From ucs_rat at SHSU.EDU Sat Jun 1 02:17:49 2002
From: ucs_rat at SHSU.EDU (Robert A. Thompson)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To: <1022861418.8288.15.camel@service.darksaber.com>
References: <1022861418.8288.15.camel@service.darksaber.com>
Message-ID: <1022894269.1939.0.camel@localhost.localdomain>

I might get some corn from you one day, but we'll eat the shrimp when we
come visit you.

--ro

On Fri, 2002-05-31 at 11:10, Thom Paine wrote:
> I just received a phone call from a site running mailscanner and
> apparently a klez.h virus got through to a workstation. It was picked up
> there by PC Cillin and halted.
>
> The site is running mailscanner with Mcafee 4.1.6 and just autoupdated
> the defs yesterday to 4205.
>
> Anyone else experience something similar?
>
> --
> -=/>Thom
> Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4
> Uptime: 12:08pm up 8 days, 18:31, 2 users, load average: 1.31, 1.28,
> 1.33
> Registered Linux User 214499

From thom at DARKSABER.COM Sat Jun 1 13:45:23 2002
From: thom at DARKSABER.COM (Thom Paine)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To: <1022894269.1939.0.camel@localhost.localdomain>
References: <1022861418.8288.15.camel@service.darksaber.com> <1022894269.1939.0.camel@localhost.localdomain>
Message-ID: <1022935524.9704.2.camel@service.darksaber.com>

You lost me on that one.

On Fri, 2002-05-31 at 21:17, Robert A. Thompson wrote:
> I might get some corn from you one day, but we'll eat the shrimp when we
> come visit you.
>
> --ro
>
--
-=/>Thom
Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4
Uptime: 8:44am up 9 days, 15:07, 1 user, load average: 1.07, 1.18, 1.22
Registered Linux User 214499

From jkf at ecs.soton.ac.uk Sat Jun 1 20:23:38 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:54 2006
Subject: Any one else notice...
In-Reply-To: <5.1.1.2.2.20020531143305.027f1a70@pop3.tulsaconnect.com>
References: <002101c208d7$34202d30$48cf75cc@fizz> <008c01c207d9$4f5f52a0$48cf75cc@fizz> <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020530172219.045f8e10@imap.ecs.soton.ac.uk> <3CF7C0F4.2030007@spawar.navy.mil>
Message-ID: <5.1.0.14.2.20020601202259.02a98a38@imap.ecs.soton.ac.uk>

At 20:38 31/05/2002, you wrote:
>still enabled in SA). It would print the "SpamAssassin has timed out and
>will be killed" multiple times and it seemed to never finish. Simply
>changing the number of messages to scan per batch to 15, it processed that
>same batch of 100 messages very quickly, without a single "SpamAssassin has
>timed out and will be killed".

That's curious, because the SpamAssassin timeout is per *message*, not per
batch.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 1 20:22:34 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:54 2006
Subject: Any one else notice...
In-Reply-To:
References: <3CF7C0F4.2030007@spawar.navy.mil>
Message-ID: <5.1.0.14.2.20020601202143.02a50c70@imap.ecs.soton.ac.uk>

At 20:49 31/05/2002, you wrote:
>   I'll weigh in on this thread too. Last Monday, I moved our mail service
>to a Sun E220R, 2 cpus, running Solaris 8. I'm running mailscanner with
>spamassassin turned on. I have all of the "Spam List" options in
>mailscanner.conf commented out. I have Spamcop assigned a non-zero score
>in spamassassin, so I hope/think SA is using spamcop (I'm not sure yet).
>We use RBL+ in sendmail, and we subscribe to it transfer mode, so RBL+
>mail gets rejected before getting to mailscanner. I have the delivery
>mode in mailscanner set to "queue". We use Sophos. We process roughly
>20K messages a day. Result: the system works great, no slowdowns, no
>clogged queues, nothing but bliss. Julian should be knighted, IMHO.

Aw, shucks. Arise, Sir Me! :-)

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 1 20:20:05 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:54 2006
Subject: Any one else notice...
In-Reply-To: <002401c208e0$538b74a0$48cf75cc@fizz>
Message-ID: <5.1.0.14.2.20020601201352.02ab52f0@imap.ecs.soton.ac.uk>

I've spent the whole day staring at code today...
and I *think* I have found the problem. What changed between the 2 versions
Kelly first reported was that the code was doing 2 extra "-f" checks on
each message. It's quite possible that some OS's don't cache directory
metadata (i.e. the data about the files in the dir) very cleverly when that
data is constantly changing, as it does when I am processing the queue.

So I've optimised out those "-f" checks, and have also been through the
whole of the rest of the code optimising all the "-f" (file existence)
checks and all the "-d" (directory existence) checks.

So if I'm right, it should now run faster than it ever did :-)

All I need now is a willing tester who has got a nice heavily loaded mail
server.
Kelly perhaps?
If Kelly can't then any other offers for testing would be very much
appreciated.

Another thing I've been working on is a much-improved RPM. It will now only
install any needed Perl modules if you don't have a recent-enough version
installed already. And if you find that the TNEF expander isn't coping with
a lot of your Outlook attachments, you now have the option to use a Perl
module TNEF expander instead of the external binary one.

I think there's one or two other things as well, but that's enough to keep
you happy for now :-)

Jules.

At 21:18 31/05/2002, you wrote:
>unfortunately were already running a name server on the same machine, and
>have 512megs ram in it. Its only a p3 500, but it was keeping up with the
>load great before. I have my sendmail set to do rbl checks, i have spam
>assassin's user_prefs set with skip_rbl_checks 1 and ignore_rbl_checks 1 and
>commented the rbl checks out in mailscanner (this is how i was running
>already) Something changed in the code in the last release or so which
>changed some timing. Julian mentioned to me that spam checking is now done
>on separate forks (separate processes) and hes not sure if thats where the
>bottleneck is. Although i did some testing with spam checks = no and it
>improved a little but not as much as it should. In version 3.13-2 with spam
>checks off i can process 2000 messages in like 5 minutes, or less. with the
>new version it took well over 15 minutes.
>
>Just some more information for you guys.
>thanks.
>
>----- Original Message -----
>From: "Jeff A. Earickson"
>To:
>Sent: Friday, May 31, 2002 3:49 PM
>Subject: Re: Any one else notice...
>
>
> > Hi,
> >
> > I'll weigh in on this thread too. Last Monday, I moved our mail service
> > to a Sun E220R, 2 cpus, running Solaris 8. I'm running mailscanner with
> > spamassassin turned on. I have all of the "Spam List" options in
> > mailscanner.conf commented out. I have Spamcop assigned a non-zero score
> > in spamassassin, so I hope/think SA is using spamcop (I'm not sure yet).
> > We use RBL+ in sendmail, and we subscribe to it transfer mode, so RBL+
> > mail gets rejected before getting to mailscanner. I have the delivery
> > mode in mailscanner set to "queue". We use Sophos. We process roughly
> > 20K messages a day. Result: the system works great, no slowdowns, no
> > clogged queues, nothing but bliss. Julian should be knighted, IMHO.
> >
> > Most of what I see in this thread sounds like DNS slowdowns. Here's
> > my advice:
> >
> > * run a modern version of bind on your mail server, at least in caching mode,
> >   to handle the DNS lookups for you. If you use RBL+ or other zone-transfer
> >   mode DNS blocklists, do the zone transfers to the mail server, so
> >   DNS queries never leave the box for RBL+. You will probably have to
> >   pay money to get zone transfers. As a part of running bind on your mail
> >   server, make sure /etc/resolv.conf is configured so that the first entry
> >   is the external interface (not loopback) of the mail server. Here is my
> >   resolv.conf for my server, emerald:
> >
> >   domain colby.edu
> >   nameserver 137.146.210.52 # emerald, this host, not loopback -- for RBL+
> >   nameserver 137.146.210.46 # opal
> >   nameserver 137.146.210.45 # ruby
> >   nameserver 139.140.1.1 # polar.bowdoin.edu
> >   nameserver 204.70.128.1 # ns.cw.net
> >
> >   Any DNS lookup on emerald goes to the local cache first, then other
> >   local machines, then remotely.
> >
> > * Have lots of memory in the machine for named to use. Named is using
> >   about 140 MB of resident memory on my machine right now. If you are
> >   using bind 9.X (you should be) and have a multi-cpu machine, let bind
> >   run threads on all cpus.
> >
> > * If you are doing DNS spam-blocking, do it in sendmail. Reject the
> >   stuff before it gets to mailscanner or spamassassin.
> >
> > * Comment out some of the "Spam List" lookups in mailscanner and see if
> >   that helps. Fewer DNS lookups, especially to a remote site that is
> >   overloaded (like relays.ordb.org perhaps), may be a bottleneck. Likewise,
> >   check the config for SA and try to control DNS lookups there too.
> >
> > * If you are running Solaris, shut off nscd!! This code is a real
> >   DNS bottleneck for a system doing beaucoup lookups. When we first
> >   moved our Apache web server to Sun, we were getting glacial response
> >   times to webpage requests. I found a technote at the Apache site about
> >   nscd problems. Turned it off, and things ran fast after that.
> >   The same advice applies to other Solaris apps doing massive DNS,
> >   and nscd could appear on other versions of UNIX. Let bind do the
> >   work instead.
> >
> > Of course our students are gone right now. The system could blow up when
> > they return next Fall.
> >
> > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
> > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
> > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
> > ** Waterville ME, 04901-8842
> > ----------------------------------------------------------------------------
>
>

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 1 20:29:16 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To: <200205311952.g4VJqDE15449@central.acyc.com>
References: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu>
Message-ID: <5.1.0.14.2.20020601202717.0364b4d0@imap.ecs.soton.ac.uk>

Is there a consensus that the mcafee wrapper and autoupdate scripts should
be changed to use new locations?
If so, what would you all like?

I can always put some checking code in the RPM so that it spits a big
warning if the old directory still exists, so you get told to move your
copy of McAfee to the new location.

Any suggestions welcome!

Jules.

At 20:47 31/05/2002, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Fri 31 May 2002 12:54, you wrote:
> > I have not bought a new version of mcafee in a while but the one I
> > use installs by default into a directory named uvscan and puts the
> > dat files in the same folder. This has caused me problems several
> > times with the rpm install of mailscanner, and I always have to
> > remember to go fix the mcafeewrapper.
> >
> > I've thought about creating a source rpm for mailscanner that
> > builds a more "truly" binary set of rpm's (as opposed to the
> > script based rpm that builds the perl modules and etc on install
> > now) that just drop the files in the correct location and then
> > tries to dynamically generate a more proper config however, I'm not
> > sure if this would be of any use to anyone. Or if this would be too
> > specialized for one platform(and rejected on that basis)
> >
> > --robert
>
>I have the same problem. I would appreciate a copy of the modified
>mcafeewrapper script, if at all possible.
>
>
>- --
>Alfredo J. Cole
>http://www.acyc.com (Accounting Systems)
>http://www.clshonduras.com (Linux Hardware)
>PGP Key available from certserver.pgp.com
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+
>fkruml4RiJePPbpw2LbmIWk=
>=axMV
>-----END PGP SIGNATURE-----

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Sun Jun 2 17:04:45 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:54 2006
Subject: MAILSCANNER: jonc@HAHT.COM requested to join
Message-ID: <200206021604.RAA25889@magpie.ecs.soton.ac.uk>

Sun, 2 Jun 2002 17:04:45

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Jon Carnes

The following membership options have been requested: CONCEAL.

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER jonc@HAHT.COM Jon Carnes

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER jonc@HAHT.COM Jon Carnes
SET MAILSCANNER CONCEAL FOR jonc@HAHT.COM
// EOJ

From ron at SPAWAR.NAVY.MIL Mon Jun 3 01:40:08 2002
From: ron at SPAWAR.NAVY.MIL (Ron Broersma)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
References: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <5.1.0.14.2.20020601202717.0364b4d0@imap.ecs.soton.ac.uk>
Message-ID: <3CFABAE8.1060805@spawar.navy.mil>

Julian,

McAfee likes to live in /usr/local/uvscan. The McAfee "install-uvscan"
script puts it there by default...

    # Default installation location
    default_dir="/usr/local/uvscan"

If you remember to override the default and have it install in
/usr/local/mcafee instead (where mailscanner expects it), then it works
just fine. However, to avoid potential confusion for those installing
it the first time or for those that already installed mcafee in its
default location, it would be best for mailscanner to be consistent with
the mcafee default of /usr/local/uvscan.

--Ron

Julian Field wrote:

> Is there a consensus that the mcafee wrapper and autoupdate scripts should
> be changed to use new locations?
> If so, what would you all like?
>
> I can always put some checking code in the RPM so that it spits a big
> warning if the old directory still exists, so you get told to move your
> copy of McAfee to the new location.
>
> Any suggestions welcome!
>
> Jules.
>
> At 20:47 31/05/2002, you wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Fri 31 May 2002 12:54, you wrote:
>> > I have not bought a new version of mcafee in a while but the one I
>> > use installs by default into a directory named uvscan and puts the
>> > dat files in the same folder. This has caused me problems several
>> > times with the rpm install of mailscanner, and I always have to
>> > remember to go fix the mcafeewrapper.
>> >
>> > I've thought about creating a source rpm for mailscanner that
>> > builds a more "truly" binary set of rpm's (as opposed to the
>> > script based rpm that builds the perl modules and etc on install
>> > now) that just drop the files in the correct location and then
>> > tries to dynamically generate a more proper config however, I'm not
>> > sure if this would be of any use to anyone. Or if this would be too
>> > specialized for one platform(and rejected on that basis)
>> >
>> > --robert
>>
>> I have the same problem. I would appreciate a copy of the modified
>> mcafeewrapper script, if at all possible.
>>
>>
>> - --
>> Alfredo J. Cole
>> http://www.acyc.com (Accounting Systems)
>> http://www.clshonduras.com (Linux Hardware)
>> PGP Key available from certserver.pgp.com
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.0.6 (GNU/Linux)
>> Comment: For info see http://www.gnupg.org
>>
>> iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+
>> fkruml4RiJePPbpw2LbmIWk=
>> =axMV
>> -----END PGP SIGNATURE-----
>
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3469 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020602/42438607/smime.bin

From nwp at LEMON-COMPUTING.COM Mon Jun 3 11:09:43 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:54 2006
Subject: Testers needed...
Message-ID: <20020603100943.GA10500@hoiho.nz.lemon-computing.com>

I need a few people to test use of some new locking code running
mailscanner with Exim on various OSes....

Any volunteers, please email me.

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Everything will be just tickety-boo today.

From nwp at LEMON-COMPUTING.COM Mon Jun 3 11:15:01 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:54 2006
Subject: Exim users...
Message-ID: <20020603101501.GB10500@hoiho.nz.lemon-computing.com>

I need to collar anyone who is using mailscanner with Exim on an 'unusual'
OS - that is to say something other than Linux, Solaris, *BSD, IRIX or AIX.

If you are using mailscanner with Exim on a platform other than one of
those listed above, *SHOUT NOW* or an upcoming release of mailscanner will
stop working on your system. (I just need a little info from your manpages
to make it work)...

Apart from this, I would appreciate a little testing from anyone able to
use anything other than Linux to run mailscanner+Exim on (I only have
access to Linux at the moment)...

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Today is the tomorrow you worried about yesterday.

From fizz at BOMB.NET Mon Jun 3 13:29:05 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:54 2006
Subject: Any one else notice...
References: <5.1.0.14.2.20020601201352.02ab52f0@imap.ecs.soton.ac.uk>
Message-ID: <006c01c20afa$408eb030$48cf75cc@fizz>

ill test :)

----- Original Message -----
From: "Julian Field"
To:
Sent: Saturday, June 01, 2002 3:20 PM
Subject: Re: Any one else notice...

> I've spent the whole day staring at code today...
> and I *think* I have found the problem. What changed between the 2 versions
> Kelly first reported was that the code was doing 2 extra "-f" checks on
> each message. It's quite possible that some OS's don't cache directory
> metadata (i.e. the data about the files in the dir) very cleverly when that
> data is constantly changing, as it does when I am processing the queue.
>
> So I've optimised out those "-f" checks, and have also been through the
> whole of the rest of the code optimising all the "-f" (file existence)
> checks and all the "-d" (directory existence) checks.
>
> So if I'm right, it should now run faster than it ever did :-)
>
> All I need now is a willing tester who has got a nice heavily loaded mail
> server.
> Kelly perhaps?
> If Kelly can't then any other offers for testing would be very much
> appreciated.
>
> Another thing I've been working on is a much-improved RPM. It will now only
> install any needed Perl modules if you don't have a recent-enough version
> installed already. And if you find that the TNEF expander isn't coping with
> a lot of your Outlook attachments, you now have the option to use a Perl
> module TNEF expander instead of the external binary one.
>
> I think there's one or two other things as well, but that's enough to keep
> you happy for now :-)
>
> Jules.
>
> At 21:18 31/05/2002, you wrote:
> >unfortunately were already running a name server on the same machine, and
> >have 512megs ram in it. Its only a p3 500, but it was keeping up with the
> >load great before. I have my sendmail set to do rbl checks, i have spam
> >assassin's user_prefs set with skip_rbl_checks 1 and ignore_rbl_checks 1 and
> >commented the rbl checks out in mailscanner (this is how i was running
> >already) Something changed in the code in the last release or so which
> >changed some timing. Julian mentioned to me that spam checking is now done
> >on separate forks (separate processes) and hes not sure if thats where the
> >bottleneck is. Although i did some testing with spam checks = no and it
> >improved a little but not as much as it should. In version 3.13-2 with spam
> >checks off i can process 2000 messages in like 5 minutes, or less. with the
> >new version it took well over 15 minutes.
> >
> >Just some more information for you guys.
> >thanks.
> >
> >----- Original Message -----
> >From: "Jeff A. Earickson"
> >To:
> >Sent: Friday, May 31, 2002 3:49 PM
> >Subject: Re: Any one else notice...
> >
> >
> > > Hi,
> > >
> > > I'll weigh in on this thread too. Last Monday, I moved our mail service
> > > to a Sun E220R, 2 cpus, running Solaris 8. I'm running mailscanner with
> > > spamassassin turned on. I have all of the "Spam List" options in
> > > mailscanner.conf commented out. I have Spamcop assigned a non-zero score
> > > in spamassassin, so I hope/think SA is using spamcop (I'm not sure yet).
> > > We use RBL+ in sendmail, and we subscribe to it transfer mode, so RBL+
> > > mail gets rejected before getting to mailscanner. I have the delivery
> > > mode in mailscanner set to "queue". We use Sophos. We process roughly
> > > 20K messages a day. Result: the system works great, no slowdowns, no
> > > clogged queues, nothing but bliss. Julian should be knighted, IMHO.
> > >
> > > Most of what I see in this thread sounds like DNS slowdowns. Here's
> > > my advice:
> > >
> > > * run a modern version of bind on your mail server, at least in caching mode,
> > >   to handle the DNS lookups for you. If you use RBL+ or other zone-transfer
> > >   mode DNS blocklists, do the zone transfers to the mail server, so
> > >   DNS queries never leave the box for RBL+. You will probably have to
> > >   pay money to get zone transfers. As a part of running bind on your mail
> > >   server, make sure /etc/resolv.conf is configured so that the first entry
> > >   is the external interface (not loopback) of the mail server. Here is my
> > >   resolv.conf for my server, emerald:
> > >
> > >   domain colby.edu
> > >   nameserver 137.146.210.52 # emerald, this host, not loopback -- for RBL+
> > >   nameserver 137.146.210.46 # opal
> > >   nameserver 137.146.210.45 # ruby
> > >   nameserver 139.140.1.1 # polar.bowdoin.edu
> > >   nameserver 204.70.128.1 # ns.cw.net
> > >
> > >   Any DNS lookup on emerald goes to the local cache first, then other
> > >   local machines, then remotely.
> > >
> > > * Have lots of memory in the machine for named to use. Named is using
> > >   about 140 MB of resident memory on my machine right now. If you are
> > >   using bind 9.X (you should be) and have a multi-cpu machine, let bind
> > >   run threads on all cpus.
> > >
> > > * If you are doing DNS spam-blocking, do it in sendmail. Reject the
> > >   stuff before it gets to mailscanner or spamassassin.
> > >
> > > * Comment out some of the "Spam List" lookups in mailscanner and see if
> > >   that helps. Fewer DNS lookups, especially to a remote site that is
> > >   overloaded (like relays.ordb.org perhaps), may be a bottleneck. Likewise,
> > >   check the config for SA and try to control DNS lookups there too.
> > >
> > > * If you are running Solaris, shut off nscd!! This code is a real
> > >   DNS bottleneck for a system doing beaucoup lookups. When we first
> > >   moved our Apache web server to Sun, we were getting glacial response
> > >   times to webpage requests. I found a technote at the Apache site about
> > >   nscd problems. Turned it off, and things ran fast after that.
> > >   The same advice applies to other Solaris apps doing massive DNS,
> > >   and nscd could appear on other versions of UNIX. Let bind do the
> > >   work instead.
> > >
> > > Of course our students are gone right now. The system could blow up when
> > > they return next Fall.
> > >
> > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
> > > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
> > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
> > > ** Waterville ME, 04901-8842
> > > ----------------------------------------------------------------------------
> >
> >
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From jkf at ecs.soton.ac.uk Mon Jun 3 14:08:13 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To: <3CFABAE8.1060805@spawar.navy.mil>
Message-ID:

On Sun, 2 Jun 2002, Ron Broersma wrote:

> McAfee likes to live in /usr/local/uvscan. The McAfee "install-uvscan"
> script puts it there by default...
>
>     # Default installation location
>     default_dir="/usr/local/uvscan"
>
> If you remember to override the default and have it install in
> /usr/local/mcafee instead (where mailscanner expects it), then it works
> just fine. However, to avoid potential confusion for those installing
> it the first time or for those that already installed mcafee in its
> default location, it would be best for mailscanner to be consistent with
> the mcafee default of /usr/local/uvscan.

Does it put the DAT files in that directory as well, or in a subdirectory
of it?

> Julian Field wrote:
>
> > Is there a consensus that the mcafee wrapper and autoupdate scripts should
> > be changed to use new locations?
> > If so, what would you all like?
> >
> > I can always put some checking code in the RPM so that it spits a big
> > warning if the old directory still exists, so you get told to move your
> > copy of McAfee to the new location.
> >
> > Any suggestions welcome!
> >
> > Jules.
> >
> > At 20:47 31/05/2002, you wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On Fri 31 May 2002 12:54, you wrote:
> >> > I have not bought a new version of mcafee in a while but the one I
> >> > use installs by default into a directory named uvscan and puts the
> >> > dat files in the same folder. This has caused me problems several
> >> > times with the rpm install of mailscanner, and I always have to
> >> > remember to go fix the mcafeewrapper.
> >> >
> >> > I've thought about creating a source rpm for mailscanner that
> >> > builds a more "truly" binary set of rpm's (as opposed to the
> >> > script based rpm that builds the perl modules and etc on install
> >> > now) that just drop the files in the correct location and then
> >> > tries to dynamically generate a more proper config however, I'm not
> >> > sure if this would be of any use to anyone. Or if this would be too
> >> > specialized for one platform(and rejected on that basis)
> >> >
> >> > --robert
> >>
> >> I have the same problem. I would appreciate a copy of the modified
> >> mcafeewrapper script, if at all possible.
> >>
> >>
> >> - --
> >> Alfredo J. Cole
> >> http://www.acyc.com (Accounting Systems)
> >> http://www.clshonduras.com (Linux Hardware)
> >> PGP Key available from certserver.pgp.com
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.0.6 (GNU/Linux)
> >> Comment: For info see http://www.gnupg.org
> >>
> >> iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+
> >> fkruml4RiJePPbpw2LbmIWk=
> >> =axMV
> >> -----END PGP SIGNATURE-----
> >
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                             Southampton SO17 1BJ
>
>

Jules jkf@ecs.soton.ac.uk

From ron at SPAWAR.NAVY.MIL Mon Jun 3 14:41:30 2002
From: ron at SPAWAR.NAVY.MIL (Ron Broersma)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
References:
Message-ID: <3CFB720A.8070908@spawar.navy.mil>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3469 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020603/396e02dd/smime.bin

From alfredo at ACYC.COM Mon Jun 3 14:38:23 2002
From: alfredo at ACYC.COM (Alfredo Cole)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To:
References:
Message-ID: <200206031342.g53Dgfq01412@central.acyc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon 03 Jun 2002 07:08, you wrote:
> On Sun, 2 Jun 2002, Ron Broersma wrote:
> > McAfee likes to live in /usr/local/uvscan. The McAfee
> > "install-uvscan" script puts it there by default...
> >
> >     # Default installation location
> >     default_dir="/usr/local/uvscan"
> >
> > If you remember to override the default and have it install in
> > /usr/local/mcafee instead (where mailscanner expects it), then it
> > works just fine. However, to avoid potential confusion for those
> > installing it the first time or for those that already installed
> > mcafee in its default location, it would be best for mailscanner
> > to be consistent with the mcafee default of /usr/local/uvscan.

I also have to do the update by hand, because the autoupdate script
seems to need the dat files in a subdirectory, which is not what the
McAfee installation does. So, the default script erases the
/usr/local/uvscan directory every time.

If anybody has a modified script that solves this problem, I would
appreciate a copy.

Thank you.

- --
Alfredo J. Cole
http://www.acyc.com (Accounting Systems)
http://www.clshonduras.com (Linux Hardware)
PGP Key available from certserver.pgp.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8+3FTu5DxuPWE298RAh0+AJ4jJO0bIab81DKTUKbJ6jDCefLZTACdGd71
Gi1/VefUjf+H3qkKyf3cgnE=
=jyq8
-----END PGP SIGNATURE-----

From thom at DARKSABER.COM Mon Jun 3 16:01:43 2002
From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <5.1.0.14.2.20020601202717.0364b4d0@imap.ecs.soton.ac.uk> References: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <5.1.0.14.2.20020601202717.0364b4d0@imap.ecs.soton.ac.uk> Message-ID: <1023116503.8344.1.camel@service.darksaber.com> I wouldn't mind the mcafeewrapper having the dats in the same dir that mcafee is located in. The default location mcafee installs is /usr/local/uvscan. I have an update scripts that runs automatically to pull the dats and install them. Take a consensus though. I'm all for /usr/local/uvscan mcafeewrapper DATS=$PackageDir On Sat, 2002-06-01 at 15:29, Julian Field wrote: > Is there a consensus that the mcafee wrapper and autoupdate scripts should > be changed to use new locations? > If so, what would you all like? > > I can always put some checking code in the RPM so that it spits a big > warning if the old directory still exists, so you get told to move your > copy of McAfee to the new location. > > Any suggestions welcome! > > Jules. > > At 20:47 31/05/2002, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >El Vie 31 May 2002 12:54, escribiste: > > > I have not bought a new version of mcafee in a while but the one I > > > use installs by default into a directory named uvscan and puts the > > > dat files in the same folder. This has caused me problems several > > > times with the rpm install of mailscanner, and I always have to > > > remember to go fix the mcafeewrapper. 
> > > > > > I've thought about creating a source rpm for mailscanner that > > > builds a more "truely" binary set of rpm's (as apposed to the > > > script based rpm taht builds the perl modules and etc on install > > > now) that just drop the files in the correct location and then > > > tries to dynamically generate a more proper config however, I'm not > > > sure if this would be of any use to anyone. Or if this would be to > > > specialized for one platform(and rejected on that basis) > > > > > > --robert > > > >I have the same problem. I would appreciate a copy of the modified > >mcafeewrapper script, if at all possible. > > > > > >- -- > >Alfredo J. Cole > >http://www.acyc.com (Accounting Systems) > >http://www.clshonduras.com (Linux Hardware) > >PGP Key available from certserver.pgp.com > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.0.6 (GNU/Linux) > >Comment: For info see http://www.gnupg.org > > > >iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+ > >fkruml4RiJePPbpw2LbmIWk= > >=axMV > >-----END PGP SIGNATURE----- > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From thom at DARKSABER.COM Mon Jun 3 16:03:12 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: References: Message-ID: <1023116593.8344.3.camel@service.darksaber.com> Dats live with the packagedir. On Mon, 2002-06-03 at 09:08, Julian Field wrote: > > Does it put the DAT files in that directory as well, or in a subdirectory > of it? > > > Julian Field wrote: From ucs_rat at SHSU.EDU Mon Jun 3 15:55:49 2002 
From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <1023116503.8344.1.camel@service.darksaber.com> References: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <5.1.0.14.2.20020601202717.0364b4d0@imap.ecs.soton.ac.uk> <1023116503.8344.1.camel@service.darksaber.com> Message-ID: <1023116149.1770.0.camel@ab1-1-26.shsu.edu> that is the way my system is also. --robert On Mon, 2002-06-03 at 10:01, Thom Paine wrote: > I wouldn't mind the mcafeewrapper having the dats in the same dir that > mcafee is located in. The default location mcafee installs is > /usr/local/uvscan. I have an update scripts that runs automatically to > pull the dats and install them. > > Take a consensus though. > > I'm all for > > /usr/local/uvscan > > mcafeewrapper > > DATS=$PackageDir > > > On Sat, 2002-06-01 at 15:29, Julian Field wrote: > > Is there a consensus that the mcafee wrapper and autoupdate scripts should > > be changed to use new locations? > > If so, what would you all like? > > > > I can always put some checking code in the RPM so that it spits a big > > warning if the old directory still exists, so you get told to move your > > copy of McAfee to the new location. > > > > Any suggestions welcome! > > > > Jules. > > > > At 20:47 31/05/2002, you wrote: > > >-----BEGIN PGP SIGNED MESSAGE----- > > >Hash: SHA1 > > > > > >El Vie 31 May 2002 12:54, escribiste: > > > > I have not bought a new version of mcafee in a while but the one I > > > > use installs by default into a directory named uvscan and puts the > > > > dat files in the same folder. This has caused me problems several > > > > times with the rpm install of mailscanner, and I always have to > > > > remember to go fix the mcafeewrapper. 
> > > > > > > > I've thought about creating a source rpm for mailscanner that > > > > builds a more "truely" binary set of rpm's (as apposed to the > > > > script based rpm taht builds the perl modules and etc on install > > > > now) that just drop the files in the correct location and then > > > > tries to dynamically generate a more proper config however, I'm not > > > > sure if this would be of any use to anyone. Or if this would be to > > > > specialized for one platform(and rejected on that basis) > > > > > > > > --robert > > > > > >I have the same problem. I would appreciate a copy of the modified > > >mcafeewrapper script, if at all possible. > > > > > > > > >- -- > > >Alfredo J. Cole > > >http://www.acyc.com (Accounting Systems) > > >http://www.clshonduras.com (Linux Hardware) > > >PGP Key available from certserver.pgp.com > > >-----BEGIN PGP SIGNATURE----- > > >Version: GnuPG v1.0.6 (GNU/Linux) > > >Comment: For info see http://www.gnupg.org > > > > > >iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+ > > >fkruml4RiJePPbpw2LbmIWk= > > >=axMV > > >-----END PGP SIGNATURE----- > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ From thom at DARKSABER.COM Mon Jun 3 16:10:39 2002 
From: thom at DARKSABER.COM (Thom Paine)
Date: Thu Jan 12 21:14:54 2006
Subject: Klez.H
In-Reply-To: <200206031342.g53Dgfq01412@central.acyc.com>
References: <200206031342.g53Dgfq01412@central.acyc.com>
Message-ID: <1023117040.8344.8.camel@service.darksaber.com>

Here are my 2 update files that I use.

Put them in the directory of the user you want to run as (prollie root)
and have the cron run the sigupdate script every wednesday at 2pm EDT.
That should retrieve the most recent dat as it is put out on wednesdays
at around noon.

HTH

On Mon, 2002-06-03 at 09:38, Alfredo Cole wrote:
> I also have to do the update by hand, because the autoupdate script
> seems to need that dat files in a subdirectory, which is not what the
> mcaffee installation does. So, the default script erases the
> /usr/local/uvscan directory every time. If anybody has a modified
> script that solves this problem, I would appreciate a copy.

--
-=/>Thom
Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4
Uptime: 11:08am up 11 days, 17:31, 1 user, load average: 1.27, 1.20, 1.18
Registered Linux User 214499
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sigupdate
Type: text/x-sh
Size: 698 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020603/2bffdd87/sigupdate.bin
-------------- next part --------------
machine ftp.nai.com login anonymous password thom@darksaber.com
macdef init
cd pub/antivirus/datfiles/4.x
bin
prompt
mget dat-*.tar
close
bye

From yelsir at MAGNATECHONLINE.COM Mon Jun 3 16:34:03 2002
From: yelsir at MAGNATECHONLINE.COM (Yussef ElSirgany) Date: Thu Jan 12 21:14:54 2006 Subject: Exim users... In-Reply-To: <20020603101501.GB10500@hoiho.nz.lemon-computing.com> Message-ID: Dear Nick, Should this be time that I should SHOUT that I am using exim in sco 5.0.6 boxes along side with my trusty spam/virus eating Mailscanner. :) Yussef M. ElSirgany Magnatech Business Systems Phone: 516-931-4444 Ext.105 Fax: 516-931-1264 Email: yelsir@magnatechonline.com On Mon, 3 Jun 2002, Nick Phillips wrote: > I need to collar anyone who is using mailscanner with Exim on an 'unusual' > OS - that is to say something other than Linux, Solaris, *BSD, IRIX or AIX. > > If you are using mailscanner with Exim on a platform other than one of those > listed above, *SHOUT NOW* or an upcoming release of mailscanner will stop > working on your system. > > (I just need a little info from your manpages to make it work)... > > > Apart from this, I would appreciate a little testing from anyone able to use > anything other than Linux to run mailscanner+Exim on (I only have access to > Linux at the moment)... > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > Today is the tomorrow you worried about yesterday. > From LISTSERV at JISCMAIL.AC.UK Mon Jun 3 00:39:11 2002 
From alfredo at ACYC.COM Mon Jun 3 17:10:07 2002
From: alfredo at ACYC.COM (Alfredo Cole) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <1023117040.8344.8.camel@service.darksaber.com> References: <200206031342.g53Dgfq01412@central.acyc.com> <1023117040.8344.8.camel@service.darksaber.com> Message-ID: <200206031614.g53GENG02205@central.acyc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thank you! I'll give them a try. El Lun 03 Jun 2002 09:10, escribiste: > Here are my 2 update files that I use. > > Put them in the directory of the user you want to run as (prollie > root) and have the cron run the sigupdate script every wednesday at > 2pm EDT. That should retrieve the most recent dat as it is put out > on wednesdays at around noon. > > HTH - -- Alfredo J. Cole http://www.acyc.com (Accounting Systems) http://www.clshonduras.com (Linux Hardware) PGP Key available from certserver.pgp.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8+5Tgu5DxuPWE298RAjA1AKCAelrLwcl81jlBNWNcZTaAoRFHywCdHwZb 1i4WKAbjccYIqaqd+r0tmZk= =6k/G -----END PGP SIGNATURE----- From jozef.novikmec at LYNX.SK Mon Jun 3 17:17:19 2002 
From: jozef.novikmec at LYNX.SK (Jozef Novikmec)
Date: Thu Jan 12 21:14:54 2006
Subject: Nod32 and compressed attachments scanning
Message-ID: <1023121039.6177.8.camel@matrix>

Hello,

I tried to use Nod32 as virus scanner engine for running with
Mailscanner. I had to change some source code lines (if somebody works
on nod32 support I can send to him), and it seems to work but there is
problem with compressed attachments scanning. Normal (non compressed)
attachments are processed OK.

When I send mail message, on terminal from which I run mailscanner I got
this message,

matrix:/usr/local/mailscanner# /bin/cat: /var/spool/mailscanner/var/incoming/.header: No such file or directory
/bin/cat: /var/spool/mqueue.in/df: No such file or directory

and mail is delivered with virus, even when virus scanner supports
scanning of compressed files (archives) and I add appropriate option to
the sweep.pl.

Can somebody help me?

Thanks.

--
--------------------------------------------------------------
Ing. Jozef Novikmec
Linux system administrator
LYNX, spol. s r. o.
Masarykova 10
040 01, Kosice
Tel.: +421 55 633 55 11
Fax: +421 55 633 55 20
E-mail: jozef.novikmec@lynx.sk
http: http://www.lynx.sk
---------------------------------------------------------------

From fizz at BOMB.NET Mon Jun 3 18:52:47 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:54 2006
Subject: Can this be explained? :)
Message-ID: <000801c20b27$78dc9fb0$48cf75cc@fizz>

why would the following come through as whitelisted? I have one accept
spam entry in mailscanner.conf and I know this isn't in
spam.whitelist.conf :)

3.17-1 ms version

Return-Path:
Delivered-To: fizz@bomb.net
Received: (qmail 3169 invoked by uid 1009); 3 Jun 2002 18:01:49 -0000
Received: from unknown (HELO sairys.mydomain.com) (204.117.207.15)
  by webmail.bomb.net with SMTP; 3 Jun 2002 18:01:49 -0000
Received: from pegasus.mydomain.com (pegasus.mydomain.com [204.x.x.7])
  by sairys.mydomain.com (8.12.3/8.12.3) with ESMTP id g53Hkak8032159
  for ; Mon, 3 Jun 2002 13:46:36 -0400
Resent-To: fizz@BOMB.NET, debbieh@mydomain.com, walterp@mydomain.com
Resent-From: BILLING@mydomain.com
Resent-Message-Id:
Resent-Date: Mon, 3 Jun 2002 13:26:59 -0400
Received: from sairys.mydomain.com (unverified [204.x.x.15])
  by pegasus.mydomain.com (Vircom SMTPRS 5.1.202) with ESMTP id
  for ; Mon, 3 Jun 2002 13:26:59 -0400
Received: from pmail02.impulsive.com (pmail02.impulsive.com [63.111.24.232])
  by sairys.cyberstreet.com (8.12.3/8.12.3) with ESMTP id g53Hffk8031622
  for ; Mon, 3 Jun 2002 13:41:46 -0400
Received: from localhost (localhost [127.0.0.1])
  by pmail02.impulsive.com (Postfix) with SMTP id 8D9C3389F3
  for ; Mon, 3 Jun 2002 13:33:05 -0400 (EDT)
To: BILLING@mydomain
From: "Anna Reese"
X-Mailer: Perl+Mail::Sender 0.7.10 by Jan Krynicky
MIME-Version: 1.0
Content-type: text/html
Content-Transfer-Encoding: 7bit
Reply-To: staff@absolutefreesmut.com
Errors-To: bounce-afs@tigger.absolutefreesmut.com
Subject: More P*ssy Than You Can Shake A D*ck At!!! Get Instant Access!!!
Message-Id: <20020603173305.8D9C3389F3@pmail02.impulsive.com>
Date: Mon, 3 Jun 2002 13:33:05 -0400 (EDT)
X-MailScanner: Found to be clean, Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin ()
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin ()

           //////
          ( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| kellyh@cyberstreet.com
| http://www.bomb.net
|    .oooO
|    (   )   Oooo.
+---  \ (----(   )----------------------------+
       \_)    ) /
             (_/

From sevans at FOUNDATION.SDSU.EDU Mon Jun 3 19:54:14 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:14:54 2006
Subject: iPlanet Support
Message-ID: <6214C3F9233D764C9E7029396C355015115A50@mail.foundation.sdsu.edu>

Any plans to support the iPlanet Messaging Server spooler? Right now
we're using MailScanner on a Sendmail front end but it would be great if
we could use it on the iPlanet box itself and scan mail between users.

Steve Evans
Computing Services
SDSU Foundation
619 594-0653

From davidclosson at MSN.COM Mon Jun 3 20:54:54 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:14:54 2006
Subject: mailscanner problems on BSD/OS w/PERL version 5.004_02
Message-ID:

OS: BSD/OS BSDI v4.01
PERL: 5.004_02
All PERL modules installed

This is the error output after firing
"/opt/mailscanner/bin/check_mailscanner"

Can't declare undef operator in my at /usr/libdata/perl5/site_perl/IO/InnerFile.pm line 193, near ") ="
BEGIN failed--compilation aborted at /usr/libdata/perl5/site_perl/MIME/Parser.pm line 139.
BEGIN failed--compilation aborted at /opt/mailscanner/bin/explode.pl line 36.

_________
Sincerely,
David Closson
209-728-8199

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail.
http://www.hotmail.com

From pdr at EVANSTON.FLUENT.COM Mon Jun 3 22:48:37 2002
From: pdr at EVANSTON.FLUENT.COM (Paul Rossman)
Date: Thu Jan 12 21:14:54 2006
Subject: not logging ">>> Virus", only "Found 1 viruses"
Message-ID: <3CFBE435.7080307@evanston.fluent.com>

Hi everyone,

I'm going crazy trying to figure out why I'm not getting log reports for
detected viruses....

To be more specific, I am getting these:

Jun 3 16:38:18 glacier mailscanner[17266]: Found 1 viruses in messages g53Lbt217631

but not these types:

May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus 'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe

I've looked everywhere for the keywords "found in" and ">>>" but to no
relevant success. Looked at the src, in the howto/faq, in my mail
archives since Jan 2002, and in the online mailing list archives.

I'm using Mcafee:

Virus Scan for Linux v4.16.0
Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 13 2001
Scan engine v4.1.60 for Linux.
Virus data file v4205 created May 29 2002
Scanning for 60684 viruses, trojans and variants.

Is that type of specific virus report to syslog a result of the virus
scanner (something other than mcafee?). I've included my syslog info
below just in case.

Any help would be much appreciated.

Thanks!
-paul

-------
syslog.conf file on mailserver contains:

##
## Everything to loghost
##
*.* @loghost

-------
syslog.conf file on loghost server contains the following line for mail:

mail.warning;mail.emerg;mail.alert;mail.crit;mail.info;mail.err;mail.notice;mail.debug;mail.* /var/log/maillog

-------

From davidclosson at MSN.COM Tue Jun 4 01:12:06 2002
From: davidclosson at MSN.COM (David Closson)
Date: Thu Jan 12 21:14:54 2006
Subject: Spamassassin w/mailscanner & whitelist_to feature
Message-ID:

RE: Spamassassin w/mailscanner & whitelist_to feature

I have tried to white list a few users that do not want spam filtered
and have tried both the spamassassin user pref config file and the
mailscanner config file with no luck...still processes those user
whitelisted users.

_________
Sincerely,
David Closson
209-728-8199

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

From mike at CAMAROSS.NET Tue Jun 4 03:18:02 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:14:54 2006
Subject: MIME::Tools Perl module and virus scanners
References: <3CFBE435.7080307@evanston.fluent.com>
Message-ID: <009101c20b6e$12c1e400$6c01a8c0@home.wideopenthrottle.org>

Anyone see this one Bugtraq? Does this apply to Mailscanner?

Background
----------

MIME::Tools is a very nice Perl module for parsing and constructing
MIME-encoded mail messages. The latest stable version is 5.411a.

MIME::Tools works very well on valid MIME messages. However, there are a
number of problems if you use it to implement server-based mail scanning.

Problems
--------

Problem 1: RFC 2231 encoding not supported.

http://www.ietf.org/rfc/rfc2231.txt specifies (yet another) way to
encode filenames in MIME messages. MIME::Tools will not correctly
recognize this attachment as "foo.exe":

    Content-Disposition: attachment; filename*1="foo."; filename*2="exe"

Problem 2: Rejection of "obvious" interpretation of malformed MIME.

The following MIME header is valid:

    Content-Type: application/octet-stream; name="bad boy.exe"

But this header is not:

    Content-Type: application/octet-stream; name=bad boy.exe

MIME::Tools interprets the name field as "bad" in this case, and throws
away the " boy.exe" part. Unfortunately, most Windoze mail clients make
the "obvious" interpretation and recognize the name as "bad boy.exe"

Problem 3: Incorrect concatenation of encoded MIME words.

MIME::Tools does not remove the space from this example:

    (=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=)

to yield (ab); instead, it yields "(a b)"

Some MUA's use encoded MIME words in the Content-Type or
Content-Disposition fields. Although this is specifically disallowed by
RFC 2047, again, some Windoze mail clients may make the "obvious"
interpretation and decode the words.

Summary
-------

Problems 1 and 3 are real deficiencies in MIME::Tools. Problem 2 is not
a deficiency in MIME::Tools itself, but that's cold comfort if a virus
slips through your server-based scanner.

Patch
-----

A patch which corrects problems 1-3 and does not break any MIME::Tools
regression tests is at
http://www.roaringpenguin.com/mimedefang/mime-tools-patch.txt

Caveat
------

I make no guarantee that the above patch will catch all forms of
malformed MIME which could be interpreted differently by an MUA. In
fact, I'm willing to bet there are lots of ways to evade server-based
scanners using MIME::Tools or practically any other MIME scanner.

Users of MIMEDefang
-------------------

If you use MIMEDefang (which uses MIME::Tools), you may want to
unconditionally call action_rebuild in filter_begin(). This forces the
MIME message to be rebuilt by MIME::Tools, resulting in a valid MIME
message. This should guarantee that the MUA interprets the message
exactly as MIME::Tools did, but it may introduce unacceptable processing
overhead.

Vendor Status
-------------

eryq@zeegee.com contacted 30 May; no response yet.

--
David F. Skoll

From nwp at LEMON-COMPUTING.COM Tue Jun 4 04:03:12 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:54 2006
Subject: MIME::Tools Perl module and virus scanners
In-Reply-To: <009101c20b6e$12c1e400$6c01a8c0@home.wideopenthrottle.org>
References: <3CFBE435.7080307@evanston.fluent.com> <009101c20b6e$12c1e400$6c01a8c0@home.wideopenthrottle.org>
Message-ID: <20020604030311.GF18801@hoiho.nz.lemon-computing.com>

On Mon, Jun 03, 2002 at 09:18:02PM -0500, Mike Kercher wrote:
> Anyone see this one Bugtraq? Does this apply to Mailscanner?

We've had a bit of a discussion about this before; essentially there is
no way to be sure that you are decoding everything that *any* MUA will
decode in a similar way to that in which they will decode them.

You basically have a few options:

1) Reject anything that appears to have attachments of any kind;

2) Decode and scan as much as you are able to and accept that some MUAs
   may decode things that you do not - try to fix your system to catch
   these when you find them;

3) Reject anything that appears to violate the standards for MIME in any
   way whatsoever, aggressively reporting bugs against agents that
   create it.

Currently we do 2). ISTR it is, or would be, fairly simple to do
something more like 3), although this would likely annoy a whole lot of
people. Some people like to do 1). I'm not sure how easy it is to do
that with mailscanner at the moment.

Has anyone out there tried the patched MIME tools?

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Let me put it this way: today is going to be a learning experience.

From nwp at LEMON-COMPUTING.COM Tue Jun 4 06:40:53 2002
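[Added example, not part of the original thread and not MailScanner or MIME::Tools code.] The three parsing differences in the advisory above, and option 2 in the reply to it, come down to a gateway and a mail client deriving different filenames from one header. The Python below computes every reading (strict RFC 2045, the lenient reading, RFC 2231 reassembly, RFC 2047 decoding) and applies the extension policy to all of them; the function names and the extension list are assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# Constructed block list for the example; a real gateway applies its own policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")

_WORD = r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?="
_ENCODED_WORD = re.compile(_WORD)
# Whitespace separating two encoded words is not part of the text (RFC 2047, 6.2).
_GAP = re.compile(r"(\?=)\s+(?=" + _WORD + ")")


def decode_encoded_words(text):
    """Decode RFC 2047 encoded words, joining adjacent ones (Problem 3)."""
    def _decode(match):
        charset, encoding, payload = match.groups()
        try:
            data = payload.encode("ascii")
            if encoding.lower() == "b":
                raw = base64.b64decode(data)
            else:
                raw = binascii.a2b_qp(data, header=True)
            return raw.decode(charset, "replace")
        except (LookupError, ValueError):
            return match.group(0)  # undecodable: keep the literal text
    return _ENCODED_WORD.sub(_decode, _GAP.sub(r"\1", text))


def strict_param(header, name):
    """RFC 2045 reading: a quoted-string, or a token that ends at the first space."""
    m = re.search(r';\s*%s\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;"]+))' % re.escape(name),
                  header, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def lenient_param(header, name):
    """The "obvious" reading of Problem 2: the value runs to the next ';'."""
    m = re.search(r";\s*%s\s*=\s*([^;]*)" % re.escape(name), header, re.I)
    return m.group(1).strip().strip('"') if m else None


def rfc2231_param(header, name):
    """Reassemble name*N= / name*N*= / name*= segments (Problem 1)."""
    pattern = r';\s*%s\*(\d+)?(\*)?\s*=\s*(?:"([^"]*)"|([^\s;]+))' % re.escape(name)
    segments = []
    for m in re.finditer(pattern, header, re.I):
        index = int(m.group(1)) if m.group(1) else 0
        extended = m.group(1) is None or m.group(2) is not None
        value = m.group(3) if m.group(3) is not None else m.group(4)
        segments.append((index, extended, value))
    if not segments:
        return None
    charset, pieces = "utf-8", []
    for _index, extended, value in sorted(segments):
        if extended:
            if value.count("'") >= 2:  # charset'language'percent-encoded
                charset, _lang, value = value.split("'", 2)
            try:
                value = unquote_to_bytes(value).decode(charset or "utf-8", "replace")
            except LookupError:
                value = unquote_to_bytes(value).decode("latin-1")
        pieces.append(value)
    return "".join(pieces)


def candidate_filenames(header):
    """Every filename some parser or mail client could derive from one header."""
    names = set()
    for param in ("name", "filename"):
        for reader in (strict_param, lenient_param, rfc2231_param):
            value = reader(header, param)
            if value:
                names.update((value, decode_encoded_words(value)))
    return names


def blocked_filenames(header):
    """Names that end in a blocked extension under any reading, sorted."""
    return sorted(n for n in candidate_filenames(header)
                  if n.lower().endswith(BLOCKED_EXTENSIONS))


# The first three headers are the ones quoted in the advisory; the last is constructed.
SAMPLES = [
    'Content-Disposition: attachment; filename*1="foo."; filename*2="exe"',
    'Content-Type: application/octet-stream; name="bad boy.exe"',
    'Content-Type: application/octet-stream; name=bad boy.exe',
    'Content-Disposition: attachment; filename="=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b.exe?="',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        print("  readings:", sorted(candidate_filenames(header)))
        print("  blocked: ", blocked_filenames(header))
```

A header whose readings disagree (more than one candidate) is also worth logging on its own, since that is the condition in which the scanner and the client can see different attachments.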
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:54 2006
Subject: Exim users...
In-Reply-To:
References: <20020603101501.GB10500@hoiho.nz.lemon-computing.com>
Message-ID: <20020604054053.GG18801@hoiho.nz.lemon-computing.com>

On Mon, Jun 03, 2002 at 11:34:03AM -0400, Yussef ElSirgany wrote:
> Should this be time that I should SHOUT that I am using exim in sco 5.0.6
> boxes along side with my trusty spam/virus eating Mailscanner. :)

Yup. I'll need to gather a little information from you, if you don't
mind. There are a few things I need to know:

1) Usage of the 'ps' command; is it POSIX? i.e. what is the output of
   'ps -ef'? Does it truncate the output lines if the process name +
   args are too long to fit on the terminal? Does it use the COLUMNS
   environment variable to allow you to specify the desired output
   width? If you could send me example output of 'ps -ef' whilst a
   process with a long command line (such as mailscanner) is running,
   both with and without setting 'COLUMNS' to something large
   beforehand, that would be great. Alternatively, your system's man
   page for ps would do fine.

2) output of 'uname' and 'uname -a'

3) output of `perl -e 'print $^O . "\n";'`

4) the definition(s) of "struct flock" on your system. This can usually
   be found in the 'fcntl' man page in section 2 of the manpages (either
   that or the location in which you can find it should be mentioned
   there). It can also be found in your system's /usr/include directory
   somewhere (often more than once) - grep for "struct flock" in that
   directory and you should be able to find it.

5) does your 'grep' have a POSIX-compliant "-F" option (which makes it
   treat the arguments as fixed strings a la 'fgrep')?

I think that'll do for now. I'll add support for SCO using the answers
to those questions, and then ask you to test it, most likely.

Thanks,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
You're definitely on their list. The question to ask next is what list it is.
From P.G.M.Peters at civ.utwente.nl Tue Jun 4 10:43:37 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:54 2006 Subject: domain based RBLs Message-ID: I have been looking at name based RBLs like RFC-ignorant. With the current MailScanner only IP-based zones are supported (through "Spam List"). I have been hacking away in config.pl and sendmail.pl to try to get the other RBLs at rfc-ignorant.org to work. I have introduced a new config "Spam Domain List" with the same format as "Spam List". At this moment it seems to work on my test-system. In mailscanner.conf: Spam Domain List = RFC-IGNORANT-DSN, dsn.rfc-ignorant.org. Spam Domain List = RFC-IGNORANT-POSTMASTER, postmaster.rfc-ignorant.org. Spam Domain List = RFC-IGNORANT-ABUSE, abuse.rfc-ignorant.org. Spam Domain List = RFC-IGNORANT-WHOIS, whois.rfc-ignorant.org. My diffs: diff -u sendmail.pl sendmail.pl-new --- sendmail.pl Wed May 29 13:59:12 2002 +++ sendmail.pl-new Tue Jun 4 11:31:12 2002 @@ -233,6 +233,17 @@ if ($RBLEntry =~ /^127\.[01]\.0\.[1234567]$/); } } + + # Check domain based RBLs + for ($i=0; $i<@Config::SpamDNames; $i++) { + # Look up $fromdomain in each of the @Config::SpamDDomains we have + $RBLEntry = gethostbyname("$fromdomain." . $Config::SpamDDomains[$i]); + if ($RBLEntry) { + $RBLEntry = Socket::inet_ntoa($RBLEntry); + push @RBLs, $Config::SpamDNames[$i] + if ($RBLEntry =~ /^127\.[01]\.0\.[1234567]$/); + } + } if (@RBLs) { $SpamHeader = join(', ', @RBLs); $IsSpam->{$mID} = 1; diff -u config.pl config.pl-new --- config.pl Wed May 29 13:59:12 2002 +++ config.pl-new Tue Jun 4 11:29:24 2002 
@@ -267,6 +267,15 @@ push @Config::SpamNames, $spamn; push @Config::SpamDomains, $spamd; } + # Build up the list of spam RBL lists based on domain names (e.g. + # "RFC-IGNORANT-DSN, dsn.rfc-ignorant.org.") out of multiple + # "spamdomainlist" configuration lines + if ($key =~ /^spamdomainlist/i) { + my($spamn, $spamd); + ($spamn, $spamd) = split(/[, ]+/, $value); + push @Config::SpamDNames, $spamn; + push @Config::SpamDDomains, $spamd; + } } close CONF; -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From dpowell at LSSI.NET Tue Jun 4 14:24:22 2002 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:14:55 2006 Subject: Error in autoupdate Message-ID: <1023197063.16386.22.camel@powell> Has anyone experienced this error before? Lynx failed with error return 1 , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 77. [root@www:/root]# Any help would be greatly appreciated Thanks -- Darrin Powell System Administrator LSSi, Corp. (919) 466-6803 From gerry at dorfam.ca Tue Jun 4 15:04:08 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:55 2006 Subject: Error in autoupdate In-Reply-To: <1023197063.16386.22.camel@powell> References: <1023197063.16386.22.camel@powell> Message-ID: <27544.129.80.22.134.1023199448.squirrel@tiger.dorfam.ca> Your version of Sophos is out of date. Gerry > Has anyone experienced this error before? > > Lynx failed with error return 1 > , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 77. > [root@www:/root]# > > Any help would be greatly appreciated > > > > > Thanks > -- > Darrin Powell > System Administrator > LSSi, Corp. > (919) 466-6803 -- "The lyfe so short, the craft so long to learne" Chaucer From wkuiters at FREE.FR Tue Jun 4 15:26:10 2002 
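Review bot: In the new domain loop added to sendmail.pl in Peter Peters' patch above, $fromdomain is concatenated straight into gethostbyname("$fromdomain." . $Config::SpamDDomains[$i]) with no check that it is non-empty or a syntactically valid hostname. Nothing in the hunk shows where $fromdomain is set, so if it can be empty the lookup degenerates to the bare zone name with a leading dot, and since the value comes from the sender it should be validated (letters, digits, dots and hyphens, at least one dot) before it is put into a DNS query; skip the loop otherwise. Each configured list also adds one blocking gethostbyname call per message, so a slow zone delays the whole batch, which deserves a comment or a timeout. The result test /^127\.[01]\.0\.[1234567]$/ is copied from the IP-based loop; a comment stating that the rfc-ignorant zones answer in that range would help.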
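Review bot: In the spamdomainlist branch added to config.pl in the same patch, the two fields from split(/[, ]+/, $value) are pushed without checking that both exist. A "Spam Domain List" line that gives only a name pushes undef onto @Config::SpamDDomains, and the sendmail.pl loop would then look up "$fromdomain." on its own, so a sender domain that itself resolves into the 127.0.0.1-7 range would be tagged as listed. Suggest skipping the line with a warning unless both $spamn and $spamd are defined and non-empty. The match /^spamdomainlist/i is also open at the end, so any later key that starts with the same letters would land in this branch; anchoring it with $ avoids that. The new option is not documented anywhere in the diff.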
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" Message-ID: <20020604142610.GA2267@bragann> Hello, Since a few days "^M" gets attached at the end of the header lines of the mail I receive on this machine. They don't seem to cause any harm but I still want to know what they mean. I suspect they have something to do with the interpretation of signs indicating the end of a line or a carriage return. Is that right? I use Linux (Debian) with the latest version of Mailscanner packaged for Woody. Can this have something to do with Mailscanner or should I look completely elsewhere? Willem -- ** "Getting out of bed in the morning is an act of ** ** false confidence" -- J. Feiffer ** ** htag 0.0.19 ** From sysadmin at DMS.UMONTREAL.CA Tue Jun 4 15:43:36 2002 
From: sysadmin at DMS.UMONTREAL.CA (Administrateur Systeme) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020604142610.GA2267@bragann> References: <20020604142610.GA2267@bragann> Message-ID: <20020604104336.B18368@leonard.DMS.UMontreal.CA> On Tue, Jun 04, 2002 at 04:26:10PM +0200, Willem Kuiters wrote: > Hello, > > Since a few days "^M" gets attached at the end of the header lines of the > mail I receive on this machine. They don't seem to cause any harm but I > still want to know what they mean. I suspect they have something to do > with the interpretation of signs indicating the end of a line or a > carriage return. Is that right? I use Linux (Debian) with the latest > version of Mailscanner packaged for Woody. > > Can this have something to do with Mailscanner or should I look completely > elsewhere? > > Willem If you just upgraded, this is probably because the text files in mailscanner/etc were written on a Windows machine. Try running dos2unix on them; that should get rid of the symbol. Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From nwp at LEMON-COMPUTING.COM Tue Jun 4 15:47:29 2002 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020604142610.GA2267@bragann> References: <20020604142610.GA2267@bragann> Message-ID: <20020604144729.GN18801@hoiho.nz.lemon-computing.com> On Tue, Jun 04, 2002 at 04:26:10PM +0200, Willem Kuiters wrote: > Hello, > > Since a few days "^M" gets attached at the end of the header lines of the > mail I receive on this machine. So, what changed "a few days" ago? -- Nick Phillips -- nwp@lemon-computing.com You will be Told about it Tomorrow. Go Home and Prepare Thyself. From jkf at ecs.soton.ac.uk Tue Jun 4 16:53:15 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: mailscanner problems on BSD/OS w/PERL version 5.004_02 In-Reply-To: Message-ID: On Mon, 3 Jun 2002, David Closson wrote: > OS: BSD/OS BSDI v4.01 > PERL: 5.004_02 > All PERL modules installed I have seen problems before with Perl 5.004. I strongly suggest upgrading to 5.005. > > This is the error output after firing > "/opt/mailscanner/bin/check_mailscanner" > > > Can't declare undef operator in my at > /usr/libdata/perl5/site_perl/IO/InnerFile.pm line 193, near ") =" > BEGIN failed--compilation aborted at > /usr/libdata/perl5/site_perl/MIME/Parser.pm line 139. > BEGIN failed--compilation aborted at /opt/mailscanner/bin/explode.pl line > 36. > > > _________ > Sincerely, > David Closson > 209-728-8199 > > > _________________________________________________________________ > Join the world's largest e-mail service with MSN Hotmail. > http://www.hotmail.com > Jules jkf@ecs.soton.ac.uk From kylist at SHCORP.COM Tue Jun 4 16:56:58 2002 
From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:14:55 2006 Subject: scanner not picking up messages from mqueue.in Message-ID: <48770.10.10.1.95.1023206218.squirrel@webmail.shcorp.com> Hello list I have a successful instance of mailscanner running on one of my machines. Now I've set up another machine for spam scanning only, but mailscanner doesn't pick up messages that get dropped into /var/spool/mqueue.in. I've looked through my mailscanner.conf file several times, but everything looks OK to me. I've attached my config at the end of this message. I've verified that mailscanner is running. I also see the queue files in /var/spool/mqueue.in. What could be the problem? Thanks -- Kurt Yoder Sport & Health network administrator -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner.conf Type: application/octet-stream Size: 3537 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020604/5056b960/mailscanner.obj From davidclosson at MSN.COM Tue Jun 4 16:58:29 2002 From: davidclosson at MSN.COM (David Closson) Date: Thu Jan 12 21:14:55 2006 Subject: mailscanner problems on BSD/OS w/PERL version 5.004_02 Message-ID: OK, thank you kindly. 
>From: Julian Field >Reply-To: MailScanner mailing list >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: mailscanner problems on BSD/OS w/PERL version 5.004_02 >Date: Tue, 4 Jun 2002 16:53:15 +0100 > >On Mon, 3 Jun 2002, David Closson wrote: > > OS: BSD/OS BSDI v4.01 > > PERL: 5.004_02 > > All PERL modules installed > >I have seen problems before 
with Perl 5.004. I strongly suggest upgrading >to 5.005. > > > > > This is the error output after firing > > "/opt/mailscanner/bin/check_mailscanner" > > > > > > Can't declare undef operator in my at > > /usr/libdata/perl5/site_perl/IO/InnerFile.pm line 193, near ") =" > > BEGIN failed--compilation aborted at > > /usr/libdata/perl5/site_perl/MIME/Parser.pm line 139. > > BEGIN failed--compilation aborted at /opt/mailscanner/bin/explode.pl >line > > 36. > > > > > > _________ > > Sincerely, > > David Closson > > 209-728-8199 > > > > > > _________________________________________________________________ > > Join the world's largest e-mail service with MSN Hotmail. > > http://www.hotmail.com > > > >Jules >jkf@ecs.soton.ac.uk _________ Sincerely, David Closson 209-728-8199 _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com From thom at DARKSABER.COM Tue Jun 4 17:15:22 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:55 2006 Subject: Attempt to hide real filename extention Message-ID: <1023207323.12981.28.camel@service.darksaber.com> I got an error on one site running mailscanner. Report: Attempt to hide real filename extension in Body_Rtf.rtf.ent What does this mean exactly? I checked the filename rules file, and couldn't see an entry about .ent. Could someone shed some light on this? Thanks. -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 10:20am up 12 days, 16:43, 2 users, load average: 1.32, 1.33, 1.26 Registered Linux User 214499 From tal at MUSICGENOME.COM Tue Jun 4 17:20:58 2002 
From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:55 2006 Subject: Attempt to hide real filename extention In-Reply-To: <1023207323.12981.28.camel@service.darksaber.com> References: <1023207323.12981.28.camel@service.darksaber.com> Message-ID: <1023207658.3261.24.camel@johnny> On Tue, 2002-06-04 at 19:15, Thom Paine wrote: > Report: Attempt to hide real filename extension in Body_Rtf.rtf.ent > > What does this mean exactly? I checked the filename rules file, and > couldn't see an entry about .ent. There's a rule that checks for double extensions, it's this one deny \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$ -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020604/91a83351/attachment.bin From FCaen at CI.LAKEWOOD.WA.US Tue Jun 4 17:20:21 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:55 2006 Subject: Attempt to hide real filename extention Message-ID: It's because there are 2 extensions: filename.extension1.extension2 Some viruses had attachments such as: zippedfiles.zip.exe to trick not-so-savvy users. Hence the rule, which you can kill if you need to. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: thom@DARKSABER.COM I got an error on one site running mailscanner. Report: Attempt to hide real filename extension in Body_Rtf.rtf.ent What does this mean exactly? I checked the filename rules file, and couldn't see an entry about .ent. From mike at CAMAROSS.NET Tue Jun 4 17:27:53 2002 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:14:55 2006 Subject: Attempt to hide real filename extention References: <1023207323.12981.28.camel@service.darksaber.com> Message-ID: <011501c20be4$ca38e310$6c01a8c0@home.wideopenthrottle.org> I think it was referring to the .rtf.ent extensions. Lots of times, junk would come with an extension like .doc.scr and Windoze machines would not show the .scr extension...and the .scr script attachment was malicious. ----- Original Message ----- From: "Thom Paine" To: Sent: Tuesday, June 04, 2002 11:15 AM Subject: Attempt to hide real filename extention > I got an error on one site running mailscanner. > > Report: Attempt to hide real filename extension in Body_Rtf.rtf.ent > > What does this mean exactly? I checked the filename rules file, and > couldn't see an entry about .ent. > > Could someone shed some light on this? > > Thanks. > -- > -=/>Thom > Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > Uptime: 10:20am up 12 days, 16:43, 2 users, load average: 1.32, > 1.33, 1.26 > Registered Linux User 214499 > From thom at DARKSABER.COM Tue Jun 4 17:34:00 2002 
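The double-extension rule quoted in Tal Kelrich's reply, run over a few attachment names, as an added example that is not part of the thread or of MailScanner's code. It assumes rules are tried in order with the first match deciding and that matching ignores case; the sample names and the two `.ent` exceptions are constructed for illustration.

```python
import re

# The deny rule as quoted in the thread.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$"

# Rule sets are (action, pattern) pairs tried top to bottom; the first match
# decides. That ordering and the case-insensitive match are assumptions.
STOCK = [("deny", DOUBLE_EXT)]
# Hypothetical exceptions a site might place ahead of the deny rule:
NARROW_ENT = [("allow", r"\.rtf\.ent$")] + STOCK   # only *.rtf.ent
BROAD_ENT = [("allow", r"\.ent$")] + STOCK         # anything ending in .ent

# Constructed sample attachment names.
SAMPLES = [
    "Body_Rtf.rtf.ent",      # the name from the report in the thread
    "zippedfiles.zip.exe",   # example given in the thread
    "letter.doc.scr",        # the .doc.scr case mentioned in the thread
    "minutes.txt",           # single extension
    "backup.tar.gz",         # last extension has two characters
    "budget.2002.xls",       # inner part starts with a digit
    "setup.exe.ent",         # shows the cost of a broad exception
]


def verdict(filename, rules):
    """Return 'allow' or 'deny' for filename under an ordered rule list."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action
    return "allow"  # nothing matched: the file passes


def matched_extensions(filename):
    """Return the (inner, outer) extensions the deny rule keys on, or None."""
    grouped = r"\.([a-z][a-z0-9]{2,3})\.([a-z0-9]{3})$"
    m = re.search(grouped, filename, re.IGNORECASE)
    return m.groups() if m else None


def audit(rules):
    """Map every sample name to its verdict under the given rule list."""
    return {name: verdict(name, rules) for name in SAMPLES}


if __name__ == "__main__":
    for label, rules in (("stock", STOCK), ("narrow", NARROW_ENT),
                         ("broad", BROAD_ENT)):
        print(label)
        for name, result in audit(rules).items():
            print(f"  {result:5}  {name}  {matched_extensions(name)}")
```

The narrow exception releases only the reported name pattern, while the broad one also passes `setup.exe.ent`, which the stock rule would have stopped.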
From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:55 2006 Subject: Attempt to hide real filename extention In-Reply-To: References: Message-ID: <1023208440.10014.31.camel@service.darksaber.com> Could I create a rule to allow .ent files? I figured out why the double extension. The .ent is an ENTRUST file that is encrypted. I'm not sure if I need to add .ent or rem out the rule blocking double extensions. Thanks, On Tue, 2002-06-04 at 12:20, Francois Caen wrote: > It's because there are 2 extensions: > filename.extension1.extension2 > > Some viruses had attachments such as: > zippedfiles.zip.exe > to trick not-so-savvy users. > > Hence the rule, which you can kill if you need to. -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 10:20am up 12 days, 16:43, 2 users, load average: 1.32, 1.33, 1.26 Registered Linux User 214499 From paul at CWIE.NET Tue Jun 4 18:13:10 2002 From: paul at CWIE.NET (Paul Fries) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd In-Reply-To: <1023207323.12981.28.camel@service.darksaber.com> Message-ID: <002101c20beb$1ac98630$d900000a@paul01> Mailscanner bros, I know that this has been mentioned on this list before, but here it is again. :) I went through the archives but wasn't able to locate where anyone had already posted an answer to this. Has anyone patched mailscanner to use spamassassin through the spamd/spamc pair instead of the perl API? I do not use procmail so "pre-scanning" the message before handing it off to mailscanner is not an option for me unfortunately. It looks like the patch needs to occur in sendmail.pl. However, before I spend a lot of time on it, I just wanted to see if anyone else has already been through this. :) Thanks! Regards, Paul Fries paul@cwie.net CWIE LLC From FCaen at CI.LAKEWOOD.WA.US Tue Jun 4 18:33:03 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd Message-ID: -----Original Message----- 
From: paul@CWIE.NET > Has anyone patched mailscanner to use spamassassin through the > spamd/spamc pair instead of the perl API? What would be the benefit of that? Aren't those 2 programs based on the same SpamAssassin Perl API anyway? Is there some sort of gain from compiling or something similar? ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From pdr at EVANSTON.FLUENT.COM Tue Jun 4 18:40:49 2002 From: pdr at EVANSTON.FLUENT.COM (Paul Rossman) Date: Thu Jan 12 21:14:55 2006 Subject: MailScanner and SA separate deliver/delete or the SA SQL option Message-ID: <3CFCFBA1.9010204@evanston.fluent.com> Hi, I'd like to be able to set a spam action based on the results of both the internal RBL result and the SpamAssassin result. The reason for this is that I trust the internal RBL check 100%, but I don't trust the SpamAssassin result 100%. Could an option be added to separate both of those based on email or domain in the spam action file? -OR- The other option I was thinking of was to use the SQL support built in to SA, but in their docs, it mentions that this only works when calling the SA daemon. I'd rather not separate MailScanner and SA into two processes. Using the SQL option, our users could set their spam threshold to 100, which will cause SA to never mark their mail as spam from SA and still be able to get RBL based deletion, plus other combinations of deliver / delete. Has anyone tried the SQL option in SA with MailScanner? Thanks, paul From paul at CWIE.NET Tue Jun 4 18:50:26 2002 
From: paul at CWIE.NET (Paul Fries) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd In-Reply-To: Message-ID: <002b01c20bf0$4f52d3c0$d900000a@paul01> Yes. Spamd/spamc provides a huge speed improvement. I maintain 4 very busy mail servers. 2 of them use sendmail/mailscanner/spamassassin and the other 2 use qmail/qmail-scanner/spamassassin. The systems that use qmail-scanner use the daemonized (spamd/spamc) version of spamassassin, and they routinely process a message in about .4 to .8 seconds. On my mailscanner systems, this usually goes way above that. If I tail my maillog, I regularly see the "Spamassassin timed out..." message (my timeout is 10 seconds!) I have even installed a DNS caching server on the sendmail boxes to see if DNS was where the bottleneck was (even though I am not doing any RBL checks with spamassassin OR mailscanner). No dice. Spamassassin still takes waaay too long to process through the perl API. Once I tell mailscanner not to check for spam the mail moves along just fine. My >250000 messages in mqueue.in was processed fairly quickly at that point. I really think that calling the spamc binary from mailscanner instead of the perl API will provide a huge speed improvement. I would be happy to beta-test any new code if someone has written something for this. :) Regards, Paul Fries paul@cwie.net CWIE LLC -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Francois Caen Sent: Tuesday, June 04, 2002 10:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: spamc/spamd -----Original Message----- 
From: paul@CWIE.NET > Has anyone patched mailscanner to use spamassassin through the > spamd/spamc pair instead of the perl API? What would be the benefit of that? Aren't those 2 programs based on the same SpamAssassin Perl API anyway? Is there some sort of gain from compiling or something similar? ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From wkuiters at FREE.FR Tue Jun 4 18:54:10 2002 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020604144729.GN18801@hoiho.nz.lemon-computing.com> References: <20020604142610.GA2267@bragann> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> Message-ID: <20020604175410.GA2637@bragann> Hoi MailScanner, On Wed, Jun 05, 2002 at 02:47:29AM +1200, Nick Phillips wrote: > > On Tue, Jun 04, 2002 at 04:26:10PM +0200, Willem Kuiters wrote: > > Hello, > > > > Since a few days "^M" gets attached at the end of the header lines of the > > mail I receive on this machine. > > So, what changed "a few days" ago? Ouch, well I tend to be in a constant state of experimentation. The change occurred on 30 May. I know that I've been writing a shell script for automatically updating the Sophos ide files. That works now (it is still rather simple but if there are people interested they can drop me a line). Quite honestly, I can't remember exactly what else I changed. Definitely not the mailscanner conf files, I checked that. Neither have I touched Exim, Procmail or Mutt. I am quite confused as to where these "^M" things come from! Thanks for any hints, -- |\ /| Willem G.J. Kuiters |0 0| (/"\) --- "Learning is the art of ignoring" -- E. --- / \ --- Canetti --- (( U U )) --- --- " " " " --(Htag.pl 0.0.19)-- From fizz at BOMB.NET Tue Jun 4 18:56:42 2002 
From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd References: <002b01c20bf0$4f52d3c0$d900000a@paul01> Message-ID: <000701c20bf1$2f0adc60$48cf75cc@fizz> I'm willing to test provided there is good documentation regarding this setup :) ----- Original Message ----- From: "Paul Fries" To: Sent: Tuesday, June 04, 2002 1:50 PM Subject: Re: spamc/spamd > Yes. Spamd/spamc provides a huge speed improvement. > > I maintain 4 very busy mail servers. 2 of them use > sendmail/mailscanner/spamassassin and the other 2 use > qmail/qmail-scanner/spamassassin. > > The systems that use qmail-scanner use the daemonized (spamd/spamc) > version of spamassassin, and they routinely process a message in about > .4 to .8 seconds. On my mailscanner systems, this usually goes way above > that. If I tail my maillog, I regularly see the "Spamassassin timed > out..." message (my timeout is 10 seconds!) I have even installed a DNS > caching server on the sendmail boxes to see if DNS was where the > bottleneck was (even though I am not doing any RBL checks with > spamassassin OR mailscanner). No dice. Spamassassin still takes waaay too > long to process through the perl API. Once I tell mailscanner not to > check for spam the mail moves along just fine. My >250000 messages in > mqueue.in was processed fairly quickly at that point. > > I really think that calling the spamc binary from mailscanner instead of > the perl API will provide a huge speed improvement. I would be happy to > beta-test any new code if someone has written something for this. :) > > Regards, > Paul Fries > paul@cwie.net > CWIE LLC > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Francois Caen > Sent: Tuesday, June 04, 2002 10:33 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: spamc/spamd > > -----Original Message----- 
> From: paul@CWIE.NET > > > Has anyone patched mailscanner to use spamassassin through the > > spamd/spamc pair instead of the perl API? > > What would be the benefit of that? > Aren't those 2 programs based on the same SpamAssassin Perl API anyway? > Is there some sort of gain from compiling or something similar? > > ------------------------------------------------ > Francois Caen > Network Information Systems Engineer - Webmaster > City of Lakewood, WA > (253) 512-2269 > From lbergman at abi.tconline.net Tue Jun 4 19:52:41 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd In-Reply-To: <002101c20beb$1ac98630$d900000a@paul01> References: <002101c20beb$1ac98630$d900000a@paul01> Message-ID: <200206041352.41595.lbergman@abi.tconline.net> > I know that this has been mentioned on this list before, but here it is > again. :) I went through the archives but wasn't able to locate where > anyone had already posted an answer to this. Julian has told me that the way he does it is faster than using spamd/spamc. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From ucs_rat at SHSU.EDU Tue Jun 4 20:16:07 2002 
From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:14:55 2006 Subject: stats Message-ID: <1023218167.1770.131.camel@ab1-1-26.shsu.edu> Is it possible, or has anyone worked on anything to allow for better stats from mailscanner? I had put a couple extra lines in amavis so that it would report virs, from, to, date, msgid to a file. I could then easily process this file and generate reports (most frequent virus, top virus senders, who was getting the most, and etc). I've been watching what mailscanner generates in the syslog and there is nothing indicating that user z sent user y sircam or whatever. I was looking through the sweep.pl file and this looks like it is possible (the info is gathered), but not logged. --robert From nwp at LEMON-COMPUTING.COM Wed Jun 5 01:17:41 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:55 2006 Subject: scanner not picking up messages from mqueue.in In-Reply-To: <48770.10.10.1.95.1023206218.squirrel@webmail.shcorp.com> References: <48770.10.10.1.95.1023206218.squirrel@webmail.shcorp.com> Message-ID: <20020605001741.GT18801@hoiho.nz.lemon-computing.com> On Tue, Jun 04, 2002 at 11:56:58AM -0400, Kurt Yoder wrote: > I've verified that mailscanner is running. I also see the queue files in > /var/spool/mqueue.in. What could be the problem? Getting anything in your logs? -- Nick Phillips -- nwp@lemon-computing.com Everything will be just tickety-boo today. From nwp at LEMON-COMPUTING.COM Wed Jun 5 01:25:33 2002 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd In-Reply-To: <002b01c20bf0$4f52d3c0$d900000a@paul01> References: <002b01c20bf0$4f52d3c0$d900000a@paul01> Message-ID: <20020605002533.GV18801@hoiho.nz.lemon-computing.com> On Tue, Jun 04, 2002 at 10:50:26AM -0700, Paul Fries wrote: > Yes. Spamd/spamc provides a huge speed improvement. > > I maintain 4 very busy mail servers. 2 of them use > sendmail/mailscanner/spamassassin and the other 2 use > qmail/qmail-scanner/spamassassin. > > The systems that use qmail-scanner use the daemonized (spamd/spamc) > version of spamassassin, and they routinely process a message in about > 4 to .8 seconds. On my mailscanner systems, this usually goes way above > that. If I tail my maillog, I regularly see the "Spamassassin timed > out..." message (my timeout is 10 seconds!) I have even installed a DNS > caching server on the sendmail boxes to see if DNS was where the > bottleneck was (even though I am not doing any RBL checks with > spamassassin OR mailscanner). No dice. Spamassassin still takes waaay too > long to process through the perl API. Once I tell mailscanner not to > check for spam the mail moves along just fine. My >250000 messages in > mqueue.in was processed fairly quickly at that point. The discrepancy is likely caused by the fact that we have commented out the "compile_now" in the initialisation of SA in sendmail.pl: # JKF 7/1/2002 Commented out due to it causing false positives #$SAspamtest->compile_now(); # Saves me recompiling all the modules every time As it was causing problems. You could try uncommenting it and see whether the bugs in SA that were being tickled by it have gone away... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Beware the one behind you. From LISTSERV at JISCMAIL.AC.UK Tue Jun 4 19:19:13 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020604175410.GA2637@bragann> References: <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <20020604142610.GA2267@bragann> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> Message-ID: <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> At 18:54 04/06/2002, you wrote: >I know that I've been writing a shell script for >automatically updating the Sophos ide files. Why? What's wrong with the one in the MailScanner distribution? Works for everyone else... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Jun 5 13:44:54 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: spamc/spamd In-Reply-To: <20020605002533.GV18801@hoiho.nz.lemon-computing.com> References: <002b01c20bf0$4f52d3c0$d900000a@paul01> <002b01c20bf0$4f52d3c0$d900000a@paul01> Message-ID: <5.1.0.14.2.20020605134421.06255ef0@imap.ecs.soton.ac.uk> At 01:25 05/06/2002, you wrote: >On Tue, Jun 04, 2002 at 10:50:26AM -0700, Paul Fries wrote: > > Yes. Spamd/spamc provides a huge speed improvement. > > > > I maintain 4 very busy mail servers. 2 of them use > > sendmail/mailscanner/spamassassin and the other 2 use > > qmail/qmail-scanner/spamassassin. > >The discrepancy is likely caused by the fact that we have commented out >the "compile_now" in the initialisation of SA in sendmail.pl: > ># JKF 7/1/2002 Commented out due to it causing false positives >#$SAspamtest->compile_now(); # Saves me recompiling all the modules every time > >As it was causing problems. You could try uncommenting it and see whether the >bugs in SA that were being tickled by it have gone away... I would be very grateful if a few people could test this please. If the bugs in SA have gone away, I can re-enable this line and speed it all up again. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From kylist at SHCORP.COM Wed Jun 5 13:56:24 2002 
From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:14:55 2006 Subject: scanner not picking up messages from mqueue.in In-Reply-To: <20020605001741.GT18801@hoiho.nz.lemon-computing.com> References: <20020605001741.GT18801@hoiho.nz.lemon-computing.com> Message-ID: <50957.10.10.1.95.1023281784.squirrel@webmail.shcorp.com> Nick Phillips said: > On Tue, Jun 04, 2002 at 11:56:58AM -0400, Kurt Yoder wrote: > >> I've verified that mailscanner is running. I also see the queue files >> in /var/spool/mqueue.in. What could be the problem? > > Getting anything in your logs? Nope. Actually, I found the problem: the /var/spool/mqueue.in was not owned by the user/group that was specified in mailscanner.conf. Is there some way to have mailscanner gripe about this and refuse to start up? Or is there already a "debugging" mode somewhere that I missed that does this? -- Kurt Yoder Sport & Health network administrator From wkuiters at FREE.FR Wed Jun 5 14:32:57 2002 
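A start-up check of the kind Kurt Yoder asks for, as an added example that is not MailScanner code: it compares the queue directory's owner and group with the account the scanner runs as and reports every mismatch. The function names are hypothetical, the user and group are passed in rather than read from mailscanner.conf, and the owner-permission test goes one step beyond the ownership problem described in the message.

```python
import grp
import os
import pwd
import stat
import sys


def resolve_ids(user, group):
    """Map the configured user and group names to numeric ids."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def queue_dir_problems(path, run_uid, run_gid):
    """Return the reasons a scanner running as run_uid:run_gid cannot use path.

    An empty list means the directory passes every check.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]

    problems = []
    if st.st_uid != run_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {run_uid}")
    if st.st_gid != run_gid:
        problems.append(f"{path}: group gid {st.st_gid}, expected {run_gid}")
    # The owner needs read, write and search permission to list the queue
    # and to move files out of it.
    if (st.st_mode & stat.S_IRWXU) != stat.S_IRWXU:
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{path}: owner mode {mode:04o} lacks rwx")
    return problems


def preflight(path, user, group):
    """Exit status for a start-up script: 0 to start, 1 to refuse."""
    try:
        uid, gid = resolve_ids(user, group)
    except KeyError as exc:
        print(f"refusing to start: unknown account: {exc}", file=sys.stderr)
        return 1
    problems = queue_dir_problems(path, uid, gid)
    for line in problems:
        print(f"refusing to start: {line}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    # Usage: check_queue.py /var/spool/mqueue.in USER GROUP
    if len(sys.argv) != 4:
        sys.exit("usage: check_queue.py QUEUE_DIR USER GROUP")
    sys.exit(preflight(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run from the init script before the scanner is launched, a non-zero exit status turns the silent failure described above into a logged refusal to start.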
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> References: <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <20020604142610.GA2267@bragann> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> Message-ID: <20020605133257.GA2330@bragann> Hoi MailScanner, On Wed, Jun 05, 2002 at 01:43:38PM +0100, Julian Field wrote: > > At 18:54 04/06/2002, you wrote: > >I know that I've been writing a shell script for > >automatically updating the Sophos ide files. > > Why? > > What's wrong with the one in the MailScanner distribution? Works for > everyone else... Oh nothing Julian. It's just that I do not master perl quite well enough yet and just wanted to see if I could write a short shell script myself and drop it in /etc/cron.weekly or trigger it with procmail on the receipt of mail from Sophos. I still can't find where these "^M" strings come from. The header added by mailscanner: "X-Mailscanner: Found to be clean" does not show the "^M". I'd be happy with any clues. -- () () --- "Getting out of bed in the morning is an act of --- (? ?) --- false confidence" -- J. Feiffer --- /\ /\ --- --- ( " ) " "-----/ --- (Htag.pl 0.0.19) --- From lbergman at abi.tconline.net Wed Jun 5 14:24:23 2002 
From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020605133257.GA2330@bragann> References: <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> <20020605133257.GA2330@bragann> Message-ID: <200206050824.23262.lbergman@abi.tconline.net> > I still can't find where these "^M" strings come from. The header added by > mailscanner: "X-Mailscanner: Found to be clean" does not show the "^M". Are you writing this script on a windows machine for some reason? If so, run dos2unix -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jkf at ecs.soton.ac.uk Wed Jun 5 14:38:54 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <20020605133257.GA2330@bragann> References: <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <20020604142610.GA2267@bragann> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020605143704.062a1720@imap.ecs.soton.ac.uk> At 14:32 05/06/2002, you wrote: >On Wed, Jun 05, 2002 at 01:43:38PM +0100, Julian Field wrote: > > At 18:54 04/06/2002, you wrote: > > >I know that I've been writing a shell script for > > >automatically updating the Sophos ide files. > > > > Why? > >Oh nothing Julian. It's just that I do not master perl quite well enough >yet and just wanted to see if I could write a short shell script myself >and drop it in /etc/cron.weekly or trigger it with procmail on the >receipt of mail from Sophos. If you do write your own, be sure to lock the /tmp/SophosBusy.lock file while you are updating Sophos, or you could be writing new IDE files at the same time as MailScanner is trying to use them, resulting in a duff set of IDE files for that pass, which could allow a virus through. I'm not convinced you can do that with sh (which is exactly why I wrote it in perl in the first place). But, hey, it's your users.... :) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Jun 5 14:51:44 2002 
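Holding the lock from a shell script, as an added example that is not part of the original message or of MailScanner's own updater. It assumes flock(1) from util-linux is installed and that the scanner takes a flock(2)-style lock on the same /tmp/SophosBusy.lock file, which the message does not state; install_ide_files, count_ide_files and LOCK_WAIT are names made up here.

```shell
#!/bin/sh
# Added example (not MailScanner's updater): install new Sophos IDE files
# while holding /tmp/SophosBusy.lock.
# Assumption: the reading side takes a flock(2)-style lock on the same file.

LOCKFILE=${LOCKFILE:-/tmp/SophosBusy.lock}  # lock path named in the message
LOCK_WAIT=${LOCK_WAIT:-60}                  # seconds to wait for the lock

# install_ide_files SRC_DIR LIVE_DIR
# Returns 0 when every *.ide file was installed, 75 when the lock could not
# be obtained in time (nothing is written), 1 on a copy or rename error.
install_ide_files() {
    (
        # fd 9 belongs to this subshell only, so the lock is dropped when
        # the subshell exits, whether it succeeded or not.
        flock -x -w "$LOCK_WAIT" 9 || exit 75
        for f in "$1"/*.ide; do
            [ -e "$f" ] || continue         # unmatched glob stays literal
            name=${f##*/}
            # Copy under a temporary name, then rename into place, so a
            # reader that skips the lock still never opens a partial file.
            cp "$f" "$2/.$name.new" || exit 1
            mv "$2/.$name.new" "$2/$name" || exit 1
        done
    ) 9>>"$LOCKFILE"
}

# count_ide_files LIVE_DIR
# Hypothetical stand-in for the scanning side: takes a shared lock, so it
# waits out an update in progress, then prints how many IDE files it sees.
count_ide_files() {
    (
        flock -s -w "$LOCK_WAIT" 9 || exit 75
        set -- "$1"/*.ide
        [ -e "$1" ] || set --               # no IDE files present
        echo "$#"
    ) 9>>"$LOCKFILE"
}

# Stand-alone use: sh update-ide.sh /path/to/new-ide /path/to/live-ide
if [ "$#" -eq 2 ]; then
    install_ide_files "$1" "$2"
fi
```

The exclusive lock only protects a pass if the reader locks the same file with a compatible mechanism; the rename step covers readers that do not.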
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: scanner not picking up messages from mqueue.in In-Reply-To: <50957.10.10.1.95.1023281784.squirrel@webmail.shcorp.com> References: <20020605001741.GT18801@hoiho.nz.lemon-computing.com> <20020605001741.GT18801@hoiho.nz.lemon-computing.com> Message-ID: <5.1.0.14.2.20020605145123.062143a0@imap.ecs.soton.ac.uk> At 13:56 05/06/2002, you wrote: >Nope. Actually, I found the problem: the /var/spool/mqueue.in was not owned >by the user/group that was specified in mailscanner.conf. Is there some way >to have mailscanner gripe about this and refuse to start up? Or is there >already a "debugging" mode somewhere that I missed that does this? Good idea. Done. Will be in the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Jun 5 14:52:36 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: "^M" In-Reply-To: <200206050824.23262.lbergman@abi.tconline.net> References: <20020605133257.GA2330@bragann> <20020604144729.GN18801@hoiho.nz.lemon-computing.com> <5.1.0.14.2.20020605134246.0624a118@imap.ecs.soton.ac.uk> <20020605133257.GA2330@bragann> Message-ID: <5.1.0.14.2.20020605145208.06213548@imap.ecs.soton.ac.uk> I've just been through all the messages files and done a dos2unix on them all. At 14:24 05/06/2002, you wrote: > > I still can't find where these "^M" strings come from. The header added by > > mailscanner: "X-Mailscanner: Found to be clean" does not show the "^M". >Are you writing this script on a windows machine for some reason? If so, run >dos2unix > >-- >Lewis Bergman >Texas Communications >4309 Maple St. >Abilene, TX 79602-8044 >915-695-6962 ext 115 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Wed Jun 5 15:21:52 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:55 2006 Subject: Your removal from the MAILSCANNER JISCmail list Message-ID: <200206051421.PAA22348@magpie.ecs.soton.ac.uk> Wed, 5 Jun 2002 15:21:52 You have been removed from the MAILSCANNER JISCmail list (MailScanner mailing list) by JISCmail Support . From fizz at BOMB.NET Wed Jun 5 16:01:58 2002 
From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:55 2006 Subject: Quick easy question i hope Message-ID: <000f01c20ca1$f0a41bb0$48cf75cc@fizz> In mailscanner.conf there is the part where you put Local Domains and you can point to a localdomains or a sendmail mailertable file, but what exactly is this used for, as I have a * smtp[bounce.domain.com] to defer all bounced messages to another server. Will this cause any problems if I point that to mailertable with that entry in there? Just wondering what exactly it's used for in mailscanner. Thanks ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From jkf at ecs.soton.ac.uk Wed Jun 5 16:07:42 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: Quick easy question i hope In-Reply-To: <000f01c20ca1$f0a41bb0$48cf75cc@fizz> Message-ID: <5.1.0.14.2.20020605160542.0427ce98@imap.ecs.soton.ac.uk> At 16:01 05/06/2002, you wrote: >in mailscanner.conf there is the part where you put Local Domains and you >can point to a localdomains or a sendmail mailertable file, but what exactly >is this used for as I have a * smtp[bounce.domain.com] to defer >all bounced messages to another server. Will this cause any problems if I >point that to mailertable with that entry in there? >just wondering what exactly it's used for in mailscanner. It is used by the "Deliver From Local Domains" feature. If there is a virus in a message from any of the "Local Domains" then it won't send out any virus warnings so you don't accidentally tell the rest of the world you have a virus problem on your site (a lot of "corporates" like this feature, as it saves face :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From HancockS at MORGANCO.COM Wed Jun 5 21:54:41 2002 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:14:55 2006 Subject: Exim help. Scan outgoing Message-ID: Hello all, Is anyone out there scanning both incoming smtp mail and outgoing smtp mail with exim and mailscanner on the same server? Mailscanner is working for incoming.. wait, this is my definition of incoming [internet]--->[exim-mailscanner on debian]-->[exim on debian host] and this is my definition of outgoing. [exim on debian host]-->[exim-mailscanner on debian]-->[internet] My problem is how do I configure exim to know that mail from [exim on debian host] is to be delivered to the non-local host that is the [internet] and not the non-local host that is [exim on debian host]. This is the project goal. [internet]--->[Firewall (smarthost)]-->[exim-mailscanner / debian]-->[exchange] [exchange]-->[exim-mailscanner / debian]-->[Firewall (smarthost)]-->[internet] Obviously, I can scan incoming mail with the current setup but I'd like to do both. I believe my problems are in the exim.conf files for incoming and outgoing. I'm wondering if I can accomplish the above with only 2 exim queues and one mailscanner. exim_outgoing.conf is standard except for this entry in the Router section.

send_to_gateway:
  driver = domainlist
  transport = remote_smtp
  route_list = * my.domain.com byname

I'm new to Exim and pretty green on MTAs in general for that matter. Thanks in advance for any pointers. I'll be reading exim.org in the meantime. Scott Hancock Morgan From sjaaknabuurs at CITYTOWER.COM Wed Jun 5 22:21:03 2002 From: sjaaknabuurs at CITYTOWER.COM (sjaak nabuurs) Date: Thu Jan 12 21:14:55 2006 Subject: Shell account References: Message-ID: <003d01c20cd6$e6a1e720$1e01a8c0@SJAAK> Hi, I've been testing spamassassin, but I didn't get it to work till I gave a user a shell account. Is it possible without a shell account, or am I doing something wrong? Thanks Sjaak From nwp at LEMON-COMPUTING.COM Thu Jun 6 03:03:09 2002 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:55 2006 Subject: Exim help. Scan outgoing In-Reply-To: References: Message-ID: <20020606020308.GL18801@hoiho.nz.lemon-computing.com> On Wed, Jun 05, 2002 at 04:54:41PM -0400, Hancock, Scott wrote: > Is anyone out there scanning both incoming smtp mail and outgoing smtp mail > with exim and mailscanner on the same server? Yes, of course... > Mailscanner is working for incoming.. wait, this is my definition of > incoming > > [internet]--->[exim-mailscanner on debian]-->[exim on debian host] > > and this is my definition of outgoing. > > [exim on debian host]-->[exim-mailscanner on debian]-->[internet] *My* definition of incoming is "coming into Exim either from port 25 or the command line", and outgoing is "being delivered either to another host or a local user". Re-read the install doc with that in mind and it should make sense. > My problem is how do I configure exim to know that mail from [exim on debian > host] is to be delivered to the non-local host that is the [internet] and not > the non-local host that is [exim on debian host]. You sound horribly confused. The way to make it work is to configure Exim with no mailscanner at all. Then add mailscanner. Mail is generally not routed on the basis of where it is from (as you seem to think you want above), but on where it is supposed to end up. This usually makes sense. > This is the project goal. > > [internet]--->[Firewall (smarthost)]-->[exim-mailscanner / > debian]-->[exchange] > > [exchange]-->[exim-mailscanner / debian]-->[Firewall > (smarthost)]-->[internet] OK, what you probably want (vaguely, I don't want to go into details like "where do you want mail for root on the mailscanner box to go?") is no local domains on the mailscanner box, with and a router using the domainlist driver to route mail for to the internal box, and everything else to the external box. 
For example:

smarthosts:
  driver = domainlist
  transport = remote_smtp
  route_list = *.internal.domain name.of.exchange.server byname; \
               ! *.internal.domain name.of.smarthost byname

But don't just trust me; make sure you understand it. Once you have exim set up right, add mailscanner. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Communicate! It can't make things any worse. From jkf at ecs.soton.ac.uk Thu Jun 6 08:57:20 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: Shell account In-Reply-To: <003d01c20cd6$e6a1e720$1e01a8c0@SJAAK> References: Message-ID: <5.1.0.14.2.20020606085606.02c5ceb0@imap.ecs.soton.ac.uk> At 22:21 05/06/2002, you wrote: >I've been testing spamassassin >But I didn't get it to work till I gave a user a shell account. >Is it possible without a shell account or am I doing something wrong? If you are using Exim, then the user specified in the "Run As User" configuration option in mailscanner.conf must have a home directory, as that is where SpamAssassin wants to store its "user_prefs" file by default. In the latest version (or possibly the one I haven't released yet :-) you can specify exactly where SpamAssassin should look for its preferences file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From HancockS at MORGANCO.COM Thu Jun 6 14:14:59 2002 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:14:55 2006 Subject: Exim help. Scan outgoing Message-ID: Thank you Nick, I added the definition because I knew it clashed with the documentation. I'm just so new to Exim, Linux, and mail systems (even exchange), that I have trouble communicating using the proper, precise, language (hence the diagram). I'm a learning newbie but I'm not as confused as I sound. > smarthosts: > driver = domainlist > transport = remote_smtp > route_list = *.internal.domain name.of.exchange.server byname; \ > ! *.internal.domain name.of.smarthost byname This is exactly the pointer I was looking for. I will read up on the smarthosts and domainlist driver entries. I AM horribly confused about adding innoculate support. I saw the comments in sweep.pl but my eyes immediately crossed . I can't even figure out which of our licensed innoculate 6.0 install files to use. F-prot was pretty straight forward however and tested successfully against the sample files at eicar.com. All of my configurations are tested first. I'm hoping to find a mail generating script to test the installation. Thanks for the help and patience. Thanks to the mailscanner crew. Scott From P.G.M.Peters at civ.utwente.nl Thu Jun 6 15:05:37 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:55 2006 Subject: Mailscanner stops scanning Message-ID: In our testserver I have a constant "tail -f" running on the maillog so I can keep an eye on what is happening. Lately I notice Mailscanner stops scanning. Normally I see the "scanning"-message every minute or so. But sometimes I don't see those messages for minutes even when new mail keeps arriving. When I do a "ps axf" I can see a sendmail process hanging in a "user open". That sendmail process is a child of mailscanner. When I kill that sendmail process mailscanner immediately starts scanning the new messages. Can mailscanner be configured to run the sendmail processes in the background? (sendmail -ODeliveryMode=b) -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Thu Jun 6 15:13:21 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: Mailscanner stops scanning In-Reply-To: Message-ID: <5.1.0.14.2.20020606151244.0477a830@imap.ecs.soton.ac.uk> At 15:05 06/06/2002, you wrote: >Can mailscanner be configured to run the sendmail processes in the >background? (sendmail -ODeliveryMode=b) Deliver In Background = yes -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Thu Jun 6 15:45:33 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:55 2006 Subject: MAILSCANNER: wright@MAILBOX.SC.EDU requested to join Message-ID: <200206061445.PAA02880@magpie.ecs.soton.ac.uk> Thu, 6 Jun 2002 15:45:33 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Steve Wright You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER wright@MAILBOX.SC.EDU Steve Wright PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER wright@MAILBOX.SC.EDU Steve Wright // EOJ From P.G.M.Peters at civ.utwente.nl Fri Jun 7 10:00:02 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:55 2006 Subject: Mailscanner stops scanning In-Reply-To: <5.1.0.14.2.20020606151244.0477a830@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020606151244.0477a830@imap.ecs.soton.ac.uk> Message-ID: On Thu, 6 Jun 2002 15:13:21 +0100, you wrote: >>Can mailscanner be configured to run the sendmail processes in the >>background? (sendmail -ODeliveryMode=b) > >Deliver In Background = yes Yes, of course. In my mind I had the idea it was possible so I scanned the conf-file and somehow this setting didn't register as the solution. BTW: Have you had time to look at my idea about using name based blacklists? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Fri Jun 7 11:32:11 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:55 2006 Subject: ANNOUNCE: MIME-Tools security patch Message-ID: <5.1.0.14.2.20020607112540.02d2b590@imap.ecs.soton.ac.uk> A very nice person on the Bugtraq mailing list has found some potential security problems with the current stable release of the MIME-Tools module which is used by MailScanner. These are likely to be exploited fairly soon as the hackers all read Bugtraq too. A patch to correct these problems is attached to this message. You should find that the command patch -p0 < mime-tools-patch.txt will install the patch, but it will probably ask you to locate the 2 files it needs to patch. Have a hunt round your Perl installation for the site_perl directory and take a look in there. If you can't find your site_perl directory anywhere, then run this perl script: #!/usr/bin/perl print join("\n", @INC); and the output of that will tell you where to look for it. Please don't ask me for more advice on using the patch command, there's a perfectly good man page about it and patch is very intelligent anyway, so you shouldn't have much problem. Jules. -------------- next part -------------- diff -c -r MIME-tools-5.411-ORIG/lib/MIME/Field/ParamVal.pm MIME-tools-5.411/lib/MIME/Field/ParamVal.pm *** MIME-tools-5.411-ORIG/lib/MIME/Field/ParamVal.pm Sat Nov 4 14:54:49 2000 --- MIME-tools-5.411/lib/MIME/Field/ParamVal.pm Mon May 27 13:55:40 2002 *************** *** 9,50 **** =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" 
if ($field->paramstr('id') eq ''); ! # Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE --- 9,50 ---- =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" if ($field->paramstr('id') eq ''); ! # Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE *************** *** 100,105 **** --- 100,108 ---- # token = 1* # my $TSPECIAL = '()<>@,;:\ 3, 'id' => "ocj=pbe0M2"); ! Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. --- 139,145 ---- 'total' => 3, 'id' => "ocj=pbe0M2"); ! 
Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. *************** *** 160,175 **** it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. --- 166,181 ---- it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. *************** *** 181,190 **** --- 187,226 ---- =cut + sub rfc2231decode { + my($val) = @_; + my($enc, $lang, $rest); + + if ($val =~ m/^([^\']*)\'([^\']*)\'(.*)$/) { + # SHOULD REALLY DO SOMETHING MORE INTELLIGENT WITH ENCODING!!! 
+ $enc = $1; + $lang = $2; + $rest = $3; + $rest = rfc2231percent($rest); + } elsif ($val =~ m/^([^\']*)\'([^\']*)$/) { + $enc = $1; + $rest = $2; + $rest = rfc2231percent($rest); + } else { + $rest = rfc2231percent($val); + } + return $rest; + } + + sub rfc2231percent { + # Do percent-subsitution + my($str) = @_; + $str =~ s/%([0-9a-fA-F]{2})/pack("c", hex($1))/ge; + return $str; + } + sub parse_params { my ($self, $raw) = @_; my %params = (); + my %rfc2231params = (); my $param; + my $val; + my $part; # Get raw field, and unfold it: defined($raw) or $raw = ''; *************** *** 200,208 **** $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($TOKEN)|\G($ENCTOKEN)/g or last; # give up if no value ! my ($qstr, $str, $token, $enctoken) = ($1, $2, $3, $4); ! $params{$param} = defined($qstr) ? $str : (defined($token) ? $token : $enctoken); debug " field param <$param> = <$params{$param}>"; } --- 236,282 ---- $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last; # give up if no value" ! my ($qstr, $str, $enctoken, $badtoken, $token) = ($1, $2, $3, $4, $5); ! if (defined($badtoken)) { ! # Strip leading/trailing whitespace from badtoken ! $badtoken =~ s/^\s*//; ! $badtoken =~ s/\s*$//; ! } ! $val = defined($qstr) ? $str : ! (defined($enctoken) ? $enctoken : ! (defined($badtoken) ? $badtoken : $token)); ! ! # Do RFC 2231 processing ! if ($param =~ /\*/) { ! my($name, $num); ! # Pick out the parts of the parameter ! if ($param =~ m/^([^*]+)\*([^*]+)\*?$/) { ! # We have param*number* or param*number ! $name = $1; ! $num = $2; ! } else { ! # Fake a part of zero... not sure how to handle this properly ! $param =~ s/\*//g; ! $name = $param; ! $num = 0; ! } ! 
# Decode the value unless it was a quoted string ! if (!defined($qstr)) { ! $val = rfc2231decode($val); ! } ! $rfc2231params{$name}{$num} .= $val; ! } else { ! # Make a fake "part zero" for non-RFC2231 params ! $rfc2231params{$param}{"0"} = $val; ! } ! } ! ! # Extract reconstructed parameters ! foreach $param (keys %rfc2231params) { ! foreach $part (sort { $a <=> $b } keys %{$rfc2231params{$param}}) { ! $params{$param} .= $rfc2231params{$param}{$part}; ! } debug " field param <$param> = <$params{$param}>"; } *************** *** 227,233 **** # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! # Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } --- 301,307 ---- # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! # Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } diff -c -r MIME-tools-5.411-ORIG/lib/MIME/Words.pm MIME-tools-5.411/lib/MIME/Words.pm *** MIME-tools-5.411-ORIG/lib/MIME/Words.pm Fri Nov 10 11:45:12 2000 --- MIME-tools-5.411/lib/MIME/Words.pm Mon May 27 14:07:22 2002 *************** *** 186,192 **** $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\r?\n[ \t](\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; --- 186,192 ---- $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\s*(\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From paul_houselander at BRISTOL-CITY.GOV.UK Fri Jun 7 10:59:07 2002 
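Review bot: in the new rfc2231percent sub, pack("c", hex($1)) uses the signed-char template, so every escape from %80 to %FF is out of range and only yields the right byte by wrap-around (and draws a "wrapped in pack" warning when warnings are on); pack("C", hex($1)) is the template that matches the intent. In rfc2231decode, $enc and $lang are captured and then dropped, as the in-line "SHOULD REALLY DO SOMETHING MORE INTELLIGENT WITH ENCODING" comment admits, and the decoder will produce NUL, slash or control bytes from %00, %2F and similar, so a short comment on the sub stating that callers must sanitise the decoded value before using it as a filename would be worth adding.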
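Review bot: the RFC 2231 branch added to parse_params takes the section number from ([^*]+), so anything that is not an asterisk is accepted as $num and then compared with <=> in the final sort, where a non-numeric section silently counts as 0; matching \d+ would reject those. The accumulation $rfc2231params{$name}{$num} .= $val also means a repeated name*0, or a plain name= followed by name*0=, ends up concatenated instead of being replaced or refused, which is the kind of ambiguity that lets a scanner and a mail client disagree about the final value. Finally, \*?$ throws away the trailing asterisk, so the value is percent-decoded whenever it was not a quoted string, whereas RFC 2231 marks only sections whose name ends in * as encoded; keeping that flag and decoding only those sections would follow the RFC.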
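Review bot: in the MIME::Words hunk the replacement pattern (\?\=)\s*(\=\?) also matches when there is no whitespace at all, where the substitution is a no-op; \s+ would state the intent more clearly. The "Collapse boundaries between adjacent encoded words" comment above it is unchanged, so it no longer says why anything other than a folded line break is now accepted; a line explaining that, plus a regression test covering space-, tab- and newline-separated encoded words, would document the behaviour the change is meant to guarantee.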
From: paul_houselander at BRISTOL-CITY.GOV.UK (Paul Houselander) Date: Thu Jan 12 21:14:55 2006 Subject: ANNOUNCE: MIME-Tools security patch (Im on leave) Message-ID: I am on leave from the 7th June and returning on 10 June 2002, if it's urgent contact the Education IT helpdesk on 01179037999 From chorlian at CBR.MED.HARVARD.EDU Fri Jun 7 13:25:05 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:55 2006 Subject: ANNOUNCE: MIME-Tools security patch Message-ID: <200206071225.g57CP5Ql015295@cbr.med.harvard.edu> When run I get the following: patch -p0 < mime-tools-patch.txt Looks like a new-style context diff. Malformed patch at line 286: patch: Line must begin with '+ ', ' ', or '! '. Not sure what this means? On Friday, June 07, 2002 at 11:32:11 AM, MailScanner mailing list wrote: > A very nice person on the Bugtraq mailing list has found some potential > security problems with the current stable release of the MIME-Tools module > which is used by MailScanner. These are likely to be exploited fairly soon > as the hackers all read Bugtraq too. > > A patch to correct these problems is attached to this message. > > You should find that the command > patch -p0 < mime-tools-patch.txt > will install the patch, but it will probably ask you to locate the 2 files > it needs to patch. Have a hunt round your Perl installation for the > site_perl directory and take a look in there. If you can't find your > site_perl directory anywhere, then run this perl script: > #!/usr/bin/perl > print join("\n", @INC); > and the output of that will tell you where to look for it. > > Please don't ask me for more advice on using the patch command, there's a > perfectly good man page about it and patch is very intelligent anyway, so > you shouldn't have much problem. > > Jules. > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From chorlian at CBR.MED.HARVARD.EDU Fri Jun 7 13:28:37 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:55 2006 Subject: ANNOUNCE: MIME-Tools security patch Message-ID: <200206071228.g57CSbQl015379@cbr.med.harvard.edu> Oops, forgot to say I'm running Solaris 8.... On Friday, June 07, 2002 at 08:25:05 AM, MailScanner mailing list wrote: > When run I get the following: > > patch -p0 < mime-tools-patch.txt > Looks like a new-style context diff. > Malformed patch at line 286: > patch: Line must begin with '+ ', ' ', or '! '. > > Not sure what this means? > > > On Friday, June 07, 2002 at 11:32:11 AM, MailScanner mailing list wrote: > > > A very nice person on the Bugtraq mailing list has found some potential > > security problems with the current stable release of the MIME-Tools module > > which is used by MailScanner. These are likely to be exploited fairly soon > > as the hackers all read Bugtraq too. > > > > A patch to correct these problems is attached to this message. > > > > You should find that the command > > patch -p0 < mime-tools-patch.txt > > will install the patch, but it will probably ask you to locate the 2 files > > it needs to patch. Have a hunt round your Perl installation for the > > site_perl directory and take a look in there. If you can't find your > > site_perl directory anywhere, then run this perl script: > > #!/usr/bin/perl > > print join("\n", @INC); > > and the output of that will tell you where to look for it. > > > > Please don't ask me for more advice on using the patch command, there's a > > perfectly good man page about it and patch is very intelligent anyway, so > > you shouldn't have much problem. > > > > Jules. > > > > ------------------------------------------ > Henry C. 
Chorlian > Director of Information Technology > Center for Blood Research > 800 Huntington Avenue > Boston, MA 02115-6303 > > Harvard Medical School Affiliate > chorlian@cbr.med.harvard.edu > Voice: (617) 278-3425 > Fax: (617) 278-3493 > > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From LISTSERV at JISCMAIL.AC.UK Fri Jun 7 08:25:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:56 2006 Subject: MAILSCANNER: kdelinux@KDELINUX.NET requested to join Message-ID: <200206070725.IAA02290@magpie.ecs.soton.ac.uk> Fri, 7 Jun 2002 08:25:21 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Alejandro Bitran You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kdelinux@KDELINUX.NET Alejandro Bitran PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kdelinux@KDELINUX.NET Alejandro Bitran // EOJ From jkf at ecs.soton.ac.uk Fri Jun 7 13:54:05 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: ANNOUNCE: MIME-Tools security patch In-Reply-To: <200206071225.g57CP5Ql015295@cbr.med.harvard.edu> Message-ID: <5.1.0.14.2.20020607135253.047eb968@imap.ecs.soton.ac.uk> At 13:25 07/06/2002, you wrote: >When run I get the following: > >patch -p0 < mime-tools-patch.txt > Looks like a new-style context diff. >Malformed patch at line 286: >patch: Line must begin with '+ ', ' ', or '! '. > >Not sure what this means? You need a newer version of "patch". Try http://www.sunfreeware.com/ I must admit I ended up patching the 2 files on a Linux box (much better "patch") and then copying them over to the Solaris box :-) >On Friday, June 07, 2002 at 11:32:11 AM, MailScanner mailing list wrote: > > > A very nice person on the Bugtraq mailing list has found some potential > > security problems with the current stable release of the MIME-Tools module > > which is used by MailScanner. These are likely to be exploited fairly soon > > as the hackers all read Bugtraq too. > > > > A patch to correct these problems is attached to this message. > > > > You should find that the command > > patch -p0 < mime-tools-patch.txt > > will install the patch, but it will probably ask you to locate the 2 files > > it needs to patch. Have a hunt round your Perl installation for the > > site_perl directory and take a look in there. If you can't find your > > site_perl directory anywhere, then run this perl script: > > #!/usr/bin/perl > > print join("\n", @INC); > > and the output of that will tell you where to look for it. > > > > Please don't ask me for more advice on using the patch command, there's a > > perfectly good man page about it and patch is very intelligent anyway, so > > you shouldn't have much problem. > > > > Jules. > > > >------------------------------------------ >Henry C. 
Chorlian >Director of Information Technology >Center for Blood Research >800 Huntington Avenue >Boston, MA 02115-6303 > >Harvard Medical School Affiliate >chorlian@cbr.med.harvard.edu >Voice: (617) 278-3425 >Fax: (617) 278-3493 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Fri Jun 7 14:03:24 2002 
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:56 2006
Subject: Performance Improvements Inside!
Message-ID: <001301c20e23$b4e05480$48cf75cc@fizz>

I thought I'd pass on some suggestions/improvements that were passed to me.

First off. In sendmail.cf, try reducing your logging from loglevel 9 to 7 this will eliminate all the deferred messages from occurring in your logs which was on my system making syslogd take up over 60% of my cpu.

Switching off disinfection would now make it run considerably quicker. Other than those things, the reason for the slowdown is unfortunately the addition of new features, many of which you are using. A good example is the virus subject line tagging ({VIRUS?}). This involves checking the entire headers for a subject line already including this text, as you never want it tagged more than once, and then modifying the string of headers to include the new text.

One point of note: I would question (in the current "Klez" climate) whether trying to disinfect viruses from messages is even worth the bother any more. It's very expensive (involves calling the virus scanner 2 more times) and it very rarely creates any useful results. Word macro viruses (which it can disinfect) are few and far between compared to things like Klez.

The vast majority of your CPU time is being stolen by syslogd, logging useless info to /var/log/mail/maillog about users who are over their quota. If you decrease the LogLevel in your sendmail.cf, or increase the logging "priority" of mail in /etc/syslog.conf, you could drastically reduce this.

I would also question using "sendmail -q1m" in your rc.M file. This is forcing a run of the entire outgoing queue every 1 minute, which is contributing to the load (by starting a queue run before the previous queue run has finished) and also is contributing to the syslog load, by creating yet more "message would exceed their quota" log entries.

You will also find, in Linux, that appending to the end of a small file is quicker than appending to a huge file (which your maillog is). If you roll your logs more frequently, that will again help reduce your syslog load

//////
( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| kellyh@cyberstreet.com
| http://www.bomb.net
| .oooO
| ( ) Oooo.
+--- \ (----( )----------------------------+
\_) ) /
(_/

From t.d.lee at durham.ac.uk Fri Jun 7 14:43:28 2002
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Jan 12 21:14:56 2006
Subject: ANNOUNCE: MIME-Tools security patch
In-Reply-To: <5.1.0.14.2.20020607112540.02d2b590@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 7 Jun 2002, Julian Field wrote:

> A very nice person on the Bugtraq mailing list has found some potential
> security problems with the current stable release of the MIME-Tools module
> which is used by MailScanner. These are likely to be exploited fairly soon
> as the hackers all read Bugtraq too.
>
> A patch to correct these problems is attached to this message.
> [...]

Thanks.

Presumably CPAN's MIME::Tools will be updated to incorporate such a patch?
Was there an indication of timescale for any such updates?

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 374 2882 U.K. :

From jkf at ecs.soton.ac.uk Fri Jun 7 15:46:02 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: ANNOUNCE: MIME-Tools security patch In-Reply-To: References: <5.1.0.14.2.20020607112540.02d2b590@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020607153910.02bb8950@imap.ecs.soton.ac.uk> At 14:43 07/06/2002, you wrote: >On Fri, 7 Jun 2002, Julian Field wrote: > > > A very nice person on the Bugtraq mailing list has found some potential > > security problems with the current stable release of the MIME-Tools module > > which is used by MailScanner. These are likely to be exploited fairly soon > > as the hackers all read Bugtraq too. > > > > A patch to correct these problems is attached to this message. > > [...] > >Thanks. > >Presumably CPAN's MIME::Tools will be updated to incorporate such a patch? >Was there an indication of timescale for any such updates? There has so far been no response published by the author. Keep an eye on www.zeegee.com to see whether he has anything to say on the subject. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From chorlian at CBR.MED.HARVARD.EDU Fri Jun 7 16:31:53 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:56 2006 Subject: ANNOUNCE: MIME-Tools security patch Message-ID: <200206071531.g57FVrQl021515@cbr.med.harvard.edu> Same error after updating patch: patch -p0 < mime-tools-patch.txt Looks like a new-style context diff. Malformed patch at line 286: patch: Line must begin with '+ ', ' ', or '! '. Sorry. Appreciate your help! On Friday, June 07, 2002 at 01:54:05 PM, MailScanner mailing list wrote: > At 13:25 07/06/2002, you wrote: > >When run I get the following: > > > >patch -p0 < mime-tools-patch.txt > > Looks like a new-style context diff. > >Malformed patch at line 286: > >patch: Line must begin with '+ ', ' ', or '! '. > > > >Not sure what this means? > > You need a newer version of "patch". Try http://www.sunfreeware.com/ > > I must admit I ended up patching the 2 files on a Linux box (much better > "patch") and then copying them over to the Solaris box :-) > > >On Friday, June 07, 2002 at 11:32:11 AM, MailScanner mailing list wrote: > > > > > A very nice person on the Bugtraq mailing list has found some potential > > > security problems with the current stable release of the MIME-Tools module > > > which is used by MailScanner. These are likely to be exploited fairly soon > > > as the hackers all read Bugtraq too. > > > > > > A patch to correct these problems is attached to this message. > > > > > > You should find that the command > > > patch -p0 < mime-tools-patch.txt > > > will install the patch, but it will probably ask you to locate the 2 files > > > it needs to patch. Have a hunt round your Perl installation for the > > > site_perl directory and take a look in there. If you can't find your > > > site_perl directory anywhere, then run this perl script: > > > #!/usr/bin/perl > > > print join("\n", @INC); > > > and the output of that will tell you where to look for it. 
> > > > > > Please don't ask me for more advice on using the patch command, there's a > > > perfectly good man page about it and patch is very intelligent anyway, so > > > you shouldn't have much problem. > > > > > > Jules. > > > > > > >------------------------------------------ > >Henry C. Chorlian > >Director of Information Technology > >Center for Blood Research > >800 Huntington Avenue > >Boston, MA 02115-6303 > > > >Harvard Medical School Affiliate > >chorlian@cbr.med.harvard.edu > >Voice: (617) 278-3425 > >Fax: (617) 278-3493 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From jkf at ecs.soton.ac.uk Fri Jun 7 16:48:48 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: ANNOUNCE: MIME-Tools security patch In-Reply-To: <200206071531.g57FVrQl021515@cbr.med.harvard.edu> Message-ID: <5.1.0.14.2.20020607164722.02b82660@imap.ecs.soton.ac.uk> Okay, for all the people who having got a working copy of "patch", I've attached the 2 patched files for you. Note these are for MIME-Tools 5.411 *only*. The directory structure is intact so you will see where you need to drop the files. -------------- next part -------------- A non-text attachment was scrubbed... Name: mime-tools-patch.tar.gz Type: application/octet-stream Size: 7879 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020607/4793d8ce/mime-tools-patch.tar.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Fri Jun 7 17:15:51 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:56 2006 Subject: ANNOUNCE: MIME-Tools security patch Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8F20@med-core03.med.wayne.edu> You are still using the Sun provided patch. After installing the GNU rev from sunfreeware, use /usr/local/bin/patch Installing gnu rev isn't going to replace Sun's or change your search path. -----Original Message----- 
From: Henry C. Chorlian [mailto:chorlian@CBR.MED.HARVARD.EDU] Sent: Friday, June 07, 2002 11:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: MIME-Tools security patch Same error after updating patch: patch -p0 < mime-tools-patch.txt Looks like a new-style context diff. Malformed patch at line 286: patch: Line must begin with '+ ', ' ', or '! '. Sorry. Appreciate your help! On Friday, June 07, 2002 at 01:54:05 PM, MailScanner mailing list wrote: > At 13:25 07/06/2002, you wrote: > >When run I get the following: > > > >patch -p0 < mime-tools-patch.txt > > Looks like a new-style context diff. > >Malformed patch at line 286: > >patch: Line must begin with '+ ', ' ', or '! '. > > > >Not sure what this means? > > You need a newer version of "patch". Try http://www.sunfreeware.com/ > > I must admit I ended up patching the 2 files on a Linux box (much > better > "patch") and then copying them over to the Solaris box :-) > > >On Friday, June 07, 2002 at 11:32:11 AM, MailScanner mailing list > >wrote: > > > > > A very nice person on the Bugtraq mailing list has found some > > > potential security problems with the current stable release of the > > > MIME-Tools module which is used by MailScanner. These are likely > > > to be exploited fairly soon as the hackers all read Bugtraq too. > > > > > > A patch to correct these problems is attached to this message. > > > > > > You should find that the command > > > patch -p0 < mime-tools-patch.txt > > > will install the patch, but it will probably ask you to locate the > > > 2 files it needs to patch. Have a hunt round your Perl > > > installation for the site_perl directory and take a look in there. > > > If you can't find your site_perl directory anywhere, then run this perl script: > > > #!/usr/bin/perl > > > print join("\n", @INC); > > > and the output of that will tell you where to look for it. 
> > > > > > Please don't ask me for more advice on using the patch command, > > > there's a perfectly good man page about it and patch is very > > > intelligent anyway, so you shouldn't have much problem. > > > > > > Jules. > > > > > > >------------------------------------------ > >Henry C. Chorlian > >Director of Information Technology > >Center for Blood Research > >800 Huntington Avenue > >Boston, MA 02115-6303 > > > >Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu > >Voice: (617) 278-3425 > >Fax: (617) 278-3493 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From chorlian at CBR.MED.HARVARD.EDU Fri Jun 7 17:23:48 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian)
Date: Thu Jan 12 21:14:56 2006
Subject: Fwd: [Fwd: Re: ANNOUNCE: MIME-Tools security patch]
Message-ID: <200206071623.g57GNmQl011621@cbr.med.harvard.edu>

Used Philip's suggestion which worked for Solaris 8.....

-----------------------

Henry,

Remove the 2 lines which begin "diff -c" and some blank lines at the end.
This works for me with Solaris 8.

"Henry C. Chorlian" wrote:
>
> Same error after updating patch:
>
> patch -p0 < mime-tools-patch.txt
> Looks like a new-style context diff.
> Malformed patch at line 286:
> patch: Line must begin with '+ ', ' ', or '! '.
>
> Sorry. Appreciate your help!
>
>
> ------------------------------------------
> Henry C. Chorlian
> Director of Information Technology
> Center for Blood Research
> 800 Huntington Avenue
> Boston, MA 02115-6303
>
> Harvard Medical School Affiliate
> chorlian@cbr.med.harvard.edu
> Voice: (617) 278-3425
> Fax: (617) 278-3493

--
Philip Craven
Senior Systems Officer (UNIX)
ICT Services, Academic Services
London Guildhall University
100 Minories, Tower Hill, London EC3N 1JY
020 7320 3156

------------------------------------------
Henry C. Chorlian
Director of Information Technology
Center for Blood Research
800 Huntington Avenue
Boston, MA 02115-6303

Harvard Medical School Affiliate
chorlian@cbr.med.harvard.edu
Voice: (617) 278-3425
Fax: (617) 278-3493

From fizz at BOMB.NET Fri Jun 7 20:10:37 2002
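Added example, not part of any message in this thread and not MailScanner's own code: a pre-flight check for the situation above, listing the lines of a context diff that an older patch may reject, applying the fix Philip Craven describes (drop the "diff -c" lines and the trailing blank lines), and preferring the /usr/local/bin/patch that Bobby Rose points to. The function names and the two-file sample patch are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a context diff before giving it to an
# older patch(1). The sample patch and its file names are constructed.

# Write a small two-file context diff that carries the same extras the thread
# describes: "diff -c" command lines and blank lines after the last hunk.
make_sample_patch() {
    printf '%s\n' \
        'diff -c A.pm.orig A.pm' \
        '*** A.pm.orig 2002-06-07' \
        '--- A.pm 2002-06-07' \
        '***************' \
        '*** 1,3 ****' \
        '  sub f {' \
        '!     return 1;' \
        '  }' \
        '--- 1,3 ----' \
        '  sub f {' \
        '!     return 2;' \
        '  }' \
        'diff -c B.pm.orig B.pm' \
        '*** B.pm.orig 2002-06-07' \
        '--- B.pm 2002-06-07' \
        '***************' \
        '*** 1,2 ****' \
        '--- 1,3 ----' \
        '  1;' \
        '+ # patched' \
        '  __END__' \
        '' \
        '' > "$1"
}

# Print "LINENO:text" for every line that is not a file header, a hunk
# header, or a body line starting with "+ ", "- ", "! " or two spaces.
# Returns 0 when the file is clean, 1 when at least one line was reported.
lint_context_diff() {
    if grep -n -v -E '^(\*\*\* |--- |\*{15}$|[-+!] |  |\\ )' "$1"; then
        return 1
    fi
    return 0
}

# Write the patch to stdout without the "diff -c" command lines and without
# blank lines at the end. Blank lines that are followed by more text are kept.
sanitize_context_diff() {
    awk '
        /^diff -c/ { next }                       # drop the diff command lines
        /^[ \t]*$/ { held = held $0 "\n"; next }  # hold blank lines back
        { printf "%s", held; held = ""; print }   # flush them if text follows
    ' "$1"
}

# Prefer the separately installed patch in /usr/local/bin over the one that
# comes first in PATH; installing it does not change the search path.
pick_patch() {
    if [ -x /usr/local/bin/patch ]; then
        echo /usr/local/bin/patch
    else
        command -v patch
    fi
}

# Sample run on the constructed patch.
demo_dir=$(mktemp -d)
make_sample_patch "$demo_dir/raw.patch"
echo "lines an old patch may reject:"
lint_context_diff "$demo_dir/raw.patch" || true
sanitize_context_diff "$demo_dir/raw.patch" > "$demo_dir/clean.patch"
lint_context_diff "$demo_dir/clean.patch" && echo "clean.patch: no stray lines"
rm -rf "$demo_dir"
```
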
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:56 2006
Subject: DNS BlackLists
Message-ID: <000701c20e57$0211f4b0$48cf75cc@fizz>

Does anyone know of any more DNS Blacklists I can add? Aside from what I
listed here is what's in my sendmail.cf. I added the spamcop.net one
this morning, and this drastically cut down on the number of spam.

# DNS based IP address spam list blackholes.mail-abuse.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.blackholes.mail-abuse.org. $: OK $)
ROK $: OKSOFAR
R$+ $: TMPOK
R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} rejected, see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}

# DNS based IP address spam list relays.mail-abuse.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.mail-abuse.org. $: OK $)
ROK $: OKSOFAR
R$+ $: TMPOK
R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/nph-rss?$& {client_addr}

# DNS based IP address spam list dialups.mail-abuse.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.dialups.mail-abuse.org. $: OK $)
ROK $: OKSOFAR
R$+ $: TMPOK
R$+ $#error $@ 5.7.1 $: Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm

#DNS Based IP Address spam list relays.ordb.org
R$* $: $&{client_addr}
R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.ordb.org. $: OK $)
ROK $: OKSOFAR
R$+ $: TMPOK
R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} rejected; see http://www.ordb.org for more information

#DNS Based IP Address spam list bl.spamcop.net
R$* $: $&{client_addr}
R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.bl.spamcop.net. $: OK $)
ROK $: OKSOFAR
R$+ $: TMPOK
R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} rejected; see http://www.spamcop.net for more information

//////
( o o )
+--.oooO--(_)--Oooo.-----------------+
| [Kelly Hamlin]
| kellyh@cyberstreet.com
| http://www.bomb.net
| .oooO
| ( ) Oooo.
+--- \ (----( )----------------------------+
\_) ) /
(_/

From jkf at ecs.soton.ac.uk Fri Jun 7 20:44:54 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: DNS BlackLists In-Reply-To: <000701c20e57$0211f4b0$48cf75cc@fizz> Message-ID: <5.1.0.14.2.20020607204409.035e4aa8@imap.ecs.soton.ac.uk> Kelly, Thanks for the pointer to spamcop.net, I'll put it in the MailScanner distribution. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From chorlian at CBR.MED.HARVARD.EDU Fri Jun 7 20:55:02 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian)
Date: Thu Jan 12 21:14:56 2006
Subject: DNS BlackLists
Message-ID: <200206071955.g57Jt21Q005665@cbr.med.harvard.edu>

Where do you put this configuration in sendmail? I'm running
sendmail8.12.3

Tnx

On Friday, June 07, 2002 at 03:10:37 PM, MailScanner mailing list wrote:

> Does anyone know of any more DNS Blacklists i can add? Aside from what i
> listed here is whats in my sendmail.cf. I added the spamcop.net one
> thismorning, and this drastically cut down on the number of spam.
>
> # DNS based IP address spam list blackholes.mail-abuse.org
> R$* $: $&{client_addr}
> R$-.$-.$-.$- $: $(dnsbl
> $4.$3.$2.$1.blackholes.mail-abuse.org. $: OK $)
> ROK $: OKSOFAR
> R$+ $: TMPOK
> R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr}
> rejected, see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}
>
> # DNS based IP address spam list relays.mail-abuse.org
> R$* $: $&{client_addr}
> R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.mail-abuse.org. $:
> OK $)
> ROK $: OKSOFAR
> R$+ $: TMPOK
> R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr}
> rejected; see http://mail-abuse.org/cgi-bin/nph-rss?$& {client_addr}
>
> # DNS based IP address spam list dialups.mail-abuse.org
> R$* $: $&{client_addr}
> R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.dialups.mail-abuse.org.
> $: OK $)
> ROK $: OKSOFAR
> R$+ $: TMPOK
> R$+ $#error $@ 5.7.1 $: Mail from dial-up rejected; see
> http://mail-abuse.org/dul/enduser.htm
>
> #DNS Based IP Address spam list relays.ordb.org
> R$* $: $&{client_addr}
> R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.ordb.org. $: OK $)
> ROK $: OKSOFAR
> R$+ $: TMPOK
> R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr}
> rejected; see http://www.ordb.org for more information
>
> #DNS Based IP Address spam list bl.spamcop.net
> R$* $: $&{client_addr}
> R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.bl.spamcop.net. $: OK $)
> ROK $: OKSOFAR
> R$+ $: TMPOK
> R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr}
> rejected; see http://www.spamcop.net for more information
>
>
> //////
> ( o o )
> +--.oooO--(_)--Oooo.-----------------+
> | [Kelly Hamlin]
> | kellyh@cyberstreet.com
> | http://www.bomb.net
> | .oooO
> | ( ) Oooo.
> +--- \ (----( )----------------------------+
> \_) ) /
> (_/
>
>

------------------------------------------
Henry C. Chorlian
Director of Information Technology
Center for Blood Research
800 Huntington Avenue
Boston, MA 02115-6303

Harvard Medical School Affiliate
chorlian@cbr.med.harvard.edu
Voice: (617) 278-3425
Fax: (617) 278-3493

From richard.siddall at ELIRION.NET Fri Jun 7 21:00:48 2002
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:14:56 2006
Subject: DNS BlackLists
References: <000701c20e57$0211f4b0$48cf75cc@fizz>
Message-ID: <3D0110F0.523179C2@elirion.net>

Kelly Hamlin wrote:
>
> Does anyone know of any more DNS Blacklists i can add? Aside from what i
> listed here is whats in my sendmail.cf. I added the spamcop.net one
> thismorning, and this drastically cut down on the number of spam.
>

There's a reasonably comprehensive list at ORDB. Do a database lookup
and then click on "Look up this host in non-ORDB RBL's," for example:
http://www.ordb.org/lookup/rbls/?host=pegasus.cyberstreet.com

UXN Spam Combat (http://combat.uxn.com) also has "Mønsted's DNSBL
Check," which is a link to: http://moensted.dk/spam/

Also, OSIRUSOFT provides a lookup on other DNSBLs it knows about at
http://relays.osirusoft.com/, for example:
http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=204.117.207.7

There's a link on the bottom of the Osirusoft page to:
http://www.sdsc.edu/~jeff/spam/cbc.html which actually does a comparison
of some DNSBLs.

The point I should be making is that there are plenty of DNSBLs you
could add. It would result in you rejecting mail from everyone. Don't
use a DNSBL you don't trust.

We're currently using ORDB (relays.ordb.org), Spamhaus
(sbl.spamhaus.org), and Spews (spews.relays.osirusoft.com). Spews is a
little overzealous and keeps blocking Topica.

Oh, I found sendmail dropped and added spaces in the reject message
unless I put quotes around fixed text, e.g.:

R$+ $#error $@ 5.7.1 $: "550 Mail from " $&{client_name} " rejected - see http://ordb.org/lookup/"

(Unfortunately the database search for most of the DNSBLs doesn't seem
to handle the client name or client address format sendmail generates,
so you can't generate useful URLs for the poor sysadmin who has to deal
with your reject.)

Regards,

Richard Siddall

From fizz at BOMB.NET Fri Jun 7 21:23:56 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:56 2006
Subject: DNS BlackLists
References: <200206071955.g57Jt21Q005665@cbr.med.harvard.edu>
Message-ID: <001701c20e61$400410a0$48cf75cc@fizz>

Unfortunately there isn't an easy way to insert it into sendmail.cf, if you have your sendmail.mc file should make life a bit easier, but if you're feeling brave, open sendmail.cf, and search for mail-abuse there should be 3 of them there, follow that format and add them there.

NOTE: the white space should be TABS otherwise sendmail will complain when you restart it.

----- Original Message -----
From: "Henry C. Chorlian" To: Sent: Friday, June 07, 2002 3:55 PM Subject: Re: DNS BlackLists > Were do you put this configuration in sendmail? I'm running > sendmail8.12.3 > > Tnx > > On Friday, June 07, 2002 at 03:10:37 PM, MailScanner mailing list wrote: > > > Does anyone know of any more DNS Blacklists i can add? Aside from what i > > listed here is whats in my sendmail.cf. I added the spamcop.net one > > thismorning, and this drastically cut down on the number of spam. > > > > # DNS based IP address spam list blackholes.mail-abuse.org > > R$* $: $&{client_addr} > > R$-.$-.$-.$- $: $(dnsbl > > $4.$3.$2.$1.blackholes.mail-abuse.org. $: OK $) > > ROK $: OKSOFAR > > R$+ $: TMPOK > > R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} > > rejected, see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr} > > > > # DNS based IP address spam list relays.mail-abuse.org > > R$* $: $&{client_addr} > > R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.mail-abuse.org. $: > > OK $) > > ROK $: OKSOFAR > > R$+ $: TMPOK > > R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} > > rejected; see http://mail-abuse.org/cgi-bin/nph-rss?$& {client_addr} > > > > # DNS based IP address spam list dialups.mail-abuse.org > > R$* $: $&{client_addr} > > R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.dialups.mail-abuse.org. > > $: OK $) > > ROK $: OKSOFAR > > R$+ $: TMPOK > > R$+ $#error $@ 5.7.1 $: Mail from dial-up rejected; see > > http://mail-abuse.org/dul/enduser.htm > > > > #DNS Based IP Address spam list relays.ordb.org > > R$* $: $&{client_addr} > > R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.relays.ordb.org. $: OK $) > > ROK $: OKSOFAR > > R$+ $: TMPOK > > R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} > > rejected; see http://www.ordb.org for more information > > > > #DNS Based IP Address spam list bl.spamcop.net > > R$* $: $&{client_addr} > > R$-.$-.$-.$- $: $(dnsbl $4.$3.$2.$1.bl.spamcop.net. 
$: OK $) > > ROK $: OKSOFAR > > R$+ $: TMPOK > > R$+ $#error $@ 5.7.1 $: Mail from $&{client_addr} > > rejected; see http://www.spamcop.net for more information > > > > > > ////// > > ( o o ) > > +--.oooO--(_)--Oooo.-----------------+ > > | [Kelly Hamlin] > > | kellyh@cyberstreet.com > > | http://www.bomb.net > > | .oooO > > | ( ) Oooo. > > +--- \ (----( )----------------------------+ > > \_) ) / > > (_/ > > > > > > ------------------------------------------ > Henry C. Chorlian > Director of Information Technology > Center for Blood Research > 800 Huntington Avenue > Boston, MA 02115-6303 > > Harvard Medical School Affiliate > chorlian@cbr.med.harvard.edu > Voice: (617) 278-3425 > Fax: (617) 278-3493 > From kwang at UCALGARY.CA Fri Jun 7 21:30:00 2002 From: kwang at UCALGARY.CA (Kai Wang) Date: Thu Jan 12 21:14:56 2006 Subject: the warning message invisible again Message-ID: <3D0117C8.95769D7B@ucalgary.ca> After Julian upgraded MailScanner to version 3.14, the warning message invisible thing didn't bother us for a while. It showed up again. Some of the infected messages with the content type like the following were not converted to "multipart/mixed". ------------------------------------------------------------------ ...... MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 X-MailScanner: Found to be infected, Found to be clean ...... ------------------------------------------------------------------ Kai From richard.siddall at ELIRION.NET Fri Jun 7 21:32:15 2002 
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:14:56 2006
Subject: DNS BlackLists
References: <200206071955.g57Jt21Q005665@cbr.med.harvard.edu>
Message-ID: <3D01184F.267BF84F@elirion.net>

"Henry C. Chorlian" wrote:
>
> Were do you put this configuration in sendmail? I'm running
> sendmail8.12.3
>

Henry,

You don't ;>

Kelly posted a snippet from sendmail.cf. Editing sendmail.cf was so
error-prone that sendmail went to generating the sendmail.cf from a
sendmail.mc file using a macro processing program called m4.

Unless there's a good reason to hand-edit your sendmail.cf, make a
backup copy of your sendmail.mc file and insert something like the
following:

FEATURE(dnsbl,`relays.ordb.org',`Mail from $&{client_addr} rejected - see http://ordb.org/')dnl

for each of the blacklists you wish to use. Then rebuild your
sendmail.cf file. (Actually, I'd recommend checking you can generate a
sendmail.cf from your original sendmail.mc before making any changes.)

WARNING: The name and parameters of the feature may have changed from
the version of sendmail I'm using and the one you are.

You're telling m4 to use the DNSBL macro, which expands to code to check
a DNS blacklist. The first parameter is the DNS server to check, the
second the (hopefully useful) error message to send when you reject a
message.

I think this is a sendmail FAQ. Have a look at the sendmail site.
http://www.sendmail.org/

Regards,

Richard Siddall.

From mike at ZANKER.ORG Fri Jun 7 22:14:55 2002
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:56 2006 Subject: DNS BlackLists In-Reply-To: <5.1.0.14.2.20020607204409.035e4aa8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020607204409.035e4aa8@imap.ecs.soton.ac.uk> Message-ID: <562874180.1023488095@jemima.zanker.org> On 07 June 2002 20:44 +0100 Julian Field wrote: > Thanks for the pointer to spamcop.net, I'll put it in the MailScanner > distribution. Be careful with spamcop.net, though. Their algorithms aren't foolproof - our university primary MX host ended up in spamcop.net's black list owing to a member of staff reporting some spam and spamcop picking the wrong Received: header! Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From mailscanner-sub at WIREHUB.NET Sat Jun 8 01:01:34 2002 From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:14:56 2006 Subject: DNS BlackLists In-Reply-To: References: Message-ID: <89i2gu891qlj6fkb3mutk10486ich92of1@hail.bengrimm.net> On 7 Jun 2002 21:31:06 +0200, Kelly Hamlin wrote: > Does anyone know of any more DNS Blacklists i can add? Check out the .sig and the documentation. -- Wirehub! Internet Abuse Handling Dept. - abuse@wirehub.net -- - Blacklists/DNSBLs: http://basic.wirehub.nl/spamstats.html - --AUP: http://www.wirehub.net/pub/av/aup-nl (Dutch) --------- --AUP: http://www.wirehub.net/pub/av/aup-en (English) ------- From nwp at LEMON-COMPUTING.COM Sat Jun 8 01:11:33 2002 
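Added example, not part of any message in this thread: the lookup that the `$(dnsbl $4.$3.$2.$1.zone. $: OK $)` rules quoted earlier perform, written as shell functions with a per-list action so that a list you trust less only tags mail instead of rejecting it. The policy table, the function names, the answers returned by `sample_resolver` and the documentation-range addresses are all constructed; `host_resolver` is the live variant and is not used by the sample run.

```shell
#!/bin/sh
# Added example: DNSBL lookups with a per-list action. All sample data is
# constructed; the zone names are the ones mentioned in this thread.

# One "zone action" pair per line. "reject" refuses the mail, "tag" only
# marks it. This particular assignment is an assumption, not a recommendation.
DNSBL_POLICY='bl.spamcop.net tag
relays.ordb.org reject
sbl.spamhaus.org reject'

# Command that maps a query name to the A record it resolves to (or nothing).
DNSBL_RESOLVER=sample_resolver

# Build the query name the way the sendmail rule does: reversed octets,
# then the zone, with a trailing dot. Fails for anything but dotted IPv4.
dnsbl_qname() {
    q_ip=$1; q_zone=$2
    case $q_ip in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    q_ifs=$IFS; IFS=.
    set -- $q_ip
    IFS=$q_ifs
    [ $# -eq 4 ] || return 1
    for q_o in "$@"; do
        [ "${#q_o}" -le 3 ] && [ "$q_o" -le 255 ] || return 1
    done
    echo "$4.$3.$2.$1.$q_zone."
}

# Constructed answers standing in for DNS, so the example runs offline.
sample_resolver() {
    case $1 in
        2.2.0.192.bl.spamcop.net.)    echo 127.0.0.2 ;;
        2.2.0.192.relays.ordb.org.)   echo 127.0.0.2 ;;
        9.100.51.198.bl.spamcop.net.) echo 127.0.0.2 ;;
        5.113.0.203.sbl.spamhaus.org.) echo 203.0.113.80 ;;  # not a 127.x answer
    esac
}

# Live variant (needs network): first A record reported by host(1).
host_resolver() {
    host -t A "$1" 2>/dev/null | awk '/ has address / { print $NF; exit }'
}

# Print "reject ZONE", "tag ZONE[,ZONE...]" or "accept" for one client address.
# A reject listing wins over tag listings regardless of policy order.
dnsbl_verdict() {
    v_ip=$1; v_tags=
    while read -r v_zone v_action; do
        [ -n "$v_zone" ] || continue
        v_q=$(dnsbl_qname "$v_ip" "$v_zone") || { echo "error bad-address"; return 2; }
        v_ans=$("$DNSBL_RESOLVER" "$v_q") || true
        case $v_ans in
            127.*) ;;        # DNSBLs signal a listing with a 127.0.0.x answer
            *) continue ;;   # no record, or an answer that is not a listing
        esac
        if [ "$v_action" = reject ]; then
            echo "reject $v_zone"
            return 0
        fi
        v_tags="${v_tags:+$v_tags,}$v_zone"
    done <<EOF
$DNSBL_POLICY
EOF
    if [ -n "$v_tags" ]; then echo "tag $v_tags"; else echo accept; fi
}

# Sample run over constructed client addresses.
for demo_ip in 192.0.2.2 198.51.100.9 203.0.113.5 192.0.2.77; do
    printf '%s -> %s\n' "$demo_ip" "$(dnsbl_verdict "$demo_ip")"
done
```
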
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:56 2006 Subject: DNS BlackLists In-Reply-To: <000701c20e57$0211f4b0$48cf75cc@fizz> References: <000701c20e57$0211f4b0$48cf75cc@fizz> Message-ID: <20020608001133.GX18801@hoiho.nz.lemon-computing.com> On Fri, Jun 07, 2002 at 03:10:37PM -0400, Kelly Hamlin wrote: > Does anyone know of any more DNS Blacklists i can add? Aside from what i > listed here is whats in my sendmail.cf. I added the spamcop.net one > thismorning, and this drastically cut down on the number of spam. Personally I'd only tag rather than reject based on spamcop; last time I looked they were IMHO a little over-keen in their definition of spam. YMMV... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You will be Told about it Tomorrow. Go Home and Prepare Thyself. From nathan at tcpnetworks.net Sat Jun 8 03:34:48 2002 From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:14:56 2006 Subject: Confirming Mime::Tools Version? Message-ID: <200206080234.g582Ym704729@ns2.tcpnetworks.com> Hello, I saw the posts on the mailing list (and on the web site) regarding the Mime::Tools patch. Can someone tell me how to confirm which version of MIME::Tools I'm running? I fished around for some docs and even made my way to the associated files in the site-perl directory, but can't seem to uncover the version number. Is there a command I can run that'll tell me? I'm running RedHat 7.2 fully updated, with Perl 5.6.1. Thanks in advance! Nathan Johanson nathan@johansonweb.com From nathan at tcpnetworks.net Sat Jun 8 04:49:09 2002 
From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:14:56 2006 Subject: Nevermind... :) Message-ID: <200206080349.g583n9K05589@ns2.tcpnetworks.com> I was able to confirm the version of MIME::Tools by checking the time stamps noted in the patch file against the time stamps of the corresponding files on my system. I unpacked 5.411 and checked against that as well. Still curious though... is there some way to get the version number of an installed perl module using a command, or by checking a file or notation somewhere on the file system? -- Nathan Johanson nathan@johansonweb.com From nwp at LEMON-COMPUTING.COM Sat Jun 8 06:11:41 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:56 2006 Subject: Nevermind... :) In-Reply-To: <200206080349.g583n9K05589@ns2.tcpnetworks.com> References: <200206080349.g583n9K05589@ns2.tcpnetworks.com> Message-ID: <20020608051141.GZ18801@hoiho.nz.lemon-computing.com> > Still curious though... is there some way to get the version number of an > installed perl module using a command, or by checking a file or notation > somewhere on the file system? perl -e 'use MIME::Tools; print $MIME::Tools::VERSION . "\n";' Similar should work for all well-made modules. -- Nick Phillips -- nwp@lemon-computing.com You have been selected for a secret mission. From LISTSERV at JISCMAIL.AC.UK Sun Jun 9 03:51:00 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:56 2006 Subject: MAILSCANNER: moacyrs@AKADNYX.COM.BR requested to join Message-ID: <200206090251.DAA23631@magpie.ecs.soton.ac.uk> Sun, 9 Jun 2002 03:51:00 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Moacyr Silva You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER moacyrs@AKADNYX.COM.BR Moacyr Silva PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER moacyrs@AKADNYX.COM.BR Moacyr Silva // EOJ From wkuiters at FREE.FR Sun Jun 9 17:44:25 2002 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate Message-ID: <20020609164425.GA1858@bragann> I've been trying the sophos auto-update script that comes with mailscanner. (Julian got me scared about locking sophos while updating). Everything seems to work, a new directory is made with a fresh set of ide files, but the symlink directing towards it seems to have problems and when I launch sweep after running the script it complains that it can't find the .dat file. What could be the cause? -- ///// Willem Kuiters \\ - - // ( @ @ ) ----oOOo--(_)-oOOo-------------------------------------------- ** "In general those who nothing have to say, contrive to ** ** spend the longest time in doing it" -- James R. Lowell ** ---------------Ooooo------------------------------------------ ( ) ooooO ) / ( ) (_/ \ ( \_) --(Htag.pl 0.0.19)-- From jkf at ecs.soton.ac.uk Sun Jun 9 17:57:37 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020609164425.GA1858@bragann> Message-ID: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> At 17:44 09/06/2002, you wrote: >I've been trying the sophos auto-update script that comes with >mailscanner. (Julian got me scared about locking sophos while updating). >Everything seems to work, a new directory is made with a fresh set of ide >files, but the symlink directing towards it seems to have problems and >when I launch sweep after running the script it complains that it can't >find the .dat file. What could be the cause? What sort of a problem? You should end up with a symlink "ide" pointing to a directory named . for example 356.200206090402 And when it has run, don't run sweep, run "sophoswrapper" which sets up the environment variables to point to the directory it has created (via the "ide" symlink). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From wkuiters at FREE.FR Sun Jun 9 20:36:03 2002 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> References: <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> Message-ID: <20020609193603.GA2281@bragann> Hello again, On Sun, Jun 09, 2002 at 05:57:37PM +0100, Julian Field wrote: > > At 17:44 09/06/2002, you wrote: > >I've been trying the sophos auto-update script that comes with > >mailscanner. (Julian got me scared about locking sophos while updating). > >Everything seems to work, a new directory is made with a fresh set of ide > >files, but the symlink directing towards it seems to have problems and > >when I launch sweep after running the script it complains that it can't > >find the .dat file. What could be the cause? > > What sort of a problem? You should end up with a symlink "ide" pointing to > a directory named > . > for example > 356.200206090402 > > And when it has run, don't run sweep, run "sophoswrapper" which sets up the > environment variables to point to the directory it has created (via the > "ide" symlink). OK, I did that, I put the sophoswrapper script, like sweep, in /usr/local/bin and changed /etc/mailscanner.conf to use it instead of sweep. I changed /etc/sav.conf to point to /usr/local/ide so that the sweep command when launched by me on the command line also takes the new ide files into account. Next step is to link the autoupdate script to a procmail recipe so that it is launched upon warnings coming from Sophos Is all this OK or will I run into problems? Running sweep shows me that it uses the updated ide files (through the output on the screen). Is there any way to see that the sophoswrapper script does so as well? (Now that I got truly paranoid, this would be reassuring). Many thanks for your help, Willem -- ???`????,??,????`????,??,????`????,??,????`????,??,????`????,??,????`???? 
** "Success generally depends upon knowing how ** ** long it takes to succeed" -- Montesquieu ** ???`????,??,????`????,??,????`????,??,????`????,??,????`????,??,????`???? ** htag 0.0.19 ** From jkf at ecs.soton.ac.uk Sun Jun 9 21:12:48 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020609193603.GA2281@bragann> References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> At 20:36 09/06/2002, you wrote: >OK, I did that, I put the sophoswrapper script, like sweep, in >/usr/local/bin and changed /etc/mailscanner.conf to use it instead of >sweep. I changed /etc/sav.conf to point to /usr/local/ide so that the >sweep command when launched by me on the command line also takes the new >ide files into account. Next step is to link the autoupdate script to a >procmail recipe so that it is launched upon warnings coming from Sophos > >Is all this OK or will I run into problems? Why not just leave everything where I put it? To install Sophos, put the downloaded .tar.Z file into, say, /tmp, then cd /tmp /usr/local/MailScanner.bin/Sophos.install then /usr/local/Sophos/bin/sophoswrapper You don't need to move *anything*. Put Sweep = /usr/local/Sophos/bin/sophoswrapper into your mailscanner.conf file (which would normally be in /usr/local/MailScanner/etc unless you've moved that too :-) If you want to run autoupdate from a procmail recipe, that's fine, you can run it whenever you like. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From wkuiters at FREE.FR Sun Jun 9 21:32:04 2002 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> Message-ID: <20020609203204.GA2464@bragann> Hello, On Sun, Jun 09, 2002 at 09:12:48PM +0100, Julian Field wrote: > > At 20:36 09/06/2002, you wrote: > >OK, I did that, I put the sophoswrapper script, like sweep, in > >/usr/local/bin and changed /etc/mailscanner.conf to use it instead of > >sweep. I changed /etc/sav.conf to point to /usr/local/ide so that the > >sweep command when launched by me on the command line also takes the new > >ide files into account. Next step is to link the autoupdate script to a > >procmail recipe so that it is launched upon warnings coming from Sophos > > > >Is all this OK or will I run into problems? > > Why not just leave everything where I put it? > To install Sophos, put the downloaded .tar.Z file into, say, /tmp, then > cd /tmp > /usr/local/MailScanner.bin/Sophos.install > then > /usr/local/Sophos/bin/sophoswrapper > > You don't need to move *anything*. Put > Sweep = /usr/local/Sophos/bin/sophoswrapper > into your mailscanner.conf file (which would normally be in > /usr/local/MailScanner/etc unless you've moved that too :-) Well, I use the Debian Woody package of mailscanner and mailscanner.conf thus lives in /etc/mailscanner ;) I don't know where the Sophos.install script is but it is not in /usr/local. To install Sophos I use their install.sh script which puts things in /usr/local. I adapted the autoupdate script and that now runs fine with the defaults of the Sophos install script. Thanks for your quick replies. Willem -- () () --- "I'm not young enough to know everything" -- --- (? ?) --- J.M. 
Barrie --- /\ /\ --- --- ( " ) " "-----/ --- (Htag.pl 0.0.19) --- From jkf at ecs.soton.ac.uk Mon Jun 10 10:19:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020609203204.GA2464@bragann> References: <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020610101736.03447b68@imap.ecs.soton.ac.uk> At 21:32 09/06/2002, you wrote: >Well, I use the Debian Woody package of mailscanner and mailscanner.conf >thus lives in /etc/mailscanner ;) I don't know where the Sophos.install >script is but it is not in /usr/local. To install Sophos I use their >install.sh script which puts things in /usr/local. I adapted the >autoupdate script and that now runs fine with the defaults of the Sophos >install script. As this turned out to be a Debian packaging problem (and therefore beyond my control), please can you forward your suggested changes to the Debian folks so that their package can be improved. The last thing anyone wants is for them to be accidentally shipping a broken package. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mdchaney at MICHAELCHANEY.COM Mon Jun 10 14:06:44 2002 
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020609203204.GA2464@bragann>; from wkuiters@FREE.FR on Sun, Jun 09, 2002 at 10:32:04PM +0200 References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> <20020609203204.GA2464@bragann> Message-ID: <20020610080644.B20826@michaelchaney.com> On Sun, Jun 09, 2002 at 10:32:04PM +0200, Willem Kuiters wrote: > Well, I use the Debian Woody package of mailscanner and mailscanner.conf > thus lives in /etc/mailscanner ;) I don't know where the Sophos.install > script is but it is not in /usr/local. To install Sophos I use their > install.sh script which puts things in /usr/local. I adapted the > autoupdate script and that now runs fine with the defaults of the Sophos > install script. Sigh. What is it with Debian users? Mailscanner is updated way too often for you to rely on the Debian folks to give it to you. Get it straight from the tap, and use the default install locations. It'll make your life way easier, I promise. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From jkf at ecs.soton.ac.uk Mon Jun 10 14:22:28 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020610080644.B20826@michaelchaney.com> References: <20020609203204.GA2464@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> <20020609203204.GA2464@bragann> Message-ID: <5.1.0.14.2.20020610142202.02b96960@imap.ecs.soton.ac.uk> At 14:06 10/06/2002, you wrote: >Mailscanner is updated way too often for you to rely on the Debian folks >to give it to you. My apologies, I'll try to be lazier in future :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From wkuiters at FREE.FR Mon Jun 10 14:25:13 2002 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020610080644.B20826@michaelchaney.com> References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> <20020609203204.GA2464@bragann> <20020610080644.B20826@michaelchaney.com> Message-ID: <20020610132513.GA3429@bragann> Guten Tag MailScanner On Mon, Jun 10, 2002 at 08:06:44AM -0500, Michael Chaney wrote: > > On Sun, Jun 09, 2002 at 10:32:04PM +0200, Willem Kuiters wrote: > > Well, I use the Debian Woody package of mailscanner and mailscanner.conf > > thus lives in /etc/mailscanner ;) I don't know where the Sophos.install > > script is but it is not in /usr/local. To install Sophos I use their > > install.sh script which puts things in /usr/local. I adapted the > > autoupdate script and that now runs fine with the defaults of the Sophos > > install script. > > Sigh. What is it with Debian users? I guess we're all addicted to "apt";) > Mailscanner is updated way too > often for you to rely on the Debian folks to give it to you. Get it > straight from the tap, and use the default install locations. It'll > make your life way easier, I promise. OK, I'll think about it. There's something about having a "clean" system though. (Especially with "apt"). -- ///// Willem Kuiters \\ - - // ( @ @ ) ----oOOo--(_)-oOOo-------------------------------------------- ** "The greatest enemy of creativity is good taste" -- ** ** Picasso ** ---------------Ooooo------------------------------------------ ( ) ooooO ) / ( ) (_/ \ ( \_) --(Htag.pl 0.0.19)-- From lbergman at abi.tconline.net Mon Jun 10 14:45:13 2002 
From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020610132513.GA3429@bragann> References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020610080644.B20826@michaelchaney.com> <20020610132513.GA3429@bragann> Message-ID: <200206100845.13529.lbergman@abi.tconline.net> > > Sigh. What is it with Debian users? > > I guess we're all addicted to "apt";) > Amen to that brother. > > Mailscanner is updated way too > > often for you to rely on the Debian folks to give it to you. Get it > > straight from the tap, and use the default install locations. It'll > > make your life way easier, I promise. > > OK, I'll think about it. There's something about having a "clean" system > though. (Especially with "apt"). It is nice to type a one line command and update your entire system. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From David.Sullivan at BARNET.AC.UK Mon Jun 10 15:47:47 2002 
From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020610132513.GA3429@bragann> References: <20020610080644.B20826@michaelchaney.com> Message-ID: <3D04C9E3.5785.7C569325@localhost> On 10 Jun 2002 at 15:25, Willem Kuiters wrote: > > On Mon, Jun 10, 2002 at 08:06:44AM -0500, Michael Chaney wrote: > > > > On Sun, Jun 09, 2002 at 10:32:04PM +0200, Willem Kuiters wrote: > > > Well, I use the Debian Woody package of mailscanner and mailscanner.conf > > > thus lives in /etc/mailscanner ;) I don't know where the Sophos.install > > > script is but it is not in /usr/local. To install Sophos I use their > > > install.sh script which puts things in /usr/local. I adapted the > > > autoupdate script and that now runs fine with the defaults of the Sophos > > > install script. > > > > Sigh. What is it with Debian users? > > I guess we're all addicted to "apt";) > > > Mailscanner is updated way too > > often for you to rely on the Debian folks to give it to you. Get it > > straight from the tap, and use the default install locations. It'll > > make your life way easier, I promise. Woody has been frozen since it'll be the "stable" version of Debian RSN, you'd only really find the very latest version updates in the "unstable" distribution fork (sid). It's the price you pay for trying to have a "stable" distribution of pre- packaged applications. -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. 
Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From arthur at HILJO.NL Mon Jun 10 17:02:59 2002 From: arthur at HILJO.NL (Arthur Groen) Date: Thu Jan 12 21:14:56 2006 Subject: sendmail debian Message-ID: <010201c21098$4c597640$02f9dddd@hildom> He.. there are more woody users with mailscanner!!. > OK, I'll think about it. There's something about having a "clean" system > though. (Especially with "apt"). In the installation notes on Mailscanner there is a line telling me to start the two sendmail's in the /etc/init.d/sendmail script. But Debian/Woody is using some "helper" files in: datadir="/usr/share"; . ${datadir}/sendmail/sm_helper.sh; I have sent a mail to Richard Nelson, the writer of the sendmail script with no results. How did you insert the start of the two sendmails without breaking the other functionality of the sendmail scripts.. (I have sent a mail to Richard Nelson, the writer of the sendmail script with no results.) rgds /Arthur ICQ 155318156 MSN arthur@hiljo.nl TEL 0297-355776 From wkuiters at FREE.FR Mon Jun 10 17:14:24 2002 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <3D04C9E3.5785.7C569325@localhost> References: <20020610080644.B20826@michaelchaney.com> <3D04C9E3.5785.7C569325@localhost> Message-ID: <20020610161424.GA4404@bragann> Guten Tag MailScanner On Mon, Jun 10, 2002 at 03:47:47PM +0100, David Sullivan wrote: > > > > Sigh. What is it with Debian users? > > > > I guess we're all addicted to "apt";) > > > > > Mailscanner is updated way too > > > often for you to rely on the Debian folks to give it to you. Get it > > > straight from the tap, and use the default install locations. It'll > > > make your life way easier, I promise. > > Woody has been frozen since it'll be the "stable" version of Debian RSN, you'd > only really find the very latest version updates in the "unstable" distribution > fork (sid). > It's the price you pay for trying to have a "stable" distribution of pre- > packaged applications. Well, Woody is still in "testing" as yet I believe. When Woody becomes stable, Sid will become the "testing" distribution. I have "testing" in my /etc/apt/sources.list so I guess I will continue to have a relatively up-to-date version on running apt-get install mailscanner. But, well, we're getting off-topic here. Willem -- ???`????,??,????`????,??,????`????,??,????`????,??,????`????,??,????`???? ** "Strange to see how a good dinner and feasting ** ** reconciles everybody" -- Samuel Pepys ** ???`????,??,????`????,??,????`????,??,????`????,??,????`????,??,????`???? ** htag 0.0.19 ** From LISTSERV at JISCMAIL.AC.UK Mon Jun 10 17:48:25 2002 
From jaearick at colby.edu Mon Jun 10 20:26:30 2002 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Jan 12 21:14:56 2006 Subject: DNS BlackLists In-Reply-To: <5.1.0.14.2.20020607204409.035e4aa8@imap.ecs.soton.ac.uk> Message-ID: Y'all, The definitive list of blacklists is at: http://www.declude.com/JunkMail/Support/ip4r.htm Enjoy. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Fri, 7 Jun 2002, Julian Field wrote: > Date: Fri, 7 Jun 2002 20:44:54 +0100 
> From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: DNS BlackLists > > Kelly, > > Thanks for the pointer to spamcop.net, I'll put it in the MailScanner > distribution. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From isp-list at TULSACONNECT.COM Mon Jun 10 23:45:59 2002 
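Added example, not part of any list message and not MailScanner code: the two cautions raised in the DNS BlackLists thread (a blacklist acting on the wrong Received: header, and tagging rather than rejecting on spamcop) worked through in Python. The addresses, host names, trusted network and the second zone `dnsbl.example.invalid` are constructed, and `bl.spamcop.net` is assumed to be the zone meant by "spamcop.net".

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: three hops, newest first, using documentation address ranges.
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mailstore.example.org with ESMTP; Fri, 7 Jun 2002 20:00:02 +0100\n"
    "Received: from mta.sender.example (mta.sender.example [198.51.100.25])\n"
    "\tby relay.example.org with ESMTP; Fri, 7 Jun 2002 20:00:01 +0100\n"
    "Received: from pc (unknown [203.0.113.99])\n"
    "\tby mta.sender.example with SMTP; Fri, 7 Jun 2002 19:59:58 +0100\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumption: our own MX and internal relays live in this network.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

# Per-zone action: tag on the aggressive list, reject only on a list you fully trust.
POLICY = {"bl.spamcop.net": "tag", "dnsbl.example.invalid": "reject"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Client IP recorded in each Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        # Only the "from ..." clause names the connecting client.
        from_clause = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_clause)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. [999.1.1.1]
    return ips


def handoff_ip(raw_message, trusted):
    """First hop outside our own networks: the only IP our servers vouch for.

    Taking the top header blindly would blame our own relay (the failure
    described in the thread); anything below the handoff is sender-supplied.
    """
    for ip in received_ips(raw_message):
        if not any(ip in net for net in trusted):
            return ip
    return None


def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dns_listed(name):
    """Live lookup: a listed address resolves into 127.0.0.0/8."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False


def decide(ip, policy, listed=dns_listed):
    """Return (action, zones_that_listed_the_ip)."""
    hits = [zone for zone in policy if listed(dnsbl_name(ip, zone))]
    if any(policy[zone] == "reject" for zone in hits):
        return "reject", hits
    return ("tag" if hits else "accept"), hits


if __name__ == "__main__":
    ip = handoff_ip(SAMPLE, TRUSTED)
    print("top header (wrong choice):", received_ips(SAMPLE)[0])
    print("handoff IP:", ip, "->", dnsbl_name(ip, "bl.spamcop.net"))
```
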
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? Message-ID: <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> When a customer receives a message that had the Klez virus that I am assuming was base64 encoded, the user gets the usual "virus found" message and the attached virusfound.txt file, that says: /17HXoY-000AMo-00/bgcolor.pif Found the W32/Klez.h@MM virus Shortcuts to MS-Dos programs are very dangerous in email in bgcolor.pif However, in the *body* of the email, this appears: Content-Type: application/octet-stream; name=PerformFlightSearch[1].htm Content-Transfer-Encoding: base64 Content-ID: CjwhZG9jdHlwZSBodG1sIHB1YmxpYyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlv bmFsLy9FTiI+CjxodG1sPgo8aGVhZD4KPHRpdGxlPk9yYml0ejogRmxpZ2h0IFNlYXJjaCBS ZXN1bHRzLSBEb21lc3RpYzwvdGl0bGU+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0 IiBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSIvaW5jbHVkZS9icm93c2VyX2RldGVjdC5q (rest is truncated). Any ideas why this is occurring? --Mike From mdchaney at MICHAELCHANEY.COM Tue Jun 11 02:45:11 2002 
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? In-Reply-To: <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com>; from isp-list@TULSACONNECT.COM on Mon, Jun 10, 2002 at 05:45:59PM -0500 References: <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> Message-ID: <20020610204511.E23933@michaelchaney.com> On Mon, Jun 10, 2002 at 05:45:59PM -0500, ISP List wrote: > When a customer receives a message that had the Klez virus that I am > assuming was base64 encoded, the user gets the usual "virus found" message > and the attached virusfound.txt file, that says: > > /17HXoY-000AMo-00/bgcolor.pif Found the W32/Klez.h@MM virus > Shortcuts to MS-Dos programs are very dangerous in email in bgcolor.pif > > However, in the *body* of the email, this appears: > > Content-Type: application/octet-stream; > name=PerformFlightSearch[1].htm > Content-Transfer-Encoding: base64 > Content-ID: > > CjwhZG9jdHlwZSBodG1sIHB1YmxpYyAiLS8vVzNDLy9EVEQgSFRNTCA0LjAgVHJhbnNpdGlv > bmFsLy9FTiI+CjxodG1sPgo8aGVhZD4KPHRpdGxlPk9yYml0ejogRmxpZ2h0IFNlYXJjaCBS > ZXN1bHRzLSBEb21lc3RpYzwvdGl0bGU+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0 > IiBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSIvaW5jbHVkZS9icm93c2VyX2RldGVjdC5q If you'll check it you'll find that it isn't infected. Klez seems to attach a couple of files, and (at least with F-Prot) the infected one is cleaned and sent on. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From nwp at LEMON-COMPUTING.COM Tue Jun 11 02:59:01 2002 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <20020610080644.B20826@michaelchaney.com> References: <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <20020609164425.GA1858@bragann> <5.1.0.14.2.20020609175531.034ba0b8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020609210930.03252620@imap.ecs.soton.ac.uk> <20020609203204.GA2464@bragann> <20020610080644.B20826@michaelchaney.com> Message-ID: <20020611015901.GZ18801@hoiho.nz.lemon-computing.com> On Mon, Jun 10, 2002 at 08:06:44AM -0500, Michael Chaney wrote: > On Sun, Jun 09, 2002 at 10:32:04PM +0200, Willem Kuiters wrote: > > Well, I use the Debian Woody package of mailscanner and mailscanner.conf > > thus lives in /etc/mailscanner ;) I don't know where the Sophos.install > > script is but it is not in /usr/local. To install Sophos I use their > > install.sh script which puts things in /usr/local. I adapted the > > autoupdate script and that now runs fine with the defaults of the Sophos > > install script. > > Sigh. What is it with Debian users? Mailscanner is updated way too > often for you to rely on the Debian folks to give it to you. Get it > straight from the tap, and use the default install locations. It'll > make your life way easier, I promise. For what it's worth, I'll probably be taking over the Debian mailscanner package after the next big release of mailscanner. At that point I will be making the packages available both through the normal Debian repositories, and also through a mailscanner-only repository to enable those of you who run Woody (which will then be stable) to update mailscanner without having to learn how to use apt pinning. The specific problem with Debian and mailscanner in this particular case is that as far as Debian is concerned, the mailscanner package shouldn't really be including bits relating to all sorts of other packages (e.g. tnef, perl modules, AV scanners etc.). 
There isn't really a great solution to this at the moment. Um, the next big version of mailscanner will also have all the autoconf gunk that I've been playing with, which will make it nice and easy for you to keep it up-to-date and separate from your system's preinstalled stuff, too, should you so desire (I have both the Debian package installed and the autoconf'ed stuff - I'm using the autoconf-installed bits while I develop stuff). If a few people want to volunteer to test the autoconfiscation, please email me privately and I'll send you a tarball of what I'm working on. Be warned that this will also include one or two other things that are currently being tested. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Your lucky number is 3552664958674928. Watch for it everywhere. From isp-list at TULSACONNECT.COM Tue Jun 11 03:58:48 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? In-Reply-To: <20020610204511.E23933@michaelchaney.com> References: <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> Message-ID: <5.1.1.6.2.20020610215749.02dc2848@securemail.tulsaconnect.com> >If you'll check it you'll find that it isn't infected. Klez seems to >attach a couple of files, and (at least with F-Prot) the infected one is >cleaned and sent on. > >Michael I don't doubt that it has been cleaned, but the odd thing is that it appears in the *body* of the message and is not an attachment at all. It only happens with Klez it seems. I don't understand why it isn't being treated like any other attachment. --Mike From nwp at LEMON-COMPUTING.COM Tue Jun 11 04:28:31 2002 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? In-Reply-To: <5.1.1.6.2.20020610215749.02dc2848@securemail.tulsaconnect.com> References: <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> <5.1.1.6.2.20020610215749.02dc2848@securemail.tulsaconnect.com> Message-ID: <20020611032831.GC18801@hoiho.nz.lemon-computing.com> On Mon, Jun 10, 2002 at 09:58:48PM -0500, ISP List wrote: > I don't doubt that it has been cleaned, but the odd thing is that it > appears in the *body* of the message and is not an attachment at all. It > only happens with Klez it seems. I don't understand why it isn't being > treated like any other attachment. Klez does weird things and, it seems, often doesn't do MIME properly. It could be that Klez has randomly inserted the file into the body rather than as an attachment, and then been cleaned from wherever it was, leaving just its debris. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Tomorrow, you can be anywhere. From randyf at SIBERNET.COM Tue Jun 11 05:15:21 2002 
From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? In-Reply-To: <20020611032831.GC18801@hoiho.nz.lemon-computing.com> Message-ID: Klez mostly works by making the mailer decode an HTML document, and hence automatically executing the attached virus. No need to click on the attachment as Outlook (at least an unpatched one) will choose to decode the file and run any programs associated with it. So most Outlook users won't even know they have already infected themselves. If you decoded the attachment, you should see how this works (another fine reason to NOT use HTML encoding in e-mail). On Tue, 11 Jun 2002, Nick Phillips wrote: > On Mon, Jun 10, 2002 at 09:58:48PM -0500, ISP List wrote: > > > I don't doubt that it has been cleaned, but the odd thing is that it > > appears in the *body* of the message and is not an attachment at all. It > > only happens with Klez it seems. I don't understand why it isn't being > > treated like any other attachment. > > Klez does weird things and, it seems, often doesn't do MIME properly. > > It could be that Klez has randomly inserted the file into the body rather > than as an attachment, and then been cleaned from wherever it was, leaving > just its debris. > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > Tomorrow, you can be anywhere. > From LISTSERV at JISCMAIL.AC.UK Tue Jun 11 01:39:58 2002 
From jkf at ecs.soton.ac.uk Tue Jun 11 09:14:34 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: base64 encoding/klez? In-Reply-To: <5.1.1.6.2.20020610215749.02dc2848@securemail.tulsaconnect.com> References: <20020610204511.E23933@michaelchaney.com> <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> <5.1.1.6.2.20020610174223.02899b60@securemail.tulsaconnect.com> Message-ID: <5.1.0.14.2.20020611091253.053b1710@imap.ecs.soton.ac.uk> At 03:58 11/06/2002, you wrote: >>If you'll check it you'll find that it isn't infected. Klez seems to >>attach a couple of files, and (at least with F-Prot) the infected one is >>cleaned and sent on. >> >>Michael > >I don't doubt that it has been cleaned, but the odd thing is that it >appears in the *body* of the message and is not an attachment at all. It >only happens with Klez it seems. I don't understand why it isn't being >treated like any other attachment. Can I just stress that in every one of the few hundred cases of Klez I have seen, the remnants of the message are totally harmless once MailScanner has removed the dangerous content (which it always does). The SMTP/MIME engine built into Klez doesn't create MIME messages properly, which is why you get the remnants. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From chorlian at CBR.MED.HARVARD.EDU Tue Jun 11 14:03:14 2002
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate Message-ID: <200206111303.g5BD3EnL002315@cbr.med.harvard.edu> Good morning, Thanks very very much for the excellent MailScanner program. It's working great! Now for my problem with autoupdate. I've been manually updating the sophos ide section but would really like the autoupdate script to work. I'm sure you'll see this right away, extra pair of eyes... I have sophos and mailscanner running from /opt2 instead of the defaults but on the same filesystem. When I run autoupdates the sophos directory ends up looking like this:

cbr:/opt2/sophos-> ls -la
total 14
drwxr-xr-x 7 root other 512 Jun 11 08:47 ./
drwxr-xr-x 16 root root 512 Jun 11 08:33 ../
drwxr-xr-x 2 root other 512 Jun 11 08:47 358.200206110847/
drwxr-xr-x 2 root root 512 Jun 11 08:46 bin/
drwxr-xr-x 2 root root 512 Jun 11 08:49 ide/
drwxr-xr-x 2 root root 512 Jun 11 08:33 lib/
drwxr-xr-x 4 root root 512 Jun 11 08:33 man/

A link to the 358.200206110847/ doesn't appear to happen, and I end up downloading the latest 358_ides.zip file into the ide directory manually and unzipping it there for the updates to work. Please help on this simple problem. I know I'm in the Twilight Zone on this one.... Thanks, Henry ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From kylist at SHCORP.COM Tue Jun 11 14:37:56 2002
From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:14:56 2006 Subject: sendmail debian In-Reply-To: <010201c21098$4c597640$02f9dddd@hildom> References: <010201c21098$4c597640$02f9dddd@hildom> Message-ID: <45962.10.10.1.95.1023802676.squirrel@webmail.shcorp.com> Arthur Groen said: > He.. there are more woody users with mailscanner!!. > >> OK, I'll think about it. There's something about having a "clean" >> system though. (Especially with "apt"). > > In the installation notes on Mailscanner there is a line telling me to > start the two sendmails in the /etc/init.d/sendmail script. > > But Debian/Woody is using some "helper" files in: > datadir="/usr/share"; > . ${datadir}/sendmail/sm_helper.sh; > > I have sent a mail to Richard Nelson, the writer of the sendmail script > with no results. > > How did you insert the start of the two sendmails > without breaking the other functionality of the sendmail scripts.. > > (I have sent a mail to Richard Nelson, the writer of the sendmail > script > with no results.) > > > rgds > /Arthur > ICQ 155318156 > MSN arthur@hiljo.nl > TEL 0297-355776 I was *not* able to get the mailscanner setup to work using /etc/mail/sendmail.conf settings. I made some changes to this file and ran "sendmailconfig". I saw the two daemon processes running as expected: one to deliver to the mqueue.in folder, one to send outgoing messages. Messages were delivered as desired to /var/spool/mqueue.in. However, I left them there without mailscanner running to see if they'd stay there. They did *not* stay there; after about 10 minutes, something picked them up and delivered them out of *mqueue.in*. I don't understand how that could have happened. Anyway, I ended up using my own init script that manually starts the daemons, and so far this seems to have worked. Too bad, since now I can't upgrade this package with apt or I will break my setup. -- Kurt Yoder Sport & Health network administrator From gerry at dorfam.ca Tue Jun 11 15:32:13 2002
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:56 2006 Subject: F-Prot Update Script Available Message-ID: <65472.129.80.22.134.1023805933.squirrel@tiger.dorfam.ca> For those that are using F-Prot but not checking the F-Prot website there have been several updates to the program over that last few weeks. These include changes to both the virus engine and the virus files. Also, they now provide a very nice update script that can be run as a cron job. I've been very impressed with this package. Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From jkf at ecs.soton.ac.uk Tue Jun 11 16:28:24 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate In-Reply-To: <200206111303.g5BD3EnL002315@cbr.med.harvard.edu> Message-ID: <5.1.0.14.2.20020611162730.053af900@imap.ecs.soton.ac.uk>

What happens if you check through the autoupdate script for any mention of /opt/sophos and change it to /opt2/sophos, then

    rm -rf /opt2/ide
    /opt2/sophos/bin/autoupdate

At 14:03 11/06/2002, you wrote:
>Good morning,
>
>Thanks very very much for the excellent MailScanner program.
>It's working great!
>
>Now for my problem with autoupdate. I've been manually
>updating the sophos ide section but would really like the
>autoupdate script to work. I'm sure you'll see this right
>away, extra pair of eyes...
>
>I have sophos and mailscanner running from /opt2 instead of
>the defaults but on the same filesystem. When I run autoupdates
>the sophos directory ends up look like this:
>
>cbr:/opt2/sophos-> ls -la
>total 14
>drwxr-xr-x 7 root other 512 Jun 11 08:47 ./
>drwxr-xr-x 16 root root 512 Jun 11 08:33 ../
>drwxr-xr-x 2 root other 512 Jun 11 08:47 358.200206110847/
>drwxr-xr-x 2 root root 512 Jun 11 08:46 bin/
>drwxr-xr-x 2 root root 512 Jun 11 08:49 ide/
>drwxr-xr-x 2 root root 512 Jun 11 08:33 lib/
>drwxr-xr-x 4 root root 512 Jun 11 08:33 man/
>
>A link to the 358.200206110847/ doesn't appear to happen,
>and I end up downloading the latest 358_ides.zip file into
>the ide directory manually and unzipping it there for the
>updates to work.
>
>Please help on this simple problem. I know I'm in the Twilight
>Zone on this one....
>
>Thanks,
>
>Henry
>
>------------------------------------------
>Henry C. Chorlian
>Director of Information Technology
>Center for Blood Research
>800 Huntington Avenue
>Boston, MA 02115-6303
>
>Harvard Medical School Affiliate
>chorlian@cbr.med.harvard.edu
>Voice: (617) 278-3425
>Fax: (617) 278-3493

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue Jun 11 17:25:20 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:56 2006 Subject: Sneak preview of 3.20 Message-ID: <5.1.0.14.2.20020611172218.0598afb8@imap.ecs.soton.ac.uk>

Just to give you some advance warning, 3.20 is due out "Real Soon Now(TM)". List of changes looks roughly like this:

Features:
========
Moved McAfee support from "mcafee" directory to "uvscan" to make McAfee installation simpler
Added configuration option to control logging of spam messages
Added configuration option to control compilation of SpamAssassin code for speed
Added support for RBL lists that work by domain name rather than by IP number
*** Added configuration option to list viruses that should be quietly deleted without informing the sender or recipient. A good example is the "Klez" worm.
Added optional internal TNEF expansion using CPAN Perl Convert::TNEF module
Added support for Panda and RAV virus scanners, bringing total supported to 10

Improvements:
===========
Many minor speed improvements
Improvement to warning message placing in multipart/related messages
Improved speed via optimisation of file+dir existence checks
Optimised code in various important places
Updated version of MIME-tools module shipped and included mime-tools-patch.txt from Bugtraq

Fixed:
=====
Now requires at least Perl 5.005 due to bugs in previous versions of Perl
Fixed bug (according to a user) in the Inoculan output parser. Not verified yet.

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Wed Jun 12 02:23:44 2002
From paul-w at BLUEYONDER.CO.UK Wed Jun 12 10:28:41 2002 From: paul-w at BLUEYONDER.CO.UK (Paul Welsh) Date: Thu Jan 12 21:14:56 2006 Subject: MAILSCANNER Digest - 10 Jun 2002 to 11 Jun 2002 (#2002-14) References: <00e640528230b62PCOW025M@blueyonder.co.uk> Message-ID: <001c01c211f3$8acc86e0$6a0110ac@sbsplc.com> ----- Original Message ----- > Date: Tue, 11 Jun 2002 10:32:13 -0400
> From: Gerry Doris > Subject: F-Prot Update Script Available > > For those that are using F-Prot but not checking the F-Prot website ... they > now provide a very nice update script that can be run as a cron job. Hi Gerry, can you pls let me know where this script is located on their web site? From gerry at DORFAM.CA Wed Jun 12 13:17:38 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:14:56 2006 Subject: MAILSCANNER Digest - 10 Jun 2002 to 11 Jun 2002 (#2002-14) In-Reply-To: <001c01c211f3$8acc86e0$6a0110ac@sbsplc.com> Message-ID: On Wed, 12 Jun 2002, Paul Welsh wrote: > ----- Original Message ----- > > Date: Tue, 11 Jun 2002 10:32:13 -0400 > > From: Gerry Doris > > Subject: F-Prot Update Script Available > > > > For those that are using F-Prot but not checking the F-Prot website ... > they > > now provide a very nice update script that can be run as a cron job. > > Hi Gerry, can you pls let me know where this script is located on their web > site? > Go to the F-Prot website and download the latest version of F-Prot for linux. This is the actual virus program not the virus signatures. This is a .gz file. When expanded it contains the new version of F-Prot and the update script. There have been a couple of updates of the virus program in the few weeks. Gerry -- From chorlian at CBR.MED.HARVARD.EDU Wed Jun 12 13:47:00 2002 
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:56 2006 Subject: sophos autoupdate Message-ID: <200206121247.g5CCl0nL000982@cbr.med.harvard.edu> Figured out the problem. When manually installing sophos and mailscanner to a different directory, make sure one makes the /opt2/sophos/ide directory a soft link and call the actual directory whatever you like except ide. Then when running the autoupdate script, the updates will progress from there. Initially, you need the idewhatever directory so the sophos version can be calculated. On Tuesday, June 11, 2002 at 04:28:24 PM, MailScanner mailing list wrote: > What happens if you check through the autoupdate script for any mention of > /opt/sophos and change it to /opt2/sophos, then > rm -rf /opt2/ide > /opt2/sophos/bin/autoupdate > > At 14:03 11/06/2002, you wrote: > >Good morning, > > > >Thanks very very much for the excellent MailScanner program. > >It's working great! > > > >Now for my problem with autoupdate. I've been manually > >updating the sophos ide section but would really like the > >autoupdate script to work. I'm sure you'll see this right > >away, extra pair of eyes... > > > >I have sophos and mailscanner running from /opt2 instead of > >the defaults but on the same filesystem. When I run autoupdates > >the sophos directory ends up look like this: > > > >cbr:/opt2/sophos-> ls -la > >total 14 > >drwxr-xr-x 7 root other 512 Jun 11 08:47 ./ > >drwxr-xr-x 16 root root 512 Jun 11 08:33 ../ > >drwxr-xr-x 2 root other 512 Jun 11 08:47 358.200206110847/ > >drwxr-xr-x 2 root root 512 Jun 11 08:46 bin/ > >drwxr-xr-x 2 root root 512 Jun 11 08:49 ide/ > >drwxr-xr-x 2 root root 512 Jun 11 08:33 lib/ > >drwxr-xr-x 4 root root 512 Jun 11 08:33 man/ > > > >A link to the 358.200206110847/ doesn't appear to happen, > >and I end up downloading the latest 358_ides.zip file into > >the ide directory manually and unzipping it there for the > >updates to work. 
> > > >Please help on this simple problem. I know I'm in the Twilight > >Zone on this one.... > > > >Thanks, > > > >Henry > > > >------------------------------------------ > >Henry C. Chorlian > >Director of Information Technology > >Center for Blood Research > >800 Huntington Avenue > >Boston, MA 02115-6303 > > > >Harvard Medical School Affiliate > >chorlian@cbr.med.harvard.edu > >Voice: (617) 278-3425 > >Fax: (617) 278-3493 > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From LISTSERV at JISCMAIL.AC.UK Wed Jun 12 14:02:21 2002 
From isp-list at TULSACONNECT.COM Wed Jun 12 15:36:30 2002
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:57 2006 Subject: Problem with MIME-Tools security patch In-Reply-To: <5.1.0.14.2.20020607112540.02d2b590@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.6.2.20020612093119.02e04e10@securemail.tulsaconnect.com> At 11:32 AM 6/7/2002 +0100, you wrote: >A very nice person on the Bugtraq mailing list has found some potential >security problems with the current stable release of the MIME-Tools module >which is used by MailScanner. These are likely to be exploited fairly soon >as the hackers all read Bugtraq too. After applying the patch (on MIME-Tools 5.411), it seems the filename on *some* virus-laden attachments is being truncated:

Jun 12 09:31:00 mx10 mailscanner[4540]: Notified senders about 1 infections
Jun 12 09:31:00 mx10 mailscanner[4540]: Commercial disinfector mcafee returned 3072
Jun 12 09:31:00 mx10 mailscanner[4540]: Skipping renamed attachment .pif

and a grep of the maillog:

Jun 12 09:21:30 mx10 mailscanner[4540]: Skipping renamed attachment mail..pif
Jun 12 09:23:19 mx10 mailscanner[4540]: Skipping renamed attachment salir,.bat
Jun 12 09:24:48 mx10 mailscanner[4540]: Skipping renamed attachment Start Up Procedures.doc.bat
Jun 12 09:27:18 mx10 mailscanner[4540]: Skipping renamed attachment .pif
Jun 12 09:27:54 mx10 mailscanner[4540]: Skipping renamed attachment .exe
Jun 12 09:31:00 mx10 mailscanner[4540]: Skipping renamed attachment .pif
Jun 12 09:31:23 mx10 mailscanner[4540]: Skipping renamed attachment shape.exe
Jun 12 09:32:20 mx10 mailscanner[4540]: Skipping renamed attachment install.exe

Could be from Klez which I've been told doesn't properly MIME encode the attachment in the first place. Anyone else seeing this? --Mike From LISTSERV at JISCMAIL.AC.UK Wed Jun 12 10:39:14 2002
From FCaen at CI.LAKEWOOD.WA.US Wed Jun 12 17:11:24 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available Message-ID: -----Original Message-----
From: Gerry Doris > For those that are using F-Prot but not checking the F-Prot website there > have been several updates to the program over that last few weeks. These > include changes to both the virus engine and the virus files. Also, they > now provide a very nice update script that can be run as a cron job. Have you given that script a shot? Is it working well for you? Did you use a different one before? I looked at it briefly, it seemed more "complicated" than the previous ones listed on here. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From lbergman at abi.tconline.net Wed Jun 12 17:03:45 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available In-Reply-To: References: Message-ID: <200206121103.45318.lbergman@abi.tconline.net> > > For those that are using F-Prot but not checking the F-Prot website there > > have been several updates to the program over that last few weeks. These > > include changes to both the virus engine and the virus files. Also, they > > now provide a very nice update script that can be run as a cron job. > > Have you given that script a shot? Is it working well for you? Did you use > a different one before? > > I looked at it briefly, it seemed more "complicated" than the previous ones > listed on here. It also doesn't work. I downloaded 3.12a and it had the script. It said all was updated successfully but when I ran the other one I had used previously it found a later macro def and installed it. So, even though it says it worked it did not. At least not on my Linux box. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From siewwu.tan at EDGEMATRIX.COM Wed Jun 12 19:29:26 2002 
From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available Message-ID: On Wed, 12 Jun 2002 11:03:45 -0500, Lewis Bergman wrote: >> > For those that are using F-Prot but not checking the F-Prot website there >> > have been several updates to the program over that last few weeks. These >> > include changes to both the virus engine and the virus files. Also, they >> > now provide a very nice update script that can be run as a cron job. >> >> Have you given that script a shot? Is it working well for you? Did you use >> a different one before? >> >> I looked at it briefly, it seemed more "complicated" than the previous ones >> listed on here. >It also doesn't work. I downloaded 3.12a and it had the script. It said all >was updated successfully but when I ran the other one I had used previously >it found a later macro def and installed it. So, even though it says it >worked it did not. At least not on my Linux box. > I downloaded it a few days ago and the shell script runs fine on a RedHat 7.2 system. You may have to set your wget configuration correctly if you need to go through a proxy server to do the ftp download. I added the wget option --proxy=on and set appropriate /etc/wgetrc settings. Do note that old versions of wget may not support ftp get through a http proxy server. I also noticed an error when trying to run it on a RedHat 6.0 system. The problem is that the script uses some features that only exist in Bash version 2. If your "bash -version" gives you version 1.xx then you will most likely face problems with the script. Some systems do have both bash and bash2 installed. I notice one of my RedHat 6.2 systems has both versions of bash, i.e. /bin/bash and /bin/bash2. The basic function of the script is to get a URL response with the checksum of the definition files, compare it with the one on the system and, if the checksum is different, download the new one to replace it.
The checksum is done with the "checksum" program that comes with the package. Siew Wu From jkf at ecs.soton.ac.uk Wed Jun 12 19:40:23 2002
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available In-Reply-To: Message-ID: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> I would also advise you to wrap it in a script which creates and locks the file /tmp/FProtBusy.lock while the update is in progress. Otherwise your system could be exposed while you replace the virus definitions. At 19:29 12/06/2002, you wrote: >On Wed, 12 Jun 2002 11:03:45 -0500, Lewis Bergman > wrote: > > >> > For those that are using F-Prot but not checking the F-Prot website >there > >> > have been several updates to the program over that last few weeks. >These > >> > include changes to both the virus engine and the virus files. Also, >they > >> > now provide a very nice update script that can be run as a cron job. > >> > >> Have you given that script a shot? Is it working well for you? Did you >use > >> a different one before? > >> > >> I looked at it briefly, it seemed more "complicated" than the previous >ones > >> listed on here. > >It also doesn't work. I downloaded 3.12a and it had the script. It said all > >was updated successfully but when I ran the other one I had used previously > >it found a later macro def and installed it. So, even though it says it > >worked it did not. At least not on my Linux box. > > >I downloaded it few days ago and the shell script runs fine on a RedHat 7.2 >system. You may have to set your wget configuration correctly if you need >to go through a proxy server to do the ftp download. I added the wget >option --proxy=on and set appropriate /etc/wgetrc settings. Do note that >old version wget may not support ftp get through a http proxy server. > >Also notice error when trying to run on a RedHat 6.0 system. The problem is >that the script uses some features that only exist in Bash version 2. >If your "bash -version" gives you version 1.xx then you will most likely >face problem with the script. 
Some systems do have both bash and bash2 >installed. I notice one of my RedHat 6.2 has both version of bash i.e. >/bin/bash and /bin/bash2. > >The basic functions of the script is to get a url response with the checksum >of the definition files and compare with the one on the system and if >checksum is different, download the new one to replace it. The checksum >is down with the "checksum" program that comes with the package. > >Siew Wu -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Wed Jun 12 21:23:41 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available In-Reply-To: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> Message-ID: <200206121523.41328.lbergman@abi.tconline.net> The hint about bash2 was it. I changed it to #!/bin/bash2 and it works fine now. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From FCaen at CI.LAKEWOOD.WA.US Wed Jun 12 23:39:56 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:57 2006 Subject: Spam Assassin going commercial Message-ID: Check out this press release: http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.061202/221630053 ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From martinh at SOLID-STATE-LOGIC.COM Thu Jun 13 09:13:41 2002 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:14:57 2006 Subject: Spam Assassin going commercial References: Message-ID: <3D085435.6070708@solid-state-logic.com> Francois Caen wrote: > Check out this press release: > http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.061202/221630053 > > ------------------------------------------------ > Francois Caen > Network Information Systems Engineer - Webmaster > City of Lakewood, WA > (253) 512-2269 > > Hmm, only thing is that Deersoft.com's product is an Outlook plugin - i.e. it sits on the PC, not the mail gateway. -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 From jkf at ecs.soton.ac.uk Thu Jun 13 09:32:39 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:57 2006 Subject: Spam Assassin going commercial In-Reply-To: Message-ID: <5.1.0.14.2.20020613092107.02c80eb0@imap.ecs.soton.ac.uk> At 23:39 12/06/2002, you wrote: >Check out this press release: >http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.061202/221630053 Fortunately for us, the press release also states "Deersoft is committed to supporting the open source community, and is pleased to announce the release today of SpamAssassin(TM) 2.3.0." It doesn't exactly explain quite how committed he is, or what the implications are for the free version of SpamAssassin. Hopefully all they are trying to do is make money out of an Outlook filter based on SpamAssassin (this is SpamAssassin Pro), but the press release also mentions an "Enterprise" version, but the Deersoft web site doesn't seem to mention that yet. No signs of 2.3 on their web site yet, but I will try it out once it appears... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Thu Jun 13 10:59:44 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: tgc@STATSBIBLIOTEKET.DK requested to join Message-ID: <200206130959.KAA06534@magpie.ecs.soton.ac.uk> Thu, 13 Jun 2002 10:59:44 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from "Tom G. Christensen" You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER tgc@STATSBIBLIOTEKET.DK Tom G. Christensen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER tgc@STATSBIBLIOTEKET.DK Tom G. Christensen // EOJ From LISTSERV at JISCMAIL.AC.UK Thu Jun 13 12:39:42 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: mjs@BLITZ-TECHNOLOGY.NET requested to join Message-ID: <200206131139.MAA15682@magpie.ecs.soton.ac.uk> Thu, 13 Jun 2002 12:39:42 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mitchell Smith You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mjs@BLITZ-TECHNOLOGY.NET Mitchell Smith PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mjs@BLITZ-TECHNOLOGY.NET Mitchell Smith // EOJ From rishi at THEARGONCOMPANY.COM Thu Jun 13 15:20:32 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> Message-ID: <005101c212e6$4120ec90$73488eca@protocol>

I somehow love my update script.

/usr/local/f-prot/update

---------
#!/bin/bash

cd /usr/local/f-prot
ncftpget -F ftp://ftp.f-prot.com/pub/fp-def.zip
ncftpget -F ftp://ftp.f-prot.com/pub/macrdef2.zip
ncftpget -F ftp://ftp.f-prot.com/pub/sign2.zip
unzip -o fp-def.zip
unzip -o macrdef2.zip
unzip -o sign2.zip

---------

and then add this line in your crontab

---------
22 * * * * /usr/local/f-prot/update > /dev/null 2> /dev/null

---------

It works. ;-)

Regards

Rishi

----- Original Message ----- 
From: "Lewis Bergman" To: Sent: Thursday, June 13, 2002 1:53 AM Subject: Re: F-Prot Update Script Available > The hint about bash2 was it. I changed it to #!/bin/bash2 and it works fine > now. > -- > Lewis Bergman > Texas Communications > 4309 Maple St. > Abilene, TX 79602-8044 > 915-695-6962 ext 115 > From jkf at ecs.soton.ac.uk Thu Jun 13 15:35:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available In-Reply-To: <005101c212e6$4120ec90$73488eca@protocol> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> Message-ID: <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> At 15:20 13/06/2002, you wrote: >I somehow love my update script. > >It works. ;-) But what if MailScanner happens to call your copy of F-Prot while it is half way through unpacking the zip files? That batch of messages won't be scanned properly and so a virus could easily slip through the net. This is why my autoupdate scripts use a lockfile in /tmp (which interacts with MailScanner). >----- Original Message ----- >From: "Lewis Bergman" >To: >Sent: Thursday, June 13, 2002 1:53 AM >Subject: Re: F-Prot Update Script Available > > > > The hint about bash2 was it. I changed it to #!/bin/bash2 and it works fine > > now. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ray at MATRIX-DATANET.CO.UK Thu Jun 13 15:50:11 2002 
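Added example, not part of the thread and not MailScanner's or F-Prot's own script: one way to apply the lock-file advice above to the posted update script. It downloads and unpacks into a staging directory and swaps the files in only while holding an exclusive lock on /tmp/FProtBusy.lock. Assumptions: flock(1) is installed and the scanner locks the same file before it calls F-Prot; all function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes flock(1) and that the scanner
# takes a lock on the same file before it runs F-Prot.

LOCKFILE=${LOCKFILE:-/tmp/FProtBusy.lock}   # path named in the thread
DEFDIR=${DEFDIR:-/usr/local/f-prot}         # install dir from the posted script
DEF_ZIPS="fp-def.zip macrdef2.zip sign2.zip"
LOCK_WAIT=${LOCK_WAIT:-300}                 # seconds to wait for the scanner; 0 = do not wait

# Download the three archives into directory $1 (same ncftpget calls as the
# posted script, but into staging instead of the live directory).
fetch_defs() {
    for fd_zip in $DEF_ZIPS; do
        ( cd "$1" && ncftpget -F "ftp://ftp.f-prot.com/pub/$fd_zip" ) || return 1
    done
}

# Test archive $1 for damage, then unpack it into directory $2.
unpack_one() {
    unzip -tq "$1" >/dev/null && unzip -oq "$1" -d "$2"
}

update_defs() {
    # Staging lives inside DEFDIR so the later mv is a rename on one filesystem.
    ud_stage=$(mktemp -d "$DEFDIR/.stage.XXXXXX") || return 1
    mkdir "$ud_stage/new" || { rm -rf "$ud_stage"; return 1; }
    ud_rc=0

    # Slow, failure-prone work: no lock held, live files untouched.
    fetch_defs "$ud_stage" || ud_rc=1
    if [ "$ud_rc" -eq 0 ]; then
        for ud_zip in $DEF_ZIPS; do
            unpack_one "$ud_stage/$ud_zip" "$ud_stage/new" || { ud_rc=1; break; }
        done
    fi

    # Only take the lock if at least one staged file differs from the live one.
    ud_changed=0
    if [ "$ud_rc" -eq 0 ]; then
        for ud_f in "$ud_stage/new"/*; do
            [ -f "$ud_f" ] || continue
            cmp -s "$ud_f" "$DEFDIR/${ud_f##*/}" || ud_changed=1
        done
    fi

    if [ "$ud_rc" -eq 0 ] && [ "$ud_changed" -eq 1 ]; then
        (
            # The lock is tied to fd 9 and is released when this subshell exits.
            exec 9>>"$LOCKFILE" || exit 1
            if [ "$LOCK_WAIT" -eq 0 ]; then
                flock -x -n 9 || exit 75
            else
                flock -x -w "$LOCK_WAIT" 9 || exit 75
            fi
            # The scanner is locked out for the duration of these renames only.
            for ud_f in "$ud_stage/new"/*; do
                [ -f "$ud_f" ] || continue
                mv -f "$ud_f" "$DEFDIR/" || exit 1
            done
        ) || ud_rc=$?
    fi

    rm -rf "$ud_stage"
    return "$ud_rc"    # 0 = updated or nothing to do, 75 = scanner busy, 1 = failure
}

# Run the update only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    update_defs
    exit $?
fi
```

LOCKFILE is overridable because, as noted later in the thread, the update scripts otherwise fix the lock location at /tmp instead of reading it from mailscanner.conf.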
From: ray at MATRIX-DATANET.CO.UK (Ray Healy (Data Net Services)) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <005101c212e6$4120ec90$73488eca@protocol> Message-ID: <002301c212e9$b79265e0$630aa8c0@server> Dear Rishi Hope do not mind me asking but with your new update script, I assume it checks every day but does it only download if the definitions at F-Prot are newer than whats on your server - like the other script does from RAQFAQ (but that always comes up with /etc/cron.daily/AVupdate.sh: : Ambiguous redirect but it does work) Thanks for your help Ray Healy ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Thursday, June 13, 2002 3:20 PM Subject: Re: F-Prot Update Script Available > I somehow love my update script. > > /usr/local/f-prot/update > > --------- > #!/bin/bash > > cd /usr/local/f-prot > ncftpget -F ftp://ftp.f-prot.com/pub/fp-def.zip > ncftpget -F ftp://ftp.f-prot.com/pub/macrdef2.zip > ncftpget -F ftp://ftp.f-prot.com/pub/sign2.zip > unzip -o fp-def.zip > unzip -o macrdef2.zip > unzip -o sign2.zip > > --------- > > and then add this line in your crontab > > --------- > 22 * * * * /usr/local/f-prot/update > /dev/null 2> /dev/null > > --------- > > It works. ;-) > > Regards > > Rishi > > ----- Original Message ----- > From: "Lewis Bergman" > To: > Sent: Thursday, June 13, 2002 1:53 AM > Subject: Re: F-Prot Update Script Available > > > > The hint about bash2 was it. I changed it to #!/bin/bash2 and it works > fine > > now. > > -- > > Lewis Bergman > > Texas Communications > > 4309 Maple St. > > Abilene, TX 79602-8044 > > 915-695-6962 ext 115 > > > > From jonc at haht.com Thu Jun 13 16:17:52 2002 
From: jonc at haht.com (Jon Carnes) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <005101c212e6$4120ec90$73488eca@protocol> <002301c212e9$b79265e0$630aa8c0@server> Message-ID: <009e01c212ed$7cbb8b50$0b04010a@JCARNES> "ncftp" automagically checks to see if the files are different. If they are the same, then it does not download them. Of course the rest of the script chugs merrily along... ----- Original Message ----- From: "Ray Healy (Data Net Services)" To: Sent: Thursday, June 13, 2002 10:50 AM Subject: Re: F-Prot Update Script Available > Dear Rishi > > Hope do not mind me asking but with your new update script, I assume it > checks every day but does it only download if the definitions at F-Prot are > newer than whats on your server - like the other script does from RAQFAQ > (but that always comes up with /etc/cron.daily/AVupdate.sh: : Ambiguous > redirect but it does work) > > Thanks for your help > > Ray Healy > ----- Original Message ----- > From: "Rishi Gangoly" > To: > Sent: Thursday, June 13, 2002 3:20 PM > Subject: Re: F-Prot Update Script Available > > > > I somehow love my update script. > > > > /usr/local/f-prot/update > > > > --------- > > #!/bin/bash > > > > cd /usr/local/f-prot > > ncftpget -F ftp://ftp.f-prot.com/pub/fp-def.zip > > ncftpget -F ftp://ftp.f-prot.com/pub/macrdef2.zip > > ncftpget -F ftp://ftp.f-prot.com/pub/sign2.zip > > unzip -o fp-def.zip > > unzip -o macrdef2.zip > > unzip -o sign2.zip > > > > --------- > > > > and then add this line in your crontab > > > > --------- > > 22 * * * * /usr/local/f-prot/update > /dev/null 2> /dev/null > > > > --------- > > > > It works. ;-) > > > > Regards > > > > Rishi > > > > ----- Original Message ----- 
> > From: "Lewis Bergman" > > To: > > Sent: Thursday, June 13, 2002 1:53 AM > > Subject: Re: F-Prot Update Script Available > > > > > > > The hint about bash2 was it. I changed it to #!/bin/bash2 and it works > > fine > > > now. > > > -- > > > Lewis Bergman > > > Texas Communications > > > 4309 Maple St. > > > Abilene, TX 79602-8044 > > > 915-695-6962 ext 115 > > > > > > > From LISTSERV at JISCMAIL.AC.UK Thu Jun 13 18:12:57 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: mhammer@SYSTIME.COM requested to join Message-ID: <200206131712.SAA18714@magpie.ecs.soton.ac.uk> Thu, 13 Jun 2002 18:12:57 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mike Hammerberg You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mhammer@SYSTIME.COM Mike Hammerberg PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mhammer@SYSTIME.COM Mike Hammerberg // EOJ From LISTSERV at JISCMAIL.AC.UK Thu Jun 13 18:22:43 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: munafo@POLITO.IT requested to join Message-ID: <200206131722.SAA19696@magpie.ecs.soton.ac.uk> Thu, 13 Jun 2002 18:22:43 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Maurizio Munafo' You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER munafo@POLITO.IT Maurizio Munafo' PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER munafo@POLITO.IT Maurizio Munafo' // EOJ From nwp at LEMON-COMPUTING.COM Thu Jun 13 23:43:59 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available In-Reply-To: <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> Message-ID: <20020613224359.GN12326@hoiho.nz.lemon-computing.com> On Thu, Jun 13, 2002 at 03:35:27PM +0100, Julian Field wrote: > This is why my autoupdate scripts use a lockfile in /tmp (which interacts > with MailScanner). We really need to come up with a way for the update scripts to use the directory configured for lock files in mailscanner.conf... Hmmm... -- Nick Phillips -- nwp@lemon-computing.com A day for firm decisions!!!!! Or is it? From Tristan at SUN.MARMOT.ORG Thu Jun 13 23:43:06 2002 
From: Tristan at SUN.MARMOT.ORG (Tristan Rhodes) Date: Thu Jan 12 21:14:57 2006 Subject: What is the cheapest Anti-virus for Solaris and MailScanner? References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> Message-ID: <019b01c2132b$b85513a0$993df5c0@marmot.org> Greetings, I have been watching this mailing list for a while now, and I am very excited to try MailScanner. I have a few questions that can be easily answered. First, what is the cheapest anti-virus product that will run with MailScanner on Solaris? (F-Prot is designed for Linux, and the tech didn't think Solaris is validated with it.) Second, what is the advantage of using Mailscanner and anti-virus product over just a "made for email-server" antivirus product? Is it a cheaper solution? (I understand that Mailscanner also does great SPAM filtering.) My budget is almost non-existant for this project, so I wanted to find the cheapest way to implement basic virus checking and SPAM filtering. Thanks in advance, Tristan Rhodes - System Operator (970) 242-3331 x10 Marmot Library Network, Inc. From LISTSERV at JISCMAIL.AC.UK Thu Jun 13 23:11:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: mjs@BLITZ-TECHNOLOGY.NET left the JISCmail list Message-ID: <200206132211.XAA14326@magpie.ecs.soton.ac.uk> Thu, 13 Jun 2002 23:11:47 Mitchell Smith has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From paul-w at BLUEYONDER.CO.UK Fri Jun 14 09:22:02 2002 
From: paul-w at BLUEYONDER.CO.UK (Paul Welsh) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Available References: <0bd885333230d62PCOW024M@blueyonder.co.uk> Message-ID: <003f01c2137c$8f83d7d0$6a0110ac@sbsplc.com>

When I run the f-prot update script I get:

/usr/local/f-prot/check-updates.sh: ${HTTPRETURN:0:1}: bad substitution
/usr/local/f-prot/check-updates.sh: [: integer expression expected before -ne
Nothing to be done...

Does anyone else get this? I currently run the script at http://uk2raq.com/updates/f-prot-zip-update.sh which works fine and only updates if files have changed.

From jkf at ecs.soton.ac.uk Fri Jun 14 09:24:33 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:57 2006 Subject: What is the cheapest Anti-virus for Solaris and MailScanner? In-Reply-To: <019b01c2132b$b85513a0$993df5c0@marmot.org> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020614092329.02c1d508@imap.ecs.soton.ac.uk>

At 23:43 13/06/2002, you wrote: >Second, what is the advantage of using Mailscanner and anti-virus product >over just a "made for email-server" antivirus product? Is it a cheaper >solution? (I understand that Mailscanner also does great SPAM filtering.) >My budget is almost non-existant for this project, so I wanted to find the >cheapest way to implement basic virus checking and SPAM filtering.

The obvious answers that come to mind are
1) Features
2) Cost
3) Spam filtering
4) If you want it to do something different, you've got the source

-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From vincent at DUKE-INTERACTIVE.COM Fri Jun 14 10:53:47 2002 
From: vincent at DUKE-INTERACTIVE.COM (Vincent Meoc) Date: Thu Jan 12 21:14:57 2006 Subject: README.exim installation instructions make error mails Message-ID: <20020614095347.GC24447@terre>

Hello, I'm using mailscanner (debian package 3.13.2-2) with exim (Debian package, version 3.35) on 3 different servers since few times (2 weeks) and on each of them after 2 days of production I got some errors about the defer director. Here is an example :

/var/log/exim/mainlog/
2002-06-13 07:40:01 17INKp-0004YI-00 == userx@duke-interactive.com D=defer_director defer (-1): forced defer: All deliveries are deferred
2002-06-13 07:40:01 17INKp-0004YI-00 ** userx@duke-interactive.com: retry timeout exceeded
2002-06-13 07:40:01 17INKz-0004cu-00 <= <> R=17INKp-0004YI-00 U=mail P=local S=31327
2002-06-13 07:40:01 17INKp-0004YI-00 Error message sent to alerte@lesechos.fr

or in the same file :

2002-06-13 11:50:01 17IREs-0006LI-00 == some_users@yahoo.fr R=defer_router defer (-1): remote host address is the local host
2002-06-13 11:50:01 17IREs-0006LI-00 ** some_users@yahoo.fr: retry timeout exceeded
2002-06-13 11:50:01 17IREv-0006LS-00 <= <> R=17IREs-0006LI-00 U=mail P=local S=3108
2002-06-13 11:50:01 17IREs-0006LI-00 Error message sent to yuser@duke-interactive.com

I join at this mail my exim.conf and mailscanner.conf files.

Obviously, it's a problem with the exim's defer director handling. I was surprised to see that in the README.exim it is saying to put queue_only = true and the defer director and router. But in the Exim HTML installation guide it is "set queue_only" to be true, or add the following director:" Is it the source of the problem to put queue_only with defer ? Since 24H, I'm using queue_only with no defer and have no errors. I've not tested defer without queue_only.

Maybe you can help me to understand how the second exim handles the queue put in /var/spool/exim_incoming/. How does exim_outgoing know where is this queue ?
Another question about something strange that happened this night. A lot of mail got this error :

2002-06-14 03:08:02 17IfZ5-000292-00 ** iuser@duke-interactive.com: unrouteable mail domain "duke-interactive.com"
2002-06-14 03:08:02 17IfZK-0002Aa-00 <= <> R=17IfZ5-000292-00 U=mail P=local S=1718
2002-06-14 03:08:02 17IfZ5-000292-00 Error message sent to intranet@duke-interactive.com
2002-06-14 03:08:02 17IfZ5-000292-00 Completed
2002-06-14 03:08:02 17IfZ6-000293-00 failed to open database lock file /var/spool/exim_incoming/db/retry.lockfile: Permission denied (euid=8 egid=8)

This file retry.lockfile, and others in the directory db, was owned by root. I looked in my history and found these normal lines :

mkdir -p /var/spool/exim_incoming/{db,input,msglog}
chown -R mail.mail /var/spool/exim_incoming

and after nothing about a change in the db Directory. Something similar appears on another server :

vincent@anotherserver:~$ l /var/spool/exim_incoming/db/
total 25
drwxr-x--- 2 mail mail 184 May 16 06:25 .
drwxr-x--- 5 mail mail 120 May 16 09:45 ..
-rw-r----- 1 mail mail 20480 Jun 14 06:25 retry
-rw-r----- 1 mail mail 0 May 15 21:53 retry.lockfile
-rw-r----- 1 root root 4096 May 16 06:25 wait-remote_smtp
-rw-r----- 1 root root 0 May 16 06:25 wait-remote_smtp.lockfil

Does anyone have any solutions for all these questions :) ?

-- Vincent Meoc System and Network Administrator DUKE - Digital Age Agency T : 01 53 44 19 00 F : 01 53 44 19 20 e-mail : vincent@duke-interactive.com www.duke-interactive.com

-------------- next part --------------
# This is the main exim configuration file.
# It was originally generated by `eximconfig', part of the exim package
# distributed with Debian, but it may edited by the mail system administrator.
# This file originally generated by eximconfig at Mon Dec 4 11:41:30 CET 2000
# See exim info section for details of the things that can be configured here.
# Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file.

# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

primary_hostname = mail.duke-interactive.com

# Specify the domain you want to be added to all unqualified addresses
# here. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

qualify_domain = duke-interactive.com

# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =

# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.

local_domains = duke-interactive.com:localhost

# Allow mail addressed to our hostname, or to our IP address.
local_domains_include_host = true
local_domains_include_host_literals = true

# Domains we relay for; that is domains that aren't considered local but we
# accept mail for them.

#relay_domains =

# If this is uncommented, we accept and relay mail for all domains we are
# in the DNS as an MX for.

relay_domains_include_local_mx = true

# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

#host_lookup = *

# The setting below would, if uncommented, cause Exim to check the syntax of
# all the headers that are supposed to contain email addresses (To:, From:,
# etc). This reduces the level of bounced bounces considerably.

# headers_check_syntax

# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for
# background. Uncommenting the following line will make Exim reject mail
# from any host whose IP address is blacklisted in the RBL at maps.vix.com.

#rbl_domains = rbl.maps.vix.com
#rbl_reject_recipients = false
#rbl_warn_header = true

# The setting below allows your host to be used as a mail relay only by
# localhost: it locks out the use of your host as a mail relay by any
# other host. See the section of the manual entitled "Control of relaying"
# for more info.
host_accept_relay = localhost:192.168.0.0/24

# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part

# percent_hack_domains=*

# If this option is set, then any process that is running as one of the
# listed users may pass a message to Exim and specify the sender's
# address using the "-f" command line option, without Exim's adding a
# "Sender" header.

trusted_users = mail
#trusted_users = mail:amavis

# If this option is true, the SMTP command VRFY is supported on incoming
# SMTP connections; otherwise it is not.

smtp_verify = false

# Some operating systems use the "gecos" field in the system password file
# to hold other information in addition to users' real names. Exim looks up
# this field when it is creating "sender" and "from" headers. If these options
# are set, exim uses "gecos_pattern" to parse the gecos field, and then
# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
# by the pattern.

gecos_pattern = ^([^,:]*)
gecos_name = $1

# This sets the maximum number of messages that will be accepted in one
# connection. The default is 10, which is probably enough for most purposes,
# but is too low on dialup SMTP systems, which often have many more mails
# queued for them when they connect.

smtp_accept_queue_per_connection = 100

# Send a mail to the postmaster when a message is frozen. There are many
# reasons this could happen; one is if exim cannot deliver a mail with no
# return address (normally a bounce) another that may be common on dialup
# systems is if a DNS lookup of a smarthost fails.
# Read the documentation
# for more details: you might like to look at the auto_thaw option

freeze_tell_mailmaster = true
auto_thaw = 0s

# This string defines the contents of the `Received' message header that
# is added to each message, except for the timestamp, which is automatically
# added on at the end, preceded by a semicolon. The string is expanded each
# time it is used.

received_header_text = "Received: \
          ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
          {${if def:sender_ident {from ${sender_ident} }}\
          ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
          by ${primary_hostname} \
          ${if def:received_protocol {with ${received_protocol}}} \
          (Exim ${version_number} #${compile_number} (Debian))\n\t\
          id ${message_id}\
          ${if def:received_for {\n\tfor <$received_for>}}"

#maiscanner config
spool_directory = /var/spool/exim_incoming
queue_only = true

#server protection
#message_size_limit = 5000000
#return_size_limit = 4000000
#deliver_load_max = 4.0
#queue_only = true
deliver_queue_load_max = 4.0
queue_only_load = 2.0
message_filter = /etc/exim/big_file_filter

end

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# This transport is used for local delivery to user mailboxes. On debian
# systems group mail is used so we can write to the /var/spool/mail
# directory. (The alternative, which most other unixes use, is to deliver
# as the user's own group, into a sticky-bitted directory)

local_delivery:
  driver = appendfile
  group = mail
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  file = /var/spool/mail/${local_part}

# This transport is used for handling pipe addresses generated by
# alias or .forward files.
# If the pipe generates any standard output,
# it is returned to the sender of the message as a delivery error. Set
# return_fail_output instead if you want this to happen only when the
# pipe fails to complete normally.

address_pipe:
  driver = pipe
  return_output

# This transport is used for handling file addresses generated by alias
# or .forward files.

address_file:
  driver = appendfile

# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name. Each message is then delivered
# to a unique file in the directory. If instead you want all such deliveries to
# be in the "maildir" format that is used by some other mail software,
# uncomment the final option below. If this is done, the directory specified
# in the .forward or alias file is the base maildir directory.
#
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another transport,
# called address_directory2. This is used if the path ends in "//" so should
# be the one used for maildir, as the double slash suggests another level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.

address_directory:
  driver = appendfile
  no_from_hack
  prefix = ""
  suffix = ""
# maildir_format

# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.

address_reply:
  driver = autoreply

# This transport is used for procmail

procmail_pipe:
  driver = pipe
  command = "/usr/bin/procmail -d ${local_part}"
  return_path_add
  delivery_date_add
  envelope_to_add
  check_string = "From "
  escape_string = ">From "
  user = $local_part
  group = mail

# This transport is used for delivering messages over SMTP connections.
remote_smtp:
  driver = smtp

# vacation program
#user_vacation:
#driver = autoreply
#user = ${local_part}
#to = "${sender_address}"
#from = "${local_part}@duke-interactive.com"
#file = /var/local/exim/msg.txt
#subject = "${if def:h_Subject: {Autoreply: ${local_part}@duke-interactive.com} {Notification}}"
#subject = "${if def:h_Subject: {Autoreply: $h_Subject:} {Notification}}"

end

######################################################################
#                      DIRECTORS CONFIGURATION                       #
#             Specifies how local addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#   A local address is passed to each in turn until it is accepted.  #
######################################################################

#mailscanner config
defer_director:
  driver = smartuser
  new_address = :defer: All deliveries are deferred

# This allows local delivery to be forced, avoiding alias files and
# forwarding.

real_local:
  prefix = real-
  driver = localuser
  transport = local_delivery

# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary.

system_aliases:
  driver = aliasfile
  file_transport = address_file
  pipe_transport = address_pipe
  include_domain = true
  file = /etc/aliases
  search_type = lsearch
  user = list
# Uncomment the above line if you are running smartlist

# This director runs procmail for users who have a .procmailrc file

procmail:
  driver = localuser
  transport = procmail_pipe
  require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
  no_verify

# This director handles forwarding using traditional .forward files.
# It also allows mail filtering when a forward file starts with the
# string "# Exim filter": to disable filtering, uncomment the "filter"
# option. The check_ancestor option means that if the forward file
# generates an address that is an ancestor of the current one, the
# current one gets passed on instead. This covers the case where A is
# aliased to B and B has a .forward file pointing to A.

# For standard debian setup of one group per user, it is acceptable---normal
# even---for .forward to be group writable. If you have everyone in one
# group, you should comment out the "modemask" line. Without it, the exim
# default of 022 will apply, which is probably what you want.

userforward:
  driver = forwardfile
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  no_verify
  check_ancestor
  file = .forward
  modemask = 002
  filter

# This director matches local user mailboxes.

localuser:
  driver = localuser
  transport = local_delivery

# For a satellite system, all mail sent to local users is re-directed to
# their accounts on duke-interactive.com

#smart:
#  driver = smartuser
#  new_address = ${local_part}@stimpy.duke

end

######################################################################
#                       ROUTERS CONFIGURATION                        #
#             Specifies how remote addresses are handled             #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################

#mailscanner config
defer_router:
  driver = domainlist
  self = defer
  route_list = "* 127.0.0.1 byname"

lookuphost:
  driver = lookuphost
  transport = remote_smtp

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.
# Send all mail to a smarthost
#
#smarthost:
#  driver = domainlist
#  transport = remote_smtp
#  route_list = "* mail.duke-interactive.com bydns_a"
#
# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.

# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.

literal:
  driver = ipliteral
  transport = remote_smtp

end

######################################################################
#                        RETRY CONFIGURATION                         #
######################################################################

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------

*                      *           F,2h,2m; G,16h,2h,1.5; F,4d,8h

end

######################################################################
#                       REWRITE CONFIGURATION                        #
######################################################################

# These rewriters make sure the mail messages appear to have originated
# from the real mail-reading host.

^(?i)(root|postmaster|mailer-daemon)@stimpy.duke ${1}@in.limbo Ffr
*@stimpy.duke ${1}@duke-interactive.com Ffr
^(?i)(root|postmaster|mailer-daemon)@localhost ${1}@in.limbo Ffr
*@localhost ${1}@duke-interactive.com Ffr
*@in.limbo vincent@duke-interactive.com Ffr

# This rewriting rule is particularly useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file

*@stimpy.duke ${lookup{$1}lsearch{/etc/email-addresses}\
                        {$value}fail} bcfrF

# End of Exim configuration file

-------------- next part --------------
# Configuration file for MailScanner E-Mail Virus Scanner
# This file assumes everything is in the default locations provided
# by the MailScanner and RedHat 6.2 and upwards.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.

# User to run as (provided for Exim users)
Run As User = mail

# Group to run as (provided for Exim users)
Run As Group = mail

# In every batch of virus-scanning, limit the maximum
# a) number of text-only messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of text-only messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000

# To avoid resource leaks, re-start periodically.
Restart Every = 14400 # 4 hours

# Name of this host, or just "the MailScanner" if you want to hide this info.
# It can be placed in the Help Desk note contained in virus warnings sent to users.
Host name = Duke MailScanner

# Add this extra header to all mail as it is scanned.
# (this must *include* terminating colon).
Mail Header = X-MailScanner:

# Set the mail header to these values for clean/infected messages.
Clean Header = Found to be clean
Infected Header = Found to be infected
Disinfected Header = Disinfected

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/mailscanner/incoming

# Set where to store infected message attachments (if they are kept)
Quarantine Dir = /var/spool/mailscanner/quarantine

# Set where to store the process id so you can easily stop the scanner
Pid File = /var/run/mailscanner/mailscanner.pid

# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
Filename Rules = /etc/mailscanner/filename.rules.conf

# Set where to find the message text sent to users when one of their
# attachments has been quarantined.
Stored Virus Message Report = /etc/mailscanner/stored.virus.message.txt
Stored Bad Filename Message Report = /etc/mailscanner/stored.filename.message.txt

# Set where to find the message text sent to users when one of their
# attachments has been deleted.
Deleted Virus Message Report = /etc/mailscanner/deleted.virus.message.txt
Deleted Bad Filename Message Report = /etc/mailscanner/deleted.filename.message.txt

# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
Disinfected Report = /etc/mailscanner/disinfected.report.txt

# Set location of incoming mail queue
# and location of outgoing mail queue.
Incoming Queue Dir = /var/spool/exim_incoming/input
Outgoing Queue Dir = /var/spool/exim/input

# Set whether to use sendmail or exim (default is sendmail)
MTA = exim

# Set how to invoke MTA when sending created message
# (e.g. to sender/recipient saying "found a virus in your message")
Sendmail = /usr/sbin/exim

# Sendmail2 is provided for Exim users.
# It defaults to the value supplied for Sendmail.
# It is the command used to attempt delivery of outgoing
# (scanned/cleaned) messages.
# This is not usually required for sendmail.
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_outgoing.conf

# Do you want to scan email for viruses?
# A few people have wanted to disable the entire virus scanning.
Virus Scanning = yes

# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com (which is *free* for Linux as of 1/1/2002)
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of virus scanners. For example:
# Virus Scanner = sophos, f-prot
#
Virus Scanner = sophos

# Where the Virus scanner is installed. This is the command needed to run it.
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of commands, **in the same order** as they are listed
# in the "Virus Scanner" keyword just above. For example:
# Sweep = /etc/mailscanner/wrapper/sophoswrapper, /etc/mailscanner/wrapper/f-protwrapper
#
Sweep = /etc/mailscanner/wrapper/sophoswrapper

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Expand TNEF attachments using an external program?
# This should be "yes" except for Sophos (when it should be "no")
# as Sophos has the facility built-in.
Expand TNEF = yes

# Where the MS-TNEF expander is installed.
# The new --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# What should the attachments be called that replace virus-infected files?
Attachment Warning Filename = VirusWarning.txt

# Should we scan all messages, including plain-text messages which are normally
# harmless? This should be "yes" since the MyParty message appeared.
Scan All Messages = yes

# Once we have removed viruses from an email message and replaced them with
# VirusWarning.txt attachments, should we deliver the clean result to the
# original recipients (or just delete them if "no")?
Deliver To Recipients = yes

# Deliver messages with viruses removed to their original recipients
# if they came from a local address, or just delete them so no-one knows
# we have a virus outbreak on our site?
Deliver From Local Domains = no

# Notify the senders of infected messages that they should check out
# their systems?
Notify Senders = yes

# Set where to find the message text sent to the senders of infected
# messages.
#Sender Report = /etc/mailscanner/sender.report.txt
Sender Virus Report = /etc/mailscanner/sender.virus.report.txt
Sender Bad Filename Report = /etc/mailscanner/sender.filename.report.txt
Sender Error Report = /etc/mailscanner/sender.error.report.txt

# Notify the local postmaster when any infections are found?
Notify Local Postmaster = yes

# Include the full headers of each message in the postmaster notification?
Postmaster Gets Full Headers = yes

# Set email address of who to notify about any infections found.
# Should put your full domain name here too,
# e.g. postmaster@your.domain.com
Local Postmaster = postmaster

# Set what to do with infected attachments or messages.
# keep ==> Store under the "Quarantine Dir"
# delete ==> Just delete them
#Action = delete
Action = keep

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones
Deliver Disinfected Files = yes

# Local domain name, or filename containing a list of local domain names
# The file supports blank entries, '#' and ';' comment characters and
# uses the first word off each line. This should be compatible with all
# such lines in a sendmail or Exim configuration file.
Local Domains = /etc/mailscanner/localdomains.conf
#Local Domains = put.your.domain.name.here

# Mark infected messages in the message body.
# There can now be more than 1 of these configuration lines here, so you can
# break the warning message over multiple lines.
Mark Infected Messages = yes
Inline Text Warning = Warning: This message has had one or more attachments removed.
Inline Text Warning = Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
Inline HTML Warning = Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information.

# Sign clean messages in the message body.
# There can be more than 1 of these configuration lines here, so you can
# break the signature message over multiple lines.
# Note that enabling this option will add to the overall system load as some
# major optimisations will no longer be possible!
Sign Clean Messages = no
Inline Text Signature = --
Inline Text Signature = This message has been scanned for viruses and
Inline Text Signature = dangerous content by MailScanner, and is
Inline Text Signature = believed to be clean.
Inline HTML Signature = --
Inline HTML Signature = This message has been scanned for viruses and
Inline HTML Signature = dangerous content by
Inline HTML Signature = MailScanner,
Inline HTML Signature = and is believed to be clean.

# Do you want to archive all mail in a directory for later inspection?
# Be warned if you are in the UK: this may well be illegal due to RIPA
# and DPA restrictions!
Archive Mail = no

# Where to store the mail archive.
# Be warned: this is likely to get big very quickly.
Archive Mail Dir = /var/spool/mailscanner/archive

#
# Per-Domain Scanning and Spam Detection
#

# Do we want to only scan certain named domains for viruses and spam?
Scanning By Domain = no

# Filename listing all the domains we want to scan
Domains To Scan = /etc/mailscanner/domains.to.scan.conf

# Do we want to add a MailScanner header to messages we have not scanned
Sign Unscanned Messages = yes

# What do we want to put in the header
Unscanned Header = not scanned: please contact your email provider for details

#
# Spam Detection
#

# Should the anti-spam checks be done on all incoming messages?
Spam Checks = no

# Set the name of the extra header to add to all messages found to be
# likely spam.
Spam Header = X-MailScanner-SpamCheck:

# Do you want to put some text on the front of the subject line when
# we think it is spam?
Spam Modify Subject = yes

# What text do we want to put on the front (gets followed by a " ")
Spam Subject Text = {SPAM?}

# Do we have the SpamAssassin package installed?
# This is a very good, very clever heuristics-based spam checker.
# For more info and installation instructions, see http://spamassassin.taint.org/
Use SpamAssassin = no

# Set the maximum size of message which we will check with SpamAssassin
# Don't set this too large as your system load will get very high processing
# huge messages.
Max SpamAssassin Size = 100000

# Set the maximum time to allow SpamAssassin to process 1 message
SpamAssassin Timeout = 10

# Set the list of database names and their corresponding DNS domains.
# All of these databases work in a similar way, allowing the simple use
# of multiple databases.
# See www.ordb.org and www.mail-abuse.org for more information.
Spam List = ORDB-RBL, relays.ordb.org.
# MAPS now charge for their services, so you'll have to buy a contract before
# attempting to use the next 3 lines.
#Spam List = MAPS-RBL, blackholes.mail-abuse.org.
#Spam List = MAPS-DUL, dialups.mail-abuse.org.
#Spam List = MAPS-RSS, relays.mail-abuse.org.
# This next line works for JANET UK Academic sites only
#Spam List = MAPS-RBL+, rbl-plus.mail-abuse.ja.net.

# Define local networks from whom you should always accept mail, and
# never mark it as spam. This is useful in case your own mail servers
# are ever in the ORBS or MAPS lists.
#Accept Spam From = 152.78.
#Accept Spam From = 139.166.

# Define a list of email addresses and email domains from whom you should
# always accept mail, and never mark it as spam. This is useful in case
# someone you correspond with a lot has their mail servers in the ORBS or
# MAPS lists.
Spam White List = /etc/mailscanner/spam.whitelist.conf

#
# Advanced Features
# =================
#
# Don't bother changing anything below this unless you really know what
# you are doing.
#

# Set Debug to 1 to stop it running as a daemon
# and produce more verbose output
Debug = 0

# Attempt immediate delivery of messages, or just place them in the outgoing
# queue for the MTA to deliver at a time of its own choosing?
# If attempting immediate delivery, do them one at a time,
# or do them in batches of 30 at a time?
Delivery Method = queue
# Delivery Method = individual
#Delivery Method = batch

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "flock".
# For Exim, it defaults to "posix".
# No other type is implemented.
#Lock Type = flock

# Where to put the virus scanning engine lock files.
# These lock files are used between MailScanner and the virus signature
# "autoupdate" scripts, to ensure that they aren't both working at the
# same time (which could cause MailScanner to let a virus through).
Lock File Dir = /tmp

# What to do when you get several MailScanner headers in one message,
# from multiple MailScanner servers. Values are
# "append" : Append the new data to the existing header
# "add" : Add a new header
# "replace" : Replace the old data with the new data
# Default is "append"
Multiple Headers = append

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
Deliver Unparsable TNEF = no

# When attempting delivery of outgoing messages, should we do it in the
# background or wait for it to complete? The danger of doing it in the
# background is that the machine load goes ever upwards while all the
# slow sendmail processes run to completion. However, running it in the
# foreground may cause the mail server to run too slowly.
Deliver In Background = no

# Minimum acceptable code stability status -- if we come across code
# that's not at least as stable as this, we barf.
# This is currently only used to check that you don't end up using untested
# virus scanner support code without realising it.
# Levels used are:
# none - there may not even be any code.
# unsupported - code may be completely untested, a contributed dirty hack,
# anything, really.
# alpha - code is pretty well untested. Don't assume it will work.
# beta - code is tested a bit. It should work.
# supported - code *should* be reliable.
#
# Don't even *think* about setting this to anything other than "beta" or
# "supported" on a system that receives real mail until you have tested it
# yourself and are happy that it is all working as you expect it to.
# Don't set it to anything other than "supported" on a system that could
# ever receive important mail.
Minimum Code Status = supported

From jkf at ecs.soton.ac.uk Fri Jun 14 14:30:23 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
Message-ID: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>

Hi folks,

It's release time again.
Loads of goodies for you all in this new version :-)
As usual, you can download it from
http://www.mailscanner.info/

Jules.

Features:
========
-- Moved McAfee support from "mcafee" directory to "uvscan" to make McAfee
installation simpler
-- Added configuration option to control logging of spam messages
-- Added configuration option to control compilation of SpamAssassin code
for speed
-- Added support for RBL lists that work by domain name rather than by IP
number
-- Added configuration option to list viruses that should be quietly
deleted without informing the sender or recipient. A good example is the
"Klez" worm
-- Added configuration option to allow the "VirusWarning.txt" message to be
inline or an attachment
-- Added configuration option to enable SpamAssassin's "auto-whitelist"
functionality
-- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF module
-- Added support for Panda and RAV virus scanners, bringing total supported
to 10
-- Added a per-message timeout for the RBL checks
-- Added facility to quarantine copy of entire message as well as just
infected attachments

Improvements:
===========
-- Many optimisations and speed improvements
-- Improvement to warning message placing in multipart/related messages
-- Updated version of MIME-tools module shipped and included
mime-tools-patch.txt from Bugtraq
-- RPM installation will automatically patch MIME-tools as it is installed
-- RPM installation will only install Perl modules that are not present or
need upgrading
-- RPM installation changed so upgrading should be easier now
-- Won't call SpamAssassin on every message when it doesn't need to
-- Added MIME scanning option to McAfee scanner command-line

Fixes:
=====
-- Now requires at least Perl 5.005 due to bugs in previous versions of Perl
-- Signatures on clean messages can now have a space at the end of a line
-- Fixed bug (according to a user) in the Inoculan output parser. Not
verified yet.
-- Hopefully the "not spam" entries appear in the right messages now
-- Fixed bug where some unscanned messages were being marked as clean
-- Fixed bug where some "%" signs could disappear from Subject: headers
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From dml at UNB.CA Fri Jun 14 14:40:29 2002
From: dml at UNB.CA (David Lancaster)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID:

RedHat 7.2

[root@spamfilter root]# rpm -Uvh mailscanner-3.20-1.i386.rpm
error: failed dependencies:
        /usr/local/bin/perl is needed by mailscanner-3.20-1

ln'ing or copy'ing /usr/bin/perl to /usr/local/bin/perl doesn't help...

D.

On Fri, 14 Jun 2002, Julian Field wrote:

> Hi folks,
>
> It's release time again.
> Loads of goodies for you all in this new version :-)
> As usual, you can download it from
> http://www.mailscanner.info/
>
> Jules.
>
> Features:
> ========
> -- Moved McAfee support from "mcafee" directory to "uvscan" to make McAfee
> installation simpler
> -- Added configuration option to control logging of spam messages
> -- Added configuration option to control compilation of SpamAssassin code
> for speed
> -- Added support for RBL lists that work by domain name rather than by IP
> number
> -- Added configuration option to list viruses that should be quietly
> deleted without informing the sender or recipient. A good example is the
> "Klez" worm
> -- Added configuration option to allow the "VirusWarning.txt" message to be
> inline or an attachment
> -- Added configuration option to enable SpamAssassin's "auto-whitelist"
> functionality
> -- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF module
> -- Added support for Panda and RAV virus scanners, bringing total supported
> to 10
> -- Added a per-message timeout for the RBL checks
> -- Added facility to quarantine copy of entire message as well as just
> infected attachments
>
> Improvements:
> ===========
> -- Many optimisations and speed improvements
> -- Improvement to warning message placing in multipart/related messages
> -- Updated version of MIME-tools module shipped and included
> mime-tools-patch.txt from Bugtraq
> -- RPM installation will automatically patch MIME-tools as it is installed
> -- RPM installation will only install Perl modules that are not present or
> need upgrading
> -- RPM installation changed so upgrading should be easier now
> -- Won't call SpamAssassin on every message when it doesn't need to
> -- Added MIME scanning option to McAfee scanner command-line
>
> Fixes:
> =====
> -- Now requires at least Perl 5.005 due to bugs in previous versions of Perl
> -- Signatures on clean messages can now have a space at the end of a line
> -- Fixed bug (according to a user) in the Inoculan output parser. Not
> verified yet.
> -- Hopefully the "not spam" entries appear in the right messages now
> -- Fixed bug where some unscanned messages were being marked as clean
> -- Fixed bug where some "%" signs could disappear from Subject: headers
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

===========================================================
David Lancaster ITS ESS

From fizz at BOMB.NET Fri Jun 14 14:46:41 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <000701c213a9$e9f2cf00$483cd842@fizz>

/me claps wildly
You've been a busy Jules! :)

----- Original Message -----
From: "Julian Field"
To:
Sent: Friday, June 14, 2002 9:30 AM
Subject: ANNOUNCE: Version 3.20-1 released

> Hi folks,
>
> It's release time again.
> Loads of goodies for you all in this new version :-)
> As usual, you can download it from
> http://www.mailscanner.info/
>
> Jules.
>
> Features:
> ========
> -- Moved McAfee support from "mcafee" directory to "uvscan" to make McAfee
> installation simpler
> -- Added configuration option to control logging of spam messages
> -- Added configuration option to control compilation of SpamAssassin code
> for speed
> -- Added support for RBL lists that work by domain name rather than by IP
> number
> -- Added configuration option to list viruses that should be quietly
> deleted without informing the sender or recipient. A good example is the
> "Klez" worm
> -- Added configuration option to allow the "VirusWarning.txt" message to be
> inline or an attachment
> -- Added configuration option to enable SpamAssassin's "auto-whitelist"
> functionality
> -- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF module
> -- Added support for Panda and RAV virus scanners, bringing total supported
> to 10
> -- Added a per-message timeout for the RBL checks
> -- Added facility to quarantine copy of entire message as well as just
> infected attachments
>
> Improvements:
> ===========
> -- Many optimisations and speed improvements
> -- Improvement to warning message placing in multipart/related messages
> -- Updated version of MIME-tools module shipped and included
> mime-tools-patch.txt from Bugtraq
> -- RPM installation will automatically patch MIME-tools as it is installed
> -- RPM installation will only install Perl modules that are not present or
> need upgrading
> -- RPM installation changed so upgrading should be easier now
> -- Won't call SpamAssassin on every message when it doesn't need to
> -- Added MIME scanning option to McAfee scanner command-line
>
> Fixes:
> =====
> -- Now requires at least Perl 5.005 due to bugs in previous versions of Perl
> -- Signatures on clean messages can now have a space at the end of a line
> -- Fixed bug (according to a user) in the Inoculan output parser. Not
> verified yet.
> -- Hopefully the "not spam" entries appear in the right messages now
> -- Fixed bug where some unscanned messages were being marked as clean
> -- Fixed bug where some "%" signs could disappear from Subject: headers
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From LISTSERV at JISCMAIL.AC.UK Fri Jun 14 14:39:12 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:57 2006
Subject: MAILSCANNER: smf@LBSLTD.CO.UK requested to join
Message-ID: <200206141339.OAA20760@magpie.ecs.soton.ac.uk>

Fri, 14 Jun 2002 14:39:12

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Steve Freegard

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER smf@LBSLTD.CO.UK Steve Freegard

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER smf@LBSLTD.CO.UK Steve Freegard
// EOJ

From jkf at ecs.soton.ac.uk Fri Jun 14 14:52:54 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To:
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020614145146.04841400@imap.ecs.soton.ac.uk>

Fixed. This was a minor bug in a user-contributed script to support RAV,
which I couldn't test as I haven't got a copy of RAV to test it against :-(

Version 3.20-2 released.

At 14:40 14/06/2002, you wrote:
>RedHat 7.2
>
>[root@spamfilter root]# rpm -Uvh mailscanner-3.20-1.i386.rpm
>error: failed dependencies:
>        /usr/local/bin/perl is needed by mailscanner-3.20-1
>
>ln'ing or copy'ing /usr/bin/perl to /usr/local/bin/perl doesn't help...
>
>On Fri, 14 Jun 2002, Julian Field wrote:
> > Hi folks,
> >
> > It's release time again.
> > Loads of goodies for you all in this new version :-)
> > As usual, you can download it from
> > http://www.mailscanner.info/
> >
> > Jules.
> >
> > Features:
> > ========
> > -- Moved McAfee support from "mcafee" directory to "uvscan" to make McAfee
> > installation simpler
> > -- Added configuration option to control logging of spam messages
> > -- Added configuration option to control compilation of SpamAssassin code
> > for speed
> > -- Added support for RBL lists that work by domain name rather than by IP
> > number
> > -- Added configuration option to list viruses that should be quietly
> > deleted without informing the sender or recipient. A good example is the
> > "Klez" worm
> > -- Added configuration option to allow the "VirusWarning.txt" message to be
> > inline or an attachment
> > -- Added configuration option to enable SpamAssassin's "auto-whitelist"
> > functionality
> > -- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF
> module
> > -- Added support for Panda and RAV virus scanners, bringing total supported
> > to 10
> > -- Added a per-message timeout for the RBL checks
> > -- Added facility to quarantine copy of entire message as well as just
> > infected attachments
> >
> > Improvements:
> > ===========
> > -- Many optimisations and speed improvements
> > -- Improvement to warning message placing in multipart/related messages
> > -- Updated version of MIME-tools module shipped and included
> > mime-tools-patch.txt from Bugtraq
> > -- RPM installation will automatically patch MIME-tools as it is installed
> > -- RPM installation will only install Perl modules that are not present or
> > need upgrading
> > -- RPM installation changed so upgrading should be easier now
> > -- Won't call SpamAssassin on every message when it doesn't need to
> > -- Added MIME scanning option to McAfee scanner command-line
> >
> > Fixes:
> > =====
> > -- Now requires at least Perl 5.005 due to bugs in previous versions of
> Perl
> > -- Signatures on clean messages can now have a space at the end of a line
> > -- Fixed bug (according to a user) in the Inoculan output parser. Not
> > verified yet.
> > -- Hopefully the "not spam" entries appear in the right messages now
> > -- Fixed bug where some unscanned messages were being marked as clean
> > -- Fixed bug where some "%" signs could disappear from Subject: headers

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Fri Jun 14 14:58:38 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <51565.129.80.22.134.1024063118.squirrel@tiger.dorfam.ca>

My but you've been a busy little fellow!!!

I have a few questions about your changes...

> -- Added configuration option to list viruses that should be quietly
> deleted without informing the sender or recipient. A good example is
> the "Klez" worm

Why would I want to do this??? Why wouldn't I want to tell the
sender/recipient that their mail had a virus??

> -- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF
> module

I know nothing about TNEF expansion. Which do you recommend...the old
external one or the CPAN one?

> -- Won't call SpamAssassin on every message when it doesn't need to

This is excellent. It's the reason I've been running spamassassin via
procmail instead of mailscanner since most of my messages come in via mail
lists and don't need to be spam scanned.

Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From LISTSERV at JISCMAIL.AC.UK Fri Jun 14 15:02:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:57 2006 Subject: MAILSCANNER: akhan@SGHMS.AC.UK requested to join Message-ID: <200206141402.PAA01052@magpie.ecs.soton.ac.uk> Fri, 14 Jun 2002 15:02:13 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Asim Khan You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER akhan@SGHMS.AC.UK Asim Khan PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER akhan@SGHMS.AC.UK Asim Khan // EOJ From thom at DARKSABER.COM Fri Jun 14 15:05:42 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released In-Reply-To: <51565.129.80.22.134.1024063118.squirrel@tiger.dorfam.ca> References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk> <51565.129.80.22.134.1024063118.squirrel@tiger.dorfam.ca> Message-ID: <1024063542.454.16.camel@service.darksaber.com> Because klez fakes the senders address and sending a reply back to the sender does not necessarily mean they have the virus. I've received an email about a virus from one email account to another that I had sent the klez virus. What made it so funny is that I run Linux both at work and home. Kinda hard to send a klez virus that way. 
A nice feature would be to find the real sender that is contained in the
mail header. But I don't want to make unnecessary work for anyone.

Quietly deleting the email is a nice feature.

On Fri, 2002-06-14 at 09:58, Gerry Doris wrote:
> My but you've been a busy little fellow!!!
>
> I have a few questions about your changes...
>
>
> > -- Added configuration option to list viruses that should be quietly
> > deleted without informing the sender or recipient. A good example is
> > the "Klez" worm
>
> Why would I want to do this??? Why wouldn't I want to tell the
> sender/recipient that their mail had a virus??

--
-=/>Thom
Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4
Uptime: 10:02am up 1 day, 16:15, 1 user, load average: 1.40, 1.18, 1.16
Registered Linux User #214499 http://counter.li.org

From jkf at ecs.soton.ac.uk Fri Jun 14 15:23:54 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <51565.129.80.22.134.1024063118.squirrel@tiger.dorfam.ca>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020614151202.02ccbb58@imap.ecs.soton.ac.uk>

At 14:58 14/06/2002, you wrote:
> > -- Added configuration option to list viruses that should be quietly
> > deleted without informing the sender or recipient. A good example is
> > the "Klez" worm
>
>Why would I want to do this??? Why wouldn't I want to tell the
>sender/recipient that their mail had a virus??

The Klez worm is just about the first virus to create useless messages with
fake From: and To: addresses. The net result is that there is no point in
telling either the sender (as they almost certainly didn't send it) or the
recipient (who never wanted the virus anyway). So you might as well just
ditch it.

> > -- Added optional internal TNEF expansion using CPAN Perl Convert::TNEF
> > module
>
>I know nothing about TNEF expansion. Which do you recommend...the old
>external one or the CPAN one?

Personally I'm sticking with the old one, as it seems to work okay.
However, if you have a lot of Outlook users whose winmail.dat attachments
(Microsoft Outlook Rich Text Format attachments) can't be expanded/decoded
and scanned, then you *may* find the internal Perl module manages to decode
more of them.

So stick as you are unless you have a good reason to change.

> > -- Won't call SpamAssassin on every message when it doesn't need to

Not sure I can remember the finer points of that one any more, it was a few
weeks ago...

>This is excellent. It's the reason I've been running spamassassin via
>procmail instead of mailscanner since most of my messages come in via mail
>lists and don't need to be spam scanned.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From isp-list at TULSACONNECT.COM Fri Jun 14 15:36:47 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com>

At 02:30 PM 6/14/2002 +0100, you wrote:
>Hi folks,
>
>It's release time again.
>Loads of goodies for you all in this new version :-)
>As usual, you can download it from
> http://www.mailscanner.info/
>
>Jules.

Does this include Nick's new lock.pl code for *BSD?

--Mike

From SMF at LBSLTD.CO.UK Fri Jun 14 15:28:06 2002
From: SMF at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:14:57 2006
Subject: Mailscanner 3.20-2 RPM probs
Message-ID: <67D9E7698329D411936E00508B6590B9A5B343@neelix.lbsltd.co.uk>

Hi all,

I've just tried installing 3.20-2 from the RPM and hit the following error.
I suspect it is unrelated to mailscanner and is a problem with MIME::Tools -

<
[root@trip root]# rpm -ivh mailscanner-3.20-2.i386.rpm
Preparing... ########################################### [100%]
1:mailscanner ########################################### [100%]
Shutting down sendmail: [ OK ]
MailScanner: About to install Perl modules you do not already have
MailScanner: Module IO::Stringy 1.211 already installed
MailScanner: Module MIME::Base64 2.11 already installed
MailScanner: Installing Perl Module IsABundle
Checking for Net::SMTP...ok
Checking for Net::Domain...ok
Checking for IO::Handle...ok
Checking if your kit is complete...
Looks good
Writing Makefile for Mail
cp Mail/Field/AddrList.pm blib/lib/Mail/Field/AddrList.pm
cp Mail/Mailer/rfc822.pm blib/lib/Mail/Mailer/rfc822.pm
cp Mail/Util.pm blib/lib/Mail/Util.pm
AutoSplitting blib/lib/Mail/Util.pm (blib/lib/auto/Mail/Util)
cp Mail/Mailer/sendmail.pm blib/lib/Mail/Mailer/sendmail.pm
cp Mail/Mailer/smtp.pm blib/lib/Mail/Mailer/smtp.pm
cp Mail/Mailer/test.pm blib/lib/Mail/Mailer/test.pm
cp Mail/Field.pm blib/lib/Mail/Field.pm
cp Mail/Mailer.pm blib/lib/Mail/Mailer.pm
cp Mail/Mailer/mail.pm blib/lib/Mail/Mailer/mail.pm
cp Mail/Address.pm blib/lib/Mail/Address.pm
cp Mail/Filter.pm blib/lib/Mail/Filter.pm
cp Mail/Alias.pm blib/lib/Mail/Alias.pm
cp Mail/Send.pm blib/lib/Mail/Send.pm
cp Mail/Header.pm blib/lib/Mail/Header.pm
cp Mail/Field/Date.pm blib/lib/Mail/Field/Date.pm
cp Mail/Internet.pm blib/lib/Mail/Internet.pm
AutoSplitting blib/lib/Mail/Internet.pm (blib/lib/auto/Mail/Internet)
cp Mail/Cap.pm blib/lib/Mail/Cap.pm
Manifying blib/man3/Mail::Field::AddrList.3pm
Manifying blib/man3/Mail::Address.3pm
Manifying blib/man3/Mail::Filter.3pm
Manifying blib/man3/Mail::Alias.3pm
Manifying blib/man3/Mail::Util.3pm
Manifying blib/man3/Mail::Send.3pm
Manifying blib/man3/Mail::Header.3pm
Manifying blib/man3/Mail::Internet.3pm
Manifying blib/man3/Mail::Field.3pm
Manifying blib/man3/Mail::Mailer.3pm
Manifying blib/man3/Mail::Cap.3pm
*** ERROR: unterminated C<...> at line 143 in file Mail/Cap.pm
PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/5.6.1/i
86-linux -I/usr/lib/perl5/5.6.1 -e 'use Test::Harness qw(&runtests $verbose); $
erbose=0; runtests @ARGV;' t/*.t
t/extract...........ok
t/header............ok
t/internet..........ok
t/mailcap...........ok
t/mailer............ok
t/require...........ok
t/send..............ok
All tests successful.
Files=7, Tests=95, 1 wallclock secs ( 0.74 cusr + 0.08 csys = 0.82 CPU)
Installing /usr/share/man/man3/Mail::Field::AddrList.3pm
Installing /usr/share/man/man3/Mail::Address.3pm
Installing /usr/share/man/man3/Mail::Filter.3pm
Installing /usr/share/man/man3/Mail::Alias.3pm
Installing /usr/share/man/man3/Mail::Util.3pm
Installing /usr/share/man/man3/Mail::Send.3pm
Installing /usr/share/man/man3/Mail::Header.3pm
Installing /usr/share/man/man3/Mail::Internet.3pm
Installing /usr/share/man/man3/Mail::Field.3pm
Installing /usr/share/man/man3/Mail::Mailer.3pm
Installing /usr/share/man/man3/Mail::Cap.3pm
Writing /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Mail/.packlist
Appending installation info to /usr/lib/perl5/5.6.1/i386-linux/perllocal.pod
MailScanner: Module File::Spec 0.82 already installed
MailScanner: Installing Perl Module MIME::Tools
==== Patching MIME::Tools module (see Bugtraq)
/var/tmp/rpm-tmp.21813: mime-tools-patch.txt: No such file or directory
/var/tmp/rpm-tmp.21813: cd: MIME-tools-5.411a: No such file or directory
Can't open perl script "Makefile.PL": No such file or directory
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `test'. Stop.
make: *** No rule to make target `install'. Stop.
MailScanner: Module File::Temp 0.12 already installed
MailScanner: Module Convert::TNEF 0.17 already installed
MailScanner: Perl modules installed
<>

I'm running MailScanner on RedHat Linux 7.3.

Any ideas??

Kind regards, Steve Freegard Systems Manager Littlehampton Book Services Ltd. DDI: +44 1903 82 8594 FAX: +44 1903 82 8620 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From wkuiters at FREE.FR Fri Jun 14 15:41:16 2002 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:57 2006 Subject: README.exim installation instructions make error mails In-Reply-To: <20020614095347.GC24447@terre> References: <20020614095347.GC24447@terre> Message-ID: <20020614144116.GA2335@bragann> Hello On Fri, Jun 14, 2002 at 11:53:47AM +0200, Vincent Meoc wrote: > Hello, > > I'm using mailscanner(debian package 3.13.2-2) with exim (Debian package, version 3.35) on 3 different servers since few times (2 weeks) > and on each of them after 2 days of production I got some errors about > the defer director. 
> Here is an example :
>
> /var/log/exim/mainlog/
> 2002-06-13 07:40:01 17INKp-0004YI-00 == userx@duke-interactive.com
> D=defer_director defer (-1): forced defer: All deliveries are deferred
> 2002-06-13 07:40:01 17INKp-0004YI-00 ** userx@duke-interactive.com:
> retry timeout exceeded
> 2002-06-13 07:40:01 17INKz-0004cu-00 <= <> R=17INKp-0004YI-00 U=mail
> P=local S=31327
> 2002-06-13 07:40:01 17INKp-0004YI-00 Error message sent to
> alerte@lesechos.fr
>
> or in the same file :
> 2002-06-13 11:50:01 17IREs-0006LI-00 == some_users@yahoo.fr
> R=defer_router defer (-1): remote host address is the local host
> 2002-06-13 11:50:01 17IREs-0006LI-00 ** some_users@yahoo.fr:
> retry timeout exceeded
> 2002-06-13 11:50:01 17IREv-0006LS-00 <= <> R=17IREs-0006LI-00 U=mail
> P=local S=3108
> 2002-06-13 11:50:01 17IREs-0006LI-00 Error message sent to
> yuser@duke-interactive.com

OK, this looks like a DNS related problem. I recently had the same error
messages and somehow fixed them by changing /etc/hosts. I am terribly sorry
that I do not remember exactly what I did. That should teach me to be more
precise in the future and keep records of the solutions I sometimes find!

Willem

--
() ()   --- "Definition of "creativity": To see what ---
(? ?)   --- everyone else sees but to have different ---
/\ /\   --- thoughts about it" -- Einstein ---
( " )
" "-----/ --- (Htag.pl 0.0.19) ---

From jaearick at COLBY.EDU Fri Jun 14 15:39:13 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Installed, working great so far. I love the fact that the IP number and
domain name now appear in the spamassassin syslogs.
Here's yet another suggestion from the peanut gallery to make things even
better:

* I wish there was an (initially empty) "etc-local" directory in
/opt/mailscanner for my tweaks to the configuration files in
/opt/mailscanner/etc. The idea here is that your default
configuration files go into /opt/mailscanner/etc, and my modifications
to one of your config files go into etc-local. For instance, I
have several mods to /opt/mailscanner/etc/mailscanner.conf.solaris.
Installing a new version of mailscanner is painful because I have to
go thru the config files and re-tweak my changes before starting things
up again. This takes time, and mail stacks up in the queue meanwhile.

If there were:

/opt/mailscanner/etc/mailscanner.conf.solaris (your config, untouched)

and

/opt/mailscanner/etc-local/mailscanner.conf.solaris (lines containing my mods)

where the settings in etc-local override the setting for the
corresponding file in etc, then I can keep my mods separated from
your defaults. The logic of "read etc config file, read etc-local
config file for override settings" could apply to any file in
/opt/majordomo/etc at startup.

** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------

From isp-list at TULSACONNECT.COM Fri Jun 14 15:45:15 2002
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.1.6.2.20020614093903.02ebf7b8@securemail.tulsaconnect.com>

At 02:30 PM 6/14/2002 +0100, you wrote:
>Hi folks,
>
>It's release time again.
>Loads of goodies for you all in this new version :-)
>As usual, you can download it from
> http://www.mailscanner.info/
>
>Jules.

in mailscanner.conf:

# Expand TNEF attachments using an external program?
# This should be "yes" except for Sophos (when it should be "no")
# as Sophos has the facility built-in.

should be updated to:

# Expand TNEF attachments using an external program?
# This should be "yes" except when using McAfee/uvscan or Sophos (when it should be "no")
# as they have the facility built-in.

Also, it would be useful to define mailscanner's default directory prefix
as a global variable at the top of the conf file, (e.g. "/opt"), so for
folks like me that use "/usr/local/bin/" instead, I don't have to go and
change every reference in the conf file.

--Mike

From jaearick at COLBY.EDU Fri Jun 14 15:46:43 2002
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Yet another suggestion... If spamassassin is used and the spam score
on a piece of email is greater than some defined number in mailscanner.conf,
then delete it -- even if the "Spam Action" says "deliver". IMHO, anything
with a spam score greater than 15 isn't worth tagging and delivering...

** Jeff A.
Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From mdchaney at MICHAELCHANEY.COM Fri Jun 14 15:56:57 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released In-Reply-To: <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com>; from isp-list@TULSACONNECT.COM on Fri, Jun 14, 2002 at 09:36:47AM -0500 References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk> <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com> Message-ID: <20020614095657.A7503@michaelchaney.com> On Fri, Jun 14, 2002 at 09:36:47AM -0500, ISP List wrote: > At 02:30 PM 6/14/2002 +0100, you wrote: > >Hi folks, > > > >It's release time again. > >Loads of goodies for you all in this new version :-) > >As usual, you can download it from > > http://www.mailscanner.info/ > > > >Jules. > > Does this include Nick's new lock.pl code for *BSD? Write to me if you need it. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From isp-list at TULSACONNECT.COM Fri Jun 14 15:57:03 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released In-Reply-To: <20020614095657.A7503@michaelchaney.com> References: <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com> <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk> <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com> Message-ID: <5.1.1.6.2.20020614095604.02c0bd18@securemail.tulsaconnect.com> >Write to me if you need it. 
>
>Michael

Michael,

Looks like he did include it:

lock.pl ->

# $^O returns:
# Linux: "linux"
# OpenBSD: "openbsd"
# Solaris: "solaris"
# SunOS4: "sunos"
# AIX: "aix"
# IRIX: "irix"
#

if (/bsd/) {
    Log::InfoLog("Creating hardcoded struct_flock subroutine for $^O (BSD-type)");
    # from "man fcntl" and /usr/include/sys/fcntl.h on OBSD 2.7:
    # struct flock {
    #     off_t l_start;  /* starting offset */
    #     off_t l_len;    /* len = 0 means until end of file */
    #     pid_t l_pid;    /* lock owner */
    #     short l_type;   /* lock type: read/write, etc. */
    #     short l_whence; /* type of l_start */
    # };
    #
    # FreeBSD exim.tulsaconnect.com 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun May
    # 19 23:53:40 CDT 2002
    #
    # from /usr/include/sys/fcntl.h:
    #
    # /*
    #  * Advisory file segment locking data type -
    #  * information passed to system by user
    #  */
    # struct flock {
    #     off_t l_start;  /* starting offset */
    #     off_t l_len;    /* len = 0 means until end of file */
    #     pid_t l_pid;    /* lock owner */
    #     short l_type;   /* lock type: read/write, etc. */
    #     short l_whence; /* type of l_start */
    # };

Up till now I was using the lock.pl that (you?) or someone posted to the
list a while back.

--Mike

From akhan at SGHMS.AC.UK Fri Jun 14 16:40:54 2002
From: akhan at SGHMS.AC.UK (Asim Khan)
Date: Thu Jan 12 21:14:57 2006
Subject: error with netscape6
Message-ID: <3D0A0E86.2060700@sghms.ac.uk>

..My netscape6 seems to give errors like:

'An error occurred while sending mail.
The mail server responded :
Unexpected failure, please try later.
Please verify that your email address is correct
in your mail preferences and try again'

the only setting I've changed on my mail account in netscape6
is 'My Outgoing Server (SMTP): mancity:sghsms.ac.uk' - my local unix
box from 'mail.sghms.ac.uk' - the mail mail server..

mancity is the host with mailscanner/exim running on it..

the screen freezes and no email is sent...?

BUT if I use /usr/lib/sendmail -v username@sghms.ac.uk as root
the user receives the email..?

..Any suggestions would be much appreciated...?

Asim Khan
Unix System Administrator
Computing Services
St George's Hospital Medical School
Tel: 020 8725 5453

From COMBSTM at APPSTATE.EDU Fri Jun 14 16:08:56 2002
From: COMBSTM at APPSTATE.EDU (T. Combs)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: "Your message dated Fri, 14 Jun 2002 09:58:38 -0400" <51565.129.80.22.134.1024063118.squirrel@tiger.dorfam.ca>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <01KIX4HVCA46CMKMR1@appstate.edu>

> > -- Added configuration option to list viruses that should be quietly
> > deleted without informing the sender or recipient. A good example is
> > the "Klez" worm

> Why would I want to do this??? Why wouldn't I want to tell the
> sender/recipient that their mail had a virus??

The idea that every piece of email is generated by a valid user is no
longer a rule we can rely on. Normally this is true, but in the case of
virus generated email, I choose to drop the email completely without
notifying the sender or the receiver.

We do this by looking at the virus description, and then drop by the name
of the virus so as not to confuse, spam, or confuse users. By dropping the
email, I can protect the users who have had their documents (some of them
sensitive) sent to people in their addressbooks. Sometimes the From:
envelope is not correct in virus generated email, and would cause a bounced
piece of email to go to the wrong person.

In order to assist the users, we look at the headers of virus email
originated at our site and contact the user directly. Most of the time they
have no clue they are hosting a virus.

This process has been performed for over a year at our site with no
complaints. The complaints usually are asking why email was sent to them
from someone they don't know, with a message that a virus was removed.

-- Combstm@appstate.edu Appalachian State University (828)262-6297 Information Technology Services FAX: (828)262-2236 From FCaen at CI.LAKEWOOD.WA.US Fri Jun 14 17:59:15 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released Message-ID: -----Original Message----- From: jkf@ECS.SOTON.AC.UK > The Klez worm is just about the first virus to create useless messages with > fake From: and To: addresses. The net result is that there is no point in > telling either the sender (as they almost certainly didn't send it) or the > recipient (who never wanted the virus anyway). So you might as well just > ditch it. Actually, there is a point in notifying the recipient: it makes you / your IT dept. look good to your users / customers :-) Even though this is more political than technical, it can be very useful: "See all those viruses we saved you from? Now you understand why we need a bigger IT budget?" ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From gerry at dorfam.ca Fri Jun 14 19:50:45 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:57 2006 Subject: F-Prot Update Script Message-ID: <15241.129.80.22.134.1024080645.squirrel@tiger.dorfam.ca> For all of those who were asking if the F-Prot update script now included with their virus engine actually works check out my cron message below. I've been running it as a cron job without the -cron flag to be sure it's working properly. BTW, this is on a redhat 7.3 host. Gerry -------- Original Message -------- Subject: Cron /usr/local/f-prot/check-updates.sh Date: Fri, June 14, 2002 1:00 pm To: gerry@dorfam.ca *************************************** * F-Prot signature file update script * *************************************** There's a new version of SIGN.DEF on the web. Starting to download... Download completed. SIGN.DEF has been installed. 
There's a new version of SIGN2.DEF on the web. Starting to download... SIGN2.DEF has been installed. ********************************** * Update completed successfully. * ********************************** From mailscanner-sub at WIREHUB.NET Fri Jun 14 22:08:25 2002 From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released In-Reply-To: References: Message-ID: On 14 Jun 2002 15:33:29 +0200, Julian Field wrote: > Hi folks, > > It's release time again. > Loads of goodies for you all in this new version :-) Looking better all the time ;) One question though. One of our clients is running TrendMicro on his mail after receiving mail from our mailservers (which are all running FreeBSD/Perl5/Mailscanner/McAfee). This one seems to slip through on a consistent basis: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_MAGISTR.A Is it McAfee or Mailscanner (or a Perl-Mime module) that keeps missing this one? It is probably one of those curiously malformed attachments designed to fool the Outlook parser (if it deserves to be called that). From Stephane.Lentz at ANSF.ALCATEL.FR Sat Jun 15 00:01:59 2002 From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz) Date: Thu Jan 12 21:14:57 2006 Subject: ANNOUNCE: Version 3.20-1 released In-Reply-To: References: Message-ID: <20020614230158.GA5416@iww.netfr.alcatel.fr> Hi, On Fri, Jun 14, 2002 at 11:08:25PM +0200, Ben C. O. Grimm wrote: > > One question though. One of our clients is running TrendMicro on his mail > after receiving mail from our mailservers (which are all running > FreeBSD/Perl5/Mailscanner/McAfee). This one seems to slip through on a > consistent basis: > > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_MAGISTR.A > > Is it McAfee or Mailscanner (or a Perl-Mime module) that keeps missing this > one? 
It is probably one of those curiously malformed attachments designed > to fool the Outlook parser (if it deserves to be called that). => Yes, I heard that some PE_MAGISTR.A variants come in some malformed MIME encoded message (that can be decoded by Outlook though). I don't remember where exactly though. Anybody knows what kind of incorrect Mime stuff is used (double headers or \r only or something else) ? Ben, BTW have you applied David F Skoll 's patch for Mime::Tools ? regards, SL/ PS: adding support in Mailscanner for Trend Micro vscan (included in Interscan or the Free filescanner) should be great. I once had a look at it quickly but couldn't figure out all the code changes. Maybe in the future I will have a look at it again or somebody else (Nick ?) will. The tricky port is that the exit codes are not well documented. --- Stephane Lentz / Alcanet International - Internet Services From miguelk at KONSULTEX.COM.BR Fri Jun 14 22:43:38 2002 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:14:57 2006 Subject: error with netscape6 References: <3D0A0E86.2060700@sghms.ac.uk> Message-ID: <3D0A638A.8090006@konsultex.com.br> I noticed the same type of error since I switched to Netscape 6. With Netscape 4.7x I never had this problem. What I do in these cases is close Netscape and open it again and the problem goes away. Another situation that causes this error (I'm not sure if it's the same messga, though) is when I attach a file that is on a network drive, not on my local machine. In those cases I first copy it over and then attach. I attributed these problems to Netscape and/or WinXP (unfortunately my new notebook came with it). I'm hoping that Netscape 7 will solve this.... Miguel Asim Khan wrote: > ..My netscape6 seems to give errors like: > > 'An error occurred while sending mail. > The mail server responded : > Unexpected failure, please try later. 
> Please verify that your email address is correct > in your mail preferences and try again' > > the only setting I've changed on my mail account in netscape6 > is 'My Outgoing Server (SMTP): mancity:sghsms.ac.uk' - my local unix > box from 'mail.sghms.ac.uk' - the mail mail server.. > > mancity is the host with mailscanner/exim running on it.. > > the screen freezes and no email is sent...? > > BUT if I use /usr/lib/sendmail -v username@sghms.ac.uk as root > the user recieves the email..? > > ..Any suggestions would be much appreciated...? > > Asim Khan > Unix System Administrator > Computing Services > St George's Hospital Medical School > Tel: 020 8725 5453 From nwp at LEMON-COMPUTING.COM Sat Jun 15 01:42:55 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:57 2006 Subject: README.exim installation instructions make error mails In-Reply-To: <20020614144116.GA2335@bragann> References: <20020614095347.GC24447@terre> <20020614144116.GA2335@bragann> Message-ID: <20020615004255.GV12326@hoiho.nz.lemon-computing.com> On Fri, Jun 14, 2002 at 04:41:16PM +0200, Willem Kuiters wrote: > On Fri, Jun 14, 2002 at 11:53:47AM +0200, Vincent Meoc wrote: > > Hello, > > > > I'm using mailscanner(debian package 3.13.2-2) with exim (Debian package, version 3.35) on 3 different servers since few times (2 weeks) > > and on each of them after 2 days of production I got some errors about > > the defer director. > OK, this looks like a DNS related problem. I recently had the same error Not a DNS problem. It actually looks like you may not be running exim_tidydb. Do you have the most up-to-date instructions in which that is mentioned? Use "exim_tidydb -t 0d /var/spool/exim.in retry" or similar, depending on what you've called your incoming queue. And run it more often than your retry timeout (like once a day is usually good enough). Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You have been selected for a secret mission. 
From nwp at LEMON-COMPUTING.COM Sat Jun 15 01:50:37 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.1.6.2.20020614093903.02ebf7b8@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
 <5.1.1.6.2.20020614093903.02ebf7b8@securemail.tulsaconnect.com>
Message-ID: <20020615005037.GW12326@hoiho.nz.lemon-computing.com>

On Fri, Jun 14, 2002 at 09:45:15AM -0500, ISP List wrote:

> Also, it would be useful to define mailscanner's default directory prefix
> as a global variable at the top of the conf file, (e.g. "/opt"), so for
> folks like me that use "/usr/local/bin/" instead, I don't have to go and
> change every reference in the conf file.

The autoconf'ed version will (well, does) deal with all of the paths in
there... It just needs more testing before we let it loose on an
unsuspecting world.

Um, I thought you already had a copy of that to test with...

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Someone is speaking well of you.

From nwp at LEMON-COMPUTING.COM Sat Jun 15 01:54:14 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.0.14.2.20020614151202.02ccbb58@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020614151202.02ccbb58@imap.ecs.soton.ac.uk>
Message-ID: <20020615005414.GX12326@hoiho.nz.lemon-computing.com>

On Fri, Jun 14, 2002 at 03:23:54PM +0100, Julian Field wrote:
> >I know nothing about TNEF expansion. Which do you recommend...the old
> >external one or the CPAN one?
>
> Personally I'm sticking with the old one, as it seems to work okay.
> However, if you have a lot of Outlook users whose winmail.dat attachments
> (Microsoft Outlook Rich Text Format attachments) can't be expanded/decoded
> and scanned, then you *may* find the internal Perl module manages to decode
> more of them.
>
> So stick as you are unless you have a good reason to change.

Using the internal one might well increase performance, as there would be
one less process to start up.

--
Nick Phillips -- nwp@lemon-computing.com
Someone whom you reject today, will reject you tomorrow.

From mailscanner-sub at WIREHUB.NET Sat Jun 15 03:18:58 2002
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To:
References:
Message-ID:

On 15 Jun 2002 02:45:56 +0200, Stephane Lentz wrote:

> => Yes, I heard that some PE_MAGISTR.A variants come in some
> malformed MIME encoded message (that can be decoded by Outlook
> though). I don't remember where exactly though. Anybody knows
> what kind of incorrect Mime stuff is used (double headers or
> \r only or something else) ?
> Ben, BTW have you applied David F Skoll 's patch for Mime::Tools ?

You mean http://www.roaringpenguin.com/mimedefang/mime-tools-patch.txt

I just did (10 times in a row ;). See what happens.

From nwp at LEMON-COMPUTING.COM Sat Jun 15 03:27:28 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <20020614230158.GA5416@iww.netfr.alcatel.fr>
References: <20020614230158.GA5416@iww.netfr.alcatel.fr>
Message-ID: <20020615022728.GZ12326@hoiho.nz.lemon-computing.com>

On Sat, Jun 15, 2002 at 01:01:59AM +0200, Stephane Lentz wrote:

> PS: adding support in Mailscanner for Trend Micro vscan
> (included in Interscan or the Free filescanner) should be
> great. I once had a look at it quickly but couldn't figure out
> all the code changes. Maybe in the future I will have a look at
> it again or somebody else (Nick ?) will. The tricky port is that
> the exit codes are not well documented.

Depends on time, motivation and availability of the scanner for testing...

--
Nick Phillips -- nwp@lemon-computing.com
If you can read this, you're too close.

From Stephane.Lentz at ANSF.ALCATEL.FR Sat Jun 15 09:48:02 2002
From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <20020615022728.GZ12326@hoiho.nz.lemon-computing.com>
References: <20020614230158.GA5416@iww.netfr.alcatel.fr>
 <20020615022728.GZ12326@hoiho.nz.lemon-computing.com>
Message-ID: <20020615084802.GB7051@iww.netfr.alcatel.fr>

On Sat, Jun 15, 2002 at 02:27:28PM +1200, Nick Phillips wrote:
> On Sat, Jun 15, 2002 at 01:01:59AM +0200, Stephane Lentz wrote:
>
> > PS: adding support in Mailscanner for Trend Micro vscan
> > (included in Interscan or the Free filescanner) should be
> > great. I once had a look at it quickly but couldn't figure out
> > all the code changes. Maybe in the future I will have a look at
> > it again or somebody else (Nick ?) will. The tricky port is that
> > the exit codes are not well documented.
>
> Depends on time, motivation and availability of the scanner for testing..

Trend Micro is one of the main antivirus actors.
Their scanner can be used free of charge for non commercial purposes :
http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=7353
One can download Interscan from http://www.antivirus.com/download
It is some intelligent scanner : it is Mime-aware.
I will try to figure out how to add support for this scanner in
weeks to come.
regards,
SL/

From LISTSERV at JISCMAIL.AC.UK Fri Jun 14 18:40:45 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:57 2006
Subject: MAILSCANNER: kristofer@KRISTOFER.COM requested to join
Message-ID: <200206141740.SAA12205@magpie.ecs.soton.ac.uk>

Fri, 14 Jun 2002 18:40:45

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Kristofer Einarsson

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER kristofer@KRISTOFER.COM Kristofer Einarsson

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER kristofer@KRISTOFER.COM Kristofer Einarsson
// EOJ

From nwp at LEMON-COMPUTING.COM Sat Jun 15 11:33:42 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:57 2006
Subject: Writing support for new scanners
In-Reply-To: <20020615084802.GB7051@iww.netfr.alcatel.fr>
References: <20020614230158.GA5416@iww.netfr.alcatel.fr>
 <20020615022728.GZ12326@hoiho.nz.lemon-computing.com>
 <20020615084802.GB7051@iww.netfr.alcatel.fr>
Message-ID: <20020615103342.GD12326@hoiho.nz.lemon-computing.com>

On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:

> I will try to figure out how to add support for this scanner in
> weeks to come.

Well, feel free. Here are some guidelines that I've been working on for
you and any other prospective scanner-support-writers out there...

* Tips for writing scanner support:

  * "print STDERR $line" is your friend.

  * Always parse *every* line of output from the scanner, and die if you
    don't understand it.

  * Be *extremely* anal when writing regexps, especially with quantities
    of whitespace.

  * Only use wildcards to match the filename part of the output, *never*
    to match whitespace or boilerplate text (think about what might
    happen if the filename has a trailing character).

  * At least one scanner prints "..." before outputting its results -- be
    *sure* what the scanner's output format really is.

  * Be sure that you know how your scanner reports infections within
    archives; they can easily be mis-parsed.

  * Use comments to document any oddities that could confuse your parser;
    that way we might be able to ensure that they don't happen in future.

  * Use comments to document the output format you are expecting from the
    scanner so that when it changes, debugging is quicker.

  * Watch out for scanners reporting different categories of Bad Thing -
    e.g. "Joke Program", "Trojan", "Virus", "Worm"... it is a good idea
    to run "strings" over a core dump from the scanner to get clues as to
    what may be reported if you're not sure.

And a few more that I haven't added to that list yet:

* Include examples (directly from *real output*) of output formats in
  comments in your code.

* Aim to include only parameters which are necessary in the parameter
  lists in the code; put the rest in the wrapper script, with comments -
  see the F-Prot or Kaspersky wrapper scripts for examples.

* Run the scanner in the "C" locale (clear all LC_* environment
  variables, and LANG -- or set LANG to "C").

* Please try to comment your code in English - that's what Jules and I
  speak, so it's what we need in comments when we're trying to work out
  what's going on (I can handle French, or some German, but anything
  else is likely not helpful).

* Please indicate in the comments *exactly* which versions of the scanner
  in question your code has been tested with, which versions you expect
  it to work with, and which versions any example output was generated
  by.

Err, that's all I can think of at the moment.

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Tomorrow will be cancelled due to lack of interest.

From jkf at ecs.soton.ac.uk Sat Jun 15 11:51:41 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.1.6.2.20020614093625.02ed8138@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615115129.03653eb0@imap.ecs.soton.ac.uk>

At 15:36 14/06/2002, you wrote:
>Does this include Nick's new lock.pl code for *BSD?

Yes.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 12:18:09 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <20020615005414.GX12326@hoiho.nz.lemon-computing.com>
References: <5.1.0.14.2.20020614151202.02ccbb58@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020614151202.02ccbb58@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615121723.03672df8@imap.ecs.soton.ac.uk>

At 01:54 15/06/2002, you wrote:
>
>Using the internal one might well increase performance, as there would be
>one less process to start up.
>

But the internal one is Perl, the external one is C. So for big
attachments the C one should be faster. All depends on the overhead of
cranking up a C program...
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817               University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 12:12:15 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To: <5.1.1.6.2.20020614093903.02ebf7b8@securemail.tulsaconnect.com>
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615121113.0355b780@imap.ecs.soton.ac.uk>

At 15:45 14/06/2002, you wrote:
>in mailscanner.conf:
>
># Expand TNEF attachments using an external program?
># This should be "yes" except for Sophos (when it should be "no")
># as Sophos has the facility built-in.
>
>should be updated to:
>
># Expand TNEF attachments using an external program?
># This should be "yes" except when using McAfee/uvscan or Sophos (when it
>should be "no")
># as they have the facility built-in.

Done.

>Also, it would be useful to define mailscanner's default directory prefix
>as a global variable at the top of the conf file, (e.g. "/opt"), so for
>folks like me that use "/usr/local/bin/" instead, I don't have to go and
>change every reference in the conf file.

In that case you will probably find the mailscanner.conf.linux file closer
to what you want. All you really need to do is a global search/replace
anyway.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 12:05:15 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: Mailscanner 3.20-2 RPM probs
In-Reply-To: <67D9E7698329D411936E00508B6590B9A5B343@neelix.lbsltd.co.uk>
Message-ID: <5.1.0.14.2.20020615115948.02aa59b0@imap.ecs.soton.ac.uk>

Grrr... I hate building rpm specs, they're a right royal pain to get right.
I've fixed these 2 faults, and will release 3.20-3 in a few minutes once I
have finished checking all my mail

At 15:28 14/06/2002, you wrote:
>Hi all,
>
>I've just tried installing 3.20-2 from the RPM and hit the following error.
>I suspect it is unrelated to mailscanner and is a problem with MIME::Tools -
>
>*** ERROR: unterminated C<...> at line 143 in file Mail/Cap.pm

This one is caused by a very minor, and irrelevant fault in the embedded
documentation in that file. Ignore this one.

>==== Patching MIME::Tools module (see Bugtraq)
>/var/tmp/rpm-tmp.21813: mime-tools-patch.txt: No such file or directory

I forgot to add mime-tools-patch.txt to the RPM file :-(

>/var/tmp/rpm-tmp.21813: cd: MIME-tools-5.411a: No such file or directory

And MIME-tools-5.411a helpfully unpacks into a MIME-tools-5.411 directory,
not 5.411a directory. Thanks Eryq :-(
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 12:07:41 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-1 released
In-Reply-To:
References: <5.1.0.14.2.20020614141321.02d0d890@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615120634.0366de90@imap.ecs.soton.ac.uk>

Unfortunately it's not quite as simple as it appears. There are a few lists
of things, such as the list of RBL domains, which would appear in both the
etc and the etc-local files. So do I replace the RBL domains list with what
appears in the etc-local file, do I add to it, what?

At 15:39 14/06/2002, you wrote:
>Julian,
>
>   Installed, working great so far. I love the fact that the IP number and
>domain name now appear in the spamassassin syslogs.
>Here's yet another
>suggestion from the peanut gallery to make things even better:
>
>* I wish there was an (initially empty) "etc-local" directory in
>  /opt/mailscanner for my tweaks to the configuration files in
>  /opt/mailscanner/etc. The idea here is that your default configuration
>  files go into /opt/mailscanner/etc, and my modifications to one of
>  your config files goes into etc-local. For instance, I have several
>  mods to /opt/mailscanner/etc/mailscanner.conf.solaris. Installing
>  a new version of mailscanner is painful because I have to go thru the
>  config files and re-tweak my changes before starting things up again.
>  This takes time, and mail stacks up in the queue meanwhile.
>  If there were:
>
>  /opt/mailscanner/etc/mailscanner.conf.solaris (your config, untouched)
>
>  and
>
>  /opt/mailscanner/etc-local/mailscanner.conf.solaris (lines containing
>  my mods)
>
>  where the settings in etc-local override the setting for the corresponding
>  file in etc, then I can keep my mods separated from your defaults. The
>  logic of "read etc config file, read etc-local config file for override
>  settings" could apply to any file in /opt/majordomo/etc at startup.
>
>** Jeff A. Earickson, Ph.D                       PHONE: 207-872-3659
>** Senior UNIX Sysadmin, Information Technology  EMAIL: jaearick@colby.edu
>** Colby College, 4214 Mayflower Hill,           FAX: 207-872-3076
>** Waterville ME, 04901-8842
>----------------------------------------------------------------------------

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817               University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 12:32:41 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: ANNOUNCE: Version 3.20-3 released
Message-ID: <5.1.0.14.2.20020615123001.03644910@imap.ecs.soton.ac.uk>

Sorry about the packaging errors :-(

The .tar distribution is exactly the same as before, except for a slight
change of wording in a comment in mailscanner.conf. It also now includes a
copy of the mime-tools-patch.txt file so you don't have to go hunting for
it.

The .rpm distribution should now work properly, and install the latest
MIME-tools module including the mime-tools-patch.txt from Bugtraq.

Downloadable, as usual, from http://www.mailscanner.info/
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sat Jun 15 13:53:36 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: SpamAssassin 2.30
Message-ID: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>

A new SpamAssassin has just been released. You can download it from
www.spamassassin.org.

Install
=======
Installing 2.30 was a bit messier than it should have been. You need to
install Time-HiRes from CPAN first
        perl -MCPAN -e shell
        install Time-HiRes (or was it Time::HiRes?)
and if you are using gcc on Solaris then you'll need to remove all the
"-xO3 -xdepend" from all the Makefiles as you go.

make test
=========
And it couldn't start spamd even when I tried shutting down MailScanner
first, so I don't know what's wrong there. You can skip the spamd tests by
doing
        cd t
        rm spamd*
        cd ..
before you "make test". You can quite safely skip spamd altogether as
MailScanner doesn't use it anyway.

In Use
======
And SpamAssassin keeps spitting out "sh: dccproc: not found" errors as I
don't have the DCC system installed.
But according to the SpamAssassin README, it's optional anyway. I suspect
these can be stopped by adding
        score DCC_CHECK 0.0
to the spam.assassin.prefs.conf file.

Summary
=======
The good news is that once I got it installed happily, it seems to be
working just fine.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sysadmin at DMS.UMONTREAL.CA Sat Jun 15 16:01:28 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:14:57 2006
Subject: SpamAssassin 2.30
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <3D0B56C8.6030201@DMS.UMontreal.CA>

Julian Field wrote:
> A new SpamAssassin has just been released. You can download it from
> www.spamassassin.org.

I just upgraded my solaris 7 mail server to SA2.30 and the latest
MailScanner-3.20-3. I eliminated all the spamc/spamd/spamproxyd stuff
from Makefile.PL of SA 2.30 since I have been having problems building
spamd, but as Julian has pointed out many times this is not necessary
with Mailscanner.

I got MIME-tools-5.411 and patched it with the supplied patch, which
had to be broken into two parts (at line 286) for it to patch properly

  patch -p0 < mime-tools-patch.txt
  Looks like a new-style context diff.
  Malformed patch at line 286:
  patch: Line must begin with '+ ', ' ', or '! '.

But then it worked fine.

Perhaps this is a SA list question, but the following
header from a daily NY Times mailing that is not usually marked
as spam caught my attention with the score=-95.5 .

Any clues on what the problem might be?
From: The New York Times Direct
Reply-To: nytdirect@nytimes.com
Date: Sat, 15 Jun 2002 10:37:04 -0400
To: albert@DMS.UMontreal.CA
Subject: {SPAM?} Today's Headlines from NYTimes.com Saturday, June 15, 2002
Content-Type: TEXT/PLAIN; charset=US-ASCII
Mime-Version: 1.0
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: SpamAssassin (score=-95.5, required 5, X_NOT_PRESENT,
        CLICK_BELOW, DIRECT_EMAIL, USER_IN_WHITELIST, MSG_ID_ADDED_BY_MTA_2)

TODAY'S HEADLINES
The New York Times on the Web

--
--------------------------------------------------------------------
        Christopher Albert
        Responsable des services informatiques
        Departement de mathematiques et de statistique
        Universite de Montreal

        bureau 6188, Pavillon Andre-Aisenstadt
        Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From jkf at ecs.soton.ac.uk Sat Jun 15 16:06:14 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: SpamAssassin 2.30
In-Reply-To: <3D0B56C8.6030201@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>

At 16:01 15/06/2002, you wrote:
>I got MIME-tools-5.411 and patched it with the supplied patch, which
>had to be broken into two parts (at line 286) for it to patch properly

This is a problem with older versions of "patch". If any of you suffer
similar problems, I posted the 2 patched files here some time last week.

> patch -p0 < mime-tools-patch.txt
> Looks like a new-style context diff.
>Malformed patch at line 286:
>patch: Line must begin with '+ ', ' ', or '! '.
>
>But then it worked fine.
>
>Perhaps this is a SA list question, but the following
>header from a daily NY Times mailing that is not usually marked
>as spam caught my attention with the score=-95.5 .
>
>Any clues on what the problem might be?

If an address is in the SA whitelist, it scores -100.
MailScanner 2.30 supports the SA whitelist system, if you turn it on in
mailscanner.conf.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sysadmin at DMS.UMONTREAL.CA Sat Jun 15 16:28:14 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:14:57 2006
Subject: SpamAssassin 2.30
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
Message-ID: <3D0B5D0E.7030003@DMS.UMontreal.CA>

Julian Field wrote:
> At 16:01 15/06/2002, you wrote:
>
>> Perhaps this is a SA list question, but the following
>> header from a daily NY Times mailing that is not usually marked
>> as spam caught my attention with the score=-95.5 .
>>
>> Any clues on what the problem might be?
>
>
> If an address is in the SA whitelist, it scores -100. MailScanner 2.30
> supports the SA whitelist system, if you turn it on in mailscanner.conf.
> --
>

Do you mean "SpamAssassin Auto Whitelist = yes", which I did set given
your remarks there.

What I don't understand is
at a score of -95.5 , why did it get marked {SPAM?} ?
--
--------------------------------------------------------------------
        Christopher Albert
        Responsable des services informatiques
        Departement de mathematiques et de statistique
        Universite de Montreal

        bureau 6188, Pavillon Andre-Aisenstadt
        Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From jkf at ecs.soton.ac.uk Sat Jun 15 16:38:00 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:57 2006
Subject: SpamAssassin 2.30
In-Reply-To: <3D0B5D0E.7030003@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>

At 16:28 15/06/2002, you wrote:
>Julian Field wrote:
>>At 16:01 15/06/2002, you wrote:
>
>>>Perhaps this is a SA list question, but the following
>>>header from a daily NY Times mailing that is not usually marked
>>>as spam caught my attention with the score=-95.5 .
>>>
>>>Any clues on what the problem might be?
>>
>>
>>If an address is in the SA whitelist, it scores -100. MailScanner 2.30
>>supports the SA whitelist system, if you turn it on in mailscanner.conf.
>>--
>
>Do you mean "SpamAssassin Auto Whitelist = yes", which I did set given
>your remarks there.

Yes.

>What I don't understand is
>at a score of -95.5 , why did it get marked {SPAM?} ?

Good point, I missed that, sorry.
It shouldn't have. The code is so simple it's ridiculous that it doesn't
always work on every version of Perl. Did you have the option switched on
to always include the SA header?
What exact version of Perl are you using?
I've tried and tried to reproduce this fault on any of my systems, but I
still can't :-(

>--
>--------------------------------------------------------------------
>        Christopher Albert
>        Responsable des services informatiques
>        Departement de mathematiques et de statistique
>        Universite de Montreal
>
>        bureau 6188, Pavillon Andre-Aisenstadt
>        Tel: (514) 343-2281 Fax: (514) 343-5700
>--------------------------------------------------------------------
>

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sysadmin at DMS.UMONTREAL.CA Sat Jun 15 16:47:07 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>
Message-ID: <3D0B617B.9090605@DMS.UMontreal.CA>

Julian Field wrote:
> At 16:28 15/06/2002, you wrote:
>>
>> Do you mean "SpamAssassin Auto Whitelist = yes", which I did set given
>> your remarks there.
>
>
> Yes.
>
>> What I don't understand is
>> at a score of -95.5 , why did it get marked {SPAM?} ?
>
>
> Good point, I missed that, sorry.
> It shouldn't have. The code is so simple it's ridiculous that it doesn't
> always work on every version of Perl. Did you have the option switched on
> to always include the SA header?
> What exact version of Perl are you using?
I've tried and tried to reproduce > this fault on any of my systems, but I still can't :-( > Here's what I changed in the conf file: > diff /export/local_linux/MailScanner-3.20-3/mailscanner/etc/mailscanner.conf ./mailscanner.conf 43c43 < Incoming Work Dir = /var/spool/MailScanner/incoming --- > Incoming Work Dir = /opt/mailscanner/var/incoming 46c46 < Quarantine Dir = /var/spool/MailScanner/quarantine --- > Quarantine Dir = /opt/mailscanner/var/quarantine 222c222 < Local Domains = put.your.domain.name.here --- > Local Domains = DMS.UMontreal.CA 321c321 < Use SpamAssassin = no --- > Use SpamAssassin = yes 329c329 < SpamAssassin Timeout = 10 --- > SpamAssassin Timeout = 20 344c344 < SpamAssassin Auto Whitelist = no --- > SpamAssassin Auto Whitelist = yes 365c365 < Spam List = ORDB-RBL, relays.ordb.org. --- > #Spam List = ORDB-RBL, relays.ordb.org. 393,394c393,394 < Accept Spam From = 152.78. < Accept Spam From = 139.166. --- > #Accept Spam From = 152.78. > #Accept Spam From = 139.166. uname -a SunOS euler.DMS.UMontreal.CA 5.7 Generic_106541-15 sun4u sparc SUNW,Ultra-5_10 perl -V Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration: Platform: osname=solaris, osvers=2.7, archname=sun4-solaris uname='sunos dewitt.vnet.net 5.7 generic_patch sun4u sparc ' config_args='-Dcc=gcc -de' hint=recommended, useposix=true, d_sigaction=define usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef use64bitint=undef use64bitall=undef uselongdouble=undef Compiler: cc='gcc', ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O', cppflags='-fno-strict-aliasing -I/usr/local/include' ccversion='', gccversion='2.95.3 20010315 (release)', gccosandvers='solaris2.7' intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=4, 
    nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, usemymalloc=y, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib '
    libpth=/usr/local/lib /usr/lib /usr/ccs/lib
    libs=-lsocket -lnsl -lgdbm -ldl -lm -lc
    perllibs=-lsocket -lnsl -ldl -lm -lc
    libc=/lib/libc.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-fPIC', lddlflags='-G -L/usr/local/lib'

Characteristics of this binary (from libperl):
  Compile-time options: USE_LARGE_FILES
  Built under solaris
  Compiled at Apr 26 2001 16:17:32
  @INC:
    /usr/local/lib/perl5/5.6.1/sun4-solaris
    /usr/local/lib/perl5/5.6.1
    /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris
    /usr/local/lib/perl5/site_perl/5.6.1
    /usr/local/lib/perl5/site_perl

--
--------------------------------------------------------------------
        Christopher Albert
        Responsable des services informatiques
        Departement de mathematiques et de statistique
        Universite de Montreal

        bureau 6188, Pavillon Andre-Aisenstadt
        Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From sysadmin at DMS.UMONTREAL.CA Sat Jun 15 17:06:34 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>
 <3D0B617B.9090605@DMS.UMontreal.CA>
Message-ID: <3D0B660A.4010507@DMS.UMontreal.CA>

Here is another false positive. This time quite
strange since it is a logwatch message from one of my machines
just a couple of iptables log entries.

First here is my whitelist.conf

> cat spam.whitelist.conf
# This is a list of email addresses (with an @ sign in them) or entire email
# domains (without an @ sign in them) from which you will accept mail without
# ever marking it as spam.
#jkf@ecs.soton.ac.uk
#JulianField.net
lists.sourceforge.net
umontreal.ca
crm.umontreal.ca
UMontreal.CA
DMS.UMontreal.CA
dms.umontreal.ca
spamassassin-talk@lists.sourceforge.net
DAA.UMontreal.CA

Here is the message that I just got.

 From - Sat Jun 15 12:01:33 2002
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: ^M
Received: from cedric.DMS.UMontreal.CA (cedric.DMS.UMontreal.CA [132.204.53.52])^M
        by euler.DMS.UMontreal.CA (8.11.4/8.11.4) with ESMTP id g5FG00t13045^M
        for ; Sat, 15 Jun 2002 12:00:00 -0400 (EDT)^M
Received: (from root@localhost)^M
        by cedric.DMS.UMontreal.CA (8.11.6/8.11.6) id g5FG00L22843^M
        for root; Sat, 15 Jun 2002 12:00:00 -0400^M
Date: Sat, 15 Jun 2002 12:00:00 -0400^M
From: ^M
Message-Id: <200206151600.g5FG00L22843@cedric.DMS.UMontreal.CA>^M
To: root@cedric.DMS.UMontreal.CA^M
Subject: {SPAM?} cedric.DMS.UMontreal.CA 06/15/02:12.00 system check^M
X-MailScanner: Found to be clean^M
X-MailScanner-SpamCheck: SpamAssassin (score=0.3, required 8, X_NOT_PRESENT,^M
        NO_REAL_NAME, UPPERCASE_50_75, SUPERLONG_LINE, FROM_AND_TO_SAME,^M
        NO_MX_FOR_FROM, AWL)^M
^M
^M
Unusual System Events^M
=-=-=-=-=-=-=-=-=-=-=^M
Jun 15 11:38:43 cedric kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:d1:f9:7b:08:00 SRC=132.204.53.40 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=1 ID=17664 DF PROTO=UDP SPT=48937 DPT=67 LEN=308 ^M
Jun 15 11:38:46 cedric kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:d1:f9:7b:08:00 SRC=132.204.53.40 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=1 ID=17665 DF PROTO=UDP SPT=48937 DPT=67 LEN=308 ^M

From jkf at ecs.soton.ac.uk Sat Jun 15 17:59:49 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
In-Reply-To: <3D0B660A.4010507@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>
 <3D0B617B.9090605@DMS.UMontreal.CA>
Message-ID: <5.1.0.14.2.20020615175601.02a6b8d8@imap.ecs.soton.ac.uk>

At 17:06 15/06/2002, you wrote:
>Here is another false positive. This time quite
>strange since it is a logwatch message from one of my machines
>just a couple of iptables log entries.

Try the patch I just sent you and see if it improves things. However, note
that message would not have been whitelisted as it really came from and that
name doesn't match any of your whitelist.conf entries. It's the real
envelope address (which has been put in the Return-Path header for your
convenience), not anything that someone/something happened to put in the To
header.

>First here is my whitelist.conf
>
> > cat spam.whitelist.conf
># This is a list of email addresses (with an @ sign in them) or entire email
># domains (without an @ sign in them) from which you will accept mail
>without
># ever marking it as spam.
>#jkf@ecs.soton.ac.uk
>#JulianField.net
>lists.sourceforge.net
>umontreal.ca
>crm.umontreal.ca
>UMontreal.CA
>DMS.UMontreal.CA
>dms.umontreal.ca
>spamassassin-talk@lists.sourceforge.net
>DAA.UMontreal.CA
>
>Here is the message that I just got.
>
> From - Sat Jun 15 12:01:33 2002
>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000
>Return-Path: ^M
>Received: from cedric.DMS.UMontreal.CA (cedric.DMS.UMontreal.CA
>[132.204.53.52])^M
> by euler.DMS.UMontreal.CA (8.11.4/8.11.4) with ESMTP id
>g5FG00t13045^M
> for ; Sat, 15 Jun 2002 12:00:00
>-0400 (EDT)^M
>Received: (from root@localhost)^M
> by cedric.DMS.UMontreal.CA (8.11.6/8.11.6) id g5FG00L22843^M
> for root; Sat, 15 Jun 2002 12:00:00 -0400^M
>Date: Sat, 15 Jun 2002 12:00:00 -0400^M
>From: ^M
>Message-Id: <200206151600.g5FG00L22843@cedric.DMS.UMontreal.CA>^M
>To: root@cedric.DMS.UMontreal.CA^M
>Subject: {SPAM?} cedric.DMS.UMontreal.CA 06/15/02:12.00 system check^M
>X-MailScanner: Found to be clean^M
>X-MailScanner-SpamCheck: SpamAssassin (score=0.3, required 8,
>X_NOT_PRESENT,^M
> NO_REAL_NAME, UPPERCASE_50_75, SUPERLONG_LINE, FROM_AND_TO_SAME,^M
> NO_MX_FOR_FROM, AWL)^M
>^M
>^M
>Unusual System Events^M
>=-=-=-=-=-=-=-=-=-=-=^M
>Jun 15 11:38:43 cedric kernel: PUB_IN DROP 4 IN=eth0 OUT=
>MAC=ff:ff:ff:ff:ff:ff:08:00:20:d1:f9:7b:08:00 SRC=132.204.53.40
>DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=1 ID=17664 DF
>PROTO=UDP SPT=48937 DPT=67 LEN=308 ^M
>Jun 15 11:38:46 cedric kernel: PUB_IN DROP 4 IN=eth0 OUT=
>MAC=ff:ff:ff:ff:ff:ff:08:00:20:d1:f9:7b:08:00 SRC=132.204.53.40
>DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=1 ID=17665 DF
>PROTO=UDP SPT=48937 DPT=67 LEN=308 ^M

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From sysadmin at DMS.UMONTREAL.CA Sat Jun 15 18:01:01 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:14:58 2006
Subject: Problems SpamAssassin 2.30 Linux rpm version
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <3D0B72CD.6070500@DMS.UMontreal.CA>

Testing the rpm version at home gives this little error.

[root@hollywood etc]# service mailscanner restart
Shutting down MailScanner: [FAILED]
Starting MailScanner: Configuration file
/opt/mailscanner/etc/spam.assassin.prefs.conf could not be opened for
reading! at /usr/local/MailScanner/bin/logger.pl line 63.

It also seems that the mailscanner.conf file is not the same
as the solaris version, for example, it does not include the
SA autowhitelist features nor a couple of the recent rbl lists.

--
--------------------------------------------------------------------
Christopher Albert
Responsable des services informatiques
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281
Fax: (514) 343-5700
--------------------------------------------------------------------

From jkf at ecs.soton.ac.uk Sat Jun 15 18:12:10 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: Problems SpamAssassin 2.30 Linux rpm version
In-Reply-To: <3D0B72CD.6070500@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020615180523.02a9c4d0@imap.ecs.soton.ac.uk>

At 18:01 15/06/2002, you wrote:
>Testing the rpm version at home gives this little error.
>
>
>[root@hollywood etc]# service mailscanner restart
>Shutting down MailScanner: [FAILED]
>Starting MailScanner: Configuration file
>/opt/mailscanner/etc/spam.assassin.prefs.conf could not be opened for
>reading! at /usr/local/MailScanner/bin/logger.pl line 63.

From the mailscanner.conf file:

# Set the location of the SpamAssassin user_prefs file. If you want to
# stop SpamAssassin doing all the RBL checks again, then you can add
# "skip_rbl_checks = 1" to this file.
# This must be defined if "Compile SpamAssasin Once = yes".
SpamAssassin Prefs File = /usr/local/MailScanner/etc/spam.assassin.prefs.conf

>It also seems that the mailscanner.conf file is not the same
>as the solaris version, for example, it does not include the
>SA autowhitelist features nor a couple of the recent rbl lists.

I've just diff-ed the versions in the sources. Are you 100% sure you have
downloaded and diff-ed the right version? Please double-check as I don't see
how you can have managed this :(
It looks like your RPM-installed one is a different version to your tar-ball.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mike at ZANKER.ORG Sun Jun 16 07:58:02 2002
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:14:58 2006
Subject: False positive - SA 2.30
Message-ID: <82895527.1024214282@jemima.zanker.org>

This is the first time I've ever had one of these. I installed
MailScanner 3.20-3 and SpamAssassin 2.30 yesterday afternoon and
received this yesterday evening:

> Return-Path:
> Received: from i.overslept.net (unallocated.star.net.uk
> [62.231.139.252] (may be forged)) by mallard.zanker.org
> (8.11.6/8.11.6-MZ) with ESMTP id g5FLjs201388; Sat, 15 Jun 2002
> 22:45:54 +0100
> Received: from i.overslept.net (localhost [127.0.0.1])
> by i.overslept.net (8.11.6/linuxconf) with ESMTP id g5FLi2I07247;
> Sat, 15 Jun 2002 22:44:03 +0100
> Received: from ultra2.uk2net.com (ultra2.uk2net.com [212.4.208.102])
> by i.overslept.net (8.11.6/linuxconf) with ESMTP id g5FLhSI07225
> for ; Sat, 15 Jun 2002 22:43:28 +0100
> Received: from technetium.cix.co.uk ([194.153.0.53])
> by ultra2.uk2net.com with esmtp (Exim 0.00)
> id 17JLKP-0002Ot-00
> for orange@listman.net; Sat, 15 Jun 2002 22:43:25 +0100
> Received: (from cix@localhost)
> by technetium.cix.co.uk (8.11.2/8.11.2) id g5FLhRL20376
> for orange@listman.net; Sat, 15 Jun 2002 22:43:27 +0100 (BST)
> X-Envelope-From: jonmorris@cix.compulink.co.uk
> From: jonmorris@cix.compulink.co.uk (Jonathan Morris)
> Subject: {SPAM?} Re: [ORANGE] Orange roaming in Sweden..
> To: orange@listman.net
> Reply-To: jonmorris@cix.compulink.co.uk
> Message-Id:
> X-Ameol-Version: 2.52.2000, Windows 98 4.90.3000 ( )
> Sender: orange-admin@listman.net
> Errors-To: orange-admin@listman.net
> X-BeenThere: orange@listman.net
> X-Mailman-Version: 2.0.6
> Precedence: bulk
> List-Help:
> List-Post:
> List-Subscribe: ,
>
> List-Id: Users of the Orange mobile network
> List-Unsubscribe: ,
>
> List-Archive:
> X-Original-Date: Sat, 15 Jun 2002 22:43 +0100 (BST)
> Date: Sat, 15 Jun 2002 22:43 +0100 (BST)
> X-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: SpamAssassin (score=1.6, required 5,
> MAY_BE_FORGED)

I have

Always Include SpamAssassin Report = no

and

Compile SpamAssassin Once = yes

which I see mentions the possibility of false positives. Could this be
one of those cases?

Thanks,

Mike
--
Mike Zanker
Northampton, UK
PGP Public Key: pgp@zanker.org

From LISTSERV at JISCMAIL.AC.UK Sat Jun 15 19:31:33 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:58 2006
Subject: MAILSCANNER: mcleoduk@TERRA.ES requested to join
Message-ID: <200206151831.TAA04329@magpie.ecs.soton.ac.uk>

Sat, 15 Jun 2002 19:31:33

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Ian Mcleod

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER mcleoduk@TERRA.ES Ian Mcleod

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.
-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER mcleoduk@TERRA.ES Ian Mcleod
// EOJ

From LISTSERV at JISCMAIL.AC.UK Sun Jun 16 11:11:23 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:58 2006
Subject: MAILSCANNER: michael@NOMENNESCIO.NET requested to join
Message-ID: <200206161011.LAA14540@magpie.ecs.soton.ac.uk>

Sun, 16 Jun 2002 11:11:23

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Mike Klinkert

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER michael@NOMENNESCIO.NET Mike Klinkert

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER michael@NOMENNESCIO.NET Mike Klinkert
// EOJ

From jkf at ecs.soton.ac.uk Sun Jun 16 12:58:17 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: False positive - SA 2.30
In-Reply-To: <82895527.1024214282@jemima.zanker.org>
Message-ID: <5.1.0.14.2.20020616125608.02a4ddc8@imap.ecs.soton.ac.uk>

Please try applying the attached patch to sendmail.pl and see if it
solves the problem. Something really subtle is going wrong, it looks as if
1 "if" statement is not behaving as expected in the SA code, so I've
rewritten my end of it a bit.

Please let me know if this fixes the problem. If so, I'll roll it into a
"-4" release.

At 07:58 16/06/2002, you wrote:
>This is the first time I've ever had one of these. I installed
>MailScanner 3.20-3 and SpamAssassin 2.30 yesterday afternoon and
>received this yesterday evening:
>
>>Return-Path:
>>Received: from i.overslept.net (unallocated.star.net.uk
>>[62.231.139.252] (may be forged)) by mallard.zanker.org
>>(8.11.6/8.11.6-MZ) with ESMTP id g5FLjs201388; Sat, 15 Jun 2002
>>22:45:54 +0100
>>Received: from i.overslept.net (localhost [127.0.0.1])
>> by i.overslept.net (8.11.6/linuxconf) with ESMTP id g5FLi2I07247;
>> Sat, 15 Jun 2002 22:44:03 +0100
>>Received: from ultra2.uk2net.com (ultra2.uk2net.com [212.4.208.102])
>> by i.overslept.net (8.11.6/linuxconf) with ESMTP id g5FLhSI07225
>> for ; Sat, 15 Jun 2002 22:43:28 +0100
>>Received: from technetium.cix.co.uk ([194.153.0.53])
>> by ultra2.uk2net.com with esmtp (Exim 0.00)
>> id 17JLKP-0002Ot-00
>> for orange@listman.net; Sat, 15 Jun 2002 22:43:25 +0100
>>Received: (from cix@localhost)
>> by technetium.cix.co.uk (8.11.2/8.11.2) id g5FLhRL20376
>> for orange@listman.net; Sat, 15 Jun 2002 22:43:27 +0100 (BST)
>>X-Envelope-From: jonmorris@cix.compulink.co.uk
>>From: jonmorris@cix.compulink.co.uk (Jonathan Morris)
>>Subject: {SPAM?} Re: [ORANGE] Orange roaming in Sweden..
>>To: orange@listman.net
>>Reply-To: jonmorris@cix.compulink.co.uk
>>Message-Id:
>>X-Ameol-Version: 2.52.2000, Windows 98 4.90.3000 ( )
>>Sender: orange-admin@listman.net
>>Errors-To: orange-admin@listman.net
>>X-BeenThere: orange@listman.net
>>X-Mailman-Version: 2.0.6
>>Precedence: bulk
>>List-Help:
>>List-Post:
>>List-Subscribe: ,
>>
>>List-Id: Users of the Orange mobile network
>>List-Unsubscribe: ,
>>
>>List-Archive:
>>X-Original-Date: Sat, 15 Jun 2002 22:43 +0100 (BST)
>>Date: Sat, 15 Jun 2002 22:43 +0100 (BST)
>>X-MailScanner: Found to be clean
>>X-MailScanner-SpamCheck: SpamAssassin (score=1.6, required 5,
>>MAY_BE_FORGED)
>
>I have
>
>Always Include SpamAssassin Report = no
>
>and
>
>Compile SpamAssassin Once = yes
>
>which I see mentions the possibility of false positives. Could this be
>one of those cases?
>
>Thanks,
>
>Mike
>--
>Mike Zanker
>Northampton, UK
>PGP Public Key: pgp@zanker.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sendmail.patch
Type: application/octet-stream
Size: 1402 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020616/f27b2898/sendmail.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Sun Jun 16 13:50:29 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
In-Reply-To: <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>
References: <3D0B5D0E.7030003@DMS.UMontreal.CA>
 <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020616134915.034f0180@imap.ecs.soton.ac.uk>

At 16:38 15/06/2002, you wrote:
>>What I don't understand is
>>at a score of -95.5 , why did it get marked {SPAM?} ?
>
>What exact version of Perl are you using? I've tried and tried to reproduce
>this fault on any of my systems, but I still can't :-(

I have finally found an instance of this happening on my own systems. I am
now running the patched version and will issue a "-4" release in the next
couple of days if I don't see it happening again.

Watch this space!
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817               University of Southampton
                            Southampton SO17 1BJ

From fizz at BOMB.NET Sun Jun 16 14:49:01 2002
From: fizz at BOMB.NET (Kelly Hamlin)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <000901c2153c$922d0440$483cd842@fizz>

hrmm, spamassassin installed fine on my primary gateway mail server, however
on my secondary, it all installed fine, but when I go to restart mailscanner
(3-20-3) this is what I get..

Starting virus scanner...
root@grael:/opt/mailscanner/bin# Bareword found where operator expected at
(eval 37) line 764, near "25FREEMEGS_URL_body_test"
 (Missing operator before FREEMEGS_URL_body_test?)
Bareword found where operator expected at (eval 37) line 2854, near
"25FREEMEGS_URL_body_test"
 (Missing operator before FREEMEGS_URL_body_test?)
Failed to compile body SpamAssassin tests, skipping:
 (syntax error at (eval 37) line 764, near "25FREEMEGS_URL_body_test
"
Can't use global $_ in "my" at (eval 37) line 766, near ";
 $_ "
syntax error at (eval 37) line 2854, near "25FREEMEGS_URL_body_test"
syntax error at (eval 37) line 3647, near ";
}"
)
Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping:
 (Can't locate object method "check_for_spam_reply_to" via package
"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
"Mail::SpamAssassin::PerMsgStatus"?) at
/usr/lib/perl5/site_perl/Mail/SpamAssassin/PerMsgStatus.pm line 1701.
)


Not a huge deal since this server only sees about 10k mail a day..

Any ideas? I've tried redownloading, and reinstalling several times.

----- Original Message -----
From: "Julian Field"
To:
Sent: Saturday, June 15, 2002 8:53 AM
Subject: SpamAssassin 2.30


> A new SpamAssassin has just been released. You can download it from
> www.spamassassin.org.
>
> Install
> =======
> Installing 2.30 was a bit messier than it should have been. You need to
> install Time-HiRes from CPAN first
>         perl -MCPAN -e shell
>         install Time-HiRes (or was it Time::HiRes?)
> and if you are using gcc on Solaris then you'll need to remove all the
> "-xO3 -xdepend" from all the Makefiles as you go.
>
> make test
> =========
> And it couldn't start spamd even when I tried shutting down MailScanner
> first, so I don't know what's wrong there. You can skip the spamd tests by
> doing
>         cd t
>         rm spamd*
>         cd ..
> before you "make test". You can quite safely skip spamd altogether as
> MailScanner doesn't use it anyway.
>
> In Use
> ======
> And SpamAssassin keeps spitting out "sh: dccproc: not found" errors as I
> don't have the DCC system installed. But according to the SpamAssassin
> README, it's optional anyway. I suspect these can be stopped by adding
>         score DCC_CHECK 0.0
> to the spam.assassin.prefs.conf file.
>
> Summary
> =======
> The good news is that once I got it installed happily, it seems to be
> working just fine.
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

From jkf at ecs.soton.ac.uk Sun Jun 16 15:22:21 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
In-Reply-To: <000901c2153c$922d0440$483cd842@fizz>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020616152135.036175f0@imap.ecs.soton.ac.uk>

What happened when you did a "make test" inside the 2.30 directory?

At 14:49 16/06/2002, you wrote:
>hrmm, spamassassin installed fine on my primary gateway mail server, however
>on my secondary, it all installed fine, but when I go to restart mailscanner
>(3-20-3) this is what I get..
>
>Starting virus scanner...
>root@grael:/opt/mailscanner/bin# Bareword found where operator expected at >(eval 37) line 764, near "25FREEMEGS_URL_body_test" > (Missing operator before FREEMEGS_URL_body_test?) >Bareword found where operator expected at (eval 37) line 2854, near >"25FREEMEGS_URL_body_test" > (Missing operator before FREEMEGS_URL_body_test?) >Failed to compile body SpamAssassin tests, skipping: > (syntax error at (eval 37) line 764, near "25FREEMEGS_URL_body_test >" >Can't use global $_ in "my" at (eval 37) line 766, near "; > $_ " >syntax error at (eval 37) line 2854, near "25FREEMEGS_URL_body_test" >syntax error at (eval 37) line 3647, near "; >}" >) >Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping: > (Can't locate object method "check_for_spam_reply_to" via package >"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load >"Mail::SpamAssassin::PerMsgStatus"?) at >/usr/lib/perl5/site_perl/Mail/SpamAssassin/PerMsgStatus.pm line 1701. >) > > >Not a huge deal since this server only sees about 10k mail a day.. > >Any ideas? ive tried redownloading, and reinstalling several times. > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Saturday, June 15, 2002 8:53 AM >Subject: SpamAssassin 2.30 > > > > A new SpamAssassin has just been released. You can download it from > > www.spamassassin.org. > > > > Install > > ======= > > Installing 2.30 was a bit messier than it should have been. You need to > > install Time-HiRes from CPAN first > > perl -MCPAN -e shell > > install Time-HiRes (or was it Time::HiRes?) > > and if you are using gcc on Solaris then you'll need to remove all the > > "-xO3 -xdepend" from all the Makefiles as you go. > > > > make test > > ========= > > And it couldn't start spamd even when I tried shutting down MailScanner > > first, so I don't know what's wrong there. You can skip the spamd tests by > > doing > > cd t > > rm spamd* > > cd .. > > before you "make test". 
You can quite safely skip spamd altogether as > > MailScanner doesn't use it anyway. > > > > In Use > > ====== > > And SpamAssassin keeps spitting out "sh: dccproc: not found" errors as I > > don't have the DCC system installed. But according to the SpamAssassin > > README, it's optional anyway. I suspect these can be stopped by adding > > score DCC_CHECK 0.0 > > to the spam.assassin.prefs.conf file. > > > > Summary > > ======= > > The good news is that once I got it installed happily, it seems to be > > working just fine. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Sun Jun 16 16:12:59 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:58 2006 Subject: SpamAssassin 2.30 References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020616152135.036175f0@imap.ecs.soton.ac.uk> Message-ID: <002201c21548$4cf57ae0$483cd842@fizz> all tests came back ok, except razor (1st test) cause i dont have it installed ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, June 16, 2002 10:22 AM Subject: Re: SpamAssassin 2.30 > What happened when you did a "make test" inside the 2.30 directory? > > At 14:49 16/06/2002, you wrote: > >hrmm, spamassassin installed fine on my primary gateway mail server, however > >on my secondary, it all install fine, but when i goto restart mailscanner > >(3-20-3) this is what i get.. > > > >Starting virus scanner... > >root@grael:/opt/mailscanner/bin# Bareword found where operator expected at > >(eval 37) line 764, near "25FREEMEGS_URL_body_test" > > (Missing operator before FREEMEGS_URL_body_test?) 
> >Bareword found where operator expected at (eval 37) line 2854, near > >"25FREEMEGS_URL_body_test" > > (Missing operator before FREEMEGS_URL_body_test?) > >Failed to compile body SpamAssassin tests, skipping: > > (syntax error at (eval 37) line 764, near "25FREEMEGS_URL_body_test > >" > >Can't use global $_ in "my" at (eval 37) line 766, near "; > > $_ " > >syntax error at (eval 37) line 2854, near "25FREEMEGS_URL_body_test" > >syntax error at (eval 37) line 3647, near "; > >}" > >) > >Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping: > > (Can't locate object method "check_for_spam_reply_to" via package > >"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load > >"Mail::SpamAssassin::PerMsgStatus"?) at > >/usr/lib/perl5/site_perl/Mail/SpamAssassin/PerMsgStatus.pm line 1701. > >) > > > > > >Not a huge deal since this server only sees about 10k mail a day.. > > > >Any ideas? ive tried redownloading, and reinstalling several times. > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Saturday, June 15, 2002 8:53 AM > >Subject: SpamAssassin 2.30 > > > > > > > A new SpamAssassin has just been released. You can download it from > > > www.spamassassin.org. > > > > > > Install > > > ======= > > > Installing 2.30 was a bit messier than it should have been. You need to > > > install Time-HiRes from CPAN first > > > perl -MCPAN -e shell > > > install Time-HiRes (or was it Time::HiRes?) > > > and if you are using gcc on Solaris then you'll need to remove all the > > > "-xO3 -xdepend" from all the Makefiles as you go. > > > > > > make test > > > ========= > > > And it couldn't start spamd even when I tried shutting down MailScanner > > > first, so I don't know what's wrong there. You can skip the spamd tests by > > > doing > > > cd t > > > rm spamd* > > > cd .. > > > before you "make test". You can quite safely skip spamd altogether as > > > MailScanner doesn't use it anyway. 
> > > > > > In Use > > > ====== > > > And SpamAssassin keeps spitting out "sh: dccproc: not found" errors as I > > > don't have the DCC system installed. But according to the SpamAssassin > > > README, it's optional anyway. I suspect these can be stopped by adding > > > score DCC_CHECK 0.0 > > > to the spam.assassin.prefs.conf file. > > > > > > Summary > > > ======= > > > The good news is that once I got it installed happily, it seems to be > > > working just fine. > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mike at ZANKER.ORG Sun Jun 16 16:52:22 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:58 2006 Subject: False positive - SA 2.30 In-Reply-To: <5.1.0.14.2.20020616125608.02a4ddc8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020616125608.02a4ddc8@imap.ecs.soton.ac.uk> Message-ID: <23578133.1024246342@jemima.zanker.org> On 16 June 2002 12:58 +0100 Julian Field wrote: > Please try applying the attached patch to sendmail.pl and see if it > solves the problem. OK, I'll give it a shot. 

Thanks,

Mike
--
Mike Zanker
Northampton, UK
PGP Public Key: pgp@zanker.org

From jkf at ecs.soton.ac.uk Sun Jun 16 17:30:55 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
In-Reply-To: <5.1.0.14.2.20020616134915.034f0180@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020615163329.03477230@imap.ecs.soton.ac.uk>
 <3D0B5D0E.7030003@DMS.UMontreal.CA>
 <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020616172923.047dbd20@imap.ecs.soton.ac.uk>

At 13:50 16/06/2002, you wrote:
>At 16:38 15/06/2002, you wrote:
>>>What I don't understand is
>>>at a score of -95.5 , why did it get marked {SPAM?} ?
>>
>>What exact version of Perl are you using? I've tried and tried to reproduce
>>this fault on any of my systems, but I still can't :-(
>
>I have finally found an instance of this happening on my own systems. I am
>now running the patched version and will issue a "-4" release in the next
>couple of days if I don't see it happening again.
>
>Watch this space!

Things are looking good. I've been through all of today's logs, and there
haven't been any false positives of this type since I started using the
patched version.

I've added another couple of lines to the code to line-buffer the pipe
(rather than block-buffer it) to fix what looks like an occasional
buffering problem.

Jules.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817               University of Southampton
                            Southampton SO17 1BJ

From S.R.Patterson at SOTON.AC.UK Sun Jun 16 17:52:04 2002
From: S.R.Patterson at SOTON.AC.UK (Steven Patterson)
Date: Thu Jan 12 21:14:58 2006
Subject: ANNOUNCE: Version 3.20-1 released
Message-ID: <000601c21556$264ee2b0$9865fea9@sucs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson
> Sent: 14 June 2002 15:39
>
> Here's yet another suggestion from the peanut
> gallery to make things even better:
>
> I have several
> mods to /opt/mailscanner/etc/mailscanner.conf.solaris. Installing
> a new version of mailscanner is painful because I have to
> go thru the
> config files and re-tweek my changes before starting things
> up again.

Yes, but since the options that are available to you in each version of
the software increase you should go through the entire config file every
time you upgrade anyway. If it helps then keep a separate copy of your
local config file and simply add new lines to it by comparison with the
new config file

> This takes time, and mail stacks up in the queue meanwhile.

If I turned off mailscanner for the fifteen to twenty minutes it takes to
work through the (huge!) config file and set all of the values I'd be shot.
Consider instead extracting the config file before you install the new
version of mailscanner, re-writing it to suit your needs and then copying
this file into place immediately after you upgrade mailscanner.

- --
Steven Patterson, MSci. Tel: +44 (0)2380 595810
Electronic Information Systems Support and Development
Computing Services, University of Southampton, UK.
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQzBLq2fOiTs5+WvEQI2rwCfZA95vzAa/zF9GN33PQ/tckiIK4YAnRPv
5acS3TfccAs3lgqMPPHeow/3
=MsvH
-----END PGP SIGNATURE-----

From nwp at LEMON-COMPUTING.COM Sun Jun 16 23:33:53 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:58 2006
Subject: SpamAssassin 2.30
In-Reply-To: <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020615134502.02aeb330@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020615160238.032c1100@imap.ecs.soton.ac.uk>
Message-ID: <20020616223353.GN12326@hoiho.nz.lemon-computing.com>

On Sat, Jun 15, 2002 at 04:06:14PM +0100, Julian Field wrote:
> If an address is in the SA whitelist, it scores -100. MailScanner 2.30
> supports the SA whitelist system, if you turn it on in mailscanner.conf.

/me slaps Julian with a wet fish...

*3.20*

Wake Up! It's 2002 now, and we're not on 2.xx any more ;)

--
Nick Phillips -- nwp@lemon-computing.com
You have the body of a 19 year old. Please return it before it gets wrinkled.

From LISTSERV at JISCMAIL.AC.UK Mon Jun 17 02:23:51 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:58 2006
Subject: MAILSCANNER: gt@DIAPASON.COM requested to join
Message-ID: <200206170123.CAA27263@magpie.ecs.soton.ac.uk>

Mon, 17 Jun 2002 02:23:51

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from "Georges A. Tomazi"

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER gt@DIAPASON.COM Georges A. Tomazi

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed.
Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER gt@DIAPASON.COM Georges A. Tomazi
// EOJ

From LISTSERV at JISCMAIL.AC.UK Mon Jun 17 06:59:35 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:58 2006
Subject: MAILSCANNER: vincent@DUKE-INTERACTIVE.COM left the JISCmail list
Message-ID: <200206170559.GAA09447@magpie.ecs.soton.ac.uk>

Mon, 17 Jun 2002 06:59:35

vincent M?oc has just left the MAILSCANNER JISCmail list
(MailScanner mailing list).

From jkf at ecs.soton.ac.uk Mon Jun 17 09:19:42 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: ANNOUNCE: Version 3.20-4 released
Message-ID: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk>

Hi folks,

I have just released 3.20-4. This should fix the problem with
SpamAssassin generating false positives, where a bug in SpamAssassin
was causing messages to be marked as spam even though
hits

Hey guys,

I just checked... f-prot does not detect it as a virus so it's their
problem. They need to check it out.... Mailscanner is fine .. I guess..

[root /tmp]# f-prot /tmp/decrypt-password.exe
Virus scanning report - 17. June 2002 13:48

F-PROT 3.12a
SIGN.DEF created 14. June 2002
SIGN2.DEF created 14. June 2002
MACRO.DEF created 11. June 2002

Search: /tmp/decrypt-password.exe
Action: Report only
Files: Attempt to identify files
Switches:

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:01

No viruses or suspicious files/boot sectors were found.

----- Original Message -----
From: Rishi Gangoly
To: MAILSCANNER@JISCMAIL.AC.UK
Cc: technology@woi.biz ; tss@theargoncompany.com
Sent: Monday, June 17, 2002 1:55 PM
Subject: f-prot / aves detects this as a virus !!
I think

Hi Guys,

I think f-prot with aves (whatever that is) detects this as a virus but
f-prot with mailscanner does not. Do you know why?

Regards
Rishi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020617/df0a52a2/attachment.html

From akhan at SGHMS.AC.UK Mon Jun 17 11:46:38 2002
From: akhan at SGHMS.AC.UK (Asim Khan)
Date: Thu Jan 12 21:14:58 2006
Subject: error with netscape6
References: <3D0A0E86.2060700@sghms.ac.uk> <3D0A638A.8090006@konsultex.com.br>
Message-ID: <3D0DBE0E.9080501@sghms.ac.uk>

...Thanks for the advice but I still get the errors on netscape 4.72..?
..Could it be that I require a local unix account for akhan as my
address is akhan@sghms.ac.uk whereas the IMAP mail server is
mail.sghms.ac.uk but outgoing SMTP is mancity (but I don't think
you need a local unix account if you're using netscape
with IMAP..?)
...any advice much appreciated..

Miguel Koren O'Brien de Lacy wrote:

> I noticed the same type of error since I switched to Netscape 6. With
> Netscape 4.7x I never had this problem. What I do in these cases is
> close Netscape and open it again and the problem goes away. Another
> situation that causes this error (I'm not sure if it's the same message,
> though) is when I attach a file that is on a network drive, not on my
> local machine. In those cases I first copy it over and then attach. I
> attributed these problems to Netscape and/or WinXP (unfortunately my new
> notebook came with it).
>
> I'm hoping that Netscape 7 will solve this....
>
> Miguel
>
> Asim Khan wrote:
>
>> ..My netscape6 seems to give errors like:
>>
>> 'An error occurred while sending mail.
>> The mail server responded :
>> Unexpected failure, please try later.
>> Please verify that your email address is correct >> in your mail preferences and try again' >> >> the only setting I've changed on my mail account in netscape6 >> is 'My Outgoing Server (SMTP): mancity.sghsms.ac.uk' - my local unix >> box from 'mail.sghms.ac.uk' - the mail mail server.. >> >> mancity is the host with mailscanner/exim running on it.. >> >> the screen freezes and no email is sent...? >> >> BUT if I use /usr/lib/sendmail -v username@sghms.ac.uk as root >> the user recieves the email..? >> >> ..Any suggestions would be much appreciated...? >> >> Asim Khan >> Unix System Administrator >> Computing Services >> St George's Hospital Medical School >> Tel: 020 8725 5453 > -- Asim Khan Unix System Administrator Computing Services St George's Hospital Medical School Tel: 020 8725 5453 From LISTSERV at JISCMAIL.AC.UK Mon Jun 17 11:46:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:58 2006 Subject: MAILSCANNER: mohren@SS20.MPI-SEEWIESEN.MPG.DE requested to join Message-ID: <200206171046.LAA00215@magpie.ecs.soton.ac.uk> Mon, 17 Jun 2002 11:46:31 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Werner Mohren You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mohren@SS20.MPI-SEEWIESEN.MPG.DE Werner Mohren PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. 
------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mohren@SS20.MPI-SEEWIESEN.MPG.DE Werner Mohren // EOJ From mike at ZANKER.ORG Mon Jun 17 12:20:53 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> Message-ID: <273527203.1024316453@mallard.open.ac.uk> On 17 June 2002 09:19 +0100 Julian Field wrote: > I have just released 3.20-4. This should fix the problem with > SpamAssassin generating false positives, where a bug in SpamAssassin > was causing messages to be marked as spam even though > hits <3D0A638A.8090006@konsultex.com.br> <3D0DBE0E.9080501@sghms.ac.uk> Message-ID: <3D0DD6AF.5050900@konsultex.com.br> Well, all I can think of at the moment is to look at the log files on the server to see if they have some meaningful information. Miguel Asim Khan wrote: > ...Thanks for the advice but I still get the errors on netscape 4.72..? > ..Could it be that I require a local unix account for akhan as my > address is akhan@sghms.ac.uk whereas the IMAP mail server is > mail.sghms.ac.uk but outgoing SMTP is mancity (but I don't think > you need a local unix account if you're using netscape > with IMAP..?) > ...any advice much apprecaited.. > > Miguel Koren O'Brien de Lacy wrote: > >> I noticed the same type of error since I switched to Netscape 6. With >> Netscape 4.7x I never had this problem. What I do in these cases is >> close Netscape and open it again and the problem goes away. Another >> situation that causes this error (I'm not sure if it's the same messga, >> though) is when I attach a file that is on a network drive, not on my >> local machine. In those cases I first copy it over and then attach. I >> attributed these problems to Netscape and/or WinXP (unfortunately my new >> notebook came with it). 
>>
>> I'm hoping that Netscape 7 will solve this....
>>
>> Miguel
>>
>> Asim Khan wrote:
>>
>>> ..My netscape6 seems to give errors like:
>>>
>>> 'An error occurred while sending mail.
>>> The mail server responded :
>>> Unexpected failure, please try later.
>>> Please verify that your email address is correct
>>> in your mail preferences and try again'
>>>
>>> the only setting I've changed on my mail account in netscape6
>>> is 'My Outgoing Server (SMTP): mancity.sghsms.ac.uk' - my local unix
>>> box from 'mail.sghms.ac.uk' - the mail mail server..
>>>
>>> mancity is the host with mailscanner/exim running on it..
>>>
>>> the screen freezes and no email is sent...?
>>>
>>> BUT if I use /usr/lib/sendmail -v username@sghms.ac.uk as root
>>> the user receives the email..?
>>>
>>> ..Any suggestions would be much appreciated...?
>>>
>>> Asim Khan
>>> Unix System Administrator
>>> Computing Services
>>> St George's Hospital Medical School
>>> Tel: 020 8725 5453
>>
>>
>
>
> --
> Asim Khan
> Unix System Administrator
> Computing Services
> St George's Hospital Medical School
> Tel: 020 8725 5453

From gt at DIAPASON.COM Mon Jun 17 13:27:27 2002
From: gt at DIAPASON.COM (Georges A. Tomazi)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
Message-ID: <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>

Hi,

I just installed on a Solaris 8 / SPARC box MailScanner-3.20-3 (upgraded
this morning to 3.20-4) with Sophos + Mail-SpamAssassin-2.30 (including
razor-agents-2.07 and dcc-dccproc-1.1.2).

I had no problems at all for installing / configuring the whole stuff, mail
processing through MailScanner and Sophos is just fine (is there any way
to test its efficiency with a file including a test virus signature ?).

However, spam filtering doesn't work as expected. No matter the contents of
a message, it gets always marked as "whitelisted" - and I'm not using any
white listing. For example, these are the headers with a test spam sent
from some external account :

[...]
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=12.5,
        required 5, PLING, DOUBLE_CAPSWORD, ONCE_IN_LIFETIME, CALL_FREE,
        REMOVE_SUBJ, LINES_OF_YELLING, FREQ_SPAM_PHRASE, DCC_CHECK,
        X_RCVD_IN_UNCONFIRMED_DSBL)
[...]

The spam section of my mailscanner.conf file is pretty straightforward :

[...]
Spam Checks = yes
Spam Header = X-MailScanner-SpamCheck:
Spam Modify Subject = yes
Spam Subject Text = {SPAM?}
Spam Action = deliver
Log Spam = yes
Use SpamAssassin = yes
Max SpamAssassin Size = 100000
SpamAssassin Timeout = 30
SpamAssassin Prefs File = /opt/mailscanner/etc/spam.assassin.prefs.conf
SpamAssassin Auto Whitelist = no
Compile SpamAssassin Once = yes
Always Include SpamAssassin Report = yes
Spam List Timeout = 15
Accept Spam From =
[...]

The "Spam White List" parameter is not defined here, but I tried also to
define it as "/opt/mailscanner/etc/spam.whitelist.conf" and that file was
just empty (or with all lines commented out). It doesn't change anything...

Is there something I'm missing ?

Thanks for your help,

Georges

--
Georges A. Tomazi - gt@diapason.com

From jkf at ecs.soton.ac.uk Mon Jun 17 13:38:34 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: ANNOUNCE: Version 3.20-4 released
In-Reply-To: <273527203.1024316453@mallard.open.ac.uk>
References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020617133709.0489be58@imap.ecs.soton.ac.uk>

At 12:20 17/06/2002, you wrote:
>On 17 June 2002 09:19 +0100 Julian Field wrote:
>
>>I have just released 3.20-4. This should fix the problem with
>>SpamAssassin generating false positives, where a bug in SpamAssassin
>>was causing messages to be marked as spam even though
>>hits
>Does this contain anything new other than the sendmail.pl patch you
>asked me to try?

I changed the buffering in one of the child processes, and added a test for
the rare case where SA returns absolutely nothing. But all you need to do
is drop a new sendmail.pl (from 3.20-4) into your current (3.20) setup.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Mon Jun 17 13:48:19 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk>

At 13:27 17/06/2002, you wrote:
>I had no problems at all for installing / configuring the whole stuff, mail
>processing through MailScanner and Sophos is just fine (is there any way
>to test its efficiency with a file including a test virus signature ?).

Look at www.eicar.org.

>However, spam filtering doesn't work as expected. No matter the contents of
>a message, it gets always marked as "whitelisted" - and I'm not using any
>white listing. For example, these are the headers with a test spam sent
>from some external account :
>
>Accept Spam From =

Try commenting out all the "Accept Spam From" lines, rather than leaving
them blank. I suspect the configuration file reader is seeing that as 'any
network whose IP addresses match ""' which is all of them.

I'll change the behaviour of this line for the next release.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gt at DIAPASON.COM Mon Jun 17 14:38:52 2002
From: gt at DIAPASON.COM (Georges A. Tomazi)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk>
References: <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com>

Hi,

At 13:48 17/06/2002 +0100, Julian Field wrote:

[...]
>Look at www.eicar.org.

Thx.

>>However, spam filtering doesn't work as expected. No matter the contents of
>>a message, it gets always marked as "whitelisted" - and I'm not using any
>>white listing. For example, these are the headers with a test spam sent
>>from some external account :
>>
>>Accept Spam From =
>
>Try commenting out all the "Accept Spam From" lines, rather than leaving
>them blank. I suspect the configuration file reader is seeing that as 'any
>network whose IP addresses match ""' which is all of them.

Much better, this time I get in the headers (for the same message) :

[...]
Subject: {SPAM?} This is a SPAM !
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: SpamAssassin (score=11.3, required 5, PLING_PLING,
        PLING, DOUBLE_CAPSWORD, ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ,
        LINES_OF_YELLING, FREQ_SPAM_PHRASE, X_RCVD_IN_UNCONFIRMED_DSBL)
[...]

However I don't get the usual SpamAssassin behaviour such (for the same
message again) :

Subject: *****SPAM*****
X-Spam-Status: Yes, hits=12.7 required=5.0
        tests=DATE_MISSING,X_NOT_PRESENT,FROM_MISSING,SUBJ_MISSING,
        INVALID_DATE,DOUBLE_CAPSWORD,ONCE_IN_LIFETIME,CALL_FREE,
        REMOVE_SUBJ,LINES_OF_YELLING,FREQ_SPAM_PHRASE,
        MISSING_HEADERS
        version=2.30
X-Spam-Flag: YES
X-Spam-Level: ************
X-Spam-Checker-Version: SpamAssassin 2.30 (devel $Id: SpamAssassin.pm,v 1.94 2002/06/14 23:17:15 hughescr Exp $)

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.7 hits, 5 required)
SPAM: DATE_MISSING       (-2.1 points) Missing Date: header
SPAM: X_NOT_PRESENT      (-1.9 points) Message has no X- headers
SPAM: FROM_MISSING       (4.3 points) Missing From: header
SPAM: SUBJ_MISSING       (1.4 points) Subject: is empty or missing
SPAM: INVALID_DATE       (0.5 points) Invalid Date: header (not RFC 822)
SPAM: DOUBLE_CAPSWORD    (1.1 points) BODY: A word in all caps repeated on the line
SPAM: ONCE_IN_LIFETIME   (1.8 points) BODY: Once in a lifetime, apparently
SPAM: CALL_FREE          (0.7 points) BODY: Contains a tollfree number
SPAM: REMOVE_SUBJ        (3.4 points) BODY: List removal information
SPAM: LINES_OF_YELLING   (-0.0 points) BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: FREQ_SPAM_PHRASE   (2.4 points) Contains phrases frequently found in spam
SPAM:    [score: 17, hits: all information, are you,]
SPAM:    [federal legislation, for your, from our, future]
SPAM:    [mailings, mail address, our company, permanently]
SPAM:    [removed, please send, remove the, removed from,]
SPAM:    [subject line, that can, the subject, word]
SPAM:    [remove, you for, you like, you need, you not,]
SPAM:    [you with, your mail]
SPAM: MISSING_HEADERS    (1.1 points) Missing To: header
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

My main interest is in the "X-Spam-*" headers. I didn't disable any option
in my "spam.assassin.prefs.conf" :

required_hits 5
auto_report_threshold 30
ok_locales en
score RCVD_IN_BL_SPAMCOP_NET 4
score RCVD_IN_RBL 10
score RCVD_IN_RSS 1
score RCVD_IN_DUL 1

Can I get the "regular" SpamAssassin headers and comments ?

One more question : before trying to use MailScanner / SpamAssassin, I had
quite a lot of filtering rules (headers consistency, RBL, some virus
signature checking, address and domain lookups, etc...). I guess that I
should disable them since MailScanner/SpamAssassin are doing pretty much
the same job and as two sendmail are running all checks will be redundant.
Am I right ?

[...]

Thanks again !

Georges

--
Georges A. Tomazi - gt@diapason.com

From jkf at ecs.soton.ac.uk Mon Jun 17 14:52:02 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com>
References: <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.1.0.14.2.20020617145030.04b1df90@imap.ecs.soton.ac.uk>

At 14:38 17/06/2002, you wrote:
>Can I get the "regular" SpamAssassin headers and comments ?

No, not very easily. This involves really messing around with the message,
which slows everything down and confuses most users anyway.

>One more question : before trying to use MailScanner / SpamAssassin, I had
>quite a lot of filtering rules (headers consistency, RBL, some virus
>signature checking, address and domain lookups, etc...). I guess that I
>should disable them since MailScanner/SpamAssassin are doing pretty much
>the same job and as two sendmail are running all checks will be redundant.
>Am I right ?

The only advantage of having sendmail do them is that it can reject the
message a lot "earlier" than MailScanner and SpamAssassin.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gt at DIAPASON.COM Mon Jun 17 15:10:22 2002
From: gt at DIAPASON.COM (Georges A. Tomazi)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.1.0.14.2.20020617145030.04b1df90@imap.ecs.soton.ac.uk>
References: <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com> <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.0.2.1.2.20020617155929.00b7cb30@pobox.diapason.com>

Hi,

At 14:52 17/06/2002 +0100, Julian Field wrote:
>At 14:38 17/06/2002, you wrote:
>>Can I get the "regular" SpamAssassin headers and comments ?
>
>No, not very easily. This involves really messing around with the message,
>which slows everything down and confuses most users anyway.

OK, but what about having at least the very useful header "X-Spam-Flag:
YES|NO".

IMHO it's easier to instruct the MUA to filter that boolean string rather
than using the Subject: field {SPAM?} or the X-MailScanner-SpamCheck:
header for "not spam".

>>One more question : before trying to use MailScanner / SpamAssassin, I had
>>quite a lot of filtering rules (headers consistency, RBL, some virus
>>signature checking, address and domain lookups, etc...). I guess that I
>>should disable them since MailScanner/SpamAssassin are doing pretty much
>>the same job and as two sendmail are running all checks will be redundant.
>>Am I right ?
>
>The only advantage of having sendmail do them is that it can reject the
>message a lot "earlier" than MailScanner and SpamAssassin.

OK, but on the other hand all the lookups will be made twice (the two
sendmail instances) if not three times for some tests (RBL, ...). An option
perhaps would be to add a third layer such smtpd to do some prefiltering
that MailScanner/SpamAssassin can't do, or do slower. Do you agree ?

One more note : your own default configuration is based on sophos. So why
did you enable by default the external TNEF in the mailscanner.conf file ?
Is there any reason to crosscheck ?

Thanks again !

Georges

--
Georges A. Tomazi - gt@diapason.com

From jkf at ecs.soton.ac.uk Mon Jun 17 15:24:07 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.0.2.1.2.20020617155929.00b7cb30@pobox.diapason.com>
References: <5.1.0.14.2.20020617145030.04b1df90@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com> <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.1.0.14.2.20020617151708.02c4dda0@imap.ecs.soton.ac.uk>

At 15:10 17/06/2002, you wrote:
>At 14:52 17/06/2002 +0100, Julian Field wrote:
>>At 14:38 17/06/2002, you wrote:
>>>Can I get the "regular" SpamAssassin headers and comments ?
>>
>>No, not very easily. This involves really messing around with the message,
>>which slows everything down and confuses most users anyway.
>
>OK, but what about having at least the very useful header "X-Spam-Flag:
>YES|NO".

Then someone else asks for per-user and per-domain configuration of all
this, and all of a sudden it's code-bloat time again :(

>IMHO it's easier to instruct the MUA to filter that boolean string rather
>than using the Subject: field {SPAM?} or the X-MailScanner-SpamCheck:
>header for "not spam".

I'm afraid I disagree there. Ever tried it with MS Outlook or Eudora? I
don't doubt for a second that it can be done, but testing the Subject:
line is something both of those packages expect a user to want to do.

And anyway, you've got the source so you can change it to do anything you
like :) Just don't expect me to support it...

>>>One more question : before trying to use MailScanner / SpamAssassin, I had
>>>quite a lot of filtering rules (headers consistency, RBL, some virus
>>>signature checking, address and domain lookups, etc...). I guess that I
>>>should disable them since MailScanner/SpamAssassin are doing pretty much
>>>the same job and as two sendmail are running all checks will be redundant.
>>>Am I right ?
>>
>>The only advantage of having sendmail do them is that it can reject the
>>message a lot "earlier" than MailScanner and SpamAssassin.
>
>OK, but on the other hand all the lookups will be made twice (the two
>sendmail instances) if not three times for some tests (RBL, ...). An option
>perhaps would be to add a third layer such smtpd to do some prefiltering
>that MailScanner/SpamAssassin can't do, or do slower. Do you agree ?

All sounds horribly complicated. Part of the core aims of MailScanner were
that it should be easy to install. Setting up an entire smtpd just to do
this would send half my users running for cover.

>One more note : your own default configuration is based on sophos. So why
>did you enable by default the external TNEF in the mailscanner.conf file ?
>Is there any reason to crosscheck ?

In general, people change the minimum amount possible from the
configuration I supply. So I play it safe and enable the TNEF decoder. That
way when people change Sophos to something else, there aren't any other
options that have to be set separately to make it work. Most people only
change about 3 or 4 lines from the configuration I supply.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gt at DIAPASON.COM Mon Jun 17 15:50:27 2002
From: gt at DIAPASON.COM (Georges A. Tomazi)
Date: Thu Jan 12 21:14:58 2006
Subject: Permanent white listing
In-Reply-To: <5.1.0.14.2.20020617151708.02c4dda0@imap.ecs.soton.ac.uk>
References: <5.0.2.1.2.20020617155929.00b7cb30@pobox.diapason.com> <5.1.0.14.2.20020617145030.04b1df90@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com> <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com>
Message-ID: <5.0.2.1.2.20020617163510.00b41e68@pobox.diapason.com>

Julian,

At 15:24 17/06/2002 +0100, Julian Field wrote:

[...]
>>IMHO it's easier to instruct the MUA to filter that boolean string rather
>>than using the Subject: field {SPAM?} or the X-MailScanner-SpamCheck:
>>header for "not spam".
>
>I'm afraid I disagree there. Ever tried it with MS Outlook or Eudora? I
>don't doubt for a second that it can be done, but testing the Subject:
>line is something both of those packages expect a user to want to do.

True, however using the Subject: field has some caveats :

- The worst is when the string filtered by the MUA is in a non-spam mail
  subject field so it gets dumped. Not likely but still possible.

- If sorting messages based on the subject field is required it can be an
  issue.

- In a non IT environment, you can be sure that users will ask what is that
  string ;-)

I believe - generally speaking - that everything that involves some system
stuff should be kept away from the user.

>And anyway, you've got the source so you can change it to do anything you
>like :) Just don't expect me to support it...

I wish I could... but ... perl (and PHP) are my black beasts ;-)
I came from the "old" school : shell and C !

[...]

Thanks again very much for your efficient and quick help,

Georges

--
Georges A. Tomazi - gt@diapason.com

From SMF at LBSLTD.CO.UK Mon Jun 17 16:00:37 2002
From: SMF at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:14:58 2006
Subject: Signing messages by domain/MRTG
Message-ID: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>

Hi All,

I'm trying to persuade the IT director to get rid of our existing SMTP
gateway (WinNT+MIMEsweeper for SMTP+Sophos) and to replace it with RedHat
Linux, Sophos, MailScanner and SpamAssassin and there were a couple of
things that I was wondering about MailScanner:

1) Is it possible to sign messages only where 'from' certain domains - e.g.
to add a legal disclaimer to all messages from my internal domains but not
to mail coming in from external sources??

2) Has anyone managed to modify the supplied MRTG script to show the number
of mails processed/virus/spam by hour as well as by day/month?

Kind regards,

Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.
DDI: +44 1903 82 8594
FAX: +44 1903 82 8620

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From jkf at ecs.soton.ac.uk Mon Jun 17 16:04:40 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:58 2006
Subject: Signing messages by domain/MRTG
In-Reply-To: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk >
Message-ID: <5.1.0.14.2.20020617160315.02d14ca0@imap.ecs.soton.ac.uk>

At 16:00 17/06/2002, you wrote:
>1) Is it possible to sign messages only where 'from' certain domains - e.g.
>to add a legal disclaimer to all messages from my internal domains but not
>to mail coming in from external sources??

I use a different mail server to handle incoming mail than I do to handle
outgoing mail. So I just have different MailScanner setups on them.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mdchaney at MICHAELCHANEY.COM Mon Jun 17 16:37:34 2002
From: mdchaney at MICHAELCHANEY.COM (Michael Chaney)
Date: Thu Jan 12 21:14:58 2006
Subject: Signing messages by domain/MRTG
In-Reply-To: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>; from SMF@LBSLTD.CO.UK on Mon, Jun 17, 2002 at 04:00:37PM +0100
References: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>
Message-ID: <20020617103734.A4151@michaelchaney.com>

On Mon, Jun 17, 2002 at 04:00:37PM +0100, Steve Freegard wrote:
> Hi All,
>
> I'm trying to persuade the IT director to get rid of our existing SMTP
> gateway (WinNT+MIMEsweeper for SMTP+Sophos) and to replace it with RedHat
> Linux, Sophos, MailScanner and SpamAssassin and there were a couple of
> things that I was wondering about MailScanner:
>
> 1) Is it possible to sign messages only where 'from' certain domains - e.g.
> to add a legal disclaimer to all messages from my internal domains but not
> to mail coming in from external sources??

I would highly recommend talking to your legal department/lawyer about
the actual validity of those "legal disclaimers". While they look good,
they're likely to bring laughter from a judge were something to get that
far. It's probably not worth the effort.

> 2) Has anyone managed to modify the supplied MRTG script to show the number
> of mails processed/virus/spam by hour as well as by day/month?

Should be trivial to do that just by using awk or Perl on the mail log.

Michael
--
Michael Darrin Chaney
mdchaney@michaelchaney.com
http://www.michaelchaney.com/

From FCaen at CI.LAKEWOOD.WA.US Mon Jun 17 16:43:38 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:58 2006
Subject: f-prot / aves detects this as a virus !! I think
Message-ID:

-----Original Message-----
From: rishi@THEARGONCOMPANY.COM

> I just checked... f-prot does not detect it as a virus so it's their problem.
> They need to check it out.... Mailscanner is fine .. I guess..

> [root /tmp]# f-prot /tmp/decrypt-password.exe
> Virus scanning report - 17. June 2002 13:48

> F-PROT 3.12a
> SIGN.DEF created 14. June 2002
> SIGN2.DEF created 14. June 2002
> MACRO.DEF created 11. June 2002

That's weird. I had the same problem until somewhere around the 12th or
13th. On that day, they finally added W32.Frethem to their definition, at
least as suspicious:

# f-prot decrypt-password.exe
Virus scanning report - 17. June 2002 8:39

F-PROT 3.12a
SIGN.DEF created 14. June 2002
SIGN2.DEF created 14. June 2002
MACRO.DEF created 11. June 2002

Search: decrypt-password.exe
Action: Report only
Files: Attempt to identify files
Switches:

/tmp/decrypt-password.exe is a security risk or a "backdoor" program

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From akhan at SGHMS.AC.UK Mon Jun 17 16:50:23 2002
From: akhan at SGHMS.AC.UK (Asim Khan)
Date: Thu Jan 12 21:14:58 2006
Subject: error with netscape6
References: <3D0A0E86.2060700@sghms.ac.uk> <3D0A638A.8090006@konsultex.com.br> <3D0DBE0E.9080501@sghms.ac.uk> <3D0DD6AF.5050900@konsultex.com.br>
Message-ID: <3D0E053F.60306@sghms.ac.uk>

...ok will do ..thanks..

Miguel Koren O'Brien de Lacy wrote:

> Well, all I can think of at the moment is to look at the log files on
> the server to see if they have some meaningful information.
>
> Miguel
>
> Asim Khan wrote:
>
>> ...Thanks for the advice but I still get the errors on netscape 4.72..?
>> ..Could it be that I require a local unix account for akhan as my
>> address is akhan@sghms.ac.uk whereas the IMAP mail server is
>> mail.sghms.ac.uk but outgoing SMTP is mancity (but I don't think
>> you need a local unix account if you're using netscape
>> with IMAP..?)
>> ...any advice much appreciated..
>>
>> Miguel Koren O'Brien de Lacy wrote:
>>
>>> I noticed the same type of error since I switched to Netscape 6. With
>>> Netscape 4.7x I never had this problem. What I do in these cases is
>>> close Netscape and open it again and the problem goes away. Another
>>> situation that causes this error (I'm not sure if it's the same message,
>>> though) is when I attach a file that is on a network drive, not on my
>>> local machine. In those cases I first copy it over and then attach. I
>>> attributed these problems to Netscape and/or WinXP (unfortunately my new
>>> notebook came with it).
>>>
>>> I'm hoping that Netscape 7 will solve this....
>>>
>>> Miguel
>>>
>>> Asim Khan wrote:
>>>
>>>> ..My netscape6 seems to give errors like:
>>>>
>>>> 'An error occurred while sending mail.
>>>> The mail server responded :
>>>> Unexpected failure, please try later.
>>>> Please verify that your email address is correct
>>>> in your mail preferences and try again'
>>>>
>>>> the only setting I've changed on my mail account in netscape6
>>>> is 'My Outgoing Server (SMTP): mancity.sghsms.ac.uk' - my local unix
>>>> box from 'mail.sghms.ac.uk' - the mail mail server..
>>>>
>>>> mancity is the host with mailscanner/exim running on it..
>>>>
>>>> the screen freezes and no email is sent...?
>>>>
>>>> BUT if I use /usr/lib/sendmail -v username@sghms.ac.uk as root
>>>> the user receives the email..?
>>>>
>>>> ..Any suggestions would be much appreciated...?
>>>>
>>>> Asim Khan
>>>> Unix System Administrator
>>>> Computing Services
>>>> St George's Hospital Medical School
>>>> Tel: 020 8725 5453
>>>
>>>
>>>
>>
>>
>> --
>> Asim Khan
>> Unix System Administrator
>> Computing Services
>> St George's Hospital Medical School
>> Tel: 020 8725 5453
>

--
Asim Khan
Unix System Administrator
Computing Services
St George's Hospital Medical School
Tel: 020 8725 5453

From FCaen at CI.LAKEWOOD.WA.US Mon Jun 17 16:56:08 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:58 2006
Subject: Writing support for new scanners
Message-ID:

Since the question "how do I add support for anti-virus XYZ?" comes back so
often and you took the time to write those instructions, maybe Julian should
add them to the Mailscanner site?

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

-----Original Message-----
From: nwp@LEMON-COMPUTING.COM
Sent: Saturday, June 15, 2002 3:34 AM
To:
Subject: [MAILSCANNER] Writing support for new scanners

On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:

> I will try to figure out how to add support for this scanner in
> weeks to come.

Well, feel free. Here are some guidelines that I've been working on for you
and any other prospective scanner-support-writers out there...

* Tips for writing scanner support:

  * "print STDERR $line" is your friend.

  * Always parse *every* line of output from the scanner, and die if you
    don't understand it.

  * Be *extremely* anal when writing regexps, especially with quantities of
    whitespace.

  * Only use wildcards to match the filename part of the output, *never* to
    match whitespace or boilerplate text (think about what might happen if
    the filename has a trailing character).

  * At least one scanner prints "..." before outputting its results -- be
    *sure* what the scanner's output format really is.

  * Be sure that you know how your scanner reports infections within
    archives; they can easily be mis-parsed.

  * Use comments to document any oddities that could confuse your parser;
    that way we might be able to ensure that they don't happen in future.

  * Use comments to document the output format you are expecting from the
    scanner so that when it changes, debugging is quicker.

  * Watch out for scanners reporting different categories of Bad Thing -
    e.g. "Joke Program", "Trojan", "Virus", "Worm"... it is a good idea to
    run "strings" over a core dump from the scanner to get clues as to what
    may be reported if you're not sure.

And a few more that I haven't added to that list yet:

  * Include examples (directly from *real output*) of output formats in
    comments in your code.

  * Aim to include only parameters which are necessary in the parameter
    lists in the code; put the rest in the wrapper script, with comments -
    see the F-Prot or Kaspersky wrapper scripts for examples.

  * Run the scanner in the "C" locale (clear all LC_* environment variables,
    and LANG -- or set LANG to "C").

  * Please try to comment your code in English - that's what Jules and I
    speak, so it's what we need in comments when we're trying to work out
    what's going on (I can handle French, or some German, but anything else
    is likely not helpful).

  * Please indicate in the comments *exactly* which versions of the scanner
    in question your code has been tested with, which versions you expect it
    to work with, and which versions any example output was generated by.

Err, that's all I can think of at the moment.

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Tomorrow will be cancelled due to lack of interest.

From David.Sullivan at BARNET.AC.UK Mon Jun 17 17:17:26 2002
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:14:58 2006
Subject: Signing messages by domain/MRTG
In-Reply-To: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>
Message-ID: <3D0E19A3.3618.241CDDF7@localhost>

On 17 Jun 2002 at 16:00, Steve Freegard wrote:

> I'm trying to persuade the IT director to get rid of our existing SMTP
> gateway (WinNT+MIMEsweeper for SMTP+Sophos) and to replace it with RedHat
> Linux, Sophos, MailScanner and SpamAssassin and there were a couple of
> things that I was wondering about MailScanner:
>
> 1) Is it possible to sign messages only where 'from' certain domains - e.g.
> to add a legal disclaimer to all messages from my internal domains but not
> to mail coming in from external sources??

We do this using a combination of exim's ability to use a different
transport based on the domain and altermime to achieve the huge chunk of
disclaimer you will see at the bottom of this message.
Achieving the same using sendmail (or other MTA of choice) is an exercise for the reader ... Regards -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From munafo at PREZZEMOLO.POLITO.IT Mon Jun 17 19:05:14 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> Message-ID: <02061720051402.09475@prezzemolo.polito.it> On Monday 17 June 2002 10:19, Julian Field wrote: > Hi folks, > > I have just released 3.20-4. This should fix the problem with SpamAssassin > generating false positives, where a bug in SpamAssassin was causing > messages to be marked as spam even though hits around it. > Hi. 
I just installed 3.20-4 (and the latest versions of SpamAssassin and Razor) and I noticed that if Log Spam is enabled, the log message contains the IP address of the last relay (and the internet name of the actual source) For example: Jun 17 19:33:19 prezzemolo mailscanner[8541]: Message g5HHWwt09427 from 130.192.2.16 (surem.co.kr) is spam according to SpamAssassin (score=16.4, required 5, KOREAN_UCE_SUBJECT, COPYRIGHT_CLAIMED, MIME_EXCESSIVE_QP, BASE64_ENC_TEXT, SUBJ_ALL_CAPS, SUBJ_FULL_OF_8BITS, CHARSET_FARAWAY_HEADERS, DATE_IN_PAST_48_96) where 130.192.2.16 (pol88b.polito.it ) is actually our main mail server (the MX for the domain) and its address appears in all the SpamAssassin logs. Shouldn't the two addresses be the same? Regards, Maurizio Munafo' -- Maurizio M. Munafo' / munafo@mail.tlc.polito.it "Consider Phlebas, who was once handsome and tall as you" (T.S.Eliot) From jaearick at COLBY.EDU Mon Jun 17 19:30:57 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <02061720051402.09475@prezzemolo.polito.it> Message-ID: Julian, This feature is working correctly for me, where our mail server is also our MX record for our domain. Running on Solaris 8. BTW, I love this fix... ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Mon, 17 Jun 2002, Maurizio Matteo Munafo' wrote: > Date: Mon, 17 Jun 2002 20:05:14 +0200 > From: Maurizio Matteo Munafo' > Reply-To: munafo@polito.it > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Version 3.20-4 released > > On Monday 17 June 2002 10:19, Julian Field wrote: > > Hi folks, > > > > I have just released 3.20-4. 
This should fix the problem with SpamAssassin > > generating false positives, where a bug in SpamAssassin was causing > > messages to be marked as spam even though hits > around it. > > > > Hi. > I just installed 3.20-4 (and the latest versions of SpamAssassin and Razor) > and I noticed that if Log Spam is enabled, the log message contains the IP > address of the last relay (and the internet name of the actual source) > > For example: > > Jun 17 19:33:19 prezzemolo mailscanner[8541]: Message g5HHWwt09427 from > 130.192.2.16 (surem.co.kr) is spam according to SpamAssassin > (score=16.4, required 5, KOREAN_UCE_SUBJECT, COPYRIGHT_CLAIMED, > MIME_EXCESSIVE_QP, BASE64_ENC_TEXT, SUBJ_ALL_CAPS, SUBJ_FULL_OF_8BITS, > CHARSET_FARAWAY_HEADERS, DATE_IN_PAST_48_96) > > where 130.192.2.16 (pol88b.polito.it ) is actually our main mail server (the > MX for the domain) and its address appears in all the SpamAssassin logs. > > Shouldn't the two addresses be the same? > > Regards, > Maurizio Munafo' > > -- > Maurizio M. Munafo' / munafo@mail.tlc.polito.it > "Consider Phlebas, who was once handsome and tall as you" (T.S.Eliot) > From LISTSERV at JISCMAIL.AC.UK Mon Jun 17 19:53:32 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:58 2006 Subject: MAILSCANNER: yalko@CDCOVERS.CC left the JISCmail list Message-ID: <200206171853.TAA12462@magpie.ecs.soton.ac.uk> Mon, 17 Jun 2002 19:53:32 Yalko Yalko has just left the MAILSCANNER JISCmail list (MailScanner mailing list). 
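Nick Phillips's scanner-support guidelines, quoted earlier in this archive, applied to the F-PROT 3.12a report that Francois Caen posts later in it. This is an added example, not MailScanner code: the sample report is rebuilt from that post with line breaks and spacing reconstructed, and the `PARSER_DEBUG` switch and the file name `/tmp/notes.txt` are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Tested against no real scanner:
# the patterns follow the F-PROT 3.12a report quoted on this page only.
# Run the scanner itself with LANG=C and no LC_* variables set, so that
# the boilerplate text below does not change with the locale.
use strict;
use warnings;

# Expected output format (reconstructed from the posted report):
my $REPORT = <<'EOT';
Virus scanning report - 17. June 2002 8:39

F-PROT 3.12a
SIGN.DEF created 14. June 2002
SIGN2.DEF created 14. June 2002
MACRO.DEF created 11. June 2002

Search: decrypt-password.exe
Action: Report only
Files: Attempt to identify files
Switches:

/tmp/decrypt-password.exe is a security risk or a "backdoor" program

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
EOT

my $MONTH = qr/(?:January|February|March|April|May|June|July|August|September|October|November|December)/;
my $DATE  = qr/\d{1,2}\. $MONTH \d{4}/;

# Boilerplate is matched literally, one space at a time: no \s+, no .*
my @BOILERPLATE = (
    qr/^Virus scanning report - $DATE \d{1,2}:\d{2}\z/,
    qr/^F-PROT \d+\.\d+[a-z]?\z/,
    qr/^(?:SIGN|SIGN2|MACRO)\.DEF created $DATE\z/,
    qr/^Search: .+\z/,               # wildcard covers the scanned path only
    qr/^Action: Report only\z/,
    qr/^Files: Attempt to identify files\z/,
    qr/^Switches:\z/,
    qr/^Results of virus scanning:\z/,
    qr/^Time: \d+:\d{2}\z/,
);
my $COUNTER = qr/^(Files|MBRs|Boot sectors|Objects scanned|Infected|Suspicious|Disinfected|Deleted|Renamed): (\d+)\z/;
# The only report category seen on this page. Add others ("Virus", "Worm",
# ...) only after copying their exact wording from real output.
my $RISK = qr/^(.+) is a security risk or a "backdoor" program\z/;

sub parse_fprot_report {
    my ($text) = @_;
    my (%flagged, %count);
    LINE: for my $line (split /\n/, $text) {
        print STDERR "fprot: [$line]\n" if $ENV{PARSER_DEBUG};   # hypothetical switch
        next LINE if $line eq '';
        for my $re (@BOILERPLATE) { next LINE if $line =~ $re }
        if ($line =~ $COUNTER) { $count{$1} = $2; next LINE }
        if ($line =~ $RISK)    { $flagged{$1} = 'security risk'; next LINE }
        die "unparsed scanner output: [$line]\n";   # never skip what we do not understand
    }
    # Fail closed: the summary must be present and must agree with the parse.
    for my $k (qw(Infected Suspicious)) {
        die "summary counter '$k' missing\n" unless defined $count{$k};
    }
    die "scanner flagged objects but no report line was parsed\n"
        if $count{Infected} + $count{Suspicious} > 0 && !%flagged;
    return { flagged => \%flagged, count => \%count };
}

# Constructed variants: a file name ending in a space (two spaces before
# "is"), and a "..." progress line that the expected format does not contain.
(my $trailing_space = $REPORT) =~ s{^/tmp/decrypt-password\.exe }{/tmp/notes.txt  }m;
my $progress = "...\n" . $REPORT;

for my $case ([posted => $REPORT], [trailing => $trailing_space], [progress => $progress]) {
    my ($name, $text) = @$case;
    my $result = eval { parse_fprot_report($text) };
    if (!$result) { chomp(my $err = $@); print "$name: REJECTED ($err)\n"; next }
    print "$name: [$_] => $result->{flagged}{$_}\n" for sort keys %{ $result->{flagged} };
}
```

The trailing-space case keeps the space inside the captured file name, which a `\S+\s+` pattern would lose, and the progress-line case stops the parse instead of being silently ignored.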
From jkf at ecs.soton.ac.uk Mon Jun 17 20:45:03 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <02061720051402.09475@prezzemolo.polito.it> References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> At 19:05 17/06/2002, you wrote: >I just installed 3.20-4 (and the latest versions of SpamAssassin and Razor) >and I noticed that if Log Spam is enabled, the log message contains the IP >address of the last relay (and the internet name of the actual source) > >For example: > >Jun 17 19:33:19 prezzemolo mailscanner[8541]: Message g5HHWwt09427 from > 130.192.2.16 (surem.co.kr) is spam according to SpamAssassin > (score=16.4, required 5, KOREAN_UCE_SUBJECT, COPYRIGHT_CLAIMED, > MIME_EXCESSIVE_QP, BASE64_ENC_TEXT, SUBJ_ALL_CAPS, SUBJ_FULL_OF_8BITS, > CHARSET_FARAWAY_HEADERS, DATE_IN_PAST_48_96) > >where 130.192.2.16 (pol88b.polito.it ) is actually our main mail server (the >MX for the domain) and its address appears in all the SpamAssassin logs. > >Shouldn't the two addresses be the same? No. The number is the IP address of the SMTP client that made the connection to the mail server. The name is the domain name of the sender's address as read from the message envelope. I guess I should add something to the docs to explain this (assuming, just for a hypothetical moment, that anyone reads them :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Mon Jun 17 21:34:53 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> Message-ID: <36657.129.80.22.143.1024346093.squirrel@tiger.dorfam.ca> >>Shouldn't the two addresses be the same? > > No. > The number is the IP address of the SMTP client that made the > connection to the mail server. > The name is the domain name of the sender's address as read from the > message envelope. > I guess I should add something to the docs to explain this (assuming, > just for a hypothetical moment, that anyone reads them :-) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ I always read the doc's...after all else has failed! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From LISTSERV at JISCMAIL.AC.UK Mon Jun 17 21:32:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:58 2006 Subject: MAILSCANNER: christianlasprilla@HOTMAIL.COM left the JISCmail list Message-ID: <200206172032.VAA20363@magpie.ecs.soton.ac.uk> Mon, 17 Jun 2002 21:32:59 Christian Lasprilla has just left the MAILSCANNER JISCmail list (MailScanner mailing list). 
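The two fields Julian Field describes above, pulled apart from a "Log Spam" line so that the connecting SMTP client and the envelope sender domain are never treated as one identity. This is an added example, not MailScanner code: the first log line is the one posted in this thread (joined onto one line), the others are constructed, and the `%OWN_RELAY` table is an assumption built from the MX named in the thread.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code.
use strict;
use warnings;

# Our own hosts that relay mail to the MailScanner box (assumption: the MX
# named in the thread). Their address says nothing about where spam came from.
my %OWN_RELAY = ('130.192.2.16' => 'pol88b.polito.it');

my $NUM     = qr/-?\d+(?:\.\d+)?/;
my $IPV4    = qr/\d{1,3}(?:\.\d{1,3}){3}/;
my $PREFIX  = qr/\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) mailscanner\[\d+\]:/;
my $WHO     = qr/Message (\S+) from ($IPV4) \(([^()]*)\)/;
my $VERDICT = qr/is spam according to SpamAssassin \(score=($NUM), required ($NUM)((?:, [A-Z0-9_]+)*)\)/;
my $SPAM    = qr/^$PREFIX $WHO $VERDICT\z/;

sub parse_spam_line {
    my ($line) = @_;
    my ($host, $id, $ip, $domain, $score, $required, $rules) = $line =~ $SPAM
        or return;
    return {
        host            => $host,
        id              => $id,
        client_ip       => $ip,        # peer of the SMTP connection
        envelope_domain => $domain,    # from the envelope sender, sender-supplied
        score           => $score,
        required        => $required,
        rules           => [ grep { length } split /, /, $rules ],
        via_own_relay   => exists $OWN_RELAY{$ip} ? 1 : 0,
    };
}

# Render the record in the unambiguous wording proposed in this thread.
sub describe {
    my ($m) = @_;
    my $s = sprintf '%s: (apparently) from %s via %s, score %s/%s, %d rules',
        $m->{id}, $m->{envelope_domain}, $m->{client_ip},
        $m->{score}, $m->{required}, scalar @{ $m->{rules} };
    $s .= " [own relay $OWN_RELAY{ $m->{client_ip} }: IP does not identify the origin]"
        if $m->{via_own_relay};
    return $s;
}

my @LOG = (
    # Posted in this thread:
    'Jun 17 19:33:19 prezzemolo mailscanner[8541]: Message g5HHWwt09427 from 130.192.2.16 (surem.co.kr) is spam according to SpamAssassin (score=16.4, required 5, KOREAN_UCE_SUBJECT, COPYRIGHT_CLAIMED, MIME_EXCESSIVE_QP, BASE64_ENC_TEXT, SUBJ_ALL_CAPS, SUBJ_FULL_OF_8BITS, CHARSET_FARAWAY_HEADERS, DATE_IN_PAST_48_96)',
    # Constructed for this example:
    'Jun 17 19:40:02 prezzemolo mailscanner[8541]: Message g5HHdxt09501 from 192.0.2.25 (example.org) is spam according to SpamAssassin (score=7.1, required 5, SUBJ_ALL_CAPS)',
    'Jun 17 19:41:10 prezzemolo mailscanner[8541]: Message g5HHfat09533 from 130.192.2.16 (example.org) is spam according to SpamAssassin (score=9, required 5, BASE64_ENC_TEXT, SUBJ_ALL_CAPS)',
    'Jun 17 19:42:00 prezzemolo otherdaemon[9001]: constructed unrelated line',
);

my (%by_ip, %by_domain);
for my $line (@LOG) {
    my $m = parse_spam_line($line);
    if (!$m) { print "not a spam report: $line\n"; next }
    print describe($m), "\n";
    $by_domain{ $m->{envelope_domain} }++;
    $by_ip{ $m->{client_ip} }++ unless $m->{via_own_relay};
}
print 'external SMTP clients: ',
    join(', ', map { "$_ ($by_ip{$_})" } sort keys %by_ip), "\n";
print 'envelope domains (unverified): ',
    join(', ', map { "$_ ($by_domain{$_})" } sort keys %by_domain), "\n";
```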
From munafo at PREZZEMOLO.POLITO.IT Mon Jun 17 23:17:21 2002
From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo')
Date: Thu Jan 12 21:14:58 2006
Subject: ANNOUNCE: Version 3.20-4 released
In-Reply-To: <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> from "Julian Field" at Jun 17, 2002 08:45:03 PM
Message-ID: <200206172217.g5HMHLk15676@mail.tlc.polito.it>

Julian Field wrote:
>
> At 19:05 17/06/2002, you wrote:
> >I just installed 3.20-4 (and the latest versions of SpamAssassin and Razor)
> >and I noticed that if Log Spam is enabled, the log message contains the IP
> >address of the last relay (and the internet name of the actual source)
> >
> >For example:
> >
> >Jun 17 19:33:19 prezzemolo mailscanner[8541]: Message g5HHWwt09427 from
> >    130.192.2.16 (surem.co.kr) is spam according to SpamAssassin
> >    (score=16.4, required 5, KOREAN_UCE_SUBJECT, COPYRIGHT_CLAIMED,
> >    MIME_EXCESSIVE_QP, BASE64_ENC_TEXT, SUBJ_ALL_CAPS, SUBJ_FULL_OF_8BITS,
> >    CHARSET_FARAWAY_HEADERS, DATE_IN_PAST_48_96)
> >
> >where 130.192.2.16 (pol88b.polito.it ) is actually our main mail server (the
> >MX for the domain) and its address appears in all the SpamAssassin logs.
> >
> >Shouldn't the two addresses be the same?
>
> No.
> The number is the IP address of the SMTP client that made the connection to
> the mail server.
> The name is the domain name of the sender's address as read from the
> message envelope.

This can be reasonable. My only doubt was having an IP address and an Internet name side by side with two different meanings.
Perhaps "from 130.192.2.16 (surem.co.kr)" should be "(apparently) from surem.co.kr via 130.192.2.16" or something similar could save some people from having to read the documentation :)

Regards,
Maurizio Munafo'

--
Maurizio M.
Munafo' / munafo@mail.tlc.polito.it "Consider Phlebas, who was once handsome and tall as you" (T.S.Eliot) From nwp at LEMON-COMPUTING.COM Mon Jun 17 23:50:02 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:58 2006 Subject: Writing support for new scanners In-Reply-To: References: Message-ID: <20020617225002.GF5888@hoiho.nz.lemon-computing.com> On Mon, Jun 17, 2002 at 08:56:08AM -0700, Francois Caen wrote: > Since the question "how do I add support for anti-virus XYZ?" comes back so often and you took the time to write those instructions, maybe Julian should add them to the Mailscanner site? Will be doing so, once we've decided exactly where, and whether we're going to do anything to make it easier first. -- Nick Phillips -- nwp@lemon-computing.com Don't read everything you believe. From chris at HARVESTROAD.COM Tue Jun 18 02:36:47 2002 From: chris at HARVESTROAD.COM (Chris Waltham) Date: Thu Jan 12 21:14:58 2006 Subject: How to upgrade from 3.14-1 to 3.20-4? Message-ID: <5.1.0.14.2.20020618093522.01ecb520@spinach.harvestroad.com> Hi guys, I'm getting a few false positives, and was wondering how I upgrade from 3.14-1 to 3.20-4? I was just going to edit the shell scripts as I would have in doing a fresh install of 3.14 (and then copying it over into /usr/local/mailscanner), but then it looks like there are files (for instance, bin/config.pl) that I might have to edit but haven't seen before. What's the go? thanks, Chris From siewwu.tan at EDGEMATRIX.COM Tue Jun 18 03:50:19 2002 From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu) Date: Thu Jan 12 21:14:58 2006 Subject: F-Prot Update Script Available Message-ID: This is related to bash feature. The script is using bash version 2 feature. Bash version 1.xx will give this error. If you are running RedHat 6.x, check to see if you have both bash 1 and bash 2 on your system, i.e. /bin/bash and /bin/bash2. 
>When I run the f-prot update script I get: > >/usr/local/f-prot/check-updates.sh: ${HTTPRETURN:0:1}: bad substitution >/usr/local/f-prot/check-updates.sh: [: integer expression expected >before -ne > > Nothing to be done... > From P.G.M.Peters at civ.utwente.nl Tue Jun 18 07:28:04 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:58 2006 Subject: ANNOUNCE: Version 3.20-4 released In-Reply-To: <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020617091706.036ec170@imap.ecs.soton.ac.uk> <02061720051402.09475@prezzemolo.polito.it> <5.1.0.14.2.20020617204252.036b04f0@imap.ecs.soton.ac.uk> Message-ID: On Mon, 17 Jun 2002 20:45:03 +0100, you wrote: >I guess I should add something to the docs to explain this (assuming, just >for a hypothetical moment, that anyone reads them :-) Everything is so clear I don't need to read the docs (Yes, you can read it as a compliment). -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Tue Jun 18 07:30:20 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:58 2006 Subject: Permanent white listing In-Reply-To: <5.0.2.1.2.20020617163510.00b41e68@pobox.diapason.com> References: <5.0.2.1.2.20020617155929.00b7cb30@pobox.diapason.com> <5.1.0.14.2.20020617145030.04b1df90@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617152031.00b6b458@pobox.diapason.com> <5.1.0.14.2.20020617134614.04802520@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617133251.00b41778@pobox.diapason.com> <5.1.0.14.2.20020617151708.02c4dda0@imap.ecs.soton.ac.uk> <5.0.2.1.2.20020617163510.00b41e68@pobox.diapason.com> Message-ID: <7pktgu877eu8evklmot0hovu0vr4e4de9u@4ax.com> On Mon, 17 Jun 2002 16:50:27 +0200, you wrote: >>And anyway, you've got the source so you 
can change it to do anything you >>like :) Just don't expect me to support it... > >I wish I could... but ... perl (and PHP) are my black beasts ;-) I came >from the "old" school : shell and C ! My first languages were algol and fortran. I didn't get to C that good but shell and perl are now my favorites. But I have to look into PHP sometime this summer. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From rishi at THEARGONCOMPANY.COM Tue Jun 18 07:38:57 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:58 2006 Subject: F-Prot Update Script Available References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <005101c212e6$4120ec90$73488eca@protocol> <002301c212e9$b79265e0$630aa8c0@server> Message-ID: <00a001c21692$dddf2420$73488eca@protocol> Yeah somehow the FTP server at F-PROT and ncftp have some kind of an understanding between each other. It only downloads if the files are different. Regards Rishi ----- Original Message ----- From: "Ray Healy (Data Net Services)" To: Sent: Thursday, June 13, 2002 8:20 PM Subject: Re: F-Prot Update Script Available > Dear Rishi > > Hope do not mind me asking but with your new update script, I assume it > checks every day but does it only download if the definitions at F-Prot are > newer than whats on your server - like the other script does from RAQFAQ > (but that always comes up with /etc/cron.daily/AVupdate.sh: : Ambiguous > redirect but it does work) > > Thanks for your help > > Ray Healy > ----- Original Message ----- > From: "Rishi Gangoly" > To: > Sent: Thursday, June 13, 2002 3:20 PM > Subject: Re: F-Prot Update Script Available > > > > I somehow love my update script. 
> >
> > /usr/local/f-prot/update
> >
> > ---------
> > #!/bin/bash
> >
> > cd /usr/local/f-prot
> > ncftpget -F ftp://ftp.f-prot.com/pub/fp-def.zip
> > ncftpget -F ftp://ftp.f-prot.com/pub/macrdef2.zip
> > ncftpget -F ftp://ftp.f-prot.com/pub/sign2.zip
> > unzip -o fp-def.zip
> > unzip -o macrdef2.zip
> > unzip -o sign2.zip
> >
> > ---------
> >
> > and then add this line in your crontab
> >
> > ---------
> > 22 * * * * /usr/local/f-prot/update > /dev/null 2> /dev/null
> >
> > ---------
> >
> > It works. ;-)
> >
> > Regards
> >
> > Rishi
> >
> > ----- Original Message -----
> > From: "Lewis Bergman"
> > To:
> > Sent: Thursday, June 13, 2002 1:53 AM
> > Subject: Re: F-Prot Update Script Available
> >
> >
> > > The hint about bash2 was it. I changed it to #!/bin/bash2 and it works
> > fine
> > > now.
> > > --
> > > Lewis Bergman
> > > Texas Communications
> > > 4309 Maple St.
> > > Abilene, TX 79602-8044
> > > 915-695-6962 ext 115
> > >
> >
>

From rishi at THEARGONCOMPANY.COM Tue Jun 18 07:55:46 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:14:58 2006
Subject: F-Prot Update Script Available
References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk>
Message-ID: <00cd01c21695$2ea88750$73488eca@protocol>

----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, June 13, 2002 8:05 PM
Subject: Re: F-Prot Update Script Available

> But what if MailScanner happens to call your copy of F-Prot while it is
> half way through unpacking the zip files? That batch of messages won't be
> scanned properly and so a virus could easily slip through the net.
>
> This is why my autoupdate scripts use a lockfile in /tmp (which interacts
> with MailScanner).

Oh! I did not know you had an autoupdate script. That's a good point, I hadn't thought of that.
Where is your autoupdate script for f-prot?
I am running version 3.20 Release 4 of MailScanner. The only file I found for f-prot is : /usr/local/f-prot/f-protwrapper Regards Rishi From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 07:52:27 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:58 2006 Subject: MAILSCANNER: dave@ESI.COM.AU requested to join Message-ID: <200206180652.HAA23607@magpie.ecs.soton.ac.uk> Tue, 18 Jun 2002 07:52:27 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Dave Horsfall You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dave@ESI.COM.AU Dave Horsfall PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dave@ESI.COM.AU Dave Horsfall // EOJ From S.R.Patterson at SOTON.AC.UK Tue Jun 18 10:13:56 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:58 2006 Subject: error with netscape6 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Asim Khan [mailto:akhan@SGHMS.AC.UK] > Sent: 17 June 2002 11:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: error with netscape6 > > ...Thanks for the advice but I still get the errors on > netscape 4.72..? > ..Could it be that I require a local unix account for akhan as my > address is akhan@sghms.ac.uk whereas the IMAP mail server is > mail.sghms.ac.uk but outgoing SMTP is mancity (but I > don't think > you need a local unix account if you're using netscape > with IMAP..?) 
> ...any advice much apprecaited.. Hi, In brief: - - If you're using IMAP to read your email then you must have a UNIX account on the IMAP server. This is so that the IMAP server knows how to check your username and password. This account need not be a shell account, i.e. it could be an account with /bin/true as the shell, for example. That way people can't just telnet/ssh in to the IMAP server - - This isn't a mailscanner question, I think it should be taken off the mailscanner mailing list now and directed to a more appropriate forum. Thanks, Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPQ75062fOiTs5+WvEQL/5wCeLAIrX/URXWXwbDC/eHKIYYluHyoAoLa+ AkyFqbnXQLy6MiJgGzvGooEj =0ePA -----END PGP SIGNATURE----- From jkf at ecs.soton.ac.uk Tue Jun 18 10:15:02 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:58 2006 Subject: How to upgrade from 3.14-1 to 3.20-4? In-Reply-To: <5.1.0.14.2.20020618093522.01ecb520@spinach.harvestroad.com > Message-ID: <5.1.0.14.2.20020618101410.02d1ae88@imap.ecs.soton.ac.uk> At 02:36 18/06/2002, you wrote: >I'm getting a few false positives, and was wondering how I upgrade from 3.14-1 >to 3.20-4? I was just going to edit the shell scripts as I would have in doing >a fresh install of 3.14 (and then copying it over into >/usr/local/mailscanner), >but then it looks like there are files (for instance, bin/config.pl) that I >might >have to edit but haven't seen before. Save a copy of all your config files somewhere safe. Then install the new package's contents. Then diff your old config files against the new ones to work out what changes you have made, so you can apply the same changes to the new config files. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue Jun 18 10:17:17 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:58 2006 Subject: F-Prot Update Script Available In-Reply-To: <00cd01c21695$2ea88750$73488eca@protocol> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020618101622.02c76338@imap.ecs.soton.ac.uk> At 07:55 18/06/2002, you wrote: >----- Original Message ----- >From: "Julian Field" >To: >Sent: Thursday, June 13, 2002 8:05 PM >Subject: Re: F-Prot Update Script Available > > > > But what if MailScanner happens to call your copy of F-Prot while it is > > half way through unpacking the zip files? That batch of messages won't be > > scanned properly and so a virus could easily slip through the net. > > > > This is why my autoupdate scripts use a lockfile in /tmp (which interacts > > with MailScanner). > >Oh! I did not know you had an autoupdate script. That's a good point, I >hadn't thought of that. >Where is your autoupdate script for f-prot? I am running version 3.20 >Release 4 of MailScanner. >The only file I found for f-prot is : /usr/local/f-prot/f-protwrapper I haven't done one for F-Prot, I'm afraid. But if you take a look through the Sophos or McAfee autoupdate scripts (which I did write) you will find exactly how I do the locking. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Tue Jun 18 10:53:38 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:58 2006 Subject: How to upgrade from 3.14-1 to 3.20-4? 
In-Reply-To: <5.1.0.14.2.20020618101410.02d1ae88@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020618093522.01ecb520@spinach.harvestroad.com > <5.1.0.14.2.20020618101410.02d1ae88@imap.ecs.soton.ac.uk> Message-ID: On Tue, 18 Jun 2002 10:15:02 +0100, you wrote: >>I'm getting a few false positives, and was wondering how I upgrade from 3.14-1 >>to 3.20-4? I was just going to edit the shell scripts as I would have in doing >>a fresh install of 3.14 (and then copying it over into >>/usr/local/mailscanner), >>but then it looks like there are files (for instance, bin/config.pl) that I >>might >>have to edit but haven't seen before. > >Save a copy of all your config files somewhere safe. Then install the new >package's contents. Then diff your old config files against the new ones to >work out what changes you have made, so you can apply the same changes to >the new config files. I usually take a little different approach. I make the diff between the old distributed version and the version I changed. Those diffs I patch into the new distributed version. Patch complains about wrong linenumbers but I get it worked out easy. And I don't need to look at the changes in the distributed versions. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 01:18:11 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:58 2006 Subject: MAILSCANNER: eyau@SPYDER.SDSU.EDU requested to join Message-ID: <200206180018.BAA05002@magpie.ecs.soton.ac.uk> Tue, 18 Jun 2002 01:18:11 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Emily Yau You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER eyau@SPYDER.SDSU.EDU Emily Yau PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER eyau@SPYDER.SDSU.EDU Emily Yau // EOJ From akhan at SGHMS.AC.UK Tue Jun 18 11:08:33 2002 From: akhan at SGHMS.AC.UK (Asim Khan) Date: Thu Jan 12 21:14:59 2006 Subject: error with netscape6 References: Message-ID: <3D0F06A1.1040107@sghms.ac.uk> ...I agree I should try the exim/netscape list instead.. the /usr/lib/sendmail -v works but the sending of email thru netscape doesn't with my local machine set as outgoing smtp server instead of the main mail server...? ..thanks for your bit of advice..:-) Patterson S.R. 
wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > >>-----Original Message----- >>From: Asim Khan [mailto:akhan@SGHMS.AC.UK] >>Sent: 17 June 2002 11:47 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: error with netscape6 >> >>...Thanks for the advice but I still get the errors on >>netscape 4.72..? >> ..Could it be that I require a local unix account for akhan as >> > my > >> address is akhan@sghms.ac.uk whereas the IMAP mail server is >> mail.sghms.ac.uk but outgoing SMTP is mancity (but I >>don't think >> you need a local unix account if you're using netscape >>with IMAP..?) >> ...any advice much apprecaited.. >> > > Hi, > > In brief: > > - - If you're using IMAP to read your email then you must have a UNIX > account on the IMAP server. This is so that the IMAP server knows how > to check your username and password. This account need not be a shell > account, i.e. it could be an account with /bin/true as the shell, for > example. That way people can't just telnet/ssh in to the IMAP server > > - - This isn't a mailscanner question, I think it should be taken off > the mailscanner mailing list now and directed to a more appropriate > forum. > > Thanks, Steve > - -- > Steven Patterson, MSci. Tel: +44 (0)2380 595810 > Electronic Information Systems Support and Development > Computing Services, University of Southampton, UK. 
> Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.0.4 > > iQA/AwUBPQ75062fOiTs5+WvEQL/5wCeLAIrX/URXWXwbDC/eHKIYYluHyoAoLa+ > AkyFqbnXQLy6MiJgGzvGooEj > =0ePA > -----END PGP SIGNATURE----- > -- Asim Khan Unix System Administrator Computing Services St George's Hospital Medical School Tel: 020 8725 5453 From rishi at THEARGONCOMPANY.COM Tue Jun 18 11:12:35 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:59 2006 Subject: F-Prot Update Script Available References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618101622.02c76338@imap.ecs.soton.ac.uk> Message-ID: <025801c216b0$adb60e80$73488eca@protocol> > I haven't done one for F-Prot, I'm afraid. But if you take a look through > the Sophos or McAfee autoupdate scripts (which I did write) you will find > exactly how I do the locking. Hi Again, I'm not very good at scripts or perl... can you tell if I just create a file like /tmp/f-protBusy.lock MailScanner will wait before I remove the lock? Regards Rishi From jkf at ecs.soton.ac.uk Tue Jun 18 11:17:25 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: F-Prot Update Script Available In-Reply-To: <025801c216b0$adb60e80$73488eca@protocol> References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk> <200206121523.41328.lbergman@abi.tconline.net> <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618101622.02c76338@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020618111707.048032b8@imap.ecs.soton.ac.uk> At 11:12 18/06/2002, you wrote: > > I haven't done one for F-Prot, I'm afraid. But if you take a look through > > the Sophos or McAfee autoupdate scripts (which I did write) you will find > > exactly how I do the locking. > >Hi Again, > >I'm not very good at scripts or perl... 
can you tell if I just create a file >like >/tmp/f-protBusy.lock >MailScanner will wait before I remove the lock? No, it needs to be locked, not just exist. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 11:24:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:59 2006 Subject: MAILSCANNER: brandonf@BFCONSULT.CO.ZA requested to join Message-ID: <200206181024.LAA01684@magpie.ecs.soton.ac.uk> Tue, 18 Jun 2002 11:24:31 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Brandon Friedman You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER brandonf@BFCONSULT.CO.ZA Brandon Friedman PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER brandonf@BFCONSULT.CO.ZA Brandon Friedman // EOJ From jkf at ecs.soton.ac.uk Tue Jun 18 11:35:07 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: Survey Results Message-ID: <5.1.0.14.2.20020618113126.04a47c78@imap.ecs.soton.ac.uk> First thing: I am still collecting responses to my little survey, so don't stop sending them in to me. But the basic result is this: Around the world, MailScanner protects over 1 **Billion** email messages every week! 
--
Jules

From rishi at THEARGONCOMPANY.COM Tue Jun 18 11:48:10 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:14:59 2006
Subject: F-Prot Update Script Available
References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk>
 <200206121523.41328.lbergman@abi.tconline.net>
 <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020618101622.02c76338@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020618111707.048032b8@imap.ecs.soton.ac.uk>
Message-ID: <02dd01c216b5$a66231e0$73488eca@protocol>

> >I'm not very good at scripts or perl... can you tell if I just create a file
> >like
> >/tmp/f-protBusy.lock
> >MailScanner will wait before I remove the lock?
>
> No, it needs to be locked, not just exist.

Would it be too hard to create an f-prot-autoupdate script in your next
release? (Wish List)

Regards
Rishi

From rishi at THEARGONCOMPANY.COM Tue Jun 18 11:58:29 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:14:59 2006
Subject: f-prot / aves detects this as a virus !! I think
References:
Message-ID: <02eb01c216b7$1929c7f0$73488eca@protocol>

Francois

Can you give me the sum values of the files in /usr/local/f-prot ?

Here is what mine are

[root f-prot]# sum /usr/local/f-prot/*
49258 1 /usr/local/f-prot/CHANGES
54451 21 /usr/local/f-prot/ENGLISH.TX0
46493 3 /usr/local/f-prot/INSTALL
38393 3 /usr/local/f-prot/LICENSE
13115 455 /usr/local/f-prot/MACRO.DEF
25947 1 /usr/local/f-prot/README
28940 1 /usr/local/f-prot/SIGN.ASC
16736 1038 /usr/local/f-prot/SIGN.DEF
47624 1 /usr/local/f-prot/SIGN2.ASC
24019 381 /usr/local/f-prot/SIGN2.DEF
30967 12 /usr/local/f-prot/check-updates.sh
43536 7 /usr/local/f-prot/checksum
52218 932 /usr/local/f-prot/f-prot
53109 5 /usr/local/f-prot/f-prot.8
41567 1 /usr/local/f-prot/f-prot.sh
23276 3 /usr/local/f-prot/f-protwrapper

----- Original Message -----
From: "Francois Caen"
To:
Sent: Monday, June 17, 2002 9:13 PM
Subject: Re: f-prot / aves detects this as a virus !! I think

> -----Original Message-----
> From: rishi@THEARGONCOMPANY.COM
>
> > I just checked... f-prot does not detect it as a virus so it's their problem.
> > They need to check it out.... Mailscanner is fine .. I guess..
> > [root /tmp]# f-prot /tmp/decrypt-password.exe
> > Virus scanning report - 17. June 2002 13:48
> > F-PROT 3.12a
> > SIGN.DEF created 14. June 2002
> > SIGN2.DEF created 14. June 2002
> > MACRO.DEF created 11. June 2002
>
> That's weird. I had the same problem until somewhere around the 12th or 13th. On that day, they finally added W32.Frethem to their definition, at least as suspicious:
>
>
> # f-prot decrypt-password.exe
> Virus scanning report - 17. June 2002 8:39
>
> F-PROT 3.12a
> SIGN.DEF created 14. June 2002
> SIGN2.DEF created 14. June 2002
> MACRO.DEF created 11. June 2002
>
> Search: decrypt-password.exe
> Action: Report only
> Files: Attempt to identify files
> Switches:
>
> /tmp/decrypt-password.exe is a security risk or a "backdoor" program
>
> Results of virus scanning:
>
> Files: 1
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 1
> Infected: 0
> Suspicious: 1
> Disinfected: 0
> Deleted: 0
> Renamed: 0
>
> Time: 0:00
>
> ------------------------------------------------
> Francois Caen
> Network Information Systems Engineer - Webmaster
> City of Lakewood, WA
> (253) 512-2269
>

From mailscanner at ecs.soton.ac.uk Mon Jun 17 20:41:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: Fwd: Re: Writing support for new scanners
Message-ID: <5.1.0.14.2.20020617204136.036a7980@imap.ecs.soton.ac.uk>

>X-Mailer: Novell GroupWise Internet Agent 6.0
>Date: Mon, 17 Jun 2002 08:56:08 -0700
>Reply-To: MailScanner mailing list
>Sender: MailScanner mailing list
>From: Francois Caen
>Subject: Re: Writing support for new scanners
>To: MAILSCANNER@JISCMAIL.AC.UK
>X-ECS-MailScanner: Found to be clean
>X-MIME-Autoconverted: from quoted-printable to 8bit by
>roadrunner.ecs.soton.ac.uk id g5HFwq9M005419
>
>Since the question "how do I add support for anti-virus XYZ?" comes back
>so often and you took the time to write those instructions, maybe Julian
>should add them to the Mailscanner site?
>
>------------------------------------------------
>Francois Caen
>Network Information Systems Engineer - Webmaster
>City of Lakewood, WA
>(253) 512-2269
>-----Original Message-----
>From: nwp@LEMON-COMPUTING.COM
>Sent: Saturday, June 15, 2002 3:34 AM
>To:
>Subject: [MAILSCANNER] Writing support for new scanners
>
>
>On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:
> > I will try to figure out how to add support for this scanner in
> > weeks to come.
>Well, feel free. Here are some guidelines that I've been working on for
>you and any other prospective scanner-support-writers out there...
>
>
>* Tips for writing scanner support:
>    * "print STDERR $line" is your friend.
>    * Always parse *every* line of output from the scanner, and
>      die if you don't understand it.
>    * Be *extremely* anal when writing regexps, especially with
>      quantities of whitespace.
>    * Only use wildcards to match the filename part of the output,
>      *never* to match whitespace or boilerplate text (think about
>      what might happen if the filename has a trailing character).
>    * At least one scanner prints "..."
>      before outputting its results -- be *sure* what the scanner's
>      output format really is.
>    * Be sure that you know how your scanner reports infections
>      within archives; they can easily be mis-parsed.
>    * Use comments to document any oddities that could confuse
>      your parser; that way we might be able to ensure that they
>      don't happen in future.
>    * Use comments to document the output format you are expecting
>      from the scanner so that when it changes, debugging is quicker.
>    * Watch out for scanners reporting different categories of Bad
>      Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
>      is a good idea to run "strings" over a core dump from the scanner
>      to get clues as to what may be reported if you're not sure.
>
>
>And a few more that I haven't added to that list yet:
>    * Include examples (directly from *real output*) of output formats
>      in comments in your code.
>    * Aim to include only parameters which are necessary in the parameter
>      lists in the code; put the rest in the wrapper script, with comments -
>      see the F-Prot or Kaspersky wrapper scripts for examples.
>    * Run the scanner in the "C" locale (clear all LC_* environment variables,
>      and LANG -- or set LANG to "C").
>    * Please try to comment your code in English - that's what Jules and I
>      speak, so it's what we need in comments when we're trying to work out
>      what's going on (I can handle French, or some German, but anything else
>      is likely not helpful).
>    * Please indicate in the comments *exactly* which versions of the scanner
>      in question your code has been tested with, which versions you expect it
>      to work with, and which versions any example output was generated by.
>
>
>Err, that's all I can think of at the moment.
>
>
>
>Cheers,
>
>
>Nick
>--
>Nick Phillips -- nwp@lemon-computing.com
>Tomorrow will be cancelled due to lack of interest.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From rishi at THEARGONCOMPANY.COM Tue Jun 18 12:07:14 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:14:59 2006
Subject: f-prot / aves detects this as a virus !! I think
Message-ID: <02f201c216b8$63eb8c50$73488eca@protocol>

Just had another idea.

What's the sum of the infected file that you have?

Here is mine.
[root f-prot]# sum /tmp/decrypt-password.exe
07788 35

Regards
Rishi

----- Original Message -----
From: "Rishi Gangoly"
To: "MailScanner mailing list" ;
Sent: Tuesday, June 18, 2002 4:28 PM
Subject: Re: Re: f-prot / aves detects this as a virus !! I think

> Francois
>
> Can you give me the sum values of the files in /usr/local/f-prot ?
>
> Here is what mine are
>
> [root f-prot]# sum /usr/local/f-prot/*
> 49258 1 /usr/local/f-prot/CHANGES
> 54451 21 /usr/local/f-prot/ENGLISH.TX0
> 46493 3 /usr/local/f-prot/INSTALL
> 38393 3 /usr/local/f-prot/LICENSE
> 13115 455 /usr/local/f-prot/MACRO.DEF
> 25947 1 /usr/local/f-prot/README
> 28940 1 /usr/local/f-prot/SIGN.ASC
> 16736 1038 /usr/local/f-prot/SIGN.DEF
> 47624 1 /usr/local/f-prot/SIGN2.ASC
> 24019 381 /usr/local/f-prot/SIGN2.DEF
> 30967 12 /usr/local/f-prot/check-updates.sh
> 43536 7 /usr/local/f-prot/checksum
> 52218 932 /usr/local/f-prot/f-prot
> 53109 5 /usr/local/f-prot/f-prot.8
> 41567 1 /usr/local/f-prot/f-prot.sh
> 23276 3 /usr/local/f-prot/f-protwrapper
>
>
>
>
> ----- Original Message -----
> From: "Francois Caen"
> To:
> Sent: Monday, June 17, 2002 9:13 PM
> Subject: Re: f-prot / aves detects this as a virus !! I think
>
>
> > -----Original Message-----
> > From: rishi@THEARGONCOMPANY.COM
> >
> > > I just checked... f-prot does not detect it as a virus so it's their
> problem.
> > > They need to check it out.... Mailscanner is fine .. I guess..
> > > [root /tmp]# f-prot /tmp/decrypt-password.exe
> > > Virus scanning report - 17. June 2002 13:48
> > > F-PROT 3.12a
> > > SIGN.DEF created 14. June 2002
> > > SIGN2.DEF created 14. June 2002
> > > MACRO.DEF created 11. June 2002
> >
> > That's weird. I had the same problem until somewhere around the 12th or
> 13th. On that day, they finally added W32.Frethem to their definition, at
> least as suspicious:
> >
> >
> > # f-prot decrypt-password.exe
> > Virus scanning report - 17. June 2002 8:39
> >
> > F-PROT 3.12a
> > SIGN.DEF created 14. June 2002
> > SIGN2.DEF created 14. June 2002
> > MACRO.DEF created 11. June 2002
> >
> > Search: decrypt-password.exe
> > Action: Report only
> > Files: Attempt to identify files
> > Switches:
> >
> > /tmp/decrypt-password.exe is a security risk or a "backdoor" program
> >
> > Results of virus scanning:
> >
> > Files: 1
> > MBRs: 0
> > Boot sectors: 0
> > Objects scanned: 1
> > Infected: 0
> > Suspicious: 1
> > Disinfected: 0
> > Deleted: 0
> > Renamed: 0
> >
> > Time: 0:00
> >
> > ------------------------------------------------
> > Francois Caen
> > Network Information Systems Engineer - Webmaster
> > City of Lakewood, WA
> > (253) 512-2269
> >
>

From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 13:39:38 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: pkoinange@SWIFTKENYA.COM requested to join
Message-ID: <200206181239.NAA15299@magpie.ecs.soton.ac.uk>

Tue, 18 Jun 2002 13:39:38

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Peter Koinange

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER pkoinange@SWIFTKENYA.COM Peter Koinange

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function of
most mail packages are supported, replying will seldom work, so make sure to
forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER pkoinange@SWIFTKENYA.COM Peter Koinange
// EOJ

From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 13:00:14 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: Stefanv@NX.CO.ZA left the JISCmail list
Message-ID: <200206181200.NAA11915@magpie.ecs.soton.ac.uk>

Tue, 18 Jun 2002 13:00:14

Stefan Viljoen has just left the MAILSCANNER JISCmail list (MailScanner
mailing list).

From m.sapsed at BANGOR.AC.UK Tue Jun 18 15:02:46 2002
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:14:59 2006
Subject: Signing messages by domain/MRTG
References: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>
 <20020617103734.A4151@michaelchaney.com>
Message-ID: <3D0F3D86.790E5BFD@bangor.ac.uk>

Michael Chaney wrote:

> I would highly recommend talking to your legal department/lawyer about
> the actual validity of those "legal disclaimers". While they look good,
> they're likely to bring laughter from a judge were something to get that
> far. It's probably not worth the effort.

I'm inclined to agree with you. So is our Data Protection person. She also
pointed out that it's a bit stupid having a disclaimer at the bottom of the
message. If you want to say something to the effect of "Don't read this if
it's not for you", surely you should say it before the recipient has read
the message?

The thing that really annoys me is when you get a 3 line message with a 40
line bilingual (we're in Wales) disclaimer on the bottom!

Cheers,

Martin

--
Martin Sapsed                             To have no errors
Information Services                      Would be life without meaning
University of Wales, Bangor, LL57 2UX     No struggle, no joy.
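
Nick Phillips' guidelines in the "Writing support for new scanners" message forwarded earlier in this archive, applied to the F-PROT 3.12a report Francois Caen posted in the f-prot thread. This is an added example, not MailScanner's own F-Prot parser. The function names are hypothetical, the report's spacing is assumed because the archive collapsed it, and only the one finding message that appears in this archive is recognised.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the F-PROT 3.12a report quoted in this thread, re-typed.
# The archive collapsed the original spacing, so the single spaces here (and
# in the patterns below) are an ASSUMPTION; confirm them against real output.
my $SAMPLE = <<'EOT';
Virus scanning report - 17. June 2002 8:39

F-PROT 3.12a
SIGN.DEF created 14. June 2002
SIGN2.DEF created 14. June 2002
MACRO.DEF created 11. June 2002

Search: decrypt-password.exe
Action: Report only
Files: Attempt to identify files
Switches:

/tmp/decrypt-password.exe is a security risk or a "backdoor" program

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
EOT

my $DATE = qr/\d{1,2}\. [A-Z][a-z]+ \d{4}/;

# Boilerplate is matched literally; no wildcard ever stands in for whitespace.
my @HEADER = (
    qr/^Virus scanning report - ${DATE} \d{1,2}:\d{2}$/,
    qr/^F-PROT \d+\.\d+[a-z]?$/,
    qr/^(?:SIGN|SIGN2|MACRO)\.DEF created ${DATE}$/,
    qr/^(?:Search|Action|Files): .+$/,
);
my $COUNTER = qr/Files|MBRs|Boot sectors|Objects scanned|Infected|Suspicious|Disinfected|Deleted|Renamed/;

# Run the scanner in the "C" locale so its messages match the patterns.
sub force_c_locale {
    delete @ENV{ grep { /^LC_/ } keys %ENV };
    $ENV{LANG} = 'C';
}

sub parse_fprot_report {
    my ($text) = @_;
    my $state = 'header';    # header -> findings -> results
    my (@findings, %count);
    for my $line (split /\n/, $text) {
        next if $line eq '';
        if ($state eq 'header') {
            if ($line =~ /^Switches:(?: .+)?$/) { $state = 'findings'; next; }
            next if grep { $line =~ $_ } @HEADER;
        }
        elsif ($state eq 'findings') {
            if ($line eq 'Results of virus scanning:') { $state = 'results'; next; }
            # Only the filename is a wildcard; the message text is literal.
            if ($line =~ /^(.+) is a security risk or a "backdoor" program$/) {
                push @findings, { file => $1, category => 'Suspicious' };
                next;
            }
        }
        else {
            if ($line =~ /^(${COUNTER}): (\d+)$/) { $count{$1} = $2; next; }
            next if $line =~ /^Time: \d+:\d{2}$/;
        }
        # Anything not recognised above stops processing: never skip a line.
        print STDERR "unparsed ($state): $line\n";
        die "unrecognised scanner output\n";
    }
    die "report ended early (state $state)\n" unless $state eq 'results';
    # The scanner's own totals must agree with what was parsed.
    for my $cat (qw(Infected Suspicious)) {
        my $claimed = defined $count{$cat} ? $count{$cat} : -1;
        my $seen    = grep { $_->{category} eq $cat } @findings;
        die "summary reports $claimed $cat, parser saw $seen\n" if $claimed != $seen;
    }
    return { findings => \@findings, count => \%count };
}

force_c_locale();    # in real use: do this before running the scanner wrapper
my $report = parse_fprot_report($SAMPLE);
printf "%s: %s\n", $_->{category}, $_->{file} for @{ $report->{findings} };

# Constructed variant: one extra line the parser has never seen.
(my $changed = $SAMPLE) =~ s{^Results of}{/tmp/x.exe contains a joke program\n\nResults of}m;
my $ok = eval { parse_fprot_report($changed); 1 };
print $ok ? "BUG: unknown line was accepted\n" : "rejected: $@";
```

The header, findings and results sections are parsed in separate states so that "Files: Attempt to identify files" in the header and "Files: 1" in the summary can never be confused, and a report whose totals disagree with the parsed findings is refused rather than delivered as clean.
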
From brandonf at BFCONSULT.CO.ZA Tue Jun 18 15:39:20 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:14:59 2006
Subject: Suggestion for Sophos updates
Message-ID: <3D0F4617.4040304@bfconsult.co.za>

Hi Folks

New to the list and enjoying mailscanner...

Quick questions.... I used the rpms and installed Sophos, I see it creates a
cron job in cron.daily.

Would there be problem setting it up as an hourly job?

--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From S.R.Patterson at SOTON.AC.UK Tue Jun 18 15:50:08 2002
From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.)
Date: Thu Jan 12 21:14:59 2006
Subject: Suggestion for Sophos updates
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA]
> Sent: 18 June 2002 15:39
>
> Quick questions.... I used the rpms and installed Sophos, I
> see it creates a cron job in cron.daily.
>
> Would there be problem setting it up as an hourly job?

Not as such, but it might be a little unfair on poor old Sophos's
website if every mailscanner user starts automatically downloading new
virus signatures every hour (half hour? Minute?) We run the update
script twice a day here, I think that 2-3 times per day is as much as
is sensible and considerate.

- --
Steven Patterson, MSci. Tel: +44 (0)2380 595810
Electronic Information Systems Support and Development
Computing Services, University of Southampton, UK.
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQ9Ina2fOiTs5+WvEQLD1QCgxANvwb0/5wJNWnL20bfuk+CBrjMAoJb2
97SFHC4gxBiHJrWsWP8JMdgX
=1z+A
-----END PGP SIGNATURE-----

From brandonf at BFCONSULT.CO.ZA Tue Jun 18 16:04:53 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:14:59 2006
Subject: Suggestion for Sophos updates
References:
Message-ID: <3D0F4C15.8060907@bfconsult.co.za>

Yes, but surely the Sophos update server are built to cope? How many people
world wide use Sophos to update?

-----

A bit off the topic - what is the licencing with Sophos is this version I
download free?

Patterson S.R. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>>-----Original Message-----
>>From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA]
>>Sent: 18 June 2002 15:39
>>
>>Quick questions.... I used the rpms and installed Sophos, I
>>see it creates a cron job in cron.daily.
>>
>>Would there be problem setting it up as an hourly job?
>>
>
> Not as such, but it might be a little unfair on poor old Sophos's
> website if every mailscanner user starts automatically downloading new
> virus signatures every hour (half hour? Minute?) We run the update
> script twice a day here, I think that 2-3 times per day is as much as
> is sensible and considerate.
> - --
> Steven Patterson, MSci. Tel: +44 (0)2380 595810
> Electronic Information Systems Support and Development
> Computing Services, University of Southampton, UK.
> Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.4
>
> iQA/AwUBPQ9Ina2fOiTs5+WvEQLD1QCgxANvwb0/5wJNWnL20bfuk+CBrjMAoJb2
> 97SFHC4gxBiHJrWsWP8JMdgX
> =1z+A
> -----END PGP SIGNATURE-----
>
>

--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From s.kelly at ayrcoll.ac.uk Tue Jun 18 16:24:02 2002
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:14:59 2006
Subject: Suggestion for Sophos updates
Message-ID: <200206181524.g5IFO0T15745@ori.rl.ac.uk>

There is a notification via e-mail for Sophos alerts - whenever I receive
one (and it can be busy) I initiate an update then (as well as using the
nightly cron job)

--
Shane Kelly
Network Infrastructure Manager
Ayr College
01292 265184
s.kelly@ayrcoll.ac.uk
===========================
Opinions expressed by me are mine.
Ayr College can get their own.
===========================

From brandonf at BFCONSULT.CO.ZA Tue Jun 18 16:33:59 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
Message-ID: <3D0F52E7.8040202@bfconsult.co.za>

I tried to search in the archive but I could find anything....

I have noticed this message in the maillog :

Jun 18 17:26:53 blackbox1 sendmail[10418]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0: cannot bind: Address already in use
Jun 18 17:26:53 blackbox1 sendmail[10418]: daemon Daemon0: problem creating SMTP socket

Any ideas?

--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 18 16:39:44 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:59 2006
Subject: f-prot / aves detects this as a virus !! I think
Message-ID:

-----Original Message-----
From: rishi@THEARGONCOMPANY.COM

> Just had another idea.
> What's the sum of the infected file that you have?
> Here is mine.
> > > [root f-prot]# sum /tmp/decrypt-password.exe > 07788 35 For all the ones I received, I get the same results: # sum decrypt-password.exe 47131 35 I typically use md5sum, dunno exactly how it differs from sum but it's a standard for software downloads. # md5sum decrypt-password.exe cc695e7e531c18843baa0731a38e969b decrypt-password.exe # sum /usr/local/f-prot/* 49258 1 /usr/local/f-prot/CHANGES 54451 21 /usr/local/f-prot/ENGLISH.TX0 46493 3 /usr/local/f-prot/INSTALL 38393 3 /usr/local/f-prot/LICENSE 13115 455 /usr/local/f-prot/MACRO.DEF 25947 1 /usr/local/f-prot/README 28940 1 /usr/local/f-prot/SIGN.ASC 16736 1038 /usr/local/f-prot/SIGN.DEF 47624 1 /usr/local/f-prot/SIGN2.ASC 24019 381 /usr/local/f-prot/SIGN2.DEF 30967 12 /usr/local/f-prot/check-updates.sh 43536 7 /usr/local/f-prot/checksum 52218 932 /usr/local/f-prot/f-prot 53109 5 /usr/local/f-prot/f-prot.8 41567 1 /usr/local/f-prot/f-prot.sh 23276 3 /usr/local/f-prot/f-protwrapper 02783 922 /usr/local/f-prot/fp-def.zip 03152 215 /usr/local/f-prot/macrdef2.zip # md5sum /usr/local/f-prot/* 2d159aceaf924853502ec97dba2414d2 /usr/local/f-prot/CHANGES ccbf77f4141f5d0775ace281bbc7452c /usr/local/f-prot/ENGLISH.TX0 edec255b29f87624b6b1c5a000d4cd91 /usr/local/f-prot/INSTALL 382c9b94925d309068907581a7ee7e7a /usr/local/f-prot/LICENSE bc26349c2892a303fed0928cc95551d3 /usr/local/f-prot/MACRO.DEF d971c388ec249a1bf699657a823f4f3d /usr/local/f-prot/README 13f975f08f9c0d0e78eda0fa39263d92 /usr/local/f-prot/SIGN.ASC fa7a8b065075fb0f43ed6073698ae2ae /usr/local/f-prot/SIGN.DEF 9abb515ed622720bfd27b17356da3c16 /usr/local/f-prot/SIGN2.ASC cbf14c505c1b904477c943bbf983ee6a /usr/local/f-prot/SIGN2.DEF f9edeccdb48ca2f51efcfcfedab8cea8 /usr/local/f-prot/check-updates.sh dc1893dcb0da9f06a718013dab94b60a /usr/local/f-prot/checksum 6dd38d416efb1b3a15e5a2abb78f038c /usr/local/f-prot/f-prot ef23f6eb09963af8917263603f665d9a /usr/local/f-prot/f-prot.8 74ac7a4872c003e2f4fbd1494bd76ed7 /usr/local/f-prot/f-prot.sh 
f184c6d9ff007949a466d8d78fd2a5ee /usr/local/f-prot/f-protwrapper 4dc8efd6d9daa451a1515d210664e2f4 /usr/local/f-prot/fp-def.zip c5c867208efd9d3b398c64d0df50e4e1 /usr/local/f-prot/macrdef2.zip Hope this helps :-) ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From mk at quadstone.com Tue Jun 18 16:51:26 2002 From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:14:59 2006 Subject: email marked as Spam when it isn't, with 3.20-4 In-Reply-To: <20020618154849.GA17770@quadstone.com> References: <20020618154849.GA17770@quadstone.com> Message-ID: <20020618155126.GB17770@quadstone.com> I've upgraded from 3.14-3 from 3.20-4, using SpamAssassin 2.30 on Solaris. I received a number of emails soon afterwards which didn't look like spam, and didn't have the usual SpamAssassin header added (with the score). The headers looked like this: X-MailScanner-SpamCheck: SpamAssassin () i.e. nothing between the brackets. Any idea what is going wrong? I've had to revert back to 3.14-3. Attached are the mailscanner.conf and spam.assassin.prefs.conf for V3.20.4. I've also attached one of the mail messages that was affected. Michael -------------- next part -------------- # Configuration file for MailScanner E-Mail Virus Scanner # This file assumes everything is in the default locations provided # by the MailScanner and Solaris (using /opt). # # Note: If your directories are symlinked (soft-linked) in any way, # please put their *real* location in here, not a path that # includes any links. You may get some very strange error # messages from some of the virus scanners if you don't. 
# User to run as (provided for Exim users) #Run As User = mail # Group to run as (provided for Exim users) #Run As Group = mail # In every batch of virus-scanning, limit the maximum # a) number of text-only messages to deliver # b) number of potentially infected messages to unpack and scan # c) total size of text-only messages to deliver # d) total size of potentially infected messages to unpack and scan Max Safe Messages Per Scan = 500 Max Unsafe Messages Per Scan = 100 Max Safe Bytes Per Scan = 100000000 Max Unsafe Bytes Per Scan = 50000000 # To avoid resource leaks, re-start periodically. Restart Every = 14400 # 4 hours # Name of this host, or just "the MailScanner" if you want to hide this info. # It can be placed in the Help Desk note contained in virus warnings sent to users. Host name = the MailScanner # Add this extra header to all mail as it is scanned. # (this must *include* terminating colon). Mail Header = X-MailScanner: # Set the mail header to these values for clean/infected messages. Clean Header = Found to be clean Infected Header = Suspect attachment Disinfected Header = Disinfected # Set where to unpack incoming messages before scanning them Incoming Work Dir = /var/opt/mailscanner/var/incoming # Set where to store infected message attachments (if they are kept) Quarantine Dir = /var/opt/mailscanner/var/quarantine # Set where to store the process id so you can easily stop the scanner Pid File = /var/opt/mailscanner/var/virus.pid # Set where to find the attachment filename ruleset. # The structure of this file is explained elsewhere, but it is used to # accept or reject file attachments based on their name, regardless of # whether they are infected or not. Filename Rules = /var/opt/mailscanner/etc/filename.rules.conf # Log all the filenames that are allowed by the Filename Rules, or just # the filenames that are denied? 
Log Permitted Filenames = no # Set where to find the message text sent to users when one of their # attachments has been quarantined. Stored Virus Message Report = /var/opt/mailscanner/etc/stored.virus.message.txt Stored Bad Filename Message Report = /var/opt/mailscanner/etc/stored.filename.message.txt # Set where to find the message text sent to users when one of their # attachments has been deleted. Deleted Virus Message Report = /var/opt/mailscanner/etc/deleted.virus.message.txt Deleted Bad Filename Message Report = /var/opt/mailscanner/etc/deleted.filename.message.txt # Set where to find the message text sent to users explaining about the # attached disinfected documents. Disinfected Report = /var/opt/mailscanner/etc/disinfected.report.txt # Set location of incoming mail queue # and location of outgoing mail queue. Incoming Queue Dir = /var/spool/mqueue.in Outgoing Queue Dir = /var/spool/mqueue # Set whether to use sendmail or exim (default is sendmail) MTA = sendmail # Set how to invoke MTA when sending created message # (e.g. to sender/recipient saying "found a virus in your message") Sendmail = /usr/lib/sendmail # Sendmail2 is provided for Exim users. # It defaults to the value supplied for Sendmail. # It is the command used to attempt delivery of outgoing # (scanned/cleaned) messages. # This is not usually required for sendmail. #Sendmail2 = /usr/sbin/exim -C /etc/exim_send.conf # Do you want to scan email for viruses? # A few people have wanted to disable the entire virus scanning. Virus Scanning = no # Which Virus Scanning package to use: # sophos from www.sophos.com, or # mcafee from www.mcafee.com, or # command from www.command.co.uk, or # kaspersky from www.kaspersky.com, or # inoculate from www.cai.com/products/inoculateit.htm, or # inoculan from ftp.ca.com/getbbs/linux.eng/inoctar.LINUX.Z, or # nod32 from www.nod32.com, or # f-secure from www.f-secure.com, or # f-prot from www.f-prot.com # panda from www.panda.com (?), or # rav from www.rav.com (?) 
# # Note: If you want to use multiple virus scanners, then this should be a # comma-separated list of virus scanners. For example: # Virus Scanner = sophos, f-prot # Virus Scanner = sophos # Where the Virus scanner is installed. This is the command needed to run it. # # Note: If you want to use multiple virus scanners, then this should be a # comma-separated list of commands, **in the same order** as they are listed # in the "Virus Scanner" keyword just above. For example: # Sweep = /opt/sophos/bin/sophoswrapper, /opt/f-prot/f-protwrapper # Sweep = /opt/sophos/bin/sophoswrapper # The maximum length of time the commercial virus scanner is allowed to run # for 1 batch of messages (in seconds). Virus Scanner Timeout = 300 # Expand TNEF attachments using an external program? # This should be "yes" except for Sophos and McAfee (when it can be "no") # as Sophos and McAfee have the facility built-in. Expand TNEF = yes # Where the MS-TNEF expander is installed. # This is EITHER the full command (including maxsize option) that runs # the external TNEF expander binary, # OR the keyword "internal" which will make MailScanner use the Perl # module that does the same job. # They are both provided as I am unsure which one is faster and which # one is capable of expanding more file formats (there are plenty!). # # The --maxsize option limits the maximum size that any expanded # attachment # may be. It helps protect against Denial Of Service attacks in TNEF # files. #TNEF Expander = internal TNEF Expander = /var/opt/mailscanner/bin/tnef --maxsize=100000000 # The maximum length of time the TNEF Expander is allowed to run for 1 message. # (in seconds) TNEF Timeout = 120 # What should the attachments be called that replace virus-infected files? 
Attachment Warning Filename = MailScanWarning.txt # Should these replacements be attachments (yes) or in the message body (no) Warning Is Attachment = no # Should we scan all messages, including plain-text messages which are normally # harmless? This should be "yes" since the MyParty message appeared. Scan All Messages = yes # Once we have removed viruses from an email message and replaced them with # VirusWarning.txt attachments, should we deliver the clean result to the # original recipients (or just delete them if "no")? Deliver To Recipients = yes # Do you want to put some text on the front of the subject line when # it contained a virus which has been removed Virus Modify Subject = yes # What text do we want to put on the front (gets followed by a " ") Virus Subject Text = {VIRUS?} # Deliver messages with viruses removed to their original recipients # if they came from a local address, or just delete them so no-one knows # we have a virus outbreak on our site? Deliver From Local Domains = yes # Notify the senders of infected messages that they should check out # their systems? Notify Senders = no # Set where to find the message text sent to the senders of infected # messages. #Sender Report = /opt/mailscanner/etc/sender.report.txt Sender Virus Report = /var/opt/mailscanner/etc/sender.virus.report.txt Sender Bad Filename Report = /var/opt/mailscanner/etc/sender.filename.report.txt Sender Error Report = /var/opt/mailscanner/etc/sender.error.report.txt # Notify the local postmaster when any infections are found? Notify Local Postmaster = yes # Include the full headers of each message in the postmaster notification? Postmaster Gets Full Headers = yes # Set email address of who to notify about any infections found. # Should put your full domain name here too, # e.g. postmaster@your.domain.com Local Postmaster = mailscanner@quadstone.com # Set what to do with infected attachments or messages. 
# keep ==> Store under the "Quarantine Dir" # delete ==> Just delete them #Action = delete Action = keep # Do you want to quarantine the original *entire* message as well as # just the infected attachment Quarantine Whole Message = no # Should I attempt to disinfect infected attachments and then deliver # the clean ones Deliver Disinfected Files = yes # Local domain name, or filename containing a list of local domain names # The file supports blank entries, '#' and ';' comment characters and # uses the first word off each line. This should be compatible with all # such lines in a sendmail or Exim configuration file. #Local Domains = /opt/mailscanner/etc/localdomains.conf Local Domains = /var/opt/mailscanner/etc/localdomains.conf # Filename containing a list (1 on each line) of the exact names of # viruses you want to quietly delete or quarantine without informing # either the sender or the recipient. Any email messages containing one # of the viruses listed in this file will be quietly deleted. The only # person who will be warned about the virus will be the local postmaster. # # Make the virus names in this file as specific as possible, in order # to avoid any accidents with files which both # 1) have a filename containing the name of a listed viruses, *and* # 2) are infected with viruses whose names are not listed. # # In other words, you will be just fine so long as you list the exact # names of viruses, e.g. "W32/Klez-H" and "W32/Klez-G", not just # generic names that catch many different viruses, e.g. "Klez". #Viruses To Quietly Delete = /opt/mailscanner/etc/viruses.to.delete.conf # Mark infected messages in the message body. # There can now be more than 1 of these configuration lines here, so you can # break the warning message over multiple lines. Mark Infected Messages = yes Inline Text Warning = Warning: This message has had one or more attachments removed. 
Inline Text Warning = Warning: Please read the "MailScanWarning.txt" attachment(s) for more information. Inline HTML Warning =

Warning: This message has had one or more attachments removed.
Please read the "MailScanWarning.txt" attachment(s) for more information.

# Sign clean messages in the message body. # There can be more than 1 of these configuration lines here, so you can # break the signature message over multiple lines. # Note that enabling this option will add to the overall system load as some # major optimisations will no longer be possible! Sign Clean Messages = no Inline Text Signature = -- Inline Text Signature = This message has been scanned for viruses and Inline Text Signature = dangerous content by MailScanner, and is Inline Text Signature = believed to be clean. Inline HTML Signature =
-- Inline HTML Signature =
This message has been scanned for viruses and Inline HTML Signature =
dangerous content by Inline HTML Signature = MailScanner, Inline HTML Signature = and is
believed to be clean. # Do you want to archive all mail in a directory for later inspection? # Be warned if you are in the UK: this may well be illegal due to RIPA # and DPA restrictions! Archive Mail = no # Where to store the mail archive. # Be warned: this is likely to get big very quickly. Archive Mail Dir = /var/spool/MailArchive # # Per-Domain Scanning and Spam Detection # # Do we want to only scan certain named domains for viruses and spam? Scanning By Domain = no # Filename listing all the domains we want to scan Domains To Scan = /var/opt/mailscanner/etc/domains.to.scan.conf # Do we want to add a MailScanner header to messages we have not scanned Sign Unscanned Messages = yes # What do we want to put in the header Unscanned Header = not scanned: please contact your email provider for details # # Spam Detection # # Should the anti-spam checks be done on all incoming messages? Spam Checks = yes # Set the name of the extra header to add to all messages found to be # likely spam. Spam Header = X-MailScanner-SpamCheck: # Do you want to put some text on the front of the subject line when # we think it is spam? Spam Modify Subject = yes # What text do we want to put on the front (gets followed by a " ") Spam Subject Text = {SPAM?} # Action to take when a message is detected as being spam: # deliver ==> Deliver it to the recipient # store ==> Move it to the quarantine # delete ==> Delete it completely # or else it can be a filename containing per-user and per-domain spam # actions. # Spam Action = /opt/mailscanner/etc/spam.actions.conf Spam Action = deliver # Do we want to log every spam message, including why it was spam? # Doing so may well slow down a busy server. Log Spam = no # Do we have the SpamAssassin package installed? # This is a very good, very clever heuristics-based spam checker. 
# For more info & installation instructions, see http://spamassassin.taint.org/ Use SpamAssassin = yes # Set the maximum size of message which we will check with SpamAssassin # Don't set this too large as your system load will get very high processing # huge messages. Max SpamAssassin Size = 50000 # Set the maximum time to allow SpamAssassin to process 1 message SpamAssassin Timeout = 10 # Set the location of the SpamAssassin user_prefs file. If you want to # stop SpamAssassin doing all the RBL checks again, then you can add # "skip_rbl_checks = 1" to this file. # This must be defined if "Compile SpamAssasin Once = yes". SpamAssassin Prefs File = /var/opt/mailscanner/etc/spam.assassin.prefs.conf # Set this option to yes to enable the automatic whitelisting functions # available within SpamAssassin. This will cause addresses from which you # get real mail to be marked, so that it never incorrectly tags mail from # there as being spam. # Note: Personally, I would always set this to yes, but the functionality # is quite new so I didn't want to enable it by default in case there # are problems with it. SpamAssassin Auto Whitelist = yes # Should we compile all the SpamAssassin code once, or do it separately # for every message. There certainly used to be bugs in SpamAssassin # that meant this needed to be switched off, but these may have been # fixed. It is a lot faster with it switched on. # If you get a lot of false positives from SpamAssassin, switch this off. Compile SpamAssassin Once = yes # If you set this to yes, then the SpamAssassin report header will be # included in all messages, not just those which are spam. Always Include SpamAssassin Report = no # Set the list of database names and their corresponding DNS domains. # All of these databases work in a similar way, allowing the simple use # of multiple databases. # See www.ordb.org and www.mail-abuse.org for more information. 
# Note: If also using SpamAssassin, it is quicker to comment out all # these and let SpamAssassin do it (which it does by default). # Note: There is a complete list of these databases at # http://www.declude.com/JunkMail/Support/ip4r.htm. Spam List = ORDB-RBL, relays.ordb.org. # You might find these 2 useful as well. #Spam List = spamcop.net, bl.spamcop.net. #Spam List = osirusoft.com, relays.osirusoft.com. # MAPS now charge for their services, so you'll have to buy a contract before # attempting to use the next 3 lines. #Spam List = MAPS-RBL, blackholes.mail-abuse.org. #Spam List = MAPS-DUL, dialups.mail-abuse.org. #Spam List = MAPS-RSS, relays.mail-abuse.org. # This next line works for JANET UK Academic sites only Spam List = MAPS-RBL+, rbl-plus.mail-abuse.org. # And build a similar list for the RBL domains that work on the name # of the domain rather than the IP address of the exact machine that # is listed. This way the RBL controllers can blacklist entire # domains very quickly and easily. # These are disabled by default, as they will slow down the spam checks. #Spam Domain List = RFC-IGNORANT-DSN, dsn.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-POSTMASTER, postmaster.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-ABUSE, abuse.rfc-ignorant.org. #Spam Domain List = RFC-IGNORANT-WHOIS, whois.rfc-ignorant.org. # Set the maximum total time per message to do all "Spam List" checks Spam List Timeout = 5 # Define local networks from whom you should always accept mail, and # never mark it as spam. This is useful in case your own mail servers # are ever in the ORBS or MAPS lists. Accept Spam From = 190.80.190. Accept Spam From = 192.168.192. Accept Spam From = 192.168.198. # Define a list of email addresses and email domains from whom you should # always accept mail, and never mark it as spam. This is useful in case # someone you correspond with a lot has their mail servers in the ORBS or # MAPS lists. 
Spam White List = /var/opt/mailscanner/etc/spam.whitelist.conf # # Advanced Features # ================= # # Don't bother changing anything below this unless you really know what # you are doing. # # Set Debug to 1 to stop it running as a daemon # and produce more verbose output Debug = 0 # Attempt immediate delivery of messages, or just place them in the outgoing # queue for the MTA to deliver at a time of its own choosing? # If attempting immediate delivery, do them one at a time, # or do them in batches of 30 at a time? # Delivery Method = queue # Delivery Method = individual Delivery Method = batch # How to lock spool files. # Don't set this unless you *know* you need to. # For sendmail, it defaults to "flock". # For Exim, it defaults to "posix". # No other type is implemented. #Lock Type = flock # Where to put the virus scanning engine lock files. # These lock files are used between MailScanner and the virus signature # "autoupdate" scripts, to ensure that they aren't both working at the # same time (which could cause MailScanner to let a virus through). Lock File Dir = /tmp # What to do when you get several MailScanner headers in one message, # from multiple MailScanner servers. Values are # "append" : Append the new data to the existing header # "add" : Add a new header # "replace" : Replace the old data with the new data # Default is "append" Multiple Headers = append # Some versions of Microsoft Outlook generate unparsable Rich Text # format attachments. Do we want to deliver these bad attachments anyway? # Setting this to yes introduces the slight risk of a virus getting through, # but if you have a lot of troubled Outlook users you might need to do this. # We are working on a replacement for the TNEF decoder. Deliver Unparsable TNEF = no # When attempting delivery of outgoing messages, should we do it in the # background or wait for it to complete? 
The danger of doing it in the # background is that the machine load goes ever upwards while all the # slow sendmail processes run to completion. However, running it in the # foreground may cause the mail server to run too slowly. Deliver In Background = yes # Minimum acceptable code stability status -- if we come across code # that's not at least as stable as this, we barf. # This is currently only used to check that you don't end up using untested # virus scanner support code without realising it. # Levels used are: # none - there may not even be any code. # unsupported - code may be completely untested, a contributed dirty hack, # anything, really. # alpha - code is pretty well untested. Don't assume it will work. # beta - code is tested a bit. It should work. # supported - code *should* be reliable. # # Don't even *think* about setting this to anything other than "beta" or # "supported" on a system that receives real mail until you have tested it # yourself and are happy that it is all working as you expect it to. # Don't set it to anything other than "supported" on a system that could # ever receive important mail. Minimum Code Status = supported -------------- next part -------------- # MailScanner # MailScanner users, please see the comments at the bottom of this file. # MailScanner # # SpamAssassin user preferences file. # # Format: # # required_hits n # (how many hits are required to tag a mail as spam.) # # auto_report_threshold n # (spams with this many hits or more, will be reported # as spam straightaway without requiring human verification.) # # score SYMBOLIC_TEST_NAME n # (if this is omitted, 1 is used as a default score. # Set the score to 0 to ignore the test.) # # # starts a comment, whitespace is not significant. 
# ########################################################################### ########################################################################### # First of all, the generally useful stuff; thresholds and the whitelist # of addresses which, for some reason or another, often trigger false # positives. required_hits 5 auto_report_threshold 30 # Whitelist and blacklist addresses are *not* patterns; they're just normal # strings. one exception is that "*@isp.com" is allowed. They should be in # lower-case. You can either add multiple addrs on one line, # whitespace-separated, or you can use multiple lines. # # Monty Solomon: he posts from an ISP that has often been the source of spam # (no fault of his own ;), and sometimes uses Bcc: when mailing. # whitelist_from monty@roscom.com # Add your blacklist entries in the same format... # # blacklist_from friend@public.com # Mail using languages used in these country codes will not be marked # as being possibly spam in a foreign language. # ok_locales en # By default, the subject lines of suspected spam will be tagged. # This can be disabled here. # # rewrite_subject 0 # By default, spamassassin will include its report in the body # of suspected spam. Enabling this causes the report to go in the # headers instead. Using 'use_terse_report' for this is recommended. # # report_header 1 # By default, SpamAssassin uses a fairly long report format. # Enabling this uses a shorter format which includes all the # information in the normal one, but without the superfluous # explanations. # # use_terse_report 0 # By default, spamassassin will change the Content-type: header of # suspected spam to "text/plain". This is a safety feature. If you # prefer to leave the Content-type header alone, set this to 0. # # defang_mime 0 # By default, SpamAssassin will run RBL checks. If your ISP already # does this, set this to 1. 
# skip_rbl_checks 1 ########################################################################### # Add your own customised scores for some tests below. The default scores are # read from the installed "spamassassin.cf" file, but you can override them # here. To see the list of tests and their default scores, go to # http://spamassassin.taint.org/tests.html . # MailScanner: Comment out the next line to enable DCC checking if you # have dcc installed (optional part of SpamAssassin) score DCC_CHECK 0.0 # # Added for MailScanner 14/6/2002 # If you specify these scores, SpamAssassin will do RBL checks as well as # MailScanner, which just wastes CPU power and network bandwidth. Either # do them here by uncommenting the rules below (if you have paid for them) # or else uncomment the "skip_rbl_checks" line above and let MailScanner # do the checks instead. # #score RCVD_IN_BL_SPAMCOP_NET 4 # These next 3 will cost you money, see mailscanner.conf. #score RCVD_IN_RBL 10 #score RCVD_IN_RSS 1 #score RCVD_IN_DUL 1 -------------- next part -------------- >From imp-bounces@lists.horde.org Tue Jun 18 15:44:56 2002 Return-Path: Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3]) by edinburgh.quadstone.com (8.12.3/8.12.3) with ESMTP id g5IEitTs006343 for ; Tue, 18 Jun 2002 15:44:56 +0100 (BST) Received: from vlad.horde.org (vlad.horde.org [199.175.137.148]) by quadstone.com (8.12.3/8.12.3) with ESMTP id g5IEi3qU025409 for ; Tue, 18 Jun 2002 15:44:04 +0100 (BST) Received: from vlad.horde.org (localhost [127.0.0.1]) by vlad.horde.org (Postfix) with ESMTP id 9387F6CB; Tue, 18 Jun 2002 07:43:50 -0700 (PDT) Delivered-To: imp@lists.horde.org Received: from smapps2.cdcna.com (smapps2.cdcna.com [63.66.5.42]) by vlad.horde.org (Postfix) with ESMTP id B1B065E1 for ; Tue, 18 Jun 2002 07:43:43 -0700 (PDT) Received: from cdcna.com (localhost [127.0.0.1]) by smapps2.cdcna.com (8.9.3/8.9.3) with ESMTP id KAA14402 for ; Tue, 18 Jun 2002 10:42:21 -0400 (EDT) Received: (from 
ssmtp@localhost) by cdcna.com (8.9.3/8.9.3) id KAA14397 for ; Tue, 18 Jun 2002 10:42:21 -0400 (EDT) From: m.ibarra@cdcixis-na.com X-Authentication-Warning: smapps2.cdcna.com: ssmtp set sender to using -f Received: from mailps2(10.90.60.67) by smapps2 via smap (V2.1) id sma014389; Tue, 18 Jun 02 10:42:07 -0400 Received: from winntsvr.cdcna.com (winntsvr [10.90.20.57]) by mailps2.cdcna.com (8.9.3/8.9.3) with ESMTP id KAA20908 for ; Tue, 18 Jun 2002 10:43:23 -0400 (EDT) Received: by winntsvr.cdcna.com with Internet Mail Service (5.5.2650.21) id ; Tue, 18 Jun 2002 10:43:27 -0400 Message-ID: <9877566273EED511A7560008C716DA06011360BF@exchcpn1.cdcna.com> To: imp@lists.horde.org Date: Tue, 18 Jun 2002 10:43:24 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Subject: {SPAM?} [imp] Errors when viewing messages X-BeenThere: imp@lists.horde.org X-Mailman-Version: 2.1b2+ Precedence: list List-Id: IMP mailing list List-Post: List-Subscribe: , List-Unsubscribe: , List-Archive: List-Help: Sender: imp-bounces@lists.horde.org Errors-To: imp-bounces@lists.horde.org X-MailScanner: Found to be clean X-SpamCheck: SpamAssassin () Status: RO Content-Length: 274 Lines: 10 Horde, imp, etc. Latest CVS as of this AM. Php-4.2.1 Notice: Undefined variable: sub in /usr/local/apache/htdocs/horde/imp/message.php on line 341 -- IMP mailing list Frequently Asked Questions: http://horde.org/faq/ To unsubscribe, mail: imp-unsubscribe@lists.horde.org From jkf at ecs.soton.ac.uk Tue Jun 18 17:12:25 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: Strange Message In-Reply-To: <3D0F52E7.8040202@bfconsult.co.za> Message-ID: <5.1.0.14.2.20020618171131.04b81fe0@imap.ecs.soton.ac.uk> At 16:33 18/06/2002, you wrote: >I tried to search in the archive but I could find anything.... 
>
>I have noticed this message in the maillog :
>Jun 18 17:26:53 blackbox1 sendmail[10418]: NOQUEUE: SYSERR(root):
>opendaemonsocket: daemon Daemon0: cannot bind: Address already in use
>Jun 18 17:26:53 blackbox1 sendmail[10418]: daemon Daemon0: problem
>creating SMTP socket
>
>Any ideas?

I think you've got 2 sendmail daemons running, both trying to do a "-bd"
on their command line. MailScanner requires one with "-bd" and one with
something like "-q15m". You might still have a sendmail init.d script
being run which is doing another "-bd".
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jkf at ecs.soton.ac.uk Tue Jun 18 17:09:45 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: F-Prot Update Script Available
In-Reply-To: <02dd01c216b5$a66231e0$73488eca@protocol>
References: <5.1.0.14.2.20020612193801.0346bda8@imap.ecs.soton.ac.uk>
    <200206121523.41328.lbergman@abi.tconline.net>
    <5.1.0.14.2.20020613153406.04aca9b0@imap.ecs.soton.ac.uk>
    <5.1.0.14.2.20020618101622.02c76338@imap.ecs.soton.ac.uk>
    <5.1.0.14.2.20020618111707.048032b8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020618170819.049d6630@imap.ecs.soton.ac.uk>

At 11:48 18/06/2002, you wrote:
>Would it be too hard to create an f-prot-autoupdate script in your next
>release?

Okay, it's written and is available at
http://www.sng.ecs.soton.ac.uk/mailscanner/files/autoupdate.f-prot

It's also mentioned in the News section of the home page, and will be in
the next release.

If you have a web proxy or cache that you need to specify, put it in the
space near the top of the script (read it, you'll see where I mean).
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 18 17:20:39 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
Message-ID:

Could be wrong, but it looks like something is already listening on
sendmail's port.
Could it be that default sendmail is already running, hence binding to
port 25? Did you disable sendmail's startup script (chkconfig)?
Mailscanner launches its own sendmails, so you don't need the default one.
Stop mailscanner and do a netstat -tanp, see who's on :25 .

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

-----Original Message-----
From: brandonf@BFCONSULT.CO.ZA
Sent: Tuesday, June 18, 2002 8:34 AM
To:
Subject: [MAILSCANNER] Strange Message

I tried to search in the archive but I could find anything....

I have noticed this message in the maillog :
Jun 18 17:26:53 blackbox1 sendmail[10418]: NOQUEUE: SYSERR(root):
opendaemonsocket: daemon Daemon0: cannot bind: Address already in use
Jun 18 17:26:53 blackbox1 sendmail[10418]: daemon Daemon0: problem
creating SMTP socket

Any ideas?

--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From jkf at ecs.soton.ac.uk Tue Jun 18 17:29:34 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: email marked as Spam when it isn't, with 3.20-4
In-Reply-To: <20020618155126.GB17770@quadstone.com>
References: <20020618154849.GA17770@quadstone.com>
    <20020618154849.GA17770@quadstone.com>
Message-ID: <5.1.0.14.2.20020618172819.04843d48@imap.ecs.soton.ac.uk>

At 16:51 18/06/2002, you wrote:
>I've upgraded from 3.14-3 from 3.20-4, using SpamAssassin 2.30 on
>Solaris. I received a number of emails soon afterwards which didn't
>look like spam, and didn't have the usual SpamAssassin header added (with
>the score).
The headers looked like >this: >X-MailScanner-SpamCheck: SpamAssassin >() >i.e. nothing between the brackets. Any idea what is going wrong? I've >had to revert back to 3.14-3. Attached are the mailscanner.conf >and spam.assassin.prefs.conf for V3.20.4. I've also >attached one of the mail messages that was >affected. >Michael This looks like another Perl bug, as from the logic of the code it is impossible for it to happen. I hate "blaming the compiler" but it's hardly the first time I've run into Perl bugs. Try applying this patch to sendmail.pl and tell me if it works: *** sendmail.pl Sun Jun 16 21:30:25 2002 --- sendmail.pl.new Tue Jun 18 17:35:15 2002 *************** *** 280,289 **** --- 280,290 ---- (!$IsOnWhiteList || $Config::IncludeSpamHeader)) { my($SASaysSpam, $SAreport); $SASaysSpam = 0; $SAreport = ""; ($SASaysSpam, $SAreport) = SpamAssassinChecks($Headers, $mID); + $SASaysSpam = 0 unless $SAreport; # Solve bug with empty SAreports if ($SASaysSpam || $Config::IncludeSpamHeader) { $SpamHeader .= ", " if $SpamHeader; $SpamHeader .= "SpamAssassin ($SAreport)"; } $ThisIsSpam = 1 if $SASaysSpam && !$IsOnWhiteList; -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From wkuiters at FREE.FR Tue Jun 18 17:33:31 2002 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:59 2006 Subject: Suggestion for Sophos updates In-Reply-To: <200206181524.g5IFO0T15745@ori.rl.ac.uk> References: <200206181524.g5IFO0T15745@ori.rl.ac.uk> Message-ID: <20020618163331.GA2051@bragann> Hoi Shane, On Tue, Jun 18, 2002 at 04:24:02PM +0100, Shane Kelly wrote: > > There is a notification via e-mail for Sophos alerts - whenever I receive > one (and it can be busy) I initiate an update then (as well as using the > nightly cron job) I use a procmail recipe that launches the update script upon a message from sophos. 
Works great and you are sure always to have the latest IDE files.

--
|\ /|       Willem G.J. Kuiters
|0 0|
(/"\)       --- "I give myself sometimes admirable     ---
/ \         --- advice, but I am incapable of taking   ---
(( U U ))   --- it" -- Lady Mary Wortley Montagu       ---
" " " "     --(Htag.pl 0.0.19)--

From sevans at FOUNDATION.SDSU.EDU Tue Jun 18 18:10:36 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:14:59 2006
Subject: Which Version is Installed?
Message-ID: <6214C3F9233D764C9E7029396C355015115AE4@mail.foundation.sdsu.edu>

How can you tell which version of MailScanner is installed?

Steve Evans
Computing Services
SDSU Foundation
619 594-0653

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 18 18:21:56 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:59 2006
Subject: Which Version is Installed?
Message-ID:

-----Original Message-----
From: sevans@FOUNDATION.SDSU.EDU

> How can you tell which version of MailScanner is installed?

If you installed from RPM:
# rpm -q mailscanner
mailscanner-3.15-3

If not, when you (re)start it, MS logs its version in its maillog:
xxxx MailScanner E-Mail Virus Scanner version 3.15 starting.

Hope this helps,

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 17:51:40 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: valianp@SOUTHWESTERN.EDU left the JISCmail list
Message-ID: <200206181651.RAA10530@magpie.ecs.soton.ac.uk>

Tue, 18 Jun 2002 17:51:40

Peter Valian has just left the MAILSCANNER JISCmail list
(MailScanner mailing list).

From jkf at ecs.soton.ac.uk Tue Jun 18 18:39:16 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: Which Version is Installed?
In-Reply-To: <6214C3F9233D764C9E7029396C355015115AE4@mail.foundation.sdsu.edu>
Message-ID: <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk>

At 18:10 18/06/2002, you wrote:
>How can you tell which version of MailScanner is installed?

It announces its version in the syslog when it starts.
Otherwise do a
grep -i version /usr/local/MailScanner/bin/mailscanner
and you'll find it.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 18:42:29 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: Matthew_doherty@DATAWATCH.COM requested to join
Message-ID: <200206181742.SAA14644@magpie.ecs.soton.ac.uk>

Tue, 18 Jun 2002 18:42:29

A request to join the MAILSCANNER JISCmail list (MailScanner mailing
list) has been received from Matt Doherty

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER Matthew_doherty@DATAWATCH.COM Matt Doherty

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the
command executed. Note that while the formats produced by the forwarding
function of most mail packages are supported, replying will seldom work,
so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER Matthew_doherty@DATAWATCH.COM Matt Doherty
// EOJ

From LISTSERV at JISCMAIL.AC.UK Tue Jun 18 20:26:40 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: imark@TIPPINGMAR.COM left the JISCmail list
Message-ID: <200206181926.UAA23843@magpie.ecs.soton.ac.uk>

Tue, 18 Jun 2002 20:26:40

Mark Nienberg has just left the MAILSCANNER JISCmail list
(MailScanner mailing list).

From mark at TIPPINGMAR.COM Tue Jun 18 20:47:43 2002
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:14:59 2006
Subject: Accept spam from
In-Reply-To: <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk>
Message-ID: <000001c21701$03874cc0$1cfea8c0@tippingmar.com>

I'm setting up my first mailscanner to replace our existing standalone
sendmail setup. In the sample mailscanner.conf file there are the
following 2 lines:

Accept Spam From = 152.78.
Accept Spam From = 139.166.

These are not commented out like some of the other examples in the file.
Does that mean there is some reason to leave them in, rather than
removing them or changing them to our own addresses?

Thanks,

Mark Nienberg
TM+a
Berkeley, CA

From jkf at ecs.soton.ac.uk Tue Jun 18 21:12:11 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: Accept spam from
In-Reply-To: <000001c21701$03874cc0$1cfea8c0@tippingmar.com>
References: <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk>

At 20:47 18/06/2002, you wrote:
>I'm setting up my first mailscanner to replace our existing standalone
>sendmail setup. In the sample mailscanner.conf file there are the
>following 2 lines:
>
>Accept Spam From = 152.78.
>Accept Spam From = 139.166.
>
>These are not commented out like some of the other examples in the file.
>Does that mean there is some reason to leave them in, rather than
>removing them or changing them to our own addresses?

These are the 2 class B nets we have in Southampton. Feel free to comment
out both lines or replace them.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Tue Jun 18 21:13:25 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:14:59 2006
Subject: Accept spam from
Message-ID:

they are examples.. i commented them out

-----Original Message-----
From: Mark Nienberg [mailto:mark@TIPPINGMAR.COM]
Sent: Tuesday, June 18, 2002 4:59 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Accept spam from

I'm setting up my first mailscanner to replace our existing standalone
sendmail setup. In the sample mailscanner.conf file there are the
following 2 lines:

Accept Spam From = 152.78.
Accept Spam From = 139.166.

These are not commented out like some of the other examples in the file.
Does that mean there is some reason to leave them in, rather than
removing them or changing them to our own addresses?

Thanks,

Mark Nienberg
TM+a
Berkeley, CA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020618/a5eea774/attachment.html

From jkf at ecs.soton.ac.uk Tue Jun 18 21:33:19 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: email marked as Spam when it isn't, with 3.20-4
In-Reply-To: <5.1.0.14.2.20020618172819.04843d48@imap.ecs.soton.ac.uk>
References: <20020618155126.GB17770@quadstone.com>
    <20020618154849.GA17770@quadstone.com>
    <20020618154849.GA17770@quadstone.com>
Message-ID: <5.1.0.14.2.20020618213114.02ac2ef8@imap.ecs.soton.ac.uk>

This patch is looking good. If I don't hear/see any more problems by
10:00GMT tomorrow I'll publish 3.20-5.
I've also discovered how to make the .rpmnew files so that RPM will be easier to install/upgrade. I might comment out the sample "Accept Spam From" lines too. At 17:29 18/06/2002, you wrote: >At 16:51 18/06/2002, you wrote: >>I've upgraded from 3.14-3 from 3.20-4, using SpamAssassin 2.30 on >>Solaris. I received a number of emails soon afterwards which didn't >>look like spam, and didn't have the usual SpamAssassin header added (with >>the score). The headers looked like >>this: >>X-MailScanner-SpamCheck: SpamAssassin >>() >>i.e. nothing between the brackets. Any idea what is going wrong? I've >>had to revert back to 3.14-3. Attached are the mailscanner.conf >>and spam.assassin.prefs.conf for V3.20.4. I've also >>attached one of the mail messages that was >>affected. >>Michael > >This looks like another Perl bug, as from the logic of the code it is >impossible for it to happen. I hate "blaming the compiler" but it's hardly >the first time I've run into Perl bugs. > >Try applying this patch to sendmail.pl and tell me if it works: > >*** sendmail.pl Sun Jun 16 21:30:25 2002 >--- sendmail.pl.new Tue Jun 18 17:35:15 2002 >*************** >*** 280,289 **** >--- 280,290 ---- > (!$IsOnWhiteList || $Config::IncludeSpamHeader)) { > my($SASaysSpam, $SAreport); > $SASaysSpam = 0; > $SAreport = ""; > ($SASaysSpam, $SAreport) = SpamAssassinChecks($Headers, $mID); >+ $SASaysSpam = 0 unless $SAreport; # Solve bug with empty SAreports > if ($SASaysSpam || $Config::IncludeSpamHeader) { > $SpamHeader .= ", " if $SpamHeader; > $SpamHeader .= "SpamAssassin ($SAreport)"; > } > $ThisIsSpam = 1 if $SASaysSpam && !$IsOnWhiteList; > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From brandonf at BFCONSULT.CO.ZA Tue Jun 18 21:57:38 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
References:
Message-ID: <3D0F9EC2.7030403@bfconsult.co.za>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have found the problem - I see you cannot restart sendmail by itself!
You have to restart mailscanner, which will restart sendmail
as well...correct?

Francois Caen wrote:

> Could be wrong, but it looks like something is already listening on
> sendmail's port.
> Could it be that default sendmail is already running, hence binding
> to port 25? Did you disable sendmail's startup script (chkconfig)?
> Mailscanner launches its own sendmails, so you don't need the
> default one. Stop mailscanner and do a netstat -tanp, see who's on
> :25 .
>
> ------------------------------------------------
> Francois Caen
> Network Information Systems Engineer - Webmaster
> City of Lakewood, WA
> (253) 512-2269
>
> -----Original Message-----
> From: brandonf@BFCONSULT.CO.ZA
> Sent: Tuesday, June 18, 2002 8:34 AM
> To:
> Subject: [MAILSCANNER] Strange Message
>
>
>
> I tried to search in the archive but I could find
> anything....
>
> I have noticed this message in the maillog :
> Jun 18 17:26:53 blackbox1 sendmail[10418]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon Daemon0: cannot bind: Address already in
> use Jun 18 17:26:53 blackbox1 sendmail[10418]: daemon Daemon0:
> problem creating SMTP socket
>
> Any ideas?
>
> --
>
> Regards
> Brandon Friedman
> Cell:083 408 7840
> E-mail: brandonf@bfconsult.co.za
> www.bfconsult.co.za
>
>

- --

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQ+ev32QHKNEPydkEQLjqACeLZ29ObTWKblGuQtTLPpII/5aXLYAn0VX
rdQNvrLLzmkEurrSwWl8UryM
=g9Op
-----END PGP SIGNATURE-----

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 18 22:11:08 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
Message-ID:

-----Original Message-----
From: brandonf@BFCONSULT.CO.ZA

> I have found the problem - I see you cannot restart sendmail by
> itself!
> You have to restart mailscanner, which will restart sendmail
> as well...correct?

That is correct. MS's initscript includes sendmail. Don't run sendmail's
initscript itself.

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From Matthew_doherty at DATAWATCH.COM Tue Jun 18 22:43:14 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
Message-ID:

Does this mean we have to remove sendmail from RedHat's boot up services ?
Or does the rpm automatically do that during the install?

-----Original Message-----
From: Francois Caen [mailto:FCaen@CI.LAKEWOOD.WA.US]
Sent: Tuesday, June 18, 2002 6:14 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Strange Message

-----Original Message-----
From: brandonf@BFCONSULT.CO.ZA

> I have found the problem - I see you cannot restart sendmail by
> itself!
> You have to restart mailscanner, which will restart sendmail
> as well...correct?

That is correct. MS's initscript includes sendmail. Don't run sendmail's
initscript itself.

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020618/8c02043a/attachment.html

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 18 22:56:50 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
Message-ID:

-----Original Message-----
From: Matthew_doherty@DATAWATCH.COM

> Does this mean we have to remove sendmail from RedHat's boot up services ?

Yep, like I said 2 responses ago :-)
on RH, use chkconfig

> Or does the rpm automatically do that during the install?

nope, it doesn't.

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From nwp at LEMON-COMPUTING.COM Wed Jun 19 01:27:26 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:14:59 2006
Subject: Signing messages by domain/MRTG
In-Reply-To: <3D0F3D86.790E5BFD@bangor.ac.uk>
References: <67D9E7698329D411936E00508B6590B9A5B34A@neelix.lbsltd.co.uk>
    <20020617103734.A4151@michaelchaney.com>
    <3D0F3D86.790E5BFD@bangor.ac.uk>
Message-ID: <20020619002726.GF5888@hoiho.nz.lemon-computing.com>

On Tue, Jun 18, 2002 at 03:02:46PM +0100, Martin Sapsed wrote:

> The thing that really annoys me is when you get a 3 line message with a 40
> line bilingual (we're in Wales) disclaimer on the bottom!

Hmmm... a disclaimer filter... <550 mail rejected; disclaimer too long> or
<550 mail rejected; you're too litigious>... ;)

--
Nick Phillips -- nwp@lemon-computing.com
You have the body of a 19 year old. Please return it before it gets wrinkled.
From jkf at ecs.soton.ac.uk Wed Jun 19 03:21:22 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
In-Reply-To:
Message-ID: <5.1.0.14.2.20020619031913.036ff0a8@imap.ecs.soton.ac.uk>

At 22:56 18/06/2002, you wrote:
>-----Original Message-----
>From: Matthew_doherty@DATAWATCH.COM
>
> > Does this mean we have to remove sendmail from RedHats boot up services ?
>
>Yep, like I said 2 responses ago :-)
>on RH, use chkconfig
>
> > Or does the rpm automatically do that during the install?
>
>nope, it doesn't.

Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh, yes it does... :-)

From the "%post" script in the RPM spec file:
>chkconfig --add mailscanner
>/etc/rc.d/init.d/sendmail stop
>chkconfig sendmail off
>chkconfig --level 2345 sendmail off
>rm -f /etc/rc.d/rc2.d/S30sendmail

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mike at ZANKER.ORG Wed Jun 19 06:12:33 2002
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:14:59 2006
Subject: Strange Message
In-Reply-To: <5.1.0.14.2.20020619031913.036ff0a8@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020619031913.036ff0a8@imap.ecs.soton.ac.uk>
Message-ID: <244408580.1024467153@jemima.zanker.org>

On 19 June 2002 03:21 +0100 Julian Field wrote:

> Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh,
> yes it does... :-)

Didn't work on mine with 3.20-2 (RH 7.2) - I had to manually turn off sendmail and turn on mailscanner. 3.20-3 on the same box managed to do it automatically.
Mike
--
Mike Zanker
Northampton, UK
PGP Public Key: pgp@zanker.org

From mike at CAMAROSS.NET Wed Jun 19 07:02:46 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:14:59 2006
Subject: Part of MRTG died
In-Reply-To: <20020619002726.GF5888@hoiho.nz.lemon-computing.com>
Message-ID:

I started using MRTG a little while back to track Mailscanner performance. It has been working great until a few days ago. My Total Emails and Viruses still show the correct statistics, but the Spam is not being picked up. I don't know if this is a result of an upgrade to Mailscanner or what. Did something change?

You can take a look at http://bladeware.com

Thanks!

From mike at CAMAROSS.NET Wed Jun 19 07:19:22 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:14:59 2006
Subject: Part of MRTG died
In-Reply-To:
Message-ID:

I think I fixed it. Had to change 'spam' to 'Spam' in my MRTG config file. Now they're starting to show up. Must have had something to do with one of the latest updates.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher
Sent: Wednesday, June 19, 2002 1:03 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Part of MRTG died

I started using MRTG a little while back to track Mailscanner performance. It has been working great until a few days ago. My Total Emails and Viruses still show the correct statistics, but the Spam is not being picked up. I don't know if this is a result of an upgrade to Mailscanner or what. Did something change?

You can take a look at http://bladeware.com

Thanks!

From rishi at THEARGONCOMPANY.COM Wed Jun 19 07:21:20 2002
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:14:59 2006
Subject: question on spam
Message-ID: <007e01c21759$89efd680$73488eca@protocol>

Hi

I checked my headers and this is what it said.
X-MailScanner-SpamCheck: not spam, SpamAssassin ()
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=17.2, required 5, MSG_ID_ADDED_BY_MTA_2, CLICK_BELOW, EXCUSE_3, REMOVE_PAGE, BIG_FONT, CLICK_HERE_LINK, CTYPE_JUST_HTML)

If the score was high then why did it not get marked as spam?

Should I attach my mailscanner.conf file?

Regards
Rishi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020619/7794693a/attachment.html

From mike at CAMAROSS.NET Wed Jun 19 07:30:10 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:14:59 2006
Subject: question on spam
In-Reply-To: <007e01c21759$89efd680$73488eca@protocol>
Message-ID:

Looks like the mailserver or sender is in your whitelist.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rishi Gangoly
Sent: Wednesday, June 19, 2002 1:21 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: question on spam

Hi

I checked my headers and this is what it said.

X-MailScanner-SpamCheck: not spam, SpamAssassin ()
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=17.2, required 5, MSG_ID_ADDED_BY_MTA_2, CLICK_BELOW, EXCUSE_3, REMOVE_PAGE, BIG_FONT, CLICK_HERE_LINK, CTYPE_JUST_HTML)

If the score was high then why did it not get marked as spam?

Should I attach my mailscanner.conf file?

Regards
Rishi

From paul-w at BLUEYONDER.CO.UK Wed Jun 19 09:24:09 2002
From: paul-w at BLUEYONDER.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER Digest - 17 Jun 2002 to 18 Jun 2002 (#2002-21)
References: <0c2203922231262PCOW025M@blueyonder.co.uk>
Message-ID: <002301c2176a$b19e29a0$6a0110ac@sbsplc.com>

> Date: Tue, 18 Jun 2002 17:09:45 +0100
> From: Julian Field
> Subject: Re: F-Prot Update Script Available
>
> Okay, it's written and is available at
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/autoupdate.f-prot
>

Thanks for this, Julian.
The script on uk2raq.com sends an email to a specified address if the update has occurred. I guess an email on an error would also be useful. Any chance of adding this as a feature?? From LISTSERV at JISCMAIL.AC.UK Wed Jun 19 07:40:00 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:59 2006 Subject: MAILSCANNER: solomon@SWIFTKENYA.COM requested to join Message-ID: <200206190640.HAA06654@magpie.ecs.soton.ac.uk> Wed, 19 Jun 2002 07:40:00 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Solomon Odeny You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER solomon@SWIFTKENYA.COM Solomon Odeny PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER solomon@SWIFTKENYA.COM Solomon Odeny // EOJ From jkf at ecs.soton.ac.uk Wed Jun 19 09:40:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: MAILSCANNER Digest - 17 Jun 2002 to 18 Jun 2002 (#2002-21) In-Reply-To: <002301c2176a$b19e29a0$6a0110ac@sbsplc.com> References: <0c2203922231262PCOW025M@blueyonder.co.uk> Message-ID: <5.1.0.14.2.20020619093920.03609e90@imap.ecs.soton.ac.uk> At 09:24 19/06/2002, you wrote: > > Date: Tue, 18 Jun 2002 17:09:45 +0100 > > From: Julian Field > > Subject: Re: F-Prot Update Script Available > > > > Okay, it's written and is available at > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/autoupdate.f-prot > > >Thanks for this, Julian. 
> >The script on uk2raq.com sends an email to a specified address if the update >has occurred. I guess an email on an error would also be useful. Any >chance of adding this as a feature?? It already does near enough. Unless you run it with the command-line "-quiet" switch, then the cron job output will be mailed to root (assuming you put it in root's cron job list). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Jun 19 09:38:48 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: question on spam In-Reply-To: <007e01c21759$89efd680$73488eca@protocol> Message-ID: <5.1.0.14.2.20020619093821.02aa6020@imap.ecs.soton.ac.uk> At 07:21 19/06/2002, you wrote: >X-MailScanner-SpamCheck: not spam, SpamAssassin () This one is a known problem, which will be fixed in a couple of minutes. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020619/5f8462e0/attachment.html From S.R.Patterson at SOTON.AC.UK Wed Jun 19 09:58:38 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:59 2006 Subject: Accept spam from Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Or better yet... Don't :) - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. 
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > -----Original Message----- > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > Sent: 18 June 2002 21:12 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Accept spam from > > > At 20:47 18/06/2002, you wrote: > >I'm setting up my first mailscanner to replace our existing > standalone > >sendmail setup. In the sample mailscanner.conf file there are the > >following 2 lines: > > > >Accept Spam From = 152.78. > >Accept Spam From = 139.166. > > > >These are not commented out like some of the other examples in the > >file. Does that mean there is some reason to leave them in, > rather than > >removing them or changing them to our own addresses? > > These are the 2 class B nets we have in Southampton. Feel > free to comment out both lines or replace them. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRBHvK2fOiTs5+WvEQK6gwCgzA8E3w29E0GIpYWIMcOQxqwsLjMAoMsV f8bNYzdJtSsc9IjF5NLJZkIV =n24m -----END PGP SIGNATURE----- From S.R.Patterson at SOTON.AC.UK Wed Jun 19 10:01:21 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:59 2006 Subject: Signing messages by domain/MRTG Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 550 Do these disclaimers really have any legal meaning? :) - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. 
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: 19 June 2002 01:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Signing messages by domain/MRTG > > > On Tue, Jun 18, 2002 at 03:02:46PM +0100, Martin Sapsed wrote: > > > The thing that really annoys me is when you get a 3 line > message with > > a 40 line bilingual (we're in Wales) disclaimer on the bottom! > > Hmmm... a disclaimer filter... <550 mail rejected; disclaimer > too long> or <550 mail rejected; you're too litigious>... > > ;) > > -- > Nick Phillips -- nwp@lemon-computing.com > You have the body of a 19 year old. Please return it before > it gets wrinkled. > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRBIX62fOiTs5+WvEQL02ACfYyM170u7PAgmQNGwD2iiJdxerGwAoOo8 LkU62XIckqT/jJHx1pJZkoqD =d8w6 -----END PGP SIGNATURE----- From jkf at ecs.soton.ac.uk Wed Jun 19 10:07:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: ANNOUNCE: Version 3.20-5 released Message-ID: <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> I have just released Version 3.20-5. I have added an autoupdate script for F-Prot. This is based on the check_updates.sh script provided with F-Prot, but does the proper file locking to ensure that MailScanner cannot try to use F-Prot while it is being updated, which is important. I have fixed the rare problem of a message receiving an empty SpamAssassin report. I have fixed the problem of "Accept Spam From =" on its own in mailscanner.conf causing all mail to be whitelisted. I have improved the RPM so configuration files should be handled better. Downloadable, as usual, from http://www.mailscanner.info/ Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Wed Jun 19 10:14:24 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:59 2006 Subject: Filename extensions Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Anyone with half a day to spare may wish to look through http://www.silicon-alley.com/ext/ and make a list of useful filename extensions to block (i.e. anything than can execute with a double-click) and a list of those to definitely allow (i.e. anything that would require user intervention, e.g. unzipping, before it would run) The list there is by no means exhaustive. Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRBLbq2fOiTs5+WvEQJTvQCg6c2aDSel9DZ7lvCOT6LrE4ccaPkAnjoM rtnxHB8oYYpAzM2SU9kp6CCP =0qq/ -----END PGP SIGNATURE----- From David.Sullivan at BARNET.AC.UK Wed Jun 19 10:15:34 2002 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:14:59 2006 Subject: Signing messages by domain/MRTG In-Reply-To: References: Message-ID: <59454.194.82.200.31.1024478134.squirrel@webmail.barnet.ac.uk> > 550 Do these disclaimers really have any legal meaning? :) > I believe not, but what is there to say when an auditor says "You must have a disclaimer" Arguments such as the above are just buried under "Oh we'll do it just in case ..." Regards -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. 
If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From martinh at SOLID-STATE-LOGIC.COM Wed Jun 19 10:26:13 2002 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:14:59 2006 Subject: Signing messages by domain/MRTG References: <59454.194.82.200.31.1024478134.squirrel@webmail.barnet.ac.uk> Message-ID: <3D104E35.2050701@solid-state-logic.com> Hi There was an informed discussion on this very subject in the ukcrypto list a couple of years ago. I did a quick google on it but couldn't find anything that looked like the thread I remember -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 David Sullivan wrote: >>550 Do these disclaimers really have any legal meaning? :) >> > > > I believe not, but what is there to say when an auditor says "You must have > a disclaimer" Arguments such as the above are just buried under "Oh we'll > do it just in case ..." > > Regards > > -- > David Sullivan IT Services, Barnet College, London > David.Sullivan@barnet.ac.uk > 020 8275 5036 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From henrik at LEWANDER.COM Wed Jun 19 10:38:37 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:14:59 2006 Subject: Mailscanner not using latest SA? Message-ID: <023001c21775$293951b0$752211c2@gbg.bluelabs.se> Hello! I'm having a problem where mailscanner seems to not be using the latest installed version of Spamassassin. I run Debian and is autoupdating (of course! :). Mailscanner is just up to 3.14 but Spamassassin is 2.30. I get totally different reports when running spamassassin by hand and when I get mail trough mailscanner. Is it possible to have older "perl module" spamassassin or something (yes I know next to nothing about perl) hanging around? -Henrik From Q.G.Campbell at NEWCASTLE.AC.UK Wed Jun 19 11:55:33 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:59 2006 Subject: Signing messages by domain/MRTG Message-ID: Martin Try http://www.goldmark.org/jeff/stupid-disclaimers/ for an interesting discussion on the subject and many silly examples. Quentin Campbell (Postmaster) --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." > -----Original Message----- > From: Martin Hepworth [mailto:martinh@solid-state-logic.com] > Sent: 19 June 2002 10:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Signing messages by domain/MRTG > > > Hi > There was an informed discussion on this very subject in the > ukcrypto list a couple of years ago. 
I did a quick google on > it but couldn't find anything that looked like the thread I remember > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic Ltd > +44 (0)1865 842300 > > David Sullivan wrote: > >>550 Do these disclaimers really have any legal meaning? :) > >> > > > > > > I believe not, but what is there to say when an auditor > says "You must > > have a disclaimer" Arguments such as the above are just > buried under > > "Oh we'll do it just in case ..." > > > > Regards > > > > -- > > David Sullivan IT Services, Barnet College, London > > David.Sullivan@barnet.ac.uk > > 020 8275 5036 > > > > > > ********************************************************************** > This email and any files transmitted with it are confidential > and intended solely for the use of the individual or entity > to whom they are addressed. If you have received this email > in error please notify the system manager. > > This footnote also confirms that this email message has been > swept by MIMEsweeper for the presence of computer viruses. > www.mimesweeper.com ********************************************************************** From munafo at PREZZEMOLO.POLITO.IT Wed Jun 19 12:00:48 2002 From: munafo at PREZZEMOLO.POLITO.IT (Maurizio Matteo Munafo') Date: Thu Jan 12 21:14:59 2006 Subject: ANNOUNCE: Version 3.20-5 released In-Reply-To: <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> Message-ID: <02061913004800.23880@prezzemolo.polito.it> On Wednesday 19 June 2002 11:07, Julian Field wrote: > I have just released Version 3.20-5. > > I have added an autoupdate script for F-Prot. This is based on the > check_updates.sh script provided with F-Prot, but does the proper file > locking to ensure that MailScanner cannot try to use F-Prot while it is > being updated, which is important. > To use it, should I just drop it in cron.daily like Sophos.autoupdate? 
>
> I have improved the RPM so configuration files should be handled better.
>

The RPM update insists on installing MailTools-1.1401 even if a more recent version (1.46) is already installed.
This does not happen for IO::Stringy, where the installed 2.108 version is not overwritten by the 1.211 version contained in the RPM distribution.
Is there a way to avoid this downgrade?

MIME::Tools is also always reinstalled, even if you got the patched version with MailScanner 3.20-4, but I know that this is necessary because you can't distinguish the patched version from the original one from the version number.

BTW, I'm using Perl 5.005_3 and RPM 4.02 on a RH6.2 system

Regards,
Maurizio Munafo'

--
Maurizio M. Munafo' / munafo@mail.tlc.polito.it
"Consider Phlebas, who was once handsome and tall as you" (T.S.Eliot)

From LISTSERV at JISCMAIL.AC.UK Wed Jun 19 12:05:59 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:14:59 2006
Subject: MAILSCANNER: akhan@SGHMS.AC.UK left the JISCmail list
Message-ID: <200206191105.MAA28694@magpie.ecs.soton.ac.uk>

Wed, 19 Jun 2002 12:05:59

Asim Khan has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From martinh at SOLID-STATE-LOGIC.COM Wed Jun 19 12:08:28 2002
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:14:59 2006
Subject: Signing messages by domain/MRTG
References:
Message-ID: <3D10662C.4070209@solid-state-logic.com>

Quentin

OK this is getting kinda off topic, but from what I remember of the ukcrypto thread the legal bods there decided it would be legally enforceable.

BUT from what I was taught email should be treated as a postcard. Now the local postman where I grew up (small Yorkshire village) always knew where people had been on the holidays etc as he read all the postcards!
-- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300 Quentin Campbell wrote: > Martin > > Try http://www.goldmark.org/jeff/stupid-disclaimers/ for an interesting > discussion on the subject and many silly examples. > > Quentin Campbell (Postmaster) > --- > PHONE: +44 191 222 8209 Computing Service, University of Newcastle > FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > "Any opinion expressed above is mine. The University can get its own." > > >>-----Original Message----- >>From: Martin Hepworth [mailto:martinh@solid-state-logic.com] >>Sent: 19 June 2002 10:26 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Signing messages by domain/MRTG >> >> >>Hi >>There was an informed discussion on this very subject in the >>ukcrypto list a couple of years ago. I did a quick google on >>it but couldn't find anything that looked like the thread I remember >> >>-- >>Martin Hepworth >>Senior Systems Administrator >>Solid State Logic Ltd >>+44 (0)1865 842300 >> >>David Sullivan wrote: >> >>>>550 Do these disclaimers really have any legal meaning? :) >>>> >>> >>> >>>I believe not, but what is there to say when an auditor >> >>says "You must >> >>>have a disclaimer" Arguments such as the above are just >> >>buried under >> >>>"Oh we'll do it just in case ..." >>> >>>Regards >>> >>>-- >>>David Sullivan IT Services, Barnet College, London >>> David.Sullivan@barnet.ac.uk >>> 020 8275 5036 >> >> > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. 
www.mimesweeper.com
**********************************************************************

From jkf at ecs.soton.ac.uk Wed Jun 19 12:17:25 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:14:59 2006
Subject: ANNOUNCE: Version 3.20-5 released
In-Reply-To: <02061913004800.23880@prezzemolo.polito.it>
References: <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020619121155.03b0f528@imap.ecs.soton.ac.uk>

At 12:00 19/06/2002, you wrote:
>On Wednesday 19 June 2002 11:07, Julian Field wrote:
> > I have just released Version 3.20-5.
> >
> > I have added an autoupdate script for F-Prot. This is based on the
> > check_updates.sh script provided with F-Prot, but does the proper file
> > locking to ensure that MailScanner cannot try to use F-Prot while it is
> > being updated, which is important.
> >
>
>To use it, should I just drop it in cron.daily like Sophos.autoupdate?

Yes. If you need to specify a web proxy/cache then read the top of the script. Like the original, it takes "-cron" and/or "-quiet" command-line options which make it vary its output a bit. "-cron" means it only prints anything (which will get mailed to root by crond) if it actually has to do anything. "-quiet" will stop it printing anything at all.

> > I have improved the RPM so configuration files should be handled better.
>
>The RPM update insists on installing MailTools-1.1401 even if a more recent
>version (1.46) is already installed.
>This does not happen for IO::Stringy, where the installed 2.108 version is
>not overwritten by the 1.211 version contained in the RPM distribution.
>Is there a way to avoid this downgrade?

Unfortunately MailTools is a "bundle" not a module, so there doesn't appear to be any way of finding the version number of the installed copy. 1.1401 seems to work okay, but you can always re-upgrade using an RPM if you prefer.
I guess I need to get MailTools 1.46 into the RPM. Next time... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed Jun 19 14:50:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:59 2006 Subject: ANNOUNCE: Version 3.20-5 released In-Reply-To: <02061913004800.23880@prezzemolo.polito.it> References: <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619100401.03804710@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> At 12:00 19/06/2002, you wrote: >The RPM update insists in installing MailTools-1.1401 even if a more recent >version (1.46) is already installed. Okay, this is now fixed in version 3.20-6, the RPM will install MailTools-1.46. It's the only change. The tar distribution has not changed at all. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Wed Jun 19 15:08:08 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:00 2006 Subject: ANNOUNCE: Version 3.20-5 released In-Reply-To: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> Message-ID: <456365203.1024499288@mallard.open.ac.uk> On 19 June 2002 14:50 +0100 Julian Field wrote: > Okay, this is now fixed in version 3.20-6, the RPM will install > MailTools-1.46. It's the only change. The tar distribution has not > changed at all. 
Just got this when installing 3.20-6 RPM: warning: user sysjkf does not exist - using root warning: group sysjkf does not exist - using root Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From jkf at ecs.soton.ac.uk Wed Jun 19 15:12:55 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: ANNOUNCE: Version 3.20-5 released In-Reply-To: <456365203.1024499288@mallard.open.ac.uk> References: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020619151236.039e7458@imap.ecs.soton.ac.uk> At 15:08 19/06/2002, you wrote: >On 19 June 2002 14:50 +0100 Julian Field wrote: > >>Okay, this is now fixed in version 3.20-6, the RPM will install >>MailTools-1.46. It's the only change. The tar distribution has not >>changed at all. > >Just got this when installing 3.20-6 RPM: > >warning: user sysjkf does not exist - using root >warning: group sysjkf does not exist - using root Harmless, but fixed all the same. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Wed Jun 19 16:38:08 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:15:00 2006 Subject: Suggestion for Sophos updates In-Reply-To: <20020618163331.GA2051@bragann> Message-ID: care to share this with the rest of us? ** Jeff A. 
Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Tue, 18 Jun 2002, Willem Kuiters wrote: > Date: Tue, 18 Jun 2002 18:33:31 +0200 > From: Willem Kuiters > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Suggestion for Sophos updates > > Hoi Shane, > > On Tue, Jun 18, 2002 at 04:24:02PM +0100, Shane Kelly wrote: > > > > There is a notification via e-mail for Sophos alerts - whenever I receive > > one (and it can be busy) I initiate an update then (as well as using the > > nightly cron job) > > I use a procmail recipe that launches the update script upon a message from > sophos. Works great and you are sure always to have the latest IDE files. > > -- > |\ /| Willem G.J. Kuiters > |0 0| > (/"\) --- "I give myself sometimes admirable --- > / \ --- advice, but I am incapable of taking --- > (( U U )) --- it" -- Lady Mary Wortley Montagu --- > " " " " > --(Htag.pl 0.0.19)-- > From Matthew_doherty at DATAWATCH.COM Wed Jun 19 17:56:40 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:00 2006 Subject: Strange Message Message-ID: RH 7.2 Sendmail 8.11.6 latest RPM fresh install of mailscanner and all perl updates When I do a chkconfig --list | grep sendmail It shows 0 - 5 runlevels as off ps -A | more shows sendmail and mailscanner running maillog is not being written to and there is no sign of a .maillog.swp either chkconfig mailscanner on (or off) shows nothing.. I just get the command prompt doing tests im lucky to say mail is being sent.. but have no idea if mailscanner is scanning due to the fact that the maillog is not being written to .. strange? my mail log is is in its default location too... /var/log/maillog so I am worried. 
I am sorry if this seems to be a newbie question, cuz I am :)
should I execute these commands in this order?

chkconfig --add mailscanner
>/etc/rc.d/init.d/sendmail stop
>chkconfig sendmail off
>chkconfig --level 2345 sendmail off
>rm -f /etc/rc.d/rc2.d/S30sendmail

I have not done this yet..
I guess you could tell I'm a bit scared to do this during a busy time at our company, but need to get mailscanner working properly at this very moment.. ahhh! lol

Thank You !!!

-----Original Message-----
From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
Sent: Tuesday, June 18, 2002 11:18 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Strange Message

At 22:56 18/06/2002, you wrote:
>-----Original Message-----
>From: Matthew_doherty@DATAWATCH.COM
>
> > Does this mean we have to remove sendmail from RedHats boot up services ?
>
>Yep, like I said 2 responses ago :-)
>on RH, use chkconfig
>
> > Or does the rpm automatically do that during the install?
>
>nope, it doesn't.

Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh, yes it does... :-)

From the "%post" script in the RPM spec From the "%post" script in the RPM spec maillog is not being written to and there is no sign of a .maillog.swp either

There shouldn't be a .maillog.swp file as you don't really want to edit your logs with vi, which is what that usually implies.

As your maillog isn't being written to by MailScanner, check that there is a line in your /etc/syslog.conf file that says
    mail.debug /var/log/maillog
If there isn't one, then add it and then run the command
    /etc/rc.d/init.d/syslog restart

If you still can't get anything from MailScanner into your maillog, then you will need to edit /etc/rc.d/init.d/syslog a little bit. There is a line that sets the value of "SYSLOGD_OPTIONS", and this should say
    SYSLOGD_OPTIONS="-r -m 0"
(the new bit is the "-r"). If you make that change, you will need to
    /etc/rc.d/init.d/syslog restart
again so that it makes use of the change.
>chkconfig mailscanner on (or off) shows nothing.. I just get the command
>prompt

It doesn't print anything, but it has the effect of telling Linux whether to start MailScanner (or not) the next time the computer boots Linux. If you have done this a few times, then you need to ensure it is set to start on boot. So do
    chkconfig mailscanner on
and then do
    chkconfig --list | grep mail
and you should see that sendmail is switched off at all run levels, and mailscanner is switched on at levels 3,4,5. The startup script corresponding to this is /etc/rc.d/init.d/mailscanner, which actually not only starts MailScanner, but also starts the 2 sendmail processes it needs. This is why sendmail is apparently off and mailscanner is on.

>doing tests im lucky to say mail is being sent.. but have no idea if
>mailscanner is scanning due to the fact that the maillog is not being
>written to .. strange?
>my mail log is is in its default location too... /var/log/maillog so I am
>worried.
>I am sorry if this seems to be a newbie question, cuz I am :)
>should I execute these commands in this order?
>chkconfig --add mailscanner
> >/etc/rc.d/init.d/sendmail stop
> >chkconfig sendmail off
> >chkconfig --level 2345 sendmail off
> >rm -f /etc/rc.d/rc2.d/S30sendmail

You can do that if you like, it won't do any harm. But if you do a
    chkconfig --list | grep mail
first you will probably find you don't need to do them as sendmail will be off and mailscanner will be on.

> I have not done this yet..
>I guess you could tell im abit scared to do this during a busy time at our
>company, but need to get mailscanner working properly at this very
>moment.. ahhh!

A good way to test MailScanner is to send some mail through it containing the "eicar" test virus. This is a totally harmless file which you can download from www.eicar.org but which will be detected as a virus by all the virus scanners.
Remember, if sending it from the same machine as the one running MailScanner, that you need to send the mail in via the SMTP port (25) and you don't just call sendmail directly. So probably best for your testing to send the mail from another PC so you can be sure it is talking to the MailScanner server by SMTP.

Hopefully that's enough to get you going. And I hope a few people find this info useful in future via the mailing list archives...

Jules.

>-----Original Message-----
>From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
>Sent: Tuesday, June 18, 2002 11:18 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Strange Message
>
>At 22:56 18/06/2002, you wrote:
> >-----Original Message-----
> >From: Matthew_doherty@DATAWATCH.COM
> >
> > > Does this mean we have to remove sendmail from RedHats boot up
> services ?
> >
> >Yep, like I said 2 responses ago :-)
> >on RH, use chkconfig
> >
> > > Or does the rpm automatically do that during the install?
> >
> >nope, it doesn't.
>
>Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh, yes it
>does... :-)
>
> From the "%post" script in the RPM spec From the "%post" script in the
> RPM spec mail.none /var/log/maillog <" I changed it to ">mail.debug /var/log/maillog <" (none to debug) restarted syslog and still no go. Upon reading your next option I also noticed there was a missing "-r" switch in the line from /etc/rc.d/init.d/syslog .. I did a restart and unfortunately no go.. I restarted mailscanner.. then a tail -f /var/log/maillog and no action..:( at that point I can send mail still but all of a sudden I can't receive any new ones..so I tried sending mail from a remote domain over and over and got no errors on the sendees side but on my receiving end (with mailscanner) I received no new mail.. being in a panic ..lol.. I did a mailscanner stop and then a sendmail start and immediately received all mail from 10 minutes ago from the remote domain..
These test emails have no attachments and have as little as one word of text in both subject and body..permissions for any files including the maillog have not been altered since the beginning of mailscanner install...from yesterday's fresh new install of mailscanner the only thing new today was the new version you put out on the ftp site..mailscanner-3.20-6.i386.rpm -U option was used.. that I did... (not saying this problem wasn't an issue yesterday, it was).. I have found something in Google about a statement in a procmail.rc file? I did a locate for it and it's not on my RH7.2 system at least. apparently someone had an issue with maillog not being written to and a line in that file was the fix..oh well, I hope to get this thing working .. I like it.. As with some unix programs I have to put up a small fight..but it's worth it to keep windows and gates away from my world..:)

Thank You Much for speedy reply!! however I am still stuck.:(
I did check all files and reread the mailscanner.conf file.. no changes to the conf file were needed.. It kept my previous settings.. sophos etc..

-----Original Message-----
From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
Sent: Wednesday, June 19, 2002 3:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Strange Message

At 17:56 19/06/2002, you wrote:
>RH 7.2
>Sendmail 8.11.6
>latest RPM fresh install of mailscanner and all perl updates
>
>When I do a chkconfig --list | grep sendmail
>It shows 0 - 5 runlevels as off

Correct. You don't want sendmail to be run from the sendmail /etc/rc.d/init.d/sendmail script, which is what
    chkconfig --list | grep sendmail
will show you.

>ps -A | more shows sendmail and mailscanner running

Good. There should be 2 sendmail processes running, one with something like "-q15m" on its command-line, and another accepting connections on port 25. And 1 MailScanner process running.
>maillog is not being written to and there is no sign of a .maillog.swp either

There shouldn't be a .maillog.swp file as you don't really want to edit your logs with vi, which is what that usually implies.

As your maillog isn't being written to by MailScanner, check that there is a line in your /etc/syslog.conf file that says
    mail.debug /var/log/maillog
If there isn't one, then add it and then run the command
    /etc/rc.d/init.d/syslog restart

If you still can't get anything from MailScanner into your maillog, then you will need to edit /etc/rc.d/init.d/syslog a little bit. There is a line that sets the value of "SYSLOGD_OPTIONS", and this should say
    SYSLOGD_OPTIONS="-r -m 0"
(the new bit is the "-r"). If you make that change, you will need to
    /etc/rc.d/init.d/syslog restart
again so that it makes use of the change.

>chkconfig mailscanner on (or off) shows nothing.. I just get the command
>prompt

It doesn't print anything, but it has the effect of telling Linux whether to start MailScanner (or not) the next time the computer boots Linux. If you have done this a few times, then you need to ensure it is set to start on boot. So do
    chkconfig mailscanner on
and then do
    chkconfig --list | grep mail
and you should see that sendmail is switched off at all run levels, and mailscanner is switched on at levels 3,4,5. The startup script corresponding to this is /etc/rc.d/init.d/mailscanner, which actually not only starts MailScanner, but also starts the 2 sendmail processes it needs. This is why sendmail is apparently off and mailscanner is on.

>doing tests im lucky to say mail is being sent.. but have no idea if
>mailscanner is scanning due to the fact that the maillog is not being
>written to .. strange?
>my mail log is is in its default location too... /var/log/maillog so I am
>worried.
>I am sorry if this seems to be a newbie question, cuz I am :)
>should I execute these commands in this order?
>chkconfig --add mailscanner
> >/etc/rc.d/init.d/sendmail stop
> >chkconfig sendmail off
> >chkconfig --level 2345 sendmail off
> >rm -f /etc/rc.d/rc2.d/S30sendmail

You can do that if you like, it won't do any harm. But if you do a
    chkconfig --list | grep mail
first you will probably find you don't need to do them as sendmail will be off and mailscanner will be on.

> I have not done this yet..
>I guess you could tell im abit scared to do this during a busy time at our
>company, but need to get mailscanner working properly at this very
>moment.. ahhh!

A good way to test MailScanner is to send some mail through it containing the "eicar" test virus. This is a totally harmless file which you can download from www.eicar.org but which will be detected as a virus by all the virus scanners. Remember, if sending it from the same machine as the one running MailScanner, that you need to send the mail in via the SMTP port (25) and you don't just call sendmail directly. So probably best for your testing to send the mail from another PC so you can be sure it is talking to the MailScanner server by SMTP.

Hopefully that's enough to get you going. And I hope a few people find this info useful in future via the mailing list archives...

Jules.

>-----Original Message-----
>From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
>Sent: Tuesday, June 18, 2002 11:18 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Strange Message
>
>At 22:56 18/06/2002, you wrote:
> >-----Original Message-----
> >From: Matthew_doherty@DATAWATCH.COM
> >
> > > Does this mean we have to remove sendmail from RedHats boot up
> services ?
> >
> >Yep, like I said 2 responses ago :-)
> >on RH, use chkconfig
> >
> > > Or does the rpm automatically do that during the install?
> >
> >nope, it doesn't.
>
>Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh, yes it
>does...
:-)
>
> From the "%post" script in the RPM spec From the "%post" script in the
> RPM spec $SophosRoot = "/usr/local/";
> $IDELink = "/usr/local/ide";
> $VDLDir = "../sav";

and I put it in /usr/local/bin. I use the install.sh script that comes with the Sophos package with its defaults.

This is perhaps not the most elegant solution but it works and automatically updates the IDE files when a new one is put online by Sophos.

Willem
--
** "It infuriates me to be wrong when I know I'm **
** right" -- Molière **
** htag 0.0.19 **

From Matthew_doherty at DATAWATCH.COM Wed Jun 19 21:05:57 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:00 2006
Subject: mailscanner and maillog
Message-ID:

Thank you for the info.
There was a line in the /etc/syslog.conf file ">mail.none /var/log/maillog <" I changed it to ">mail.debug /var/log/maillog <" (none to debug) restarted syslog and still no go. Upon reading your next option I also noticed there was a missing "-r" switch in the line from /etc/rc.d/init.d/syslog .. I did a restart and unfortunately no go.. I restarted mailscanner.. then a tail -f /var/log/maillog and no action..:( at that point I can send mail still but all of a sudden I can't receive any new ones..so I tried sending mail from a remote domain over and over and got no errors on the sendees side but on my receiving end (with mailscanner) I received no new mail.. being in a panic ..lol.. I did a mailscanner stop and then a sendmail start and immediately received all mail from 10 minutes ago from the remote domain..
These test emails have no attachments and have as little as one word of text in both subject and body..permissions for any files including the maillog have not been altered since the beginning of mailscanner install...from yesterday's fresh new install of mailscanner the only thing new today was the new version you put out on the ftp site..mailscanner-3.20-6.i386.rpm -U option was used.. that I did... (not saying this problem wasn't an issue yesterday, it was).. I have found something in Google about a statement in a procmail.rc file? I did a locate for it and it's not on my RH7.2 system at least. apparently someone had an issue with maillog not being written to and a line in that file was the fix..oh well, I hope to get this thing working .. I like it.. As with some unix programs I have to put up a small fight..but it's worth it to keep windows and gates away from my world..:)

Thank You Much for speedy reply!! however I am still stuck.:(
I did check all files and reread the mailscanner.conf file.. no changes to the conf file were needed.. It kept my previous settings.. sophos etc..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020619/7272ba86/attachment.html

From LISTSERV at JISCMAIL.AC.UK Wed Jun 19 21:10:02 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:00 2006
Subject: MAILSCANNER: gjm@PRYDE.2053.NET requested to join
Message-ID: <200206192010.VAA24523@magpie.ecs.soton.ac.uk>

Wed, 19 Jun 2002 21:10:02

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Johannes Maybaum

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER gjm@PRYDE.2053.NET Johannes Maybaum

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER gjm@PRYDE.2053.NET Johannes Maybaum
// EOJ

From Matthew_doherty at DATAWATCH.COM Wed Jun 19 23:06:59 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:00 2006
Subject: I found the maillog non updateing issue in the syslog.conf file
Message-ID:

In the : /etc/syslog.conf file
I think the rpm might have modified it .. must have because I didn't..

My previous non working line was :

# Log all the mail messages in one place.
mail.debug*;mailscanner.* /var/log/maillog

---==== I split them and changed it to: ====---

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Log all the mailscanned messages to.
mailscanner.* /var/log/mailscanner

now when I do a tail -f /var/log/maillog it's working now :)

-----Original Message-----
From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
Sent: Wednesday, June 19, 2002 3:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Strange Message

At 17:56 19/06/2002, you wrote:
>RH 7.2
>Sendmail 8.11.6
>latest RPM fresh install of mailscanner and all perl updates
>
>When I do a chkconfig --list | grep sendmail
>It shows 0 - 5 runlevels as off

Correct. You don't want sendmail to be run from the sendmail /etc/rc.d/init.d/sendmail script, which is what
    chkconfig --list | grep sendmail
will show you.

>ps -A | more shows sendmail and mailscanner running

Good. There should be 2 sendmail processes running, one with something like "-q15m" on its command-line, and another accepting connections on port 25. And 1 MailScanner process running.

>maillog is not being written to and there is no sign of a .maillog.swp either

There shouldn't be a .maillog.swp file as you don't really want to edit your logs with vi, which is what that usually implies.

As your maillog isn't being written to by MailScanner, check that there is a line in your /etc/syslog.conf file that says
    mail.debug /var/log/maillog
If there isn't one, then add it and then run the command
    /etc/rc.d/init.d/syslog restart

If you still can't get anything from MailScanner into your maillog, then you will need to edit /etc/rc.d/init.d/syslog a little bit. There is a line that sets the value of "SYSLOGD_OPTIONS", and this should say
    SYSLOGD_OPTIONS="-r -m 0"
(the new bit is the "-r"). If you make that change, you will need to
    /etc/rc.d/init.d/syslog restart
again so that it makes use of the change.

>chkconfig mailscanner on (or off) shows nothing.. I just get the command
>prompt

It doesn't print anything, but it has the effect of telling Linux whether to start MailScanner (or not) the next time the computer boots Linux.
If you have done this a few times, then you need to ensure it is set to start on boot. So do
    chkconfig mailscanner on
and then do
    chkconfig --list | grep mail
and you should see that sendmail is switched off at all run levels, and mailscanner is switched on at levels 3,4,5. The startup script corresponding to this is /etc/rc.d/init.d/mailscanner, which actually not only starts MailScanner, but also starts the 2 sendmail processes it needs. This is why sendmail is apparently off and mailscanner is on.

>doing tests im lucky to say mail is being sent.. but have no idea if
>mailscanner is scanning due to the fact that the maillog is not being
>written to .. strange?
>my mail log is is in its default location too... /var/log/maillog so I am
>worried.
>I am sorry if this seems to be a newbie question, cuz I am :)
>should I execute these commands in this order?
>chkconfig --add mailscanner
> >/etc/rc.d/init.d/sendmail stop
> >chkconfig sendmail off
> >chkconfig --level 2345 sendmail off
> >rm -f /etc/rc.d/rc2.d/S30sendmail

You can do that if you like, it won't do any harm. But if you do a
    chkconfig --list | grep mail
first you will probably find you don't need to do them as sendmail will be off and mailscanner will be on.

> I have not done this yet..
>I guess you could tell im abit scared to do this during a busy time at our
>company, but need to get mailscanner working properly at this very
>moment.. ahhh!

A good way to test MailScanner is to send some mail through it containing the "eicar" test virus. This is a totally harmless file which you can download from www.eicar.org but which will be detected as a virus by all the virus scanners. Remember, if sending it from the same machine as the one running MailScanner, that you need to send the mail in via the SMTP port (25) and you don't just call sendmail directly. So probably best for your testing to send the mail from another PC so you can be sure it is talking to the MailScanner server by SMTP.
Hopefully that's enough to get you going. And I hope a few people find this info useful in future via the mailing list archives...

Jules.

>-----Original Message-----
>From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK]
>Sent: Tuesday, June 18, 2002 11:18 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Strange Message
>
>At 22:56 18/06/2002, you wrote:
> >-----Original Message-----
> >From: Matthew_doherty@DATAWATCH.COM
> >
> > > Does this mean we have to remove sendmail from RedHats boot up
> services ?
> >
> >Yep, like I said 2 responses ago :-)
> >on RH, use chkconfig
> >
> > > Or does the rpm automatically do that during the install?
> >
> >nope, it doesn't.
>
>Oh, yes it does. (Cue Punch & Judy jokes... oh, no it doesn't... oh, yes it
>does... :-)
>
> From the "%post" script in the RPM spec From the "%post" script in the
> RPM spec mail.none /var/log/maillog
> <" I changed it to ">mail.debug /var/log/maillog <" (none to debug)
> restarted syslog and still no go.
> Upon reading your next option I also noticed there was a missing "-r" switch
> in the line from /etc/rc.d/init.d/syslog .. I did a restart and
> unfortunately no go.. I restarted mailscanner.. then a tail -f
> /var/log/maillog and no action..:( at that point I can send mail still but
> all of a sudden I cant receive any new ones..so I tried sending mail from a
> remote domain over and over and got no erros on the sendees side but on my
> receiving end (with mailscanner) I received no new mail.. being in a panic
> .lol.. I did a mailscanner stop and then a sendmail start and immediatly
> received all mail from 10 minutes ago from the remote domain..
These test
> emails have no attachments and have as little as one word of text in both
> subject and body..permissions for any files including the maillog have not
> been altered since the beginning of mailscanner install...from yesterdays
> fresh new install of mailscanner the only thing new today was the new
> version you put out on the ftp site..mailscanner-3.20-6.i386.rpm -U option
> was used.. that i did... (not saying this problem wasn't an issue yesturday,
> ,it was).. I have found something in Google about a statement in a
> procmail.rc file? I did a locate for it and its not on my RH7.2 system at
> least. apparently someone had a issue with maillog not being written to and
> a line in that file was the fix..oh well, I hope to get this thing working
> . I like it.. As with some unix programs i have to put up a small
> fight..but its worth it to keep windows and gates away from my world..:)
> Thank You Much for speedy reply!! however I am still stuck.:(
> I did check all files and reread the mailscanner.conf file.. no changes to
> the conf file were needed.. It kept my previous settings.. sophos etc..

--
Nick Phillips -- nwp@lemon-computing.com
Excellent day to have a rotten day.

From nathan at TCPNETWORKS.NET Thu Jun 20 01:50:57 2002
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:15:00 2006
Subject: Deliver Spam to Single Recipient?
References: <200206192321.g5JNL6e06065@ns2.tcpnetworks.com>
Message-ID: <00ae01c217f4$8a554ba0$2400a8c0@johanson>

Hello,

Is it possible to set the "Spam Action" option to deliver all tagged spam for a domain to a single recipient (instead of _all_ intended recipients)? Suppose someone wants to collect and review all "spam" for a domain from a single account.

Thanks in advance!

--
Nathan Johanson
Email: nathan@tcpnetworks.net

From wolfgang.lumpp at GMX.NET Thu Jun 20 05:36:57 2002
From: wolfgang.lumpp at GMX.NET (Wolfgang Lumpp)
Date: Thu Jan 12 21:15:00 2006
Subject: Deliver Spam to Single Recipient?
In-Reply-To: <00ae01c217f4$8a554ba0$2400a8c0@johanson>
References: <200206192321.g5JNL6e06065@ns2.tcpnetworks.com> <00ae01c217f4$8a554ba0$2400a8c0@johanson>
Message-ID: <64090.212.86.197.209.1024547817.squirrel@gateway.lumpp>

Nathan Johanson said:
> Hello,
>
> Is it possible to set the "Spam Action" option to deliver all tagged
> spam for a domain to a single recipient (instead of _all_ intended
> recipients)? Suppose someone wants to collect and review all "spam" for
> a domain from a single account.
>
> Thanks in advance!

Hello,

best to do it in your MTA (exim, sendmail), not in scanner

Regards
Wolfgang

--
www.lumpp.de

From siewwu.tan at EDGEMATRIX.COM Thu Jun 20 08:11:14 2002
From: siewwu.tan at EDGEMATRIX.COM (Tan Siew Wu)
Date: Thu Jan 12 21:15:00 2006
Subject: F-Prot Update Script Available
Message-ID:

On Tue, 18 Jun 2002 17:09:45 +0100, Julian Field wrote:
>Okay, it's written and is available at
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/autoupdate.f-prot
>

Hi Julian,
The script seems to contain a few bugs.. :-)
I just got it down and tried it. It works but it was getting the file from the $FallbackServer. I notice this when I look at the squid cache log file. There is an entry with URL "GET http://fp-def.zip/".

After carefully looking through the script, seems that $Server variable may not be defined anywhere, it should be $server?

#####################################
.
  # Download it from the server
  DownloadFile($Server, $FileToCheck);
.
sub DownloadFile {
  my($host, $file) = @_;
  my($result);

  if ($file =~ /^SIGN/) {
    .
    Fetch($host, 'fp-def.zip');
    .
  } else {
    .
    Fetch($host, 'macrdef2.zip');
    .
  }
}

sub Fetch {
  my($ip, $filename) = @_;
  my($r);

  $r = system("wget --passive-ftp --tries=3 $ip$filename > /dev/null 2>&1");
  if ($r>>8) {
    # Download failed so try fallback server
    BailOut("Download from $ip failed, exiting.") if $ip eq $FallbackServer;
    Fetch($FallbackServer, $filename);
  }
}

###### Squid cache log ######
....
TCP_MISS/200 778 GET http://updates.f-prot.com/cgi-bin/check-updates? - DIRECT/updates.f-prot.com text/plain
.... TCP_MISS/503 1147 GET http://fp-def.zip/ - DIRECT/fp-def.zip -
.... TCP_MISS/200 943963 GET http://updates.f-prot.com/files/fp-def.zip - DIRECT/updates.f-prot.com application/zip

From LISTSERV at JISCMAIL.AC.UK Thu Jun 20 08:03:32 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:00 2006
Subject: MAILSCANNER: jimmy@SWIFTKENYA.COM requested to join
Message-ID: <200206200703.IAA02186@magpie.ecs.soton.ac.uk>

Thu, 20 Jun 2002 08:03:32

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jimmy Kimanzi

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

    add MAILSCANNER jimmy@SWIFTKENYA.COM Jimmy Kimanzi

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB PW=XXXXXXXX
ADD MAILSCANNER jimmy@SWIFTKENYA.COM Jimmy Kimanzi
// EOJ

From jkf at ecs.soton.ac.uk Thu Jun 20 09:44:29 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:00 2006
Subject: F-Prot Update Script Available
In-Reply-To:
Message-ID: <5.1.0.14.2.20020620094330.02cb7e78@imap.ecs.soton.ac.uk>

Well spotted. I've fixed in the current distribution and attached a new version to this message.
At 08:11 20/06/2002, you wrote:
>On Tue, 18 Jun 2002 17:09:45 +0100, Julian Field
>wrote:
> >Okay, it's written and is available at
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/autoupdate.f-prot
> >
>Hi Julian,
>The script seems to contains a few bugs.. :-)
>I just got it down and tried it. It works but it was getting the file
>from the $FallbackServer. I notice this when I look at the squid cache log
>file. There is an entry with URL "GET http://fp-def.zip/".
>
>After carefully looking through the script, seems that
>$Server variable may not be defined anywhere, it should be $server?

I changed $server to $Server instead.

>#####################################
>.
>  # Download it from the server
>  DownloadFile($Server, $FileToCheck);
>.
>sub DownloadFile {
>  my($host, $file) = @_;
>  my($result);
>
>  if ($file =~ /^SIGN/) {
>    .
>    Fetch($host, 'fp-def.zip');
>    .
>  } else {
>    .
>    Fetch($host, 'macrdef2.zip');
>    .
>  }
>}
>
>sub Fetch {
>  my($ip, $filename) = @_;
>  my($r);
>
>  $r = system("wget --passive-ftp --tries=3 $ip$filename > /dev/null 2>&1");
>  if ($r>>8) {
>    # Download failed so try fallback server
>    BailOut("Download from $ip failed, exiting.") if $ip eq $FallbackServer;
>    Fetch($FallbackServer, $filename);
>  }
>}
>
>###### Squid cache log ######
>.... TCP_MISS/200 778 GET http://updates.f-prot.com/cgi-bin/check-updates? -
> DIRECT/updates.f-prot.com text/plain
>.... TCP_MISS/503 1147 GET http://fp-def.zip/ - DIRECT/fp-def.zip -
>.... TCP_MISS/200 943963 GET http://updates.f-prot.com/files/fp-def.zip -
>DIRECT/updates.f-prot.com application/zip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: autoupdate
Type: application/octet-stream
Size: 8693 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020620/4f0dbaae/autoupdate.obj
-------------- next part --------------
--
Julian Field          Teaching Systems Manager
jkf@ecs.soton.ac.uk   Dept. of Electronics & Computer Science
Tel.
023 8059 2817    University of Southampton
                 Southampton SO17 1BJ

From jimmy at swiftkenya.com Thu Jun 20 09:53:11 2002
From: jimmy at swiftkenya.com (Jimmy Kimanzi)
Date: Thu Jan 12 21:15:00 2006
Subject: Inoculate Sweep Command
Message-ID:

Does anyone have a working option for the Sweep command line for inoculate in mailscanner.conf.
We are currently using
    Sweep = /usr/local/etrust/ino/bin/inocmd32

but a test with eicar.com shows the file is scanned and found to be clean.
I've just installed E-trust Antivirus and it doesn't seem to be working the way it's supposed to.

regards
jimmy.

From P.G.M.Peters at civ.utwente.nl Thu Jun 20 12:21:29 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:00 2006
Subject: Accept spam from
In-Reply-To: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk>
Message-ID: <0ke3hu424kbh3utgrk0fn27td9b1qqjrnf@4ax.com>

On Tue, 18 Jun 2002 21:12:11 +0100, you wrote:

>>Accept Spam From = 152.78.
>>Accept Spam From = 139.166.
>>
>>These are not commented out like some of the other examples in the file.
>>Does that mean there is some reason to leave them in, rather than
>>removing them or changing them to our own addresses?
>
>These are the 2 class B nets we have in Southampton. Feel free to comment
>out both lines or replace them.

I presume anything coming from those ranges and is tagged as spam should be considered a false positive. And leaving these ranges in the conf eliminates those false positives.
:-)

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From jkf at ecs.soton.ac.uk Thu Jun 20 13:55:01 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:00 2006
Subject: Accept spam from
In-Reply-To: <0ke3hu424kbh3utgrk0fn27td9b1qqjrnf@4ax.com>
References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk>

At 12:21 20/06/2002, you wrote:
>On Tue, 18 Jun 2002 21:12:11 +0100, you wrote:
>
> >>Accept Spam From = 152.78.
> >>Accept Spam From = 139.166.
> >>
> >>These are not commented out like some of the other examples in the file.
> >>Does that mean there is some reason to leave them in, rather than
> >>removing them or changing them to our own addresses?
> >
> >These are the 2 class B nets we have in Southampton. Feel free to comment
> >out both lines or replace them.
>
>I presume anything coming from those ranges and is tagged as spam should
>be considered a false positive. And leaving these ranges in the conf
>eliminates those false positives. :-)

Yes, the basic idea is that your own network shouldn't generate any spam (assuming you're not a spammer!) and so you shouldn't mark any internal mail as spam.
--
Julian Field          Teaching Systems Manager
jkf@ecs.soton.ac.uk   Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu Jun 20 13:53:57 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: Inoculate Sweep Command In-Reply-To: Message-ID: <5.1.0.14.2.20020620135329.04d6c358@imap.ecs.soton.ac.uk> You did also set Virus Scanner = inoculate didn't you? At 09:53 20/06/2002, you wrote: >Does anyone have a working option for the Sweep command line for inoculate >in mailscanner.conf. >We are currently using >Sweep = /usr/local/etrust/ino/bin/inocmd32 > >but a test with eicar.com shows the file is scanned and found to be clean. >I've just installed E-trust Antivirus and it doesn't seem to be working the >way it's supposed to. > >regards >jimmy. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Thu Jun 20 14:11:10 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:00 2006 Subject: to julian field..off the subject. Message-ID: Thank you for your help! This is a great program and it has already saved us 19 attempts over the past 24 hours! Thank you for your speedy replies. This is great!.. -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Thursday, June 20, 2002 10:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Inoculate Sweep Command You did also set Virus Scanner = inoculate didn't you? At 09:53 20/06/2002, you wrote: >Does anyone have a working option for the Sweep command line for inoculate >in mailscanner.conf. >We are currently using >Sweep = /usr/local/etrust/ino/bin/inocmd32 > >but a test with eicar.com shows the file is scanned and found to be clean. >I've just installed E-trust Antivirus and it doesn't seem to be working the >way it's supposed to. > >regards >jimmy. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020620/57e967de/attachment.html From dll at SCITOOLS.COM Thu Jun 20 14:11:26 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> Message-ID: <01e901c2185c$0f9b2980$1f0aa8c0@PondRoom> I've noted a few queries on this list for how to determine if mailscanner is running properly. How about augmenting /etc/rc.d/init.d/mailscanner to implement a 'status' command that does whatever is necessary to report on the various processes that mailscanner starts. Dan From jkf at ecs.soton.ac.uk Thu Jun 20 14:12:09 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: to julian field..off the subject. In-Reply-To: Message-ID: <5.1.0.14.2.20020620141113.02ccd848@imap.ecs.soton.ac.uk> At 14:11 20/06/2002, you wrote: >Thank you for your help! >This is a great program and it has already saved us 19 attempts over the >past 24 hours! >Thank you for your speedy replies. This is great!.. Cool! Another happy customer :-) Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020620/212acf83/attachment.html From jimmy at swiftkenya.com Thu Jun 20 14:49:54 2002 From: jimmy at swiftkenya.com (Jimmy Kimanzi) Date: Thu Jan 12 21:15:00 2006 Subject: Inoculate Sweep Command In-Reply-To: <5.1.0.14.2.20020620135329.04d6c358@imap.ecs.soton.ac.uk> Message-ID: Yes Virus Scanner = inoculate Jimmy. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Thursday, June 20, 2002 3:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Inoculate Sweep Command You did also set Virus Scanner = inoculate didn't you? At 09:53 20/06/2002, you wrote: >Does anyone have a working option for the Sweep command line for inoculate >in mailscanner.conf. >We are currently using >Sweep = /usr/local/etrust/ino/bin/inocmd32 > >but a test with eicar.com shows the file is scanned and found to be clean. >I've just installed E-trust Antivirus and it doesn't seem to be working the >way it's supposed to. > >regards >jimmy. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu Jun 20 14:51:57 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command In-Reply-To: <01e901c2185c$0f9b2980$1f0aa8c0@PondRoom> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> At 14:11 20/06/2002, you wrote: >I've noted a few queries on this list for how to determine if mailscanner is >running properly. 
How about augmenting /etc/rc.d/init.d/mailscanner to >implement a 'status' command that does whatever is necessary to report on >the various processes that mailscanner starts. Fancy trying the attached init.d script for me and tell me if you think it works. Goes okay on my system... -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner Type: application/octet-stream Size: 2232 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020620/41d8c542/mailscanner.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dll at SCITOOLS.COM Thu Jun 20 15:12:48 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> Message-ID: <022801c21864$a8743720$1f0aa8c0@PondRoom> It works ok. Thanks, Dan ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, June 20, 2002 9:51 AM Subject: Re: mailscanner status command > At 14:11 20/06/2002, you wrote: > >I've noted a few queries on this list for how to determine if mailscanner is > >running properly. How about augmenting /etc/rc.d/init.d/mailscanner to > >implement a 'status' command that does whatever is necessary to report on > >the various processes that mailscanner starts. > > Fancy trying the attached init.d script for me and tell me if you think it > works. Goes okay on my system... 
---------------------------------------------------------------------------- ---- > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From dll at SCITOOLS.COM Thu Jun 20 15:24:36 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> Message-ID: <028001c21866$3d8e1e10$1f0aa8c0@PondRoom> While on this topic, I thought I'd let you know that the output from the start command is missing the [ OK ] message on my system. Also, now that you've implemented the status command that reports on the three processes, perhaps it would be appropriate for the start and stop commands to do so also. Here's the start/stop output and the status output: [root-dll@server1 init.d]$ service mailscanner stop Shutting down MailScanner: [ OK ] [root-dll@server1 init.d]$ service mailscanner start Starting MailScanner: [root-dll@server1 init.d]$ service mailscanner status Checking MailScanner: [ OK ] Checking incoming sendmail: [ OK ] Checking outgoing sendmail: [ OK ] Dan ----- Original Message ----- From: "Dan Leavitt" To: Sent: Thursday, June 20, 2002 10:12 AM Subject: Re: mailscanner status command > It works ok. > > Thanks, > Dan > > ----- Original Message ----- > From: "Julian Field" > To: > Sent: Thursday, June 20, 2002 9:51 AM > Subject: Re: mailscanner status command > > > > At 14:11 20/06/2002, you wrote: > > >I've noted a few queries on this list for how to determine if mailscanner > is > > >running properly. 
How about augmenting /etc/rc.d/init.d/mailscanner to > > >implement a 'status' command that does whatever is necessary to report on > > >the various processes that mailscanner starts. > > > > Fancy trying the attached init.d script for me and tell me if you think it > > works. Goes okay on my system... > > > -------------------------------------------------------------------------- -- > ---- > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > From P.G.M.Peters at civ.utwente.nl Thu Jun 20 15:41:47 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:00 2006 Subject: Accept spam from In-Reply-To: <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <0ke3hu424kbh3utgrk0fn27td9b1qqjrnf@4ax.com> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> Message-ID: <1cq3hugfdc5neenkk2fiktcgfopp6f5e8e@4ax.com> On Thu, 20 Jun 2002 13:55:01 +0100, you wrote: >> >>Accept Spam From = 152.78. >> >>Accept Spam From = 139.166. >> >> >>I presume anything coming from those ranges and is tagged as spam should >>be considered a false positive. And leaving these ranges in the conf >>eliminates those false positives. :-) > >Yes, the basic idea is that your own network shouldn't generate any spam >(assuming you're not a spammer!) and so you shouldn't mark any internal >mail as spam. Actually I meant explicitly keeping those two ranges in the conf-file. 
;-) -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Thu Jun 20 16:20:01 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command In-Reply-To: <028001c21866$3d8e1e10$1f0aa8c0@PondRoom> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> Message-ID: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Good idea. New init.d script attached, which has much prettier output. At 15:24 20/06/2002, you wrote: >While on this topic, I thought I'd let you know that the output from the >start command is missing the [ OK ] message on my system. > >Also, now that you've implemented the status command that reports on the >three processes, perhaps it would be appropriate for the start and stop >commands to do so also. Here's the start/stop output and the status output: > >[root-dll@server1 init.d]$ service mailscanner stop >Shutting down MailScanner: [ OK ] >[root-dll@server1 init.d]$ service mailscanner start >Starting MailScanner: >[root-dll@server1 init.d]$ service mailscanner status >Checking MailScanner: [ OK ] >Checking incoming sendmail: [ OK ] >Checking outgoing sendmail: [ OK ] > >Dan > > >----- Original Message ----- >From: "Dan Leavitt" >To: >Sent: Thursday, June 20, 2002 10:12 AM >Subject: Re: mailscanner status command > > > > It works ok. 
> > > > Thanks, > > Dan > > > > ----- Original Message ----- > > From: "Julian Field" > > To: > > Sent: Thursday, June 20, 2002 9:51 AM > > Subject: Re: mailscanner status command > > > > > > > At 14:11 20/06/2002, you wrote: > > > >I've noted a few queries on this list for how to determine if >mailscanner > > is > > > >running properly. How about augmenting /etc/rc.d/init.d/mailscanner to > > > >implement a 'status' command that does whatever is necessary to report >on > > > >the various processes that mailscanner starts. > > > > > > Fancy trying the attached init.d script for me and tell me if you think >it > > > works. Goes okay on my system... > > > > > > -------------------------------------------------------------------------- >-- > > ---- > > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner Type: application/octet-stream Size: 2577 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020620/4a896414/mailscanner.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Thu Jun 20 17:16:26 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command In-Reply-To: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <43238273.1024593386@jemima.zanker.org> On 20 June 2002 16:20 +0100 Julian Field wrote: > Good idea. > New init.d script attached, which has much prettier output. Nice - works fine. 
Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From mike at UNIXSECURITY.ORG Thu Jun 20 17:35:00 2002 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <3D120434.3010102@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | Good idea. | New init.d script attached, which has much prettier output. I'm probably just an anal-retentive perfectionist, but I capitalized each instance of incoming/outgoing, and tacked on another 6 spaces after the : for each instance of "MailScanner: " so that all the return values would line up... But other than that, it worked beautifully. 
=) - -- Mike Wallis mw@unixsecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6-2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAj0SBDMACgkQXes7jE7Xvgu72QCgzvCg8Oh9T0bGWNgMJvx5OvDn WAkAoIn3VEgrnnAVxhk9w0kC3St1jJqk =AtE/ -----END PGP SIGNATURE----- From jkf at ecs.soton.ac.uk Thu Jun 20 18:07:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command In-Reply-To: <3D120434.3010102@unixsecurity.org> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020620180340.03771e88@imap.ecs.soton.ac.uk> At 17:35 20/06/2002, you wrote: >I'm probably just an anal-retentive perfectionist, but I capitalized >each instance of incoming/outgoing, and tacked on another 6 spaces after >the : for each instance of "MailScanner: " so that all the return values >would line up... What return values? My RedHat 7.1 system didn't print any. I just get a neat column of "[ OK ]" entries like this: Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] (view that in a fixed-width font) I didn't capitalise incoming and outgoing as they are not product names which are normally capitalised, and they aren't the start of a statement. If we're getting down to the number of capital letters the init.d script prints, I guess the code must be working okay... :) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From dll at SCITOOLS.COM Thu Jun 20 18:41:07 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <009f01c21881$a9bf4e90$170aa8c0@DELL> Very nice. FYI, twice today, after updating to 3.20-6, this script reported the outgoing sendmail as FAILED. I just restarted it both times so didn't have a chance to notice what the ps -ax command would have returned. We had not noticed any lack of mail. I'll write again if I see it again. Dan ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, June 20, 2002 11:20 AM Subject: Re: mailscanner status command > Good idea. > New init.d script attached, which has much prettier output. > > At 15:24 20/06/2002, you wrote: > >While on this topic, I thought I'd let you know that the output from the > >start command is missing the [ OK ] message on my system. > > > >Also, now that you've implemented the status command that reports on the > >three processes, perhaps it would be appropriate for the start and stop > >commands to do so also. 
Here's the start/stop output and the status output: > > > >[root-dll@server1 init.d]$ service mailscanner stop > >Shutting down MailScanner: [ OK ] > >[root-dll@server1 init.d]$ service mailscanner start > >Starting MailScanner: > >[root-dll@server1 init.d]$ service mailscanner status > >Checking MailScanner: [ OK ] > >Checking incoming sendmail: [ OK ] > >Checking outgoing sendmail: [ OK ] > > > >Dan > > > > > >----- Original Message ----- > >From: "Dan Leavitt" > >To: > >Sent: Thursday, June 20, 2002 10:12 AM > >Subject: Re: mailscanner status command > > > > > > > It works ok. > > > > > > Thanks, > > > Dan > > > > > > ----- Original Message ----- > > > From: "Julian Field" > > > To: > > > Sent: Thursday, June 20, 2002 9:51 AM > > > Subject: Re: mailscanner status command > > > > > > > > > > At 14:11 20/06/2002, you wrote: > > > > >I've noted a few queries on this list for how to determine if > >mailscanner > > > is > > > > >running properly. How about augmenting /etc/rc.d/init.d/mailscanner to > > > > >implement a 'status' command that does whatever is necessary to report > >on > > > > >the various processes that mailscanner starts. > > > > > > > > Fancy trying the attached init.d script for me and tell me if you think > >it > > > > works. Goes okay on my system... > > > > > > > > > -------------------------------------------------------------------------- > >-- > > > ---- > > > > > > > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > ---------------------------------------------------------------------------- ---- > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ From mike at UNIXSECURITY.ORG Thu Jun 20 20:38:52 2002 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620180340.03771e88@imap.ecs.soton.ac.uk> Message-ID: <3D122F4C.6080203@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: | What return values? My RedHat 7.1 system didn't print any. I just get a | neat column of "[ OK ]" entries like this: | Shutting down MailScanner daemons: | MailScanner: [ OK ] | incoming sendmail: [ OK ] | outgoing sendmail: [ OK ] | (view that in a fixed-width font) The [OK]'s were the values to which I was referring. On my RH 7.2 system it looked like this: Shutting down MailScanner daemons: ~ MailScanner: [ OK ] ~ incoming sendmail: [ OK ] ~ outgoing sendmail: [ OK ] Adding the extra spacing caused everything to line up. Once I upgrade that box to 7.3 later this week, I'll see if it's one of those oddities that is highly version specific. | I didn't capitalise incoming and outgoing as they are not product names | which are normally capitalised, and they aren't the start of a statement. I prefer them capitalized as the beginning of a line, but we already know I'm weird. | If we're getting down to the number of capital letters the init.d script | prints, I guess the code must be working okay... :) That was kind of my point... =) But either way, thanks for taking the time to write that... 
I spent about 15 minutes fiddling with it when I first installed MailScanner a while back, but never really had the time to devote to actually beautifying it.

- --
Mike Wallis
mw@unixsecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj0SL0wACgkQXes7jE7XvgudhACdGWrRsXJrxKPknsx6acbAlIXR
nGEAnj/RvUVDazqxFxRfz6Npjjyv9uKX
=5Cts
-----END PGP SIGNATURE-----

From nathan at tcpnetworks.net Fri Jun 21 02:40:55 2002
From: nathan at tcpnetworks.net (Nathan Johanson)
Date: Thu Jan 12 21:15:00 2006
Subject: Deliver Spam to Single Recipient?
Message-ID: <200206210140.g5L1ete12839@ns2.tcpnetworks.com>

Doh! That makes sense... Sendmail handles the delivery of the message.

I do know how to forward _all_ mail for a domain to a single recipient (using the mailertable). But the clincher is that I only want this rule to affect messages tagged as spam by mailscanner. I'm assuming there is some way to tell Sendmail to check the subject of messages destined for a given domain, and if the subject contains the phrase {SPAM?}, deliver it to the postmaster (otherwise, deliver it to the intended recipient).

I realize this isn't a Sendmail mailing list, but I'm hoping someone can point me in the right direction. Is there a function of sendmail (such as the mailertable) that can do this sort of thing, or does it require some fairly complex programming (I tend to avoid touching the cf file by hand, and stick with the easier m4 methods)? Which chapter in the bat book, or which faq at sendmail.org should I start my digging in? :)

Thanks in advance.

Sincerely,
Nathan Johanson
Email: nathan@tcpnetworks.net

> Is it possible to set the "Spam Action" option to deliver all tagged spam
> for a domain to a single recipient (instead of _all_ intended recipients)?
> Suppose someone wants to collect and review all "spam" for a domain from a
> single account.
>
> Thanks in advance!
>
> Nathan Johanson said:
> > Hello,
> >
> > Is it possible to set the "Spam Action" option to deliver all tagged
> > spam for a domain to a single recipient (instead of _all_ intended
> > recipients)? Suppose someone wants to collect and review all "spam" for
> > a domain from a single account.
> >
> > Thanks in advance!
>
> Hello,
>
> best to do it in your MTA (exim, sendmail), not in scanner
>

From roberto at MEUPROVEDOR.COM.BR Fri Jun 21 05:42:04 2002
From: roberto at MEUPROVEDOR.COM.BR (Roberto)
Date: Thu Jan 12 21:15:00 2006
Subject: Queue
In-Reply-To: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk>
Message-ID:

Hi,

How can we see which messages are queued for scanning by MailScanner?
And how to delete one of them?

Thanks.

Roberto Campos
_______________________________________________________________
Meu Provedor Tecnologias e Informatica ltda.
Rua Camerino, 128 Gr. 302 - Centro
Rio de Janeiro - RJ - CEP 20080-010
Tel.: 21 - 25181011 Fax: 21 - 25181911

From brett at BRABYS.CO.ZA Fri Jun 21 06:56:22 2002
From: brett at BRABYS.CO.ZA (Brett Geer)
Date: Thu Jan 12 21:15:00 2006
Subject: Queue
In-Reply-To:
References: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk>
Message-ID: <20020621075622.5432cb61.brett@brabys.co.za>

sendmail -bp -OQueueDir=/var/spool/mqueue.in

just remove the qf and df files for the message to delete it

brett

> Hi,
>
> How can we see which messages are queued for scanning by MailScanner?
> And how to delete one of them?
>
> Thanks.
>
> Roberto Campos
> _______________________________________________________________
> Meu Provedor Tecnologias e Informatica ltda.
> Rua Camerino, 128 Gr.
302 - Centro > Rio de Janeiro - RJ - CEP 20080-010 > Tel.: 21 - 25181011 Fax: 21 - 25181911 > From m.sapsed at BANGOR.AC.UK Fri Jun 21 11:27:59 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <3D12FFAF.E9303D0@bangor.ac.uk> Julian Field wrote: > New init.d script attached, which has much prettier output. Thanks for that Jules. 
Only problem I have though is that my outgoing sendmail process shows up as 679 ? S 0:00 [sendmail] in a process listing so your status command doesn't see it. I've just verified that it's working by sending a message to myself. Why do ps entries sometimes go like this? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. From jkf at ecs.soton.ac.uk Fri Jun 21 11:36:11 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:00 2006 Subject: mailscanner status command In-Reply-To: <3D12FFAF.E9303D0@bangor.ac.uk> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020621112937.02c95dd0@imap.ecs.soton.ac.uk> Does a "mailscanner stop" kill all the 3 processes properly? If so, I'll just add "[sendmail]" as one of the things to look for in the "status" bit. Try the attached. Hopefully the 3 lines of output will all line up now too. At 11:27 21/06/2002, you wrote: >Julian Field wrote: > > New init.d script attached, which has much prettier output. > >Thanks for that Jules. Only problem I have though is that my outgoing >sendmail process shows up as > > 679 ? S 0:00 [sendmail] > >in a process listing so your status command doesn't see it. I've just >verified that it's working by sending a message to myself. Why do ps >entries sometimes go like this? > >Cheers, > >Martin > >-- >Martin Sapsed To have no errors >Information Services Would be life without meaning >University of Wales, Bangor, LL57 2UX No struggle, no joy. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner
Type: application/octet-stream
Size: 2663 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020621/0bfb657e/mailscanner.obj
-------------- next part --------------
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From nwp at LEMON-COMPUTING.COM Fri Jun 21 12:26:07 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:00 2006
Subject: mailscanner status command
In-Reply-To: <3D12FFAF.E9303D0@bangor.ac.uk>
References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> <3D12FFAF.E9303D0@bangor.ac.uk>
Message-ID: <20020621112607.GG23886@hoiho.nz.lemon-computing.com>

On Fri, Jun 21, 2002 at 11:27:59AM +0100, Martin Sapsed wrote:
> 679 ? S 0:00 [sendmail]
>
> in a process listing so your status command doesn't see it. I've just
> verified that it's working by sending a message to myself. Why do ps
> entries sometimes go like this?

In a situation where you've asked ps to show arguments etc., it goes like
that to indicate that it can't, for whatever reason. That's what POSIX
says it's supposed to do, anyway...

--
Nick Phillips -- nwp@lemon-computing.com
Today is National Existential Ennui Awareness Day.
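
The status check in this thread misses a daemon because it searches ps output for the sendmail command line, and ps prints "[sendmail]" when it cannot show the arguments. The following is an added example, not the init.d script attached to the thread and not MailScanner code: a status check that reads each daemon's pid file and compares the process name the kernel reports in /proc/PID/status. The pid-file names, the PROC_ROOT override and the sample /proc tree (modelled on the ps listing posted in the thread) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the MailScanner init script. The pid-file names and the
# PROC_ROOT override are assumptions; build_demo writes constructed sample data.
PROC_ROOT="${PROC_ROOT:-/proc}"

# proc_name PID: executable name the kernel records for the process.
# It stays available when the argument list does not.
proc_name() {
    awk '/^Name:/ { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null || true
}

# ps_command PID: the COMMAND column as ps renders it: the argument list,
# or the name in brackets when the arguments are unavailable.
ps_command() {
    pc_args=$(tr '\0' ' ' 2>/dev/null < "$PROC_ROOT/$1/cmdline") || pc_args=
    if [ -n "$pc_args" ]; then
        printf '%s\n' "${pc_args% }"
    else
        printf '[%s]\n' "$(proc_name "$1")"
    fi
}

# daemon_state PIDFILE EXPECTED_NAME
# Prints running|dead|stale|nopid and returns 0 only for "running".
daemon_state() {
    ds_pidfile=$1
    ds_expected=$2
    ds_pid=
    [ -r "$ds_pidfile" ] || { echo nopid; return 3; }
    # sendmail keeps its command line on line 2 of the pid file: read line 1 only.
    read -r ds_pid ds_rest < "$ds_pidfile" || true
    case $ds_pid in
        ''|*[!0-9]*) echo nopid; return 3 ;;
    esac
    # No /proc entry: the process exited and left its pid file behind.
    [ -d "$PROC_ROOT/$ds_pid" ] || { echo dead; return 1; }
    ds_name=$(proc_name "$ds_pid")
    if [ "$ds_name" != "$ds_expected" ]; then
        # The pid now belongs to an unrelated program.
        echo stale
        return 2
    fi
    echo running
}

# status_report RUNDIR: one line per daemon; non-zero if any is not running.
status_report() {
    sr_dir=$1
    sr_rc=0
    for sr_entry in "MailScanner:mailscanner.pid:perl" \
                    "incoming sendmail:sendmail.in.pid:sendmail" \
                    "outgoing sendmail:sendmail.out.pid:sendmail"; do
        sr_label=${sr_entry%%:*}
        sr_tmp=${sr_entry#*:}
        sr_file=${sr_tmp%%:*}
        sr_name=${sr_tmp#*:}
        if sr_state=$(daemon_state "$sr_dir/$sr_file" "$sr_name"); then
            printf '%-20s[ OK ]\n' "$sr_label:"
        else
            printf '%-20s[FAILED] (%s)\n' "$sr_label:" "$sr_state"
            sr_rc=1
        fi
    done
    return $sr_rc
}

# build_demo DIR: constructed /proc tree and pid files for the three daemons.
build_demo() {
    bd=$1
    mkdir -p "$bd/run" "$bd/proc/6472" "$bd/proc/6475" "$bd/proc/15233"
    printf 'Name:\tsendmail\nState:\tS (sleeping)\n' > "$bd/proc/6472/status"
    printf '%s' 'sendmail: accepting connections' > "$bd/proc/6472/cmdline"
    printf 'Name:\tsendmail\nState:\tS (sleeping)\n' > "$bd/proc/6475/status"
    : > "$bd/proc/6475/cmdline"   # no arguments available: ps shows [sendmail]
    printf 'Name:\tperl\nState:\tS (sleeping)\n' > "$bd/proc/15233/status"
    printf '%s' 'perl /usr/local/MailScanner/bin/mailscanner' > "$bd/proc/15233/cmdline"
    printf '6472\n' > "$bd/run/sendmail.in.pid"
    printf '6475\n/usr/sbin/sendmail -q15m\n' > "$bd/run/sendmail.out.pid"
    printf '15233\n' > "$bd/run/mailscanner.pid"
}

# Run with the argument "demo" to see the report for the constructed tree.
if [ "${1:-}" = "demo" ]; then
    demo_dir=$(mktemp -d) && build_demo "$demo_dir"
    PROC_ROOT="$demo_dir/proc"
    echo "ps would show pid 6475 as: $(ps_command 6475)"
    status_report "$demo_dir/run"
    rm -rf "$demo_dir"
fi
```

On a live system PROC_ROOT stays at /proc and the pid-file paths are whatever the local sendmail and MailScanner configuration writes.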

From dave at ESI.COM.AU Fri Jun 21 12:50:11 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:00 2006
Subject: mailscanner status command
In-Reply-To: <20020621112607.GG23886@hoiho.nz.lemon-computing.com>
Message-ID:

On Fri, 21 Jun 2002, Nick Phillips wrote:

> > 679 ? S 0:00 [sendmail]
>
> In a situation where you've asked ps to show arguments etc., it goes like
> that to indicate that it can't, for whatever reason. That's what POSIX
> says it's supposed to do, anyway...

Mostly because it's been swapped out.

> Today is National Existential Ennui Awareness Day.

Who cares :-)

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From dll at SCITOOLS.COM Fri Jun 21 13:11:40 2002
From: dll at SCITOOLS.COM (Dan Leavitt)
Date: Thu Jan 12 21:15:00 2006
Subject: mailscanner status command
References:
Message-ID: <00c101c2191c$e50899c0$1f0aa8c0@PondRoom>

This [sendmail] reference is apparently a symptom of the problem that I
reported yesterday when the 'status' command twice indicated FAILED. Below
are both the 'status' output and a 'ps ax' output.

[root-dll@server1 ~]$ service mailscanner status
Checking MailScanner daemons:
    MailScanner: [ OK ]
    incoming sendmail: [ OK ]
    outgoing sendmail: [FAILED]
[root-dll@server1 ~]$ ps ax |grep -i mail
 6472 ? S 0:00 sendmail: accepting connections
 6475 ? S 0:00 [sendmail]
15233 ? S 0:05 perl /usr/local/MailScanner/bin/mailscanner /usr/loca
16960 ? S 0:00 sendmail: ./g5HEGoW29244 softwaremodeling.com.: user

Then, a stop, start, status and ps again. Note that it stopped the
processes ok so it's not dependant on the 'ps ax' output for that.

[root-dll@server1 ~]$ service mailscanner stop
Shutting down MailScanner daemons:
    MailScanner: [ OK ]
    incoming sendmail: [ OK ]
    outgoing sendmail: [ OK ]
[root-dll@server1 ~]$ service mailscanner start
Starting MailScanner daemons:
    incoming sendmail: [ OK ]
    outgoing sendmail: [ OK ]
    MailScanner: [ OK ]
[root-dll@server1 ~]$ service mailscanner status
Checking MailScanner daemons:
    MailScanner: [ OK ]
    incoming sendmail: [ OK ]
    outgoing sendmail: [ OK ]
[root-dll@server1 ~]$ !ps
ps ax | grep -i mail
17325 ? S 0:00 sendmail: accepting connections
17328 ? S 0:00 /usr/sbin/sendmail -q15m
17331 ? S 0:00 sendmail: ./g5HEGoW29244 alpha.armillaire.com.: user
17337 ? S 0:00 perl /usr/local/MailScanner/bin/mailscanner /usr/loca
[root-dll@server1 ~]$

Dan

----- Original Message -----
From: "Dave Horsfall"
To:
Sent: Friday, June 21, 2002 7:50 AM
Subject: Re: mailscanner status command

> On Fri, 21 Jun 2002, Nick Phillips wrote:
>
> > > 679 ? S 0:00 [sendmail]
> >
> > In a situation where you've asked ps to show arguments etc., it goes like
> > that to indicate that it can't, for whatever reason. That's what POSIX
> > says it's supposed to do, anyway...
>
> Mostly because it's been swapped out.
>
> > Today is National Existential Ennui Awareness Day.
>
> Who cares :-)
>
> --
> Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
> (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia
>

From jkf at ecs.soton.ac.uk Fri Jun 21 13:41:10 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:00 2006
Subject: mailscanner status command
In-Reply-To: <00c101c2191c$e50899c0$1f0aa8c0@PondRoom>
References:
Message-ID: <5.1.0.14.2.20020621134056.04b40ae8@imap.ecs.soton.ac.uk>

So are you saying my latest script works, or doesn't work?

At 13:11 21/06/2002, you wrote:
>This [sendmail] reference is apparently a symptom of the problem that I
>reported yesterday when the 'status' command twice indicated FAILED.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 14:05:21 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: mailscanner status command
Message-ID:

looks to me that status failed the first time then second it worked..Before
the first time around, maybe a SIGHUP to sendmail was forgotten or kill -9
sendmail before running the new script . Looks to me the second time around
was perfect.. then again im a newbie :-)

From dll at SCITOOLS.COM Fri Jun 21 14:08:20 2002
From: dll at SCITOOLS.COM (Dan Leavitt)
Date: Thu Jan 12 21:15:01 2006
Subject: mailscanner status command
References: <5.1.0.14.2.20020621134056.04b40ae8@imap.ecs.soton.ac.uk>
Message-ID: <012701c21924$c786c310$1f0aa8c0@PondRoom>

Sorry Julian, I missed the solution that you posted this morning. It looks
like it solves the problem.

Thanks again,

Dan

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 17:36:22 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected but incoming mail from either our domain or others is detected
Message-ID:

Sending a virus from mailscanner's domain to another is undetected, but
incoming mail from either our domain or others, is detected.
Is this normal?

From mailscanner at ecs.soton.ac.uk Fri Jun 21 18:37:06 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected but incoming mail from either our domain or others is detected
In-Reply-To:
Message-ID: <5.1.0.14.2.20020621183405.03990618@imap.ecs.soton.ac.uk>

At 17:36 21/06/2002, you wrote:
>Sending a virus from mailscanner's domain to another is undetected, but
>incoming mail from either our domain or others, is detected.
>Is this normal?

Did you run the email client program on the machine that is running
MailScanner, by any chance? If so, did you make the email program talk SMTP
to localhost:25 or did it invoke sendmail directly?

MailScanner (when running with sendmail) can only scan mail coming in the
SMTP port. There is no way (with sendmail) of scanning mail poked directly
at the sendmail binary.
--
Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 18:45:17 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected
Message-ID:

Hello,
No not on the machine running mailscanner, but Outlook 2000 on a
workstation sent an email to an outside domain with a virus to test and
the outside domain received it with the virus intact.. It's the test virus
you referred me earlier to use.. when I reply (from the outside domain)
and it's incoming to mailscanner, it will pick it up then. only incoming
scanning is taking place not outgoing.
Thanks!

From mailscanner at ecs.soton.ac.uk Fri Jun 21 18:56:01 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected
In-Reply-To:
Message-ID: <5.1.0.14.2.20020621185322.033d8da8@imap.ecs.soton.ac.uk>

At 18:45 21/06/2002, you wrote:
>Hello,
>No not on the machine running mailscanner, but Outlook 2000 on a
>workstation sent an email to an outside domain with a virus to test and
>the outside domain received it with the virus intact.. It's the test virus
>you referred me earlier to use.. when I reply (from the outside domain)
>and it's incoming to mailscanner, it will pick it up then. only incoming
>scanning is taking place not outgoing.
>Thanks!

Did it get any X-MailScanner: header at all?
If not, then it probably didn't go via the MailScanner server.
If it did, then what did the header say? What is in your mailscanner.conf
file?

Unless it is told to, MailScanner doesn't care what addresses are in the
email message.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 19:39:46 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner.tar
Type: application/octet-stream
Size: 30720 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020621/9fcf8f01/mailscanner.obj

From ray at MATRIX-DATANET.CO.UK Fri Jun 21 20:02:52 2002
From: ray at MATRIX-DATANET.CO.UK (Ray Healy (Data Net Services))
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected
References: <5.1.0.14.2.20020621185322.033d8da8@imap.ecs.soton.ac.uk>
Message-ID: <001301c21956$41000f40$630aa8c0@server>

I am probably wrong in your situation but I thought I would mention this.

I had a similar situation where emails were not being scanned by
MailScanner when sent through my RAQ but incoming messages were scanned
OK if sent to my RAQ by someone else.

This was due to the email message being hijacked by the ISP I was
connecting to and putting the message through their own mail server and
not mine even though in the properties I had stated the address of my mail
server.
I do not know whether this is of any help or am I totally off track

Ray

From mailscanner at ecs.soton.ac.uk Fri Jun 21 20:16:30 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected
In-Reply-To: <001301c21956$41000f40$630aa8c0@server>
References: <5.1.0.14.2.20020621185322.033d8da8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020621201423.033ef0a8@imap.ecs.soton.ac.uk>

At 20:02 21/06/2002, you wrote:
>I had a similar situation where emails were not being scanned by
>MailScanner when sent through my RAQ but incoming messages were scanned
>OK if sent to my RAQ by someone else.
>
>This was due to the email message being hijacked by the ISP I was
>connecting to and putting the message through their own mail server and
>not mine even though in the properties I had stated the address of my mail
>server.
>I do not know whether this is of any help or am I totally off track

Ray has a very good point. What are all the Received: headers on the
message that is not being scanned? And what is the name of your MailScanner
server? Is it ever passing through your MailScanner server?
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 20:16:29 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
Message-ID:

Yeah that is interesting, We also have 2 RAQ cobalts.. RAQ4i.. We installed
joydesk multidomain 2.61 (from virtualtek.com) and the raq got all stupid on
us after a year or so..JoyDesk even uninstalled from it
improperly..sad...Slowed the system down real bad.. We decided to upgrade
joydesk and put it on a red hat standalone machine with 100GB drive,,etc..
It's very sweet now! especially with mailscanner, spamassassin and webmin..
tons of horsepower!.. our raq just does DNS and virtual ftp sites for us
now..hehheee..

Our MX records on the dns have High priority set to the server WITH
mailscanner and another MX record with Low priority sent to a remote email
machine without mailscanner.. THIS WILL only take over our mail, if the high
priority email machine doesn't answer for a long period of time..So I can
almost bet that it's not going through their system giving me these outgoing
test results.. The server with Mailscanner is not busy at all today..
maillogs are slow..:) thanks to spamassassin ..

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 20:18:19 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
Message-ID:

ps How the heck could it be hijacked?!! weird

From ray at MATRIX-DATANET.CO.UK Fri Jun 21 20:26:43 2002
From: ray at MATRIX-DATANET.CO.UK (Ray Healy (Data Net Services))
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
References:
Message-ID: <008501c21959$956fa1a0$630aa8c0@server>

I'm not sure but I believe a couple of ISPs do this for some strange reason.
Which I suppose is quite good as it's using their bandwidth and resources and
not mine.
Anyway I suppose the most important thing is that all of my clients incomming mail is being scanned for a virus as they are collecting from my server. Perhaps they just want control or watching peoples e-mails !! Ray ----- Original Message ----- From: Matt Doherty To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, June 21, 2002 8:18 PM Subject: Re: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected ps HOw the heck could it be hijacked?!! weird -----Original Message----- From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK] Sent: Friday, June 21, 2002 4:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected I am probably wrong in your situation but I thought I would mention this I had a similar situation where emails were not being scanned by MailScanner when sent through my RAQ but incomming messages where scanned OK if sent to my RAQ by someone else. This was due to the email message being hijacked by the ISP I was connecting to and putting the message through their own mail server and not mine even though in the properties I had stated the address of my mail server. I do not know whether this is of any help or am I toytally off track Ray ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, June 21, 2002 6:56 PM Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 18:45 21/06/2002, you wrote: Hello, No not on the machine running mailscanner, but outlook 2000 on a workstation sent an email to an outside domain with a virus to test and the outside domain received it with the virus in tact.. Its the test virus you referred me earlier to use.. when I reply (from the outside domain) and its incoming to mailscanner, it will pick it up then. 
only incoming scanning is taken place not outgoing. Thanks! Did it get any X-MailScanner: header at all? If not, then it probably didn't go via the MailScanner server. If it did, then what did the header say? What is in your mailscanner.conf file? Unless it is told to, MailScanner doesn't care what addresses are in the email message. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 2:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 17:36 21/06/2002, you wrote: >Sending a virus from mailscanner's domain to another is undetected, but >incoming mail from either our domain or others, is detected. >Is this normal? Did you run the email client program on the machine that is running MailScanner, by any chance? If so, did you make the email program talk SMTP to localhost:25 or did it invoke sendmail directly? MailScanner (when running with sendmail) can only scan mail coming in the SMTP port. There is no way (with sendmail) of scanning mail poked directly at the sendmail binary. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020621/02840044/attachment.html

From mailscanner at ecs.soton.ac.uk Fri Jun 21 20:27:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
In-Reply-To:
Message-ID: <5.1.0.14.2.20020621202448.0369f138@imap.ecs.soton.ac.uk>

At 20:18 21/06/2002, you wrote:
>ps
>How the heck could it be hijacked?!! weird

Very easily. Your dialup ISP has a proxy server which redirects all port 25
traffic to their own SMTP server. FreeServe in the UK do exactly this. It
doesn't matter what SMTP server you configure in your software, you always
use theirs, which avoids their tech support people having to deal with mail
relaying problems.

So what do your Received: headers say? What you expect?

>-----Original Message-----
>From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK]
>Sent: Friday, June 21, 2002 4:06 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: sending a virus from mailscanner's domain is
>undetectedbutincoming mail from either our domain or others is detected
>
>I am probably wrong in your situation but I thought I would mention this
>
>I had a similar situation where emails were not being scanned by
>MailScanner when sent through my RAQ but incoming messages were scanned
>OK if sent to my RAQ by someone else.
>
>This was due to the email message being hijacked by the ISP I was
>connecting to and putting the message through their own mail server and
>not mine even though in the properties I had stated the address of my mail
>server.
>I do not know whether this is of any help or am I totally off track
>
>Ray
>
>
>
>----- Original Message -----
>From: Julian Field
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Friday, June 21, 2002 6:56 PM
>Subject: Re: sending a virus from mailscanner's domain is undetected
>butincoming mail from either our domain or others is detected
>
>At 18:45 21/06/2002, you wrote:
>>Hello,
>>No not on the machine running mailscanner, but outlook 2000 on a
>>workstation sent an email to an outside domain with a virus to test and
>>the outside domain received it with the virus intact.. It's the test
>>virus you referred me earlier to use.. when I reply (from the outside
>>domain) and it's incoming to mailscanner, it will pick it up then. only
>>incoming scanning is taking place not outgoing.
>>Thanks!
>Did it get any X-MailScanner: header at all?
>If not, then it probably didn't go via the MailScanner server.
>If it did, then what did the header say? What is in your mailscanner.conf
>file?
>
>Unless it is told to, MailScanner doesn't care what addresses are in the
>email message.
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>Sent: Friday, June 21, 2002 2:40 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: sending a virus from mailscanner's domain is undetected
>>butincoming mail from either our domain or others is detected
>>
>>At 17:36 21/06/2002, you wrote:
>> >Sending a virus from mailscanner's domain to another is undetected, but
>> >incoming mail from either our domain or others, is detected.
>> >Is this normal?
>>
>>Did you run the email client program on the machine that is running
>>MailScanner, by any chance? If so, did you make the email program talk SMTP
>>to localhost:25 or did it invoke sendmail directly?
>>
>>MailScanner (when running with sendmail) can only scan mail coming in the
>>SMTP port. There is no way (with sendmail) of scanning mail poked directly
>>at the sendmail binary.
>>--
>>Julian Field                Teaching Systems Manager
>>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton
>>                            Southampton SO17 1BJ
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jun 21 20:33:04 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
In-Reply-To:
Message-ID: <5.1.0.14.2.20020621202945.0337aea0@imap.ecs.soton.ac.uk>

Can someone summarise that stream of consciousness for me? I can't quite
focus...

May I refer you to Nick Phillips' email of last Thursday with the subject
"Re: mailscanner and maillog". Don't take it personally, it's not intended
to be.

At 20:16 21/06/2002, you wrote:
>Yeah that is interesting, We also have 2 RAQ cobalts.. RAQ4i.. We
>installed joydesk multidomain 2.61 (from virtualtek.com) and the raq got
>all stupid on us after a year or so..JoyDesk even uninstalled from it
>improperly..sad...Slowed the system down real bad.. We decided to upgrade
>joydesk and put it on a red hat standalone machine with 100GB drive,,etc..
>It's very sweet now! especially with mailscanner, spamassassin and webmin..
>tons of horsepower!.. our raq just does DNS and virtual ftp sites for us
>now..hehheee.. Our MX records on the dns have High priority set to the
>server WITH mailscanner and another MX record with Low priority sent to a
>remote email machine without mailscanner.. THIS WILL only takeover our
>mail, if the high priority email machine doesn't answer for a long period
>of time..So I can almost bet that it's not going through their system
>giving me these outgoing test results.. The server with Mailscanner is not
>busy at all today.. maillogs are slow..:) thanks to spamassassin ..
>-----Original Message-----
>From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK]
>Sent: Friday, June 21, 2002 4:06 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: sending a virus from mailscanner's domain is
>undetectedbutincoming mail from either our domain or others is detected
>
>I am probably wrong in your situation but I thought I would mention this
>
>I had a similar situation where emails were not being scanned by
>MailScanner when sent through my RAQ but incoming messages were scanned
>OK if sent to my RAQ by someone else.
>
>This was due to the email message being hijacked by the ISP I was
>connecting to and putting the message through their own mail server and
>not mine even though in the properties I had stated the address of my mail
>server.
>I do not know whether this is of any help or am I totally off track
>
>Ray
>
>
>
>----- Original Message -----
>From: Julian Field
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Friday, June 21, 2002 6:56 PM
>Subject: Re: sending a virus from mailscanner's domain is undetected
>butincoming mail from either our domain or others is detected
>
>At 18:45 21/06/2002, you wrote:
>>Hello,
>>No not on the machine running mailscanner, but outlook 2000 on a
>>workstation sent an email to an outside domain with a virus to test and
>>the outside domain received it with the virus intact.. It's the test
>>virus you referred me earlier to use.. when I reply (from the outside
>>domain) and it's incoming to mailscanner, it will pick it up then. only
>>incoming scanning is taking place not outgoing.
>>Thanks!
>Did it get any X-MailScanner: header at all?
>If not, then it probably didn't go via the MailScanner server.
>If it did, then what did the header say? What is in your mailscanner.conf
>file?
>
>Unless it is told to, MailScanner doesn't care what addresses are in the
>email message.
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>Sent: Friday, June 21, 2002 2:40 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: sending a virus from mailscanner's domain is undetected
>>butincoming mail from either our domain or others is detected
>>
>>At 17:36 21/06/2002, you wrote:
>> >Sending a virus from mailscanner's domain to another is undetected, but
>> >incoming mail from either our domain or others, is detected.
>> >Is this normal?
>>
>>Did you run the email client program on the machine that is running
>>MailScanner, by any chance? If so, did you make the email program talk SMTP
>>to localhost:25 or did it invoke sendmail directly?
>>
>>MailScanner (when running with sendmail) can only scan mail coming in the
>>SMTP port. There is no way (with sendmail) of scanning mail poked directly
>>at the sendmail binary.
>>--
>>Julian Field                Teaching Systems Manager
>>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton
>>                            Southampton SO17 1BJ
>
>--
>Julian Field                Teaching Systems Manager
>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
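The two header checks asked for in this thread (is there an X-MailScanner: header, and what do the Received: headers say?), written out as an added example that is not part of the original posts or of MailScanner. The host names, addresses and both sample messages are constructed, and `check_path` with its verdict names is hypothetical.

```python
import re
from email import message_from_string

_COMMENT = re.compile(r"\([^()]*\)")
_FROM = re.compile(r"\bfrom\s+([^\s;]+)", re.I)
_BY = re.compile(r"\bby\s+([^\s;]+)", re.I)

# Constructed sample: the client reached the site's own gateway, which scanned it.
VIA_GATEWAY = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
    by mx.recipient.example with ESMTP id CONSTRUCTED02;
    Fri, 21 Jun 2002 19:02:11 +0100
Received: from workstation (ws1.example.org [192.0.2.40])
    by mail.example.org with SMTP id CONSTRUCTED01;
    Fri, 21 Jun 2002 19:02:05 +0100
X-MailScanner: Found to be clean
From: alice@example.org
To: bob@recipient.example
Subject: outbound scanning test

test body
"""

# Constructed sample: port 25 was redirected, so the ISP's relay took the message.
VIA_ISP = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
    by mx.recipient.example with ESMTP id CONSTRUCTED04;
    Fri, 21 Jun 2002 19:10:31 +0100
Received: from workstation (dialup-17.isp.example [198.51.100.117])
    by smtp.isp.example with SMTP id CONSTRUCTED03;
    Fri, 21 Jun 2002 19:10:24 +0100
From: alice@example.org
To: bob@recipient.example
Subject: outbound scanning test

test body
"""


def _strip_comments(value):
    """Drop (possibly nested) parenthesised comments and unfold whitespace."""
    prev = None
    while prev != value:
        prev, value = value, _COMMENT.sub(" ", value)
    return " ".join(value.split())


def received_hops(msg):
    """Return [(from_host, by_host), ...] with the oldest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = _strip_comments(raw)
        frm, by = _FROM.search(text), _BY.search(text)
        hops.append((frm.group(1).lower() if frm else None,
                     by.group(1).lower() if by else None))
    hops.reverse()  # every relay prepends its header, so the message lists newest first
    return hops


def check_path(raw_message, gateway):
    """Say whether a delivered message passed through the scanning gateway."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    header = msg.get("X-MailScanner")
    via_gateway = any(by == gateway.lower() for _, by in hops)
    if via_gateway and header is not None:
        verdict = "scanned"
    elif via_gateway:
        verdict = "relayed-unscanned"      # went via the gateway; look at its config
    elif header is not None:
        verdict = "header-uncorroborated"  # header present, no matching gateway hop
    else:
        verdict = "bypassed-gateway"       # another relay accepted the mail first
    return {"verdict": verdict,
            "first_relay": hops[0][1] if hops else None,
            "x_mailscanner": header,
            "hops": hops}


if __name__ == "__main__":
    for name, sample in (("via gateway", VIA_GATEWAY), ("via ISP", VIA_ISP)):
        result = check_path(sample, "mail.example.org")
        print(name, "->", result["verdict"], "first relay:", result["first_relay"])
```

Run it against the copy of the test message as received at the outside domain; a first relay other than your own gateway means the workstation never talked to the MailScanner host.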
From jon at XNEXT.COM Fri Jun 21 20:40:21 2002
From: jon at XNEXT.COM (Jonothon Ortiz)
Date: Thu Jan 12 21:15:01 2006
Subject: This List (OT)
In-Reply-To: <5.1.0.14.2.20020621202945.0337aea0@imap.ecs.soton.ac.uk>
Message-ID:

I have to admit that while I do not post too much I am impressed with the
level of courtesy and professionalism the list has been conducting itself
with.

Great information and resources, even when not directly dealing with
mailscanner! Great job!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

From mailscanner at ecs.soton.ac.uk Fri Jun 21 20:47:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: This List (OT)
In-Reply-To:
References: <5.1.0.14.2.20020621202945.0337aea0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020621204515.03321b78@imap.ecs.soton.ac.uk>

At 20:40 21/06/2002, you wrote:
>I have to admit that while I do not post too much I am impressed with the
>level of courtesy and professionalism the list has been conducting itself
>with.

I try to keep it civilized :-)

> Great information and resources, even when not directly dealing with
> mailscanner! Great job!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

There are a lot of users out there with a lot of mail admin experience, I
am very grateful to them all for sharing their experience with all of us.

Thanks for your kind comments, and I hope the list remains that way.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel.
023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Fri Jun 21 20:49:55 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:01 2006 Subject: sending a virus from mailscanner's domain isundetectedbutincoming mail from either our domain or others isdetected Message-ID: thats nice -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 4:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain isundetectedbutincoming mail from either our domain or others isdetected Can someone summarise that stream of conciousness for me? I can't quite focus... May I refer you to Nick Phillips' email of last Thursday with the subject "Re: mailscanner and maillog". Don't take it personally, it's not intended to be. At 20:16 21/06/2002, you wrote: Yeah that is interesting, We also have 2 RAQ cobalts.. RAQ4i.. We installed joydesk multidomain 2.61 (from virtualtek.com) and the raq got all stupid on us after a year or so..JoyDesk even uninstalled from it improperly..sad...Slowed the system down real bad.. We decided to upgrade joydesk and put it on a red hat standalone machine with 100GB drive,,etc.. Its very sweet now! especially with mailscanner, spamassassin and webmin.. tons of horsepower!.. our raq just does DNS and virtual ftp sites for us now..hehheee.. Our MX records on the dns have High priority set to the server WITH mailscanner and another MX record with Low priority sent to a remote email machine without mailscanner.. THIS WILL only takeover our mail, if the high priority email machine doesnt answer for a long period of time..So I can almost bet that its not going through their system giving me these outgoing test results.. The server with Mailscanner is not busy at all today.. maillogs are slow..:) thanks to spamassassin .. 
-----Original Message----- From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK] Sent: Friday, June 21, 2002 4:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected I am probably wrong in your situation but I thought I would mention this I had a similar situation where emails were not being scanned by MailScanner when sent through my RAQ but incomming messages where scanned OK if sent to my RAQ by someone else. This was due to the email message being hijacked by the ISP I was connecting to and putting the message through their own mail server and not mine even though in the properties I had stated the address of my mail server. I do not know whether this is of any help or am I toytally off track Ray ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, June 21, 2002 6:56 PM Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 18:45 21/06/2002, you wrote: Hello, No not on the machine running mailscanner, but outlook 2000 on a workstation sent an email to an outside domain with a virus to test and the outside domain received it with the virus in tact.. Its the test virus you referred me earlier to use.. when I reply (from the outside domain) and its incoming to mailscanner, it will pick it up then. only incoming scanning is taken place not outgoing. Thanks! Did it get any X-MailScanner: header at all? If not, then it probably didn't go via the MailScanner server. If it did, then what did the header say? What is in your mailscanner.conf file? Unless it is told to, MailScanner doesn't care what addresses are in the email message. 
-----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 2:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 17:36 21/06/2002, you wrote: >Sending a virus from mailscanner's domain to another is undetected, but >incoming mail from either our domain or others, is detected. >Is this normal? Did you run the email client program on the machine that is running MailScanner, by any chance? If so, did you make the email program talk SMTP to localhost:25 or did it invoke sendmail directly? MailScanner (when running with sendmail) can only scan mail coming in the SMTP port. There is no way (with sendmail) of scanning mail poked directly at the sendmail binary. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020621/f36bad19/attachment.html From Matthew_doherty at DATAWATCH.COM Fri Jun 21 20:55:27 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:01 2006 Subject: sending a virus from mailscanner's domain isundetectedbutincoming mail from either our domain or others isdetected Message-ID: Ever seen the movie Office Space? Can anyone read that? 
-----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 4:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain isundetectedbutincoming mail from either our domain or others isdetected At 20:18 21/06/2002, you wrote: ps HOw the heck could it be hijacked?!! weird Very easily. Your dialup ISP has a proxy server which redirects all port 25 traffic to their own SMTP server. FreeServe in the UK do exactly this. It doesn't matter what SMTP server you configure in your software, you always use theirs, which avoids their tech support people having to deal with mail relaying problems. So what do your Received: headers say? What you expect? -----Original Message----- From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK] Sent: Friday, June 21, 2002 4:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected I am probably wrong in your situation but I thought I would mention this I had a similar situation where emails were not being scanned by MailScanner when sent through my RAQ but incomming messages where scanned OK if sent to my RAQ by someone else. This was due to the email message being hijacked by the ISP I was connecting to and putting the message through their own mail server and not mine even though in the properties I had stated the address of my mail server. 
I do not know whether this is of any help or am I toytally off track Ray ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, June 21, 2002 6:56 PM Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 18:45 21/06/2002, you wrote: Hello, No not on the machine running mailscanner, but outlook 2000 on a workstation sent an email to an outside domain with a virus to test and the outside domain received it with the virus in tact.. Its the test virus you referred me earlier to use.. when I reply (from the outside domain) and its incoming to mailscanner, it will pick it up then. only incoming scanning is taken place not outgoing. Thanks! Did it get any X-MailScanner: header at all? If not, then it probably didn't go via the MailScanner server. If it did, then what did the header say? What is in your mailscanner.conf file? Unless it is told to, MailScanner doesn't care what addresses are in the email message. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 2:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 17:36 21/06/2002, you wrote: >Sending a virus from mailscanner's domain to another is undetected, but >incoming mail from either our domain or others, is detected. >Is this normal? Did you run the email client program on the machine that is running MailScanner, by any chance? If so, did you make the email program talk SMTP to localhost:25 or did it invoke sendmail directly? MailScanner (when running with sendmail) can only scan mail coming in the SMTP port. There is no way (with sendmail) of scanning mail poked directly at the sendmail binary. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From kvue at WADSNET.COM Fri Jun 21 21:38:53 2002
From: kvue at WADSNET.COM (Kham Vue)
Date: Thu Jan 12 21:15:01 2006
Subject: ANNOUNCE: Version 3.20-6 released
References: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619151236.039e7458@imap.ecs.soton.ac.uk>
Message-ID: <039301c21963$aa88bd60$fe00010a@backup>

I upgraded from version 3.15-3 to 3.20-6 this afternoon.
I also installed SPAMASSASSIN.

Now my incoming emails will not send to users.

I stopped MailScanner and new incoming emails work, but the old incoming
emails are still in the mqueue.in
I checked the etc folder and my old mailscanner.conf file was not changed
-- got mailscanner.conf.rpmnew

Two questions:
  1. How do I force the email server to send the old incoming emails?
  2. What happened? Was it because I did not delete the old config file?

--------------------------------------------------------------
Kham Vue
Internet Admin
The City of Wadsworth
WADSNET.COM High Speed Internet Service
kvue@wadsnet.com
"Believe that life is worth living, and your belief will help create the fact."
--William James

From mailscanner at ecs.soton.ac.uk Fri Jun 21 21:45:17 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:01 2006
Subject: ANNOUNCE: Version 3.20-6 released
In-Reply-To: <039301c21963$aa88bd60$fe00010a@backup>
References: <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619144907.02ab7aa8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020619151236.039e7458@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020621214124.035b3e90@imap.ecs.soton.ac.uk>

Start by doing a
        diff mailscanner.conf mailscanner.conf.rpmnew
and copy your local changes over to the new conf file.

Have you got a load of qf and df files in /var/spool/mqueue.in? Hopefully
not Qf and Df files.
If you have qf and df files (in pairs) then MailScanner should pick them up
and process them.

At 21:38 21/06/2002, you wrote:
>I upgraded from version 3.15-3 to 3.20-6 this afternoon.
>I also installed SPAMASSASSIN.
>
>Now my incoming emails will not send to users.
>
>I stopped MailScanner and new incoming emails work, but the old incoming
>emails are
>still in the mqueue.in
>I checked the etc folder and my old mailscanner.conf file was not changed
>-- got
>mailscanner.conf.rpmnew
>
>Two questions:
>  1. How do I force the email server to send the old incoming emails?
>  2. What happened? Was it because I did not delete the old config file?
>
>--------------------------------------------------------------
>Kham Vue
>Internet Admin
>The City of Wadsworth
>WADSNET.COM High Speed Internet Service
>kvue@wadsnet.com
> "Believe that life is worth living, and your belief will help create the
> fact."
> --William James

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From LISTSERV at JISCMAIL.AC.UK Fri Jun 21 21:46:34 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:01 2006
Subject: MAILSCANNER: gt@DIAPASON.COM left the JISCmail list
Message-ID: <200206212046.VAA27922@magpie.ecs.soton.ac.uk>

Fri, 21 Jun 2002 21:46:34

"Georges A. Tomazi" has just left the MAILSCANNER JISCmail list
(MailScanner mailing list).

From Matthew_doherty at DATAWATCH.COM Fri Jun 21 21:57:11 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:01 2006
Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected
Message-ID:

Our emails are being scanned for outgoing mail now.
I got it working..
And it had nothing to do with our ISP or our DNS

Thanks

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday, June 21, 2002 2:59 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected

At 18:45 21/06/2002, you wrote:

Hello,
No not on the machine running mailscanner, but outlook 2000 on a
workstation sent an email to an outside domain with a virus to test and the
outside domain received it with the virus intact.. It's the test virus you
referred me earlier to use.. when I reply (from the outside domain) and
it's incoming to mailscanner, it will pick it up then. only incoming
scanning is taking place not outgoing.
Thanks!

Did it get any X-MailScanner: header at all?
If not, then it probably didn't go via the MailScanner server.
If it did, then what did the header say? What is in your mailscanner.conf
file?

Unless it is told to, MailScanner doesn't care what addresses are in the
email message.
-----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, June 21, 2002 2:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sending a virus from mailscanner's domain is undetected butincoming mail from either our domain or others is detected At 17:36 21/06/2002, you wrote: >Sending a virus from mailscanner's domain to another is undetected, but >incoming mail from either our domain or others, is detected. >Is this normal? Did you run the email client program on the machine that is running MailScanner, by any chance? If so, did you make the email program talk SMTP to localhost:25 or did it invoke sendmail directly? MailScanner (when running with sendmail) can only scan mail coming in the SMTP port. There is no way (with sendmail) of scanning mail poked directly at the sendmail binary. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020621/376d780f/attachment.html From mailscanner at ecs.soton.ac.uk Fri Jun 21 22:04:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:01 2006 Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected In-Reply-To: Message-ID: <5.1.0.14.2.20020621220325.02af72a8@imap.ecs.soton.ac.uk> At 21:57 21/06/2002, you wrote: >Our emails are being scanned for outgoing mail now. >I got it working.. >And It had nothing to do with our ISP or our DNS For my benefit, so I'll know what to suggest to people with the same symptoms in the future, what was the final cause? 
> > Thanks >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, June 21, 2002 2:59 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sending a virus from mailscanner's domain is >undetectedbutincoming mail from either our domain or others is detected > >At 18:45 21/06/2002, you wrote: >>Hello, >>No not on the machine running mailscanner, but outlook 2000 on a >>workstation sent an email to an outside domain with a virus to test and >>the outside domain received it with the virus in tact.. Its the test >>virus you referred me earlier to use.. when I reply (from the outside >>domain) and its incoming to mailscanner, it will pick it up then. only >>incoming scanning is taken place not outgoing. >>Thanks! >Did it get any X-MailScanner: header at all? >If not, then it probably didn't go via the MailScanner server. >If it did, then what did the header say? What is in your mailscanner.conf >file? > >Unless it is told to, MailScanner doesn't care what addresses are in the >email message. >>-----Original Message----- >>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >>Sent: Friday, June 21, 2002 2:40 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: sending a virus from mailscanner's domain is undetected >>butincoming mail from either our domain or others is detected >> >>At 17:36 21/06/2002, you wrote: >> >Sending a virus from mailscanner's domain to another is undetected, but >> >incoming mail from either our domain or others, is detected. >> >Is this normal? >> >>Did you run the email client program on the machine that is running >>MailScanner, by any chance? If so, did you make the email program talk SMTP >>to localhost:25 or did it invoke sendmail directly? >> >>MailScanner (when running with sendmail) can only scan mail coming in the >>SMTP port. There is no way (with sendmail) of scanning mail poked directly >>at the sendmail binary. >>-- >>Julian Field Teaching Systems Manager >>jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science >>Tel. 023 8059 2817 University of Southampton >>Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at DORFAM.CA Fri Jun 21 23:59:56 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:01 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: <5.1.0.14.2.20020621214124.035b3e90@imap.ecs.soton.ac.uk> Message-ID: I pulled a copy of the rpm file down this morning and installed 3.20-6. It seemed to go well but I found that mailscanner wasn't working. I was getting a message that it couldn't find /opt/mailscanner/etc/spam.assassin.prefs.conf which is correct since the file is in /usr/local/MailScanner/etc on my system. I couldn't see where to change this so I took the easy way out and just created the /opt directories and put a link in there to the correct location. That fixed it. I'm now working my way through a LOT of emails that piled up over the day. BTW, I'm running RH 7.3 Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From moacyrs at AKADNYX.COM.BR Sat Jun 22 04:39:16 2002 From: moacyrs at AKADNYX.COM.BR (Moacyr Leite da Silva) Date: Thu Jan 12 21:15:01 2006 Subject: mailscanner.conf In-Reply-To: <20020621075622.5432cb61.brett@brabys.co.za> Message-ID: Hi Julian, Can you make it possible to have an option in mailscanner.conf to adjust the command sendmail -q[time] in /etc/init.d/mailscanner I'm always editing that file to adjust -q15m to -q1m, maybe not just me! 
And if you make this available in mailscanner.conf, I will not need to do anything when I upgrade the MailScanner (YOUR AMAZING AND GREAT TOOL)! My Best Regards, Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br) kadnyx Network Services (http://www.akadnyx.com.br) +55 19 3242-4895 +55 19 9751-2964 "Time is the best teacher; unfortunately, it kills all its students." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can now subscribe to the Akadnyx newsletter by sending an email to: informativo-request@akadnyx.com.br with the word SUBSCRIBE in the subject line, or through the URL below http://akadnyx.com.br/mailman/listinfo/informativo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From brandonf at BFCONSULT.CO.ZA Sat Jun 22 08:35:44 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:01 2006 Subject: Qmail Support Message-ID: <3D1428D0.10000@bfconsult.co.za> I don't want to harp on this, I see that there is mention of Qmail on the site but has anybody done any work to get Mailscanner to work with Qmail? I use Qmail quite a bit and I am very willing to help test! -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From brett at BRABYS.CO.ZA Sat Jun 22 09:06:46 2002 From: brett at BRABYS.CO.ZA (Brett Geer) Date: Thu Jan 12 21:15:02 2006 Subject: sending a virus from mailscanner's domain is undetectedbutincoming mail from either our domain or others is detected In-Reply-To: References: Message-ID: <20020622100646.1eaa642f.brett@brabys.co.za> eh it's a 'useful service' these days, I just had a client run into a similar problem where the mails from one of his clients never got to him and just disappeared. When I got the remote to telnet to my client's mail server, he got the client's isp. a thunderous call to isp's tech support revealed they had installed some spam filter. a couple of nasty words to the tech support manager got this removed. 
it's irritating when they just start grabbing our connections (transparent proxy is another one), and don't tell you about it. when their work fails you spend days looking for it because you think it's your equipment basically they just add a filter on their routers to shift the stream off to another box brett > ps > How the heck could it be hijacked?!! weird > -----Original Message----- > From: Ray Healy (Data Net Services) [mailto:ray@MATRIX-DATANET.CO.UK] > Sent: Friday, June 21, 2002 4:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: sending a virus from mailscanner's domain is > undetectedbutincoming mail from either our domain or others is detected > > > I am probably wrong in your situation but I thought I would mention this > > I had a similar situation where emails were not being scanned by > MailScanner when sent through my RAQ but incoming messages were scanned OK > if sent to my RAQ by someone else. > > This was due to the email message being hijacked by the ISP I was > connecting to and putting the message through their own mail server and not > mine even though in the properties I had stated the address of my mail > server. > I do not know whether this is of any help or am I totally off track > > Ray > > > > ----- Original Message ----- > From: Julian Field > To: MAILSCANNER@JISCMAIL.AC.UK > Sent: Friday, June 21, 2002 6:56 PM > Subject: Re: sending a virus from mailscanner's domain is undetected > butincoming mail from either our domain or others is detected
From mailscanner at ecs.soton.ac.uk Sat Jun 22 11:54:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support In-Reply-To: <3D1428D0.10000@bfconsult.co.za> Message-ID: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> At 08:35 22/06/2002, you wrote: >I don't want to harp on this, I see that there is mention of Qmail on >the site but has anybody done any work to get Mailscanner to work with >Qmail? I use Qmail quite a bit and I am very willing to help test! MailScanner doesn't directly support qmail. However, following the instructions in the Installation FAQ about unsupported mail systems, it should be easy to build MailScanner into your current network setup. The setup described there is already in use by several people, including me (as we have some commercial customers whose mail is hosted on an NT server for historical reasons). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jun 22 11:48:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: References: <5.1.0.14.2.20020621214124.035b3e90@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020622114434.038ba008@imap.ecs.soton.ac.uk> At 23:59 21/06/2002, you wrote: >I pulled a copy of the rpm file down this morning and installed 3.20-6. >It seemed to go well but I found that mailscanner wasn't working. 
> >I was getting a message that it couldn't find > >/opt/mailscanner/etc/spam.assassin.prefs.conf > >which is correct since the file is in /usr/local/MailScanner/etc on my >system. This is as a result of changes to the RPM file that other people asked me to make. As you have customised the mailscanner.conf file, you will now have a "mailscanner.conf.rpmnew" file in your /usr/local/MailScanner/etc directory. You need to copy your modifications from the old one to the new one and then rename it over the top of the old one (so you now have a mailscanner.conf file with all the new keywords in it). Would people prefer to use the new system, or go back to the old one where it renamed all your files to ".rpmold" or ".rpmorig" and then copied in the new ones to their default location? Or else I could take a look for any *.rpmnew files in /usr/local/MailScanner/etc and print another warning message if there were any, prompting you to copy your customizations into the new config files? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sat Jun 22 11:51:14 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner.conf In-Reply-To: References: <20020621075622.5432cb61.brett@brabys.co.za> Message-ID: <5.1.0.14.2.20020622114917.037b6750@imap.ecs.soton.ac.uk> At 04:39 22/06/2002, you wrote: >Can you make possible to have an option in mailscanner.conf to ajust >the command sendmail -q[time] in /etc/init.d/mailscanner Not easily, no, as then the init.d script would have to parse the whole of mailscanner.conf to find the value, which is a bit heavy for it. >I'm always editing that file to ajust -q15m to -q1m, maybe not just me! Personally I don't like setups that involve a -q1m, I feel there must be a better way. 
In the Installation FAQ, there are 2 notes about high-volume setups, have you looked at the 2nd one? As a further option, how about a file /etc/sysconfig/mailscanner which is optional, but will be used for sendmail and mailscanner command-line options if it exists? That way you could put -q1m into the right line in that file and it would stay across versions. I would only supply a blank template, leaving you to add options if you want to. >And if you make this available in maiscanner.conf, I will not need to >do nothing when I upgrade the MailScanner (YOUR AMAZING AND GREAT TOOL)! > >My Best Regards, > >Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br) >kadnyx Network Services (http://www.akadnyx.com.br) > >+55 19 3242-4895 >+55 19 9751-2964 > >"Time is the best teacher; unfortunately, it kills all its students." > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >Agora voc? pode assinar o Informativo Akadnyx enviando um >email para: informativo-request@akadnyx.com.br e colocando >no assunto a palavra SUBSCRIBE ou atrav?s da URL abaixo >http://akadnyx.com.br/mailman/listinfo/informativo >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Sat Jun 22 12:43:55 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: <5.1.0.14.2.20020622114434.038ba008@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020622114434.038ba008@imap.ecs.soton.ac.uk> Message-ID: <8723163.1024749835@jemima.zanker.org> On 22 June 2002 11:48 +0100 Julian Field wrote: > Would people prefer to use the new system, or go back to the old one > where it renamed all your files to ".rpmold" or ".rpmorig" and then > copied in the new ones to their default location? I much prefer the new system, personally. 
Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From gerry at DORFAM.CA Sat Jun 22 14:20:37 2002 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: <8723163.1024749835@jemima.zanker.org> Message-ID: On Sat, 22 Jun 2002, Mike Zanker wrote: > On 22 June 2002 11:48 +0100 Julian Field > wrote: > > > Would people prefer to use the new system, or go back to the old one > > where it renamed all your files to ".rpmold" or ".rpmorig" and then > > copied in the new ones to their default location? I don't care which one is used as long as it stops changing. Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From brandonf at BFCONSULT.CO.ZA Sat Jun 22 16:21:09 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> Message-ID: <3D1495E5.90705@bfconsult.co.za> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes, I read the FAQ but I need direct qmail support! I was just wondering if anybody has done some work on it or if there are some pointers to try to get it to work? Julian Field wrote: > At 08:35 22/06/2002, you wrote: > >> I don't want to harp on this, I see that there is mention of Qmail >> on the site but has anybody done any work to get Mailscanner to >> work with Qmail? I use Qmail quite a bit and I am very willing to >> help test! > > MailScanner doesn't directly support qmail. However, following the > instructions in the Installation FAQ about unsupported mail > systems, it should be easy to build MailScanner into your current > network setup. The setup described there is already in use by > several people, including me (as we have some commercial customers > whose mail is hosted on an NT server for historical reasons). > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ > - -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRSV432QHKNEPydkEQIB+ACgqS2Syj6F8AWWNwHyGBF03Unl6fwAn291 LSAFI1zJN+emPZIBJbqd6usj =s23R -----END PGP SIGNATURE-----
From mailscanner at ecs.soton.ac.uk Sat Jun 22 16:28:47 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support In-Reply-To: <3D1495E5.90705@bfconsult.co.za> References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020622162737.0358ee70@imap.ecs.soton.ac.uk> At 16:21 22/06/2002, you wrote: >Yes, I read the FAQ but I need direct qmail support! >I was just wondering if anybody has done some work on it or if there >are some pointers to try to get it to work? As far as I know, no-one has worked on that. I might consider it once I've done a big re-write of the code to make it rather more OO in design which should make jobs like this easier. >Julian Field wrote: > > > At 08:35 22/06/2002, you wrote: > > > >> I don't want to harp on this, I see that there is mention of Qmail > >> on the site but has anybody done any work to get Mailscanner to > >> work with Qmail? I use Qmail quite a bit and I am very willing to > >> help test! > > > > MailScanner doesn't directly support qmail. However, following the > > instructions in the Installation FAQ about unsupported mail > > systems, it should be easy to build MailScanner into your current > > network setup. The setup described there is already in use by > > several people, including me (as we have some commercial customers > > whose mail is hosted on an NT server for historical reasons). > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 
023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > >- -- > >Regards >Brandon Friedman >Cell:083 408 7840 >E-mail: brandonf@bfconsult.co.za >www.bfconsult.co.za > >-----BEGIN PGP SIGNATURE----- >Version: PGP 7.0.4 > >iQA/AwUBPRSV432QHKNEPydkEQIB+ACgqS2Syj6F8AWWNwHyGBF03Unl6fwAn291 >LSAFI1zJN+emPZIBJbqd6usj >=s23R >-----END PGP SIGNATURE----- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Sat Jun 22 17:20:22 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:02 2006 Subject: Recommended version of razor? In-Reply-To: <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020618183816.034db9e0@imap.ecs.soton.ac.uk> <000001c21701$03874cc0$1cfea8c0@tippingmar.com> <5.1.0.14.2.20020618211109.03b71840@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620135411.02cf64a8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020620145110.04d2caa0@imap.ecs.soton.ac.uk> <022801c21864$a8743720$1f0aa8c0@PondRoom> <5.1.0.14.2.20020620161939.04dc09b0@imap.ecs.soton.ac.uk> Message-ID: <33271.10.0.10.1.1024762822.squirrel@tiger.dorfam.ca> I've been doing updates this morning and was wondering what is the recommended version of razor to be running with the new spamassassin 2.31? I noticed that there has been a LOT of changes released in June for razor. I'm still back on razor 1.19. The last time I happily put all the lastest updates together spamassassin stopped working with razor! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From brose at MED.WAYNE.EDU Sat Jun 22 20:18:54 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:02 2006 Subject: Recommended version of razor? Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9DF@med-core03.med.wayne.edu> Doesn't matter. 
I found out yesterday that SA 2.31 still only uses razorv1. The changelog was incorrect. That explained why the performance with razor enabled was poor forcing me to disable it again. Having razor enabled for SA adds 2-3 seconds for every message processed so it causes mail to start backing up in mqueue.in. I'm hoping razorv2 will be better since they are planning on selling the server component so performance has to be better. -----Original Message----- From: Gerry Doris [mailto:gerry@dorfam.ca] Sent: Saturday, June 22, 2002 12:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Recommended version of razor? I've been doing updates this morning and was wondering what is the recommended version of razor to be running with the new spamassassin 2.31? I noticed that there has been a LOT of changes released in June for razor. I'm still back on razor 1.19. The last time I happily put all the lastest updates together spamassassin stopped working with razor! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From nathan at tcpnetworks.net Sat Jun 22 22:32:27 2002 From: nathan at tcpnetworks.net (Nathan Johanson) Date: Thu Jan 12 21:15:02 2006 Subject: Recommended version of razor? Message-ID: <200206222132.g5MLWRn09879@ns2.tcpnetworks.com> BTW, how do you disable razor or DCC in SpamAssassin once they're installed? I've been wanting to take both for a test drive, but wanted to be able to toggle them on/off should I run into problems. I went digging through SpamAssassin's documentation this morning, but couldn't find the relevant options. -Nathan Email: nathan@tcpnetworks.net > Doesn't matter. I found out yesterday that SA 2.31 still only uses > razorv1. The changelog was incorrect. That explained why the > performance with razor enabled was poor forcing me to disable it again. > Having razor enabled for SA adds 2-3 seconds for every message processed > so it causes mail to start backing up in mqueue.in. 
I'm hoping razorv2 > will be better since they are planning on selling the server component > so performance has to be better. > > -----Original Message----- > From: Gerry Doris [mailto:gerry@dorfam.ca] > Sent: Saturday, June 22, 2002 12:20 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Recommended version of razor? > > > I've been doing updates this morning and was wondering what is the > recommended version of razor to be running with the new spamassassin > 2.31? I noticed that there has been a LOT of changes released in June > for razor. I'm still back on razor 1.19. > > The last time I happily put all the latest updates together > spamassassin stopped working with razor! > > Gerry > -- > "The lyfe so short, the craft so long to learne" Chaucer From brose at MED.WAYNE.EDU Sat Jun 22 22:51:36 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:02 2006 Subject: Recommended version of razor? Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8FC1@med-core03.med.wayne.edu> You should ask SA functionality questions in their list. The answer is to add a score line in your SA local.cf with a score of 0 for those rule tests. Example
score RAZOR_CHECK 0.0
score DCC_CHECK 0.0
-----Original Message----- From: Nathan Johanson [mailto:nathan@tcpnetworks.net] Sent: Saturday, June 22, 2002 5:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Recommended version of razor? BTW, how do you disable razor or DCC in SpamAssassin once they're installed? I've been wanting to take both for a test drive, but wanted to be able to toggle them on/off should I run into problems. I went digging through SpamAssassin's documentation this morning, but couldn't find the relevant options. -Nathan Email: nathan@tcpnetworks.net > Doesn't matter. I found out yesterday that SA 2.31 still only uses > razorv1. The changelog was incorrect. That explained why the > performance with razor enabled was poor forcing me to disable it > again. 
Having razor enabled for SA adds 2-3 seconds for every message > processed so it causes mail to start backing up in mqueue.in. I'm > hoping razorv2 will be better since they are planning on selling the > server component so performance has to be better. > > -----Original Message----- > From: Gerry Doris [mailto:gerry@dorfam.ca] > Sent: Saturday, June 22, 2002 12:20 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Recommended version of razor? > > > I've been doing updates this morning and was wondering what is the > recommended version of razor to be running with the new spamassassin > 2.31? I noticed that there has been a LOT of changes released in June > for razor. I'm still back on razor 1.19. > > The last time I happily put all the lastest updates together > spamassassin stopped working with razor! > > Gerry > -- > "The lyfe so short, the craft so long to learne" Chaucer From nwp at LEMON-COMPUTING.COM Sun Jun 23 03:13:15 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner.conf In-Reply-To: <5.1.0.14.2.20020622114917.037b6750@imap.ecs.soton.ac.uk> References: <20020621075622.5432cb61.brett@brabys.co.za> <5.1.0.14.2.20020622114917.037b6750@imap.ecs.soton.ac.uk> Message-ID: <20020623021315.GS23886@hoiho.nz.lemon-computing.com> On Sat, Jun 22, 2002 at 11:51:14AM +0100, Julian Field wrote: > As a further option, how about a file /etc/sysconfig/mailscanner which is > optional, but will be used for sendmail and mailscanner command-line > options if it exists? That way you could put -q1m into the right line in > that file and it would stay across versions. I would only supply a blank > template, leaving you to add options if you want to. Hmmm... init.d scripts (or similar) are very OS-dependent. They are really part of the packaging of mailscanner for a particular OS. 
We would need to have a good think about where the break between mailscanner itself and the mailscanner package for should be, and how to structure things so as to be useful on all OSes... and most importantly to not get in the way on any OS. There are a few other similar areas to think about -- access to configuration information for update scripts, for one, and uh, I can't remember the other one that I was thinking of. Oh well... -- Nick Phillips -- nwp@lemon-computing.com Ships are safe in harbor, but they were never meant to stay there. From nwp at LEMON-COMPUTING.COM Sun Jun 23 03:01:52 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support In-Reply-To: <3D1495E5.90705@bfconsult.co.za> References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <3D1495E5.90705@bfconsult.co.za> Message-ID: <20020623020152.GR23886@hoiho.nz.lemon-computing.com> On Sat, Jun 22, 2002 at 05:21:09PM +0200, Brandon Friedman wrote: > Yes, I read the FAQ but I need direct qmail support! > > I was just wondering if anybody has done some work on it or if there > are some pointers to try to get it to work? I don't know whether Julian has used qmail, but I certainly haven't. Without knowing how qmail handles its queues, it's difficult to know how easy (or otherwise) it would be to add support for it. If someone could point me at some documentation of qmail's queue formats and handling, then I could at least get some idea how difficult adding support for it is likely to be... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You feel a whole lot more like you do now than you did when you used to. 
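An added example for the "sending a virus from mailscanner's domain" thread above (not part of any list message, and not MailScanner code): it applies Julian Field's check for an X-MailScanner: header and adds the Received: chain, to separate a local submission that skipped the SMTP port from mail that never reached the gateway. The gateway name, host names and sample messages are constructed.

```python
from email import message_from_string

# Hypothetical name of the host running MailScanner; replace with your own.
GATEWAY = "scanner.example.org"

# Constructed sample messages (headers only matter here).
SCANNED = (
    "Received: from ws1.example.org (ws1.example.org [192.0.2.10])\n"
    "\tby scanner.example.org (8.11.6/8.11.6) with ESMTP id g5LHk0x01234;\n"
    "\tFri, 21 Jun 2002 18:45:00 +0100\n"
    "X-MailScanner: Found to be clean\n"
    "Subject: outbound test\n\nbody\n"
)
# Handed straight to the sendmail binary on the gateway: no SMTP port, no scan.
LOCAL_SUBMIT = (
    "Received: (from user@localhost)\n"
    "\tby scanner.example.org (8.11.6/8.11.6) id g5LHk1x01235;\n"
    "\tFri, 21 Jun 2002 18:46:00 +0100\n"
    "Subject: outbound test\n\nbody\n"
)
# Port 25 redirected upstream: the gateway never saw the message.
BYPASSED = (
    "Received: from smtp.isp.example.net by mx.example.com with ESMTP;\n"
    "\tFri, 21 Jun 2002 18:47:30 +0100\n"
    "Received: from ws1.example.org by smtp.isp.example.net with ESMTP;\n"
    "\tFri, 21 Jun 2002 18:47:00 +0100\n"
    "Subject: outbound test\n\nbody\n"
)


def received_hosts(msg):
    """Return the 'by <host>' name of every Received: header, newest first."""
    hosts = []
    for value in msg.get_all("Received", []):
        words = value.split()  # split() also swallows header folding
        for i, word in enumerate(words[:-1]):
            if word.lower() == "by":
                hosts.append(words[i + 1].rstrip(";").lower())
                break
    return hosts


def classify(raw, gateway=GATEWAY):
    """Return (state, X-MailScanner value) for one raw message."""
    msg = message_from_string(raw)
    verdict = msg.get("X-MailScanner")
    if verdict is not None:
        return ("scanned", verdict.strip())
    if gateway.lower() in received_hosts(msg):
        # Passed through the gateway host but was never queued for scanning.
        return ("relayed-unscanned", None)
    # No header and no gateway hop: the message took another route entirely.
    return ("bypassed", None)


if __name__ == "__main__":
    for name, raw in (("SCANNED", SCANNED), ("LOCAL_SUBMIT", LOCAL_SUBMIT),
                      ("BYPASSED", BYPASSED)):
        print(name, classify(raw))
```

A present header only shows that some hop added it; compare the value and the Received: chain against what your own gateway writes before treating the message as scanned.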
From brandonf at BFCONSULT.CO.ZA Sun Jun 23 09:29:30 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <3D1495E5.90705@bfconsult.co.za> <20020623020152.GR23886@hoiho.nz.lemon-computing.com> Message-ID: <3D1586EA.8040900@bfconsult.co.za> Well the best place to start is the qmail website.... There are a lot of links on there.. http://qmail.org Nick Phillips wrote: > On Sat, Jun 22, 2002 at 05:21:09PM +0200, Brandon Friedman wrote: > > >>Yes, I read the FAQ but I need direct qmail support! >> >>I was just wondering if anybody has done some work on it or if there >>are some pointers to try to get it to work? >> > > I don't know whether Julian has used qmail, but I certainly haven't. > Without knowing how qmail handles its queues, it's difficult to know > how easy (or otherwise) it would be to add support for it. > > If someone could point me at some documentation of qmail's queue formats > and handling, then I could at least get some idea how difficult adding > support for it is likely to be... > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You feel a whole lot more like you do now than you did when you used to. > > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za
From mailscanner at ecs.soton.ac.uk Sun Jun 23 12:47:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-7 Message-ID: <5.1.0.14.2.20020623123749.03c11b28@imap.ecs.soton.ac.uk> I have just released 3.20-7. Nothing major, just tidying up a few rough edges. Specific to the RPM: The init.d script in the RPM is prettier than it was, and supports the command /etc/rc.d/init.d/mailscanner status If you like to change the "-q15m" queue-time in the init.d script, you can now put it in /etc/sysconfig/mailscanner and your change won't get overwritten when you upgrade the RPM. Behaviour Change: Messages that contained viruses listed in the viruses.to.delete.conf file will now be delivered to the recipient as normal, it is just the *sender* who won't be notified. The result is that your users feel happy that they can see MailScanner protecting them, it's just the sender who doesn't get told (The key virus for this file is the "Klez" worm as it fakes the sender address). Bug fix: If you run MailScanner as a non-root user, the queue ownership checking should now be correct. All downloadable, as usual, from www.mailscanner.info Jules.
-- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jun 23 12:57:32 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner.conf In-Reply-To: <20020623021315.GS23886@hoiho.nz.lemon-computing.com> References: <5.1.0.14.2.20020622114917.037b6750@imap.ecs.soton.ac.uk> <20020621075622.5432cb61.brett@brabys.co.za> <5.1.0.14.2.20020622114917.037b6750@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020623125616.02a0de38@imap.ecs.soton.ac.uk> At 03:13 23/06/2002, you wrote: >On Sat, Jun 22, 2002 at 11:51:14AM +0100, Julian Field wrote: > > As a further option, how about a file /etc/sysconfig/mailscanner which is > > optional, but will be used for sendmail and mailscanner command-line > > options if it exists? That way you could put -q1m into the right line in > > that file and it would stay across versions. I would only supply a blank > > template, leaving you to add options if you want to. > >Hmmm... init.d scripts (or similar) are very OS-dependent. They are really >part of the packaging of mailscanner for a particular OS. Sorry, for this I was only intending the change for the RedHat RPM as it is completely OS-specific. I've now implemented it (but just in the RPM). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jun 23 12:55:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: Recommended version of razor? In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A0A8FC1@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020623125417.03b5e520@imap.ecs.soton.ac.uk> At 22:51 22/06/2002, you wrote: >You should ask SA functionality questions in their list. 
The answer is >to add a score line in your SA local.cf with a score of 0 for those rule >tests. Example > >score RAZOR_CHECK 0.0 >score DCC_CHECK 0.0 The DCC_CHECK line is in the example prefs file I supply in /usr/local/MailScanner/etc/spam.assassin.prefs.conf as it keeps default SpamAssassin installs rather quieter. >-----Original Message----- >From: Nathan Johanson [mailto:nathan@tcpnetworks.net] >Sent: Saturday, June 22, 2002 5:32 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Recommended version of razor? > > >BTW, how do you disable razor or DCC in SpamAssassin once they're >installed? I've been wanting to take both for a test drive, but wanted >to be able to toggle them on/off should I run into problems. I went >digging through SpamAssassin's documentation this morning, but couldn't >find the relevant options. > >-Nathan >Email: nathan@tcpnetworks.net > > > Doesn't matter. I found out yesterday that SA 2.31 still only uses > > razorv1. The changelog was incorrect. That explained why the > > performance with razor enabled was poor forcing me to disable it > > again. Having razor enabled for SA adds 2-3 seconds for every message > > processed so it causes mail to start backing up in mqueue.in. I'm > > hoping razorv2 will be better since they are planning on selling the > > server component so performance has to be better. > > > > -----Original Message----- > > From: Gerry Doris [mailto:gerry@dorfam.ca] > > Sent: Saturday, June 22, 2002 12:20 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Recommended version of razor? > > > > > > I've been doing updates this morning and was wondering what is the > > recommended version of razor to be running with the new spamassassin > > 2.31? I noticed that there has been a LOT of changes released in June > > > for razor. I'm still back on razor 1.19. > > > > The last time I happily put all the latest updates together > > spamassassin stopped working with razor!
> > > > Gerry > > -- > > "The lyfe so short, the craft so long to learne" Chaucer -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jun 23 13:58:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner.conf In-Reply-To: References: <20020621075622.5432cb61.brett@brabys.co.za> Message-ID: <5.1.0.14.2.20020623135753.02a466a0@imap.ecs.soton.ac.uk> At 04:39 22/06/2002, you wrote: >Can you make possible to have an option in mailscanner.conf to adjust >the command sendmail -q[time] in /etc/init.d/mailscanner You can now specify this in /etc/sysconfig/mailscanner (RPM only). >I'm always editing that file to adjust -q15m to -q1m, maybe not just me! > >And if you make this available in mailscanner.conf, I will not need to >do nothing when I upgrade the MailScanner (YOUR AMAZING AND GREAT TOOL)! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jun 23 14:00:00 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: References: <5.1.0.14.2.20020621214124.035b3e90@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020623135851.029d1428@imap.ecs.soton.ac.uk> Sorry about that. It shouldn't have complained about it if you weren't using SpamAssassin. Now fixed. At 23:59 21/06/2002, you wrote: >I pulled a copy of the rpm file down this morning and installed 3.20-6. >It seemed to go well but I found that mailscanner wasn't working. > >I was getting a message that it couldn't find > >/opt/mailscanner/etc/spam.assassin.prefs.conf > >which is correct since the file is in /usr/local/MailScanner/etc on my >system.
I couldn't see where to change this so I took the easy way out >and just created the /opt directories and put a link in there to the >correct location. That fixed it. I'm now working my way through a LOT of >emails that piled up over the day. > >BTW, I'm running RH 7.3 > >Gerry >-- > >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dll at SCITOOLS.COM Sun Jun 23 15:29:06 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:02 2006 Subject: spamassassin settings References: <20020621075622.5432cb61.brett@brabys.co.za> <5.1.0.14.2.20020623135753.02a466a0@imap.ecs.soton.ac.uk> Message-ID: <005301c21ac2$59fe70a0$170aa8c0@DELL> Do the per-user files like .spamassassin.cf work when spamassassin is used with MailScanner? I'd like users to be able to add their own whitelist entries if they choose. How do I approach that? Dan
From mailscanner at ecs.soton.ac.uk Sun Jun 23 15:53:33 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: spamassassin settings In-Reply-To: <005301c21ac2$59fe70a0$170aa8c0@DELL> References: <20020621075622.5432cb61.brett@brabys.co.za> <5.1.0.14.2.20020623135753.02a466a0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020623155212.04acb4b8@imap.ecs.soton.ac.uk> At 15:29 23/06/2002, you wrote: >Do the per-user files like .spamassassin.cf work when spamassassin is used >with MailScanner? Afraid not. MailScanner runs as 1 user. > I'd like users to be able to add their own whitelist >entries if they choose. How do I approach that? Try using procmail as the local delivery agent. It's documented on the SA website. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dll at SCITOOLS.COM Sun Jun 23 16:13:03 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:02 2006 Subject: spamassassin settings References: <20020621075622.5432cb61.brett@brabys.co.za> <5.1.0.14.2.20020623135753.02a466a0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020623155212.04acb4b8@imap.ecs.soton.ac.uk> Message-ID: <006101c21ac8$7c2499b0$170aa8c0@DELL> We're already using procmail but that clears up my confusion.
Thanks, Dan ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, June 23, 2002 10:53 AM Subject: Re: spamassassin settings > At 15:29 23/06/2002, you wrote: > >Do the per-user files like .spamassassin.cf work when spamassassin is used > >with MailScanner? > > Afraid not. MailScanner runs as 1 user. > > > I'd like users to be able to add their own whitelist > >entries if they choose. How do I approach that? > > Try using procmail as the local delivery agent. It's documented on the SA > website. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Sun Jun 23 19:24:08 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-7 In-Reply-To: <5.1.0.14.2.20020623123749.03c11b28@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020623192108.038ae858@imap.ecs.soton.ac.uk> At 12:47 23/06/2002, you wrote: >Behaviour Change: >Messages that contained viruses listed in the viruses.to.delete.conf file >will now be delivered to the recipient as normal, it is just the *sender* >who won't be notified. The result is that your users feel happy that they >can see MailScanner protecting them, it's just the sender who doesn't get >told (The key virus for this file is the "Klez" worm as it fakes the sender >address). Ideally, given more thought, I would have called this "Dont Tell Senders" in the first place. Isn't hindsight a wonderful thing? :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Mon Jun 24 06:02:43 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <3D1495E5.90705@bfconsult.co.za> <20020623020152.GR23886@hoiho.nz.lemon-computing.com> <3D1586EA.8040900@bfconsult.co.za> Message-ID: <010901c21b3c$60ded840$1500a8c0@gangfam.com> Is there a document on the NET somewhere that lists why MailScanner and Qmail don't plug right in like it does with Sendmail? If yes, can anyone give me a URL so I can read?
Regards Rishi From nwp at LEMON-COMPUTING.COM Mon Jun 24 06:58:53 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support In-Reply-To: <010901c21b3c$60ded840$1500a8c0@gangfam.com> References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <3D1495E5.90705@bfconsult.co.za> <20020623020152.GR23886@hoiho.nz.lemon-computing.com> <3D1586EA.8040900@bfconsult.co.za> <010901c21b3c$60ded840$1500a8c0@gangfam.com> Message-ID: <20020624055853.GI23886@hoiho.nz.lemon-computing.com> On Mon, Jun 24, 2002 at 10:32:43AM +0530, Rishi Gangoly wrote: > Is there a document on the NET somewhere that lists why MailScanner and > Qmail don't plug right in like it does with Sendmail? > If yes, can anyone give me a URL so I can read? No, there isn't. The reason is because we have to write a whole bunch of code to interact with each MTA, and we have plenty of other things to do besides that. Not that I wouldn't do it for qmail -- in fact if it looks relatively easy I might well consider it. But Julian originally wrote mailscanner to work with sendmail because that's what he uses, and what most people use. I added the Exim bits because that's what I use. Someone else has written Postfix bits (which we are now adding in) because that's what they use. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You are only young once, but you can stay immature indefinitely. From brandonf at BFCONSULT.CO.ZA Mon Jun 24 07:49:34 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <3D1495E5.90705@bfconsult.co.za> <20020623020152.GR23886@hoiho.nz.lemon-computing.com> <3D1586EA.8040900@bfconsult.co.za> <010901c21b3c$60ded840$1500a8c0@gangfam.com> <20020624055853.GI23886@hoiho.nz.lemon-computing.com> Message-ID: <3D16C0FE.5030204@bfconsult.co.za> I use qmail but I don't have much coding experience... 
I would like to chat to anyone who is interested in using mailscanner for qmail..... Qmail is one of the most popular MTAs on the net. Nick Phillips wrote: > On Mon, Jun 24, 2002 at 10:32:43AM +0530, Rishi Gangoly wrote: > >>Is there a document on the NET somewhere that lists why MailScanner and >>Qmail don't plug right in like it does with Sendmail? >>If yes, can anyone give me a URL so I can read? >> > > No, there isn't. The reason is because we have to write a whole bunch > of code to interact with each MTA, and we have plenty of other things > to do besides that. > > Not that I wouldn't do it for qmail -- in fact if it looks relatively > easy I might well consider it. But Julian originally wrote mailscanner > to work with sendmail because that's what he uses, and what most people > use. I added the Exim bits because that's what I use. Someone else has > written Postfix bits (which we are now adding in) because that's what > they use. > > > Cheers, > > > Nick > > -- > Nick Phillips -- nwp@lemon-computing.com > You are only young once, but you can stay immature indefinitely. > > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From Q.G.Campbell at NEWCASTLE.AC.UK Mon Jun 24 12:27:09 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:15:02 2006 Subject: MailScanner + Sophos + McAfee Message-ID: I am running MailScanner 3.20-6 with both Sophos and McAfee A-V software. The mailscanner.conf file says: Virus Scanner = sophos, mcafee ... Sweep = /usr/local/Sophos/bin/sophoswrapper, /usr/local/uvscan/mcafeewrapper I had assumed that if a virus was _found_ by Sophos (first in list) then MailScanner would not bother calling McAfee. However it does and this behaviour pre-dates 3.30-6. Is there a reason for this? Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. 
------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From mailscanner at ecs.soton.ac.uk Mon Jun 24 12:33:08 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: MailScanner + Sophos + McAfee In-Reply-To: Message-ID: <5.1.0.14.2.20020624122939.04a4b6d8@imap.ecs.soton.ac.uk> At 12:27 24/06/2002, you wrote: >I am running MailScanner 3.20-6 with both Sophos and McAfee A-V >software. The mailscanner.conf file says: > > Virus Scanner = sophos, mcafee > ... > Sweep = /usr/local/Sophos/bin/sophoswrapper, >/usr/local/uvscan/mcafeewrapper > >I had assumed that if a virus was _found_ by Sophos (first in list) then >MailScanner would not bother calling McAfee. However it does and this >behaviour pre-dates 3.30-6. > >Is there a reason for this? Messages are handled in batches for efficiency (saves cranking up the anti-virus engine separately for each message). As a result the batch would have to be split and separated to avoid calling both scanners. As your machine load grows, the batches get bigger, so the overhead of calling a 2nd scanner on the 1 or 2 infected messages in the batch actually becomes less. On a very lightly loaded machine, the load is increased; but on a busy machine the change in load is nearly undetectable. So changing this behaviour (which would be quite a big mod to the code) wouldn't actually gain you anything very noticeable. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From m.sapsed at BANGOR.AC.UK Mon Jun 24 12:46:05 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner status command In-Reply-To: <5.1.0.14.2.20020621112937.02c95dd0@imap.ecs.soton.ac.uk> Message-ID: On Fri, 21 Jun 2002, Julian Field wrote: > Does a "mailscanner stop" kill all the 3 processes properly? > If so, I'll just add "[sendmail]" as one of the things to look for in the > "status" bit. > > Try the attached. > Hopefully the 3 lines of output will all line up now too. Yup - fine thanks. Re: comment in mailscanner script: My system is a Mandrake one - I don't think the [sendmail] thing is RedHat specific? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. From P.G.M.Peters at civ.utwente.nl Mon Jun 24 13:12:25 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:02 2006 Subject: MailScanner + Sophos + McAfee In-Reply-To: References: Message-ID: On Mon, 24 Jun 2002 12:27:09 +0100, you wrote: >I had assumed that if a virus was _found_ by Sophos (first in list) then >MailScanner would not bother calling McAfee. However it does and this >behaviour pre-dates 3.30-6. In theory Sophos could detect a virus in one of the attachments while it doesn't detect the other one in the second attachment. And perhaps McAfee will find the one in the second attachment. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Mon Jun 24 13:53:16 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:02 2006 Subject: mailscanner status command In-Reply-To: References: <5.1.0.14.2.20020621112937.02c95dd0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020624135224.04e52e80@imap.ecs.soton.ac.uk> At 12:46 24/06/2002, you wrote: > >Re: comment in mailscanner script: My system is a Mandrake one - >I don't think the [sendmail] thing is RedHat specific? > As they say, "your mileage may vary". It might work with Mandrake, it certainly wouldn't work with Slackware (which doesn't even appear to use SysV init.d scripts at all!). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ
From lbergman at abi.tconline.net Mon Jun 24 13:06:13 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:02 2006 Subject: ANNOUNCE: Version 3.20-6 released In-Reply-To: <5.1.0.14.2.20020622114434.038ba008@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020621214124.035b3e90@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020622114434.038ba008@imap.ecs.soton.ac.uk> Message-ID: <200206240706.13293.lbergman@abi.tconline.net> > Would people prefer to use the new system, or go back to the old one where > it renamed all your files to ".rpmold" or ".rpmorig" and then copied in the > new ones to their default location? I sure like the new one. Upgrading was much easier this time. Thanks. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at abi.tconline.net Mon Jun 24 13:16:50 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:02 2006 Subject: Qmail Support In-Reply-To: <3D16C0FE.5030204@bfconsult.co.za> References: <5.1.0.14.2.20020622115324.037d8ee0@imap.ecs.soton.ac.uk> <20020624055853.GI23886@hoiho.nz.lemon-computing.com> <3D16C0FE.5030204@bfconsult.co.za> Message-ID: <200206240716.50320.lbergman@abi.tconline.net> > I use qmail but I don't have much coding experience... > > I would like to chat to anyone who is interested in using mailscanner > for qmail..... > > Qmail is one of the most popular MTAs on the net. You know the open source community sometimes just shoots itself in the foot. People, if you can't code, pay some of these talented people who can to implement the changes you want. We have recently done this on a couple of opensource projects. We pay the developers what they agree to be a fair price and require nothing other than the functionality be included in the source.
We only ask this when we think the changes we want would be generally useful to the community. Open source doesn't mean a free lunch. If you want it, can't code it, pay for it, and give it back. Everyone benefits. The preceding is not meant to get on any one in particular even though one person's reply was used. The "idea" of the thread is what gets me. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From brandonf at BFCONSULT.CO.ZA Mon Jun 24 14:57:50 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:02 2006 Subject: Webmin Module Message-ID: <3D17255E.4020109@bfconsult.co.za> I am also looking for a webmin module for mailscanner? Has anybody attempted this? -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From P.G.M.Peters at civ.utwente.nl Mon Jun 24 15:09:43 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:02 2006 Subject: SuSe rpm Message-ID: <4t9ehu06jbfr26aq38bgvirnmuc1pth8ia@4ax.com> I am trying to use the rpm's on a Suse system. I get some failed dependencies and I wonder whether they are really needed for MailScanner: error: failed dependencies: cpp is needed by mailscanner-3.20-7 kernel-headers is needed by mailscanner-3.20-7 They look like dependencies needed for compiling stuff and not for perl-scripts. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From Matthew_doherty at DATAWATCH.COM Mon Jun 24 15:07:31 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:02 2006 Subject: Webmin Module Message-ID: Yes I emailed Jamie (the author of Webmin) of this. He will include it in his next update. Also a facility addon, in the syslogs for mailscanner..
=) -----Original Message----- From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] Sent: Monday, June 24, 2002 11:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Webmin Module I am also looking for a webmin module for mailscanner? Has anybody attempted this? -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/f2c161f8/attachment.html From gerry at dorfam.ca Mon Jun 24 15:33:05 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:02 2006 Subject: Spamassassin Scores ? Message-ID: <56033.129.80.22.134.1024929185.squirrel@tiger.dorfam.ca> If I remember correctly there was a lot of discussion a while back about whether the behaviour of spamassassin was the same whether it was called via mailscanner or run separately. I believe some folks were trying to test this out. Was there ever a conclusion? I can't find anything definitive in the archives. I've just started using spamassassin called by mailscanner and the scores seem to be lower. Frankly, I'm not sure it really matters as long as it works but inquiring minds want to know!
Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From brose at MED.WAYNE.EDU Mon Jun 24 15:47:19 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:02 2006 Subject: Webmin Module Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8FC8@med-core03.med.wayne.edu> Wouldn't it have to be updated with every Mailscanner feature change since I assume it would be modifying the conf files. -----Original Message----- From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] Sent: Monday, June 24, 2002 10:08 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Webmin Module Yes I emailed Jamie (the author of Webmin) of this. He will include it in his next update. Also a facility addon, in the syslogs for mailscanner..
=) -----Original Message----- From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] Sent: Monday, June 24, 2002 11:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Webmin Module I am also looking for a webmin module for mailscanner? Has anybody attempted this? -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/f68faefe/attachment.html From mailscanner at ecs.soton.ac.uk Mon Jun 24 15:12:54 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Webmin Module In-Reply-To: <3D17255E.4020109@bfconsult.co.za> Message-ID: <5.1.0.14.2.20020624150701.04e05318@imap.ecs.soton.ac.uk> At 14:57 24/06/2002, you wrote: >I am also looking for a webmin module for mailscanner? >Has anybody attempted this? Not as far as I am aware, no. Personally I've never used webmin. Anyone fancy having a go at this for us? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jun 24 15:51:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: SuSe rpm In-Reply-To: <4t9ehu06jbfr26aq38bgvirnmuc1pth8ia@4ax.com> Message-ID: <5.1.0.14.2.20020624155004.04e98a18@imap.ecs.soton.ac.uk> At 15:09 24/06/2002, you wrote: >I am trying to use the rpm's on a Suse system. I get some failed >dependencies and I wonder whether the are really needed for MailScanner: > >error: failed dependencies: > cpp is needed by mailscanner-3.20-7 > kernel-headers is needed by mailscanner-3.20-7 > >They look like dependencies needed for compiling stuff and not for >perl-scripts. These are needed in order to compile bits of the MIME-Base64 decoder module which is written in C for speed. 
You can always try forcing it with "--force" or "--nodeps" to see if you actually have the relevant stuff installed, but by differently-named RPMs. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Mon Jun 24 15:52:49 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Webmin Module In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A0A8FC8@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020624155154.04f50ec0@imap.ecs.soton.ac.uk> At 15:47 24/06/2002, you wrote: >Wouldn't it have to be updated with every Mailscanner feature change since >I assume it would be modifying the conf files. Part of the rules for Webmin modules state that they must ignore configuration statements they don't understand. So even if the Webmin module got a bit behind MailScanner, you could still do *most* of the config with Webmin. >-----Original Message----- >From: Matt Doherty [mailto:Matthew_doherty@DATAWATCH.COM] >Sent: Monday, June 24, 2002 10:08 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Webmin Module > >Yes I emailed Jamie (the author of Webmin) of this. He will include it in >his next update. Also a facility addon, in the syslogs for mailscanner.. =) >-----Original Message----- >From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] >Sent: Monday, June 24, 2002 11:00 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Webmin Module > >I am also looking for a webmin module for mailscanner? >Has anybody attempted this? > > > >-- > >Regards >Brandon Friedman >Cell:083 408 7840 >E-mail: brandonf@bfconsult.co.za >www.bfconsult.co.za -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/c96dd47f/attachment.html From dml at UNB.CA Mon Jun 24 16:05:39 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:03 2006 Subject: Mailscanner and SA performance In-Reply-To: <56033.129.80.22.134.1024929185.squirrel@tiger.dorfam.ca> Message-ID: Hi all, Someone recently suggested to me that the spam-checking performance of Mailscanner and SpamAssassin could be increased by only checking a limited portion of each email. The idea being that most spam would be evident within a smaller number of lines, requiring less CPU time. While this may be true for some spam, I wonder if there would be any actual speed increase? Is there a sufficient bottleneck in SA, which could be assisted by limiting the length of each message that is checked, to make this worthwhile. Technically this is more of a SA question, but I was wondering if anybody on this list could see any issues with this suggestion. Cheers, David =========================================================== David Lancaster ITS ESS From martin at mj-tech.com Mon Jun 24 16:10:35 2002 From: martin at mj-tech.com (Martin Jermyn) Date: Thu Jan 12 21:15:03 2006 Subject: ldconfig error References: Message-ID: <017b01c21b91$4b53b4a0$0100a8c0@pc1> Hi When attempting to run install.sh I get an error regarding ldconfig however, I can see nothing about this in the installation guides etc. - how do I fix this so I can get mailscanner to install on my system? Thanks for any help. ---- Martin Jermyn martin@mj-tech.com From rishi at THEARGONCOMPANY.COM Mon Jun 24 16:52:07 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! 
I think References: Message-ID: <004d01c21b97$1843bfa0$1b02a8c0@theargoncompany.com> Hi Fracois What happens when you do : f-prot -virlist | grep -i Frethem Regards Rishi ----- Original Message ----- From: "Francois Caen" To: Sent: Tuesday, June 18, 2002 9:09 PM Subject: Re: f-prot / aves detects this as a virus !! I think > -----Original Message----- > From: rishi@THEARGONCOMPANY.COM > > > Just had another idea. > > What's the sum of the infected file that yoy have? > > Here is mine. > > > > > > [root f-prot]# sum /tmp/decrypt-password.exe > > 07788 35 > > For all the ones I received, I get the same results: > > # sum decrypt-password.exe > 47131 35 > > I typically use md5sum, dunno exactly how it differs from sum but it's a standard for software downloads. > > # md5sum decrypt-password.exe > cc695e7e531c18843baa0731a38e969b decrypt-password.exe > > # sum /usr/local/f-prot/* > > # md5sum /usr/local/f-prot/* >
> Hope this helps :-) > ------------------------------------------------ > Francois Caen > Network Information Systems Engineer - Webmaster > City of Lakewood, WA > (253) 512-2269 From rishi at THEARGONCOMPANY.COM Mon Jun 24 17:15:35 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! I think References: <004d01c21b97$1843bfa0$1b02a8c0@theargoncompany.com> Message-ID: <013c01c21b9a$5f14afe0$1b02a8c0@theargoncompany.com> Also what's the output of f-prot -virno Here is mine: ------------------------------ SIGN.DEF created 24. June 2002 SIGN2.DEF created 24. June 2002 MACRO.DEF created 11.
June 2002 DOS/Windows: 25460 viruses and 14400 Trojans Word/Excel: 7625 viruses and Trojans Java: 2 viruses and 115 Trojans BAT: 1006 viruses and Trojans IRC INI: 360 viruses and Trojans Script: 1743 viruses and Trojans INF: 4 viruses and Trojans Unix shell: 31 viruses and Trojans Ami: 2 viruses and Trojans WinBat: 4 viruses and Trojans PIF: 18 viruses and Trojans PalmOS: 4 viruses and Trojans PHP: 2 viruses and Trojans Unix: 96 viruses and Trojans In addition, over 14400 viruses are identified using generic identification, so the total number of viruses and Trojans known to F-PROT is somewhere over 65200. ------------------------------ ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Monday, June 24, 2002 9:22 PM Subject: Re: f-prot / aves detects this as a virus !! I think > Hi Fracois > > What happens when you do : > > f-prot -virlist | grep -i Frethem > > > Regards > > Rishi > > > > ----- Original Message ----- > From: "Francois Caen" > To: > Sent: Tuesday, June 18, 2002 9:09 PM > Subject: Re: f-prot / aves detects this as a virus !! I think > > > > -----Original Message----- > > From: rishi@THEARGONCOMPANY.COM > > > > > Just had another idea. > > > What's the sum of the infected file that yoy have? > > > Here is mine. > > > > > > > > > [root f-prot]# sum /tmp/decrypt-password.exe > > > 07788 35 > > > > For all the ones I received, I get the same results: > > > > # sum decrypt-password.exe > > 47131 35 > > > > I typically use md5sum, dunno exactly how it differs from sum but it's a > standard for software downloads. 
> > > > # md5sum decrypt-password.exe > > cc695e7e531c18843baa0731a38e969b decrypt-password.exe > > > > # sum /usr/local/f-prot/* > > > > # md5sum /usr/local/f-prot/* > >
> > Hope this helps :-) > > ------------------------------------------------ > > Francois Caen > > Network Information Systems Engineer - Webmaster > > City of Lakewood, WA > > (253) 512-2269 From mailscanner at ecs.soton.ac.uk Mon Jun 24 17:32:40 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Mailscanner and SA performance In-Reply-To: References: <56033.129.80.22.134.1024929185.squirrel@tiger.dorfam.ca> Message-ID: <5.1.0.14.2.20020624173134.02f578e0@imap.ecs.soton.ac.uk> Just as a side note, can I remind you that SA performance will be greatly improved by using a recent version of MailScanner and enabling the "Compile SpamAssassin Once" option. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From SJCJonker at SJC.NL Mon Jun 24 17:47:06 2002 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:15:03 2006 Subject: Return Path, rpm start/stop script & McAfee update script Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I recently updated my mailscanner to 3.20-7 release, and noticed the return-path: header "error" I saw some mail previously in regards to this issue. I assumed this fix was incorporated in 3.20-7 is this correct or should i install the patch that was posted long ago anyway? (I'll have to look it up) Secondly the mcafee update script, as mentioned earlier, going with the default uvscan directory I can understand, but the removal of the option to have the dat seperatly i can't understand. Secondly the syslog loggin was removed also. For now I put back the syslog logging, I didn't have time to make the location of the dat file configurable just yet. As soon as I have that included without breaking anything, would it be possible to include this in the archive?
And finally, the rpm start/stop rc.d script. As mentioned on the webpage for contrib and additional scripts this should all be included, as far as i could find this isn't included in the MailScanner-3.20-7.tar.gz. Due to the special config changes (msg in a seperate directory for one) i made i don't want to install the rpm.. But I love the rc.d script. Is it just me not looking in the right places or is it really only distributed in the rpm? That's all folks. - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker - -- Outlook Express is actually an incredibly effective virus distribution system which only pretends to be an email program. [by Eric Lee] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9F00MH0P/oLuWBrcRAkrwAKCLPuLb9dbCQ6Anq0C2/YC4wl3joQCfVnsm HRGiXUUjEA9anTJH48mZiEs= =bdvT -----END PGP SIGNATURE----- From Matthew_doherty at DATAWATCH.COM Mon Jun 24 17:40:48 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! I think Message-ID: How can we achieve a simular output using sophos? -----Original Message----- From: Rishi Gangoly [mailto:rishi@THEARGONCOMPANY.COM] Sent: Monday, June 24, 2002 1:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: f-prot / aves detects this as a virus !! I think Also what's the output of f-prot -virno Here is mine: ------------------------------ SIGN.DEF created 24. June 2002 SIGN2.DEF created 24. June 2002 MACRO.DEF created 11. 
June 2002 DOS/Windows: 25460 viruses and 14400 Trojans Word/Excel: 7625 viruses and Trojans Java: 2 viruses and 115 Trojans BAT: 1006 viruses and Trojans IRC INI: 360 viruses and Trojans Script: 1743 viruses and Trojans INF: 4 viruses and Trojans Unix shell: 31 viruses and Trojans Ami: 2 viruses and Trojans WinBat: 4 viruses and Trojans PIF: 18 viruses and Trojans PalmOS: 4 viruses and Trojans PHP: 2 viruses and Trojans Unix: 96 viruses and Trojans In addition, over 14400 viruses are identified using generic identification, so the total number of viruses and Trojans known to F-PROT is somewhere over 65200. ------------------------------ ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Monday, June 24, 2002 9:22 PM Subject: Re: f-prot / aves detects this as a virus !! I think > Hi Fracois > > What happens when you do : > > f-prot -virlist | grep -i Frethem > > > Regards > > Rishi > > > > ----- Original Message ----- > From: "Francois Caen" > To: > Sent: Tuesday, June 18, 2002 9:09 PM > Subject: Re: f-prot / aves detects this as a virus !! I think > > > > -----Original Message----- > > From: rishi@THEARGONCOMPANY.COM > > > > > Just had another idea. > > > What's the sum of the infected file that yoy have? > > > Here is mine. > > > > > > > > > [root f-prot]# sum /tmp/decrypt-password.exe > > > 07788 35 > > > > For all the ones I received, I get the same results: > > > > # sum decrypt-password.exe > > 47131 35 > > > > I typically use md5sum, dunno exactly how it differs from sum but it's a > standard for software downloads. 
> > > > # md5sum decrypt-password.exe > > cc695e7e531c18843baa0731a38e969b decrypt-password.exe > > > > # sum /usr/local/f-prot/* > > > > # md5sum /usr/local/f-prot/* > >
> > Hope this helps :-) > > ------------------------------------------------ > > Francois Caen > > Network Information Systems Engineer - Webmaster > > City of Lakewood, WA > > (253) 512-2269 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/ed86551f/attachment.html From mailscanner at ecs.soton.ac.uk Mon Jun 24 18:19:19 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Return Path, rpm start/stop script & McAfee update script In-Reply-To: Message-ID: <5.1.0.14.2.20020624181435.02af8a18@imap.ecs.soton.ac.uk> At 17:47 24/06/2002, you wrote: >I recently updated my mailscanner to 3.20-7 release, and noticed the >return-path: header "error" I saw some mail previously in regards to this >issue. I assumed this fix was incorporated in 3.20-7 is this correct or >should i install the patch that was posted long ago anyway? (I'll have to >look it up) It was incorporated into the code quite a while ago. >Secondly the mcafee update script, as mentioned earlier, going with the >default uvscan directory I can understand, but the removal of the option >to have the dat seperatly i can't understand. Secondly the syslog loggin >was removed also. > >For now I put back the syslog logging, I didn't have time to make the >location of the dat file configurable just yet. As soon as I have that >included without breaking anything, would it be possible to include this >in the archive? I only want to include 1 script. I changed it to use the same locations as the default Mcafee installation, as that'w what most prople wanted. Sorry about that. >And finally, the rpm start/stop rc.d script.
As mentioned on the webpage >for contrib and additional scripts this should all be included, as far as >i could find this isn't included in the MailScanner-3.20-7.tar.gz. Due to >the special config changes (msg in a seperate directory for one) i made i >don't want to install the rpm.. But I love the rc.d script. Is it just me >not looking in the right places or is it really only distributed in the >rpm? The init.d script is only included in the rpm as it is extremely OS-specific, and would be almost useless on most systems that aren't redhat linux. If you want a copy of it without having to extract it manually from the rpm, drop me a line and I'll mail it to you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Mon Jun 24 18:26:06 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:03 2006 Subject: Mailscanner and SA performance Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8FC9@med-core03.med.wayne.edu> Also keep in mind that if you make changes to your SA rules, that you'll also have to restart Mailscanner so that it loads those changes. CompileNow() keeps SA/Mailscanner from having to reread the rules at every call in the same fashion that SpamD works. However, Mailscanner will reread the rules every 4 hours (default) when it reloads itself to clear any collected perl garbage. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, June 24, 2002 12:33 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner and SA performance Just as a side note, can I remind you that SA performance will be greatly improved by using a recent version of MailScanner and enabling the "Compile SpamAssassin Once" option. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From splee at PLEXIO.COM Mon Jun 24 19:35:40 2002 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:15:03 2006 Subject: init.d script for Redhat/Exim [Was: Return Path, rpm start/stop script & McAfee update script] In-Reply-To: <5.1.0.14.2.20020624181435.02af8a18@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020624181435.02af8a18@imap.ecs.soton.ac.uk> Message-ID: <1024943741.26851.6.camel@ralph.plexio.private> On Mon, 2002-06-24 at 10:19, Julian Field wrote: > > The init.d script is only included in the rpm as it is extremely > OS-specific, and would be almost useless on most systems that aren't redhat > linux. If you want a copy of it without having to extract it manually from > the rpm, drop me a line and I'll mail it to you. The init.d script is both Redhat and Sendmail specific. Has anyone modifed the script for Redhat/Exim yet? It doesn't look too difficult to do so if I get some time later this week I'll give it a try. Stephen -- splee@spl-linux.com www.spl-linux.com From ehren at PICKERING.COM Mon Jun 24 20:11:24 2002 From: ehren at PICKERING.COM (Daryl S. Ehrenheim) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! I think References: Message-ID: <3D176EDC.90006@pickering.com> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/0f265ca7/attachment.html From randyf at SIBERNET.COM Mon Jun 24 20:28:37 2002 From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:15:03 2006 Subject: Webmin Module In-Reply-To: Message-ID: Does this mean that you have actually created a webmin module that will be included in the next release? The reason I ask is that a while back I started a cut at a module, but lacking the time did not complete it. If this is actually a request for a webmin module, it might make some sense to pick it up again. 
rf On Mon, 24 Jun 2002, Matt Doherty wrote: > Yes I emailed Jamie (the author of Webmin) of this. He will include it in > his next update. Also a facility addon, in the syslogs for mailscanner.. =) > -----Original Message----- > From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] > Sent: Monday, June 24, 2002 11:00 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Webmin Module > > > I am also looking for a webmin module for mailscanner? > Has anybody attempted this? > > > -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > > From Matthew_doherty at DATAWATCH.COM Mon Jun 24 20:39:08 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:03 2006 Subject: Webmin Module Message-ID: No, not me. I never tried to create a module.. I am just a user of webmin that has given lots of feedback over the past year for some tweaks and ideas that the author has takin in consideration.. Webmin will soon have an update with mailscanner in mind.. \Thats what the author of webmin responded to me. thanks.. -----Original Message----- From: Randy Fishel [mailto:randyf@SIBERNET.COM] Sent: Monday, June 24, 2002 4:33 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Webmin Module Does this mean that you have actually created a webmin module that will be included in the next release? The reason I ask is that a while back I started a cut at a module, but lacking the time did not complete it. If this is actually a request for a webmin module, it might make some sense to pick it up again. rf On Mon, 24 Jun 2002, Matt Doherty wrote: > Yes I emailed Jamie (the author of Webmin) of this. He will include it in > his next update. Also a facility addon, in the syslogs for mailscanner.. 
=) > -----Original Message----- > From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] > Sent: Monday, June 24, 2002 11:00 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Webmin Module > > > I am also looking for a webmin module for mailscanner? > Has anybody attempted this? > > > -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/f760a20d/attachment.html From Matthew_doherty at DATAWATCH.COM Mon Jun 24 20:39:08 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! I think Message-ID: Thank You -----Original Message----- From: Daryl S. Ehrenheim [mailto:ehren@PICKERING.COM] Sent: Monday, June 24, 2002 4:09 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: f-prot / aves detects this as a virus !! I think Matt Doherty wrote: How can we achieve a simular output using sophos? Is this the kind on info you are looking for? Try doing: sweep -vv Here is the output on my linux box. SWEEP virus detection utility Copyright (c) 1989,2002 Sophos Plc, www.sophos.com System time 12:08:13, System date 24 June 2002 Product version : 3.58 Engine version : 2.10 User interface version : 2.03.098 Platform : Linux/Intel Released : 03 June 2002 Total viruses (with IDEs) : 74067 Default executable extensions: 386, 3GR, ADD, ASP, CHM, COM, CPL, DLL, DMD, DOC, DOT, DRV, EXE, FLT, FON, FOT, I13, IFS, MOD, MPD, MSO, OCX, OV?, PDR, SCR, SYS, VXD, XL?, VB?, INI, MPP, MPT, HLP, HT?, SRC, SHS, SHB, PRC, PPS, PPT, POT, PIF, HTML, WBK, LNK, BAT, SH, PL, EML, NWS, RTF, DBX, PDF, SWF, JS, JSE Files without extensions will also be scanned by default. 
Archive types supported: Archive name Command line qualifier Extension(s) Arj -arj ARJ Cmz -cmz Z, TAZ Gzip -gzip GZ, TGZ Rar -rar RAR Tar -tar TAR Zip -zip ZIP Lha -lha LHA, LZH MSCompress -mscmp ??_ SfxArchives -sfx EXE MacBinary -mbin BIN BinHex -bhex HQX Uue -uue UUE -----Original Message----- From: Rishi Gangoly [mailto:rishi@THEARGONCOMPANY.COM] Sent: Monday, June 24, 2002 1:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: f-prot / aves detects this as a virus !! I think Also what's the output of f-prot -virno Here is mine: ------------------------------ SIGN.DEF created 24. June 2002 SIGN2.DEF created 24. June 2002 MACRO.DEF created 11. June 2002 DOS/Windows: 25460 viruses and 14400 Trojans Word/Excel: 7625 viruses and Trojans Java: 2 viruses and 115 Trojans BAT: 1006 viruses and Trojans IRC INI: 360 viruses and Trojans Script: 1743 viruses and Trojans INF: 4 viruses and Trojans Unix shell: 31 viruses and Trojans Ami: 2 viruses and Trojans WinBat: 4 viruses and Trojans PIF: 18 viruses and Trojans PalmOS: 4 viruses and Trojans PHP: 2 viruses and Trojans Unix: 96 viruses and Trojans In addition, over 14400 viruses are identified using generic identification, so the total number of viruses and Trojans known to F-PROT is somewhere over 65200. ------------------------------ ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Monday, June 24, 2002 9:22 PM Subject: Re: f-prot / aves detects this as a virus !! I think > Hi Fracois > > What happens when you do : > > f-prot -virlist | grep -i Frethem > > > Regards > > Rishi > > > > ----- Original Message ----- > From: "Francois Caen" > To: > Sent: Tuesday, June 18, 2002 9:09 PM > Subject: Re: f-prot / aves detects this as a virus !! I think > > > > -----Original Message----- > > From: rishi@THEARGONCOMPANY.COM > > > > > Just had another idea. > > > What's the sum of the infected file that yoy have? > > > Here is mine. 
> > > > > > > > > [root f-prot]# sum /tmp/decrypt-password.exe > > > 07788 35 > > > > For all the ones I received, I get the same results: > > > > # sum decrypt-password.exe > > 47131 35 > > > > I typically use md5sum, dunno exactly how it differs from sum but it's a > standard for software downloads. > > > > # md5sum decrypt-password.exe > > cc695e7e531c18843baa0731a38e969b decrypt-password.exe > > > > # sum /usr/local/f-prot/* > > > > # md5sum /usr/local/f-prot/* > >
> > Hope this helps :-) > > ------------------------------------------------ > > Francois Caen > > Network Information Systems Engineer - Webmaster > > City of Lakewood, WA > > (253) 512-2269 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020624/2bce935f/attachment.html From brandonf at BFCONSULT.CO.ZA Mon Jun 24 21:11:15 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:03 2006 Subject: Webmin Module References: Message-ID: <3D177CE3.4040109@bfconsult.co.za> Any idea of how soon we can expect the next release? Matt Doherty wrote: > No, not me. I never tried to create a module.. I am just a user of > webmin that has given lots of feedback over the past year for some > tweaks and ideas that the author has takin in consideration.. Webmin > will soon have an update with mailscanner in mind.. > > \Thats what the author of webmin responded to me. > > thanks.. > > -----Original Message----- > From: Randy Fishel [mailto:randyf@SIBERNET.COM] > Sent: Monday, June 24, 2002 4:33 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Webmin Module > > Does this mean that you have actually created a webmin module that will > be included in the next release? > > The reason I ask is that a while back I started a cut at a module, but > lacking the time did not complete it. If this is actually a request > for a > webmin module, it might make some sense to pick it up again.
> > rf > > On Mon, 24 Jun 2002, Matt Doherty wrote: > > > Yes I emailed Jamie (the author of Webmin) of this. He will > include it in > > his next update. Also a facility addon, in the syslogs for > mailscanner.. =) > > -----Original Message----- > > From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] > > Sent: Monday, June 24, 2002 11:00 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Webmin Module > > > > > > I am also looking for a webmin module for mailscanner? > > Has anybody attempted this? > > > > > > -- > > > > Regards > > Brandon Friedman > > Cell:083 408 7840 > > E-mail: brandonf@bfconsult.co.za > > www.bfconsult.co.za > > > > > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From brandonf at BFCONSULT.CO.ZA Mon Jun 24 22:28:11 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters Message-ID: <3D178EEB.10803@bfconsult.co.za> I want to setup a few accounts to recieve postmaster warining for viruses detected on my server but I only one to one to be visible to the normal users (ie postmaster@mydomain) How? Thanks! -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From mike at CAMAROSS.NET Mon Jun 24 22:32:41 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <3D178EEB.10803@bfconsult.co.za> Message-ID: <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> /etc/aliases ----- Original Message ----- From: "Brandon Friedman" To: Sent: Monday, June 24, 2002 4:28 PM Subject: Setting up multiple postmasters > I want to setup a few accounts to recieve postmaster warining for > viruses detected on my server but I only one to one to be visible to the > normal users (ie postmaster@mydomain) > > How? > Thanks! 
> -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > From brandonf at BFCONSULT.CO.ZA Mon Jun 24 22:40:10 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <3D178EEB.10803@bfconsult.co.za> <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> Message-ID: <3D1791BA.1060600@bfconsult.co.za> ooops silly me sorry.... It's late and I haven't had a second cup of coffee... So you wouldn't do it in the mailscanner.conf then? Mike Kercher wrote: > /etc/aliases > > ----- Original Message ----- > From: "Brandon Friedman" > To: > Sent: Monday, June 24, 2002 4:28 PM > Subject: Setting up multiple postmasters > > > >>I want to setup a few accounts to recieve postmaster warining for >>viruses detected on my server but I only one to one to be visible to the >>normal users (ie postmaster@mydomain) >> >>How? >>Thanks! >>-- >> >>Regards >>Brandon Friedman >>Cell:083 408 7840 >>E-mail: brandonf@bfconsult.co.za >>www.bfconsult.co.za >> >> > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From mike at CAMAROSS.NET Mon Jun 24 22:47:05 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <3D178EEB.10803@bfconsult.co.za> <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> <3D1791BA.1060600@bfconsult.co.za> Message-ID: <042f01c21bc8$af315450$6501a8c0@home.wideopenthrottle.org> In my mailscanner.conf, I put antivirus@mydomain.com rather than postmaster. Then in /etc/aliases, antivirus: goes to me and anyone else I'd like to get a copy. What I'd LIKE to see is the possibility of sending the notification to postmaster@ domain1 or domain2 since I host mail for MANY domains. That way, my technical contact at each location can know what's going on. 
Mike ----- Original Message ----- From: "Brandon Friedman" To: Sent: Monday, June 24, 2002 4:40 PM Subject: Re: Setting up multiple postmasters > ooops silly me sorry.... > > It's late and I haven't had a second cup of coffee... > > So you wouldn't do it in the mailscanner.conf then? > > Mike Kercher wrote: > > > /etc/aliases > > > > ----- Original Message ----- > > From: "Brandon Friedman" > > To: > > Sent: Monday, June 24, 2002 4:28 PM > > Subject: Setting up multiple postmasters > > > > > > > >>I want to setup a few accounts to recieve postmaster warining for > >>viruses detected on my server but I only one to one to be visible to the > >>normal users (ie postmaster@mydomain) > >> > >>How? > >>Thanks! > >>-- > >> > >>Regards > >>Brandon Friedman > >>Cell:083 408 7840 > >>E-mail: brandonf@bfconsult.co.za > >>www.bfconsult.co.za > >> > >> > > > > > -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > From mike at CAMAROSS.NET Mon Jun 24 22:51:58 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <3D178EEB.10803@bfconsult.co.za> <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> <3D1791BA.1060600@bfconsult.co.za> <042f01c21bc8$af315450$6501a8c0@home.wideopenthrottle.org> Message-ID: <043701c21bc9$5d71c9f0$6501a8c0@home.wideopenthrottle.org> oops...just for clarification, I'd like notification to be sent to postmaster@ domain1 or domain2 IF the infected email was destined for domain1 or domain2 or domain37... :) ----- Original Message ----- From: "Mike Kercher" To: Sent: Monday, June 24, 2002 4:47 PM Subject: Re: Setting up multiple postmasters > In my mailscanner.conf, I put antivirus@mydomain.com rather than postmaster. > Then in /etc/aliases, antivirus: goes to me and anyone else I'd like to get > a copy. 
> > What I'd LIKE to see is the possibility of sending the notification to > postmaster@ domain1 or domain2 since I host mail for MANY domains. That > way, my technical contact at each location can know what's going on. > > Mike > > ----- Original Message ----- > From: "Brandon Friedman" > To: > Sent: Monday, June 24, 2002 4:40 PM > Subject: Re: Setting up multiple postmasters > > > > ooops silly me sorry.... > > > > It's late and I haven't had a second cup of coffee... > > > > So you wouldn't do it in the mailscanner.conf then? > > > > Mike Kercher wrote: > > > > > /etc/aliases > > > > > > ----- Original Message ----- > > > From: "Brandon Friedman" > > > To: > > > Sent: Monday, June 24, 2002 4:28 PM > > > Subject: Setting up multiple postmasters > > > > > > > > > > > >>I want to setup a few accounts to recieve postmaster warining for > > >>viruses detected on my server but I only one to one to be visible to the > > >>normal users (ie postmaster@mydomain) > > >> > > >>How? > > >>Thanks! > > >>-- > > >> > > >>Regards > > >>Brandon Friedman > > >>Cell:083 408 7840 > > >>E-mail: brandonf@bfconsult.co.za > > >>www.bfconsult.co.za > > >> > > >> > > > > > > > > > -- > > > > Regards > > Brandon Friedman > > Cell:083 408 7840 > > E-mail: brandonf@bfconsult.co.za > > www.bfconsult.co.za > > > From fxjwk at AURORA.UAF.EDU Mon Jun 24 22:42:43 2002 From: fxjwk at AURORA.UAF.EDU (Jo Knox) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters In-Reply-To: <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> Message-ID: /etc/mail/aliases if your sendmail is newer... 
On Mon, 24 Jun 2002, Mike Kercher wrote: > /etc/aliases > > ----- Original Message ----- > From: "Brandon Friedman" > To: > Sent: Monday, June 24, 2002 4:28 PM > Subject: Setting up multiple postmasters > > > > I want to setup a few accounts to recieve postmaster warining for > > viruses detected on my server but I only one to one to be visible to the > > normal users (ie postmaster@mydomain) > > > > How? > > Thanks! > > -- > > > > Regards > > Brandon Friedman > > Cell:083 408 7840 > > E-mail: brandonf@bfconsult.co.za > > www.bfconsult.co.za > > > From brandonf at BFCONSULT.CO.ZA Mon Jun 24 22:51:20 2002 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <3D178EEB.10803@bfconsult.co.za> <041b01c21bc6$ac072860$6501a8c0@home.wideopenthrottle.org> <3D1791BA.1060600@bfconsult.co.za> Message-ID: <3D179458.4030802@bfconsult.co.za> now that I think about it, I actually only want virus alerts! Not all postmater message? I want several admins to recieve virus warnings Brandon Friedman wrote: > ooops silly me sorry.... > > It's late and I haven't had a second cup of coffee... > > So you wouldn't do it in the mailscanner.conf then? > > Mike Kercher wrote: > >> /etc/aliases >> >> ----- Original Message ----- >> From: "Brandon Friedman" >> To: >> Sent: Monday, June 24, 2002 4:28 PM >> Subject: Setting up multiple postmasters >> >> >> >>> I want to setup a few accounts to recieve postmaster warining for >>> viruses detected on my server but I only one to one to be visible to the >>> normal users (ie postmaster@mydomain) >>> >>> How? >>> Thanks! 
>>> -- >>> >>> Regards >>> Brandon Friedman >>> Cell:083 408 7840 >>> E-mail: brandonf@bfconsult.co.za >>> www.bfconsult.co.za >>> >>> >> > > > -- > > Regards > Brandon Friedman > Cell:083 408 7840 > E-mail: brandonf@bfconsult.co.za > www.bfconsult.co.za > -- Regards Brandon Friedman Cell:083 408 7840 E-mail: brandonf@bfconsult.co.za www.bfconsult.co.za From mark at TIPPINGMAR.COM Tue Jun 25 00:11:17 2002 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:15:03 2006 Subject: Notify Senders In-Reply-To: <20020619191018.GA2775@bragann> Message-ID: <000401c21bd4$71ebf120$1cfea8c0@tippingmar.com> I use "Notify Senders = no" because I'm a little reluctant to send automated mail to someone outside our office (possibly a client). For sensitive relationships I'd rather call the client and explain the problem personally, without implying that he or she did something stupid (even if he or she did something stupid). At the same time, I have "Deliver From Local Domain = no" because I don't want an outsider to know that one of my users tried to send them something bad. With this arrangement, if one of my users sends a message with a virus, (or more likely, a message with a poorly named attachment") the message is deleted and only I, as the postmaster, receive a warning. I guess what I would prefer is something like "Notify Senders = yes | no | local" so that my local users would know if their messages were not sent. What do you think? If you think I'm being silly and I should just set "Notify Senders = yes", then say so! I'm new to mailscanner, and I could be convinced. P.S. If I change a setting like this in mailscanner.conf do I have to restart mailscanner? 
From mike at CAMAROSS.NET Tue Jun 25 01:31:54 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:03 2006 Subject: Notify Senders References: <000401c21bd4$71ebf120$1cfea8c0@tippingmar.com> Message-ID: <005701c21bdf$b4ed4220$6501a8c0@home.wideopenthrottle.org> My understanding is that you can make a change and not restart mailscanner. In the .conf, there is a line that says Restart Every = 14400 # 4 hours. The changes would be picked up at that point. If you want the changes to take effect immediately, you'd have to restart mailscanner yourself. Mike ----- Original Message ----- From: "Mark Nienberg" To: Sent: Monday, June 24, 2002 6:11 PM Subject: Notify Senders > I use > > "Notify Senders = no" > > because I'm a little reluctant to send automated mail to someone outside > our office (possibly a client). For sensitive relationships I'd rather > call the client and explain the problem personally, without implying > that he or she did something stupid (even if he or she did something > stupid). At the same time, I have > > "Deliver From Local Domain = no" > > because I don't want an outsider to know that one of my users tried to > send them something bad. > > With this arrangement, if one of my users sends a message with a virus, > (or more likely, a message with a poorly named attachment") the message > is deleted and only I, as the postmaster, receive a warning. I guess > what I would prefer is something like > > "Notify Senders = yes | no | local" > > so that my local users would know if their messages were not sent. What > do you think? If you think I'm being silly and I should just set "Notify > Senders = yes", then say so! I'm new to mailscanner, and I could be > convinced. > > P.S. If I change a setting like this in mailscanner.conf do I have to > restart mailscanner? 
> From nwp at LEMON-COMPUTING.COM Tue Jun 25 06:30:03 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:15:03 2006 Subject: f-prot / aves detects this as a virus !! I think In-Reply-To: <3D176EDC.90006@pickering.com> References: <3D176EDC.90006@pickering.com> Message-ID: <20020625053003.GA12664@hoiho.nz.lemon-computing.com> Top tips for mailing lists #2: The following is what my mailer shows when I reply to the previous message; it's also what a lot of people will see on looking at an html message posted to a mailing list... this is not because they are clueless, either. A *lot* of people still regard html-only mail, especially to mailing lists, as an abortion -- and are either unable or disinclined to read it. Moral: if you want your mail to be read, post in PLAIN TEXT. On Mon, Jun 24, 2002 at 12:11:24PM -0700, Daryl S. Ehrenheim wrote: -- Nick Phillips -- nwp@lemon-computing.com You have been selected for a secret mission. From pipera at HRZ.UNI-MARBURG.DE Tue Jun 25 07:29:50 2002 From: pipera at HRZ.UNI-MARBURG.DE (Piper Andreas) Date: Thu Jan 12 21:15:03 2006 Subject: Mailscanner and SA performance In-Reply-To: Your message of "Mon, 24 Jun 2002 17:32:40 BST." <5.1.0.14.2.20020624173134.02f578e0@imap.ecs.soton.ac.uk> Message-ID: <200206250629.g5P6TojZ032436@pcrz109.hrz.uni-marburg.de> > Just as a side note, can I remind you that SA performance will be greatly > improved by using a recent version of MailScanner and enabling the "Compile > SpamAssassin Once" option. is this true for Perl-5.005, or will it only work correctly with Perl-5.6.1? Andreas Piper ________________________________________________________________________ Dr. Andreas Piper, Hochschulrechenzentrum der Philipps-Univ. 
Marburg Hans-Meerwein-Strasse, 35032 Marburg, Germany Phone: +49 6421 28-23521 Fax: -26994 Email: piper@HRZ.Uni-Marburg.DE
From leet at LEENX.CO.ZA Tue Jun 25 09:13:49 2002 From: leet at LEENX.CO.ZA (C.Lee Taylor) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters References: <200206242307.g5ON7JI22772@zeus.scania.co.za> Message-ID: <3D18263D.8020005@leenx.co.za> > oops...just for clarification, I'd like notification to be sent to > postmaster@ domain1 or domain2 IF the infected email was destined for > domain1 or domain2 or domain37... :) I would like to second that ... something I have ask before, but not been a programmer, I am going to have to find a way to pay a programmer to do it ... I saw a mention on the mail list to do this earlier ...
Mailed Lee From S.R.Patterson at SOTON.AC.UK Tue Jun 25 10:13:07 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:03 2006 Subject: Why I think RBL should be done with the MTA rather than Mailscann er Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm just working through in my head the options for spam blocking and come up with the following advantages to using RBL lists on the MTA (i.e. sendmail) at point of acceptance rather than using them on Mailscanner: - - Reduced server load - you don't have to bother accepting a mail for delivery (i.e. spooling it all up) when you already know you're going to reject it anyway - - The remote user/server gets a sensible rejection message at the point of "MAIL FROM:" or "RCPT TO:" along the lines of "Your domain is black listed, please see http://useful.url" - - Perhaps of maximum importance to me, you have complete control of your mail relaying policies through sendmail itself - for example, I want to use the MAPS Dial up list to block direct mailing to my servers from diaul up users. However, I don't want to stop valid University users at home on their dialup connections from sending mail through my servers. The answer - implement SMTP Authentication (already done!) and only reject IP addresses in the MAPS Dial Up list if the user hasn't first authenticated themselves with a valid username and password. How would you do this in Mailscanner? Can anybody see any advantages to using the RBL lists on Mailscanner instead of on the MTA directly? I'd like to hear the flip side of the debate! This is by no means a dig at the product or at Julian who works very hard to implement all of the features which his userbase demands (though I somethimes think the userbase demands inappropriate features... Don't even get me started on SA...;P) Here's a feature for you Jules... 
How about making "plug in" module support for each MTA, spam features, Spam Assassin, Virus scanner, etc - by which I mean you only load the code which you need for the features and software that you are using. No, don't ask me how you'd do that :) Yours ramblingly, Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRg0Ea2fOiTs5+WvEQLibwCeKwQY8ufxPTJc4yHAi2wwg4GHjToAoNYP rBipxN3ahQJmwXHHlKmPvRxY =KV8w -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Tue Jun 25 10:12:57 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Mailscanner and SA performance In-Reply-To: <200206250629.g5P6TojZ032436@pcrz109.hrz.uni-marburg.de> References: Message-ID: <5.1.0.14.2.20020625101232.0492d608@imap.ecs.soton.ac.uk> At 07:29 25/06/2002, you wrote: > > Just as a side note, can I remind you that SA performance will be greatly > > improved by using a recent version of MailScanner and enabling the "Compile > > SpamAssassin Once" option. > >is this true for Perl-5.005, or will it only work correctly with Perl-5.6.1? It doesn't depend on the version of Perl. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jun 25 10:14:30 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Setting up multiple postmasters In-Reply-To: <3D18263D.8020005@leenx.co.za> References: <200206242307.g5ON7JI22772@zeus.scania.co.za> Message-ID: <5.1.0.14.2.20020625101344.04962408@imap.ecs.soton.ac.uk> At 09:13 25/06/2002, you wrote: >>oops...just for clarification, I'd like notification to be sent to >>postmaster@ domain1 or domain2 IF the infected email was destined for >>domain1 or domain2 or domain37... :) > I would like to second that ... something I have ask before, but > not been a >programmer, I am going to have to find a way to pay a programmer to do it >... I saw a mention on the mail list to do this earlier ... This is possible, but I would rather wait to add it until we have re-structured the code. It should be much easier to add this then. So if you can wait a bit, it will appear, but not very soon. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jun 25 10:12:09 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Notify Senders In-Reply-To: <000401c21bd4$71ebf120$1cfea8c0@tippingmar.com> References: <20020619191018.GA2775@bragann> Message-ID: <5.1.0.14.2.20020625101136.02cc2b00@imap.ecs.soton.ac.uk> I think all you need do is set "Notify Senders = yes" and "Deliver From Local Domain = no" and you should get what you want. At 00:11 25/06/2002, you wrote: >I use > >"Notify Senders = no" > >because I'm a little reluctant to send automated mail to someone outside >our office (possibly a client). 
For sensitive relationships I'd rather >call the client and explain the problem personally, without implying >that he or she did something stupid (even if he or she did something >stupid). At the same time, I have > >"Deliver From Local Domain = no" > >because I don't want an outsider to know that one of my users tried to >send them something bad. > >With this arrangement, if one of my users sends a message with a virus, >(or more likely, a message with a poorly named attachment") the message >is deleted and only I, as the postmaster, receive a warning. I guess >what I would prefer is something like > >"Notify Senders = yes | no | local" > >so that my local users would know if their messages were not sent. What >do you think? If you think I'm being silly and I should just set "Notify >Senders = yes", then say so! I'm new to mailscanner, and I could be >convinced. > >P.S. If I change a setting like this in mailscanner.conf do I have to >restart mailscanner? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jun 25 10:26:20 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:03 2006 Subject: Why I think RBL should be done with the MTA rather than Mailscann er In-Reply-To: Message-ID: <5.1.0.14.2.20020625102240.04923a90@imap.ecs.soton.ac.uk> At 10:13 25/06/2002, you wrote: >- - Perhaps of maximum importance to me, you have complete control of >your mail relaying policies through sendmail itself - for example, I >want to use the MAPS Dial up list to block direct mailing to my >servers from diaul up users. However, I don't want to stop valid >University users at home on their dialup connections from sending mail >through my servers. The answer - implement SMTP Authentication >(already done!) 
and only reject IP addresses in the MAPS Dial Up list >if the user hasn't first authenticated themselves with a valid >username and password. How would you do this in Mailscanner? "Accept Spam From = 152.78." >Can anybody see any advantages to using the RBL lists on Mailscanner >instead of on the MTA directly? I'd like to hear the flip side of the >debate! In cases where the spam traps get it wrong, the user still gets the mail. >Here's a feature for you Jules... How about making "plug in" module >support for each MTA, spam features, Spam Assassin, Virus scanner, etc >- by which I mean you only load the code which you need for the >features and software that you are using. No, don't ask me how you'd >do that :) This should appear as part of the big code-rewrite that is just about to start. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Tue Jun 25 10:31:27 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:15:03 2006 Subject: Why I think RBL should be done with the MTA rather than Mails cann er Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 25 June 2002 10:26 > To: MAILSCANNER@JISCMAIL.AC.UK > > "Accept Spam From = 152.78." Only works if my dialup users dial in to the University modem pool. It doesn't help the ISP users who want to mail through smtp.soton.ac.uk for example. > In cases where the spam traps get it wrong, the user still > gets the mail. Agreed, assuming you haven't set action to delete! :) - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. 
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPRg4bq2fOiTs5+WvEQLb8QCfYATHI1QfHUo5cNjWKAiMbv/lJtMAoJLk sK1idiKVtVWEeXQhDq47AuZj =tcC1 -----END PGP SIGNATURE----- From pipera at HRZ.UNI-MARBURG.DE Tue Jun 25 10:49:54 2002 From: pipera at HRZ.UNI-MARBURG.DE (Piper Andreas) Date: Thu Jan 12 21:15:04 2006 Subject: bogus qf-file generated by mailscanner Message-ID: <200206250949.g5P9nsjZ009581@pcrz109.hrz.uni-marburg.de> Hello, using mailscanner-3.20-6 with SA-2.30 on AIX 4.3 with sendmail-8.11 and Perl-5.005, I observe, that sometimes queue-Files in the delivering queue are renamed from qf.. to Qf.. and the corresponding message is not delivered. This happens for about 2 percent of messages marked as spam. Reason for this behaviour is, as far as I can see, that by generating the output-qf-file mailscanner seems to split the header-line for the SA-result in such a way, that a single line, containing only ')', without a leading TAB-char, is generated. The ')' should correctly be at the end of the previous line, to end the SA-report, standing alone on a single line it is not recognized by sendmail and thus the qf-file is not accepted. In the logs I found that for these messages the SA-report had an additional whitespace at its end (before the ')'), which seems to cause this behaviour. I included this patch into sendmail.pl (after line 285): $SASaysSpam = 0 unless $SAreport; # Solve bug with empty SAreports + $SAreport =~ s/\s+$// if $SAreport; to get rid of the whitespace, and it is now working correctly for half a day. Andreas Piper ________________________________________________________________________ Dr. Andreas Piper, Hochschulrechenzentrum der Philipps-Univ. 
Marburg Hans-Meerwein-Strasse, 35032 Marburg, Germany Phone: +49 6421 28-23521 Fax: -26994 Email: piper@HRZ.Uni-Marburg.DE From mdunder at GE.UCL.AC.UK Tue Jun 25 11:09:35 2002 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:15:04 2006 Subject: {SPAM?} Re: f-prot / aves detects this as a virus !! I think In-Reply-To: <3D176EDC.90006@pickering.com> Message-ID: On Mon, 24 Jun 2002, Daryl S. Ehrenheim wrote: > > > Matt Doherty wrote: > How can we achieve a simular output using sophos? > > Is this the kind on info you are looking for? If it's just a version number you are looking for then you could just look at the directory that /opt/sophos/ide is linked to - the first part is the version and the second part is the date that the ide files have been last updated: apollo (beta/mdunder) 7 > ls -l /opt/sophos/ide lrwxrwxrwx 1 root other 28 Jun 25 00:13 /opt/sophos/ide -> /opt/sophos/358.200206250013 Just a thought.. M. From mailscanner at ecs.soton.ac.uk Tue Jun 25 11:16:56 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:04 2006 Subject: bogus qf-file generated by mailscanner In-Reply-To: <200206250949.g5P9nsjZ009581@pcrz109.hrz.uni-marburg.de> Message-ID: <5.1.0.14.2.20020625111610.02ceafb0@imap.ecs.soton.ac.uk> Thanks for spotting this one. Fortunately it only affects mail that was marked as spam anyway, so it's not critical. However, I will push out a new release some time to incorporate the fix (and the one someone mentioned earlier today). At 10:49 25/06/2002, you wrote: >Hello, > >using mailscanner-3.20-6 with SA-2.30 on AIX 4.3 with sendmail-8.11 >and Perl-5.005, I observe, that sometimes queue-Files in the delivering >queue are renamed from qf.. to Qf.. and the corresponding message is >not delivered. This happens for about 2 percent of messages marked >as spam. 
> >Reason for this behaviour is, as far as I can see, that by generating the >output-qf-file mailscanner seems to split the header-line for the SA-result >in such a way, that a single line, containing only ')', without a leading >TAB-char, is generated. The ')' should correctly be at the end of the >previous line, to end the SA-report, standing alone on a single line it >is not recognized by sendmail and thus the qf-file is not accepted. > >In the logs I found that for these messages the SA-report had an >additional whitespace at its end (before the ')'), which seems to cause >this behaviour. I included this patch into sendmail.pl (after line 285): > > $SASaysSpam = 0 unless $SAreport; # Solve bug with empty SAreports >+ $SAreport =~ s/\s+$// if $SAreport; > >to get rid of the whitespace, and it is now working correctly for half a day. > >Andreas Piper > >________________________________________________________________________ >Dr. Andreas Piper, Hochschulrechenzentrum der Philipps-Univ. Marburg > Hans-Meerwein-Strasse, 35032 Marburg, Germany >Phone: +49 6421 28-23521 Fax: -26994 Email: piper@HRZ.Uni-Marburg.DE -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From shawn at QCOMINC.COM Tue Jun 25 12:14:47 2002 From: shawn at QCOMINC.COM (Shawn Boyce) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email Message-ID: <3D1850A7.60107@qcominc.com> I'm having trouble with our outgoing email being tagged as SPAM! How do I configure mailscanner to not scan outgoing email using spamassassin? I still want outgoing email scanned for viruses. I didn't see anything in the FAQ. -- Shawn Boyce QCOM, Inc. 
Quality Software is Our Business http://www.qcominc.com From mailscanner at ecs.soton.ac.uk Tue Jun 25 12:32:00 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <3D1850A7.60107@qcominc.com> Message-ID: <5.1.0.14.2.20020625123142.04a98a20@imap.ecs.soton.ac.uk> At 12:14 25/06/2002, you wrote: >I'm having trouble with our outgoing email being tagged >as SPAM! > >How do I configure mailscanner to not scan outgoing email >using spamassassin? I still want outgoing email scanned for >viruses. I didn't see anything in the FAQ. See the "Accept Spam From" option. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Tue Jun 25 13:11:04 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:04 2006 Subject: Why I think RBL should be done with the MTA rather than Mailscann er In-Reply-To: References: Message-ID: On Tue, 25 Jun 2002 10:13:07 +0100, you wrote: >I'm just working through in my head the options for spam blocking and >come up with the following advantages to using RBL lists on the MTA >(i.e. sendmail) at point of acceptance rather than using them on >Mailscanner: These are all valid reasons untill the policy is to accept spam and leave it up to the client to decide on which points he wants to block. Our users want to be able to filter on "X-utwente-mailscanner-spam" and "rfc-ignorant" and not on other blacklists. 
-- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From gerry at dorfam.ca Tue Jun 25 13:29:48 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <3D1850A7.60107@qcominc.com> References: <3D1850A7.60107@qcominc.com> Message-ID: <10148.129.80.22.134.1025008188.squirrel@tiger.dorfam.ca> > I'm having trouble with our outgoing email being tagged > as SPAM! > > How do I configure mailscanner to not scan outgoing email > using spamassassin? I still want outgoing email scanned for > viruses. I didn't see anything in the FAQ. > > -- > Shawn Boyce > QCOM, Inc. > Quality Software is Our Business > http://www.qcominc.com Why does spamassassin think your mail is spam? If it thinks you're sending spam then won't all the rest of us think you're sending it too? Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From LISTSERV at JISCMAIL.AC.UK Tue Jun 25 13:24:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:04 2006 Subject: MAILSCANNER: jason@JNJ.ORG requested to join Message-ID: <200206251225.NAA21819@magpie.ecs.soton.ac.uk> Tue, 25 Jun 2002 13:24:44 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jason Burnett You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jason@JNJ.ORG Jason Burnett PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. 
Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jason@JNJ.ORG Jason Burnett // EOJ From LISTSERV at JISCMAIL.AC.UK Tue Jun 25 13:27:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:04 2006 Subject: MAILSCANNER: mattison_ward@YAHOO.COM left the JISCmail list Message-ID: <200206251227.NAA21999@magpie.ecs.soton.ac.uk> Tue, 25 Jun 2002 13:27:21 Mattison Ward has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jason at jnj.org Tue Jun 25 13:48:47 2002 From: jason at jnj.org (Jason) Date: Thu Jan 12 21:15:04 2006 Subject: occasional empty spamassassin reports Message-ID: <20020625124847.GB28827@jnj.org> howdy perhaps about 10% of the time (maybe a bit less), I get an email with this header: X-MailScanner-SpamCheck: not spam, SpamAssassin () I have it set to always include the spamassassin report header. This happens with both spam and non-spam. I thought maybe spamassassin was timing out, so I increased the timeoout in mailscanner.conf to 30 from 10. No love. Known bug? -- Jason Burnett jason@jnj.org ~ No witty signature available at this time ~ From mailscanner at ecs.soton.ac.uk Tue Jun 25 14:06:00 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:04 2006 Subject: occasional empty spamassassin reports In-Reply-To: <20020625124847.GB28827@jnj.org> Message-ID: <5.1.0.14.2.20020625140233.04f0aee0@imap.ecs.soton.ac.uk> I have added a test into the latest release to catch this so it doesn't think this is spam, not that that's your problem here. I have not been able to find the cause of it. Sometimes SpamAssassin seems to generate an empty report. I suspected it was due to timeout problems, but as you have seen yourself it's not that. 
On another note I have finally been able to reliably reproduce the bug where SpamAssassin reports that a message is spam, even though its hits < required-hits. I coded around this in MailScanner some time ago, but have just posted the bug report to the SA mailing list in the hope someone might fix it. At 13:48 25/06/2002, you wrote: >howdy > >perhaps about 10% of the time (maybe a bit less), I get an email with >this header: > >X-MailScanner-SpamCheck: not spam, SpamAssassin () > >I have it set to always include the spamassassin report header. This happens >with both spam and non-spam. I thought maybe spamassassin was timing out, >so I increased the timeoout in mailscanner.conf to 30 from 10. No love. > >Known bug? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From shawn at QCOMINC.COM Tue Jun 25 14:13:34 2002 From: shawn at QCOMINC.COM (Shawn Boyce) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email References: <3D1850A7.60107@qcominc.com> <10148.129.80.22.134.1025008188.squirrel@tiger.dorfam.ca> Message-ID: <3D186C7E.60906@qcominc.com> Gerry Doris wrote: >>I'm having trouble with our outgoing email being tagged >>as SPAM! >> >>How do I configure mailscanner to not scan outgoing email >>using spamassassin? I still want outgoing email scanned for >>viruses. I didn't see anything in the FAQ. >> >>-- >>Shawn Boyce >>QCOM, Inc. >>Quality Software is Our Business >>http://www.qcominc.com >> >> > >Why does spamassassin think your mail is spam? If it thinks you're >sending spam then won't all the rest of us think you're sending it too? > > Good point. Luckily not everyone is using SpamAssassin yet! Here is the mail header on an email in which I replied to someone else in our company. The email was actually a reply to email which contained a forwared email in it. 
X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) Besides this one, I've also seen some other company emails being marked as SPAM. >Gerry >-- >"The lyfe so short, the craft so long to learne" Chaucer > > > > -- Shawn Boyce QCOM, Inc. Quality Software is Our Business http://www.qcominc.com From shawn at QCOMINC.COM Tue Jun 25 14:16:33 2002 From: shawn at QCOMINC.COM (Shawn Boyce) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email References: <3D1850A7.60107@qcominc.com> <10148.129.80.22.134.1025008188.squirrel@tiger.dorfam.ca> <3D186C7E.60906@qcominc.com> Message-ID: <3D186D31.9090500@qcominc.com> Here's another one. The problem is usually the person is using HTML content in their email. The subject was all caps (but only two letters) and contained only HTML content. >To: Shawn Boyce >Subject: {SPAM?} JS... >Content-Type: text/html; charset=us-ascii >Content-Transfer-Encoding: 7bit >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, MAILTO_LINK, > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) >X-UIDL: Y;`"!l09"!:+_"!?WG!! >Status: U > > > > > >One other thing you can do in the page...  In the body of the page, you can >add this:
>
><NOSCRIPT>
>Please enable JavaScript.
></NOSCRIPT>
>
>To warn people who don't have it enabled.  
>
--
>Bryan E. Sampieri
>Software Developer, QCOM, Inc.
>bryans@qcominc.com
>
>Any opinions are not necessarily the opinions of QCOM, Inc.
>
> > > > > > > Shawn Boyce wrote: > Gerry Doris wrote: > >>> I'm having trouble with our outgoing email being tagged >>> as SPAM! >>> >>> How do I configure mailscanner to not scan outgoing email >>> using spamassassin? I still want outgoing email scanned for >>> viruses. I didn't see anything in the FAQ. >>> >>> -- >>> Shawn Boyce >>> QCOM, Inc. >>> Quality Software is Our Business >>> http://www.qcominc.com >>> >>> >> >> Why does spamassassin think your mail is spam? If it thinks you're >> sending spam then won't all the rest of us think you're sending it too? >> >> > Good point. Luckily not everyone is using SpamAssassin yet! > > Here is the mail header on an email in which I replied to someone else > in our company. The email was actually a reply to email which contained > a forwared email in it. > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > MAILTO_LINK, > BIG_FONT, CTYPE_JUST_HTML) > > Besides this one, I've also seen some other company emails being marked > as SPAM. > >> Gerry >> -- >> "The lyfe so short, the craft so long to learne" Chaucer >> >> >> >> > > -- > Shawn Boyce > QCOM, Inc. > Quality Software is Our Business > http://www.qcominc.com > > -- Shawn Boyce QCOM, Inc. Quality Software is Our Business http://www.qcominc.com From mailscanner at ecs.soton.ac.uk Tue Jun 25 14:23:34 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <3D186D31.9090500@qcominc.com> References: <3D1850A7.60107@qcominc.com> <10148.129.80.22.134.1025008188.squirrel@tiger.dorfam.ca> <3D186C7E.60906@qcominc.com> Message-ID: <5.1.0.14.2.20020625142249.04a531e0@imap.ecs.soton.ac.uk> Apart from looking at "Accept Spam From", you might want to consider increasing your SA threshold in spam.assassin.prefs.conf. I run with a required_hits value of 9 instead of the default of 5. At 14:16 25/06/2002, you wrote: >Here's another one. 
The problem is usually the person is using HTML >content in their email. The subject was all caps (but only two letters) >and contained only HTML content. > >>To: Shawn Boyce >>Subject: {SPAM?} JS... >>Content-Type: text/html; charset=us-ascii >>Content-Transfer-Encoding: 7bit >>X-MailScanner: Found to be clean >>X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, MAILTO_LINK, >> CTYPE_JUST_HTML, SUBJ_ALL_CAPS) >>X-UIDL: Y;`"!l09"!:+_"!?WG!! >>Status: U >> >> >> >> >> >>One other thing you can do in the page...  In the body of the page, >>you can >>add this:
>>
>><NOSCRIPT>
>>Please enable JavaScript.
>></NOSCRIPT>
>>
>>To warn people who don't have it enabled.  
>>
--
>>Bryan E. Sampieri
>>Software Developer, QCOM, Inc.
>>bryans@qcominc.com
>>
>>Any opinions are not necessarily the opinions of QCOM, Inc.
>>
>> >> >> >> >> >> > > >Shawn Boyce wrote: > >>Gerry Doris wrote: >> >>>>I'm having trouble with our outgoing email being tagged >>>>as SPAM! >>>> >>>>How do I configure mailscanner to not scan outgoing email >>>>using spamassassin? I still want outgoing email scanned for >>>>viruses. I didn't see anything in the FAQ. >>>> >>>>-- >>>>Shawn Boyce >>>>QCOM, Inc. >>>>Quality Software is Our Business >>>>http://www.qcominc.com >>>> >>> >>>Why does spamassassin think your mail is spam? If it thinks you're >>>sending spam then won't all the rest of us think you're sending it too? >>> >>Good point. Luckily not everyone is using SpamAssassin yet! >> >>Here is the mail header on an email in which I replied to someone else >>in our company. The email was actually a reply to email which contained >>a forwared email in it. >> >>X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, >>MAILTO_LINK, >>BIG_FONT, CTYPE_JUST_HTML) >> >>Besides this one, I've also seen some other company emails being marked >>as SPAM. >> >>>Gerry >>>-- >>>"The lyfe so short, the craft so long to learne" Chaucer >>> >>> >>> >> >>-- >>Shawn Boyce >>QCOM, Inc. >>Quality Software is Our Business >>http://www.qcominc.com >> > >-- >Shawn Boyce >QCOM, Inc. >Quality Software is Our Business >http://www.qcominc.com -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From gerry at dorfam.ca Tue Jun 25 14:35:59 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <3D186D31.9090500@qcominc.com> References: <3D1850A7.60107@qcominc.com> <10148.129.80.22.134.1025008188.squirrel@tiger.dorfam.ca> <3D186C7E.60906@qcominc.com> <3D186D31.9090500@qcominc.com> Message-ID: <28336.129.80.22.134.1025012159.squirrel@tiger.dorfam.ca> > Here's another one. The problem is usually the person is using HTML > content in their email. 
The subject was all caps (but only two letters)
> and contained only HTML content.
>
> --
> Shawn Boyce
> QCOM, Inc.
> Quality Software is Our Business
> http://www.qcominc.com

I've found a score threshold of 5.0 to be ultra conservative. It's very easy (too easy?) for mail to be flagged as spam. I have it still set at 5.0 and see some messages that are generally only html getting flagged with scores just over the limit.

Gerry
--
"The lyfe so short, the craft so long to learne" Chaucer

From brose at MED.WAYNE.EDU Tue Jun 25 14:56:33 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:04 2006
Subject: not scanning outgoing email
Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9E7@med-core03.med.wayne.edu>

According to the list of tests posted on SA's site, here's what these tests are

header   HTML-only mail, with no text version   CTYPE_JUST_HTML   1.665
rawbody  Includes a URL link to send an email   MAILTO_LINK       0.782
header   Subject is all capitals                SUBJ_ALL_CAPS    -0.054

Now the weird part is that this doesn't add up to 5.1. If you have the SpamAction set to the spam.actions.conf, I suggest having an entry to store spam for your address to capture some. Then run spamassassin -t < filename to see if the score is the same. If the scoring is still the same then post your findings to SA. If not post them here. Also if you have compileNow() enabled, try disabling it since there used to be a bug where it would cause false positives.

-----Original Message-----
From: Shawn Boyce [mailto:shawn@QCOMINC.COM]
Sent: Tuesday, June 25, 2002 9:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: not scanning outgoing email

Here's another one. The problem is usually the person is using HTML content in their email. The subject was all caps (but only two letters) and contained only HTML content.

>To: Shawn Boyce
>Subject: {SPAM?} JS...
>Content-Type: text/html; charset=us-ascii >Content-Transfer-Encoding: 7bit >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, MAILTO_LINK, > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) >X-UIDL: Y;`"!l09"!:+_"!?WG!! >Status: U > > > > > >One other thing you can do in the page...  In the body of the >page, you can add this:

><NOSCRIPT>
>Please enable JavaScript.
></NOSCRIPT>
>
>To warn people who don't have it enabled.  
>
--
>Bryan E. Sampieri
>Software Developer, QCOM, Inc.
>bryans@qcominc.com
>
>Any opinions are not necessarily the opinions of QCOM, Inc. 
> > > > > > > Shawn Boyce wrote: > Gerry Doris wrote: > >>> I'm having trouble with our outgoing email being tagged >>> as SPAM! >>> >>> How do I configure mailscanner to not scan outgoing email using >>> spamassassin? I still want outgoing email scanned for viruses. I >>> didn't see anything in the FAQ. >>> >>> -- >>> Shawn Boyce >>> QCOM, Inc. >>> Quality Software is Our Business >>> http://www.qcominc.com >>> >>> >> >> Why does spamassassin think your mail is spam? If it thinks you're >> sending spam then won't all the rest of us think you're sending it >> too? >> >> > Good point. Luckily not everyone is using SpamAssassin yet! > > Here is the mail header on an email in which I replied to someone else > in our company. The email was actually a reply to email which > contained a forwared email in it. > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) > > Besides this one, I've also seen some other company emails being > marked as SPAM. > >> Gerry >> -- >> "The lyfe so short, the craft so long to learne" Chaucer >> >> >> >> > > -- > Shawn Boyce > QCOM, Inc. > Quality Software is Our Business > http://www.qcominc.com > > -- Shawn Boyce QCOM, Inc. Quality Software is Our Business http://www.qcominc.com From LISTSERV at JISCMAIL.AC.UK Tue Jun 25 15:01:24 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:04 2006 Subject: MAILSCANNER: cmarin@PR.GOV.BR left the JISCmail list Message-ID: <200206251401.PAA01315@magpie.ecs.soton.ac.uk> Tue, 25 Jun 2002 15:01:24 "Carlos A. Marin" has just left the MAILSCANNER JISCmail list (MailScanner mailing list). 
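The cross-check suggested in this thread (add up the scores of the rules named in the header and compare the sum with the reported total), as an added example that is not code from any poster, from MailScanner or from SpamAssassin. The function names are hypothetical, the score tables hold the values quoted in this thread (the 2.20 figures come from a later reply), and one value per score line is assumed.

```python
import re

# Constructed from the header quoted in the thread: one logical header folded
# over two lines, with the continuation line indented.
FLAGGED_HEADER = (
    "X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, MAILTO_LINK,\n"
    "\tCTYPE_JUST_HTML, SUBJ_ALL_CAPS)\n"
)
# The empty report form another poster describes in this thread.
EMPTY_HEADER = "X-MailScanner-SpamCheck: not spam, SpamAssassin ()\n"

# Rule scores quoted in the thread, written in the "score NAME value" form of
# the 50_scores.cf line a poster quotes (assumption: one value per line).
SCORES_SA_SITE = """\
score CTYPE_JUST_HTML 1.665
score MAILTO_LINK 0.782
score SUBJ_ALL_CAPS -0.054
"""
SCORES_SA_2_20 = """\
# rounded values as a later reply quotes them from a 2.20 score file
score CTYPE_JUST_HTML 3.2
score MAILTO_LINK 0.0
score SUBJ_ALL_CAPS 1.9
"""

_NUM = r"-?\d+(?:\.\d+)?"


def parse_spamcheck(header):
    """Return score, threshold and rule names, or None for an empty or odd report."""
    # Unfold: a line break followed by whitespace continues the same header.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header).strip()
    match = re.search(r"SpamAssassin \((.*)\)$", unfolded)
    if not match or not match.group(1).strip():
        return None  # "SpamAssassin ()": nothing to reconcile
    fields = [f.strip() for f in match.group(1).split(",")]
    if len(fields) < 2:
        return None
    score = re.fullmatch(r"score=(%s)" % _NUM, fields[0])
    required = re.fullmatch(r"required (%s)" % _NUM, fields[1])
    if not score or not required:
        return None
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "rules": [f for f in fields[2:] if f],
    }


def parse_scores(text):
    """Read 'score NAME value' lines; comments and other directives are skipped."""
    scores = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            try:
                scores[parts[1]] = float(parts[2])
            except ValueError:
                continue
    return scores


def reconcile(header, scores_text):
    """Compare the total in the header with the sum of the rules it lists."""
    report = parse_spamcheck(header)
    if report is None:
        return None
    scores = parse_scores(scores_text)
    unknown = [r for r in report["rules"] if r not in scores]
    computed = sum(scores[r] for r in report["rules"] if r in scores)
    # The header shows one decimal place, so allow half a unit of rounding.
    matches = not unknown and abs(computed - report["score"]) <= 0.05 + 1e-9
    return {
        "reported": report["score"],
        "computed": round(computed, 3),
        "unknown_rules": unknown,
        "flagged": report["score"] >= report["required"],
        "matches_table": matches,
    }


if __name__ == "__main__":
    for label, table in (("SA site list", SCORES_SA_SITE), ("2.20 file", SCORES_SA_2_20)):
        print(label, reconcile(FLAGGED_HEADER, table))
    print("empty report", reconcile(EMPTY_HEADER, SCORES_SA_2_20))
```

A mismatch between the reported and computed totals means the table being consulted is not the one the scanning host scored with, which is the first thing to rule out before treating the result as a scoring bug.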
From dml at UNB.CA Tue Jun 25 15:19:21 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC9E7@med-core03.med.wayne.edu> Message-ID: According to /usr/share/spamassassin/50_scores.cf on my system score CTYPE_JUST_HTML 3.154 D. On Tue, 25 Jun 2002, Rose, Bobby wrote: > According to the list of tests posted on SA's site, here's what these > tests are > > header HTML-only mail, with no text version CTYPE_JUST_HTML 1.665 > rawbody Includes a URL link to send an email MAILTO_LINK 0.782 > header Subject is all capitals SUBJ_ALL_CAPS -0.054 > > Now the weird part is that this doesn't add up to 5.1. If you have the > SpamAction set to the spam.actions.conf, I suggest having an entry to > store spam for your address to capture some. The run spamassassin -t < > filename to see if the score is the same. If the scoring is still the > same then post your findings to SA. If not post them here. Also if you > have compileNow() enabled, try disabling it since there used to be a bug > where it would cause false positives. > > > -----Original Message----- > From: Shawn Boyce [mailto:shawn@QCOMINC.COM] > Sent: Tuesday, June 25, 2002 9:17 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: not scanning outgoing email > > > Here's another one. The problem is usually the person is using HTML > content in their email. The subject was all caps (but only two letters) > and contained only HTML content. > > >To: Shawn Boyce > >Subject: {SPAM?} JS... > >Content-Type: text/html; charset=us-ascii > >Content-Transfer-Encoding: 7bit > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, > MAILTO_LINK, > > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) > >X-UIDL: Y;`"!l09"!:+_"!?WG!! > >Status: U > > > > > > > > > > > >One other thing you can do in the page...  In the body of the > >page, you can add this:

> ><NOSCRIPT>
> >Please enable JavaScript.
> ></NOSCRIPT>
> >
> >To warn people who don't have it enabled.  
> >
--
> >Bryan E. Sampieri
> >Software Developer, QCOM, Inc.
> >bryans@qcominc.com
> >
> >Any opinions are not necessarily the opinions of QCOM, Inc. 
> > > > > > > > > > > > > > > > > Shawn Boyce wrote: > > > Gerry Doris wrote: > > > >>> I'm having trouble with our outgoing email being tagged > >>> as SPAM! > >>> > >>> How do I configure mailscanner to not scan outgoing email using > >>> spamassassin? I still want outgoing email scanned for viruses. I > >>> didn't see anything in the FAQ. > >>> > >>> -- > >>> Shawn Boyce > >>> QCOM, Inc. > >>> Quality Software is Our Business > >>> http://www.qcominc.com > >>> > >>> > >> > >> Why does spamassassin think your mail is spam? If it thinks you're > >> sending spam then won't all the rest of us think you're sending it > >> too? > >> > >> > > Good point. Luckily not everyone is using SpamAssassin yet! > > > > Here is the mail header on an email in which I replied to someone else > > > in our company. The email was actually a reply to email which > > contained a forwared email in it. > > > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > > MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) > > > > Besides this one, I've also seen some other company emails being > > marked as SPAM. > > > >> Gerry > >> -- > >> "The lyfe so short, the craft so long to learne" Chaucer > >> > >> > >> > >> > > > > -- > > Shawn Boyce > > QCOM, Inc. > > Quality Software is Our Business > > http://www.qcominc.com > > > > > > -- > Shawn Boyce > QCOM, Inc. > Quality Software is Our Business > http://www.qcominc.com > =========================================================== David Lancaster ITS ESS From brose at MED.WAYNE.EDU Tue Jun 25 15:29:55 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8FD8@med-core03.med.wayne.edu> What rev of SA? 
I have 2.31 and the score is 1.665 -----Original Message----- From: David Lancaster [mailto:dml@UNB.CA] Sent: Tuesday, June 25, 2002 10:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: not scanning outgoing email According to /usr/share/spamassassin/50_scores.cf on my system score CTYPE_JUST_HTML 3.154 D. On Tue, 25 Jun 2002, Rose, Bobby wrote: > According to the list of tests posted on SA's site, here's what these > tests are > > header HTML-only mail, with no text version CTYPE_JUST_HTML 1.665 > rawbody Includes a URL link to send an email MAILTO_LINK 0.782 > header Subject is all capitals SUBJ_ALL_CAPS -0.054 > > Now the weird part is that this doesn't add up to 5.1. If you have > the SpamAction set to the spam.actions.conf, I suggest having an entry > to store spam for your address to capture some. The run spamassassin > -t < filename to see if the score is the same. If the scoring is > still the same then post your findings to SA. If not post them here. > Also if you have compileNow() enabled, try disabling it since there > used to be a bug where it would cause false positives. > > > -----Original Message----- > From: Shawn Boyce [mailto:shawn@QCOMINC.COM] > Sent: Tuesday, June 25, 2002 9:17 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: not scanning outgoing email > > > Here's another one. The problem is usually the person is using HTML > content in their email. The subject was all caps (but only two > letters) and contained only HTML content. > > >To: Shawn Boyce > >Subject: {SPAM?} JS... > >Content-Type: text/html; charset=us-ascii > >Content-Transfer-Encoding: 7bit > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, > MAILTO_LINK, > > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) > >X-UIDL: Y;`"!l09"!:+_"!?WG!! > >Status: U > > > > > > > > > > > >One other thing you can do in the page...  In the body of the > >page, you can add this:

> ><NOSCRIPT>
> >Please enable JavaScript.
> ></NOSCRIPT>
> >
> >To warn people who don't have it enabled.  
> >
--
> >Bryan E. Sampieri
> >Software Developer, QCOM, Inc.
> >bryans@qcominc.com
> >
> >Any opinions are not necessarily the opinions of QCOM, Inc. 
> > > > > > > > > > > > > > > Shawn Boyce wrote: > > > Gerry Doris wrote: > > > >>> I'm having trouble with our outgoing email being tagged as SPAM! > >>> > >>> How do I configure mailscanner to not scan outgoing email using > >>> spamassassin? I still want outgoing email scanned for viruses. I > >>> didn't see anything in the FAQ. > >>> > >>> -- > >>> Shawn Boyce > >>> QCOM, Inc. > >>> Quality Software is Our Business > >>> http://www.qcominc.com > >>> > >>> > >> > >> Why does spamassassin think your mail is spam? If it thinks you're > >> sending spam then won't all the rest of us think you're sending it > >> too? > >> > >> > > Good point. Luckily not everyone is using SpamAssassin yet! > > > > Here is the mail header on an email in which I replied to someone > > else > > > in our company. The email was actually a reply to email which > > contained a forwared email in it. > > > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > > MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) > > > > Besides this one, I've also seen some other company emails being > > marked as SPAM. > > > >> Gerry > >> -- > >> "The lyfe so short, the craft so long to learne" Chaucer > >> > >> > >> > >> > > > > -- > > Shawn Boyce > > QCOM, Inc. > > Quality Software is Our Business > > http://www.qcominc.com > > > > > > -- > Shawn Boyce > QCOM, Inc. > Quality Software is Our Business > http://www.qcominc.com > =========================================================== David Lancaster ITS ESS From dml at UNB.CA Tue Jun 25 15:41:00 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A0A8FD8@med-core03.med.wayne.edu> Message-ID: 2.20 Probably should upgrade some day. But I guess that tells us what Shawn's problem is. 
The scores out of my 2.20 SA score file are: CTYPE_JUST_HTML 3.2 MAILTO_LINK 0.0 SUBJ_ALL_CAPS 1.9 Totals 5.1 Wonder why 2.20 scored HTML email so highly (musta been scored in the good ol' days...sigh. ;) D. On Tue, 25 Jun 2002, Rose, Bobby wrote: > What rev of SA? I have 2.31 and the score is 1.665 > > -----Original Message----- > From: David Lancaster [mailto:dml@UNB.CA] > Sent: Tuesday, June 25, 2002 10:19 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: not scanning outgoing email > > > According to /usr/share/spamassassin/50_scores.cf on my system > score CTYPE_JUST_HTML 3.154 > > D. > > On Tue, 25 Jun 2002, Rose, Bobby wrote: > > > According to the list of tests posted on SA's site, here's what these > > tests are > > > > header HTML-only mail, with no text version CTYPE_JUST_HTML 1.665 > > rawbody Includes a URL link to send an email MAILTO_LINK 0.782 > > header Subject is all capitals SUBJ_ALL_CAPS -0.054 > > > > Now the weird part is that this doesn't add up to 5.1. If you have > > the SpamAction set to the spam.actions.conf, I suggest having an entry > > > to store spam for your address to capture some. The run spamassassin > > -t < filename to see if the score is the same. If the scoring is > > still the same then post your findings to SA. If not post them here. > > > Also if you have compileNow() enabled, try disabling it since there > > used to be a bug where it would cause false positives. > > > > > > -----Original Message----- > > From: Shawn Boyce [mailto:shawn@QCOMINC.COM] > > Sent: Tuesday, June 25, 2002 9:17 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: not scanning outgoing email > > > > > > Here's another one. The problem is usually the person is using HTML > > content in their email. The subject was all caps (but only two > > letters) and contained only HTML content. > > > > >To: Shawn Boyce > > >Subject: {SPAM?} JS... 
> > >Content-Type: text/html; charset=us-ascii > > >Content-Transfer-Encoding: 7bit > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, > > MAILTO_LINK, > > > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) > > >X-UIDL: Y;`"!l09"!:+_"!?WG!! > > >Status: U > > > > > > > > > > > > > > > > > >One other thing you can do in the page...  In the body of the > > >page, you can add this:

> > ><NOSCRIPT>
> > >Please enable JavaScript.
> > ></NOSCRIPT>
> > >
> > >To warn people who don't have it enabled.  
> > >
--
> > >Bryan E. Sampieri
> > >Software Developer, QCOM, Inc.
> > >bryans@qcominc.com
> > >
> > >Any opinions are not necessarily the opinions of QCOM, Inc. 
> > > > > > > > > > > > > > > > > > > > > > > > Shawn Boyce wrote: > > > > > Gerry Doris wrote: > > > > > >>> I'm having trouble with our outgoing email being tagged as SPAM! > > >>> > > >>> How do I configure mailscanner to not scan outgoing email using > > >>> spamassassin? I still want outgoing email scanned for viruses. I > > >>> didn't see anything in the FAQ. > > >>> > > >>> -- > > >>> Shawn Boyce > > >>> QCOM, Inc. > > >>> Quality Software is Our Business > > >>> http://www.qcominc.com > > >>> > > >>> > > >> > > >> Why does spamassassin think your mail is spam? If it thinks you're > > > >> sending spam then won't all the rest of us think you're sending it > > >> too? > > >> > > >> > > > Good point. Luckily not everyone is using SpamAssassin yet! > > > > > > Here is the mail header on an email in which I replied to someone > > > else > > > > > in our company. The email was actually a reply to email which > > > contained a forwared email in it. > > > > > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > > > MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) > > > > > > Besides this one, I've also seen some other company emails being > > > marked as SPAM. > > > > > >> Gerry > > >> -- > > >> "The lyfe so short, the craft so long to learne" Chaucer > > >> > > >> > > >> > > >> > > > > > > -- > > > Shawn Boyce > > > QCOM, Inc. > > > Quality Software is Our Business > > > http://www.qcominc.com > > > > > > > > > > -- > > Shawn Boyce > > QCOM, Inc. 
> > Quality Software is Our Business > > http://www.qcominc.com > > > > > > =========================================================== > David Lancaster > ITS ESS > =========================================================== David Lancaster ITS ESS From brose at MED.WAYNE.EDU Tue Jun 25 15:47:39 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:04 2006 Subject: not scanning outgoing email Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9E8@med-core03.med.wayne.edu> The scores are generated using a algorithm that looks at all the SPAM messages that the SA guys have (which is a lot). So depending on ruleset changes and the amount of spam that triggers that rule, the score can vary with each release. -----Original Message----- From: David Lancaster [mailto:dml@UNB.CA] Sent: Tuesday, June 25, 2002 10:41 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: not scanning outgoing email 2.20 Probably should upgrade some day. But I guess that tells us what Shawn's problem is. The scores out of my 2.20 SA score file are: CTYPE_JUST_HTML 3.2 MAILTO_LINK 0.0 SUBJ_ALL_CAPS 1.9 Totals 5.1 Wonder why 2.20 scored HTML email so highly (musta been scored in the good ol' days...sigh. ;) D. On Tue, 25 Jun 2002, Rose, Bobby wrote: > What rev of SA? I have 2.31 and the score is 1.665 > > -----Original Message----- > From: David Lancaster [mailto:dml@UNB.CA] > Sent: Tuesday, June 25, 2002 10:19 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: not scanning outgoing email > > > According to /usr/share/spamassassin/50_scores.cf on my system > score CTYPE_JUST_HTML 3.154 > > D. > > On Tue, 25 Jun 2002, Rose, Bobby wrote: > > > According to the list of tests posted on SA's site, here's what > > these tests are > > > > header HTML-only mail, with no text version CTYPE_JUST_HTML 1.665 > > rawbody Includes a URL link to send an email MAILTO_LINK 0.782 > > header Subject is all capitals SUBJ_ALL_CAPS -0.054 > > > > Now the weird part is that this doesn't add up to 5.1. 
If you have > > the SpamAction set to the spam.actions.conf, I suggest having an > > entry > > > to store spam for your address to capture some. The run > > spamassassin -t < filename to see if the score is the same. If the > > scoring is still the same then post your findings to SA. If not > > post them here. > > > Also if you have compileNow() enabled, try disabling it since there > > used to be a bug where it would cause false positives. > > > > > > -----Original Message----- > > From: Shawn Boyce [mailto:shawn@QCOMINC.COM] > > Sent: Tuesday, June 25, 2002 9:17 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: not scanning outgoing email > > > > > > Here's another one. The problem is usually the person is using HTML > > content in their email. The subject was all caps (but only two > > letters) and contained only HTML content. > > > > >To: Shawn Boyce > > >Subject: {SPAM?} JS... > > >Content-Type: text/html; charset=us-ascii > > >Content-Transfer-Encoding: 7bit > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5, > > MAILTO_LINK, > > > CTYPE_JUST_HTML, SUBJ_ALL_CAPS) > > >X-UIDL: Y;`"!l09"!:+_"!?WG!! > > >Status: U > > > > > > > > > > > > > > > > > >One other thing you can do in the page...  In the body of the > > >page, you can add this:

<NOSCRIPT>
Please enable > > >JavaScript.
</NOSCRIPT>
> > >
> > >To warn people who don't have it enabled.  
> > >
--
> > >Bryan E. Sampieri
> > >Software Developer, QCOM, Inc.
> > > > href="mailto:bryans@qcominc.com">bryans@qcominc.com
> > >
> > >Any opinions are not necessarily the opinions of QCOM, Inc. 
> > > > > > > > > > > > > > > > > > > > > > > > Shawn Boyce wrote: > > > > > Gerry Doris wrote: > > > > > >>> I'm having trouble with our outgoing email being tagged as SPAM! > > >>> > > >>> How do I configure mailscanner to not scan outgoing email using > > >>> spamassassin? I still want outgoing email scanned for viruses. I > > >>> didn't see anything in the FAQ. > > >>> > > >>> -- > > >>> Shawn Boyce > > >>> QCOM, Inc. > > >>> Quality Software is Our Business > > >>> http://www.qcominc.com > > >>> > > >>> > > >> > > >> Why does spamassassin think your mail is spam? If it thinks > > >> you're > > > >> sending spam then won't all the rest of us think you're sending > > >> it too? > > >> > > >> > > > Good point. Luckily not everyone is using SpamAssassin yet! > > > > > > Here is the mail header on an email in which I replied to someone > > > else > > > > > in our company. The email was actually a reply to email which > > > contained a forwared email in it. > > > > > > X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5, > > > MAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML) > > > > > > Besides this one, I've also seen some other company emails being > > > marked as SPAM. > > > > > >> Gerry > > >> -- > > >> "The lyfe so short, the craft so long to learne" Chaucer > > >> > > >> > > >> > > >> > > > > > > -- > > > Shawn Boyce > > > QCOM, Inc. > > > Quality Software is Our Business > > > http://www.qcominc.com > > > > > > > > > > -- > > Shawn Boyce > > QCOM, Inc. > > Quality Software is Our Business > > http://www.qcominc.com > > > > > > =========================================================== > David Lancaster > ITS ESS > =========================================================== David Lancaster ITS ESS From LISTSERV at JISCMAIL.AC.UK Tue Jun 25 15:58:26 2002 
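The score mismatch discussed in the "not scanning outgoing email" thread above can be checked mechanically. This is an added example, not code from any poster or from MailScanner or SpamAssassin: it parses an X-MailScanner-SpamCheck header and re-adds the per-rule scores quoted in the thread for SpamAssassin 2.20 and 2.31. The function names and the 0.05 rounding tolerance are assumptions of the example, and the sample headers are constructed from the two quoted in the thread.

```python
import email
import re

# Per-rule scores exactly as quoted in the thread; no other scores are assumed.
# The 2.20 values are the rounded ones posted from the 2.20 score file.
SCORES_BY_VERSION = {
    "2.20": {"CTYPE_JUST_HTML": 3.2, "MAILTO_LINK": 0.0, "SUBJ_ALL_CAPS": 1.9},
    "2.31": {"CTYPE_JUST_HTML": 1.665, "MAILTO_LINK": 0.782, "SUBJ_ALL_CAPS": -0.054},
}

# Constructed samples, rebuilt from the two headers quoted in the thread.
# The SpamCheck header is folded over several lines, as in the original mail.
SAMPLE_JS = (
    "Subject: {SPAM?} JS...\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "X-MailScanner: Found to be clean\n"
    "X-MailScanner-SpamCheck: SpamAssassin (score=5.1, required 5,\n"
    "\tMAILTO_LINK,\n"
    "\tCTYPE_JUST_HTML, SUBJ_ALL_CAPS)\n"
    "Status: U\n"
    "\n"
)
SAMPLE_REPLY = (
    "X-MailScanner-SpamCheck: SpamAssassin (score=5.3, required 5,\n"
    "\tMAILTO_LINK, BIG_FONT, CTYPE_JUST_HTML)\n"
    "\n"
)

SPAMCHECK_RE = re.compile(
    r"SpamAssassin \(score=(-?\d+(?:\.\d+)?), required (-?\d+(?:\.\d+)?),"
    r"\s*([A-Z0-9_, ]+)\)"
)


def parse_spamcheck(raw_headers):
    """Return score, threshold and rule names from a raw header block, or None."""
    value = email.message_from_string(raw_headers)["X-MailScanner-SpamCheck"]
    if value is None:
        return None
    flat = " ".join(str(value).split())  # undo header folding
    match = SPAMCHECK_RE.search(flat)
    if match is None:
        return None
    rules = [name.strip() for name in match.group(3).split(",") if name.strip()]
    return {
        "score": float(match.group(1)),
        "required": float(match.group(2)),
        "rules": rules,
    }


def reconcile(check, tables=SCORES_BY_VERSION, tolerance=0.05):
    """Re-add the rule scores under each known score table.

    The header prints the score to one decimal place, hence the tolerance.
    A rule missing from a table makes that table's verdict undecidable (None)
    instead of silently counting the rule as zero.
    """
    results = {}
    for version, table in tables.items():
        unknown = [rule for rule in check["rules"] if rule not in table]
        total = round(sum(table[r] for r in check["rules"] if r in table), 3)
        results[version] = {
            "total": total,
            "unknown": unknown,
            "matches_header": not unknown
            and abs(total - check["score"]) <= tolerance,
            # SpamAssassin flags a message when score >= required.
            "is_spam": None if unknown else total >= check["required"],
        }
    return results


def explaining_versions(check, tables=SCORES_BY_VERSION):
    """List the score-table versions whose total reproduces the header score."""
    return [v for v, r in reconcile(check, tables).items() if r["matches_header"]]


if __name__ == "__main__":
    for label, raw in (("JS mail", SAMPLE_JS), ("reply mail", SAMPLE_REPLY)):
        parsed = parse_spamcheck(raw)
        print(label, parsed)
        for version, result in reconcile(parsed).items():
            print("  SA", version, result)
        print("  explained by:", explaining_versions(parsed))
```

For the 5.1 header only the 2.20 table reproduces the reported score; the 5.3 header cannot be reconciled from the thread alone because no score for BIG_FONT is quoted.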
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:04 2006
Subject: MAILSCANNER: gsiebrecht@WIN-4-U.COM left the JISCmail list
Message-ID: <200206251458.PAA07005@magpie.ecs.soton.ac.uk>

Tue, 25 Jun 2002 15:58:26

Grant Siebrecht has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From mailscanner at ecs.soton.ac.uk Tue Jun 25 16:06:46 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: not scanning outgoing email
In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC9E8@med-core03.med.wayne.edu>
Message-ID: <5.1.0.14.2.20020625160548.04f736e8@imap.ecs.soton.ac.uk>

Folks,

Please can we either
1) consider this thread complete, or
2) move it to the SpamAssassin satalk list.

Thanks!
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Pablo.Iranzo at UV.ES Tue Jun 25 17:19:46 2002
From: Pablo.Iranzo at UV.ES (Pablo Iranzo Gómez)
Date: Thu Jan 12 21:15:04 2006
Subject: Part of MRTG died
Message-ID:

I've the same problem: after updating to the last available MailScanner version, I've no spam reports in /var/log/maillog. I've also tried changing "spam" to "Spam" but it doesn't work.

I've sent a SPAM mail through sendmail and here are the headers:

Return-Path:
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839
        for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 +0200
Date: Tue, 25 Jun 2002 18:09:14 +0200
From: yop@nohwere.com
Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es>
X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos de Puntos Travel Club!
Content-type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5,
        SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, CTYPE_JUST_HTML,
        MISSING_HEADERS, NO_MX_FOR_FROM)

(As you can see, the Mailscanner passed it through SpamAssassin and gave it "Spam" status and did modify the subject)

And here is the maillog "conversation":

Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: to=yop@yop.es, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., dsn=2.0.0, stat=Sent (g5PG4oJN009163 Message accepted for delivery)
Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: Authentication-Warning: Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: from=yop@nohwere.com, size=19465, class=0, nrcpts=1, msgid=<200206251609.g5PG90512839@Alufis35>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, 20139 bytes
Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, 20139 bytes in 4 seconds
Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: to=iranzo@amena.com, delay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. [147.156.1.112], dsn=5.6.0, stat=Data format error
Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, delay=00:01:00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent
Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: DSN: Data format error
Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: to=yop@nohwere.com, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., dsn=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery)

It scans the message, marks it as spam but doesn't reflect that on the maillog.

My syslog has the -r switch from previous versions. I'm running RedHat 7.3.

Any idea?
Thanks in advance
Pablo

From mailscanner at ecs.soton.ac.uk Tue Jun 25 17:35:57 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Part of MRTG died
In-Reply-To:
Message-ID: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk>

Check your mailscanner.conf file for "Log Spam = no".

At 17:19 25/06/2002, you wrote:
>I've the same problem, after updating to the last available MailScanner
>version, I've no spam reports in /var/log/maillog I've tried to do also
>with changing "spam" to "Spam" but it doesn't work.
> I've sent a SPAM mail throught sendmail and here are the headers:
>
>
>Return-Path:
>Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
> by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839
> for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 +0200
>Date: Tue, 25 Jun 2002 18:09:14 +0200
>From: yop@nohwere.com >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain [127.0.0.1] > didn't use HELO protocol >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos de > Puntos Travel Club! >Content-type: text/html >MIME-Version: 1.0 >Content-Transfer-Encoding: quoted-printable >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, CTYPE_JUST_HTML, > MISSING_HEADERS, NO_MX_FOR_FROM) > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin and gave >it "Spam" status and did modified the subject) > >And here is the maillog "conversation": > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: to=yop@yop.es, >delay=00: >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., dsn=2.0. >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: Authentication- >Warning: >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO protocol >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: >from=yop@nohwere.com, si >ze=19465, class=0, nrcpts=1, msgid=<200206251609.g5PG90512839@Alufis35>, b >odytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain >[127.0.0.1 >] >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, 20139 >bytes >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, 20139 >bytes in >4 seconds >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: >to=iranzo@amena.com, del >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. 
[1 >47.156.1.112], dsn=5.6.0, stat=Data format error >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, >delay=00:01: >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: DSN: >Data >format error >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: to=yop@nohwere.com, >dela >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., dsn >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) > >It Scans the message, marks it as spam but doesn't reflect that on the >maillog. > >My syslog has the -r switch from previous versions. I'm running RedHat 7.3. > > >?Any idea? >Thanks in advance >Pablo -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From FCaen at CI.LAKEWOOD.WA.US Tue Jun 25 17:56:04 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:15:04 2006 Subject: Why I think RBL should be done with the MTA ratherthan Mailscanner Message-ID: -----Original Message----- 
From: S.R.Patterson@SOTON.AC.UK

> Can anybody see any advantages to using the RBL lists on Mailscanner
> instead of on the MTA directly? I'd like to hear the flip side of the
> debate!

You're mostly right about the benefits of RBL'ing in the MTA, especially as far as saving resources is concerned. But each level (MTA, MS, SA) has its pros and cons. Did you read the FAQ item I wrote about the question: http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#20

RBL'ing in MS or SA, although more resource-intensive, gives you definitely more options (delete or tag, score tweaking,...)

In the end it depends on what your (your users') needs are, what resources and email volume you have, and how strict you want to be :-)

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From mkettler at EVI-INC.COM Tue Jun 25 19:34:18 2002
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <5.1.0.14.2.20020625101136.02cc2b00@imap.ecs.soton.ac.uk>
References: <000401c21bd4$71ebf120$1cfea8c0@tippingmar.com> <20020619191018.GA2775@bragann>
Message-ID: <5.1.0.14.0.20020625142832.021a9600@192.168.50.2>

I don't think that will quite do what he wants. Your suggestion will still notify non-local senders that they send him a virus. He wants to notify *only* local senders.

This is what he's looking for:

Outside ->in notify postmaster, local recipient. No external senders notified.
inside -> out notify local sender, postmaster, no external recipients notified.

Your suggestion is similar, but in the outside->in case, the external senders are notified.

At 10:12 AM 6/25/2002 +0100, Julian Field wrote:
>I think all you need do is set "Notify Senders = yes" and "Deliver From
>Local Domain = no" and you should get what you want.
>
>At 00:11 25/06/2002, you wrote:
>>I use
>>
>>"Notify Senders = no"
>>
>>because I'm a little reluctant to send automated mail to someone outside
>>our office (possibly a client). For sensitive relationships I'd rather
>>call the client and explain the problem personally, without implying
>>that he or she did something stupid (even if he or she did something
>>stupid). At the same time, I have
>>
>>"Deliver From Local Domain = no"
>>
>>because I don't want an outsider to know that one of my users tried to
>>send them something bad.
>>
>>With this arrangement, if one of my users sends a message with a virus,
>>(or more likely, a message with a poorly named attachment") the message
>>is deleted and only I, as the postmaster, receive a warning. I guess
>>what I would prefer is something like
>>
>>"Notify Senders = yes | no | local"

From mike at CAMAROSS.NET Tue Jun 25 19:44:59 2002
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:15:04 2006 Subject: Part of MRTG died References: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk> Message-ID: <011701c21c78$68e3ad80$6501a8c0@home.wideopenthrottle.org> I have "Log Spam = yes" in my .conf and neither Spam nor spam in my mrtg.cfg reveal any spam in my maillog. *boggle* ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, June 25, 2002 11:35 AM Subject: Re: Part of MRTG died > Check your mailscanner.conf file for "Log Spam = no". > > At 17:19 25/06/2002, you wrote: > >I've the same problem, after updating to the last available MailScanner > >version, I've no spam reports in /var/log/maillog I've tried to do also > >with changing "spam" to "Spam" but it doesn't work. > > I've sent a SPAM mail throught sendmail and here are the headers: > > > > > >Return-Path: > >Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) > > by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839 > > for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 +0200 > >Date: Tue, 25 Jun 2002 18:09:14 +0200 
> >From: yop@nohwere.com > >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> > >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain [127.0.0.1] > > didn't use HELO protocol > >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos de > > Puntos Travel Club! > >Content-type: text/html > >MIME-Version: 1.0 > >Content-Transfer-Encoding: quoted-printable > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, > > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, CTYPE_JUST_HTML, > > MISSING_HEADERS, NO_MX_FOR_FROM) > > > > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin and gave > >it "Spam" status and did modified the subject) > > > >And here is the maillog "conversation": > > > > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: to=yop@yop.es, > >delay=00: > >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., dsn=2.0. > >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) > >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: Authentication- > >Warning: > >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO protocol > >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: > >from=yop@nohwere.com, si > >ze=19465, class=0, nrcpts=1, msgid=<200206251609.g5PG90512839@Alufis35>, b > >odytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain > >[127.0.0.1 > >] > >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, 20139 > >bytes > >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, 20139 > >bytes in > >4 seconds > >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: > >to=iranzo@amena.com, del > >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. 
[1 > >47.156.1.112], dsn=5.6.0, stat=Data format error > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, > >delay=00:01: > >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: DSN: > >Data > >format error > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: to=yop@nohwere.com, > >dela > >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., dsn > >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) > > > >It Scans the message, marks it as spam but doesn't reflect that on the > >maillog. > > > >My syslog has the -r switch from previous versions. I'm running RedHat 7.3. > > > > > >?Any idea? > >Thanks in advance > >Pablo > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Tue Jun 25 19:49:09 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <5.1.0.14.0.20020625142832.021a9600@192.168.50.2>
References: <5.1.0.14.2.20020625101136.02cc2b00@imap.ecs.soton.ac.uk> <000401c21bd4$71ebf120$1cfea8c0@tippingmar.com> <20020619191018.GA2775@bragann>
Message-ID: <5.1.0.14.2.20020625194626.0250d168@imap.ecs.soton.ac.uk>

At 19:34 25/06/2002, you wrote:
>I don't think that will quite do what he wants. Your suggestion will still
>notify non-local senders that they send him a virus. He wants to notify
>*only* local senders.
>
>This is what he's looking for:
>
>Outside ->in notify postmaster, local recipient. No external senders
>notified.
>inside -> out notify local sender, postmaster, no external recipients
>notified.
>
>Your suggestion is similar, but in the outside->in case, the external
>senders are notified.

Agreed. At the moment you cannot run this particular setup with MailScanner. He is the first person ever to ask for it. Everyone else has considered mailing the sender of a virus to be a beneficial service to them, that helps get 1 more infected PC fixed.

>At 10:12 AM 6/25/2002 +0100, Julian Field wrote:
>>I think all you need do is set "Notify Senders = yes" and "Deliver From
>>Local Domain = no" and you should get what you want.
>>
>>At 00:11 25/06/2002, you wrote:
>>>I use
>>>
>>>"Notify Senders = no"
>>>
>>>because I'm a little reluctant to send automated mail to someone outside
>>>our office (possibly a client). For sensitive relationships I'd rather
>>>call the client and explain the problem personally, without implying
>>>that he or she did something stupid (even if he or she did something
>>>stupid). At the same time, I have
>>>
>>>"Deliver From Local Domain = no"
>>>
>>>because I don't want an outsider to know that one of my users tried to
>>>send them something bad.
>>>
>>>With this arrangement, if one of my users sends a message with a virus,
>>>(or more likely, a message with a poorly named attachment") the message
>>>is deleted and only I, as the postmaster, receive a warning. I guess
>>>what I would prefer is something like
>>>
>>>"Notify Senders = yes | no | local"

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jun 25 19:51:39 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Part of MRTG died
In-Reply-To: <011701c21c78$68e3ad80$6501a8c0@home.wideopenthrottle.org>
References: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020625195014.0250d548@imap.ecs.soton.ac.uk>

At 19:44 25/06/2002, you wrote:
>I have "Log Spam = yes" in my .conf and neither Spam nor spam in my mrtg.cfg
>reveal any spam in my maillog. *boggle*

Spam logging is done as mail.info, I suspect that your /etc/syslog.conf isn't logging mail.info messages.

>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Tuesday, June 25, 2002 11:35 AM
>Subject: Re: Part of MRTG died
>
>
> > Check your mailscanner.conf file for "Log Spam = no".
> >
> > At 17:19 25/06/2002, you wrote:
> > >I've the same problem, after updating to the last available MailScanner
> > >version, I've no spam reports in /var/log/maillog I've tried to do also
> > >with changing "spam" to "Spam" but it doesn't work.
> > > I've sent a SPAM mail throught sendmail and here are the headers:
> > >
> > >
> > >Return-Path:
> > >Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
> > > by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839
> > > for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 +0200
> > >Date: Tue, 25 Jun 2002 18:09:14 +0200
> > >From: yop@nohwere.com > > >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> > > >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain >[127.0.0.1] > > > didn't use HELO protocol > > >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos de > > > Puntos Travel Club! > > >Content-type: text/html > > >MIME-Version: 1.0 > > >Content-Transfer-Encoding: quoted-printable > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, > > > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, CTYPE_JUST_HTML, > > > MISSING_HEADERS, NO_MX_FOR_FROM) > > > > > > > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin and >gave > > >it "Spam" status and did modified the subject) > > > > > >And here is the maillog "conversation": > > > > > > > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: to=yop@yop.es, > > >delay=00: > > >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., dsn=2.0. > > >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) > > >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: Authentication- > > >Warning: > > >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO >protocol > > >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: > > >from=yop@nohwere.com, si > > >ze=19465, class=0, nrcpts=1, msgid=<200206251609.g5PG90512839@Alufis35>, >b > > >odytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain > > >[127.0.0.1 > > >] > > >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, 20139 > > >bytes > > >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, 20139 > > >bytes in > > >4 seconds > > >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: > > >to=iranzo@amena.com, del > > >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. 
[1 > > >47.156.1.112], dsn=5.6.0, stat=Data format error > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, > > >delay=00:01: > > >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: >DSN: > > >Data > > >format error > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: >to=yop@nohwere.com, > > >dela > > >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., dsn > > >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) > > > > > >It Scans the message, marks it as spam but doesn't reflect that on the > > >maillog. > > > > > >My syslog has the -r switch from previous versions. I'm running RedHat >7.3. > > > > > > > > >?Any idea? > > >Thanks in advance > > >Pablo > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mark at TIPPINGMAR.COM Tue Jun 25 19:56:34 2002 
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <5.1.0.14.0.20020625142832.021a9600@192.168.50.2>
Message-ID: <000b01c21c7a$06bf8dc0$1cfea8c0@tippingmar.com>

> I don't think that will quite do what he wants. Your
> suggestion will still
> notify non-local senders that they send him a virus. He wants
> to notify
> *only* local senders.
>
> This is what he's looking for:
>
> Outside ->in notify postmaster, local recipient. No external senders
> notified.
> inside -> out notify local sender, postmaster, no external
> recipients
> notified.

Yes, I think you see what I mean. I guess it wouldn't be so bad to notify external senders if I edited the file "sender.virus.report.txt" to be more apologetic.

I can see how it would be nice to have different notifications for local senders and external senders. I could read the riot act to the local senders and apologize to the external senders!

Mark

From mike at CAMAROSS.NET Tue Jun 25 19:58:44 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:04 2006
Subject: Part of MRTG died
References: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020625195014.0250d548@imap.ecs.soton.ac.uk>
Message-ID: <016d01c21c7a$54b633d0$6501a8c0@home.wideopenthrottle.org>

I can see the spams getting logged in my maillog...it's just that MRTG (or my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my upgrades :)

Here is the mail. line from my syslog.conf

# Log all the mail messages in one place.
mail.* /var/log/maillog

Mike

----- Original Message -----
From: "Julian Field" To: Sent: Tuesday, June 25, 2002 1:51 PM Subject: Re: Part of MRTG died > At 19:44 25/06/2002, you wrote: > >I have "Log Spam = yes" in my .conf and neither Spam nor spam in my mrtg.cfg > >reveal any spam in my maillog. *boggle* > > Spam logging is done as mail.info, I suspect that your /etc/syslog.conf > isn't logging mail.info messages. > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Tuesday, June 25, 2002 11:35 AM > >Subject: Re: Part of MRTG died > > > > > > > Check your mailscanner.conf file for "Log Spam = no". > > > > > > At 17:19 25/06/2002, you wrote: > > > >I've the same problem, after updating to the last available MailScanner > > > >version, I've no spam reports in /var/log/maillog I've tried to do also > > > >with changing "spam" to "Spam" but it doesn't work. > > > > I've sent a SPAM mail throught sendmail and here are the headers: > > > > > > > > > > > >Return-Path: > > > >Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) > > > > by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839 > > > > for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 +0200 > > > >Date: Tue, 25 Jun 2002 18:09:14 +0200 
> > > >From: yop@nohwere.com > > > >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> > > > >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain > >[127.0.0.1] > > > > didn't use HELO protocol > > > >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos de > > > > Puntos Travel Club! > > > >Content-type: text/html > > > >MIME-Version: 1.0 > > > >Content-Transfer-Encoding: quoted-printable > > > >X-MailScanner: Found to be clean > > > >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, > > > > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, CTYPE_JUST_HTML, > > > > MISSING_HEADERS, NO_MX_FOR_FROM) > > > > > > > > > > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin and > >gave > > > >it "Spam" status and did modified the subject) > > > > > > > >And here is the maillog "conversation": > > > > > > > > > > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: to=yop@yop.es, > > > >delay=00: > > > >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., dsn=2.0. > > > >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) > > > >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: Authentication- > > > >Warning: > > > >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO > >protocol > > > >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: > > > >from=yop@nohwere.com, si > > > >ze=19465, class=0, nrcpts=1, msgid=<200206251609.g5PG90512839@Alufis35>, > >b > > > >odytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain > > > >[127.0.0.1 > > > >] > > > >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, 20139 > > > >bytes > > > >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, 20139 > > > >bytes in > > > >4 seconds > > > >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: > > > >to=iranzo@amena.com, del > > > >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. 
[1 > > > >47.156.1.112], dsn=5.6.0, stat=Data format error > > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, > > > >delay=00:01: > > > >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent > > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: > >DSN: > > > >Data > > > >format error > > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: > >to=yop@nohwere.com, > > > >dela > > > >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., dsn > > > >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) > > > > > > > >It Scans the message, marks it as spam but doesn't reflect that on the > > > >maillog. > > > > > > > >My syslog has the -r switch from previous versions. I'm running RedHat > >7.3. > > > > > > > > > > > >?Any idea? > > > >Thanks in advance > > > >Pablo > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From FCaen at CI.LAKEWOOD.WA.US Tue Jun 25 20:05:12 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:15:04 2006 Subject: f-prot / aves detects this as a virus !! I think Message-ID: -----Original Message----- From: rishi@THEARGONCOMPANY.COM > Hi Fracois > What happens when you do : > f prot virlist | grep i Frethem Surprisingly, no Frethem is listed in the virlist. Which could be why I get: "password.exe is a security risk or a "backdoor" program" instead of the typical "Infection: virusXYZ" ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From Matthew_doherty at DATAWATCH.COM Tue Jun 25 20:07:05 2002 
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:04 2006
Subject: /etc/rc.d/init.d/mailscanner: kill: (25184) - No such pid upon restarting mailscanner
Message-ID:

What file should I look at to see if the path to the pid file is incorrect? The mailscanner script or config?
Has anyone had this problem after installing the rpm for RH7.2??
BTW, this mailscanner script is the new one Julian posted 4 or five days ago for replacement of the one that came with 3.20.6.

[root@datawatch root]# /etc/rc.d/init.d/mailscanner restart
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: /etc/rc.d/init.d/mailscanner: kill: (10575) - No such pid
/etc/rc.d/init.d/mailscanner: kill: (25184) - No such pid
[ OK ]
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: [ OK ]
[root@datawatch root]#

P.S. Would it be a good idea to add a "sleep 3" in the script before starting the daemon just after it was stopped?

From Matthew_doherty at DATAWATCH.COM Tue Jun 25 20:08:55 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:04 2006
Subject: Why I think RBL should be done with the MTA rather than Mailscanner
Message-ID:

nice signature man,
""iQA/AwUBPRg0Ea2fOiTs5+WvEQLibwCeKwQY8ufxPTJc4yHAi2wwg4GHjToAoNYP
rBipxN3ahQJmwXHHlKmPvRxY
=KV8w ""

-----Original Message-----
From: Patterson S.R. [mailto:S.R.Patterson@SOTON.AC.UK]
Sent: Tuesday, June 25, 2002 6:15 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Why I think RBL should be done with the MTA rather than Mailscanner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm just working through in my head the options for spam blocking and come up with the following advantages to using RBL lists on the MTA (i.e. sendmail) at point of acceptance rather than using them on Mailscanner:

- - Reduced server load - you don't have to bother accepting a mail for delivery (i.e. spooling it all up) when you already know you're going to reject it anyway

- - The remote user/server gets a sensible rejection message at the point of "MAIL FROM:" or "RCPT TO:" along the lines of "Your domain is black listed, please see http://useful.url"

- - Perhaps of maximum importance to me, you have complete control of your mail relaying policies through sendmail itself - for example, I want to use the MAPS Dial up list to block direct mailing to my servers from dial up users. However, I don't want to stop valid University users at home on their dialup connections from sending mail through my servers. The answer - implement SMTP Authentication (already done!) and only reject IP addresses in the MAPS Dial Up list if the user hasn't first authenticated themselves with a valid username and password. How would you do this in Mailscanner?

Can anybody see any advantages to using the RBL lists on Mailscanner instead of on the MTA directly? I'd like to hear the flip side of the debate!

This is by no means a dig at the product or at Julian who works very hard to implement all of the features which his userbase demands (though I sometimes think the userbase demands inappropriate features... Don't even get me started on SA...;P)

Here's a feature for you Jules...
How about making "plug in" module support for each MTA, spam features, Spam Assassin, Virus scanner, etc - by which I mean you only load the code which you need for the features and software that you are using.

No, don't ask me how you'd do that :)

Yours ramblingly,

Steve

- --
Steven Patterson, MSci. Tel: +44 (0)2380 595810
Electronic Information Systems Support and Development
Computing Services, University of Southampton, UK.
Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPRg0Ea2fOiTs5+WvEQLibwCeKwQY8ufxPTJc4yHAi2wwg4GHjToAoNYP
rBipxN3ahQJmwXHHlKmPvRxY
=KV8w
-----END PGP SIGNATURE-----

From brose at MED.WAYNE.EDU Tue Jun 25 20:16:35 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8FE0@med-core03.med.wayne.edu>

Why be so nice to external senders? If they send you a virus infected message how is that different than an internal virus sender?

-----Original Message-----
From: Mark Nienberg [mailto:mark@TIPPINGMAR.COM]
Sent: Tuesday, June 25, 2002 2:57 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Notify Senders

> I don't think that will quite do what he wants. Your suggestion will
> still notify non-local senders that they send him a virus. He wants
> to notify
> *only* local senders.
>
> This is what he's looking for:
>
> Outside ->in notify postmaster, local recipient. No external senders
> notified.
> inside -> out notify local sender, postmaster, no external
> recipients
> notified.

Yes, I think you see what I mean. I guess it wouldn't be so bad to notify external senders if I edited the file "sender.virus.report.txt" to be more apologetic. I can see how it would be nice to have different notifications for local senders and external senders. I could read the riot act to the local senders and apologize to the external senders!

Mark

From mailscanner at ecs.soton.ac.uk Tue Jun 25 20:18:37 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <000b01c21c7a$06bf8dc0$1cfea8c0@tippingmar.com>
References: <5.1.0.14.0.20020625142832.021a9600@192.168.50.2>
Message-ID: <5.1.0.14.2.20020625201748.038a3008@imap.ecs.soton.ac.uk>

At 19:56 25/06/2002, you wrote:
> > I don't think that will quite do what he wants. Your
> > suggestion will still
> > notify non-local senders that they send him a virus. He wants
> > to notify
> > *only* local senders.
> >
> > This is what he's looking for:
> >
> > Outside ->in notify postmaster, local recipient. No external senders
> > notified.
> > inside -> out notify local sender, postmaster, no external
> > recipients
> > notified.
>
>Yes, I think you see what I mean. I guess it wouldn't be so bad to
>notify external senders if I edited the file "sender.virus.report.txt"
>to be more apologetic. I can see how it would be nice to have different
>notifications for local senders and external senders. I could read the
>riot act to the local senders and apologize to the external senders!

Don't go changing your mind now :-)
I've just written it for you. Just got to test it now.
How's that for quick service?
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From FCaen at CI.LAKEWOOD.WA.US Tue Jun 25 20:19:24 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:15:04 2006
Subject: Why I think RBL should be done with the MTArather thanMailscanner
Message-ID:

-----Original Message-----
From: Matthew_doherty@DATAWATCH.COM

> nice signature man,
> ""iQA/AwUBPRg0Ea2fOiTs5+WvEQLibwCeKwQY8ufxPTJc4yHAi2wwg4GHjToAoNYP
> rBipxN3ahQJmwXHHlKmPvRxY
> =KV8w ""

I don't get the joke. Do you not know what a PGP signature is?

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From mark at TIPPINGMAR.COM Tue Jun 25 20:39:06 2002
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A0A8FE0@med-core03.med.wayne.edu>
Message-ID: <000e01c21c7f$f7c36fc0$1cfea8c0@tippingmar.com>

> Why be so nice to external senders? If they send you a virus infected
> message how is that different than an internal virus sender?

Just politics really. Those people sending us viruses are also buying our consulting services, so I don't want to offend them.

On a related note: If you do notify both local and external senders, but you have "deliver from local domains = no" then the notification would have to be different to really explain to the sender what happened to the message. For internal senders, the message is just deleted, but for external senders, some part of the message went through.

From mailscanner at ecs.soton.ac.uk Tue Jun 25 20:58:40 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Why I think RBL should be done with the MTArather thanMailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020625205823.030b7e98@imap.ecs.soton.ac.uk>

This is OT. Please discuss it off the list.

At 20:19 25/06/2002, you wrote:
>-----Original Message-----
>From: Matthew_doherty@DATAWATCH.COM > > > nice signature man, > > ""iQA/AwUBPRg0Ea2fOiTs5+WvEQLibwCeKwQY8ufxPTJc4yHAi2wwg4GHjToAoNYP > > rBipxN3ahQJmwXHHlKmPvRxY > > =KV8w "" > >I don't get the joke. Do you not know what a PGP signature is? > >------------------------------------------------ >Francois Caen >Network Information Systems Engineer - Webmaster >City of Lakewood, WA >(253) 512-2269 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jun 25 20:49:57 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: Notify Senders
In-Reply-To: <5.1.0.14.2.20020625201748.038a3008@imap.ecs.soton.ac.uk>
References: <000b01c21c7a$06bf8dc0$1cfea8c0@tippingmar.com> <5.1.0.14.0.20020625142832.021a9600@192.168.50.2>
Message-ID: <5.1.0.14.2.20020625204854.0303dd68@imap.ecs.soton.ac.uk>

At 20:18 25/06/2002, you wrote:
>At 19:56 25/06/2002, you wrote:
>> > I don't think that will quite do what he wants. Your
>> > suggestion will still
>> > notify non-local senders that they send him a virus. He wants
>> > to notify
>> > *only* local senders.
>> >
>> > This is what he's looking for:
>> >
>> > Outside ->in notify postmaster, local recipient. No external senders
>> > notified.
>> > inside -> out notify local sender, postmaster, no external
>> > recipients
>> > notified.
>>
>>Yes, I think you see what I mean. I guess it wouldn't be so bad to
>>notify external senders if I edited the file "sender.virus.report.txt"
>>to be more apologetic. I can see how it would be nice to have different
>>notifications for local senders and external senders. I could read the
>>riot act to the local senders and apologize to the external senders!
>
>Don't go changing your mind now :-)
>I've just written it for you. Just got to test it now.
>How's that for quick service?

Just tested. All seems to be working okay. It puts separate entries in the logs for the number of infections for which the sender was informed, and the number for which the sender was not informed.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Tue Jun 25 20:57:48 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: /etc/rc.d/init.d/mailscanner: kill: (25184) - No such pid upon restarting mailscanner
In-Reply-To:
Message-ID: <5.1.0.14.2.20020625205423.030b8258@imap.ecs.soton.ac.uk>

I have just changed the init.d script to not print those error messages. They are caused (I believe) by sendmail's child processes, which it finds when working out the pids but which have finished by the time it comes to try to kill them. On a heavily-loaded server this delay could be a couple of seconds, which is quite long enough for some of the children to complete.

As per your suggestion, I have added a short "sleep" in the restart code.

Thanks for the ideas!

At 20:07 25/06/2002, you wrote:
> What file should I look at to see if the path to the pid file is
> incorrect? the mailscanner script or config?
>Has anyone had this problem after installing the rpm for RH7.2??
>BTW... ,This mailscanner script is the new one Julian posted 4 or five
>days ago for replacement of the one that came with 3.20.6.
>
> [root@datawatch root]# /etc/rc.d/init.d/mailscanner restart
>Shutting down MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: [ OK ]
> outgoing sendmail: /etc/rc.d/init.d/mailscanner: kill:
> (10575) - No such pid
>/etc/rc.d/init.d/mailscanner: kill: (25184) - No such pid
> [ OK ]
>Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: [ OK ]
>[root@datawatch root]#
>P.S. would it be a good idea to add a "sleep 3" in the script before
>starting the daemon just after it was stopped?

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Tue Jun 25 21:09:02 2002
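
The race described in Julian Field's reply above (pids are collected, some children exit, and kill then reports "No such pid") can be tolerated without also hiding real failures. The following is an added example, not the MailScanner init.d script; the function names stop_pids and wait_gone and the use of Linux /proc are assumptions.

```shell
#!/bin/sh
# Added example: stop a list of previously collected pids and wait for
# them to exit before a restart. Function names are hypothetical.

# stop_pids PID...
#   Send SIGTERM to each pid. A pid that exited between enumeration and
#   kill is counted in STOP_GONE instead of being printed as an error.
#   A pid that still exists but could not be signalled (for example
#   "Operation not permitted") is counted in STOP_FAILED and reported,
#   so silencing the harmless race does not silence real failures.
#   Returns 0 only when STOP_FAILED is 0.
stop_pids() {
    STOP_SIGNALLED=0
    STOP_GONE=0
    STOP_FAILED=0
    for pid in "$@"; do
        if kill -TERM "$pid" 2>/dev/null; then
            STOP_SIGNALLED=$((STOP_SIGNALLED + 1))
        elif [ -e "/proc/$pid" ]; then
            # Assumption: Linux /proc is mounted. The process is still
            # there, so the kill failed for some other reason.
            STOP_FAILED=$((STOP_FAILED + 1))
            echo "stop_pids: could not signal pid $pid" >&2
        else
            # Already finished: this is the "No such pid" case.
            STOP_GONE=$((STOP_GONE + 1))
        fi
    done
    [ "$STOP_FAILED" -eq 0 ]
}

# wait_gone TIMEOUT_SECONDS PID...
#   Poll once a second until none of the pids accepts signal 0 any more,
#   or until the timeout expires. Returns 0 when all are gone and 1 on
#   timeout. This is a bounded wait in place of a fixed "sleep N" before
#   the daemons are started again. It is meant to run as root, where
#   "kill -0" fails only when the process no longer exists.
wait_gone() {
    remaining=$1
    shift
    while :; do
        alive=0
        for pid in "$@"; do
            if kill -0 "$pid" 2>/dev/null; then
                alive=$((alive + 1))
            fi
        done
        [ "$alive" -eq 0 ] && return 0
        [ "$remaining" -le 0 ] && return 1
        sleep 1
        remaining=$((remaining - 1))
    done
}
```

A restart path would call stop_pids with the collected pids, then wait_gone with a timeout, and start the daemons only if wait_gone returned 0.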
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:04 2006
Subject: Empty SpamCheck line
Message-ID: <57932.129.80.22.134.1025035742.squirrel@tiger.dorfam.ca>

Julian, I noticed some messages earlier today about the empty SpamCheck notices. I just generated one by sending a zip file to my home system where mailscanner is running. There was nothing else in the email (no text...just the single attachment).

I still have the full message/header if you have any need of it. I've included the last part of the header below.

I sent this file to myself twice now with the same result. In other words, it's repeatable.

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

To: "'gerry@dorfam.ca'"
Subject: Wiz8SpellAbility_200.zip
Date: Tue, 25 Jun 2002 13:22:47 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C21C7D.B09045D0"
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin ()

From HancockS at MORGANCO.COM Tue Jun 25 21:18:17 2002
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:15:04 2006
Subject: {SPAM?} spamassassin required hits adjustment.
Message-ID: <02Jun25.161042edt.119102@gateway.morganco.com>

Previous posts stated that to adjust the hit rating for spamassassin with mailscanner, one should edit the /root/.spamassassin/user_prefs file.

This file on my system (debian 2.4.18, ms 3.13.2-2, SA 2.20) has one line.

required_hits 10

Is this correct? I was hoping to find an example of this file somewhere. All of the pointers to such a file that I've found have been dead ends.

Also, any chance of that sendmail config to report the hit ratings making it to exim?

Thanks for your help.

Scott Hancock

From mailscanner at ecs.soton.ac.uk Tue Jun 25 21:18:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:04 2006
Subject: {SPAM?} spamassassin required hits adjustment.
In-Reply-To: <02Jun25.161042edt.119102@gateway.morganco.com>
Message-ID: <5.1.0.14.2.20020625211628.03241810@imap.ecs.soton.ac.uk>

At 21:18 25/06/2002, you wrote:
>Previous posts stated that to adjust the hit rating for spamassasin with
>mailscanner, one should edit the /root/.spamassassin/user_prefs file
>
>This file on my system (debian 2.4.18, ms 3.13.2-2, SA 2.20) has one line.
>
>required_hits 10
>
>Is this correct? I was hoping to find an example of this file somewhere.
>All of the pointers to such a file that I've found have been dead ends.

Should be. Do your SA reports indicate that it is using the new value?

>Also, any chance of that sendmail config to report the hit ratings making it
>to exim?

If someone feels like writing it...
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mike at CAMAROSS.NET Tue Jun 25 21:23:02 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:04 2006
Subject: {SPAM?} spamassassin required hits adjustment.
References: <5.1.0.14.2.20020625211628.03241810@imap.ecs.soton.ac.uk>
Message-ID: <01ef01c21c86$1bdcb640$6501a8c0@home.wideopenthrottle.org>

I *think* mine is using /etc/mail/spamassassin/local.cf

----- Original Message -----
From: "Julian Field" To: Sent: Tuesday, June 25, 2002 3:18 PM Subject: Re: {SPAM?} spamassassin required hits adjustment. > At 21:18 25/06/2002, you wrote: > >Previous posts stated that to adjust the hit rating for spamassasin with > >mailscanner, one should edit the /root/.spamassassin/user_prefs file > > > >This file on my system (debian 2.4.18, ms 3.13.2-2, SA 2.20) has one line. > > > >required_hits 10 > > > >Is this correct? I was hoping to find an example of this file somewhere. > >All of the pointers to such a file that I've found have been dead ends. > > Should be. Do your SA reports indicate that it is using the new value? > > >Also, any chance of that sendmail config to report the hit ratings making it > >to exim? > > If someone feels like writing it... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From Matthew_doherty at DATAWATCH.COM Tue Jun 25 21:26:25 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:04 2006 Subject: /etc/rc.d/init.d/mailscanner: kill: (25184) - No such pidupon restarting mailscanner Message-ID: Great! Thanks much! -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, June 25, 2002 5:01 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: /etc/rc.d/init.d/mailscanner: kill: (25184) - No such pidupon restarting mailscanner I have just changed the init.d script to not print those error messages. They are caused (I believe) by sendmail's child processes, which it finds when working out the pids but which have finished by the time it comes to try to kill them. On a heavily-loaded server this delay could be a couple of seconds, which is quite long enough for some of the children to complete. As per your suggestion, I have added a short "sleep" in the restart code. Thanks for the ideas! At 20:07 25/06/2002, you wrote: > What file should I look at to see if the path to the pid file is > incorrect? the mailscanner script or config? >Has anyone had this problem after installing the rpm for RH7.2?? >BTW... ,This mailscanner script is the new one Julian posted 4 or five >days ago for replacement of the one that came with 3.20.6. > > [root@datawatch root]# /etc/rc.d/init.d/mailscanner restart >Shutting down MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [ OK ] > outgoing sendmail: /etc/rc.d/init.d/mailscanner: kill: > (10575) - No such pid >/etc/rc.d/init.d/mailscanner: kill: (25184) - No such pid > [ OK ] >Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: [ OK ] >[root@datawatch root]# >P.S. would it be a good idea to add a "sleep 3" in the script before >starting the daemon just after it was stopped? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020625/2f11f5ab/attachment.html From Pablo.Iranzo at UV.ES Tue Jun 25 21:41:28 2002 
From: Pablo.Iranzo at UV.ES (Pablo Iranzo G=?ISO-8859-1?Q?=F3mez?=) Date: Thu Jan 12 21:15:05 2006 Subject: Part of MRTG died Message-ID: Mine is the same... it seems to be a problem in the sendmail.pl script that mrtg uses, but it worked without any change until the update... (but virus and mail got reported ok) On Tue, 25 Jun 2002 13:58:44 -0500, Mike Kercher wrote: >I can see the spams getting logged in my maillog...it's just that MRTG (or >my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my >upgrades :) > >Here is the mail. line from my syslog.conf > ># Log all the mail messages in one place. >mail.* /var/log/maillog > >Mike > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, June 25, 2002 1:51 PM >Subject: Re: Part of MRTG died > > >> At 19:44 25/06/2002, you wrote: >> >I have "Log Spam = yes" in my .conf and neither Spam nor spam in my >mrtg.cfg >> >reveal any spam in my maillog. *boggle* >> >> Spam logging is done as mail.info, I suspect that your /etc/syslog.conf >> isn't logging mail.info messages. >> >> >----- Original Message ----- >> >From: "Julian Field" >> >To: >> >Sent: Tuesday, June 25, 2002 11:35 AM >> >Subject: Re: Part of MRTG died >> > >> > >> > > Check your mailscanner.conf file for "Log Spam = no". >> > > >> > > At 17:19 25/06/2002, you wrote: >> > > >I've the same problem, after updating to the last available >MailScanner >> > > >version, I've no spam reports in /var/log/maillog I've tried to do >also >> > > >with changing "spam" to "Spam" but it doesn't work. >> > > > I've sent a SPAM mail throught sendmail and here are the headers: >> > > > >> > > > >> > > >Return-Path: >> > > >Received: from localhost.localdomain (localhost.localdomain >[127.0.0.1]) >> > > > by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839 >> > > > for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 >+0200 >> > > >Date: Tue, 25 Jun 2002 18:09:14 +0200 
>> > > >From: yop@nohwere.com >> > > >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> >> > > >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain >> >[127.0.0.1] >> > > > didn't use HELO protocol >> > > >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos >de >> > > > Puntos Travel Club! >> > > >Content-type: text/html >> > > >MIME-Version: 1.0 >> > > >Content-Transfer-Encoding: quoted-printable >> > > >X-MailScanner: Found to be clean >> > > >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, >> > > > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, >CTYPE_JUST_HTML, >> > > > MISSING_HEADERS, NO_MX_FOR_FROM) >> > > > >> > > > >> > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin and >> >gave >> > > >it "Spam" status and did modified the subject) >> > > > >> > > >And here is the maillog "conversation": >> > > > >> > > > >> > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: >to=yop@yop.es, >> > > >delay=00: >> > > >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., >dsn=2.0. 
>> > > >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) >> > > >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: >Authentication- >> > > >Warning: >> > > >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO >> >protocol >> > > >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: >> > > >from=yop@nohwere.com, si >> > > >ze=19465, class=0, nrcpts=1, >msgid=<200206251609.g5PG90512839@Alufis35>, >> >b >> > > >odytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain >> > > >[127.0.0.1 >> > > >] >> > > >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, >20139 >> > > >bytes >> > > >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, >20139 >> > > >bytes in >> > > >4 seconds >> > > >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: >> > > >to=iranzo@amena.com, del >> > > >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. >[1 >> > > >47.156.1.112], dsn=5.6.0, stat=Data format error >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, >> > > >delay=00:01: >> > > >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: g5PGADY12868: >> >DSN: >> > > >Data >> > > >format error >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: >> >to=yop@nohwere.com, >> > > >dela >> > > >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., >dsn >> > > >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) >> > > > >> > > >It Scans the message, marks it as spam but doesn't reflect that on >the >> > > >maillog. >> > > > >> > > >My syslog has the -r switch from previous versions. I'm running >RedHat >> >7.3. >> > > > >> > > > >> > > >?Any idea? >> > > >Thanks in advance >> > > >Pablo >> > > >> > > -- >> > > Julian Field Teaching Systems Manager >> > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >> > > Tel. 
023 8059 2817 University of Southampton >> > > Southampton SO17 1BJ >> > > >> >> -- >> Julian Field Teaching Systems Manager >> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >> Tel. 023 8059 2817 University of Southampton >> Southampton SO17 1BJ >> From mark at TIPPINGMAR.COM Tue Jun 25 21:46:02 2002 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:15:05 2006 Subject: Notify Senders In-Reply-To: <5.1.0.14.2.20020625204854.0303dd68@imap.ecs.soton.ac.uk> Message-ID: <001101c21c89$51e73780$1cfea8c0@tippingmar.com> Sounds great. Thanks! I'm not in any hurry, so feel free to wrap it into the next release. Mark > > Just tested. All seems to be working okay. It puts separate > entries in the > logs for the number of infections for which the sender was > informed, and > the number for which the sender was not informed. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From HancockS at MORGANCO.COM Tue Jun 25 21:54:30 2002 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:15:05 2006 Subject: {SPAM?} spamassassin required hits adjustment. Message-ID: <02Jun25.164645edt.119067@gateway.morganco.com> Thanks for the "proof read" Julian. I've got bigger problems. SA suddenly started rating most of my mail at 255 (including all mail from this list). It also appears to be called twice consecutively X-MailScanner: Found to be clean, Found to be clean X-MailScanner-SpamCheck: SpamAssassin (255 hits) X-MailScanner-SpamCheck: SpamAssassin (255 hits) I turned off SA for now. I will investigate further tomorrow. > If someone feels like writing it... Ok, fair enough. I've got a long way to go before I can pitch in, but its a personal goal. Thanks again Scott Hancock > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, June 25, 2002 4:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: {SPAM?} spamassassin required hits adjustment. > > > At 21:18 25/06/2002, you wrote: > >Previous posts stated that to adjust the hit rating for > spamassasin with > >mailscanner, one should edit the /root/.spamassassin/user_prefs file > > > >This file on my system (debian 2.4.18, ms 3.13.2-2, SA 2.20) > has one line. > > > >required_hits 10 > > > >Is this correct? I was hoping to find an example of this > file somewhere. > >All of the pointers to such a file that I've found have been > dead ends. > > Should be. Do your SA reports indicate that it is using the new value? > > >Also, any chance of that sendmail config to report the hit > ratings making it > >to exim? > > If someone feels like writing it... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From mailscanner at ecs.soton.ac.uk Tue Jun 25 21:59:15 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Part of MRTG died In-Reply-To: Message-ID: <5.1.0.14.2.20020625215852.03ee66a0@imap.ecs.soton.ac.uk> I have just posted a new sendmail.logs.pl on the website. Works again :-) At 21:41 25/06/2002, you wrote: >Mine is the same... it seems to be a problem in the sendmail.pl script that >mrtg uses, but it worked without any change until the update... (but virus >and mail got reported ok) > >On Tue, 25 Jun 2002 13:58:44 -0500, Mike Kercher wrote: > > >I can see the spams getting logged in my maillog...it's just that MRTG (or > >my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my > >upgrades :) > > > >Here is the mail. line from my syslog.conf > > > ># Log all the mail messages in one place. > >mail.* /var/log/maillog > > > >Mike > > > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Tuesday, June 25, 2002 1:51 PM > >Subject: Re: Part of MRTG died > > > > > >> At 19:44 25/06/2002, you wrote: > >> >I have "Log Spam = yes" in my .conf and neither Spam nor spam in my > >mrtg.cfg > >> >reveal any spam in my maillog. *boggle* > >> > >> Spam logging is done as mail.info, I suspect that your /etc/syslog.conf > >> isn't logging mail.info messages. > >> > >> >----- Original Message ----- > >> >From: "Julian Field" > >> >To: > >> >Sent: Tuesday, June 25, 2002 11:35 AM > >> >Subject: Re: Part of MRTG died > >> > > >> > > >> > > Check your mailscanner.conf file for "Log Spam = no". > >> > > > >> > > At 17:19 25/06/2002, you wrote: > >> > > >I've the same problem, after updating to the last available > >MailScanner > >> > > >version, I've no spam reports in /var/log/maillog I've tried to do > >also > >> > > >with changing "spam" to "Spam" but it doesn't work. > >> > > > I've sent a SPAM mail throught sendmail and here are the headers: > >> > > > > >> > > > > >> > > >Return-Path: > >> > > >Received: from localhost.localdomain (localhost.localdomain > >[127.0.0.1]) > >> > > > by Alufis35.uv.es (8.11.6/8.11.2) with SMTP id g5PG90512839 > >> > > > for Pablo.Iranzo@alufis35.uv.es; Tue, 25 Jun 2002 18:09:14 > >+0200 > >> > > >Date: Tue, 25 Jun 2002 18:09:14 +0200 
> >> > > >From: yop@nohwere.com > >> > > >Message-Id: <200206251609.g5PG90512839@Alufis35.uv.es> > >> > > >X-Authentication-Warning: Alufis35.uv.es: localhost.localdomain > >> >[127.0.0.1] > >> > > > didn't use HELO protocol > >> > > >Subject: {SPAM?} Navega por telefonicaonline.com y ?ll?vate cientos > >de > >> > > > Puntos Travel Club! > >> > > >Content-type: text/html > >> > > >MIME-Version: 1.0 > >> > > >Content-Transfer-Encoding: quoted-printable > >> > > >X-MailScanner: Found to be clean > >> > > >X-MailScanner-SpamCheck: SpamAssassin (score=10.1, required 5, > >> > > > SUBJ_HAS_Q_MARK, NO_REAL_NAME, PLING, BIG_FONT, > >CTYPE_JUST_HTML, > >> > > > MISSING_HEADERS, NO_MX_FOR_FROM) > >> > > > > >> > > > > >> > > >(As you can see, thhe Mailscanner passed it throught SpamAssassin >and > >> >gave > >> > > >it "Spam" status and did modified the subject) > >> > > > > >> > > >And here is the maillog "conversation": > >> > > > > >> > > > > >> > > >Jun 25 18:04:50 Alufis35 sendmail[12739]: g5PG4nv12739: > >to=yop@yop.es, > >> > > >delay=00: > >> > > >00:01, xdelay=00:00:00, mailer=relay, pri=49438, relay=sello., > >dsn=2.0. 
> >> > > >0, stat=Sent (g5PG4oJN009163 Message accepted for delivery) > >> > > >Jun 25 18:09:00 Alufis35 sendmail[12839]: g5PG90512839: > >Authentication- > >> > > >Warning: > >> > > >Alufis35.uv.es: localhost.localdomain [127.0.0.1] didn't use HELO > >> >protocol > >> > > >Jun 25 18:09:37 Alufis35 sendmail[12839]: g5PG90512839: > >> > > >from=yop@nohwere.com, si > >> > > >ze=19465, class=0, nrcpts=1, > >msgid=<200206251609.g5PG90512839@Alufis35>, > >> >b > >> > > >odytype=8BITMIME, proto=SMTP, daemon=MTA, >relay=localhost.localdomain > >> > > >[127.0.0.1 > >> > > >] > >> > > >Jun 25 18:09:49 Alufis35 mailscanner[12624]: Scanning 1 messages, > >20139 > >> > > >bytes > >> > > >Jun 25 18:10:12 Alufis35 mailscanner[12624]: Scanned 1 messages, > >20139 > >> > > >bytes in > >> > > >4 seconds > >> > > >Jun 25 18:10:13 Alufis35 sendmail[12868]: g5PG90512839: > >> > > >to=iranzo@amena.com, del > >> > > >ay=00:00:59, xdelay=00:00:00, mailer=relay, pri=139465, relay=sello. > >[1 > >> > > >47.156.1.112], dsn=5.6.0, stat=Data format error > >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: to=\iranzo, > >> > > >delay=00:01: > >> > > >00, xdelay=00:00:01, mailer=local, pri=139465, dsn=2.0.0, stat=Sent > >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PG90512839: >g5PGADY12868: > >> >DSN: > >> > > >Data > >> > > >format error > >> > > >Jun 25 18:10:14 Alufis35 sendmail[12868]: g5PGADY12868: > >> >to=yop@nohwere.com, > >> > > >dela > >> > > >y=00:00:00, xdelay=00:00:00, mailer=relay, pri=49437, relay=sello., > >dsn > >> > > >=2.0.0, stat=Sent (g5PGAEJN009658 Message accepted for delivery) > >> > > > > >> > > >It Scans the message, marks it as spam but doesn't reflect that on > >the > >> > > >maillog. > >> > > > > >> > > >My syslog has the -r switch from previous versions. I'm running > >RedHat > >> >7.3. > >> > > > > >> > > > > >> > > >?Any idea? 
> >> > > >Thanks in advance > >> > > >Pablo > >> > > > >> > > -- > >> > > Julian Field Teaching Systems Manager > >> > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >> > > Tel. 023 8059 2817 University of Southampton > >> > > Southampton SO17 1BJ > >> > > > >> > >> -- > >> Julian Field Teaching Systems Manager > >> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >> Tel. 023 8059 2817 University of Southampton > >> Southampton SO17 1BJ > >> -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Tue Jun 25 22:01:59 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: {SPAM?} spamassassin required hits adjustment. In-Reply-To: <02Jun25.164645edt.119067@gateway.morganco.com> Message-ID: <5.1.0.14.2.20020625220004.02fb7ed8@imap.ecs.soton.ac.uk> At 21:54 25/06/2002, you wrote: >Thanks for the "proof read" Julian. No worries. >I've got bigger problems. SA suddenly started rating most of my mail at 255 >(including all mail from this list). It also appears to be called twice >consecutively Eek. Never seen that one before. What SA are you running? They have produced a 2.31 in the past few days, which seems to be working okay for me. 255 hits implies the return code from SA could have been negative (it's shifted right 8 times). Test SA thoroughly with the manual "spamassassin" script in their distribution. > >X-MailScanner: Found to be clean, Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (255 hits) >X-MailScanner-SpamCheck: SpamAssassin (255 hits) > > >I turned off SA for now. I will investigate further tomorrow. > > > If someone feels like writing it... > >Ok, fair enough. I've got a long way to go before I can pitch in, but its a >personal goal. > >Thanks again > >Scott Hancock > > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Tuesday, June 25, 2002 4:18 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: {SPAM?} spamassassin required hits adjustment. > > > > > > At 21:18 25/06/2002, you wrote: > > >Previous posts stated that to adjust the hit rating for > > spamassasin with > > >mailscanner, one should edit the /root/.spamassassin/user_prefs file > > > > > >This file on my system (debian 2.4.18, ms 3.13.2-2, SA 2.20) > > has one line. > > > > > >required_hits 10 > > > > > >Is this correct? I was hoping to find an example of this > > file somewhere. > > >All of the pointers to such a file that I've found have been > > dead ends. > > > > Should be. Do your SA reports indicate that it is using the new value? > > > > >Also, any chance of that sendmail config to report the hit > > ratings making it > > >to exim? > > > > If someone feels like writing it... > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sysadmin at DMS.UMONTREAL.CA Tue Jun 25 22:16:28 2002 
From: sysadmin at DMS.UMONTREAL.CA (Christopher Albert)
Date: Thu Jan 12 21:15:05 2006
Subject: spamassassin required hits adjustment.
References: <5.1.0.14.2.20020625220004.02fb7ed8@imap.ecs.soton.ac.uk>
Message-ID: <3D18DDAC.3040608@DMS.UMontreal.CA>

Julian Field wrote:

> At 21:54 25/06/2002, you wrote:
>
>> Thanks for the "proof read" Julian.
>
> No worries.
>
>> I've got bigger problems. SA suddenly started rating most of my mail at 255
>> (including all mail from this list). It also appears to be called twice
>> consecutively
>
> Eek. Never seen that one before. What SA are you running? They have
> produced a 2.31 in the past few days, which seems to be working okay for
> me. 255 hits implies the return code from SA could have been negative (it's
> shifted right 8 times). Test SA thoroughly with the manual "spamassassin"
> script in their distribution.

I had the same problem with 255 from the original message of this thread.
SA2.31, MailScanner-3.20-6 :

X-MailScanner: Found to be clean, Found to be clean
X-MailScanner-SpamCheck: SpamAssassin (255 hits)

Both of which I just installed yesterday. This is hard to reproduce.
The sample spam comes checks out correctly.

From Pablo.Iranzo at UV.ES Tue Jun 25 22:18:11 2002
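The "shifted right 8 times" arithmetic from the two messages above, reproduced on a Unix system as an added illustration (this is not MailScanner or SpamAssassin code). The function names are invented for the example, and treating 255 or a signal death as "no score" is a suggested check, not something proposed in the thread.

```python
import os
import signal


def _run_child(action):
    """Fork, run action() in the child, and return the parent's raw wait status.

    The raw status is the 16-bit word that Perl exposes as $? after a child exits.
    """
    pid = os.fork()
    if pid == 0:
        try:
            action()
        finally:
            os._exit(0)  # only reached if action() returns or raises
    _, status = os.waitpid(pid, 0)
    return status


def status_after_exit(requested):
    """Raw wait status of a child that asked to exit with `requested`."""
    return _run_child(lambda: os._exit(requested))


def status_after_kill():
    """Raw wait status of a child that was killed (as a timed-out scanner might be)."""
    return _run_child(lambda: os.kill(os.getpid(), signal.SIGKILL))


def hits_from_status(status):
    """The conversion described in the thread: the status shifted right 8 bits."""
    return status >> 8


def checked_hits(status):
    """Return the exit code as a hit count, or None when it cannot be a real score.

    Assumption of this example: 255 is reserved as an error value, because a
    child that exits with -1 is indistinguishable from one reporting 255 hits.
    """
    if not os.WIFEXITED(status):      # killed by a signal, stopped, ...
        return None
    code = os.WEXITSTATUS(status)
    return None if code == 255 else code


def demo():
    """(label, raw status, naive hits, checked hits) for four kinds of child."""
    cases = [
        ("exit(5)", status_after_exit(5)),
        ("exit(-1)", status_after_exit(-1)),    # only the low 8 bits survive
        ("exit(300)", status_after_exit(300)),  # 300 & 0xFF == 44, silently wrong
        ("SIGKILL", status_after_kill()),       # high byte is 0: looks like 0 hits
    ]
    return [(name, st, hits_from_status(st), checked_hits(st)) for name, st in cases]


if __name__ == "__main__":
    for name, st, naive, checked in demo():
        print(f"{name:10} status=0x{st:04x} naive={naive:3} checked={checked}")
```

A value above 255 still wraps around without any sign of trouble, which is why an exit status is a fragile channel for a score.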
From: Pablo.Iranzo at UV.ES (Pablo Iranzo Gómez)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
Message-ID:

It doesn't appear yet or it has the date not updated... does it need the
patch you released? ;)

Regards

On Tue, 25 Jun 2002 21:59:15 +0100, Julian Field wrote:

>I have just posted a new sendmail.logs.pl on the website.
>Works again :-)
>
>At 21:41 25/06/2002, you wrote:
>>Mine is the same... it seems to be a problem in the sendmail.pl script that
>>mrtg uses, but it worked without any change until the update... (but virus
>>and mail got reported ok)
>>
>>On Tue, 25 Jun 2002 13:58:44 -0500, Mike Kercher wrote:
>>
>> >I can see the spams getting logged in my maillog...it's just that MRTG (or
>> >my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my
>> >upgrades :)
>> >
>> >Here is the mail. line from my syslog.conf
>> >
>> ># Log all the mail messages in one place.
>> >mail.* /var/log/maillog
>> >
>> >Mike
>> >
>> >----- Original Message -----
>> >From: "Julian Field"
>> >To:
>> >Sent: Tuesday, June 25, 2002 1:51 PM
>> >Subject: Re: Part of MRTG died
>> >
>> >
>> >> At 19:44 25/06/2002, you wrote:
>> >> >I have "Log Spam = yes" in my .conf and neither Spam nor spam in my mrtg.cfg
>> >> >reveal any spam in my maillog. *boggle*
>> >>
>> >> Spam logging is done as mail.info, I suspect that your /etc/syslog.conf
>> >> isn't logging mail.info messages.
>> >>
>> >> >----- Original Message -----
>> >> > > >Thanks in advance
>> >> > > >Pablo
>> >> > >
>> >> > > --
>> >> > > Julian Field Teaching Systems Manager
>> >> > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>> >> > > Tel. 023 8059 2817 University of Southampton
>> >> > > Southampton SO17 1BJ
>> >> > >
>> >>
>> >> --
>> >> Julian Field Teaching Systems Manager
>> >> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>> >> Tel. 023 8059 2817 University of Southampton
>> >> Southampton SO17 1BJ
>> >>
>
>--
>Julian Field Teaching Systems Manager
>jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
>Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

From mike at CAMAROSS.NET Tue Jun 25 22:25:04 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
References:
Message-ID: <020d01c21c8e$c5ec32c0$6501a8c0@home.wideopenthrottle.org>

Pablo...are your maillogs being compressed when the logrotate runs? For some
reason, when the sendmail.logs.pl script runs, it is to zcat the logs. If
they are not compressed, I don't think anything is going to be found. I was
not compressing my logs, so I changed:

open(LOG, "zcat $file|")

to

open(LOG, "cat $file|")

Now, I'm getting some activity in my spam graphs. I just don't understand
why my Mail and Virus graphs were being updated and the spams were not.

Thanks for the awesome effort Julian!

----- Original Message -----
From: "Pablo Iranzo Gómez"
To:
Sent: Tuesday, June 25, 2002 4:18 PM
Subject: Re: Part of MRTG died

> It doesn't appear yet or it has the date not updated... does it need the
> patch you released? ;)
>
> Regards
>
>
> On Tue, 25 Jun 2002 21:59:15 +0100, Julian Field wrote:
>
> >I have just posted a new sendmail.logs.pl on the website.
> >Works again :-)
> >
> >At 21:41 25/06/2002, you wrote:
> >>Mine is the same... it seems to be a problem in the sendmail.pl script that
> >>mrtg uses, but it worked without any change until the update... (but virus
> >>and mail got reported ok)
> >>
> >>On Tue, 25 Jun 2002 13:58:44 -0500, Mike Kercher wrote:
> >>
> >> >I can see the spams getting logged in my maillog...it's just that MRTG (or
> >> >my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my
> >> >upgrades :)
> >> >
> >> >Here is the mail. line from my syslog.conf
> >> >
> >> ># Log all the mail messages in one place.
> >> >mail.* /var/log/maillog
> >> >
> >> >Mike
> >> >
> >> >----- Original Message -----
> >> >From: "Julian Field"
> >> >To:
> >> >Sent: Tuesday, June 25, 2002 1:51 PM
> >> >Subject: Re: Part of MRTG died
> >> >
> >> >
> >> >> At 19:44 25/06/2002, you wrote:
> >> >> >I have "Log Spam = yes" in my .conf and neither Spam nor spam in my mrtg.cfg
> >> >> >reveal any spam in my maillog. *boggle*
> >> >>
> >> >> Spam logging is done as mail.info, I suspect that your /etc/syslog.conf
> >> >> isn't logging mail.info messages.
> >> >>
> >> >> >----- Original Message -----
> >> >> > > >
> >> >> > > >
> >> >> > > >?Any idea?
> >> >> > > >Thanks in advance
> >> >> > > >Pablo
> >> >> > >
> >> >> > > --
> >> >> > > Julian Field Teaching Systems Manager
> >> >> > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> >> >> > > Tel. 023 8059 2817 University of Southampton
> >> >> > > Southampton SO17 1BJ
> >> >> > >
> >> >>
> >> >> --
> >> >> Julian Field Teaching Systems Manager
> >> >> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> >> >> Tel. 023 8059 2817 University of Southampton
> >> >> Southampton SO17 1BJ
> >> >>
> >
> >--
> >Julian Field Teaching Systems Manager
> >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> >Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
>

From Pablo.Iranzo at UV.ES Tue Jun 25 22:27:31 2002
From: Pablo.Iranzo at UV.ES (Pablo Iranzo Gómez)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
Message-ID:

They are not compressed but I did the change and it continues reporting "0"
spam mails and at least it should indicate two...

From mailscanner at ecs.soton.ac.uk Tue Jun 25 22:27:11 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
In-Reply-To:
Message-ID: <5.1.0.14.2.20020625222633.03f56008@imap.ecs.soton.ac.uk>

At 22:18 25/06/2002, you wrote:
>It doesn't appear yet or it has the date not updated... does it need the
>patch you released? ;)

Thump refresh a few times. It's certainly there.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From Pablo.Iranzo at UV.ES Tue Jun 25 22:36:31 2002
From: Pablo.Iranzo at UV.ES (Pablo Iranzo Gómez)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
Message-ID:

I've downloaded it from three different machines, with the browser's cache
cleared and it reports dated as 3/1/2001...

From mike at UNIXSECURITY.ORG Tue Jun 25 22:26:43 2002
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
References: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020625195014.0250d548@imap.ecs.soton.ac.uk>
 <016d01c21c7a$54b633d0$6501a8c0@home.wideopenthrottle.org>
Message-ID: <3D18E013.4020208@unixsecurity.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Kercher wrote:

|I can see the spams getting logged in my maillog...it's just that MRTG (or
|my mrtg.cfg) isn't picking them up anymore. It was working until ONE of my
|upgrades :)
|
|Here is the mail. line from my syslog.conf
|
|# Log all the mail messages in one place.
|mail.* /var/log/maillog

The spam logging string appears to have changed in 3.20... I noticed it
too, and fixed the script that was parsing the maillog. Assuming you're
using the script that Julian wrote, here's my change to get it working
again:

  # MailScanner < 3.20
  # $TotalSpam++ if /message [^\s]+ is spam/i;
  # MailScanner >= 3.20
  $TotalSpam++ if /is spam according to SpamAssassin/i;

- --
Mike Wallis
mw@unixsecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj0Y4BIACgkQXes7jE7XvguNYgCgjdrvf4jRsG7ABbglU5czc+9l
MMIAn0k+fX8kmTHAVWqQgJRmZHIXHKGG
=I/cf
-----END PGP SIGNATURE-----

From brandonf at BFCONSULT.CO.ZA Tue Jun 25 22:40:50 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam config...
Message-ID: <3D18E362.6050706@bfconsult.co.za>

I haven't yet set up spamassassin.... I am trying to use the spam features of
Mailscanner....

In my mailscanner.conf I have specified to use my spam.action.conf file
for spam rules. I added a test e-mail to it and restarted mailscanner.

When I send a message from the test address...nothing happens>???

Am I missing something?
--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From brandonf at BFCONSULT.CO.ZA Tue Jun 25 23:51:15 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam Questions
Message-ID: <3D18F3E3.5000609@bfconsult.co.za>

For those who received my earlier post forget it.... I have installed
spamassassin. A few questions:

1. I installed using CPAN....is that ok instead of downloading the tar
   and installing?
2. I also installed additional modules like Net::DNS, Mail:Audit,
   Net::SMTP...are these required or not?
3. Does the X-header for spam get added to each e-mail or only the ones
   with spam detected?
4. I don't quite understand the "scoring" system - where can I get more
   info..?

Sorry about all the pesky questions!
--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From todd at DECAGON.COM Wed Jun 26 00:36:05 2002
From: todd at DECAGON.COM (Todd Martin)
Date: Thu Jan 12 21:15:05 2006
Subject: sendmail rules to protect internal aliases
In-Reply-To: <3D18E362.6050706@bfconsult.co.za>
References: <3D18E362.6050706@bfconsult.co.za>
Message-ID:

I hope one of you sendmail rule wizards can help me with this...

We have several "internal" aliases that are really distribution lists
-- including one alias that goes to the whole company. Some
(stinking) spammer has harvested or otherwise guessed what some of
these aliases are. Now we are getting spam to the whole company
through one email address.

A little research sent me to here:
http://www.sendmail.org/~ca/email/protected.html

I can't seem to get this to work for me (any version). I'm wondering
if the reason is due to running the two instances of sendmail with
MailScanner.

At this point I'd love to hear any confirmation of my problem,
pointers to other ways, or The Answer(tm).

Thanks,
~Todd

From nwp at LEMON-COMPUTING.COM Wed Jun 26 02:52:28 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:05 2006
Subject: {SPAM?} spamassassin required hits adjustment.
In-Reply-To: <5.1.0.14.2.20020625211628.03241810@imap.ecs.soton.ac.uk>
References: <02Jun25.161042edt.119102@gateway.morganco.com>
 <5.1.0.14.2.20020625211628.03241810@imap.ecs.soton.ac.uk>
Message-ID: <20020626015228.GP12664@hoiho.nz.lemon-computing.com>

> >Also, any chance of that sendmail config to report the hit ratings making it
> >to exim?
> If someone feels like writing it...

Ooh. Have I been missing something? What feature are we actually talking
about?

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
That secret you've been guarding, isn't.

From dave at ESI.COM.AU Wed Jun 26 03:18:05 2002
From: dave at ESI.COM.AU (Dave Horsfall)
Date: Thu Jan 12 21:15:05 2006
Subject: Suggestion for autoupdate.f-prot
Message-ID:

If -cron is specified, keep quiet if nothing was updated. This is what
the shell version does. Ugly, but does the job:

@@ -187,7 +188,8 @@ } } } else { - print STDERR "File $FileToCheck is already up to date.\n" unless $quiet; + #print STDERR "File $FileToCheck is already up to date.\n" unless $quiet; + print STDERR "File $FileToCheck is already up to date.\n" unless ($quiet or $cron); } }

--
Dave Horsfall DTM VK2KFU dave@esi.com.au Ph: +61 2 9906-3377 Fx: 9906-3468
(Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia

From brandonf at BFCONSULT.CO.ZA Wed Jun 26 07:49:54 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Problem with whitelist....
Message-ID: <3D196412.2080306@bfconsult.co.za>

I add some local domains to my whitelist, to prevent them from being
spam-checked. I received an e-mail with {SPAM} in the subject line from
one of these local domains?

I used the following syntax in the whitelist:
@mydomain.com
Is this correct?
--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From brandonf at BFCONSULT.CO.ZA Wed Jun 26 07:53:27 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Problem with whitelist....
References: <3D196412.2080306@bfconsult.co.za>
Message-ID: <3D1964E7.1060305@bfconsult.co.za>

Ok folks sorry...... Yes I didn't read the text properly....I see it says
DON'T use the @ in front! ooops!

Brandon Friedman wrote:

> I add some local domains to my whitelist, to prevent them from being
> spam-checked. I received an e-mail with {SPAM} in the subject line from
> one of these local domains?
>
> I used the following syntax in the whitelist:
> @mydomain.com
> Is this correct?
> --
>
> Regards
> Brandon Friedman
> Cell:083 408 7840
> E-mail: brandonf@bfconsult.co.za
> www.bfconsult.co.za
>

--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 00:46:08 2002
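Review bot: the new condition in the else branch of Dave Horsfall's autoupdate.f-prot hunk above tests $cron, but nothing in the visible lines declares that variable or sets it from the -cron option. The hunk header (@@ -187,7 +188,8 @@) shows the new file is already one line longer before this point, so an earlier part of the change exists and should be posted with it; otherwise $cron is always false here and the message is still printed under cron. The superseded print is also left behind as a comment; delete it instead of commenting it out. Since the old line read "unless $quiet;" with no parentheses, "unless $quiet or $cron;" would keep the style consistent.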
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:05 2006 Subject: MAILSCANNER: fxjwk@AURORA.UAF.EDU left the JISCmail list Message-ID: <200206252346.AAA21688@magpie.ecs.soton.ac.uk> Wed, 26 Jun 2002 00:46:08 Jo Knox has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 01:06:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:05 2006 Subject: MAILSCANNER: jgoggan@DCG.COM requested to join Message-ID: <200206260006.BAA22888@magpie.ecs.soton.ac.uk> Wed, 26 Jun 2002 01:06:44 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from John Goggan You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jgoggan@DCG.COM John Goggan PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jgoggan@DCG.COM John Goggan // EOJ From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 05:19:23 2002 
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:05 2006 Subject: MAILSCANNER: mrlynx@LAING.E-TARLAC.COM requested to join Message-ID: <200206260419.FAA04763@magpie.ecs.soton.ac.uk> Wed, 26 Jun 2002 05:19:23 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Joseph Bautista You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mrlynx@LAING.E-TARLAC.COM Joseph Bautista PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mrlynx@LAING.E-TARLAC.COM Joseph Bautista // EOJ From mohren at SS20.MPI-SEEWIESEN.MPG.DE Wed Jun 26 07:50:39 2002 From: mohren at SS20.MPI-SEEWIESEN.MPG.DE (mohren) Date: Thu Jan 12 21:15:05 2006 Subject: unsuscribe Message-ID: <200206260650.g5Q6odgX026915@ss20.mpi-seewiesen.mpg.de> unsuscribe Werner Mohren From mailscanner at ecs.soton.ac.uk Wed Jun 26 11:16:40 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam config...
In-Reply-To: <3D18E362.6050706@bfconsult.co.za>
Message-ID: <5.1.0.14.2.20020626111555.034d1848@imap.ecs.soton.ac.uk>

At 22:40 25/06/2002, you wrote:
>I haven't yet set up spamassassin.... I am trying to use the spam features of
>Mailscanner....
>
>In my mailscanner.conf I have specified to use my spam.action.conf file
>for spam rules. I added a test e-mail to it and restarted mailscanner.
>
>When I send a message from the test address...nothing happens>???

Please define "nothing happens". Do you get any MailScanner headers in the
message at all? Are you sending from an IP address listed in "Accept Spam
From"? What results do you get?
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 11:15:19 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Part of MRTG died
In-Reply-To: <3D18E013.4020208@unixsecurity.org>
References: <5.1.0.14.2.20020625173536.04e77658@imap.ecs.soton.ac.uk>
 <5.1.0.14.2.20020625195014.0250d548@imap.ecs.soton.ac.uk>
 <016d01c21c7a$54b633d0$6501a8c0@home.wideopenthrottle.org>
Message-ID: <5.1.0.14.2.20020626111440.02b2e608@imap.ecs.soton.ac.uk>

At 22:26 25/06/2002, you wrote:
># MailScanner < 3.20
># $TotalSpam++ if /message [^\s]+ is spam/i;
># MailScanner >= 3.20
>  $TotalSpam++ if /is spam according to SpamAssassin/i;

That will only catch SpamAssassin spam, not other spam. Use the version I
just reposted to the web site.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 11:19:38 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam Questions
In-Reply-To: <3D18F3E3.5000609@bfconsult.co.za>
Message-ID: <5.1.0.14.2.20020626111715.035881b8@imap.ecs.soton.ac.uk>

At 23:51 25/06/2002, you wrote:
>For those who received my earlier post forget it.... I have installed
>spamassassin. A few questions:
>1. I installed using CPAN....is that ok instead of downloading the tar
>and installing?

Personally I always download the tar. Ensure you have version 2.31.

>2. I also installed additional modules like Net::DNS, Mail:Audit,
>Net::SMTP...are these required or not?

It needs Net::DNS but the others are pretty irrelevant.

>3. Does the X-header for spam get added to each e-mail or only the ones
>with spam detected?

Only ones detected as spam (unless you set "Always Include SpamAssassin
Report = yes").

>4. I don't quite understand the "scoring" system - where can I get more
>info..?

Read www.spamassassin.org

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 11:25:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: sendmail rules to protect internal aliases
In-Reply-To:
References: <3D18E362.6050706@bfconsult.co.za>
 <3D18E362.6050706@bfconsult.co.za>
Message-ID: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk>

At 00:36 26/06/2002, you wrote:
>I hope one of you sendmail rule wizards can help me with this... OT.

>We have several "internal" aliases that are really distribution list
>-- including one alias that goes to the whole company. Some
>(stinking) spammer has harvested or otherwise guessed what some of
>these aliases are. Now we are getting spam to the whole company
>through one email address.

We have a whole bunch of aliases ending in "-all" (and sub-aliases ending
in "-all-0" to "-all-9") which aren't accessible from the outside. As an
example, here's an extract from one of my sendmail.mc files.

# This defines the regular expression that we will match against
KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$

LOCAL_RULESETS
SLocal_check_rcpt
R$*			$: $>3 $1			Focus on host
R$*			$: $>"QualifyDomain" $1		Make fully-qualified
R$* <@ $* $m. > $*	$1 <@ *LOCAL* >			Is recipient an ECS address?
R$* <@ *LOCAL* > $*	$: $(IsEcsList2 $1 $) <@ *LOCAL* > $2	ECS list?
R@MATCH <@ *LOCAL* > $*	$#error $@ 5.1.2 $: Please contact ECS Help Desk

# If address is unqualified, add *LOCAL* as the destination hostname.
SQualifyDomain
R$* < @ $* > $*		$@ $1 < @ $2 > $3		Already fully qualified
R$+			$@ $1 < @ *LOCAL* >		Add local qualification

That should do the trick for you. Don't forget to separate the fields of
each line with tab characters, not spaces.
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From brandonf at BFCONSULT.CO.ZA Wed Jun 26 12:03:24 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam config...
References: <5.1.0.14.2.20020626111555.034d1848@imap.ecs.soton.ac.uk>
Message-ID: <3D199F7C.6090204@bfconsult.co.za>

You have answered these questions in the next thread.... I wrote this
before installing spamassassin!

Julian Field wrote:

> At 22:40 25/06/2002, you wrote:
>
>> I haven't yet setup spamassassin.... I am trying to use the spam features of
>> Mailscanner....
>>
>> In my mailscanner.conf I have specified to use my spam.action.conf file
>> for spam rules. I added a test e-mail to it and restart mailscanner.
>>
>> When I send a message from the test address...nothing happens>???
>
>
> Please define "nothing happens".
> Do you get any MailScanner headers in the message at all?
> Are you sending from an IP address listed in "Accept Spam From"?
> What results do you get?
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From jgoggan at DCG.COM Wed Jun 26 13:24:01 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:05 2006
Subject: Displaying values of hit rules in header?
Message-ID: <3D19B261.212607E2@dcg.com>

Let me start by saying that I am using SpamAssassin with MailScanner -- so I
apologize if this is actually a SpamAssassin question and not MailScanner. It
was hard to tell exactly where this fell, so feel free to let me know I need
to go ask them if that is the case.

That being said... I am using MailScanner w/ SpamAssassin on a system-wide
basis. I currently have them configured so that all messages get a header
line describing what rules were hit for spam. So, it looks something like
this:

X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7,
FROM_ENDS_IN_NUMS, CLICK_BELOW, EXCUSE_7, EXCUSE_3, DOUBLE_CAPSWORD,
CLICK_HERE_LINK, MAILTO_LINK, NO_MX_FOR_FROM, MSG_ID_ADDED_BY_MTA_3)

What I would like is to be able to easily see the values that make up the
total score. So, in other words, I'd rather see something like:

X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7,
FROM_ENDS_IN_NUMS (0.382), CLICK_BELOW (1.531), EXCUSE_7 (1.305), EXCUSE_3
(1.080), DOUBLE_CAPSWORD (1.050), CLICK_HERE_LINK (0.847), MAILTO_LINK
(0.782), NO_MX_FOR_FROM (1.8), MSG_ID_ADDED_BY_MTA_3 (1.107))

...just to make it easier for me to see what the rule values are -- which is
especially useful to me while I am getting used to it and trying to correct
some misidentified spam on our servers. Can that be done easily?

Thanks!

 - John...

From jgoggan at DCG.COM Wed Jun 26 13:32:05 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:05 2006
Subject: Differing Spam Actions for different thresholds?
Message-ID: <3D19B445.C347E64E@dcg.com>

I've just recently started using MailScanner. Almost immediately, I see a
feature that seems it would be very useful, but that I do not see a way to use
at this point. Hopefully someone can tell me if this is possible...

Basically, I would like different Spam Actions based on the required_hits
threshold. I run MailScanner (with SpamAssassin) on a site-wide basis. I've
found that I'm getting too many "borderline" messages that get marked as spam
that are not -- and "whitelisting" all of them I don't see as a good solution
here.

What I'd really like to do is set a required_hits threshold at some number
(say 10) and have all messages over that have "Spam Action = delete". Then
I'd like to have a lower threshold (say required_hits = 6) and have all of
THOSE messages have "Spam Action = deliver" (along with the subject line
modification, of course).

That way, most of the obvious spam would get deleted. And the "not absolutely
sure" stuff would go to the normal user but be marked as possible spam. If it
happens to work accurately for them, then they can do the final filtering
themselves on those messages -- but still never have to see the junk that is
obviously spam.

Can that be done already? If not, any chance of it being implemented later?

Worst case, maybe I could somehow configure two instances of MailScanner? The
first one would have a higher required_hits and delete the messages -- then it
runs through a second time with a different config (with the lower
required_hits) and just marks those ones? Just a thought I had in case there
isn't a way yet to do it with one config.

Thanks!

 - John...

From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 13:38:01 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:05 2006 Subject: MAILSCANNER: arturo.mcdonald@HARRIS.COM requested to join Message-ID: <200206261238.NAA11013@magpie.ecs.soton.ac.uk> Wed, 26 Jun 2002 13:38:01 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Artie McDonald You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER arturo.mcdonald@HARRIS.COM Artie McDonald PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER arturo.mcdonald@HARRIS.COM Artie McDonald // EOJ From HancockS at MORGANCO.COM Wed Jun 26 13:58:09 2002 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:15:05 2006 Subject: {SPAM?} spamassassin required hits adjustment. Message-ID: <02Jun26.085037edt.119107@gateway.morganco.com> Nick, I've gone back to find the post but now I'm blind. Anyway there was a script that reported the hit rating of spam assassin into the email eliminating searching the header. It was written for sendmail. Cheers Scott > -----Original Message----- 
> From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Tuesday, June 25, 2002 9:52 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: {SPAM?} spamassassin required hits adjustment. > > > > >Also, any chance of that sendmail config to report the hit > ratings making > > >it > > >to exim? > > > If someone feels like writing it... > > Ooh. Have I been missing something? What feature are we > actually talking > about? > > > Cheers, > > > Nick > > -- > Nick Phillips -- nwp@lemon-computing.com > That secret you've been guarding, isn't. > From Matthew_doherty at DATAWATCH.COM Wed Jun 26 14:15:33 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:05 2006 Subject: sendmail rules to protect internal aliases Message-ID: Nice! In your example, Is there any phrase, for instance "LOCAL" that should be repaced with our domain name? When you say your aliases some end in *-all., .. Does that mean this rule only applies to certain aliases with *-all? whats the 0-9 for? Is this code supposed to be inserted into the sendmail.cf file? -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, June 26, 2002 7:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail rules to protect internal aliases At 00:36 26/06/2002, you wrote: >I hope one of you sendmail rule wizards can help me with this... OT. >We have several "internal" aliases that are really distribution list >-- including one alias that goes to the whole company. Some >(stinking) spammer has harvested or otherwise guessed what some of >these aliases are. Now we are getting spam to the whole company >through one email address. We have a whole bunch of aliases ending in "-all" (and sub-aliases ending in "-all-0" to "-all-9" which aren't accessible from the outside. As an example, here's an extract from one of my sendmail.mc files. # This defines the regular expression that we will match against KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$ LOCAL_RULESETS SLocal_check_rcpt R$* $: $>3 $1 Focus on host R$* $: $>"QualifyDomain" $1 Make fully-qualified R$* <@ $* $m. > $* $1 <@ *LOCAL* > Is recipient an ECS address? R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS list? R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS Help Desk # If address is unqualified, add *LOCAL* as the destination hostname. SQualifyDomain R$* < @ $* > $* $@ $1 < @ $2 > $3 Already fully qualified R$+ $@ $1 < @ *LOCAL* > Add local qualification That should do the trick for you. Don't forget to separate the fields of each line with tab characters, not spaces. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020626/586ce144/attachment.html From gerry at dorfam.ca Wed Jun 26 14:42:34 2002 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:05 2006 Subject: sendmail rules to protect internal aliases In-Reply-To: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> References: <3D18E362.6050706@bfconsult.co.za> <3D18E362.6050706@bfconsult.co.za> <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> Message-ID: <14251.129.80.22.134.1025098954.squirrel@tiger.dorfam.ca> > > We have a whole bunch of aliases ending in "-all" (and sub-aliases > ending in "-all-0" to "-all-9" which aren't accessible from the outside. > As an example, here's an extract from one of my sendmail.mc files. > > # This defines the regular expression that we will match against > KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$ > > LOCAL_RULESETS > SLocal_check_rcpt > R$* $: $>3 $1 Focus on host > R$* $: $>"QualifyDomain" $1 Make fully-qualified R$* > <@ $* $m. > $* $1 <@ *LOCAL* > Is recipient an ECS address? > R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS > list? R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS > Help Desk > That should do the trick for you. Don't forget to separate the fields of > each line with tab characters, not spaces. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > 023 8059 2817 University of Southampton > Southampton SO17 1BJ Julian, did you really mean that you have the above rules in the sendmail.mc file or are they actually in the sendmail.cf file? I didn't think you could put stuff like this in the sendmail.mc file and have it still compile. Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From brandonf at BFCONSULT.CO.ZA Wed Jun 26 15:25:22 2002 
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam Questions
References: <5.1.0.14.2.20020626111715.035881b8@imap.ecs.soton.ac.uk>
Message-ID: <3D19CED2.1000104@bfconsult.co.za>

My spam.action.conf .......is working as I have set it up?
I edited my mailscanner.conf file to use it, I then entered an e-mail
address and action is delete but the mail still comes through?

Julian Field wrote:

> At 23:51 25/06/2002, you wrote:
>
>> For those who received my earlier post forget it.... I have installed
>> spamassassin. A few questions:
>> 1. I installed using CPAN....is that ok instead of downloading the tar
>> and installing?
>
>
> Personally I always download the tar. Ensure you have version 2.31.
>
>> 2. I also installed additional modules like Net::DNS, Mail:Audit,
>> Net::SMTP...are these required or not?
>
>
> It needs Net::DNS but the others are pretty irrelevant.
>
>> 3. Does the X-header for spam get added to each e-mail or only the ones
>> with spam detected?
>
>
> Only ones detected as spam (unless you set "Always Include SpamAssassin
> Report = yes").
>
>> 4. I don't quite understand the "scoring" system - where can I get more
>> info..?
>
>
> Read www.spamassassin.org
>
> --
> Julian Field                Teaching Systems Manager
> jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                             Southampton SO17 1BJ
>

--

Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:21:34 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Displaying values of hit rules in header?
In-Reply-To: <3D19B261.212607E2@dcg.com>
Message-ID: <5.1.0.14.2.20020626152122.03b86010@imap.ecs.soton.ac.uk>

It can't easily be done at the moment. Sorry.

At 13:24 26/06/2002, you wrote:
>Let me start by saying that I am using SpamAssassin with MailScanner -- so I
>apologize if this is actually a SpamAssassin question and not MailScanner. It
>was hard to tell exactly where this fell, so feel free to let me know I need
>to go ask them if that is the case.
>
>That being said... I am using MailScanner w/ SpamAssassin on a system-wide
>basis. I currently have them configured so that all messages get a header
>line describing what rules were hit for spam. So, it looks something like
>this:
>
>X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7,
>FROM_ENDS_IN_NUMS, CLICK_BELOW, EXCUSE_7, EXCUSE_3, DOUBLE_CAPSWORD,
>CLICK_HERE_LINK, MAILTO_LINK, NO_MX_FOR_FROM, MSG_ID_ADDED_BY_MTA_3)
>
>What I would like is to be able to easily see the values that make up the
>total score. So, in other words, I'd rather see something like:
>
>X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7,
>FROM_ENDS_IN_NUMS (0.382), CLICK_BELOW (1.531), EXCUSE_7 (1.305), EXCUSE_3
>(1.080), DOUBLE_CAPSWORD (1.050), CLICK_HERE_LINK (0.847), MAILTO_LINK
>(0.782), NO_MX_FOR_FROM (1.8), MSG_ID_ADDED_BY_MTA_3 (1.107))
>
>...just to make it easier for me to see what the rule values are -- which is
>especially useful to me while I am getting used to it and trying to correct
>some misidentified spam on our servers. Can that be done easily?
>
>Thanks!
>
> - John...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:22:43 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Differing Spam Actions for different thresholds?
In-Reply-To: <3D19B445.C347E64E@dcg.com>
Message-ID: <5.1.0.14.2.20020626152219.03986ea8@imap.ecs.soton.ac.uk>

Again, you can't do that now. But I'll consider it for a future version
(won't be very soon though).

At 13:32 26/06/2002, you wrote:
>I've just recently started using MailScanner. Almost immediately, I see a
>feature that seems it would be very useful, but that I do not see a way to use
>at this point. Hopefully someone can tell me if this is possible...
>
>Basically, I would like different Spam Actions based on the required_hits
>threshold. I run MailScanner (with SpamAssassin) on a site-wide basis. I've
>found that I'm getting too many "borderline" messages that get marked as spam
>that are not -- and "whitelisting" all of them I don't see as a good solution
>here.
>
>What I'd really like to do is set a required_hits threshold at some number
>(say 10) and have all messages over that have "Spam Action = delete". Then
>I'd like to have a lower threshold (say required_hits = 6) and have all of
>THOSE messages have "Spam Action = deliver" (along with the subject line
>modification, of course).
>
>That way, most of the obvious spam would get deleted. And the "not absolutely
>sure" stuff would go to the normal user but be marked as possible spam. If it
>happens to work accurately for them, then they can do the final filtering
>themselves on those messages -- but still never have to see the junk that is
>obviously spam.
>
>Can that be done already? If not, any chance of it being implemented later?
>
>Worst case, maybe I could somehow configure two instances of MailScanner? The
>first one would have a higher required_hits and delete the messages -- then it
>runs through a second time with a different config (with the lower
>required_hits) and just marks those ones? Just a thought I had in case there
>isn't a way yet to do it with one config.
>
>Thanks!
>
> - John...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:30:09 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: sendmail rules to protect internal aliases In-Reply-To: <14251.129.80.22.134.1025098954.squirrel@tiger.dorfam.ca> References: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <3D18E362.6050706@bfconsult.co.za> <3D18E362.6050706@bfconsult.co.za> <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020626152714.03978b80@imap.ecs.soton.ac.uk> At 14:42 26/06/2002, you wrote: > > > > We have a whole bunch of aliases ending in "-all" (and sub-aliases > > ending in "-all-0" to "-all-9" which aren't accessible from the outside. > > As an example, here's an extract from one of my sendmail.mc files. > > > > # This defines the regular expression that we will match against > > KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$ > > > > LOCAL_RULESETS > > SLocal_check_rcpt > > R$* $: $>3 $1 Focus on host > > R$* $: $>"QualifyDomain" $1 Make fully-qualified R$* > > <@ $* $m. > $* $1 <@ *LOCAL* > Is recipient an ECS address? > > R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS > > list? R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS > > Help Desk > > That should do the trick for you. Don't forget to separate the fields of > > each line with tab characters, not spaces. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > > 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >Julian, did you really mean that you have the above rules in the >sendmail.mc file or are they actually in the sendmail.cf file? Okay, as they don't actually contain any m4 macro expansions (except the LOCAL_RULESETS line) then they can be put in either. However, I would strongly advise that you don't directly edit cf files. That's why they created mc files, to make your life easier. 
>  I didn't
>think you could put stuff like this in the sendmail.mc file and have it
>still compile.

Oh yes, no problem. The "compiling" process is just a macro pre-processor
that expands things like "FEATURE" and "HACK" and "LOCAL_RULESETS". It's
just the same as passing C source code through the C pre-processor: that
one understands things like "#include" and "#define".
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:26:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: sendmail rules to protect internal aliases
In-Reply-To:
Message-ID: <5.1.0.14.2.20020626152330.0257cbb0@imap.ecs.soton.ac.uk>

At 14:15 26/06/2002, you wrote:
>Nice!
>In your example, Is there any phrase, for instance "LOCAL" that should be
>replaced with our domain name?

No, it should work as given. The references to ECS in the messages are
because that's the acronym of the name of our department.

>When you say your aliases some end in *-all., .. Does that mean this rule
>only applies to certain aliases with *-all?
>what's the 0-9 for?

Some of the aliases are very big, and are too big to be held in 1 alias
(dbm files have a maximum record length of about 2k if I remember rightly).
So, for example, staff-all = staff-all-1 + staff-all-2 + staff-all-3, and we
don't want people mailing the aliases with numbers on the end, as well as
the main aliases themselves.

>Is this code supposed to be inserted into the sendmail.cf file?

It goes in a sendmail.mc file which you then convert into a cf file with m4.
Read www.sendmail.org or the bat book if you don't know what a sendmail.mc
file is. But if you haven't got an mc file anywhere, just make sure the "K"
lines are above the ruleset-definitions in the cf file.

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wednesday, June 26, 2002 7:43 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sendmail rules to protect internal aliases > >At 00:36 26/06/2002, you wrote: > >I hope one of you sendmail rule wizards can help me with this... > >OT. > > >We have several "internal" aliases that are really distribution list > >-- including one alias that goes to the whole company. Some > >(stinking) spammer has harvested or otherwise guessed what some of > >these aliases are. Now we are getting spam to the whole company > >through one email address. > >We have a whole bunch of aliases ending in "-all" (and sub-aliases ending >in "-all-0" to "-all-9" which aren't accessible from the outside. As an >example, here's an extract from one of my sendmail.mc files. > ># This defines the regular expression that we will match against >KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$ > >LOCAL_RULESETS >SLocal_check_rcpt >R$* $: $>3 $1 Focus on host >R$* $: $>"QualifyDomain" $1 Make fully-qualified >R$* <@ $* $m. > $* $1 <@ *LOCAL* > Is recipient an ECS address? >R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS list? >R@MATCH <@ *LOCAL* > $* $#error $@ 5.1.2 $: Please contact ECS Help Desk > ># If address is unqualified, add *LOCAL* as the destination hostname. >SQualifyDomain >R$* < @ $* > $* $@ $1 < @ $2 > $3 Already fully qualified >R$+ $@ $1 < @ *LOCAL* > Add local qualification > >That should do the trick for you. Don't forget to separate the fields of >each line with tab characters, not spaces. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton >Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Wed Jun 26 15:35:47 2002 
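The recipient check discussed in this thread, modelled in Python as an added example (it is not Julian Field's configuration and not sendmail code). It shows which recipients the `^.*-all(-[0-9])?$` pattern rejects and which pass; `example.ac.uk` stands in for the site's `$m`, the function names are hypothetical, and case-insensitive matching by the regex map is an assumption.

```python
import re

# Pattern copied from the "KIsEcsList2 regex -a@MATCH ..." line in the thread.
# Assumption: the match is case-insensitive, since the map definition shown
# carries no flag asking for a case-sensitive match.
LIST_ALIAS_RE = re.compile(r"^.*-all(-[0-9])?$", re.IGNORECASE)

LOCAL = "*LOCAL*"   # placeholder host the rulesets use for "one of ours"
REJECTION = "5.1.2 Please contact ECS Help Desk"


def qualify(recipient, local_domain):
    """Model of ruleset QualifyDomain plus the '$m.' rule.

    Returns (local_part, host); host is LOCAL for an unqualified address
    and for any host equal to, or inside, local_domain.
    """
    addr = recipient.strip().strip("<>")
    local_part, sep, host = addr.rpartition("@")
    if not sep:                       # no '@': unqualified, treated as local
        return addr, LOCAL
    host = host.rstrip(".").lower()
    dom = local_domain.lower()
    if host == dom or host.endswith("." + dom):
        return local_part, LOCAL
    return local_part, host


def local_check_rcpt(recipient, local_domain):
    """Return the rejection text, or None to carry on with normal checks."""
    local_part, host = qualify(recipient, local_domain)
    if host == LOCAL and LIST_ALIAS_RE.match(local_part):
        return REJECTION
    return None


# Constructed recipients for the demonstration.
SAMPLE_RCPTS = [
    "staff-all@example.ac.uk",          # main list alias
    "staff-all-3@example.ac.uk",        # numbered sub-alias
    "staff-all",                        # unqualified, so local
    "<Staff-ALL@mail.example.ac.uk.>",  # host inside the local domain
    "staff-all-10@example.ac.uk",       # two digits: the pattern lets it through
    "over-all@example.ac.uk",           # any other alias ending in -all is hit too
    "install@example.ac.uk",            # no hyphen before "all"
    "staff-all@other.example",          # not a local recipient
    "staff@example.ac.uk",              # ordinary mailbox
]


def audit(recipients=SAMPLE_RCPTS, local_domain="example.ac.uk"):
    """Map each recipient to True when the model rejects it."""
    return {r: local_check_rcpt(r, local_domain) is not None
            for r in recipients}


if __name__ == "__main__":
    for rcpt, blocked in audit().items():
        print("%-34s %s" % (rcpt, "REJECT 5.1.2" if blocked else "continue"))
```

Running an alias list through `audit()` before deploying the rule shows two things the pattern alone hides: sub-aliases numbered above 9 are not covered, and unrelated aliases that happen to end in "-all" are.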
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:05 2006
Subject: Differing Spam Actions for different thresholds?
Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9EB@med-core03.med.wayne.edu>

I had suggested something along these lines awhile back but it didn't
happen so I just added it myself. It's a global threshold since it just
doesn't make sense to do it for each entry in the spam.action file
because of performance concerns if that list is big. I added an option
to mailscanner.conf where I can change the value, then changed config.pl
to read it in, then added the extra condition to the HandleSpam routine
in explode.pl. So if a score is 10 or more and there is a spam.action
for that message such as delete or quarantine then the action occurs.
This was mostly just for a delete threshold.

-----Original Message-----
From: John Goggan [mailto:jgoggan@DCG.COM] Sent: Wednesday, June 26, 2002 8:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Differing Spam Actions for different thresholds? I've just recently started using MailScanner. Almost immediately, I see a feature that seems it would be very useful, but that I do not see a way to use at this point. Hopefully someone can tell me if this is possible... Basically, I would like different Spam Actions based on the required_hits threshold. I run MailScanner (with SpamAssassin) on a site-wide basis. I've found that I'm getting too many "borderline" messages that get marked as spam that are not -- and "whitelisting" all of them I don't see as a good solution here. What I'd really like to do is set a required_hits threshold at some number (say 10) and have all messages over that have "Spam Action = delete". Then I'd like to have a lower threshold (say required_hits = 6) and have all of THOSE messages have "Spam Action = deliver" (along with the subject line modification, of course). That way, most of the obvious spam would get deleted. And the "not absolutely sure" stuff would go to the normal user but be marked as possible spam. If it happens to work accurately for them, then they can do the final filtering themselves on those messages -- but still never have to see the junk that is obviously spam. Can that be done already? If not, any chance of it being implemented later? Worst case, maybe I could somehow configure two instances of MailScanner? The first one would have a higher required_hits and delete the messages -- then it runs through a second time with a different config (with the lower required_hits) and just marks those ones? Just a thought I had in case there isn't a way yet to do it with one config. Thanks! - John... From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:34:12 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:05 2006
Subject: Spam Questions
In-Reply-To: <3D19CED2.1000104@bfconsult.co.za>
References: <5.1.0.14.2.20020626111715.035881b8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020626153248.03c2aea8@imap.ecs.soton.ac.uk>

At 15:25 26/06/2002, you wrote:
>My spam.action.conf .......is working as I have set it up?

spam.action.conf or spam.actions.conf? Check you are editing the right file.
You might want to show us the contents of some of this file too...

>I edited my mailscanner.conf file to use it, I then entered an e-mail
>address and action is delete but the mail still comes through?

Assuming you are restarting MailScanner after editing that file, remember it
works off the envelope address, not whatever happens to be in the "To:"
header.

>Julian Field wrote:
>
>>At 23:51 25/06/2002, you wrote:
>>
>>>For those who received my earlier post forget it.... I have installed
>>>spamassassin. A few questions:
>>>1. I installed using CPAN....is that ok instead of downloading the tar
>>>and installing?
>>
>>
>>Personally I always download the tar. Ensure you have version 2.31.
>>
>>>2. I also installed additional modules like Net::DNS, Mail:Audit,
>>>Net::SMTP...are these required or not?
>>
>>
>>It needs Net::DNS but the others are pretty irrelevant.
>>
>>>3. Does the X-header for spam get added to each e-mail or only the ones
>>>with spam detected?
>>
>>
>>Only ones detected as spam (unless you set "Always Include SpamAssassin
>>Report = yes").
>>
>>>4. I don't quite understand the "scoring" system - where can I get more
>>>info..?
>>
>>
>>Read www.spamassassin.org
>>
>>--
>>Julian Field                Teaching Systems Manager
>>jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>>Tel. 023 8059 2817          University of Southampton
>>                            Southampton SO17 1BJ
>
>
>--
>
>Regards
>Brandon Friedman
>Cell:083 408 7840
>E-mail: brandonf@bfconsult.co.za
>www.bfconsult.co.za

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jgoggan at DCG.COM Wed Jun 26 15:45:34 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:05 2006
Subject: Proper way to handle misidentified spam site-wide?
Message-ID: <3D19D38E.5A05B959@dcg.com>

I've just started using MailScanner and SpamAssassin this week. I am using it
site-wide -- trying to reduce spam for all of our users (just a handful
actually). For now, I am just having the subject lines modified. In the
future, I want to be confident enough about the spam detection to actually
just delete them when the rating is high enough.

I guess I am confused about the "proper" way to handle currently misidentified
spam. I want to correct this while I am in the "subject modified only" stage
-- before I start just deleting it, of course.

As an example, several of the users subscribe to OfficeDepot's "specials"
mailings. These score something around an 18 -- so it is definitely marked as
spam (and the rules are fairly accurate, so it isn't anything I'd want to
adjust).

So -- what is the proper way to handle this? Do I have each user do something
and mark/whitelist their own? Should I add a whitelist_from entry to the main
config for SpamAssassin to ignore the officedepot mailings? Or is there
something that I'm missing...

I'm just worried that it will come up more and more as people join such
"specials" mailing lists since they look so much like spam sometimes. I just
want to know how to handle them. Especially since when I switch to "delete",
they wouldn't even SEE the emails to be able to whitelist them, right?

Maybe this is what the AWL stuff should handle? If so, can someone more fully
explain how this works? I really couldn't find much about it in the docs or
FAQ...

 - John...

From brose at MED.WAYNE.EDU Wed Jun 26 15:44:39 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9EC@med-core03.med.wayne.edu> What would be the benefit of this other than info to look? Features should be such that performs a function. I can't see a user writing a filter rule that says check the header for CLICK_BELOW (1.531), and delete. If people want the scores then go to the SA page and look at the tests and their scores instead of adding the extra overhead per each message? With all the Spam message rewrite requests, Mailscanner is going to be doing spamd's job. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, June 26, 2002 10:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Displaying values of hit rules in header? It can't easily be done at the moment. Sorry. At 13:24 26/06/2002, you wrote: >Let me start by saying that I am using SpamAssassin with MailScanner -- >so I apologize if this is actually a SpamAssassin question and not >MailScanner. It was hard to tell exactly where this fell, so feel free >to let me know I need to go ask them if that is the case. > >That being said... I am using MailScanner w/ SpamAssassin on a >system-wide basis. I currently have them configured so that all >messages get a header line describing what rules were hit for spam. >So, it looks something like >this: > >X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7, >FROM_ENDS_IN_NUMS, CLICK_BELOW, EXCUSE_7, EXCUSE_3, DOUBLE_CAPSWORD, >CLICK_HERE_LINK, MAILTO_LINK, NO_MX_FOR_FROM, MSG_ID_ADDED_BY_MTA_3) > >What I would like is to be able to easily see the values that make up >the total score. So, in other words, I'd rather see something like: > >X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7, >FROM_ENDS_IN_NUMS (0.382), CLICK_BELOW (1.531), EXCUSE_7 (1.305), >EXCUSE_3 (1.080), DOUBLE_CAPSWORD (1.050), CLICK_HERE_LINK (0.847), >MAILTO_LINK (0.782), NO_MX_FOR_FROM (1.8), MSG_ID_ADDED_BY_MTA_3 >(1.107)) > >...just to make it easier for me to see what the rule values are -- >which is especially useful to me while I am getting used to it and >trying to correct some misidentified spam on our servers. Can that be >done easily? > >Thanks! > > - John... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jun 26 15:42:46 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Differing Spam Actions for different thresholds? In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC9EB@med-core03.med.wayne.edu> Message-ID: <5.1.0.14.2.20020626154127.03c15020@imap.ecs.soton.ac.uk> I am intending to implement a full system where you can specify any minimum threshold for any rule in spam.actions.conf, to give you full flexibility. I admit that's not what quite a few of you want, but there are people who do. However, you have the source, so feel free to DIY :-) At 15:35 26/06/2002, you wrote: >I had suggested something along these lines awhile back but it didn't >happen so I just added it myself. It's a global threshold since it just >doesn't make sense to do it for each entry in the spam.action file >because of performance concerns if that list is big. I added an option >to mailscanner.conf where I can change the value, then changed config.pl >to read it in, then added the extra condition to the HandleSpam routine >in explode.pl. So if a score is 10 or more and there is a spam.action >for that message such as delete or quarantine then the action occurs. >This was mostly just for a delete threshold. > > > > >-----Original Message-----
>From: John Goggan [mailto:jgoggan@DCG.COM] >Sent: Wednesday, June 26, 2002 8:32 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Differing Spam Actions for different thresholds? > > >I've just recently started using MailScanner. Almost immediately, I see >a feature that seems it would be very useful, but that I do not see a >way to use at this point. Hopefully someone can tell me if this is >possible... > >Basically, I would like different Spam Actions based on the >required_hits threshold. I run MailScanner (with SpamAssassin) on a >site-wide basis. I've found that I'm getting too many "borderline" >messages that get marked as spam that are not -- and "whitelisting" all >of them I don't see as a good solution here. > >What I'd really like to do is set a required_hits threshold at some >number (say 10) and have all messages over that have "Spam Action = >delete". Then I'd like to have a lower threshold (say required_hits = >6) and have all of THOSE messages have "Spam Action = deliver" (along >with the subject line modification, of course). > >That way, most of the obvious spam would get deleted. And the "not >absolutely sure" stuff would go to the normal user but be marked as >possible spam. If it happens to work accurately for them, then they can >do the final filtering themselves on those messages -- but still never >have to see the junk that is obviously spam. > >Can that be done already? If not, any chance of it being implemented >later? > >Worst case, maybe I could somehow configure two instances of >MailScanner? The first one would have a higher required_hits and delete >the messages -- then it runs through a second time with a different >config (with the lower >required_hits) and just marks those ones? Just a thought I had in case >there isn't a way yet to do it with one config. > >Thanks! > > - John... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From amcdonal at HARRIS.COM Wed Jun 26 15:42:31 2002
From: amcdonal at HARRIS.COM (McDonald, Arturo) Date: Thu Jan 12 21:15:05 2006 Subject: mqueue.in and chrooted virtual webs Message-ID: Hello, We are trying to get mailscanner working on a linux box that is running virtual web sites in a chrooted configuration. The problem is the system has multiple directories that can be defined as (/var/spool/mqueue.in). Is there a way to have mailscanner monitor more than one queue directory... For example we need to monitor the following directories: /var/spool/mqueue.in /home/virtual/site001/var/spool/mqueue.in ... /home/virtual/sitennn/var/spool/mqueue.in Basically the reason for this is email sent from a user of a virtual site is handled by sendmail in a chrooted environment where the root dir is really /home/virtual/siteXXX. Obviously all mail dumped there is never getting processed. So I am trying to find an elegant solution but wondered what the app can support. 1. Is it possible to have mailscanner scan multiple inbound directories? If not can mailscanner handle a wildcarded path for the Incoming Queue Dir? 2. Or is it possible to run multiple copies of mailscanner with each process responsible for watching the queue for its web site? 3. Currently the solution I'm building is to have a cron of some sort that will move any files placed in the virtual mqueue.in directories and moving them to the /var/spool/mqueue.in. Will there be a problem doing this? Ie, what if the cron is in the middle of the moving of the files and the mailscanner tries to process them at the same time? Is this preventable? Thanks in advance for your support! From sysadmin at DMS.UMONTREAL.CA Wed Jun 26 15:52:04 2002
From: sysadmin at DMS.UMONTREAL.CA (Christopher Albert) Date: Thu Jan 12 21:15:05 2006 Subject: Sendmail 8.12.5 References: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <3D18E362.6050706@bfconsult.co.za> <3D18E362.6050706@bfconsult.co.za> <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626152714.03978b80@imap.ecs.soton.ac.uk> Message-ID: <3D19D514.3000700@DMS.UMontreal.CA> Greetings, I'm thinking about upgrading to sendmail 8.12.5 , which as you might know runs sendmail without SUID root and requires other changes from previous versions. Has anyone done this with (the latest) mailscanner and are there any issues to be aware of? TIA, Chris -- -------------------------------------------------------------------- Christopher Albert Responsable des services informatiques Departement de mathematiques et de statistique Universite de Montreal bureau 6188, Pavillon Andre-Aisenstadt Tel: (514) 343-2281 Fax: (514) 343-5700 -------------------------------------------------------------------- From jgoggan at DCG.COM Wed Jun 26 16:17:48 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? References: <6D60AC042221344095A0EBBC56EEE79A4BC9EC@med-core03.med.wayne.edu> Message-ID: <3D19DB1C.B05BB0D4@dcg.com> "Rose, Bobby" wrote: > > What would be the benefit of this other than info to look? Because right now, being the first few days of running it, I am trying to track down why some messages are marked as spam when they shouldn't be. Therefore, not having to reference the 15 rules that got hit just to see their values (especially since some seem worthless at "0.053" and other such insignificant values). Yes, it is "just to look" -- but for a very good purpose. > Features should be such that performs a function. It does. It helps me know why THIS particular email made it to the "spam" level. And helps me know if I might need to adjust some rule values because I disagree with the defaults. > I can't see a user writing a filter rule that says check the header > for CLICK_BELOW (1.531), and delete. This isn't for filtering at the end-user side. This is so when I switch from "deliver with modified subject" to "delete", things will work as planned. > If people want the scores then go to the SA page and look at > the tests and their scores instead of adding the extra overhead per > each message? The header is ALREADY being added -- along with each rule name. It can't be THAT much more overhead to list a number along with it. It isn't like it would be a complex lookup or anything. It isn't a big deal -- I'll add it myself -- I just thought I'd ask first to make sure it wasn't already built into some debugging option. > With all the Spam message rewrite requests, Mailscanner is going to > be doing spamd's job. Again, the header with the rules is already included. It would simply be also displaying the values of the rules to avoid having to continuously look them up. - John... From mailscanner at ecs.soton.ac.uk Wed Jun 26 16:25:40 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: mqueue.in and chrooted virtual webs In-Reply-To: Message-ID: <5.1.0.14.2.20020626162417.03bf6b78@imap.ecs.soton.ac.uk> At 15:42 26/06/2002, you wrote: >Hello, > >We are trying to get mailscanner working on a linux box that is running >virtual >web sites in a chrooted configuration. The problem is the system has multiple >directories that can be defined as (/var/spool/mqueue.in). Is there a >way to >have mailscanner monitor more than one queue directory... For example we >need to >monitor the following directories: > >/var/spool/mqueue.in >/home/virtual/site001/var/spool/mqueue.in >... >/home/virtual/sitennn/var/spool/mqueue.in > >Basically the reason for this is email sent from a user of a virtual site is >handled by sendmail in a chrooted environment where the root dir is really >/home/virtual/siteXXX. Obviously all mail dumped there is never getting >processed. > >So I am trying to find an elegant solution but wondered what the app can >support. > >1. Is it possible to have mailscanner scan multiple inbound >directories? If not >can mailscanner handle a wildcarded path for the Incoming Queue Dir? No and no. >2. Or is it possible to run multiple copies of mailscanner with each process >responsible for watching the queue for its web site? Yes. You'll need a separate mailscanner.conf for each domain as well, but if you are running chrooted you'll probably have this already so the domains can all have their own individual settings for everything. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jun 26 16:29:33 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Proper way to handle misidentified spam site-wide? In-Reply-To: <3D19D38E.5A05B959@dcg.com> Message-ID: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> Enable the SA auto-whitelisting in mailscanner.conf, and enable Compile SpamAssassin Once = yes as well. Then use the "spamassassin" script supplied with SA to do a "spamassassin -W" command on a sample of each message so the "From:" addresses get added to the SA auto-whitelist. Read the SA docs for the "spamassassin" script, and the SA top-level README for its short discussion of auto-whitelisting. At 15:45 26/06/2002, you wrote: >I've just started using MailScanner and SpamAssassin this week. I am using it >site-wide -- trying to reduce spam for all of our users (just a handful >actually). For now, I am just having the subject lines modified. In the >future, I want to be confident enough about the spam detection to actually >just delete them when the rating is high enough. > >I guess I am confused about the "proper" way to handle currently misidentified >spam. I want to correct this while I am in the "subject modified only" stage >-- before I start just deleting it, of course. As an example, several of the >users subscribe to OfficeDepot's "specials" mailings. These score something >around an 18 -- so it is definitely marked as spam (and the rules are fairly >accurate, so it isn't anything I'd want to adjust). > >So -- what is the proper way to handle this? Do I have each user do something >and mark/whitelist their own? Should I add a whitelist_from entry to the main >config for SpamAssassin to ignore the officedepot mailings? Or is there >something that I'm missing... > >I'm just worried that it will come up more and more as people join such >"specials" mailing lists since they look so much like spam sometimes. I just >want to know how to handle them. 
Especially since when I switch to "delete", >they wouldn't even SEE the emails to be able to whitelist them, right? > >Maybe this is what the AWL stuff should handle? If so, can someone more fully >explain how this works? I really couldn't find much about it in the docs or >FAQ... > > - John... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jun 26 16:31:07 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? In-Reply-To: <3D19DB1C.B05BB0D4@dcg.com> References: <6D60AC042221344095A0EBBC56EEE79A4BC9EC@med-core03.med.wayne.edu> Message-ID: <5.1.0.14.2.20020626163012.03c26e50@imap.ecs.soton.ac.uk> As you are just wanting to find out the info for a handful of messages, why not use something like spamassassin -t < sample-message.txt as described in the SpamAssassin docs? That will give you the full report for the sample-message.txt file you give it. At 16:17 26/06/2002, you wrote: >"Rose, Bobby" wrote: > > > > What would be the benefit of this other than info to look? > >Because right now, being the first few days of running it, I am trying to >track down why some messages are marked as spam when they shouldn't be. >Therefore, not having to reference the 15 rules that got hit just to see their >values (especially since some seem worthless at "0.053" and other such >insignificant values). > >Yes, it is "just to look" -- but for a very good purpose. > > > Features should be such that performs a function. > >It does. It helps me know why THIS particular email made it to the "spam" >level. And helps me know if I might need to adjust some rule values because I >disagree with the defaults. > > > I can't see a user writing a filter rule that says check the header > > for CLICK_BELOW (1.531), and delete. > >This isn't for filtering at the end-user side. This is so when I switch from >"deliver with modified subject" to "delete", things will work as planned. > > > If people want the scores then go to the SA page and look at > > the tests and their scores instead of adding the extra overhead per > > each message? > >The header is ALREADY being added -- along with each rule name. It can't be >THAT much more overhead to list a number along with it. It isn't like it >would be a complex lookup or anything. 
> >It isn't a big deal -- I'll add it myself -- I just thought I'd ask first to >make sure it wasn't already built into some debugging option. > > > With all the Spam message rewrite requests, Mailscanner is going to > > be doing spamd's job. > >Again, the header with the rules is already included. It would simply be also >displaying the values of the rules to avoid having to continuously look them >up. > > - John... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Wed Jun 26 16:43:33 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9ED@med-core03.med.wayne.edu> But the scores aren't sums, they're static numbers for each test so if you know the tests, then you can look up the score assigned to that test. You could just pipe it to spamassassin and get a full report using procmail or even have Mailscanner archive the messages and pipe them to SA for the full report. The nice thing about Mailscanner and SpamD is that each user isn't running a spamassassin process and eating your cpu cycles. It would add extra overhead because Mailscanner is using the existing SA get_names_of_tests_hit() call for the list of tests triggered which does not include scores. So it would seem to me that you would have to do a full report and parse that for the scores. Any parsing is overhead that's why just enabling SA checks adds seconds to every message because that's what SA does... Parses the message. -----Original Message-----
From: John Goggan [mailto:jgoggan@DCG.COM] Sent: Wednesday, June 26, 2002 11:18 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Displaying values of hit rules in header? "Rose, Bobby" wrote: > > What would be the benefit of this other than info to look? Because right now, being the first few days of running it, I am trying to track down why some messages are marked as spam when they shouldn't be. Therefore, not having to reference the 15 rules that got hit just to see their values (especially since some seem worthless at "0.053" and other such insignificant values). Yes, it is "just to look" -- but for a very good purpose. > Features should be such that performs a function. It does. It helps me know why THIS particular email made it to the "spam" level. And helps me know if I might need to adjust some rule values because I disagree with the defaults. > I can't see a user writing a filter rule that says check the header > for CLICK_BELOW (1.531), and delete. This isn't for filtering at the end-user side. This is so when I switch from "deliver with modified subject" to "delete", things will work as planned. > If people want the scores then go to the SA page and look at the tests > and their scores instead of adding the extra overhead per each > message? The header is ALREADY being added -- along with each rule name. It can't be THAT much more overhead to list a number along with it. It isn't like it would be a complex lookup or anything. It isn't a big deal -- I'll add it myself -- I just thought I'd ask first to make sure it wasn't already built into some debugging option. > With all the Spam message rewrite requests, Mailscanner is going to be > doing spamd's job. Again, the header with the rules is already included. It would simply be also displaying the values of the rules to avoid having to continuously look them up. - John... From jgoggan at DCG.COM Wed Jun 26 18:00:08 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:05 2006 Subject: Proper way to handle misidentified spamsite-wide? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> Message-ID: <3D19F318.3933090C@dcg.com> Julian Field wrote: > > Enable the SA auto-whitelisting in mailscanner.conf, and enable > Compile SpamAssassin Once = yes as well. Yes, already doing that. Thanks though. > Then use the "spamassassin" script supplied with SA to do a > "spamassassin -W" command on a sample of each message so the "From:" > addresses get added to the SA auto-whitelist. I guess my concern is more in the future. As I said, right now I am just changing the subject lines -- but I plan to actually switch to "delete" action later to get rid of the spam. What I am worried about is when a user signs up for a mailing list that has not been through here yet (say he switches from Office Depot's "specials" list, which is in the whitelist now to Staple's "specials" list two weeks from now). This new list will look like spam (significantly so -- about an 18 rating). Therefore, he'll never see it, right? And therefore, not have the opportunity to add it to the whitelist. Is using the "delete" action just plain a bad idea? Or can I still do it that way and somehow handle such situations? Maybe instead of delete I could dump all of the emails system-wide that are marked as spam into a catchall that someone manually checks now and then (and then whitelists things like Staple's "specials" mailing list)? Or is there a better way to do it? Do most people running site-wide simply not use the delete action and always just deliver and modify the subject lines to allow the end-user to do the filtering at their client? Thanks. - John... From jgoggan at DCG.COM Wed Jun 26 18:02:51 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? References: <6D60AC042221344095A0EBBC56EEE79A4BC9EC@med-core03.med.wayne.edu> <5.1.0.14.2.20020626163012.03c26e50@imap.ecs.soton.ac.uk> Message-ID: <3D19F3BB.490EC578@dcg.com> Julian Field wrote: > > As you are just wanting to find out the info for a handful of > messages, why not use something like > spamassassin -t < sample-message.txt > as described in the SpamAssassin docs? > That will give you the full report for the sample-message.txt file > you give it. Mainly because the messages have already made it to not-so-knowledgeable end-users at that point. They aren't that great at forwarding things with full headers so that I can more fully analyze them later. Plus, they are all using Outlook -- which makes both forwarding or bouncing with full headers almost impossible -- and what they can forward to me tends to mangle things enough that it doesn't matter any more. I simply wanted to be able to walk up to their machines, take a quick look at the email that got marked as spam, and be able to see what the main "heavy" rules were. Again, no biggie, was just asking if it happened to be in there already... - John... From mailscanner at ecs.soton.ac.uk Wed Jun 26 18:06:41 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? In-Reply-To: <3D19F3BB.490EC578@dcg.com> References: <6D60AC042221344095A0EBBC56EEE79A4BC9EC@med-core03.med.wayne.edu> <5.1.0.14.2.20020626163012.03c26e50@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020626180621.02503420@imap.ecs.soton.ac.uk> At 18:02 26/06/2002, you wrote: >I simply wanted to be able to walk up to their machines, take a quick look at >the email that got marked as spam, and be able to see what the main "heavy" >rules were. > >Again, no biggie, was just asking if it happened to be in there already... Afraid to say you can't at the moment. Sorry. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Wed Jun 26 18:05:49 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:05 2006 Subject: Proper way to handle misidentified spamsite-wide? In-Reply-To: <3D19F318.3933090C@dcg.com> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> At 18:00 26/06/2002, you wrote: >I guess my concern is more in the future. As I said, right now I am just >changing the subject lines -- but I plan to actually switch to "delete" action >later to get rid of the spam. What I am worried about is when a user signs up >for a mailing list that has not been through here yet (say he switches from >Office Depot's "specials" list, which is in the whitelist now to Staple's >"specials" list two weeks from now). This new list will look like spam >(significantly so -- about an 18 rating). Therefore, he'll never see it, >right? And therefore, not have the opportunity to add it to the whitelist. In which case, don't delete it. >Is using the "delete" action just plain a bad idea? Or can I still do it that >way and somehow handle such situations? Maybe instead of delete I could dump >all of the emails system-wide that are marked as spam into a catchall that >someone manually checks now and then (and then whitelists things like Staple's >"specials" mailing list)? That's what the Spam Action "store" is for. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Wed Jun 26 18:08:40 2002 
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:15:05 2006 Subject: Filtering Spam to One E-mail Address Message-ID: <6214C3F9233D764C9E7029396C355015115AF3@mail.foundation.sdsu.edu> I know this was just asked but I was out of town and had a hard time following the thread. Did we find a way to send all spam to one address? If not will this feature be added? Steve Evans Computing Services (619) 594-0653 From jgoggan at DCG.COM Wed Jun 26 18:17:37 2002 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:05 2006 Subject: Proper way to handle misidentifiedspamsite-wide? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> Message-ID: <3D19F731.BA34E684@dcg.com> Julian Field wrote: > In which case, don't delete it. Exactly. So I assume the answer to my question is that "delete" is a fairly bad idea for an action -- especially if on a server where people might be joining mailing lists... > >Is using the "delete" action just plain a bad idea? Or can I still > >do it that way and somehow handle such situations? Maybe instead > >of delete I could dump all of the emails system-wide that are > >marked as spam into a catchall that someone manually checks now and > >then (and then whitelists things like Staple's "specials" mailing > >list)? > > That's what the Spam Action "store" is for. Again, agreed. That's why I was asking. To see if that is what most people doing system-wide stuff are doing. So most people (doing site-wide anti-spam) are doing "store" and then manually checking for valid entries to whitelist on a regular basis, correct? - John... From brose at MED.WAYNE.EDU Wed Jun 26 18:22:22 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:05 2006 Subject: Displaying values of hit rules in header? Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9EE@med-core03.med.wayne.edu> I added some code to SAForkAndTest routine in sender.pl that sends the message calls rewrite_mail() and get_full_message_as_text() then writes it all out to /var/spam/queue/spr$mID if the message is considered by Spam. So basically, the system gets a copy of the message with a full rewrite. Every once in a while, I'll cat it all together into a file and review the subject lines to see if any false positives. After which, I run a script that calls spamassassin -r and reports the messages as SPAM to razor and dcc. Right now, I'm only using dcc since razorv2 is in a state of flux but I still report to razor. The handlespam script I obtained from Theo Van Dinter at Kluge.net. He frequents SA so ask for him there if you want the script. -----Original Message-----
From: John Goggan [mailto:jgoggan@DCG.COM] Sent: Wednesday, June 26, 2002 1:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Displaying values of hit rules in header? Julian Field wrote: > > As you are just wanting to find out the info for a handful of > messages, why not use something like > spamassassin -t < sample-message.txt > as described in the SpamAssassin docs? > That will give you the full report for the sample-message.txt file you > give it. Mainly because the messages have already made it to not-so-knowledgeable end-users at that point. They aren't that great at forwarding things with full headers so that I can more fully analyze them later. Plus, they are all using Outlook -- which makes both forwarding or bouncing with full headers almost impossible -- and what they can forward to me tends to mangle things enough that it doesn't matter any more. I simply wanted to be able to walk up to their machines, take a quick look at the email that got marked as spam, and be able to see what the main "heavy" rules were. Again, no biggie, was just asking if it happened to be in there already... - John... From nathan at TCPNETWORKS.NET Wed Jun 26 18:32:34 2002 
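Added example (not from any list member, and not MailScanner or SpamAssassin code): the per-rule values asked for in the "Displaying values of hit rules in header?" thread can be rebuilt offline from the existing X-MailScanner-SpamCheck header plus SpamAssassin's "score NAME value" lines, since each rule's score is a static number. The header and score values are the ones quoted in the thread; the function names and the 0.05 rounding tolerance are assumptions.

```python
import re

# Constructed sample: the header quoted in the thread, folded across lines.
SAMPLE_HEADER = (
    "X-MailScanner-SpamCheck: SpamAssassin (score=9.9, required 7,\n"
    "\tFROM_ENDS_IN_NUMS, CLICK_BELOW, EXCUSE_7, EXCUSE_3, DOUBLE_CAPSWORD,\n"
    "\tCLICK_HERE_LINK, MAILTO_LINK, NO_MX_FOR_FROM, MSG_ID_ADDED_BY_MTA_3)\n"
)

# Constructed score file in SpamAssassin's "score NAME value" syntax,
# filled with the per-rule values quoted in the thread.
SAMPLE_SCORES = """\
# local copy of the rule scores (constructed sample)
required_hits 7
score FROM_ENDS_IN_NUMS 0.382
score CLICK_BELOW 1.531
score EXCUSE_7 1.305
score EXCUSE_3 1.080
score DOUBLE_CAPSWORD 1.050
score CLICK_HERE_LINK 0.847
score MAILTO_LINK 0.782
score NO_MX_FOR_FROM 1.8
score MSG_ID_ADDED_BY_MTA_3 1.107
"""

_RULE = re.compile(r"[A-Z][A-Z0-9_]*")
_HDR = re.compile(
    r"^(?P<name>[\w-]+):\s*SpamAssassin \(score=(?P<score>-?[\d.]+),\s*"
    r"required (?P<req>-?[\d.]+)(?:,\s*(?P<rules>.*))?\)\s*$"
)


def load_scores(conf_text):
    """Return {rule: score text} from 'score NAME value' lines; other lines are skipped."""
    scores = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            try:
                float(parts[2])  # only the first value after the rule name is used
            except ValueError:
                continue
            scores[parts[1]] = parts[2]  # keep the text as written (1.080 stays 1.080)
    return scores


def parse_spamcheck(header):
    """Unfold the header and return (header name, score, required, [rule names])."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header).strip()
    m = _HDR.match(unfolded)
    if not m:
        raise ValueError("not a SpamAssassin spam-check header")
    rules = []
    for item in (m.group("rules") or "").split(","):
        hit = _RULE.match(item.strip())  # also accepts an already annotated "NAME (1.2)"
        if hit:
            rules.append(hit.group(0))
    return m.group("name"), m.group("score"), m.group("req"), rules


def annotate(header, scores):
    """Rebuild the header with each rule followed by its score; unknown rules get '?'."""
    name, score, req, rules = parse_spamcheck(header)
    parts = ["score=%s" % score, "required %s" % req]
    parts += ["%s (%s)" % (r, scores.get(r, "?")) for r in rules]
    return "%s: SpamAssassin (%s)" % (name, ", ".join(parts))


def breakdown(header, scores):
    """List the rules heaviest first and check that they add up to the reported score."""
    _, score, _, rules = parse_spamcheck(header)
    known = [(r, float(scores[r])) for r in rules if r in scores]
    unknown = [r for r in rules if r not in scores]
    total = sum(value for _, value in known)
    return {
        "heaviest": sorted(known, key=lambda kv: kv[1], reverse=True),
        "unknown": unknown,
        "total": total,
        # Assumption: the header rounds the score to one decimal, so a gap above
        # 0.05 means this score table is not the one the scanning host used.
        "consistent": not unknown and abs(total - float(score)) <= 0.05 + 1e-9,
    }


if __name__ == "__main__":
    table = load_scores(SAMPLE_SCORES)
    print(annotate(SAMPLE_HEADER, table))
    report = breakdown(SAMPLE_HEADER, table)
    for rule, value in report["heaviest"][:3]:
        print("%-24s %.3f" % (rule, value))
    print("sum of rules: %.3f, consistent with header: %s"
          % (report["total"], report["consistent"]))
```

A "consistent" result of False is the useful signal when tuning scores: it means the table being read differs from the one on the scanning host, or the message hit a rule the table does not list.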
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:15:06 2006
Subject: Filtering Spam to One Email Address
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <3D19F731.BA34E684@dcg.com>
Message-ID: <013601c21d37$74ff9970$2400a8c0@johanson>

I asked about this last week...

Apparently, this is a function of the MTA or procmail (as Julian suggested). I am currently investigating procmail. At this point, I've only gotten as far as configuring procmail per account on the destination mail server. Once I figure out how to "globalize" it, I have no doubt that it will work in most cases.

Unfortunately, I don't think this will work in my situation, as it seems that procmail needs to run on the server that ultimately receives the mail. In our case, we scan mail for other domains and then simply use the mailertable to relay the mail to the receiving server (which in most cases is Exchange Server). At least one of these domain owners has asked us to forward all spam to a single address. But I'm not sure how procmail would fit into this mix as it appears to be geared more toward "local" delivery and we're simply passing the mail through. If their receiving server was running Linux (or some other Unix variant), we could use procmail to do this for them.

I haven't completed my testing and I haven't even scraped the surface of procmail's functionality, so it's possible my initial conclusions are wrong. I haven't even started to look at or test the possibilities with Sendmail.

If you find a working solution for this sort of thing, please let me know. Good luck.

Nathan

>----- Original Message -----
>From: Steve Evans
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Wednesday, June 26, 2002 10:08 AM
>Subject: Filtering Spam to One E-mail Address

>I know this was just asked but I was out of town and had a hard time following the thread. Did we
>find a way to send all spam to one address? If not will this feature be added?

>Steve Evans
>Computing Services
>(619) 594-0653

From FCaen at CI.LAKEWOOD.WA.US Wed Jun 26 18:35:15 2002
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
Message-ID:

-----Original Message-----
From: jgoggan@DCG.COM

> Again, agreed. That's why I was asking. To see if that is what most people
> doing system-wide stuff are doing. So most people (doing site-wide anti-spam)
> are doing "store" and then manually checking for valid entries to whitelist on
> a regular basis, correct?

I haven't been using SA that long, but I just tag the messages. SA is nice but I don't trust it enough to delete messages. I recommend to my users that they use message rules to direct tagged messages in a specific folder and browse thru it like once a day to make sure it's all junk.

What do you all do?

------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 18:54:06 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:06 2006
Subject: MAILSCANNER: amcdonal@HARRIS.COM left the JISCmail list
Message-ID: <200206261754.SAA09115@magpie.ecs.soton.ac.uk>

Wed, 26 Jun 2002 18:54:06

amcdonal@HARRIS.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From lbergman at abi.tconline.net Wed Jun 26 19:28:45 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
In-Reply-To: <3D19F731.BA34E684@dcg.com>
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <3D19F731.BA34E684@dcg.com>
Message-ID: <200206261328.45128.lbergman@abi.tconline.net>

> Again, agreed. That's why I was asking. To see if that is what most
> people doing system-wide stuff are doing. So most people (doing site-wide
> anti-spam) are doing "store" and then manually checking for valid entries
> to whitelist on a regular basis, correct?

Well, I'm doing deliver site wide at the moment. When or if "stepped" actions are added I will go to something like:

Really Bad Spam = 10
Really Bad Spam Action = Delete
Default = deliver

Meaning site wide, delete anything scoring 10 or more, otherwise deliver. No idea if this sort of thing will make it or not.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mailscanner at ecs.soton.ac.uk Wed Jun 26 19:42:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
In-Reply-To: <200206261328.45128.lbergman@abi.tconline.net>
References: <3D19F731.BA34E684@dcg.com> <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <3D19F731.BA34E684@dcg.com>
Message-ID: <5.1.0.14.2.20020626194054.035a4828@imap.ecs.soton.ac.uk>

At 19:28 26/06/2002, you wrote:
>Well, I'm doing deliver site wide at the moment. When or if "stepped" actions
>are added I will go to something like:
>Really Bad Spam = 10
>Really Bad Spam Action = Delete
>Default = deliver

The only bad thing about this is that your users don't get to appreciate how much spam MailScanner is handling for them. If you tag it and deliver it (and then your users filter it) they can appreciate the amount of spam being handled. But if they never see it, they don't realise it ever existed.

This of course doesn't apply to ISP's with lots of dialup customers, as they will be glad not to have to download the spam in the first place.

Just a thought...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From lbergman at abi.tconline.net Wed Jun 26 20:15:22 2002
From: lbergman at abi.tconline.net (Lewis Bergman)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
In-Reply-To: <5.1.0.14.2.20020626194054.035a4828@imap.ecs.soton.ac.uk>
References: <3D19F731.BA34E684@dcg.com> <5.1.0.14.2.20020626194054.035a4828@imap.ecs.soton.ac.uk>
Message-ID: <200206261415.22217.lbergman@abi.tconline.net>

On Wednesday 26 June 2002 01:42 pm, Julian Field wrote:
> At 19:28 26/06/2002, you wrote:
> >Well, I'm doing deliver site wide at the moment. When or if "stepped"
> > actions are added I will go to something like:
> >Really Bad Spam = 10
> >Really Bad Spam Action = Delete
> >Default = deliver
>
> The only bad thing about this is that your users don't get to appreciate
> how much spam MailScanner is handling for them. If you tag it and deliver
> it (and then your users filter it) they can appreciate the amount of spam
> being handled. But if they never see it, they don't realise it ever
> existed.
>
> This of course doesn't apply to ISP's with lots of dialup customers, as
> they will be glad not to have to download the spam in the first place.

That's me =)

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From mike at CAMAROSS.NET Wed Jun 26 20:33:15 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:06 2006
Subject: Filtering Spam to One Email Address
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <3D19F731.BA34E684@dcg.com> <013601c21d37$74ff9970$2400a8c0@johanson>
Message-ID: <01bd01c21d48$51c808f0$6501a8c0@home.wideopenthrottle.org>

Your /etc/procmailrc should be the global procmail configuration

Mike

----- Original Message -----
From: "Nathan Johanson"
To:
Sent: Wednesday, June 26, 2002 12:32 PM
Subject: Re: Filtering Spam to One Email Address

> I asked about this last week...
>
> Apparently, this is a function of the MTA or procmail (as Julian suggested).
> I am currently investigating procmail. At this point, I've only gotten as
> far as configuring procmail per account on the destination mail server. Once
> I figure out how to "globalize" it, I have no doubt that it will work in
> most cases.
>
> Unfortunately, I don't think this will work in my situation, as it seems
> that procmail needs to run on the server that ultimately receives the mail.
> In our case, we scan mail for other domains and then simply use the
> mailertable to relay the mail to the receiving server (which in most cases
> is Exchange Server). At least one of these domain owners has asked us to
> forward all spam to a single address. But I'm not sure how procmail would
> fit into this mix as it appears to be geared more toward "local" delivery
> and we're simply passing the mail through. If their receiving server was
> running Linux (or some other Unix variant), we could use procmail to do this
> for them.
>
> I haven't completed my testing and I haven't even scraped the surface of
> procmail's functionality, so it's possible my initial conclusions are wrong.
> I haven't even started to look at or test the possibilities with Sendmail.
>
> If you find a working solution for this sort of thing, please let me know.
> Good luck.
>
> Nathan
>
> >----- Original Message -----
> >From: Steve Evans
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Sent: Wednesday, June 26, 2002 10:08 AM
> >Subject: Filtering Spam to One E-mail Address
> >
> >I know this was just asked but I was out of town and had a hard time
> following the thread. Did we >find a way to send all spam to one address?
> If not will this feature be added?
>
> >Steve Evans
> >Computing Services
> >(619) 594-0653
>

From jgoggan at DCG.COM Wed Jun 26 23:29:59 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk>
Message-ID: <3D1A4067.F4FA3FBA@dcg.com>

Julian Field wrote:
> In which case, don't delete it.
>
> >Maybe instead of delete I could dump all of the emails system-wide
> >that are marked as spam into a catchall that someone manually
> >checks now and then (and then whitelists things like Staple's
> >"specials" mailing list)?
>
> That's what the Spam Action "store" is for.

Ok -- I thought I was all set until I actually switched from "deliver" to "store". I expected it to log full, near-original spam messages in the quarantine -- for me to easily go through to check for misidentified spam. I don't seem to be getting that behavior. I appear to be getting mqueue-like partial files -- i.e. no headers or anything -- certainly not the original messages that I had hoped for.

Am I missing something? I looked through the configuration docs and believe that I have things configured properly -- but I'm simply not getting what I expected.

Basically, I just want all of the system-wide messages detected as spam to be dumped somewhere where I can manually go through them to quickly check for misidentified non-spam (preferably in standard mbox format, I guess, so that I can use whatever reader/client I'd like). Can this be done easily?

Thanks.

- John...

From moacyrs at AKADNYX.COM.BR Thu Jun 27 00:55:58 2002
From: moacyrs at AKADNYX.COM.BR (Moacyr Leite da Silva)
Date: Thu Jan 12 21:15:06 2006
Subject: MailScanner 3.20-7
In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC9EE@med-core03.med.wayne.edu>
Message-ID:

Hi

In release 3.20-6 mcafeewrapper was running from /usr/local/uvscan when I did the update of release 3.20-7 got the following error

--
Starting MailScanner daemons:
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]
         MailScanner: Configuration file /usr/local/uvscan/bin/mcafeewrapper could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 63.
--

I made a workaround to fix that here. But the /usr/local/MailScanner/bin/logger.pl line 63 has nothing about paths or whatever.

Just to know! what happened?!

Starting MailScanner daemons:
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]
         MailScanner: Configuration file /usr/local/uvscan/bin/mcafeewrapper could not be opened for reading! at /usr/local/MailScanner/bin/logger.pl line 63.

Hei Julian, make things in /etc/sysconfig/mailscanner was great! many thanks!

--
Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br)
kadnyx Network Services (http://www.akadnyx.com.br)
+55 19 3242-4895 +55 19 9751-2964
"Time is the best teacher; unfortunately, it kills all its students."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subscribe to the Informativo Akadnyx newsletter
http://akadnyx.com.br/mailman/listinfo/informativo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From mailscanner-sub at WIREHUB.NET Thu Jun 27 03:52:05 2002
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:15:06 2006
Subject: Sendmail 8.12.5
In-Reply-To:
References: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <3D18E362.6050706@bfconsult.co.za> <3D18E362.6050706@bfconsult.co.za> <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626152714.03978b80@imap.ecs.soton.ac.uk>
Message-ID: <0bvkhu8g848s0s8lcfbaht0sje722qm9sc@hail.bengrimm.net>

On 26 Jun 2002 16:53:43 +0200, Christopher Albert wrote:

> I'm thinking about upgrading to sendmail 8.12.5 , which as you
> might know runs sendmail without SUID root and requires other
> changes from previous versions.
> Has anyone done this with (the latest) mailscanner and are there
> any issues to be aware of?

I'm running Mailscanner on ten Sendmail 8.12.4 servers, with Sendmail running sgid (smmsp user). No issues at all.

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Wirehub! Backbone --- http://doema.wirehub.net/wirehub/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -

From LISTSERV at JISCMAIL.AC.UK Wed Jun 26 23:32:38 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:06 2006
Subject: MAILSCANNER: thebest@XS4ALL.NL left the JISCmail list
Message-ID: <200206262232.XAA28720@magpie.ecs.soton.ac.uk>

Wed, 26 Jun 2002 23:32:38

thebest@XS4ALL.NL has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From LISTSERV at JISCMAIL.AC.UK Thu Jun 27 07:46:01 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:06 2006
Subject: MAILSCANNER: jozef.novikmec@LYNX.SK left the JISCmail list
Message-ID: <200206270646.HAA26437@magpie.ecs.soton.ac.uk>

Thu, 27 Jun 2002 07:46:00

jozef.novikmec@LYNX.SK has just left the MAILSCANNER JISCmail list (MailScanner mailing list).

From P.G.M.Peters at civ.utwente.nl Thu Jun 27 09:45:35 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:06 2006
Subject: Sendmail 8.12.5
In-Reply-To: <3D19D514.3000700@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <3D18E362.6050706@bfconsult.co.za> <3D18E362.6050706@bfconsult.co.za> <5.1.0.14.2.20020626112007.034b6680@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626152714.03978b80@imap.ecs.soton.ac.uk> <3D19D514.3000700@DMS.UMontreal.CA>
Message-ID:

On Wed, 26 Jun 2002 10:52:04 -0400, you wrote:

>I'm thinking about upgrading to sendmail 8.12.5 , which as you
>might know runs sendmail without SUID root and requires other
>changes from previous versions.

I am already running sendmail (8.11.6) with RUN_AS_USER mail. So everything including the mqueue-dirs are owned by mail. I configured mailscanner:

# User to run as (not normally used for sendmail)
Run As User = mail
# Group to run as (not normally used for sendmail)
Run As Group = mail

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From jkf at ecs.soton.ac.uk Thu Jun 27 10:01:57 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
In-Reply-To: <3D1A4067.F4FA3FBA@dcg.com>
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk>

At 23:29 26/06/2002, you wrote:
>Ok -- I thought I was all set until I actually switched from "deliver" to
>"store". I expected it to log full, near-original spam messages in the
>quarantine -- for me to easily go through to check for misidentified spam. I
>don't seem to be getting that behavior. I appear to be getting mqueue-like
>partial files -- i.e. no headers or anything -- certainly not the original
>messages that I had hoped for.

You get the qf and df "mqueue" files so you can drop them straight back into the queue if you actually want them to be delivered. Turning them into "mbox" format messages involves throwing away all the envelope information, so if you attempted to redeliver a message you would have ended up editing it. Under European law you ain't supposed to be manually editing other people's mail, it's an infringement of the Data Protection Act.

>Basically, I just want all of the system-wide messages detected as spam to be
>dumped somewhere where I can manually go through them to quickly check for
>misidentified non-spam (preferably in standard mbox format, I guess, so that I
>can use whatever reader/client I'd like). Can this be done easily?

You can find most non-spam by just reading the subject lines, which are contained in the qf files. Again however, this is almost certainly a breach of the DPA.

Writing code in the full knowledge that it would break laws if used is rather shaky ground, and I don't really want to go there if I can avoid it. I appreciate that many/most of you live outside the scope of these laws, but I don't and I'm the one producing the "package".
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Thu Jun 27 10:12:56 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:06 2006
Subject: Proper way to handle misidentifiedspamsite-wide?
In-Reply-To: <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <3D1A4067.F4FA3FBA@dcg.com> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk>
Message-ID: <9mllhuc89rhc00m1uv9bsc33bm88sommc0@4ax.com>

On Thu, 27 Jun 2002 10:01:57 +0100, you wrote:

>You can find most non-spam by just reading the subject lines, which are
>contained in the qf files. Again however, this is almost certainly a breach
>of the DPA.

A provider I know wants the customer to give explicit permission to read and/or modify parts of that customers mail(box). And it is done on a one time basis. The permission is given for that one time.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Thu Jun 27 10:18:28 2002
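The qf-versus-mbox point made in the two messages above, as an added example that is not part of the original thread and is not MailScanner code: a Python sketch that parses a sendmail qf control file and shows which recipients exist only in the envelope, so an mbox copy loses them. The record layout handled here (T, S, R and H lines) and the sample file are assumptions constructed for illustration.

```python
import re
import time
from email.utils import getaddresses

# Constructed sample qf control file (simplified: real files carry more
# record types, which parse_qf() skips). bob@ is a Bcc-style recipient.
SAMPLE_QF = """\
V6
T1025167797
P30451
$_mail.example.net [192.0.2.10]
S<offers@bulk.example.net>
rRFC822; alice@example.org
RPFD:<alice@example.org>
RPFD:<bob@example.org>
H?P?Return-Path: <g>
H??Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id g5R8nvXX012345;
\tThu, 27 Jun 2002 09:49:57 +0100
H??From: "Special Offers" <offers@bulk.example.net>
H??To: <alice@example.org>
H??Subject: Lowest rates
\tever!
.
"""

# Constructed df (body) file content.
SAMPLE_DF = "Click here for the lowest rates.\nFrom now on, no fees.\n"


def parse_qf(text):
    """Split a qf file into envelope data (S, R, T) and message headers (H)."""
    qf = {"created": 0, "sender": None, "recipients": [], "headers": []}
    in_header = False
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            # Folded continuation of the previous header line.
            if in_header:
                name, value = qf["headers"][-1]
                qf["headers"][-1] = (name, value + " " + line.strip())
            continue
        in_header = False
        code, rest = line[:1], line[1:]
        if code == "T":
            qf["created"] = int(rest)
        elif code == "S":
            qf["sender"] = rest.strip("<>")
        elif code == "R":
            # Assumed forms: "RPFD:<addr>" (flags before the colon) or "R<addr>".
            m = re.match(r"(?:[A-Z]*:)?(.*)", rest)
            qf["recipients"].append(m.group(1).strip("<>"))
        elif code == "H":
            # Assumed forms: "H?flags?Name: value" or "HName: value".
            m = re.match(r"(?:\?[^?]*\?)?([^:\s]+):\s*(.*)", rest)
            if m:
                qf["headers"].append((m.group(1), m.group(2)))
                in_header = True
    return qf


def header(qf, name):
    """First value of the named header (case-insensitive), or None."""
    for n, v in qf["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def envelope_only_recipients(qf):
    """Recipients present only on R lines, not in the To/Cc headers."""
    visible = set()
    for n, v in qf["headers"]:
        if n.lower() in ("to", "cc"):
            visible.update(a.lower() for _, a in getaddresses([v]) if a)
    return [r for r in qf["recipients"] if r.lower() not in visible]


def to_mbox(qf, body):
    """Render one mbox entry. The 'From ' line keeps the envelope sender,
    but the format has no place for the envelope recipients."""
    stamp = time.asctime(time.gmtime(qf["created"]))
    out = ["From %s %s" % (qf["sender"], stamp)]
    out += ["%s: %s" % h for h in qf["headers"]]
    out.append("")
    out += [">" + l if l.startswith("From ") else l for l in body.splitlines()]
    return "\n".join(out) + "\n\n"


if __name__ == "__main__":
    qf = parse_qf(SAMPLE_QF)
    print("envelope sender    :", qf["sender"])
    print("envelope recipients:", ", ".join(qf["recipients"]))
    print("subject            :", header(qf, "Subject"))
    print("lost in mbox copy  :", ", ".join(envelope_only_recipients(qf)))
```
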
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: MailScanner 3.20-7
In-Reply-To:
References: <6D60AC042221344095A0EBBC56EEE79A4BC9EE@med-core03.med.wayne.edu>
Message-ID: <5.1.0.14.2.20020627101227.0447f6f0@imap.ecs.soton.ac.uk>

At 00:55 27/06/2002, you wrote:
>Hi
>
>In release 3.20-6 mcafeewrapper was running from /usr/local/uvscan when
>I did the update of release 3.20-7 got the following error
>
>--
>Starting MailScanner daemons:
>         incoming sendmail: [ OK ]
>         outgoing sendmail: [ OK ]
>         MailScanner: Configuration file
>/usr/local/uvscan/bin/mcafeewrapper could not be opened for reading! at
>/usr/local/MailScanner/bin/logger.pl line 63.

Okay, ignore the logger.pl line 63 bit.
However, your mailscanner.conf file specified a mcafeewrapper in a location that it isn't :-)
I suspect you meant to say /usr/local/uvscan/mcafeewrapper (i.e. without the "bin").

>Hei Julian, make things in /etc/sysconfig/mailscanner was great! many
>thanks!

Glad that helps.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From P.G.M.Peters at civ.utwente.nl Thu Jun 27 10:36:41 2002
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:15:06 2006
Subject: officiel announcement of use of MailScanner
Message-ID: <60nlhu83t4kpdeblbjmkjjtamute27hdpe@4ax.com>

Hi,

I want to officially announce the fact that the "Universiteit Twente" is using MailScanner with f-prot and SpamAssassin on their two central mailservers. At this moment we are scanning a few of the sub-domains. The next few weeks we will start informing the users of the other sub-domains about the scanning and we will start scanning their mail shortly after that.

Thank you Julian.

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From eric at AFMB.CNRS-MRS.FR Thu Jun 27 10:30:33 2002
From: eric at AFMB.CNRS-MRS.FR (Eric Blanc)
Date: Thu Jan 12 21:15:06 2006
Subject: Newbie....
Message-ID: <3D1ADB39.81F0F9E0@afmb.cnrs-mrs.fr>

Hye,

I just installed Mailscanner/Spamassassin on our Mailserver.
Great improvement for my site, thanks Julian...

But...I'm afraid of being a little bit confused...

I would like to maintain a local blacklist/whitelist for identifying
Spammers and/or correct misidentified addresses

Mailscanner has its own Whitelist definition, SpamAssassin has its own
configuration file in Mailscanner etc Directory, but can also manage a
per user preference container file, and can use Razor to store that data
into an SQL container.
MailScanner cannot use Razor cause it doesn't use the "Spamd" but
"spamassassin"

In fact, I need to store the data into an SQL database, to allow
everyone to "TAG" email addresses as "Verified SPAM" or "Certified
users"
Let us suppose that I create a script updating .conf files from that
database...
I have to store
SPAMMERS into spam.assassin.pref.conf as a comma separated line
following "blacklist_from"
Non-SPAMMERS into spam.whitelist.conf one address per line
Politics to adopt about Certified SPAMMERS into spam.actions.conf

Is that right ?

Thanks for any help

Eric.

--
--------------------------------
Eric Blanc, PhD
Ingenieur d'Etudes Informatique & Reseau    WWW: http://afmb.cnrs-mrs.fr/teams/eblanc.html
AFMB CNRS-UMR 6098                          Email: eric@afmb.cnrs-mrs.fr
31 Ch J. Aiguier                            Fax: 33-4-91-16-45-36
13402 Marseille CEDEX 20                    Phone: 33-4-91-16-45-29
FRANCE

From mailscanner at ecs.soton.ac.uk Thu Jun 27 11:04:00 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: Newbie....
In-Reply-To: <3D1ADB39.81F0F9E0@afmb.cnrs-mrs.fr>
Message-ID: <5.1.0.14.2.20020627110240.041d3c98@imap.ecs.soton.ac.uk>

At 10:30 27/06/2002, you wrote:
>I just installed Mailscanner/Spamassassin on our Mailserver.
>Great improvement for my site, thanks Julian...

Thanks!

>I would like to maintain a local blacklist/whitelist for identifying
>Spammers and/or correct misidentified addresses
>
>Mailscanner has its own Whitelist definition, SpamAssassin has its own
>configuration file in Mailscanner etc Directory, but can also manage a
>per user preference container file, and can use Razor to store that data
>into an SQL container.
>MailScanner cannot use Razor cause it doesn't use the "Spamd" but
>"spamassassin"

MailScanner uses neither "spamd" nor the "spamassassin" script, it directly interfaces with SpamAssassin using its Perl API.

>In fact, I need to store the data into an SQL database, to allow
>everyone to "TAG" email addresses as "Verified SPAM" or "Certified
>users"
>Let us suppose that I create a script updating .conf files from that
>database...
>I have to store
>SPAMMERS into spam.assassin.pref.conf as a comma separated line
>following "blacklist_from"
>Non-SPAMMERS into spam.whitelist.conf one address per line
>Politics to adopt about Certified SPAMMERS into spam.actions.conf

You can easily blacklist addresses in your MTA, and I would advise that's where you do it.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From moacyrs at AKADNYX.COM.BR Thu Jun 27 13:33:38 2002
From: moacyrs at AKADNYX.COM.BR (Moacyr Leite da Silva)
Date: Thu Jan 12 21:15:06 2006
Subject: MailScanner 3.20-7
In-Reply-To: <5.1.0.14.2.20020627101227.0447f6f0@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 27 Jun 2002, Julian Field wrote:

> >/usr/local/uvscan/bin/mcafeewrapper could not be opened for reading! at
> >/usr/local/MailScanner/bin/logger.pl line 63.
>
> Okay, ignore the logger.pl line 63 bit.
> However, your mailscanner.conf file specified a mcafeewrapper in a location
> that it isn't :-)
> I suspect you meant to say /usr/local/uvscan/mcafeewrapper (i.e. without
> the "bin").

That is it! I misspelled the sweep parameter in mailscanner.conf... =o)

Sorry! ;o)

--
Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br)
kadnyx Network Services (http://www.akadnyx.com.br)
+55 19 3242-4895 +55 19 9751-2964
"Time is the best teacher; unfortunately, it kills all its students."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subscribe to the Informativo Akadnyx newsletter
http://akadnyx.com.br/mailman/listinfo/informativo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From mailscanner at ecs.soton.ac.uk Thu Jun 27 13:36:25 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: ANNOUNCE: Version 3.21-1 released
Message-ID: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk>

I have just released version 3.21-1.

New features and fixes are:

-- "Log Facility" configuration option so syslogs can be sent to somewhere other than the maillog.
-- "Notify Senders" configuration option now also accepts the value "local" so that only senders of viruses on your site are informed, not senders from outside your organisation.
-- "High SpamAssassin Score" configuration option to set the minimum SpamAssassin score above which the "High Scoring Spam Action" setting applies.
-- "High Scoring Spam Action" configuration option to set the action applied to all messages whose SpamAssassin score is greater than the "High SpamAssassin Score".

-- "Sweep" no longer has to be defined if "virus scanner = none" or "virus scanning = off".
-- SpamAssassin reports ending in newlines no longer cause broken qf files.
-- Return-Path: header is now handled better.
-- SpamAssassin reports should now never be empty.

Apart from minor fixes, this is probably going to be the last release for a while. Nick and I really need to do a "re-write" job on it as it has long since outgrown its initial design.

Download, as usual, from
www.mailscanner.info

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From gerry at dorfam.ca Thu Jun 27 14:04:17 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:06 2006
Subject: ANNOUNCE: Version 3.21-1 released
In-Reply-To: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk>
Message-ID: <46026.129.80.22.134.1025183057.squirrel@tiger.dorfam.ca>

> I have just released version 3.21-1.
>
> New features and fixes are:
>
> -- "Log Facility" configuration option so syslogs can be sent to
> somewhere other than the maillog.
> -- "Notify Senders" configuration option now also accepts the value
> "local" so that only senders of viruses on your site are informed, not
> senders from outside your organisation.
> -- "High SpamAssassin Score" configuration option to set the minimum
> SpamAssassin score above which the "High Scoring Spam Action" setting
> applies. -- "High Scoring Spam Action" configuration option to set the
> action applied to all messages whose SpamAssassin score is greater than
> the "High SpamAssassin Score".
>
> -- "Sweep" no longer has to be defined if "virus scanner = none" or
> "virus scanning = off".
> -- SpamAssassin reports ending in newlines no longer cause broken qf
> files. -- Return-Path: header is now handled better.
> -- SpamAssassin reports should now never be empty.
>
> Apart from minor fixes, this is probably going to be the last release
> for a while. Nick and I really need to do a "re-write" job on it as it
> has long since outgrown its initial design.
>
> Download, as usual, from
> www.mailscanner.info
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

Thanks Julian!

BTW, I was just wondering...when do you sleep??? I see messages from you posted at all hours of the day!

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

From mailscanner at ecs.soton.ac.uk Thu Jun 27 14:21:28 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:06 2006
Subject: ANNOUNCE: Version 3.21-1 released
In-Reply-To: <46026.129.80.22.134.1025183057.squirrel@tiger.dorfam.ca>
References: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020627141632.03fd3008@imap.ecs.soton.ac.uk>

At 14:04 27/06/2002, you wrote:
> > I have just released version 3.21-1.
> >
> > New features and fixes are:
> >
> > -- "Log Facility" configuration option so syslogs can be sent to
> > somewhere other than the maillog.
> > -- "Notify Senders" configuration option now also accepts the value
> > "local" so that only senders of viruses on your site are informed, not
> > senders from outside your organisation.
> > -- "High SpamAssassin Score" configuration option to set the minimum
> > SpamAssassin score above which the "High Scoring Spam Action" setting
> > applies. -- "High Scoring Spam Action" configuration option to set the
> > action applied to all messages whose SpamAssassin score is greater than
> > the "High SpamAssassin Score".
> >
> > -- "Sweep" no longer has to be defined if "virus scanner = none" or
> > "virus scanning = off".
> > -- SpamAssassin reports ending in newlines no longer cause broken qf
> > files. -- Return-Path: header is now handled better.
> > -- SpamAssassin reports should now never be empty.
> >
> > Apart from minor fixes, this is probably going to be the last release
> > for a while. Nick and I really need to do a "re-write" job on it as it
> > has long since outgrown its initial design.
> >
> > Download, as usual, from
> > www.mailscanner.info
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel.
> > 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
>
>Thanks Julian!
>
>BTW, I was just wondering...when do you sleep???
I see messages from you
>posted at all hours of the day!

I get into work about 8:30BST (= 7:30GMT) and I usually pack it in and go to bed around 10 (9pm GMT). Nick handles the night-shift from New Zealand...

Oh, and I don't sleep too well, so occasionally I'll hit the list at 3-5am (2-4am GMT).

And I hope you're impressed with the time from suggestion to "being published" of the "High Score" feature people wanted :-)
(I was given a much appreciated financial inducement)

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From Matthew_doherty at DATAWATCH.COM Thu Jun 27 14:44:11 2002
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty)
Date: Thu Jan 12 21:15:06 2006
Subject: ANNOUNCE: Version 3.21-1 released
Message-ID:

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, June 27, 2002 9:49 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Version 3.21-1 released I have just released version 3.21-1. New features and fixes are: -- "Log Facility" configuration option so syslogs can be sent to somewhere other than the maillog. Will it automatically create a new file in the /var/log/? Or do we have to specify it in the mailscanner.conf file? -- "Notify Senders" configuration option now also accepts the value "local" so that only senders of viruses on your site are informed, not senders from outside your organisation. Darn, kinda liked both parties being informed. -- "High SpamAssassin Score" configuration option to set the minimum SpamAssassin score above which the "High Scoring Spam Action" setting applies. -- "High Scoring Spam Action" configuration option to set the action applied to all messages whose SpamAssasssin score is greater than the "High SpamAssassin Score". -- "Sweep" no longer has to be defined if "virus scanner = none" or "virus scanning = off". -- SpamAssassin reports ending in newlines no longer cause broken qf files. -- Return-Path: header is now handled better. -- SpamAssassin reports should now never be empty. I cannot locate the SpamAssassin reports. where are they usually? Or will this new version you wrote create one in the /var/log/ directory? Apart from minor fixes, this is probably going to be the last release for a while. Nick and I really need to do a "re-write" job on it as it has long since outgrown its initial design. Download, as usual, from www.mailscanner.info -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Matthew_doherty at DATAWATCH.COM Thu Jun 27 14:56:35 2002 
From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:06 2006 Subject: updating to 3.21-1 via RPM Message-ID: Will we need to reconfigure our .conf files all over again or will it be a smooth install over the 3.21.* version? (as long as the previous install was put to default locations of course) From gerry at dorfam.ca Thu Jun 27 15:25:33 2002 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:15:06 2006 Subject: ANNOUNCE: Version 3.21-1 released In-Reply-To: <5.1.0.14.2.20020627141632.03fd3008@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627141632.03fd3008@imap.ecs.soton.ac.uk> Message-ID: <59608.129.80.22.134.1025187933.squirrel@tiger.dorfam.ca> >>Thanks Julian! >> >>BTW, I was just wondering...when do you sleep??? I see messages from >> you posted at all hours of the day! > > I get into work about 8:30BST (= 7:30GMT) and I usually pack it in and > go to bed around 10 (9pm GMT). Nick handles the night-shift from New > Zealand... Oh, and I don't sleep too well, so occasionally I'll hit the > list at 3-5am (2-4am GMT). > > And I hope you're impressed with the time from suggestion to "being > published" of the "High Score" feature people wanted :-) (I was given a > much appreciated financial inducement) > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. > 023 8059 2817 University of Southampton > Southampton SO17 1BJ It's funny how financial inducements have a way of speeding things up isn't it. Says a lot for the capitalist system we work in! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From jkf at ecs.soton.ac.uk Thu Jun 27 15:25:46 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: updating to 3.21-1 via RPM In-Reply-To: Message-ID: <5.1.0.14.2.20020627152500.03fd57d8@imap.ecs.soton.ac.uk> At 14:56 27/06/2002, you wrote: >Will we need to reconfigure our .conf files all over again or will it be a >smooth install over the 3.21.* version? (as long as the previous install >was put to default locations of course) It won't over-write your mailscanner.conf file (or any other .conf files), but you might want to diff mailscanner.conf mailscanner.conf.rpmnew so you get to see any new added keywords that you might want to set a value for in your mailscanner.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu Jun 27 15:24:50 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: ANNOUNCE: Version 3.21-1 released In-Reply-To: Message-ID: <5.1.0.14.2.20020627152211.044a9548@imap.ecs.soton.ac.uk> At 14:44 27/06/2002, you wrote: >-- "Log Facility" configuration option so syslogs can be sent to somewhere >other than the maillog. >Will it automatically create a new file in the /var/log/? Or do we have to >specify it in the mailscanner.conf file? No, read your "man syslog.conf". Instead of "mail" you can now specify something like "local0". Read about syslog "facilities" and you will understand. >-- "Notify Senders" configuration option now also accepts the value >"local" so that only senders of viruses on your site are informed, not >senders from outside your organisation. >Darn, kinda liked both parties being informed. Then continue using "Notify Senders = yes". The new bit is that you can have "Notify Senders = local" so that it won't notify off-site senders, but you don't have to use that feature if you don't want to. >-- "High SpamAssassin Score" configuration option to set the minimum >SpamAssassin score above which the "High Scoring Spam Action" setting >applies. >-- "High Scoring Spam Action" configuration option to set the action >applied to all messages whose SpamAssasssin score is greater than the "High >SpamAssassin Score". > >-- "Sweep" no longer has to be defined if "virus scanner = none" or "virus >scanning = off". >-- SpamAssassin reports ending in newlines no longer cause broken qf files. >-- Return-Path: header is now handled better. >-- SpamAssassin reports should now never be empty. >I cannot locate the SpamAssassin reports. where are they usually? Or will >this new version you wrote create one in the /var/log/ directory? The SpamAssassin reports are put in the SpamCheck header of each mail message, inside "()" just after it says "SpamAssassin". -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. 
of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Thu Jun 27 16:02:29 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:15:06 2006 Subject: ANNOUNCE: Version 3.21-1 released In-Reply-To: <5.1.0.14.2.20020627141632.03fd3008@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627141632.03fd3008@imap.ecs.soton.ac.uk> Message-ID: <200206271002.29936.lbergman@abi.tconline.net> > And I hope you're impressed with the time from suggestion to "being > published" of the "High Score" feature people wanted :-) (I was given a > much appreciated financial inducement) I know I am! -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From dcooper at UKMATRIX.NET Thu Jun 27 17:10:18 2002 
From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:06 2006 Subject: Scan certain domains Message-ID: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> Hi, Is it possible to make mailscanner only work on certain domains? Say a mailserver accepts mail for 100 domains, and you only want 10 of those domains to be checked for viruses on incoming email - is that possible? I have tried this using the domains.to.scan.conf file, and enabled the option in the mailscanner.conf file but am having no joy. The system works, but it scans everything that comes in, for all domains. Mant thanks. Regards, Dan Cooper From jgoggan at DCG.COM Thu Jun 27 18:05:42 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> Message-ID: <3D1B45E6.EC3997DE@dcg.com> Julian Field wrote: > You get the qf and df "mqueue" files so you can drop them straight > back into the queue if you actually want them to be delivered. Yes, but then looking through them to detect non-spam mistakes is then difficult, yes? I've suddenly got a few hundred qf files to go checking subjects in -- there must be a better way? > Under European law you ain't supposed to be manually editing other > people's mail, its an infringement of the Data Protection Act. Well, it's pretty much MY mail. Most of what I'm sending using "store" is mail to various catch-all accounts plus some admin accounts. Basically, it is all "mine" -- or at least the company's and I have full rights to go looking through it... > You can find most non-spam by just reading the subject lines, which > are contained in the qf files. This just seems odd to me. It basically seems that doing any action other than "deliver" is just a problem. If you do "delete", then you're going to lose some non-spams. If you do "store" because you want to look through it for mistakes later, it seems that just trying to wade through the hundreds of qf files is such a pain as to not be worth it. Again, I'm surprised that people are doing this... Hmmm... > Again however, this is almost certainly a breach of the DPA. Nope. Not in this instance. > Writing code in the full knowledge that it would break laws if used > is rather shaky ground, and I don't really want to go there if I can > avoid it. Assuming that certain options, if used, must be illegal just seems incorrect to me. There are certainly many legal uses for what I was planning to do. 
But, I understand your concern... > I appreciate that many/most of you live outside the scope of these > laws, but I don't and I'm the one producing the "package". Agreed. It is indeed your project and I therefore respect that. I just see legitimate uses for such features. Especially when the process involved as it is now seems almost worthless. I feel like "deliver" is the only usable spam option unless people are doing a lot of custom work with things that are "stored." Of course, making it "easier" would then go against your concerns for the DPA. Even though what I was doing would certainly not be against it -- even if I lived where it applied. :) Ok -- well -- I guess I'll stick with "deliver" for now and wade through it that way. :( Thanks for your time and responses! - John... From mailscanner at ecs.soton.ac.uk Thu Jun 27 18:18:17 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <3D1B45E6.EC3997DE@dcg.com> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> At 18:05 27/06/2002, you wrote: >Julian Field wrote: > > You get the qf and df "mqueue" files so you can drop them straight > > back into the queue if you actually want them to be delivered. > >Yes, but then looking through them to detect non-spam mistakes is then >difficult, yes? I've suddenly got a few hundred qf files to go checking >subjects in -- there must be a better way? grep -i subject: qf* | less That isn't too hard, surely? > > You can find most non-spam by just reading the subject lines, which > > are contained in the qf files. > >This just seems odd to me. It basically seems that doing any action other >than "deliver" is just a problem. If you do "delete", then you're going to >lose some non-spams. If you do "store" because you want to look through it >for mistakes later, it seems that just trying to wade through the hundreds of >qf files is such a pain as to not be worth it. Personally, I don't use either "store" or "delete". I tag it and deliver it all, leaving the users to filter it if they want to. My users hate the idea of other people deciding for them. And with a multi-Gb network, bandwidth for a bit of mail is hardly a problem :-) However, I see your point, and I may do something about it in the next big release, but that isn't going to be any time very soon. A feature for V4. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Thu Jun 27 18:17:30 2002 
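Added example, not part of the original thread and not MailScanner code: the subject-line review done with grep in the message above, extended to one summary line per stored message, plus a helper that drops a false positive back into a queue directory. It assumes sendmail-style qf control files (S sender, R recipient and H?flags? header records, with folded header lines starting with whitespace); the function names and directories are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes sendmail-style queue control files (qf<id>) with a
# matching data file (df<id>) in the same directory.

# qf_triage DIR
# Print one tab-separated line per stored message:
#   queue-id <TAB> envelope sender <TAB> recipient count <TAB> subject
qf_triage() {
    dir=$1
    for qf in "$dir"/qf*; do
        [ -f "$qf" ] || continue
        LC_ALL=C awk -v id="${qf##*/qf}" '
            # A line starting with whitespace continues the previous header.
            /^[ \t]/ {
                if (in_subj) { sub(/^[ \t]+/, " "); subj = subj $0 }
                next
            }
            { in_subj = 0 }
            /^S/ { sender = substr($0, 2) }      # envelope sender record
            /^R/ { nrcpt++ }                     # one record per recipient
            # Header records look like "H?flags?Name: value".
            tolower($0) ~ /^h\?[^?]*\?subject:/ && !seen {
                subj = $0
                sub(/^[^:]*:[ \t]*/, "", subj)
                in_subj = 1; seen = 1
            }
            END {
                # Spam subjects are untrusted input: replace anything outside
                # printable ASCII so escape sequences never reach the terminal.
                gsub(/[^ -~]/, "?", subj)
                gsub(/[^ -~]/, "?", sender)
                printf "%s\t%s\t%d\t%s\n", id, sender, nrcpt, subj
            }' "$qf"
    done
}

# qf_release SRC DST ID
# Move one message (both files) from the store SRC into the queue DST.
qf_release() {
    src=$1 dst=$2 id=$3
    case $id in
        ''|*/*|.*) echo "qf_release: bad queue id: $id" >&2; return 2 ;;
    esac
    [ -f "$src/qf$id" ] && [ -f "$src/df$id" ] || {
        echo "qf_release: qf$id or df$id missing in $src" >&2; return 1; }
    [ ! -e "$dst/qf$id" ] && [ ! -e "$dst/df$id" ] || {
        echo "qf_release: $id already present in $dst" >&2; return 1; }
    # Data file first, control file last, so a queue run never finds a
    # control file whose message body has not arrived yet.
    mv "$src/df$id" "$dst/df$id" && mv "$src/qf$id" "$dst/qf$id"
}
```

`qf_triage /path/to/store | sort -t "$(printf '\t')" -k2` groups the listing by sender, which makes repeated spam runs easy to skip past.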
From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:15:06 2006 Subject: Scan certain domains References: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> Message-ID: <052901c21dfe$85177180$1b02a8c0@theargoncompany.com> Are you running this on a Cobalt RaQ server? I am too and I never figured how to do it either. I was able to get it to work on a Redhat 6.2 server so I figured it's something to do with the Cobalt and not Mailscanner. Regards Rishi ----- Original Message ----- From: Dan Cooper To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, June 27, 2002 9:40 PM Subject: Scan certain domains Hi, Is it possible to make mailscanner only work on certain domains? Say a mailserver accepts mail for 100 domains, and you only want 10 of those domains to be checked for viruses on incoming email - is that possible? I have tried this using the domains.to.scan.conf file, and enabled the option in the mailscanner.conf file but am having no joy. The system works, but it scans everything that comes in, for all domains. Mant thanks. Regards, Dan Cooper From dll at SCITOOLS.COM Thu Jun 27 18:35:39 2002 
From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:06 2006 Subject: Domains not to scan? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <038601c21e01$5ce0c470$170aa8c0@DELL> Hi, I've opted to configure MailScanner to "Always Include SpamAssassin Report", mostly because we like being able to refer to those headers and the score that they contain when a potential spam sneaks by. Anyway, what I'd like to be able to do is prevent MailScanner from modifying the headers of outgoing messages from our users, perhaps a "domains.not.to.scan.conf" file or negative entries in "domains.to.scan.conf" is in order. Is there some way to accomplish this now? Thanks, Dan From dll at SCITOOLS.COM Thu Jun 27 18:37:10 2002 From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:06 2006 Subject: Scan certain domains References: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> <052901c21dfe$85177180$1b02a8c0@theargoncompany.com> Message-ID: <038701c21e01$5e8350e0$170aa8c0@DELL> Gee, this is almost the question that I just asked. ;-). Dan ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Thursday, June 27, 2002 1:17 PM Subject: Re: Scan certain domains > Are you running this on a Cobalt RaQ server? I am too and I never figured > how to do it either. I was able to get it to work on a Redhat 6.2 server so > I figured it's something to do with the Cobalt and not Mailscanner. > > Regards > > Rishi > > ----- Original Message ----- 
> From: Dan Cooper > To: MAILSCANNER@JISCMAIL.AC.UK > Sent: Thursday, June 27, 2002 9:40 PM > Subject: Scan certain domains > > > Hi, > > Is it possible to make mailscanner only work on certain domains? > > Say a mailserver accepts mail for 100 domains, and you only want 10 of those > domains to be checked for viruses on incoming email - is that possible? I > have tried this using the domains.to.scan.conf file, and enabled the option > in the mailscanner.conf file but am having no joy. The system works, but it > scans everything that comes in, for all domains. > > Mant thanks. > > Regards, > Dan Cooper > From brose at MED.WAYNE.EDU Thu Jun 27 18:38:12 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC9F4@med-core03.med.wayne.edu> Add this to your sendmail.pl file and it will create a single message file containing the full message and the SA headers. Then you can "cat * > ~/mail/spam" and check it with pine. You can then use to also report to razor/dcc in bulk. 465a466 > #Bobby added $mID for saving report 467c468 < = SAForkAndTest($SAspamtest, $spammail); --- > = SAForkAndTest($SAspamtest, $spammail, $mID); 476c477,478 < my($Test, $Mail) = @_; --- > #Bobby added $mID for saving report > my($Test, $Mail, $mID) = @_; 500a503,515 > #Bobby's added code > my $SAScore = $spamness->get_hits(); > my $SAReqHits = $spamness->get_required_hits(); > #Log::InfoLog("SpamAssassin score $SAScore of $SAReqHits"); > if ($SAScore >= $SAReqHits) { > $spamness->rewrite_mail (); > my $SARewrite = $spamness->get_full_message_as_text(); > local(*DOUT); > open(DOUT, ">>/var/spam/queue/spr$mID") or Log::DieLog("Failed to create copy of spam message spr$mID"); > print DOUT $SARewrite; > close DOUT; > } -----Original Message----- 
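Review bot: in the 500a503,515 hunk, a failed open of /var/spam/queue/spr$mID goes to Log::DieLog, so if DieLog aborts as its name implies, a missing, full or unwritable /var/spam/queue stops the scanning path over what is only an optional copy. Log the failure (the commented-out Log::InfoLog call in the same hunk shows a non-fatal logger is available) and skip the copy instead. The results of print and close are not checked, so a short write leaves a truncated spr file with no trace. The file is opened with ">>" and no explicit mode, so the permissions on a file holding full message text depend on the process umask; set the mode deliberately and keep /var/spam/queue readable only by the account that reviews it.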
From: John Goggan [mailto:jgoggan@DCG.COM] Sent: Thursday, June 27, 2002 1:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Proper way to handle misidentifiedspamsite-wide? Julian Field wrote: > You get the qf and df "mqueue" files so you can drop them straight > back into the queue if you actually want them to be delivered. Yes, but then looking through them to detect non-spam mistakes is then difficult, yes? I've suddenly got a few hundred qf files to go checking subjects in -- there must be a better way? > Under European law you ain't supposed to be manually editing other > people's mail, its an infringement of the Data Protection Act. Well, it's pretty much MY mail. Most of what I'm sending using "store" is mail to various catch-all accounts plus some admin accounts. Basically, it is all "mine" -- or at least the company's and I have full rights to go looking through it... > You can find most non-spam by just reading the subject lines, which > are contained in the qf files. This just seems odd to me. It basically seems that doing any action other than "deliver" is just a problem. If you do "delete", then you're going to lose some non-spams. If you do "store" because you want to look through it for mistakes later, it seems that just trying to wade through the hundreds of qf files is such a pain as to not be worth it. Again, I'm surprised that people are doing this... Hmmm... > Again however, this is almost certainly a breach of the DPA. Nope. Not in this instance. > Writing code in the full knowledge that it would break laws if used is > rather shaky ground, and I don't really want to go there if I can > avoid it. Assuming that certain options, if used, must be illegal just seems incorrect to me. There are certainly many legal uses for what I was planning to do. But, I understand your concern... > I appreciate that many/most of you live outside the scope of these > laws, but I don't and I'm the one producing the "package". Agreed. 
It is indeed your project and I therefore respect that. I just see legitimate uses for such features. Especially when the process involved as it is now seems almost worthless. I feel like "deliver" is the only usable spam option unless people are doing a lot of custom work with things that are "stored." Of course, making it "easier" would then go against your concerns for the DPA. Even though what I was doing would certainly not be against it -- even if I lived where it applied. :) Ok -- well -- I guess I'll stick with "deliver" for now and wade through it that way. :( Thanks for your time and responses! - John... From dcooper at UKMATRIX.NET Thu Jun 27 18:38:36 2002 From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:06 2006 Subject: Scan certain domains References: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> <052901c21dfe$85177180$1b02a8c0@theargoncompany.com> Message-ID: <03df01c21e01$778b1780$415e7bc1@401wkstn> Hi Rishi I actually have it working now - it was my fault, I was rushing to test the product. Rather than set up a couple of domains to point to the box, I simply created pc1.machine.com and pc1.test.machne.com as subdomains of machine.com, pointing to the IP address of the box. Then I added pc1.machine.com to domains.to.be.checked.conf only, restarted mailscanner and sent messages to both domains. They were both checked for viruses. Upon setting up 2 domains properly to point to the mailserver (VIA MX RECORDS), and adding one to the domains.to.be.checked.conf file, the correct one got scanned and the other was just placed in the mailbox without being scanned. One point that may be useful to others, is the message placed in the syslog when emails aren't scanned is: Jun 27 18:26:00 storm mailscanner[6618]: Forwarding 1 clean messages, 10300 bytes which can be misleading. This message may or may not be clean, it hasn't been scanned. D. ----- Original Message ----- 
From: "Rishi Gangoly" To: Sent: Thursday, June 27, 2002 6:17 PM Subject: Re: Scan certain domains > Are you running this on a Cobalt RaQ server? I am too and I never figured > how to do it either. I was able to get it to work on a Redhat 6.2 server so > I figured it's something to do with the Cobalt and not Mailscanner. > > Regards > > Rishi > > ----- Original Message ----- > From: Dan Cooper > To: MAILSCANNER@JISCMAIL.AC.UK > Sent: Thursday, June 27, 2002 9:40 PM > Subject: Scan certain domains > > > Hi, > > Is it possible to make mailscanner only work on certain domains? > > Say a mailserver accepts mail for 100 domains, and you only want 10 of those > domains to be checked for viruses on incoming email - is that possible? I > have tried this using the domains.to.scan.conf file, and enabled the option > in the mailscanner.conf file but am having no joy. The system works, but it > scans everything that comes in, for all domains. > > Mant thanks. > > Regards, > Dan Cooper > From dcooper at UKMATRIX.NET Thu Jun 27 18:49:40 2002 
From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:06 2006 Subject: Setting up a Gateway References: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> <052901c21dfe$85177180$1b02a8c0@theargoncompany.com> <03df01c21e01$778b1780$415e7bc1@401wkstn> Message-ID: <03f101c21e03$0325cfa0$415e7bc1@401wkstn> We have a fairly busy mailserver here, looking after quite a few domains but I only want to use mailscanner on a small number of them. Rather than set MailScanner up on the mailserver itself and use the domains.to.scan.conf option, is there a way to use another server as a gateway? i.e. the MX records for the domain are changed to point to the mail server running MailScanner. Mail scanner scans the email and then sends it to the main mailserver?? I have tried doing this via a .forward file on the mailscanner system and added the domain to the domains.to.scan.conf file, but when I send an email to the domain, it simply enters Jun 27 18:26:00 storm mailscanner[6618]: Forwarding 1 clean messages, 10300 bytes into the syslog and forwards the message to the main mail server. I know this seems like a 'why would you want to do that' situation but there is a good reason why we may have to go down this road. Thanks in advance, D. From jgoggan at DCG.COM Thu Jun 27 18:52:35 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <3D1B50E3.9F6A642B@dcg.com> Julian Field wrote: > >subjects in -- there must be a better way? > > grep -i subject: qf* | less > > That isn't too hard, surely? Not hard, no, but not very accurate/usable either. :) What is going on is that I'm trying to pull all the spam out of our "info" and "help" accounts before the people that have to handle such requests see them. This is why it is really all "my" mail -- I don't think there are legal problems. The problem is that we get tons of spam at these -- because we make the email addresses so readily available on web sites and such -- crawlers pick them up repeatedly. So, I'm just trying to filter most of that out before it ever gets to them to see at all -- but want to check for errors. So, just for fun, here are some of the subjects from our quarantine (i.e. marked as spam already) using your method:
qfg5QM7D128287:H??Subject: help...
qfg5QMBv131050:H??Subject: Offer
qfg5QMOo104547:H??Subject: Re: More info?
qfg5R0Jj104316:H??Subject: Here is what you requested
qfg5R0Rs109645:H??Subject: YOUR ATTENTION PLEASE
qfg5R2IS106590:H??Subject: Welcome New Member!
Those seem "questionable" to me -- at least where I would need to read more of the information. And that is just from like an hour or two. If I check that even every day, I'd still have dozens and dozens of subjects that I'd have to research more to see if they might be customer service related in some way. Now, most of the above are indeed spam. In fact, I've already checked manually - and they are. 
But just checking them (having to go back and read the headers in the qf files and, in some cases, actually read the text in the df files) was not a pleasant experience. :) > Personally, I don't use either "store" or "delete". I tag it and > deliver it all, leaving the users to filter it if they want to. My > users hate the idea of other people deciding for them. And with a > multi-Gb network, bandwidth for a bit of mail is hardly a problem :-) Indeed. I wouldn't do this for "normal" users -- I'd let them handle it after just marking them for them. I just see many other legit uses for MailScanner/SpamAssassin outside of just marking things for "normal" users. It seems so close -- but just not quite -- when it comes to doing things besides "deliver." > However, I see your point, and I may do something about it in the > next big release, but that isn't going to be any time very soon. A > feature for V4. No problem -- hope to see it someday. I'll do deliver for now. Actually, I'm already more than happy -- since I requested the "two threshold levels" thing only a day or two ago, was told that it wasn't possible for now, and then suddenly have it today! So, I'll consider myself more than lucky for what I got already. To whoever paid Julian for that implementation, I thank you! :) - John... From FCaen at CI.LAKEWOOD.WA.US Thu Jun 27 18:56:12 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:15:06 2006 Subject: Setting up a Gateway Message-ID: Try using mailertables (assuming you are running Sendmail) or read Julian's text on the subject at: http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#16 ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- 
From: dcooper@UKMATRIX.NET Sent: Thursday, June 27, 2002 10:50 AM To: Subject: [MAILSCANNER] Setting up a Gateway We have a farily busy mailserver here, looking after quite a few domains but I only want to use mailscanner on a small number of them. Rather than set MailScanner up on the mailserver itself and use the domains.to.scan.conf option, is there a way to use another server as a gateway? i.e. the MX records for the domain are changed to point to the mail server running MailScanner. Mail scanner scans the email and then sends it to the main mailserver?? I have tried doing this via a .forward file on the mailscanner system and added the domain to the domains.to.scan.conf file, but when i send an email to the domain, it simply enters Jun 27 18:26:00 storm mailscanner[6618]: Forwarding 1 clean messages, 10300 bytes into the syslog and forwards the mesage to the main mail server. I know this seems like a 'why would you want to do that' situation but there is a good reason why we may have to go down this road. Thanks in advance, D. From tal at MUSICGENOME.COM Thu Jun 27 19:06:58 2002 
From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:15:06 2006 Subject: Setting up a Gateway In-Reply-To: <03f101c21e03$0325cfa0$415e7bc1@401wkstn> References: <02b401c21df5$21b0c0a0$415e7bc1@401wkstn> <052901c21dfe$85177180$1b02a8c0@theargoncompany.com> <03df01c21e01$778b1780$415e7bc1@401wkstn> <03f101c21e03$0325cfa0$415e7bc1@401wkstn> Message-ID: <1025201221.1785.5.camel@johnny5> perhaps this helps? http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#16 On Thu, 2002-06-27 at 20:49, Dan Cooper wrote: > We have a farily busy mailserver here, looking after quite a few domains but > I only want to use mailscanner on a small number of them. > > Rather than set MailScanner up on the mailserver itself and use the > domains.to.scan.conf option, is there a way to use another server as a > gateway? i.e. the MX records for the domain are changed to point to the > mail server running MailScanner. Mail scanner scans the email and then sends > it to the main mailserver?? I have tried doing this via a .forward file on > the mailscanner system and added the domain to the domains.to.scan.conf > file, but when i send an email to the domain, it simply enters > Jun 27 18:26:00 storm mailscanner[6618]: Forwarding 1 clean messages, 10300 > bytes > into the syslog and forwards the mesage to the main mail server. > > I know this seems like a 'why would you want to do that' situation but there > is a good reason why we may have to go down this road. > > Thanks in advance, > > D. > -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 From mailscanner at ecs.soton.ac.uk Thu Jun 27 19:14:16 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Domains not to scan? In-Reply-To: <038601c21e01$5ce0c470$170aa8c0@DELL> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627190717.035f78d0@imap.ecs.soton.ac.uk> At 18:35 27/06/2002, you wrote: >Anyway, what I'd like to be able to do is prevent MailScanner from modifying >the headers of outgoing messages from our users, perhaps a >"domains.not.to.scan.conf" file or negative entries in >"domains.to.scan.conf" is in order. I really must write a FAQ about this, I get asked it about once a month. Summary: it's impossible. Right, say you have domains under your control called scanme.com and dontscanme.com. There is some other domain out there on the net called other.com. You want to restrict scanning by having a "domains.not.to.scan.conf" file containing "dontscanme.com". Okay so far? Someone sends a message from other.com to scanme.com. You scan it as scanme.com isn't in the list. Now you get a message from other.com to dontscanme.com. You still scan it as other.com isn't in the list. The same arises from scanme.com and dontscanme.com *to* other.com. Last case: someone sends a message from scanme.com to dontscanme.com. Do you scan it or not? As scanme.com is not in the list, then you should scan it. The guys at scanme.com are going to get real mad at you for not scanning their incoming mail, if you decide to not scan it as dontscanme.com is in the list. So you have to scan it. So you have to give priority to domains that are *not* in the list, and these over-ride domains that *are* in the list. So you end up scanning everything. It isn't what you think you wanted to do, but it is the logical consequence of what you have to do (i.e. 
scan mail for people who want it scanned). So it can't be done. Must put this in a FAQ... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jun 27 19:19:53 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <3D1B50E3.9F6A642B@dcg.com> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627191726.03540048@imap.ecs.soton.ac.uk> At 18:52 27/06/2002, you wrote: >Indeed. I wouldn't do this for "normal" users -- I'd let them handle it after >just marking them for them. I just see many other legit uses for >MailScanner/SpamAssassin outside of just marking things for "normal" users. >It seems so close -- but just not quite -- when it comes to doing things >besides "deliver." Good point. Some sort of spam quarantining that made an mbox format file for each day. Would you want viruses in there too, or just spam? We could have something like Quarantine spam in mbox format = yes/no I don't think I'm going to write it now, but I hope it will make it to V4. If V4 ships without it, remind me :-) >No problem -- hope to see it someday. I'll do deliver for now. Actually, I'm >already more than happy -- since I requested the "two threshold levels" thing >only a day or two ago, was told that it wasn't possible for now, and then >suddenly have it today! So, I'll consider myself more than lucky for what I >got already. To whoever paid Julian for that implementation, I thank you! :) :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dll at SCITOOLS.COM Thu Jun 27 19:40:38 2002 
From: dll at SCITOOLS.COM (Dan Leavitt) Date: Thu Jan 12 21:15:06 2006 Subject: Domains not to scan? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627190717.035f78d0@imap.ecs.soton.ac.uk> Message-ID: <040001c21e0a$5f57c8d0$170aa8c0@DELL> Well, perhaps my intent would be better served by running SpamAssassin via /etc/procmailrc rather than by MailScanner; thus, it would only scan mail that is being delivered to local users, which is my real goal. Doing so might also provide a solution to an earlier question of mine about whether users can control the behavior of SpamAssassin via their ~.spamassassin.cf file. Can you confirm these thoughts? Thanks, Dan ----- Original Message ----- 
From: "Julian Field" To: Sent: Thursday, June 27, 2002 2:14 PM Subject: Re: Domains not to scan? > At 18:35 27/06/2002, you wrote: > >Anyway, what I'd like to be able to do is prevent MailScanner from modifying > >the headers of outgoing messages from our users, perhaps a > >"domains.not.to.scan.conf" file or negative entries in > >"domains.to.scan.conf" is in order. > > I really must write a FAQ about this, I get asked it about once a month. > > Summary: it's impossible. > > Right, say you have domains under your control called scanme.com and > dontscanme.com. There is some other domain out there on the net called > other.com. > > You want to restrict scanning by having a "domains.not.to.scan.conf" file > containing "dontscanme.com". > > Okay so far? > > Someone sends a message from other.com to scanme.com. You scan it as > scanme.com isn't in the list. Now you get a message from other.com to > dontscanme.com. You still scan it as other.com isn't in the list. > > The same arises from scanme.com and dontscanme.com *to* other.com. > > Last case: someone sends a message from scanme.com to dontscanme.com. Do > you scan it or not? As scanme.com is not in the list, then you should scan > it. The guys at scanme.com are going to get real mad at you for not > scanning their incoming mail, if you decide to not scan it as > dontscanme.com is in the list. So you have to scan it. So you have to give > priority to domains that are *not* in the list, and these over-ride domains > that *are* in the list. > > So you end up scanning everything. It isn't what you think you wanted to > do, but it is the logical consequence of what you have to do (i.e. scan > mail for people who want it scanned). > > So it can't be done. > > Must put this in a FAQ... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 
023 8059 2817 University of Southampton > Southampton SO17 1BJ > From Matthew_doherty at DATAWATCH.COM Thu Jun 27 19:41:01 2002 From: Matthew_doherty at DATAWATCH.COM (Matt Doherty) Date: Thu Jan 12 21:15:06 2006 Subject: updating to 3.21-1 via RPM Message-ID: Thank you Much! Excellent job!!! In a world without fences or walls, who needs Windows and Gates? -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Thursday, June 27, 2002 11:37 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: updating to 3.21-1 via RPM At 14:56 27/06/2002, you wrote: >Will we need to reconfigure our .conf files all over again or will it be a >smooth install over the 3.21.* version? (as long as the previous install >was put to default locations of course) It won't over-write your mailscanner.conf file (or any other .conf files), but you might want to diff mailscanner.conf mailscanner.conf.rpmnew so you get to see any new added keywords that you might want to set a value for in your mailscanner.conf file. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jun 27 20:36:08 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <3D1B50E3.9F6A642B@dcg.com> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> This has taken me about an hour and a half to solve. Take a look at the attached shell script. It should do 99% of what you are trying to achieve. Its syntax is: df2mbox dirname [ dirname ... ] i.e. you can cd into your quarantine directory and do df2mbox * to process all your quarantine directories, or you can just do the directory that corresponds to yesterday's mail, e.g. df2mbox 20020622 It will create a file called "spam." in the current directory, for each directory name you pass on the command-line. Try doing cd /var/spool/MailScanner/quarantine df2mbox * and you'll see what I mean. You can then point most mail readers, everything from pine to Eudora, at the spam.* files. Read the comment at the top of the script for the things I forgot to mention here. All donations gratefully received :-) At 18:52 27/06/2002, you wrote: >Not hard, no, but not very accurate/usable either. :) What is going on is >that I'm trying to pull all the spam out of our "info" and "help" accounts >before the people that have to handle such requests see them. This is why it >is really all "my" mail -- I don't think there are legal problems are. The >problem is that we get tons of spam at these -- because we make the email >addresses so readily available on web sites and such -- crawlers pick them up >repeatedly. > >So, I'm just trying to filter most of that out before it ever gets to them to >see at all -- but want to check for errors. 
So, just for fun, here are some >of the subjects from our quarantine (ie. marked as spam already) using your >method: > >qfg5QM7D128287:H??Subject: help... >qfg5QMBv131050:H??Subject: Offer >qfg5QMOo104547:H??Subject: Re: More info? >qfg5R0Jj104316:H??Subject: Here is what you requested >qfg5R0Rs109645:H??Subject: YOUR ATTENTION PLEASE >qfg5R2IS106590:H??Subject: Welcome New Member! -------------- next part -------------- A non-text attachment was scrubbed... Name: df2mbox Type: application/octet-stream Size: 1282 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020627/2c191da0/df2mbox.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Thu Jun 27 19:34:12 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:06 2006 Subject: MAILSCANNER: scott@DATONA.COM left the JISCmail list Message-ID: <200206271834.TAA27688@magpie.ecs.soton.ac.uk> Thu, 27 Jun 2002 19:34:12 Scott Broderick has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From mailscanner at ecs.soton.ac.uk Thu Jun 27 20:59:26 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> References: <3D1B50E3.9F6A642B@dcg.com> <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627205845.03f518d0@imap.ecs.soton.ac.uk> I've also just posted this to the web site (a news item for today and a new FAQ 21). At 20:36 27/06/2002, you wrote: >This has taken me about an hour and a half to solve. >Take a look at the attached shell script. >It should do 99% of what you are trying to achieve. > >Its syntax is: > df2mbox dirname [ dirname ... ] >i.e. you can cd into your quarantine directory and do > df2mbox * >to process all your quarantine directories, or you can just do the >directory that corresponds to yesterday's mail, e.g. > df2mbox 20020622 > >It will create a file called "spam." in the current directory, for >each directory name you pass on the command-line. Try doing > cd /var/spool/MailScanner/quarantine > df2mbox * >and you'll see what I mean. > >You can then point most mail readers, everything from pine to Eudora, at >the spam.* files. > >Read the comment at the top of the script for the things I forgot to >mention here. > >All donations gratefully received :-) > >At 18:52 27/06/2002, you wrote: >>Not hard, no, but not very accurate/usable either. :) What is going on is >>that I'm trying to pull all the spam out of our "info" and "help" accounts >>before the people that have to handle such requests see them. This is why it >>is really all "my" mail -- I don't think there are legal problems are. 
The >>problem is that we get tons of spam at these -- because we make the email >>addresses so readily available on web sites and such -- crawlers pick them up >>repeatedly. >> >>So, I'm just trying to filter most of that out before it ever gets to them to >>see at all -- but want to check for errors. So, just for fun, here are some >>of the subjects from our quarantine (ie. marked as spam already) using your >>method: >> >>qfg5QM7D128287:H??Subject: help... >>qfg5QMBv131050:H??Subject: Offer >>qfg5QMOo104547:H??Subject: Re: More info? >>qfg5R0Jj104316:H??Subject: Here is what you requested >>qfg5R0Rs109645:H??Subject: YOUR ATTENTION PLEASE >>qfg5R2IS106590:H??Subject: Welcome New Member! > > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Thu Jun 27 21:00:41 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> References: <3D1B50E3.9F6A642B@dcg.com> <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627210013.0391dd10@imap.ecs.soton.ac.uk> I spoil you folks... From FCaen at CI.LAKEWOOD.WA.US Thu Jun 27 21:18:30 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? Message-ID: -----Original Message----- 
From: mailscanner@ECS.SOTON.AC.UK > I spoil you folks... Do you have that DVD / CD / books / whatever-I-can-order-with-my-Visa-online wishlist online yet? ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From mailscanner at ecs.soton.ac.uk Thu Jun 27 21:27:12 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: Message-ID: <5.1.0.14.2.20020627212449.03564ca0@imap.ecs.soton.ac.uk> At 21:18 27/06/2002, you wrote: >-----Original Message----- >From: mailscanner@ECS.SOTON.AC.UK > > > I spoil you folks... > >Do you have that DVD / CD / books / >whatever-I-can-order-with-my-Visa-online wishlist online yet? No, I haven't yet. I've got a paypal account though... jkf@ecs.soton.ac.uk Otherwise, most the stuff that computergear.com, thinkgeek.com, etc. sell would go down well. You can't ever have too many T-shirts, mugs, gadgets etc... :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jgoggan at DCG.COM Thu Jun 27 21:45:56 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> Message-ID: <3D1B7984.9053E1E4@dcg.com> Julian Field wrote: > > This has taken me about an hour and a half to solve. > Take a look at the attached shell script. > It should do 99% of what you are trying to achieve. > > Its syntax is: > df2mbox dirname [ dirname ... ] Thank you, thank you, thank you. Man, I am getting spoiled today! First I'm told no dual thresholds and then it appears. Then I'm told no mbox format dumping and then it appears. Tell me I can't have free money. Please. :) Thanks again, Julian! - John... From mailscanner at ecs.soton.ac.uk Thu Jun 27 21:50:41 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:06 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <3D1B7984.9053E1E4@dcg.com> References: <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627214937.03771be0@imap.ecs.soton.ac.uk> At 21:45 27/06/2002, you wrote: >Thank you, thank you, thank you. Man, I am getting spoiled today! First I'm >told no dual thresholds and then it appears. Then I'm told no mbox format >dumping and then it appears. > >Tell me I can't have free money. Please. :) That's planned for version n+1. >Thanks again, Julian! No worries. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu Jun 27 22:59:46 2002 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:07 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <5.1.0.14.2.20020627201910.03783b38@imap.ecs.soton.ac.uk> References: <3D1B50E3.9F6A642B@dcg.com> <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020627225743.031ae9a0@imap.ecs.soton.ac.uk> I have just posted an improved version of my df2mbox script on the website. It now puts the addresses of the real recipients (taken from the envelope, not the headers) into a X-MailScanner-Recipient: header, so you can see who to forward the message to if it's not obvious from the headers. At 20:36 27/06/2002, you wrote: >This has taken me about an hour and a half to solve. >Take a look at the attached shell script. >It should do 99% of what you are trying to achieve. > >Its syntax is: > df2mbox dirname [ dirname ... ] >i.e. you can cd into your quarantine directory and do > df2mbox * >to process all your quarantine directories, or you can just do the >directory that corresponds to yesterday's mail, e.g. > df2mbox 20020622 > >It will create a file called "spam." in the current directory, for >each directory name you pass on the command-line. Try doing > cd /var/spool/MailScanner/quarantine > df2mbox * >and you'll see what I mean. > >You can then point most mail readers, everything from pine to Eudora, at >the spam.* files. > >Read the comment at the top of the script for the things I forgot to >mention here. > >All donations gratefully received :-) > >At 18:52 27/06/2002, you wrote: >>Not hard, no, but not very accurate/usable either. :) What is going on is >>that I'm trying to pull all the spam out of our "info" and "help" accounts >>before the people that have to handle such requests see them. 
This is why it >>is really all "my" mail -- I don't think there are legal problems are. The >>problem is that we get tons of spam at these -- because we make the email >>addresses so readily available on web sites and such -- crawlers pick them up >>repeatedly. >> >>So, I'm just trying to filter most of that out before it ever gets to them to >>see at all -- but want to check for errors. So, just for fun, here are some >>of the subjects from our quarantine (ie. marked as spam already) using your >>method: >> >>qfg5QM7D128287:H??Subject: help... >>qfg5QMBv131050:H??Subject: Offer >>qfg5QMOo104547:H??Subject: Re: More info? >>qfg5R0Jj104316:H??Subject: Here is what you requested >>qfg5R0Rs109645:H??Subject: YOUR ATTENTION PLEASE >>qfg5R2IS106590:H??Subject: Welcome New Member! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From x.mailscanner.mail at MELLONI.COM Fri Jun 28 00:34:39 2002 From: x.mailscanner.mail at MELLONI.COM (Bruno Melloni) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway Message-ID: I setup a box as a gateway, to minimize exposure of the internal server. Seems to work fine. But it appears necessary to define users and aliases not only on the internal server, but also on the gateway box (of course it is quite possible that I bungled somewhere). Is there a way to avoid defining users and aliases on the gateway box? Thanks, bruno From brose at MED.WAYNE.EDU Fri Jun 28 01:43:58 2002 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A9002@med-core03.med.wayne.edu> You could use ldap and put everyone into an ldap directory. Sendmail supports ldap calls. I modified 2 m4s and created an mc that works against MS's Active Dir since everyone here has exchange mailboxes. Works great and no more alias maps getting munged. -----Original Message----- From: Bruno Melloni [mailto:x.mailscanner.mail@MELLONI.COM] Sent: Thursday, June 27, 2002 7:35 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Setting up a Gateway I setup a box as a gateway, to minimize exposure of the internal server. Seems to work fine. But it appears necessary to define users and aliases not only on the internal server, but also on the gateway box (of course it is quite possible that I bungled somewhere). Is there a way to avoid defining users and aliases on the gateway box? Thanks, bruno From jgoggan at DCG.COM Fri Jun 28 03:52:46 2002 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:15:07 2006 Subject: Proper way to handle misidentifiedspamsite-wide? References: <3D1B50E3.9F6A642B@dcg.com> <5.1.0.14.2.20020626162716.04605398@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020626180457.038b2488@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627095659.044aa008@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627181108.0343b948@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020627225743.031ae9a0@imap.ecs.soton.ac.uk> Message-ID: <3D1BCF7E.CE26E91E@dcg.com> Things are working very well so far with me doing "store" and then using the new df2mbox tool -- thanks again! However, I do have one "wish" that I'd like to see... Basically, I wish that the X-MailScanner-SpamCheck header existed in this "store"d message if I have that option on (which I do). As I'm looking through them, I would sometimes like to see the rule information in there. If that option is on, then does it make sense to include that information even in the "store"d message identified as spam and not just the delivered ones? - John... From P.G.M.Peters at civ.utwente.nl Fri Jun 28 08:04:39 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:07 2006 Subject: Proper way to handle misidentifiedspamsite-wide? In-Reply-To: <5.1.0.14.2.20020627212449.03564ca0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020627212449.03564ca0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 27 Jun 2002 21:27:12 +0100, you wrote: >> > I spoil you folks... >> >>Do you have that DVD / CD / books / >>whatever-I-can-order-with-my-Visa-online wishlist online yet? > >No, I haven't yet. I've got a paypal account though... jkf@ecs.soton.ac.uk > >Otherwise, most the stuff that computergear.com, thinkgeek.com, etc. sell >would go down well. You can't ever have too many T-shirts, mugs, gadgets >etc... :-) What should be the delivery address? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Fri Jun 28 08:07:17 2002 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway In-Reply-To: References: Message-ID: <6l2ohu0j9vh41evoi188igv757a82ctfev@4ax.com> On Fri, 28 Jun 2002 00:34:39 +0100, you wrote: >I setup a box as a gateway, to minimize exposure of the internal server. >Seems to work fine. > >But it appears necessary to define users and aliases not only on the >internal server, but also on the gateway box (of course it is quite possible >that I bungled somewhere). > >Is there a way to avoid defining users and aliases on the gateway box? It is not necessary but you end up accepting everything and you will have to handle the bounces for yourself. We have about the same configuration and we manually maintain the addresses on the gateway-box. This gives us the opportunity to block addresses used only within the university. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From dcooper at UKMATRIX.NET Fri Jun 28 08:20:51 2002 From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:07 2006 Subject: PID Message-ID: <01ad01c21e74$555a5c20$0100a8c0@dcooper> Hi, I set the check_mailscanner script to run as a cron job every 20 mins and left the output to be emailed so I could check it this morning. I noticed that after a few hours, the PID changed - does the 'restart every 4 hours' in the mailscanner.conf file completely reload mailscanner, or does it just do a -HUP? Regards, Dan Cooper From mailscanner at ecs.soton.ac.uk Fri Jun 28 08:37:55 2002 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:07 2006 Subject: PID In-Reply-To: <01ad01c21e74$555a5c20$0100a8c0@dcooper> Message-ID: <5.1.0.14.2.20020628083737.02c7c8f0@imap.ecs.soton.ac.uk> At 08:20 28/06/2002, you wrote: >Hi, > >I set the check_mailscanner script to run as a cron job every 20 mins and >left the output to be emailed so I could check it this morning. > >I noticed that after a few hours, the PID changed - does the 'restart >every 4 hours' in the mailscanner.conf file completely reload mailscanner, >or does it just do a -HUP? It completely re-execs itself. So yes, the PID will change. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dcooper at UKMATRIX.NET Fri Jun 28 08:45:44 2002 From: dcooper at UKMATRIX.NET (Dan Cooper) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway References: Message-ID: <01cd01c21e77$cf9e3a30$0100a8c0@dcooper> I would be unable to follow Julian's advice as laid out in the FAQ as our main mailserver has to be available to the outside world. My plan was to just make the gateway machine a higher MX priority in the DNS for a particular domain, and then have sendmail place the mail in a mailbox on the gateway. Then a .forward file could go in the users home dir on the gateway machine, sending the mail to user@main.mailserver.com on the main mailserver. This, however, did not seem to work, as the messages were not scanned by the gateway prior to them being forwarded to the main mailserver. Any ideas why mailscanner would not scan these messages? All relevant domains were in the domains.to.check.conf file. D. ----- Original Message ----- 
From: "Bruno Melloni" To: Sent: Friday, June 28, 2002 12:34 AM Subject: Re: Setting up a Gateway > I setup a box as a gateway, to minimize exposure of the internal server. > Seems to work fine. > > But it appears necessary to define users and aliases not only on the > internal server, but also on the gateway box (of course it is quite possible > that I bungled somewhere). > > Is there a way to avoid defining users and aliases on the gateway box? > > Thanks, > > bruno > From mailscanner at ecs.soton.ac.uk Fri Jun 28 08:50:01 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway In-Reply-To: <01cd01c21e77$cf9e3a30$0100a8c0@dcooper> References: Message-ID: <5.1.0.14.2.20020628084457.02c7cc00@imap.ecs.soton.ac.uk> At 08:45 28/06/2002, you wrote: >My plan was to just make the gateway machine a higher MX priority in the DNS >for a particular domain, and then have sendmail place the mail in a mailbox >on the gateway. Then a .forward file could go in the users home dir on the >gateway machine, sending the mail to user@main.mailserver.com on the main >mailserver. That's not a very safe move. Lots of spammers, for example, target your secondary (higher MX number) MX host on the basis that it's probably not as well secured as your primary. As for your problem of it not scanning the messages, I suggest you briefly turn on "Archive Mail = yes" so you capture a few messages. Take a look at the qf file for each one, the sender address is on an "S" line and the recipient is on an "R" line. I would suspect the domains aren't quite what you think they are. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From support at INVICTANET.CO.UK Fri Jun 28 10:13:38 2002 
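Added example, not part of the original messages: a way to run the qf check Julian Field describes, listing the "S" and "R" domains of captured messages and marking each against the domain list. The function names, the one-domain-per-line list format and the exact, case-insensitive comparison are assumptions, and the sample qf files are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from MailScanner itself.
# Lists the envelope sender (S) and recipient (R) domains found in sendmail
# qf files and marks each one as listed or UNLISTED against a domain list.
# Assumptions: the list holds one domain per line with '#' comments, and the
# comparison is an exact, case-insensitive match.

# qf_domains LIST QF_FILE...
# Output: <qf file> TAB <S|R> TAB <domain> TAB <listed|UNLISTED>
qf_domains() {
    if [ "$#" -lt 2 ]; then
        echo "usage: qf_domains LIST QF_FILE..." >&2
        return 2
    fi
    list=$1
    shift
    awk -v list="$list" '
        BEGIN {
            OFS = "\t"
            # Load the domain list, ignoring comments and blank lines.
            while ((getline line < list) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t\r]/, "", line)
                if (line != "") known[tolower(line)] = 1
            }
            close(list)
        }
        # Only the envelope records matter; H (header), T (time) and the
        # other record types are skipped.
        /^[SR]/ {
            kind = substr($0, 1, 1)
            addr = substr($0, 2)
            # R records may carry a flags prefix such as "PFD:".
            if (kind == "R") sub(/^[A-Z]*:/, "", addr)
            gsub(/[<> \t\r]/, "", addr)
            n = split(addr, part, "@")
            dom = (n > 1) ? tolower(part[n]) : "(no domain)"
            sub(/\.$/, "", dom)
            print FILENAME, kind, dom, ((dom in known) ? "listed" : "UNLISTED")
        }
    ' "$@"
}

# Build constructed sample files (not real traffic) and run the check.
qf_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# domains to scan' 'scanme.com' > "$dir/domains.list"
    # Constructed: recipient addressed to the gateway host name, not the
    # bare domain that is in the list.
    printf '%s\n' 'T1025245560' 'S<someone@other.com>' \
        'RPFD:<dan@storm.scanme.com>' 'H??Subject: test' '.' > "$dir/qfAAA00001"
    # Constructed: recipient in the listed domain, no flags prefix.
    printf '%s\n' 'T1025245561' 'S<someone@other.com>' \
        'R<dan@ScanMe.com>' 'H??Subject: test 2' '.' > "$dir/qfAAA00002"
    ( cd "$dir" && qf_domains domains.list qfAAA00001 qfAAA00002 )
    rm -rf "$dir"
}

qf_demo
```

A recipient domain reported as UNLISTED, such as the gateway's own host name in the first sample, is the kind of mismatch the reply suggests looking for.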
From: support at INVICTANET.CO.UK (InvictaNet Support) Date: Thu Jan 12 21:15:07 2006 Subject: Setting up a Gateway In-Reply-To: <01cd01c21e77$cf9e3a30$0100a8c0@dcooper> Message-ID: My method (so far) is to do this: Both mailservers have live ip addresses as well as internal addresses. The external ip address on the scanner/gateway server is in dns as the MX 10 for each domain to be scanned. The internal ip address on the internal server is in dns as the MX 5 for each domain to be scanned. sendmail.cf on the internal server routes all outgoing email to the external ip address on the gateway server. What happens is: mail arriving goes first to MX 10 on the external address as it can't go direct to MX 5 on the internal address mail gets scanned or ignored per mailscanner rules scanned mail can now be relayed from MX 10 to MX 5 as both servers are on internal addresses scanned mail arrives at MX 5 and is dumped in mailboxes outgoing mail will always leave via the gateway server because of the sendmail.cf rule This all seems to work ok with one major exception. On the (original) internal server, I queue mail for several dialup customers who collect by smtp/ETRN. (at present these are not being scanned). The sendmail rule that I have used as above sends their mail back to the gateway server, which then loops it back to the internal, which then loops....... These messages never get queued and never get collected. I'm open to suggestions on how to resolve this... Martyn Routley ----------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk info@invictanet.co.uk phone: 08707 440180 fax: 08707 440181 ------------------------------------------------------ Please Note: All services are provided on the basis that they are business to business and that the Consumer Protection (Distance Selling) Regulations 2000 do not apply. ----------------------------------------------------- -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Dan Cooper
Sent: 28 June 2002 08:46
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Setting up a Gateway

I would be unable to follow Julian's advice as laid out in the FAQ as our main mailserver has to be available to the outside world.

My plan was to just make the gateway machine a higher MX priority in the DNS for a particular domain, and then have sendmail place the mail in a mailbox on the gateway. Then a .forward file could go in the users home dir on the gateway machine, sending the mail to user@main.mailserver.com on the main mailserver.

This, however, did not seem to work, as the messages were not scanned by the gateway prior to them being forwarded to the main mailserver.

Any ideas why mailscanner would not scan these messages? all relevant domains were in the domains.to.check.conf file.

D.

From Declan.Grady at NUVOTEM.COM Fri Jun 28 10:54:57 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:07 2006
Subject: mailscanner status command
Message-ID: <20020628095457.GB2112@declan.nuvotem.com>

I have tried the mailscanner status command, but it always tells me outgoing mailscanner is not running.

From my little knowledge, I think it is the expression it is trying to match, which is not right for my redhat7.0 system, with sendmail 8.12-3.

in a 'ps ax' I get a line:

28439 ? S 0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue

so I would guess in the mailscanner script I need to change the line:

pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'`

to

pid=`ps ax | egrep 'sendmail\: Queue runner\@[0-9]*'`

Am I missing something ?

Thanks,
Declan

--
Declan Grady

Nuvotem
Crolly, Letterkenny, Co. Donegal, Ireland.
http://www.nuvotem.com

From Declan.Grady at NUVOTEM.COM Fri Jun 28 10:47:44 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
Message-ID: <20020628094744.GA2112@declan.nuvotem.com>

Hi,
I upgraded to version 3.21-1 using the rpm, and modified the config files.
In mailscanner.conf, I have selected the option to quietly delete viruses:

Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf

As I am using f-prot (from frisk) I have modified the viruses.to.delete.conf file as suggested:
i.e. I commented the Sophos lines, and uncommented the f-prot lines:

# For F-Prot
W32/Klez.H@mm
W32/Klez.H

However, today I got an email with the W32/Klez.H@mm ; Mailscanner notified me as postmaster, but still delivered the mail to me, marked as {VIRUS} and with the attachment removed.

I assume I have made some config error, but what I want is to quietly delete this without informing anyone except postmaster.

Is this possible ? What options should I look at in the .conf file ?

Thanks for the continued great development work Julian.
I am very happy with mailscanner.

Best Regards
Declan

--
Declan Grady

Nuvotem
Crolly, Letterkenny, Co. Donegal, Ireland.
http://www.nuvotem.com

From leet at LEENX.CO.ZA Fri Jun 28 11:02:58 2002
From: leet at LEENX.CO.ZA (C.Lee Taylor)
Date: Thu Jan 12 21:15:07 2006
Subject: mcafeewrapper ....
References: <200206272304.g5RN4dT27410@zeus.scania.co.za>
Message-ID: <3D1C3452.8000907@leenx.co.za>

Just a quick question, is there an advantage to using the wrapper? The reason I ask, is that I have always used a path to the anti-virus binary for mcafee and was just wondering.

Thanks.
Mailed
Lee

P.S. Great work.

From Declan.Grady at NUVOTEM.COM Fri Jun 28 11:18:07 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:07 2006
Subject: mcafeewrapper ....
In-Reply-To: <3D1C3452.8000907@leenx.co.za>
References: <200206272304.g5RN4dT27410@zeus.scania.co.za> <3D1C3452.8000907@leenx.co.za>
Message-ID: <20020628101807.GA2972@declan.nuvotem.com>

Good Question... I am doing the same with f-prot instead of f-protwrapper ?

Declan

On Fri, Jun 28, 2002 at 12:02:58PM +0200, C.Lee Taylor mentioned:
> Just a quick question, is there an advantage to using the wrapper? The
> reason I ask, is that I have always used a path to the anti-virus binary
> for mcafee and was just wondering.
>

--
Declan Grady

Nuvotem
Crolly, Letterkenny, Co. Donegal, Ireland.
http://www.nuvotem.com

From evertjan at VANRAMSELAAR.NL Fri Jun 28 11:14:04 2002
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <20020628094744.GA2112@declan.nuvotem.com>
References: <20020628094744.GA2112@declan.nuvotem.com>
Message-ID: <40321.24.132.9.29.1025259244.squirrel@mail.vanramselaar.nl>

Declan Grady said:
> I upgraded to version 3.21-1 using the rpm, and modified the config
> files. In mailscanner.conf, I have selected the option to quietly delete
> viruses:
>
> Viruses To Quietly Delete =
> /usr/local/MailScanner/etc/viruses.to.delete.conf

The only thing the option "Viruses To Quietly Delete" does, is not send a warning to the sender of the email. Like Julian already explained, the option name is a bit wrong, but it was too late to change it...

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From evertjan at VANRAMSELAAR.NL Fri Jun 28 11:16:09 2002
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:15:07 2006
Subject: mcafeewrapper ....
In-Reply-To: <3D1C3452.8000907@leenx.co.za>
References: <200206272304.g5RN4dT27410@zeus.scania.co.za> <3D1C3452.8000907@leenx.co.za>
Message-ID: <40328.24.132.9.29.1025259369.squirrel@mail.vanramselaar.nl>

C.Lee Taylor said:
> Just a quick question, is there an advantage to using the wrapper? The
> reason I ask, is that I have always used a path to the anti-virus binary
> for mcafee and was just wondering.

The wrapper has some locking features.

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From LISTSERV at JISCMAIL.AC.UK Fri Jun 28 10:02:14 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:07 2006
Subject: MAILSCANNER: rado@INTERSALES.DE requested to join
Message-ID: <200206280902.KAA17603@magpie.ecs.soton.ac.uk>

Fri, 28 Jun 2002 10:02:14

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Andrej Radonic

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER rado@INTERSALES.DE Andrej Radonic

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB
PW=XXXXXXXX
ADD MAILSCANNER rado@INTERSALES.DE Andrej Radonic
// EOJ

From mailscanner at ecs.soton.ac.uk Fri Jun 28 12:22:12 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: mcafeewrapper ....
In-Reply-To: <20020628101807.GA2972@declan.nuvotem.com>
References: <3D1C3452.8000907@leenx.co.za> <200206272304.g5RN4dT27410@zeus.scania.co.za> <3D1C3452.8000907@leenx.co.za>
Message-ID: <5.1.0.14.2.20020628122117.02ccfd70@imap.ecs.soton.ac.uk>

At 11:18 28/06/2002, you wrote:
>Good Question... I am doing the same with f-prot instead of f-protwrapper ?

If a wrapper is provided, please use it. If you want to see if the wrapper does anything important (and it will) just take a look at it, it's only a little shell script.

>On Fri, Jun 28, 2002 at 12:02:58PM +0200, C.Lee Taylor mentioned:
> > Just a quick question, is there an advantage to using the wrapper? The
> > reason I ask, is that I have always used a path to the anti-virus binary
> > for mcafee and was just wondering.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jun 28 12:20:54 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: mailscanner status command
In-Reply-To: <20020628095457.GB2112@declan.nuvotem.com>
Message-ID: <5.1.0.14.2.20020628121957.04a196f0@imap.ecs.soton.ac.uk>

Unfortunately the status command is the really hard one to do, it has to be different for nearly everything since sendmail messes with "$0" in order to make something "useful" appear in ps outputs.

So you may well have to tweak it for your system. Sorry, there's not much I can do about that.

At 10:54 28/06/2002, you wrote:
>I have tried the mailscanner status command, but it always tells me
>outgoing mailscanner is not running.
>
>From my little knowledge, I think it is the expression it is trying to
>match, which is not right for my redhat7.0 system, with sendmail 8.12-3.
>
>in a 'ps ax' I get a line:
>
>28439 ? S 0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
>
>so I would guess in the mailscanner script I need to change the line:
>
>pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'`
>
>to
>
>pid=`ps ax | egrep 'sendmail\: Queue runner\@[0-9]*'`
>
>Am I missing something ?
>
>Thanks,
>Declan
>
>--
>Declan Grady
>
>Nuvotem
>Crolly, Letterkenny, Co. Donegal, Ireland.
>http://www.nuvotem.com

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jun 28 12:31:31 2002
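[Added example, not part of any archived message and not code from the MailScanner script.] Following the status-command exchange above: because sendmail rewrites its process title, a replacement pattern is best tried against a captured process list before the script is edited. The listing below is constructed (only the "Queue runner" title comes from the thread), and the function names, the NAIVE and BRACKETED patterns and the combined pattern are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: test status-check patterns against a constructed process
# list before editing the init script.

# Print a constructed `ps ax` listing. Only the "Queue runner" title is the
# one quoted in the thread; the other lines are invented. $1 is the pattern
# under test, shown as the argument of the grep process that ps would list.
sample_ps() {
    cat <<'EOF'
  912 ?        S      0:00 sendmail -q15m
28439 ?        S      0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
28440 ?        S      0:00 sendmail: accepting connections
31001 pts/0    S      0:00 vi /etc/mail/sendmail.cf
EOF
    printf '31000 pts/0    S      0:00 grep -E %s\n' "$1"
}

# Print the PIDs a pattern selects, space separated, in listing order.
matching_pids() {
    sample_ps "$1" | grep -E -e "$1" |
        awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Pattern from the script as quoted in the thread.
ORIGINAL='\[sendmail\]|sendmai[l] -q[0-9]*[mhd]'
# Matches the new title but also the grep that is searching for it.
NAIVE='sendmail: Queue runner'
# The [l] bracket keeps the pattern text from matching itself in the listing.
BRACKETED='sendmai[l]: Queue runner@[0-9]'
# Old and new title formats together.
COMBINED="$ORIGINAL|$BRACKETED"

for p in "$ORIGINAL" "$NAIVE" "$BRACKETED" "$COMBINED"; do
    printf '%-72s -> %s\n' "$p" "$(matching_pids "$p")"
done
```

PID 31000 stands for the grep process itself, so any pattern that selects it would make the status check report a running queue runner when there is none.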
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: Setting up a Gateway
In-Reply-To:
References: <01cd01c21e77$cf9e3a30$0100a8c0@dcooper>
Message-ID: <5.1.0.14.2.20020628122744.047a07d0@imap.ecs.soton.ac.uk>

Can I just point out something:

In order to get mail from, for example, an MX 10 server to an MX 5 server, you don't need any special sendmail rules at all.

If you have a sendmail.cw file (or other way of getting entries into class w), then just put
    your.domain.com RELAY
in there and it will all do it for you. You'll probably need to convert the file into a db or hash using makemap, but I'll leave that up to you.

By definition, one of the jobs of a low priority (high number) MX server is to forward mail to a "better" MX server. You just need to give it permission, then leave it to it.

Then when you are sending mail, you can do what you like.

It's about time this discussion got moved to a sendmail list, it's getting rather OT for this list.

At 10:13 28/06/2002, you wrote:
>My method (so far) is to do this:
>
>Both mailservers have live ip addresses as well as internal addresses.
>The external ip address on the scanner/gateway server is in dns as the MX 10
>for each domain to be scanned.
>The internal ip address on the internal server is in dns as the MX 5 for
>each domain to be scanned.
>sendmail.cf on the internal server routes all outgoing email to the external
>ip address on the gateway server.
>
>What happens is:
>mail arriving goes first to MX 10 on the external address as it can't go
>direct to MX 5 on the internal address
>mail gets scanned or ignored per mailscanner rules
>scanned mail can now be relayed from MX 10 to MX 5 as both servers are on
>internal addresses
>scanned mail arrives at MX 5 and is dumped in mailboxes
>outgoing mail will always leave via the gateway server because of the
>sendmail.cf rule
>
>This all seems to work ok with one major exception.
>On the (original) internal server, I queue mail for several dialup customers
>who collect by smtp/ETRN. (at present these are not being scanned).
>The sendmail rule that I have used as above sends their mail back to the
>gateway server, which then loops it back to the internal, which then
>loops.......
>These messages never get queued and never get collected.
>
>I'm open to suggestions on how to resolve this...
>
>
>
>Martyn Routley
>-----------------------------------------------------
>InvictaNet - The Internet in Plain English, Guaranteed
>http://www.invictanet.co.uk
>info@invictanet.co.uk
>phone: 08707 440180
>fax: 08707 440181
>------------------------------------------------------
>
>Please Note:
>All services are provided on the basis that they are
>business to business and that the
>Consumer Protection (Distance Selling) Regulations 2000
>do not apply.
>-----------------------------------------------------
>
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Dan Cooper
>Sent: 28 June 2002 08:46
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Setting up a Gateway
>
>
>I would be unable to follow Julian's advice as laid out in the FAQ as our
>main mailserver has to be available to the outside world.
>
>My plan was to just make the gateway machine a higher MX priority in the DNS
>for a particular domain, and then have sendmail place the mail in a mailbox
>on the gateway. Then a .forward file could go in the users home dir on the
>gateway machine, sending the mail to user@main.mailserver.com on the main
>mailserver.
>
>This, however, did not seem to work, as the messages were not scanned by the
>gateway prior to them being forwarded to the main mailserver.
>
>Any ideas why mailscanner would not scan these messages? all relevant
>domains were in the domains.to.check.conf file.
>
>D.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From nwp at LEMON-COMPUTING.COM Fri Jun 28 12:24:23 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:07 2006
Subject: mcafeewrapper ....
In-Reply-To: <40328.24.132.9.29.1025259369.squirrel@mail.vanramselaar.nl>
References: <200206272304.g5RN4dT27410@zeus.scania.co.za> <3D1C3452.8000907@leenx.co.za> <40328.24.132.9.29.1025259369.squirrel@mail.vanramselaar.nl>
Message-ID: <20020628112423.GB9628@hoiho.nz.lemon-computing.com>

On Fri, Jun 28, 2002 at 12:16:09PM +0200, Evert Jan van Ramselaar wrote:
> C.Lee Taylor said:
> > Just a quick question, is there an advantage to using the wrapper? The
> > reason I ask, is that I have always used a path to the anti-virus binary
> > for mcafee and was just wondering.
>
> The wrapper has some locking features.

Does it? My memory told me that they were in the mailscanner 'proper' and that some of the wrappers aren't always necessary, but others are (e.g. for setting up paths and LD_PRELOAD and so on) -- in any case, the wrappers will be likely to become more rather than less important as time goes by (e.g. to make sure that the scanner is running with the correct locale set, which we currently don't do).

I've never used the wrapper for sophos, but I do for f-prot and I would/will for everything else (including sophos).

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
You can rent this space for only $5 a week.

From jgoggan at DCG.COM Fri Jun 28 13:16:42 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <20020628094744.GA2112@declan.nuvotem.com>
Message-ID: <3D1C53AA.F6B3DA33@dcg.com>

Just to note, I appear to be getting this same behavior. I am also running 3.21 and using f-protect. And, I am fairly certain that it was working properly before I upgraded, although I guess I am not absolutely positive.

I double-checked that F-Prot was detecting them as "W32/Klez.H@mm" -- and that is what I have in my ignore file.

Basically, people that email Klez to me (although they really didn't, of course, since Klez fakes the from and that's why we want to ignore them) are still getting emailed back that they sent a virus our way.

(Note that someone else answered you and said that Julian already explained this and that it is working properly -- I disagree. You said that you're still getting email notifications BESIDES postmaster -- which means that they aren't being deleted quietly/properly. I think he missed that. Unless I'm misunderstanding something...)

 - John...

Declan Grady wrote:
> I upgraded to version 3.21-1 using the rpm, and modified the config
> files. In mailscanner.conf, I have selected the option to quietly
> delete viruses:
>
> Viruses To Quietly Delete = /usr/local/MailScanner/etc/viruses.to.delete.conf
>
> As I am using f-prot (from frisk) I have modified the viruses.to.delete.conf file as suggested:
> i.e. I commented the Sophos lines, and uncommented the f-prot lines:
>
> # For F-Prot
> W32/Klez.H@mm
> W32/Klez.H
>
> However, today I got an email with the W32/Klez.H@mm ; Mailscanner notified me as postmaster, but still delivered the mail to me, marked as {VIRUS} and with the attachment removed.
>
> I assume I have made some config error, but what I want is to quietly delete this without informing anyone except postmaster.
>
> Is this possible ? What options should I look at in the .conf file ?
>
> Thanks for the continued great development work Julian.
> I am very happy with mailscanner.
>
> Best Regards
> Declan
>
> --
> Declan Grady
>
> Nuvotem
> Crolly, Letterkenny, Co. Donegal, Ireland.
> http://www.nuvotem.com

From Declan.Grady at NUVOTEM.COM Fri Jun 28 13:29:36 2002
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <3D1C53AA.F6B3DA33@dcg.com>
References: <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com>
Message-ID: <20020628122936.GA1285@declan.nuvotem.com>

Well, I accepted the explanation, which I assume means :

postmaster gets notified
local recipient gets notified with the 'VirusWarning.txt' in place of the attachment
sender does *not* get notified.

Does this make sense ?

Declan

On Fri, Jun 28, 2002 at 08:16:42AM -0400, John Goggan mentioned:
> Just to note, I appear to be getting this same behavior. I am also running
> 3.21 and using f-protect. And, I am fairly certain that it was working
> properly before I upgraded, although I guess I am not absolutely positive.
>
> I double-checked that F-Prot was detecting them as "W32/Klez.H@mm" -- and that
> is what I have in my ignore file.
>
> Basically, people that email Klez to me (although they really didn't, of
> course, since Klez fakes the from and that's why we want to ignore them) are
> still getting emailed back that they sent a virus our way.
>
> (Note that someone else answered you and said that Julian already explained
> this and that it is working properly -- I disagree. You said that you're
> still getting email notifications BESIDES postmaster -- which means that they
> aren't being deleted quietly/properly. I think he missed that. Unless I'm
> misunderstanding something...)
>
> - John...

From mailscanner at ecs.soton.ac.uk Fri Jun 28 13:40:51 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <20020628122936.GA1285@declan.nuvotem.com>
References: <3D1C53AA.F6B3DA33@dcg.com> <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com>
Message-ID: <5.1.0.14.2.20020628133803.04dfceb0@imap.ecs.soton.ac.uk>

At 13:29 28/06/2002, you wrote:
>Well, I accepted the explanation, which I assume means :
>
>postmaster gets notified
>local recipient gets notified with the 'VirusWarning.txt' in place of the
>attachment
>sender does *not* get notified.
>
>Does this make sense ?

Correct. That's what it does. I've just tested this with the 3.21-1 code and it is working fine.

I enabled the feature in mailscanner.conf (by uncommenting the "Viruses To Quietly Delete" line) and put "EICAR" in the viruses.to.delete.conf file.

Then I sent myself 1 message containing the Eicar test file. This is what my logs say:

Jun 28 13:40:26 sailor mailscanner[30972]: Scanning 1 messages, 1245 bytes
Jun 28 13:40:26 sailor mailscanner[30972]: >>> Virus 'EICAR-AV-Test' found in file ./g5SCeKG30978/eicar.com
Jun 28 13:40:26 sailor mailscanner[30972]: Found 1 viruses in messages g5SCeKG30978
Jun 28 13:40:26 sailor mailscanner[30972]: Scanned 1 messages, 1245 bytes in 0 seconds
Jun 28 13:40:26 sailor mailscanner[30972]: Saved infections to /var/spool/MailScanner/quarantine/20020628/g5SCeKG30978
Jun 28 13:40:26 sailor mailscanner[30972]: Deleted infected messages g5SCeKG30978
Jun 28 13:40:27 sailor mailscanner[30972]: Notified postmaster about 1 infections

So, as you see, it is *not* notifying the sender, which is exactly right.

>On Fri, Jun 28, 2002 at 08:16:42AM -0400, John Goggan mentioned:
> > Just to note, I appear to be getting this same behavior. I am also running
> > 3.21 and using f-protect. And, I am fairly certain that it was working
> > properly before I upgraded, although I guess I am not absolutely positive.
> >
> > I double-checked that F-Prot was detecting them as "W32/Klez.H@mm" -- and that
> > is what I have in my ignore file.
> >
> > Basically, people that email Klez to me (although they really didn't, of
> > course, since Klez fakes the from and that's why we want to ignore them) are
> > still getting emailed back that they sent a virus our way.
> >
> > (Note that someone else answered you and said that Julian already explained
> > this and that it is working properly -- I disagree. You said that you're
> > still getting email notifications BESIDES postmaster -- which means that they
> > aren't being deleted quietly/properly. I think he missed that. Unless I'm
> > misunderstanding something...)
> >
> > - John...

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jgoggan at DCG.COM Fri Jun 28 14:06:33 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com> <20020628122936.GA1285@declan.nuvotem.com>
Message-ID: <3D1C5F59.38F3338A@dcg.com>

Declan Grady wrote:
>
> Well, I accepted the explanation, which I assume means :
>
> postmaster gets notified
> local recipient gets notified with the 'VirusWarning.txt' in place of the attachment
> sender does *not* get notified.
>
> Does this make sense ?

Well, I don't think even the recipient should get notified. Just the postmaster/log. However, regardless of that, as I said, it is emailing the SENDER of the "Klez" (who obviously isn't really the sender) and telling them about it.

So, even if it is supposed to do what you mentioned above (notify postmaster and the recipient), that isn't what is happening. It is telling the sender for me still.

 - John...

From jgoggan at DCG.COM Fri Jun 28 14:07:38 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <3D1C53AA.F6B3DA33@dcg.com> <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com> <5.1.0.14.2.20020628133803.04dfceb0@imap.ecs.soton.ac.uk>
Message-ID: <3D1C5F9A.CCFED6C5@dcg.com>

Julian Field wrote:
> Correct. That's what it does. I've just tested this with the 3.21-1
> code and it is working fine.

Hmmm... I'll do some more testing then. My logs show that it emailed two people that sent me Klez this morning...

 - John...

From David.Sullivan at BARNET.AC.UK Fri Jun 28 14:11:20 2002
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <3D1C53AA.F6B3DA33@dcg.com>
Message-ID: <3D1C6E84.24227.5C186D03@localhost>

On 28 Jun 2002 at 8:16, John Goggan wrote:

> Just to note, I appear to be getting this same behavior. I am also running
> 3.21 and using f-protect. And, I am fairly certain that it was working
> properly before I upgraded, although I guess I am not absolutely positive.
>
> I double-checked that F-Prot was detecting them as "W32/Klez.H@mm" -- and that
> is what I have in my ignore file.
^^^Here be dragons

I'm wondering if perl might be unhappy with the "@" sign being in this variable at all. I've done very little perl so I may well be wrong on this.

If mailscanner is just looking for these ignores as a regexp in the output you may want to try just "W32/Klez.H" or perhaps even "W32/Klez" since there are several variants of Klez.

Regards

--
David Sullivan
IT Services, Barnet College, London
David.Sullivan@barnet.ac.uk
020 8275 5036

==============================================================
This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications.
==============================================================

From jgoggan at DCG.COM Fri Jun 28 14:18:56 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <3D1C53AA.F6B3DA33@dcg.com> <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com> <5.1.0.14.2.20020628133803.04dfceb0@imap.ecs.soton.ac.uk> <3D1C5F9A.CCFED6C5@dcg.com>
Message-ID: <3D1C6240.4323876D@dcg.com>

John Goggan wrote:
>
> Julian Field wrote:
> > Correct. That's what it does. I've just tested this with the 3.21-1
> > code and it is working fine.
>
> Hmmm... I'll do some more testing then. My logs show that it
> emailed two people that sent me Klez this morning...

Hmmm... My current tests worked properly. Looking at the logs, it looks like Klez had done some weird changes on those ones -- where even though the person was the faked sender, the header made it look like they were the recipient. Therefore, it was just MailScanner thinking that they were the recipient and letting them know.

So, I guess it is working according to the documentation then. To be honest, I think I'd like to be able to tell it to "not tell anyone but the postmaster" for certain things like Klez. Basically, I'd just like to delete all Klez completely -- without telling the sender or recipient, since the sender is fake and there isn't much the recipient could do anyhow. :)

But, again, it appears to be working as intended -- so things are fine. Sorry for my confusion on that. Was just Klez being slightly different than "normal."

 - John...

From jgoggan at DCG.COM Fri Jun 28 14:21:12 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <3D1C6E84.24227.5C186D03@localhost>
Message-ID: <3D1C62C8.6ADC75C7@dcg.com>

David Sullivan wrote:
> If mailscanner is just looking for these ignores as a regexp in the
> output you may want to try just "W32/Klez.H" or perhaps even
> "W32/Klez" since there are several variants of Klez.

Actually, the default config is both lines:

W32/Klez.H@mm
W32/Klez.H

...which is what I am using (and now appears to be working). So, even if the @ is a problem, we should be fine. Although, if you want to get other variants, you could do the "W32/Klez" line. I don't think I've seen anything other than Klez.H though. Not sure that I want to strip others that I might not be familiar with...

 - John...

From LISTSERV at JISCMAIL.AC.UK Fri Jun 28 14:35:17 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:07 2006
Subject: MAILSCANNER: horacio@CPTI.INF.BR requested to join
Message-ID: <200206281335.OAA10460@magpie.ecs.soton.ac.uk>

Fri, 28 Jun 2002 14:35:16

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Horacio Fernandes

You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER horacio@CPTI.INF.BR Horacio Fernandes

PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply.

-------------------------------------------------------------------------
// JOB
PW=XXXXXXXX
ADD MAILSCANNER horacio@CPTI.INF.BR Horacio Fernandes
// EOJ

From nospam at WCC.NET Fri Jun 28 15:31:35 2002
From: nospam at WCC.NET (Kip Turk)
Date: Thu Jan 12 21:15:07 2006
Subject: Setting up a Gateway
In-Reply-To: <01cd01c21e77$cf9e3a30$0100a8c0@dcooper>
Message-ID:

On Fri, 28 Jun 2002, Dan Cooper wrote:

> I would be unable to follow Julian's advice as laid out in the FAQ as our
> main mailserver has to be available to the outside world.
>
> My plan was to just make the gateway machine a higher MX priority in the DNS
> for a particular domain, and then have sendmail place the mail in a mailbox
> on the gateway. Then a .forward file could go in the users home dir on the
> gateway machine, sending the mail to user@main.mailserver.com on the main
> mailserver.
>
> This, however, did not seem to work, as the messages were not scanned by the
> gateway prior to them being forwarded to the main mailserver.
>
> Any ideas why mailscanner would not scan these messages? all relevant
> domains were in the domains.to.check.conf file.

Are you sure it hit the gateway to be scanned? One trick we've seen spammers use lately is to grab the MX records, then send to the lowest priority server. Since we were running through an external filtering server, this effectively circumvented the filters. I solved the problem by adding the filtering server as the lowest priority MX also. This left our main server available to the world in the event that the filtering server wasn't available, but made it so that the spammers couldn't trivially avoid our filters.

--
Kip Turk, RHCE spamdies@wcc.net
Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent
West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071
-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-.

From mailscanner at ecs.soton.ac.uk Fri Jun 28 15:31:48 2002
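[Added example, not part of any archived message.] Following Kip Turk's point above: an audit of a domain's MX set that reports whether the most preferred and the least preferred MX are both filtering hosts, and which MX hosts still accept mail unscanned. Records are read as "preference host" lines, the format `dig +short MX` prints; the host names, the FILTERS list and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit an MX set for the filter bypass described above.
# All host names are constructed; FILTERS lists the scanning gateways.

# mx_audit "filter1 filter2 ..." < records
# Prints a verdict followed by the MX hosts that accept mail unscanned.
# Exit status is 0 only when both ends of the MX list are filtering hosts.
mx_audit() {
    awk -v filters="$1" '
        BEGIN {
            n = split(tolower(filters), f, " ")
            for (i = 1; i <= n; i++) is_filter[f[i]] = 1
        }
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            host = tolower($2); sub(/\.$/, "", host)   # drop the root dot
            count++; pref[count] = $1 + 0; name[count] = host
            if (count == 1 || pref[count] < min) min = pref[count]
            if (count == 1 || pref[count] > max) max = pref[count]
        }
        END {
            if (count == 0) { print "no-mx"; exit 2 }
            for (i = 1; i <= count; i++) {
                if (name[i] in is_filter) continue
                if (pref[i] == min) first_open = 1   # most preferred MX
                if (pref[i] == max) last_open = 1    # last-resort MX
                if (!(name[i] in listed)) {
                    open_hosts = open_hosts " " name[i]
                    listed[name[i]] = 1
                }
            }
            verdict = "ok"
            if (first_open && last_open) verdict = "bypass-via-first-and-last-mx"
            else if (last_open) verdict = "bypass-via-last-mx"
            else if (first_open) verdict = "bypass-via-first-mx"
            print verdict " unfiltered:" open_hosts
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# Constructed records: the filter is preferred and the main server is the
# fallback, which makes it the last MX.
mx_before() {
    printf '%s\n' '10 filter.example.net.' '20 mail.example.net.'
}

# The same domain after the filter is listed again as the last MX.
mx_after() {
    printf '%s\n' '10 filter.example.net.' '20 mail.example.net.' \
        '30 filter.example.net.'
}

FILTERS='filter.example.net'
printf 'before: %s\n' "$(mx_before | mx_audit "$FILTERS")"
printf 'after:  %s\n' "$(mx_after | mx_audit "$FILTERS")"
```

The "after" verdict is ok while mail.example.net is still listed as unfiltered, which matches the trade-off in the message: the main server stays reachable as a fallback, so it should still be watched for direct deliveries.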
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <3D1C62C8.6ADC75C7@dcg.com>
References: <3D1C6E84.24227.5C186D03@localhost>
Message-ID: <5.1.0.14.2.20020628153122.04d0c250@imap.ecs.soton.ac.uk>

At 14:21 28/06/2002, you wrote:
>David Sullivan wrote:
> > If mailscanner is just looking for these ignores as a regexp in the
> > output you may want to try just "W32/Klez.H" or perhaps even
> > "W32/Klez" since there are several variants of Klez.
>
>Actually, the default config is both lines:
>
>W32/Klez.H@mm
>W32/Klez.H
>
>...which is what I am using (and now appears to be working). So, even if the
>@ is a problem, we should be fine. Although, if you want to get other
>variants, you could do the "W32/Klez" line. I don't think I've seen anything
>other than Klez.H though. Not sure that I want to strip others that I might
>not be familiar with...

The @ is not a problem. I do "if ($text =~ /\Q$name\E/) {" which quotes the @ so it doesn't cause any trouble.

--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Fri Jun 28 15:33:08 2002
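[Added example, not part of any archived message and not MailScanner's code.] Following Julian Field's reply above: the quoted test treats each list entry as a literal substring of the scanner output. The sketch below reproduces that with `grep -F` standing in for the Perl `\Q...\E` quoting and contrasts it with regex matching. The two-line list is the default quoted in the thread; the broad list, the report strings, the name `W32/KlezXH` and the function names are constructed.

```shell
#!/bin/sh
# Added example: literal substring matching of a quiet-delete list.

# Print the entries of a list on stdin, dropping comment and blank lines.
list_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# found_in MODE REPORT < list
# MODE "literal": every character of an entry stands for itself (grep -F).
# MODE "regex":   entries are used as extended regular expressions.
# Prints the entries that occur in REPORT, space separated.
found_in() {
    mode=$1
    report=$2
    list_entries | while IFS= read -r entry; do
        case $mode in
            literal) flag=-F ;;
            regex)   flag=-E ;;
            *)       continue ;;
        esac
        if printf '%s\n' "$report" | grep -q "$flag" -e "$entry"; then
            printf '%s\n' "$entry"
        fi
    done | awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# The F-Prot lines of the default list as quoted in the thread.
default_list() {
    printf '%s\n' '# For F-Prot' 'W32/Klez.H@mm' 'W32/Klez.H'
}

# The broader single entry suggested in the thread.
broad_list() {
    printf '%s\n' 'W32/Klez'
}

# Constructed scanner report strings.
R_KLEZ_H='Infection: W32/Klez.H@mm'
R_KLEZ_E='Infection: W32/Klez.E@mm'
R_LOOKALIKE='Infection: W32/KlezXH'

printf 'H, default, literal:         %s\n' "$(default_list | found_in literal "$R_KLEZ_H")"
printf 'E, default, literal:         %s\n' "$(default_list | found_in literal "$R_KLEZ_E")"
printf 'E, broad, literal:           %s\n' "$(broad_list | found_in literal "$R_KLEZ_E")"
printf 'lookalike, default, literal: %s\n' "$(default_list | found_in literal "$R_LOOKALIKE")"
printf 'lookalike, default, regex:   %s\n' "$(default_list | found_in regex "$R_LOOKALIKE")"
```

Because the match is a substring test, the shorter default entry already covers the `@mm` form, and an entry as short as `W32/Klez` silences every variant whose name begins that way.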
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
In-Reply-To: <3D1C6240.4323876D@dcg.com>
References: <3D1C53AA.F6B3DA33@dcg.com> <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com> <5.1.0.14.2.20020628133803.04dfceb0@imap.ecs.soton.ac.uk> <3D1C5F9A.CCFED6C5@dcg.com>
Message-ID: <5.1.0.14.2.20020628153153.04e25e70@imap.ecs.soton.ac.uk>

At 14:18 28/06/2002, you wrote:
>So, I guess it is working according to the documentation then. To be honest,
>I think I'd like to be able to tell it to "not tell anyone but the postmaster"
>for certain things like Klez. Basically, I'd just like to delete all Klez
>completely -- without telling the sender or recipient, since the sender is
>fake and there isn't much the recipient could do anyhow. :)

I stopped it doing that, as then your users don't get to appreciate all the
viruses that MailScanner is stopping for them. Keeps management happy as
they can see it is doing something for them (and it's more advertising for
MailScanner too :-)
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From jase at SENSIS.COM Fri Jun 28 15:19:25 2002
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:15:07 2006
Subject: Proper way to handle misidentifiedspamsite-wide ?
Message-ID:

I have all of mail tagged as spam going to one mailbox, no matter who the
mail was sent to. I do this in exim. Specifically, I have a transport
defined similar to:

spam_delivery:
  driver = appendfile
  no_from_hack
  prefix = ""
  suffix = ""
  maildir_format
  directory = /path/to/maildir
  create_directory

Then I have a director defined similar to:

spam_domain:
  domains = "domains.whos.spam.i.want"
  condition = ${if def:h_X-MailScanner-SpamCheck:{yes}{no}}
  driver = smartuser
  transport = spam_delivery

What this is doing is checking for a X-MailScanner-SpamCheck header in the
mail message. If it finds it, the mail will be delivered using the
spam_delivery transport, which will just put the message in a maildir
directory. I can use any maildir capable client to view the messages (or an
imap server that understands maildir).

Notes:
* The location of the director definition is important. Any director
  defined before it could be used instead.
* You must have Spam Action = deliver
* You will probably need to have Always Include SpamAssassin Report = no

I am not an exim expert, but this seems to work for me. At least this keeps
the functionality out of MailScanner, so Julian doesn't have to worry about
legal issues.

Hope this helps someone.

Jase

> -----Original Message-----
> From: John Goggan [mailto:jgoggan@DCG.COM]
> Sent: Thursday, June 27, 2002 1:06 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Proper way to handle misidentifiedspamsite-wide?
>
>
> Julian Field wrote:
> > You get the qf and df "mqueue" files so you can drop them straight
> > back into the queue if you actually want them to be delivered.
>
> Yes, but then looking through them to detect non-spam mistakes is then
> difficult, yes? I've suddenly got a few hundred qf files to go checking
> subjects in -- there must be a better way?
>
> > Under European law you ain't supposed to be manually editing other
> > people's mail, its an infringement of the Data Protection Act.
>
> Well, it's pretty much MY mail. Most of what I'm sending using "store" is
> mail to various catch-all accounts plus some admin accounts. Basically,
> it is all "mine" -- or at least the company's and I have full rights to
> go looking through it...
>
> > You can find most non-spam by just reading the subject lines, which
> > are contained in the qf files.
>
> This just seems odd to me. It basically seems that doing any action other
> than "deliver" is just a problem. If you do "delete", then you're going
> to lose some non-spams. If you do "store" because you want to look
> through it for mistakes later, it seems that just trying to wade through
> the hundreds of qf files is such a pain as to not be worth it.
>
> Again, I'm surprised that people are doing this... Hmmm...
>
> > Again however, this is almost certainly a breach of the DPA.
>
> Nope. Not in this instance.
>
> > Writing code in the full knowledge that it would break laws if used
> > is rather shaky ground, and I don't really want to go there if I can
> > avoid it.
>
> Assuming that certain options, if used, must be illegal just seems
> incorrect to me. There are certainly many legal uses for what I was
> planning to do. But, I understand your concern...
>
> > I appreciate that many/most of you live outside the scope of these
> > laws, but I don't and I'm the one producing the "package".
>
> Agreed. It is indeed your project and I therefore respect that. I just
> see legitimate uses for such features. Especially when the process
> involved as it is now seems almost worthless. I feel like "deliver" is
> the only usable spam option unless people are doing a lot of custom work
> with things that are "stored."
>
> Of course, making it "easier" would then go against your concerns for the
> DPA. Even though what I was doing would certainly not be against it --
> even if I lived where it applied. :)
>
> Ok -- well -- I guess I'll stick with "deliver" for now and wade through
> it that way. :(
>
> Thanks for your time and responses!
>
> - John...
>

From jgoggan at DCG.COM Fri Jun 28 15:43:08 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: Not quietly deleting (version 3.21-1)
References: <3D1C53AA.F6B3DA33@dcg.com> <20020628094744.GA2112@declan.nuvotem.com> <3D1C53AA.F6B3DA33@dcg.com> <5.1.0.14.2.20020628133803.04dfceb0@imap.ecs.soton.ac.uk> <3D1C5F9A.CCFED6C5@dcg.com> <5.1.0.14.2.20020628153153.04e25e70@imap.ecs.soton.ac.uk>
Message-ID: <3D1C75FC.378E7093@dcg.com>

Julian Field wrote:
> I stopped it doing that, as then your users don't get to appreciate
> all the viruses that MailScanner is stopping for them. Keeps
> management happy as they can see it is doing something for them (and
> it's more advertising for MailScanner too :-)

True, I figured that was why it was like that actually. :) Still, they get
to see them on all kinds of other viruses. I'm just tired of people seeing
Klez. heh. :)

- John...

From jgoggan at DCG.COM Fri Jun 28 17:37:05 2002
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:15:07 2006
Subject: No SpamAssasin Output
References: <6214C3F9233D764C9E7029396C355015115B0B@mail.foundation.sdsu.edu>
Message-ID: <3D1C90B1.CAC27A79@dcg.com>

Steve Evans wrote:
>
> I have a few e-mails that have no SpamAssassin report in the headers. It
> simply says Not Spam and where it lists the score it only says (). Would
> this be what happens if SpamAssassin timed out? I installed Razor yesterday
> so I'm worried that could be happening.

Do you have the new release of MailScanner installed? If I recall, there
was something on the change logs about no more "empty" SpamAssassin reports
-- which I _think_ relates to this.

- John...

From sevans at FOUNDATION.SDSU.EDU Fri Jun 28 17:42:29 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:07 2006
Subject: No SpamAssasin Output
Message-ID: <6214C3F9233D764C9E7029396C355015115B0D@mail.foundation.sdsu.edu>

What was fixed in 3.20-5, I'm on 3.20-7

Steve Evans
Computing Services
(619) 594-0653

-----Original Message-----
From: John Goggan [mailto:jgoggan@DCG.COM]
Sent: Friday, June 28, 2002 9:37 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: No SpamAssasin Output

Steve Evans wrote:
>
> I have a few e-mails that have no SpamAssassin report in the headers.
> It simply says Not Spam and where it lists the score it only says ().
> Would this be what happens if SpamAssassin timed out? I installed
> Razor yesterday so I'm worried that could be happening.

Do you have the new release of MailScanner installed? If I recall, there
was something on the change logs about no more "empty" SpamAssassin reports
-- which I _think_ relates to this.

- John...

From sevans at FOUNDATION.SDSU.EDU Fri Jun 28 17:24:13 2002
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:15:07 2006
Subject: No SpamAssasin Output
Message-ID: <6214C3F9233D764C9E7029396C355015115B0B@mail.foundation.sdsu.edu>

I have a few e-mails that have no SpamAssassin report in the headers. It
simply says Not Spam and where it lists the score it only says (). Would
this be what happens if SpamAssassin timed out? I installed Razor yesterday
so I'm worried that could be happening.

Steve Evans
Computing Services
(619) 594-0653

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020628/10770927/attachment.html

From gerry at dorfam.ca Fri Jun 28 18:36:29 2002
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:15:07 2006
Subject: No SpamAssasin Output
In-Reply-To: <6214C3F9233D764C9E7029396C355015115B0B@mail.foundation.sdsu.edu>
References: <6214C3F9233D764C9E7029396C355015115B0B@mail.foundation.sdsu.edu>
Message-ID: <23245.129.80.22.134.1025285789.squirrel@tiger.dorfam.ca>

> I have a few e-mails that have no SpamAssassin report in the headers. It
> simply says Not Spam and where it lists the score it only says (). Would
> this be what happens if SpamAssassin timed out? I installed Razor
> yesterday so I'm worried that could be happening.
>
>
> Steve Evans
> Computing Services
> (619) 594-0653
>
>

It's been fixed in the latest release. It was caused by spamassassin not
running when the size of the email message was greater than the maximum
specified in mailscanner.conf. The default size is 50k. Putting it too high
can slow down your server...too low and spamassassin doesn't run with big
messages.

When spamassassin didn't run you would receive the "SpamAssassin ()" in the
header. With the new release of mailscanner this has been changed to say
that spamassassin didn't run.

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

From LISTSERV at JISCMAIL.AC.UK Fri Jun 28 18:08:52 2002
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d))
Date: Thu Jan 12 21:15:07 2006
Subject: MAILSCANNER: bill@DISTMIRR.COM requested to join
Message-ID: <200206282004.VAA20226@magpie.ecs.soton.ac.uk>

Fri, 28 Jun 2002 21:04:10

A request to join the MAILSCANNER JISCmail list (MailScanner mailing list)
has been received from Bill Omer

You can, at your discretion, send the following command to
jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list:

add MAILSCANNER bill@DISTMIRR.COM Bill Omer

PS: In order to facilitate the task, this message has been specially
formatted so that you only need to forward it back to
jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command
executed. Note that while the formats produced by the forwarding function
of most mail packages are supported, replying will seldom work, so make
sure to forward and not reply.

-------------------------------------------------------------------------
// JOB
PW=XXXXXXXX
ADD MAILSCANNER bill@DISTMIRR.COM Bill Omer
// EOJ

From michael at NOMENNESCIO.NET Sat Jun 29 10:08:24 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once"
Message-ID: <3D1D7908.50500@nomennescio.net>

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020629/936af119/smime.bin

From mailscanner at ecs.soton.ac.uk Sat Jun 29 11:32:47 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once"
In-Reply-To: <3D1D7908.50500@nomennescio.net>
Message-ID: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk>

At 10:08 29/06/2002, you wrote:
>I just upgraded to 3.21-1, but I'm getting the following error message,
>when I enable "Compile SpamAssassin Once":
>
>-----------------------------------------------------------
># /opt/MailScanner/bin/check_mailscanner
>Starting virus scanner...
>Bareword found where operator expected at (eval 36) line 764, near
>"25FREEMEGS_URL_body_test"
>        (Missing operator before FREEMEGS_URL_body_test?)
>Bareword found where operator expected at (eval 36) line 2854, near
>"25FREEMEGS_URL_body_test"
>        (Missing operator before FREEMEGS_URL_body_test?)
>Failed to compile body SpamAssassin tests, skipping:
>        (syntax error at (eval 36) line 764, near
>"25FREEMEGS_URL_body_test "
>Can't use global $_ in "my" at (eval 36) line 766, near ";
>    $_ "
>syntax error at (eval 36) line 2854, near "25FREEMEGS_URL_body_test"
>syntax error at (eval 36) line 3647, near ";
>}"
>)
>Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping:
>        (Can't locate object method "check_for_spam_reply_to" via
>package "Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
>"Mail::SpamAssassin::PerMsgStatus"?) at
>/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 1701.
>)
>-----------------------------------------------------------
>
>MailScanner does work when I disable "Compile SpamAssassin Once". I
>attached the mailscanner.conf.linux file for completeness.

Have you tried upgrading SpamAssassin to 2.31?
--
Julian Field                Teaching Systems Manager
jkf@ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ

From michael at NOMENNESCIO.NET Sat Jun 29 19:42:56 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once"
References: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk>
Message-ID: <3D1DFFB0.5010808@nomennescio.net>

Julian Field wrote:

> Have you tried upgrading SpamAssassin to 2.31?

Uhm, no. I thought 2.30 was the latest. I will try, dl now...

--
Mike.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020629/bb7ad34f/smime.bin

From michael at NOMENNESCIO.NET Sat Jun 29 20:05:42 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once"
References: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk>
Message-ID: <3D1E0506.8060405@nomennescio.net>

Julian Field wrote:

> Have you tried upgrading SpamAssassin to 2.31?

No success, same problem (line numbers are different though):

# /opt/MailScanner/bin/check_mailscanner
Starting virus scanner...
Bareword found where operator expected at (eval 36) line 742, near
"25FREEMEGS_URL_body_test"
        (Missing operator before FREEMEGS_URL_body_test?)
Bareword found where operator expected at (eval 36) line 2844, near
"25FREEMEGS_URL_body_test"
        (Missing operator before FREEMEGS_URL_body_test?)
Failed to compile body SpamAssassin tests, skipping:
        (syntax error at (eval 36) line 742, near
"25FREEMEGS_URL_body_test "
Can't use global $_ in "my" at (eval 36) line 744, near ";
    $_ "
syntax error at (eval 36) line 2844, near "25FREEMEGS_URL_body_test"
syntax error at (eval 36) line 3647, near ";
}"
)
Failed to run DIFFERENT_REPLY_TO SpamAssassin test, skipping:
        (Can't locate object method "check_for_spam_reply_to" via
package "Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load
"Mail::SpamAssassin::PerMsgStatus"?) at
/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 1701.
)

--
Mike.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020629/1d684c14/smime.bin

From michael at NOMENNESCIO.NET Sat Jun 29 20:10:05 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once" (Addendum)
References: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk> <3D1E0506.8060405@nomennescio.net>
Message-ID: <3D1E060D.6000801@nomennescio.net>

> Julian Field wrote:
>
>> Have you tried upgrading SpamAssassin to 2.31?
>

I just noticed that the same error message is echoed to the control tty
MailScanner is started from. I usually login with ssh, upgrade, start and
logout. The terminal was still active when a message was sent, and I get
the same message. The difference is that I now only get it when a message
is sent (and SA is activated).

I will have to disable SA for now... Hope this helps.

BTW, I'm seeing some other strange behaviour when reporting that a virus is
detected, more on that later.

--
Mike.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020629/59fa9541/smime.bin

From gerry at DORFAM.CA Sat Jun 29 20:27:06 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once" (Addendum)
In-Reply-To: <3D1E060D.6000801@nomennescio.net>
Message-ID:

Are these messages arriving already marked with {SPAM?} in the subject? I'm
seeing them being kicked by procmail as spam in my logs.

I'm not sure if the thread is marked as spam (not a good idea to retain
that) or something has gone wrong with my mailscanner update!

Gerry

From mdm at INTERNET-TOOLS.COM Sat Jun 29 22:59:14 2002
From: mdm at INTERNET-TOOLS.COM (mark david mcCreary)
Date: Thu Jan 12 21:15:07 2006
Subject: debian packages - spamassassin not getting called
Message-ID:

I'm starting to use Mailscanner and Spamassassin, via Debian 3.0 (Woody).

Mailscanner is version 3.13 and Spamassassin is 2.20, and I am using Exim 4
(not part of Woody).

Mailscanner is moving the email from one message queue to another and
running Sophos at that time.

However I can find no trace that SpamAssassin is ever invoked, although I
have set

Use SpamAssassin = yes

The mailscanner logs say "Scanning 1 message, 1260 bytes", which I
interpret to be the virus scan.

Should there be any log entries reflecting SpamAssassin being called ?

Running Mailscanner in debug mode does not shed any more light on the
situation.

Does anybody have any ideas on where I have gone wrong ?

I will put my mailscanner.conf file below.

Thanks in advance.

mark

# Configuration file for MailScanner E-Mail Virus Scanner

# This file assumes everything is in the default locations provided
# by the MailScanner and RedHat 6.2 and upwards.
#
# Note: If your directories are symlinked (soft-linked) in any way,
#       please put their *real* location in here, not a path that
#       includes any links. You may get some very strange error
#       messages from some of the virus scanners if you don't.

# User to run as (provided for Exim users)
Run As User = mail

# Group to run as (provided for Exim users)
Run As Group = mail

# In every batch of virus-scanning, limit the maximum
# a) number of text-only messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of text-only messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Safe Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000

# To avoid resource leaks, re-start periodically.
Restart Every = 14400 # 4 hours

# Name of this host, or just "the MailScanner" if you want to hide this info.
# It can be placed in the Help Desk note contained in virus warnings sent to users.
Host name = relay.internet-tools.com

# Add this extra header to all mail as it is scanned.
# (this must *include* terminating colon).
Mail Header = X-MailScanner:

# Set the mail header to these values for clean/infected messages.
Clean Header = Certified virus free by Sophos Anti-Virus
Infected Header = Infected Message according to Sophos Anti-Virus
Disinfected Header = Disinfected by Sophos Anti-Virus

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/mailscanner/incoming

# Set where to store infected message attachments (if they are kept)
Quarantine Dir = /var/spool/mailscanner/quarantine

# Set where to store the process id so you can easily stop the scanner
Pid File = /var/run/mailscanner/mailscanner.pid

# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
Filename Rules = /etc/mailscanner/filename.rules.conf

# Set where to find the message text sent to users when one of their
# attachments has been quarantined.
Stored Virus Message Report = /etc/mailscanner/stored.virus.message.txt
Stored Bad Filename Message Report = /etc/mailscanner/stored.filename.message.txt

# Set where to find the message text sent to users when one of their
# attachments has been deleted.
Deleted Virus Message Report = /etc/mailscanner/deleted.virus.message.txt
Deleted Bad Filename Message Report = /etc/mailscanner/deleted.filename.message.txt

# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
Disinfected Report = /etc/mailscanner/disinfected.report.txt

# Set location of incoming mail queue
# and location of outgoing mail queue.
Incoming Queue Dir = /var/spool/exim_incoming/input
Outgoing Queue Dir = /var/spool/exim/input

# Set whether to use sendmail or exim (default is sendmail)
MTA = exim

# Set how to invoke MTA when sending created message
# (e.g. to sender/recipient saying "found a virus in your message")
Sendmail = /usr/sbin/exim

# Sendmail2 is provided for Exim users.
# It defaults to the value supplied for Sendmail.
# It is the command used to attempt delivery of outgoing
# (scanned/cleaned) messages.
# This is not usually required for sendmail.
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim.conf.outgoing

# Do you want to scan email for viruses?
# A few people have wanted to disable the entire virus scanning.
Virus Scanning = yes

# Which Virus Scanning package to use:
# sophos    from www.sophos.com, or
# mcafee    from www.mcafee.com, or
# command   from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# f-secure  from www.f-secure.com, or
# f-prot    from www.f-prot.com (which is *free* for Linux as of 1/1/2002)
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of virus scanners. For example:
# Virus Scanner = sophos, f-prot
#
Virus Scanner = sophos

# Where the Virus scanner is installed. This is the command needed to run it.
#
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of commands, **in the same order** as they are listed
# in the "Virus Scanner" keyword just above. For example:
# Sweep = /etc/mailscanner/wrapper/sophoswrapper, /etc/mailscanner/wrapper/f-protwrapper
#
Sweep = /etc/mailscanner/wrapper/sophoswrapper

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Expand TNEF attachments using an external program?
# This should be "yes" except for Sophos (when it should be "no")
# as Sophos has the facility built-in.
Expand TNEF = no

# Where the MS-TNEF expander is installed.
# The new --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# What should the attachments be called that replace virus-infected files?
Attachment Warning Filename = VirusWarning.txt

# Should we scan all messages, including plain-text messages which are normally
# harmless? This should be "yes" since the MyParty message appeared.
Scan All Messages = yes

# Once we have removed viruses from an email message and replaced them with
# VirusWarning.txt attachments, should we deliver the clean result to the
# original recipients (or just delete them if "no")?
Deliver To Recipients = yes

# Deliver messages with viruses removed to their original recipients
# if they came from a local address, or just delete them so no-one knows
# we have a virus outbreak on our site?
Deliver From Local Domains = yes

# Notify the senders of infected messages that they should check out
# their systems?
Notify Senders = yes

# Set where to find the message text sent to the senders of infected
# messages.
#Sender Report = /etc/mailscanner/sender.report.txt
Sender Virus Report = /etc/mailscanner/sender.virus.report.txt
Sender Bad Filename Report = /etc/mailscanner/sender.filename.report.txt
Sender Error Report = /etc/mailscanner/sender.error.report.txt

# Notify the local postmaster when any infections are found?
Notify Local Postmaster = yes

# Include the full headers of each message in the postmaster notification?
Postmaster Gets Full Headers = yes

# Set email address of who to notify about any infections found.
# Should put your full domain name here too,
# e.g. postmaster@your.domain.com
Local Postmaster = virusmaster@internet-tools.com

# Set what to do with infected attachments or messages.
# keep   ==> Store under the "Quarantine Dir"
# delete ==> Just delete them
#Action = delete
Action = keep

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones
Deliver Disinfected Files = yes

# Local domain name, or filename containing a list of local domain names
# The file supports blank entries, '#' and ';' comment characters and
# uses the first word off each line. This should be compatible with all
# such lines in a sendmail or Exim configuration file.
Local Domains = internet-tools.com

# Mark infected messages in the message body.
# There can now be more than 1 of these configuration lines here, so you can
# break the warning message over multiple lines.
Mark Infected Messages = yes
Inline Text Warning = Warning: This message has had one or more attachments removed.
Inline Text Warning = Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
Inline HTML Warning = Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information.

# Sign clean messages in the message body.
# There can be more than 1 of these configuration lines here, so you can
# break the signature message over multiple lines.
# Note that enabling this option will add to the overall system load as some
# major optimisations will no longer be possible!
Sign Clean Messages = no
Inline Text Signature = --
Inline Text Signature = This message has been scanned for viruses and
Inline Text Signature = dangerous content by MailScanner, and is
Inline Text Signature = believed to be clean.
Inline HTML Signature = --
Inline HTML Signature = This message has been scanned for viruses and
Inline HTML Signature = dangerous content by
Inline HTML Signature = MailScanner,
Inline HTML Signature = and is believed to be clean.

# Do you want to archive all mail in a directory for later inspection?
# Be warned if you are in the UK: this may well be illegal due to RIPA
# and DPA restrictions!
Archive Mail = no

# Where to store the mail archive.
# Be warned: this is likely to get big very quickly.
Archive Mail Dir = /var/spool/mailscanner/archive

#
# Per-Domain Scanning and Spam Detection
#

# Do we want to only scan certain named domains for viruses and spam?
Scanning By Domain = no

# Filename listing all the domains we want to scan
Domains To Scan = /etc/mailscanner/domains.to.scan.conf

# Do we want to add a MailScanner header to messages we have not scanned
Sign Unscanned Messages = no

# What do we want to put in the header
Unscanned Header = not scanned: please contact your email provider for details

#
# Spam Detection
#

# Should the anti-spam checks be done on all incoming messages?
Spam Checks = yes

# Set the name of the extra header to add to all messages found to be
# likely spam.
Spam Header = X-MailScanner-SpamCheck:

# Do you want to put some text on the front of the subject line when
# we think it is spam?
Spam Modify Subject = yes

# What text do we want to put on the front (gets followed by a " ")
Spam Subject Text = {SPAM?}

# Do we have the SpamAssassin package installed?
# This is a very good, very clever heuristics-based spam checker.
# For more info and installation instructions, see http://spamassassin.taint.org/
Use SpamAssassin = yes

# Set the maximum size of message which we will check with SpamAssassin
# Don't set this too large as your system load will get very high processing
# huge messages.
Max SpamAssassin Size = 100000

# Set the maximum time to allow SpamAssassin to process 1 message
SpamAssassin Timeout = 10

# Set the list of database names and their corresponding DNS domains.
# All of these databases work in a similar way, allowing the simple use
# of multiple databases.
# See www.ordb.org and www.mail-abuse.org for more information.
#Spam List = ORDB-RBL, relays.ordb.org. # MAPS now charge for their services, so you'll have to buy a contract before # attempting to use the next 3 lines. #Spam List = MAPS-RBL, blackholes.mail-abuse.org. #Spam List = MAPS-DUL, dialups.mail-abuse.org. #Spam List = MAPS-RSS, relays.mail-abuse.org. # This next line works for JANET UK Academic sites only #Spam List = MAPS-RBL+, rbl-plus.mail-abuse.ja.net. # Define local networks from whom you should always accept mail, and # never mark it as spam. This is useful in case your own mail servers # are ever in the ORBS or MAPS lists. #Accept Spam From = 152.78. #Accept Spam From = 139.166. # Define a list of email addresses and email domains from whom you should # always accept mail, and never mark it as spam. This is useful in case # someone you correspond with a lot has their mail servers in the ORBS or # MAPS lists. Spam White List = /etc/mailscanner/spam.whitelist.conf # # Advanced Features # ================= # # Don't bother changing anything below this unless you really know what # you are doing. # # Set Debug to 1 to stop it running as a daemon # and produce more verbose output Debug = 0 # Attempt immediate delivery of messages, or just place them in the outgoing # queue for the MTA to deliver at a time of its own choosing? # If attempting immediate delivery, do them one at a time, # or do them in batches of 30 at a time? # Delivery Method = queue # Delivery Method = individual Delivery Method = batch # How to lock spool files. # Don't set this unless you *know* you need to. # For sendmail, it defaults to "flock". # For Exim, it defaults to "posix". # No other type is implemented. #Lock Type = flock # Where to put the virus scanning engine lock files. # These lock files are used between MailScanner and the virus signature # "autoupdate" scripts, to ensure that they aren't both working at the # same time (which could cause MailScanner to let a virus through). 
Lock File Dir = /tmp # What to do when you get several MailScanner headers in one message, # from multiple MailScanner servers. Values are # "append" : Append the new data to the existing header # "add" : Add a new header # "replace" : Replace the old data with the new data # Default is "append" Multiple Headers = append # Some versions of Microsoft Outlook generate unparsable Rich Text # format attachments. Do we want to deliver these bad attachments anyway? # Setting this to yes introduces the slight risk of a virus getting through, # but if you have a lot of troubled Outlook users you might need to do this. # We are working on a replacement for the TNEF decoder. Deliver Unparsable TNEF = no # When attempting delivery of outgoing messages, should we do it in the # background or wait for it to complete? The danger of doing it in the # background is that the machine load goes ever upwards while all the # slow sendmail processes run to completion. However, running it in the # foreground may cause the mail server to run too slowly. Deliver In Background = no # Minimum acceptable code stability status -- if we come across code # that's not at least as stable as this, we barf. # This is currently only used to check that you don't end up using untested # virus scanner support code without realising it. # Levels used are: # none - there may not even be any code. # unsupported - code may be completely untested, a contributed dirty hack, # anything, really. # alpha - code is pretty well untested. Don't assume it will work. # beta - code is tested a bit. It should work. # supported - code *should* be reliable. # # Don't even *think* about setting this to anything other than "beta" or # "supported" on a system that receives real mail until you have tested it # yourself and are happy that it is all working as you expect it to. # Don't set it to anything other than "supported" on a system that could # ever receive important mail. 
Minimum Code Status = supported

From moacyrs at AKADNYX.COM.BR Sun Jun 30 07:29:35 2002
From: moacyrs at AKADNYX.COM.BR (Moacyr Leite da Silva)
Date: Thu Jan 12 21:15:07 2006
Subject: MailScanner Wish List!
In-Reply-To: <5.1.0.14.2.20020627120921.041cc2f0@imap.ecs.soton.ac.uk>
Message-ID:

Hi

I don't know if these features are available in other tools, I was searching for things like "mail audit" in google and found an article about CPAN Mail::Audit modules. So what I did below is a kind of brainstorm about mail auditing features that would be great to be found in MailScanner. I'm not able to make this, so what I can do is ask for things like that to be in MailScanner Wish List.

Mail Auditing Capability, is something like Mail Archive, but I thought something like:

o Mail Audit = no | incoming | outgoing | both
  Specify the direction of scanning of messages for auditing
o Mail Audit Subject Text = {Mail Audit}
o Mail Auditor = Postmaster
  Specify the recipient of messages for auditing
o Mail Audit Senders = senders.to.audit.conf
  Contains the domains or emails that we need to audit (it can be compared to altivore)
o Mail Audit Recipients = recipients.to.audit.conf
  Contains the domains or emails that we need to audit (it can be compared to altivore)
o Mail Audit Content = enable | disable
o Mail Audit Content Config = content.to.audit.conf
  Contains the words or phrases that are considered unacceptable to business, it can help prevent privileged information being shared outside of company.
o Mail Audit Interval = 4h (CRON!? - cron.daily)
  messages would be processed in batch/background, and in lower priority

My Best Regards,

--
Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br)
kadnyx Network Services (http://www.akadnyx.com.br)
+55 19 3242-4895
"Time is the best teacher; unfortunately, it kills all its students."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subscribe to the Akadnyx Newsletter
http://akadnyx.com.br/mailman/listinfo/informativo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From gerry at DORFAM.CA Sun Jun 30 07:42:36 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:07 2006
Subject: SpamAssassin Test Message
Message-ID:

Testing...please ignore

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

From bill at DISTMIRR.COM Sun Jun 30 07:43:24 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:07 2006
Subject: EX_TEMPFAIL error
Message-ID: <1025419405.2606.8.camel@linuxlaptop.spis.net>

I keep seeing this error in my logs. I'm not sure what this could be or how I can get around it. None of my mail is being delivered at all.

I'm running the latest version of the amavis (new-20020630), Razor 2.12, Kaspersky 3.0 and sendmail 8.12.4.

Regards,
Bill Omer

From nwp at LEMON-COMPUTING.COM Sun Jun 30 09:03:52 2002
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:15:07 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <1025419405.2606.8.camel@linuxlaptop.spis.net>
References: <1025419405.2606.8.camel@linuxlaptop.spis.net>
Message-ID: <20020630080352.GX1239@hoiho.nz.lemon-computing.com>

On Sun, Jun 30, 2002 at 01:43:24AM -0500, Bill Omer wrote:
> I keep seeing this error in my logs. I'm not sure what this could be or
> how I can get around it. None of my mail is being delivered at all.
>
> I'm running the latest version of the amavis (new-20020630), Razor 2.12,
> Kaspersky 3.0 and sendmail 8.12.4.

Um, very amusing and all, but:

a) You've not given us the error message, beyond saying that it was something to do with EX_TEMPFAIL;

b) This is the *mailscanner* mailing list. Not Amavis. The only Amavis-related help we can give you here is to advise you to dump it and start using mailscanner... ;)

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
Questionable day. Ask somebody something.
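The mailscanner.conf quoted on this page asks for the *real* location of each directory rather than a symlinked path, and the "Virus report e-mail" thread shows the symptom when that is ignored (empty Sender/Recipient/Subject and a MessageID of "opt"). The check below is an added example, not part of any message in this archive or of MailScanner itself: it parses `Keyword = value` lines in that format and reports directory settings whose configured path differs from its resolved path. The function names and the constructed directory tree in `demo()` are assumptions made for illustration.

```python
"""Flag mailscanner.conf directory settings that pass through a symlink."""
import os
import sys
import tempfile

# Directory-valued keywords that appear in the mailscanner.conf quoted on this page.
DIR_KEYS = {
    "incoming work dir", "quarantine dir", "incoming queue dir",
    "outgoing queue dir", "archive mail dir", "lock file dir",
}


def parse_conf(text):
    """Yield (line_number, keyword, value) for each 'Keyword = value' line.

    '#' starts a comment, both on a line of its own and after a value
    (for example 'Restart Every = 14400 # 4 hours').
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield lineno, key.strip(), value.strip()


def find_symlinked_dirs(conf_text):
    """Return one finding per directory setting whose path is not its real path."""
    findings = []
    for lineno, key, value in parse_conf(conf_text):
        if key.lower() not in DIR_KEYS or not value:
            continue
        configured = os.path.abspath(value)   # what the config says
        real = os.path.realpath(value)        # what the filesystem resolves it to
        if configured != real:
            findings.append({"line": lineno, "key": key,
                             "configured": value, "real": real})
    return findings


def demo():
    """Constructed layout modelled on the thread: a versioned install directory
    plus a generic-name symlink that points at it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)          # the temp dir itself may be a symlink
        versioned = os.path.join(base, "MailScanner-3.21-1")
        os.makedirs(os.path.join(versioned, "var", "incoming"))
        os.makedirs(os.path.join(versioned, "var", "quarantine"))
        generic = os.path.join(base, "MailScanner")
        os.symlink(versioned, generic)

        via_link = (
            "# constructed sample configuration\n"
            f"Incoming Work Dir = {generic}/var/incoming\n"
            f"Quarantine Dir = {versioned}/var/quarantine\n"
            "Restart Every = 14400 # 4 hours\n"
        )
        # The fix applied in the thread: replace the link name with the real directory.
        fixed = via_link.replace(generic + "/", versioned + "/")
        return find_symlinked_dirs(via_link), find_symlinked_dirs(fixed)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            results = find_symlinked_dirs(fh.read())
    else:
        results = demo()[0]
    for f in results:
        print(f"line {f['line']}: {f['key']} = {f['configured']} resolves to {f['real']}")
    sys.exit(1 if results else 0)
```

Run it with the path to a configuration file as its only argument; without an argument it runs the constructed demo.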
From michael at NOMENNESCIO.NET Sun Jun 30 10:09:31 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:07 2006
Subject: Problem with "Compile SpamAssassin Once" (Addendum)
References:
Message-ID: <3D1ECACB.8030100@nomennescio.net>

Gerry Doris wrote:

>Are these messages arriving already marked with {SPAM?} in the subject?
>I'm seeing them being kicked by procmail as spam in my logs.
>

No, they're not. The message I sent to the mailing list produced the error message. In fact all messages produce the error message. I've no idea what's the problem.

>I'm not sure if the thread is marked as spam (not a good idea to retain
>that) or something has gone wrong with my mailscanner update!
>
>Gerry
>
>

--
Mike.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020630/5e8f8a77/smime.bin

From michael at NOMENNESCIO.NET Sun Jun 30 10:21:17 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:08 2006
Subject: Virus repot e-mail
Message-ID: <3D1ECD8D.2030103@nomennescio.net>

Hi again,

I've got another question. It's something that's not changed recently, it's been like this since I've started using MailScanner (couple of months). When an e-mail is sent with a double extension for instance, the recipient receives a message with all the correct data (Sender, Recipient, Subject, etc.). However, when a virus has been detected, the message that is sent to the recipient (as well as the local postmaster), does not contain all the correct data:

The following e-mail messages were found to have viruses in them:

Sender:
Recipient:
Subject:
MessageID: opt
Report:
/opt/MailScanner-3.20-6/var/incoming/g5PHvNM14712/msg-3653-71.html
Found application Exploit-MIME.gen.b.
/opt/MailScanner-3.20-6/var/incoming/g5PHvNM14712/LANGSPEELPLATEN
Found the W32/Yaha.g@MM virus !!!

--
MailScanner
Email Virus Scanner

As you can see, the Sender, Recipient and Subject are all empty and the MessageID is *always* "opt". When I look in /opt/MailScanner/var/quarantine/, I also notice a directory "opt", as well as a directory which contains the viruses.

I'm using mcafee (installed in /opt/mcafee, I changed the mcafeewrapper script accordingly), for more details see a previous message to which I attached the mailscanner.conf.linux.

BTW, the above report is an older message, since I now use MailScanner-3.21-1.

--
Mike.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3315 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020630/f45f0d28/smime.bin

From gerry at DORFAM.CA Sun Jun 30 13:25:47 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:08 2006
Subject: All messages marked as spam?
In-Reply-To: <3D1ECACB.8030100@nomennescio.net>
Message-ID:

I've now got my own problem.

In an ironic twist of fate, mailscanner has started marking all messages from this mailing list with {SPAM?} in the subject line! It doesn't act this way with any other mail.

I just upgraded to the latest level and turned on auto whitelist and a couple of other features I wasn't using before. Now I have to go back and start removing things to see why this is happening.
Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From LISTSERV at JISCMAIL.AC.UK Sun Jun 30 01:32:04 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:15:08 2006 Subject: MAILSCANNER: dwokfur@DC.SOTE.HU requested to join Message-ID: <200206300032.BAA03465@magpie.ecs.soton.ac.uk> Sun, 30 Jun 2002 01:32:04 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from T?th Attila You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dwokfur@DC.SOTE.HU T?th Attila PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dwokfur@DC.SOTE.HU T?th Attila // EOJ From mailscanner at ecs.soton.ac.uk Sun Jun 30 14:56:24 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:08 2006 Subject: All messages marked as spam? In-Reply-To: References: <3D1ECACB.8030100@nomennescio.net> Message-ID: <5.1.0.14.2.20020630145556.0363ed40@imap.ecs.soton.ac.uk> At 13:25 30/06/2002, you wrote: >In an ironic twist of fate, mailscanner has started marking all messages >from this mailing list with {SPAM?} in the subject line! It doesn't act >this way with any other mail. What does the SpamCheck header say? That will tell you exactly why it thought it was spam. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ From mailscanner at ecs.soton.ac.uk Sun Jun 30 14:44:17 2002 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:15:08 2006 Subject: Problem with "Compile SpamAssassin Once" (Addendum) In-Reply-To: <3D1E060D.6000801@nomennescio.net> References: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk> <3D1E0506.8060405@nomennescio.net> Message-ID: <5.1.0.14.2.20020630144018.03598c70@imap.ecs.soton.ac.uk> What version of Perl are you using? It has to be a Perl/SpamAssassin problem. Try upgrading to Perl 5.6.1 then re-install SpamAssassin and see if that cures it. The other alternative is that it is failing to read one of your "rule scores" files. If you uninstall SpamAssassin, then go round and find the spamassassin.cf files and user_prefs files and stuff like that, to ensure that you have *completely* removed it, then re-install SpamAssassin. Just upgrading SpamAssassin probably won't touch your SA config files. I have just done a little search of my SA installation and the 25FREEMEGS text is mentioned in spamassassin.cf (in /usr/lib/perl5/site-perl/5.6.1). Ensure you delete this file before re-installing SA. At 20:10 29/06/2002, you wrote: >>Julian Field wrote: >> >>>Have you tried upgrading SpamAssassin to 2.31? >I just noticed that the same error message is echoed to the control tty >MailScanner is started from. I usually login with ssh, upgrade, start >and logout. The terminal was still active when a message was sent, and I >get the same message. The difference is that I now only get it when a >message is sent (and SA is activated). I will have to disable SA for now... > >Hope this helps. BTW, I'm seeing some other strange behaviour when >reporting that a virus is detected, more on that later. > >-- >Mike. > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 
023 8059 2817 University of Southampton Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jun 30 14:55:34 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: Virus repot e-mail
In-Reply-To: <3D1ECD8D.2030103@nomennescio.net>
Message-ID: <5.1.0.14.2.20020630145036.036c8ec0@imap.ecs.soton.ac.uk>

Are you using some old version of the mcafeewrapper by mistake? Check for an mcafeewrapper.rpmnew file, just in case. Also the new wrapper is designed to be put in "uvscan" and not "mcafee".

Hang on, is your "incoming" directory specified in mailscanner.conf exactly the same as the directory it really is? If you have some soft-links in the path, you'll probably run into trouble. From your output below, your incoming directory should be defined as

Incoming Work Dir = /opt/MailScanner-3.20-6/var/incoming

At 10:21 30/06/2002, you wrote:
> Hi again,
>
>I've got another question. It's something that's not changed recently,
>it's been like this since I've started using MailScanner (couple of
>months). When an e-mail is sent with a double extension for instance,
>the recipient receives a message with all the correct data (Sender,
>Recipient, Subject, etc.). However, when a virus has been detected, the
>message that is sent to the recipient (as well as the local postmaster),
>does not contain all the correct data:
>
>The following e-mail messages were found to have viruses in them:
>
> Sender:
>Recipient:
> Subject:
>MessageID: opt
> Report:
> /opt/MailScanner-3.20-6/var/incoming/g5PHvNM14712/msg-3653-71.html
> Found application Exploit-MIME.gen.b.
>/opt/MailScanner-3.20-6/var/incoming/g5PHvNM14712/LANGSPEELPLATEN
>Found the W32/Yaha.g@MM virus !!!
>
>--
>MailScanner
>Email Virus Scanner
>
>As you can see, the Sender, Recipient and Subject are all empty and the
>MessageID is *always* "opt". When I look in
>/opt/MailScanner/var/quarantine/, I also notice a directory "opt",
>as well as a directory which contains the viruses.
>
>I'm using mcafee (installed in /opt/mcafee, I changed the mcafeewrapper
>script accordingly), for more details see a previous message to which I
>attached the mailscanner.conf.linux.
>
>BTW, the above report is an older message, since I now use
>MailScanner-3.21-1.
>
>--
>Mike.
>
>

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jun 30 14:46:57 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: debian packages - spamassassin not getting called
In-Reply-To:
Message-ID: <5.1.0.14.2.20020630144543.03632040@imap.ecs.soton.ac.uk>

Try sending yourself the "sample-spam.txt" file supplied with SpamAssassin. The SA header will only normally be added if something actually detected it as spam. If you want to always include the SA header, you'll have to upgrade to a more recent version of MailScanner.

At 22:59 29/06/2002, you wrote:
>I'm starting to use Mailscanner and Spamassassin, via Debian 3.0 (Woody).
>
>Mailscanner is version 3.13 and Spamassassin is 2.20, and I am using
>Exim 4 (not part of Woody).
>
>Mailscanner is moving the email from one message queue to another and
>running Sophos at that time. However I can find no trace that
>SpamAssassin is ever invoked, although I have set Use SpamAssassin =
>yes
>
>The mailscanner logs say "Scanning 1 message, 1260 bytes", which I
>interpret to be the virus scan.
>
>Should there be any log entries reflecting SpamAssassin being called ?
>
>Running Mailscanner in debug mode does not shed any more light on the
>situation.
>
>Does anybody have any ideas on where I have gone wrong ?
>
>I will put my mailscanner.conf file below.
>
>Thanks in advance.
> >mark > > ># Configuration file for MailScanner E-Mail Virus Scanner ># This file assumes everything is in the default locations provided ># by the MailScanner and RedHat 6.2 and upwards. ># ># Note: If your directories are symlinked (soft-linked) in any way, ># please put their *real* location in here, not a path that ># includes any links. You may get some very strange error ># messages from some of the virus scanners if you don't. > ># User to run as (provided for Exim users) >Run As User = mail > ># Group to run as (provided for Exim users) >Run As Group = mail > ># In every batch of virus-scanning, limit the maximum ># a) number of text-only messages to deliver ># b) number of potentially infected messages to unpack and scan ># c) total size of text-only messages to deliver ># d) total size of potentially infected messages to unpack and scan >Max Safe Messages Per Scan = 500 >Max Unsafe Messages Per Scan = 100 >Max Safe Bytes Per Scan = 100000000 >Max Unsafe Bytes Per Scan = 50000000 > ># To avoid resource leaks, re-start periodically. >Restart Every = 14400 # 4 hours > ># Name of this host, or just "the MailScanner" if you want to hide this info. ># It can be placed in the Help Desk note contained in virus warnings >sent to users. >Host name = relay.internet-tools.com > ># Add this extra header to all mail as it is scanned. ># (this must *include* terminating colon). >Mail Header = X-MailScanner: > ># Set the mail header to these values for clean/infected messages. 
>Clean Header = Certified virus free by Sophos Anti-Virus >Infected Header = Infected Message according to Sophos Anti-Virus >Disinfected Header = Disinfected by Sophos Anti-Virus > ># Set where to unpack incoming messages before scanning them >Incoming Work Dir = /var/spool/mailscanner/incoming > ># Set where to store infected message attachments (if they are kept) >Quarantine Dir = /var/spool/mailscanner/quarantine > ># Set where to store the process id so you can easily stop the scanner >Pid File = /var/run/mailscanner/mailscanner.pid > ># Set where to find the attachment filename ruleset. ># The structure of this file is explained elsewhere, but it is used to ># accept or reject file attachments based on their name, regardless of ># whether they are infected or not. >Filename Rules = /etc/mailscanner/filename.rules.conf > ># Set where to find the message text sent to users when one of their ># attachments has been quarantined. >Stored Virus Message Report = /etc/mailscanner/stored.virus.message.txt >Stored Bad Filename Message Report = >/etc/mailscanner/stored.filename.message.txt > ># Set where to find the message text sent to users when one of their ># attachments has been deleted. >Deleted Virus Message Report = /etc/mailscanner/deleted.virus.message.txt >Deleted Bad Filename Message Report = >/etc/mailscanner/deleted.filename.message.txt > ># Set where to find the message text sent to users explaining about the ># attached disinfected documents. >Disinfected Report = /etc/mailscanner/disinfected.report.txt > ># Set location of incoming mail queue ># and location of outgoing mail queue. >Incoming Queue Dir = /var/spool/exim_incoming/input >Outgoing Queue Dir = /var/spool/exim/input > ># Set whether to use sendmail or exim (default is sendmail) >MTA = exim > ># Set how to invoke MTA when sending created message ># (e.g. to sender/recipient saying "found a virus in your message") >Sendmail = /usr/sbin/exim > ># Sendmail2 is provided for Exim users. 
># It defaults to the value supplied for Sendmail. ># It is the command used to attempt delivery of outgoing ># (scanned/cleaned) messages. ># This is not usually required for sendmail. >Sendmail2 = /usr/sbin/exim -C /etc/exim/exim.conf.outgoing > ># Do you want to scan email for viruses? ># A few people have wanted to disable the entire virus scanning. >Virus Scanning = yes > ># Which Virus Scanning package to use: ># sophos from www.sophos.com, or ># mcafee from www.mcafee.com, or ># command from www.command.co.uk, or ># kaspersky from www.kaspersky.com, or ># inoculate from www.cai.com/products/inoculateit.htm, or ># f-secure from www.f-secure.com, or ># f-prot from www.f-prot.com (which is *free* for Linux as of 1/1/2002) ># ># Note: If you want to use multiple virus scanners, then this should be a ># comma-separated list of virus scanners. For example: ># Virus Scanner = sophos, f-prot ># >Virus Scanner = sophos > ># Where the Virus scanner is installed. This is the command needed to run it. ># ># Note: If you want to use multiple virus scanners, then this should be a ># comma-separated list of commands, **in the same order** as they are listed ># in the "Virus Scanner" keyword just above. For example: ># Sweep = /etc/mailscanner/wrapper/sophoswrapper, >/etc/mailscanner/wrapper/f-protwrapper ># >Sweep = /etc/mailscanner/wrapper/sophoswrapper > ># The maximum length of time the commercial virus scanner is allowed to run ># for 1 batch of messages (in seconds). >Virus Scanner Timeout = 300 > ># Expand TNEF attachments using an external program? ># This should be "yes" except for Sophos (when it should be "no") ># as Sophos has the facility built-in. >Expand TNEF = no > ># Where the MS-TNEF expander is installed. ># The new --maxsize option limits the maximum size that any expanded >attachment ># may be. It helps protect against Denial Of Service attacks in TNEF files. 
>TNEF Expander = /usr/bin/tnef --maxsize=100000000 > ># The maximum length of time the TNEF Expander is allowed to run for 1 >message. ># (in seconds) >TNEF Timeout = 120 > ># What should the attachments be called that replace virus-infected files? >Attachment Warning Filename = VirusWarning.txt > ># Should we scan all messages, including plain-text messages which are >normally ># harmless? This should be "yes" since the MyParty message appeared. >Scan All Messages = yes > ># Once we have removed viruses from an email message and replaced them with ># VirusWarning.txt attachments, should we deliver the clean result to the ># original recipients (or just delete them if "no")? >Deliver To Recipients = yes > ># Deliver messages with viruses removed to their original recipients ># if they came from a local address, or just delete them so no-one knows ># we have a virus outbreak on our site? >Deliver From Local Domains = yes > ># Notify the senders of infected messages that they should check out ># their systems? >Notify Senders = yes > ># Set where to find the message text sent to the senders of infected ># messages. >#Sender Report = /etc/mailscanner/sender.report.txt >Sender Virus Report = /etc/mailscanner/sender.virus.report.txt >Sender Bad Filename Report = /etc/mailscanner/sender.filename.report.txt >Sender Error Report = /etc/mailscanner/sender.error.report.txt > ># Notify the local postmaster when any infections are found? >Notify Local Postmaster = yes > ># Include the full headers of each message in the postmaster notification? >Postmaster Gets Full Headers = yes > ># Set email address of who to notify about any infections found. ># Should put your full domain name here too, ># e.g. postmaster@your.domain.com >Local Postmaster = virusmaster@internet-tools.com > ># Set what to do with infected attachments or messages. 
># keep ==> Store under the "Quarantine Dir" ># delete ==> Just delete them >#Action = delete >Action = keep > ># Should I attempt to disinfect infected attachments and then deliver ># the clean ones >Deliver Disinfected Files = yes > ># Local domain name, or filename containing a list of local domain names ># The file supports blank entries, '#' and ';' comment characters and ># uses the first word off each line. This should be compatible with all ># such lines in a sendmail or Exim configuration file. >Local Domains = internet-tools.com > ># Mark infected messages in the message body. ># There can now be more than 1 of these configuration lines here, so you can ># break the warning message over multiple lines. >Mark Infected Messages = yes >Inline Text Warning = Warning: This message has had one or more >attachments removed. >Inline Text Warning = Warning: Please read the "VirusWarning.txt" >attachment(s) for more information. >Inline HTML Warning =

Warning: >This message has had one or more attachments removed. Please >read the "VirusWarning.txt" attachment(s) for more >information.

> ># Sign clean messages in the message body. ># There can be more than 1 of these configuration lines here, so you can ># break the signature message over multiple lines. ># Note that enabling this option will add to the overall system load as some ># major optimisations will no longer be possible! >Sign Clean Messages = no >Inline Text Signature = -- >Inline Text Signature = This message has been scanned for viruses and >Inline Text Signature = dangerous content by MailScanner, and is >Inline Text Signature = believed to be clean. >Inline HTML Signature =
-- >Inline HTML Signature =
This message has been scanned for viruses and >Inline HTML Signature =
dangerous content by >Inline HTML Signature = HREF="http://www.mailscanner.info/">MailScanner, >Inline HTML Signature = and is
believed to be clean. > ># Do you want to archive all mail in a directory for later inspection? ># Be warned if you are in the UK: this may well be illegal due to RIPA ># and DPA restrictions! >Archive Mail = no > ># Where to store the mail archive. ># Be warned: this is likely to get big very quickly. >Archive Mail Dir = /var/spool/mailscanner/archive > ># ># Per-Domain Scanning and Spam Detection ># ># Do we want to only scan certain named domains for viruses and spam? >Scanning By Domain = no > ># Filename listing all the domains we want to scan >Domains To Scan = /etc/mailscanner/domains.to.scan.conf > ># Do we want to add a MailScanner header to messages we have not scanned >Sign Unscanned Messages = no > ># What do we want to put in the header >Unscanned Header = not scanned: please contact your email provider for details > ># ># Spam Detection ># ># Should the anti-spam checks be done on all incoming messages? >Spam Checks = yes > ># Set the name of the extra header to add to all messages found to be ># likely spam. >Spam Header = X-MailScanner-SpamCheck: > ># Do you want to put some text on the front of the subject line when ># we think it is spam? >Spam Modify Subject = yes > ># What text do we want to put on the front (gets followed by a " ") >Spam Subject Text = {SPAM?} > ># Do we have the SpamAssassin package installed? ># This is a very good, very clever heuristics-based spam checker. ># For more info and installation instructions, see >http://spamassassin.taint.org/ >Use SpamAssassin = yes > ># Set the maximum size of message which we will check with SpamAssassin ># Don't set this too large as your system load will get very high processing ># huge messages. >Max SpamAssassin Size = 100000 > ># Set the maximum time to allow SpamAssassin to process 1 message >SpamAssassin Timeout = 10 > ># Set the list of database names and their corresponding DNS domains. ># All of these databases work in a similar way, allowing the simple use ># of multiple databases. 
># See www.ordb.org and www.mail-abuse.org for more information. >#Spam List = ORDB-RBL, relays.ordb.org. ># MAPS now charge for their services, so you'll have to buy a contract before ># attempting to use the next 3 lines. >#Spam List = MAPS-RBL, blackholes.mail-abuse.org. >#Spam List = MAPS-DUL, dialups.mail-abuse.org. >#Spam List = MAPS-RSS, relays.mail-abuse.org. ># This next line works for JANET UK Academic sites only >#Spam List = MAPS-RBL+, rbl-plus.mail-abuse.ja.net. > ># Define local networks from whom you should always accept mail, and ># never mark it as spam. This is useful in case your own mail servers ># are ever in the ORBS or MAPS lists. >#Accept Spam From = 152.78. >#Accept Spam From = 139.166. > ># Define a list of email addresses and email domains from whom you should ># always accept mail, and never mark it as spam. This is useful in case ># someone you correspond with a lot has their mail servers in the ORBS or ># MAPS lists. >Spam White List = /etc/mailscanner/spam.whitelist.conf > ># ># Advanced Features ># ================= ># ># Don't bother changing anything below this unless you really know what ># you are doing. ># > ># Set Debug to 1 to stop it running as a daemon ># and produce more verbose output >Debug = 0 > ># Attempt immediate delivery of messages, or just place them in the outgoing ># queue for the MTA to deliver at a time of its own choosing? ># If attempting immediate delivery, do them one at a time, ># or do them in batches of 30 at a time? ># Delivery Method = queue ># Delivery Method = individual >Delivery Method = batch > ># How to lock spool files. ># Don't set this unless you *know* you need to. ># For sendmail, it defaults to "flock". ># For Exim, it defaults to "posix". ># No other type is implemented. >#Lock Type = flock > ># Where to put the virus scanning engine lock files. 
># These lock files are used between MailScanner and the virus signature ># "autoupdate" scripts, to ensure that they aren't both working at the ># same time (which could cause MailScanner to let a virus through). >Lock File Dir = /tmp > ># What to do when you get several MailScanner headers in one message, ># from multiple MailScanner servers. Values are ># "append" : Append the new data to the existing header ># "add" : Add a new header ># "replace" : Replace the old data with the new data ># Default is "append" >Multiple Headers = append > ># Some versions of Microsoft Outlook generate unparsable Rich Text ># format attachments. Do we want to deliver these bad attachments anyway? ># Setting this to yes introduces the slight risk of a virus getting through, ># but if you have a lot of troubled Outlook users you might need to do this. ># We are working on a replacement for the TNEF decoder. >Deliver Unparsable TNEF = no > ># When attempting delivery of outgoing messages, should we do it in the ># background or wait for it to complete? The danger of doing it in the ># background is that the machine load goes ever upwards while all the ># slow sendmail processes run to completion. However, running it in the ># foreground may cause the mail server to run too slowly. >Deliver In Background = no > ># Minimum acceptable code stability status -- if we come across code ># that's not at least as stable as this, we barf. ># This is currently only used to check that you don't end up using untested ># virus scanner support code without realising it. ># Levels used are: ># none - there may not even be any code. ># unsupported - code may be completely untested, a contributed dirty hack, ># anything, really. ># alpha - code is pretty well untested. Don't assume it will work. ># beta - code is tested a bit. It should work. ># supported - code *should* be reliable. 
>#
># Don't even *think* about setting this to anything other than "beta" or
># "supported" on a system that receives real mail until you have tested it
># yourself and are happy that it is all working as you expect it to.
># Don't set it to anything other than "supported" on a system that could
># ever receive important mail.
>Minimum Code Status = supported

--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From brose at MED.WAYNE.EDU Sun Jun 30 15:02:30 2002
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:15:08 2006
Subject: MailScanner Wish List!
Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BCA00@med-core03.med.wayne.edu>

Most of this is done by MTAs already. You just have to parse the log file. I have a cron job that runs a script that parses out stuff such as sender, receiver, sending host, receiving host, hosts rejected due to RBL, hosts rejected due to local blacklists. We don't care about what people are talking about; that's what Carnivore and the FBI are for.

You know there could be other scripts out there that would do all this already.

-----Original Message-----
From: Moacyr Leite da Silva [mailto:moacyrs@AKADNYX.COM.BR]
Sent: Sunday, June 30, 2002 2:30 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner Wish List!

Hi

I don't know if these features are available in other tools, I was searching for things like "mail audit" in google and found an article about CPAN Mail::Audit modules. So what I did below is a kind of brainstorm about mail auditing features that would be great to be found in MailScanner. I'm not able to make this, so what I can do is ask for things like that to be in MailScanner Wish List.

Mail Auditing Capability, is something like Mail Archive, but I thought something like:

o Mail Audit = no | incoming | outgoing | both
  Specify the direction of scanning of messages for auditing
o Mail Audit Subject Text = {Mail Audit}
o Mail Auditor = Postmaster
  Specify the recipient of messages for auditing
o Mail Audit Senders = senders.to.audit.conf
  Contains the domains or emails that we need to audit (it can be compared to altivore)
o Mail Audit Recipients = recipients.to.audit.conf
  Contains the domains or emails that we need to audit (it can be compared to altivore)
o Mail Audit Content = enable | disable
o Mail Audit Content Config = content.to.audit.conf
  Contains the words or phrases that are considered unacceptable to business, it can help prevent privileged information being shared outside of company.
o Mail Audit Interval = 4h (CRON!? - cron.daily)
  messages would be processed in batch/background, and in lower priority

My Best Regards,
--
Moacyr Leite da Silva (moacyrs at akadnyx dot com dot br)
kadnyx Network Services (http://www.akadnyx.com.br)
+55 19 3242-4895
"Time is the best teacher; unfortunately, it kills all its students."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subscribe to the Akadnyx Newsletter
http://akadnyx.com.br/mailman/listinfo/informativo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From michael at NOMENNESCIO.NET Sun Jun 30 16:08:51 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:08 2006
Subject: Virus report e-mail
References: <5.1.0.14.2.20020630145036.036c8ec0@imap.ecs.soton.ac.uk>
Message-ID: <3D1F1F03.7060208@nomennescio.net>

Julian Field wrote:
> Hang on, is your "incoming" directory specified in mailscanner.conf exactly
> the same as the directory it really is? If you have some soft-links in the
> path, you'll probably run into trouble.
> From your output below, your incoming directory should be defined as
>     Incoming Work Dir = /opt/MailScanner-3.20-6/var/incoming

k, I just tested with "The EICAR Standard AntiVirus Test File" and now it shows everything correctly! Thanks. I do find it a bit strange that soft links cannot be handled properly! I create symbolic links with the generic name of *all* installed packages (/opt/mozilla points to /opt/mozilla-1.1a, etc.). I soft linked /opt/MailScanner to /opt/MailScanner-3.21-1 (in fact I still do). But I changed *all* instances of "/opt/Mailscanner/" with "/opt/MailScanner-3.21-1/" and that indeed did the trick.

--
Mike.

From jkf at ecs.soton.ac.uk Sun Jun 30 16:16:57 2002
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: Virus report e-mail
In-Reply-To: <3D1F1F03.7060208@nomennescio.net>
References: <5.1.0.14.2.20020630145036.036c8ec0@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020630161517.035f76f8@imap.ecs.soton.ac.uk>

At 16:08 30/06/2002, you wrote:
>Julian Field wrote:
>>Hang on, is your "incoming" directory specified in mailscanner.conf exactly
>>the same as the directory it really is? If you have some soft-links in the
>>path, you'll probably run into trouble. From your output below, your
>>incoming directory should be defined as
>>    Incoming Work Dir = /opt/MailScanner-3.20-6/var/incoming
>
>k, I just tested with "The EICAR Standard AntiVirus Test File" and now
>it shows everything correctly! Thanks. I do find it a bit strange that
>soft links cannot be handled properly!

It's a quirk of the McAfee scanner. Rather than just printing the relative pathname of files it reports, it prints the complete path.
But it reports the *real* path, rather than the route you took to get there.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From bill at DISTMIRR.COM Sun Jun 30 15:20:45 2002
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:15:08 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <20020630080352.GX1239@hoiho.nz.lemon-computing.com>
References: <1025419405.2606.8.camel@linuxlaptop.spis.net> <20020630080352.GX1239@hoiho.nz.lemon-computing.com>
Message-ID: <1025446847.2606.15.camel@linuxlaptop.spis.net>

> The only Amavis-related help we can give you here is to advise you to dump
> it and start using mailscanner... ;)

LOL Oh man do I feel like a moron!! :)

I have been fighting and fighting with mailscanner and I've never been able to get it to send mail out of the queue. Which is why I'm trying amavis (and I'm not very happy with it at all, the docs are horrible and their list is totally dead).

The problem I'm having with mailscanner is it spits out an error message to the terminal that says to *PLEASE* go read the codestatus.shtml page, something about logger.pl line 64, then it exits out.

I'm trying to use Kaspersky, I have sweep = /opt/MailScanner/kaspersky/kasperskywrapper, I have also tried to point it directly to the kaspersky scanner, no change.

Any advice?

Again, sorry about the late night mindless post :)

Regards,
Bill Omer

From sysadmin at DMS.UMONTREAL.CA Sun Jun 30 16:23:55 2002
From: sysadmin at DMS.UMONTREAL.CA (sysadmin)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
References: <5.1.0.14.2.20020630145036.036c8ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020630161517.035f76f8@imap.ecs.soton.ac.uk>
Message-ID: <3D1F228B.1020306@DMS.UMontreal.CA>

Julian Field wrote:

> At 16:08 30/06/2002, you wrote:
>
>> Julian Field wrote:
>>
>>> Hang on, is your "incoming" directory specified in mailscanner.conf exactly
>>> the same as the directory it really is? If you have some soft-links in the
>>> path, you'll probably run into trouble. From your output below, your
>>> incoming directory should be defined as
>>>     Incoming Work Dir = /opt/MailScanner-3.20-6/var/incoming
>>
>>
>> k, I just tested with "The EICAR Standard AntiVirus Test File" and now
>> it shows everything correctly! Thanks. I do find it a bit strange that
>> soft links cannot be handled properly!
>
>
> It's a quirk of the McAfee scanner. Rather than just printing the relative
> pathname of files it reports, it prints the complete path. But it reports
> the *real* path, rather than the route you took to get there.
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ

I was just testing some config options, namely adding the RFC-IGNORANT checks and this message got marked spam with just RFC-IGNORANT-WHOIS in the X-MailScanner-SpamCheck field, which suggests it might be a too sensitive test.

Chris

--
--------------------------------------------------------------------
Christopher Albert
Head of IT Services
Departement de mathematiques et de statistique
Universite de Montreal
bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------

From michael at NOMENNESCIO.NET Sun Jun 30 16:30:51 2002
From: michael at NOMENNESCIO.NET (Mike Klinkert)
Date: Thu Jan 12 21:15:08 2006
Subject: Problem with "Compile SpamAssassin Once" (Addendum)
References: <5.1.0.14.2.20020629113207.0369b5b8@imap.ecs.soton.ac.uk> <3D1E0506.8060405@nomennescio.net> <5.1.0.14.2.20020630144018.03598c70@imap.ecs.soton.ac.uk>
Message-ID: <3D1F242B.3060704@nomennescio.net>

Julian Field wrote:
> What version of Perl are you using? It has to be a Perl/SpamAssassin
> problem. Try upgrading to Perl 5.6.1 then re-install SpamAssassin and see
> if that cures it.

5.6.1

> The other alternative is that it is failing to read one of your "rule
> scores" files. If you uninstall SpamAssassin, then go round and find the
> spamassassin.cf files and user_prefs files and stuff like that, to ensure
> that you have *completely* removed it, then re-install SpamAssassin. Just
> upgrading SpamAssassin probably won't touch your SA config files.
>
> I have just done a little search of my SA installation and the 25FREEMEGS
> text is mentioned in spamassassin.cf (in /usr/lib/perl5/site-perl/5.6.1).
> Ensure you delete this file before re-installing SA.

I completely removed SA (so I thought) and installed it again, with no success. It turned out that there was a dir in /etc/mail called spamassassin, which contained .cf files which were previously in /etc. I removed them and now it works. Thanks for the hint! Great job Julian!

--
Mike.

From mailscanner at ecs.soton.ac.uk Sun Jun 30 16:58:35 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
In-Reply-To: <3D1F228B.1020306@DMS.UMontreal.CA>
References: <5.1.0.14.2.20020630145036.036c8ec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020630161517.035f76f8@imap.ecs.soton.ac.uk>
Message-ID: <5.1.0.14.2.20020630165752.02aec818@imap.ecs.soton.ac.uk>

At 16:23 30/06/2002, you wrote:
>I was just testing some config options, namely adding the RFC-IGNORANT
>checks and this message got marked spam with just
>RFC-IGNORANT-WHOIS in the X-MailScanner-SpamCheck field,
>
>which suggests it might be a too sensitive test.

I personally don't use any of the rfc-ignorant tests at all.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From mailscanner at ecs.soton.ac.uk Sun Jun 30 16:57:22 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: EX_TEMPFAIL error
In-Reply-To: <1025446847.2606.15.camel@linuxlaptop.spis.net>
References: <20020630080352.GX1239@hoiho.nz.lemon-computing.com> <1025419405.2606.8.camel@linuxlaptop.spis.net> <20020630080352.GX1239@hoiho.nz.lemon-computing.com>
Message-ID: <5.1.0.14.2.20020630165426.03584478@imap.ecs.soton.ac.uk>

At 15:20 30/06/2002, you wrote:
> > The only Amavis-related help we can give you here is to advise you to dump
> > it and start using mailscanner... ;)
>
>
>LOL Oh man do I feel like a moron!! :)
>
>I have been fighting and fighting with mailscanner and I've never been
>able to get it to send mail out of the queue.

What is so hard about it? I would like to know where it or the docs need improving.

> Which is why I'm trying
>amavis (and I'm not very happy with it at all, the docs are horrible and
>their list is totally dead).
>
>The problem I'm having with mailscanner is it spits out an error message
>to the terminal that says to *PLEASE* go read the codestatus.shtml page,
>something about logger.pl line 64, then it exits out.

To quote the error message:
"FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml"
Have you actually read that web page? Seems fairly clear to me (but then again it would, I wrote it).
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From brandonf at BFCONSULT.CO.ZA Sun Jun 30 17:17:51 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:08 2006
Subject: Sophos Update Logs
Message-ID: <3D1F2F2F.6020904@bfconsult.co.za>

This isn't a mailscanner question....

Where do I find the Sophos update log?

How do I know if sophos is updating and is up-to-date?

--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From mailscanner at ecs.soton.ac.uk Sun Jun 30 17:25:58 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: Sophos Update Logs
In-Reply-To: <3D1F2F2F.6020904@bfconsult.co.za>
Message-ID: <5.1.0.14.2.20020630172311.035f4128@imap.ecs.soton.ac.uk>

At 17:17 30/06/2002, you wrote:
>This isn't a mailscanner question....
>
>Where do I find the Sophos update log?
>
>How do I know if sophos is updating and is up-to-date?

Take a look at the name of the /usr/local/Sophos/ide..... directory. Its name includes the date and time of the last update, in the form ccyymmddhhmm (century, year, month, date, hour, minute)
And if you take a look in there you should find a few very recent files.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From David.Sullivan at BARNET.AC.UK Sun Jun 30 18:11:51 2002
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
In-Reply-To: <5.1.0.14.2.20020630165752.02aec818@imap.ecs.soton.ac.uk>
References: <3D1F228B.1020306@DMS.UMontreal.CA>
Message-ID: <3D1F49E7.23176.4811A3@localhost>

On 30 Jun 2002 at 16:58, Julian Field wrote:

> At 16:23 30/06/2002, you wrote:
> >I was just testing some config options, namely adding the RFC-IGNORANT
> >checks and this message got marked spam with just
> >RFC-IGNORANT-WHOIS in the X-MailScanner-SpamCheck field,
> >
> >which suggests it might be a too sensitive test.
>
> I personally don't use any of the rfc-ignorant tests at all.

One good reason not to is that .uk is listed, that'll be why rfc-ignorant flagged it.

David

==============================================================
This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications.
==============================================================

From mailscanner at ecs.soton.ac.uk Sun Jun 30 18:19:03 2002
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
In-Reply-To: <3D1F49E7.23176.4811A3@localhost>
References: <5.1.0.14.2.20020630165752.02aec818@imap.ecs.soton.ac.uk> <3D1F228B.1020306@DMS.UMontreal.CA>
Message-ID: <5.1.0.14.2.20020630181758.036e4af0@imap.ecs.soton.ac.uk>

At 18:11 30/06/2002, you wrote:
>One good reason not to is that .uk is listed, that'll be why rfc-ignorant
>flagged it.

The whole country? Wow! Now that's what I call a broad brush...
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From David.Sullivan at BARNET.AC.UK Sun Jun 30 18:56:46 2002
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: Virus report e-mail
In-Reply-To: <5.1.0.14.2.20020630181758.036e4af0@imap.ecs.soton.ac.uk>
References: <3D1F49E7.23176.4811A3@localhost>
Message-ID: <3D1F546E.25899.713674@localhost>

On 30 Jun 2002 at 18:19, Julian Field wrote:

> At 18:11 30/06/2002, you wrote:
> >One good reason not to is that .uk is listed, that'll be why rfc-ignorant
> >flagged it.
>
> The whole country? Wow! Now that's what I call a broad brush...

http://www.rfc-ignorant.org/policy-whois.html

3.) If a TLD does not have a working, public, free of charge WHOIS registry working and providing all the necessary contact information, then by definition no domain in that TLD is RFC954-compliant, and that would make the entire TLD a viable candidate for listing.

UK domains don't have any contact information (yet) in their whois listing so in it goes ..

If anything it illustrates that if you're going to be using a blacklist service you need to research exactly what is listed and why.

Regards

David

From brandonf at BFCONSULT.CO.ZA Sun Jun 30 21:25:13 2002
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:15:08 2006
Subject: Sophos Update Logs
References: <5.1.0.14.2.20020630172311.035f4128@imap.ecs.soton.ac.uk>
Message-ID: <3D1F6929.6030703@bfconsult.co.za>

I got it thanks~

However, is it not possible to get an e-mail of update-reports? Failure, success or whatever?

Julian Field wrote:

> At 17:17 30/06/2002, you wrote:
>
>> This isn't a mailscanner question....
>>
>> Where do I find the Sophos update log?
>>
>> How do I know if sophos is updating and is up-to-date?
>
>
> Take a look at the name of the /usr/local/Sophos/ide..... directory. Its
> name includes the date and time of the last update, in the form
> ccyymmddhhmm
> (century, year, month, date, hour, minute)
> And if you take a look in there you should find a few very recent files.
> --
> Julian Field Teaching Systems Manager
> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
>

--
Regards
Brandon Friedman
Cell:083 408 7840
E-mail: brandonf@bfconsult.co.za
www.bfconsult.co.za

From mike at CAMAROSS.NET Sun Jun 30 21:30:15 2002
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:15:08 2006
Subject: Sophos Update Logs
References: <5.1.0.14.2.20020630172311.035f4128@imap.ecs.soton.ac.uk> <3D1F6929.6030703@bfconsult.co.za>
Message-ID: <000901c22074$f1f55ec0$01000001@home.wideopenthrottle.org>

Mine updates every morning at 4am and the results show up in my maillog.

Mike

----- Original Message -----
From: "Brandon Friedman"
To:
Sent: Sunday, June 30, 2002 3:25 PM
Subject: Re: Sophos Update Logs

> I got it thanks~
>
> However, is it not possible to get an e-mail of update-reports?
> Failure, success or whatever?
>
> Julian Field wrote:
>
> > At 17:17 30/06/2002, you wrote:
> >
> >> This isn't a mailscanner question....
> >>
> >> Where do I find the Sophos update log?
> >>
> >> How do I know if sophos is updating and is up-to-date?
> >
> >
> > Take a look at the name of the /usr/local/Sophos/ide..... directory. Its
> > name includes the date and time of the last update, in the form
> > ccyymmddhhmm
> > (century, year, month, date, hour, minute)
> > And if you take a look in there you should find a few very recent files.
> > --
> > Julian Field Teaching Systems Manager
> > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817 University of Southampton
> > Southampton SO17 1BJ
> >
>
> --
>
> Regards
> Brandon Friedman
> Cell:083 408 7840
> E-mail: brandonf@bfconsult.co.za
> www.bfconsult.co.za
>

From gerry at DORFAM.CA Sun Jun 30 21:50:10 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:08 2006
Subject: All messages marked as spam? (fwd)
Message-ID:

I've attached the spam check header from your return message.

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer

---------- Forwarded message ----------
From: Julian Field
Subject: {SPAM?} Re: All messages marked as spam?
To: MAILSCANNER@JISCMAIL.AC.UK
In-Reply-To:
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: RFC-IGNORANT-WHOIS, SpamAssassin (score=-2.1, required 5, IN_REP_TO, SUBJ_ENDS_IN_Q_MARK, RCVD_IN_MULTIHOP_DSBL, X_RCVD_IN_UNCONFIRMED_DSBL, FUDGE_MULTIHOP_RELAY, AWL)

At 13:25 30/06/2002, you wrote:
>In an ironic twist of fate, mailscanner has started marking all messages
>from this mailing list with {SPAM?} in the subject line! It doesn't act
>this way with any other mail.

What does the SpamCheck header say? That will tell you exactly why it thought it was spam.
--
Julian Field Teaching Systems Manager
jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ

From David.Sullivan at BARNET.AC.UK Sun Jun 30 22:38:21 2002
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:15:08 2006
Subject: All messages marked as spam? (fwd)
In-Reply-To:
Message-ID: <3D1F885D.26880.13C1DFE@localhost>

On 30 Jun 2002 at 16:50, Gerry Doris wrote:

> I've attached the spam check header from your return message.
>
> Gerry
>
> X-MailScanner-SpamCheck: RFC-IGNORANT-WHOIS, SpamAssassin (score=-2.1,
> required 5, IN_REP_TO, SUBJ_ENDS_IN_Q_MARK, RCVD_IN_MULTIHOP_DSBL,
> X_RCVD_IN_UNCONFIRMED_DSBL, FUDGE_MULTIHOP_RELAY, AWL)

See my previous messages in the "{SPAM?} Re: Virus report e-mail" thread. Any message from .uk domains will be blacklisted by rfc-ignorant including this list.

Regards.

David

From gerry at DORFAM.CA Sun Jun 30 23:03:12 2002
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:15:08 2006
Subject: {SPAM?} Re: All messages marked as spam? (fwd)
In-Reply-To: <3D1F885D.26880.13C1DFE@localhost>
Message-ID:

On Sun, 30 Jun 2002, David Sullivan wrote:

> See my previous messages in the "{SPAM?} Re: Virus report e-mail"
> thread. Any message from .uk domains will be blacklisted by rfc-ignorant
> including this list.
>
> Regards.
>
> David

Hmmm, the entire country!! Thanks, I've removed the rfc-ignorant lookups and will see if that fixes it.

Gerry

--
"The lyfe so short, the craft so long to learne" Chaucer
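
The X-MailScanner-SpamCheck header quoted in this thread can be read mechanically to see which check tagged a message. The Python below is an added example, not part of the original messages and not MailScanner's own code: it parses that header and counts, per blacklist, the messages tagged on a blacklist hit alone while SpamAssassin scored them below its threshold. The field layout is inferred from the one header shown in the thread, and the extra sample values and their rule names are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Header value as quoted in the thread above.
THREAD_HEADER = (
    "RFC-IGNORANT-WHOIS, SpamAssassin (score=-2.1, required 5, IN_REP_TO, "
    "SUBJ_ENDS_IN_Q_MARK, RCVD_IN_MULTIHOP_DSBL, X_RCVD_IN_UNCONFIRMED_DSBL, "
    "FUDGE_MULTIHOP_RELAY, AWL)"
)
# The same header as it appears quoted and wrapped in a reply.
QUOTED_HEADER = (
    "> X-MailScanner-SpamCheck: RFC-IGNORANT-WHOIS, SpamAssassin (score=-2.1,\n"
    "> required 5, IN_REP_TO, SUBJ_ENDS_IN_Q_MARK, RCVD_IN_MULTIHOP_DSBL,\n"
    "> X_RCVD_IN_UNCONFIRMED_DSBL, FUDGE_MULTIHOP_RELAY, AWL)"
)
# Constructed samples in the same layout; the rule names are placeholders.
CONSTRUCTED = [
    "SpamAssassin (score=7.3, required 5, EXAMPLE_RULE_A, EXAMPLE_RULE_B)",
    "RFC-IGNORANT-WHOIS, SpamAssassin (score=6.0, required 5, EXAMPLE_RULE_A)",
]

_NUM = r"(-?\d+(?:\.\d+)?)"
_SA_BLOCK = re.compile(r"SpamAssassin\s*\(([^)]*)\)")


@dataclass
class SpamCheck:
    rbl_hits: List[str]            # blacklist names listed outside the SA block
    sa_score: Optional[float]
    sa_required: Optional[float]
    sa_rules: List[str]

    @property
    def sa_says_spam(self) -> bool:
        # SpamAssassin calls a message spam when score >= required.
        return (self.sa_score is not None and self.sa_required is not None
                and self.sa_score >= self.sa_required)

    @property
    def flagged_by(self) -> str:
        if self.rbl_hits and self.sa_says_spam:
            return "both"
        if self.rbl_hits:
            return "rbl-only"
        return "spamassassin-only" if self.sa_says_spam else "none"


def parse_spamcheck(value: str) -> SpamCheck:
    # Strip reply-quote markers, unfold wrapped lines, drop the header name.
    value = re.sub(r"(?m)^[> \t]+", "", value)
    value = " ".join(value.split())
    value = re.sub(r"^X-MailScanner-SpamCheck:\s*", "", value, flags=re.I)
    score = required = None
    rules: List[str] = []
    block = _SA_BLOCK.search(value)
    if block:
        for item in (part.strip() for part in block.group(1).split(",")):
            m_score = re.fullmatch(r"score=" + _NUM, item)
            m_req = re.fullmatch(r"required\s+" + _NUM, item)
            if m_score:
                score = float(m_score.group(1))
            elif m_req:
                required = float(m_req.group(1))
            elif item:
                rules.append(item)
        value = value[:block.start()] + value[block.end():]
    rbls = [part.strip() for part in value.split(",") if part.strip()]
    return SpamCheck(rbls, score, required, rules)


def rbl_only_counts(headers) -> Counter:
    """Per blacklist: messages tagged although SpamAssassin scored them clean."""
    counts: Counter = Counter()
    for header in headers:
        check = parse_spamcheck(header)
        if check.flagged_by == "rbl-only":
            counts.update(check.rbl_hits)
    return counts


if __name__ == "__main__":
    for header in [THREAD_HEADER, QUOTED_HEADER] + CONSTRUCTED:
        print(parse_spamcheck(header).flagged_by)
    print(dict(rbl_only_counts([THREAD_HEADER, QUOTED_HEADER] + CONSTRUCTED)))
```

A blacklist that dominates the "rbl-only" count while SpamAssassin scores the same mail well below threshold is the one whose listing policy needs reading before it is left enabled.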