Jason) Date: Thu Jan 12 21:15:18 2006 Subject: help diagnose a mis-tagged email (not spam, tagged as spam) Message-ID: <20020724211523.GA14909@jnj.org> howdy I'm posting this to both the mailscanner and spamassassin lists since I'm not sure where the problem lies. A user forwarded me a non-spam email that was tagged as spam. Here's the spamcheck header: X-MailScanner-SpamCheck: SpamAssassin (score=11.9, required 9, FROM_NAME_NO_SPACES, AWL) this is from an internal user, to an internal user, and the subject and body look like: ------------- Subject: {PROBABLY SPAM} come to server room pretty please we need to put a cd in edi-dev, cabinet looks locked? ------------- anyone have any idea how that happened? And is there a way with mailscanner + spamassassin to not scan mail originating from my network? 
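Review bot: in the F-Prot patch quoted above (817,818c817,819), the new branch's substitution `s/(is|could be) a mass-mailing worm.*$/Infection: /` discards everything from the match to the end of the line, so the rewritten line ends in "Infection: " with no name after it; if the scanner prints anything after "mass-mailing worm" that belongs in the report, capture it and append it instead of dropping it with `.*$`. The change also removes the "# Reparse the rest of the line to turn it into an infection report" comment without giving the new branch a comment of its own, and the `(is|could be)` groups capture nothing that is used, so `(?:is|could be)` would do.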
--
Jason Burnett
jason@jnj.org
~ No witty signature available at this time ~

From mkettler at EVI-INC.COM Wed Jul 24 22:27:15 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:15:18 2006
Subject: help diagnose a mis-tagged email (not spam, tagged as spam)
In-Reply-To: <20020724211523.GA14909@jnj.org>
Message-ID: <5.1.0.14.0.20020724171827.03376780@192.168.50.2>

I'm not positive, but from a glance it looks like it got bumped up by the
auto-whitelist feature of SpamAssassin, which despite its name, acts more
commonly as an auto-black/greylist.

What the AWL really does is try to push the score of an email towards the
historical average for that user. If that user sent some email that got
tagged for legit reasons, they probably have a high average and thus get
their score bumped up.

Recommendations to get around this:

1) don't use the AWL, or reduce the AWL factor.
2) don't SA scan emails that were actually delivered from IPs in your local
domain. (use MailScanner's "accept spam from" to prevent local users mail
from being scanned.)
3) delete that user's AWL entry using spamassassin -R and hope they don't
send more spam-like mail.

At 04:15 PM 7/24/2002 -0500, Jason wrote:
>howdy
>
>I'm posting this to both the mailscanner and spamassassin lists since I'm
>not sure where the problem lies.
>
>A user forwarded me a non-spam email that was tagged as spam. Here's the
>spamcheck header:
>
>X-MailScanner-SpamCheck: SpamAssassin (score=11.9, required 9,
>FROM_NAME_NO_SPACES, AWL)
>
>this is from an internal user, to an internal user, and the subject and
>body look like:
>
>-------------
>Subject: {PROBABLY SPAM} come to server room pretty please
>
>
>we need to put a cd in edi-dev, cabinet looks locked?
>-------------
>
>anyone have any idea how that happened? And is there a way with
>mailscanner + spamassassin to not scan mail originating from my network?
>
>--
>Jason Burnett
>jason@jnj.org
>~ No witty signature available at this time ~

From jason at jnj.org Wed Jul 24 23:20:44 2002
From: jason at jnj.org (Jason Burnett)
Date: Thu Jan 12 21:15:18 2006
Subject: help diagnose a mis-tagged email (not spam, tagged as spam)
In-Reply-To: <5.1.0.14.0.20020724171827.03376780@192.168.50.2>
References: <20020724211523.GA14909@jnj.org>
 <5.1.0.14.0.20020724171827.03376780@192.168.50.2>
Message-ID: <20020724222044.GA15074@jnj.org>

On Wed, Jul 24, 2002 at 05:27:15PM -0400, Matt Kettler wrote:
> I'm not positive, but from a glance it looks like it got bumped up by the
> auto-whitelist feature of SpamAssassin, which despite its name, acts more
> commonly as an auto-black/greylist.
>
> What the AWL really does is try to push the score of an email towards the
> historical average for that user. If that user sent some email that got
> tagged for legit reasons, they probably have a high average and thus get
> their score bumped up.
>
> Recommendations to get around this:
>
> 1) don't use the AWL, or reduce the AWL factor.
> 2) don't SA scan emails that were actually delivered from IPs in your local
> domain. (use MailScanner's "accept spam from" to prevent local users mail
> from being scanned.)
> 3) delete that user's AWL entry using spamassassin -R and hope they don't
> send more spam-like mail.
>

It didn't dawn on me until reading this, but I've had all the users
involved in the Spamassassin/Mailscanner evaluation here send me all
false-positives and false-negatives, which were getting rescanned and
added to their AWL score. Mystery solved. Thanks for the "accept spam
from" tip.
--
Jason Burnett
jason@jnj.org
~ No witty signature available at this time ~

From nathan at TCPNETWORKS.NET Thu Jul 25 02:37:08 2002
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:15:18 2006
Subject: "Hide Incoming Work Dir" Option Not Working
References: <20020724211523.GA14909@jnj.org>
 <5.1.0.14.0.20020724171827.03376780@192.168.50.2>
 <20020724222044.GA15074@jnj.org>
Message-ID: <022c01c2337b$ca12d120$2400a8c0@johanson>

I just upgraded to Mailscanner v 3.22-7. This is the first time I've used
the "Hide Incoming Work Dir" option.
Unfortunately, it doesn't seem to work (unless I'm missing something).

This option was enabled by default, but when I sent myself an eicar test
message, the notices didn't appear any different. I decided to test it
further. I disabled the option, sent a virus to myself. Restarted
mailscanner, enabled the option again and sent the same virus. There are no
differences in the notices either to the sender or the recipient of the
virus. Is this option broken, or am I misunderstanding the functionality?

From ralloway at CHARTERPA.NET Thu Jul 25 06:08:24 2002
From: ralloway at CHARTERPA.NET (Richard D Alloway)
Date: Thu Jan 12 21:15:18 2006
Subject: Beta testers? Getting on okay?
In-Reply-To: <5.1.0.14.2.20020720130425.047e8558@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 20 Jul 2002, Julian Field wrote:
> I've just tested a couple of messages with this setup, and it works fine on
> my version of perl. To be sure to be case-insensitive, it
> 1) converts the contents of spam.whitelist.conf to lower-case as it stores it
> 2) converts the addresses being tested to lower-case before testing them
> 3) does the tests as case-insensitive comparisons.
>
> So at least 2 of those must be failing on your Perl! :-(

That's possible...the machine mailscanner is running on did have a failed
perl upgrade at one time, though everything else works fine.
Thank goodness this isn't the production box :)

> There's not much I can do to fix that as I already do everything I can to
> make it work robustly. Are you sure you spelled mailer-daemon correctly?

Sure did :)

I won't worry until we're in production.

Thanks for all the support!

-Rich

> At 04:43 20/07/2002, you wrote:
> >Jules,
> >
> >Congrats on the monitor!
> >
> >As far as the beta test is concerned, no real problems here!
> >
> >The "whitelist to" option (or whatever it's called) seems to be working
> >just fine with the exception of case sensitivity.
> >
> >I have 'mailer-daemon@*' in spam.whitelist.com so I can test, but mail to
> >MAILER-DAEMON@mydomain.com is still being flagged.
> >
> >Otherwise, I've been getting compliments on how well it works. Of course,
> >I always credit you and the others who have contributed so much to the
> >cause!
> >
> >Thanks!
> >
> >-Rich
> >
> >On Fri, 19 Jul 2002, Julian Field wrote:
> >
> > > My beta-testers, how are you folks getting on? Is it all working so far?
> > > No-one has been in touch, so I am assuming that no news is good news.
> > > I just installed the latest release on a new server here, too, and that
> > > went flawlessly.
> > >
> > > So unless someone comes up with some reports by Sunday or so, I'll release
> > > it to the world.
> > >
> > > Thanks guys!
> > > Jules.
> > >
> > > P.S. Just got a new Eizo 17" TFT monitor at work, *very* nice,
> > > hmmmmm....... :-)
> > > --
> > > Julian Field                Teaching Systems Manager
> > > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > Tel. 023 8059 2817          University of Southampton
> > >                             Southampton SO17 1BJ
> > >
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel.
023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From LISTSERV at JISCMAIL.AC.UK Thu Jul 25 08:38:03 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:18 2006
Subject: MAILSCANNER: f.rotondo@TESEO.IT requested to join
Message-ID: <200207250738.IAA09162@magpie.ecs.soton.ac.uk>

Thu, 25 Jul 2002 08:38:03

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Francesco Rotondo.

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER f.rotondo@TESEO.IT Francesco Rotondo

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+f.rotondo%40TESEO.IT+Francesco+Rotondo&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From tcarrez at SCORT.COM Thu Jul 25 08:44:58 2002
From: tcarrez at SCORT.COM (Thierry Carrez)
Date: Thu Jan 12 21:15:18 2006
Subject: Improving speed in picking up messages from incoming queue
References:
Message-ID: <3D3FAC7A.4060402@scort.com>

Hello all,

I would like to know if there is a way to improve the speed of the "pick
up messages from incoming queue" phase of the mailscanner process.

Timings for example :
09:31:58 Message received by SMTP and written to incoming queue
09:32:07 Mailscanner scanning starts
09:32:08 Mailscanner scanning ends
09:32:08 Message is in outgoing queue and processed

I observe timings like 5-12 seconds for the "pickup" phase. Is this
normal ? Is there a setting I can tweak ?
My setup : exim/incoming + mailscanner3.21 + mcafee + SA + exim/outgoing
My machine : RH Linux 7.3 on a 1GHz PIII with 512MB RAM

--
Thierry Carrez

From mailscanner at ecs.soton.ac.uk Thu Jul 25 09:04:07 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: Improving speed in picking up messages from incoming queue
In-Reply-To: <3D3FAC7A.4060402@scort.com>
References:
Message-ID: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk>

Are you running this on a test server to try it out, or on a busy
production server?

If on a test server, then what you are seeing is this:

MailScanner checks the incoming mail spool for any new messages, and goes
away and processes them. However, if there were no new messages when it
checked, it sleeps for 30 seconds and then tries again. So if you have a
very low traffic server it is possible you are seeing the 30 second delay.
Once your server is busy enough that there are always new messages coming
in while the previous ones are being processed, the delay will never happen
and your message latency will drop to a second or two.

At 08:44 25/07/2002, you wrote:
>Hello all,
>
>I would like to know if there is a way to improve the speed of the "pick
>up messages from incoming queue" phase of the mailscanner process.
>
>Timings for example :
>09:31:58 Message received by SMTP and written to incoming queue
>09:32:07 Mailscanner scanning starts
>09:32:08 Mailscanner scanning ends
>09:32:08 Message is in outgoing queue and processed
>
>I observe timings like 5-12 seconds for the "pickup" phase. Is this
>normal ? Is there a setting I can tweak ?
>
>My setup : exim/incoming + mailscanner3.21 + mcafee + SA + exim/outgoing
>My machine : RH Linux 7.3 on a 1GHz PIII with 512MB RAM
>
>--
>Thierry Carrez

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Jul 25 09:00:44 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: Beta testers? Getting on okay?
In-Reply-To:
References: <5.1.0.14.2.20020720130425.047e8558@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725085922.02d40af8@imap.ecs.soton.ac.uk>

At 06:08 25/07/2002, you wrote:
>On Sat, 20 Jul 2002, Julian Field wrote:
> > I've just tested a couple of messages with this setup, and it works fine on
> > my version of perl. To be sure to be case-insensitive, it
> > 1) converts the contents of spam.whitelist.conf to lower-case as it
> stores it
> > 2) converts the addresses being tested to lower-case before testing them
> > 3) does the tests as case-insensitive comparisons.
> >
> > So at least 2 of those must be failing on your Perl! :-(
>
>That's possible...the machine mailscanner is running on did have a failed
>perl upgrade at one time, though everything else works fine. Thank
>goodness this isn't the production box :)
>
> > There's not much I can do to fix that as I already do everything I can to
> > make it work robustly. Are you sure you spelled mailer-daemon correctly?
>
>Sure did :)
>
>I won't worry until we're in production.
>
>Thanks for all the support!

I finally managed to re-create this problem on our site (of all people,
our head of department hit it). I have put a fix in place and tested it
several hundred times now, and it hasn't failed once since I put in the
fix. So you should upgrade to the latest code and then hopefully the
problem will have gone.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Jul 25 08:56:49 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:18 2006
Subject: ANNOUNCE: F-Prot users
In-Reply-To: <007501c23350$5bbfec60$2400a8c0@johanson>
References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk>
 <200207241124.37329.lbergman@abi.tconline.net>
 <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk>

At 21:26 24/07/2002, you wrote:
>I searched for the string and didn't find it. We're not a high traffic site,
>so it's possible we haven't received anything to trigger it.
>I'll go ahead and upgrade this evening. Thanks Julian.

By the mere fact that no-one else has reported it before, it must only
appear very rarely. Unfortunately, getting the definitive list of strings
out of F-Prot is a non-trivial task (involves the Zip of Death and a core
dump :-)

>-Nathan
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Wednesday, July 24, 2002 12:39 PM
>Subject: Re: ANNOUNCE: F-Prot users
>
>
> > At 19:50 24/07/2002, you wrote:
> > >I am equally confused...
> > >I've been running f-prot v. 3.12a since it was released. Is the "changed
> > >output format" issue relevant to this version?
> > >If so, is the recent release of Mailscanner v. 3.22-5 the only version
> > >impacted by this issue?
> > >I'm currently running 3.20-6 (which seems to be working fine with version
> > >3.12a of f-prot) and wasn't planning on upgrading until this weekend. Am
>I
> > >currently at risk (or have I been at risk all this time)?
> >
> > Search your MailScanner logs for "mass-mailing worm" and see if it
>produces
> > anything.
> > I have just checked my version of F-Prot (3.12a) and it produces this
>warning.
> > > > However, if you really don't want to upgrade, the patch is very simple: > > > > 817,818c817,819 > > < if ($line =~ /(is|could be) a( boot sector)? virus dropper/) { > > < # Reparse the rest of the line to turn it into an infection report > > --- > > > if ($line =~ /(is|could be) a mass-mailing worm/) { > > > $line =~ s/(is|could be) a mass-mailing worm.*$/Infection: /; > > > } elsif ($line =~ /(is|could be) a( boot sector)? virus dropper/) { > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Thu Jul 25 09:09:15 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:18 2006 Subject: secretly copy message feature in new version? In-Reply-To: <5.1.0.14.2.20020723185721.02f037a0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020723185721.02f037a0@imap.ecs.soton.ac.uk> Message-ID: <1ecvju83no3h1eu1r718khcrbdamk6brbs@4ax.com> On Tue, 23 Jul 2002 19:00:04 +0100, you wrote: >>Am I reading the conf right? Is this an optiion..and if so, what is the >>syntax in secretly.copy.mail.conf? > >Please don't use this yet, I haven't finished it. It shouldn't have been in >the conf files. I have checked the code in the other files too. If it is ment to be "secret" that will never work the way it is implemented (or can easily be implemented). The sender can still request DSN-messages and get them from the "secret" addresses too. Problems with delivering to "secret" addresses will be reported to the sender. 
--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From tcarrez at SCORT.COM Thu Jul 25 09:13:54 2002
From: tcarrez at SCORT.COM (Thierry Carrez)
Date: Thu Jan 12 21:15:18 2006
Subject: Improving speed in picking up messages from incoming queue
References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk>
Message-ID: <3D3FB342.4060703@scort.com>

Julian Field wrote:

> Are you running this on a test server to try it out, or on a busy
> production server?
>
> If on a test server, then what you are seeing is this:
>
> MailScanner checks the incoming mail spool for any new messages, and goes
> away and processes them. However, if there were no new messages when it
> checked, it sleeps for 30 seconds and then tries again. So if you have a
> very low traffic server it is possible you are seeing the 30 second delay.
> Once your server is busy enough that there are always new messages coming
> in while the previous ones are being processed, the delay will never happen
> and your message latency will drop to a second or two.

Thanks Julian,

It is a test server going into production today.
"Now go elsewhere, viruses and spam !"
-- Thierry Carrez From mailscanner at ecs.soton.ac.uk Thu Jul 25 09:17:43 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:18 2006 Subject: "Hide Incoming Work Dir" Option Not Working In-Reply-To: <022c01c2337b$ca12d120$2400a8c0@johanson> References: <20020724211523.GA14909@jnj.org> <5.1.0.14.0.20020724171827.03376780@192.168.50.2> <20020724222044.GA15074@jnj.org> Message-ID: <5.1.0.14.2.20020725091330.04df41a0@imap.ecs.soton.ac.uk> Nathan, You are absolutely right, I forgot to make the option affect the message to the sender (it does also affect the report in VirusWarning.txt (sent to the recipient) if your virus scanner puts the complete path to the infected file in there. Fortunately, the patch is very simple. I won't bother with another release for this right now, unless a lot of people are using it... Add a couple of lines to sendmail.pl: *** 1300,1309 **** --- 1300,1311 ---- #$to =~ s/^\s*\<(.+)\>\s*$/$1/; $parts = $Reports->{$id}; $type1 = $InfectionTypes->{$id}; $type = join("", values %$type1); $report = join("Report: ", values %$parts); + # Hide working dir? + $report =~ s/\Q$Config::SrcDir\E\///gm if $Config::HideSrcDir; # Don't send a message to "" or "<>" next if $from eq "" || $from eq "<>"; # Don't send a message to non-local addresses if we don't want to Jules. At 02:37 25/07/2002, you wrote: >I just upgraded to Mailscanner v 3.22-7. This is the first time I've used >the "Hide Incoming Work Dir" option. >Unfortunately, it doesn't seem to work (unless I'm missing something). > >This option was enabled by default, but when I sent myself an eicar test >message, the notices didn't appear any different. I decided to test it >further. I disabled the option, sent a virus to myself. Restarted >mailscanner, enabled the option again and sent the same virus. There are no >differences in the notices either to the sender or the recipient of the >virus. Is this option broken, or am I misunderstanding the functionality? 
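Review bot: in the sendmail.pl hunk above (1300,1309 to 1300,1311), the added `$report =~ s/\Q$Config::SrcDir\E\///gm if $Config::HideSrcDir;` only strips the directory when it is followed by exactly one "/", so a SrcDir value configured with a trailing slash would never match and the full path would still reach the sender; normalise the value, or match `\/*` after it, before substituting. The /m modifier has no effect because the pattern contains no ^ or $, and the "# Hide working dir?" comment would be clearer as a statement that the incoming work directory prefix is removed from the report sent to the sender.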
> From the looks of it, the path is still there whether I enable the option or >not, and the message IDis the only thing that changes. > >See below. > >With Hide Incoming Work Dir = yes >==> > >Snippet from notice sent to "sender" >==== > >The virus detector said this about the message: >Report: /var/spool/MailScanner/incoming/g6P1F1l05412/EICAR.COM Infection: >EICAR_Test_File >===== > >Snippet from "VirusWarning.txt" sent to recipient: >===== >At Wed Jul 24 18:15:23 2002 the virus scanner said: >g6P1F1l05412/EICAR.COM Infection: EICAR_Test_File > >Note to Help Desk: Look on the MailScanner in >/var/spool/MailScanner/quarantine (message g6P1F1l05412). >===== > >With >Hide Incoming Work Dir = no > >Snippet from notice sent to "sender" >==== > >The virus detector said this about the message: >Report: /var/spool/MailScanner/incoming/g6P1Ie405526/EICAR.COM Infection: >EICAR_Test_File >===== > >Snippet from "VirusWarning.txt" sent to recipient: > >===== >At Wed Jul 24 18:18:50 2002 the virus scanner said: >g6P1Ie405526/EICAR.COM Infection: EICAR_Test_File > >Note to Help Desk: Look on the MailScanner in >/var/spool/MailScanner/quarantine (message g6P1Ie405526). >===== > >Thanks, > >Nathan Johanson >nathan@tcpnetworks.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Thu Jul 25 09:37:22 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:18 2006 Subject: Kelly, can you please attach that script you created once again? In-Reply-To: References: Message-ID: On Wed, 24 Jul 2002 12:54:27 -0400, you wrote: >Can you please attach and send to this list, that script you created, once >again? Mailscanner statistics.... I think Kelly was refering to extending my scripts. 
Mine are on http://home.student.utwente.nl/p.g.m.peters/analog4mailscanner.pl and http://home.student.utwente.nl/p.g.m.peters/mailscanner2csv.pl. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Thu Jul 25 09:39:39 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:18 2006 Subject: Sign Messages Already Processed In-Reply-To: <382298486.1027537416@jemima.zanker.org> References: <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> <382298486.1027537416@jemima.zanker.org> Message-ID: On Wed, 24 Jul 2002 19:03:37 +0100, you wrote: >> The option is to stop it adding the Inline Signature more than once. >> It will still get the extra bit in the header, but not an extra "This >> message has been scanned by MailScanner..." on the bottom of the >> message. > >Is there any advantage to having extra "Found to be clean"s tagged on >the header? On one of my mailing lists I end up with it three times! I have once seen a "found to be clean" followed by a "found to be infected". It turned out the site (not mine) that inserted the clean message had an error downloading the latest virus signatures. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Thu Jul 25 09:44:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:19 2006 Subject: Sign Messages Already Processed In-Reply-To: References: <382298486.1027537416@jemima.zanker.org> <5.1.0.14.2.20020724185806.026ee758@imap.ecs.soton.ac.uk> <382298486.1027537416@jemima.zanker.org> Message-ID: <5.1.0.14.2.20020725094346.04e6b480@imap.ecs.soton.ac.uk> At 09:39 25/07/2002, you wrote: >I have once seen a "found to be clean" followed by a "found to be >infected". It turned out the site (not mine) that inserted the clean >message had an error downloading the latest virus signatures. Another very good argument in favour of using multiple virus scanners. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From f.rotondo at TESEO.IT Thu Jul 25 10:24:23 2002 From: f.rotondo at TESEO.IT (Francesco Rotondo) Date: Thu Jan 12 21:15:19 2006 Subject: Problem stopping mailscanner Message-ID: <00c501c233bd$10affe00$0464a8c0@teseo.net> Hi all, I'm using mailscanner on a RedHat Linux 6.2 and discovered that stopping mailscanner using the init.d script during the scanning of some messages causes the messages will not be delivered. Does anyone else faced the same problem or did I made some mistakes during installation? Thank you. +----------------------------------------------------------+ | Francesco Rotondo E-mail: f.rotondo@teseo.it | +----------------------------------------------------------+ | Teseo Internet Provider, Srl | | C.so A. 
De Gasperi, 344 Web: http://www.teseo.it | | 70125 - Bari Tel: +39(080)5036970 | | Italy Fax: +39(080)5008672 | +----------------------------------------------------------+ From tcarrez at SCORT.COM Thu Jul 25 13:05:14 2002 From: tcarrez at SCORT.COM (Thierry Carrez) Date: Thu Jan 12 21:15:19 2006 Subject: Improving speed in picking up messages from incoming queue References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk> Message-ID: <3D3FE97A.2060501@scort.com> Julian Field wrote: > MailScanner checks the incoming mail spool for any new messages, and goes > away and processes them. However, if there were no new messages when it > checked, it sleeps for 30 seconds and then tries again. So if you have a > very low traffic server it is possible you are seeing the 30 second delay. > Once your server is busy enough that there are always new messages coming > in while the previous ones are being processed, the delay will never happen > and your message latency will drop to a second or two. I don't have many users, but they were used to get messages emailed to themselves almost immediately... On a small-workload setup (around 1 message every 40 seconds), is there a danger to reduce the 30-second delay to, say, a 10-second delay ? I don't have enough messages (about 50 users) to benefit from the high-load = no-latency effect... If I understand your code correctly, I would have to change the line : # Wait and go round again if nothing to scan sleep(30), next unless @MessagesIn; Any do's and don't before I crash my production server ? 
Thanks in advance -- Thierry Carrez From P.G.M.Peters at civ.utwente.nl Thu Jul 25 13:23:01 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:19 2006 Subject: Improving speed in picking up messages from incoming queue In-Reply-To: <3D3FE97A.2060501@scort.com> References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk> <3D3FE97A.2060501@scort.com> Message-ID: On Thu, 25 Jul 2002 14:05:14 +0200, you wrote: >I don't have many users, but they were used to get messages emailed to >themselves almost immediately... > >On a small-workload setup (around 1 message every 40 seconds), is there >a danger to reduce the 30-second delay to, say, a 10-second delay ? >I don't have enough messages (about 50 users) to benefit from the >high-load = no-latency effect... I don't think it will crash but you will have to keep in mind you changed this. And you have to keep doing this everytime you upgrade. Instead I would tell the users it is a small price to pay for the extra features and safety scanning the mail gives them. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From lbergman at abi.tconline.net Thu Jul 25 14:06:05 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:19 2006 Subject: ANNOUNCE: F-Prot users In-Reply-To: <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk> Message-ID: <200207250806.05659.lbergman@abi.tconline.net> On Thursday 25 July 2002 02:56 am, Julian Field wrote: > At 21:26 24/07/2002, you wrote: > >I searched for th string and didn't find it. We're not a high traffic > > site, so it's possible we haven't received anything to trigger it. 
> >I'll go ahead and upgrade this evening. Thanks Julian. > > By the mere fact that no-one else has reported it before, it must only > appear very rarely. Unfortunately, getting the definitive list of strings > out of F-Prot is a non-trivial task (involves the Zip of Death and a core > dump :-) I wonder if customer pudh on this matter might be helpful. Not that my complaint was the reason but just 2 days after I filed a support request for the check-update.sh script they came out with a new patched one. If you make a clear case as to what you need to see I would (as well I am sure the other f-prot users on the list) be willing to pound on their door a bit to have them publish what you need. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From carl.boberg at NRM.SE Thu Jul 25 15:12:12 2002 From: carl.boberg at NRM.SE (Carl Boberg) Date: Thu Jan 12 21:15:19 2006 Subject: Error logged to console? Message-ID: <17c001c233e5$457fb580$010110ac@nrm.se> Can anyone tell what this means? Malformed UTF-8 character (unexpected continuation byte 0xa3) in substitution iterator at /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828. It has popped upp on my console a few times cince I installed the latest rpm of MailScanner. Has anyone else seen this? Regards --------------------------------- Carl Boberg System & N?tverksadministrat?r Enheten f?r informationsteknologi Naturhistoriska Riksmuseet carl.boberg@nrm.se Tel: 08-519 551 16 Mob: 0701-82 40 55 --------------------------------- From mailscanner at ecs.soton.ac.uk Thu Jul 25 15:26:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:19 2006 Subject: Error logged to console? In-Reply-To: <17c001c233e5$457fb580$010110ac@nrm.se> Message-ID: <5.1.0.14.2.20020725152547.02d461e0@imap.ecs.soton.ac.uk> At 15:12 25/07/2002, you wrote: >Can anyone tell what this means? 
>
>Malformed UTF-8 character (unexpected continuation byte 0xa3) in
>substitution iterator at
>/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828.
>
>It has popped up on my console a few times since I installed the latest rpm
>of MailScanner.
>Has anyone else seen this?

This is caused by a bug in Perl, which they claim will be fixed in the next version.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Jul 25 13:38:13 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Improving speed in picking up messages from incoming queue
In-Reply-To: <3D3FE97A.2060501@scort.com>
References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725133712.04fbe708@imap.ecs.soton.ac.uk>

At 13:05 25/07/2002, you wrote:
>On a small-workload setup (around 1 message every 40 seconds), is there
>a danger to reduce the 30-second delay to, say, a 10-second delay ?
>I don't have enough messages (about 50 users) to benefit from the
>high-load = no-latency effect...
>
>If I understand your code correctly, I would have to change the line :
>
> # Wait and go round again if nothing to scan
> sleep(30), next unless @MessagesIn;
>
>Any do's and don't before I crash my production server ?

That's fine. On a quiet machine you could quite safely reduce it by a factor of 10. After all, 30 is a number I pulled out of thin air anyway :-)

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From tcarrez at SCORT.COM Thu Jul 25 15:55:42 2002
From: tcarrez at SCORT.COM (Thierry Carrez)
Date: Thu Jan 12 21:15:19 2006
Subject: Improving speed in picking up messages from incoming queue
References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020725133712.04fbe708@imap.ecs.soton.ac.uk>
Message-ID: <3D40116E.8010303@scort.com>

Julian Field wrote:
> That's fine. On a quiet machine you could quite safely reduce it by a
> factor of 10. After all, 30 is a number I pulled out of thin air anyway :-)

Could you please include this as a configurable parameter in a next release (no hurry at all) ?

My little help, diffs from 3.22-7, from my understanding, should not break anything...

[packager@boomer bin]$ diff mailscanner.orig mailscanner 265c265 < sleep(30), next unless @MessagesIn; --- > sleep($Config::PickUpTimer), next unless @MessagesIn; [packager@boomer bin]$ diff config.orig config.pl 158a159 > $Config::PickUpTimer = 30; 289c290 < --- > $Config::PickUpTimer = $value if $key =~ /^pickuptimer$/i;

Thanks in advance... it will help my future upgrades.

--
Thierry Carrez

From mailscanner at ecs.soton.ac.uk Thu Jul 25 18:11:07 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Improving speed in picking up messages from incoming queue
In-Reply-To: <3D40116E.8010303@scort.com>
References: <5.1.0.14.2.20020725090136.04cbccc8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020725133712.04fbe708@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725180917.04bdaf28@imap.ecs.soton.ac.uk>

At 15:55 25/07/2002, you wrote:
>Julian Field wrote:
>
>>That's fine. On a quiet machine you could quite safely reduce it by a
>>factor of 10. After all, 30 is a number I pulled out of thin air anyway :-)
>
>Could you please include this as a configurable parameter in a next
>release (no hurry at all) ?

Adding the code is the easy bit...
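
Review bot: in the 265c265 hunk of mailscanner, `sleep($Config::PickUpTimer)` passes the configured value to sleep() with no lower bound. A setting of 0, or one that is not a number, makes sleep() return at once, so `next unless @MessagesIn` turns the idle wait into a continuous poll of the incoming queue. Suggest applying a floor at the point of use: sleep for the configured value only when it is a positive integer, and fall back to the previous 30 otherwise.
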
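
Review bot: the 289c290 hunk of config.pl introduces the `pickuptimer` key with no comment saying that the unit is seconds or what range is sensible, and there is no matching documented entry for mailscanner.conf. Suggest adding both next to the default set in the 158a159 hunk. The hunk is also recorded as a change (`c`) of the blank line at 289 rather than an addition, so that blank separator line is lost; adding the assignment after it would keep the surrounding layout intact.
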
The trouble is working out how to explain it in 2 lines of text. It's such a "techie" tweak, and it never affects people with busy servers, that it's hard to justify the extra config parameter for it.

What I might do is just drop it to 5 seconds in the next release. The busy servers never use it anyway, and the quiet ones will suddenly appear to work faster.

>My little help, diffs from 3.22-7, from my understanding, should not
>break anything...
>
>[packager@boomer bin]$ diff mailscanner.orig mailscanner >265c265 >< sleep(30), next unless @MessagesIn; >--- > > sleep($Config::PickUpTimer), next unless @MessagesIn; > > >[packager@boomer bin]$ diff config.orig config.pl >158a159 > > $Config::PickUpTimer = 30; >289c290 >< >--- > > $Config::PickUpTimer = $value if $key =~ /^pickuptimer$/i;
>
>
>Thanks in advance... it will help my future upgrades.
>
>--
>Thierry Carrez

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From henrik at LEWANDER.COM Thu Jul 25 19:13:53 2002
From: henrik at LEWANDER.COM (Henrik Lewander)
Date: Thu Jan 12 21:15:19 2006
Subject: Error logged to console?
References: <17c001c233e5$457fb580$010110ac@nrm.se>
Message-ID: <00d901c23407$096b2f30$4bf90bc1@hemmet.chalmers.se>

I've also been getting these on the console lately:
ndbm store returned -1, errno 0, key "siilly@msn.com" at
/usr/share/perl5/Mail/SpamAssassin/DBBasedAddrList.pm line 160.

Looks like a problem with the AWL? I've also seen several lockfiles laying around in the AWL-dir. Could they be from when mailscanner kills spamassassin because of a timeout?

Regards, Henrik

----- Original Message -----
From: "Carl Boberg"
To:
Sent: Thursday, July 25, 2002 4:12 PM
Subject: Error logged to console?

Can anyone tell what this means?
Malformed UTF-8 character (unexpected continuation byte 0xa3) in
substitution iterator at
/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828.

It has popped up on my console a few times since I installed the latest rpm of MailScanner.
Has anyone else seen this?

Regards
---------------------------------
Carl Boberg
System & Nätverksadministratör
Enheten för informationsteknologi
Naturhistoriska Riksmuseet
carl.boberg@nrm.se
Tel: 08-519 551 16
Mob: 0701-82 40 55
---------------------------------

From gerry at dorfam.ca Thu Jul 25 19:28:44 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:19 2006
Subject: Two Questions
Message-ID: <65533.129.80.22.134.1027621724.squirrel@tiger.dorfam.ca>

I have two questions that I can't find answers for:

1. I turned on spam logging and see the kind of message below. Notice that it says that the IP address the message came from is 66.187.233.211 and the domain is dorfam.ca.

Well, dorfam.ca is my domain and it definitely isn't that IP address. My concern is that my domain is going to be automatically sent off to some of the RBL sites (ie razor) when I receive a spam message with a count over 30 (I believe that's a default).

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 25 10:44:57 tiger mailscanner[10140]: Message g6PEiSC12183 from 66.187.233.211 (dorfam.ca) is spam according to SpamAssassin (score=5.2, required 5, RCVD_IN_OSIRUSOFT_COM, X_OSIRU_SPAM_SRC, AWL)

2. mailscanner always appears as a zombie process when I do a ps aux. I've tried booting the server without mailscanner enabled and then manually starting it. As soon as I start mailscanner I have it listed as a zombie. Restarting mailscanner only changes the pid...I still end up with a zombie.

In spite of this mailscanner seems to be working perfectly. However, I have no idea where/how to fix this??? I'm not even sure it's worth the effort of trying to fix it???

Gerry

From mailscanner at ecs.soton.ac.uk Thu Jul 25 19:58:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Error logged to console?
In-Reply-To: <00d901c23407$096b2f30$4bf90bc1@hemmet.chalmers.se>
References: <17c001c233e5$457fb580$010110ac@nrm.se>
Message-ID: <5.1.0.14.2.20020725195803.02e71ec8@imap.ecs.soton.ac.uk>

At 19:13 25/07/2002, you wrote:
>I've also been getting these on the console lately:
>ndbm store returned -1, errno 0, key "siilly@msn.com" at
>/usr/share/perl5/Mail/SpamAssassin/DBBasedAddrList.pm line 160.
>
>Looks like a problem with the AWL? I've also seen several lockfiles laying
>around in the AWL-dir. Could they be from when mailscanner kills
>spamassassin because of a timeout?

Sounds a distinct possibility. Do the stray lockfiles actually do any harm?

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Jul 25 20:02:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Two Questions
In-Reply-To: <65533.129.80.22.134.1027621724.squirrel@tiger.dorfam.ca>
Message-ID: <5.1.0.14.2.20020725195941.02b53c98@imap.ecs.soton.ac.uk>

At 19:28 25/07/2002, you wrote:
>2. mailscanner always appears as a zombie process when I do a ps aux.
>I've tried booting the server without mailscanner enabled and then
>manually starting it. As soon as I start mailscanner I have it listed as
>a zombie. Restarting mailscanner only changes the pid...I still end up
>with a zombie.
>
>In spite of this mailscanner seems to be working perfectly. However, I
>have no idea where/how to fix this??? I'm not even sure it's worth the
>effort of trying to fix it???

The only thing I can think of is that the daemonising code isn't working 100% correctly on your system. The zombie is almost certainly the process started by the shell.
If you kill mailscanner and restart it using
./mailscanner /opt/mailscanner/etc/mailscanner.conf
(put the relevant path to mailscanner.conf in there, obviously) do you still get the zombie? And if you do, what is the zombie's parent's pid? I would guess it will be the shell you ran it from.

I haven't heard any reports of the daemonising code failing on anyone else's system :-(

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From henrik at LEWANDER.COM Thu Jul 25 20:27:54 2002
From: henrik at LEWANDER.COM (Henrik Lewander)
Date: Thu Jan 12 21:15:19 2006
Subject: Error logged to console?
References: <17c001c233e5$457fb580$010110ac@nrm.se> <5.1.0.14.2.20020725195803.02e71ec8@imap.ecs.soton.ac.uk>
Message-ID: <014601c23411$60a1a590$4bf90bc1@hemmet.chalmers.se>

From: "Julian Field"
> At 19:13 25/07/2002, you wrote:
> >I've also been getting these on the console lately:
> >ndbm store returned -1, errno 0, key "siilly@msn.com" at
> >/usr/share/perl5/Mail/SpamAssassin/DBBasedAddrList.pm line 160.
> >
> >Looks like a problem with the AWL? I've also seen several lockfiles laying
> >around in the AWL-dir. Could they be from when mailscanner kills
> >spamassassin because of a timeout?
>
> Sounds a distinct possibility. Do the stray lockfiles actually do any harm?

Well not too much it seems. I had three of them yesterday, so one wonders how SA use them... Don't know if the above printed error is when SA leaves the lock file behind or when it encounters the old lock file. Is there some way to turn on debug logs for SA?

Regards, Henrik

From mailscanner at ecs.soton.ac.uk Thu Jul 25 20:36:13 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Error logged to console?
In-Reply-To: <014601c23411$60a1a590$4bf90bc1@hemmet.chalmers.se>
References: <17c001c233e5$457fb580$010110ac@nrm.se> <5.1.0.14.2.20020725195803.02e71ec8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725203539.03205098@imap.ecs.soton.ac.uk>

At 20:27 25/07/2002, you wrote:
>From: "Julian Field"
> > At 19:13 25/07/2002, you wrote:
> > >I've also been getting these on the console lately:
> > >ndbm store returned -1, errno 0, key "siilly@msn.com" at
> > >/usr/share/perl5/Mail/SpamAssassin/DBBasedAddrList.pm line 160.
> > >
> > >Looks like a problem with the AWL? I've also seen several lockfiles
>laying
> > >around in the AWL-dir. Could they be from when mailscanner kills
> > >spamassassin because of a timeout?
> >
> > Sounds a distinct possibility. Do the stray lockfiles actually do any
>harm?
>
>Well not too much it seems. I had three of them yesterday, so one wonders
>how SA use them... Don't know if the above printed error is when SA leaves
>the lock file behind or when it encounters the old lock file. Is there some
>way to turn on debug logs for SA?

I suggest you take this problem to the satalk list...

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mkettler at EVI-INC.COM Thu Jul 25 21:18:39 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:15:19 2006
Subject: Two Questions
In-Reply-To: <65533.129.80.22.134.1027621724.squirrel@tiger.dorfam.ca>
Message-ID: <5.1.0.14.0.20020725160716.031888a0@192.168.50.2>

Julian answered your question 2, so I'll answer question 1.

1) turn off the auto-report feature of SpamAssassin. The razor devs pointed out that auto reporting after reaching a given score in SA is probably a bad idea, and results in lots of bugtraq postings, etc being reported to razor. The newest versions of SA have had this feature disabled for that reason.
The only emails which should be auto-reported to razor are emails sent to troll addresses. All others should be hand confirmed.

Also, for what it's worth, razor isn't an RBL. It does not block domains, but instead generates hashes of the body of a given message, if it matches the hash of a message previously reported, it's spam. So razor will never block your domain, since it never even looks at headers, but if you send a message which has a body which is identical to a previous email reported as spam, razor will hit it.

As for the rest of the RBLs, such as ORDB, MAPS, etc. They are mostly relay check based, or confirmed spam source based. These systems generally work on an IP address basis, and nobody is likely to be fooled by that spoofed HELO. There are some that are domain based, but they aren't likely to be fooled by this either.. spoofed HELO's claiming to be hotmail.com, etc are super common.

I generally treat that part of the header with the same grain of salt I treat the FROM: line with. It's most likely falsified in the case of spam. Look at the IP in the received from and ignore the alleged name that comes from the HELO entirely.

At 02:28 PM 7/25/2002 -0400, Gerry Doris wrote:
>1. I turned on spam logging and see the kind of message below.
>Notice that it says that the IP address the message came from is
>66.187.233.211 and the domain is dorfam.ca.
>
>Well, dorfam.ca is my domain and it definitely isn't that IP address. My
>concern is that my domain is going to be automatically sent off to some of
>the RBL sites (ie razor) when I receive a spam message with a count over
>30 (I believe that's a default).

From mdchaney at MICHAELCHANEY.COM Thu Jul 25 21:34:37 2002
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:15:19 2006
Subject: sed!
Message-ID: <20020725153437.B3219@michaelchaney.com>

sed lives in /usr/bin on FreeBSD.
While it doesn't seem like a good candidate for a configuration option, it's a pain to remember to edit mta-specific.pl for each upgrade. Any ideas? (besides the status quo :)

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/

From mdchaney at MICHAELCHANEY.COM Thu Jul 25 21:36:05 2002
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:15:19 2006
Subject: ANNOUNCE: F-Prot users
In-Reply-To: <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Thu, Jul 25, 2002 at 08:56:49AM +0100
References: <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <200207241124.37329.lbergman@abi.tconline.net> <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk> <007501c23350$5bbfec60$2400a8c0@johanson> <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk>
Message-ID: <20020725153605.C3219@michaelchaney.com>

On Thu, Jul 25, 2002 at 08:56:49AM +0100, Julian Field wrote:
> At 21:26 24/07/2002, you wrote:
> >I searched for the string and didn't find it. We're not a high traffic site,
> >so it's possible we haven't received anything to trigger it.
> >I'll go ahead and upgrade this evening. Thanks Julian.
>
> By the mere fact that no-one else has reported it before, it must only
> appear very rarely. Unfortunately, getting the definitive list of strings
> out of F-Prot is a non-trivial task (involves the Zip of Death and a core
> dump :-)

Have you asked the company behind F-Prot? While hacking around with a ZOD and core dump is more fun, they should be able to provide that information.

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/

From LISTSERV at JISCMAIL.AC.UK Thu Jul 25 21:29:11 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:19 2006
Subject: MAILSCANNER: rlong@MAIL.WVNET.EDU requested to join
Message-ID: <200207252029.VAA10265@magpie.ecs.soton.ac.uk>

Thu, 25 Jul 2002 21:29:11

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Randall Long . The following subscription options have been requested: NOHTML INDEX.

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER rlong@MAIL.WVNET.EDU Randall Long

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+rlong%40MAIL.WVNET.EDU+Randall+Long&L=MAILSCANNER

This first link will add the subscriber to the list. You can then set the subscription options with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOHTML+INDEX+FOR+rlong%40MAIL.WVNET.EDU&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From mailscanner at ecs.soton.ac.uk Thu Jul 25 22:33:52 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: sed!
In-Reply-To: <20020725153437.B3219@michaelchaney.com>
Message-ID: <5.1.0.14.2.20020725223259.02ef5a58@imap.ecs.soton.ac.uk>

At 21:34 25/07/2002, you wrote:
>sed lives in /usr/bin on FreeBSD. While it doesn't seem like a good
>candidate for a configuration option, it's a pain to remember to edit
>mta-specific.pl for each upgrade. Any ideas? (besides the status quo :)

This is another one for the auto-configuration which we are working on. Don't hold your breath though, it's going to be a while...

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Thu Jul 25 22:34:32 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: ANNOUNCE: F-Prot users
In-Reply-To: <20020725153605.C3219@michaelchaney.com>
References: <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020724151434.03018ea8@imap.ecs.soton.ac.uk> <200207241124.37329.lbergman@abi.tconline.net> <5.1.0.14.2.20020724203037.04351578@imap.ecs.soton.ac.uk> <007501c23350$5bbfec60$2400a8c0@johanson> <5.1.0.14.2.20020725085554.04ce3db8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020725223407.02fa3e28@imap.ecs.soton.ac.uk>

At 21:36 25/07/2002, you wrote:
>Have you asked the company behind F-Prot? While hacking around with a
>ZOD and core dump is more fun, they should be able to provide that
>information.

Yes I have, am awaiting a response.

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Thu Jul 25 23:12:35 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:19 2006
Subject: MAILSCANNER: bteed@SLA.COM requested to join
Message-ID: <200207252212.XAA16551@magpie.ecs.soton.ac.uk>

Thu, 25 Jul 2002 23:12:35

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Brad Teed . The following subscription options have been requested: NOMIME DIGEST.

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER bteed@SLA.COM Brad Teed

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+bteed%40SLA.COM+Brad+Teed&L=MAILSCANNER

This first link will add the subscriber to the list. You can then set the subscription options with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+FOR+bteed%40SLA.COM&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From LISTSERV at JISCMAIL.AC.UK Fri Jul 26 08:27:51 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:19 2006
Subject: MAILSCANNER: pclarke@RMPLC.NET requested to join
Message-ID: <200207260727.IAA25001@magpie.ecs.soton.ac.uk>

Fri, 26 Jul 2002 08:27:51

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Phil Clarke .

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER pclarke@RMPLC.NET Phil Clarke

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+pclarke%40RMPLC.NET+Phil+Clarke&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From jaearick at COLBY.EDU Fri Jul 26 14:39:48 2002
From: jaearick at COLBY.EDU (Jeff A.
Earickson)
Date: Thu Jan 12 21:15:19 2006
Subject: null "Clean Header" multi-times gags sendmail
Message-ID: 

Julian,

Setup:
------
Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin

MailScanner Config Setting that triggers the problem:
-----------------------------------------------------
Changing the mailscanner.conf line
  Clean Header = Found to be clean
to just be
  Clean Header =
ie, nothing after the equals sign. Putting something after the equals sign fixes the problem, but there's a bug here.

The Problem:
------------
Running a piece of email thru mailscanner multiple times with a blank "clean header" setup causes sendmail to give the following syslog complaints:

SYSERR(root): readqf: ./qf.....: incomplete queue file read

Any piece of email in /var/spool/mqueue generating this complaint will not be delivered by sendmail, but just sit there -- stuck.

Analysis:
---------
I spent some time staring at the qf files for multi-scanned messages that ended up in /var/spool/mqueue, for both messages with a blank and nonblank "Clean Header" settings. For a blank "Clean Header" line, the bottom of the qf file looked like:

H??X-MailScanner: , .

For a qf file with a nonblank "Clean Header = ftbc" line, the bottom of the file looked like:

H??X-MailScanner: ftbc, ftbc
.

Note the placement of the period, which signifies to sendmail where the end of the qf file is supposed to be. For the blank header, it does not end up by itself as the last line, hence sendmail complains that the queue file is incomplete. I found that I could unjam the problem qf files in my queue by editing them and sticking a period at the bottom, then rerunning the queue on that message by hand to get it delivered. And of course I can chase this problem away by making sure that "Clean Header" is not empty. But this looks like a mailscanner bug -- it puts the final period in the wrong place for multi-scanned messages and an empty "clean headers" setting.

** Jeff A.
Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Fri Jul 26 15:23:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: null "Clean Header" multi-times gags sendmail
In-Reply-To: 
Message-ID: <5.1.0.14.2.20020726152252.04d50ea8@imap.ecs.soton.ac.uk>

I've never known anyone not want to tell their users that a message is clean.
If you don't mark it as clean, how is the recipient supposed to know whether it has been scanned or not?
Setting this configuration option to nothing seems a mite strange to me...

At 14:39 26/07/2002, you wrote:
>Julian,
>
>Setup:
>------
>Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin
>
>MailScanner Config Setting that triggers the problem:
>-----------------------------------------------------
>Changing the mailscanner.conf line
> Clean Header = Found to be clean
>to just be
> Clean Header =
>ie, nothing after the equals sign. Putting something after the
>equals sign fixes the problem, but there's a bug here.
>
>The Problem:
>------------
>Running a piece of email thru mailscanner multiple times
>with a blank "clean header" setup causes sendmail to give the following
>syslog complaints:
>
>SYSERR(root): readqf: ./qf.....: incomplete queue file read
>
>Any piece of email in /var/spool/mqueue generating this complaint will
>not be delivered by sendmail, but just sit there -- stuck.
>
>Analysis:
>---------
>I spent some time staring at the qf files for multi-scanned messages
>that ended up in /var/spool/mqueue, for both messages with a blank and
>nonblank "Clean Header" settings. For a blank "Clean Header" line,
>the bottom of the qf file looked like:
>
>H??X-MailScanner: , .
>
>For a qf file with a nonblank "Clean Header = ftbc" line, the bottom of the
>file looked like:
>
>H??X-MailScanner: ftbc, ftbc
>.
>
>Note the placement of the period, which signifies to sendmail where the
>end of the qf file is supposed to be. For the blank header, it does not
>end up by itself as the last line, hence sendmail complains that the queue
>file is incomplete. I found that I could unjam the problem qf files in
>my queue by editing them and sticking a period at the bottom, then
>rerunning the queue on that message by hand to get it delivered. And
>of course I can chase this problem away by making sure that "Clean
>Header" is not empty. But this looks like a mailscanner bug -- it puts
>the final period in the wrong place for multi-scanned messages and an
>empty "clean headers" setting.
>
>** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
>** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
>** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
>** Waterville ME, 04901-8842
>----------------------------------------------------------------------------

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From jaearick at COLBY.EDU Fri Jul 26 16:03:46 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:15:19 2006
Subject: null "Clean Header" multi-times gags sendmail
In-Reply-To: <5.1.0.14.2.20020726152252.04d50ea8@imap.ecs.soton.ac.uk>
Message-ID: 

Julian,

I know, I know. My user community complained "what is this found to be clean clutter in my email messages?" after I started using mailscanner this Spring. So my quick fix was to null out the clean header message. A big chunk of my community uses Eudora, which shows the X-MailScanner message at the top as part of the mail message (Outlook doesn't as I remember, Pine doesn't either).
At least the line "X-MailScanner:" tells *me* that mailscanner touched the message.

Things worked fine until this week, when I went from sendmail 8.11.6 to 8.12.5, and went from mailscanner 3.21.1 to 3.22.7. Then I started noticing this corner-case problem for stuff that goes thru our server twice. Sheesh, listen to user complaints and open up a can 'o worms. I don't know if you consider this a mailscanner bug or misuse on my part, but it did choke sendmail.

** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

On Fri, 26 Jul 2002, Julian Field wrote:

> Date: Fri, 26 Jul 2002 15:23:43 +0100
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: null "Clean Header" multi-times gags sendmail
>
> I've never known anyone not want to tell their users that a message is clean.
> If you don't mark it as clean, how is the recipient supposed to know
> whether it has been scanned or not?
> Setting this configuration option to nothing seems a mite strange to me...
>
> At 14:39 26/07/2002, you wrote:
> >Julian,
> >
> >Setup:
> >------
> >Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin
> >
> >MailScanner Config Setting that triggers the problem:
> >-----------------------------------------------------
> >Changing the mailscanner.conf line
> > Clean Header = Found to be clean
> >to just be
> > Clean Header =
> >ie, nothing after the equals sign. Putting something after the
> >equals sign fixes the problem, but there's a bug here.
> >
> >The Problem:
> >------------
> >Running a piece of email thru mailscanner multiple times
> >with a blank "clean header" setup causes sendmail to give the following
> >syslog complaints:
> >
> >SYSERR(root): readqf: ./qf.....: incomplete queue file read
> >
> >Any piece of email in /var/spool/mqueue generating this complaint will
> >not be delivered by sendmail, but just sit there -- stuck.
> >
> >Analysis:
> >---------
> >I spent some time staring at the qf files for multi-scanned messages
> >that ended up in /var/spool/mqueue, for both messages with a blank and
> >nonblank "Clean Header" settings. For a blank "Clean Header" line,
> >the bottom of the qf file looked like:
> >
> >H??X-MailScanner: , .
> >
> >For a qf file with a nonblank "Clean Header = ftbc" line, the bottom of the
> >file looked like:
> >
> >H??X-MailScanner: ftbc, ftbc
> >.
> >
> >Note the placement of the period, which signifies to sendmail where the
> >end of the qf file is supposed to be. For the blank header, it does not
> >end up by itself as the last line, hence sendmail complains that the queue
> >file is incomplete. I found that I could unjam the problem qf files in
> >my queue by editing them and sticking a period at the bottom, then
> >rerunning the queue on that message by hand to get it delivered. And
> >of course I can chase this problem away by making sure that "Clean
> >Header" is not empty. But this looks like a mailscanner bug -- it puts
> >the final period in the wrong place for multi-scanned messages and an
> >empty "clean headers" setting.
> >
> >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
> >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
> >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
> >** Waterville ME, 04901-8842
> >----------------------------------------------------------------------------
>
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel.
023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>

From mailscanner at ecs.soton.ac.uk Fri Jul 26 16:22:08 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: null "Clean Header" multi-times gags sendmail
In-Reply-To: 
References: <5.1.0.14.2.20020726152252.04d50ea8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk>

At 16:03 26/07/2002, you wrote:
> I know, I know. My user community complained "what is this found to
>be clean clutter in my email messages?" after I started using mailscanner
>this Spring. So my quick fix was to null out the clean header message.
>A big chunk of my community uses Eudora, which shows the X-MailScanner
>message at the top as part of the mail message (Outlook doesn't as I
>remember, Pine doesn't either). At least the line "X-MailScanner:"
>tells *me* that mailscanner touched the message.
>
>Things worked fine until this week, when I went from sendmail 8.11.6 to
>8.12.5, and went from mailscanner 3.21.1 to 3.22.7. Then I started
>noticing this corner-case problem for stuff that goes thru our server
>twice. Sheesh, listen to user complaints and open up a can 'o worms.
>I don't know if you consider this a mailscanner bug or misuse on my
>part, but it did choke sendmail.

I guess it's really a bug, but it's a pretty minor one :-)
The trouble is that it has taken many attempts and a lot of work to make all versions of Perl accept the regular expressions I have to use in AppendHeader() and ReplaceHeader(), I am extremely reluctant to change them.

How about you set the message to be "." or something like that?

Personally, I would recommend advising your users that this extra header in their mail messages is there to assure them that the mail has been virus-checked, and that they should be wary of any email message they see that does not have this header in it. If you sell it right, they should end up being grateful for it.
They certainly will the first time they get a message that had a virus in it! >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- > >On Fri, 26 Jul 2002, Julian Field wrote: > > > Date: Fri, 26 Jul 2002 15:23:43 +0100 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: null "Clean Header" multi-times gags sendmail > > > > I've never know anyone not want to tell their users that a message is > clean. > > If you don't mark it as clean, how is the recipient supposed to know > > whether it has been scanned or not? > > Setting this configuration option to nothing seems a mite strange to me... > > > > At 14:39 26/07/2002, you wrote: > > >Julian, > > > > > >Setup: > > >------ > > >Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin > > > > > >MailScanner Config Setting that triggers the problem: > > >----------------------------------------------------- > > >Changing the mailscanner.conf line > > > Clean Header = Found to be clean > > >to just be > > > Clean Header = > > >ie, nothing after the equals sign. Putting something after the > > >equals sign fixes the problem, but there's a bug here. > > > > > >The Problem: > > >------------ > > >Running a piece of email thru mailscanner multiple times > > >with a blank "clean header" setup causes sendmail to give the following > > >syslog complaints: > > > > > >SYSERR(root): readqf: ./qf.....: incomplete queue file read > > > > > >Any piece of email in /var/spool/mqueue generating this complaint will > > >not be delivered by sendmail, but just sit there -- stuck. 
> > > > > >Analysis: > > >--------- > > >I spent some time staring at the qf files for multi-scanned messages > > >that ended up in /var/spool/mqueue, for both messages with a blank and > > >nonblank "Clean Header" settings. For a blank "Clean Header" line, > > >the bottom of the qf file looked like: > > > > > >H??X-MailScanner: , . > > > > > >For a qf file with a nonblank "Clean Header = ftbc" line, the bottom > of the > > >file looked like: > > > > > >H??X-MailScanner: ftbc, ftbc > > >. > > > > > >Note the placement of the period, which signifies to sendmail where the > > >end of the qf file is supposed to be. For the blank header, it does not > > >end up by itself as the last line, hence sendmail complains that the queue > > >file is incomplete. I found that I could unjam the problem qf files in > > >my queue by editing them and sticking a period at the bottom, then > > >rerunning the queue on that message by hand to get it delivered. And > > >of course I can chase this problem away by making sure that "Clean > > >Header" is not empty. But this looks like a mailscanner bug -- it puts > > >the final period in the wrong place for multi-scanned messages and an > > >empty "clean headers" setting. > > > > > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > >** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > >** Waterville ME, 04901-8842 > > >----------------------------------------------------------------------- > ----- > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton
Southampton SO17 1BJ

From rlong at MAIL.WVNET.EDU Fri Jul 26 16:19:39 2002
From: rlong at MAIL.WVNET.EDU (Randall Long)
Date: Thu Jan 12 21:15:19 2006
Subject: Missing f-protwrapper
Message-ID: <3D41688B.2000509@mail.wvnet.edu>

Hello...
I have a feeling this is a stupid question
because no one else is posting about it
(and I've searched the archives)

if so...I apologize...

I'm running RedHat Linux 7.3 and have installed
MailScanner version 3.22-7. I'm trying to use F-prot
as the virus scanner (version 3.12a).

Both were installed using the RPM.

In the mailscanner.conf file, I changed the 'Virus Scanner'
entry from 'sophos' to 'f-prot'. I want to change the 'Sweep'
entry to the correct wrapper, however, there was no 'f-protwrapper'
file in this f-prot distribution.

If I comment out the 'Sweep' line, this message is displayed:

MailScanner: Configuration file /opt/sophos/bin/sophoswrapper could
not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 64.

and MailScanner fails to start.

If I leave the 'Sweep' line pointing to the non-existent sophoswrapper,
MailScanner starts
but then MailScanner complains that it can not execute sophoswrapper.

We've tested MailScanner and it seems to work. It detected and cleaned
email with attachments we knew to be infected.

How should MailScanner be configured without the f-protwrapper file?

From rlong at MAIL.WVNET.EDU Fri Jul 26 16:28:14 2002
From: rlong at MAIL.WVNET.EDU (Randall Long)
Date: Thu Jan 12 21:15:19 2006
Subject: Missing f-protwrapper
Message-ID: <200207261528.g6QFSMr18473@ori.rl.ac.uk>

Hello...
I have a feeling this is a stupid question
because no one else is posting about it
(and I've searched the archives)

if so...I apologize...

I'm running RedHat Linux 7.3 and have installed
MailScanner version 3.22-7. I'm trying to use F-prot
as the virus scanner (version 3.12a).

Both were installed using the RPM.

In the mailscanner.conf file, I changed the 'Virus Scanner'
entry from 'sophos' to 'f-prot'. I want to change the 'Sweep'
entry to the correct wrapper, however, there was no 'f-protwrapper'
file in this f-prot distribution.

If I comment out the 'Sweep' line, this message is displayed:

MailScanner: Configuration file /opt/sophos/bin/sophoswrapper could
not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 64.

and MailScanner fails to start.

If I leave the 'Sweep' line pointing to the non-existent sophoswrapper,
MailScanner starts
but then MailScanner complains that it can not execute sophoswrapper.

We've tested MailScanner and it seems to work. It detected and cleaned
email with attachments we knew to be infected.

How should MailScanner be configured without the f-protwrapper file?

From mailscanner at ecs.soton.ac.uk Fri Jul 26 16:44:20 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Missing f-protwrapper
In-Reply-To: <200207261528.g6QFSMr18473@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20020726164253.04eb1000@imap.ecs.soton.ac.uk>

The f-protwrapper is installed by the MailScanner RPM, and can be found in
/usr/local/f-prot/f-protwrapper

However, do read this:
http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#24

At 16:28 26/07/2002, you wrote:
>Hello...
>I have a feeling this is a stupid question
>because no one else is posting about it
>(and I've searched the archives)
>
>if so...I apologize...
>
>
>I'm running RedHat Linux 7.3 and have installed
>MailScanner version 3.22-7. I'm trying to use F-prot
>as the virus scanner (version 3.12a).
>
>Both were installed using the RPM.
>
>In the mailscanner.conf file, I changed the 'Virus Scanner'
>entry from 'sophos' to 'f-prot'. I want to change the 'Sweep'
>entry to the correct wrapper, however, there was no 'f-protwrapper'
>file in this f-prot distribution.
> >If I comment out the 'Sweep' line, this message is displayed: > >MailScanner: Configuration file /opt/sophos/bin/sophoswrapper could >not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 64. > >and MailScanner fails to start. > >If I leave the 'Sweep' line pointing to the non-existent sophoswrapper, >MailScanner starts >but then MailScanner complains that it can not execute sophoswrapper. > >We've tested MailScanner and it seems to work. It detected and cleaned >email with attachments we knew to be infected. > > >How should MailScanner be configured without the f-protwrapper file? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Jul 26 16:56:55 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:19 2006 Subject: MAILSCANNER: r.zimmermann@SIEGNETZ.DE left the list Message-ID: <200207261556.QAA11416@magpie.ecs.soton.ac.uk> Fri, 26 Jul 2002 16:56:55 Ralf Zimmermann has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From leduc at CTS.COM Fri Jul 26 17:10:42 2002 From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:15:19 2006 Subject: null "Clean Header" multi-times gags sendmail In-Reply-To: <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020726152252.04d50ea8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk> Message-ID: <200207260910.42670.leduc@cts.com> My take on this is that it is a minor bug in MS. It seems like the routine is printing the "X-MailScanner: " amd then printing the result with an endline. Would it fix the problem if you printed the newline after the result is printed? 
If this is unclear, I'm thinking of something like: print "X-MailScanner: "; if [ $ok ] then { print "$ok_string" } else { print "$dirty_string" } print "\n"; instead of print "X-MailScanner: "; if [ $ok ] then { print "$ok_string\n" } else { print "$dirty_string\n" } I haven't looked at the code at all, but the description of the qf files would match my guess as to the code logic. On Friday 26 July 2002 08:22 am, Julian wrote: > At 16:03 26/07/2002, you wrote: > > I know, I know. My user community complained "what is this found to > >be clean clutter in my email messages?" after I started using mailscanner > >this Spring. So my quick fix was to null out the clean header message. > >A big chunk of my community uses Eudora, which shows the X-MailScanner > >message at the top as part of the mail message (Outlook doesn't as I > >remember, Pine doesn't either). At least the line "X-MailScanner:" > >tells *me* that mailscanner touched the message. > > > >Things worked fine until this week, when I went from sendmail 8.11.6 to > >8.12.5, and went from mailscanner 3.21.1 to 3.22.7. Then I started > >noticing this corner-case problem for stuff that goes thru our server > >twice. Sheesh, listen to user complaints and open up a can 'o worms. > >I don't know if you consider this a mailscanner bug or misuse on my > >part, but it did choke sendmail. > > I guess it's really a bug, but it's a pretty minor one :-) > The trouble is that it has taken many attempts and a lot of work to make > all versions of Perl accept the regular expressions I have to use in > AppendHeader() and ReplaceHeader(), I am extremely reluctant to change > them. > > How about you set the message to be "." or something like that? > > Personally, I would recommend advising your users that this extra header in > their mail messages is there to assure them that the mail has been > virus-checked, and that they should be wary of any email message they see > that does not have this header in it. 
If you sell it right, they should end > up being grateful for it. They certainly will the first time they get a > message that had a virus in it! > > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > >** Senior UNIX Sysadmin, Information Technology EMAIL: > > jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, > > FAX: 207-872-3076 ** Waterville ME, 04901-8842 > >-------------------------------------------------------------------------- > >-- > > > >On Fri, 26 Jul 2002, Julian Field wrote: > > > Date: Fri, 26 Jul 2002 15:23:43 +0100 > > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: null "Clean Header" multi-times gags sendmail > > > > > > I've never know anyone not want to tell their users that a message is > > > > clean. > > > > > If you don't mark it as clean, how is the recipient supposed to know > > > whether it has been scanned or not? > > > Setting this configuration option to nothing seems a mite strange to > > > me... > > > > > > At 14:39 26/07/2002, you wrote: > > > >Julian, > > > > > > > >Setup: > > > >------ > > > >Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin > > > > > > > >MailScanner Config Setting that triggers the problem: > > > >----------------------------------------------------- > > > >Changing the mailscanner.conf line > > > > Clean Header = Found to be clean > > > >to just be > > > > Clean Header = > > > >ie, nothing after the equals sign. Putting something after the > > > >equals sign fixes the problem, but there's a bug here. 
> > > > > > > >The Problem: > > > >------------ > > > >Running a piece of email thru mailscanner multiple times > > > >with a blank "clean header" setup causes sendmail to give the > > > > following syslog complaints: > > > > > > > >SYSERR(root): readqf: ./qf.....: incomplete queue file read > > > > > > > >Any piece of email in /var/spool/mqueue generating this complaint will > > > >not be delivered by sendmail, but just sit there -- stuck. > > > > > > > >Analysis: > > > >--------- > > > >I spent some time staring at the qf files for multi-scanned messages > > > >that ended up in /var/spool/mqueue, for both messages with a blank and > > > >nonblank "Clean Header" settings. For a blank "Clean Header" line, > > > >the bottom of the qf file looked like: > > > > > > > >H??X-MailScanner: , . > > > > > > > >For a qf file with a nonblank "Clean Header = ftbc" line, the bottom > > > > of the > > > > > >file looked like: > > > > > > > >H??X-MailScanner: ftbc, ftbc > > > >. > > > > > > > >Note the placement of the period, which signifies to sendmail where > > > > the end of the qf file is supposed to be. For the blank header, it > > > > does not end up by itself as the last line, hence sendmail complains > > > > that the queue file is incomplete. I found that I could unjam the > > > > problem qf files in my queue by editing them and sticking a period at > > > > the bottom, then rerunning the queue on that message by hand to get > > > > it delivered. And of course I can chase this problem away by making > > > > sure that "Clean Header" is not empty. But this looks like a > > > > mailscanner bug -- it puts the final period in the wrong place for > > > > multi-scanned messages and an empty "clean headers" setting. > > > > > > > >** Jeff A. 
Earickson, Ph.D PHONE: 207-872-3659 > > > >** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > jaearick@colby.edu > > > > > >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > > >** Waterville ME, 04901-8842 > > > >---------------------------------------------------------------------- > > > >- > > > > ----- > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Fri Jul 26 17:29:04 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:19 2006 Subject: null "Clean Header" multi-times gags sendmail In-Reply-To: <200207260910.42670.leduc@cts.com> References: <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020726152252.04d50ea8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020726172840.033e60d0@imap.ecs.soton.ac.uk> I'm afraid that isn't how it is implemented at all. Nice try though... :) At 17:10 26/07/2002, you wrote: >My take on this is that it is a minor bug in MS. It seems like the routine is >printing the "X-MailScanner: " amd then printing the result with an endline. >Would it fix the problem if you printed the newline after the result is >printed? If this is unclear, I'm thinking of something like: > >print "X-MailScanner: "; >if [ $ok ] then { print "$ok_string" } > else { print "$dirty_string" } >print "\n"; > >instead of > >print "X-MailScanner: "; >if [ $ok ] then { print "$ok_string\n" } > else { print "$dirty_string\n" } > >I haven't looked at the code at all, but the description of the qf files would >match my guess as to the code logic. > >On Friday 26 July 2002 08:22 am, Julian wrote: > > At 16:03 26/07/2002, you wrote: > > > I know, I know. My user community complained "what is this found to > > >be clean clutter in my email messages?" 
after I started using mailscanner > > >this Spring. So my quick fix was to null out the clean header message. > > >A big chunk of my community uses Eudora, which shows the X-MailScanner > > >message at the top as part of the mail message (Outlook doesn't as I > > >remember, Pine doesn't either). At least the line "X-MailScanner:" > > >tells *me* that mailscanner touched the message. > > > > > >Things worked fine until this week, when I went from sendmail 8.11.6 to > > >8.12.5, and went from mailscanner 3.21.1 to 3.22.7. Then I started > > >noticing this corner-case problem for stuff that goes thru our server > > >twice. Sheesh, listen to user complaints and open up a can 'o worms. > > >I don't know if you consider this a mailscanner bug or misuse on my > > >part, but it did choke sendmail. > > > > I guess it's really a bug, but it's a pretty minor one :-) > > The trouble is that it has taken many attempts and a lot of work to make > > all versions of Perl accept the regular expressions I have to use in > > AppendHeader() and ReplaceHeader(), I am extremely reluctant to change > > them. > > > > How about you set the message to be "." or something like that? > > > > Personally, I would recommend advising your users that this extra header in > > their mail messages is there to assure them that the mail has been > > virus-checked, and that they should be wary of any email message they see > > that does not have this header in it. If you sell it right, they should end > > up being grateful for it. They certainly will the first time they get a > > message that had a virus in it! > > > > >** Jeff A. 
Earickson, Ph.D PHONE: 207-872-3659 > > >** Senior UNIX Sysadmin, Information Technology EMAIL: > > > jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, > > > FAX: 207-872-3076 ** Waterville ME, 04901-8842 > > >-------------------------------------------------------------------------- > > >-- > > > > > >On Fri, 26 Jul 2002, Julian Field wrote: > > > > Date: Fri, 26 Jul 2002 15:23:43 +0100 > > > > From: Julian Field > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: null "Clean Header" multi-times gags sendmail > > > > > > > > I've never know anyone not want to tell their users that a message is > > > > > > clean. > > > > > > > If you don't mark it as clean, how is the recipient supposed to know > > > > whether it has been scanned or not? > > > > Setting this configuration option to nothing seems a mite strange to > > > > me... > > > > > > > > At 14:39 26/07/2002, you wrote: > > > > >Julian, > > > > > > > > > >Setup: > > > > >------ > > > > >Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, spamassassin > > > > > > > > > >MailScanner Config Setting that triggers the problem: > > > > >----------------------------------------------------- > > > > >Changing the mailscanner.conf line > > > > > Clean Header = Found to be clean > > > > >to just be > > > > > Clean Header = > > > > >ie, nothing after the equals sign. Putting something after the > > > > >equals sign fixes the problem, but there's a bug here. > > > > > > > > > >The Problem: > > > > >------------ > > > > >Running a piece of email thru mailscanner multiple times > > > > >with a blank "clean header" setup causes sendmail to give the > > > > > following syslog complaints: > > > > > > > > > >SYSERR(root): readqf: ./qf.....: incomplete queue file read > > > > > > > > > >Any piece of email in /var/spool/mqueue generating this complaint will > > > > >not be delivered by sendmail, but just sit there -- stuck. 
> > > > > > > > > >Analysis: > > > > >--------- > > > > >I spent some time staring at the qf files for multi-scanned messages > > > > >that ended up in /var/spool/mqueue, for both messages with a blank and > > > > >nonblank "Clean Header" settings. For a blank "Clean Header" line, > > > > >the bottom of the qf file looked like: > > > > > > > > > >H??X-MailScanner: , . > > > > > > > > > >For a qf file with a nonblank "Clean Header = ftbc" line, the bottom > > > > > > of the > > > > > > > >file looked like: > > > > > > > > > >H??X-MailScanner: ftbc, ftbc > > > > >. > > > > > > > > > >Note the placement of the period, which signifies to sendmail where > > > > > the end of the qf file is supposed to be. For the blank header, it > > > > > does not end up by itself as the last line, hence sendmail complains > > > > > that the queue file is incomplete. I found that I could unjam the > > > > > problem qf files in my queue by editing them and sticking a period at > > > > > the bottom, then rerunning the queue on that message by hand to get > > > > > it delivered. And of course I can chase this problem away by making > > > > > sure that "Clean Header" is not empty. But this looks like a > > > > > mailscanner bug -- it puts the final period in the wrong place for > > > > > multi-scanned messages and an empty "clean headers" setting. > > > > > > > > > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > > > >** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > > > jaearick@colby.edu > > > > > > > >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > > > >** Waterville ME, 04901-8842 > > > > >---------------------------------------------------------------------- > > > > >- > > > > > > ----- > > > > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > Tel. 
023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rlong at MAIL.WVNET.EDU Fri Jul 26 18:19:24 2002 From: rlong at MAIL.WVNET.EDU (Randall Long) Date: Thu Jan 12 21:15:19 2006 Subject: Missing f-protwrapper In-Reply-To: <5.1.0.14.2.20020726164253.04eb1000@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020726164253.04eb1000@imap.ecs.soton.ac.uk> Message-ID: <1027703964.1548.0.camel@rlong> Thank you... I knew it had to be a problem on my end. On Fri, 2002-07-26 at 11:44, Julian Field wrote: > The f-protwrapper is installed by the MailScanner RPM, and can be found in > /usr/local/f-prot/f-protwrapper > > However, do read this: > http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#24 > > At 16:28 26/07/2002, you wrote: > >Hello... > >I have a feeling this is a stupid question > >because no one else is posting about it > >(and I've searched the archives) > > > >if so...I apologize... > > > > > >I'm running RedHat Linux 7.3 and have installed > >MailScanner version 3.22-7. I'm trying to use F-prot > >as the virus scanner (version 3.12a). > > > >Both were installed using the RPM. > > > >In the mailscanner.conf file, I changed the 'Virus Scanner' > >entry from 'sophos' to 'f-prot'. I want to change the 'Sweep' > >entry to the correct wrapper, however, there was no 'f-protwrapper' > >file in this f-prot distribution. > > > >If I comment out the 'Sweep' line, this message is displayed: > > > >MailScanner: Configuration file /opt/sophos/bin/sophoswrapper could > >not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 64. > > > >and MailScanner fails to start. > > > >If I leave the 'Sweep' line pointing to the non-existent sophoswrapper, > >MailScanner starts > >but then MailScanner complains that it can not execute sophoswrapper. 
> > > >We've tested MailScanner and it seems to work. It detected and cleaned > >email with attachments we knew to be infected. > > > > > >How should MailScanner be configured without the f-protwrapper file? > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From leduc at CTS.COM Fri Jul 26 19:39:52 2002 From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:15:19 2006 Subject: null "Clean Header" multi-times gags sendmail In-Reply-To: <5.1.0.14.2.20020726172840.033e60d0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020726161829.02d3d318@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020726172840.033e60d0@imap.ecs.soton.ac.uk> Message-ID: <200207261139.52248.leduc@cts.com> Rats, back to lurking... On Friday 26 July 2002 09:29 am, Julian wrote: > I'm afraid that isn't how it is implemented at all. Nice try though... :) > > At 17:10 26/07/2002, you wrote: > >My take on this is that it is a minor bug in MS. It seems like the > > routine is printing the "X-MailScanner: " amd then printing the result > > with an endline. Would it fix the problem if you printed the newline > > after the result is printed? If this is unclear, I'm thinking of > > something like: > > > >print "X-MailScanner: "; > >if [ $ok ] then { print "$ok_string" } > > else { print "$dirty_string" } > >print "\n"; > > > >instead of > > > >print "X-MailScanner: "; > >if [ $ok ] then { print "$ok_string\n" } > > else { print "$dirty_string\n" } > > > >I haven't looked at the code at all, but the description of the qf files > > would match my guess as to the code logic. > > > >On Friday 26 July 2002 08:22 am, Julian wrote: > > > At 16:03 26/07/2002, you wrote: > > > > I know, I know. My user community complained "what is this found > > > > to be clean clutter in my email messages?" after I started using > > > > mailscanner this Spring. 
So my quick fix was to null out the clean > > > > header message. A big chunk of my community uses Eudora, which shows > > > > the X-MailScanner message at the top as part of the mail message > > > > (Outlook doesn't as I remember, Pine doesn't either). At least the > > > > line "X-MailScanner:" tells *me* that mailscanner touched the > > > > message. > > > > > > > >Things worked fine until this week, when I went from sendmail 8.11.6 > > > > to 8.12.5, and went from mailscanner 3.21.1 to 3.22.7. Then I > > > > started noticing this corner-case problem for stuff that goes thru > > > > our server twice. Sheesh, listen to user complaints and open up a > > > > can 'o worms. I don't know if you consider this a mailscanner bug or > > > > misuse on my part, but it did choke sendmail. > > > > > > I guess it's really a bug, but it's a pretty minor one :-) > > > The trouble is that it has taken many attempts and a lot of work to > > > make all versions of Perl accept the regular expressions I have to use > > > in AppendHeader() and ReplaceHeader(), I am extremely reluctant to > > > change them. > > > > > > How about you set the message to be "." or something like that? > > > > > > Personally, I would recommend advising your users that this extra > > > header in their mail messages is there to assure them that the mail has > > > been virus-checked, and that they should be wary of any email message > > > they see that does not have this header in it. If you sell it right, > > > they should end up being grateful for it. They certainly will the first > > > time they get a message that had a virus in it! > > > > > > >** Jeff A. 
Earickson, Ph.D PHONE: 207-872-3659 > > > >** Senior UNIX Sysadmin, Information Technology EMAIL: > > > > jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, > > > > FAX: 207-872-3076 ** Waterville ME, 04901-8842 > > > >---------------------------------------------------------------------- > > > >---- -- > > > > > > > >On Fri, 26 Jul 2002, Julian Field wrote: > > > > > Date: Fri, 26 Jul 2002 15:23:43 +0100 > > > > > From: Julian Field > > > > > Reply-To: MailScanner mailing list > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: null "Clean Header" multi-times gags sendmail > > > > > > > > > > I've never know anyone not want to tell their users that a message > > > > > is > > > > > > > > clean. > > > > > > > > > If you don't mark it as clean, how is the recipient supposed to > > > > > know whether it has been scanned or not? > > > > > Setting this configuration option to nothing seems a mite strange > > > > > to me... > > > > > > > > > > At 14:39 26/07/2002, you wrote: > > > > > >Julian, > > > > > > > > > > > >Setup: > > > > > >------ > > > > > >Solaris 8, sendmail 8.12.5, mailscanner 3.22-7, Sophos, > > > > > > spamassassin > > > > > > > > > > > >MailScanner Config Setting that triggers the problem: > > > > > >----------------------------------------------------- > > > > > >Changing the mailscanner.conf line > > > > > > Clean Header = Found to be clean > > > > > >to just be > > > > > > Clean Header = > > > > > >ie, nothing after the equals sign. Putting something after the > > > > > >equals sign fixes the problem, but there's a bug here. 
> > > > > > > > > > > >The Problem: > > > > > >------------ > > > > > >Running a piece of email thru mailscanner multiple times > > > > > >with a blank "clean header" setup causes sendmail to give the > > > > > > following syslog complaints: > > > > > > > > > > > >SYSERR(root): readqf: ./qf.....: incomplete queue file read > > > > > > > > > > > >Any piece of email in /var/spool/mqueue generating this complaint > > > > > > will not be delivered by sendmail, but just sit there -- stuck. > > > > > > > > > > > >Analysis: > > > > > >--------- > > > > > >I spent some time staring at the qf files for multi-scanned > > > > > > messages that ended up in /var/spool/mqueue, for both messages > > > > > > with a blank and nonblank "Clean Header" settings. For a blank > > > > > > "Clean Header" line, the bottom of the qf file looked like: > > > > > > > > > > > >H??X-MailScanner: , . > > > > > > > > > > > >For a qf file with a nonblank "Clean Header = ftbc" line, the > > > > > > bottom > > > > > > > > of the > > > > > > > > > >file looked like: > > > > > > > > > > > >H??X-MailScanner: ftbc, ftbc > > > > > >. > > > > > > > > > > > >Note the placement of the period, which signifies to sendmail > > > > > > where the end of the qf file is supposed to be. For the blank > > > > > > header, it does not end up by itself as the last line, hence > > > > > > sendmail complains that the queue file is incomplete. I found > > > > > > that I could unjam the problem qf files in my queue by editing > > > > > > them and sticking a period at the bottom, then rerunning the > > > > > > queue on that message by hand to get it delivered. And of course > > > > > > I can chase this problem away by making sure that "Clean Header" > > > > > > is not empty. But this looks like a mailscanner bug -- it puts > > > > > > the final period in the wrong place for multi-scanned messages > > > > > > and an empty "clean headers" setting. > > > > > > > > > > > >** Jeff A. 
Earickson, Ph.D PHONE: > > > > > > 207-872-3659 ** Senior UNIX Sysadmin, Information Technology > > > > > > EMAIL: > > > > > > > > jaearick@colby.edu > > > > > > > > > >** Colby College, 4214 Mayflower Hill, FAX: > > > > > > 207-872-3076 ** Waterville ME, 04901-8842 > > > > > >------------------------------------------------------------------ > > > > > >---- - > > > > > > > > ----- > > > > > > > > > -- > > > > > Julian Field Teaching Systems Manager > > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > > Tel. 023 8059 2817 University of Southampton > > > > > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri Jul 26 19:22:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:19 2006 Subject: MAILSCANNER: rlong@MAIL.WVNET.EDU left the list Message-ID: <200207261822.TAA21513@magpie.ecs.soton.ac.uk> Fri, 26 Jul 2002 19:22:47 Randall Long has just signed off the MAILSCANNER list (MailScanner mailing list). ------------------------- Original mail header -------------------------- [WWW request received from 129.71.3.98] From miguelk at KONSULTEX.COM.BR Fri Jul 26 21:13:02 2002 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:15:19 2006 Subject: Removing only Windows executables Message-ID: <3D41AD4E.7080908@konsultex.com.br> Excuse my ignorance in this. I have mail scanner running perfectly for about 10 months now (did not upgrade yet) and since there were no problems with it (set and forget), I have gotten "rusty" in my mail scanner skills. I have a situation in a network where it is desired to scan all mails but to completely block Windows executable files. Don't even need to scan them, just to remove them. Management has decided that no one should receive executables The important fact here is that this is valid even if they are zipped or renamed. I'm not talking about a batch file but just EXE or COM for example. 
I would need to determine from the file header if it is an executable
Windows binary or not. Is this possible with mail scanner in the current
version? If not does anyone have a suggestion?

Thanks.

Miguel

From Matthew_doherty at DATAWATCH.COM Fri Jul 26 21:26:44 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
Message-ID:

hint: filename.rules.conf

Matt Doherty
IT Dept
Datawatch Corp
>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Miguel Koren O'Brien de Lacy [mailto:miguelk@KONSULTEX.COM.BR]
Sent: Friday, July 26, 2002 5:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Removing only Windows executables

Excuse my ignorance in this. I have mail scanner running perfectly for
about 10 months now (did not upgrade yet) and since there were no
problems with it (set and forget), I have gotten "rusty" in my mail
scanner skills.

I have a situation in a network where it is desired to scan all mails
but to completely block Windows executable files. Don't even need to
scan them, just to remove them. Management has decided that no one
should receive executables. The important fact here is that this is
valid even if they are zipped or renamed. I'm not talking about a batch
file but just EXE or COM for example. I would need to determine from the
file header if it is an executable Windows binary or not. Is this
possible with mail scanner in the current version? If not does anyone
have a suggestion?

Thanks.

Miguel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020726/b1fb7b60/attachment.html

From miguelk at KONSULTEX.COM.BR Fri Jul 26 21:57:50 2002
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
References:
Message-ID: <3D41B7CE.1060505@konsultex.com.br>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020726/859b8fc3/attachment.html

From sevans at FOUNDATION.SDSU.EDU Fri Jul 26 22:02:16 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
Message-ID: <6214C3F9233D764C9E7029396C3550153312CE@mail.foundation.sdsu.edu>

If someone changes the extension it won't block it even if it is an
executable. This works pretty well though because there's not too many
viruses that were written which hope that the user will change the
extension and then execute it.

The only anti-virus software I've ever seen that blocks executables not
based on file extension is Antigen from Sybari, but that's for Exchange.

Steve Evans
Computing Services
(619) 594-0653

-----Original Message-----
From: Miguel Koren O'Brien de Lacy [mailto:miguelk@KONSULTEX.COM.BR]
Sent: Friday, July 26, 2002 1:58 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Removing only Windows executables

Thanks for the idea. After reviewing this file I see that I would remove
EXE and COM by these lines:

deny \.exe$
deny \.com$

Is this true? But I don't really understand how I would detect the EXE
if the sender renames it to say 'ccx' for example. Or am I missing
something? I would like to know if it's an executable by the information
in the attachment itself (even if zipped).
Miguel

Matt Doherty wrote:

hint: filename.rules.conf

Matt Doherty
IT Dept
Datawatch Corp
>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Miguel Koren O'Brien de Lacy [mailto:miguelk@KONSULTEX.COM.BR]
Sent: Friday, July 26, 2002 5:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Removing only Windows executables

Excuse my ignorance in this. I have mail scanner running perfectly for
about 10 months now (did not upgrade yet) and since there were no
problems with it (set and forget), I have gotten "rusty" in my mail
scanner skills.

I have a situation in a network where it is desired to scan all mails
but to completely block Windows executable files. Don't even need to
scan them, just to remove them. Management has decided that no one
should receive executables. The important fact here is that this is
valid even if they are zipped or renamed. I'm not talking about a batch
file but just EXE or COM for example. I would need to determine from the
file header if it is an executable Windows binary or not. Is this
possible with mail scanner in the current version? If not does anyone
have a suggestion?

Thanks.

Miguel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020726/8514f185/attachment.html

From rob.moore at POWERDISK.CO.UK Fri Jul 26 23:47:30 2002
From: rob.moore at POWERDISK.CO.UK (Rob Moore)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
In-Reply-To: <6214C3F9233D764C9E7029396C3550153312CE@mail.foundation.sdsu.edu>
Message-ID:

>> The only anti-virus software I've ever seen that blocks executables not
>> based on file extension is Antigen from Sybari, but that's for Exchange.

There is another commercial product (Win32 only) called MAILsweeper that
will do the same thing as well.
I understand it inspects the headers of each file to determine the
filetype and whether or not to block it based upon the policies you set.

The drawbacks are a) it's commercial (thanks Julian for your excellent
product) b) it's a Win32 platform only c) it can be quite expensive as
the license is based upon users protected.

Rob

From brose at MED.WAYNE.EDU Sat Jul 27 00:22:05 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:19 2006
Subject: Mailscanner Spam Whitelisting
Message-ID:

I'm whitelisting some stuff but I'm still seeing items get tagged. What
am I missing here?

Example

In spam.whitelist.conf
From: reports@marketwatchmail.com

>From reports@marketwatchmail.com Fri Jul 26 17:06:18 2002
Return-Path: <$g>
Received: from q4.marketwatchmail.com (q4.marketwatchmail.com [206.146.143.89])
        by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6QL5n9S026281
        for ; Fri, 26 Jul 2002 17:05:50 -0400 (EDT)
Message-Id: <200207262105.g6QL5n9S026281@eeyore.med.wayne.edu>
Received: (qmail 97393 invoked from network); 26 Jul 2002 21:20:47 -0000
Received: from unknown (206.146.143.85)
        by q4.marketwatchmail.com with QMQP; 26 Jul 2002 21:20:47 -0000
Mailing-List: contact reports@marketwatchmail.com
X-No-Archive: yes
List-Help:
List-Unsubscribe:
List-Subscribe:
From: CBS MarketWatcher
To: hcartwri@med.wayne.edu
Delivered-To: mailing list afterthebell-html@marketwatchmail.com
Delivered-To: moderator for afterthebell-html@marketwatchmail.com
Received: (qmail 13628 invoked from network); 26 Jul 2002 21:01:11 -0000
Date: Fri, 26 Jul 2002 21:01:11 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (SMTP546388)
Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms SEC nominees
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
X-Spam-Status: Yes, hits=9.2 required=5.0
        tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
              OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
              HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
              WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
              MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
        version=2.40
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
X-Spam-Prev-Content-Type: text/html
X-Spam-Prev-Content-Transfer-Encoding: quoted-printable

From mrlynx at LAING.E-TARLAC.COM Sat Jul 27 01:39:06 2002
From: mrlynx at LAING.E-TARLAC.COM (JOSEPH BAUTISTA)
Date: Thu Jan 12 21:15:19 2006
Subject: problem after upgrading to mailscanner3.22-7
Message-ID:

pls read the attached files...
has anyone seen this problem before?
I start seeing that logs when I upgraded to v3.22-7...
Is that really a pain in the ass?
any help will be appreciated!!!

PS.
and pls urgent!

thnx in advance
--
-                      \|/            -
                      (@ @)
+----------oOO---------(_)------------+
|       Mr. Joseph C. Bautista        |
|          NOC, e-Tarlac.com          |
|   email add: mrlynx@e-tarlac.com    |
|    URL: http://www.e-tarlac.com     |
+------------------------oOO----------+
                    |__|__|
                    | | | |
                    ooO Ooo

-- It takes more learning, before you learn
   how little you've learned --
-------------- next part --------------
Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: premature EOM: Error 0
Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: unexpected close on connection from [202.138.138.4], sender=: Error 0
Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: from=, size=5, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.138.138.4]

 9540 ?        S      0:00 /usr/sbin/sendmail -q15m
29552 ?        S      0:01 /usr/bin/perl /usr/local/MailScanner/bin/mailscanner
29557 tty1     S      0:00 -bash
29741 ?        S      0:00 sendmail: server [202.138.138.7] child wait
29755 ?        S      0:00 sendmail: ./g6P8C7M29755 [202.138.138.7]: DATA
29780 ?        S      0:00 sendmail: server [202.138.138.4] child wait
29787 ?        S      0:00 sendmail: ./g6P8EQM29787 [202.138.138.4]: DATA
29885 ?        S      0:00 sendmail: ./g6P73Q927538 bulacan.ph.: client DATA 354
29950 tty5     S      0:00 vim
29996 ?        S      0:00 sendmail: server [202.138.138.4] child wait
29997 ?        S      0:00 sendmail: server [202.138.138.4] child wait
30006 ?        S      0:00 sendmail: ./g6P8S1M30006 [202.138.138.4]: DATA
30016 ?        S      0:00 sendmail: server [202.138.138.4] cmd read
30017 ?        S      0:00 sendmail: server [202.138.138.4] cmd read
30018 tty3     R      0:00 ps ax

From Stephane.Lentz at ANSF.ALCATEL.FR Sat Jul 27 09:15:12 2002
From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
In-Reply-To:
References: <6214C3F9233D764C9E7029396C3550153312CE@mail.foundation.sdsu.edu>
Message-ID: <20020727081512.GB2060@iww.netfr.alcatel.fr>

On Fri, Jul 26, 2002 at 11:47:30PM +0100, Rob Moore wrote:
> >> The only anti-virus software I've ever seen that blocks executables not
> >> based on file extension is Antigen from Sybari, but that's for Exchange.
>
> There is another commercial product (Win32 only) called MAILsweeper that
> will do the same thing as well. I understand it inspects the headers of each
> file to determine the filetype and whether or not to block it based upon
> the policies you set.
>
> The drawbacks are a) it's commercial (thanks Julian for your excellent
> product)
> b) it's a Win32 platform only c) it can be quite expensive as the license is
> based upon users protected.
>
There is a perl module called File::MMagic that makes it possible to
guess a file type:

http://search.cpan.org/search?dist=File-MMagic
http://search.cpan.org/doc/KNOK/File-MMagic-1.15/MMagic.pm

It should be able to find .exe which are renamed.

regards,

SL/
--
--- Stephane Lentz / Alcanet International - Internet Services

From LISTSERV at JISCMAIL.AC.UK Sat Jul 27 07:42:42 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:19 2006
Subject: MAILSCANNER: daniel.lists@WESTCO.CO.NZ requested to join
Message-ID: <200207270642.HAA24344@magpie.ecs.soton.ac.uk>

Sat, 27 Jul 2002 07:42:42

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Daniel Myall.

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER daniel.lists@WESTCO.CO.NZ Daniel Myall

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+daniel.lists%40WESTCO.CO.NZ+Daniel+Myall&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From mailscanner at ecs.soton.ac.uk Sat Jul 27 09:46:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Mailscanner Spam Whitelisting
In-Reply-To:
Message-ID: <5.1.0.14.2.20020727094550.031e8ce0@imap.ecs.soton.ac.uk>

At 00:22 27/07/2002, you wrote:
>I'm whitelisting some stuff but I'm still seeing items get tagged. What
>am I missing here?

You are running SpamAssassin from procmail or something like that. You
are not running SpamAssassin from MailScanner. If you were, you wouldn't
get most of those headers. I suggest you ask on the SpamAssassin satalk
mailing list.

>Example
>
>In spam.whitelist.conf
>From: reports@marketwatchmail.com
>
> >From reports@marketwatchmail.com Fri Jul 26 17:06:18 2002
>Return-Path: <$g>
>Received: from q4.marketwatchmail.com (q4.marketwatchmail.com [206.146.143.89])
>        by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6QL5n9S026281
>        for ; Fri, 26 Jul 2002 17:05:50 -0400 (EDT)
>Message-Id: <200207262105.g6QL5n9S026281@eeyore.med.wayne.edu>
>Received: (qmail 97393 invoked from network); 26 Jul 2002 21:20:47 -0000
>Received: from unknown (206.146.143.85)
>        by q4.marketwatchmail.com with QMQP; 26 Jul 2002 21:20:47 -0000
>Mailing-List: contact reports@marketwatchmail.com
>X-No-Archive: yes
>List-Help:
>List-Unsubscribe:
>
>List-Subscribe:
>From: CBS MarketWatcher
>To: hcartwri@med.wayne.edu
>Delivered-To: mailing list afterthebell-html@marketwatchmail.com
>Delivered-To: moderator for afterthebell-html@marketwatchmail.com
>Received: (qmail 13628 invoked from network); 26 Jul 2002 21:01:11 -0000
>Date: Fri, 26 Jul 2002 21:01:11 (GMT)
>X-MSMail-Priority: Normal
>X-mailer: AspMail 3.53 (SMTP546388)
>Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms SEC nominees
>Mime-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
>X-Spam-Status: Yes, hits=9.2 required=5.0
>        tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
>              OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
>              HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
>              WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
>              MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
>        version=2.40
>X-Spam-Flag: YES
>X-Spam-Level: *********
>X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
>X-Spam-Prev-Content-Type: text/html
>X-Spam-Prev-Content-Transfer-Encoding: quoted-printable

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 27 09:48:34 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: problem after upgrading to mailscanner3.22-7
In-Reply-To:
Message-ID: <5.1.0.14.2.20020727094734.03481418@imap.ecs.soton.ac.uk>

As they are all messages from sendmail, how do you know they are
MailScanner-related?

Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: premature EOM: Error 0
Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: unexpected close on connection from [202.138.138.4], sender=: Error 0
Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: from=, size=5, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.138.138.4]

This looks like a problem with your sendmail receiving a message from
202.138.138.4, which is a process completely unrelated to MailScanner.

At 01:39 27/07/2002, you wrote:
>pls read the attached files...
>has anyone seen this problem before?
>I start seeing that logs when I upgraded to v3.22-7...
>Is that really a pain in the ass?
>any help will be appreciated!!!
>
>PS.
>and pls urgent!
>
>thnx in advance
>--
>-                      \|/            -
>                      (@ @)
>+----------oOO---------(_)------------+
>|       Mr. Joseph C. Bautista        |
>|          NOC, e-Tarlac.com          |
>|   email add: mrlynx@e-tarlac.com    |
>|    URL: http://www.e-tarlac.com     |
>+------------------------oOO----------+
>                    |__|__|
>                    | | | |
>                    ooO Ooo
>
>-- It takes more learning, before you learn
>   how little you've learned --

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 27 09:49:41 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:19 2006
Subject: Removing only Windows executables
In-Reply-To: <20020727081512.GB2060@iww.netfr.alcatel.fr>
References: <6214C3F9233D764C9E7029396C3550153312CE@mail.foundation.sdsu.edu>
Message-ID: <5.1.0.14.2.20020727094846.03259598@imap.ecs.soton.ac.uk>

At 09:15 27/07/2002, you wrote:
>On Fri, Jul 26, 2002 at 11:47:30PM +0100, Rob Moore wrote:
> > >> The only anti-virus software I've ever seen that blocks executables not
> > >> based on file extension is Antigen from Sybari, but that's for Exchange.
> >
> > There is another commercial product (Win32 only) called MAILsweeper that
> > will do the same thing as well. I understand it inspects the headers of each
> > file to determine the filetype and whether or not to block it based upon
> > the policies you set.
> >
> > The drawbacks are a) it's commercial (thanks Julian for your excellent
> > product)
> > b) it's a Win32 platform only c) it can be quite expensive as the license is
> > based upon users protected.
> >
>There is a perl module called File::MMagic that makes it possible to
>guess a file type:
>
>http://search.cpan.org/search?dist=File-MMagic
>http://search.cpan.org/doc/KNOK/File-MMagic-1.15/MMagic.pm
>
>It should be able to find .exe which are renamed.

To do this within zip files (which was one of the requirements), you
will need to write all your own archive-unpacking code, which is an area
I have deliberately avoided. This isn't going to be an easy job.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mrlynx at LAING.E-TARLAC.COM Sat Jul 27 11:35:44 2002
From: mrlynx at LAING.E-TARLAC.COM (JOSEPH BAUTISTA)
Date: Thu Jan 12 21:15:19 2006
Subject: problem after upgrading to mailscanner3.22-7
In-Reply-To: <5.1.0.14.2.20020727094734.03481418@imap.ecs.soton.ac.uk>
Message-ID:

I figured that out after stopping my mailscanner and let the sendmail do
the dirty job.

thnx anyway...

PS.
still any help will be appreciated... c",)

On Sat, 27 Jul 2002, Julian Field wrote:

> As they are all messages from sendmail, how do you know they are
> MailScanner-related?
>
> Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: premature
> EOM: Error 0
> Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708: collect: unexpected
> close on connection from [202.138.138.4], sender=:
> Error 0
> Jul 25 14:38:08 laing sendmail[25708]: g6P6b3925708:
> from=, size=5, class=0, nrcpts=1, proto=ESMTP,
> daemon=MTA, relay=[202.138.138.4]
>
> This looks like a problem with your sendmail receiving a message from
> 202.138.138.4, which is a process completely unrelated to MailScanner.
>
> At 01:39 27/07/2002, you wrote:
> >pls read the attached files...
> >has anyone seen this problem before?
> >I start seeing that logs when I upgraded to v3.22-7...
> >Is that really a pain in the ass?
> >any help will be appreciated!!!
> >
> >PS.
> >and pls urgent!
> >
> >thnx in advance
> >--
> >-                      \|/            -
> >                      (@ @)
> >+----------oOO---------(_)------------+
> >|       Mr. Joseph C. Bautista        |
> >|          NOC, e-Tarlac.com          |
> >|   email add: mrlynx@e-tarlac.com    |
> >|    URL: http://www.e-tarlac.com     |
> >+------------------------oOO----------+
> >                    |__|__|
> >                    | | | |
> >                    ooO Ooo
> >
> >-- It takes more learning, before you learn
> >   how little you've learned --
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

--
-                      \|/            -
                      (@ @)
+----------oOO---------(_)------------+
|       Mr. Joseph C. Bautista        |
|          NOC, e-Tarlac.com          |
|   email add: mrlynx@e-tarlac.com    |
|    URL: http://www.e-tarlac.com     |
+------------------------oOO----------+
                    |__|__|
                    | | | |
                    ooO Ooo

-- It takes more learning, before you learn
   how little you've learned --

From jaearick at COLBY.EDU Sat Jul 27 12:53:58 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:15:20 2006
Subject: 3.22.7: all spam from my own domain?
Message-ID:

Julian,

I went from 3.22.5 to 3.22.7 on Thursday, and I just noticed that now
SpamAssassin puts my domain name after the IP number for the spam in
the syslog message, eg

Message g6RBkRu6016747 from 64.156.187.130 (colby.edu) is spam according
to SpamAssassin...

What gives?

** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill,             FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

From jaearick at COLBY.EDU Sat Jul 27 13:13:43 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:15:20 2006
Subject: 3.22.7: all spam from my own domain?
In-Reply-To:
Message-ID:

Julian,

Hmmm, noticed the whitelist stuff in this area of the code. I had
these three lines (recently added as of 3.22.7) in whitlist.conf:

To: spam@colby.edu
To: abuse@colby.edu
To: postmaster@colby.edu

I commented them out and the domains started looking right in the SA
output. Bug? More misuse on my part?

** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill,             FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

On Sat, 27 Jul 2002, Jeff A.
Earickson wrote:

> Date: Sat, 27 Jul 2002 07:53:58 -0400
> From: Jeff A. Earickson
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: 3.22.7: all spam from my own domain?
>
> Julian,
>
> I went from 3.22.5 to 3.22.7 on Thursday, and I just noticed that now
> SpamAssassin puts my domain name after the IP number for the spam in
> the syslog message, eg
>
> Message g6RBkRu6016747 from 64.156.187.130 (colby.edu) is spam according
> to SpamAssassin...
>
> What gives?
>
> ** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
> ** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
> ** Colby College, 4214 Mayflower Hill,             FAX: 207-872-3076
> ** Waterville ME, 04901-8842
> ----------------------------------------------------------------------------
>

From brose at MED.WAYNE.EDU Sat Jul 27 14:59:55 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:20 2006
Subject: Mailscanner Spam Whitelisting
Message-ID:

Where do you see that? I'm running SA from Mailscanner.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Saturday, July 27, 2002 4:47 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner Spam Whitelisting

At 00:22 27/07/2002, you wrote:
>I'm whitelisting some stuff but I'm still seeing items get tagged.
>What am I missing here?

You are running SpamAssassin from procmail or something like that. You
are not running SpamAssassin from MailScanner. If you were, you wouldn't
get most of those headers. I suggest you ask on the SpamAssassin satalk
mailing list.

>Example
>
>In spam.whitelist.conf
>From: reports@marketwatchmail.com
>
> >From reports@marketwatchmail.com Fri Jul 26 17:06:18 2002
>Return-Path: <$g>
>Received: from q4.marketwatchmail.com (q4.marketwatchmail.com [206.146.143.89])
>        by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6QL5n9S026281
>        for ; Fri, 26 Jul 2002 17:05:50 -0400 (EDT)
>Message-Id: <200207262105.g6QL5n9S026281@eeyore.med.wayne.edu>
>Received: (qmail 97393 invoked from network); 26 Jul 2002 21:20:47 -0000
>Received: from unknown (206.146.143.85)
>        by q4.marketwatchmail.com with QMQP; 26 Jul 2002 21:20:47 -0000
>Mailing-List: contact reports@marketwatchmail.com
>X-No-Archive: yes
>List-Help:
>List-Unsubscribe:
>
>List-Subscribe:
>From: CBS MarketWatcher
>To: hcartwri@med.wayne.edu
>Delivered-To: mailing list afterthebell-html@marketwatchmail.com
>Delivered-To: moderator for afterthebell-html@marketwatchmail.com
>Received: (qmail 13628 invoked from network); 26 Jul 2002 21:01:11 -0000
>Date: Fri, 26 Jul 2002 21:01:11 (GMT)
>X-MSMail-Priority: Normal
>X-mailer: AspMail 3.53 (SMTP546388)
>Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms SEC nominees
>Mime-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
>X-Spam-Status: Yes, hits=9.2 required=5.0
>        tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
>              OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
>              HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
>              WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
>              MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
>        version=2.40
>X-Spam-Flag: YES
>X-Spam-Level: *********
>X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
>X-Spam-Prev-Content-Type: text/html
>X-Spam-Prev-Content-Transfer-Encoding: quoted-printable

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 27 15:41:55 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: ANNOUNCE: Version 3.22-8
Message-ID: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>

I have just released 3.22-8.

This is just a bug-fix release:
* New forking code in mailscanner to avoid zombie processes on a few systems.
* Fixed domain reported in spam log entries.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 27 15:28:07 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: Mailscanner Spam Whitelisting
In-Reply-To:
Message-ID: <5.1.0.14.2.20020727152610.030df0a8@imap.ecs.soton.ac.uk>

At 14:59 27/07/2002, you wrote:
>Where do you see that? I'm running SA from Mailscanner.

These are all created by SA running from something other than
MailScanner. If it's not you running it this way, then someone in the
path from the sender to you must be running it this way.

> >Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms SEC nominees
> >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
> >X-Spam-Status: Yes, hits=9.2 required=5.0
> >        tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
> >              OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
> >              HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
> >              WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
> >              MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
> >        version=2.40
> >X-Spam-Flag: YES
> >X-Spam-Level: *********
> >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
> >X-Spam-Prev-Content-Type: text/html
> >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sat Jul 27 15:43:00 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: 3.22.7: all spam from my own domain?
In-Reply-To:
References:
Message-ID: <5.1.0.14.2.20020727154252.0315ce70@imap.ecs.soton.ac.uk>

Fixed in 3.22-8.

At 13:13 27/07/2002, you wrote:
>Julian,
>
>   Hmmm, noticed the whitelist stuff in this area of the code. I had
>these three lines (recently added as of 3.22.7) in whitlist.conf:
>
>To: spam@colby.edu
>To: abuse@colby.edu
>To: postmaster@colby.edu
>
>I commented them out and the domains started looking right in the SA
>output. Bug? More misuse on my part?
>
>** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
>** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
>** Colby College, 4214 Mayflower Hill,             FAX: 207-872-3076
>** Waterville ME, 04901-8842
>----------------------------------------------------------------------------
>
>On Sat, 27 Jul 2002, Jeff A. Earickson wrote:
>
> > Date: Sat, 27 Jul 2002 07:53:58 -0400
> > From: Jeff A. Earickson
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: 3.22.7: all spam from my own domain?
> >
> > Julian,
> >
> > I went from 3.22.5 to 3.22.7 on Thursday, and I just noticed that now
> > SpamAssassin puts my domain name after the IP number for the spam in
> > the syslog message, eg
> >
> > Message g6RBkRu6016747 from 64.156.187.130 (colby.edu) is spam according
> > to SpamAssassin...
> >
> > What gives?
> >
> > ** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
> > ** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
> > ** Colby College, 4214 Mayflower Hill,             FAX: 207-872-3076
> > ** Waterville ME, 04901-8842
> > ----------------------------------------------------------------------------
> >

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From brose at MED.WAYNE.EDU Sat Jul 27 17:27:13 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:20 2006
Subject: Mailscanner Spam Whitelisting
Message-ID:

I see the confusion but this is a report file. In sender.pl, I have
some extra code that if $SaResult is true, I then get the score and if
it's < 30 then I get the whole rewrite ($spamness->rewrite_mail ()) and
send that to a file called spr$mID. I do this so I can watch for false
positives and report to razor.

The output that you are seeing is from that code which only runs if
   $SAResult = ($spamness->is_spam())?1:0; is true

It shouldn't be true if the message has a trigger that's whitelisted
though correct? Or are you running everything thru SA and then checking
the whitelist?

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Saturday, July 27, 2002 10:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner Spam Whitelisting

At 14:59 27/07/2002, you wrote:
>Where do you see that? I'm running SA from Mailscanner.

These are all created by SA running from something other than
MailScanner. If it's not you running it this way, then someone in the
path from the sender to you must be running it this way.

> >Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms SEC nominees
> >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
> >X-Spam-Status: Yes, hits=9.2 required=5.0
> >        tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
> >              OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
> >              HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
> >              WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
> >              MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
> >        version=2.40
> >X-Spam-Flag: YES
> >X-Spam-Level: *********
> >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
> >X-Spam-Prev-Content-Type: text/html
> >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sat Jul 27 17:28:01 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:20 2006
Subject: MAILSCANNER: novirus@CARLO65.DE requested to join
Message-ID: <200207271628.RAA17813@magpie.ecs.soton.ac.uk>

Sat, 27 Jul 2002 17:28:01

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Roland Ehle.

The following subscription options have been requested: SUBJECTHDR.

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER novirus@CARLO65.DE Roland Ehle

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+novirus%40CARLO65.DE+Roland+Ehle&L=MAILSCANNER

This first link will add the subscriber to the list.
You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+SUBJECTHDR+FOR+novirus%40CARLO65.DE&L=MAILSCANNER ------------------------- Original mail header -------------------------- [Request submitted through anonymous TCP/IP interface from 127.0.0.1] From mailscanner at ecs.soton.ac.uk Sat Jul 27 17:34:23 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: Mailscanner Spam Whitelisting In-Reply-To: Message-ID: <5.1.0.14.2.20020727173212.02f0d238@imap.ecs.soton.ac.uk> At 17:27 27/07/2002, you wrote: >I see the confusion but this is a report file. In sender.pl, I have >some extra code So now I'm supporting your code, not mine? That's novel... > that if $SaResult is true, I then get the score and if >its < 30 then I get the whole rewite ($spamness->rewrite_mail ()) and >send that to a file called spr$mID. I do this so I can watch for false >positives and report to razor. > >The output that you are seeing is from that code which only runs if > $SAResult = ($spamness->is_spam())?1:0; is true And if you study my code, you'll discover that I don't use is_spam(). There's a reason: it's very unreliable. >It shouldn't be true if the message has a trigger that's whitelisted >though correct? Or are you running everything thru SA and then checking >the whitelist? > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Saturday, July 27, 2002 10:28 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner Spam Whitelisting > > >At 14:59 27/07/2002, you wrote: > >Where do you see that? I'm running SA from Mailscanner. > >These are all created by SA running from something other than >MailScanner. If it's not you running it this way, then someone in the >path from the sender to you must be running it this way. 
>
> > >Subject: *****SPAM***** CBSMW After The Bell Report: Senate confirms
> >SEC
> > >nominees
> > >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2
> > >X-Spam-Status: Yes, hits=9.2 required=5.0
> >
> > >tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED,
> > >      OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING,
> > >      HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP,
> > >      WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2,
> > >      MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL
> > >      version=2.40
> > >X-Spam-Flag: YES
> > >X-Spam-Level: *********
> > >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id:
> > >SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $)
> > >X-Spam-Prev-Content-Type: text/html
> > >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From brose at MED.WAYNE.EDU Sat Jul 27 18:10:46 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:20 2006
Subject: Mailscanner Spam Whitelisting
Message-ID:

Well I can take it out and the message will still get tagged so technically you are supporting your code. If you aren't using this then wouldn't it be wise to remove it to speed SA calls up then because $SAResult = ($spamness->is_spam())?1:0; is in sender.pl and is occurring even if $SAResult isn't being used for anything.

Regardless of all that, if an address is in the whitelist, should SAForkAndTest even be called? That's the point of the issue. If it is getting called for even whitelistings, then wouldn't it be better not to do that to speed things up? If it's not supposed to get called for a whitelisting, then why is it? This is the 3.22.7 code.

-----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Saturday, July 27, 2002 12:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner Spam Whitelisting At 17:27 27/07/2002, you wrote: >I see the confusion but this is a report file. In sender.pl, I have >some extra code So now I'm supporting your code, not mine? That's novel... > that if $SaResult is true, I then get the score and if >its < 30 then I get the whole rewite ($spamness->rewrite_mail ()) and >send that to a file called spr$mID. I do this so I can watch for false >positives and report to razor. > >The output that you are seeing is from that code which only runs if > $SAResult = ($spamness->is_spam())?1:0; is true And if you study my code, you'll discover that I don't use is_spam(). There's a reason: it's very unreliable. >It shouldn't be true if the message has a trigger that's whitelisted >though correct? Or are you running everything thru SA and then >checking the whitelist? > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Saturday, July 27, 2002 10:28 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner Spam Whitelisting > > >At 14:59 27/07/2002, you wrote: > >Where do you see that? I'm running SA from Mailscanner. > >These are all created by SA running from something other than >MailScanner. If it's not you running it this way, then someone in the >path from the sender to you must be running it this way. 
> > > >Subject: *****SPAM***** CBSMW After The Bell Report: Senate > > >confirms > >SEC > > >nominees > > >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2 > > >X-Spam-Status: Yes, hits=9.2 required=5.0 > > > > >tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED, > > > OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING, > > > HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP, > > > WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2, > > > MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL > > > version=2.40 > > >X-Spam-Flag: YES > > >X-Spam-Level: ********* > > >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: > > >SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $) > > >X-Spam-Prev-Content-Type: text/html > > >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jul 27 18:21:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: Mailscanner Spam Whitelisting In-Reply-To: Message-ID: <5.1.0.14.2.20020727181521.02ed5008@imap.ecs.soton.ac.uk> At 18:10 27/07/2002, you wrote: >Well I can take it out and the message will still get tagged so >technically you are supporting your code. If you aren't using this then >wouldn't it be wise to remove it to speed SA calls up then because >$SAResult = ($spamness->is_spam())?1:0; is in sender.pl and is occurring >even if $SAResult isn't being used for anything. You're right, there is 1 line of redundant code. If there's only 1 in 6,500 I'll be surprised :) >Regardless of all that, if an address is in the whitelist, should >SAForkAndTest even be called? That's the point of the issue. 
If it is
>getting called for even whitelistings, then wouldn't it be better not
>to do that to speed things up. If it's not supposed to get called for a
>whitelisting, then why is it. This is the 3.22.7 code.

Because of the "if" statement:

    if ($Info ne "" && $Config::SpamAssassin && (!$IsOnWhiteList || $Config::IncludeSpamHeader))

which I hope answers your question. It is called, even though it is whitelisted, *if* the mailscanner.conf file is set to always include the SpamAssassin header.

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Saturday, July 27, 2002 12:34 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Mailscanner Spam Whitelisting
>
>
>At 17:27 27/07/2002, you wrote:
> >I see the confusion but this is a report file. In sender.pl, I have
> >some extra code
>
>So now I'm supporting your code, not mine? That's novel...
>
> > that if $SaResult is true, I then get the score and if
> >it's < 30 then I get the whole rewrite ($spamness->rewrite_mail ()) and
> >send that to a file called spr$mID. I do this so I can watch for false
>
> >positives and report to razor.
> >
> >The output that you are seeing is from that code which only runs if
> > $SAResult = ($spamness->is_spam())?1:0; is true
>
>And if you study my code, you'll discover that I don't use is_spam().
>There's a reason: it's very unreliable.
>
> >It shouldn't be true if the message has a trigger that's whitelisted
> >though correct? Or are you running everything thru SA and then
> >checking the whitelist?
> >
> >-----Original Message-----
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> >Sent: Saturday, July 27, 2002 10:28 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Mailscanner Spam Whitelisting
> >
> >
> >At 14:59 27/07/2002, you wrote:
> > >Where do you see that? I'm running SA from Mailscanner.
> >
> >These are all created by SA running from something other than
> >MailScanner.
If it's not you running it this way, then someone in the > >path from the sender to you must be running it this way. > > > > > >Subject: *****SPAM***** CBSMW After The Bell Report: Senate > > > >confirms > > >SEC > > > >nominees > > > >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2 > > > >X-Spam-Status: Yes, hits=9.2 required=5.0 > > > > > > >tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED, > > > > OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING, > > > > HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP, > > > > WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2, > > > > MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL > > > > version=2.40 > > > >X-Spam-Flag: YES > > > >X-Spam-Level: ********* > > > >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: > > > >SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $) > > > >X-Spam-Prev-Content-Type: text/html > > > >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sat Jul 27 19:59:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:20 2006 Subject: MAILSCANNER: michael@NOMENNESCIO.NET requested to join Message-ID: <200207271859.TAA24585@magpie.ecs.soton.ac.uk> Sat, 27 Jul 2002 19:59:09 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Mike Klinkert . 
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER michael@NOMENNESCIO.NET Mike Klinkert The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+michael%40NOMENNESCIO.NET+Mike+Klinkert&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sat, 27 Jul 2002 19:59:09 +0100 Received: from nnlx001.nomennescio (IDENT:1027796355@nn.xs4all.nl [194.109.39.71]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g6RIx8r23403 for ; Sat, 27 Jul 2002 19:59:08 +0100 Received: from nomennescio.net (nnws001.nomennescio [10.240.100.1]) by nnlx001.nomennescio (8.11.6/8.11.6) with ESMTP id g6RIwuR13083 (using TLSv1/SSLv3 with cipher RC4-MD5 (128 bits) verified OK) for ; Sat, 27 Jul 2002 20:58:58 +0200 Message-ID: <3D42ED70.9040202@nomennescio.net> Date: Sat, 27 Jul 2002 20:58:56 +0200 From: Mike Klinkert Organization: Nomen Nescio User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020610 X-Accept-Language: en, nl MIME-Version: 1.0 To: "L-Soft list server at JISCMAIL (1.8e)" Subject: Re: Command confirmation request (560D381D) References: <200207271830.g6RIU5ra030034@mxzilla4.xs4all.nl> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=1.1, required 5, AWL) From brose at MED.WAYNE.EDU Sat Jul 27 20:41:47 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:20 2006 Subject: Mailscanner Spam Whitelisting Message-ID: Duh, that's right. Forgot about that new feature. Thanks. 
-----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Saturday, July 27, 2002 1:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner Spam Whitelisting At 18:10 27/07/2002, you wrote: >Well I can take it out and the message will still get tagged so >technically you are supporting your code. If you aren't using this >then wouldn't it be wise to remove it to speed SA calls up then because >$SAResult = ($spamness->is_spam())?1:0; is in sender.pl and is >occurring even if $SAResult isn't being used for anything. You're right, there is 1 line of redundant code. If there's only 1 in 6,500 I'll be surprised :) >Regardless of all that, if an address is in the whitelist, should >SAForkAndTest even be called? That's the point of the issue. If it is >getting called for even whitelistings, then wouldn't it be better not >todo that to speed things up. If it's not supposed to get called for a >whitelisting, then why is it. This is the 3.22.7 code. Because of the "if" statement: if ($Info ne "" && $Config::SpamAssassin && (!$IsOnWhiteList || $Config::IncludeSpamHeader)) which I hope answers your question. It is called, even though it is whitelisted, *if* the mailscanner.conf file is set to always include the SpamAssassin header. >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Saturday, July 27, 2002 12:34 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner Spam Whitelisting > > >At 17:27 27/07/2002, you wrote: > >I see the confusion but this is a report file. In sender.pl, I have > >some extra code > >So now I'm supporting your code, not mine? That's novel... > > > that if $SaResult is true, I then get the score and if > >its < 30 then I get the whole rewite ($spamness->rewrite_mail ()) and > >send that to a file called spr$mID. I do this so I can watch for > >false > > >positives and report to razor. 
> > > >The output that you are seeing is from that code which only runs if > > $SAResult = ($spamness->is_spam())?1:0; is true > >And if you study my code, you'll discover that I don't use is_spam(). >There's a reason: it's very unreliable. > > >It shouldn't be true if the message has a trigger that's whitelisted > >though correct? Or are you running everything thru SA and then > >checking the whitelist? > > > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Saturday, July 27, 2002 10:28 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Mailscanner Spam Whitelisting > > > > > >At 14:59 27/07/2002, you wrote: > > >Where do you see that? I'm running SA from Mailscanner. > > > >These are all created by SA running from something other than > >MailScanner. If it's not you running it this way, then someone in the > >path from the sender to you must be running it this way. > > > > > >Subject: *****SPAM***** CBSMW After The Bell Report: Senate > > > >confirms > > >SEC > > > >nominees > > > >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=2 Fuz2=2 > > > >X-Spam-Status: Yes, hits=9.2 required=5.0 > > > > > > >tests=FWD_MSG,INVALID_DATE,FORGED_RCVD_FOUND,COPYRIGHT_CLAIMED, > > > > OPT_IN,CLICK_BELOW,ONLY_COST,LINES_OF_YELLING, > > > > HTML_WITH_BGCOLOR,CLICK_HERE_LINK,MIME_LONG_LINE_QP, > > > > WEIRD_PORT,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2, > > > > MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,AWL > > > > version=2.40 > > > >X-Spam-Flag: YES > > > >X-Spam-Level: ********* > > > >X-Spam-Checker-Version: SpamAssassin 2.40 (devel $Id: > > > >SpamAssassin.pm,v 1.102 2002/07/18 15:18:39 jmason Exp $) > > > >X-Spam-Prev-Content-Type: text/html > > > >X-Spam-Prev-Content-Transfer-Encoding: quoted-printable > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 
023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Sat Jul 27 21:50:13 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:20 2006 Subject: Solaris Syslog Message-ID: Has anyone applied that beast of Solaris patches? After applying to my test system, I've discovered that Mailscanner isn't logging anymore. I check syslogd on my test box against the syslogd on the production box and it is now newer. It logs sendmail info, but not mailscanner. If I replace it with the old version then it works again. The new version is 1.90 and the old one is 1.89. Did this happen to anyone else? Is there a better fix other than rolling back? From vanhorn at whidbey.com Sun Jul 28 08:22:13 2002 From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:15:20 2006 Subject: Removing only Windows executables References: <3D41AD4E.7080908@konsultex.com.br> Message-ID: <3D439BA5.BDB58ADF@whidbey.com> Miguel, I'd love to be doing support on your network! If a user in the Oak Harbor office of one of my clients needs an executable file installed on his machine, I normally confirm that he will be at his desk for ten minutes, e-mail the file to him, and then walk him through the installation over the phone. Total billable time, probably fifteen minutes. Under your management, I would make sure I had the user's password in case he wasn't there when I got to his office, burn the executable to a CD, drive the 50 miles to Oak Harbor, install the software, probably get stuck for an extra half hour dealing with other trivial issues, and then drive home. 
Total billable time, at least three hours.

So it's easy to understand why this policy would be a really good idea. Of course, from the perspective of the stockholders the managers sponsoring this policy should be taken out and shot, but that's hardly a reason for us SysAdmins to oppose it.

Van Van Horn

Miguel Koren O'Brien de Lacy wrote:

> Excuse my ignorance in this. I have mail scanner running perfectly for
> about 10 months now (did not upgrade yet) and since there were no
> problems with it (set and forget), I have gotten "rusty" in my mail
> scanner skills. I have a situation in a network where it is desired to
> scan all mails but to completely block Windows executable files. Don't
> even need to scan them, just to remove them. Management has decided that
> no one should receive executables. The important fact here is that this
> is valid even if they are zipped or renamed. I'm not talking about a
> batch file but just EXE or COM for example. I would need to determine
> from the file header if it is an executable Windows binary or not. Is
> this possible with mail scanner in the current version? If not does
> anyone have a suggestion?
>
> Thanks.
>
> Miguel

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------

From vanhorn at whidbey.com Sun Jul 28 08:52:14 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:15:20 2006
Subject: Avoid scanning local mail
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>
Message-ID: <3D43A2AE.4F88456A@whidbey.com>

I'm running MailScanner 3.13-2 and Kaspersky AV on my primary mail server.
I also send out about 5500 pieces of mail (Quotes of the Day by subscription) every night. I save two text files to the server, one is the body of the text version, the other is the HTML version, along with lists of subscribers to each version. A pair of Perl scripts mails the copy to each address in turn using "/usr/sbin/sendmail -t" - which I think would count as invoking sendmail directly from the command line rather than via SMTP. Contrary to what the FAQ says I should expect, the delivered mail is being scanned. This is a particular problem since MailScanner uses the command-line version of Kaspersky instead of the daemonized version - by the time I've sent a couple of hundred messages my load average is up to 6, and the mailrun takes at least three times as long as before I installed MailScanner. The performance is completely fine during the day when we just have the typical load from 120 users. Is there another way to keep MailScanner from going through the outgoing mail? Van Van Horn -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From rishi at THEARGONCOMPANY.COM Sun Jul 28 11:01:22 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:20 2006 Subject: Can spam checks be disabled if sent TO a certain domain or email address? References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> Message-ID: <033801c2361d$c0d792e0$1500a8c0@gangfam.com> Hi Can spam checks be disabled if sent TO a certain domain or email address? 
Regards
Rishi

From rishi at THEARGONCOMPANY.COM Sun Jul 28 11:18:10 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:15:20 2006
Subject: Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf file / feature not working on Cobalt RaQ4 server
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <033801c2361d$c0d792e0$1500a8c0@gangfam.com>
Message-ID: <034d01c23620$16f05de0$1500a8c0@gangfam.com>

Hi

I just noticed that the Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf file / feature is not working on Cobalt RaQ4 server.

Has anyone had the same problem? Any tips on where to look to diagnose the problem?

Version Info
MailScanner: 3.20 Release: 7
F-prot: 3.12a
SIGN.DEF created 25. July 2002
SIGN2.DEF created 25. July 2002
MACRO.DEF created 4. July 2002

Regards
Rishi

From andrew at EON.COM.AU Sun Jul 28 10:54:33 2002
From: andrew at EON.COM.AU (Andrew)
Date: Thu Jan 12 21:15:20 2006
Subject: problems running auto-update....
Message-ID: <3D43BF59.6040306@eon.com.au>

Hi - when I run autoupdate (and the latest version of Sophos.autoupdate) - I get the following error...

[root@localhost bin]# ./autoupdate
Could not calculate Sophos version number, Bad file descriptor at ./autoupdate line 77.

Any suggestions?

Thanks,
Andrew.

From LISTSERV at JISCMAIL.AC.UK Sun Jul 28 08:03:07 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:20 2006
Subject: MAILSCANNER: garner@GARNET.ACNS.FSU.EDU requested to join
Message-ID: <200207280703.IAA15830@magpie.ecs.soton.ac.uk>

Sun, 28 Jul 2002 08:03:07

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Lee Garner . The following subscription options have been requested: NOMIME DIGEST CONCEAL.
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER garner@GARNET.ACNS.FSU.EDU Lee Garner The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+garner%40GARNET.ACNS.FSU.EDU+Lee+Garner&L=MAILSCANNER This first link will add the subscriber to the list. You can then set the subscription options with this link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+CONCEAL+FOR+garner%40GARNET.ACNS.FSU.EDU&L=MAILSCANNER ------------------------- Original mail header -------------------------- Return-Path: Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Sun, 28 Jul 2002 08:03:06 +0100 Received: from garnet.acns.fsu.edu (garnet.acns.fsu.edu [146.201.2.25]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g6S737r10319 for ; Sun, 28 Jul 2002 08:03:08 +0100 Received: (from garner@localhost) by garnet.acns.fsu.edu (AIX4.3/8.9.3/8.9.3) id DAA29010 for LISTSERV@JISCMAIL.AC.UK; Sun, 28 Jul 2002 03:02:59 -0400 From: Lee Garner Message-Id: <200207280702.DAA29010@garnet.acns.fsu.edu> Subject: Re: Command confirmation request (672772F2) To: LISTSERV@JISCMAIL.AC.UK ("L-Soft list server at JISCMAIL (1.8e)") Date: Sun, 28 Jul 2002 03:02:58 -0400 (EDT) In-Reply-To: <200207280701.DAA58910@garnet.acns.fsu.edu> from "L-Soft list server at JISCMAIL (1.8e)" at Jul 28, 2002 08:01:48 AM Organization: Florida State University, Academic Computing & Network Services X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From mailscanner at ecs.soton.ac.uk Sun Jul 28 12:04:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: problems running auto-update.... 
In-Reply-To: <3D43BF59.6040306@eon.com.au>
Message-ID: <5.1.0.14.2.20020728120316.0442d4c8@imap.ecs.soton.ac.uk>

Is your version of Sophos more than 2 or 3 months old? If so, you need to download a new one and install it using /usr/local/MailScanner/bin/Sophos.install. I assume you installed Sophos using my Sophos.install script in the first place...

At 10:54 28/07/2002, you wrote:
>Hi - when I run autoupdate (and the latest version of Sophos.autoupdate)
>- I get the following error...
>
>[root@localhost bin]# ./autoupdate
>Could not calculate Sophos version number, Bad file descriptor at
>./autoupdate line 77.
>
>
>Any suggestions?
>
>
>Thanks,
> Andrew.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 28 12:02:46 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: Avoid scanning local mail (& the daemon debate)
In-Reply-To: <3D43A2AE.4F88456A@whidbey.com>
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020728115211.0444f008@imap.ecs.soton.ac.uk>

At 08:52 28/07/2002, you wrote:
>I'm running MailScanner 3.13-2 and Kaspersky AV on my primary mail server.
>I also send out about 5500 pieces of mail (Quotes of the Day by
>subscription) every night. I save two text files to the server, one is the
>body of the text version, the other is the HTML version, along with lists
>of subscribers to each version. A pair of Perl scripts mails the copy to
>each address in turn using "/usr/sbin/sendmail -t" - which I think would
>count as invoking sendmail directly from the command line rather than via
>SMTP.

How many recipients are you using per message? You should be able to do 100 recips per message quite happily. MailScanner will then only have to scan the message once for 100 users. If you are invoking sendmail separately for each recipient, then it's no wonder your scanning load is so high!

>Contrary to what the FAQ says I should expect, the delivered mail is being
>scanned.

You must be using sendmail 8.12, where the way sendmail queuing is done has changed.

> This is a particular problem since MailScanner uses the command-line
>version of Kaspersky instead of the daemonized version

I have very recently speed tested one (sorry, but I'm not going to get in a flame war by telling you which one) of the very big commercial virus scanners, who provide a daemon and a command-line scanner. Obviously the only time the speed difference between the 2 matters is when the message batch size has grown quite large (i.e. when the server is battling to keep up).

I ran with a test set of 10,000 messages. The command-line approach took 11 seconds (processing in batches of about 50-100), whereas the daemon took 39 seconds. The difference is mostly down to the communication overhead in talking to the daemon. You have to generate an HTTP GET request for each individual file, sending that to a socket. The daemon then scans the file and sends back XML saying whether the file was infected, again communicating via the socket. All that communication overhead is much slower than starting up the command-line scanner a few times.

If you want any more reasons why I don't support daemon scanners, then please read the Installation FAQ on the website, which contains some more info.

> - by the time I've sent a
>couple of hundred messages my load average is up to 6, and the mailrun
>takes at least three times as long as before I installed MailScanner.

How many recipients per message? 5,500 subscribers shouldn't generate more than about 55 messages.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jul 28 12:05:02 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: Can spam checks be disabled if sent TO a certain domain or email address?
In-Reply-To: <033801c2361d$c0d792e0$1500a8c0@gangfam.com>
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk>

At 11:01 28/07/2002, you wrote:
>Can spam checks be disabled if sent TO a certain domain or email address?

Yes. Upgrade to a more recent version and look in the spam.whitelist.conf file. You should see lines starting "To" and "From".

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From joe at QITC.CO.UK Sun Jul 28 12:44:56 2002
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:15:20 2006
Subject: Help installing Spamassassin
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk>
Message-ID: <028801c2362c$3220da70$01730550@T20>

Can someone point me in the direction of a detailed set of instructions for installing Spamassassin on a RaQ3 please? I had a look at the FAQ but it wasn't very explicit.

Thanks, Joe From mike at CAMAROSS.NET Sun Jul 28 14:42:48 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:20 2006 Subject: Help installing Spamassassin References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk> <028801c2362c$3220da70$01730550@T20> Message-ID: <022301c2363c$ab82f820$6501a8c0@home.wideopenthrottle.org> You might try here: http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 Mike ----- Original Message ----- From: "Joe Quinn" To: Sent: Sunday, July 28, 2002 6:44 AM Subject: Help installing Spamassassin > Can someone point me in the direction of a detailed set of instructions for > installing Spamassassin on a RaQ3 please? I had a look at the FAQ but it > wasn't very explicit. > > Thanks, > > Joe > From mike at CAMAROSS.NET Sun Jul 28 14:49:44 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:20 2006 Subject: Help installing Spamassassin References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk> <028801c2362c$3220da70$01730550@T20> Message-ID: <022701c2363d$a176fd30$6501a8c0@home.wideopenthrottle.org> Actually, here's Julain's reply from a couple of months ago: The raqfaq about installing MailScanner on a RAQ system has a slight error in it where it describes the differences for a RAQ4. The raqfaq itself is at http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 Here's what you need to fix: 1. Edit /etc/mail/sendmail.cf Search for "QueueDirectory" and change the line to O QueueDirectory=/var/spool/mqueue 2. Edit /usr/local/MailScanner/mailscanner.conf Search for "Outgoing Queue Dir" and change the line to Outgoing Queue Dir = /var/spool/mqueue 3. Move any remaining queue files into the updated queue directory mv /var/spool/mqueue/q*/* /var/spool/mqueue 4. Delete the old queue subdirectories rmdir /var/spool/mqueue/q* 5. 
Kill sendmail /etc/rc.d/init.d/mailscanner stop (this will kill all the sendmail processes if you happen to have more than 1 running!) 6. Kill MailScanner and restart it /usr/local/MailScanner/bin/check_mailscanner (Then kill the process whose number it prints) /etc/rc.d/init.d/mailscanner start 7. Check it's all okay: ps ax | grep mail should produce output like this: 1680 ? S 0:00 sendmail: accepting connections 1682 ? S 0:00 /usr/sbin/sendmail -q15m 1692 ? S 0:00 perl /usr/local/MailScanner/bin/mailscanner /usr/loca Mike ----- Original Message ----- From: "Joe Quinn" To: Sent: Sunday, July 28, 2002 6:44 AM Subject: Help installing Spamassassin > Can someone point me in the direction of a detailed set of instructions for > installing Spamassassin on a RaQ3 please? I had a look at the FAQ but it > wasn't very explicit. > > Thanks, > > Joe > From LISTSERV at JISCMAIL.AC.UK Sun Jul 28 15:04:01 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:15:20 2006 Subject: MAILSCANNER: etate01@SUN.HAZELWOOD.K12.MO.US requested to join Message-ID: <200207281404.PAA29535@magpie.ecs.soton.ac.uk> Sun, 28 Jul 2002 15:04:01 A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Ed Tate . The following subscription options have been requested: NOMIME DIGEST NOACK NOREPRO CONCEAL. You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list: ADD MAILSCANNER etate01@SUN.HAZELWOOD.K12.MO.US Ed Tate The simplest way to do this is to click on the following link: http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+etate01%40SUN.HAZELWOOD.K12.MO.US+Ed+Tate&L=MAILSCANNER This first link will add the subscriber to the list. 
You can then set the subscription options with this link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=SET+MAILSCANNER+NOMIME+DIGEST+NOACK+NOREPRO+CONCEAL+FOR+etate01%40SUN.HAZELWOOD.K12.MO.US&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From vanhorn at whidbey.com Sun Jul 28 19:52:04 2002
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:15:20 2006
Subject: Avoid scanning local mail (& the daemon debate)
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>
    <5.1.0.14.2.20020728115211.0444f008@imap.ecs.soton.ac.uk>
Message-ID: <3D443D54.EE98D674@whidbey.com>

Julian Field wrote:

> At 08:52 28/07/2002, you wrote:
> >pair of Perl scripts mails the copy to each address in turn using
> >"/usr/sbin/sendmail -t" - which I think would count as invoking sendmail
> >directly from the command line rather than via SMTP.
>
> How many recipients are you using per message? You should be able to do 100
> recips per message quite happily. MailScanner will then only have to scan
> the message once for 100 users. If you are invoking sendmail separately for
> each recipient, then it's no wonder your scanning load is so high!

There is one message per subscriber, a fundamental part of the design of the
project. I have dealt with mailing lists in the past where the messages
could not be identified, and I'll not do it again. Particularly not in the
current anti-spam environment. It is essential that you can identify
bounces, and when someone claims you are spamming them that you can say when
and how they subscribed. It is simply good customer service that the message
include some variant on "this message was sent to subscriber@some.com" right
in the text.

For various reasons I had to rebuild the server in February of this year.
Same CPU and RAM, new motherboard and drives, switched from RedHat 6.2 to
7.2. (Yes, that meant an upgrade in Sendmail to 8.12.) I never could get
AMaViS to work in the new environment, which is when I found MailScanner.

> >Contrary to what the FAQ says I should expect, the delivered mail is being
> >scanned.
>
> You must be using sendmail 8.12, where the way sendmail queuing is done has
> changed.

With all the attacks on Sendmail you can hardly afford to not stay pretty
much up-to-date. I can't tell exactly when 8.12.0 shipped, it's close to a
year now, and I'm not at all sure what version of Sendmail was included in
RedHat 7.2. Regardless of what I started with on this system, 8.12.3 was
important enough from the security perspective so that I installed it in
April.

> > This is a particular problem since MailScanner uses the command-line
> >version of Kaspersky instead of the daemonized version
>
> I have very recently speed tested one (sorry, but I'm not going to get in a
> flame war by telling you which one) of the very big commercial virus
> scanners, who provide a daemon and a command-line scanner. Obviously the
> only time the speed difference between the 2 matters is when the message
> batch size has grown quite large (i.e. when the server is battling to keep up).
>
> I ran with a test set of 10,000 messages. The command-line approach took 11
> seconds (processing in batches of about 50-100), whereas the daemon took 39
> seconds. The difference is mostly down to the communication overhead in
> talking to the daemon. You have to generate an HTTP GET request for each
> individual file, sending that to a socket. The daemon then scans the file
> and sends back XML saying whether the file was infected, again
> communicating via the socket.

You know the low-level details far better than I do, but it appears to me
from watching the system performance that the daemon version loads when the
server restarts and the command line version loads once for every message.
Is there a way to tell MailScanner how many messages to handle in a batch?
There certainly are plenty of messages available in the queues when the
script is running.

But it sounds like the real distinction is not command-line vs daemon, but
that the current Sendmail has a different architecture. (I'd rev Sendmail
again if it weren't for the fact that the more restrictive permissions in
8.12.4 might lead to problems I couldn't quickly solve.) As I said in my
original message, the current system gracefully handles all the incoming
mail and probably wouldn't start breathing hard with a five-fold increase in
volume. But I couldn't handle much of an increase in outbound mail with the
current setup.

Is there a change I can make? Would reving MailScanner cure any of this?

MailScanner is a marvelous piece of work. It installed easily and is
extremely flexible. Based on the way it incorporates different AV tools,
blocklists, and SpamAssassin I have to give it high grades on what I regard
as the most important measure of any software: Works and plays well with
other children. I recommend it to all my friends that are running Sendmail,
since they aren't publishing lists.

I don't have an urgent problem here, but it seems that growth would require
either throwing more horsepower at the system (it's a K6-2/400 now, so I
could triple the speed without spending too much money) or moving back to
AMaViS, probably with Postfix. I'd really like to hear there's a simple fix
on the current system.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------

From mailscanner at ecs.soton.ac.uk Sun Jul 28 20:14:15 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: Avoid scanning local mail (& the daemon debate)
In-Reply-To: <3D443D54.EE98D674@whidbey.com>
References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk>
    <5.1.0.14.2.20020728115211.0444f008@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020728200514.02f3ccb0@imap.ecs.soton.ac.uk>

At 19:52 28/07/2002, you wrote:
>You know the low-level details far better than I do, but it appears to me from
>watching the system performance that the daemon version loads when the server
>restarts and the command line version loads once for every message. Is
>there a way
>to tell MailScanner how many messages to handle in a batch? There
>certainly are
>plenty of messages available in the queues when the script is running.

MailScanner does *not* load the virus scanner separately for every message.
That's one of its great advantages over things like Amavis. Using the
numbers near the top of mailscanner.conf, you can configure the maximum size
of a batch. The size is otherwise determined by the number of messages that
appeared in the queue while the previous batch was being processed.

>But it sounds like the real distinction is not command-line vs daemon, but
>that the
>current Sendmail has a different architecture.

The main difference is that, when invoked directly, new mail messages end up
in the mqueue.in, rather than the mqueue.

> (I'd rev Sendmail again if it
>weren't for the fact that the more restrictive permissions in 8.12.4 might
>lead to
>problems I couldn't quickly solve.) As I said in my original message, the
>current
>system gracefully handles all the incoming mail and probably wouldn't start
>breathing hard with a five-fold increase in volume. But I couldn't handle
>much of
>an increase in outbound mail with the current setup.

Still sounds odd to me. I have quite a few users who ship over 100,000
messages per day without any problem. Have you thought of using a perl
script to talk SMTP to localhost rather than invoking sendmail for every
message? Probably faster as it doesn't involve the process-startup overhead
for every message. Fork is a relatively cheap operation compared to starting
a new process.

Take a look at your MailScanner logs (in maillog probably) to see how big
the message batches are. If they are always running at their maximum size
(by default it is 100), then consider increasing that value in
mailscanner.conf to 200 or even 300.

Something in your setup is hampering the performance, and I can't see it
from here, just suggest ideas. MailScanner shouldn't even notice a load of
5500 messages :-)

>Is there a change I can make? Would reving MailScanner cure any of this?
>
>MailScanner is a marvelous piece of work. It installed easily and is extremely
>flexible. Based on the way it incorporates different AV tools, blocklists, and
>SpamAssassin I have to give it high grades on what I regard as the most
>important
>measure of any software: Works and plays well with other children. I
>recommend it
>to all my friends that are running Sendmail, since they aren't publishing
>lists.
>
>I don't have an urgent problem here, but it seems that growth would
>require either
>throwing more horsepower at the system (it's a K6-2/400 now, so I could
>triple the
>speed without spending too much money) or moving back to AMaViS, probably with
>Postfix. I'd really like to hear there's a simple fix on the current system.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Mon Jul 29 09:11:32 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:20 2006
Subject: MAILSCANNER: domeng@STII.DOST.GOV.PH requested to join
Message-ID: <200207290811.JAA14866@magpie.ecs.soton.ac.uk>

Mon, 29 Jul 2002 09:11:32

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Domingo Tamayo .

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER domeng@STII.DOST.GOV.PH Domingo Tamayo

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+domeng%40STII.DOST.GOV.PH+Domingo+Tamayo&L=MAILSCANNER

------------------------- Original mail header --------------------------
Return-Path:
Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0f) with TCP; Mon, 29 Jul 2002 09:11:32 +0100
Received: from itdgate.stii.dost.gov.ph ([202.163.226.36]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g6T8BFr12392 for ; Mon, 29 Jul 2002 09:11:17 +0100
Received: from stii.dost.gov.ph (localhost.localdomain [127.0.0.1]) by itdgate.stii.dost.gov.ph (Postfix) with SMTP id DCA94150015 for ; Mon, 29 Jul 2002 16:14:56 +0800 (PHT)
Received: from 165.220.14.11 (SquirrelMail authenticated user domeng) by itdgate.stii.dost.gov.ph with HTTP; Mon, 29 Jul 2002 16:14:56 +0800 (PHT)
Message-ID: <2030.165.220.14.11.1027930496.squirrel@itdgate.stii.dost.gov.ph>
Date: Mon, 29 Jul 2002 16:14:56 +0800 (PHT)
Subject: Re: Command confirmation request (164570C5)
From:
To:
In-Reply-To: <20020729071728.940F715001D@itdgate.stii.dost.gov.ph>
References: <20020729071728.940F715001D@itdgate.stii.dost.gov.ph>
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
X-Mailer: SquirrelMail (version 1.2.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

From LISTSERV at JISCMAIL.AC.UK Mon Jul 29 13:24:59 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:20 2006
Subject: MAILSCANNER: m.anderlini@DATABASE.IT requested to join
Message-ID: <200207291224.NAA05462@magpie.ecs.soton.ac.uk>

Mon, 29 Jul 2002 13:24:59

A request for subscription to the MAILSCANNER list (MailScanner mailing
list) has been received from Marcello Anderlini .

You can, at your discretion, send the following command to
LISTSERV@JISCMAIL.AC.UK to add this person to the list:

    ADD MAILSCANNER m.anderlini@DATABASE.IT Marcello Anderlini

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+m.anderlini%40DATABASE.IT+Marcello+Anderlini&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From mailscanner at ecs.soton.ac.uk Mon Jul 29 14:49:28 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: SpamAssassin installation guide
Message-ID: <5.1.0.14.2.20020729144756.042c4820@imap.ecs.soton.ac.uk>

As the instructions for installing SpamAssassin are rather too brief for
some people, I have written a short installation guide for it that explains
how to build it and use it. As it happened the guide was written while I
was installing it on a Raq system, but it will be about the same for
everyone.

The new guide is at

http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jon at XNEXT.COM Mon Jul 29 15:09:13 2002
From: jon at XNEXT.COM (Jonothon Ortiz)
Date: Thu Jan 12 21:15:20 2006
Subject: SpamAssassin installation guide
In-Reply-To: <5.1.0.14.2.20020729144756.042c4820@imap.ecs.soton.ac.uk>
Message-ID:

404? =(

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: Monday, July 29, 2002 9:49 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SpamAssassin installation guide

As the instructions for installing SpamAssassin are rather too brief for
some people, I have written a short installation guide for it that explains
how to build it and use it. As it happened the guide was written while I
was installing it on a Raq system, but it will be about the same for
everyone.

The new guide is at

http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Mon Jul 29 15:23:56 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: SpamAssassin installation guide
In-Reply-To:
References: <5.1.0.14.2.20020729144756.042c4820@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020729152345.041ca078@imap.ecs.soton.ac.uk>

At 15:09 29/07/2002, you wrote:
>404? =(

The link works fine for me!

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Monday, July 29, 2002 9:49 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: SpamAssassin installation guide
>
>
>As the instructions for installing SpamAssassin are rather too brief for
>some people, I have written a short installation guide for it that explains
>how to build it and use it. As it happened the guide was written while I
>was installing it on a Raq system, but it will be about the same for
>everyone.
>
>The new guide is at
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From chicks at CHICKS.NET Mon Jul 29 15:30:17 2002
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:15:20 2006
Subject: SpamAssassin installation guide
In-Reply-To: <5.1.0.14.2.20020729152345.041ca078@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 29 Jul 2002, Julian Field wrote:
> The link works fine for me!

And me.

--
There are two ways of constructing a software design. One way is to make it
so simple that there are obviously no deficiencies. And the other way is to
make it so complicated that there are no obvious deficiencies.
- - C.A.R. Hoare

From thomas.zajic at NEO.AT Mon Jul 29 15:38:01 2002
From: thomas.zajic at NEO.AT (Thomas Zajic)
Date: Thu Jan 12 21:15:20 2006
Subject: SpamAssassin installation guide
In-Reply-To:
References: <5.1.0.14.2.20020729152345.041ca078@imap.ecs.soton.ac.uk>
Message-ID: <20020729143801.GC592@thomas.neo.at>

On Mon, Jul 29, 2002 at 10:30:17AM -0400, Christopher Hicks wrote:
> On Mon, 29 Jul 2002, Julian Field wrote:
> > The link works fine for me!
>
> And me.

Me too!

Thomas
--
-----------------------------
Thomas Zajic
System Administrator
neo Software Produktions GmbH
A T2 Company
email: thomas.zajic@neo.at
web: http://www.neo.at

From dahlberg at bucknell.edu Mon Jul 29 16:24:44 2002
From: dahlberg at bucknell.edu (Michael Dahlberg)
Date: Thu Jan 12 21:15:20 2006
Subject: OT - Sendmail and Unqualified addresses
Message-ID: <20020729152444.GA232@bucknell.edu>

My apologies for an off-topic question, but I thought someone on this list
might have solved this problem.

We are running Mailscanner on server1 with a mostly default configuration.
The MX record for our domain points to server1. Once messages have been
scanned for viruses on server1, the messages are sent to the primary mail
server, server2, which either delivers the local mail or sends mail to the
appropriate mail server. Server1 is used exclusively for virus scanning; it
does not try to send mail to any other system other than server2. This is
done using the MAIL_HUB and SMART_HOST defines (which point to server2) in
the sendmail.mc.

Occasionally, users will send mail out with unqualified addresses for local
delivery. Sendmail running on the Mailscanner system will add the fully
qualified host address to the header/envelope, which confuses our users.
We'd like the header/envelope to be either left alone or rewritten from
"user" to "user@localdomain.edu" (rather than
"user@server1.localdomain.edu"). Unfortunately, the nocanonify feature does
not correct this problem. Masquerading does solve it but we have to use the
allmasquerade feature, which rewrites everything, preventing ultimate
delivery to any other system on campus.

Has anyone looked at this problem, and if so, how did you solve it?
Thanks,
Mike

Michael Dahlberg
Systems Integrator
Bucknell University
dahlberg@bucknell.edu

From mailscanner at ecs.soton.ac.uk Mon Jul 29 16:50:31 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: ANNOUNCE: Version 3.22-9
Message-ID: <5.1.0.14.2.20020729163059.042e1660@imap.ecs.soton.ac.uk>

I have had a couple of instability problems reported to me, involving the
new forking code I released in 3.22-8. It works fine on most systems, but
can cause MailScanner to silently die on a few systems, notably some
Solaris versions.

I have therefore backed out the new forking code, hence the release of
3.22-9.

If you don't want to upgrade but are happy applying simple patches, then
edit /usr/local/MailScanner/bin/mailscanner or
/opt/mailscanner/bin/mailscanner (depending on where you have it installed)
and apply this:

106,119c106,119 < #fork && exit; < #setsid(); < $SIG{CHLD} = \&REAPER; < if (fork) { < wait; # Ensure child has exited < exit 0; < } < # This new child's parent is perl < # Close output streams to break connection to handin server < close(STDIN); < close(STDOUT); < close(STDERR); < fork && exit 0; < # This new grand-child's parent is init --- > fork && exit; > setsid(); > #$SIG{CHLD} = \&REAPER; > #if (fork) { > # wait; # Ensure child has exited > # exit 0; > #} > ## This new child's parent is perl > ## Close output streams to break connection to handin server > #close(STDIN); > #close(STDOUT); > #close(STDERR); > #fork && exit 0; > ## This new grand-child's parent is init

i.e. un-comment the first 2 lines and comment out the others.

I'm really sorry about this folks :-(

Isn't it a good thing most people are on holiday...

You can of course download 3.22-9 from the usual location:
www.mailscanner.info
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Mon Jul 29 17:05:13 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:20 2006
Subject: ANNOUNCE: Version 3.22-9
In-Reply-To: <5.1.0.14.2.20020729163059.042e1660@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020729163059.042e1660@imap.ecs.soton.ac.uk>
Message-ID: <48947.129.80.22.134.1027958713.squirrel@tiger.dorfam.ca>

> I have had a couple of instability problems reported to me, involving
> the new forking code I released in 3.22-8. It works fine on most
> systems, but can cause MailScanner to silently die on a few systems,
> notably some Solaris versions.
>
> I have therefore backed out the new forking code, hence the release of
> 3.22-9.
>
> If you don't want to upgrade but are happy applying simple patches, then
> edit /usr/local/MailScanner/bin/mailscanner or
> /opt/mailscanner/bin/mailscanner (depending on where you have it
> installed) and apply this:
>
> 106,119c106,119 > < #fork && exit; > < #setsid(); > < $SIG{CHLD} = \&REAPER; > < if (fork) { > < wait; # Ensure child has exited > < exit 0; > < } > < # This new child's parent is perl > < # Close output streams to break connection to handin server > < close(STDIN); > < close(STDOUT); > < close(STDERR); > < fork && exit 0; > < # This new grand-child's parent is init > --- > > fork && exit; > > setsid(); > > #$SIG{CHLD} = \&REAPER; > > #if (fork) { > > # wait; # Ensure child has exited > > # exit 0; > > #} > > ## This new child's parent is perl > > ## Close output streams to break connection to handin server > > #close(STDIN); > > #close(STDOUT); > > #close(STDERR); > > #fork && exit 0; > > ## This new grand-child's parent is init
>
> i.e. un-comment the first 2 lines and comment out the others.
>
> I'm really sorry about this folks :-(
>
> Isn't it a good thing most people are on holiday...
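Review bot: On the restored `>` side, `fork && exit;` cannot tell a failed fork from the child. Perl's fork returns undef on failure, which is false, so the original process falls through into `setsid();` without ever having detached, and the result of setsid() is not checked either. Suggest `defined(my $pid = fork) or die "fork: $!";` followed by `exit if $pid;`, and a check on what setsid() returns. The same side comments out `close(STDIN); close(STDOUT); close(STDERR);`, so the daemon keeps whatever descriptors it was started with, which is the connection the old comment says the closes were there to break; reopening the three streams on /dev/null would keep that detachment without leaving the descriptors closed. The backed-out lines are left in place as comments with no note of why, so a one-line comment recording that the double fork made MailScanner die silently on some Solaris versions would stop it being re-enabled unexamined.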
>
> You can of course download 3.22-9 from the usual location:
> www.mailscanner.info
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

Hmmm, that's a shame. It's working perfectly on my Redhat system...no more
zombies at all with the 3.22-8 code.

Gerry

From Douglas.Hall at PROQUEST.CO.UK Mon Jul 29 16:40:20 2002
From: Douglas.Hall at PROQUEST.CO.UK (Hall, Douglas)
Date: Thu Jan 12 21:15:20 2006
Subject: problems running auto-update....
Message-ID:

Andrew @ eon.com.au writes:

> Hi - when I run autoupdate (and the latest version of
> Sophos.autoupdate)
> - I get the following error...
>
> [root@localhost bin]# ./autoupdate
> Could not calculate Sophos version number, Bad file descriptor at
> ./autoupdate line 77.

Talking of autoupdate, I note that the autoupdate script for mcafee changed
significantly since 3.15 release. The older script did various bits of
sanity checking to ensure that there was always a valid set of dat files,
even if the autoupdate failed. Not so with the new version. I just wondered
what the reason behind the change was?

-Douglas

From Matthew_doherty at DATAWATCH.COM Mon Jul 29 17:24:27 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:20 2006
Subject: What exactly did the new forking code do for us anyway?
Message-ID:

What exactly did the new forking code do anyway?
Sorry, I'm not a programmer. Wish I was,..
I will keep version 3.29.8!! for now. Because in RedHat 7.2
Mailscanner/Spamassassin are working very nicely !!!

Matt Doherty
IT Dept
Datawatch Corp

>>In a world without walls or fences, who needs Windows and Gates?<<

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, July 29, 2002 12:59 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: Version 3.22-9

I have had a couple of instability problems reported to me, involving the
new forking code I released in 3.22-8. It works fine on most systems, but
can cause MailScanner to silently die on a few systems, notably some
Solaris versions.

I have therefore backed out the new forking code, hence the release of
3.22-9.

If you don't want to upgrade but are happy applying simple patches, then
edit /usr/local/MailScanner/bin/mailscanner or
/opt/mailscanner/bin/mailscanner (depending on where you have it installed)
and apply this:

106,119c106,119 < #fork && exit; < #setsid(); < $SIG{CHLD} = \&REAPER; < if (fork) { < wait; # Ensure child has exited < exit 0; < } < # This new child's parent is perl < # Close output streams to break connection to handin server < close(STDIN); < close(STDOUT); < close(STDERR); < fork && exit 0; < # This new grand-child's parent is init --- > fork && exit; > setsid(); > #$SIG{CHLD} = \&REAPER; > #if (fork) { > # wait; # Ensure child has exited > # exit 0; > #} > ## This new child's parent is perl > ## Close output streams to break connection to handin server > #close(STDIN); > #close(STDOUT); > #close(STDERR); > #fork && exit 0; > ## This new grand-child's parent is init

i.e. un-comment the first 2 lines and comment out the others.

I'm really sorry about this folks :-(

Isn't it a good thing most people are on holiday...

You can of course download 3.22-9 from the usual location:
www.mailscanner.info
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020729/d5964b24/attachment.html

From mailscanner at ecs.soton.ac.uk Mon Jul 29 17:55:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:20 2006
Subject: What exactly did the new forking code do for us anyway?
In-Reply-To:
Message-ID: <5.1.0.14.2.20020729175310.030a4580@imap.ecs.soton.ac.uk>

At 17:24 29/07/2002, you wrote:
>What exactly did the new forking code do anyway?

It stopped some systems leaving a zombie process running that lasted for
the life of the mailscanner process. Unfortunately it broke more systems
than it fixed :(

> Sorry, I'm not a programmer. Wish I was,..

I'm glad I'm not. Might end up as a code monkey...

>I will keep version 3.29.8!! for now. Because in RedHat 7.2
>Mailscanner/Spamassassin are working very nicely !!!

If -8 is working fine for you (and you should be able to find out in about
an hour) then there is no point upgrading.

>
>
>Matt Doherty
>IT Dept
>Datawatch Corp
>
> >>In a world without walls or fences, who needs Windows and Gates?<<
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Monday, July 29, 2002 12:59 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Version 3.22-9
>
>I have had a couple of instability problems reported to me, involving the
>new forking code I released in 3.22-8. It works fine on most systems, but
>can cause MailScanner to silently die on a few systems, notably some
>Solaris versions.
>
>I have therefore backed out the new forking code, hence the release of
>3.22-9.
>
>If you don't want to upgrade but are happy applying simple patches, then
>edit /usr/local/MailScanner/bin/mailscanner or
>/opt/mailscanner/bin/mailscanner (depending on where you have it installed)
>and apply this:
>
>106,119c106,119 >< #fork && exit; >< #setsid(); >< $SIG{CHLD} = \&REAPER; >< if (fork) { >< wait; # Ensure child has exited >< exit 0; >< } >< # This new child's parent is perl >< # Close output streams to break connection to handin server >< close(STDIN); >< close(STDOUT); >< close(STDERR); >< fork && exit 0; >< # This new grand-child's parent is init >--- > > fork && exit; > > setsid(); > > #$SIG{CHLD} = \&REAPER; > > #if (fork) { > > # wait; # Ensure child has exited > > # exit 0; > > #} > > ## This new child's parent is perl > > ## Close output streams to break connection to handin server > > #close(STDIN); > > #close(STDOUT); > > #close(STDERR); > > #fork && exit 0; > > ## This new grand-child's parent is init
>
>i.e. un-comment the first 2 lines and comment out the others.
>
>I'm really sorry about this folks :-(
>
>Isn't it a good thing most people are on holiday...
>
>You can of course download 3.22-9 from the usual location:
>www.mailscanner.info
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
>Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mark at TIPPINGMAR.COM Mon Jul 29 18:28:37 2002
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:15:20 2006
Subject: OT - Sendmail and Unqualified addresses
In-Reply-To: <20020729152444.GA232@bucknell.edu>
Message-ID: <3D4518D5.20156.38B7EF@localhost>

I had this problem. I think I fixed it by turning off the feature

FEATURE(always_add_domain)

that is, add dnl in front of it in sendmail.mc, then m4 it again.
On 29 Jul 2002, at 11:24, Michael Dahlberg wrote: > We are running Mailscanner on server1 with a mostly default > configuration. The MX record for our domain points to server1. > Once messages have been scanned for viruses on server1, the > messages are sent to the primary mail server, server2, which > either delivers the local mail or sends mail to the appropriate > mail server. Server1 is used exclusively for virus scanning; it > does not try to send mail to any other system other than server2. > This is done using the MAIL_HUB and SMART_HOST defines (which > point to server2) in the sendmail.mc. > > Occasionally, users will send mail out with unqualified > addresses for local delivery. Sendmail running on the > Mailscanner system will add the fully qualified host address to > the header/envelope, which confuses our users. We'd like the > header/envelope to be either left alone or rewritten from "user" > to "user@localdomain.edu" (rather than > "user@server1.localdomain.edu"). Unfortunately, the nocanonify > feature does not correct this problem. Masquerading does solve > it but we have to use the allmasquerade feature, which rewrites > everything, preventing ultimate delivery to any other system on > campus. Mark W. Nienberg, SE Tipping Mar + associates Berkeley, CA visit our website at http://www.tippingmar.com
From garner at GARNET.ACNS.FSU.EDU Mon Jul 29 21:42:28 2002 From: garner at GARNET.ACNS.FSU.EDU (Lee Garner) Date: Thu Jan 12 21:15:20 2006 Subject: Stopping MailScanner (gracefully?) Message-ID: <200207292042.QAA165868@garnet.acns.fsu.edu> Is it "safe" to stop MailScanner by just doing a `kill '? I.e. does MailScanner do any signal trapping and graceful exiting on the receipt of a TERM signal? Or, if killed as above will things be left half-done and intermediate files left behind, etc.? In that case, I suppose the safest way to stop MailScanner would be to first stop the SMTP daemon (the one filling the mqueue.in directory), wait for MailScanner to go idle and then kill it. If MailScanner *does* pay attention to signals, can you do a `kill -HUP ' to make it re-read the configuration file? Thanks, - Lee Garner Systems Group Academic Computing & Network Services Florida State University From james at PCXPERIENCE.COM Mon Jul 29 22:33:19 2002 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:15:20 2006 Subject: DansGuardian Anti-Virus Plugin Patch Available (based off the MailScanner!) Message-ID: <3D45B49F.7000603@pcxperience.com> Hello everyone. Just announcing that I've made available for beta testing the first version of my Anti-Virus plugin for DansGuardian (www.dansguardian.org) that is based largely off of the scanning code and support scripts that MailScanner uses. DansGuardian is a web proxy that does content filtering, PICS ratings, etc.
You can get the patch from www.pcxperience.org Currently I have only tested F-Prot and so would appreciate any debug help from those users that are using other virus engines. Thanks Julian for making such a great product! -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brose at MED.WAYNE.EDU Mon Jul 29 22:45:11 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:20 2006 Subject: Whitelisting again (unmodified code) Message-ID: Here's what I have in spam.whitelist.conf From: reports@marketwatchmail.com Here's the header from the Mailscanner processed message. Why isn't the whitelisting not working. If I remove the "From:" it's still not whitelisted. Microsoft Mail Internet Headers Version 2.0 Received: from med.core01.med.wayne.edu ([146.9.19.198] RDNS failed) by MED-CORE06.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400 Received: from eeyore.med.wayne.edu ([146.9.19.19]) by med.core01.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400 Received: from q3.marketwatchmail.com (q3.marketwatchmail.com [206.146.143.88]) by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6TL6p9S019213 for ; Mon, 29 Jul 2002 17:07:03 -0400 (EDT) Message-Id: <200207292107.g6TL6p9S019213@eeyore.med.wayne.edu> Received: (qmail 29205 invoked from network); 29 Jul 2002 21:07:48 -0000 Received: from unknown (206.146.143.85) by q3.marketwatchmail.com with QMQP; 29 Jul 2002 21:07:48 -0000 Mailing-List: contact reports@marketwatchmail.com X-No-Archive: yes List-Help: List-Unsubscribe: List-Subscribe: From: CBS MarketWatcher To: jscochin@med.wayne.edu Delivered-To: mailing list afterthebell-html@marketwatchmail.com Delivered-To: moderator for afterthebell-html@marketwatchmail.com Received: (qmail 
28581 invoked from network); 29 Jul 2002 21:01:09 -0000 Date: Mon, 29 Jul 2002 21:01:09 (GMT) X-MSMail-Priority: Normal X-mailer: AspMail 3.53 (SMTP546388) Subject: {SPAM?} CBSMW After The Bell Report: Wall Street gets a bull stampede Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: quoted-printable X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=1 Fuz2=1 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: SpamAssassin (score=8.8, required 5, FWD_MSG, INVALID_DATE, FORGED_RCVD_FOUND, COPYRIGHT_CLAIMED, OPT_IN, CLICK_BELOW, ONLY_COST, HTML_WITH_BGCOLOR, MIME_LONG_LINE_QP, WEIRD_PORT, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2, MISSING_MIMEOLE, MISSING_OUTLOOK_NAME, AWL) Return-Path: afterthebell-html-return-466-jscochin=med.wayne.edu@marketwatchmail.com X-OriginalArrivalTime: 29 Jul 2002 21:18:21.0747 (UTC) FILETIME=[77880830:01C23745] From sevans at FOUNDATION.SDSU.EDU Mon Jul 29 22:48:12 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:20 2006 Subject: Whitelisting again (unmodified code) Message-ID: <6214C3F9233D764C9E7029396C3550153312E1@mail.foundation.sdsu.edu> White list the reply-to address. Steve Evans Computing Services (619) 594-0653 -----Original Message----- From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] Sent: Monday, July 29, 2002 2:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Whitelisting again (unmodified code) Here's what I have in spam.whitelist.conf From: reports@marketwatchmail.com Here's the header from the Mailscanner processed message. Why isn't the whitelisting not working. If I remove the "From:" it's still not whitelisted. 
Microsoft Mail Internet Headers Version 2.0 Received: from med.core01.med.wayne.edu ([146.9.19.198] RDNS failed) by MED-CORE06.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400 Received: from eeyore.med.wayne.edu ([146.9.19.19]) by med.core01.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400 Received: from q3.marketwatchmail.com (q3.marketwatchmail.com [206.146.143.88]) by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6TL6p9S019213 for ; Mon, 29 Jul 2002 17:07:03 -0400 (EDT) Message-Id: <200207292107.g6TL6p9S019213@eeyore.med.wayne.edu> Received: (qmail 29205 invoked from network); 29 Jul 2002 21:07:48 -0000 Received: from unknown (206.146.143.85) by q3.marketwatchmail.com with QMQP; 29 Jul 2002 21:07:48 -0000 Mailing-List: contact reports@marketwatchmail.com X-No-Archive: yes List-Help: List-Unsubscribe: List-Subscribe: From: CBS MarketWatcher To: jscochin@med.wayne.edu Delivered-To: mailing list afterthebell-html@marketwatchmail.com Delivered-To: moderator for afterthebell-html@marketwatchmail.com Received: (qmail 28581 invoked from network); 29 Jul 2002 21:01:09 -0000 Date: Mon, 29 Jul 2002 21:01:09 (GMT) X-MSMail-Priority: Normal X-mailer: AspMail 3.53 (SMTP546388) Subject: {SPAM?} CBSMW After The Bell Report: Wall Street gets a bull stampede Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: quoted-printable X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=1 Fuz2=1 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: SpamAssassin (score=8.8, required 5, FWD_MSG, INVALID_DATE, FORGED_RCVD_FOUND, COPYRIGHT_CLAIMED, OPT_IN, CLICK_BELOW, ONLY_COST, HTML_WITH_BGCOLOR, MIME_LONG_LINE_QP, WEIRD_PORT, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2, MISSING_MIMEOLE, MISSING_OUTLOOK_NAME, AWL) Return-Path: afterthebell-html-return-466-jscochin=med.wayne.edu@marketwatchmail.com X-OriginalArrivalTime: 29 Jul 2002 21:18:21.0747 (UTC) FILETIME=[77880830:01C23745] From rishi at 
THEARGONCOMPANY.COM Tue Jul 30 08:51:15 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:20 2006 Subject: Should I modify spam.whitelist.conf or not? References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk> Message-ID: <01d301c2379d$e186dba0$1b02a8c0@theargoncompany.com> Hi, Just needs some advise... This is the headers from a message that got marked as spam... The spam.whitelist.conf contains the word bulkregister.com Since I've upgraded mailscanner to 3.22-8, should it be changed FROM bulkregister.com TO From: bulkregister.com OR Should I add bulkcorp.com in the spam.whitelist.conf file? ------------------------------ Return-Path: Received: from localhost (IDENT:tss@localhost [127.0.0.1]) by theargonserver.theargoncompany.com (8.9.3/8.9.3) with ESMTP id KAA16833 for ; Tue, 30 Jul 2002 10:51:34 +0530 Received: from theargoncompany.com [66.109.239.73] by localhost with POP3 (fetchmail-5.9.0) for tss@localhost (single-drop); Tue, 30 Jul 2002 10:51:34 +0530 (IST) Received: from ns.bulkcorp.com (IDENT:root@unassigned.alabanza.com [64.176.91.209] (may be forged)) by domain.theargoncompany.com (8.10.2/8.10.2) with ESMTP id g6U5Gda19033 for ; Tue, 30 Jul 2002 10:46:39 +0530 Received: (from rnotice@localhost) by ns.bulkcorp.com (8.11.6/linuxconf) id g6U4xHO19711 for tss@TheArgonCompany.com; Tue, 30 Jul 2002 00:59:17 -0400 Message-Id: <200207300459.g6U4xHO19711@ns.bulkcorp.com> Subject: {SPAM?} Second Renewal Notice from BulkRegister.com From: renewals@bulkregister.com (BulkRegister) Date: Tue, 30 Jul 2002 00:59:13 -0400 (EDT) Reply-To: renewals@bulkregister.com To: tss@TheArgonCompany.com X-Mailer: fastmail [version 2.5 PL3] X-MailScanner: Found to be clean X-MailScanner-SpamCheck: ORDB-RBL, SpamAssassin (score=3.9, required 5, MAY_BE_FORGED, DEAR_SOMEBODY, CALL_FREE, RCVD_IN_RELAYS_ORDB_ORG) X-UIDL: (<,"!k"F"!_3A!!RN?!! 
X-Logged: Logged by theargonserver.theargoncompany.com as KAA16833 at Tue Jul 30 10:51:34 2002 Status: ------------------------------ Regards Rishi Gangoly Manager - Technical Operations The Argon Company Mobile: +91-98205-04274 From mailscanner at ecs.soton.ac.uk Tue Jul 30 08:52:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: Stopping MailScanner (gracefully?) In-Reply-To: <200207292042.QAA165868@garnet.acns.fsu.edu> Message-ID: <5.1.0.14.2.20020730085036.04eeb928@imap.ecs.soton.ac.uk> At 21:42 29/07/2002, you wrote: >Is it "safe" to stop MailScanner by just doing a `kill '? Yes. >I.e. does MailScanner do any signal trapping and graceful exiting >on the receipt of a TERM signal? No, but it takes great care at startup to clear up from any previous stoppage (which could have been a power-out or a reboot). > Or, if killed as above will things >be left half-done and intermediate files left behind, etc.? It will clear up and pick up where it left off. No messages will be missed at all. >If MailScanner *does* pay attention to signals, can you do a >`kill -HUP ' to make it re-read the configuration file? This is one of the features on the wishlist already. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jul 30 08:56:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: Whitelisting again (unmodified code) In-Reply-To: Message-ID: <5.1.0.14.2.20020730085349.04eee928@imap.ecs.soton.ac.uk> At 22:45 29/07/2002, you wrote: >Here's what I have in spam.whitelist.conf > >From: reports@marketwatchmail.com > >Here's the header from the Mailscanner processed message. Why isn't the >whitelisting not working. If I remove the "From:" it's still not >whitelisted. 
MailScanner doesn't use the headers at all for this, it uses the envelope. So either take a guess at what the envelope "From" address is (it might be the same as the return-path address) or take a look in your mail logs to determine the real envelope "From" address. At a guess the envelope From address will vary for every message from this list, so you may have to whitelist the whole domain using From: marketwatchmail.com >Microsoft Mail Internet Headers Version 2.0 >Received: from med.core01.med.wayne.edu ([146.9.19.198] RDNS failed) by >MED-CORE06.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); > Mon, 29 Jul 2002 17:18:21 -0400 >Received: from eeyore.med.wayne.edu ([146.9.19.19]) by >med.core01.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); > Mon, 29 Jul 2002 17:18:21 -0400 >Received: from q3.marketwatchmail.com (q3.marketwatchmail.com >[206.146.143.88]) > by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id >g6TL6p9S019213 > for ; Mon, 29 Jul 2002 17:07:03 -0400 >(EDT) >Message-Id: <200207292107.g6TL6p9S019213@eeyore.med.wayne.edu> >Received: (qmail 29205 invoked from network); 29 Jul 2002 21:07:48 -0000 >Received: from unknown (206.146.143.85) > by q3.marketwatchmail.com with QMQP; 29 Jul 2002 21:07:48 -0000 >Mailing-List: contact reports@marketwatchmail.com >X-No-Archive: yes >List-Help: >List-Unsubscribe: > >List-Subscribe: >From: CBS MarketWatcher >To: jscochin@med.wayne.edu >Delivered-To: mailing list afterthebell-html@marketwatchmail.com >Delivered-To: moderator for afterthebell-html@marketwatchmail.com >Received: (qmail 28581 invoked from network); 29 Jul 2002 21:01:09 -0000 >Date: Mon, 29 Jul 2002 21:01:09 (GMT) >X-MSMail-Priority: Normal >X-mailer: AspMail 3.53 (SMTP546388) >Subject: {SPAM?} CBSMW After The Bell Report: Wall Street gets a bull >stampede >Mime-Version: 1.0 >Content-Type: text/html >Content-Transfer-Encoding: quoted-printable >X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=1 Fuz2=1 >X-MailScanner: Found to be clean 
>X-MailScanner-SpamCheck: SpamAssassin (score=8.8, required 5, FWD_MSG, > INVALID_DATE, FORGED_RCVD_FOUND, COPYRIGHT_CLAIMED, OPT_IN, > CLICK_BELOW, ONLY_COST, HTML_WITH_BGCOLOR, MIME_LONG_LINE_QP, > WEIRD_PORT, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2, >MISSING_MIMEOLE, > MISSING_OUTLOOK_NAME, AWL) >Return-Path: >afterthebell-html-return-466-jscochin=med.wayne.edu@marketwatchmail.com >X-OriginalArrivalTime: 29 Jul 2002 21:18:21.0747 (UTC) >FILETIME=[77880830:01C23745] -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jul 30 08:58:56 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:20 2006 Subject: Should I modify spam.whitelist.conf or not? In-Reply-To: <01d301c2379d$e186dba0$1b02a8c0@theargoncompany.com> References: <5.1.0.14.2.20020727153446.031612c0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020728120427.0442d358@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020730085723.04fa35c8@imap.ecs.soton.ac.uk> At 08:51 30/07/2002, you wrote: >Just needs some advise... This is the headers from a message that got marked >as spam... >The spam.whitelist.conf contains the word bulkregister.com >Since I've upgraded mailscanner to 3.22-8, should it be changed >FROM > bulkregister.com >TO > From: bulkregister.com > >OR >Should I add > bulkcorp.com >in the spam.whitelist.conf file? The Return-Path: is probably the envelope From address (I say "probably" because you have to remember that any header can be faked). I would add From: ns.bulkcorp.com to the spam.whitelist.conf file. 
>------------------------------ >Return-Path: >Received: from localhost (IDENT:tss@localhost [127.0.0.1]) > by theargonserver.theargoncompany.com (8.9.3/8.9.3) with ESMTP id KAA16833 > for ; Tue, 30 Jul 2002 10:51:34 +0530 >Received: from theargoncompany.com [66.109.239.73] > by localhost with POP3 (fetchmail-5.9.0) > for tss@localhost (single-drop); Tue, 30 Jul 2002 10:51:34 +0530 (IST) >Received: from ns.bulkcorp.com (IDENT:root@unassigned.alabanza.com >[64.176.91.209] (may be forged)) > by domain.theargoncompany.com (8.10.2/8.10.2) with ESMTP id g6U5Gda19033 > for ; Tue, 30 Jul 2002 10:46:39 +0530 >Received: (from rnotice@localhost) > by ns.bulkcorp.com (8.11.6/linuxconf) id g6U4xHO19711 > for tss@TheArgonCompany.com; Tue, 30 Jul 2002 00:59:17 -0400 >Message-Id: <200207300459.g6U4xHO19711@ns.bulkcorp.com> >Subject: {SPAM?} Second Renewal Notice from BulkRegister.com >From: renewals@bulkregister.com (BulkRegister) >Date: Tue, 30 Jul 2002 00:59:13 -0400 (EDT) >Reply-To: renewals@bulkregister.com >To: tss@TheArgonCompany.com >X-Mailer: fastmail [version 2.5 PL3] >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: ORDB-RBL, SpamAssassin (score=3.9, required 5, > MAY_BE_FORGED, DEAR_SOMEBODY, CALL_FREE, RCVD_IN_RELAYS_ORDB_ORG) >X-UIDL: (<,"!k"F"!_3A!!RN?!! >X-Logged: Logged by theargonserver.theargoncompany.com as KAA16833 at Tue >Jul 30 10:51:34 2002 >Status: >------------------------------ > > >Regards > >Rishi Gangoly >Manager - Technical Operations >The Argon Company >Mobile: +91-98205-04274 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Tue Jul 30 14:33:37 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:20 2006 Subject: timeout with mailscanner Message-ID: <985dkusu6f0v7l7dh5dnibu7grt8dpr16t@4ax.com> I don't have any timeouts (yet) but somebody who expects 28MB+ messages in the future was asking what happens when a timeout occurs. He is used to accessing SpamAssassin in ways that a timeout gives a temp-error to sendmail resulting in requeueing and a new attempt some time later. What does MailScanner do when some check times out? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Tue Jul 30 14:38:13 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:21 2006 Subject: Too many open files Message-ID: <6g5dku8ipocnqnii766t7b1tav9a401c0m@4ax.com> I installed MailScanner 3.22-7 on Friday. Saturday the mailserver started running out of open files. The logging seems to indicate problems in Sendmail but nothing changed regarding sendmail. The problem seems to be related to large numbers of UDP sessions to nameservers. Anybody experiencing this kind of problem? Information: 20.000 - 30.000 messages a day 4.000 - 5.000 spams a day 10 BL's active in MailScanner (0 in SpamAssassin) 8.000 Open files maximum -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From thomas_duvally at BROWN.EDU Tue Jul 30 14:39:52 2002 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:15:21 2006 Subject: Solaris Syslog In-Reply-To: References: Message-ID: <1028036393.1716.8.camel@toms> Did your patches update Sendmail?
Sun's sendmail sucks, and can likely mess up the logging you had setup. I wouldn't think a minor . release would change much in syslogd. On Sat, 2002-07-27 at 16:50, Rose, Bobby wrote: > Has anyone applied that beast of Solaris patches? After applying to my > test system, I've discovered that Mailscanner isn't logging anymore. I > check syslogd on my test box against the syslogd on the production box > and it is now newer. It logs sendmail info, but not mailscanner. If I > replace it with the old version then it works again. The new version is > 1.90 and the old one is 1.89. Did this happen to anyone else? Is there > a better fix other than rolling back? -- Tom DuVally Lead Sys. Programmer CIS, Brown University From mailscanner at ecs.soton.ac.uk Tue Jul 30 14:43:18 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:21 2006 Subject: timeout with mailscanner In-Reply-To: <985dkusu6f0v7l7dh5dnibu7grt8dpr16t@4ax.com> Message-ID: <5.1.0.14.2.20020730143936.04ddacc0@imap.ecs.soton.ac.uk> At 14:33 30/07/2002, you wrote: >I don't have any timeouts (yet) but somebody who expects 28MB+ messages >in the future was asking what happens when a timeout occurs. It depends what times out. If the virus scanner times out, then the message will get quarantined. You can solve that by simply making the virus scanner timeout big enough. The default supplied value for this is 300 seconds (5 minutes) which is much longer than it would take to scan 28Mb of data, so that won't be a problem. Messages that large will be bigger than the "Max SpamAssassin Size" value, so they won't ever get passed to SpamAssassin anyway. So the answer to his problem is that it won't be a problem at all and MailScanner will handle it just fine. > He is used >to accessing SpamAssassin in ways that a timeout gives a temp-error to >sendmail resulting in requeueing and a new attempt some time later. Yuck! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Chris.Campbell at FAC.COM Tue Jul 30 14:49:19 2002 From: Chris.Campbell at FAC.COM (Chris Campbell) Date: Thu Jan 12 21:15:21 2006 Subject: evite.com Message-ID: I need to whitelist evite's mail, yet I still have not found the way to do it. The problem is that is comes from the originator's personal email address, not from a evite.com domain. I have tried reducing the EVITE rule score to -50, but in the logs it looks like this is not even one of the rules being caught. Has anyone else found a solution for this? I really do not want to reduce one of the other rules that is catching it........ Thanks, ..................................... Christopher S. Campbell UNIX Admin First Albany Corp
From Mark.Gillis at HTCINC.NET Tue Jul 30 15:13:04 2002 From: Mark.Gillis at HTCINC.NET (Gillis, Mark) Date: Thu Jan 12 21:15:21 2006 Subject: Size Limit on spam.actions.conf? Message-ID: > Greetings to the List. > > Summary: To describe MailScanner as "adequate software" would be akin to > saying global thermonuclear warfare would be "mildly unpleasant".
> > That said, I have a question, which I hope is on-topic for this List: Is > there a practical limit on the number of entries in the spam.actions.conf > file? > > I envision using this file as a home-grown blacklist, so to speak. But I > hesitate before I break the whole system. > > Thanks in advance. > > > _____________________________________________ > Mark Gillis > Sr. Systems Administrator > HORRY TELEPHONE COOPERATIVE, INC. (HTC) > INFORMATION SERVICES > 3480 Highway 701 North > Conway, SC 29526 > 843.369.8145 > mark.gillis@htcinc.net > > HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. From sevans at FOUNDATION.SDSU.EDU Tue Jul 30 15:40:38 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:21 2006 Subject: Whitelisting again (unmodified code) Message-ID: <6214C3F9233D764C9E7029396C3550153312E4@mail.foundation.sdsu.edu> Aah, so that's how it works. It just seems to me that if I whitelist the reply-to I get it every time while the from doesn't always work. I guess I'll just check the logs now. Steve Evans Computing Services (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, July 30, 2002 12:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Whitelisting again (unmodified code) At 22:45 29/07/2002, you wrote: >Here's what I have in spam.whitelist.conf > >From: reports@marketwatchmail.com > >Here's the header from the Mailscanner processed message. 
Why isn't >the whitelisting not working. If I remove the "From:" it's still not >whitelisted. MailScanner doesn't use the headers at all for this, it uses the envelope. So either take a guess at what the envelope "From" address is (it might be the same as the return-path address) or take a look in your mail logs to determine the real envelope "From" address. At a guess the envelope From address will vary for every message from this list, so you may have to whitelist the whole domain using From: marketwatchmail.com >Microsoft Mail Internet Headers Version 2.0 >Received: from med.core01.med.wayne.edu ([146.9.19.198] RDNS failed) by >MED-CORE06.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); > Mon, 29 Jul 2002 17:18:21 -0400 >Received: from eeyore.med.wayne.edu ([146.9.19.19]) by >med.core01.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); > Mon, 29 Jul 2002 17:18:21 -0400 >Received: from q3.marketwatchmail.com (q3.marketwatchmail.com >[206.146.143.88]) > by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id >g6TL6p9S019213 > for ; Mon, 29 Jul 2002 17:07:03 -0400 >(EDT) >Message-Id: <200207292107.g6TL6p9S019213@eeyore.med.wayne.edu> >Received: (qmail 29205 invoked from network); 29 Jul 2002 21:07:48 >-0000 >Received: from unknown (206.146.143.85) > by q3.marketwatchmail.com with QMQP; 29 Jul 2002 21:07:48 -0000 >Mailing-List: contact reports@marketwatchmail.com >X-No-Archive: yes >List-Help: >List-Unsubscribe: > >List-Subscribe: >From: CBS MarketWatcher >To: jscochin@med.wayne.edu >Delivered-To: mailing list afterthebell-html@marketwatchmail.com >Delivered-To: moderator for afterthebell-html@marketwatchmail.com >Received: (qmail 28581 invoked from network); 29 Jul 2002 21:01:09 -0000 >Date: Mon, 29 Jul 2002 21:01:09 (GMT) >X-MSMail-Priority: Normal >X-mailer: AspMail 3.53 (SMTP546388) >Subject: {SPAM?} CBSMW After The Bell Report: Wall Street gets a bull >stampede >Mime-Version: 1.0 >Content-Type: text/html >Content-Transfer-Encoding: quoted-printable 
>X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=1 Fuz2=1 >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (score=8.8, required 5, FWD_MSG, > INVALID_DATE, FORGED_RCVD_FOUND, COPYRIGHT_CLAIMED, OPT_IN, > CLICK_BELOW, ONLY_COST, HTML_WITH_BGCOLOR, MIME_LONG_LINE_QP, > WEIRD_PORT, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2, >MISSING_MIMEOLE, > MISSING_OUTLOOK_NAME, AWL) >Return-Path: >afterthebell-html-return-466-jscochin=med.wayne.edu@marketwatchmail.com >X-OriginalArrivalTime: 29 Jul 2002 21:18:21.0747 (UTC) >FILETIME=[77880830:01C23745] -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jul 30 16:22:45 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:21 2006 Subject: Size Limit on spam.actions.conf? In-Reply-To: Message-ID: <5.1.0.14.2.20020730161924.0513abb0@imap.ecs.soton.ac.uk> At 15:13 30/07/2002, you wrote: > > Summary: To describe MailScanner as "adequate software" would be akin to > > saying global thermonuclear warfare would be "mildly unpleasant". Aw, thanks... > > That said, I have a question, which I hope is on-topic for this List: Is > > there a practical limit on the number of entries in the spam.actions.conf > > file? Adding rules that do not contain a "*" will have no impact on the speed whatsoever (they are held in a hash table so the access speed does not depend on the size of the table). Adding rules that do contain a "*" will gradually slow it down (they are held in a list and have to all checked for every address in each message). So thousands of non-"*" entries are no problem, but I would avoid having thousands of entries with a "*" in them. You probably won't notice a couple of hundred or so. > > I envision using this file as a home-grown blacklist, so to speak. But I > > hesitate before I break the whole system. 
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From x.mailscanner.mail at MELLONI.COM Tue Jul 30 16:35:01 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:21 2006 Subject: SpamAssassin installation guide Message-ID: <200207301535.g6UFZ1r09274@ori.rl.ac.uk> For those people likely to need a detailed spam assassin install guide, don't forget that spam assassin also has RPMs. Yes, they are usually older than the raw install, but they should work for most people and they do make life easier even if you are capable to do the manual install. I used them myself without problems. bruno From brose at MED.WAYNE.EDU Tue Jul 30 16:42:23 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:21 2006 Subject: Solaris Syslog Message-ID: Yeh it did. It rolled it back to 8.11 which really messed up my milters plus my custom ldap lookup for Active directory for delivery to our Exchange system. Good thing it was just my test system and not prod otherwise I would have been really ticked. -----Original Message----- From: Thomas DuVally [mailto:thomas_duvally@BROWN.EDU] Sent: Tuesday, July 30, 2002 9:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Solaris Syslog Did your patches update Sendmail? Sun's sendmail sucks, and can likely mess up the logging you had setup. I wouldn't think a minor . release would change much in syslogd. On Sat, 2002-07-27 at 16:50, Rose, Bobby wrote: > Has anyone applied that beast of Solaris patches? After applying to > my test system, I've discovered that Mailscanner isn't logging > anymore. I check syslogd on my test box against the syslogd on the > production box and it is now newer. It logs sendmail info, but not > mailscanner. If I replace it with the old version then it works > again. The new version is 1.90 and the old one is 1.89. Did this > happen to anyone else? 
Is there a better fix other than rolling back?

-- Tom DuVally Lead Sys. Programmer CIS, Brown University

From brose at MED.WAYNE.EDU Tue Jul 30 00:50:16 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:21 2006
Subject: Whitelisting again (unmodified code)
Message-ID:

There isn't a reply to though. There's a return-path but that would be a mess to whitelist since it would be different for every person.

-----Original Message-----
From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
Sent: Monday, July 29, 2002 5:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Whitelisting again (unmodified code)

White list the reply-to address.

Steve Evans Computing Services (619) 594-0653

-----Original Message-----
From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU]
Sent: Monday, July 29, 2002 2:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Whitelisting again (unmodified code)

Here's what I have in spam.whitelist.conf

From: reports@marketwatchmail.com

Here's the header from the Mailscanner processed message. Why isn't the whitelisting working? If I remove the "From:" it's still not whitelisted.
Microsoft Mail Internet Headers Version 2.0
Received: from med.core01.med.wayne.edu ([146.9.19.198] RDNS failed) by MED-CORE06.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400
Received: from eeyore.med.wayne.edu ([146.9.19.19]) by med.core01.med.wayne.edu with Microsoft SMTPSVC(5.0.2195.4905); Mon, 29 Jul 2002 17:18:21 -0400
Received: from q3.marketwatchmail.com (q3.marketwatchmail.com [206.146.143.88]) by eeyore.med.wayne.edu (8.12.2/8.12.2) with SMTP id g6TL6p9S019213 for ; Mon, 29 Jul 2002 17:07:03 -0400 (EDT)
Message-Id: <200207292107.g6TL6p9S019213@eeyore.med.wayne.edu>
Received: (qmail 29205 invoked from network); 29 Jul 2002 21:07:48 -0000
Received: from unknown (206.146.143.85) by q3.marketwatchmail.com with QMQP; 29 Jul 2002 21:07:48 -0000
Mailing-List: contact reports@marketwatchmail.com
X-No-Archive: yes
List-Help:
List-Unsubscribe:
List-Subscribe:
From: CBS MarketWatcher
To: jscochin@med.wayne.edu
Delivered-To: mailing list afterthebell-html@marketwatchmail.com
Delivered-To: moderator for afterthebell-html@marketwatchmail.com
Received: (qmail 28581 invoked from network); 29 Jul 2002 21:01:09 -0000
Date: Mon, 29 Jul 2002 21:01:09 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (SMTP546388)
Subject: {SPAM?} CBSMW After The Bell Report: Wall Street gets a bull stampede
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-DCC-servers-Metrics: eeyore 1049; Body=1 Fuz1=1 Fuz2=1
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: SpamAssassin (score=8.8, required 5, FWD_MSG, INVALID_DATE, FORGED_RCVD_FOUND, COPYRIGHT_CLAIMED, OPT_IN, CLICK_BELOW, ONLY_COST, HTML_WITH_BGCOLOR, MIME_LONG_LINE_QP, WEIRD_PORT, CTYPE_JUST_HTML, MSG_ID_ADDED_BY_MTA_2, MISSING_MIMEOLE, MISSING_OUTLOOK_NAME, AWL)
Return-Path: afterthebell-html-return-466-jscochin=med.wayne.edu@marketwatchmail.com
X-OriginalArrivalTime: 29 Jul 2002 21:18:21.0747 (UTC) FILETIME=[77880830:01C23745]

From mailscanner at
ecs.soton.ac.uk Tue Jul 30 16:37:10 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:21 2006
Subject: Minor bug in spam identification
Message-ID: <5.1.0.14.2.20020730163220.051cde38@imap.ecs.soton.ac.uk>

If you are seeing messages being reported as spam when they should be matched by rules in the spam.whitelist.conf file, apply this patch to your "sendmail.pl" file (in /usr/local/MailScanner/bin or /opt/mailscanner/bin):

287d286 < # Check to ensure the relay isn't in the acceptable list of spam relays. 289c288,290 < $fromdomain = $from; --- > $fromdomain = lc($from); > $fromdomain =~ s/^ $fromdomain =~ s/>$//; # trailing <> 291c292,294 < if $from =~ /@/; --- > if $fromdomain =~ /@/; > > # Check to ensure the relay isn't in the acceptable list of spam relays.

I'll release a 3.22-10 in a few minutes once I've tested this properly.

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From x.mailscanner.mail at MELLONI.COM Tue Jul 30 18:00:07 2002
From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni)
Date: Thu Jan 12 21:15:21 2006
Subject: SpamAssassin default rules
Message-ID: <200207301700.g6UH08r25399@ori.rl.ac.uk>

This might seem a dumb question, but I suspect most new MailScanner users ponder it:

Mailscanner's default install assumes the presence of SpamAssassin, and SpamAssassin's default install comes with a set of filtering rules. Although you can (and should) become an expert at adjusting the rules to your needs, is the default set of rules "good enough" for the first few months of MailScanner use? Or should the rules be modified immediately?
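Review bot: in the sendmail.pl patch posted under "Minor bug in spam identification", the replacement side of hunk 289c288,290 is incomplete as it appears here: the range announces three new lines, but after "$fromdomain = lc($from);" only one further ">" line is visible, and its first substitution "s/^" has no closing delimiter before the next "$fromdomain =~ s/>$//;" begins, so the text as shown will neither apply nor compile. Take the change from the 3.22-10 release announced in the same message rather than re-typing the hunk. Separately, because the sender is now lower-cased with lc() before the comparison, confirm that entries read from spam.whitelist.conf are lower-cased when they are loaded; that loading code is not part of this diff.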
Bruno

From mailscanner at ecs.soton.ac.uk Tue Jul 30 19:27:40 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:21 2006
Subject: SpamAssassin default rules
In-Reply-To: <200207301700.g6UH08r25399@ori.rl.ac.uk>
Message-ID: <5.1.0.14.2.20020730192454.02de7c68@imap.ecs.soton.ac.uk>

At 18:00 30/07/2002, you wrote:
>This might seem a dumb question, but I suspect most new MailScanner users
>ponder it:
>
>Mailscanner's default install assumes the presence of SpamAssassin

No it doesn't. The default value is
Use SpamAssassin = no

>, and
>SpamAssassin's default install comes with a set of filtering rules. Although
>you can (and should) become an expert at adjusting the rules to your needs,
>is the default set of rules "good enough" for the first few months of
>MailScanner use? Or should the rules be modified immediately?

I wouldn't dream of touching them personally, the SA development guys put a lot of work into getting the scores right. The only thing I would do is increase the "required_hits" value to 9 instead of 5. That produces pretty much 0 false positives.

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Tue Jul 30 22:56:49 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:21 2006
Subject: MAILSCANNER: jeff@EZCLICK.NET requested to join
Message-ID: <200207302156.WAA21855@magpie.ecs.soton.ac.uk>

Tue, 30 Jul 2002 22:56:49

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Jeff Gavin .
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER jeff@EZCLICK.NET Jeff Gavin

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+jeff%40EZCLICK.NET+Jeff+Gavin&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From LISTSERV at JISCMAIL.AC.UK Wed Jul 31 07:22:37 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:21 2006
Subject: MAILSCANNER: tomn-mailscanner@SNEAKY.NET requested to join
Message-ID: <200207310622.HAA16432@magpie.ecs.soton.ac.uk>

Wed, 31 Jul 2002 07:22:37

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Tom Neville .

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER tomn-mailscanner@SNEAKY.NET Tom Neville

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+tomn-mailscanner%40SNEAKY.NET+Tom+Neville&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From P.G.M.Peters at civ.utwente.nl Wed Jul 31 09:13:36 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:21 2006
Subject: SpamAssassin default rules
In-Reply-To: <5.1.0.14.2.20020730192454.02de7c68@imap.ecs.soton.ac.uk>
References: <200207301700.g6UH08r25399@ori.rl.ac.uk> <5.1.0.14.2.20020730192454.02de7c68@imap.ecs.soton.ac.uk>
Message-ID: <5r6fkugkshvrpubvn78aojv4uc5q9ust9d@4ax.com>

On Tue, 30 Jul 2002 19:27:40 +0100, you wrote:
>I wouldn't dream of touching them personally, the SA development guys put a
>lot of work into getting the scores right.
The only thing I would do is
>increase the "required_hits" value to 9 instead of 5. That produces pretty
>much 0 false positives.

The only thing I did was disable blocklisting. I use an extended set of BL's from within MailScanner.

In regard to increasing the required hits: I kept it at 5 and the only false positives I get are complaints about spam which include the spam-body.

-- Peter Peters senior network administrator, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From LISTSERV at JISCMAIL.AC.UK Wed Jul 31 11:30:35 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:21 2006
Subject: MAILSCANNER: dbird@SGHMS.AC.UK requested to join
Message-ID: <200207311030.LAA03685@magpie.ecs.soton.ac.uk>

Wed, 31 Jul 2002 11:30:35

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Daniel Bird .

You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER dbird@SGHMS.AC.UK Daniel Bird

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+dbird%40SGHMS.AC.UK+Daniel+Bird&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From Q.G.Campbell at NEWCASTLE.AC.UK Wed Jul 31 13:09:42 2002
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:15:21 2006
Subject: SpamAssassin default rules
Message-ID:

> -----Original Message-----
> From: Peter Peters [mailto:P.G.M.Peters@civ.utwente.nl]
> Sent: 31 July 2002 09:14
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SpamAssassin default rules
>
>
> On Tue, 30 Jul 2002 19:27:40 +0100, you wrote:
>
> >I wouldn't dream of touching them personally, the SA
> development guys
> >put a
lot of work into getting the scores right. The only
> thing I would
> >do is increase the "required_hits" value to 9 instead of 5. That
> >produces pretty much 0 false positives.
>
> The only thing I did was disable blocklisting. I use an
> extended set of BL's from within MailScanner.
>
> In regard to increasing the required hits: I kept it at 5 and
> the only false positives I get are complaints about spam
> which include the spam-body.
>

Since the issue of local SpamAssassin rules has been raised I have some comments. I have built up an extensive range of local rules, some of which have the effect of adding a negative score to counteract certain default rules *if* special local conditions apply. Other local rules extend the spam checking to areas that the default rules do not cover.

The local override rules and scores are in /etc/mail/spamassassin/local.cf. As well as the rules described above this file also includes local overrides such as for "required_hits", which was raised today from 6 to 9, and for disabling blacklisting by SA as Peter Peters has done.

If you maintain local rules in the way recommended by the SpamAssassin docs, and described above, BEWARE of the new "spam.assassin.prefs.conf" file provided by MailScanner. This file will override any other local changes that you have made in the places recommended by the SpamAssassin docs.

In our case the "spam.assassin.prefs.conf" file should be empty OR all lines should be comments OR the "SpamAssassin Pref File =" entry in mailscanner.conf should be null OR should point at (for this site) "/etc/mail/spamassassin/local.cf".

I would welcome Julian's comment/advice on this. I believe that the entry in mailscanner.conf for the "SpamAssassin Pref File" should have a "Health Warning" comment added and/or a bit more explanation about why/when it is needed.

One final point.
Although this will be obvious to most, I do my testing of changes to local SpamAssassin rules as a non-root user and by using "spamassassin -t" for applying the new rules against test messages. The rules file for development is in the file ~myloginid/.spamassassin/user_prefs. This way the rules I am developing are not seen by the production MailScanner/SpamAssassin which runs as root. However note that when doing the testing as the non-root user the local rules in /etc/mail/spamassassin/local.cf *are* visible to "spamassassin -t". Make sure that this file is "read" to everyone for this to be the case.

Quentin
---
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From mailscanner at ecs.soton.ac.uk Wed Jul 31 13:33:57 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:21 2006
Subject: SpamAssassin default rules
In-Reply-To:
Message-ID: <5.1.0.14.2.20020731133017.0323ad70@imap.ecs.soton.ac.uk>

At 13:09 31/07/2002, you wrote:
>The local override rules and scores are in
>/etc/mail/spamassassin/local.cf. As well as the rules described above
>this file also includes local overrides such as for "required_hits",
>which was raised today from 6 to 9, and for disabling blacklisting by SA
>as Peter Peters has done.
>
>If you maintain local rules in the way recommended by the SpamAssassin
>docs, and described above, BEWARE of the new "spam.assassin.prefs.conf"
>file provided by MailScanner. This file will override any other local
>changes that you have made in the places recommended by the SpamAssassin
>docs.
>
>In our case the "spam.assassin.prefs.conf" file should be empty OR all
>lines should be comments OR the "SpamAssassin Pref File =" entry in
>mailscanner.conf should be null OR should point at (for this site)
>"/etc/mail/spamassassin/local.cf".
>
>I would welcome Julian's comment/advice on this. I believe that the
>entry in mailscanner.conf for the "SpamAssassin Pref File" should have a
>"Health Warning" comment added and/or a bit more explanation about
>why/when it is needed.

That sounds like a very good idea. I had never quite got to the bottom of what files SA uses from where and when. The spam.assassin.prefs.conf file is mostly there for when you use "Compile SpamAssassin Once = yes", as you then have to tell SA what file to load its config from. At the time I couldn't work out where SA was looking for its files, and I couldn't be sure they wouldn't vary between different OS's/versions, so there was no single correct answer to which file to use. So I supplied my own in a place I could safely predict. Most people never change the SA rules anyway, so my solution worked for most people, most of the time. But I agree that it's less than perfect if you want to change the SA rules.

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Wed Jul 31 13:54:56 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:21 2006
Subject: MAILSCANNER: rob@CSCONSULTANTS.NET requested to join
Message-ID: <200207311254.NAA16042@magpie.ecs.soton.ac.uk>

Wed, 31 Jul 2002 13:54:56

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Rob Lundberg .
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER rob@CSCONSULTANTS.NET Rob Lundberg

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+rob%40CSCONSULTANTS.NET+Rob+Lundberg&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]

From dbird at SGHMS.AC.UK Wed Jul 31 14:38:15 2002
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:15:21 2006
Subject: not logging ">>> Virus", only "Found 1 viruses"
Message-ID: <200207311338.g6VDcGr16487@ori.rl.ac.uk>

Dear All, I am having the same problem, any ideas????

regards Dan

On Mon, 3 Jun 2002 16:48:37 -0500, Paul Rossman wrote:
>Hi everyone,
>
>I'm going crazy trying to figure out why I'm not getting log reports for
>detected viruses.... To be more specific, I am getting these:
>
>Jun 3 16:38:18 glacier mailscanner[17266]: Found 1 viruses in messages
>g53Lbt217631
>
>but not these types:
>
>May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus
>'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe
>
>I've looked everywhere for the keywords "found in" and ">>>" but to no
>relevant success. Looked at the src, in the howto/faq, in my mail archives
>since Jan 2002, and in the online mailing list archives.
>
>I'm using Mcafee:
>
>Virus Scan for Linux v4.16.0
>Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights reserved.
>(408) 988-3832 LICENSED COPY - Nov 13 2001
>
>Scan engine v4.1.60 for Linux.
>Virus data file v4205 created May 29 2002
>Scanning for 60684 viruses, trojans and variants.
>
>Is that type of specific virus report to syslog a result of the virus scanner
>(something other than mcafee?).
>
>I've included my syslog info below just in case.
>
>Any help would be much appreciated.
>
>Thanks!
>-paul
>
>-------
>
>syslog.conf file on mailserver contains:
>
>##
>## Everything to loghost
>##
>*.* @loghost
>
>-------
>
>syslog.conf file on loghost server contains the following line for mail:
>
>mail.warning;mail.emerg;mail.alert;mail.crit;mail.info;mail.err;mail.notice ;mail.debug;mail.*
> /var/log/maillog
>
>-------

From rob at CSCONSULTANTS.NET Wed Jul 31 16:26:30 2002
From: rob at CSCONSULTANTS.NET (Rob Lundberg)
Date: Thu Jan 12 21:15:21 2006
Subject: Kaspersky 4.0.1.0 & MailScanner 3.22-10 ?
Message-ID:

I read a few threads in the list archive regarding Kaspersky but none seemed to resolve my problem. First of all I have to say that MailScanner is wonderful. I have been using it for about a month now with a 30 day demo of Sophos. That of course was easy to set up and ran flawlessly since it is the default. My organization already uses Kaspersky on the desktops and file servers so we need to go with Kaspersky on the mail server based on our discount with our reseller.

Today I decided to switch the AV scanner to Kaspersky, when I changed the .conf to reflect Kaspersky instead of Sophos, the virus scanner effectively died. I tested using an Eicar test file, and had the following message in my maillog

Jul 30 17:34:39 bushwood mailscanner[14674]: Commercial scanner kaspersky timed out!

Switched back to Sophos and sent the Eicar test file again everything works fine. Back and forth a few times double checking...

In my mailscanner.conf

Virus Scanner = kaspersky
Sweep = /usr/local/kaspersky/kasperskywrapper
Minimum Code Status = alpha

Everything else in the mailscanner.conf is stock from the install defaults. Am I missing something here, aside from the fact that it is still alpha? Anyone else have success or failure with Kaspersky and MailScanner care to spike my learning curve?

From hugo.1000 at GMX.NET Wed Jul 31 20:28:54 2002
From: hugo.1000 at GMX.NET (Alf Gunz)
Date: Thu Jan 12 21:15:21 2006
Subject: Kaspersky 4.0.1.0 & MailScanner 3.22-10 ?
In-Reply-To:
Message-ID:

Hi,

> Sweep = /usr/local/kaspersky/kasperskywrapper
> Everything else in the mailscanner.conf is stock from the install defaults.
> Am I missing something here, aside from the fact that it is still alpha?

Check if kavscanner works correctly. Try kavscanner . That's what didn't work for me first. It said something about "nothing to scan". And I've disabled the use of the profile in the kasperskywrapper so that kavscanner uses the same settings on the console as the kav in mailscanner.

-- mfg alf

From kvue at WADSNET.COM Wed Jul 31 20:51:50 2002
From: kvue at WADSNET.COM (Kham Vue)
Date: Thu Jan 12 21:15:21 2006
Subject: safesasl failed
References:
Message-ID: <08a501c238cb$b82e3df0$fe00010a@backup>

I'm getting the following error in my logs. Anyone got a clue of why and how to fix it?

---- Jul 31 15:51:15 www sendmail[19898]: error: safesasl(/etc/sasldb) failed: Group readable file ----

Running Cobalt RAQ4

--------------------------------------------------------------
Kham Vue Internet Admin WADSNET.COM Wadsworth Internet Service kvue@wadsnet.com
"Never try to out run an angry bear. Just out run the other people."
From hugo.1000 at GMX.NET Wed Jul 31 21:16:13 2002
From: hugo.1000 at GMX.NET (Alf Gunz)
Date: Thu Jan 12 21:15:21 2006
Subject: safesasl failed
In-Reply-To: <08a501c238cb$b82e3df0$fe00010a@backup>
Message-ID:

Hi,

> ---- Jul 31 15:51:15 www sendmail[19898]: error: safesasl(/etc/sasldb)
> failed: Group readable file ----
>
> Running Cobalt RAQ4

Try chmod g-r /etc/sasldb
or show as a "ls -al /etc/sasldb"

-- MfG alf

From kvue at WADSNET.COM Wed Jul 31 21:33:16 2002
From: kvue at WADSNET.COM (Kham Vue)
Date: Thu Jan 12 21:15:21 2006
Subject: safesasl failed
References:
Message-ID: <090c01c238d1$b0388690$fe00010a@backup>

here's what I got:

--------------------------------------------------
[root /etc]# ls -all sas*
-rw-r--r-- 1 root root 20480 Jul 31 16:11 sasldb
[root /etc]# chmod g-r /etc/sasldb
[root /etc]# ls -all sas*
-rw----r-- 1 root root 20480 Jul 31 16:11 sasldb
[root /etc]#
-------------------------------------

And it seems to work. I sent 5 emails from yahoo and no errors

Thank you.

--------------------------------------------------------------
Kham Vue Internet Admin WADSNET.COM Wadsworth Internet Service kvue@wadsnet.com
"Never try to out run an angry bear. Just out run the other people."

----- Original Message -----
From: "Alf Gunz"
To:
Sent: Wednesday, July 31, 2002 4:16 PM
Subject: Re: safesasl failed

> Hi,
>
> > ---- Jul 31 15:51:15 www sendmail[19898]: error: safesasl(/etc/sasldb)
> > failed: Group readable file ----
> >
> > Running Cobalt RAQ4
>
> Try chmod g-r /etc/sasldb
> or show as a "ls -al /etc/sasldb"
>
> --
> MfG alf
>
>

From rob at CSCONSULTANTS.NET Wed Jul 31 22:32:40 2002
From: rob at CSCONSULTANTS.NET (Rob Lundberg)
Date: Thu Jan 12 21:15:21 2006
Subject: Kaspersky 4.0.1.0 & MailScanner 3.22-10 ?
In-Reply-To:
Message-ID:

> Check if kavscanner works correctly. Try kavscanner .
> That's what didn't work for me first. It said something about "nothing to
> scan".
> And I've disabled the use of the profile in the kasperskywrapper so that
> kavscanner uses the same settings on the console as the kav in
> mailscanner.
>

kavscanner works fine detecting the eicar test file "kavscanner /tmp/eicar.com"

I think the problem lies between the MailScanner default kasperskywrapper and kaspersky.prf

I am no expert on the kavscanner for linux but two lines in the kaspersky.prf seem to cause a problem:

#InfectedAction=1
InfectedAction=

With this object being blank I get an error "Profile contain wrong value for property InfectedAction" when I run kasperskywrapper by hand

#Names=*/home;*/tmp;*/var/tmp;/usr/src;/mnt/cdrom

Obviously this tells kavscanner where to scan, and it is commented out so MailScanner can specifically tell it what to scan. If I run kasperskywrapper by hand it yields "Nothing to Scan. You should select at least one directory to scan."

In the kasperskywrapper:

#ScanOptions="$ScanOptions -Y" # no confirmations (will need once the rest is right)

Perhaps a confirmation box is tying up the process since this is commented out?

Anyone have a customized and working kasperskywrapper and kaspersky.prf they care to share?

From LISTSERV at JISCMAIL.AC.UK Wed Jul 31 22:42:39 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:15:21 2006
Subject: MAILSCANNER: riemer@PALSTRA.COM requested to join
Message-ID: <200207312142.WAA27790@magpie.ecs.soton.ac.uk>

Wed, 31 Jul 2002 22:42:39

A request for subscription to the MAILSCANNER list (MailScanner mailing list) has been received from Riemer Palstra .
You can, at your discretion, send the following command to LISTSERV@JISCMAIL.AC.UK to add this person to the list:

ADD MAILSCANNER riemer@PALSTRA.COM Riemer Palstra

The simplest way to do this is to click on the following link:

http://jiscmail.ac.uk/cgi-bin/wa.exe?LCMD=ADD+MAILSCANNER+riemer%40PALSTRA.COM+Riemer+Palstra&L=MAILSCANNER

------------------------- Original mail header --------------------------
[Request submitted through anonymous TCP/IP interface from 127.0.0.1]
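
The ls output in the "safesasl failed" thread above shows mode -rw----r-- after chmod g-r: the group-read bit named in the sendmail error is cleared, but the other-read bit is still set. The shell sketch below is an added example, not code from any poster or from sendmail; the function names are made up here, and it replays the thread's 644 then g-r sequence on a scratch file and compares the result with mode 600.

```shell
#!/bin/sh
# Added example (not from the thread): list which group/other permission
# bits are still open on a secrets file such as /etc/sasldb.
# All function names are hypothetical; the demo uses a scratch file only.

# mode_string FILE -> the 10-character mode field from ls, e.g. -rw-r--r--
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_mode MODESTRING -> one finding per open group/other read or write
# bit; returns 0 when only the owner has access, 1 otherwise.
audit_mode() {
    mode=$1
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    rc=0
    case $group in *r*) echo "group-readable"; rc=1 ;; esac
    case $group in *w*) echo "group-writable"; rc=1 ;; esac
    case $other in *r*) echo "world-readable"; rc=1 ;; esac
    case $other in *w*) echo "world-writable"; rc=1 ;; esac
    return $rc
}

# audit_file FILE -> audit_mode applied to a file on disk
audit_file() {
    audit_mode "$(mode_string "$1")"
}

# report LABEL FILE -> one summary line for the demo
report() {
    findings=$(audit_file "$2" | tr '\n' ' ')
    echo "$1 $(mode_string "$2") ${findings:-owner-only}"
}

# demo: replay the sequence from the thread on a temporary file
demo() {
    f=$(mktemp) || return 1
    chmod 644 "$f"; report "before chmod:" "$f"
    chmod g-r "$f"; report "after g-r:   " "$f"
    chmod 600 "$f"; report "after 600:   " "$f"
    rm -f "$f"
}

demo
```

To check the real file, run audit_file /etc/sasldb as root; a non-zero exit status means a group or other bit is still open.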