From LISTSERV at JISCMAIL.AC.UK Wed May 1 02:13:50 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:39 2006 Subject: MAILSCANNER: jpenner@NISA.NET requested to join Message-ID: <200205010113.CAA11206@magpie.ecs.soton.ac.uk> Wed, 1 May 2002 02:13:50 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jamie Penner The following membership options have been requested: NOMAIL. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jpenner@NISA.NET Jamie Penner PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jpenner@NISA.NET Jamie Penner SET MAILSCANNER NOMAIL FOR jpenner@NISA.NET // EOJ From jkf at ecs.soton.ac.uk Wed May 1 11:13:15 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:39 2006 Subject: Is this possible? In-Reply-To: <00ae01c1f046$eebb8c10$48cf75cc@fizz> Message-ID: <5.1.0.14.2.20020501111238.035385e0@imap.ecs.soton.ac.uk> At 13:59 30/04/2002, you wrote: >To remove the DNS checking in spamassassin? >and keep the other checks.. Look through the user_prefs file in SA and you'll find something along the lines of ignore_rbl_checks, which you should un-comment and set to 1. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Wed May 1 13:55:39 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:39 2006 Subject: Return-Path header corrupt in virus reports In-Reply-To: <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> Message-ID: <397548384.1020261339@mallard.open.ac.uk> On 29 April 2002 21:13 +0100 Julian Field wrote: > What has that bounce got to do with $g? The "unparsable" error > message is due to the TNEF decoder not being able to handle the weird > and wonderful TNEF formats that some versions of Outlook produce. > It's nothing to do with the Return-Path:, which MailScanner makes no > use of. Can MailScanner be fixed to display the Return-Path: header correctly? Thanks, Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From LISTSERV at JISCMAIL.AC.UK Wed May 1 14:33:29 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:39 2006 Subject: MAILSCANNER: error report from SOUTHWESTERN.EDU Message-ID: <200205011333.OAA21034@magpie.ecs.soton.ac.uk> The enclosed message, found in the MAILSCANNER mailbox and shown under the spool ID 11251735 in the system log, has been identified as a possible delivery error notice for the following reason: "Sender:", "From:" or "Reply-To:" field pointing to the list has been found in mail body. ------------------------ Message in error (219 lines) ------------------------- Return-Path: Received: from ori.rl.ac.uk by jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <9.000ECC82@jiscmail.ac.uk>; Wed, 1 May 2002 14:33:29 +0100 Received: from ralph2.southwestern.edu (ralph2.southwestern.edu [161.13.1.122]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g41DXSg01393 for ; Wed, 1 May 2002 14:33:28 +0100 Received: from southwestern.edu (zero.southwestern.edu [161.13.2.23]) by ralph2.southwestern.edu (8.11.6/8.11.6) with ESMTP id g41DWPK04006 for ; Wed, 1 May 2002 08:32:25 -0500 Message-ID: <3CCFEE98.2030508@southwestern.edu> Date: Wed, 01 May 2002 08:33:12 -0500 From: Peter Valian Organization: Southwestern University User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326 X-Accept-Language: en-us, en MIME-Version: 1.0 To: MailScanner mailing list Subject: Re: Return-Path header corrupt in virus reports References: <5.1.0.14.2.20020429170050.033caec0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-MailScanner: Found to be clean OK, that was a bad example...this may be better. It was an attempt by the mailing list smtp server to me. I am 100% M$ free. Running RedHat Linux 7.2 and using Mozilla for mail. I see you guys are running NT. From: "MailScanner" Date: Wed, 1 May 2002 05:26:55 -0500 To: virusalert@southwestern.edu Subject: Warning: E-mail viruses detected The following e-mail messages were found to have viruses in them: Sender: Recipient: Subject: Re: Is this possible? MessageID: g41AFHK24325 Report: Could not parse message g41AFHK24325 Full headers are: Return-Path: Received: from jiscmail.ac.uk (jiscmail.ac.uk [130.246.192.48]) by ralph2.southwestern.edu (8.11.6/8.11.6) with ESMTP id g41AFHK24325 for ; Wed, 1 May 2002 05:15:17 -0500 Received: from jiscmail (jiscmail.ac.uk) by jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <0.001B2A15@jiscmail.ac.uk>; Wed, 1 May 2002 11:15:15 +0100 Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8d) with spool id 11245083 for MAILSCANNER@JISCMAIL.AC.UK; Wed, 1 May 2002 11:15:15 +0100 Received: from ori.rl.ac.uk by jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <9.000ECA50@jiscmail.ac.uk>; Wed, 1 May 2002 11:15:15 +0100 Received: from gadolinium.btinternet.com (gadolinium.btinternet.com [194.73.73.111]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id g41AFEg25054 for ; Wed, 1 May 2002 11:15:14 +0100 Received: from host217-39-170-149.in-addr.btopenworld.com ([217.39.170.149] helo=thief.ecs.soton.ac.uk) by gadolinium.btinternet.com with esmtp (Exim 3.22 #8) id 172r8j-0005P8-00 for MAILSCANNER@JISCMAIL.AC.UK; Wed, 01 May 2002 11:15:13 +0100 X-Sender: jkf@imap.ecs.soton.ac.uk (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Message-ID: <5.1.0.14.2.20020501111238.035385e0@imap.ecs.soton.ac.uk> Date: Wed, 1 May 2002 11:13:15 +0100 Reply-To: MailScanner mailing list Sender: MailScanner mailing list From: Julian Field Subject: Re: Is this possible? To: MAILSCANNER@JISCMAIL.AC.UK In-Reply-To: <00ae01c1f046$eebb8c10$48cf75cc@fizz> -- MailScanner Email Virus Scanner Julian Field wrote: > What has that bounce got to do with $g? The "unparsable" error message is > due to the TNEF decoder not being able to handle the weird and wonderful > TNEF formats that some versions of Outlook produce. It's nothing to do with > the Return-Path:, which MailScanner makes no use of. > > At 17:24 29/04/2002, you wrote: > >> Well, here's an example bounce: >> >> Date: Thu, 25 Apr 2002 12:02:52 -0500 >> From: "MailScanner" >> To: >> Subject: Warning: E-mail error detected >> X-MailScanner: Found to be clean >> >> Our virus detector failed to completely analyse a message you sent:- >> To: , , >> , >> Subject: Re: Montgomery >> Date: Thu Apr 25 12:02:52 2002 >> Any parts of the message that could not be analysed will not have been >> delivered. >> >> If you are using Microsoft Outlook, we strongly recommend you change your >> outgoing message format from "Rich Text" to "HTML" or "Plain Text". >> >> The virus detector said this about the message: >> Report: Could not parse message g3PH2oK27075 >> -- >> MailScanner >> Email Virus Scanner >> >> >> Julian Field wrote: >> >>> At 16:52 29/04/2002, you wrote: >>> >>>> If someone knows how to fix this please tell me. I have been >>>> struggling >>>> with it for several months now. I believe these messages are lost. Im >>>> getting ready to abandon mailscanner because I don't see a way to fix >>>> it. I don't want to leave mailscanner but i cannot sit here and lose >>>> mail. >>> >>> >>> >>> Can you explain why you think you might be losing mail because of >>> this? I >>> haven't seen any evidence of this happening. >>> >>>> Ben C. O. Grimm wrote: >>>> >>>>> On 27 Apr 2002 09:48:28 +0200, Mike Zanker wrote: >>>>> >>>>> >>>>>> I've noticed that the postmaster virus report always seems to have >>>>>> the >>>>>> same corrupt Return-Path header, e.g. >>>>>> >>>>>> Full headers are: >>>>>> Return-Path: >>>>>> >>>>>> Is this a bug or my misconfiguration somewhere? >>>>> >>>>> >>>>> >>>>> >>>>> It looks like soms kind of Sendmail emulation that doesn't quite work >>>>> yet. >>>>> In Sendmailese, the Return-Path has this format: >>>>> >>>>> H?P?Return-Path: <$g> >>>>> >>>>> -- >>>>> - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - >>>>> - Wirehub! Internet Engineering - http://www.wirehub.net/ - >>>>> - Wirehub! Backbone --- http://doema.wirehub.net/wirehub/ - >>>>> - Private Ponderings ----------- http://www.bengrimm.net/ - >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> Peter Valian >>>> Network & Systems Administrator >>>> Southwestern University >>>> Georgetown, Texas >>>> 512.863.1586 office >>>> 512.863.1605 fax >>>> -- >>> >>> >>> >>> -- >>> Julian Field Teaching Systems Manager >>> jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >>> Tel. 023 8059 2817 University of Southampton >>> Southampton SO17 1BJ >> >> >> >> >> -- >> Peter Valian >> Network & Systems Administrator >> Southwestern University >> Georgetown, Texas >> 512.863.1586 office >> 512.863.1605 fax >> -- > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Peter Valian Network & Systems Administrator Southwestern University Georgetown, Texas 512.863.1586 office 512.863.1605 fax -- From LISTSERV at JISCMAIL.AC.UK Wed May 1 15:04:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:39 2006 Subject: MAILSCANNER: leva@INTERWARE.HU left the JISCmail list Message-ID: <200205011404.PAA26878@magpie.ecs.soton.ac.uk> Wed, 1 May 2002 15:04:46 "Kov?cs, Levente" has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Wed May 1 15:24:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:39 2006 Subject: MAILSCANNER: arthur@HILJO.NL requested to join Message-ID: <200205011424.PAA00570@magpie.ecs.soton.ac.uk> Wed, 1 May 2002 15:24:36 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from "Arthur E. Groen" You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER arthur@HILJO.NL Arthur E. Groen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER arthur@HILJO.NL Arthur E. Groen // EOJ From sevans at FOUNDATION.SDSU.EDU Wed May 1 19:04:07 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:39 2006 Subject: MailScanner Not Starting Itself Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE842@mail.foundation.sdsu.edu> I installed MailScanner with the RPM. When I reboot the machine MailScanner is not scanning for viruses. If I restart the mailscanner service though everything works fine. It always is delivering mail though. Any ideas? Steve Evans Computing Services SDSU Foundation 619 594-0653 From tal at MUSICGENOME.COM Wed May 1 19:11:14 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:39 2006 Subject: MailScanner Not Starting Itself In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE842@mail.foundation.sdsu.edu> References: <7E2D2700ADE29542BAFC135552997E6C0AE842@mail.foundation.sdsu.edu> Message-ID: <1020276674.2031.2.camel@localhost.localdomain> Try running "chkconfig mailscanner on" and "chkconfig sendmail off" On Wed, 2002-05-01 at 21:04, Steve Evans wrote: > I installed MailScanner with the RPM. When I reboot the machine > MailScanner is not scanning for viruses. If I restart the mailscanner > service though everything works fine. It always is delivering mail > though. Any ideas? > > Steve Evans > Computing Services > SDSU Foundation > 619 594-0653 > -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020501/ef65eb76/attachment.bin From tom at TILMANT.COM Thu May 2 06:44:37 2002 From: tom at TILMANT.COM (Tom Tilmant) Date: Thu Jan 12 21:14:39 2006 Subject: MailScanner Not Starting Itself In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE842@mail.foundation.sdsu.edu> Message-ID: <001c01c1f19c$72367bd0$05eb14ac@doublet> Sounds like a conflict between the sendmail and MailScanner startup scripts. Make sure you have disabled the sendmail script and enabled the MailScanner script in rcX.d. Tom > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Steve Evans > Sent: Wednesday, May 01, 2002 11:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner Not Starting Itself > > I installed MailScanner with the RPM. When I reboot the machine > MailScanner is not scanning for viruses. If I restart the mailscanner > service though everything works fine. It always is delivering mail > though. Any ideas? > > Steve Evans > Computing Services > SDSU Foundation > 619 594-0653 From LISTSERV at JISCMAIL.AC.UK Thu May 2 05:17:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:39 2006 Subject: MAILSCANNER: vanhorn@WHIDBEY.COM requested to join Message-ID: <200205020417.FAA01441@magpie.ecs.soton.ac.uk> Thu, 2 May 2002 05:17:45 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from "G. Armour Van Horn" You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER vanhorn@WHIDBEY.COM G. Armour Van Horn PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER vanhorn@WHIDBEY.COM G. Armour Van Horn // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 1 20:04:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: kerry@MAINE.EDU requested to join Message-ID: <200205011904.UAA21965@magpie.ecs.soton.ac.uk> Wed, 1 May 2002 20:04:35 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Irelann Anderson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kerry@MAINE.EDU Irelann Anderson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kerry@MAINE.EDU Irelann Anderson // EOJ From wkuiters at FREE.FR Thu May 2 11:00:26 2002 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:14:40 2006 Subject: {SPAM?} Why are all messages tagged SPAM? Message-ID: <20020502100026.GA767@bragann> I installed Mailscanner some two months ago in combination with sophos and it works fine. Thanks for the good work. Now I want to use it in combination with spamassassin as well. Here is the relevant section of my mailscanner.conf: ># Spam Detection ># ># Should the anti-spam checks be done on all incoming messages? >Spam Checks = yes ># Set the name of the extra header to add to all messages found to be ># likely spam. >Spam Header = X-MailScanner-SpamCheck: ># Do you want to put some text on the front of the subject line when ># we think it is spam? >Spam Modify Subject = yes ># What text do we want to put on the front (gets followed by a " ") >Spam Subject Text = {SPAM?} ># Do we have the SpamAssassin package installed? ># This is a very good, very clever heuristics-based spam checker. ># For more info and installation instructions, see http://spamassassin.taint.org/ >Use SpamAssassin = yes ># Set the list of database names and their corresponding DNS domains. ># All of these databases work in a similar way, allowing the simple use ># of multiple databases. ># See www.ordb.org and www.mail-abuse.org for more information. >Spam List = ORDB-RBL, relays.ordb.org. ># MAPS now charge for their services, so you'll have to buy a contract before ># attempting to use the next 3 lines. ># Define a list of email addresses and email domains from whom you should ># always accept mail, and never mark it as spam. This is useful in case ># someone you correspond with a lot has their mail servers in the ORBS or ># MAPS lists. >Spam White List = /etc/mailscanner/spam.whitelist.conf Here is my spam.whitelist.conf > This is a list of email addresses (with an @ sign in them) or entire email > domains (without an @ sign in them) from which you will accept mail without > ever marking it as spam. >*parinux.org >*earth.li >*kuiters.org I now get all my incoming mail, including mail coming from the domains listed above, with the {SPAM?} tag on the subject line. I can, of course de-activate the tagging in the mailscanner.conf file but the question remains why Mailscanner seems to suspect all my mail to be spam. The headers of my mail also display the line: >X-MailScanner-SpamCheck: SpamAssasin (255 hits) twice. Is this normal? Thanks for any leads, Willem From LISTSERV at JISCMAIL.AC.UK Thu May 2 11:46:39 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: gary@ARL.NET.NZ requested to join Message-ID: <200205021046.LAA11004@magpie.ecs.soton.ac.uk> Thu, 2 May 2002 11:46:39 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Gary Dick You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER gary@ARL.NET.NZ Gary Dick PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER gary@ARL.NET.NZ Gary Dick // EOJ From arthur at HILJO.NL Thu May 2 12:00:34 2002 From: arthur at HILJO.NL (Arthur E. Groen) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER on firewall Message-ID: Hallo list, I have a multie homed host firewall with GOOD, BAD and a DMZ The emailserver is in the DMZ I would like to run the mailscanner on the firewall and forward to the mailserver but mails should not look like "forwarded" The firewall is debian 2.2 with ipchains and has no mail progs running now The mail server is Sun/Solaris pls advice what mail program to install mailscanner on and how to alter mailter config rgds /Arthur From LISTSERV at JISCMAIL.AC.UK Fri May 3 13:41:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: Billy.Lewis@SSA.GOV left the JISCmail list Message-ID: <200205031241.NAA21108@magpie.ecs.soton.ac.uk> Fri, 3 May 2002 13:41:36 Billy Lewis has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Fri May 3 18:01:36 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: Robbo@EV1.NET requested to join Message-ID: <200205031701.SAA08746@magpie.ecs.soton.ac.uk> Fri, 3 May 2002 18:01:35 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Robert Mode You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER Robbo@EV1.NET Robert Mode PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER Robbo@EV1.NET Robert Mode // EOJ From LISTSERV at JISCMAIL.AC.UK Fri May 3 18:59:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: jaearick@COLBY.EDU requested to join Message-ID: <200205031759.SAA19233@magpie.ecs.soton.ac.uk> Fri, 3 May 2002 18:59:44 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jeff Earickson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jaearick@COLBY.EDU Jeff Earickson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jaearick@COLBY.EDU Jeff Earickson // EOJ From kwang at UCALGARY.CA Fri May 3 23:25:06 2002 From: kwang at UCALGARY.CA (Kai Wang) Date: Thu Jan 12 21:14:40 2006 Subject: "Inline Text Warning" and "Stored Virus Message Report" invisible Message-ID: <3CD30E42.7CCAF70B@ucalgary.ca> This bothers our help desk and postmasters. Neither "Inline Text Warning" nor the "Stored Virus Message Report" is invisible some times. They were in the message. It happens often in the Klez infected messages. Is there a way to modify MailScanner so that both of them are visible anyway? Thanks Kai From jason at MED-WEB.COM Sat May 4 00:30:00 2002 From: jason at MED-WEB.COM (Jason Summers) Date: Thu Jan 12 21:14:40 2006 Subject: "Inline Text Warning" and "Stored Virus Message Report" invisible References: <3CD30E42.7CCAF70B@ucalgary.ca> Message-ID: <3CD31D78.88BFB939@med-web.com> Kai Wang wrote: > > This bothers our help desk and postmasters. Neither "Inline Text > Warning" nor the "Stored Virus Message Report" is invisible some > times. They were in the message. It happens often in the Klez > infected messages. Is there a way to modify MailScanner so that > both of them are visible anyway? (Didn't you already ask this?) I'm hoping that someone familiar with the MailScanner (or MIME-tools) code will eventually take an interest in this. In my opinion, it's a significant problem. The *immediate* problem is that the MIME-tools Perl module can't handle the messages sent by Klez. [Note: Scott G. just informed me that by "latest version", he didn't mean the 5.503beta version of MIME-tools, as I incorrectly assumed (because 5.503 is the only "latest version" listed on the MIME-tools web site). Sorry about that. I'll test 5.503 soon.] The *fundamental* problem is that MailScanner, in many cases, sends its warning as one part of a "multipart/alternative" message. As such, the email client isn't expected to show all the attachments -- it's supposed to pick the one it thinks it can handle best. Technically, it's supposed to either ask the user, or display the *last* part that it is capable of displaying. And since the MailScanner warning is inserted into the *first* part of an appropriate type, it shouldn't be surprising when an email client doesn't display the part with the MailScanner warning in it. Would it be reasonable to have MailScanner convert "multipart/alternative" messages to "multipart/mixed"? If so, how might one go about doing that? -- Jason Summers From LISTSERV at JISCMAIL.AC.UK Fri May 3 23:37:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: andrea_ferraris@LIBERO.IT requested to join Message-ID: <200205032237.XAA09178@magpie.ecs.soton.ac.uk> Fri, 3 May 2002 23:37:13 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Andrea Ferraris You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER andrea_ferraris@LIBERO.IT Andrea Ferraris PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER andrea_ferraris@LIBERO.IT Andrea Ferraris // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 4 03:03:58 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: hciss@HCIWS.COM requested to join Message-ID: <200205040203.DAA15863@magpie.ecs.soton.ac.uk> Sat, 4 May 2002 03:03:58 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Matthew H The following membership options have been requested: HTML INDEX NOMAIL CONCEAL. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER hciss@HCIWS.COM Matthew H PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER hciss@HCIWS.COM Matthew H SET MAILSCANNER HTML INDEX NOMAIL CONCEAL FOR hciss@HCIWS.COM // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 4 12:51:24 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: bruce@HOULT.ORG requested to join Message-ID: <200205041151.MAA01089@magpie.ecs.soton.ac.uk> Sat, 4 May 2002 12:51:24 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Bruce Hoult You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER bruce@HOULT.ORG Bruce Hoult PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER bruce@HOULT.ORG Bruce Hoult // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 4 14:14:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: dahlberg@BUCKNELL.EDU requested to join Message-ID: <200205041314.OAA15892@magpie.ecs.soton.ac.uk> Sat, 4 May 2002 14:14:21 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Michael Dahlberg You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dahlberg@BUCKNELL.EDU Michael Dahlberg PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dahlberg@BUCKNELL.EDU Michael Dahlberg // EOJ From LISTSERV at JISCMAIL.AC.UK Sun May 5 02:38:49 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: rob.moore@POWERDISK.CO.UK requested to join Message-ID: <200205050138.CAA29901@magpie.ecs.soton.ac.uk> Sun, 5 May 2002 02:38:49 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Rob Moore You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER rob.moore@POWERDISK.CO.UK Rob Moore PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER rob.moore@POWERDISK.CO.UK Rob Moore // EOJ From jkf at ecs.soton.ac.uk Mon May 6 10:23:21 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:40 2006 Subject: Return-Path header corrupt in virus reports In-Reply-To: <397548384.1020261339@mallard.open.ac.uk> References: <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020506102255.03ce59c8@imap.ecs.soton.ac.uk> At 13:55 01/05/2002, you wrote: >Can MailScanner be fixed to display the Return-Path: header correctly? If only I could work out what was causing it! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon May 6 10:28:24 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:40 2006 Subject: {SPAM?} Why are all messages tagged SPAM? In-Reply-To: <20020502100026.GA767@bragann> Message-ID: <5.1.0.14.2.20020506102601.03ce5198@imap.ecs.soton.ac.uk> At 11:00 02/05/2002, you wrote: >I installed Mailscanner some two months ago in combination with sophos and >it works fine. Thanks for the good work. > >Now I want to use it in combination with spamassassin as well. > >Here is my spam.whitelist.conf > > This is a list of email addresses (with an @ sign in them) or entire email > > domains (without an @ sign in them) from which you will accept mail without > > ever marking it as spam. > > >*parinux.org > >*earth.li > >*kuiters.org The examples in the docs explicitly say "*.parinux.org" and not "*parinux.org", so you may be better trying that. Not sure if it will make a difference but I would definitely fix it anyway. >I now get all my incoming mail, including mail coming from the domains >listed above, with the {SPAM?} tag on the subject line. I can, of course >de-activate the tagging in the mailscanner.conf file but the question >remains why Mailscanner seems to suspect all my mail to be spam. > >The headers of my mail also display the line: > > >X-MailScanner-SpamCheck: SpamAssasin (255 hits) > >twice. Is this normal? SpamAssassin repoting 255 hits is definitely wrong, it should be a small number. I suggest you properly test your SpamAssassin installation using their tests and scripts, to prove it is working properly. I haven't seen this behaviour before. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon May 6 10:30:21 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER on firewall In-Reply-To: Message-ID: <5.1.0.14.2.20020506102859.03ce8930@imap.ecs.soton.ac.uk> At 12:00 02/05/2002, you wrote: >I have a multie homed host firewall with GOOD, BAD and a DMZ >The emailserver is in the DMZ >I would like to run the mailscanner on the firewall >and forward to the mailserver but mails should not look >like "forwarded" As the mail will be passing through an MTA on your firewall host, then it is bound to get an extra "Received-By" header added to it. You can't avoid that. If I were you I wouldn't run something as complicated as MailScanner and an MTA on your firewall, they would be better hosted on your mail server. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ryanw at FALSEHOPE.COM Mon May 6 12:16:18 2002 From: ryanw at FALSEHOPE.COM (Ryan Weaver) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER on firewall References: <5.1.0.14.2.20020506102859.03ce8930@imap.ecs.soton.ac.uk> Message-ID: <001f01c1f4ef$7525b0d0$6501a8c0@ryan> ----- Original Message ----- From: "Julian Field" Sent: Monday, May 06, 2002 4:30 AM Subject: Re: MAILSCANNER on firewall > As the mail will be passing through an MTA on your firewall host, then it > is bound to get an extra "Received-By" header added to it. You can't avoid > that. Technically, if your running sendmail, you can modify the sendmail.cf Headers section... That could be used to prevent a Remote->Firewall Received Header... But on your mail host you'd still get a Firewall->MailHost Header... From henrik at LEWANDER.COM Mon May 6 14:44:33 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:14:40 2006 Subject: {SPAM?} Why are all messages tagged SPAM? References: <5.1.0.14.2.20020506102601.03ce5198@imap.ecs.soton.ac.uk> Message-ID: <125001c1f504$288e1900$d62211c2@gbg.bluelabs.se> From: "Julian Field" > >The headers of my mail also display the line: > > > > >X-MailScanner-SpamCheck: SpamAssasin (255 hits) > > > >twice. Is this normal? > > SpamAssassin repoting 255 hits is definitely wrong, it should be a small > number. I suggest you properly test your SpamAssassin installation using > their tests and scripts, to prove it is working properly. I haven't seen > this behaviour before. This happened to me after an Debian upgrade, also to a friend. Don't know why but i just restarted Mailscanner and it worked. -henrik -- ( [ Husaberg FE 350 ][ Honda XR 650 ] c[] Husan ?r till salu! Se http://henrik.lewander.com/husan From tal at MUSICGENOME.COM Mon May 6 14:49:12 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:40 2006 Subject: Return-Path header corrupt in virus reports In-Reply-To: <5.1.0.14.2.20020506102255.03ce59c8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020429211209.03193440@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020506102255.03ce59c8@imap.ecs.soton.ac.uk> Message-ID: <1020692954.26706.18.camel@localhost.localdomain> Could sendmail be substituting the header line on sending? i'm seeing this H?P?Return-Path: <<81>g> in the queue and what appears to be the correct one on an S line. -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020506/f702070b/attachment.bin From P.G.M.Peters at civ.utwente.nl Mon May 6 15:20:49 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:40 2006 Subject: found to be clean when not scanned Message-ID: <1f1ddukucp702pdg40asjqeuai5ceg679t@4ax.com> To test MailScanner off-line I duplicate all mail me to an address in the domain test.utwente.nl. The relevant parts (I think) of mailscanner.conf are Mail Header = X-MailScanner: Virus Scanning = yes Virus Scanner = f-prot Sweep = /opt/f-prot/f-protwrapper Scan All Messages = yes Scanning By Domain = yes Domains To Scan = /opt/mailscanner/etc/domains.to.scan.conf Sign Unscanned Messages = no In /opt/mailscanner/etc/domains.to.scan.conf I don't include test.utwente.nl. So when I send a message to address@test.utwente.nl I don't expect an X-MailScanner: header to appear. But it does with the text "Found to be clean". For the recipient it looks as if the mail is scanned and no virus was detected. In the maillog I see May 6 15:31:47 netlx803 mailscanner[20465]: Forwarding 1 clean messages, 27328 bytes When I include test.utwente.nl I get May 6 16:11:51 netlx803 mailscanner[20666]: Scanning 1 messages, 4174 bytes May 6 16:11:51 netlx803 mailscanner[20666]: Scanned 1 messages, 4174 bytes in 0 seconds And ofcourse with an X-MailScanner: header. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Mon May 6 16:09:02 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:40 2006 Subject: found to be clean when not scanned In-Reply-To: <1f1ddukucp702pdg40asjqeuai5ceg679t@4ax.com> Message-ID: <5.1.0.14.2.20020506160815.03265770@imap.ecs.soton.ac.uk> At 15:20 06/05/2002, you wrote: >To test MailScanner off-line I duplicate all mail me to an address in >the domain test.utwente.nl. > >The relevant parts (I think) of mailscanner.conf are >Mail Header = X-MailScanner: >Virus Scanning = yes >Virus Scanner = f-prot >Sweep = /opt/f-prot/f-protwrapper >Scan All Messages = yes >Scanning By Domain = yes >Domains To Scan = /opt/mailscanner/etc/domains.to.scan.conf >Sign Unscanned Messages = no > >In /opt/mailscanner/etc/domains.to.scan.conf I don't include >test.utwente.nl. So when I send a message to address@test.utwente.nl I >don't expect an X-MailScanner: header to appear. But it does with the >text "Found to be clean". For the recipient it looks as if the mail is >scanned and no virus was detected. But is the domain you are sending *from* in domains.to.scan.conf? >In the maillog I see >May 6 15:31:47 netlx803 mailscanner[20465]: Forwarding 1 clean >messages, 27328 bytes > >When I include test.utwente.nl I get >May 6 16:11:51 netlx803 mailscanner[20666]: Scanning 1 messages, 4174 >bytes >May 6 16:11:51 netlx803 mailscanner[20666]: Scanned 1 messages, 4174 >bytes in 0 seconds > >And ofcourse with an X-MailScanner: header. > >-- >Peter Peters >senior netwerkbeheerder, Centrum voor Informatievoorziening, >Universiteit Twente, Postbus 217, 7500 AE Enschede >telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Mon May 6 16:35:29 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:40 2006 Subject: found to be clean when not scanned In-Reply-To: <5.1.0.14.2.20020506160815.03265770@imap.ecs.soton.ac.uk> References: <1f1ddukucp702pdg40asjqeuai5ceg679t@4ax.com> <5.1.0.14.2.20020506160815.03265770@imap.ecs.soton.ac.uk> Message-ID: On Mon, 6 May 2002 16:09:02 +0100, you wrote: >>In /opt/mailscanner/etc/domains.to.scan.conf I don't include >>test.utwente.nl. So when I send a message to address@test.utwente.nl I >>don't expect an X-MailScanner: header to appear. But it does with the >>text "Found to be clean". For the recipient it looks as if the mail is >>scanned and no virus was detected. > >But is the domain you are sending *from* in domains.to.scan.conf? No. Domains.to.scan.conf: div.utwente.nl Headers of the last message: +Return-Path: +Received: from netlx803.civ.utwente.nl (netlx803.civ.utwente.nl [130.89.1.86]) + by dinkel.civ.utwente.nl (8.9.3/MQT) with ESMTP id QAA27533 + for ; Mon, 6 May 2002 16:52:26 +0200 (METDST) +Received: from netlx010.civ.utwente.nl (netlx010.civ.utwente.nl [130.89.1.92]) + by netlx803.civ.utwente.nl (8.11.4/HKD) with ESMTP id g46Eq6k21058 + for ; Mon, 6 May 2002 16:52:06 +0200 +Received: from survis.surfnet.nl (survis.surfnet.nl [192.87.108.3]) + by netlx010.civ.utwente.nl (8.11.4/HKD) with ESMTP id g46Eq5811421 + for ; Mon, 6 May 2002 16:52:05 +0200 +Received: from x.surfnet.nl ([192.87.109.42]) + by survis.surfnet.nl with ESMTP (exPP) + id 174jqP-0006p9-00; Mon, 6 May 2002 16:52:05 +0200 +Date: Mon, 6 May 2002 16:52:05 +0200 (CDT) +From: Xander Jansen +To: Peter Peters +Subject: Re: Verbod op stemmen vanaf info@* (Was: Re: Stemresultaat nl.actualiteiten) +In-Reply-To: +Message-ID: +MIME-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-MailScanner: Found to be clean +Status: Regarding "Content-Type: TEXT/PLAIN; ": In mailscanner.conf I have: Scan All Messages = yes -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From fizz at BOMB.NET Mon May 6 20:09:09 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Question with sophos.. Message-ID: <000d01c1f531$8011d720$48cf75cc@fizz> im sure its something very simple, but ive been banging my head against the wall all day with FreeBSD, so i switched back to slackware, now ive donbe the install of Sophos, its got everything in the lib dir, but when i go to run autoupdate it tells me it cant figure out the version number. And when i run sophoswrapper it says its cant find the definitions.. any helps appriciated :P ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From fizz at BOMB.NET Mon May 6 21:12:07 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Question with sophos.. References: <000d01c1f531$8011d720$48cf75cc@fizz> Message-ID: <002101c1f53a$4bd3bb00$48cf75cc@fizz> figured it out... there is now a x after 357 so i made a symlink to it.. now it works :P stupid me /me slaps self ----- Original Message ----- From: "Kelly Hamlin" To: Sent: Monday, May 06, 2002 3:09 PM Subject: Question with sophos.. > im sure its something very simple, but ive been banging my head against the > wall all day with FreeBSD, so i switched back to slackware, now ive donbe > the install of Sophos, its got everything in the lib dir, but when i go to > run autoupdate it tells me it cant figure out the version number. And when i > run sophoswrapper it says its cant find the definitions.. > > any helps appriciated :P > > > ////// > ( o o ) > +--.oooO--(_)--Oooo.-----------------+ > | [Kelly Hamlin] > | kellyh@cyberstreet.com > | http://www.bomb.net > | .oooO > | ( ) Oooo. > +--- \ (----( )----------------------------+ > \_) ) / > (_/ > From nwp at LEMON-COMPUTING.COM Mon May 6 23:30:02 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:40 2006 Subject: {SPAM?} Why are all messages tagged SPAM? In-Reply-To: <125001c1f504$288e1900$d62211c2@gbg.bluelabs.se> References: <5.1.0.14.2.20020506102601.03ce5198@imap.ecs.soton.ac.uk> <125001c1f504$288e1900$d62211c2@gbg.bluelabs.se> Message-ID: <20020506223002.GM16921@hoiho.nz.lemon-computing.com> On Mon, May 06, 2002 at 03:44:33PM +0200, Henrik Lewander wrote: > From: "Julian Field" > > >The headers of my mail also display the line: > > > > > > >X-MailScanner-SpamCheck: SpamAssasin (255 hits) > > > > > >twice. Is this normal? > > > > SpamAssassin repoting 255 hits is definitely wrong, it should be a small > > number. I suggest you properly test your SpamAssassin installation using > > their tests and scripts, to prove it is working properly. I haven't seen > > this behaviour before. > > This happened to me after an Debian upgrade, also to a friend. Don't know why > but i just restarted Mailscanner and it worked. The "255 hits" appears to mean "spamassassin failed" - it does this (for example) when it can't create the .spamassassin directory that it wants to. It will fail to create the .spamassassin directory, again for example, when it is running as mail and trying to create the directory /root/.spamassassin. This happens because SpamAssassin is getting initialised at the wrong point in the mailscanner code. And because even when it gets initialised at the right point, it takes the value of $ENV{HOME} rather than using getpwnam to find the correct home directory to put .spamassassin in. I have fixed this in mailscanner CVS and once we've got through the rest of the "todo" list we'll release it. It's a reasonable-sized list, though, so don't hold your breath. The reason it happened after a Debian update is probably that spamassassin has changed the way it handles that directory. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You have been selected for a secret mission. From fizz at BOMB.NET Tue May 7 01:32:17 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! Message-ID: <000701c1f55e$a49df1f0$48cf75cc@fizz> Its not directly mailscanner related but im hoping someone has a clue.. we had a drive crash and i was to dumb to have a current backup. I reinstalled from scratch slackware 8.0 and got everything installed/tested. Sophos - tested and working.. Mailscanner - is scanning the messages and putting them in the mqueue dir like its supposed to do. The problem im having is, it seems as if sendmail isnt even trying to deliver those messages. They just keep backing up in that directory. Im at a loss as to what the problem is. I Installed all the modules i was supposed to, i have permissions and what not the way they are supposed to (i think) but i still would think any of those would have any affect on sendmail sending its queue. any idea, clues would be most helpfull as ive been working on this for the past 5 hours.. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From miguelk at KONSULTEX.COM.BR Tue May 7 01:56:06 2002 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> Message-ID: <3CD72626.8090700@konsultex.com.br> This may be too obvious and you must have looked at this, but just the same: are you sure you have the 2 instances of SendMail running? Is the instance that delivers locally waiting for thousands to que up or does it deliver at once? Kelly Hamlin wrote: >Its not directly mailscanner related but im hoping someone has a clue.. >we had a drive crash and i was to dumb to have a current backup. I >reinstalled from scratch slackware 8.0 and got everything installed/tested. >Sophos - tested and working.. >Mailscanner - is scanning the messages and putting them in the mqueue dir >like its supposed to do. > >The problem im having is, it seems as if sendmail isnt even trying to >deliver those messages. They just keep backing up in that directory. Im at a >loss as to what the problem is. I Installed all the modules i was supposed >to, i have permissions and what not the way they are supposed to (i think) >but i still would think any of those would have any affect on sendmail >sending its queue. > >any idea, clues would be most helpfull as ive been working on this for the >past 5 hours.. > > ////// > ( o o ) >+--.oooO--(_)--Oooo.-----------------+ >| [Kelly Hamlin] >| kellyh@cyberstreet.com >| http://www.bomb.net >| .oooO >| ( ) Oooo. >+--- \ (----( )----------------------------+ > \_) ) / > (_/ > From gary at ARL.NET.NZ Tue May 7 01:57:48 2002 From: gary at ARL.NET.NZ (Gary Dick) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> Message-ID: <3CD7268C.9000709@arl.net.nz> Hi Anything in /var/log/messages or /var/log/syslog about sendmail that might give a clue to the problem ? Have you changed the way sendmail is started in rc.M ? Regards Kelly Hamlin wrote: >Its not directly mailscanner related but im hoping someone has a clue.. >we had a drive crash and i was to dumb to have a current backup. I >reinstalled from scratch slackware 8.0 and got everything installed/tested. >Sophos - tested and working.. >Mailscanner - is scanning the messages and putting them in the mqueue dir >like its supposed to do. > >The problem im having is, it seems as if sendmail isnt even trying to >deliver those messages. They just keep backing up in that directory. Im at a >loss as to what the problem is. I Installed all the modules i was supposed >to, i have permissions and what not the way they are supposed to (i think) >but i still would think any of those would have any affect on sendmail >sending its queue. > >any idea, clues would be most helpfull as ive been working on this for the >past 5 hours.. > > ////// > ( o o ) >+--.oooO--(_)--Oooo.-----------------+ >| [Kelly Hamlin] >| kellyh@cyberstreet.com >| http://www.bomb.net >| .oooO >| ( ) Oooo. >+--- \ (----( )----------------------------+ > \_) ) / > (_/ > > From jaearick at COLBY.EDU Tue May 7 03:35:41 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:40 2006 Subject: tuning for high volume (FAQ 11) Message-ID: Y'all, I put mailscanner into production mode on my mail server today, a two-cpu D-class HP system. I had previously tested mailscanner on both Sun and HP systems (using sophos) and it looked like the ticket for my virus woes. Since the D-class isn't the world's fastest machine for 3000 users, I spent most of the day staring at my mail queues, backlogs, thruput, etc. I tried both the default installation, and the "queue mode" suggestions of FAQ 11. I am not totally convinced that background delivery mode is working correctly, but I'll look at that more tomorrow. The I dug out the Bat Book and read more about processing queues. Here is the scheme I finally came up with for my site, following FAQ 11. * Delivery method = queue (like FAQ 11) * Deliver in Background = yes (like FAQ 11) * sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in (launched via sendmail boottime start script) * sendmail -q15m, also launched via boottime start script * crontab job for local recipients only every minute (my wrinkle) The crontab entry looks like: 0-59 * * * * /usr/sbin/sendmail -qR@colby.edu ^^^^^^^^^ your domain here The idea here is to get email bound for local recipients in my domain ("colby.edu") delivered fast by processing *only* the local recipient stuff once a minute. Anything outbound to a remote site can wait for the 15 minute queue started with the boot script. The "sendmail -q1m" suggestion of FAQ 11 does not work, because email bound for local recipients is mixed in with remote sites that may not DNS resolve. So "sendmail -q1m" does not distinguish between messages that can be resolved quickly (ie, domains you have DNS control over) and those that can't. One bad remote DNS resolve hoses up the whole queue. My crontab keeps the local stuff moving, and leaves the poky remote stuff for the queue that runs less often. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From fizz at BOMB.NET Tue May 7 13:27:13 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> Message-ID: <000c01c1f5c2$84943310$48cf75cc@fizz> Here is some extra info that i didnt see before, not sure it will help, but here goes.. (Deferred: 451-Requested action aborted: local error in proce) ... reply: read error from mx1.mail.) g470snV05720 6771 Mon May 6 20:54 MAILER-DAEMON (... reply: read err) To: Sent: Monday, May 06, 2002 8:32 PM Subject: Need Help! > Its not directly mailscanner related but im hoping someone has a clue.. > we had a drive crash and i was to dumb to have a current backup. I > reinstalled from scratch slackware 8.0 and got everything installed/tested. > Sophos - tested and working.. > Mailscanner - is scanning the messages and putting them in the mqueue dir > like its supposed to do. > > The problem im having is, it seems as if sendmail isnt even trying to > deliver those messages. They just keep backing up in that directory. Im at a > loss as to what the problem is. I Installed all the modules i was supposed > to, i have permissions and what not the way they are supposed to (i think) > but i still would think any of those would have any affect on sendmail > sending its queue. > > any idea, clues would be most helpfull as ive been working on this for the > past 5 hours.. > > ////// > ( o o ) > +--.oooO--(_)--Oooo.-----------------+ > | [Kelly Hamlin] > | kellyh@cyberstreet.com > | http://www.bomb.net > | .oooO > | ( ) Oooo. > +--- \ (----( )----------------------------+ > \_) ) / > (_/ > From john.clancy at BUSINESSANDFINANCE.IE Tue May 7 13:40:27 2002 From: john.clancy at BUSINESSANDFINANCE.IE (John Clancy) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> <000c01c1f5c2$84943310$48cf75cc@fizz> Message-ID: <00ef01c1f5c4$5df4bd40$666078c1@businessandfinance.ie> Hi Kelly, What do you see when you invoke sendmail directly to handle a single item in the Q using the 'sendmail -qI -v' sytax? e.g. in the message below sendmail -qIgr70rop05695 -v JC > Here is some extra info that i didnt see before, not sure it will help, but > here goes.. > > (Deferred: 451-Requested action aborted: local error in > proce) > > g470rop05695 5638 Mon May 6 20:53 MAILER-DAEMON > (... reply: read error from > mx1.mail.) > > g470snV05720 6771 Mon May 6 20:54 MAILER-DAEMON > (... reply: read > err) > > g470sne05722 9004 Mon May 6 20:54 MAILER-DAEMON > (Deferred: 451-Requested action aborted: local error in > proce) > > g470sng05722 9032 Mon May 6 20:54 MAILER-DAEMON > > im seeing a whole bunch of these in "mailq" > ----- Original Message ----- > From: "Kelly Hamlin" > To: > Sent: Monday, May 06, 2002 8:32 PM > Subject: Need Help! > > > > Its not directly mailscanner related but im hoping someone has a clue.. > > we had a drive crash and i was to dumb to have a current backup. I > > reinstalled from scratch slackware 8.0 and got everything > installed/tested. > > Sophos - tested and working.. > > Mailscanner - is scanning the messages and putting them in the mqueue dir > > like its supposed to do. > > > > The problem im having is, it seems as if sendmail isnt even trying to > > deliver those messages. They just keep backing up in that directory. Im at > a > > loss as to what the problem is. I Installed all the modules i was supposed > > to, i have permissions and what not the way they are supposed to (i think) > > but i still would think any of those would have any affect on sendmail > > sending its queue. > > > > any idea, clues would be most helpfull as ive been working on this for the > > past 5 hours.. > > > > ////// > > ( o o ) > > +--.oooO--(_)--Oooo.-----------------+ > > | [Kelly Hamlin] > > | kellyh@cyberstreet.com > > | http://www.bomb.net > > | .oooO > > | ( ) Oooo. > > +--- \ (----( )----------------------------+ > > \_) ) / > > (_/ > > From LISTSERV at JISCMAIL.AC.UK Mon May 6 23:31:29 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: pesquive@UAZUAY.EDU.EC requested to join Message-ID: <200205062231.XAA22700@magpie.ecs.soton.ac.uk> Mon, 6 May 2002 23:31:29 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Pablo Esquivel You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER pesquive@UAZUAY.EDU.EC Pablo Esquivel PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER pesquive@UAZUAY.EDU.EC Pablo Esquivel // EOJ From brose at MED.WAYNE.EDU Tue May 7 13:51:28 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:40 2006 Subject: tuning for high volume (FAQ 11) Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8DFB@med-core03.med.wayne.edu> But isn't sendmail supposed to fire off more processes due to queue size anyway? In the case of a DNS resolve issue that is slowing things down should start up another process. -----Original Message----- From: Jeff A. Earickson [mailto:jaearick@COLBY.EDU] Sent: Monday, May 06, 2002 10:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: tuning for high volume (FAQ 11) Y'all, I put mailscanner into production mode on my mail server today, a two-cpu D-class HP system. I had previously tested mailscanner on both Sun and HP systems (using sophos) and it looked like the ticket for my virus woes. Since the D-class isn't the world's fastest machine for 3000 users, I spent most of the day staring at my mail queues, backlogs, thruput, etc. I tried both the default installation, and the "queue mode" suggestions of FAQ 11. I am not totally convinced that background delivery mode is working correctly, but I'll look at that more tomorrow. The I dug out the Bat Book and read more about processing queues. Here is the scheme I finally came up with for my site, following FAQ 11. * Delivery method = queue (like FAQ 11) * Deliver in Background = yes (like FAQ 11) * sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in (launched via sendmail boottime start script) * sendmail -q15m, also launched via boottime start script * crontab job for local recipients only every minute (my wrinkle) The crontab entry looks like: 0-59 * * * * /usr/sbin/sendmail -qR@colby.edu ^^^^^^^^^ your domain here The idea here is to get email bound for local recipients in my domain ("colby.edu") delivered fast by processing *only* the local recipient stuff once a minute. Anything outbound to a remote site can wait for the 15 minute queue started with the boot script. The "sendmail -q1m" suggestion of FAQ 11 does not work, because email bound for local recipients is mixed in with remote sites that may not DNS resolve. So "sendmail -q1m" does not distinguish between messages that can be resolved quickly (ie, domains you have DNS control over) and those that can't. One bad remote DNS resolve hoses up the whole queue. My crontab keeps the local stuff moving, and leaves the poky remote stuff for the queue that runs less often. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ------------------------------------------------------------------------ ---- From LISTSERV at JISCMAIL.AC.UK Tue May 7 14:17:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:40 2006 Subject: MAILSCANNER: doc@ZWECKER.DE requested to join Message-ID: <200205071317.OAA20783@magpie.ecs.soton.ac.uk> Tue, 7 May 2002 14:17:46 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Christophe Zwecker You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER doc@ZWECKER.DE Christophe Zwecker PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER doc@ZWECKER.DE Christophe Zwecker // EOJ From fizz at BOMB.NET Tue May 7 15:55:32 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> <000c01c1f5c2$84943310$48cf75cc@fizz> <00ef01c1f5c4$5df4bd40$666078c1@businessandfinance.ie> Message-ID: <001301c1f5d7$3c4f7aa0$48cf75cc@fizz> root@sairys:/var/spool/mqueue# sendmail -qIg47EVVc01601 -v Running /var/spool/mqueue/g47EVVc01601 (sequence 1 of 1) MX list for xxxxxxxxxxx.com. points back to sairys.xxxxxxxxxxx.com ... Local configuration error uhgg.. thing i dont understand is the machine i did this from IS sairys.. to answer other questions, i do have the two sendmail processes running, the sendmail -q1m and the sendmail -bd -O etc etc.. I have my MX set to this machine, and then i have a access file which then tells it where to forward the mail.. ----- Original Message ----- From: "John Clancy" To: Sent: Tuesday, May 07, 2002 8:40 AM Subject: Re: Need Help! > Hi Kelly, > > What do you see when you invoke sendmail directly to handle a single item in > the Q using the 'sendmail -qI -v' sytax? > e.g. in the message below > sendmail -qIgr70rop05695 -v > > JC > > > Here is some extra info that i didnt see before, not sure it will help, > but > > here goes.. > > > > (Deferred: 451-Requested action aborted: local error in > > proce) > > > > > g470rop05695 5638 Mon May 6 20:53 MAILER-DAEMON > > (... reply: read error from > > mx1.mail.) > > > > g470snV05720 6771 Mon May 6 20:54 MAILER-DAEMON > > (... reply: read > > err) > > > > > g470sne05722 9004 Mon May 6 20:54 MAILER-DAEMON > > (Deferred: 451-Requested action aborted: local error in > > proce) > > > > > g470sng05722 9032 Mon May 6 20:54 MAILER-DAEMON > > > > im seeing a whole bunch of these in "mailq" > > ----- Original Message ----- > > From: "Kelly Hamlin" > > To: > > Sent: Monday, May 06, 2002 8:32 PM > > Subject: Need Help! > > > > > > > Its not directly mailscanner related but im hoping someone has a clue.. > > > we had a drive crash and i was to dumb to have a current backup. I > > > reinstalled from scratch slackware 8.0 and got everything > > installed/tested. > > > Sophos - tested and working.. > > > Mailscanner - is scanning the messages and putting them in the mqueue > dir > > > like its supposed to do. > > > > > > The problem im having is, it seems as if sendmail isnt even trying to > > > deliver those messages. They just keep backing up in that directory. Im > at > > a > > > loss as to what the problem is. I Installed all the modules i was > supposed > > > to, i have permissions and what not the way they are supposed to (i > think) > > > but i still would think any of those would have any affect on sendmail > > > sending its queue. > > > > > > any idea, clues would be most helpfull as ive been working on this for > the > > > past 5 hours.. > > > > > > ////// > > > ( o o ) > > > +--.oooO--(_)--Oooo.-----------------+ > > > | [Kelly Hamlin] > > > | kellyh@cyberstreet.com > > > | http://www.bomb.net > > > | .oooO > > > | ( ) Oooo. > > > +--- \ (----( )----------------------------+ > > > \_) ) / > > > (_/ > > > > From tal at MUSICGENOME.COM Tue May 7 16:23:13 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! In-Reply-To: <001301c1f5d7$3c4f7aa0$48cf75cc@fizz> References: <000701c1f55e$a49df1f0$48cf75cc@fizz> <000c01c1f5c2$84943310$48cf75cc@fizz> <00ef01c1f5c4$5df4bd40$666078c1@businessandfinance.ie> <001301c1f5d7$3c4f7aa0$48cf75cc@fizz> Message-ID: <1020784994.30267.1.camel@localhost.localdomain> I think this will help you http://www.sendmail.org/faq/section4.html#4.5 On Tue, 2002-05-07 at 17:55, Kelly Hamlin wrote: > root@sairys:/var/spool/mqueue# sendmail -qIg47EVVc01601 -v > > Running /var/spool/mqueue/g47EVVc01601 (sequence 1 of 1) > MX list for xxxxxxxxxxx.com. points back to sairys.xxxxxxxxxxx.com > ... Local configuration error > > uhgg.. > thing i dont understand is the machine i did this from IS sairys.. > -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020507/117e2ecc/attachment.bin From fizz at BOMB.NET Tue May 7 17:16:11 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> <000c01c1f5c2$84943310$48cf75cc@fizz> <00ef01c1f5c4$5df4bd40$666078c1@businessandfinance.ie> Message-ID: <001601c1f5e2$80c34760$48cf75cc@fizz> Ok, after some more investigating, ive found one VERY wierd thing. I notice certain things that sendmail tries to send for a long time if i try that command.. it shows that it goes and then on reset state it stalls for a long time. Now i also have a question. It appears that people are sending mail to a bogus address from a bogus address, so it also seems as if mail is being bounced back from our mailserver and then tries to bounce it back to the originator which doesnt exist either.. got any work arounds for that? thanks ----- Original Message ----- From: "John Clancy" To: Sent: Tuesday, May 07, 2002 8:40 AM Subject: Re: Need Help! > Hi Kelly, > > What do you see when you invoke sendmail directly to handle a single item in > the Q using the 'sendmail -qI -v' sytax? > e.g. in the message below > sendmail -qIgr70rop05695 -v > > JC > > > Here is some extra info that i didnt see before, not sure it will help, > but > > here goes.. > > > > (Deferred: 451-Requested action aborted: local error in > > proce) > > > > > g470rop05695 5638 Mon May 6 20:53 MAILER-DAEMON > > (... reply: read error from > > mx1.mail.) > > > > g470snV05720 6771 Mon May 6 20:54 MAILER-DAEMON > > (... reply: read > > err) > > > > > g470sne05722 9004 Mon May 6 20:54 MAILER-DAEMON > > (Deferred: 451-Requested action aborted: local error in > > proce) > > > > > g470sng05722 9032 Mon May 6 20:54 MAILER-DAEMON > > > > im seeing a whole bunch of these in "mailq" > > ----- Original Message ----- > > From: "Kelly Hamlin" > > To: > > Sent: Monday, May 06, 2002 8:32 PM > > Subject: Need Help! > > > > > > > Its not directly mailscanner related but im hoping someone has a clue.. > > > we had a drive crash and i was to dumb to have a current backup. I > > > reinstalled from scratch slackware 8.0 and got everything > > installed/tested. > > > Sophos - tested and working.. > > > Mailscanner - is scanning the messages and putting them in the mqueue > dir > > > like its supposed to do. > > > > > > The problem im having is, it seems as if sendmail isnt even trying to > > > deliver those messages. They just keep backing up in that directory. Im > at > > a > > > loss as to what the problem is. I Installed all the modules i was > supposed > > > to, i have permissions and what not the way they are supposed to (i > think) > > > but i still would think any of those would have any affect on sendmail > > > sending its queue. > > > > > > any idea, clues would be most helpfull as ive been working on this for > the > > > past 5 hours.. > > > > > > ////// > > > ( o o ) > > > +--.oooO--(_)--Oooo.-----------------+ > > > | [Kelly Hamlin] > > > | kellyh@cyberstreet.com > > > | http://www.bomb.net > > > | .oooO > > > | ( ) Oooo. > > > +--- \ (----( )----------------------------+ > > > \_) ) / > > > (_/ > > > > From fizz at BOMB.NET Tue May 7 20:12:39 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:40 2006 Subject: One last problem.. [mailscanner/spamassassin] Message-ID: <000701c1f5fb$27a25130$48cf75cc@fizz> i installed the latest 2.20 spamassassin and occaisionally get this message Malformed UTF-8 character (unexpected continuation byte 0xa9) in substitution iterator at /usr/lib/perl5/site_perl/Mail/SpamAssassin/PerMsgStatus.pm line 829. Any clues? ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From david.fry at IFRSYS.COM Tue May 7 20:24:14 2002 From: david.fry at IFRSYS.COM (David Fry) Date: Thu Jan 12 21:14:40 2006 Subject: Sophos autoupdate is dead jim! Message-ID: greetings list, As of 5:00 a.m. this morning, the Sophos autoupdate script has been dying across all my mailservers. Nothing has been changed on those boxes .. cron runs the autoupdate hourly. I get the following error: , Bad file descriptor at ./autoupdate line 77. One time before I got an error like this .. Sophos' website was very busy and it promptly recovered on the next hourly update. It appears this time that is not the case -- the script continues to fail over & over again. Given that nothing has changed on my end, I have to suspect something is awry with the Sophos update site. Does anyone have an idea what may be going on or seeing something similar?? Anyone know if Sophos has made changes on their end? I am perplexed! Thanks in advance for any help or direction on this guy! -david fry From sevans at FOUNDATION.SDSU.EDU Tue May 7 20:28:56 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> I'm trying to block an entire domain using the /etc/mail/access file. I can block a certain e-mail address (user@domain.com) but how do I block an entire domain? (*@domain.com) Using a * for the user doesn't seem to work. Steve Evans Computing Services SDSU Foundation 619 594-0653 From mmiller1 at MPTOTALCARE.COM Tue May 7 20:34:34 2002 From: mmiller1 at MPTOTALCARE.COM (Matt Miller) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: <1020800074.26599.42.camel@menix> On Tue, 2002-05-07 at 15:28, Steve Evans wrote: > I'm trying to block an entire domain using the /etc/mail/access file. I > can block a certain e-mail address (user@domain.com) but how do I block > an entire domain? (*@domain.com) Using a * for the user doesn't seem > to work. > > Steve Evans > Computing Services > SDSU Foundation > 619 594-0653 How about just: domain.com REJECT Then: makemap hash /etc/mail/access < /etc/mail/access Matt From freerk at MINDSWITCH.NET Tue May 7 20:35:26 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: Haven't checked it, but I assume you should put just @domain.com in your access file. This is also the case in the virtualusers table etc. Freerk -----Oorspronkelijk bericht----- Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens Steve Evans Verzonden: dinsdag 7 mei 2002 21:29 Aan: MAILSCANNER@JISCMAIL.AC.UK Onderwerp: Little OT: Block Domain with Sendmail I'm trying to block an entire domain using the /etc/mail/access file. I can block a certain e-mail address (user@domain.com) but how do I block an entire domain? (*@domain.com) Using a * for the user doesn't seem to work. Steve Evans Computing Services SDSU Foundation 619 594-0653 From chorlian at CBR.MED.HARVARD.EDU Tue May 7 20:34:58 2002 From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail Message-ID: <200205071934.g47JYwIk006869@cbr.med.harvard.edu> I just did that one. The docs have you do this: domain.com REJECT Make sure you use a 'tab' after domain.com for the line then REJECT. That's it! Works great.... Henry On Tuesday, May 07, 2002 at 12:28:56 PM, MailScanner mailing list wrote: > I'm trying to block an entire domain using the /etc/mail/access file. I > can block a certain e-mail address (user@domain.com) but how do I block > an entire domain? (*@domain.com) Using a * for the user doesn't seem > to work. > > Steve Evans > Computing Services > SDSU Foundation > 619 594-0653 > > > ------------------------------------------ Henry C. Chorlian Director of Information Technology Center for Blood Research 800 Huntington Avenue Boston, MA 02115-6303 Harvard Medical School Affiliate chorlian@cbr.med.harvard.edu Voice: (617) 278-3425 Fax: (617) 278-3493 From patrick at IMPTOY.COM Tue May 7 20:37:58 2002 From: patrick at IMPTOY.COM (Pat Hall) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: <000b01c1f5fe$b1393820$29000080@Ph1> try domain.com DISCARD or domain.com REJECT Pat ----- Original Message ----- From: "Steve Evans" To: Sent: Tuesday, May 07, 2002 12:28 PM Subject: Little OT: Block Domain with Sendmail I'm trying to block an entire domain using the /etc/mail/access file. I can block a certain e-mail address (user@domain.com) but how do I block an entire domain? (*@domain.com) Using a * for the user doesn't seem to work. Steve Evans Computing Services SDSU Foundation 619 594-0653 From jschlegs at TAMPABAY.RR.COM Tue May 7 20:40:27 2002 From: jschlegs at TAMPABAY.RR.COM (jim schlegel) Date: Thu Jan 12 21:14:40 2006 Subject: Sophos autoupdate is dead jim! In-Reply-To: References: Message-ID: <1020800428.6095.6.camel@molehill.ccso> I think I had that once. Turned out my Sophos was out of date. I still had 3.51 installed and they were up to 3.56. I know they have a new release each month, so 3.57 should be available now. I had to go through and reinstall the Sophos software. On Tue, 2002-05-07 at 15:24, David Fry wrote: > greetings list, > > As of 5:00 a.m. this morning, the Sophos autoupdate script has been dying > across all my mailservers. Nothing has been changed on those boxes .. cron > runs the autoupdate hourly. > > I get the following error: , Bad file descriptor at ./autoupdate line 77. > > One time before I got an error like this .. Sophos' website was very busy > and it promptly recovered on the next hourly update. It appears this time > that is not the case -- the script continues to fail over & over again. > Given that nothing has changed on my end, I have to suspect something is > awry with the Sophos update site. > > Does anyone have an idea what may be going on or seeing something > similar?? Anyone know if Sophos has made changes on their end? > > I am perplexed! > > Thanks in advance for any help or direction on this guy! > > -david fry From mattb at ZOPE.COM Tue May 7 20:32:35 2002 From: mattb at ZOPE.COM (Matt Burleigh) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: <3CD82BD3.7080308@zope.com> Steve Evans wrote: >I'm trying to block an entire domain using the /etc/mail/access file. I >can block a certain e-mail address (user@domain.com) but how do I block >an entire domain? (*@domain.com) Using a * for the user doesn't seem >to work. > Just put the domain. Like: 61.151.236.188 REJECT sohu.com REJECT -- Matt Burleigh Systems Administrator, Zope Corporation http://www.zope.com http://www.zope.org From dustin.baer at IHS.COM Tue May 7 20:35:35 2002 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: <3CD82C87.6CAA1490@ihs.com> Steve Evans wrote: > > I'm trying to block an entire domain using the /etc/mail/access file. I > can block a certain e-mail address (user@domain.com) but how do I block > an entire domain? (*@domain.com) Using a * for the user doesn't seem > to work. > > Steve Evans domain.com REJECT From gary at ARL.NET.NZ Tue May 7 20:52:26 2002 From: gary at ARL.NET.NZ (Gary Dick) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> Message-ID: <3CD8307A.6090507@arl.net.nz> Checkout http://www.sendmail.org/m4/anti-spam.html Regards Steve Evans wrote: >I'm trying to block an entire domain using the /etc/mail/access file. I >can block a certain e-mail address (user@domain.com) but how do I block >an entire domain? (*@domain.com) Using a * for the user doesn't seem >to work. > >Steve Evans >Computing Services >SDSU Foundation >619 594-0653 > > From patrick at IMPTOY.COM Tue May 7 20:57:16 2002 From: patrick at IMPTOY.COM (Pat Hall) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> <1020800074.26599.42.camel@menix> Message-ID: <000f01c1f601$635fafa0$29000080@Ph1> Isn't the .db required? # makemap hash /etc/mail/access.db < /etc/mail/access > How about just: > domain.com REJECT > > Then: > makemap hash /etc/mail/access < /etc/mail/access > > Matt From mmiller1 at MPTOTALCARE.COM Tue May 7 21:05:19 2002 From: mmiller1 at MPTOTALCARE.COM (Matthew Miller) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail In-Reply-To: <000f01c1f601$635fafa0$29000080@Ph1> References: <7E2D2700ADE29542BAFC135552997E6C0AE8BB@mail.foundation.sdsu.edu> <1020800074.26599.42.camel@menix> <000f01c1f601$635fafa0$29000080@Ph1> Message-ID: <1020801924.29988.10.camel@menix> On Tue, 2002-05-07 at 15:57, Pat Hall wrote: > Isn't the .db required? > > # makemap hash /etc/mail/access.db < /etc/mail/access > > > How about just: > > domain.com REJECT > > > > Then: > > makemap hash /etc/mail/access < /etc/mail/access > > > > Matt Nope, not necessary. Give it a try. From jaearick at COLBY.EDU Wed May 8 01:53:50 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:40 2006 Subject: Disinfected: To provide a link to anot... (fwd) Message-ID: Hey mailscanner gurus, I got the blurb below from mailscanner telling about its good work. I wanted to know more about this message, so I grepped my syslogs for message ID g47N1Dt11680. Lo and behold, there was no record of it my my syslog at all. When "Sendmail::SendEntity($top);" is invoked in disinfect.pl, how come this message doesn't get syslogged like it should? Is mailscanner generating a lot stealth emails like this, with no record in the syslog? This is bad news... ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- ---------- Forwarded message ---------- Return-Path: Received: (from root@localhost) by host-11.colby.edu (8.11.6/8.11.6/1.23') id g47N1Dt11680; Tue, 7 May 2002 19:01:15 -0400 (EDT) Date: Tue, 7 May 2002 19:01:15 -0400 (EDT) Message-Id: <200205072301.g47N1Dt11680@host-11.colby.edu> Content-Type: multipart/mixed; boundary="----------=_1020812458-19972-5" Content-Transfer-Encoding: binary MIME-Version: 1.0 From: MailScanner To: Subject: Disinfected: To provide a link to anot... X-Mailer: MailScanner X-Mailscanner: Disinfected A message you recently received from "" with the subject "To provide a link to another" contained one or more viruses that could be disinfected. The viruses have been removed, and the disinfected files are attached to this message. -- MailScanner Email Virus Scanner From Q.G.Campbell at NEWCASTLE.AC.UK Wed May 8 07:53:03 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:40 2006 Subject: Little OT: Block Domain with Sendmail Message-ID: > -----Original Message----- > From: Pat Hall [mailto:patrick@imptoy.com] > Sent: 07 May 2002 20:38 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Little OT: Block Domain with Sendmail > > > try > > domain.com DISCARD > > or > > domain.com REJECT The choice of which (REJECT or DISCARD) to use _IS_ important. If you REJECT mail it will generate an error reply back to the sender. If that address is invalid then you will find large queues building up on your mail server with all the consequential effects that brings. NEVER use REJECT when blocking against spam attacks or an attempt at denial of service. If you DISCARD mail then it is simply dropped in the bin and that is the end of it. The sender has no idea that it was binned and assumes it was successfully delivered. You do not generate extra mail traffic with error messages and you minimise resource use. Quentin From LISTSERV at JISCMAIL.AC.UK Tue May 7 20:45:08 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: mailscanner@VVD.COM requested to join Message-ID: <200205071945.UAA28256@magpie.ecs.soton.ac.uk> Tue, 7 May 2002 20:45:08 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from JW Smythe You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mailscanner@VVD.COM JW Smythe PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mailscanner@VVD.COM JW Smythe // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 8 08:03:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: antonio@DESCOM.ES requested to join Message-ID: <200205080703.IAA04854@magpie.ecs.soton.ac.uk> Wed, 8 May 2002 08:03:53 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Antonio Coloma You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER antonio@DESCOM.ES Antonio Coloma PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER antonio@DESCOM.ES Antonio Coloma // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 8 08:31:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: aalsup@USDLA.COM requested to join Message-ID: <200205080731.IAA06420@magpie.ecs.soton.ac.uk> Wed, 8 May 2002 08:31:35 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Andy Alsup The following membership options have been requested: SUBJECTHDR. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER aalsup@USDLA.COM Andy Alsup PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER aalsup@USDLA.COM Andy Alsup SET MAILSCANNER SUBJECTHDR FOR aalsup@USDLA.COM // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 8 09:44:55 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: ft@IT.SU.SE requested to join Message-ID: <200205080844.JAA12200@magpie.ecs.soton.ac.uk> Wed, 8 May 2002 09:44:55 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Fredrik Thulin You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ft@IT.SU.SE Fredrik Thulin PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ft@IT.SU.SE Fredrik Thulin // EOJ From john.clancy at BUSINESSANDFINANCE.IE Wed May 8 11:25:43 2002 From: john.clancy at BUSINESSANDFINANCE.IE (John Clancy) Date: Thu Jan 12 21:14:41 2006 Subject: Need Help! References: <000701c1f55e$a49df1f0$48cf75cc@fizz> <000c01c1f5c2$84943310$48cf75cc@fizz> <00ef01c1f5c4$5df4bd40$666078c1@businessandfinance.ie> <001301c1f5d7$3c4f7aa0$48cf75cc@fizz> Message-ID: <002f01c1f67a$b621dc80$666078c1@businessandfinance.ie> Tal Kelrich beat me to it ! JC ----- Original Message ----- From: "Kelly Hamlin" To: Sent: 07 May 2002 15:55 Subject: Re: Need Help! > root@sairys:/var/spool/mqueue# sendmail -qIg47EVVc01601 -v > > Running /var/spool/mqueue/g47EVVc01601 (sequence 1 of 1) > MX list for xxxxxxxxxxx.com. points back to sairys.xxxxxxxxxxx.com > ... Local configuration error > > uhgg.. > thing i dont understand is the machine i did this from IS sairys.. > > to answer other questions, i do have the two sendmail processes running, the > sendmail -q1m and the sendmail -bd -O etc etc.. > > I have my MX set to this machine, and then i have a access file which then > tells it where to forward the mail.. > > ----- Original Message ----- > From: "John Clancy" > To: > Sent: Tuesday, May 07, 2002 8:40 AM > Subject: Re: Need Help! > > > > Hi Kelly, > > > > What do you see when you invoke sendmail directly to handle a single item > in > > the Q using the 'sendmail -qI -v' sytax? > > e.g. in the message below > > sendmail -qIgr70rop05695 -v > > > > JC > > > > > Here is some extra info that i didnt see before, not sure it will help, > > but > > > here goes.. > > > > > > (Deferred: 451-Requested action aborted: local error in > > > proce) > > > > > > > > g470rop05695 5638 Mon May 6 20:53 MAILER-DAEMON > > > (... reply: read error from > > > mx1.mail.) > > > > > > g470snV05720 6771 Mon May 6 20:54 MAILER-DAEMON > > > (... reply: > read > > > err) > > > > > > > > g470sne05722 9004 Mon May 6 20:54 MAILER-DAEMON > > > (Deferred: 451-Requested action aborted: local error in > > > proce) > > > > > > > > g470sng05722 9032 Mon May 6 20:54 MAILER-DAEMON > > > > > > im seeing a whole bunch of these in "mailq" > > > ----- Original Message ----- > > > From: "Kelly Hamlin" > > > To: > > > Sent: Monday, May 06, 2002 8:32 PM > > > Subject: Need Help! > > > > > > > > > > Its not directly mailscanner related but im hoping someone has a > clue.. > > > > we had a drive crash and i was to dumb to have a current backup. I > > > > reinstalled from scratch slackware 8.0 and got everything > > > installed/tested. > > > > Sophos - tested and working.. > > > > Mailscanner - is scanning the messages and putting them in the mqueue > > dir > > > > like its supposed to do. > > > > > > > > The problem im having is, it seems as if sendmail isnt even trying to > > > > deliver those messages. They just keep backing up in that directory. > Im > > at > > > a > > > > loss as to what the problem is. I Installed all the modules i was > > supposed > > > > to, i have permissions and what not the way they are supposed to (i > > think) > > > > but i still would think any of those would have any affect on sendmail > > > > sending its queue. > > > > > > > > any idea, clues would be most helpfull as ive been working on this for > > the > > > > past 5 hours.. > > > > > > > > ////// > > > > ( o o ) > > > > +--.oooO--(_)--Oooo.-----------------+ > > > > | [Kelly Hamlin] > > > > | kellyh@cyberstreet.com > > > > | http://www.bomb.net > > > > | .oooO > > > > | ( ) Oooo. > > > > +--- \ (----( )----------------------------+ > > > > \_) ) / > > > > (_/ > > > > > > From jkf at ecs.soton.ac.uk Wed May 8 11:50:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Sophos autoupdate is dead jim! In-Reply-To: <1020800428.6095.6.camel@molehill.ccso> References: Message-ID: <5.1.0.14.2.20020508115006.028368b0@imap.ecs.soton.ac.uk> At 20:40 07/05/2002, you wrote: >I think I had that once. Turned out my Sophos was out of date. I still >had 3.51 installed and they were up to 3.56. I know they have a new >release each month, so 3.57 should be available now. I had to go >through and reinstall the Sophos software. Spot on. You have to install the latest version of Sophos at least once every 3 months, as they only provide IDE files for the current version and the previous 2 versions. >On Tue, 2002-05-07 at 15:24, David Fry wrote: > > greetings list, > > > > As of 5:00 a.m. this morning, the Sophos autoupdate script has been dying > > across all my mailservers. Nothing has been changed on those boxes .. cron > > runs the autoupdate hourly. > > > > I get the following error: , Bad file descriptor at ./autoupdate line 77. > > > > One time before I got an error like this .. Sophos' website was very busy > > and it promptly recovered on the next hourly update. It appears this time > > that is not the case -- the script continues to fail over & over again. > > Given that nothing has changed on my end, I have to suspect something is > > awry with the Sophos update site. > > > > Does anyone have an idea what may be going on or seeing something > > similar?? Anyone know if Sophos has made changes on their end? > > > > I am perplexed! > > > > Thanks in advance for any help or direction on this guy! > > > > -david fry -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From antonio at DESCOM.ES Wed May 8 12:19:49 2002 From: antonio at DESCOM.ES (Antonio Coloma) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee Message-ID: Hi everybody! I have Mailscanner Working with McAfee VirScan, and when it detects Klez.H worm, the virus is deleted but the message "without the virus" delivered to the user cannot be "viewed" with Outlook 2000. Outlook crashes .... Do somebody know why is this happening? Thanx a lot! From freerk at MINDSWITCH.NET Wed May 8 12:48:43 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: Message-ID: Hi, I've seen a similar problem here. Klez is also detected in my setup with Sophos. I receive an HTML formatted email indicating that I can read details in the attachment virusalert.txt, but the attachment is not there. Any clues? Freerk > -----Oorspronkelijk bericht----- > Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens > Antonio Coloma > Verzonden: woensdag 8 mei 2002 13:20 > Aan: MAILSCANNER@JISCMAIL.AC.UK > Onderwerp: Virus Klez.H and McAfee > > > Hi everybody! > > I have Mailscanner Working with McAfee VirScan, and when it detects Klez.H > worm, the virus is deleted but the message "without the virus" > delivered to > the user cannot be "viewed" with Outlook 2000. Outlook crashes .... > Do somebody know why is this happening? > > Thanx a lot! From m.sapsed at BANGOR.AC.UK Wed May 8 13:51:35 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee References: Message-ID: <3CD91F57.78CB4F56@bangor.ac.uk> Freerk Kalsbeek wrote: > I've seen a similar problem here. > Klez is also detected in my setup with Sophos. I receive an HTML formatted > email indicating that I can read details in the attachment virusalert.txt, > but the attachment is not there. I had one this morning which was disinfected but all I see (in Netscape Messenger) is a base64 encoded attachment. My guess is that the original message uses slightly iffy MIME tags and Julian's insertion of the warning doesn't quite work. I've still got what was left if anyone who understands MIME or MailScanner better than I wants to look at it? (Linux, MailScanner 3.04, Sophos, sendmail) Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From P.G.M.Peters at civ.utwente.nl Wed May 8 14:28:15 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <3CD91F57.78CB4F56@bangor.ac.uk> References: <3CD91F57.78CB4F56@bangor.ac.uk> Message-ID: On Wed, 8 May 2002 13:51:35 +0100, you wrote: >> I've seen a similar problem here. >> Klez is also detected in my setup with Sophos. I receive an HTML formatted >> email indicating that I can read details in the attachment virusalert.txt, >> but the attachment is not there. > >I had one this morning which was disinfected but all I see (in Netscape >Messenger) is a base64 encoded attachment. My guess is that the original >message uses slightly iffy MIME tags and Julian's insertion of the warning >doesn't quite work. I've still got what was left if anyone who understands >MIME or MailScanner better than I wants to look at it? I use f-prot and in Agent the "viruswarning.txt" is visible as an attachment (and with ^R inline). But after my tests I included a colleage with outlook (with exchange) in the tests. He gets the two lines from "Inline Text Warning" and an empty attachment. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From lbergman at abi.tconline.net Wed May 8 14:19:33 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:41 2006 Subject: Disinfected: To provide a link to anot... (fwd) In-Reply-To: References: Message-ID: <200205081319.g48DJXk17227@lewis.abi.tconline.net> On Tuesday 07 May 2002 07:53 pm, you wrote: > Hey mailscanner gurus, > I got the blurb below from mailscanner telling about its good work. > I wanted to know more about this message, so I grepped my syslogs for > message ID g47N1Dt11680. Lo and behold, there was no record of it my > my syslog at all. When "Sendmail::SendEntity($top);" is invoked in > disinfect.pl, how come this message doesn't get syslogged like it > should? Is mailscanner generating a lot stealth emails like this, > with no record in the syslog? This is bad news... Why would you think that the syslog should contain a bunch of junk about the message? Set the switch to send a message to the Postmaster if you are curious about it. I believe it is there for just that purpose. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From P.G.M.Peters at civ.utwente.nl Wed May 8 14:33:35 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:41 2006 Subject: regarding my tests Message-ID: As I pointed out in my previous mail I am testing mailscanner with spamassassin and f-prot for our university. To test mailscanner I duplicate the message in our MX-server so one copy goes directly to the server with the mailbox (the normal route) and a copy is sent through the testserver. I myself use a POP-box on a unix-system and everything goes allright. But when I use an address that gets delivered to an exchange server the kopie sent through mailscanner does not appear in the mailbox. Does anybody know of things exchange might be doing? When I send directly to the "dummy" address that points to the mailscanner box exchange behaves like it should. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From brose at MED.WAYNE.EDU Wed May 8 16:21:26 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:41 2006 Subject: regarding my tests Message-ID: <6D60AC042221344095A0EBBC56EEE79A0A8E0C@med-core03.med.wayne.edu> Most of our mailboxes are exchange and I do the same thing for my messages for testing other stuff. I've noticed the same thing but it's not mailscanner. Exchange seems to notice that it's the same message coming from both systems and only gives you the one copy. If you delete the message from exchange before the second copy comes in then you'll see the second one. I see this occur when my test system has problems and queues mail. After I notice the problem sometimes at then end of the day and correct it, I end up with all the copies of messages that I had already read and deleted. Exchange maybe looking at the Message-ID for it's determination of creating a new message record. -----Original Message----- From: Peter Peters [mailto:P.G.M.Peters@civ.utwente.nl] Sent: Wednesday, May 08, 2002 9:34 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: regarding my tests As I pointed out in my previous mail I am testing mailscanner with spamassassin and f-prot for our university. To test mailscanner I duplicate the message in our MX-server so one copy goes directly to the server with the mailbox (the normal route) and a copy is sent through the testserver. I myself use a POP-box on a unix-system and everything goes allright. But when I use an address that gets delivered to an exchange server the kopie sent through mailscanner does not appear in the mailbox. Does anybody know of things exchange might be doing? When I send directly to the "dummy" address that points to the mailscanner box exchange behaves like it should. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From gerry at dorfam.ca Wed May 8 16:25:18 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:41 2006 Subject: Strange sendmail errors??? Message-ID: <55001.129.80.22.134.1020871518.squirrel@tiger.dorfam.ca> Would the following sendmail errors have something to do with mailscanner??? Unusual System Events =-=-=-=-=-=-=-=-=-=-= May 8 09:32:06 tiger sendmail[6285]: g48DU6U06283: timeout waiting for input from local during Draining InputMay 8 09:32:06 tiger sendmail[6289]: g48DU6U06288: timeout waiting for input from local during Draining InputMay 8 09:32:06 tiger sendmail[6281]: g48DU6U06279: timeout waiting for input from local during Draining Input Gerry -- "The lyfe so short, the craft so long to learne" Chaucer -- "The lyfe so short, the craft so long to learne" Chaucer From mailscanner-sub at WIREHUB.NET Wed May 8 16:52:56 2002 From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:14:41 2006 Subject: Little OT: Block Domain with Sendmail In-Reply-To: References: Message-ID: <34iidu4auuumr98rsvubj4frk82k0plkp2@hail.bengrimm.net> On 8 May 2002 08:53:58 +0200, Quentin Campbell wrote: > If you REJECT mail it will generate an error reply back to the sender. > If that address is invalid then you will find large queues building up > on your mail server with all the consequential effects that brings. > NEVER use REJECT when blocking against spam attacks or an attempt at > denial of service. Sorry, but this is not true! There will not be an error reply back to the sender in the form of an e-mail message when using REJECT (or an error message like we're using, f.e. "571 5.7.1 UNWANTED HOST/DOMAIN eudoramail.com - http://doema.wirehub.nl/error/errors.html#domain."). The error is generated INSIDE/DURING the smtp transaction between the sending and the receiving server, and the connection will be dropped/reset straight after that error message is printed. If there is a bounce, it is caused by the sending server, back to the Return=Path of the person that initiated that message. -- Wirehub! Internet Abuse Handling Dept. - abuse@wirehub.net -- - Blacklists/DNSBLs: http://basic.wirehub.nl/spamstats.html - --AUP: http://www.wirehub.net/pub/av/aup-nl (Dutch) --------- --AUP: http://www.wirehub.net/pub/av/aup-en (English) ------- From jason at MED-WEB.COM Wed May 8 21:02:16 2002 From: jason at MED-WEB.COM (Jason Summers) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee References: <3CD91F57.78CB4F56@bangor.ac.uk> Message-ID: <3CD98448.F1E1B25A@med-web.com> Martin Sapsed wrote: > > Freerk Kalsbeek wrote: > > I've seen a similar problem here. > > Klez is also detected in my setup with Sophos. I receive an HTML formatted > > email indicating that I can read details in the attachment virusalert.txt, > > but the attachment is not there. > > I had one this morning which was disinfected but all I see (in Netscape > Messenger) is a base64 encoded attachment. My guess is that the original > message uses slightly iffy MIME tags Correct. (the problem is a double boundary line) > and Julian's insertion of the warning doesn't quite work. Correct. (it doesn't handle multipart/alternative messages very well) > I've still got what was left if anyone who understands > MIME or MailScanner better than I wants to look at it? The following recent threads are also about this exact same problem (actually two separate, semi-related problems): * Malformed attachments from MailScanner? * Klez Virus get Passed ! * "Inline Text Warning" and "Stored Virus Message Report" I think the only workaround to be posted so far is Miroslav Spousta's suggestion of adding a "$parser->ignore_errors(0)" instruction to explode.pl. This, apparently, will cause MailScanner to completely discard messages containing Klez. That change seems like a good thing to do in principle, but shouldn't the recipient at least receive a warning message when an unparseable message is discarded? (And in this case, it seems to me that MIME-tools ought to be able to parse the Klez messages. As of at least version 5.503, it can't, and even its fallback behavior seems rather poor.) And I'd still like to know if there's an easy way to change "multipart/alternative" messages to "multipart/mixed" if MailScanner adds a warning to them. -- Jason Summers From brose at MED.WAYNE.EDU Thu May 9 00:23:24 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC930@med-core03.med.wayne.edu> Has anyone made any modifications to Mailscanner yet forward a copy of the postmaster warning message to the postmaster in the domain of the sending machine? Or is this a bad idea of attempting? Just getting annoying seeing all these Klez's coming from Comcast, Verizon and broadband provider domains. -=B From leduc at CTS.COM Thu May 9 04:18:03 2002 From: leduc at CTS.COM (Gene & Mary LeDuc) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G Message-ID: <2.2.16.20020509031803.1107ab78@crash.cts.com> At 07:23 PM 5/8/2002 -0400, brose@MED.WAYNE.EDU wrote: >Has anyone made any modifications to Mailscanner yet forward a copy of >the postmaster warning message to the postmaster in the domain of the >sending machine? Or is this a bad idea of attempting? Sophos has a product called MailMonitor that performs the same function as mailscanner with this option. When I was evaluating it I found it worked extremely well. There was a verizon account that had been spewing hundreds of sircams at us daily. That account abruptly stopped firehosing us 2 days after I installed the sophos product. Apparently several hundred abuse warning messages to the postmaster in 2 days made a difference. Before then I had sent a few pleas to the abuse address but nothing was done. The squeaky wheel got the grease in this case. This was such an effective feature that I requested it as soon as I started using mailscanner. I vote "yes" Regards, Gene From jeroen at WIJDOGEN.DHS.ORG Thu May 9 01:25:42 2002 From: jeroen at WIJDOGEN.DHS.ORG (Jeroen Wijdogen) Date: Thu Jan 12 21:14:41 2006 Subject: exporting the autoupdate syslog message to a shell script Message-ID: <20020509092542.M30572@wijdogen.dhs.org> Hello, i'm not that known with perl so i hope someone can help me with this little off topic question. How can i export the message, that is added via syslog in the message file, from the perl script that updates the Virusdefinition files? So it has to be somthing like: error_msg=Lynx failed with error...... export error_msg In the shel script i now use the error_msg for the result of the update. Regards, Jeroen W -- This message has been scanned for viruses and dangerous content by MailScanner on http://wijdogen.dhs.org and is believed to be clean. From jon at XNEXT.COM Thu May 9 04:51:06 2002 From: jon at XNEXT.COM (Jonothon Ortiz (Xnext, Inc)) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <2.2.16.20020509031803.1107ab78@crash.cts.com> Message-ID: At 07:23 PM 5/8/2002 -0400, brose@MED.WAYNE.EDU wrote: >Has anyone made any modifications to Mailscanner yet forward a copy of >the postmaster warning message to the postmaster in the domain of the >sending machine? Or is this a bad idea of attempting? While an excellent idea, there needs to be some method for either preventing our end from unadvertently spamming the other end; usually one or two reports will do it if it's hosted on a small company but I do admit that with cases like Verizon flood mail would probably help. Maybe set up a log to keep track of senders and how many times they have sent, and when their abuse/sysadmins have been notified X number of times? feh; if I knew more c/perl I'd take up the mod challenge to do it but alas, web code is my strength =( but from what I do now I do know such a solution would be time consuming. Alas, I have rambled ;p but I do vote "yes" to add this in the future. From jkf at ecs.soton.ac.uk Thu May 9 10:18:31 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <3CD91F57.78CB4F56@bangor.ac.uk> References: Message-ID: <5.1.0.14.2.20020509101546.02c7c220@imap.ecs.soton.ac.uk> At 13:51 08/05/2002, you wrote: >Freerk Kalsbeek wrote: > > I've seen a similar problem here. > > Klez is also detected in my setup with Sophos. I receive an HTML formatted > > email indicating that I can read details in the attachment virusalert.txt, > > but the attachment is not there. > >I had one this morning which was disinfected but all I see (in Netscape >Messenger) is a base64 encoded attachment. My guess is that the original >message uses slightly iffy MIME tags and Julian's insertion of the warning >doesn't quite work. I've still got what was left if anyone who understands >MIME or MailScanner better than I wants to look at it? The Klez worm creates a "multipart/alternative" email message, which is a right royal pain. I insert all the relevant bits into the email message. But the email client program (Outlook in this case) doesn't know which of the alternatives to display and so just displays the last one, which isn't the VirusWarning.txt (because the VirusWarning.txt is the replacement for the actual virus code, and so it has to be inserted there). So with this worm, depending on the email client, you might see some base64 encoded text (harmless), or a virus warning. Unfortunately I'm not prepared to get into the myre of writing code to handle one virus differently from all the others, as that is just unreliable and impossible to maintain. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 10:20:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Strange sendmail errors??? In-Reply-To: <55001.129.80.22.134.1020871518.squirrel@tiger.dorfam.ca> Message-ID: <5.1.0.14.2.20020509102005.02bac148@imap.ecs.soton.ac.uk> At 16:25 08/05/2002, you wrote: >Would the following sendmail errors have something to do with mailscanner??? No. They are caused by a remote mail server talking to your server too slowly. So sendmail is timing out while waiting for the message to appear. >Unusual System Events >=-=-=-=-=-=-=-=-=-=-= >May 8 09:32:06 tiger sendmail[6285]: g48DU6U06283: timeout waiting for >input from local during Draining InputMay 8 09:32:06 tiger >sendmail[6289]: g48DU6U06288: timeout waiting for >input from local during Draining InputMay 8 09:32:06 tiger >sendmail[6281]: g48DU6U06279: timeout waiting for >input from local during Draining Input > > >Gerry >-- >"The lyfe so short, the craft so long to learne" Chaucer > >-- >"The lyfe so short, the craft so long to learne" Chaucer -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 10:22:51 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <3CD98448.F1E1B25A@med-web.com> References: <3CD91F57.78CB4F56@bangor.ac.uk> Message-ID: <5.1.0.14.2.20020509102212.02c321b8@imap.ecs.soton.ac.uk> At 21:02 08/05/2002, you wrote: >Martin Sapsed wrote: > > > > Freerk Kalsbeek wrote: > > > I've seen a similar problem here. > > > Klez is also detected in my setup with Sophos. I receive an HTML > formatted > > > email indicating that I can read details in the attachment > virusalert.txt, > > > but the attachment is not there. > > > > I had one this morning which was disinfected but all I see (in Netscape > > Messenger) is a base64 encoded attachment. My guess is that the original > > message uses slightly iffy MIME tags > >Correct. (the problem is a double boundary line) > > > and Julian's insertion of the warning doesn't quite work. > >Correct. (it doesn't handle multipart/alternative messages very well) > > > I've still got what was left if anyone who understands > > MIME or MailScanner better than I wants to look at it? > > >The following recent threads are also about this exact same problem >(actually two separate, semi-related problems): > > * Malformed attachments from MailScanner? > * Klez Virus get Passed ! > * "Inline Text Warning" and "Stored Virus Message Report" > >I think the only workaround to be posted so far is Miroslav Spousta's >suggestion of adding a "$parser->ignore_errors(0)" instruction to >explode.pl. This, apparently, will cause MailScanner to completely >discard messages containing Klez. I don't like the sound of that, it causes mail to get thrown away which is a "very bad thing". >That change seems like a good thing to do in principle, but shouldn't >the recipient at least receive a warning message when an unparseable >message is discarded? > >(And in this case, it seems to me that MIME-tools ought to be able to >parse the Klez messages. As of at least version 5.503, it can't, and >even its fallback behavior seems rather poor.) > >And I'd still like to know if there's an easy way to change >"multipart/alternative" messages to "multipart/mixed" if MailScanner >adds a warning to them. That sounds like a good idea. I'll work on that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 10:23:50 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC930@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020509102302.02a04b78@imap.ecs.soton.ac.uk> At 00:23 09/05/2002, you wrote: >Has anyone made any modifications to Mailscanner yet forward a copy of >the postmaster warning message to the postmaster in the domain of the >sending machine? Or is this a bad idea of attempting? I think it will just annoy a lot of postmasters who can't help much if one of their millions of customers happens to have an infected PC. Imagine the amount of mail generated to postmaster@hotmail.com if everyone started doing this! >Just getting annoying seeing all these Klez's coming from Comcast, >Verizon and broadband provider domains. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 10:25:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC930@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> At 00:23 09/05/2002, you wrote: >Has anyone made any modifications to Mailscanner yet forward a copy of >the postmaster warning message to the postmaster in the domain of the >sending machine? Or is this a bad idea of attempting? > >Just getting annoying seeing all these Klez's coming from Comcast, >Verizon and broadband provider domains. Oh, and another problem: what happens when the sender address is fake (like it is in most spam)? Then you are just going to harass completely the wrong person, which is a good way to get blocked by them. There is absolutely no way of guaranteeing the domain name from where the email message originated. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Thu May 9 10:34:50 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: vvolcko@CSAS.CZ requested to join Message-ID: <200205090934.KAA09188@magpie.ecs.soton.ac.uk> Thu, 9 May 2002 10:34:50 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Vladimir Volcko You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER vvolcko@CSAS.CZ Vladimir Volcko PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER vvolcko@CSAS.CZ Vladimir Volcko // EOJ From vvolcko at CSAS.CZ Thu May 9 11:33:16 2002 From: vvolcko at CSAS.CZ (=?iso-8859-2?Q?Vol=E8ko_Vladim=EDr?=) Date: Thu Jan 12 21:14:41 2006 Subject: RedHat Linux RPM installation Message-ID: Good day!! I am trying to install MailScanner (RedHat Linux RPM package version 3.13-2) on RH 7.2 now. During rpm instalation I get one error message: *** error: unterminated C<...> at line 143 in file Mail/Cap.pm (... propably some perl mistake) ...then installation process continue. After installing Sophos, when I am trying start MailScaner (/etc/rc.d/inid.d/mailscanner start) nothing has been done (none submission daemon on 587 port). Have anybody idea whats wrong? with regard Vladimir Volcko From jaearick at COLBY.EDU Thu May 9 11:52:18 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> Message-ID: Julian, I too would like to see something going back to the remote postmaster. Since I turned on the "Postmaster Gets Full Mail Headers" option, I can see the domain that Klez came from, not just the phony "From:". What I have been doing (by hand), is looking at the topmost Received line in the header, eg: Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53]) then bouncing the entire mailscanner message to "postmaster@xxx.yyy" the last two components of the domain. In this case, it would go to postmaster@umbc.edu. Maybe even postmaster@130.85.253.53 in a pinch. This logic could be automated via perl. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Thu, 9 May 2002, Julian Field wrote: > Date: Thu, 9 May 2002 10:25:38 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Klez-G > > At 00:23 09/05/2002, you wrote: > >Has anyone made any modifications to Mailscanner yet forward a copy of > >the postmaster warning message to the postmaster in the domain of the > >sending machine? Or is this a bad idea of attempting? > > > >Just getting annoying seeing all these Klez's coming from Comcast, > >Verizon and broadband provider domains. > > Oh, and another problem: what happens when the sender address is fake (like > it is in most spam)? Then you are just going to harass completely the wrong > person, which is a good way to get blocked by them. > > There is absolutely no way of guaranteeing the domain name from where the > email message originated. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkf at ecs.soton.ac.uk Thu May 9 12:06:54 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <5.1.0.14.2.20020509102212.02c321b8@imap.ecs.soton.ac.uk> References: <3CD98448.F1E1B25A@med-web.com> <3CD91F57.78CB4F56@bangor.ac.uk> Message-ID: <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> At 10:22 09/05/2002, you wrote: >At 21:02 08/05/2002, you wrote: >>Martin Sapsed wrote: >> > >> > Freerk Kalsbeek wrote: >> > > I've seen a similar problem here. >> > > Klez is also detected in my setup with Sophos. I receive an HTML >>formatted >> > > email indicating that I can read details in the attachment >>virusalert.txt, >> > > but the attachment is not there. >> > >> > I had one this morning which was disinfected but all I see (in Netscape >> > Messenger) is a base64 encoded attachment. My guess is that the original >> > message uses slightly iffy MIME tags >> >>Correct. (the problem is a double boundary line) >> >> > and Julian's insertion of the warning doesn't quite work. >> >>Correct. (it doesn't handle multipart/alternative messages very well) Try this: ------------------------------------------------------------- *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb 1 10:22:44 2002 --- explode.pl Thu May 9 12:07:58 2002 *************** *** 301,310 **** --- 301,315 ---- Data => $Warning, Encoding => 'quoted-printable', Charset => 'us-ascii', Top => 0; $parent->parts(\@parts); + + # And make the parent a multipart/mixed if it's a multipart/alternative + $parent->head->mime_attr("content-type" => "multipart/mixed") + if ($parent->is_multipart) && + ($parent->head->mime_attr("content-type") =~ /multipart\/alternative/i); } # Disinfect all the infected entities sub Disinfect { my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, $Entity2File, $IsTNEF) = @_; ------------------------------------------------------------- If you don't understand what to do with the text above, you are probably best off not trying it! ;-) >>The following recent threads are also about this exact same problem >>(actually two separate, semi-related problems): >> >> * Malformed attachments from MailScanner? >> * Klez Virus get Passed ! >> * "Inline Text Warning" and "Stored Virus Message Report" >> >>And I'd still like to know if there's an easy way to change >>"multipart/alternative" messages to "multipart/mixed" if MailScanner >>adds a warning to them. > >That sounds like a good idea. I'll work on that. Done. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 12:22:45 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: References: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509121905.02b9b628@imap.ecs.soton.ac.uk> Parsing out the domain and then guessing at the relevant postmaster address is almost impossible to do automatically. For example, if you sent it to "postmaster@xxx.yyy" as you suggest, and the message claims to have come from us, you would miss us completely as I am postmaster@vvv.xxx.yyy.zzz. Mailing postmaster@xxx.yyy would get you nowhere, apart from annoying the administrators for the entire UK academic community. And sending it to "postmaster@130.85.253.53" will only work if they either have wildcard MX records (a very bad thing) or an MX record for every host in their domain (unnecessary). In our case, all mail leaves as foobar@ecs.soton.ac.uk and we just have MX records for ecs.soton.ac.uk, not every host.ecs.soton.ac.uk. So you see my problem... At 11:52 09/05/2002, you wrote: >Julian, > I too would like to see something going back to the remote postmaster. >Since I turned on the "Postmaster Gets Full Mail Headers" option, I can >see the domain that Klez came from, not just the phony "From:". What >I have been doing (by hand), is looking at the topmost Received line in the >header, eg: > > Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53]) > >then bouncing the entire mailscanner message to "postmaster@xxx.yyy" >the last two components of the domain. In this case, it would go to >postmaster@umbc.edu. Maybe even postmaster@130.85.253.53 in a pinch. >This logic could be automated via perl. > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- > >On Thu, 9 May 2002, Julian Field wrote: > > > Date: Thu, 9 May 2002 10:25:38 +0100 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Klez-G > > > > At 00:23 09/05/2002, you wrote: > > >Has anyone made any modifications to Mailscanner yet forward a copy of > > >the postmaster warning message to the postmaster in the domain of the > > >sending machine? Or is this a bad idea of attempting? > > > > > >Just getting annoying seeing all these Klez's coming from Comcast, > > >Verizon and broadband provider domains. > > > > Oh, and another problem: what happens when the sender address is fake (like > > it is in most spam)? Then you are just going to harass completely the wrong > > person, which is a good way to get blocked by them. > > > > There is absolutely no way of guaranteeing the domain name from where the > > email message originated. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 12:17:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header Message-ID: <5.1.0.14.2.20020509121651.02b87ec0@imap.ecs.soton.ac.uk> If you are getting weird Return-Path: <$g> headers in your mail from MailScanner, please can you try the following patch and report back to me if it works. ------------------------------------------------------ *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 12:22:47 2002 --- mta-specific.pl Thu May 9 11:25:12 2002 *************** *** 551,560 **** --- 551,562 ---- $InHeader = 1 if $Line =~ /^H/; ($InHeader=0),next unless $Line =~ /^[H\t ]/; $Line =~ s/^H//; # JKF 18/04/2001 Delete ?flags? for 0 or more flags for sendmail 8.11 $Line =~ s/^\?[^?]*\?//; + # JKF 06/05/2002 Fix broken Return-Path: header bug + next if $Line =~ /^Return-Path:/i; push @results, $Line; if ($Line =~ /^Subject:\s+(\S.*)$/i) { $subject = $1; #print "Subject is \"$subject\"\n"; } ------------------------------------------------------ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From evertjan at VANRAMSELAAR.NL Thu May 9 12:39:49 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header In-Reply-To: <5.1.0.14.2.20020509121651.02b87ec0@imap.ecs.soton.ac.uk> Message-ID: <000001c1f74e$39d45110$65020a0a@galaxy> Hi Julian, I don't know what it was supposed to do, but when I apply this patch, it just deletes the Return-Path header from the warning message AND from the infected message. Clean messages still show a good Return-Path header. -- Evert Jan van Ramselaar Van Ramselaar Info Tech > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, May 09, 2002 1:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Broken Return-Path: header > > > If you are getting weird > Return-Path: <$g> > headers in your mail from MailScanner, please can you try the following > patch and report back to me if it works. > > ------------------------------------------------------ > *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 > 12:22:47 2002 > --- mta-specific.pl Thu May 9 11:25:12 2002 > *************** > *** 551,560 **** > --- 551,562 ---- > $InHeader = 1 if $Line =~ /^H/; > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > $Line =~ s/^H//; > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > sendmail 8.11 > $Line =~ s/^\?[^?]*\?//; > + # JKF 06/05/2002 Fix broken Return-Path: header bug > + next if $Line =~ /^Return-Path:/i; > push @results, $Line; > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > $subject = $1; > #print "Subject is \"$subject\"\n"; > } > ------------------------------------------------------ > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From evertjan at VANRAMSELAAR.NL Thu May 9 12:50:40 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> Message-ID: <000101c1f74f$bdecbbd0$65020a0a@galaxy> Hi Julian, I just applied this patch. For "non Klez.H" messages it does not change behaviour for both clean and infected messages, which is good. Now I'm just waiting for behaviour with the Klez.H virus. Lately I get one or two a day, so it's just a matter of time... Tnx for coming up with patches so soon! -- Evert Jan van Ramselaar Van Ramselaar Info Tech > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, May 09, 2002 1:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Virus Klez.H and McAfee > > > At 10:22 09/05/2002, you wrote: > >At 21:02 08/05/2002, you wrote: > >>Martin Sapsed wrote: > >> > > >> > Freerk Kalsbeek wrote: > >> > > I've seen a similar problem here. > >> > > Klez is also detected in my setup with Sophos. I receive an HTML > >>formatted > >> > > email indicating that I can read details in the attachment > >>virusalert.txt, > >> > > but the attachment is not there. > >> > > >> > I had one this morning which was disinfected but all I see > (in Netscape > >> > Messenger) is a base64 encoded attachment. My guess is that > the original > >> > message uses slightly iffy MIME tags > >> > >>Correct. (the problem is a double boundary line) > >> > >> > and Julian's insertion of the warning doesn't quite work. > >> > >>Correct. (it doesn't handle multipart/alternative messages very well) > > Try this: > ------------------------------------------------------------- > *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb > 1 10:22:44 > 2002 > --- explode.pl Thu May 9 12:07:58 2002 > *************** > *** 301,310 **** > --- 301,315 ---- > Data => $Warning, > Encoding => 'quoted-printable', > Charset => 'us-ascii', > Top => 0; > $parent->parts(\@parts); > + > + # And make the parent a multipart/mixed if it's a > multipart/alternative > + $parent->head->mime_attr("content-type" => "multipart/mixed") > + if ($parent->is_multipart) && > + ($parent->head->mime_attr("content-type") =~ > /multipart\/alternative/i); > } > > # Disinfect all the infected entities > sub Disinfect { > my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, > $Entity2File, $IsTNEF) = @_; > ------------------------------------------------------------- > If you don't understand what to do with the text above, you are probably > best off not trying it! > ;-) > > >>The following recent threads are also about this exact same problem > >>(actually two separate, semi-related problems): > >> > >> * Malformed attachments from MailScanner? > >> * Klez Virus get Passed ! > >> * "Inline Text Warning" and "Stored Virus Message Report" > >> > >>And I'd still like to know if there's an easy way to change > >>"multipart/alternative" messages to "multipart/mixed" if MailScanner > >>adds a warning to them. > > > >That sounds like a good idea. I'll work on that. > > Done. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From richard.siddall at ELIRION.NET Thu May 9 13:58:54 2002 From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:14:41 2006 Subject: Reporting viruses (was: Klez-G) References: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509121905.02b9b628@imap.ecs.soton.ac.uk> Message-ID: <3CDA728E.AD14874B@elirion.net> Julian Field wrote: > > Parsing out the domain and then guessing at the relevant postmaster address > is almost impossible to do automatically. For example, if you sent it to > "postmaster@xxx.yyy" as you suggest, and the message claims to have come > from us, you would miss us completely as I am postmaster@vvv.xxx.yyy.zzz. > Mailing postmaster@xxx.yyy would get you nowhere, apart from annoying the > administrators for the entire UK academic community. > > And sending it to "postmaster@130.85.253.53" will only work if they either > have wildcard MX records (a very bad thing) or an MX record for every host > in their domain (unnecessary). In our case, all mail leaves as > foobar@ecs.soton.ac.uk and we just have MX records for ecs.soton.ac.uk, not > every host.ecs.soton.ac.uk. > > So you see my problem... > Let me suggest integrating mailscanner with a distributed intrusion detection system such as DShield or myNetWatchman. They're in the business of finding the right contact (and annoying the wrong people as part of that process). Regards, Richard Siddall From jkf at ecs.soton.ac.uk Thu May 9 14:42:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Reporting viruses (was: Klez-G) In-Reply-To: <3CDA728E.AD14874B@elirion.net> References: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509121905.02b9b628@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509144149.02c943e8@imap.ecs.soton.ac.uk> At 13:58 09/05/2002, you wrote: >Let me suggest integrating mailscanner with a distributed intrusion detection >system such as DShield or myNetWatchman. I'll promise to work on that between 11pm and 17pm :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 14:41:15 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header In-Reply-To: <000001c1f74e$39d45110$65020a0a@galaxy> References: <5.1.0.14.2.20020509121651.02b87ec0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509143219.02a16008@imap.ecs.soton.ac.uk> At 12:39 09/05/2002, you wrote: >I don't know what it was supposed to do, but when I apply this patch, it >just deletes the Return-Path header from the warning message AND from the >infected message. That should only happen if you are using MailScanner on the server that does the final message delivery into the user's mailbox. Is the Return-Path header any use anyway? I don't see why as it is trivial to fake. I'll try to write you a better version of the solution. >Clean messages still show a good Return-Path header. > >-- > Evert Jan van Ramselaar > Van Ramselaar Info Tech > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Thursday, May 09, 2002 1:18 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Broken Return-Path: header > > > > > > If you are getting weird > > Return-Path: <$g> > > headers in your mail from MailScanner, please can you try the following > > patch and report back to me if it works. > > > > ------------------------------------------------------ > > *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 > > 12:22:47 2002 > > --- mta-specific.pl Thu May 9 11:25:12 2002 > > *************** > > *** 551,560 **** > > --- 551,562 ---- > > $InHeader = 1 if $Line =~ /^H/; > > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > > $Line =~ s/^H//; > > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > > sendmail 8.11 > > $Line =~ s/^\?[^?]*\?//; > > + # JKF 06/05/2002 Fix broken Return-Path: header bug > > + next if $Line =~ /^Return-Path:/i; > > push @results, $Line; > > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > > $subject = $1; > > #print "Subject is \"$subject\"\n"; > > } > > ------------------------------------------------------ > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From antonio at DESCOM.ES Thu May 9 15:16:03 2002 From: antonio at DESCOM.ES (Antonio Coloma) Date: Thu Jan 12 21:14:41 2006 Subject: Virus Klez.H and McAfee Message-ID: Hi! I have applied the "explode.pl" patch and works fine for Klez.H virus ... and I have tested it with eicar and works fine too. Thanx for all! >Try this: >------------------------------------------------------------- >*** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb 1 10:22:44 >2002 >--- explode.pl Thu May 9 12:07:58 2002 >*************** >*** 301,310 **** >--- 301,315 ---- > Data => $Warning, > Encoding => 'quoted-printable', > Charset => 'us-ascii', > Top => 0; > $parent->parts(\@parts); >+ >+ # And make the parent a multipart/mixed if it's a multipart/alternative >+ $parent->head->mime_attr("content-type" => "multipart/mixed") >+ if ($parent->is_multipart) && >+ ($parent->head->mime_attr("content-type") =~ >/multipart\/alternative/i); > } > > # Disinfect all the infected entities > sub Disinfect { > my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, >$Entity2File, $IsTNEF) = @_; >------------------------------------------------------------- >If you don't understand what to do with the text above, you are probably >best off not trying it! >;-) > From evertjan at VANRAMSELAAR.NL Thu May 9 15:18:25 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header In-Reply-To: <5.1.0.14.2.20020509143219.02a16008@imap.ecs.soton.ac.uk> Message-ID: <003501c1f764$62370dd0$65020a0a@galaxy> > -----Original Message----- > From: Julian Field > Sent: Thursday, May 09, 2002 3:41 PM > Is the Return-Path header any use anyway? Some MTA's and apps use this field to send errors to. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From jkf at ecs.soton.ac.uk Thu May 9 15:26:06 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020509143219.02a16008@imap.ecs.soton.ac.uk> References: <000001c1f74e$39d45110$65020a0a@galaxy> <5.1.0.14.2.20020509121651.02b87ec0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> At 14:41 09/05/2002, you wrote: >At 12:39 09/05/2002, you wrote: >>I don't know what it was supposed to do, but when I apply this patch, it >>just deletes the Return-Path header from the warning message AND from the >>infected message. > >That should only happen if you are using MailScanner on the server that >does the final message delivery into the user's mailbox. > >Is the Return-Path header any use anyway? I don't see why as it is trivial >to fake. > >I'll try to write you a better version of the solution. Patch required to both sendmail.pl and mta-specific.pl. These patches are a bit big, so I have attached a new sendmail.pl and mta-specific.pl to this message. Note ***THESE ARE FOR THE LATEST VERSION 3.13-2 ONLY*** If you want to add this functionality to earlier releases, you will have to insert the following patches by hand. If these work okay, they'll get rolled into the next minor release. ----------------------------------------------------------- *** /usr/local/mailscanner/mailscanner/bin/sendmail.pl Tue May 7 05:03:31 2002 --- sendmail.pl Thu May 9 15:12:28 2002 *************** *** 569,578 **** --- 569,579 ---- Lock::unlockclose($DfOut); #undef $DfOut; # Construct all the new headers $newheaders = MTA::ConstructHeaders($entities->{$id}->stringify_header); + $newheaders = MTA::FixReturnPath($newheaders); $newheaders = AddCleanHeader($newheaders) if $Clean eq 'clean'; $newheaders = AddInfectedHeader($newheaders) if $Clean eq 'dirty'; $newheaders = AddUnscannedHeader($newheaders) if $Clean eq 'unscanned'; if (defined($IsSpam->{$id})) { $newheaders = MTA::AddHeader($newheaders, $Config::SpamHeader, ----------------------------------------------------------- and ----------------------------------------------------------- *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 12:24:34 2002 --- mta-specific.pl Thu May 9 15:18:35 2002 *************** *** 137,146 **** --- 137,150 ---- # Given filehandle open for reading, merge envelope data (excepting # headers) from filehandle with headers from string, and return new # envelope data in string, ready to be written back to new # envelope queue file. # + # FixReturnPath: + # In sendmail the Return-Path: header needs some flags at the start + # of the line. Exim requires no change. + # # KickMessage: # Given id, tell MTA to make a delivery attempt. # my($cat) = "/bin/cat"; *************** *** 467,476 **** --- 471,485 ---- $envelope .= $headers; return $envelope; } + sub FixReturnPath { + my($headers) = @_; + return $headers; + } + sub KickMessage { my(@ids) = @_; my($idlist); # Need to check this with Nick to discover how to attempt delivery of multiple messages *************** *** 519,529 **** sub ReadQf { my($RQf) = @_; my($InHeader, @results, $msginfo, $from, @to, $subject); my($ip); ! my($Line); $InHeader = 0; while(<$RQf>) { last if /^\./; # Bat book section 23.9.19 $Line = $_; --- 528,538 ---- sub ReadQf { my($RQf) = @_; my($InHeader, @results, $msginfo, $from, @to, $subject); my($ip); ! my($Line, $Flags); $InHeader = 0; while(<$RQf>) { last if /^\./; # Bat book section 23.9.19 $Line = $_; *************** *** 550,562 **** } $InHeader = 1 if $Line =~ /^H/; ($InHeader=0),next unless $Line =~ /^[H\t ]/; $Line =~ s/^H//; # JKF 18/04/2001 Delete ?flags? for 0 or more flags for sendmail 8.11 ! $Line =~ s/^\?[^?]*\?//; ! # JKF 06/05/2002 Fix broken Return-Path: header bug ! next if $Line =~ /^Return-Path:/i; push @results, $Line; if ($Line =~ /^Subject:\s+(\S.*)$/i) { $subject = $1; #print "Subject is \"$subject\"\n"; } --- 559,572 ---- } $InHeader = 1 if $Line =~ /^H/; ($InHeader=0),next unless $Line =~ /^[H\t ]/; $Line =~ s/^H//; # JKF 18/04/2001 Delete ?flags? for 0 or more flags for sendmail 8.11 ! $Line =~ s/^(\?[^?]*\?)//; ! $Flags = $1; ! # JKF 09/05/2002 Fix broken Return-Path: header bug ! $MTA::ReturnPathFlags = $Flags if $Line =~ /^Return-Path:/i; push @results, $Line; if ($Line =~ /^Subject:\s+(\S.*)$/i) { $subject = $1; #print "Subject is \"$subject\"\n"; } *************** *** 707,716 **** --- 717,732 ---- } $envelope .= $headers; $envelope .= ".\n"; return $envelope; + } + + sub FixReturnPath { + my($headers) = @_; + $headers =~ s/^H(Return-Path:)/H$MTA::ReturnPathFlags$1/mi; + return $headers; } sub KickMessage { my(@ids) = @_; my($idlist); ----------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail.pl Type: application/octet-stream Size: 34366 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020509/594bb399/sendmail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: mta-specific.pl Type: application/octet-stream Size: 19529 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020509/594bb399/mta-specific.obj -------------- next part -------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Thu May 9 15:42:12 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC932@med-core03.med.wayne.edu> But how can the host/ip in the received from header be forged since it's being put there by the recipient system? Also the Message-ID is constructed by the recipient system so it would be hard for that to be forged as well. The only problem with the message-id is that it's replaced by whatever system picks it up so if it's a relayed message, the Message-ID would be for the relayed domain. As for nagging the remote postermaster, who here are postmasters and get nagged anyway. Probably everyone. The problem doesn't get resolved unless someone on the remote end gets involved. At least they would know the actual sender and contact them. That's what we've had to do here for people dialing into the University dialin pool. Send it to the dialin pool people to look to see who was connected at the time the virus was sent so that they can be contacted. I would assume it should be the same process for Comcase or Verizon. -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Thursday, May 09, 2002 7:23 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Klez-G Parsing out the domain and then guessing at the relevant postmaster address is almost impossible to do automatically. For example, if you sent it to "postmaster@xxx.yyy" as you suggest, and the message claims to have come from us, you would miss us completely as I am postmaster@vvv.xxx.yyy.zzz. Mailing postmaster@xxx.yyy would get you nowhere, apart from annoying the administrators for the entire UK academic community. And sending it to "postmaster@130.85.253.53" will only work if they either have wildcard MX records (a very bad thing) or an MX record for every host in their domain (unnecessary). In our case, all mail leaves as foobar@ecs.soton.ac.uk and we just have MX records for ecs.soton.ac.uk, not every host.ecs.soton.ac.uk. So you see my problem... At 11:52 09/05/2002, you wrote: >Julian, > I too would like to see something going back to the remote >postmaster. Since I turned on the "Postmaster Gets Full Mail Headers" >option, I can see the domain that Klez came from, not just the phony >"From:". What I have been doing (by hand), is looking at the topmost >Received line in the header, eg: > > Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53]) > >then bouncing the entire mailscanner message to "postmaster@xxx.yyy" >the last two components of the domain. In this case, it would go to >postmaster@umbc.edu. Maybe even postmaster@130.85.253.53 in a pinch. >This logic could be automated via perl. > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >----------------------------------------------------------------------- >----- > >On Thu, 9 May 2002, Julian Field wrote: > > > Date: Thu, 9 May 2002 10:25:38 +0100 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Klez-G > > > > At 00:23 09/05/2002, you wrote: > > >Has anyone made any modifications to Mailscanner yet forward a copy > > >of the postmaster warning message to the postmaster in the domain > > >of the sending machine? Or is this a bad idea of attempting? > > > > > >Just getting annoying seeing all these Klez's coming from Comcast, > > >Verizon and broadband provider domains. > > > > Oh, and another problem: what happens when the sender address is > > fake (like it is in most spam)? Then you are just going to harass > > completely the wrong person, which is a good way to get blocked by > > them. > > > > There is absolutely no way of guaranteeing the domain name from > > where the email message originated. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Thu May 9 15:46:47 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> Message-ID: <18894729.1020959206@mallard.open.ac.uk> On 09 May 2002 15:26 +0100 Julian Field wrote: > Patch required to both sendmail.pl and mta-specific.pl. These patches > are a bit big, so I have attached a new sendmail.pl and > mta-specific.pl to this message. When I replace my existing sendmail.pl and mta-specific.pl with these I get the following error message in /var/log/maillog: Can't locate object method "new" via package "Mail::SpamAssassin::NoMailAudit" (perhaps you forgot to load "Mail::SpamAssassin::NoMailAudit"?) at /usr/local/MailScanner/bin/sendmail.pl line 293. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From evertjan at VANRAMSELAAR.NL Thu May 9 15:47:38 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> Message-ID: <003b01c1f768$76832450$65020a0a@galaxy> Hmmm... In the warning message it still shows up as: Full headers are: Return-Path: -- Evert Jan van Ramselaar Van Ramselaar Info Tech > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, May 09, 2002 4:26 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Broken Return-Path: header (better solution!) > > > At 14:41 09/05/2002, you wrote: > >At 12:39 09/05/2002, you wrote: > >>I don't know what it was supposed to do, but when I apply this patch, it > >>just deletes the Return-Path header from the warning message > AND from the > >>infected message. > > > >That should only happen if you are using MailScanner on the server that > >does the final message delivery into the user's mailbox. > > > >Is the Return-Path header any use anyway? I don't see why as it > is trivial > >to fake. > > > >I'll try to write you a better version of the solution. > > Patch required to both sendmail.pl and mta-specific.pl. These > patches are a > bit big, so I have attached a new sendmail.pl and mta-specific.pl to this > message. > > Note ***THESE ARE FOR THE LATEST VERSION 3.13-2 ONLY*** > If you want to add this functionality to earlier releases, you > will have to > insert the following patches by hand. > > If these work okay, they'll get rolled into the next minor release. > > ----------------------------------------------------------- > *** /usr/local/mailscanner/mailscanner/bin/sendmail.pl Tue May > 7 05:03:31 > 2002 > --- sendmail.pl Thu May 9 15:12:28 2002 > *************** > *** 569,578 **** > --- 569,579 ---- > Lock::unlockclose($DfOut); > #undef $DfOut; > > # Construct all the new headers > $newheaders = > MTA::ConstructHeaders($entities->{$id}->stringify_header); > + $newheaders = MTA::FixReturnPath($newheaders); > $newheaders = AddCleanHeader($newheaders) if $Clean eq 'clean'; > $newheaders = AddInfectedHeader($newheaders) if $Clean eq 'dirty'; > $newheaders = AddUnscannedHeader($newheaders) if $Clean eq > 'unscanned'; > if (defined($IsSpam->{$id})) { > $newheaders = MTA::AddHeader($newheaders, $Config::SpamHeader, > ----------------------------------------------------------- > and > ----------------------------------------------------------- > *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 > 12:24:34 2002 > --- mta-specific.pl Thu May 9 15:18:35 2002 > *************** > *** 137,146 **** > --- 137,150 ---- > # Given filehandle open for reading, merge envelope data (excepting > # headers) from filehandle with headers from string, and return new > # envelope data in string, ready to be written back to new > # envelope queue file. > # > + # FixReturnPath: > + # In sendmail the Return-Path: header needs some flags at the start > + # of the line. Exim requires no change. > + # > # KickMessage: > # Given id, tell MTA to make a delivery attempt. > # > > my($cat) = "/bin/cat"; > *************** > *** 467,476 **** > --- 471,485 ---- > > $envelope .= $headers; > return $envelope; > } > > + sub FixReturnPath { > + my($headers) = @_; > + return $headers; > + } > + > sub KickMessage { > my(@ids) = @_; > my($idlist); > > # Need to check this with Nick to discover how to attempt delivery > of multiple messages > *************** > *** 519,529 **** > > sub ReadQf { > my($RQf) = @_; > my($InHeader, @results, $msginfo, $from, @to, $subject); > my($ip); > ! my($Line); > > $InHeader = 0; > while(<$RQf>) { > last if /^\./; # Bat book section 23.9.19 > $Line = $_; > --- 528,538 ---- > > sub ReadQf { > my($RQf) = @_; > my($InHeader, @results, $msginfo, $from, @to, $subject); > my($ip); > ! my($Line, $Flags); > > $InHeader = 0; > while(<$RQf>) { > last if /^\./; # Bat book section 23.9.19 > $Line = $_; > *************** > *** 550,562 **** > } > $InHeader = 1 if $Line =~ /^H/; > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > $Line =~ s/^H//; > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > sendmail 8.11 > ! $Line =~ s/^\?[^?]*\?//; > ! # JKF 06/05/2002 Fix broken Return-Path: header bug > ! next if $Line =~ /^Return-Path:/i; > push @results, $Line; > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > $subject = $1; > #print "Subject is \"$subject\"\n"; > } > --- 559,572 ---- > } > $InHeader = 1 if $Line =~ /^H/; > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > $Line =~ s/^H//; > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > sendmail 8.11 > ! $Line =~ s/^(\?[^?]*\?)//; > ! $Flags = $1; > ! # JKF 09/05/2002 Fix broken Return-Path: header bug > ! $MTA::ReturnPathFlags = $Flags if $Line =~ /^Return-Path:/i; > push @results, $Line; > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > $subject = $1; > #print "Subject is \"$subject\"\n"; > } > *************** > *** 707,716 **** > --- 717,732 ---- > } > > $envelope .= $headers; > $envelope .= ".\n"; > return $envelope; > + } > + > + sub FixReturnPath { > + my($headers) = @_; > + $headers =~ s/^H(Return-Path:)/H$MTA::ReturnPathFlags$1/mi; > + return $headers; > } > > sub KickMessage { > my(@ids) = @_; > my($idlist); > ----------------------------------------------------------- > From jethro.binks at STRATH.AC.UK Thu May 9 16:15:58 2002 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC932@med-core03.med.wayne.edu> Message-ID: <20020509155511.O603-100000@defjam.cc.strath.ac.uk> On Thu, 9 May 2002, Rose, Bobby wrote: > But how can the host/ip in the received from header be forged since it's > being put there by the recipient system? Also the Message-ID is > constructed by the recipient system so it would be hard for that to be > forged as well. The only problem with the message-id is that it's > replaced by whatever system picks it up so if it's a relayed message, > the Message-ID would be for the relayed domain. Some spammers add fake Received: headers to throw people off the scent. Although visually it's usually easy to tell them, by doing a consistency check from one line to the next, doing it programmatically can be tricky. Probably not impossible, but tricky nonetheless. It also doesn't help that Received: headers can vary in format. > As for nagging the remote postermaster, who here are postmasters and get > nagged anyway. Probably everyone. I wouldn't call that much reason to nag them even more, then, especially when you can't guarantee that it is even the right person. As Julian mentioned, one of the fastest ways to get your email blocked is to send them a torrent of virus warnings about something they might not even be in a position to do. [I currently have Notify Senders enabled, but for some weeks have been debating the wisdom of this. The fact that now I can't even guarantee that the apparent sender of the mail is actually the guilty party is pushing me to turn this off. If they are sending loads of the stuff out, then some other system will sooner or later send them a warning. It'll cut down on my support time too] > The problem doesn't get resolved > unless someone on the remote end gets involved. Yes, the user of the machine concerned. Unfortunately, with the latest infections faking the sender address, this is now virtually impossible to determine. (Having said that, a large proportion of users who get Mailscanner warnings seem to ignore them or deny the problem anyway, so I don't think that's being much worse off). > At least they would > know the actual sender and contact them. That's what we've had to do > here for people dialing into the University dialin pool. Send it to the > dialin pool people to look to see who was connected at the time the > virus was sent so that they can be contacted. I would assume it should > be the same process for Comcase or Verizon. Yes it probably would be the same process. However, you're relying on the goodwill of the remote postmaster to (a) care enough to do so, (b) have the time to do so, and (c) have the ability to do so. As mentioned previously by Julian, the postmaster you contact might not have any connection at a direct level with the (eg) modem pool from which a message originated. It is impossible to determine with any reliability the appropriate address to use. WHOIS records often aren't accurate enough either. Those who submit spam reports to large ISPs will be familiar with the typical "automated reply" that promises they "will investigate", and that one may not "receive any further communications regarding the matter. Who knows if they act on the report half of the time? If they are having to deal with torrents of repeated Mailscanner warnings too, they will be even less inclined to do anything about them, and the software itself may get a bad reputation as a result. The proposal pushes the onus of managing the outbreak on the ISPs concerned. Although that's arguable the 'correct' thing to do, practically in the real world you can't expect them to manage that -- for the most part they don't personally know the people involved and it wouldn't be worth their while chasing people up, taking on the technical support burden of dealing with them, and then confirming that the machine has been cleaned with all the support that entails. For the most part, as long as it isn't really affecting 'their' network, they probably don't much care. That's not a great attitude to have, but ... It's slightly different for academic institions, private companies, and such, of course, but this seems to be the Way It Is for major ISPs -- and that's where most of the problems originate. I would like to suggest a rate-limiting feature be introduced, so that where warning messages are being returned to sender (or apparently responsible postmaster, per original sender), only a certain number in a given time period are generated. This will help with the present operation of the software, and should some feature as is being discussed be implemented, it would help to allay huge numbers of reports being sent to postmasters and just maybe then they might do something about it. But I think it a useful feature anyway. Or perhaps an aggregation of reports to a particular sender (or his postmaster), so they only get one mail per fer hours or whatever is appropriate. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From jkf at ecs.soton.ac.uk Thu May 9 16:20:12 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <18894729.1020959206@mallard.open.ac.uk> References: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509161936.02cc9cb8@imap.ecs.soton.ac.uk> At 15:46 09/05/2002, you wrote: >On 09 May 2002 15:26 +0100 Julian Field wrote: > >>Patch required to both sendmail.pl and mta-specific.pl. These patches >>are a bit big, so I have attached a new sendmail.pl and >>mta-specific.pl to this message. > >When I replace my existing sendmail.pl and mta-specific.pl with these I >get the following error message in /var/log/maillog: > >Can't locate object method "new" via package >"Mail::SpamAssassin::NoMailAudit" (perhaps you forgot to load >"Mail::SpamAssassin::NoMailAudit"?) at >/usr/local/MailScanner/bin/sendmail.pl line 293. You are running a version of SpamAssassin which is too old. Are you really running MailScanner 3.13-2? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 16:19:11 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC932@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020509161657.02cb4e80@imap.ecs.soton.ac.uk> At 15:42 09/05/2002, you wrote: >But how can the host/ip in the received from header be forged since it's >being put there by the recipient system? Never seen packets with forged IP addresses? Lucky you! >As for nagging the remote postermaster, who here are postmasters and get >nagged anyway. Probably everyone. The problem doesn't get resolved >unless someone on the remote end gets involved. At least they would >know the actual sender and contact them. That's what we've had to do >here for people dialing into the University dialin pool. Send it to the >dialin pool people to look to see who was connected at the time the >virus was sent so that they can be contacted. I would assume it should >be the same process for Comcase or Verizon. Fair enough, what would you like implementing? A customisable anti-virus message sent to some customisable-address@sender-domain.com? >-----Original Message----- >From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] >Sent: Thursday, May 09, 2002 7:23 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Klez-G > > >Parsing out the domain and then guessing at the relevant postmaster >address is almost impossible to do automatically. For example, if you >sent it to "postmaster@xxx.yyy" as you suggest, and the message claims >to have come from us, you would miss us completely as I am >postmaster@vvv.xxx.yyy.zzz. Mailing postmaster@xxx.yyy would get you >nowhere, apart from annoying the administrators for the entire UK >academic community. > >And sending it to "postmaster@130.85.253.53" will only work if they >either have wildcard MX records (a very bad thing) or an MX record for >every host in their domain (unnecessary). In our case, all mail leaves >as foobar@ecs.soton.ac.uk and we just have MX records for >ecs.soton.ac.uk, not every host.ecs.soton.ac.uk. > >So you see my problem... > >At 11:52 09/05/2002, you wrote: > >Julian, > > I too would like to see something going back to the remote > >postmaster. Since I turned on the "Postmaster Gets Full Mail Headers" > >option, I can see the domain that Klez came from, not just the phony > >"From:". What I have been doing (by hand), is looking at the topmost > >Received line in the header, eg: > > > > Received: from mx3out.umbc.edu (mx3out.umbc.edu [130.85.253.53]) > > > >then bouncing the entire mailscanner message to "postmaster@xxx.yyy" > >the last two components of the domain. In this case, it would go to > >postmaster@umbc.edu. Maybe even postmaster@130.85.253.53 in a pinch. > >This logic could be automated via perl. > > > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > >** Senior UNIX Sysadmin, Information Technology EMAIL: >jaearick@colby.edu > >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > >** Waterville ME, 04901-8842 > >----------------------------------------------------------------------- > >----- > > > >On Thu, 9 May 2002, Julian Field wrote: > > > > > Date: Thu, 9 May 2002 10:25:38 +0100 > > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Klez-G > > > > > > At 00:23 09/05/2002, you wrote: > > > >Has anyone made any modifications to Mailscanner yet forward a copy > > > > >of the postmaster warning message to the postmaster in the domain > > > >of the sending machine? Or is this a bad idea of attempting? > > > > > > > >Just getting annoying seeing all these Klez's coming from Comcast, > > > >Verizon and broadband provider domains. > > > > > > Oh, and another problem: what happens when the sender address is > > > fake (like it is in most spam)? Then you are just going to harass > > > completely the wrong person, which is a good way to get blocked by > > > them. > > > > > > There is absolutely no way of guaranteeing the domain name from > > > where the email message originated. > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 16:21:35 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <003b01c1f768$76832450$65020a0a@galaxy> References: <5.1.0.14.2.20020509151858.02c946d8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509162014.02a61b80@imap.ecs.soton.ac.uk> At 15:47 09/05/2002, you wrote: >Hmmm... > >In the warning message it still shows up as: > >Full headers are: > Return-Path: Well all I can say is that it worked for me, and I put the Return-Path: header back exactly how I found it, flags and all. The "?" shouldn't be a "?" in the first place, it should be a "$". That bit isn't MailScanner's fault. > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Thursday, May 09, 2002 4:26 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Broken Return-Path: header (better solution!) > > > > > > At 14:41 09/05/2002, you wrote: > > >At 12:39 09/05/2002, you wrote: > > >>I don't know what it was supposed to do, but when I apply this patch, it > > >>just deletes the Return-Path header from the warning message > > AND from the > > >>infected message. > > > > > >That should only happen if you are using MailScanner on the server that > > >does the final message delivery into the user's mailbox. > > > > > >Is the Return-Path header any use anyway? I don't see why as it > > is trivial > > >to fake. > > > > > >I'll try to write you a better version of the solution. > > > > Patch required to both sendmail.pl and mta-specific.pl. These > > patches are a > > bit big, so I have attached a new sendmail.pl and mta-specific.pl to this > > message. > > > > Note ***THESE ARE FOR THE LATEST VERSION 3.13-2 ONLY*** > > If you want to add this functionality to earlier releases, you > > will have to > > insert the following patches by hand. > > > > If these work okay, they'll get rolled into the next minor release. > > > > ----------------------------------------------------------- > > *** /usr/local/mailscanner/mailscanner/bin/sendmail.pl Tue May > > 7 05:03:31 > > 2002 > > --- sendmail.pl Thu May 9 15:12:28 2002 > > *************** > > *** 569,578 **** > > --- 569,579 ---- > > Lock::unlockclose($DfOut); > > #undef $DfOut; > > > > # Construct all the new headers > > $newheaders = > > MTA::ConstructHeaders($entities->{$id}->stringify_header); > > + $newheaders = MTA::FixReturnPath($newheaders); > > $newheaders = AddCleanHeader($newheaders) if $Clean eq 'clean'; > > $newheaders = AddInfectedHeader($newheaders) if $Clean eq 'dirty'; > > $newheaders = AddUnscannedHeader($newheaders) if $Clean eq > > 'unscanned'; > > if (defined($IsSpam->{$id})) { > > $newheaders = MTA::AddHeader($newheaders, $Config::SpamHeader, > > ----------------------------------------------------------- > > and > > ----------------------------------------------------------- > > *** /usr/local/mailscanner/mailscanner/bin/mta-specific.pl Thu May 9 > > 12:24:34 2002 > > --- mta-specific.pl Thu May 9 15:18:35 2002 > > *************** > > *** 137,146 **** > > --- 137,150 ---- > > # Given filehandle open for reading, merge envelope data (excepting > > # headers) from filehandle with headers from string, and return new > > # envelope data in string, ready to be written back to new > > # envelope queue file. > > # > > + # FixReturnPath: > > + # In sendmail the Return-Path: header needs some flags at the start > > + # of the line. Exim requires no change. > > + # > > # KickMessage: > > # Given id, tell MTA to make a delivery attempt. > > # > > > > my($cat) = "/bin/cat"; > > *************** > > *** 467,476 **** > > --- 471,485 ---- > > > > $envelope .= $headers; > > return $envelope; > > } > > > > + sub FixReturnPath { > > + my($headers) = @_; > > + return $headers; > > + } > > + > > sub KickMessage { > > my(@ids) = @_; > > my($idlist); > > > > # Need to check this with Nick to discover how to attempt delivery > > of multiple messages > > *************** > > *** 519,529 **** > > > > sub ReadQf { > > my($RQf) = @_; > > my($InHeader, @results, $msginfo, $from, @to, $subject); > > my($ip); > > ! my($Line); > > > > $InHeader = 0; > > while(<$RQf>) { > > last if /^\./; # Bat book section 23.9.19 > > $Line = $_; > > --- 528,538 ---- > > > > sub ReadQf { > > my($RQf) = @_; > > my($InHeader, @results, $msginfo, $from, @to, $subject); > > my($ip); > > ! my($Line, $Flags); > > > > $InHeader = 0; > > while(<$RQf>) { > > last if /^\./; # Bat book section 23.9.19 > > $Line = $_; > > *************** > > *** 550,562 **** > > } > > $InHeader = 1 if $Line =~ /^H/; > > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > > $Line =~ s/^H//; > > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > > sendmail 8.11 > > ! $Line =~ s/^\?[^?]*\?//; > > ! # JKF 06/05/2002 Fix broken Return-Path: header bug > > ! next if $Line =~ /^Return-Path:/i; > > push @results, $Line; > > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > > $subject = $1; > > #print "Subject is \"$subject\"\n"; > > } > > --- 559,572 ---- > > } > > $InHeader = 1 if $Line =~ /^H/; > > ($InHeader=0),next unless $Line =~ /^[H\t ]/; > > $Line =~ s/^H//; > > # JKF 18/04/2001 Delete ?flags? for 0 or more flags for > > sendmail 8.11 > > ! $Line =~ s/^(\?[^?]*\?)//; > > ! $Flags = $1; > > ! # JKF 09/05/2002 Fix broken Return-Path: header bug > > ! $MTA::ReturnPathFlags = $Flags if $Line =~ /^Return-Path:/i; > > push @results, $Line; > > if ($Line =~ /^Subject:\s+(\S.*)$/i) { > > $subject = $1; > > #print "Subject is \"$subject\"\n"; > > } > > *************** > > *** 707,716 **** > > --- 717,732 ---- > > } > > > > $envelope .= $headers; > > $envelope .= ".\n"; > > return $envelope; > > + } > > + > > + sub FixReturnPath { > > + my($headers) = @_; > > + $headers =~ s/^H(Return-Path:)/H$MTA::ReturnPathFlags$1/mi; > > + return $headers; > > } > > > > sub KickMessage { > > my(@ids) = @_; > > my($idlist); > > ----------------------------------------------------------- > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 16:33:03 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G - Warning postmaster@sender.com In-Reply-To: <20020509155511.O603-100000@defjam.cc.strath.ac.uk> References: <6D60AC042221344095A0EBBC56EEE79A4BC932@med-core03.med.wayne.edu> Message-ID: <5.1.0.14.2.20020509162415.02cc6008@imap.ecs.soton.ac.uk> At 16:15 09/05/2002, you wrote: > I have to say, I'm siding with you on this one. It's not impossible to write the postmaster@sending-domain.com message system. But if people are going to turn it on and get MailScanner a bad name as a result, then I obviously don't want to write it. I want more people to be encouraged to use my software to help reduce the number of virus-infected PC's in the world, not piss off overworked sysadmins (of which I am one, if you want proof then take a look at http://www.ecs.soton.ac.uk/~jkf/myjob.html ). With the current Klez worm, and hence most of the worms that will follow it, it is currently probably 90% likely that the sender address is false. So 90% of the time you will target the wrong postmaster, which is Not A Good Thing (tm). I agree that up until now this was probably a useful feature, but its usefulness has just been destroyed at a stroke by Klez. >I would like to suggest a rate-limiting feature be introduced, so that >where warning messages are being returned to sender (or apparently >responsible postmaster, per original sender), only a certain number in a >given time period are generated. This will help with the present >operation of the software, and should some feature as is being discussed >be implemented, it would help to allay huge numbers of reports being sent >to postmasters and just maybe then they might do something about it. But >I think it a useful feature anyway. > >Or perhaps an aggregation of reports to a particular sender (or his >postmaster), so they only get one mail per fer hours or whatever is >appropriate. This is starting to get "real hard" to implement... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Thu May 9 16:49:24 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020509161936.02cc9cb8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020509161936.02cc9cb8@imap.ecs.soton.ac.uk> Message-ID: <66787044.1020962964@jemima.zanker.org> On 09 May 2002 16:20 +0100 Julian Field wrote: > You are running a version of SpamAssassin which is too old. Version 2.20 - the latest release version. > Are you really running MailScanner 3.13-2? It's actually 3.13-1 so the code should be the same. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From jkf at ecs.soton.ac.uk Thu May 9 16:54:52 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <66787044.1020962964@jemima.zanker.org> References: <5.1.0.14.2.20020509161936.02cc9cb8@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509161936.02cc9cb8@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020509165322.02cb7010@imap.ecs.soton.ac.uk> At 16:49 09/05/2002, you wrote: >On 09 May 2002 16:20 +0100 Julian Field wrote: > >>You are running a version of SpamAssassin which is too old. > >Version 2.20 - the latest release version. > >>Are you really running MailScanner 3.13-2? > >It's actually 3.13-1 so the code should be the same. Try inserting the patches manually (or by using "patch"), rather than using the files I attached. It's very possible Nick has changed something else in the CVS. Sounds like I need to do a new minor release very soon. There's a couple of things I want to add for people first (such as automatic spam deletion). -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Thu May 9 17:12:28 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:41 2006 Subject: "notify recipient" vs "deliver to recipient"? Message-ID: Julian, I presently have the following settings in my mailscanner.conf file: Deliver To Recipients = no Deliver From Local Domains = no Notify Senders = no Notify Local Postmaster = yes Postmaster Gets Full Headers = yes Deliver Disinfected Files = no Basically the users don't see anything if infected, just the postmaster. There is desire in my user community to have the recipient get notification, like the postmaster does, when a virus has been punted on their behalf. No delivery, just notification. This would be a good idea; it lets the users know that: a) the message they were looking for *was* sent, just not delivered because of infection, or b) mailscanner is on the job and doing good work for them (a plug for mailscanner). Can I do this now? Maybe next edition? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From LISTSERV at JISCMAIL.AC.UK Thu May 9 17:00:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: kevin.freels@WILDBRAIN.COM requested to join Message-ID: <200205091600.RAA18473@magpie.ecs.soton.ac.uk> Thu, 9 May 2002 17:00:47 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Kevin Freels You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kevin.freels@WILDBRAIN.COM Kevin Freels PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kevin.freels@WILDBRAIN.COM Kevin Freels // EOJ From LISTSERV at JISCMAIL.AC.UK Thu May 9 17:19:40 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:41 2006 Subject: MAILSCANNER: fcaen@CI.LAKEWOOD.WA.US requested to join Message-ID: <200205091619.RAA20695@magpie.ecs.soton.ac.uk> Thu, 9 May 2002 17:19:40 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Francois Caen The following membership options have been requested: CONCEAL. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER fcaen@CI.LAKEWOOD.WA.US Francois Caen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER fcaen@CI.LAKEWOOD.WA.US Francois Caen SET MAILSCANNER CONCEAL FOR fcaen@CI.LAKEWOOD.WA.US // EOJ From jkf at ecs.soton.ac.uk Thu May 9 17:53:34 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: "notify recipient" vs "deliver to recipient"? In-Reply-To: Message-ID: <5.1.0.14.2.20020509175018.02873958@imap.ecs.soton.ac.uk> At 17:12 09/05/2002, you wrote: > I presently have the following settings in my mailscanner.conf file: > >Deliver To Recipients = no >Deliver From Local Domains = no >Notify Senders = no >Notify Local Postmaster = yes >Postmaster Gets Full Headers = yes >Deliver Disinfected Files = no > >Basically the users don't see anything if infected, just the postmaster. >There is desire in my user community to have the recipient get notification, >like the postmaster does, when a virus has been punted on their behalf. >No delivery, just notification. This would be a good idea; it lets >the users know that: What about all the messages which just have things like an infected attachment? MailScanner will always endeavour to deliver as much of the message as it cleanly can (one of its advantages over products like Amavis). Not all infected mail is generated by worms. So I just recommend you set "Deliver To Recipients = yes". >a) the message they were looking for *was* sent, just not delivered > because of infection, or In the current code, they will know it was sent because they received all the uninfected parts of it, which is surely more use than just some notification that their incoming mail was thrown away on their behalf. >b) mailscanner is on the job and doing good work for them (a plug > for mailscanner). Current code achieves this already. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From brose at MED.WAYNE.EDU Thu May 9 17:58:21 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G - Warning postmaster@sender.com Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC934@med-core03.med.wayne.edu> So I guess the the virus writers have won. Machines will get infected and remain infected until the infected user's machine is struck by lightning. All I'm saying is that I'm doing my part at tracking down infected machines within my domain when I get a copy of a v-message, why shouldn't the masters of the other infected domains. I can't very well block the host addresses since the likelihood is that the addresses are dynamic. -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Thursday, May 09, 2002 11:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Klez-G - Warning postmaster@sender.com At 16:15 09/05/2002, you wrote: > I have to say, I'm siding with you on this one. It's not impossible to write the postmaster@sending-domain.com message system. But if people are going to turn it on and get MailScanner a bad name as a result, then I obviously don't want to write it. I want more people to be encouraged to use my software to help reduce the number of virus-infected PC's in the world, not piss off overworked sysadmins (of which I am one, if you want proof then take a look at http://www.ecs.soton.ac.uk/~jkf/myjob.html ). With the current Klez worm, and hence most of the worms that will follow it, it is currently probably 90% likely that the sender address is false. So 90% of the time you will target the wrong postmaster, which is Not A Good Thing (tm). I agree that up until now this was probably a useful feature, but its usefulness has just been destroyed at a stroke by Klez. >I would like to suggest a rate-limiting feature be introduced, so that >where warning messages are being returned to sender (or apparently >responsible postmaster, per original sender), only a certain number in >a given time period are generated. This will help with the present >operation of the software, and should some feature as is being >discussed be implemented, it would help to allay huge numbers of >reports being sent to postmasters and just maybe then they might do >something about it. But I think it a useful feature anyway. > >Or perhaps an aggregation of reports to a particular sender (or his >postmaster), so they only get one mail per fer hours or whatever is >appropriate. This is starting to get "real hard" to implement... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 9 18:08:33 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:41 2006 Subject: Klez-G - Warning postmaster@sender.com In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC934@med-core03.med.wayn e.edu> Message-ID: <5.1.0.14.2.20020509180743.04d8b600@imap.ecs.soton.ac.uk> At 17:58 09/05/2002, you wrote: >So I guess the the virus writers have won. Machines will get infected >and remain infected until the infected user's machine is struck by >lightning. Something like that, yes. >All I'm saying is that I'm doing my part at tracking down infected >machines within my domain when I get a copy of a v-message, why >shouldn't the masters of the other infected domains. And I've a nasty feeling at some point fairly soon you are likely to stop doing this as most of them will be false alarms. >-----Original Message----- >From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] >Sent: Thursday, May 09, 2002 11:33 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Klez-G - Warning postmaster@sender.com > > >At 16:15 09/05/2002, you wrote: > > > >I have to say, I'm siding with you on this one. It's not impossible to >write the postmaster@sending-domain.com message system. > >But if people are going to turn it on and get MailScanner a bad name as >a result, then I obviously don't want to write it. I want more people to >be encouraged to use my software to help reduce the number of >virus-infected PC's in the world, not piss off overworked sysadmins (of >which I am one, if you want proof then take a look at >http://www.ecs.soton.ac.uk/~jkf/myjob.html ). > >With the current Klez worm, and hence most of the worms that will follow >it, it is currently probably 90% likely that the sender address is >false. So 90% of the time you will target the wrong postmaster, which is >Not A Good Thing (tm). > >I agree that up until now this was probably a useful feature, but its >usefulness has just been destroyed at a stroke by Klez. > > >I would like to suggest a rate-limiting feature be introduced, so that > >where warning messages are being returned to sender (or apparently > >responsible postmaster, per original sender), only a certain number in > >a given time period are generated. This will help with the present > >operation of the software, and should some feature as is being > >discussed be implemented, it would help to allay huge numbers of > >reports being sent to postmasters and just maybe then they might do > >something about it. But I think it a useful feature anyway. > > > >Or perhaps an aggregation of reports to a particular sender (or his > >postmaster), so they only get one mail per fer hours or whatever is > >appropriate. > >This is starting to get "real hard" to implement... >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Thu May 9 18:03:40 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:41 2006 Subject: "notify recipient" vs "deliver to recipient"? In-Reply-To: <5.1.0.14.2.20020509175018.02873958@imap.ecs.soton.ac.uk> Message-ID: Julian, My other concern is privacy for the victim of the virus, in the case of the mass-mailing worms that grab files out of "My Documents" and send them on, infected. Even after cleaning, the attachment may have private information that the victim didn't want sent out. A notification to the recipient gives them a clue but doesn't divulge private information. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Thu, 9 May 2002, Julian Field wrote: > Date: Thu, 9 May 2002 17:53:34 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: "notify recipient" vs "deliver to recipient"? > > At 17:12 09/05/2002, you wrote: > > I presently have the following settings in my mailscanner.conf file: > > > >Deliver To Recipients = no > >Deliver From Local Domains = no > >Notify Senders = no > >Notify Local Postmaster = yes > >Postmaster Gets Full Headers = yes > >Deliver Disinfected Files = no > > > >Basically the users don't see anything if infected, just the postmaster. > >There is desire in my user community to have the recipient get notification, > >like the postmaster does, when a virus has been punted on their behalf. > >No delivery, just notification. This would be a good idea; it lets > >the users know that: > > What about all the messages which just have things like an infected > attachment? MailScanner will always endeavour to deliver as much of the > message as it cleanly can (one of its advantages over products like > Amavis). Not all infected mail is generated by worms. > > So I just recommend you set "Deliver To Recipients = yes". > > >a) the message they were looking for *was* sent, just not delivered > > because of infection, or > > In the current code, they will know it was sent because they received all > the uninfected parts of it, which is surely more use than just some > notification that their incoming mail was thrown away on their behalf. > > >b) mailscanner is on the job and doing good work for them (a plug > > for mailscanner). > > Current code achieves this already. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From aalsup at USDLA.COM Thu May 9 18:07:44 2002 From: aalsup at USDLA.COM (Andy Alsup) Date: Thu Jan 12 21:14:41 2006 Subject: TLS errors in maillog Message-ID: <008101c1f77c$1bd73aa0$0501a8c0@baflt> Does anyone know what this means from my maillog: Actually, I know what it means, but can anyone tell me how to fix it? May 9 09:56:17 www sendmail[12489]: TLS: file /etc/mail/certs/cert.pem unsafe: No such file or directory May 9 09:56:17 www sendmail[12489]: TLS: file /etc/mail/certs/key.pem unsafe: No such file or directory May 9 09:56:17 www sendmail[12489]: TLS: file /etc/mail/certs/cacert.pem unsafe: No such file or directory May 9 09:56:17 www sendmail[12489]: TLS: error: clt: 0 load verify locs /etc/mail/certs, /etc/mail/certs/cacert.pem Thanks. Absolutely love mailscanner (using with spamassassin). From evertjan at VANRAMSELAAR.NL Thu May 9 18:16:31 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:41 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020509162014.02a61b80@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- > From: Julian Field > Sent: Thursday, May 09, 2002 5:22 PM > >Full headers are: > > Return-Path: > > Well all I can say is that it worked for me, and I put the Return-Path: > header back exactly how I found it, flags and all. The "?" shouldn't be a > "?" in the first place, it should be a "$". That bit isn't > MailScanner's fault. Well it's not really a "?". When I receive the message and view it in Outlook, the character looks like a little square. (like [] but then in 1 character) When pasting it in a new message, it becomes a "?". Viewing the message source in vi, it shows up as: Full headers are: Return-Path: <~Ag> where ~A is one character. I'll attach the message in an off-list reply. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From gerry at dorfam.ca Thu May 9 18:32:08 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:41 2006 Subject: Removal of Embedded Images Message-ID: <65328.129.80.22.134.1020965528.squirrel@tiger.dorfam.ca> Lately all embedded images in emails have been replaced with a notice stating that it's been done for security reasons. I'm using the F-Prot virus engine. I'm assuming that F-Prot started doing this but I wouldn't put it past my ISP either. Am I correct? The only reservation that I've had with F-Prot is that they don't seem to provide any information about what their product updates are actually going to do. Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From jaearick at COLBY.EDU Thu May 9 19:44:01 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:41 2006 Subject: setup for Sophos autoupdate? Message-ID: Help... I can't figure out why autoupdate won't go (error: Could not calculate Sophos version number), and I wonder if I have my directories and executable placement correct. I have Sophos SAVI 3.57x installed. The directory/file structure for my /opt/sophos looks like: (91)> ls -CFR .: bin/ ide@ lib/ man/ sav/ src/ ./bin: autoupdate* icheckd* sweep* sophoswrapper* ./lib: libsavi.so.2@ libsavi.so.2.2.03.090* ./man: man1/ man5/ ./man/man1: icheckd.1 sweep.1 ./man/man5: icheckd.conf.5 ./sav: vdl-3.57x.dat vdl.dat@ The ide symlink points to the sav directory (I put it there, trying to get autoupdate to go). My reading of the Sophos docs say that the ide files in the updates need to end up in the same directory as the dat file (directory sav). What do I set the following code variables to? $SophosRoot = "/opt/sophos"; $IDELink = "/opt/sophos/ide"; $VDLDir = "../lib"; What is wrong? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From fizz at BOMB.NET Thu May 9 19:57:32 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:41 2006 Subject: setup for Sophos autoupdate? References: Message-ID: <000901c1f78b$60170240$48cf75cc@fizz> make a symbolic link in the lib dir like this ln -s vdl-3.57x.dat vdl-3.57.dat should solve your problem :) ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Thursday, May 09, 2002 2:44 PM Subject: setup for Sophos autoupdate? > Help... > > I can't figure out why autoupdate won't go (error: Could not calculate > Sophos version number), and I wonder if I have my directories and executable > placement correct. I have Sophos SAVI 3.57x installed. The directory/file > structure for my /opt/sophos looks like: > > (91)> ls -CFR > .: > bin/ ide@ lib/ man/ sav/ src/ > > ./bin: > autoupdate* icheckd* sweep* sophoswrapper* > > ./lib: > libsavi.so.2@ libsavi.so.2.2.03.090* > > ./man: > man1/ man5/ > > ./man/man1: > icheckd.1 sweep.1 > > ./man/man5: > icheckd.conf.5 > > ./sav: > vdl-3.57x.dat vdl.dat@ > > The ide symlink points to the sav directory (I put it there, trying to get > autoupdate to go). My reading of the Sophos docs say that the ide files > in the updates need to end up in the same directory as the dat file > (directory sav). What do I set the following code variables to? > > $SophosRoot = "/opt/sophos"; > $IDELink = "/opt/sophos/ide"; > $VDLDir = "../lib"; > > What is wrong? > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > -------------------------------------------------------------------------- -- > From tyler at BELOIT.EDU Thu May 9 20:11:19 2002 From: tyler at BELOIT.EDU (Tim Tyler) Date: Thu Jan 12 21:14:41 2006 Subject: AIX freezing??? Message-ID: <5.1.0.14.0.20020509140215.02970af0@beloit.edu> Mailscanner experts, We are running 2.6 of Mailscanner on AIX4.3.3 systems with Sophos. About every week or two one of our AIX systems will simply freeze up on us. We really don't know why. We can't seem to identify anything through any of the running logs. We have noticed prior to the freezing up that we occassionally notice a virus that has been rejected minutes before the freeze up. Basically, access to all commands (perhaps the hard drive or filesystems) becomes unaccessible and then eventually (perhaps a few minutes) the background processes die out and the whole system is frozen. The only thing to do is to reboot. I can't say that Mailscanner necessarily has anything to do with this, but was wondering if anyone else has had this experience? Its one of our top two processes on this system from what we can tell. Is there a logging facility for Mailscanner that we might enable? Can Mailscanner possibly result in some sort of DoS preventing access to filesystems? Any thoughts are much appreciated! Tim Tyler Network Engineer - Beloit College tyler@beloit.edu From mdchaney at MICHAELCHANEY.COM Thu May 9 22:09:52 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:41 2006 Subject: small config.pl change Message-ID: <20020509160952.A1103@michaelchaney.com> For config.pl: 358a359 > s/^\*\.//; # and a "*." at the beginning of line 360c361 < s/\s.*$//g; # Just use the first word --- > s/^([a-z0-9\-]+(?:\.[a-z0-9\-]+)+).*$/\1/i; # Just use the first domain When using Exim, it's common to have a local domain map file, with entries such as this: *.michaelchaney.com:michaelchaney.com So that if someone sends to mdchaney@mail.michaelchaney.com, I still get it. That file is also my only list of domain names, and I don't want to have to duplicate the data. The above minor changes to config.pl will strip off any leading "*.", and then grab only the first domain name on the line. The old code just cuts off the first space and everything after it; this code accomplishes the same thing in the opposite manner, which is to simply grab the first valid domain name on the line. However, this is far more generalized because it only looks for the first character which isn't valid in a domain name (actually, it also does some minor validation of the domain name, too). Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From mdchaney at MICHAELCHANEY.COM Thu May 9 22:14:53 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:41 2006 Subject: setup for Sophos autoupdate? In-Reply-To: ; from jaearick@COLBY.EDU on Thu, May 09, 2002 at 02:44:01PM -0400 References: Message-ID: <20020509161453.B1103@michaelchaney.com> On Thu, May 09, 2002 at 02:44:01PM -0400, Jeff A. Earickson wrote: > Help... > > I can't figure out why autoupdate won't go (error: Could not calculate > Sophos version number), and I wonder if I have my directories and executable > placement correct. I have Sophos SAVI 3.57x installed. The directory/file > structure for my /opt/sophos looks like: There's a minor bug in the auto-updater, here's the patch: 26c26 < next unless $vdlname =~ /^vdl-(\d+)\.(\d+)(n?)\.dat$/; --- > next unless $vdlname =~ /^vdl-(\d+)\.(\d+)([a-z]?)\.dat$/; Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From nwp at LEMON-COMPUTING.COM Thu May 9 22:30:41 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:41 2006 Subject: Reporting viruses (was: Klez-G) In-Reply-To: <5.1.0.14.2.20020509144149.02c943e8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020509102432.02bacf10@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509121905.02b9b628@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020509144149.02c943e8@imap.ecs.soton.ac.uk> Message-ID: <20020509213041.GN23130@hoiho.nz.lemon-computing.com> On Thu, May 09, 2002 at 02:42:38PM +0100, Julian Field wrote: > At 13:58 09/05/2002, you wrote: > >Let me suggest integrating mailscanner with a distributed intrusion > >detection > >system such as DShield or myNetWatchman. > > I'll promise to work on that between 11pm and 17pm :-) Actually the thing to do would be to mail all the spam complaints to the relevant addresses @abuse.net... but each user has to register for this service before use. Then you just mail to and it gets forwarded to the addresses they've identified as being appropriate. That's intended for spam. Not sure whether multiple thousands of incoming Klez from a domain count ;) Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Your lucky number has been disconnected. From jkf at ecs.soton.ac.uk Fri May 10 08:18:10 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: References: <5.1.0.14.2.20020509162014.02a61b80@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020510081726.02b93ee0@imap.ecs.soton.ac.uk> At 18:16 09/05/2002, you wrote: > > -----Original Message----- > > From: Julian Field > > Sent: Thursday, May 09, 2002 5:22 PM > > > >Full headers are: > > > Return-Path: > > > > Well all I can say is that it worked for me, and I put the Return-Path: > > header back exactly how I found it, flags and all. The "?" shouldn't be a > > "?" in the first place, it should be a "$". That bit isn't > > MailScanner's fault. > >Well it's not really a "?". When I receive the message and view it in >Outlook, the character looks like a little square. (like [] but then in 1 >character) When pasting it in a new message, it becomes a "?". > >Viewing the message source in vi, it shows up as: > >Full headers are: > Return-Path: <~Ag> > >where ~A is one character. What happens if you tell MailScanner to archive all the mail in a safe directory somewhere, then compare the qf file for this message with what gets delivered. I believe you will see the same 8-bit character. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri May 10 08:19:37 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Removal of Embedded Images In-Reply-To: <65328.129.80.22.134.1020965528.squirrel@tiger.dorfam.ca> Message-ID: <5.1.0.14.2.20020510081929.02bd2ef8@imap.ecs.soton.ac.uk> At 18:32 09/05/2002, you wrote: >Lately all embedded images in emails have been replaced with a notice >stating that it's been done for security reasons. >I'm using the F-Prot virus engine. I'm assuming that F-Prot started doing >this but I wouldn't put it past my ISP either. Am I correct? There's no reason for F-Prot to start doing this, but check your filename.rules.conf to see if images are allowed. Does the notice look like a MailScanner message? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri May 10 08:21:44 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: AIX freezing??? In-Reply-To: <5.1.0.14.0.20020509140215.02970af0@beloit.edu> Message-ID: <5.1.0.14.2.20020510082036.02c97d60@imap.ecs.soton.ac.uk> At 20:11 09/05/2002, you wrote: > Mailscanner experts, > >We are running 2.6 of Mailscanner on AIX4.3.3 systems with Sophos. About >every week or two one of our AIX systems will simply freeze up on us. We >really don't know why. We can't seem to identify anything through any of >the running logs. We have noticed prior to the freezing up that we >occassionally notice a virus that has been rejected minutes before the >freeze up. Basically, access to all commands (perhaps the hard drive or >filesystems) becomes unaccessible and then eventually (perhaps a few >minutes) the background processes die out and the whole system is >frozen. The only thing to do is to reboot. I can't say that Mailscanner >necessarily has anything to do with this, but was wondering if anyone else >has had this experience? Its one of our top two processes on this system >from what we can tell. Is there a logging facility for Mailscanner that we >might enable? Can Mailscanner possibly result in some sort of DoS >preventing access to filesystems? Any thoughts are much appreciated! Check your maillog for any reports of denial of service attacks (though MailScanner happily copes with them). Also, try reducing the "Restart Every" time in mailscanner.conf to a few hours. That will protect you against any Perl resource leaks. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri May 10 08:28:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: setup for Sophos autoupdate? In-Reply-To: <20020509161453.B1103@michaelchaney.com> References: Message-ID: <5.1.0.14.2.20020510082845.02c9dff0@imap.ecs.soton.ac.uk> This will be in the next minor release. At 22:14 09/05/2002, you wrote: >On Thu, May 09, 2002 at 02:44:01PM -0400, Jeff A. Earickson wrote: > > Help... > > > > I can't figure out why autoupdate won't go (error: Could not calculate > > Sophos version number), and I wonder if I have my directories and > executable > > placement correct. I have Sophos SAVI 3.57x installed. The directory/file > > structure for my /opt/sophos looks like: > >There's a minor bug in the auto-updater, here's the patch: > >26c26 >< next unless $vdlname =~ /^vdl-(\d+)\.(\d+)(n?)\.dat$/; >--- > > next unless $vdlname =~ /^vdl-(\d+)\.(\d+)([a-z]?)\.dat$/; > >Michael >-- >Michael Darrin Chaney >mdchaney@michaelchaney.com >http://www.michaelchaney.com/ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jethro.binks at STRATH.AC.UK Fri May 10 09:37:50 2002 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:14:42 2006 Subject: Klez-G - Warning postmaster@sender.com In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC934@med-core03.med.wayne.edu> Message-ID: <20020510092600.L603-100000@defjam.cc.strath.ac.uk> On Thu, 9 May 2002, Rose, Bobby wrote: [...] > All I'm saying is that I'm doing my part at tracking down infected > machines within my domain when I get a copy of a v-message, why > shouldn't the masters of the other infected domains. Because you can't guarantee any way of contacting them any more, as mentioned previously. > I can't very well block the host addresses since the likelihood is > that the addresses are dynamic. Don't accept mail from ISP dial-up pools then, as a first step. Although that probably doesn't help much, as if a mail relay configured in the email application it probably gets used. Nevertheless, it's a first step. As a second step, keep an eye out for persistent offenders (several infected messages per hour). If they continue, block all email from them. It's ruthless, and may block legitimate email, but it will reduce your incoming infected email if that is bothering or inconveniencing in some way. -- In an ideal world, all Internet Access Providers (be they ISPs, Universities, companies, etc) would do their part and virus-scan all their outgoing email. Universities in particular (and I speak only for the UK, but it probably applies elsewhere) are pretty good at this, being concerned with their image, having had Internet connections for longer than most of the masses, and generally knowing what "the right thing" is to do. However, it isn't an ideal world, IAPs can't be bothered with such time wasting trivialities and support burdens as virus software, and hence we're in the situation we're in. I'm afraid it is irresponsible IAPs who should shoulder the blame for the extensive virus outbreaks (along with the writers of course!). The blame arguably extends further to the authors of software that can be easily exploited to mass-mail people, but let's not get into that one here ... Sorry Julian, this is starting to get off-topic for the MailScanner software list. I've had my rants now I think :) Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From LISTSERV at JISCMAIL.AC.UK Fri May 10 10:00:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: gcrothers@SHELOB.NET left the JISCmail list Message-ID: <200205100900.KAA29854@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 10:00:47 Garry Crothers has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Fri May 10 10:25:18 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Klez-G - Warning postmaster@sender.com In-Reply-To: <20020510092600.L603-100000@defjam.cc.strath.ac.uk> References: <6D60AC042221344095A0EBBC56EEE79A4BC934@med-core03.med.wayne.edu> Message-ID: <5.1.0.14.2.20020510102409.02d2c360@imap.ecs.soton.ac.uk> At 09:37 10/05/2002, you wrote: >Don't accept mail from ISP dial-up pools then, as a first step. Although >that probably doesn't help much, as if a mail relay configured in the >email application it probably gets used. Nevertheless, it's a first step. The MAPS-RBL+ is a very easy way of achieving this. >Sorry Julian, this is starting to get off-topic for the MailScanner >software list. I've had my rants now I think :) :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Fri May 10 14:03:47 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:42 2006 Subject: still confused about autoupdate Message-ID: Julian, Autoupdate for sophos, straight out of the box plus Michael Chaney's bugfix of yesterday, still fails with: Could not calculate Sophos version number because my vdl file is in /opt/sophos/sav, not /opt/sophos/lib. So I change the line in the script from: $VDLDir = "../lib"; to $VDLDir = "../sav"; and run it and it works without complaint. I end up with the ide files in a directory /opt/sophos/357.200205100853 with a symlink /opt/sophos/ide pointing to this directory. This isn't right, because the ide files have to be in the same directory as the vdl file (/opt/sophos/sav). I can see that the configuration isn't right because if I do "/opt/sophos/bin/sophoswrapper -v" all I get back is the basic information blurb for SWEEP. If I copy the ide files to /opt/sophos/sav and rerun "sophoswrapper -v" then SWEEP gives me the list of all the ide files it loads. Either I am being dense about how to configure/deploy autoupdate, or it is not working like we think it is. What is going on here? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From jkf at ecs.soton.ac.uk Fri May 10 14:25:22 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: still confused about autoupdate In-Reply-To: Message-ID: <5.1.0.14.2.20020510142430.02cbee08@imap.ecs.soton.ac.uk> If you install Sophos with /opt/mailscanner/bin/Sophos.install, it should all work (apart from the extra letter that Sophos have just started putting on the end of the vdl filename, which was Michael Chaney's bugfix if I remember rightly). At 14:03 10/05/2002, you wrote: >Julian, > Autoupdate for sophos, straight out of the box plus Michael Chaney's >bugfix of yesterday, still fails with: > >Could not calculate Sophos version number > >because my vdl file is in /opt/sophos/sav, not /opt/sophos/lib. So I >change the line in the script from: > > $VDLDir = "../lib"; > >to > > $VDLDir = "../sav"; > >and run it and it works without complaint. I end up with the ide >files in a directory /opt/sophos/357.200205100853 with a symlink >/opt/sophos/ide pointing to this directory. This isn't right, because the >ide files have to be in the same directory as the vdl file (/opt/sophos/sav). >I can see that the configuration isn't right because if I do >"/opt/sophos/bin/sophoswrapper -v" all I get back is the basic information >blurb for SWEEP. > > If I copy the ide files to /opt/sophos/sav and rerun "sophoswrapper -v" >then SWEEP gives me the list of all the ide files it loads. Either I >am being dense about how to configure/deploy autoupdate, or it is not working >like we think it is. What is going on here? > >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Fri May 10 14:22:51 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:42 2006 Subject: still confused about autoupdate References: Message-ID: <001401c1f825$cb3c0030$48cf75cc@fizz> It sounds as if your didnt install sophos correctly with mailscanner. If you did there woulnt be a sav directory at all. Easiest thing to do would untar sophos into a directory, cd into that dir and type /opt/sophos/bin/Sophos.install ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Friday, May 10, 2002 9:03 AM Subject: still confused about autoupdate > Julian, > Autoupdate for sophos, straight out of the box plus Michael Chaney's > bugfix of yesterday, still fails with: > > Could not calculate Sophos version number > > because my vdl file is in /opt/sophos/sav, not /opt/sophos/lib. So I > change the line in the script from: > > $VDLDir = "../lib"; > > to > > $VDLDir = "../sav"; > > and run it and it works without complaint. I end up with the ide > files in a directory /opt/sophos/357.200205100853 with a symlink > /opt/sophos/ide pointing to this directory. This isn't right, because the > ide files have to be in the same directory as the vdl file (/opt/sophos/sav). > I can see that the configuration isn't right because if I do > "/opt/sophos/bin/sophoswrapper -v" all I get back is the basic information > blurb for SWEEP. > > If I copy the ide files to /opt/sophos/sav and rerun "sophoswrapper -v" > then SWEEP gives me the list of all the ide files it loads. Either I > am being dense about how to configure/deploy autoupdate, or it is not working > like we think it is. What is going on here? > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > -------------------------------------------------------------------------- -- > From gerry at dorfam.ca Fri May 10 14:58:44 2002 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:14:42 2006 Subject: Removal of Embedded Images In-Reply-To: <5.1.0.14.2.20020510081929.02bd2ef8@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020510081929.02bd2ef8@imap.ecs.soton.ac.uk> Message-ID: <10352.129.80.22.134.1021039124.squirrel@tiger.dorfam.ca> > At 18:32 09/05/2002, you wrote: >>Lately all embedded images in emails have been replaced with a notice >>stating that it's been done for security reasons. >>I'm using the F-Prot virus engine. I'm assuming that F-Prot started >>doing this but I wouldn't put it past my ISP either. Am I correct? > > There's no reason for F-Prot to start doing this, but check your > filename.rules.conf to see if images are allowed. Does the notice look > like a MailScanner message? > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ I finally tracked this down. It is being done by the latest release of SquirrelMail, a webmail server. This is an excellent package but I don't agree with this change. They didn't make it a feature...it's hard coded into their new release and I don't like it. I also didn't see it listed in their changelog? I thought maybe F-Prot was doing it! Gerry -- "The lyfe so short, the craft so long to learne" Chaucer From jaearick at COLBY.EDU Fri May 10 15:25:28 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:42 2006 Subject: still confused about autoupdate In-Reply-To: <5.1.0.14.2.20020510142430.02cbee08@imap.ecs.soton.ac.uk> Message-ID: > Date: Fri, 10 May 2002 14:25:22 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: still confused about autoupdate > > If you install Sophos with /opt/mailscanner/bin/Sophos.install, it should > all work (apart from the extra letter that Sophos have just started putting > on the end of the vdl filename, which was Michael Chaney's bugfix if I > remember rightly). > Aaarggh. Right you are. Everything works now. Thanks. - Jeff From jason at MED-WEB.COM Fri May 10 16:30:35 2002 From: jason at MED-WEB.COM (Jason Summers) Date: Thu Jan 12 21:14:42 2006 Subject: ->multipart/mixed patch (was Virus Klez.H and McAfee) References: <3CD98448.F1E1B25A@med-web.com> <3CD91F57.78CB4F56@bangor.ac.uk> <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> Message-ID: <3CDBE79B.7D1C49@med-web.com> Julian Field wrote: > > Try this: > ------------------------------------------------------------- > *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb 1 10:22:44 > 2002 > --- explode.pl Thu May 9 12:07:58 2002 > *************** > *** 301,310 **** > --- 301,315 ---- > Data => $Warning, > Encoding => 'quoted-printable', > Charset => 'us-ascii', > Top => 0; > $parent->parts(\@parts); > + > + # And make the parent a multipart/mixed if it's a multipart/alternative > + $parent->head->mime_attr("content-type" => "multipart/mixed") > + if ($parent->is_multipart) && > + ($parent->head->mime_attr("content-type") =~ > /multipart\/alternative/i); > } > > # Disinfect all the infected entities > sub Disinfect { > my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, > $Entity2File, $IsTNEF) = @_; > ------------------------------------------------------------- Thank you! Once that's done, it ought to be safe to change the Disposition of VirusWarning.txt to "inline". That will make email clients more likely to display the message automatically, without requiring the user to explicitly open an attachment. (Some people may not prefer that behavior, though.) At about line 301 of explode.pl, change: Disposition => 'attachment', to: Disposition => 'inline', -- Jason Summers From LISTSERV at JISCMAIL.AC.UK Fri May 10 16:24:15 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: k.joch@KMJEURO.COM requested to join Message-ID: <200205101524.QAA09456@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 16:24:15 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Karl Joch The following membership options have been requested: SUBJECTHDR. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER k.joch@KMJEURO.COM Karl Joch PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER k.joch@KMJEURO.COM Karl Joch SET MAILSCANNER SUBJECTHDR FOR k.joch@KMJEURO.COM // EOJ From LISTSERV at JISCMAIL.AC.UK Fri May 10 16:32:57 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: dmcferrin@TEA.STATE.TX.US left the JISCmail list Message-ID: <200205101532.QAA10356@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 16:32:57 Debie McFerrin has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Fri May 10 16:33:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: dmcferrin@TEA.STATE.TX.US requested to join Message-ID: <200205101533.QAA10405@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 16:33:16 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Debie McFerrin The following membership options have been requested: NOMIME DIGEST. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dmcferrin@TEA.STATE.TX.US Debie McFerrin PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dmcferrin@TEA.STATE.TX.US Debie McFerrin SET MAILSCANNER NOMIME DIGEST FOR dmcferrin@TEA.STATE.TX.US // EOJ From LISTSERV at JISCMAIL.AC.UK Fri May 10 18:08:39 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: jos@LEMMERLING.NET requested to join Message-ID: <200205101708.SAA20171@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 18:08:39 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jos Lemmerling You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jos@LEMMERLING.NET Jos Lemmerling PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jos@LEMMERLING.NET Jos Lemmerling // EOJ From ispmgr at CLAS.NET Fri May 10 18:59:21 2002 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:14:42 2006 Subject: Virus warning References: <1020800428.6095.6.camel@molehill.ccso> Message-ID: <05db01c1f84c$6a290280$813112d0@ISPMGR> Is there a way to modify the subject line for disinfected messages? Youn Gonzales System Administrator Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician Microsoft Certified Professional The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words. Philip K. Dick From wolfgang.lumpp at GMX.NET Fri May 10 19:09:57 2002 From: wolfgang.lumpp at GMX.NET (Wolfgang Lumpp) Date: Thu Jan 12 21:14:42 2006 Subject: Removal of Embedded Images In-Reply-To: <10352.129.80.22.134.1021039124.squirrel@tiger.dorfam.ca> References: <5.1.0.14.2.20020510081929.02bd2ef8@imap.ecs.soton.ac.uk> <10352.129.80.22.134.1021039124.squirrel@tiger.dorfam.ca> Message-ID: <1844.10.10.2.77.1021054197.squirrel@gateway.lumpp> > I finally tracked this down. It is being done by the latest release of > SquirrelMail, a webmail server. This is an excellent package but I > don't agree with this change. They didn't make it a feature...it's > hard coded into their new release and I don't like it. I also didn't > see it listed in their changelog? > Since few days I also work with squirrelmail. I was also surprised about the removed images. But I normaly delete the html-mails directly (mostly spam). So I saw this "problem" a little bit late ;-)Probably its the feature named "Increased security in html message" in the changelog. Let's see, if we can downgrade this.Nice feature :-( Regards Wolfgang -- www.lumpp.de From LISTSERV at JISCMAIL.AC.UK Fri May 10 20:28:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: thom@DARKSABER.COM requested to join Message-ID: <200205101928.UAA00652@magpie.ecs.soton.ac.uk> Fri, 10 May 2002 20:28:16 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Thom Paine You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER thom@DARKSABER.COM Thom Paine PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER thom@DARKSABER.COM Thom Paine // EOJ From jkf at ecs.soton.ac.uk Fri May 10 21:17:58 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Virus warning In-Reply-To: <05db01c1f84c$6a290280$813112d0@ISPMGR> References: <1020800428.6095.6.camel@molehill.ccso> Message-ID: <5.1.0.14.2.20020510211718.0290d1b0@imap.ecs.soton.ac.uk> At 18:59 10/05/2002, you wrote: >Is there a way to modify the subject line for disinfected messages? Not at the moment, no. Hardly anyone has asked for it (he says, opening the proverbial floodgates :-) >Youn Gonzales >System Administrator >Comptia A+, Network+, INET+, >Cisco CCNA/CCDA Certified Technician >Microsoft Certified Professional > >The basic tool for the manipulation of reality is the manipulation of words. >If you can control the meaning of words, you can control the people who must >use the words. Philip K. Dick -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jos at LEMMERLING.NET Fri May 10 21:24:36 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? Message-ID: Hello list, I'm trying to install Mailscanner on an Debian Stable server, and i cannot install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl 5.0 also (with all the broken dependecies, than)? It seems to be a problem with Debian; Perl could only be upgraded with a dist-upgrade(?).... I've read a post in the archive from Nick Phillips about the installation of MailScanner on a Debian Stable Box (installing libmime-perl and libio-stringy-perl), but i can't find out how to install Perl 5.6 . If it's needed, anyway... Tia -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From thom at DARKSABER.COM Fri May 10 21:45:47 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:42 2006 Subject: Signed Message Message-ID: <1021063547.1384.6.camel@service.darksaber.com> Is there a way to have mailscanner put a tagline on the message once it's scanned? It would be nice to have a confirmation on it. Thanks, -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Load : 0.35 0.11 0.03, AC on-line, no system battery From ispmgr at CLAS.NET Fri May 10 22:05:51 2002 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:14:42 2006 Subject: Virus warning References: <1020800428.6095.6.camel@molehill.ccso> <5.1.0.14.2.20020510211718.0290d1b0@imap.ecs.soton.ac.uk> Message-ID: <003e01c1f866$77d7f980$813112d0@ISPMGR> To be more accurate, the request would be that anytime a virus is found - i.e. disinfected attachment, deleted from body, etc - that the subject line be modified to begin with "{VIRUS?}" or something of that nature.. :-) Youn Gonzales System Administrator Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician Microsoft Certified Professional ----- Original Message ----- From: "Julian Field" To: Sent: Friday, May 10, 2002 3:17 PM Subject: Re: Virus warning > At 18:59 10/05/2002, you wrote: > >Is there a way to modify the subject line for disinfected messages? > > Not at the moment, no. Hardly anyone has asked for it (he says, opening the > proverbial floodgates :-) > From FCaen at CI.LAKEWOOD.WA.US Fri May 10 22:00:17 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:42 2006 Subject: Configuring SpamAssassin with Mailscanner Message-ID: Hey all, My first post on this list. Been using Mailscanner with F-Prot for a couple months and I love it. Decided to start killing some spam, so I'm now adding SpamAssassin. Does SA read the same conf files when called by MailScanner? For example, if I add "defang_mime 0" to /etc/mail/spamassassin/local.cf , will that setting be taken into account by SA? (Using RH7.2, sendmail-8.11.6-3, mailscanner-3.13-2, spamassassin 2.20 from CPAN) Thanks, Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From FCaen at CI.LAKEWOOD.WA.US Fri May 10 22:11:43 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:42 2006 Subject: Signed Message Message-ID: Thom, Aren't the "Mail Header" and "Sign Clean Messages" options doing what you want? ---------------------------------------------------------------------------------- Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 >>> thom@DARKSABER.COM 05/10/02 01:45PM >>> Is there a way to have mailscanner put a tagline on the message once it's scanned? It would be nice to have a confirmation on it. Thanks, -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Load : 0.35 0.11 0.03, AC on-line, no system battery From FCaen at CI.LAKEWOOD.WA.US Fri May 10 22:24:13 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:42 2006 Subject: Where do you RBL Message-ID: On my quest to kill spam, I am finding out that you can check an RBL at 3 levels: - MTA (Feature(dnsbl...) in Sendmail - Mailscanner - SpamAssassin Where do you check an RBL from? And why? I would think SpamAssassin is best because it adds up to the scoring system do you agree? Thanks, ---------------------------------------------------------------------------------- Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From mdchaney at MICHAELCHANEY.COM Fri May 10 22:57:38 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: ; from jos@LEMMERLING.NET on Fri, May 10, 2002 at 10:24:36PM +0200 References: Message-ID: <20020510165738.B9618@michaelchaney.com> On Fri, May 10, 2002 at 10:24:36PM +0200, Jos Lemmerling wrote: > Hello list, > > I'm trying to install Mailscanner on an Debian Stable server, and i cannot > install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl > 5.0 also (with all the broken dependecies, than)? > > It seems to be a problem with Debian; Perl could only be upgraded with a > dist-upgrade(?).... I've read a post in the archive from Nick Phillips > about the installation of MailScanner on a Debian Stable Box (installing > libmime-perl and libio-stringy-perl), but i can't find out how to install > Perl 5.6 . If it's needed, anyway... I'm running mailscanner on a FreeBSD box with Perl 5.005, and it seems to be doing great, catching viruses and catching spam, no problem. Should I upgrade to 5.6? Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From nwp at LEMON-COMPUTING.COM Fri May 10 22:50:38 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: References: Message-ID: <20020510215038.GV23130@hoiho.nz.lemon-computing.com> On Fri, May 10, 2002 at 10:24:36PM +0200, Jos Lemmerling wrote: > Hello list, > > I'm trying to install Mailscanner on an Debian Stable server, and i cannot > install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl > 5.0 also (with all the broken dependecies, than)? > > It seems to be a problem with Debian; Perl could only be upgraded with a > dist-upgrade(?).... I've read a post in the archive from Nick Phillips > about the installation of MailScanner on a Debian Stable Box (installing > libmime-perl and libio-stringy-perl), but i can't find out how to install > Perl 5.6 . If it's needed, anyway... Perl 5.6 definitely *not* wanted by mailscanner... you may need it for spamassassin, though. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Be security conscious -- National defense is at stake. From freerk at MINDSWITCH.NET Fri May 10 23:07:05 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:42 2006 Subject: Where do you RBL In-Reply-To: Message-ID: Hi, I do RBL elimination in Sendmail. The reason is that I want to eliminate spam as far as possible, not oly tagging it as spam. A lot of 'tagged' spam can be false positives, but mail from open relays can safely be eliminated. Normal users use SMTP servers from there ISP's which usually are closed. In spamassassin mail only get's tagged. Freerk -----Oorspronkelijk bericht----- Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens Francois Caen Verzonden: vrijdag 10 mei 2002 23:24 Aan: MAILSCANNER@JISCMAIL.AC.UK Onderwerp: Where do you RBL On my quest to kill spam, I am finding out that you can check an RBL at 3 levels: - MTA (Feature(dnsbl...) in Sendmail - Mailscanner - SpamAssassin Where do you check an RBL from? And why? I would think SpamAssassin is best because it adds up to the scoring system do you agree? Thanks, ---------------------------------------------------------------------------- ------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From freerk at MINDSWITCH.NET Fri May 10 23:10:32 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:42 2006 Subject: Virus statistics Message-ID: Hi, I'd like to keep track of the amount of virusmails I receive. Is there any addon for MailScanner to record virusmails in a database? Thanx, Freerk From FCaen at CI.LAKEWOOD.WA.US Fri May 10 23:18:33 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:42 2006 Subject: Virus statistics Message-ID: Hi, Mailscanner logs the viruses it finds in the maillog. You could count the occurences of "Found 1 viruses in messages" in the log (grep -c), or use MRTG as described in http://www.sng.ecs.soton.ac.uk/mailscanner/mrtg.shtml Or write your own script that parses the maillog and records the results into a DB. Does that answer your question? Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 >>> freerk@MINDSWITCH.NET 05/10/02 03:10PM >>> Hi, I'd like to keep track of the amount of virusmails I receive. Is there any addon for MailScanner to record virusmails in a database? Thanx, Freerk From nwp at LEMON-COMPUTING.COM Sat May 11 07:14:48 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: <20020510165738.B9618@michaelchaney.com> References: <20020510165738.B9618@michaelchaney.com> Message-ID: <20020511061448.GW23130@hoiho.nz.lemon-computing.com> On Fri, May 10, 2002 at 04:57:38PM -0500, Michael Chaney wrote: > I'm running mailscanner on a FreeBSD box with Perl 5.005, and it seems > to be doing great, catching viruses and catching spam, no problem. > Should I upgrade to 5.6? No. -- Nick Phillips -- nwp@lemon-computing.com Questionable day. Ask somebody something. From LISTSERV at JISCMAIL.AC.UK Sat May 11 01:04:03 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: davidnorman@NTLWORLD.COM requested to join Message-ID: <200205110004.BAA19949@magpie.ecs.soton.ac.uk> Sat, 11 May 2002 01:04:03 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from David Norman You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER davidnorman@NTLWORLD.COM David Norman PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER davidnorman@NTLWORLD.COM David Norman // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 11 08:37:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: email-ian@POST1.COM requested to join Message-ID: <200205110737.IAA10894@magpie.ecs.soton.ac.uk> Sat, 11 May 2002 08:37:16 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ian Ee You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER email-ian@POST1.COM Ian Ee PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER email-ian@POST1.COM Ian Ee // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 11 08:49:00 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: eejs@HAVENEDGE.NET left the JISCmail list Message-ID: <200205110749.IAA11447@magpie.ecs.soton.ac.uk> Sat, 11 May 2002 08:49:00 eejs@HAVENEDGE.NET has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Sat May 11 08:51:49 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: eejs2002@VERIZONMAIL.COM requested to join Message-ID: <200205110751.IAA11617@magpie.ecs.soton.ac.uk> Sat, 11 May 2002 08:51:49 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ian Ee You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER eejs2002@VERIZONMAIL.COM Ian Ee PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER eejs2002@VERIZONMAIL.COM Ian Ee // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 11 08:55:34 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: email-ian@POST1.COM requested to join Message-ID: <200205110755.IAA11912@magpie.ecs.soton.ac.uk> Sat, 11 May 2002 08:55:34 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ian Ee You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER email-ian@POST1.COM Ian Ee PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER email-ian@POST1.COM Ian Ee // EOJ From jkf at ecs.soton.ac.uk Sat May 11 09:27:58 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Configuring SpamAssassin with Mailscanner In-Reply-To: Message-ID: <5.1.0.14.2.20020511092500.03670ce0@imap.ecs.soton.ac.uk> At 22:00 10/05/2002, you wrote: >Does SA read the same conf files when called by MailScanner? For example, >if I add "defang_mime 0" to /etc/mail/spamassassin/local.cf , will that >setting be taken into account by SA? Yes, but as MailScanner doesn't use the version of the mail message produced by SA, this particular option will have no effect. However, adding things like "iskip_rbl_checks 1" to /.spamassassin/user_prefs is useful. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sat May 11 09:31:31 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Where do you RBL In-Reply-To: Message-ID: <5.1.0.14.2.20020511092844.036a74b8@imap.ecs.soton.ac.uk> At 22:24 10/05/2002, you wrote: >- MTA (Feature(dnsbl...) in Sendmail >- Mailscanner >- SpamAssassin > >Where do you check an RBL from? And why? I do it in MailScanner. Mail servers at some other academic institutions around the world aren't always very well configured, so blocking all mail from RBL'd servers in sendmail isn't practical as we would be blocking a few institutions who we do research with. But other than that I regard anything coming from an RBL'd server to be spam, so I don't bother with the SpamAssassin score but just tag it as spam anyway. But choosing between MailScanner and SpamAssassin is a fairly fine choice. There isn't hoestly much difference. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sat May 11 10:06:26 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Virus warning In-Reply-To: <003e01c1f866$77d7f980$813112d0@ISPMGR> References: <1020800428.6095.6.camel@molehill.ccso> <5.1.0.14.2.20020510211718.0290d1b0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020511100533.036b1df8@imap.ecs.soton.ac.uk> At 22:05 10/05/2002, you wrote: >To be more accurate, the request would be that anytime a virus is found - >i.e. disinfected attachment, deleted from body, etc - that the subject line >be modified to begin with "{VIRUS?}" or something of that nature.. Done. This will be in the next minor release (currently heading for 3.14). >----- Original Message ----- >From: "Julian Field" >To: >Sent: Friday, May 10, 2002 3:17 PM >Subject: Re: Virus warning > > > > At 18:59 10/05/2002, you wrote: > > >Is there a way to modify the subject line for disinfected messages? > > > > Not at the moment, no. Hardly anyone has asked for it (he says, opening >the > > proverbial floodgates :-) > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jos at LEMMERLING.NET Sat May 11 11:27:45 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: <20020510215038.GV23130@hoiho.nz.lemon-computing.com> Message-ID: On Sat, 11 May 2002, Nick Phillips wrote: > On Fri, May 10, 2002 at 10:24:36PM +0200, Jos Lemmerling wrote: > > Hello list, > > > > I'm trying to install Mailscanner on an Debian Stable server, and i cannot > > install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl > > 5.0 also (with all the broken dependecies, than)? > > Perl 5.6 definitely *not* wanted by mailscanner... you may need it for > spamassassin, though. ok, i wasn't going to use spamassasin anyway... perfect! I'll try to install the mailscanner.deb package today with the "--ignore-depends=" option. Thanks! -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From jos at LEMMERLING.NET Sat May 11 11:44:19 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore Message-ID: Hi all, First of all thank you for the quick reply on the perl 5.6-thing earlier. Not i still do have another small problem: On another Debian-box (testing/unstable) i have succesfully installed and configured MailScanner. The MTA is Exim and it's running from inet.d . Everything is working fine (as you may have seen in the header), except the messages generated by various cronjobs seem to disappear... A piece of /var/log/exim/mainlog: 2002-05-11 12:33:01 176UBR-0000i3-00 <= root@lemmerling.net U=root P=local S=725 2002-05-11 12:33:02 176UBR-0000i3-00 == jos@lemmerling.net D=defer_director defer (-1): forced defer: All deliveries are deferred 2002-05-11 12:33:02 176UBR-0000i3-00 ** jos@lemmerling.net: retry timeout exceeded 2002-05-11 12:33:02 176UBS-0000i7-00 <= <> R=176UBR-0000i3-00 U=mail P=local S=1549 2002-05-11 12:33:02 176UBS-0000i7-00 == root@lemmerling.net D=defer_director defer (-1): forced defer: All deliveries are deferred 2002-05-11 12:33:02 176UBS-0000i7-00 ** root@lemmerling.net: retry timeout exceeded 2002-05-11 12:33:02 176UBS-0000i7-00 root@lemmerling.net: error ignored 2002-05-11 12:33:02 176UBS-0000i7-00 Completed 2002-05-11 12:33:02 176UBR-0000i3-00 Error message sent to root@lemmerling.net 2002-05-11 12:33:02 176UBR-0000i3-00 Completed Mail for root is aliased to the user jos and i don't get any messages from it (the error-message seem to disappear also). PS. it worked before i installed/configured mailscanner TIA -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From rajesh-shriram at GMX.NET Sun May 12 22:57:58 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail Message-ID: <20020512215758.GC676@debian> Hi, Through outgoing messaging are scanned by mailscanner. The messages which I receive using fetchmail from my pop3 accounts are not scanned by mailscanner. What am I doing wrong ? I have : rajesh@debian:~/tmp$ dpkg -l |grep mailscanner ii mailscanner 3.13.2-2 An email virus scanner and spam tagger. rajesh@debian:~/tmp$ rajesh@debian:~/tmp$ dpkg -l |grep sendmail ii sendmail 8.12.3-4 A powerful, efficient, and scalable Mail Tra ii sendmail-doc 8.12.3-4 A powerful, efficient, and scalable Mail Tra rajesh@debian:~/tmp$ Thanks in advance. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Just don't compare it with a real language, or you'll be unhappy... :-) -- Larry Wall in <1992May12.190238.5667@netlabs.com> From jos at LEMMERLING.NET Sat May 11 19:24:38 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020512215758.GC676@debian> Message-ID: On Sun, 12 May 2002, Rajesh Fowkar wrote: > Hi, > > Through outgoing messaging are scanned by mailscanner. The messages which I > receive using fetchmail from my pop3 accounts are not scanned by > mailscanner. What am I doing wrong ? You're probarly getting the mail with fetchmail with the same user as you're reading the email... You could try to get the email as another user (purely for fetchmail) and let procmail send it to you; the emails will go through exim and should be scanned then... I hope this is a good way of solving this problem, because i'm new to the mailscanner-program. (But i'm sure someone will correct me if i'm wrong...) HTH -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From jkf at ecs.soton.ac.uk Sat May 11 19:27:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020512215758.GC676@debian> Message-ID: <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> At 22:57 12/05/2002, you wrote: >Through outgoing messaging are scanned by mailscanner. The messages which I >receive using fetchmail from my pop3 accounts are not scanned by >mailscanner. What am I doing wrong ? I'm not a fetchmail user, but what you need to do is to configure fetchmail to talk SMTP to localhost to deliver the messages it picks up from your pop3 accounts (which I believe is its default behaviour anyway). Make sure that sendmail is running, and is in daemon mode (i.e. it is listening for connections on port 25). Something like "ps ax | grep sendmail" should tell you that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rajesh-shriram at GMX.NET Mon May 13 01:35:42 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> Message-ID: <20020513003541.GA683@debian> On 11/05/02 at 19:27 - Julian Field said in public: >At 22:57 12/05/2002, you wrote: >>Through outgoing messaging are scanned by mailscanner. The messages which I >>receive using fetchmail from my pop3 accounts are not scanned by >>mailscanner. What am I doing wrong ? > >I'm not a fetchmail user, but what you need to do is to configure fetchmail >to talk SMTP to localhost to deliver the messages it picks up from your >pop3 accounts (which I believe is its default behaviour anyway). I am using procmail too. Hence I have got the following in /etc/fetchmailrc mda "/usr/bin/procmail -d %s" > >Make sure that sendmail is running, and is in daemon mode (i.e. it is >listening for connections on port 25). Something like "ps ax | grep >sendmail" should tell you that. rajesh@debian:~/tmp$ ps ax |grep sendmail 299 ? S 0:00 sendmail: MTA: accepting connections 302 ? S 0:00 sendmail: MTA: Queue runner@00:10:00 for /var/spool/mqueue 698 pts/5 S 0:00 grep sendmail rajesh@debian:~/tmp$ What should I do so that incoming mail is scanned. I am using fetchmail/procmail to fetch and deliver mails and sendmail to send the mails. Thanks for the replies. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] If imprinted foil seal under cap is broken or missing when purchased, do not use. From nwp at LEMON-COMPUTING.COM Sun May 12 03:26:37 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020513003541.GA683@debian> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> Message-ID: <20020512022637.GA23130@hoiho.nz.lemon-computing.com> On Mon, May 13, 2002 at 12:35:42AM +0000, Rajesh Fowkar wrote: > I am using procmail too. Hence I have got the following in /etc/fetchmailrc > > mda "/usr/bin/procmail -d %s" Which means that *instead* of passing mail to port 25 for delivery, it passes it to procmail. So sendmail is not involved, and neither is mailscanner. IIRC. So just don't tell fetchmail to use procmail. By default it will pass it to port 25... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com This life is yours. Some of it was given to you; the rest, you made yourself. From rajesh-shriram at GMX.NET Mon May 13 16:13:23 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020512022637.GA23130@hoiho.nz.lemon-computing.com> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> Message-ID: <20020513151323.GA694@debian> On 12/05/02 at 14:26 - Nick Phillips said in public: >On Mon, May 13, 2002 at 12:35:42AM +0000, Rajesh Fowkar wrote: > >> I am using procmail too. Hence I have got the following in /etc/fetchmailrc >> >> mda "/usr/bin/procmail -d %s" > >Which means that *instead* of passing mail to port 25 for delivery, it passes >it to procmail. So sendmail is not involved, and neither is mailscanner. > >IIRC. > >So just don't tell fetchmail to use procmail. By default it will pass it >to port 25... Thanks. I will do that. So does that mean, If I want to scan incoming mails than I cannot use procmail for filtering the mail ? Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Let the people think they govern and they will be governed. -- William Penn, founder of Pennsylvania From nwp at LEMON-COMPUTING.COM Sun May 12 10:52:44 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020513151323.GA694@debian> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> Message-ID: <20020512095244.GC23130@hoiho.nz.lemon-computing.com> On Mon, May 13, 2002 at 03:13:23PM +0000, Rajesh Fowkar wrote: > Thanks. I will do that. > > So does that mean, If I want to scan incoming mails than I cannot use > procmail for filtering the mail ? How do you think people use procmail when they aren't using fetchmail? -- Nick Phillips -- nwp@lemon-computing.com Go to a movie tonight. Darkness becomes you. From LISTSERV at JISCMAIL.AC.UK Sun May 12 10:01:11 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: support@INVICTANET.CO.UK requested to join Message-ID: <200205120901.KAA16053@magpie.ecs.soton.ac.uk> Sun, 12 May 2002 10:01:11 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Martyn Routley You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER support@INVICTANET.CO.UK Martyn Routley PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER support@INVICTANET.CO.UK Martyn Routley // EOJ From jos at LEMMERLING.NET Sun May 12 12:44:12 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: scanning of messages received using fetchmail In-Reply-To: <20020512022637.GA23130@hoiho.nz.lemon-computing.com> Message-ID: On Sun, 12 May 2002, Nick Phillips wrote: > On Mon, May 13, 2002 at 12:35:42AM +0000, Rajesh Fowkar wrote: > > > I am using procmail too. Hence I have got the following in /etc/fetchmailrc > > > > mda "/usr/bin/procmail -d %s" > > Which means that *instead* of passing mail to port 25 for delivery, it passes > it to procmail. So sendmail is not involved, and neither is mailscanner. > > IIRC. > > So just don't tell fetchmail to use procmail. By default it will pass it > to port 25... wow... i've never known this... And sendmail passes it to procmail by default? (i know exim does) grtz -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From mike at 4frontmedia.net Sun May 12 13:36:50 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore In-Reply-To: Message-ID: <001901c1f9b1$b0c4ce20$0100000a@MIKES> We're also experiencing the same problem on a Red Hat box. We run multi-scanning with Sophos, Kaspersky & F-prot. If we have the auto updates all in either cron.hourly we get the Sophos response but not Kaspersky or F-Prot. If we place them all in the cron.quarter-hourly we get nothing. Even combinations of the above seem to produce non consistent e-mail notifications. Any ideas or fixes? Mike 4FrontMedia -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jos Lemmerling Sent: 11 May 2002 11:44 To: MAILSCANNER@JISCMAIL.AC.UK Subject: cronjob-results aren't emailed anymore Hi all, First of all thank you for the quick reply on the perl 5.6-thing earlier. Not i still do have another small problem: On another Debian-box (testing/unstable) i have succesfully installed and configured MailScanner. The MTA is Exim and it's running from inet.d . Everything is working fine (as you may have seen in the header), except the messages generated by various cronjobs seem to disappear... A piece of /var/log/exim/mainlog: 2002-05-11 12:33:01 176UBR-0000i3-00 <= root@lemmerling.net U=root P=local S=725 2002-05-11 12:33:02 176UBR-0000i3-00 == jos@lemmerling.net D=defer_director defer (-1): forced defer: All deliveries are deferred 2002-05-11 12:33:02 176UBR-0000i3-00 ** jos@lemmerling.net: retry timeout exceeded 2002-05-11 12:33:02 176UBS-0000i7-00 <= <> R=176UBR-0000i3-00 U=mail P=local S=1549 2002-05-11 12:33:02 176UBS-0000i7-00 == root@lemmerling.net D=defer_director defer (-1): forced defer: All deliveries are deferred 2002-05-11 12:33:02 176UBS-0000i7-00 ** root@lemmerling.net: retry timeout exceeded 2002-05-11 12:33:02 176UBS-0000i7-00 root@lemmerling.net: error ignored 2002-05-11 12:33:02 176UBS-0000i7-00 Completed 2002-05-11 12:33:02 176UBR-0000i3-00 Error message sent to root@lemmerling.net 2002-05-11 12:33:02 176UBR-0000i3-00 Completed Mail for root is aliased to the user jos and i don't get any messages from it (the error-message seem to disappear also). PS. it worked before i installed/configured mailscanner TIA -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. From LISTSERV at JISCMAIL.AC.UK Sun May 12 15:42:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: roberto@MEUPROVEDOR.COM.BR requested to join Message-ID: <200205121442.PAA29046@magpie.ecs.soton.ac.uk> Sun, 12 May 2002 15:42:45 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Roberto Campos You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER roberto@MEUPROVEDOR.COM.BR Roberto Campos PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER roberto@MEUPROVEDOR.COM.BR Roberto Campos // EOJ From jos at LEMMERLING.NET Sun May 12 19:15:14 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore In-Reply-To: <001901c1f9b1$b0c4ce20$0100000a@MIKES> Message-ID: On Sun, 12 May 2002, Mike Walker wrote: > We're also experiencing the same problem on a Red Hat box. > We run multi-scanning with Sophos, Kaspersky & F-prot. > If we have the auto updates all in either cron.hourly we get > the Sophos response but not Kaspersky or F-Prot. > If we place them all in the cron.quarter-hourly we get nothing. > Even combinations of the above seem to produce non consistent > e-mail notifications. the strange thing about this is the following: yesterday i had a cronjob running every minut (whole day long for testing) and i've got (only??) 2 emails about a message that couldn't be delivered. The rest just disapeared... For anybody's info i've included one of them: Date: Sat, 11 May 2002 23:56:02 +0200 From: Mail Delivery System To: root@lemmerling.net Subject: Mail delivery failed: returning message to sender This message was created automatically by mail delivery software (Exim). A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: jos@lemmerling.net forced defer: All deliveries are deferred: retry timeout exceeded ------ This is a copy of the message, including all the headers. ------ Return-path: Received: from root by orthanc with local (Exim 3.35 #1 (Debian)) id 176eqP-000377-00 for ; Sat, 11 May 2002 23:56:01 +0200 From: root@lemmerling.net (Cron Daemon) To: jos@lemmerling.net Subject: Cron ping -c1 192.168.1.205 X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: Message-Id: Date: Sat, 11 May 2002 23:56:01 +0200 PING 192.168.1.205 (192.168.1.205): 56 data bytes 64 bytes from 192.168.1.205: icmp_seq=0 ttl=255 time=0.4 ms --- 192.168.1.205 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.4/0.4/0.4 ms TIA -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From nwp at LEMON-COMPUTING.COM Sun May 12 23:32:39 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore In-Reply-To: References: <001901c1f9b1$b0c4ce20$0100000a@MIKES> Message-ID: <20020512223239.GG23130@hoiho.nz.lemon-computing.com> > the strange thing about this is the following: > yesterday i had a cronjob running every minut (whole day long for > testing) and i've got (only??) 2 emails about a message that couldn't be > delivered. The rest just disapeared... OK, I've finally put 2 & 2 together and worked out what's happening here. Basically, the retry timeouts for the "incoming" exim are never getting reset. Try running "exim_tidydb -t 0m /var/spool/exim.in retry" once a day from a cronjob. It's ugly, and I'll try to find a Better Way, but it should work for now. It appears that since I generally set up my system not to send me very much from cron anyway, that I wasn't (noticeably) suffering from this. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You can rent this space for only $5 a week. From nwp at LEMON-COMPUTING.COM Mon May 13 00:07:38 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore In-Reply-To: <20020512223239.GG23130@hoiho.nz.lemon-computing.com> References: <001901c1f9b1$b0c4ce20$0100000a@MIKES> <20020512223239.GG23130@hoiho.nz.lemon-computing.com> Message-ID: <20020512230738.GD5826@hoiho.nz.lemon-computing.com> On Mon, May 13, 2002 at 10:32:39AM +1200, Nick Phillips wrote: > It appears that since I generally set up my system not to send me very much > from cron anyway, that I wasn't (noticeably) suffering from this. Oh, and I set a *very* long retry timeout when I first started testing mailscanner. Which I'd forgotten was not the default. So in a couple of years' time it would have started to bite me. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Excellent day to have a rotten day. From LISTSERV at JISCMAIL.AC.UK Mon May 13 07:16:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: bparish@BIGFOOT.COM.AU requested to join Message-ID: <200205130616.HAA17674@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 07:16:31 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Brian Parish You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER bparish@BIGFOOT.COM.AU Brian Parish PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER bparish@BIGFOOT.COM.AU Brian Parish // EOJ From LISTSERV at JISCMAIL.AC.UK Mon May 13 07:53:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: cerda@AGROPOLIS.FR left the JISCmail list Message-ID: <200205130653.HAA23984@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 07:53:44 cerda@AGROPOLIS.FR has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Mon May 13 08:35:28 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: pinguin@CENTRUM.CZ requested to join Message-ID: <200205130735.IAA01255@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 08:35:28 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ales Lednej You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER pinguin@CENTRUM.CZ Ales Lednej PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER pinguin@CENTRUM.CZ Ales Lednej // EOJ From freerk at MINDSWITCH.NET Mon May 13 09:46:58 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:42 2006 Subject: Virus Klez.H and McAfee In-Reply-To: <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> Message-ID: Hi, I have applied the patch, but now Klez infected mails have two attachments: 1. Viruswarning 2. Plain text file with the JPG data in it. Freerk > -----Oorspronkelijk bericht----- > Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens > Julian Field > Verzonden: donderdag 9 mei 2002 13:07 > Aan: MAILSCANNER@JISCMAIL.AC.UK > Onderwerp: Re: Virus Klez.H and McAfee > > > At 10:22 09/05/2002, you wrote: > >At 21:02 08/05/2002, you wrote: > >>Martin Sapsed wrote: > >> > > >> > Freerk Kalsbeek wrote: > >> > > I've seen a similar problem here. > >> > > Klez is also detected in my setup with Sophos. I receive an HTML > >>formatted > >> > > email indicating that I can read details in the attachment > >>virusalert.txt, > >> > > but the attachment is not there. > >> > > >> > I had one this morning which was disinfected but all I see > (in Netscape > >> > Messenger) is a base64 encoded attachment. My guess is that > the original > >> > message uses slightly iffy MIME tags > >> > >>Correct. (the problem is a double boundary line) > >> > >> > and Julian's insertion of the warning doesn't quite work. > >> > >>Correct. (it doesn't handle multipart/alternative messages very well) > > Try this: > ------------------------------------------------------------- > *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb > 1 10:22:44 > 2002 > --- explode.pl Thu May 9 12:07:58 2002 > *************** > *** 301,310 **** > --- 301,315 ---- > Data => $Warning, > Encoding => 'quoted-printable', > Charset => 'us-ascii', > Top => 0; > $parent->parts(\@parts); > + > + # And make the parent a multipart/mixed if it's a > multipart/alternative > + $parent->head->mime_attr("content-type" => "multipart/mixed") > + if ($parent->is_multipart) && > + ($parent->head->mime_attr("content-type") =~ > /multipart\/alternative/i); > } > > # Disinfect all the infected entities > sub Disinfect { > my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, > $Entity2File, $IsTNEF) = @_; > ------------------------------------------------------------- > If you don't understand what to do with the text above, you are probably > best off not trying it! > ;-) > > >>The following recent threads are also about this exact same problem > >>(actually two separate, semi-related problems): > >> > >> * Malformed attachments from MailScanner? > >> * Klez Virus get Passed ! > >> * "Inline Text Warning" and "Stored Virus Message Report" > >> > >>And I'd still like to know if there's an easy way to change > >>"multipart/alternative" messages to "multipart/mixed" if MailScanner > >>adds a warning to them. > > > >That sounds like a good idea. I'll work on that. > > Done. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From jos at LEMMERLING.NET Mon May 13 10:20:47 2002 From: jos at LEMMERLING.NET (Jos Lemmerling) Date: Thu Jan 12 21:14:42 2006 Subject: cronjob-results aren't emailed anymore In-Reply-To: <20020512223239.GG23130@hoiho.nz.lemon-computing.com> Message-ID: On Mon, 13 May 2002, Nick Phillips wrote: > Basically, the retry timeouts for the "incoming" exim are never getting > reset. Try running "exim_tidydb -t 0m /var/spool/exim.in retry" once a > day from a cronjob. yes, it works now! > It's ugly, and I'll try to find a Better Way, but it should work for now. > > It appears that since I generally set up my system not to send me very much > from cron anyway, that I wasn't (noticeably) suffering from this. I used to get backup-results from it, so it scared me at first when i missed them... ;) But it seems to be ok now! Thanks -- Jos Lemmerling on Debian GNU/Linux jos(@)lemmerling(.net) From jkf at ecs.soton.ac.uk Mon May 13 10:54:01 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Virus Klez.H and McAfee In-Reply-To: References: <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020513105313.02412c28@imap.ecs.soton.ac.uk> At 09:46 13/05/2002, you wrote: >I have applied the patch, but now Klez infected mails have two attachments: >1. Viruswarning >2. Plain text file with the JPG data in it. The JPG data is harmless in this form. The real virus has been replaced with the VirusWarning. > > -----Oorspronkelijk bericht----- > > Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens > > Julian Field > > Verzonden: donderdag 9 mei 2002 13:07 > > Aan: MAILSCANNER@JISCMAIL.AC.UK > > Onderwerp: Re: Virus Klez.H and McAfee > > > > > > At 10:22 09/05/2002, you wrote: > > >At 21:02 08/05/2002, you wrote: > > >>Martin Sapsed wrote: > > >> > > > >> > Freerk Kalsbeek wrote: > > >> > > I've seen a similar problem here. > > >> > > Klez is also detected in my setup with Sophos. I receive an HTML > > >>formatted > > >> > > email indicating that I can read details in the attachment > > >>virusalert.txt, > > >> > > but the attachment is not there. > > >> > > > >> > I had one this morning which was disinfected but all I see > > (in Netscape > > >> > Messenger) is a base64 encoded attachment. My guess is that > > the original > > >> > message uses slightly iffy MIME tags > > >> > > >>Correct. (the problem is a double boundary line) > > >> > > >> > and Julian's insertion of the warning doesn't quite work. > > >> > > >>Correct. (it doesn't handle multipart/alternative messages very well) > > > > Try this: > > ------------------------------------------------------------- > > *** /usr/local/mailscanner/mailscanner/bin/explode.pl Fri Feb > > 1 10:22:44 > > 2002 > > --- explode.pl Thu May 9 12:07:58 2002 > > *************** > > *** 301,310 **** > > --- 301,315 ---- > > Data => $Warning, > > Encoding => 'quoted-printable', > > Charset => 'us-ascii', > > Top => 0; > > $parent->parts(\@parts); > > + > > + # And make the parent a multipart/mixed if it's a > > multipart/alternative > > + $parent->head->mime_attr("content-type" => "multipart/mixed") > > + if ($parent->is_multipart) && > > + ($parent->head->mime_attr("content-type") =~ > > /multipart\/alternative/i); > > } > > > > # Disinfect all the infected entities > > sub Disinfect { > > my($Reports, $Types, $Id2Entity, $File2Entity, $Entity2Parent, > > $Entity2File, $IsTNEF) = @_; > > ------------------------------------------------------------- > > If you don't understand what to do with the text above, you are probably > > best off not trying it! > > ;-) > > > > >>The following recent threads are also about this exact same problem > > >>(actually two separate, semi-related problems): > > >> > > >> * Malformed attachments from MailScanner? > > >> * Klez Virus get Passed ! > > >> * "Inline Text Warning" and "Stored Virus Message Report" > > >> > > >>And I'd still like to know if there's an easy way to change > > >>"multipart/alternative" messages to "multipart/mixed" if MailScanner > > >>adds a warning to them. > > > > > >That sounds like a good idea. I'll work on that. > > > > Done. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Mon May 13 11:12:39 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:42 2006 Subject: Virus Klez.H and McAfee In-Reply-To: References: <5.1.0.14.2.20020509120502.02c5b708@imap.ecs.soton.ac.uk> Message-ID: On Mon, 13 May 2002 10:46:58 +0200, you wrote: >I have applied the patch, but now Klez infected mails have two attachments: >1. Viruswarning >2. Plain text file with the JPG data in it. Because of >> + # And make the parent a multipart/mixed if it's a >> multipart/alternative >> + $parent->head->mime_attr("content-type" => "multipart/mixed") >> + if ($parent->is_multipart) && >> + ($parent->head->mime_attr("content-type") =~ >> /multipart\/alternative/i); you will see all attachments where outlook in the past only showed the one outlook selected by itself. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From thom at DARKSABER.COM Mon May 13 13:43:21 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:42 2006 Subject: Signed Message In-Reply-To: References: Message-ID: <1021293804.1423.5.camel@service.darksaber.com> Oh, I didn't see those. Is that in the mailscanner.conf file? Thanks, On Fri, 2002-05-10 at 17:11, Francois Caen wrote: > Thom, > > Aren't the "Mail Header" and "Sign Clean Messages" options doing what you want? > > -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Load : 0.00 0.20 0.18, AC on-line, no system battery From evertjan at VANRAMSELAAR.NL Mon May 13 14:51:38 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:42 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020510081726.02b93ee0@imap.ecs.soton.ac.uk> Message-ID: <001001c1fa85$4dc70ed0$65020a0a@galaxy> > -----Original Message----- > From: Julian Field > Sent: Friday, May 10, 2002 9:18 AM > What happens if you tell MailScanner to archive all the mail in a safe > directory somewhere, then compare the qf file for this message with what > gets delivered. I believe you will see the same 8-bit character. Hey, you are right about this! How strange. Even more because the message that is eventually sent to the recipient has a correct Return-Path header... -- Evert Jan van Ramselaar Van Ramselaar Info Tech From roberto at MEUPROVEDOR.COM.BR Mon May 13 14:52:43 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:14:42 2006 Subject: RES: Broken Return-Path: header (better solution!) In-Reply-To: <001001c1fa85$4dc70ed0$65020a0a@galaxy> Message-ID: Hi ALL, I've installed and configured Mail Scanner to run with McAfee and when it's starting it gives me this error message and exits: Not an ARRAY reference at /usr/local/MailScanner/bin/sweep.pl line 43 What am i doing wrong? I've been through the logs and FAQs and find nothing that could lead me to a solution. Any help? Thanks in advance. Roberto Campos From jkf at ecs.soton.ac.uk Mon May 13 15:08:10 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <001001c1fa85$4dc70ed0$65020a0a@galaxy> References: <5.1.0.14.2.20020510081726.02b93ee0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020513150640.02cdeda8@imap.ecs.soton.ac.uk> At 14:51 13/05/2002, you wrote: > > -----Original Message----- > > From: Julian Field > > Sent: Friday, May 10, 2002 9:18 AM > > > What happens if you tell MailScanner to archive all the mail in a safe > > directory somewhere, then compare the qf file for this message with what > > gets delivered. I believe you will see the same 8-bit character. > >Hey, you are right about this! How strange. Even more because the message >that is eventually sent to the recipient has a correct Return-Path header... Agreed that I can't do very much about this? I guess I could replace strange characters in the Return-Path with "$" signs... Worth it? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon May 13 14:53:57 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: mmabbas@LONGWOOD.LWC.EDU left the JISCmail list Message-ID: <200205131353.OAA09104@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 14:53:57 Mohamed Abbas has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Mon May 13 14:54:55 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: mmabbas@LONGWOOD.EDU requested to join Message-ID: <200205131354.OAA09280@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 14:54:55 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from "Mohamed M. Abbas" You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mmabbas@LONGWOOD.EDU Mohamed M. Abbas PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mmabbas@LONGWOOD.EDU Mohamed M. Abbas // EOJ From LISTSERV at JISCMAIL.AC.UK Mon May 13 14:55:23 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: cobalt@SPININHETWEB.NL requested to join Message-ID: <200205131355.OAA09376@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 14:55:23 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jelmer Jellema You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER cobalt@SPININHETWEB.NL Jelmer Jellema PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER cobalt@SPININHETWEB.NL Jelmer Jellema // EOJ From evertjan at VANRAMSELAAR.NL Mon May 13 15:17:44 2002 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:14:42 2006 Subject: Broken Return-Path: header (better solution!) In-Reply-To: <5.1.0.14.2.20020513150640.02cdeda8@imap.ecs.soton.ac.uk> Message-ID: <001101c1fa88$f3703d40$65020a0a@galaxy> > -----Original Message----- > From: Julian Field > Sent: Monday, May 13, 2002 4:08 PM > >Hey, you are right about this! How strange. Even more because the message > >that is eventually sent to the recipient has a correct > Return-Path header... > > Agreed that I can't do very much about this? Yeah, I am sorry for suspecting MailScanner... ;p > I guess I could replace > strange characters in the Return-Path with "$" signs... > Worth it? I guess it would be worth to give it a try. Still makes me wonder where that strange character slips in and why it does not show up in the email client header though. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From mmabbas at LONGWOOD.EDU Mon May 13 15:32:31 2002 From: mmabbas at LONGWOOD.EDU (Mohamed M. Abbas) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: <20020510215038.GV23130@hoiho.nz.lemon-computing.com> References: <20020510215038.GV23130@hoiho.nz.lemon-computing.com> Message-ID: <1021300360.1509.7.camel@localhost.localdomain> On Fri, 2002-05-10 at 17:50, Nick Phillips wrote: > On Fri, May 10, 2002 at 10:24:36PM +0200, Jos Lemmerling wrote: > > Hello list, > > > > I'm trying to install Mailscanner on an Debian Stable server, and i cannot > > install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl > > 5.0 also (with all the broken dependecies, than)? > > > > It seems to be a problem with Debian; Perl could only be upgraded with a > > dist-upgrade(?).... I've read a post in the archive from Nick Phillips > > about the installation of MailScanner on a Debian Stable Box (installing > > libmime-perl and libio-stringy-perl), but i can't find out how to install > > Perl 5.6 . If it's needed, anyway... > > Perl 5.6 definitely *not* wanted by mailscanner... you may need it for > spamassassin, though. > You seem to emphasize that Perl 5.6 is not wanted by mailscanner. Does Perl 5.6 slow things down for mailscanner? > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > Be security conscious -- National defense is at stake. > Mohamed M. Abbas mmabbas@longwood.edu From ispmgr at CLAS.NET Mon May 13 15:31:10 2002 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:14:42 2006 Subject: Virus warning References: <1020800428.6095.6.camel@molehill.ccso> <5.1.0.14.2.20020510211718.0290d1b0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020511100533.036b1df8@imap.ecs.soton.ac.uk> Message-ID: <002b01c1fa8a$d3cd1bf0$813112d0@ISPMGR> Thanks, Julian! :-) Youn Gonzales System Administrator Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician Microsoft Certified Professional The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words. Philip K. Dick ----- Original Message ----- From: "Julian Field" To: Sent: Saturday, May 11, 2002 4:06 AM Subject: Re: Virus warning > At 22:05 10/05/2002, you wrote: > >To be more accurate, the request would be that anytime a virus is found - > >i.e. disinfected attachment, deleted from body, etc - that the subject line > >be modified to begin with "{VIRUS?}" or something of that nature.. > > Done. This will be in the next minor release (currently heading for 3.14). > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Friday, May 10, 2002 3:17 PM > >Subject: Re: Virus warning > > > > > > > At 18:59 10/05/2002, you wrote: > > > >Is there a way to modify the subject line for disinfected messages? > > > > > > Not at the moment, no. Hardly anyone has asked for it (he says, opening > >the > > > proverbial floodgates :-) > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon May 13 16:30:41 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: support@IQUEST.UCSB.EDU requested to join Message-ID: <200205131530.QAA25776@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 16:30:41 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from iQUEST Admin You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER support@IQUEST.UCSB.EDU iQUEST Admin PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER support@IQUEST.UCSB.EDU iQUEST Admin // EOJ From jkf at ecs.soton.ac.uk Mon May 13 17:03:57 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:42 2006 Subject: perl 5.6 needed? In-Reply-To: <1021300360.1509.7.camel@localhost.localdomain> References: <20020510215038.GV23130@hoiho.nz.lemon-computing.com> <20020510215038.GV23130@hoiho.nz.lemon-computing.com> Message-ID: <5.1.0.14.2.20020513170325.068fc328@imap.ecs.soton.ac.uk> At 15:32 13/05/2002, you wrote: >On Fri, 2002-05-10 at 17:50, Nick Phillips wrote: > > On Fri, May 10, 2002 at 10:24:36PM +0200, Jos Lemmerling wrote: > > > Hello list, > > > > > > I'm trying to install Mailscanner on an Debian Stable server, and i > cannot > > > install Perl 5.6. Is Perl 5.6 really needed? Or can i use Perl > > > 5.0 also (with all the broken dependecies, than)? > > > > > > It seems to be a problem with Debian; Perl could only be upgraded with a > > > dist-upgrade(?).... I've read a post in the archive from Nick Phillips > > > about the installation of MailScanner on a Debian Stable Box (installing > > > libmime-perl and libio-stringy-perl), but i can't find out how to install > > > Perl 5.6 . If it's needed, anyway... > > > > Perl 5.6 definitely *not* wanted by mailscanner... you may need it for > > spamassassin, though. > > > >You seem to emphasize that Perl 5.6 is not wanted by mailscanner. Does >Perl 5.6 slow things down for mailscanner? No, just 5.6 (particularly 5.6.0) aren't the best products they have produced. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From support at IQUEST.UCSB.EDU Mon May 13 17:16:33 2002 From: support at IQUEST.UCSB.EDU (iQUEST Admin) Date: Thu Jan 12 21:14:42 2006 Subject: Mailscanner not scanning attatchments Message-ID: Hi, I just installed mailscanner from rpm on a RH7.2/sendmail 8.12 machine. I edited the filename.rules.conf to not allow .exe files... # my rule for not allowing .exe files deny \.exe$ Deny .exe files Executables are not allowed thru this server I restarted both sendmail and mailscanner but it still lets them thru. Virus scanning is on but I don't have sophos installed. (hmm that might be the problem????) if I do need some virus scanner to do this. I'd like to just use some freebie one. Is there anything else that I need to do???? Also this is the only thing i want mailscanner to do at this moment. Do I need virus scanning to be turned on to do this. thanx From butler at GLOBESERVER.COM Mon May 13 17:33:01 2002 From: butler at GLOBESERVER.COM (Philip L. Butler) Date: Thu Jan 12 21:14:42 2006 Subject: MailScanner hooks... Message-ID: Hi all, I am new to mailscanner and am very interested in it's use. One thing that I need to do for my application is to put in "hooks" so a script of mine is called before and another one after virus scanning, spamassasin, etc operations. The reason for this is for email logging and other processing that I do. Alternatively, is there a way that I can call mailscanner (not in daemon mode) to process emails one by one from my own scanning loop ?? I know that I can redefine the input/output queue and move a single message into the mailscanner input queue and read it from the output queue when finished. I want to make the minimal (i.e. none) mods to mailscanner so that it can be upgraded easily when Julian releases new versions. Thanks, Phil Butler From LISTSERV at JISCMAIL.AC.UK Mon May 13 17:49:04 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:42 2006 Subject: MAILSCANNER: michael@NSEC.DK requested to join Message-ID: <200205131649.RAA04770@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 17:49:04 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Michael Svendsen You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER michael@NSEC.DK Michael Svendsen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER michael@NSEC.DK Michael Svendsen // EOJ From jkf at ecs.soton.ac.uk Mon May 13 18:11:44 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: Message-ID: <5.1.0.14.2.20020513181108.029d7cc8@imap.ecs.soton.ac.uk> Have you read the comment at the top of that file which says that the 4 fields of each line should be separated by **TAB** characters and not just spaces? At 17:16 13/05/2002, you wrote: >Hi, > > I just installed mailscanner from rpm on a RH7.2/sendmail 8.12 machine. > >I edited the filename.rules.conf to not allow .exe files... > > ># my rule for not allowing .exe files >deny \.exe$ Deny .exe files Executables are not allowed thru >this server > > >I restarted both sendmail and mailscanner but it still lets them thru. >Virus scanning is on but I don't have sophos installed. (hmm that might be >the problem????) > >if I do need some virus scanner to do this. I'd like to just use some >freebie one. > >Is there anything else that I need to do???? > >Also this is the only thing i want mailscanner to do at this moment. Do I >need virus scanning to be turned on to do this. > >thanx -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon May 13 18:13:45 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: MailScanner hooks... In-Reply-To: Message-ID: <5.1.0.14.2.20020513181227.029950d0@imap.ecs.soton.ac.uk> At 17:33 13/05/2002, you wrote: >I am new to mailscanner and am very interested in it's use. One >thing that I need to do for my application is to put in "hooks" so a >script of mine is called before and another one after virus scanning, >spamassasin, etc operations. Take a look at the file "mailscanner" and you will see where it does all the virus scanning. You should be able to insert your code above and below that point. That file doesn't usually change much between versions so upgrading to my latest code release shouldn't be a big job. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From roberto at MEUPROVEDOR.COM.BR Mon May 13 18:56:27 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:14:43 2006 Subject: RES: MailScanner hooks... In-Reply-To: <5.1.0.14.2.20020513181227.029950d0@imap.ecs.soton.ac.uk> Message-ID: Hi, I did an upgrade for perl and it says the same: Not an ARRAY reference at /usr/local/MailScanner/bin/sweep.pl line 43. But i forgot something: I'm using m4 to configure my sendmail and the sendmail.cf that mailscanner installed probably has been overwritten by my configs from m4. What modifications i have to do to my m4 base file to correct it? Thanks. Roberto Campos ____________________________________________ Meu Provedor Tecnologias e Informatica Ltda. Rua Camerino, 128 Grs. 302 Centro - Rio de Janeiro - RJ - CEP 20080-010 Tel.: 55 21 25181011 (PABX/FAX) Telefone Movel - Celular: 55 21 91978284 > -----Mensagem original----- > De: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Em nome > de Julian Field > Enviada em: segunda-feira, 13 de maio de 2002 14:14 > Para: MAILSCANNER@JISCMAIL.AC.UK > Assunto: Re: MailScanner hooks... > > > At 17:33 13/05/2002, you wrote: > >I am new to mailscanner and am very interested in it's use. One > >thing that I need to do for my application is to put in "hooks" so a > >script of mine is called before and another one after virus scanning, > >spamassasin, etc operations. > > Take a look at the file "mailscanner" and you will see where it does all > the virus scanning. You should be able to insert your code above and below > that point. That file doesn't usually change much between versions so > upgrading to my latest code release shouldn't be a big job. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon May 13 19:38:36 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: RES: MailScanner hooks... In-Reply-To: References: <5.1.0.14.2.20020513181227.029950d0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020513193726.02a33b38@imap.ecs.soton.ac.uk> Have you applied any patches or modifications which are intended for a more recent version than you are running? Upgrade to the latest version completely (new version due out in the next 24/48 hours) and the problem should disappear. At 18:56 13/05/2002, you wrote: >Hi, > >I did an upgrade for perl and it says the same: > > Not an ARRAY reference at /usr/local/MailScanner/bin/sweep.pl line 43. > >But i forgot something: > >I'm using m4 to configure my sendmail and the sendmail.cf that mailscanner >installed probably has been overwritten by my configs from m4. > >What modifications i have to do to my m4 base file to correct it? > >Thanks. > >Roberto Campos >____________________________________________ >Meu Provedor Tecnologias e Informatica Ltda. >Rua Camerino, 128 Grs. 302 >Centro - Rio de Janeiro - RJ - CEP 20080-010 >Tel.: 55 21 25181011 (PABX/FAX) >Telefone Movel - Celular: 55 21 91978284 > > > > -----Mensagem original----- > > De: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Em nome > > de Julian Field > > Enviada em: segunda-feira, 13 de maio de 2002 14:14 > > Para: MAILSCANNER@JISCMAIL.AC.UK > > Assunto: Re: MailScanner hooks... > > > > > > At 17:33 13/05/2002, you wrote: > > >I am new to mailscanner and am very interested in it's use. One > > >thing that I need to do for my application is to put in "hooks" so a > > >script of mine is called before and another one after virus scanning, > > >spamassasin, etc operations. > > > > Take a look at the file "mailscanner" and you will see where it does all > > the virus scanning. You should be able to insert your code above and below > > that point. That file doesn't usually change much between versions so > > upgrading to my latest code release shouldn't be a big job. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From freerk at MINDSWITCH.NET Mon May 13 20:08:14 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:43 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: <20020515000316.GA563@debian> Message-ID: The solution is quit simple. Set the hostname of your machine to an existing hostname and all is fine. --> hostname host.ispdomain.com Sendmail will then use this hostname when sending email, so mail will be sent by postmaster@host.ispdomain.com which will be accepted by other mailhosts because it is a known domain. Hope this helps. Freerk -----Oorspronkelijk bericht----- Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens Rajesh Fowkar Verzonden: woensdag 15 mei 2002 2:03 Aan: MAILSCANNER@JISCMAIL.AC.UK Onderwerp: Re: scanning of messages received using fetchmail - followup On 12/05/02 at 21:52 - Nick Phillips said in public: >On Mon, May 13, 2002 at 03:13:23PM +0000, Rajesh Fowkar wrote: > >> Thanks. I will do that. >> >> So does that mean, If I want to scan incoming mails than I cannot use >> procmail for filtering the mail ? > >How do you think people use procmail when they aren't using fetchmail? Thanks Nick. Did all that. Now fetchmail hands over the mail to port 25 smtp than it is handed over to procmail after scanning. Everything works fine. Thanks a lot. However one problem. Whenever a virus is detected a mail is sent to the sender of the mail telling him that his machine is infected. But the mail is going as --------------------------------------------------------------------------- From: "MailScanner" Date: Tue, 14 May 2002 21:53:37 GMT To: Subject: Warning: E-mail viruses detected Our virus detector has just been triggered by a message you sent:- To: Subject: A very powful tool Date: Tue May 14 21:53:37 2002 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: /var/spool/mailscanner/incoming/g4ELq8pi000692/align.scr Infection: W32/Klez.H@mm --------------------------------------------------------------------------- As you can see, it is going as postmaster@debian.home ( here debian.home is a fictitous domain name on my home machine ). Due to this sendmail is not sending the mail to the actual sender but bounces back. --------------------------------------------------------------------------- Final-Recipient: RFC822; horacio@cerealesquemu.com.ar Action: failed Status: 5.5.2 Diagnostic-Code: SMTP; 501 ... Sender domain must exist Last-Attempt-Date: Tue, 14 May 2002 21:53:43 GMT --------------------------------------------------------------------------- What changes in configuration should I do to the mailscanner so that the from address domain is a valid domain. I don't seem to find the setting required for this. Can anybody help ? Thanks in advance. Sorry for the long mail. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Business will be either better or worse. -- Calvin Coolidge From LISTSERV at JISCMAIL.AC.UK Mon May 13 20:19:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: mailscanner@HOUSEOFCAEN.COM left the JISCmail list Message-ID: <200205131919.UAA17699@magpie.ecs.soton.ac.uk> Mon, 13 May 2002 20:19:09 Francois Caen has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From support at IQUEST.UCSB.EDU Mon May 13 20:32:52 2002 From: support at IQUEST.UCSB.EDU (Support) Date: Thu Jan 12 21:14:43 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: <5.1.0.14.2.20020513181108.029d7cc8@imap.ecs.soton.ac.uk> Message-ID: yes i believe Ive tabbed them. ill try not printing to the log or email and just the rule itself If that doesn't work, does anyone have another suggestion? Thanx, -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, May 13, 2002 10:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner not scanning attatchments Have you read the comment at the top of that file which says that the 4 fields of each line should be separated by **TAB** characters and not just spaces? At 17:16 13/05/2002, you wrote: >Hi, > > I just installed mailscanner from rpm on a RH7.2/sendmail 8.12 machine. > >I edited the filename.rules.conf to not allow .exe files... > > ># my rule for not allowing .exe files >deny \.exe$ Deny .exe files Executables are not allowed thru >this server > > >I restarted both sendmail and mailscanner but it still lets them thru. >Virus scanning is on but I don't have sophos installed. (hmm that might be >the problem????) > >if I do need some virus scanner to do this. I'd like to just use some >freebie one. > >Is there anything else that I need to do???? > >Also this is the only thing i want mailscanner to do at this moment. Do I >need virus scanning to be turned on to do this. > >thanx -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From bparish at BIGFOOT.COM.AU Tue May 14 00:11:50 2002 From: bparish at BIGFOOT.COM.AU (Brian Parish) Date: Thu Jan 12 21:14:43 2006 Subject: Clarification on use of Sophos Message-ID: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> I have just installed MailScanner, so this is a question which can probably be handled by saying RTFM. Anyway, can someone clarify for me the role that Sophos plays? I suspect that without it, MailScanner can be configured to strip attachments that seem to be executables, vbs etc., but not to recognise virus signatures within these attachments. Is that correct? i.e. Is MailScanner alone an effective virus/worm control mechanism if all suspect attachment types are stripped? TIA Brian From nwp at LEMON-COMPUTING.COM Tue May 14 02:23:49 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:43 2006 Subject: Clarification on use of Sophos In-Reply-To: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> References: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> Message-ID: <20020514012349.GK7232@hoiho.nz.lemon-computing.com> On Tue, May 14, 2002 at 09:11:50AM +1000, Brian Parish wrote: > I have just installed MailScanner, so this is a question which can > probably be handled by saying RTFM. Anyway, can someone clarify for me > the role that Sophos plays? I suspect that without it, MailScanner can > be configured to strip attachments that seem to be executables, vbs > etc., but not to recognise virus signatures within these attachments. > Is that correct? i.e. Is MailScanner alone an effective virus/worm > control mechanism if all suspect attachment types are stripped? It'll help, but you'd be better off with an anti-virus product of some description. Doesn't have to be Sophos... there are quite a few we support using now. I would mention, though, that if you (or anyone else) has had good experiences of an Open Source/Free AV system, I'd be interested to hear, with a view to adding support for it. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Of course you have a purpose -- to find a purpose. From miguelk at KONSULTEX.COM.BR Tue May 14 01:52:45 2002 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:14:43 2006 Subject: Clarification on use of Sophos References: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> Message-ID: <3CE05FDD.1010303@konsultex.com.br> Brian; As far as I know, MailScanner calls the virus scanning engine which you must have. Sophos is one of them. Another good one is f-prot which seems to have a very reasonable licensing price per server. Yesterday I ran across an open source scanner, not java based as is the other one (see www.openantivirus.org ). It's called "CALM" and shows real promise ( http://www.konarski.edu.pl/~zolw/clam.html ). It uses the open source virus definition database. Now, MailScanner does not work with it right now and the developer team would like volunteers to test free scanners to see if it's worth it to include them. A good, reliable scanner is very, very important. I'm sure you'll gets lots of mail to this question. I just wanted to take the chance to point out the news in open source scanners. Miguel Brian Parish wrote: >I have just installed MailScanner, so this is a question which can >probably be handled by saying RTFM. Anyway, can someone clarify for me >the role that Sophos plays? I suspect that without it, MailScanner can >be configured to strip attachments that seem to be executables, vbs >etc., but not to recognise virus signatures within these attachments. >Is that correct? i.e. Is MailScanner alone an effective virus/worm >control mechanism if all suspect attachment types are stripped? > >TIA >Brian > From nwp at LEMON-COMPUTING.COM Tue May 14 03:36:35 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:43 2006 Subject: Clarification on use of Sophos In-Reply-To: <3CE05FDD.1010303@konsultex.com.br> References: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> <3CE05FDD.1010303@konsultex.com.br> Message-ID: <20020514023635.GM7232@hoiho.nz.lemon-computing.com> On Mon, May 13, 2002 at 09:52:45PM -0300, Miguel Koren O'Brien de Lacy wrote: > Brian; > > As far as I know, MailScanner calls the virus scanning engine which you > must have. You can just set the scanner to "none"... > Yesterday I ran > across an open source scanner, not java based as is the other one (see > www.openantivirus.org ). It's called "CALM" and shows real promise ( > http://www.konarski.edu.pl/~zolw/clam.html > ). Heh. I saw someone shouting great things about being able to use this with Amavis to get a "COMPLETELY UNENCUMBERED" (yup, they shouted ;) email AV system. Then I saw someone had run a test of Clam on their stored virus-infected mail and it missed a few, uh, important ones - Magistr, for example. But do let us know when one of them actually works. > I'm sure you'll gets lots of mail to this question. I just wanted to > take the chance to point out the news in open source scanners. The real news will be when they're worth using. I'm looking forward to it, but not holding my breath. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Caution: Keep out of reach of children. From P.G.M.Peters at civ.utwente.nl Tue May 14 08:02:17 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:43 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: References: Message-ID: <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> On Mon, 13 May 2002 17:16:33 +0100, you wrote: >I edited the filename.rules.conf to not allow .exe files... Have you also edited the mailscanner.conf file to point to the correct file? Filename Rules = /opt/mailscanner/etc/filename.rules.conf >if I do need some virus scanner to do this. I'd like to just use some >freebie one. We are testing f-prot and it works as a charme. We stopped the test however because on the test machine we seemed to lose messages. We want to investigate that first. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Tue May 14 08:07:55 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:43 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: <20020515000316.GA563@debian> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> Message-ID: On Wed, 15 May 2002 00:03:16 +0000, you wrote: >As you can see, it is going as postmaster@debian.home ( here debian.home is >a fictitous domain name on my home machine ). Due to this sendmail is not >sending the mail to the actual sender but bounces back. Have you changed mailscanner.conf to show the correct postmaster address: # Set email address of who to notify about any infections found. # Should put your full domain name here too, # e.g. postmaster@your.domain.com Local Postmaster = postmaster@utwente.nl -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Tue May 14 08:27:13 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: Clarification on use of Sophos In-Reply-To: <1021331511.8931.9.camel@daw.clicknowconsulting.com.au> Message-ID: <5.1.0.14.2.20020514082536.02af6ad0@imap.ecs.soton.ac.uk> Without a scanning engine (set "Virus Scanner = none"), MailScanner will still happily block attachments containing any of the suspicious filenames contained in your ruleset ("filename.rules.conf") and will also tag spam as such. So it's still considerably better than nothing, even without a scanning engine. At 00:11 14/05/2002, you wrote: >I have just installed MailScanner, so this is a question which can >probably be handled by saying RTFM. Anyway, can someone clarify for me >the role that Sophos plays? I suspect that without it, MailScanner can >be configured to strip attachments that seem to be executables, vbs >etc., but not to recognise virus signatures within these attachments. >Is that correct? i.e. Is MailScanner alone an effective virus/worm >control mechanism if all suspect attachment types are stripped? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 10:36:15 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: ANNOUNCE: Version 3.14-1 released Message-ID: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> I've just released MailScanner Version 3.14. Changes for this version are: Features: - Implemented per-user and per-domain control of what to do with spam - Added "Subject:" line modification for viruses, same as for spam - SpamAssassin report now also includes names of successful tests Improvements: - Infected "multipart/alternative" messages are converted to "multipart/mixed" so that virus warning can always be seen. - Files which pass the filename rules are now logged - Added section about "exim_tidydb" command to Exim docs - File "domains.to.scan.conf" can now be a copy of Exim domain map file - Added ".scr" to supplied list of banned filename extensions - Added another FAQ (12) about settings for high-volume mail servers Fixes: - Fixed tainting bug in ClearOutQueue() - Made documentation stylesheet a local file - Fixed handling of "Return-Path:" header - Fixed case sensitivity bug in local domains file - Fixed bug in Sophos autoupdate to account for new "vdl" filename -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 14 12:04:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: Mikael.Olofsson@OSS.TELECA.SE requested to join Message-ID: <200205141104.MAA17141@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 12:04:45 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mikael Olofsson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER Mikael.Olofsson@OSS.TELECA.SE Mikael Olofsson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER Mikael.Olofsson@OSS.TELECA.SE Mikael Olofsson // EOJ From Declan.Grady at NUVOTEM.COM Tue May 14 12:26:50 2002 From: Declan.Grady at NUVOTEM.COM (Declan Grady) Date: Thu Jan 12 21:14:43 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, any info on the structure of the per-user and per-domain spam control file ? is it as simple as: # Filename : spam.actions.conf # Spam Control for use by mailscanner 3.14-1 # mydomain.com deliver user@mydomain.com delete me@mydomain.com delete user@anotherplace.com store * delete # end of spam.actions.conf or is there something else needed ? Thanks, Declan > > I've just released MailScanner Version 3.14. > > Changes for this version are: > > Features: > - Implemented per-user and per-domain control of what to do with spam > - Added "Subject:" line modification for viruses, same as for spam > - SpamAssassin report now also includes names of successful tests > From jkf at ecs.soton.ac.uk Tue May 14 12:29:47 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> It's documented near the top of http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml Basically you've got it right, but to over-ride the default "deliver" action you'll need a line *. delete and not just * delete Sorry about that, it's just how it got implemented... For messages with multiple recipients, deliver over-rides store, which in turn over-rides delete. So if any of the recipients match a "deliver" rule, the message will be delivered (to all the recipients). Failing that, if any of the recipients match a "store" rule, the message will be stored. Failing that, if all the recipients match "delete" rules, the message will be deleted. At 12:26 14/05/2002, you wrote: >Hi Julian, >any info on the structure of the per-user and per-domain spam control file ? > >is it as simple as: > ># Filename : spam.actions.conf ># Spam Control for use by mailscanner 3.14-1 ># >mydomain.com deliver >user@mydomain.com delete >me@mydomain.com delete >user@anotherplace.com store >* delete > ># end of spam.actions.conf > > >or is there something else needed ? > >Thanks, >Declan > > > > > I've just released MailScanner Version 3.14. > > > > Changes for this version are: > > > > Features: > > - Implemented per-user and per-domain control of what to do with spam > > - Added "Subject:" line modification for viruses, same as for spam > > - SpamAssassin report now also includes names of successful tests > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Tue May 14 12:43:55 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 Message-ID: <271915814.1021380235@mallard.open.ac.uk> It seems that MailScanner won't do any spam checking unless there is a "Accept Spam From" entry in the configuration file. I had commented out the example entry in the supplied configuration file and this seemed to work with 3.13 but not with 3.14. Uncommenting one of the example entries and restarting MailScanner gets it working again. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From fizz at BOMB.NET Tue May 14 13:27:12 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:43 2006 Subject: ANNOUNCE: Version 3.14-1 released References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> Message-ID: <004e01c1fb42$ac5e9ea0$48cf75cc@fizz> so would this be possible *. deliver paininasscustomer@domain.com delete ? :) thanks ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 14, 2002 7:29 AM Subject: Re: ANNOUNCE: Version 3.14-1 released > It's documented near the top of > http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml > > Basically you've got it right, but to over-ride the default "deliver" > action you'll need a line > *. delete > and not just > * delete > Sorry about that, it's just how it got implemented... > > For messages with multiple recipients, deliver over-rides store, which in > turn over-rides delete. So if any of the recipients match a "deliver" rule, > the message will be delivered (to all the recipients). Failing that, if any > of the recipients match a "store" rule, the message will be stored. Failing > that, if all the recipients match "delete" rules, the message will be deleted. > > At 12:26 14/05/2002, you wrote: > >Hi Julian, > >any info on the structure of the per-user and per-domain spam control file ? > > > >is it as simple as: > > > ># Filename : spam.actions.conf > ># Spam Control for use by mailscanner 3.14-1 > ># > >mydomain.com deliver > >user@mydomain.com delete > >me@mydomain.com delete > >user@anotherplace.com store > >* delete > > > ># end of spam.actions.conf > > > > > >or is there something else needed ? > > > >Thanks, > >Declan > > > > > > > > I've just released MailScanner Version 3.14. > > > > > > Changes for this version are: > > > > > > Features: > > > - Implemented per-user and per-domain control of what to do with spam > > > - Added "Subject:" line modification for viruses, same as for spam > > > - SpamAssassin report now also includes names of successful tests > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From Pablo.Iranzo at UV.ES Tue May 14 14:09:32 2002 From: Pablo.Iranzo at UV.ES (Pablo Iranzo G=?ISO-8859-1?Q?=F3mez?=) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 Message-ID: I've commented that line too (both lines containing beggining of IP's) and it detects spam and marks it, but it sent a while ago two messages that were supposed to be deleted (spam.actions.conf telling anything to that domain to be deleted if marked as spam) Regards From JVolckaert at BELLMEMORIAL.ORG Tue May 14 14:25:40 2002 From: JVolckaert at BELLMEMORIAL.ORG (Jeff Volckaert) Date: Thu Jan 12 21:14:43 2006 Subject: Can someone put [Mailscanner] in the list subjects? References: <271915814.1021380235@mallard.open.ac.uk> Message-ID: <3CE11054.1B96A4FD@BellMemorial.org> Hello Everybody, Would it be possible to get something like [Mailscanner] in the subject line of all the list messages? I subscribe to a number of mailing lists and would prefer to not have to start filtering them into individual boxes, but would like to see at a glance which list it's from. Thanks, Jeff BTW, I have to say that Mailscanner is great. I've been using it since the fall and it has been snagging virii left and right. It's been catching about 20-30 Klez/day right now. Keep up the good work. I use sophos both on the linux server & on my Win9x workstations. I have not had a virus report on the PC side since I installed Mailscanner (after the nimda farce). From fizz at BOMB.NET Tue May 14 14:38:51 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 References: <271915814.1021380235@mallard.open.ac.uk> Message-ID: <06f101c1fb4c$af4e38f0$48cf75cc@fizz> i reran a couple messages "previously" flaged as spam, and now they come through not marked... strange.. ----- Original Message ----- From: "Mike Zanker" To: Sent: Tuesday, May 14, 2002 7:43 AM Subject: Possible bug in 3.14-1 > It seems that MailScanner won't do any spam checking unless there is a > "Accept Spam From" entry in the configuration file. I had commented out > the example entry in the supplied configuration file and this seemed to > work with 3.13 but not with 3.14. Uncommenting one of the example > entries and restarting MailScanner gets it working again. > > Mike > -- > Mike Zanker > Northampton, UK > PGP Public Key: pgp@zanker.org > From jkf at ecs.soton.ac.uk Tue May 14 14:32:19 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 In-Reply-To: <271915814.1021380235@mallard.open.ac.uk> Message-ID: <5.1.0.14.2.20020514143021.02b90ce0@imap.ecs.soton.ac.uk> At 12:43 14/05/2002, you wrote: >It seems that MailScanner won't do any spam checking unless there is a >"Accept Spam From" entry in the configuration file. I had commented out >the example entry in the supplied configuration file and this seemed to >work with 3.13 but not with 3.14. Uncommenting one of the example >entries and restarting MailScanner gets it working again. I've just altered my config files in an attempt to reproduce this situation, and it works fine for me. Detected the message as having come from a "MAPS-RBL+" open relay. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 14:34:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 In-Reply-To: Message-ID: <5.1.0.14.2.20020514143224.02af1008@imap.ecs.soton.ac.uk> At 14:09 14/05/2002, you wrote: >I've commented that line too (both lines containing beggining of IP's) and >it detects spam and marks it, but it sent a while ago two messages that >were supposed to be deleted (spam.actions.conf telling anything to that >domain to be deleted if marked as spam) But as I explained, if the message has multiple recipients, it will still be delivered if *at least 1* of the recipients is set to have spam delivered. The message is only deleted if *all* the recipients are set to have spam deleted. This is done so that I don't have to split the message up into 1 for each recipient, which would add considerably more complexity to the code and increase the load on the server. Imagine what would happen if I blew out each message to 1 recipient per message on a mailing-list server! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 14:36:02 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <004e01c1fb42$ac5e9ea0$48cf75cc@fizz> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020514143431.02ad6230@imap.ecs.soton.ac.uk> At 13:27 14/05/2002, you wrote: >so would this be possible >*. deliver >paininasscustomer@domain.com delete >? >:) The default is to deliver, so if you remove the "*. deliver" line then only the domain.com line would match, resulting in spam deletion for those users. Bear in mind this is of course matched against the recipients, not the senders... >thanks > > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, May 14, 2002 7:29 AM >Subject: Re: ANNOUNCE: Version 3.14-1 released > > > > It's documented near the top of > > http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml > > > > Basically you've got it right, but to over-ride the default "deliver" > > action you'll need a line > > *. delete > > and not just > > * delete > > Sorry about that, it's just how it got implemented... > > > > For messages with multiple recipients, deliver over-rides store, which in > > turn over-rides delete. So if any of the recipients match a "deliver" >rule, > > the message will be delivered (to all the recipients). Failing that, if >any > > of the recipients match a "store" rule, the message will be stored. >Failing > > that, if all the recipients match "delete" rules, the message will be >deleted. > > > > At 12:26 14/05/2002, you wrote: > > >Hi Julian, > > >any info on the structure of the per-user and per-domain spam control >file ? > > > > > >is it as simple as: > > > > > ># Filename : spam.actions.conf > > ># Spam Control for use by mailscanner 3.14-1 > > ># > > >mydomain.com deliver > > >user@mydomain.com delete > > >me@mydomain.com delete > > >user@anotherplace.com store > > >* delete > > > > > ># end of spam.actions.conf > > > > > > > > >or is there something else needed ? > > > > > >Thanks, > > >Declan > > > > > > > > > > > I've just released MailScanner Version 3.14. > > > > > > > > Changes for this version are: > > > > > > > > Features: > > > > - Implemented per-user and per-domain control of what to do with >spam > > > > - Added "Subject:" line modification for viruses, same as for spam > > > > - SpamAssassin report now also includes names of successful tests > > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Tue May 14 14:50:06 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:43 2006 Subject: Can someone put [Mailscanner] in the list subjects? References: <271915814.1021380235@mallard.open.ac.uk> <3CE11054.1B96A4FD@BellMemorial.org> Message-ID: <000f01c1fb4e$419fff30$48cf75cc@fizz> Just make a filter based on "Who" the message is address "to" and move to folder thats what i do and it works great :) ----- Original Message ----- From: "Jeff Volckaert" To: Sent: Tuesday, May 14, 2002 9:25 AM Subject: Can someone put [Mailscanner] in the list subjects? > Hello Everybody, > > Would it be possible to get something like [Mailscanner] in the subject > line of all the list messages? I subscribe to a number of mailing lists > and would prefer to not have to start filtering them into individual > boxes, but would like to see at a glance which list it's from. > > Thanks, > Jeff > > BTW, I have to say that Mailscanner is great. I've been using it since > the fall and it has been snagging virii left and right. It's been > catching about 20-30 Klez/day right now. Keep up the good work. I use > sophos both on the linux server & on my Win9x workstations. I have not > had a virus report on the PC side since I installed Mailscanner (after the > nimda farce). > From dustin.baer at IHS.COM Tue May 14 14:56:36 2002 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:14:43 2006 Subject: Can someone put [Mailscanner] in the list subjects? References: <271915814.1021380235@mallard.open.ac.uk> <3CE11054.1B96A4FD@BellMemorial.org> <000f01c1fb4e$419fff30$48cf75cc@fizz> Message-ID: <3CE11794.8A723EE3@out-this.ihs.com> Jeff Volckaert wrote > > > Hello Everybody, > > > > I [...] would prefer to not have to start filtering them into individual > > boxes... Kelly Hamlin wrote: > > Just make a filter based on "Who" the message is address "to" and move to > folder thats what i do and it works great :) Good idea (I do it), except he doesn't want to do that. Dustin From LISTSERV at JISCMAIL.AC.UK Tue May 14 13:16:58 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: ibarram@CDCNA.COM requested to join Message-ID: <200205141216.NAA23795@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 13:16:58 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Michael Ibarra The following membership options have been requested: SHORTHDR CONCEAL. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ibarram@CDCNA.COM Michael Ibarra PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ibarram@CDCNA.COM Michael Ibarra SET MAILSCANNER SHORTHDR CONCEAL FOR ibarram@CDCNA.COM // EOJ From LISTSERV at JISCMAIL.AC.UK Tue May 14 14:06:39 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: e.van.der.meulen@AVONDEL.NL requested to join Message-ID: <200205141306.OAA28690@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 14:06:39 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Erik van der Meulen You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER e.van.der.meulen@AVONDEL.NL Erik van der Meulen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER e.van.der.meulen@AVONDEL.NL Erik van der Meulen // EOJ From LISTSERV at JISCMAIL.AC.UK Tue May 14 14:52:08 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: beau@BILLBEAU.NET requested to join Message-ID: <200205141352.OAA03707@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 14:52:08 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Bill Beauchemin You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER beau@BILLBEAU.NET Bill Beauchemin PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER beau@BILLBEAU.NET Bill Beauchemin // EOJ From David.Sullivan at BARNET.AC.UK Tue May 14 15:02:49 2002 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:14:43 2006 Subject: Can someone put [Mailscanner] in the list subjects? In-Reply-To: <3CE11054.1B96A4FD@BellMemorial.org> Message-ID: <3CE1274B.5186.2557665B@localhost> On 14 May 2002 at 9:25, Jeff Volckaert wrote: > Hello Everybody, > > Would it be possible to get something like [Mailscanner] in the subject > line of all the list messages? I subscribe to a number of mailing lists > and would prefer to not have to start filtering them into individual > boxes, but would like to see at a glance which list it's from. > Jiscmail lists can all be customised to do certain things on a per subscriber basis, one of which is to put the list name in the subject line: http://www.jiscmail.ac.uk/cgi-bin/wa.exe?SUBED1=mailscanner&A=1 Regards -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From Pablo.Iranzo at UV.ES Tue May 14 15:21:17 2002 From: Pablo.Iranzo at UV.ES (Pablo Iranzo G=?ISO-8859-1?Q?=F3mez?=) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 Message-ID: My situation is: I've my email redirected to an alias to send an sms to my mobile when it arrives, so: Email@server.com redirects to local account \user, and to remote account User.Mobile@server2.com, where server2 is the server in which I run mailscanner. User.Mobile@server2.com is an alias that expands to mobnumber@mobileprovider.com and then mobileprovider sends an sms to me. So, afaik, only one address involved as to the second machine (the one with mailscanner) only arrives one message that gets expanded and then goes out of the machine. I think that no spam should arrive after this point as I've in spam.actions.conf: mobileprovider.com delete My other address: There could be also another possibility, that is to receive an email to user@server2.com (the one with mailscanner) that expands to \user, and user.mobile, that expands again to mobnumber@mobileprovider.com, but in this case, afaik (again ;)) it only involves one recipient. (but in the case that the expansion of aliases is done automatically it could mean two adresses: \user and mobnumber@mobileprovider.com in the same message). In this case I think that as the actions for mailscanner are just "delete, deliver or store", if the action is delete, just is needed to rewrite the header removing the not-to-spam email, if deliver, leave at is, and if store, then store it with no rewriting. Is this possible? (Thanks in advance) Best regards From beau at BILLBEAU.NET Tue May 14 15:18:13 2002 From: beau at BILLBEAU.NET (Bill Beauchemin) Date: Thu Jan 12 21:14:43 2006 Subject: major problems with MailScanner install Message-ID: Im trying to install MailScanner on a Linux Mandrake 6.2 machine. I cannot use the current rpm file as it fails alot od dependancies. I am trying to use the tar file. When I do a check_mailscanner I get this output. Starting virus scanner... Can't locate stdarg.ph in @INC (did you run h2ph?) (@INC contains: /opt/mailscanner/bin /usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386-linux /usr/lib/perl5/site_perl/5.005 .) at /usr/lib/perl5/5.00503/i386-linux/sys/syslog.ph line 7. BEGIN failed--compilation aborted at /opt/mailscanner/bin/logger.pl line 36. If I use the check_mailscanner.linux I get this output everytime. Starting virus scanner... Virus scanning report - 14. May 2002 7:18 F-PROT 3.12 SIGN.DEF created 18. March 2002 SIGN2.DEF created 18. March 2002 MACRO.DEF created 15. March 2002 Search: /opt/mailscanner/etc/mailscanner.conf Action: Report only Files: Attempt to identify files Switches: Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 1 Time: 0:00 No viruses or suspicious files/boot sectors were found. If I run this command again it should show a pid of the running virus scanner but does not which leads nme to believe the scanner is not running. Im using f-prot. I made sure I changed the virus scanner in the mailscanner.conf file to f-prot. If I perform a ps -aux | grep sendmail I get accepting q15m So i think I configured sendmail correctly. It does put incomming messages in the mqueue.in directory but doesnt seem to scan them and move them into the mqueue directory. HELP From LISTSERV at JISCMAIL.AC.UK Tue May 14 15:39:17 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:43 2006 Subject: MAILSCANNER: kvue@WADSNET.COM requested to join Message-ID: <200205141439.PAA08635@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 15:39:17 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Kham Vue You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kvue@WADSNET.COM Kham Vue PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kvue@WADSNET.COM Kham Vue // EOJ From jkf at ecs.soton.ac.uk Tue May 14 15:38:22 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: Possible bug in 3.14-1 In-Reply-To: Message-ID: <5.1.0.14.2.20020514153713.02cdfe78@imap.ecs.soton.ac.uk> At 15:21 14/05/2002, you wrote: >My situation is: >I've my email redirected to an alias to send an sms to my mobile when it >arrives, so: > >Email@server.com redirects to local account \user, and to remote account >User.Mobile@server2.com, where server2 is the server in which I run >mailscanner. User.Mobile@server2.com is an alias that expands to >mobnumber@mobileprovider.com and then mobileprovider sends an sms to me. So the recipient when the message hits the MailScanner is "User.Mobile@server2.com" and not "mobileprovider.com" as the alias is expanded on the delivery (outgoing) part of sendmail, not the incoming queueing. >So, afaik, only one address involved as to the second machine (the one with >mailscanner) only arrives one message that gets expanded and then goes out >of the machine. > >I think that no spam should arrive after this point as I've in >spam.actions.conf: > >mobileprovider.com delete > >My other address: > >There could be also another possibility, that is to receive an email to >user@server2.com (the one with mailscanner) that expands to \user, and >user.mobile, that expands again to mobnumber@mobileprovider.com, but in >this case, afaik (again ;)) it only involves one recipient. (but in the >case that the expansion of aliases is done automatically it could mean two >adresses: \user and mobnumber@mobileprovider.com in the same message). > >In this case I think that as the actions for mailscanner are just "delete, >deliver or store", if the action is delete, just is needed to rewrite the >header removing the not-to-spam email, if deliver, leave at is, and if >store, then store it with no rewriting. > >Is this possible? >(Thanks in advance) > >Best regards -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 15:40:26 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:43 2006 Subject: major problems with MailScanner install In-Reply-To: Message-ID: <5.1.0.14.2.20020514153914.02d04bc0@imap.ecs.soton.ac.uk> At 15:18 14/05/2002, you wrote: >Im trying to install MailScanner on a Linux Mandrake 6.2 machine. I cannot >use the current rpm file as it fails alot od dependancies. I am trying to >use the tar file. > >When I do a check_mailscanner I get this output. > >Starting virus scanner... >Can't locate stdarg.ph in @INC (did you run h2ph?) (@INC contains: >/opt/mailscanner/bin /usr/lib/perl5/5.00503/i386-linux >/usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386-linux >/usr/lib/perl5/site_perl/5.005 .) at >/usr/lib/perl5/5.00503/i386-linux/sys/syslog.ph line 7. >BEGIN failed--compilation aborted at /opt/mailscanner/bin/logger.pl line >36. Start by reading the docs for h2ph, as Perl can't find the perl versions of the header files it needs. Without this, MailScanner won't start at all. >If I use the check_mailscanner.linux I get this output everytime. > >Starting virus scanner... >Virus scanning report - 14. May 2002 7:18 > >F-PROT 3.12 >SIGN.DEF created 18. March 2002 >SIGN2.DEF created 18. March 2002 >MACRO.DEF created 15. March 2002 > >Search: /opt/mailscanner/etc/mailscanner.conf >Action: Report only >Files: Attempt to identify files >Switches: > > >Results of virus scanning: > >Files: 1 >MBRs: 0 >Boot sectors: 0 >Objects scanned: 1 > >Time: 0:00 > >No viruses or suspicious files/boot sectors were found. > >If I run this command again it should show a pid of the running virus >scanner but does not which leads nme to believe the scanner is not >running. Im using f-prot. I made sure I changed the virus scanner in the >mailscanner.conf file to f-prot. > >If I perform a ps -aux | grep sendmail I get > >accepting >q15m > >So i think I configured sendmail correctly. It does put incomming messages >in the mqueue.in directory but doesnt seem to scan them and move them into >the mqueue directory. > >HELP -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From roberto at MEUPROVEDOR.COM.BR Tue May 14 13:15:40 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:14:44 2006 Subject: RES: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> Message-ID: Hi again, One more question: Does the rpm from mailscanner alters my sendmail.cf in anyway? I ask this because i have a pretty good working m4 configuration for my sendmail and i keep altering it. I'm afraid that when changing anything the mailscanner stops working or worst starts going crazy. Thanks again. Roberto Campos ____________________________________________ Meu Provedor Tecnologias e Informatica Ltda. Rua Camerino, 128 Grs. 302 Centro - Rio de Janeiro - RJ - CEP 20080-010 Tel.: 55 21 25181011 (PABX/FAX) Telefone Movel - Celular: 55 21 91978284 > -----Mensagem original----- > De: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Em nome > de Julian Field > Enviada em: terca-feira, 14 de maio de 2002 08:30 > Para: MAILSCANNER@JISCMAIL.AC.UK > Assunto: Re: ANNOUNCE: Version 3.14-1 released > > > It's documented near the top of > http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml > > Basically you've got it right, but to over-ride the default "deliver" > action you'll need a line > *. delete > and not just > * delete > Sorry about that, it's just how it got implemented... > > For messages with multiple recipients, deliver over-rides store, which in > turn over-rides delete. So if any of the recipients match a > "deliver" rule, > the message will be delivered (to all the recipients). Failing > that, if any > of the recipients match a "store" rule, the message will be > stored. Failing > that, if all the recipients match "delete" rules, the message > will be deleted. > > At 12:26 14/05/2002, you wrote: > >Hi Julian, > >any info on the structure of the per-user and per-domain spam > control file ? > > > >is it as simple as: > > > ># Filename : spam.actions.conf > ># Spam Control for use by mailscanner 3.14-1 > ># > >mydomain.com deliver > >user@mydomain.com delete > >me@mydomain.com delete > >user@anotherplace.com store > >* delete > > > ># end of spam.actions.conf > > > > > >or is there something else needed ? > > > >Thanks, > >Declan > > > > > > > > I've just released MailScanner Version 3.14. > > > > > > Changes for this version are: > > > > > > Features: > > > - Implemented per-user and per-domain control of what to do > with spam > > > - Added "Subject:" line modification for viruses, same as for spam > > > - SpamAssassin report now also includes names of successful tests > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From roberto at MEUPROVEDOR.COM.BR Tue May 14 13:12:16 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:14:44 2006 Subject: RES: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> Message-ID: Hi, Thanks Julian. It's working now. I had to update three or four rpms to update my perl to 5.6.1 and i downloaded the new version today. Now it's working fine. Thanks. Roberto Campos ____________________________________________ Meu Provedor Tecnologias e Informatica Ltda. Rua Camerino, 128 Grs. 302 Centro - Rio de Janeiro - RJ - CEP 20080-010 Tel.: 55 21 25181011 (PABX/FAX) Telefone Movel - Celular: 55 21 91978284 > -----Mensagem original----- > De: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Em nome > de Julian Field > Enviada em: terca-feira, 14 de maio de 2002 08:30 > Para: MAILSCANNER@JISCMAIL.AC.UK > Assunto: Re: ANNOUNCE: Version 3.14-1 released > > > It's documented near the top of > http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml > > Basically you've got it right, but to over-ride the default "deliver" > action you'll need a line > *. delete > and not just > * delete > Sorry about that, it's just how it got implemented... > > For messages with multiple recipients, deliver over-rides store, which in > turn over-rides delete. So if any of the recipients match a > "deliver" rule, > the message will be delivered (to all the recipients). Failing > that, if any > of the recipients match a "store" rule, the message will be > stored. Failing > that, if all the recipients match "delete" rules, the message > will be deleted. > > At 12:26 14/05/2002, you wrote: > >Hi Julian, > >any info on the structure of the per-user and per-domain spam > control file ? > > > >is it as simple as: > > > ># Filename : spam.actions.conf > ># Spam Control for use by mailscanner 3.14-1 > ># > >mydomain.com deliver > >user@mydomain.com delete > >me@mydomain.com delete > >user@anotherplace.com store > >* delete > > > ># end of spam.actions.conf > > > > > >or is there something else needed ? > > > >Thanks, > >Declan > > > > > > > > I've just released MailScanner Version 3.14. > > > > > > Changes for this version are: > > > > > > Features: > > > - Implemented per-user and per-domain control of what to do > with spam > > > - Added "Subject:" line modification for viruses, same as for spam > > > - SpamAssassin report now also includes names of successful tests > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 14 15:43:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: office@COVE.COM left the JISCmail list Message-ID: <200205141443.PAA09120@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 15:43:31 Bill Ostaski has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Tue May 14 16:23:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: RES: ANNOUNCE: Version 3.14-1 released In-Reply-To: References: <5.1.0.14.2.20020514122648.02b33c48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020514162315.02ca1528@imap.ecs.soton.ac.uk> At 13:15 14/05/2002, you wrote: >Does the rpm from mailscanner alters my sendmail.cf in anyway? No. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 14 16:44:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: marcobano@YAHOO.COM left the JISCmail list Message-ID: <200205141544.QAA15658@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 16:44:53 Marco Bano has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From s-luppescu at UCHICAGO.EDU Tue May 14 17:11:45 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: <1021392705.16753.12.camel@musuko.uchicago.edu> On ?, 2002-05-14 at 04:36, Julian Field wrote: > I've just released MailScanner Version 3.14. > > Changes for this version are: > > Features: > - SpamAssassin report now also includes names of successful tests Is there something I have to do to turn this on? I just upgraded to 3.14, and this is all I'm getting in my mail header: X-MailScanner: Found to be clean X-MailScanner-SpamCheck: SpamAssassin (12 hits) -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR ???????? -=- Kernel 2.4.18-xfs-1.1 Random, n.: As in number, predictable. As in memory access, unpredictable. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020514/1aaa508d/attachment.bin From support at IQUEST.UCSB.EDU Tue May 14 17:01:20 2002 From: support at IQUEST.UCSB.EDU (Support) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> Message-ID: Hi, I edited the filename.rules.conf file and found out that it had some bad tabs in it. When I did that and sent an executable by email it worked!. But I did the same thing today, after no changes to the configuration, and it's not working again. where is the log for mailscanner again?? thanx, -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Peter Peters Sent: Tuesday, May 14, 2002 12:02 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner not scanning attatchments On Mon, 13 May 2002 17:16:33 +0100, you wrote: >I edited the filename.rules.conf to not allow .exe files... Have you also edited the mailscanner.conf file to point to the correct file? Filename Rules = /opt/mailscanner/etc/filename.rules.conf >if I do need some virus scanner to do this. I'd like to just use some >freebie one. We are testing f-prot and it works as a charme. We stopped the test however because on the test machine we seemed to lose messages. We want to investigate that first. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From LISTSERV at JISCMAIL.AC.UK Tue May 14 17:20:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: tristan@SUN.MARMOT.ORG requested to join Message-ID: <200205141620.RAA18852@magpie.ecs.soton.ac.uk> Tue, 14 May 2002 17:20:13 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Tristan Rhodes You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER tristan@SUN.MARMOT.ORG Tristan Rhodes PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER tristan@SUN.MARMOT.ORG Tristan Rhodes // EOJ From kvue at WADSNET.COM Tue May 14 17:11:30 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:44 2006 Subject: help installing on COBALT RAQ References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> <20020515202819.GA1791@debian> Message-ID: <044301c1fb62$ad3f5420$fe00010a@backup> I have a RAQ4i running RedHat Linux 6. I get the following error when starting the mailscanner: >>Starting MailScanner: /var/spool/mqueue.in and /var/spool/mqueue must be on the sa >> me filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. The problem is /var/spool/mqueue is a SL to /home/spool/mqueue are not on the same partition. How do I go about changing this in mailscanner?? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James ----- Original Message ----- From: "Rajesh Fowkar" To: Sent: Wednesday, May 15, 2002 4:28 PM Subject: Re: scanning of messages received using fetchmail - followup > On 14/05/02 at 09:07 - Peter Peters said in public: > >On Wed, 15 May 2002 00:03:16 +0000, you wrote: > > > >>As you can see, it is going as postmaster@debian.home ( here debian.home is > >>a fictitous domain name on my home machine ). Due to this sendmail is not > >>sending the mail to the actual sender but bounces back. > > > >Have you changed mailscanner.conf to show the correct postmaster > >address: > ># Set email address of who to notify about any infections found. > ># Should put your full domain name here too, > ># e.g. postmaster@your.domain.com > >Local Postmaster = postmaster@utwente.nl > > This part is OK in my mailscanner.conf. Since I am getting the mails sent > to postmaster@debian.home which is my local machine. I am sending mail > using isp's smarthost. > > My problem is when the mail is sent to the person who has sent the virus > infected mail. The mail is sent by postmaster@debian.home which is not sent > since debian.home is not a valid domain on the net. As a result the mail > which is sent to the person who has sent the virus mail is not delivered. > > If I change my local domain from debian.home to say goatelecom.com than > yes the mail will be sent as From : postmaster@goatelecom.com which will go > through. However any mail sent to goatelecom.com will be returned back > since I will be specifying goatelecom.com as the local domain :-). See that > also I cannot do. Somehow any way there to specify From : address as say > rajesh@goatelecom.com, since if that person replies to my mail than I will > receive his reply. > > Thanks for all the replies. Hope I am clear in putting across my problem. > > Peace > > > -- > Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ > Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] > I am covered with pure vegetable oil and I am writing a best seller! > > From jkf at ecs.soton.ac.uk Tue May 14 17:27:28 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <1021392705.16753.12.camel@musuko.uchicago.edu> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020514172642.0351bec0@imap.ecs.soton.ac.uk> At 17:11 14/05/2002, you wrote: >On $B2P(B, 2002-05-14 at 04:36, Julian Field wrote: > > I've just released MailScanner Version 3.14. > > > > Changes for this version are: > > > > Features: > > - SpamAssassin report now also includes names of successful tests > >Is there something I have to do to turn this on? I just upgraded to >3.14, and this is all I'm getting in my mail header: > >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: SpamAssassin (12 hits) In which case you aren't running the code you think you are running... >-- >Stuart Luppescu -=- s-luppescu@uchicago.edu >University of Chicago -=- CCSR >$B:MJ8$HCRF`H~$NIc(B -=- Kernel 2.4.18-xfs-1.1 >Random, n.: As in number, predictable. As in > memory access, unpredictable. > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 17:28:00 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: References: <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> Message-ID: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> At 17:01 14/05/2002, you wrote: > I edited the filename.rules.conf file and found out that it had some bad >tabs in it. When I did that and sent an executable by email it worked!. >But I did the same thing today, after no changes to the configuration, and >it's not working again. where is the log for mailscanner again?? In your syslog's maillog. >thanx, > > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Peter Peters >Sent: Tuesday, May 14, 2002 12:02 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner not scanning attatchments > > >On Mon, 13 May 2002 17:16:33 +0100, you wrote: > > >I edited the filename.rules.conf to not allow .exe files... > >Have you also edited the mailscanner.conf file to point to the correct >file? >Filename Rules = /opt/mailscanner/etc/filename.rules.conf > > >if I do need some virus scanner to do this. I'd like to just use some > >freebie one. > >We are testing f-prot and it works as a charme. We stopped the test >however because on the test machine we seemed to lose messages. We want >to investigate that first. > >-- >Peter Peters >senior netwerkbeheerder, Centrum voor Informatievoorziening, >Universiteit Twente, Postbus 217, 7500 AE Enschede >telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Tue May 14 17:32:41 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <1021392705.16753.12.camel@musuko.uchicago.edu> Message-ID: <000b01c1fb64$f7ee5e60$48cf75cc@fizz> did u restart after upgrade? =) ----- Original Message ----- From: "Stuart Luppescu" To: Sent: Tuesday, May 14, 2002 12:11 PM Subject: Re: ANNOUNCE: Version 3.14-1 released From jkf at ecs.soton.ac.uk Tue May 14 17:31:25 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: help installing on COBALT RAQ In-Reply-To: <044301c1fb62$ad3f5420$fe00010a@backup> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> <20020515202819.GA1791@debian> Message-ID: <5.1.0.14.2.20020514173032.035a1ea0@imap.ecs.soton.ac.uk> Do a search on google for "raqfaq" and you should find an installation guide written by the UK2Net RAQ community. It's to do with the odd filesystem layout that RAQs have. At 17:11 14/05/2002, you wrote: >I have a RAQ4i running RedHat Linux 6. > >I get the following error when starting the mailscanner: > >>Starting MailScanner: /var/spool/mqueue.in and /var/spool/mqueue > must be on the >sa > >> me filesystem/partition! at /usr/local/MailScanner/bin/logger.pl > line 60. > >The problem is /var/spool/mqueue is a SL to /home/spool/mqueue are not on >the same >partition. >How do I go about changing this in mailscanner?? > >-------------------------------------------------------------- >Kham Vue >Internet Admin >The City of Wadsworth >WADSNET.COM High Speed Internet Service >kvue@wadsnet.com > "Believe that life is worth living, and your belief will help create the > fact." > --William James > >----- Original Message ----- >From: "Rajesh Fowkar" >To: >Sent: Wednesday, May 15, 2002 4:28 PM >Subject: Re: scanning of messages received using fetchmail - followup > > > > On 14/05/02 at 09:07 - Peter Peters said in public: > > >On Wed, 15 May 2002 00:03:16 +0000, you wrote: > > > > > >>As you can see, it is going as postmaster@debian.home ( here > debian.home is > > >>a fictitous domain name on my home machine ). Due to this sendmail is not > > >>sending the mail to the actual sender but bounces back. > > > > > >Have you changed mailscanner.conf to show the correct postmaster > > >address: > > ># Set email address of who to notify about any infections found. > > ># Should put your full domain name here too, > > ># e.g. postmaster@your.domain.com > > >Local Postmaster = postmaster@utwente.nl > > > > This part is OK in my mailscanner.conf. Since I am getting the mails sent > > to postmaster@debian.home which is my local machine. I am sending mail > > using isp's smarthost. > > > > My problem is when the mail is sent to the person who has sent the virus > > infected mail. The mail is sent by postmaster@debian.home which is not sent > > since debian.home is not a valid domain on the net. As a result the mail > > which is sent to the person who has sent the virus mail is not delivered. > > > > If I change my local domain from debian.home to say goatelecom.com than > > yes the mail will be sent as From : postmaster@goatelecom.com which will go > > through. However any mail sent to goatelecom.com will be returned back > > since I will be specifying goatelecom.com as the local domain :-). See that > > also I cannot do. Somehow any way there to specify From : address as say > > rajesh@goatelecom.com, since if that person replies to my mail than I will > > receive his reply. > > > > Thanks for all the replies. Hope I am clear in putting across my problem. > > > > Peace > > > > > > -- > > Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ > > Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] > > I am covered with pure vegetable oil and I am writing a best seller! > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From s-luppescu at UCHICAGO.EDU Tue May 14 17:51:11 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020514172642.0351bec0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020514172642.0351bec0@imap.ecs.soton.ac.uk> Message-ID: <1021395071.16749.27.camel@musuko.uchicago.edu> On ?, 2002-05-14 at 11:27, Julian Field wrote: > At 17:11 14/05/2002, you wrote: > >On $B2P(B, 2002-05-14 at 04:36, Julian Field wrote: > > > I've just released MailScanner Version 3.14. > > > > > > Changes for this version are: > > > > > > Features: > > > - SpamAssassin report now also includes names of successful tests > > > >Is there something I have to do to turn this on? I just upgraded to > >3.14, and this is all I'm getting in my mail header: > > > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: SpamAssassin (12 hits) > > In which case you aren't running the code you think you are running... Sorry, my mistake (perhaps). When I did the upgrade using rpm, the instructions on the screen said to edit mailscanner.conf and then do service mailscanner start so I assumed that the upgrade had stopped the running mailscanner process. I guess the instructions apply to a new install only. -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR ???????? -=- Kernel 2.4.18-xfs-1.1 I don't want to live on in my work, I want to live on in my apartment. -- Woody Allen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020514/58fe090a/attachment.bin From support at IQUEST.UCSB.EDU Tue May 14 17:54:23 2002 From: support at IQUEST.UCSB.EDU (iQUEST Admin) Date: Thu Jan 12 21:14:44 2006 Subject: mailscanner can't find sophos. Message-ID: Hi, I installed mailscanner 3.14 w/ out sophos. But I have virus checking on and sophos as the virus scanner. every few minutes this comes up at the command line... /usr/local/Sophos/bin/sophoswrapper: /usr/local/Sophos/bin/sweep: No such file or directory /usr/local/Sophos/bin/sophoswrapper: exec: /usr/local/Sophos/bin/sweep: cannot execute: No such fil Now it's obvious what is going on here, but what I don't know is do you need virus checking on in order to check incoming/outgoing attatchments??? I really just want to restrict attatchments which insn't really 'virus scanning', unless it's the same under mailscanner. thanx From jkf at ecs.soton.ac.uk Tue May 14 18:00:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: mailscanner can't find sophos. In-Reply-To: Message-ID: <5.1.0.14.2.20020514175823.02a2f840@imap.ecs.soton.ac.uk> At 17:54 14/05/2002, you wrote: >I installed mailscanner 3.14 w/ out sophos. But I have virus checking on >and sophos as the virus scanner. > >every few minutes this comes up at the command line... > > /usr/local/Sophos/bin/sophoswrapper: /usr/local/Sophos/bin/sweep: No such >file or directory >/usr/local/Sophos/bin/sophoswrapper: exec: /usr/local/Sophos/bin/sweep: >cannot execute: No such fil > >Now it's obvious what is going on here, but what I don't know is do you >need virus checking on in order to check incoming/outgoing attatchments??? > >I really just want to restrict attatchments which insn't really 'virus >scanning', unless it's the same under mailscanner. You obviously need virus scanning switched on to scan attachments for viruses. But if you only want to check attachment filenames against the contents of filename.rules.conf, then you can set "Virus Scanner = none" which will stop it doing any actual virus scanning. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From m.sapsed at BANGOR.AC.UK Tue May 14 18:39:04 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:44 2006 Subject: Can someone put [Mailscanner] in the list subjects? References: <3CE1274B.5186.2557665B@localhost> Message-ID: <3CE14BB8.7A80BBAE@bangor.ac.uk> David Sullivan wrote: > On 14 May 2002 at 9:25, Jeff Volckaert wrote: > > Would it be possible to get something like [Mailscanner] in the subject > > line of all the list messages? I subscribe to a number of mailing lists > > and would prefer to not have to start filtering them into individual > > boxes, but would like to see at a glance which list it's from. > > Jiscmail lists can all be customised to do certain things on a per subscriber > basis, one of which is to put the list name in the subject line: > > http://www.jiscmail.ac.uk/cgi-bin/wa.exe?SUBED1=mailscanner&A=1 except that then we'll probably get some messages appearing with [Mailscanner] in and some without and any hope of sensible threading will go out of the window. I've seen it happen on other lists - you sometimes end up with subjects like Re: [listname] blah and [listname] Re: blah and sometimes [listname] Re: [listname} blah ! I vote for leaving it alone and using e.g. Sender: to filter messages to a folder like I do now (if we're having a vote that is!) Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From roberto at MEUPROVEDOR.COM.BR Tue May 14 18:45:32 2002 From: roberto at MEUPROVEDOR.COM.BR (Roberto Campos) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner and attatchments In-Reply-To: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> Message-ID: Hi, Is it possible to limit the size of the attatchments that a certain domain com receive? Or maybe for someone specific? Let's say i have a domain that wants to block every attatchments bigger then 1,5 mgs, but that manager wants to receive theirs (sic)... Thanks. Roberto Campos ____________________________________________ Meu Provedor Tecnologias e Informatica Ltda. Rua Camerino, 128 Grs. 302 Centro - Rio de Janeiro - RJ - CEP 20080-010 Tel.: 55 21 25181011 (PABX/FAX) Telefone Movel - Celular: 55 21 91978284 From jkf at ecs.soton.ac.uk Tue May 14 19:18:14 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: Can someone put [Mailscanner] in the list subjects? In-Reply-To: <3CE14BB8.7A80BBAE@bangor.ac.uk> References: <3CE1274B.5186.2557665B@localhost> Message-ID: <5.1.0.14.2.20020514191715.00ba6e40@imap.ecs.soton.ac.uk> At 18:39 14/05/2002, you wrote: >David Sullivan wrote: > > On 14 May 2002 at 9:25, Jeff Volckaert wrote: > > > Would it be possible to get something like [Mailscanner] in the subject > > > line of all the list messages? I subscribe to a number of mailing lists > > > and would prefer to not have to start filtering them into individual > > > boxes, but would like to see at a glance which list it's from. > > > > Jiscmail lists can all be customised to do certain things on a per > subscriber > > basis, one of which is to put the list name in the subject line: > > > > http://www.jiscmail.ac.uk/cgi-bin/wa.exe?SUBED1=mailscanner&A=1 > >except that then we'll probably get some messages appearing with >[Mailscanner] in and some without and any hope of sensible threading will >go out of the window. I've seen it happen on other lists - you sometimes >end up with subjects like > >Re: [listname] blah >and >[listname] Re: blah >and sometimes >[listname] Re: [listname} blah ! > >I vote for leaving it alone and using e.g. Sender: to filter messages to a >folder like I do now (if we're having a vote that is!) Seconded (and vetoed :-) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 14 19:19:22 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner and attatchments In-Reply-To: References: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020514191832.0360dda0@imap.ecs.soton.ac.uk> At 18:45 14/05/2002, you wrote: >Is it possible to limit the size of the attatchments that a certain >domain com receive? Or maybe for someone specific? >Let's say i have a domain that wants to block every attatchments >bigger then 1,5 mgs, but that manager wants to receive theirs (sic)... Not at the moment, no. You are the first person to ask for it. If I were you, I would put a global limit in your sendmail setup if I were you. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From scottadmin at QUADSIMIA.COM Tue May 14 20:52:36 2002 From: scottadmin at QUADSIMIA.COM (Scott Gregory) Date: Thu Jan 12 21:14:44 2006 Subject: Scan domain but not sub-domains Message-ID: How does one configure the .conf files to allow e-mails to be scanned for user@domain.com addresses but not for sub-domains like user@host1.domain.com, user@host2.domain.com addresses? From rajesh-shriram at GMX.NET Wed May 15 01:03:16 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:44 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: <20020512095244.GC23130@hoiho.nz.lemon-computing.com> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> Message-ID: <20020515000316.GA563@debian> On 12/05/02 at 21:52 - Nick Phillips said in public: >On Mon, May 13, 2002 at 03:13:23PM +0000, Rajesh Fowkar wrote: > >> Thanks. I will do that. >> >> So does that mean, If I want to scan incoming mails than I cannot use >> procmail for filtering the mail ? > >How do you think people use procmail when they aren't using fetchmail? Thanks Nick. Did all that. Now fetchmail hands over the mail to port 25 smtp than it is handed over to procmail after scanning. Everything works fine. Thanks a lot. However one problem. Whenever a virus is detected a mail is sent to the sender of the mail telling him that his machine is infected. But the mail is going as --------------------------------------------------------------------------- From: "MailScanner" Date: Tue, 14 May 2002 21:53:37 GMT To: Subject: Warning: E-mail viruses detected Our virus detector has just been triggered by a message you sent:- To: Subject: A very powful tool Date: Tue May 14 21:53:37 2002 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: /var/spool/mailscanner/incoming/g4ELq8pi000692/align.scr Infection: W32/Klez.H@mm --------------------------------------------------------------------------- As you can see, it is going as postmaster@debian.home ( here debian.home is a fictitous domain name on my home machine ). Due to this sendmail is not sending the mail to the actual sender but bounces back. --------------------------------------------------------------------------- Final-Recipient: RFC822; horacio@cerealesquemu.com.ar Action: failed Status: 5.5.2 Diagnostic-Code: SMTP; 501 ... Sender domain must exist Last-Attempt-Date: Tue, 14 May 2002 21:53:43 GMT --------------------------------------------------------------------------- What changes in configuration should I do to the mailscanner so that the from address domain is a valid domain. I don't seem to find the setting required for this. Can anybody help ? Thanks in advance. Sorry for the long mail. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Business will be either better or worse. -- Calvin Coolidge From rajesh-shriram at GMX.NET Wed May 15 01:54:04 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:44 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: References: <20020515000316.GA563@debian> Message-ID: <20020515005403.GA1348@debian> On 13/05/02 at 21:08 - Freerk Kalsbeek said in public: >The solution is quit simple. Set the hostname of your machine to an existing >hostname and all is fine. > >--> hostname host.ispdomain.com > >Sendmail will then use this hostname when sending email, so mail will be >sent by postmaster@host.ispdomain.com which will be accepted by other >mailhosts because it is a known domain. Thanks. I knew that. Just wanted to know if there is any configuration in mailscanner itself. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable. -- Gilb From rajesh-shriram at GMX.NET Wed May 15 21:28:19 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:44 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> Message-ID: <20020515202819.GA1791@debian> On 14/05/02 at 09:07 - Peter Peters said in public: >On Wed, 15 May 2002 00:03:16 +0000, you wrote: > >>As you can see, it is going as postmaster@debian.home ( here debian.home is >>a fictitous domain name on my home machine ). Due to this sendmail is not >>sending the mail to the actual sender but bounces back. > >Have you changed mailscanner.conf to show the correct postmaster >address: ># Set email address of who to notify about any infections found. ># Should put your full domain name here too, ># e.g. postmaster@your.domain.com >Local Postmaster = postmaster@utwente.nl This part is OK in my mailscanner.conf. Since I am getting the mails sent to postmaster@debian.home which is my local machine. I am sending mail using isp's smarthost. My problem is when the mail is sent to the person who has sent the virus infected mail. The mail is sent by postmaster@debian.home which is not sent since debian.home is not a valid domain on the net. As a result the mail which is sent to the person who has sent the virus mail is not delivered. If I change my local domain from debian.home to say goatelecom.com than yes the mail will be sent as From : postmaster@goatelecom.com which will go through. However any mail sent to goatelecom.com will be returned back since I will be specifying goatelecom.com as the local domain :-). See that also I cannot do. Somehow any way there to specify From : address as say rajesh@goatelecom.com, since if that person replies to my mail than I will receive his reply. Thanks for all the replies. Hope I am clear in putting across my problem. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] I am covered with pure vegetable oil and I am writing a best seller! From lbergman at abi.tconline.net Tue May 14 21:11:12 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:44 2006 Subject: Scan domain but not sub-domains In-Reply-To: References: Message-ID: <200205141511.12684.lbergman@abi.tconline.net> On Tuesday 14 May 2002 02:52 pm, Scott Gregory wrote: > How does one configure the .conf files to allow e-mails > to be scanned for user@domain.com addresses but not for > sub-domains like user@host1.domain.com, user@host2.domain.com addresses? domain.com -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From rajesh-shriram at GMX.NET Thu May 16 12:52:02 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:44 2006 Subject: Can someone put [Mailscanner] in the list subjects? In-Reply-To: <3CE14BB8.7A80BBAE@bangor.ac.uk> References: <3CE1274B.5186.2557665B@localhost> <3CE14BB8.7A80BBAE@bangor.ac.uk> Message-ID: <20020516115202.GB957@debian> On 14/05/02 at 18:39 - Martin Sapsed said in public: >David Sullivan wrote: >> On 14 May 2002 at 9:25, Jeff Volckaert wrote: >> > Would it be possible to get something like [Mailscanner] in the subject >> > line of all the list messages? I subscribe to a number of mailing lists >> > and would prefer to not have to start filtering them into individual >> > boxes, but would like to see at a glance which list it's from. >> >> Jiscmail lists can all be customised to do certain things on a per subscriber >> basis, one of which is to put the list name in the subject line: >> >> http://www.jiscmail.ac.uk/cgi-bin/wa.exe?SUBED1=mailscanner&A=1 > >except that then we'll probably get some messages appearing with >[Mailscanner] in and some without and any hope of sensible threading will >go out of the window. I've seen it happen on other lists - you sometimes >end up with subjects like > >Re: [listname] blah >and >[listname] Re: blah >and sometimes >[listname] Re: [listname} blah ! > >I vote for leaving it alone and using e.g. Sender: to filter messages to a >folder like I do now (if we're having a vote that is!) That's what I do too for all the mailing lists I am subscribed to. That's the way to go. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] Love is an obsessive delusion that is cured by marriage. -- Dr. Karl Bowman From m.sapsed at BANGOR.AC.UK Wed May 15 09:46:33 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:44 2006 Subject: Content filtering Message-ID: <3CE22069.B6A0DD11@bangor.ac.uk> Hi all, I wonder (in the face of a lot of jdbmgr hoaxes) whether MailScanner could be enhanced to do some simple content filtering. I realise there are major pitfalls here but if perhaps MailScanner found the string "the virus has a teddy bear icon with the name jdbgmgr.exe" you can be pretty sure you've got a hoax doing the rounds. Could it replace the entire message with something to the effect that you've been sent a hoax virus warning and we've nuked it to protect you (and our mail servers) from yourself! I have heard the other side of content filtering where a message about specialist furniture was bounced because there were too many occurences of legs...! I'm thinking more of specific strings found in regular hoaxes. Would this be feasible and/or a "Good idea" (TM)? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From LISTSERV at JISCMAIL.AC.UK Wed May 15 03:32:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: mike@CAMAROSS.NET requested to join Message-ID: <200205150232.DAA29785@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 03:32:16 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mike Kercher You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mike@CAMAROSS.NET Mike Kercher PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mike@CAMAROSS.NET Mike Kercher // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 15 07:09:14 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: davor@GRADST.HR left the JISCmail list Message-ID: <200205150609.HAA10018@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 07:09:14 Davor Luksic has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Wed May 15 07:09:28 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: davor@GRADST.HR requested to join Message-ID: <200205150609.HAA10023@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 07:09:28 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Davor Luksic You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER davor@GRADST.HR Davor Luksic PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER davor@GRADST.HR Davor Luksic // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 15 07:44:26 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:44 2006 Subject: MAILSCANNER: arno.meijer@STEBIS.NL requested to join Message-ID: <200205150644.HAA11597@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 07:44:26 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Arno Meijer You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER arno.meijer@STEBIS.NL Arno Meijer PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER arno.meijer@STEBIS.NL Arno Meijer // EOJ From P.G.M.Peters at civ.utwente.nl Wed May 15 10:40:50 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> References: <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> Message-ID: On Tue, 14 May 2002 17:28:00 +0100, you wrote: >At 17:01 14/05/2002, you wrote: >> I edited the filename.rules.conf file and found out that it had some bad >>tabs in it. When I did that and sent an executable by email it worked!. >>But I did the same thing today, after no changes to the configuration, and >>it's not working again. where is the log for mailscanner again?? > >In your syslog's maillog. But be sure to include "-r" in the startup of syslog or use unix-sockets. In logger.pl: sub Start { + Sys::Syslog::setlogsock('unix'); ### mj 27.Mar: enables syslog Sys::Syslog::openlog(@_, 'pid, nowait', 'mail'); } Something as an official patch for mailscanner, Julian? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Wed May 15 10:51:52 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:44 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: <20020515202819.GA1791@debian> References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> <20020515202819.GA1791@debian> Message-ID: On Wed, 15 May 2002 20:28:19 +0000, you wrote: >>Have you changed mailscanner.conf to show the correct postmaster >>address: >># Set email address of who to notify about any infections found. >># Should put your full domain name here too, >># e.g. postmaster@your.domain.com >>Local Postmaster = postmaster@utwente.nl >If I change my local domain from debian.home to say goatelecom.com than >yes the mail will be sent as From : postmaster@goatelecom.com which will go >through. However any mail sent to goatelecom.com will be returned back >since I will be specifying goatelecom.com as the local domain :-). See that >also I cannot do. Somehow any way there to specify From : address as say >rajesh@goatelecom.com, since if that person replies to my mail than I will >receive his reply. Just change "Local Postmaster" to rajesh@goatelecom.com. You get the messages from mailscanner on that address and recipients who reply will also send the message to you. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Wed May 15 10:54:44 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:44 2006 Subject: Content filtering In-Reply-To: <3CE22069.B6A0DD11@bangor.ac.uk> References: <3CE22069.B6A0DD11@bangor.ac.uk> Message-ID: On Wed, 15 May 2002 09:46:33 +0100, you wrote: >I wonder (in the face of a lot of jdbmgr hoaxes) whether MailScanner could >be enhanced to do some simple content filtering. I realise there are major >pitfalls here but if perhaps MailScanner found the string I would put/keep that in the external scanners. If you consider hoaxes some kind of virus (which they are in my perspective) you should look for an anti-virus program that detects hoaxes. If you consider hoaxes spam (which they are in my perspective) you could have SpamAssassin updated to check for hoaxes. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Wed May 15 11:28:05 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: References: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020515112628.02a67620@imap.ecs.soton.ac.uk> At 10:40 15/05/2002, you wrote: >On Tue, 14 May 2002 17:28:00 +0100, you wrote: > > >At 17:01 14/05/2002, you wrote: > >> I edited the filename.rules.conf file and found out that it had some bad > >>tabs in it. When I did that and sent an executable by email it worked!. > >>But I did the same thing today, after no changes to the configuration, and > >>it's not working again. where is the log for mailscanner again?? > > > >In your syslog's maillog. > >But be sure to include "-r" in the startup of syslog or use >unix-sockets. > >In logger.pl: > sub Start { >+ Sys::Syslog::setlogsock('unix'); ### mj 27.Mar: enables syslog > Sys::Syslog::openlog(@_, 'pid, nowait', 'mail'); > } This will fail if the installed version of Sys::Syslog does not have the setlogsock method, which quite a few versions don't (see the Perl in a Nutshell O'Reilly book). To avoid that problem, I would do this instead: sub Start { # Do this in an eval so it can fail quietly if setlogsock # is not supported in the installed version of Sys::Syslog eval { Sys::Syslog::setlogsock('unix'); } # Doesn't need syslogd -r Sys::Syslog::openlog(@_, 'pid, nowait', 'mail'); } This code will go into the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 15 11:35:10 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner not scanning attatchments In-Reply-To: <5.1.0.14.2.20020515112628.02a67620@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> <1hd1eu467a649pehusv60mpms4qenc0db5@4ax.com> <5.1.0.14.2.20020514172744.029c8978@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020515113407.029d6190@imap.ecs.soton.ac.uk> At 11:28 15/05/2002, you wrote: >This will fail if the installed version of Sys::Syslog does not have the >setlogsock method, which quite a few versions don't (see the Perl in a >Nutshell O'Reilly book). To avoid that problem, I would do this instead: > >sub Start { > # Do this in an eval so it can fail quietly if setlogsock > # is not supported in the installed version of Sys::Syslog > eval { Sys::Syslog::setlogsock('unix'); } # Doesn't need syslogd -r > Sys::Syslog::openlog(@_, 'pid, nowait', 'mail'); >} I missed the ";" off the end of the "eval" line, it should of course read eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Wed May 15 11:54:15 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:44 2006 Subject: Content filtering In-Reply-To: <3CE22069.B6A0DD11@bangor.ac.uk> Message-ID: sounds like the perfect job for procmail to do instead. Search google for "junkfilter", a procmail addition for anti-spam control, it could easily do that. Beware of "feeping creaturism". --- Jeff Earickson From m.sapsed at BANGOR.AC.UK Wed May 15 12:56:09 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: <3CE24CD9.A5CEAC26@bangor.ac.uk> Hi Julian et al, Julian Field wrote: > > I've just released MailScanner Version 3.14. Can I make a suggestion for some future release? In the bin directory, instead of having a symbolic link to the solaris version in the distribution, what about having e.g. tnef as a shell script containing #!/bin/sh exec $0.`uname` $* and then having tnef.Linux and tnef.SunOS ? That way, peeps wouldn't have to fiddle with the links for the programs. I would think something similar could deal with the platform specifics in the conf file (only the path at a quick glance?) Apologies if you considered this in the past and decided it was a bad idea... Just a thought which might make installation easier for some? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From jkf at ecs.soton.ac.uk Wed May 15 13:48:10 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <3CE24CD9.A5CEAC26@bangor.ac.uk> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020515134628.034ea9f0@imap.ecs.soton.ac.uk> At 12:56 15/05/2002, you wrote: >Julian Field wrote: > > I've just released MailScanner Version 3.14. > >Can I make a suggestion for some future release? In the bin directory, >instead of having a symbolic link to the solaris version in the >distribution, what about having e.g. tnef as a shell script containing > >#!/bin/sh >exec $0.`uname` $* > >and then having tnef.Linux and tnef.SunOS ? That way, peeps wouldn't have >to fiddle with the links for the programs. I would think something similar >could deal with the platform specifics in the conf file (only the path at a >quick glance?) Good idea. Hadn't thought of doing that. Will increase the load a bit though as a shell will have to be started, whereas currently it is just exec'd from MailScanner with no startup overhead. The platform specifics in the conf file will be dealt with by the autoconf installer that Nick's working on. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From thom at DARKSABER.COM Wed May 15 14:02:18 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner with Mcafee Message-ID: <1021467739.1618.22.camel@service.darksaber.com> I'm not sure my update script is working correctly for mailscanner. It seems the default place for the dat files is in /usr/local/mcafee (according to mcafee) and the update script and mcafee wrapper file want the dat files to be in /usr/local/mcafee/dat. I'd rather have the dat files in /usr/local/mcafee. I tried editing the update script to save the files there, but mcafee then complains that the dat files are missing. Has anyone had success with this? -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Load : 0.42 0.30 0.21, AC on-line, no system battery -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mdunder at GE.UCL.AC.UK Wed May 15 14:03:37 2002 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020515134628.034ea9f0@imap.ecs.soton.ac.uk> Message-ID: On Wed, 15 May 2002, Julian Field wrote: > > > >#!/bin/sh > >exec $0.`uname` $* > > > >and then having tnef.Linux and tnef.SunOS ? That way, peeps wouldn't have > >to fiddle with the links for the programs. I would think something similar > >could deal with the platform specifics in the conf file (only the path at a > >quick glance?) > > Good idea. Hadn't thought of doing that. Will increase the load a bit > though as a shell will have to be started, whereas currently it is just > exec'd from MailScanner with no startup overhead. Although you could do a single uname at the beginning of the mailscanner script to set $ARCH or similar and then use exec tnef.$ARCH to avoid reshelling each time.. Make sense? M. From thomas.zajic at NEO.AT Wed May 15 14:45:36 2002 From: thomas.zajic at NEO.AT (Thomas Zajic) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner with Mcafee In-Reply-To: <1021467739.1618.22.camel@service.darksaber.com>; from thom@DARKSABER.COM on Wed, May 15, 2002 at 09:02:18AM -0400 References: <1021467739.1618.22.camel@service.darksaber.com> Message-ID: <20020515154536.A7334@thomas.neo.at> On Wed, May 15, 2002 at 09:02:18AM -0400, Thom Paine wrote: > I'm not sure my update script is working correctly for mailscanner. > It seems the default place for the dat files is in /usr/local/mcafee > (according to mcafee) and the update script and mcafee wrapper file > want the dat files to be in /usr/local/mcafee/dat. [...] See . HTH, Thomas -- ----------------------------- Thomas Zajic System Administrator neo Software Produktions GmbH A T2 Company email: thomas.zajic@neo.at web: http://www.neo.at From P.G.M.Peters at civ.utwente.nl Wed May 15 14:32:35 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:44 2006 Subject: ANNOUNCE: Version 3.14-1 released In-Reply-To: <5.1.0.14.2.20020515134628.034ea9f0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020514103445.02af8320@imap.ecs.soton.ac.uk> <3CE24CD9.A5CEAC26@bangor.ac.uk> <5.1.0.14.2.20020515134628.034ea9f0@imap.ecs.soton.ac.uk> Message-ID: On Wed, 15 May 2002 13:48:10 +0100, you wrote: >>Can I make a suggestion for some future release? In the bin directory, >>instead of having a symbolic link to the solaris version in the >>distribution, what about having e.g. tnef as a shell script containing >> >>#!/bin/sh >>exec $0.`uname` $* >> >>and then having tnef.Linux and tnef.SunOS ? That way, peeps wouldn't have >>to fiddle with the links for the programs. I would think something similar >>could deal with the platform specifics in the conf file (only the path at a >>quick glance?) > >Good idea. Hadn't thought of doing that. Will increase the load a bit >though as a shell will have to be started, whereas currently it is just >exec'd from MailScanner with no startup overhead. Isn't it possible to change the way $Config::TNEF is defined? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From thom at DARKSABER.COM Wed May 15 15:18:13 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:44 2006 Subject: Mailscanner with Mcafee In-Reply-To: <20020515154536.A7334@thomas.neo.at> References: <1021467739.1618.22.camel@service.darksaber.com> <20020515154536.A7334@thomas.neo.at> Message-ID: <1021472293.1609.27.camel@service.darksaber.com> Thanks for the reply Thomas. Now I'm getting another error. Failed compilation aborted at line 18. Can't locate Net/FTP. Does this ring a bell? On Wed, 2002-05-15 at 09:45, Thomas Zajic wrote: > On Wed, May 15, 2002 at 09:02:18AM -0400, Thom Paine wrote: > > > I'm not sure my update script is working correctly for mailscanner. > > It seems the default place for the dat files is in /usr/local/mcafee > > (according to mcafee) and the update script and mcafee wrapper file > > want the dat files to be in /usr/local/mcafee/dat. [...] > > See . > > HTH, > Thomas > -- > ----------------------------- > Thomas Zajic > System Administrator > > neo Software Produktions GmbH > A T2 Company > email: thomas.zajic@neo.at > web: http://www.neo.at -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 10:17am up 2:04, 4 users, load average: 0.13, 0.14, 0.05 Registered Linux User 214499 From rishi at THEARGONCOMPANY.COM Wed May 15 15:27:19 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner slowing the computer down Message-ID: <005401c1fc1c$9f2d1420$1b02a8c0@theargoncompany.com> Hi I just noticed my server became very slow and noticed the number of files create in /var/spool/mailscanner/incoming was huge. Hers is the output of find /var/spool/mailscanner/incoming /var/spool/MailScanner/incoming/ /var/spool/MailScanner/incoming/TAA06777.header /var/spool/MailScanner/incoming/TAA06138.header /var/spool/MailScanner/incoming/TAA07029.header /var/spool/MailScanner/incoming/TAA07605.header /var/spool/MailScanner/incoming/TAA08323.header /var/spool/MailScanner/incoming/TAA09118.header /var/spool/MailScanner/incoming/TAA06777 /var/spool/MailScanner/incoming/TAA06777/msg-10786-1.txt /var/spool/MailScanner/incoming/TAA06777/msg-10786-2.html /var/spool/MailScanner/incoming/TAA06777/Argonet.exe /var/spool/MailScanner/incoming/TAA06777/server.dat /var/spool/MailScanner/incoming/TAA06138 /var/spool/MailScanner/incoming/TAA06138/msg-10786-3.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-4.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-5.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-6.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-7.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-8.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-9.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-10.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-11.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-12.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-13.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-14.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-15.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-16.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-17.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-18.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-19.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-20.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-21.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-22.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-23.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-24.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-25.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-26.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-27.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-28.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-29.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-30.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-31.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-32.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-33.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-34.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-35.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-36.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-37.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-38.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-39.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-40.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-41.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-42.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-43.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-44.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-45.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-46.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-47.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-48.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-49.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-50.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-51.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-52.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-53.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-54.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-55.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-56.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-57.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-58.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-59.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-60.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-61.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-62.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-63.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-64.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-65.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-66.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-67.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-68.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-69.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-70.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-71.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-72.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-73.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-74.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-75.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-76.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-77.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-78.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-79.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-80.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-81.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-82.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-83.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-84.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-85.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-86.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-87.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-88.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-89.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-90.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-91.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-92.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-93.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-94.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-95.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-96.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-97.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-98.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-99.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-100.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-101.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-102.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-103.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-104.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-105.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-106.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-107.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-108.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-109.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-110.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-111.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-112.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-113.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-114.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-115.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-116.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-117.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-118.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-119.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-120.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-121.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-122.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-123.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-124.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-125.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-126.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-127.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-128.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-129.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-130.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-131.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-132.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-133.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-134.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-135.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-136.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-137.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-138.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-139.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-140.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-141.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-142.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-143.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-144.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-145.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-146.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-147.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-148.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-149.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-150.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-151.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-152.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-153.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-154.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-155.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-156.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-157.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-158.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-159.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-160.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-161.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-162.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-163.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-164.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-165.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-166.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-167.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-168.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-169.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-170.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-171.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-172.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-173.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-174.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-175.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-176.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-177.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-178.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-179.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-180.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-181.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-182.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-183.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-184.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-185.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-186.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-187.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-188.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-189.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-190.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-191.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-192.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-193.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-194.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-195.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-196.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-197.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-198.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-199.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-200.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-201.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-202.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-203.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-204.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-205.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-206.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-207.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-208.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-209.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-210.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-211.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-212.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-213.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-214.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-215.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-216.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-217.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-218.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-219.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-220.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-221.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-222.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-223.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-224.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-225.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-226.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-227.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-228.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-229.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-230.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-231.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-232.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-233.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-234.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-235.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-236.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-237.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-238.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-239.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-240.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-241.txt /var/spool/MailScanner/incoming/TAA06138/msg-10786-242.msg /var/spool/MailScanner/incoming/TAA06138/msg-10786-243.txt /var/spool/MailScanner/incoming/TAA07029 /var/spool/MailScanner/incoming/TAA07029/msg-10786-244.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-245.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-246.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-247.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-248.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-249.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-250.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-251.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-252.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-253.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-254.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-255.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-256.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-257.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-258.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-259.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-260.txt /var/spool/MailScanner/incoming/TAA07029/msg-10786-261.msg /var/spool/MailScanner/incoming/TAA07029/msg-10786-262.txt /var/spool/MailScanner/incoming/TAA07605 /var/spool/MailScanner/incoming/TAA07605/msg-10786-263.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-264.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-265.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-266.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-267.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-268.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-269.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-270.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-271.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-272.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-273.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-274.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-275.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-276.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-277.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-278.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-279.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-280.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-281.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-282.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-283.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-284.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-285.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-286.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-287.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-288.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-289.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-290.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-291.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-292.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-293.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-294.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-295.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-296.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-297.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-298.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-299.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-300.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-301.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-302.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-303.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-304.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-305.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-306.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-307.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-308.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-309.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-310.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-311.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-312.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-313.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-314.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-315.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-316.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-317.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-318.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-319.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-320.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-321.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-322.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-323.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-324.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-325.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-326.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-327.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-328.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-329.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-330.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-331.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-332.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-333.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-334.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-335.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-336.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-337.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-338.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-339.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-340.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-341.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-342.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-343.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-344.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-345.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-346.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-347.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-348.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-349.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-350.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-351.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-352.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-353.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-354.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-355.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-356.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-357.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-358.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-359.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-360.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-361.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-362.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-363.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-364.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-365.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-366.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-367.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-368.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-369.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-370.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-371.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-372.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-373.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-374.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-375.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-376.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-377.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-378.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-379.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-380.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-381.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-382.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-383.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-384.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-385.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-386.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-387.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-388.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-389.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-390.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-391.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-392.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-393.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-394.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-395.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-396.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-397.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-398.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-399.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-400.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-401.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-402.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-403.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-404.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-405.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-406.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-407.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-408.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-409.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-410.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-411.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-412.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-413.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-414.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-415.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-416.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-417.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-418.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-419.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-420.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-421.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-422.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-423.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-424.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-425.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-426.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-427.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-428.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-429.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-430.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-431.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-432.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-433.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-434.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-435.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-436.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-437.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-438.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-439.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-440.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-441.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-442.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-443.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-444.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-445.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-446.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-447.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-448.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-449.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-450.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-451.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-452.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-453.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-454.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-455.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-456.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-457.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-458.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-459.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-460.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-461.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-462.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-463.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-464.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-465.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-466.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-467.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-468.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-469.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-470.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-471.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-472.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-473.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-474.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-475.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-476.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-477.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-478.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-479.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-480.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-481.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-482.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-483.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-484.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-485.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-486.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-487.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-488.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-489.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-490.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-491.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-492.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-493.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-494.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-495.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-496.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-497.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-498.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-499.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-500.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-501.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-502.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-503.txt /var/spool/MailScanner/incoming/TAA07605/msg-10786-504.msg /var/spool/MailScanner/incoming/TAA07605/msg-10786-505.txt /var/spool/MailScanner/incoming/TAA08323 /var/spool/MailScanner/incoming/TAA08323/msg-10786-506.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-507.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-508.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-509.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-510.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-511.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-512.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-513.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-514.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-515.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-516.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-517.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-518.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-519.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-520.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-521.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-522.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-523.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-524.txt /var/spool/MailScanner/incoming/TAA08323/msg-10786-525.msg /var/spool/MailScanner/incoming/TAA08323/msg-10786-526.txt /var/spool/MailScanner/incoming/TAA09118 /var/spool/MailScanner/incoming/TAA09118/msg-10786-527.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-528.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-529.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-530.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-531.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-532.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-533.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-534.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-535.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-536.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-537.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-538.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-539.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-540.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-541.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-542.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-543.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-544.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-545.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-546.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-547.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-548.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-549.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-550.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-551.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-552.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-553.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-554.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-555.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-556.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-557.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-558.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-559.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-560.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-561.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-562.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-563.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-564.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-565.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-566.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-567.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-568.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-569.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-570.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-571.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-572.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-573.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-574.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-575.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-576.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-577.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-578.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-579.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-580.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-581.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-582.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-583.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-584.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-585.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-586.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-587.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-588.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-589.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-590.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-591.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-592.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-593.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-594.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-595.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-596.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-597.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-598.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-599.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-600.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-601.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-602.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-603.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-604.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-605.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-606.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-607.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-608.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-609.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-610.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-611.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-612.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-613.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-614.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-615.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-616.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-617.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-618.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-619.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-620.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-621.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-622.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-623.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-624.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-625.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-626.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-627.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-628.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-629.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-630.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-631.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-632.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-633.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-634.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-635.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-636.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-637.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-638.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-639.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-640.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-641.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-642.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-643.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-644.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-645.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-646.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-647.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-648.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-649.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-650.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-651.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-652.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-653.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-654.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-655.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-656.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-657.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-658.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-659.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-660.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-661.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-662.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-663.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-664.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-665.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-666.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-667.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-668.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-669.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-670.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-671.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-672.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-673.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-674.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-675.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-676.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-677.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-678.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-679.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-680.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-681.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-682.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-683.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-684.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-685.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-686.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-687.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-688.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-689.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-690.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-691.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-692.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-693.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-694.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-695.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-696.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-697.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-698.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-699.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-700.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-701.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-702.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-703.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-704.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-705.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-706.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-707.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-708.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-709.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-710.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-711.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-712.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-713.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-714.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-715.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-716.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-717.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-718.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-719.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-720.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-721.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-722.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-723.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-724.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-725.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-726.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-727.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-728.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-729.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-730.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-731.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-732.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-733.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-734.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-735.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-736.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-737.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-738.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-739.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-740.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-741.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-742.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-743.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-744.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-745.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-746.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-747.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-748.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-749.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-750.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-751.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-752.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-753.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-754.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-755.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-756.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-757.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-758.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-759.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-760.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-761.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-762.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-763.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-764.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-765.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-766.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-767.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-768.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-769.txt /var/spool/MailScanner/incoming/TAA09118/msg-10786-770.msg /var/spool/MailScanner/incoming/TAA09118/msg-10786-771.txt Can anyone tell me why this is happening? What am I doing wrong? Is there somehting to prevent this? Regards Rishi From LISTSERV at JISCMAIL.AC.UK Wed May 15 15:47:08 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: pelayog@CMSI2002.COM requested to join Message-ID: <200205151447.PAA24514@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 15:47:07 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Pelayo Gonzalez You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER pelayog@CMSI2002.COM Pelayo Gonzalez PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER pelayog@CMSI2002.COM Pelayo Gonzalez // EOJ From jkf at ecs.soton.ac.uk Wed May 15 15:59:05 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner slowing the computer down In-Reply-To: <005401c1fc1c$9f2d1420$1b02a8c0@theargoncompany.com> Message-ID: <5.1.0.14.2.20020515155757.02a60c88@imap.ecs.soton.ac.uk> At 15:27 15/05/2002, you wrote: >Hi > >I just noticed my server became very slow and noticed the number of files >create in /var/spool/mailscanner/incoming was huge. > >Hers is the output of find /var/spool/mailscanner/incoming > > Did we really all need to see *all* of that? A few sample lines and a rough total would have done... >Can anyone tell me why this is happening? >What am I doing wrong? >Is there somehting to prevent this? Looks like you have a message with a huge number of attachments. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From marc.perea at ELECTRONIC-GROUP.COM Wed May 15 16:06:19 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:14:45 2006 Subject: Mailscanner with Mcafee In-Reply-To: <1021472293.1609.27.camel@service.darksaber.com> References: <1021467739.1618.22.camel@service.darksaber.com> <20020515154536.A7334@thomas.neo.at> <1021472293.1609.27.camel@service.darksaber.com> Message-ID: <20020515170619.50d31c7c.marc.perea@electronic-group.com> On Wed, 15 May 2002 10:18:13 -0400 Thom Paine wrote: > Thanks for the reply Thomas. > > Now I'm getting another error. > > Failed compilation aborted at line 18. Can't locate Net/FTP. > > Does this ring a bell? > Thom, it seems that you're missing a required perl module. http://search.cpan.org/search?dist=Net-FTP-Common Cheers, -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From andrewh at CQG.COM Wed May 15 16:04:50 2002 From: andrewh at CQG.COM (Andrew Hoying) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner slowing the computer down In-Reply-To: <5.1.0.14.2.20020515155757.02a60c88@imap.ecs.soton.ac.uk> Message-ID: This is the same thing that happened to me last month. Check for a mail loop with bouncing messages between one of our e-mail recipients and some off site address. Andrew > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Wednesday, May 15, 2002 8:59 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: mailscanner slowing the computer down > > > At 15:27 15/05/2002, you wrote: > >Hi > > > >I just noticed my server became very slow and noticed the number of files > >create in /var/spool/mailscanner/incoming was huge. > > > >Hers is the output of find /var/spool/mailscanner/incoming > > > > > > Did we really all need to see *all* of that? A few sample lines > and a rough > total would have done... > > >Can anyone tell me why this is happening? > >What am I doing wrong? > >Is there somehting to prevent this? > > Looks like you have a message with a huge number of attachments. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From LISTSERV at JISCMAIL.AC.UK Wed May 15 16:20:22 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: serge.slivitzky@FTI-IBIS.COM left the JISCmail list Message-ID: <200205151520.QAA28451@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 16:20:22 serge.slivitzky@FTI-IBIS.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From thomas.zajic at NEO.AT Wed May 15 16:23:25 2002 From: thomas.zajic at NEO.AT (Thomas Zajic) Date: Thu Jan 12 21:14:45 2006 Subject: Mailscanner with Mcafee In-Reply-To: <1021472293.1609.27.camel@service.darksaber.com>; from thom@DARKSABER.COM on Wed, May 15, 2002 at 10:18:13AM -0400 References: <1021467739.1618.22.camel@service.darksaber.com> <20020515154536.A7334@thomas.neo.at> <1021472293.1609.27.camel@service.darksaber.com> Message-ID: <20020515172325.C7334@thomas.neo.at> On Wed, May 15, 2002 at 10:18:13AM -0400, Thom Paine wrote: > Thanks for the reply Thomas. > Now I'm getting another error. > Failed compilation aborted at line 18. Can't locate Net/FTP. > Does this ring a bell? Looks like you don't have the Net::FTP Perl module installed: | [root@neo]:~# locate Net/FTP | /usr/lib/perl5/site_perl/Net/FTP | /usr/lib/perl5/site_perl/Net/FTP.pm | /usr/lib/perl5/site_perl/Net/FTP/A.pm | /usr/lib/perl5/site_perl/Net/FTP/dataconn.pm | /usr/lib/perl5/site_perl/Net/FTP/E.pm | /usr/lib/perl5/site_perl/Net/FTP/I.pm | /usr/lib/perl5/site_perl/Net/FTP/L.pm HTH, Thomas -- ----------------------------- Thomas Zajic System Administrator neo Software Produktions GmbH A T2 Company email: thomas.zajic@neo.at web: http://www.neo.at From beau at billbeau.net Wed May 15 16:23:27 2002 From: beau at billbeau.net (Bill) Date: Thu Jan 12 21:14:45 2006 Subject: newbie question Message-ID: <20020515155914.9D058207446@firebird.billbeau.net> Is there a log file showing what the mailscanner has done as far as emails scanned attachements scanned ? How do I know mailscanner is actually doing a virus scan and not just passing the email on for delivery. Im using f-prot as the virus scanner. Is there a way to test that the whole system is working correctly? From thom at DARKSABER.COM Wed May 15 16:40:02 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:45 2006 Subject: newbie question In-Reply-To: <20020515155914.9D058207446@firebird.billbeau.net> References: <20020515155914.9D058207446@firebird.billbeau.net> Message-ID: <1021477202.1609.32.camel@service.darksaber.com> I can send you the klex virus I got in my yahoo mail account. I've been using that for testing. On Wed, 2002-05-15 at 11:23, Bill wrote: > Is there a log file showing what the mailscanner has done as far as emails > scanned attachements scanned ? How do I know mailscanner is actually doing a > virus scan and not just passing the email on for delivery. Im using f-prot as > the virus scanner. Is there a way to test that the whole system is working > correctly? -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 11:39am up 3:26, 3 users, load average: 0.04, 0.06, 0.07 Registered Linux User 214499 From m.sapsed at BANGOR.AC.UK Wed May 15 16:38:27 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:45 2006 Subject: Content filtering References: <3CE22069.B6A0DD11@bangor.ac.uk> Message-ID: <3CE280F3.FAE8628D@bangor.ac.uk> Peter Peters wrote: > I would put/keep that in the external scanners. > > If you consider hoaxes some kind of virus (which they are in my > perspective) you should look for an anti-virus program that detects > hoaxes. > > If you consider hoaxes spam (which they are in my perspective) you could > have SpamAssassin updated to check for hoaxes. Isn't it a similar operation to refusing attachments ending in .whatever - or would you say that shouldn't be in MailScanner? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From jkf at ecs.soton.ac.uk Wed May 15 16:44:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: newbie question In-Reply-To: <1021477202.1609.32.camel@service.darksaber.com> References: <20020515155914.9D058207446@firebird.billbeau.net> <20020515155914.9D058207446@firebird.billbeau.net> Message-ID: <5.1.0.14.2.20020515164337.0355c828@imap.ecs.soton.ac.uk> At 16:40 15/05/2002, you wrote: >I can send you the klex virus I got in my yahoo mail account. I've been >using that for testing. The Eicar test file (totally harmless but detected by all the scanners) would be a better choice for this. You can download it from www.eicar.org. >On Wed, 2002-05-15 at 11:23, Bill wrote: > > Is there a log file showing what the mailscanner has done as far as emails > > scanned attachements scanned ? How do I know mailscanner is actually > doing a > > virus scan and not just passing the email on for delivery. Im using > f-prot as > > the virus scanner. Is there a way to test that the whole system is working > > correctly? >-- >-=/>Thom >Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 >Uptime: 11:39am up 3:26, 3 users, load average: 0.04, 0.06, 0.07 >Registered Linux User 214499 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From support at IQUEST.UCSB.EDU Wed May 15 17:33:47 2002 From: support at IQUEST.UCSB.EDU (Support) Date: Thu Jan 12 21:14:45 2006 Subject: newbie question In-Reply-To: <1021477202.1609.32.camel@service.darksaber.com> Message-ID: could you please send that to Blaqb0x@netscape.net Id like to test also thanx, -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Thom Paine Sent: Wednesday, May 15, 2002 8:40 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: newbie question I can send you the klex virus I got in my yahoo mail account. I've been using that for testing. On Wed, 2002-05-15 at 11:23, Bill wrote: > Is there a log file showing what the mailscanner has done as far as emails > scanned attachements scanned ? How do I know mailscanner is actually doing a > virus scan and not just passing the email on for delivery. Im using f-prot as > the virus scanner. Is there a way to test that the whole system is working > correctly? -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 11:39am up 3:26, 3 users, load average: 0.04, 0.06, 0.07 Registered Linux User 214499 From beau at billbeau.net Wed May 15 17:45:06 2002 From: beau at billbeau.net (Bill) Date: Thu Jan 12 21:14:45 2006 Subject: newbie question In-Reply-To: <5.1.0.14.2.20020515164337.0355c828@imap.ecs.soton.ac.uk> References: <20020515155914.9D058207446@firebird.billbeau.net> <5.1.0.14.2.20020515164337.0355c828@imap.ecs.soton.ac.uk> Message-ID: <20020515172053.8E783207446@firebird.billbeau.net> there are 4 test files and I used them all. The mailscanner cought them and mailed me back sayin I sent a few viruses. Thanks for the tip! The mailscanner is working great. On Star Date Wednesday 15 May 2002 08:44 am, Julian Field sent this sub-space message. > At 16:40 15/05/2002, you wrote: > >I can send you the klex virus I got in my yahoo mail account. I've been > >using that for testing. > > The Eicar test file (totally harmless but detected by all the scanners) > would be a better choice for this. You can download it from www.eicar.org. > > >On Wed, 2002-05-15 at 11:23, Bill wrote: > > > Is there a log file showing what the mailscanner has done as far as > > > emails scanned attachements scanned ? How do I know mailscanner is > > > actually > > > > doing a > > > > > virus scan and not just passing the email on for delivery. Im using > > > > f-prot as > > > > > the virus scanner. Is there a way to test that the whole system is > > > working correctly? > > > >-- > >-=/>Thom > >Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > >Uptime: 11:39am up 3:26, 3 users, load average: 0.04, 0.06, 0.07 > >Registered Linux User 214499 From lbergman at abi.tconline.net Wed May 15 17:53:55 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:45 2006 Subject: Content filtering In-Reply-To: <3CE280F3.FAE8628D@bangor.ac.uk> References: <3CE22069.B6A0DD11@bangor.ac.uk> <3CE280F3.FAE8628D@bangor.ac.uk> Message-ID: <200205151153.55364.lbergman@abi.tconline.net> > Isn't it a similar operation to refusing attachments ending in .whatever - > or would you say that shouldn't be in MailScanner? It doesn't sound similiar to me. The attachment deal doesn't have to match by regex'ing an entire message. That kind of stuff would better be in a virus engine or spam monitor as mentioned IMHO -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From rabellino at DI.UNITO.IT Wed May 15 17:58:07 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file Message-ID: <3CE2939F.EA89340@di.unito.it> There's a way to setup into mailscanner config file (mailscanner.conf) the config&prefs file for spamassassin ? This could be a better method to point spamassassin to the correct configuration files (if required) than try to figure out which files it's using currently spamassassin... Thanks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jkf at ecs.soton.ac.uk Wed May 15 18:23:56 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file In-Reply-To: <3CE2939F.EA89340@di.unito.it> Message-ID: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> At 17:58 15/05/2002, you wrote: >There's a way to setup into mailscanner config file (mailscanner.conf) the >config&prefs file for spamassassin ? >This could be a better method to point spamassassin to the correct >configuration files (if required) than try to figure out which files it's >using currently spamassassin... It will use root's settings unless you have MailScanner running as another user. So look in ~root/.spamassassin. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Wed May 15 19:36:13 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner slowing the computer down References: Message-ID: <027101c1fc3f$64627d80$1b02a8c0@theargoncompany.com> 1. Sorry for sending the all the lines. 2. Yes it was a mail loop. How does one prevent it from happening in future? Regards Rishi ----- Original Message ----- From: "Andrew Hoying" To: Sent: Wednesday, May 15, 2002 8:34 PM Subject: Re: mailscanner slowing the computer down > This is the same thing that happened to me last month. Check for a mail loop > with bouncing messages between one of our e-mail recipients and some off > site address. > > Andrew > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Wednesday, May 15, 2002 8:59 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: mailscanner slowing the computer down > > > > > > At 15:27 15/05/2002, you wrote: > > >Hi > > > > > >I just noticed my server became very slow and noticed the number of files > > >create in /var/spool/mailscanner/incoming was huge. > > > > > >Hers is the output of find /var/spool/mailscanner/incoming > > > > > > > > > > Did we really all need to see *all* of that? A few sample lines > > and a rough > > total would have done... > > > > >Can anyone tell me why this is happening? > > >What am I doing wrong? > > >Is there somehting to prevent this? > > > > Looks like you have a message with a huge number of attachments. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > From mailscanner at cgarvey.com Wed May 15 20:36:43 2002 From: mailscanner at cgarvey.com (Cathal Garvey) Date: Thu Jan 12 21:14:45 2006 Subject: I've been told to contact you ;) Message-ID: Hi, I've been using your MailScanner successfully until now I got the following in my mail logs .. May 15 20:02:57 www mailscanner[27354]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "/var/spool/MailScanner/incoming/UAA31532/msg-27354-7.txt contains W32/Klez.H@mm (non-working)". Please mail the author of MailScanner. f-prot v3.11b mailscanner v3.11 (# $Id: mailscanner,v 1.38 2002/02/15 09:34:34 jkf Exp $) Now it has caught loads of Klex variants successfully in the last few weeks. The message in question is (of course!) gone. I just mailed you because my logs said to!! Regards, Cathal. From mike at 4frontmedia.net Wed May 15 20:57:15 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E Message-ID: <000b01c1fc4a$b6738cd0$0100000a@MIKES> Over the last two days we have seen several virus warnings notifications from one of our mailscanner users, we cannot quite determine whether they are infected or is it Klez-E up to tricks. Before we alarm the user and tell him that our scanner missed this one has anybody any thoughts or similar experiences? When we check the quarantined message it is implying that our user was the sender but......with Klez-E who knows? The message we as the provider get from MailScanner is as follows: *************************************************************************** The following e-mail messages were found to have viruses in them: Sender: <> Recipient: < Our users e-mail address appears here > (I've removed to protect identity) Subject: Mail delivery failed: returning message to sender MessageID: g4FEfKR17219 Report: /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e -- MailScanner Email Virus Scanner ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020515/6c308756/attachment.html From jaearick at COLBY.EDU Wed May 15 21:46:34 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E In-Reply-To: <000b01c1fc4a$b6738cd0$0100000a@MIKES> Message-ID: Hi, I would study the full mail headers of the email (turn this on in mailscanner if you don't have them), or search your syslogs for message id g4FEfKR17219 and see what IP number the message originated from. Then go looking to see who might own the machine attached to that IP number. At my site, I search the syslogs to see who has been making POP connections from that IP number. If there are any POP connections associated with the machine, then I know who the owner is. Once I know that then I drag out the boiling oil and thumbscrews. The user's account gets locked out, their machine blacklisted in my sendmail settings -- they are dead until the machine is cleaned up. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Wed, 15 May 2002, Mike Walker wrote: > Date: Wed, 15 May 2002 20:57:15 +0100 > From: Mike Walker > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Klez-E > > Over the last two days we have seen several virus warnings notifications > from one of our mailscanner users, we cannot quite determine > whether they are infected or is it Klez-E up to tricks. > Before we alarm the user and tell him that our scanner missed this one > has anybody any thoughts or similar experiences? > > When we check the quarantined message it is implying that our user was > the sender but......with Klez-E who knows? > The message we as the provider get from MailScanner is as follows: > *************************************************************************** > The following e-mail messages were found to have viruses in them: > > Sender: <> > Recipient: < Our users e-mail address appears here > (I've removed to > protect identity) > > Subject: Mail delivery failed: returning message to sender > > MessageID: g4FEfKR17219 > > Report: /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002 > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e > > -- > > MailScanner > > Email Virus Scanner > > > ____________________________________________________________ > This message has been scanned for viruses by "VITANIUM" the > multi-scan E-mail Virus Protection Service from 4FrontMedia. > To safeguard your business call 01233-850906. > > From LISTSERV at JISCMAIL.AC.UK Wed May 15 23:21:25 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: jazzbr@YAHOO.COM.BR requested to join Message-ID: <200205152221.XAA04491@magpie.ecs.soton.ac.uk> Wed, 15 May 2002 23:21:25 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from jazzbr@YAHOO.COM.BR You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jazzbr@YAHOO.COM.BR =?iso-8859-1?q?Jazz?= PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jazzbr@YAHOO.COM.BR =?iso-8859-1?q?Jazz?= // EOJ From mike at ZANKER.ORG Thu May 16 08:22:19 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file In-Reply-To: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> Message-ID: <429027839.1021537338@mallard.open.ac.uk> On 15 May 2002 18:23 +0100 Julian Field wrote: > It will use root's settings unless you have MailScanner running as > another user. So look in ~root/.spamassassin. Adding my preferences to /etc/mail/spamassassin/local.cf seems to have worked. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From jkf at ecs.soton.ac.uk Thu May 16 08:24:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file In-Reply-To: Message-ID: <5.1.0.14.2.20020516082333.02b09410@imap.ecs.soton.ac.uk> At 22:50 15/05/2002, you wrote: >-----Original Message----- >From: jkf@ECS.SOTON.AC.UK > > >>There's a way to setup into mailscanner config file (mailscanner.conf) the > >>config&prefs file for spamassassin ? > >>This could be a better method to point spamassassin to the correct > >>configuration files (if required) than try to figure out which files it's > >>using currently spamassassin... > >It will use root's settings unless you have MailScanner running as another > >user. So look in ~root/.spamassassin. > >Julian, could you please add a paragraph about that to your excellent >documentation? Isn't it really a job for the SpamAssassin docs? I'll add a FAQ about it. >I know I was asking myself similar questions when I installed >SpamAssassin. Between SA's and your doc, it's not very clear how to >configure SA for use with MS. In which case I will try to make it clearer. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From m.sapsed at BANGOR.AC.UK Thu May 16 09:17:00 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner glitch Message-ID: <3CE36AFC.33543CF2@bangor.ac.uk> Hi all, I did the upgrade to 3.14 yesterday but this morning a mailscanner list message ended up in my inbox. I've copied in some of the headers below so you can recognise which message it was. Somehow the X-MailScanner header managed to eat the Sender header. Is this a one off glitch or something more serious? Did the same happen to anyone else? Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 >Date: Wed, 15 May 2002 16:46:34 -0400 (EDT) >From: "Jeff A. Earickson" >To: Mike Walker >cc: MAILSCANNER@jiscmail.ac.uk >Subject: Re: Klez-E >In-Reply-To: <000b01c1fc4a$b6738cd0$0100000a@MIKES> >Message-ID: >MIME-Version: 1.0 >Content-Type: TEXT/PLAIN; charset=US-ASCII >X-MailScanner: H??Sender: owner-mailscanner@jiscmail.ac.uk, Found to be clean From m.sapsed at BANGOR.AC.UK Thu May 16 09:10:25 2002 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:14:45 2006 Subject: Content filtering References: <3CE22069.B6A0DD11@bangor.ac.uk> <3CE280F3.FAE8628D@bangor.ac.uk> <200205151153.55364.lbergman@abi.tconline.net> Message-ID: <3CE36971.229E7C3F@bangor.ac.uk> Lewis Bergman wrote: > > > Isn't it a similar operation to refusing attachments ending in .whatever - > > or would you say that shouldn't be in MailScanner? > It doesn't sound similiar to me. The attachment deal doesn't have to match by > regex'ing an entire message. That kind of stuff would better be in a virus > engine or spam monitor as mentioned IMHO OK - fair point. I lose! Cheers, Martin -- Martin Sapsed To have no errors Information Services Would be life without meaning University of Wales, Bangor, LL57 2UX No struggle, no joy. Fax: +44 (0)1248 383826 From David.Sullivan at BARNET.AC.UK Thu May 16 09:27:28 2002 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:14:45 2006 Subject: Content filtering In-Reply-To: <3CE280F3.FAE8628D@bangor.ac.uk> Message-ID: <3CE37B7E.9824.2E715271@localhost> On 15 May 2002 at 16:38, Martin Sapsed wrote: > Peter Peters wrote: > > I would put/keep that in the external scanners. > > > > If you consider hoaxes some kind of virus (which they are in my > > perspective) you should look for an anti-virus program that detects > > hoaxes. > > > > If you consider hoaxes spam (which they are in my perspective) you could > > have SpamAssassin updated to check for hoaxes. > > Isn't it a similar operation to refusing attachments ending in .whatever - > or would you say that shouldn't be in MailScanner? > That benefits of doing this are very great though and they're there to stop the propagation of actual viruses. I'm certainly willing to block certain types of attachment as the virus scanner may always lag a little behind the next ".vbs" worm since these tend to spread quite fast. As to what you're willing to block to achieve this is a matter of debate of course. -- David Sullivan IT Services, Barnet College, London David.Sullivan@barnet.ac.uk 020 8275 5036 ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From rabellino at DI.UNITO.IT Thu May 16 09:36:27 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file References: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> Message-ID: <3CE36F8B.B6D17654@di.unito.it> Julian Field wrote: > > At 17:58 15/05/2002, you wrote: > >There's a way to setup into mailscanner config file (mailscanner.conf) the > >config&prefs file for spamassassin ? > >This could be a better method to point spamassassin to the correct > >configuration files (if required) than try to figure out which files it's > >using currently spamassassin... > > It will use root's settings unless you have MailScanner running as another > user. So look in ~root/.spamassassin. yes, I know, but using a "root" config, is not so clear in a system-wide software, so could be a better idea to limit the mailscanner-spamassassin job to a local (referred to the etc of mailscanner) configuration file. (?? spamassassinf.conf ??) ...Maybe in the release 99.33.XX .... If I do that, i'll send to you the patch... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From kvue at WADSNET.COM Thu May 16 12:14:47 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:45 2006 Subject: Customize the virus message References: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> <3CE36F8B.B6D17654@di.unito.it> Message-ID: <010d01c1fccb$1606ce70$fe00010a@backup> Where can I find docs on how to customize the email message to infected emails? I really would like to say something to the extend of "Please die and make my life easier"! :-) Also how do you redirect the messages and have them go to some else besides postmaster? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James From kvue at WADSNET.COM Thu May 16 12:08:28 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E References: Message-ID: <010c01c1fccb$15f47ef0$fe00010a@backup> I'm new so excuse me. Where can I find the syslog in REDHAT 5.0? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Wednesday, May 15, 2002 4:46 PM Subject: Re: Klez-E > Hi, > I would study the full mail headers of the email (turn this on in > mailscanner if you don't have them), or search your syslogs for message > id g4FEfKR17219 and see what IP number the message originated from. > Then go looking to see who might own the machine attached to that > IP number. At my site, I search the syslogs to see who has been > making POP connections from that IP number. If there are any POP > connections associated with the machine, then I know who the owner > is. Once I know that then I drag out the boiling oil and thumbscrews. > The user's account gets locked out, their machine blacklisted in my > sendmail settings -- they are dead until the machine is cleaned up. > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > ---------------------------------------------------------------------------- > > On Wed, 15 May 2002, Mike Walker wrote: > > > Date: Wed, 15 May 2002 20:57:15 +0100 > > From: Mike Walker > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Klez-E > > > > Over the last two days we have seen several virus warnings notifications > > from one of our mailscanner users, we cannot quite determine > > whether they are infected or is it Klez-E up to tricks. > > Before we alarm the user and tell him that our scanner missed this one > > has anybody any thoughts or similar experiences? > > > > When we check the quarantined message it is implying that our user was > > the sender but......with Klez-E who knows? > > The message we as the provider get from MailScanner is as follows: > > *************************************************************************** > > The following e-mail messages were found to have viruses in them: > > > > Sender: <> > > Recipient: < Our users e-mail address appears here > (I've removed to > > protect identity) > > > > Subject: Mail delivery failed: returning message to sender > > > > MessageID: g4FEfKR17219 > > > > Report: /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From > > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002 > > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e > > > > -- > > > > MailScanner > > > > Email Virus Scanner > > > > > > ____________________________________________________________ > > This message has been scanned for viruses by "VITANIUM" the > > multi-scan E-mail Virus Protection Service from 4FrontMedia. > > To safeguard your business call 01233-850906. > > > > > > From Patricia.Keena at DIT.IE Thu May 16 12:28:14 2002 From: Patricia.Keena at DIT.IE (Patricia Keena) Date: Thu Jan 12 21:14:45 2006 Subject: Customize the virus message References: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> <3CE36F8B.B6D17654@di.unito.it> <010d01c1fccb$1606ce70$fe00010a@backup> Message-ID: <006e01c1fccc$c4a1f1c0$cc02fc93@patricia> You can customize the virus warning in the /Mailscanner/etc/ folder sender.virus.report.txt stored.virus.message.txt deleted.virus.message.txt Also customize the postmaster account in the mailscanner.conf file in the same folder. Look for "Notify Postmaster when any infections are found?" The variable is Local Postmaster = "postmaster address" From: "Kham Vue" To: Sent: Thursday, May 16, 2002 12:14 PM Subject: Customize the virus message Where can I find docs on how to customize the email message to infected emails? I really would like to say something to the extend of "Please die and make my life easier"! :-) Also how do you redirect the messages and have them go to some else besides postmaster? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James -- This message has been scanned for viruses by the DIT Computer Centre Mail Scanner service, and is believed to be clean. -- This message has been scanned for viruses by the DIT Computer Centre Mail Scanner service, and is believed to be clean. From henrik at LEWANDER.COM Thu May 16 13:24:01 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:14:45 2006 Subject: Spamassassin reports Message-ID: <03e701c1fcd4$90305f00$d62211c2@gbg.bluelabs.se> Hello! I've been running Mailscanner with spamassassin for some time now, works great! Thanks for that... what I miss sometimes is an option to add the X-Spamcheck-header even if it's not spam, with the spamassassin score and possibly the terse report. Then I can see what score the spam has that gets trough. Btw, nice that the reports from spamassassin work now. -henrik -- ( ][ Husaberg FE 350 ][ Honda XR 650 ][ Avancez MC ][ c[] Husan ?r till salu! Se http://henrik.lewander.com/husan From LISTSERV at JISCMAIL.AC.UK Thu May 16 12:40:00 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: vincent@DUKE-INTERACTIVE.COM requested to join Message-ID: <200205161140.MAA29039@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 12:40:00 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from vincent M?oc You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER vincent@DUKE-INTERACTIVE.COM vincent M?oc PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER vincent@DUKE-INTERACTIVE.COM vincent M?oc // EOJ From email-ian at POST1.COM Thu May 16 15:02:39 2002 From: email-ian at POST1.COM (Ian Ee) Date: Thu Jan 12 21:14:45 2006 Subject: Mailscanner with eTrust InoculateIT 6.0 Message-ID: Julian, I'm contributing a patch for the wonderful software. I've managed to patch sweep.pl so that Mailscanner could work with CA eTrust InoculateIT 6.0 (aka. inocmd32). I traced the problems to the ProcessInoculateOutput function and found that the path returned was still not stripped clean of extra comments produced by inocmd32. The patch below works for me so far without glitches (on 4 live servers). You may need to improve on it add it to the next release. Hopefully it'll work for the rest using inocmd32. ------------------------------------------------------ *** /usr/local/mailscanner/mailscanner/bin/sweep.pl Thu May 16 20:57:01 2002 --- sweep.pl Thu May 16 21:23:47 2002 *************** *** 550,561 **** --- 550,565 ---- # ino uses instead of /files.ext/ in archives $line =~ s//\//; $report = $line; + + $line =~ s/File //; + ($line, @rest) = split(/ is infected by virus:/, $line); + $infected = $line; # $infected =~ s/^.*found\s*in\s*file\s*//i; # JKF 10/08/2000 Used to split into max 3 parts, but this doesn't handle # viruses in zip files in attachments. Now pull out first 3 parts instead. ($dot, $id, $part, @rest) = split(/\//, $infected); $infections->{"$id"}{"$part"} .= $report . "\n"; ------------------------------------------------------ Kind regards, Ian. From lbergman at abi.tconline.net Thu May 16 15:09:16 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E In-Reply-To: <010c01c1fccb$15f47ef0$fe00010a@backup> References: <010c01c1fccb$15f47ef0$fe00010a@backup> Message-ID: <200205160909.16572.lbergman@abi.tconline.net> > Where can I find the syslog in REDHAT 5.0? Have you tried /var/log? It is usually called "messages". -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jkf at ecs.soton.ac.uk Thu May 16 15:32:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: Spamassassin reports In-Reply-To: <03e701c1fcd4$90305f00$d62211c2@gbg.bluelabs.se> Message-ID: <5.1.0.14.2.20020516153211.02cab8c8@imap.ecs.soton.ac.uk> At 13:24 16/05/2002, you wrote: >Hello! > >I've been running Mailscanner with spamassassin for some time now, works >great! >Thanks for that... what I miss sometimes is an option to add the >X-Spamcheck-header even if it's not spam, with the spamassassin score and >possibly the terse report. Then I can see what score the spam has that gets >trough. Btw, nice that the reports from spamassassin work now. Yes, one or two people have asked for that. In the next release I hope... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 16 15:32:01 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E In-Reply-To: <010c01c1fccb$15f47ef0$fe00010a@backup> References: Message-ID: <5.1.0.14.2.20020516153130.02cb4ec0@imap.ecs.soton.ac.uk> At 12:08 16/05/2002, you wrote: >I'm new so excuse me. > >Where can I find the syslog in REDHAT 5.0? Look in /etc/syslogd.conf or /etc/syslog.conf. That file will tell you what logs go where. Type "man syslogd" and things will become clearer. >-------------------------------------------------------------- >Kham Vue >Internet Admin >The City of Wadsworth >WADSNET.COM High Speed Internet Service >kvue@wadsnet.com > "Believe that life is worth living, and your belief will help create the > fact." > --William James > >----- Original Message ----- >From: "Jeff A. Earickson" >To: >Sent: Wednesday, May 15, 2002 4:46 PM >Subject: Re: Klez-E > > > > Hi, > > I would study the full mail headers of the email (turn this on in > > mailscanner if you don't have them), or search your syslogs for message > > id g4FEfKR17219 and see what IP number the message originated from. > > Then go looking to see who might own the machine attached to that > > IP number. At my site, I search the syslogs to see who has been > > making POP connections from that IP number. If there are any POP > > connections associated with the machine, then I know who the owner > > is. Once I know that then I drag out the boiling oil and thumbscrews. > > The user's account gets locked out, their machine blacklisted in my > > sendmail settings -- they are dead until the machine is cleaned up. > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > ** Waterville ME, 04901-8842 > > > ---------------------------------------------------------------------------- > > > > On Wed, 15 May 2002, Mike Walker wrote: > > > > > Date: Wed, 15 May 2002 20:57:15 +0100 > > > From: Mike Walker > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Klez-E > > > > > > Over the last two days we have seen several virus warnings notifications > > > from one of our mailscanner users, we cannot quite determine > > > whether they are infected or is it Klez-E up to tricks. > > > Before we alarm the user and tell him that our scanner missed this one > > > has anybody any thoughts or similar experiences? > > > > > > When we check the quarantined message it is implying that our user was > > > the sender but......with Klez-E who knows? > > > The message we as the provider get from MailScanner is as follows: > > > > *************************************************************************** > > > The following e-mail messages were found to have viruses in them: > > > > > > Sender: <> > > > Recipient: < Our users e-mail address appears here > (I've removed to > > > protect identity) > > > > > > Subject: Mail delivery failed: returning message to sender > > > > > > MessageID: g4FEfKR17219 > > > > > > Report: > /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From > > > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002 > > > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e > > > > > > -- > > > > > > MailScanner > > > > > > Email Virus Scanner > > > > > > > > > ____________________________________________________________ > > > This message has been scanned for viruses by "VITANIUM" the > > > multi-scan E-mail Virus Protection Service from 4FrontMedia. > > > To safeguard your business call 01233-850906. > > > > > > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From FCaen at CI.LAKEWOOD.WA.US Wed May 15 22:50:49 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file Message-ID: -----Original Message----- From: jkf@ECS.SOTON.AC.UK >>There's a way to setup into mailscanner config file (mailscanner.conf) the >>config&prefs file for spamassassin ? >>This could be a better method to point spamassassin to the correct >>configuration files (if required) than try to figure out which files it's >>using currently spamassassin... >It will use root's settings unless you have MailScanner running as another >user. So look in ~root/.spamassassin. Julian, could you please add a paragraph about that to your excellent documentation? I know I was asking myself similar questions when I installed SpamAssassin. Between SA's and your doc, it's not very clear how to configure SA for use with MS. Thanks, ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From FCaen at CI.LAKEWOOD.WA.US Wed May 15 22:50:49 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:45 2006 Subject: SpamAssassin Config & Prefs file Message-ID: -----Original Message----- From: jkf@ECS.SOTON.AC.UK >>There's a way to setup into mailscanner config file (mailscanner.conf) the >>config&prefs file for spamassassin ? >>This could be a better method to point spamassassin to the correct >>configuration files (if required) than try to figure out which files it's >>using currently spamassassin... >It will use root's settings unless you have MailScanner running as another >user. So look in ~root/.spamassassin. Julian, could you please add a paragraph about that to your excellent documentation? I know I was asking myself similar questions when I installed SpamAssassin. Between SA's and your doc, it's not very clear how to configure SA for use with MS. Thanks, ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From rajesh-shriram at GMX.NET Thu May 16 17:03:36 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:45 2006 Subject: scanning of messages received using fetchmail - followup In-Reply-To: References: <20020512215758.GC676@debian> <5.1.0.14.2.20020511192242.0397e760@imap.ecs.soton.ac.uk> <20020513003541.GA683@debian> <20020512022637.GA23130@hoiho.nz.lemon-computing.com> <20020513151323.GA694@debian> <20020512095244.GC23130@hoiho.nz.lemon-computing.com> <20020515000316.GA563@debian> <20020515202819.GA1791@debian> Message-ID: <20020516160336.GA926@debian> On 15/05/02 at 11:51 - Peter Peters said in public: >On Wed, 15 May 2002 20:28:19 +0000, you wrote: > >>>Have you changed mailscanner.conf to show the correct postmaster >>>address: >>># Set email address of who to notify about any infections found. >>># Should put your full domain name here too, >>># e.g. postmaster@your.domain.com >>>Local Postmaster = postmaster@utwente.nl > >>If I change my local domain from debian.home to say goatelecom.com than >>yes the mail will be sent as From : postmaster@goatelecom.com which will go >>through. However any mail sent to goatelecom.com will be returned back >>since I will be specifying goatelecom.com as the local domain :-). See that >>also I cannot do. Somehow any way there to specify From : address as say >>rajesh@goatelecom.com, since if that person replies to my mail than I will >>receive his reply. > >Just change "Local Postmaster" to rajesh@goatelecom.com. You get the >messages from mailscanner on that address and recipients who reply will >also send the message to you. Anyway I will now have to do that. So those warning mails which are supposed to be delivered to the local box now will go to rajesh@goatelecom.com and come back again. It would have been a nice feature for people like me to specify two email id's as postmaster : 1. for Local postmaster. ( The From: address here will be postmaster@debian.home in my case ) 2. for Outgoing warning sent to the actual sender of virus. ( The From: address here will be rajesh@goatelecom.com in my case ). Thus in case one mails won't go to the isp server and come back. Say If I receive around 20 such mails with viruses than all those warning mails which are suppossed to go to local box will go to rajesh@goatelecom.com. However the second case will work without problem. Thanks a lot for all the help. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.28i] The goys have proven the following theorem... -- Physicist John von Neumann, at the start of a classroom lecture. From LISTSERV at JISCMAIL.AC.UK Thu May 16 15:42:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: shawng@ZOPE.COM requested to join Message-ID: <200205161442.PAA16626@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 15:42:13 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Shawn Gaston You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER shawng@ZOPE.COM Shawn Gaston PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER shawng@ZOPE.COM Shawn Gaston // EOJ From LISTSERV at JISCMAIL.AC.UK Thu May 16 15:55:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: eejs2002@VERIZONMAIL.COM left the JISCmail list Message-ID: <200205161455.PAA17999@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 15:55:09 eejs2002@VERIZONMAIL.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Thu May 16 16:06:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: f.campbell@GLASGOW-NAUTICAL.AC.UK left the JISCmail list Message-ID: <200205161506.QAA19328@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 16:06:59 f.campbell@GLASGOW-NAUTICAL.AC.UK has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From brose at MED.WAYNE.EDU Thu May 16 16:33:32 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:45 2006 Subject: Spamassassin reports Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC958@med-core03.med.wayne.edu> How about forwarding a copy of SPAM to another address so that it can be reported? I know it would be easy to add to the spamforkandtest routine to have SA report it automatically but that would report false positives to Razor or DCC. Currently I have it save a copy of WHOLEMESSAGE with the full SA report in a spam queue directory and then just cat all the files to single mail file so that I can delete any false positives and adjust scoring rules and then report the rest. It's no biggy if I continue doing this but it'd be nice not having to add such modifications when Mailscanner is updated. Thanks for the spam.actions function, works great but I was wondering if you could modify it a bit so that a different score could be used for queuing or deleting. Example: If SA tags it at a score of 5, have MA queue/delete at a score of 10. I added a config setting for MaxSpam hits and thru in a 'if' test in the HandleSpam routine. The higher the score the less likely it's a false positive and is safer to dump while still tagging the questionable ones. -=B -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Thu 5/16/2002 10:32 AM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: Spamassassin reports At 13:24 16/05/2002, you wrote: >Hello! > >I've been running Mailscanner with spamassassin for some time now, works >great! >Thanks for that... what I miss sometimes is an option to add the >X-Spamcheck-header even if it's not spam, with the spamassassin score and >possibly the terse report. Then I can see what score the spam has that gets >trough. Btw, nice that the reports from spamassassin work now. Yes, one or two people have asked for that. In the next release I hope... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From kvue at WADSNET.COM Thu May 16 16:36:53 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:45 2006 Subject: Klez-E References: <5.1.0.14.2.20020516153130.02cb4ec0@imap.ecs.soton.ac.uk> Message-ID: <03b101c1fcef$e0793e30$fe00010a@backup> Thanks that worked. -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, May 16, 2002 10:32 AM Subject: Re: Klez-E > At 12:08 16/05/2002, you wrote: > >I'm new so excuse me. > > > >Where can I find the syslog in REDHAT 5.0? > > Look in /etc/syslogd.conf or /etc/syslog.conf. > That file will tell you what logs go where. > > Type "man syslogd" and things will become clearer. > > > >-------------------------------------------------------------- > >Kham Vue > >Internet Admin > >The City of Wadsworth > >WADSNET.COM High Speed Internet Service > >kvue@wadsnet.com > > "Believe that life is worth living, and your belief will help create the > > fact." > > --William James > > > >----- Original Message ----- > >From: "Jeff A. Earickson" > >To: > >Sent: Wednesday, May 15, 2002 4:46 PM > >Subject: Re: Klez-E > > > > > > > Hi, > > > I would study the full mail headers of the email (turn this on in > > > mailscanner if you don't have them), or search your syslogs for message > > > id g4FEfKR17219 and see what IP number the message originated from. > > > Then go looking to see who might own the machine attached to that > > > IP number. At my site, I search the syslogs to see who has been > > > making POP connections from that IP number. If there are any POP > > > connections associated with the machine, then I know who the owner > > > is. Once I know that then I drag out the boiling oil and thumbscrews. > > > The user's account gets locked out, their machine blacklisted in my > > > sendmail settings -- they are dead until the machine is cleaned up. > > > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > jaearick@colby.edu > > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > > ** Waterville ME, 04901-8842 > > > > > ---------------------------------------------------------------------------- > > > > > > On Wed, 15 May 2002, Mike Walker wrote: > > > > > > > Date: Wed, 15 May 2002 20:57:15 +0100 > > > > From: Mike Walker > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Klez-E > > > > > > > > Over the last two days we have seen several virus warnings notifications > > > > from one of our mailscanner users, we cannot quite determine > > > > whether they are infected or is it Klez-E up to tricks. > > > > Before we alarm the user and tell him that our scanner missed this one > > > > has anybody any thoughts or similar experiences? > > > > > > > > When we check the quarantined message it is implying that our user was > > > > the sender but......with Klez-E who knows? > > > > The message we as the provider get from MailScanner is as follows: > > > > > > *************************************************************************** > > > > The following e-mail messages were found to have viruses in them: > > > > > > > > Sender: <> > > > > Recipient: < Our users e-mail address appears here > (I've removed to > > > > protect identity) > > > > > > > > Subject: Mail delivery failed: returning message to sender > > > > > > > > MessageID: g4FEfKR17219 > > > > > > > > Report: > > /var/spool/MailScanner/incoming/g4FEfKR17219/msg-1060-281.txt/[From > > > > emmanuel < Our users e-mail address appears here >][Date Wed, 15 May 2002 > > > > 15:40:50 +0100]/snoopy.exe infected: I-Worm.Klez.e > > > > > > > > -- > > > > > > > > MailScanner > > > > > > > > Email Virus Scanner > > > > > > > > > > > > ____________________________________________________________ > > > > This message has been scanned for viruses by "VITANIUM" the > > > > multi-scan E-mail Virus Protection Service from 4FrontMedia. > > > > To safeguard your business call 01233-850906. > > > > > > > > > > > > > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > From lbergman at abi.tconline.net Thu May 16 16:41:37 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:45 2006 Subject: Spamassassin reports In-Reply-To: <6D60AC042221344095A0EBBC56EEE79A4BC958@med-core03.med.wayne.edu> References: <6D60AC042221344095A0EBBC56EEE79A4BC958@med-core03.med.wayne.edu> Message-ID: <200205161041.37043.lbergman@abi.tconline.net> > Thanks for the spam.actions function, works great but I was wondering if > you could modify it a bit so that a different score could be used for > queuing or deleting. Example: If SA tags it at a score of 5, have MA > queue/delete at a score of 10. I added a config setting for MaxSpam hits > and thru in a 'if' test in the HandleSpam routine. The higher the score > the less likely it's a false positive and is safer to dump while still > tagging the questionable ones. That is an interesting idea. Explain in more detail how you would expect it to work and how these options might be configured. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From LISTSERV at JISCMAIL.AC.UK Thu May 16 15:42:13 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: shawng@ZOPE.COM requested to join Message-ID: <200205161442.PAA16626@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 15:42:13 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Shawn Gaston You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER shawng@ZOPE.COM Shawn Gaston PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER shawng@ZOPE.COM Shawn Gaston // EOJ From LISTSERV at JISCMAIL.AC.UK Thu May 16 15:55:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: eejs2002@VERIZONMAIL.COM left the JISCmail list Message-ID: <200205161455.PAA17999@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 15:55:09 eejs2002@VERIZONMAIL.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Thu May 16 16:06:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:45 2006 Subject: MAILSCANNER: f.campbell@GLASGOW-NAUTICAL.AC.UK left the JISCmail list Message-ID: <200205161506.QAA19328@magpie.ecs.soton.ac.uk> Thu, 16 May 2002 16:06:59 f.campbell@GLASGOW-NAUTICAL.AC.UK has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From rishi at THEARGONCOMPANY.COM Thu May 16 17:32:53 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:45 2006 Subject: mailscanner slowing the computer down References: <027101c1fc3f$64627d80$1b02a8c0@theargoncompany.com> Message-ID: <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> Hi I was going thru the mailscanner.conf file and found these lines... # In every batch of virus-scanning, limit the maximum # a) number of text-only messages to deliver # b) number of potentially infected messages to unpack and scan # c) total size of text-only messages to deliver # d) total size of potentially infected messages to unpack and scan Max Safe Messages Per Scan = 500 Max Unsafe Messages Per Scan = 100 Max Safe Bytes Per Scan = 100000000 Max Unsafe Bytes Per Scan = 50000000 Should I change it to Max Safe Messages Per Scan = 50 Max Unsafe Messages Per Scan = 10 and would that solve my hanging my server? Regards Rishi ----- Original Message ----- From: "Rishi Gangoly" To: Sent: Thursday, May 16, 2002 12:06 AM Subject: Re: mailscanner slowing the computer down > 1. Sorry for sending the all the lines. > 2. Yes it was a mail loop. How does one prevent it from happening in future? > > Regards > > Rishi > > ----- Original Message ----- > From: "Andrew Hoying" > To: > Sent: Wednesday, May 15, 2002 8:34 PM > Subject: Re: mailscanner slowing the computer down > > > > This is the same thing that happened to me last month. Check for a mail > loop > > with bouncing messages between one of our e-mail recipients and some off > > site address. > > > > Andrew > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: Wednesday, May 15, 2002 8:59 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: mailscanner slowing the computer down > > > > > > > > > At 15:27 15/05/2002, you wrote: > > > >Hi > > > > > > > >I just noticed my server became very slow and noticed the number of > files > > > >create in /var/spool/mailscanner/incoming was huge. > > > > > > > >Hers is the output of find /var/spool/mailscanner/incoming > > > > > > > > > > > > > > Did we really all need to see *all* of that? A few sample lines > > > and a rough > > > total would have done... > > > > > > >Can anyone tell me why this is happening? > > > >What am I doing wrong? > > > >Is there somehting to prevent this? > > > > > > Looks like you have a message with a huge number of attachments. > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > From henrik at LEWANDER.COM Thu May 16 19:29:47 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:14:45 2006 Subject: Spamassassin reports References: <5.1.0.14.2.20020516153211.02cab8c8@imap.ecs.soton.ac.uk> Message-ID: <04be01c1fd07$b5f97ef0$4bf90bc1@hemmet.chalmers.se> From: "Julian Field" > > Yes, one or two people have asked for that. In the next release I hope... Great! Maybe mailscanner could have an option for adding the spamassassin score to the subject field to (for mail over the spam threshold). Something like [SPAM][19] or [SPAM][09] (with leading 0). Then we would be able to easily sort the new spam in the spam folder according to the score, ie get the most likely false positives at the top. I'm not following this list that closely so sorry if this has already been brought up. Regards, Henrik From kvue at WADSNET.COM Thu May 16 20:02:13 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:45 2006 Subject: Klez Virus References: <027101c1fc3f$64627d80$1b02a8c0@theargoncompany.com> <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> Message-ID: <00ce01c1fd0c$629ebe50$fe00010a@backup> The Klez virus is attaching as HTM/JPG/PNG files and the MailScanner can not find it. Do I change that in MailScanner or my Antivirus? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James From lbergman at abi.tconline.net Thu May 16 21:39:57 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:46 2006 Subject: Klez Virus In-Reply-To: <00ce01c1fd0c$629ebe50$fe00010a@backup> References: <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> <00ce01c1fd0c$629ebe50$fe00010a@backup> Message-ID: <200205161539.58041.lbergman@abi.tconline.net> On Thursday 16 May 2002 02:02 pm, Kham Vue wrote: > The Klez virus is attaching as HTM/JPG/PNG files and the MailScanner can > not find it. Do you keep your virus engine and dat files updated? Sophos has caught tons of the klez stuff on mine. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From todd at DECAGON.COM Fri May 17 00:01:25 2002 From: todd at DECAGON.COM (Todd Martin) Date: Thu Jan 12 21:14:46 2006 Subject: Klez Virus In-Reply-To: <00ce01c1fd0c$629ebe50$fe00010a@backup> References: <027101c1fc3f$64627d80$1b02a8c0@theargoncompany.com> <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> <00ce01c1fd0c$629ebe50$fe00010a@backup> Message-ID: Are you sure the html, jpeg, and png files are really infected? In my experience, one of the Klez variants attaches a copy of itself _and_ a random file from the infected computer's hard drive. This random file is unaltered (i.e. "clean"). I've seen several infected emails where MailScanner with Sophos removes the virus, but passes on the extra attached file (with bad mime boundaries, but who cares). ~Todd >The Klez virus is attaching as HTM/JPG/PNG files and the MailScanner >can not find it. > >Do I change that in MailScanner or my Antivirus? >-------------------------------------------------------------- >Kham Vue >Internet Admin >The City of Wadsworth >WADSNET.COM High Speed Internet Service >kvue@wadsnet.com > "Believe that life is worth living, and your belief will help >create the fact." > --William James From brose at MED.WAYNE.EDU Fri May 17 01:32:01 2002 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports Message-ID: <6D60AC042221344095A0EBBC56EEE79A4BC960@med-core03.med.wayne.edu> It's not that hard since I'm already doing it thought I had to rework it with the new release. The way I did it was added a MaxSpamHit and value in my mailscan.conf then added a few lines to config.pl to read it in with the rest of the options. All that was just to make it easy to adjust. Then %SpamInfo is passed along to the Handlespam routine so that the score can be regex'd out. Then another test (besides any other possibel test like NumScore) is done to see if the score is greater or equal to the Config::MaxSpamHits value and if so it's either queued or deleted based on the spam.action. Currently, I'm just using a single max spam score globally but I can see Julian adding it to the SpamAction array so that you can set different values in the spam.action.conf along with the various actions which might make more sense because you could then set it to queue if score is 10-15 and delete if 16 or higher. -----Original Message----- From: Lewis Bergman [mailto:lbergman@abi.tconline.net] Sent: Thursday, May 16, 2002 11:42 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassassin reports > Thanks for the spam.actions function, works great but I was wondering > if you could modify it a bit so that a different score could be used > for queuing or deleting. Example: If SA tags it at a score of 5, > have MA queue/delete at a score of 10. I added a config setting for > MaxSpam hits and thru in a 'if' test in the HandleSpam routine. The > higher the score the less likely it's a false positive and is safer to > dump while still tagging the questionable ones. That is an interesting idea. Explain in more detail how you would expect it to work and how these options might be configured. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From rob.moore at POWERDISK.CO.UK Fri May 17 01:40:01 2002 From: rob.moore at POWERDISK.CO.UK (Rob Moore) Date: Thu Jan 12 21:14:46 2006 Subject: question ref. mailscanner logging Message-ID: Hi I thought I read a while back a question ref. logging mailscanner events to /var/log/messages. I installed Mailscanner a few weeks back from the rpm available and configured it for use with f-prot. Since then all messages have had a "X-MailScanner: Found to be clean" or been correctly stopped due to a virus being contained in the message. I have received a notification accordingly, so everything so far is working to spec. I receive around 600+ messages a day, with perhaps 6-10 messages stopped for viruses. The strange thing is, I have far less entries (15-20 a day) in /var/log/messages... May 17 01:19:28 raq959 mailscanner[30495]: Scanning 1 messages, 3564 bytes May 17 01:19:28 raq959 mailscanner[30495]: Scanned 1 messages, 3564 bytes in 0 seconds May 17 01:25:58 raq959 mailscanner[30495]: Scanning 1 messages, 3031 bytes ...than I have emails processed by Mailscanner Should there be entries for EVERY message scanned by Mailscanner or am I missing something? Cheers Rob From P.G.M.Peters at civ.utwente.nl Fri May 17 08:42:06 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:46 2006 Subject: Customize the virus message In-Reply-To: <010d01c1fccb$1606ce70$fe00010a@backup> References: <5.1.0.14.2.20020515181356.0354ccd0@imap.ecs.soton.ac.uk> <3CE36F8B.B6D17654@di.unito.it> <010d01c1fccb$1606ce70$fe00010a@backup> Message-ID: On Thu, 16 May 2002 07:14:47 -0400, you wrote: >Where can I find docs on how to customize the email message to infected emails? > >I really would like to say something to the extend of "Please die and make my life >easier"! Since the latest Klez outbreak this is not considered nice (to put it mildly) because over 90% of the sender-addresses are of innocent bystanders. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From rabellino at DI.UNITO.IT Fri May 17 08:42:49 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:46 2006 Subject: About SpamAssassin Message-ID: <3CE4B479.6C9D3DDA@di.unito.it> Dear list, maybe this email is a bit out of list, but could be interesting. I've installed SpamAssassin 2.20, joined with mailscanner. The installation phase was very simple, following the standard procedure for perl packages (perl Makefile.pl;make; make install). Then, after checking SpamAssassin with the internal tests suggested, I've activated SpamAssassin into mailscanner. I've seen that many messages was tagged SPAM, with a score too high for the tests done, then I discover that the score list was not really the genetic driven list, but some other strange list. Only after inserting the score list found into the SA distribution in the preferences file, all the things gone right... Hope this help, because SA is very useful... -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From LISTSERV at JISCMAIL.AC.UK Fri May 17 01:40:32 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: dave@CLOSSONS.NET requested to join Message-ID: <200205170040.BAA10474@magpie.ecs.soton.ac.uk> Fri, 17 May 2002 01:40:32 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Your-First-Name Your-Last-Name You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dave@CLOSSONS.NET Your-First-Name Your-Last-Name PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dave@CLOSSONS.NET Your-First-Name Your-Last-Name // EOJ From jkf at ecs.soton.ac.uk Fri May 17 09:22:15 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: question ref. mailscanner logging In-Reply-To: Message-ID: <5.1.0.14.2.20020517092205.04892aa0@roadrunner.ecs.soton.ac.uk> Please read "man syslog.conf". At 01:40 17/05/2002, you wrote: >Hi > >I thought I read a while back a question ref. logging mailscanner events >to /var/log/messages. I installed Mailscanner a few weeks back from the rpm >available >and configured it for use with f-prot. > >Since then all messages have had a "X-MailScanner: Found to be clean" or >been correctly >stopped due to a virus being contained in the message. I have received a >notification >accordingly, so everything so far is working to spec. > >I receive around 600+ messages a day, with perhaps 6-10 messages stopped for >viruses. > >The strange thing is, I have far less entries (15-20 a day) in >/var/log/messages... > >May 17 01:19:28 raq959 mailscanner[30495]: Scanning 1 messages, 3564 bytes >May 17 01:19:28 raq959 mailscanner[30495]: Scanned 1 messages, 3564 bytes in >0 seconds >May 17 01:25:58 raq959 mailscanner[30495]: Scanning 1 messages, 3031 bytes > >...than I have emails processed by Mailscanner > >Should there be entries for EVERY message scanned by Mailscanner or am I >missing something? > >Cheers > > >Rob -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri May 17 09:21:42 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: Klez Virus In-Reply-To: References: <00ce01c1fd0c$629ebe50$fe00010a@backup> <027101c1fc3f$64627d80$1b02a8c0@theargoncompany.com> <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> <00ce01c1fd0c$629ebe50$fe00010a@backup> Message-ID: <5.1.0.14.2.20020517092116.04888f98@roadrunner.ecs.soton.ac.uk> At 00:01 17/05/2002, you wrote: >Are you sure the html, jpeg, and png files are really infected? > >In my experience, one of the Klez variants attaches a copy of itself >_and_ a random file from the infected computer's hard drive. This >random file is unaltered (i.e. "clean"). I've seen several infected >emails where MailScanner with Sophos removes the virus, but passes on >the extra attached file (with bad mime boundaries, but who cares). That is 100% correct. You are seeing the random file, not the infected attachment. >~Todd > >>The Klez virus is attaching as HTM/JPG/PNG files and the MailScanner >>can not find it. >> >>Do I change that in MailScanner or my Antivirus? >>-------------------------------------------------------------- >>Kham Vue >>Internet Admin >>The City of Wadsworth >>WADSNET.COM High Speed Internet Service >>kvue@wadsnet.com >> "Believe that life is worth living, and your belief will help >>create the fact." >> --William James -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Fri May 17 09:37:57 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:46 2006 Subject: question ref. mailscanner logging In-Reply-To: References: Message-ID: <59g9eusm98ah1ihpu7k5ir7vob5rtjjdf9@4ax.com> On Fri, 17 May 2002 01:40:01 +0100, you wrote: >The strange thing is, I have far less entries (15-20 a day) in >/var/log/messages... > >May 17 01:19:28 raq959 mailscanner[30495]: Scanning 1 messages, 3564 bytes >May 17 01:19:28 raq959 mailscanner[30495]: Scanned 1 messages, 3564 bytes in >0 seconds >May 17 01:25:58 raq959 mailscanner[30495]: Scanning 1 messages, 3031 bytes Have you checked every "scanned" line? Sometimes I get lines like May 8 11:00:01 netlx803 mailscanner[6320]: Scanning 100 messages, 1431261 bytes May 8 11:01:17 netlx803 mailscanner[6320]: Scanned 100 messages, 1431261 bytes in 5 seconds You should count field 7 to check whether the numbers match. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jethro.binks at STRATH.AC.UK Fri May 17 09:49:49 2002 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:14:46 2006 Subject: Customize the virus message In-Reply-To: Message-ID: <20020517094843.J603-100000@defjam.cc.strath.ac.uk> On Fri, 17 May 2002, Peter Peters wrote: > >I really would like to say something to the extend of "Please die and make my life > >easier"! > > Since the latest Klez outbreak this is not considered nice (to put it > mildly) because over 90% of the sender-addresses are of innocent > bystanders. Heh. I'd say sending "Please die and make my life easier" to anyone regardless of their infection isn't very nice (to put it mildly)! Uh-oh, it's Friday. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services Mailmaster, Listmaster, Webmaster, University Of Strathclyde, Glasgow, UK Cachemaster jethro.binks@strath.ac.uk From vincent at DUKE-INTERACTIVE.COM Fri May 17 11:42:08 2002 From: vincent at DUKE-INTERACTIVE.COM (Vincent Meoc) Date: Thu Jan 12 21:14:46 2006 Subject: strange logs (defer) Message-ID: <20020517104208.GD27319@terre> Hello everybody, I'm using mailscanner since few times. It seems great and have a lot of very nice functionnality. But (there is often a "but") I have strange logs some time about the Routers/Director Defer in Exim. This line : == root@my.domain D=defer_director defer (-1): forced defer: All deliveries are deferred appear some times. It appear every time when a mail is send from local to local but also, some times, from remote to local. Mail are correctely delivered but I would be happy to know exactly what happened. If someone has an explanation I would greatly appreciate he share it with me. Sorry or my bad english. I'm in permanent formation :) -- Vincent Meoc Administrateur syst?me et r?seau DUKE - Digital Age Agency T : 01 53 44 19 00 F : 01 53 44 19 21 e-mail : vincent@duke-interactive.com www.duke-interactive.com From LISTSERV at JISCMAIL.AC.UK Fri May 17 13:42:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: kowolters@EMAIL.COM requested to join Message-ID: <200205171242.NAA00072@magpie.ecs.soton.ac.uk> Fri, 17 May 2002 13:42:46 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Keith Wolters You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kowolters@EMAIL.COM Keith Wolters PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kowolters@EMAIL.COM Keith Wolters // EOJ From jazzbr at YAHOO.COM.BR Fri May 17 14:07:36 2002 From: jazzbr at YAHOO.COM.BR (=?iso-8859-1?q?Jazz?=) Date: Thu Jan 12 21:14:46 2006 Subject: Feature suggestion Message-ID: <20020517130736.19283.qmail@web11207.mail.yahoo.com> Hy All, Is there someway to make mailscanner log in syslog the name of the viruses he finds? We're wish to make stats of it. Thank you in advance, Marcos. _______________________________________________________________________ Yahoo! Encontros O lugar certo para voc? encontrar aquela pessoa que falta na sua vida. Cadastre-se hoje mesmo! http://br.encontros.yahoo.com/ From fizz at BOMB.NET Fri May 17 14:34:01 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:46 2006 Subject: Feature suggestion References: <20020517130736.19283.qmail@web11207.mail.yahoo.com> Message-ID: <002301c1fda7$8163c650$48cf75cc@fizz> it already does.. [example] grep Virus /var/log/mail/maillog > Virus.Report May 17 00:38:08 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H4bxmv021797/VALIGN.exe May 17 00:38:15 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H4bxmv021797/VALIGN.exe May 17 00:49:52 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H4nfmv022972/BGDISCOV.scr May 17 00:50:21 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H4nfmv022972/BGDISCOV.scr May 17 00:51:32 sairys mailscanner[19343]: >>> Virus 'W32/Magistr-A' found in file ./g4H4pGmv023152/rnuninst.exe May 17 01:01:38 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H51Mmv024261/color.bat May 17 01:02:15 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H51Mmv024261/color.bat May 17 01:04:58 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H54hmv024580/rock.exe May 17 01:05:27 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H54hmv024580/rock.exe May 17 01:09:46 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H59Umv025095/All.pif May 17 01:10:21 sairys mailscanner[19343]: >>> Virus 'W32/Klez-G' found in file ./g4H59Umv025095/All.pif [/example] Just a small sample, it wont actually goto syslog, it will goto messages or where ever you have mail.* defined to go. Hope this helps. Kelly ----- Original Message ----- From: "Jazz" To: Sent: Friday, May 17, 2002 9:07 AM Subject: Feature suggestion > Hy All, > > Is there someway to make mailscanner log in syslog > the name of the viruses he finds? > > We're wish to make stats of it. > > Thank you in advance, > > Marcos. > > _______________________________________________________________________ > Yahoo! Encontros > O lugar certo para voc? encontrar aquela pessoa que falta na sua vida. Cadastre-se hoje mesmo! > http://br.encontros.yahoo.com/ > From jaearick at COLBY.EDU Fri May 17 14:28:51 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:46 2006 Subject: Feature suggestion In-Reply-To: <20020517130736.19283.qmail@web11207.mail.yahoo.com> Message-ID: The information should already be there in your system logs. If not, see FAQ 1 about syslogging. If you are seeing mailscanner output in your syslogs, then the following will summarize which virii were caught: grep ">>> Virus" $FILE | cut -f2 -d\' | sort | uniq -c | sort -nr -k1 where $FILE is the name of the logfile where mailscanner logging goes to. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Fri, 17 May 2002, Jazz wrote: > Date: Fri, 17 May 2002 10:07:36 -0300 > From: Jazz > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Feature suggestion > > Hy All, > > Is there someway to make mailscanner log in syslog > the name of the viruses he finds? > > We're wish to make stats of it. > > Thank you in advance, > > Marcos. > > _______________________________________________________________________ > Yahoo! Encontros > O lugar certo para voc? encontrar aquela pessoa que falta na sua vida. Cadastre-se hoje mesmo! > http://br.encontros.yahoo.com/ > From nospam at WCC.NET Fri May 17 15:45:47 2002 From: nospam at WCC.NET (Kip Turk) Date: Thu Jan 12 21:14:46 2006 Subject: Upgrade issue Message-ID: I just ran the RedHat rpm to upgrade to 3.14-1. Unfortunately, your rpm doesn't follow the standard of making backups of files that it would overwrite (I think it's a standard, but maybe I'm just spoiled =). The hassle this morning is my fault for missing the directory tree on my backups, but it would be nice if the mailscanner rpm either made backups or warned the user that the files would be overwritten. The files in /usr/local/MailScanner/etc and /etc/rc.d/init.d/mailscanner are the ones I'm having to work through reconfiguring now. -- Kip Turk, RHCE spamdies@wcc.net Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071 -.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-. From Patricia.Keena at DIT.IE Fri May 17 15:52:53 2002 From: Patricia.Keena at DIT.IE (Patricia Keena) Date: Thu Jan 12 21:14:46 2006 Subject: Upgrade issue References: Message-ID: <036a01c1fdb2$85c523a0$cc02fc93@patricia> Hi All, Just a quick query regarding Upgrading Mailscanner. I installed the rpm with the upgrade option and all seemed to go well. However the mailscanner.conf file specifies spam.actions.conf but htis file wasn't installed with the upgrade. Is there an issue with creating this file myself and creating rules? Also is there a rule to delete all spam to one particular address in my domain and still deliver mail to all other addresses. Is order of rules important? Any help would be greatly appreciated. Thanks Patricia -------------------------------------------------------- Patricia Keena, Systems Administrator, Central IT, DIT, Aungier St, Dublin 2 Phone: 402 3177 email: Patricia.Keena@dit.ie -------------------------------------------------------- -- This message has been scanned for viruses by the DIT Computer Centre MailScanner Service, and is believed to be clean. From kvue at WADSNET.COM Fri May 17 15:54:05 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:46 2006 Subject: Klez Virus References: <05af01c1fcf7$54370c60$1b02a8c0@theargoncompany.com> <00ce01c1fd0c$629ebe50$fe00010a@backup> <200205161539.58041.lbergman@abi.tconline.net> Message-ID: <00ca01c1fdb3$11cd11f0$fe00010a@backup> My mistake: F-port changed the KLEZ attachments to HTM and JPG files. -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James ----- Original Message ----- From: "Lewis Bergman" To: Sent: Thursday, May 16, 2002 4:39 PM Subject: Re: Klez Virus > On Thursday 16 May 2002 02:02 pm, Kham Vue wrote: > > The Klez virus is attaching as HTM/JPG/PNG files and the MailScanner can > > not find it. > Do you keep your virus engine and dat files updated? Sophos has caught tons of > the klez stuff on mine. > -- > Lewis Bergman > Texas Communications > 4309 Maple St. > Abilene, TX 79602-8044 > 915-695-6962 ext 115 > > From jkf at ecs.soton.ac.uk Fri May 17 17:13:54 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: Upgrade issue --- and spam.actions.conf In-Reply-To: <036a01c1fdb2$85c523a0$cc02fc93@patricia> References: Message-ID: <5.1.0.14.2.20020517170821.047e72d8@roadrunner.ecs.soton.ac.uk> At 15:52 17/05/2002, you wrote: >Just a quick query regarding Upgrading Mailscanner. I installed the rpm >with the upgrade option and all seemed to go well. However the >mailscanner.conf file specifies spam.actions.conf but htis file wasn't >installed with the upgrade. Is there an issue with creating this file >myself and creating rules? Also is there a rule to delete all spam to one >particular address in my domain and still deliver mail to all other >addresses. Is order of rules important? I'll produce a new RPM over the weekend at some point with these files included. I'll add a couple of very minor fixes to the code too, and try to get the RPM to save config files it is about to overwrite. The sample spam.actions.conf file (which I left out of the RPM by mistake) should say this: # This file contains instructions for what to do with messages that are # detected as spam. # Each line can contain: #
# where is either 'deliver', 'store' or 'delete' # and
is either a full email address (e.g. user@sub.domain.com) # or a domain name (e.g. sub.domain.com) # or a wildcard domain (e.g. *.domain.com) # If the message is required to be delivered to any of the recipients, # it will be delivered to all of them. # The priority of the rules is the same as the order given above, # i.e. a matching full email address will be used in preference to # a matching domain name, which will in turn be used in preference to # a matching wildcard domain name. Jules@JulianField.net deliver JulianField.net store *.spammers.com delete -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Fri May 17 17:21:03 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: hugh_fraser@DOFASCO.CA requested to join Message-ID: <200205171621.RAA24062@magpie.ecs.soton.ac.uk> Fri, 17 May 2002 17:21:03 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Hugh Fraser You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER hugh_fraser@DOFASCO.CA Hugh Fraser PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER hugh_fraser@DOFASCO.CA Hugh Fraser // EOJ From lbergman at abi.tconline.net Fri May 17 17:27:23 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:46 2006 Subject: Upgrade issue In-Reply-To: <036a01c1fdb2$85c523a0$cc02fc93@patricia> References: <036a01c1fdb2$85c523a0$cc02fc93@patricia> Message-ID: <200205171127.23532.lbergman@abi.tconline.net> On Friday 17 May 2002 09:52 am, Patricia Keena wrote: > Hi All, > > Just a quick query regarding Upgrading Mailscanner. I installed the rpm > with the upgrade option and all seemed to go well. However the > mailscanner.conf file specifies spam.actions.conf but htis file wasn't > installed with the upgrade. Is there an issue with creating this file > myself and creating rules? Also is there a rule to delete all spam to one > particular address in my domain and still deliver mail to all other > addresses. Is order of rules important? The files is created because it isn't needed unless you want to perform more than one action with spam. Just create it. domain.com deliver annoyeduser@domain.com deliver -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From LISTSERV at JISCMAIL.AC.UK Fri May 17 17:43:57 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: christianlasprilla@HOTMAIL.COM requested to join Message-ID: <200205171643.RAA26300@magpie.ecs.soton.ac.uk> Fri, 17 May 2002 17:43:57 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Christian Lasprilla You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER christianlasprilla@HOTMAIL.COM Christian Lasprilla PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER christianlasprilla@HOTMAIL.COM Christian Lasprilla // EOJ From LISTSERV at JISCMAIL.AC.UK Fri May 17 18:52:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: scott@DATONA.COM requested to join Message-ID: <200205171752.SAA02123@magpie.ecs.soton.ac.uk> Fri, 17 May 2002 18:52:45 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Scott Broderick You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER scott@DATONA.COM Scott Broderick PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER scott@DATONA.COM Scott Broderick // EOJ From jkf at ecs.soton.ac.uk Fri May 17 19:15:12 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support Message-ID: <5.1.0.14.2.20020517191325.029ef6c8@roadrunner.ecs.soton.ac.uk> I have just added a FAQ on how you can use MailScanner with any non-supported OS or MTA, e.g. Microsoft Windows, Exchange, Postfix, Qmail, NTMail, etc. It's a trick I've employed for the past year with an NTMail server, and it works perfectly. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From christianlasprilla at HOTMAIL.COM Fri May 17 19:20:20 2002 From: christianlasprilla at HOTMAIL.COM (Christian Lasprilla) Date: Thu Jan 12 21:14:46 2006 Subject: Problem with FaxSav uuencoded messages Message-ID: Helo List! FaxSav (email to Fax / desktop to Fax) sends user's messages to "Fax servers" as uuencoded mails. We have Scan All Messages = yes Mailscanner is converting uuencoded message into multipart MIME messages for virus scanning and sending messages like that (multipart MIME). FaxSav servers seem to be waiting for uuencoded data like: begin ### file.name data.... ` end so, the Faxes are being received by final recipients as Fax pages with: The following is a multipart MIME message wich was extracted from a uuencoded message (headers...) (DATA...) (DATA...) Is there any way to make MailScanner reconvert the message to uuencoded after virus scan for final delivery? We appreciate any advice. Thanks. Christian Lasprilla christianlasprilla@hotmail.com From FCaen at CI.LAKEWOOD.WA.US Fri May 17 19:25:59 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support Message-ID: Very interesting... I am getting ready to do the same thing for a Novell Groupwise server (which is irrelevant, as long as the MTA can talk SMTP). Your MX / FW combo is an interesting trick I had not thought of. What do you think of the idea of using mailertable (in sendmail) instead? It seems to be designed for this purpose and avoids the "try highest MX and hit the firewall" phase. My tests show that mail is scanned properly and then forwarded to the MTA of my choice, but I have to add the disclaimer that the system has not entered production yet. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: jkf@ECS.SOTON.AC.UK It's a trick I've employed for the past year with an NTMail server, and it works perfectly. -- Julian Field Teaching Systems Manager From fizz at BOMB.NET Fri May 17 19:43:20 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support References: Message-ID: <001901c1fdd2$b7ab2250$48cf75cc@fizz> Thats what i currently do. I Use a linux box with slackware and access/mailertable combo to retreive all mail and then forward it to the appropriate server. Works like a champ :) ----- Original Message ----- From: "Francois Caen" To: Sent: Friday, May 17, 2002 2:25 PM Subject: Re: New FAQ - Windows support Very interesting... I am getting ready to do the same thing for a Novell Groupwise server (which is irrelevant, as long as the MTA can talk SMTP). Your MX / FW combo is an interesting trick I had not thought of. What do you think of the idea of using mailertable (in sendmail) instead? It seems to be designed for this purpose and avoids the "try highest MX and hit the firewall" phase. My tests show that mail is scanned properly and then forwarded to the MTA of my choice, but I have to add the disclaimer that the system has not entered production yet. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: jkf@ECS.SOTON.AC.UK It's a trick I've employed for the past year with an NTMail server, and it works perfectly. -- Julian Field Teaching Systems Manager From FCaen at CI.LAKEWOOD.WA.US Fri May 17 19:46:55 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support Message-ID: Would you mind posting your access and mailertable files? Replace the domain by foo.com is you want to preserve anonymity :-) Thanks, ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: fizz@BOMB.NET Thats what i currently do. I Use a linux box with slackware and access/mailertable combo to retreive all mail and then forward it to the appropriate server. Works like a champ :) From jkf at ecs.soton.ac.uk Fri May 17 19:46:56 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support In-Reply-To: Message-ID: <5.1.0.14.2.20020517194524.02a1df00@roadrunner.ecs.soton.ac.uk> The advantage of my version is that it cannot fail (due to misconfiuration or any other problem) into a mode where mail is not scanned. Robustness is very important when it comes to email. At 19:25 17/05/2002, you wrote: >Very interesting... > >I am getting ready to do the same thing for a Novell Groupwise server >(which is irrelevant, as long as the MTA can talk SMTP). Your MX / FW >combo is an interesting trick I had not thought of. > >What do you think of the idea of using mailertable (in sendmail) instead? >It seems to be designed for this purpose and avoids the "try highest MX >and hit the firewall" phase. > >My tests show that mail is scanned properly and then forwarded to the MTA >of my choice, but I have to add the disclaimer that the system has not >entered production yet. >------------------------------------------------ >Francois Caen >Network Information Systems Engineer - Webmaster >City of Lakewood, WA >(253) 512-2269 > > -----Original Message----- >From: jkf@ECS.SOTON.AC.UK > > > It's a trick I've employed for the past year with an NTMail > server, and it >works perfectly. >-- >Julian Field Teaching Systems Manager -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hugh_fraser at DOFASCO.CA Fri May 17 20:06:17 2002 From: hugh_fraser at DOFASCO.CA (Hugh Fraser) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports Message-ID: The changes to add some additional info to the X-MailScanner-SpamCheck header are quite simple, if changes the header rather than the message itself suffices. I used a pipe created just before the fork() statement in sendmail.pl to provide a connection to the child process, wrote back some additional information to the parent (in my case, I wanted to know the number of hits, the required number to be considered spam, and the list of tests triggered by the mail) using the Mail::SpamAssassin::PerMsgStatus object, in the same way the child currently gets the get_hits number. The only twist is that the get_hits value is returned as the exit status of the child process to the parent, and it's limited to a numeric value. Hence the use of the pipe to pass arbitrary content back. From fizz at BOMB.NET Fri May 17 20:28:20 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports References: Message-ID: <001401c1fdd9$00ec6ef0$48cf75cc@fizz> I Would like that change very much :) *hint* *hint* :) ----- Original Message ----- From: "Hugh Fraser" To: Sent: Friday, May 17, 2002 3:06 PM Subject: Re: Spamassassin reports > The changes to add some additional info to the X-MailScanner-SpamCheck > header are quite simple, if changes the header rather than the message > itself suffices. I used a pipe created just before the fork() statement in > sendmail.pl to provide a connection to the child process, wrote back some > additional information to the parent (in my case, I wanted to know the > number of hits, the required number to be considered spam, and the list of > tests triggered by the mail) using the Mail::SpamAssassin::PerMsgStatus > object, in the same way the child currently gets the get_hits number. The > only twist is that the get_hits value is returned as the exit status of the > child process to the parent, and it's limited to a numeric value. Hence the > use of the pipe to pass arbitrary content back. > From jkf at ecs.soton.ac.uk Fri May 17 20:32:51 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports In-Reply-To: Message-ID: <5.1.0.14.2.20020517203217.029baa98@roadrunner.ecs.soton.ac.uk> What do you do if the score < required_hits? At 20:06 17/05/2002, you wrote: >The changes to add some additional info to the X-MailScanner-SpamCheck >header are quite simple, if changes the header rather than the message >itself suffices. I used a pipe created just before the fork() statement in >sendmail.pl to provide a connection to the child process, wrote back some >additional information to the parent (in my case, I wanted to know the >number of hits, the required number to be considered spam, and the list of >tests triggered by the mail) using the Mail::SpamAssassin::PerMsgStatus >object, in the same way the child currently gets the get_hits number. The >only twist is that the get_hits value is returned as the exit status of the >child process to the parent, and it's limited to a numeric value. Hence the >use of the pipe to pass arbitrary content back. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From hugh_fraser at DOFASCO.CA Fri May 17 20:40:26 2002 From: hugh_fraser at DOFASCO.CA (Fraser Hugh) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports Message-ID: <07309E1D8D93D211A01B00805FFE258702937B32@DFSPO01.dofasco.ca> I didn't change the logic flow at all. I simply passed back additional information from the child to the parent through the pipe. The return status is still the number of hits as it is in the code now, and the existing logic uses that to determine if the message was classified as spam or not. The parent was modified slightly to use do a read from the pipe after the wait statement to get the additional info the child wrote to the pipe, and the line where you create the header record includes the additional information returned. This is defintely a minimalist approach, but using the pipe provides me with the ability to return any info I want from the child, including the full report SpamAssassin produces. I'll post the CVS changes. > -----Original Message----- > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > Sent: Friday, May 17, 2002 3:33 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spamassassin reports > > > What do you do if the score < required_hits? > > At 20:06 17/05/2002, you wrote: > >The changes to add some additional info to the > X-MailScanner-SpamCheck > >header are quite simple, if changes the header rather than > the message > >itself suffices. I used a pipe created just before the > fork() statement in > >sendmail.pl to provide a connection to the child process, > wrote back some > >additional information to the parent (in my case, I wanted > to know the > >number of hits, the required number to be considered spam, > and the list of > >tests triggered by the mail) using the > Mail::SpamAssassin::PerMsgStatus > >object, in the same way the child currently gets the > get_hits number. The > >only twist is that the get_hits value is returned as the > exit status of the > >child process to the parent, and it's limited to a numeric > value. Hence the > >use of the pipe to pass arbitrary content back. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkf at ecs.soton.ac.uk Fri May 17 20:47:25 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: Spamassassin reports In-Reply-To: <07309E1D8D93D211A01B00805FFE258702937B32@DFSPO01.dofasco.c a> Message-ID: <5.1.0.14.2.20020517204636.029c16b0@roadrunner.ecs.soton.ac.uk> I've already got a pipe, so I'll just add the required_hits to the info it passes back. At 20:40 17/05/2002, you wrote: >I didn't change the logic flow at all. I simply passed back additional >information from the child to the parent through the pipe. The return status >is still the number of hits as it is in the code now, and the existing logic >uses that to determine if the message was classified as spam or not. The >parent was modified slightly to use do a read from the pipe after the wait >statement to get the additional info the child wrote to the pipe, and the >line where you create the header record includes the additional information >returned. > >This is defintely a minimalist approach, but using the pipe provides me with >the ability to return any info I want from the child, including the full >report SpamAssassin produces. > >I'll post the CVS changes. > > > -----Original Message----- > > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > > Sent: Friday, May 17, 2002 3:33 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Spamassassin reports > > > > > > What do you do if the score < required_hits? > > > > At 20:06 17/05/2002, you wrote: > > >The changes to add some additional info to the > > X-MailScanner-SpamCheck > > >header are quite simple, if changes the header rather than > > the message > > >itself suffices. I used a pipe created just before the > > fork() statement in > > >sendmail.pl to provide a connection to the child process, > > wrote back some > > >additional information to the parent (in my case, I wanted > > to know the > > >number of hits, the required number to be considered spam, > > and the list of > > >tests triggered by the mail) using the > > Mail::SpamAssassin::PerMsgStatus > > >object, in the same way the child currently gets the > > get_hits number. The > > >only twist is that the get_hits value is returned as the > > exit status of the > > >child process to the parent, and it's limited to a numeric > > value. Hence the > > >use of the pipe to pass arbitrary content back. > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From kvue at WADSNET.COM Fri May 17 21:59:22 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:46 2006 Subject: mqueue config error! References: <5.1.0.14.2.20020517204636.029c16b0@roadrunner.ecs.soton.ac.uk> Message-ID: <003701c1fde5$b8e380a0$fe00010a@backup> I have a COBALT RAQ4r/Redhat server. I configured my mqueue incorrectly. I used /home/spool/mqueue instead of /home/spool/mqueue/q1. All the mail from the last two hours are in the mqueue and not mqueue/q1. I have fixed this and now the server is sending. But the queued messages will not send (still in /home/spool/mqueue folder)! Does anyone know how I can get the queued messages to send? Do I just mv then to the Q1 folder?? thankx in advance. -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James From jkf at ecs.soton.ac.uk Fri May 17 22:05:24 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: mqueue config error! In-Reply-To: <003701c1fde5$b8e380a0$fe00010a@backup> References: <5.1.0.14.2.20020517204636.029c16b0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020517220437.029c58b8@roadrunner.ecs.soton.ac.uk> At 21:59 17/05/2002, you wrote: >I have a COBALT RAQ4r/Redhat server. >I configured my mqueue incorrectly. >I used /home/spool/mqueue instead of /home/spool/mqueue/q1. >All the mail from the last two hours are in the mqueue and not mqueue/q1. >I have fixed this and now the server is sending. >But the queued messages will not send (still in /home/spool/mqueue folder)! > >Does anyone know how I can get the queued messages to send? >Do I just mv then to the Q1 folder?? Yes, then sendmail -q to force a queue run. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Fri May 17 22:58:55 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:46 2006 Subject: Deleting Spam Marked Messages Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE927@mail.foundation.sdsu.edu> I know this came up before but is the option to delete or redirect spam marked messages to a designated account be implented in a future version? Steve Evans Computing Services SDSU Foundation 619 594-0653 From jkf at ecs.soton.ac.uk Sat May 18 00:37:51 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: Deleting Spam Marked Messages In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE927@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20020518003440.02a2beb0@roadrunner.ecs.soton.ac.uk> At 22:58 17/05/2002, you wrote: >I know this came up before but is the option to delete or redirect spam >marked messages to a designated account be implented in a future version? Spam deletion is already there. Alternatively you can archive it, from which you could script something fairly easily to send it elsewhere. Redirecting it to another address is almost certainly illegal in the UK, as it would break the Data Potection Act. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Sat May 18 01:48:49 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:46 2006 Subject: Deleting Spam Marked Messages In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE927@mail.foundation.sdsu.edu> Message-ID: How about using procmail to do this (ie, not Julian's problem...)? --- Jeff Earickson On Fri, 17 May 2002, Steve Evans wrote: > Date: Fri, 17 May 2002 14:58:55 -0700 > From: Steve Evans > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Deleting Spam Marked Messages > > I know this came up before but is the option to delete or redirect spam marked messages to a designated account be implented in a future version? > > Steve Evans > Computing Services > SDSU Foundation > 619 594-0653 > From jkf at ecs.soton.ac.uk Sun May 19 13:06:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released Message-ID: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> I have just released MailScanner Version 3.15-1. No major additions this time, just a little bunch of things that people have been requesting for quite a while: - Added "Always Include SpamAssassin Header" option so you can have spam reports on non-spam messages - Added "default" rule to spam.actions.conf file. See the documentation, and the supplied file for an example - Added option to control logging of allowed attachment filenames - Most systems will no longer need "syslogd -r" for logging to work - F-Prot parser handles non-working copies of viruses - RPM file now saves config files rather than overwriting them Download it, as usual, from http://www.mailscanner.info/ Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Sun May 19 13:51:03 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac. uk> Message-ID: <99932685.1021816263@jemima.zanker.org> On 19 May 2002 13:06 +0100 Julian Field wrote: > - RPM file now saves config files rather than overwriting them After upgrading with RPM (rpm -Uvh) I found that my existing filename.rules.conf and localdomains.conf had been backed up to .rpmsave but no new ones installed. All the config files were handled correctly. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From tal at MUSICGENOME.COM Sun May 19 13:52:54 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> Message-ID: <1021812774.18659.21.camel@localhost.localdomain> On Sun, 2002-05-19 at 15:06, Julian Field wrote: > - Added "Always Include SpamAssassin Header" option so you can have spam > reports on non-spam messages Header is blank on non-spam, I think this ought to fix it ---------------------------------------- --- sendmail.pl.old Sat May 18 18:35:32 2002 +++ sendmail.pl Sun May 19 14:49:19 2002 @@ -334,3 +334,3 @@ $SAResult = ($spamness->is_spam())?1:0; - $SAResult = int($spamness->get_hits()) if $SAResult; + #$SAResult = int($spamness->get_hits()) if $SAResult; $HitList = $spamness->get_names_of_tests_hit(); -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020519/253445cf/attachment.bin From mike at ZANKER.ORG Sun May 19 13:53:14 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <99932685.1021816263@jemima.zanker.org> References: <99932685.1021816263@jemima.zanker.org> Message-ID: <100064214.1021816394@jemima.zanker.org> On 19 May 2002 13:51 +0100 Mike Zanker wrote: > All the config files were handled correctly. Erm, "all the *other* config files", I meant. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From tal at MUSICGENOME.COM Sun May 19 14:23:15 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <1021812774.18659.21.camel@localhost.localdomain> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> <1021812774.18659.21.camel@localhost.localdomain> Message-ID: <1021814596.19164.60.camel@localhost.localdomain> sorry, this doesn't help one bit, I'm currently trying to track down the problem, though... so far seems like local to local gets an empty header as long as it isn't spam. On Sun, 2002-05-19 at 15:52, Tal Kelrich wrote: > On Sun, 2002-05-19 at 15:06, Julian Field wrote: > > - Added "Always Include SpamAssassin Header" option so you can have spam > > reports on non-spam messages > Header is blank on non-spam, I think this ought to fix it -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020519/4b3c4449/attachment.bin From jkf at ecs.soton.ac.uk Sun May 19 14:21:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <99932685.1021816263@jemima.zanker.org> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac. uk> Message-ID: <5.1.0.14.2.20020519142114.03264bd0@roadrunner.ecs.soton.ac.uk> Fixed in 3.15-2. At 13:51 19/05/2002, you wrote: >On 19 May 2002 13:06 +0100 Julian Field wrote: > >>- RPM file now saves config files rather than overwriting them > >After upgrading with RPM (rpm -Uvh) I found that my existing >filename.rules.conf and localdomains.conf had been backed up to >.rpmsave but no new ones installed. All the config files were handled >correctly. > >Mike >-- >Mike Zanker >Northampton, UK >PGP Public Key: pgp@zanker.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sun May 19 14:21:39 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <1021812774.18659.21.camel@localhost.localdomain> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020519142131.0323b980@roadrunner.ecs.soton.ac.uk> Fixed in 3.15-2 At 13:52 19/05/2002, you wrote: >On Sun, 2002-05-19 at 15:06, Julian Field wrote: > > - Added "Always Include SpamAssassin Header" option so you can have spam > > reports on non-spam messages >Header is blank on non-spam, I think this ought to fix it >---------------------------------------- >--- sendmail.pl.old Sat May 18 18:35:32 2002 >+++ sendmail.pl Sun May 19 14:49:19 2002 >@@ -334,3 +334,3 @@ > $SAResult = ($spamness->is_spam())?1:0; >- $SAResult = int($spamness->get_hits()) if $SAResult; >+ #$SAResult = int($spamness->get_hits()) if $SAResult; > $HitList = $spamness->get_names_of_tests_hit(); >-- >Tal Kelrich > >PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 >PGP key-id: 12B9AA69 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sun May 19 14:30:34 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: Version 3.15-1 released In-Reply-To: <1021812774.18659.21.camel@localhost.localdomain> References: <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020519124011.03112c40@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020519142909.03279ea8@roadrunner.ecs.soton.ac.uk> At 13:52 19/05/2002, you wrote: >On Sun, 2002-05-19 at 15:06, Julian Field wrote: > > - Added "Always Include SpamAssassin Header" option so you can have spam > > reports on non-spam messages >Header is blank on non-spam, I think this ought to fix it Not for me it's not. Given the SpamAssassin "sample-nonspam.txt" message, I get this in the headers: X-MailScanner: Found to be clean X-MailScanner-SpamCheck: SpamAssassin (score=-2.8, required 5, GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) which is exactly what I would expect to see. Note that the "Always Include SpamAssassin Header" is meaningless unless you also set "Use SpamAssassin = yes". >---------------------------------------- >--- sendmail.pl.old Sat May 18 18:35:32 2002 >+++ sendmail.pl Sun May 19 14:49:19 2002 >@@ -334,3 +334,3 @@ > $SAResult = ($spamness->is_spam())?1:0; >- $SAResult = int($spamness->get_hits()) if $SAResult; >+ #$SAResult = int($spamness->get_hits()) if $SAResult; > $HitList = $spamness->get_names_of_tests_hit(); >-- >Tal Kelrich > >PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 >PGP key-id: 12B9AA69 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Sun May 19 18:06:41 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: belluz@QNET.IT left the JISCmail list Message-ID: <200205191706.SAA19818@magpie.ecs.soton.ac.uk> Sun, 19 May 2002 18:06:41 Belluz Massimo has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From s-luppescu at UCHICAGO.EDU Sun May 19 20:38:54 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:14:46 2006 Subject: MailScanner works for all but me! Message-ID: <1021837134.2007.39.camel@musume.snl.home> I installed MailScanner-3.15-2 on our mail server, and specified Always Include SpamAssassin Report = yes in mailscanner.conf. It seems to be doing the right thing for everybody (here's a sample of someone else's mail: X-MailScanner-SpamCheck: SpamAssassin (score=0.3, required 7, NO_REAL_NAME, DEAR_SOMEBODY, EXCUSE_13, COPYRIGHT_CLAIMED) ) except for me (in my regular, non-root account)! All I get is: X-MailScanner-SpamCheck: Is there a local config file for me that has something set so I can't get the SpamAssassin report? Could it be related to the fact that my email address is the postmaster address? (I don't know if this is related or not, but I haven't gotten any messages tagged as spam since I upgraded to 3.14, but other people's mail is correctly getting tagged.) Thanks in advance. -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR $B:MJ8$HCRF`H~$NIc(B -=- Kernel 2.4.18-xfs Computer programs expand so as to fill the core available. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020519/1249d37a/attachment.bin From jkf at ecs.soton.ac.uk Sun May 19 21:44:17 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: MailScanner works for all but me! In-Reply-To: <1021837134.2007.39.camel@musume.snl.home> Message-ID: <5.1.0.14.2.20020519214250.03259f88@roadrunner.ecs.soton.ac.uk> Check your Accept Spam From list and your spam.whitelist.conf list. At 20:38 19/05/2002, you wrote: >I installed MailScanner-3.15-2 on our mail server, and specified >Always Include SpamAssassin Report = yes >in mailscanner.conf. It seems to be doing the right thing for everybody >(here's a sample of someone else's mail: >X-MailScanner-SpamCheck: SpamAssassin (score=0.3, required 7, >NO_REAL_NAME, DEAR_SOMEBODY, EXCUSE_13, COPYRIGHT_CLAIMED) >) >except for me (in my regular, non-root account)! All I get is: >X-MailScanner-SpamCheck: I still can't see how anyone gets empty headers like that, it won't do it on my systems :-( >Is there a local config file for me that has something set so I can't >get the SpamAssassin report? Could it be related to the fact that my >email address is the postmaster address? > >(I don't know if this is related or not, but I haven't gotten any >messages tagged as spam since I upgraded to 3.14, but other people's >mail is correctly getting tagged.) > >Thanks in advance. > >-- >Stuart Luppescu -=- s-luppescu@uchicago.edu >University of Chicago -=- CCSR >$B:MJ8$HCRF`H~$NIc(B -=- Kernel 2.4.18-xfs >Computer programs expand so as to fill the core available. > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dave at IPSMART.COM Sun May 19 22:37:18 2002 From: dave at IPSMART.COM (Dave Remien) Date: Thu Jan 12 21:14:46 2006 Subject: Watching mail queues Message-ID: After using mailscanner quite successfully for the last seven months (thanks much, Julian and Nick and everyone!), I decided that I needed an easier way to keep an eye on the size of /var/spool/mqueue and /var/spool/mqueue.in than I'd been using. So here's an X Window program (based on Jamie Zawinski's xdebt) to (simplistically) watch the queue sizes: http://bamberg.scientech.com/src/xmqueue.c or http://ipsmart.com/src/xmqueue.c I use it while ssh'd (with X forwarding turned on, obviously) into the mail server. Understands -update (seconds), -fn (font), -fg (color) and -fg (color), among others. Helps me watch for incipient email meltdowns (spam/virus attacks, etc.). Hope this might be of use to others. Feedback is welcome if I've bozo'ed something up. Cheers, Dave Remien From s-luppescu at UCHICAGO.EDU Mon May 20 03:31:42 2002 From: s-luppescu at UCHICAGO.EDU (Stuart Luppescu) Date: Thu Jan 12 21:14:46 2006 Subject: MailScanner works for all but me! In-Reply-To: <5.1.0.14.2.20020519214250.03259f88@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020519214250.03259f88@roadrunner.ecs.soton.ac.uk> Message-ID: <1021861902.2007.48.camel@musume.snl.home> On ?, 2002-05-19 at 15:44, Julian Field wrote: > Check your Accept Spam From list and your spam.whitelist.conf list. Thanks, Julian. It was the Accept Spam From setting. It was set to accept mail from our network, and I get my mail automatically forwarded from another machine on the network. > At 20:38 19/05/2002, you wrote: > >I installed MailScanner-3.15-2 on our mail server, and specified > >Always Include SpamAssassin Report = yes > >in mailscanner.conf. It seems to be doing the right thing for everybody > >(here's a sample of someone else's mail: > >X-MailScanner-SpamCheck: SpamAssassin (score=0.3, required 7, > >NO_REAL_NAME, DEAR_SOMEBODY, EXCUSE_13, COPYRIGHT_CLAIMED) > >) > >except for me (in my regular, non-root account)! All I get is: > >X-MailScanner-SpamCheck: > > I still can't see how anyone gets empty headers like that, it won't do it > on my systems > :-( What do you get on mail from networks you've set to Accept Spam From? -- Stuart Luppescu -=- s-luppescu@uchicago.edu University of Chicago -=- CCSR ???????? -=- Kernel 2.4.18-xfs Everything should be built top-down, except the first time. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020519/616c198c/attachment.bin From jkf at ecs.soton.ac.uk Mon May 20 12:05:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: MailScanner works for all but me! In-Reply-To: <1021861902.2007.48.camel@musume.snl.home> References: <5.1.0.14.2.20020519214250.03259f88@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020519214250.03259f88@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020520120508.03f088a8@roadrunner.ecs.soton.ac.uk> At 03:31 20/05/2002, you wrote: > > >X-MailScanner-SpamCheck: I've finally managed to reproduce this. Expect a fix later today. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon May 20 13:02:10 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:46 2006 Subject: MAILSCANNER: bruce@BRIT-NET.COM requested to join Message-ID: <200205201202.NAA20722@magpie.ecs.soton.ac.uk> Mon, 20 May 2002 13:02:10 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Bruce Bennett The following membership options have been requested: NOACK NOREPRO. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER bruce@BRIT-NET.COM Bruce Bennett PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER bruce@BRIT-NET.COM Bruce Bennett SET MAILSCANNER NOACK NOREPRO FOR bruce@BRIT-NET.COM // EOJ From jkf at ecs.soton.ac.uk Mon May 20 14:26:44 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:46 2006 Subject: ANNOUNCE: 3.15-3 Message-ID: <5.1.0.14.2.20020520141320.04fe80e0@roadrunner.ecs.soton.ac.uk> I've just fixed a tiny bug where if you sent a message from a white-listed host, that wasn't spam, but you always wanted the SpamAssassin header, you would get a blank SpamCheck header. So I've just released version 3.15-3 which fixes this. Download as usual from http://www.mailscanner.info/ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From support at INVICTANET.CO.UK Mon May 20 14:39:29 2002 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:14:46 2006 Subject: New FAQ - Windows support In-Reply-To: <001901c1fdd2$b7ab2250$48cf75cc@fizz> Message-ID: Am I missing something in my config or did I not read the instructions properly? If "somebody" sends one of my users a copy of Klez, my mailscanner/sophos setup spots the virus and kills it. However, I as postmaster get a warning message, but my user doesn't. Is this right? "The following e-mail messages were found to have viruses in them: Sender: Recipient: Subject: Topicsearch, or search MessageID: g4I9Kie04966 Report: >>> Virus 'W32/Klez-G' found in file ./g4I9Kie04966/class.exe -- MailScanner Email Virus Scanner" Can I send this message to my user as well? TIA Martyn Routley -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kelly Hamlin Sent: 17 May 2002 19:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: New FAQ - Windows support Thats what i currently do. I Use a linux box with slackware and access/mailertable combo to retreive all mail and then forward it to the appropriate server. Works like a champ :) ----- Original Message ----- From: "Francois Caen" To: Sent: Friday, May 17, 2002 2:25 PM Subject: Re: New FAQ - Windows support Very interesting... I am getting ready to do the same thing for a Novell Groupwise server (which is irrelevant, as long as the MTA can talk SMTP). Your MX / FW combo is an interesting trick I had not thought of. What do you think of the idea of using mailertable (in sendmail) instead? It seems to be designed for this purpose and avoids the "try highest MX and hit the firewall" phase. My tests show that mail is scanned properly and then forwarded to the MTA of my choice, but I have to add the disclaimer that the system has not entered production yet. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: jkf@ECS.SOTON.AC.UK It's a trick I've employed for the past year with an NTMail server, and it works perfectly. -- Julian Field Teaching Systems Manager From jkf at ecs.soton.ac.uk Mon May 20 14:59:54 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: OT Re: New FAQ - Windows support In-Reply-To: References: <001901c1fdd2$b7ab2250$48cf75cc@fizz> Message-ID: <5.1.0.14.2.20020520145746.04a2d6e8@roadrunner.ecs.soton.ac.uk> At 14:39 20/05/2002, you wrote: >If "somebody" sends one of my users a copy of Klez, my mailscanner/sophos >setup spots the virus and kills it. >However, I as postmaster get a warning message, but my user doesn't. Is this >right? Correct. Your user gets the original mail message, with the infected attachment replaced by a text file telling the user what happened and what they can do about it if they need any help. I see little point in sending the user the nasty techie message that is sent to postmaster (mostly to allow later statistical analysis). >"The following e-mail messages were found to have viruses in them: > > Sender: >Recipient: > Subject: Topicsearch, or search >MessageID: g4I9Kie04966 > Report: >>> Virus 'W32/Klez-G' found in file ./g4I9Kie04966/class.exe > >-- >MailScanner >Email Virus Scanner" > >Can I send this message to my user as well? No. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From lbergman at abi.tconline.net Mon May 20 15:59:02 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:47 2006 Subject: new files saved as rpmnew or rpmwhatever? Message-ID: <200205200959.02561.lbergman@abi.tconline.net> I just upgraded to the latest 3.14.3 I think. I was wondering (just having spent a few minutes moving files around) if it would be possible to write the new config files for sender and so forth as rpmnew instead of moving the old files to rpmsave? It would save some of us a bit of cleaning up. The other question. The default was being set by ".* deliver" syntax but the new file has a "default deliver" in it. I assume this is the new way to configure the default now? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at abi.tconline.net Mon May 20 16:06:01 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:47 2006 Subject: digest spam? Message-ID: <200205201006.01963.lbergman@abi.tconline.net> Does anone have an idea of what is involved in creating a digest of mail like a mail list does and what it might take to get a script to do the same thing on quarintined mail from mailscanner. Some users might want a digested version of their spam so they can deal with all of it once a week. I know there are other ways to do the same thing but they require user knowledge. Something I am a bit short on. It might also be nice to have a seperate directory to store spam to rather than mixed in with all the virus stuff. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jkf at ecs.soton.ac.uk Mon May 20 16:21:32 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: digest spam? In-Reply-To: <200205201006.01963.lbergman@abi.tconline.net> Message-ID: <5.1.0.14.2.20020520162008.049d4bb0@roadrunner.ecs.soton.ac.uk> At 16:06 20/05/2002, you wrote: >It might also be nice to have a seperate directory to store spam to rather >than mixed in with all the virus stuff. You can easily extract all the spam by doing cd /var/spool/MailScanner/quarantine mv */qf* */df* /some/where/else rmdir * # This will only delete empty directories. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Mon May 20 16:55:27 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:47 2006 Subject: Deleting Spam Marked Messages Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE929@mail.foundation.sdsu.edu> In the mailscanner.conf file? I couldn't find it anywhere. Steve Evans Computing Services SDSU Foundation 619 594-0653 -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Friday, May 17, 2002 4:38 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Deleting Spam Marked Messages At 22:58 17/05/2002, you wrote: >I know this came up before but is the option to delete or redirect spam >marked messages to a designated account be implented in a future version? Spam deletion is already there. Alternatively you can archive it, from which you could script something fairly easily to send it elsewhere. Redirecting it to another address is almost certainly illegal in the UK, as it would break the Data Potection Act. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mdchaney at MICHAELCHANEY.COM Mon May 20 17:02:02 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:47 2006 Subject: ANNOUNCE: 3.15-3 In-Reply-To: <5.1.0.14.2.20020520141320.04fe80e0@roadrunner.ecs.soton.ac.uk>; from jkf@ECS.SOTON.AC.UK on Mon, May 20, 2002 at 02:26:44PM +0100 References: <5.1.0.14.2.20020520141320.04fe80e0@roadrunner.ecs.soton.ac.uk> Message-ID: <20020520110202.A6184@michaelchaney.com> On Mon, May 20, 2002 at 02:26:44PM +0100, Julian Field wrote: > I've just fixed a tiny bug where if you sent a message from a white-listed > host, that wasn't spam, but you always wanted the SpamAssassin header, you > would get a blank SpamCheck header. > > So I've just released version 3.15-3 which fixes this. > > Download as usual from http://www.mailscanner.info/ Which file did you change? Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From lbergman at abi.tconline.net Mon May 20 16:50:31 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:47 2006 Subject: new files saved as rpmnew or rpmwhatever? Message-ID: <200205201050.31564.lbergman@abi.tconline.net> > >I just upgraded to the latest 3.14.3 I think. > > 3.15-3? Uhhhh ..... yea > >I was wondering (just having spent a few minutes moving files around) if > > it would be possible to write the new config files for sender and so > > forth as rpmnew instead of moving the old files to rpmsave? It would save > > some of us a bit of cleaning up. > > Whether the new ones go in as rpmnew or the old files go to rpmsave depends > on what you have customised doesn't it? The current solution is *far* > better than the previous behaviour, when it just overwrote them. If anyone > can come up with a consensus on what is the best behaviour here (and more > importantly *why*) then I'll happily code it. But I'm not sure there is a > single answer to this question that is right 100% of the time. Agreed. It is *much* better. As I see it, maybe incorrectly, moving existing files to *.rpmsaved assumes that the files are _not_ customized. If you save the new files under *.rpmnew and the files have not been customized no-one will notice. They would most likely be the same, or at least have changes you made to the files. On the other hand, saving the new files under *.rpmnew assumes that the files probably _are_ customised. The mailscanner can be immediately restarted and the other files can be diffed for changes just in case. Just one point of view. > >The other question. The default was being set by ".* deliver" syntax but > > the new file has a "default deliver" in it. I assume this is the new way > > to configure the default now? > > Yes. Read the docs. got me. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jkf at ecs.soton.ac.uk Mon May 20 17:02:58 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: ANNOUNCE: 3.15-3 In-Reply-To: <20020520110202.A6184@michaelchaney.com> References: <5.1.0.14.2.20020520141320.04fe80e0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020520141320.04fe80e0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020520170238.02bfa0c8@roadrunner.ecs.soton.ac.uk> At 17:02 20/05/2002, you wrote: >On Mon, May 20, 2002 at 02:26:44PM +0100, Julian Field wrote: > > I've just fixed a tiny bug where if you sent a message from a white-listed > > host, that wasn't spam, but you always wanted the SpamAssassin header, you > > would get a blank SpamCheck header. > > > > So I've just released version 3.15-3 which fixes this. > > > > Download as usual from http://www.mailscanner.info/ > >Which file did you change? bin/sendmail.pl bin/explode.pl bin/mailscanner -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Mon May 20 16:58:42 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Deleting Spam Marked Messages In-Reply-To: <7E2D2700ADE29542BAFC135552997E6C0AE929@mail.foundation.sds u.edu> Message-ID: <5.1.0.14.2.20020520165535.02d1c370@roadrunner.ecs.soton.ac.uk> At 16:55 20/05/2002, you wrote: >In the mailscanner.conf file? I couldn't find it anywhere. Spam deletion is mentioned in the mailscanner.conf file, see the "Spam Action" setting. If you want per-domain and per-user control of spam actions, read http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml and the supplied sample spam.actions.conf file. >-----Original Message----- >From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] >Sent: Friday, May 17, 2002 4:38 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Deleting Spam Marked Messages > > >At 22:58 17/05/2002, you wrote: > >I know this came up before but is the option to delete or redirect spam > >marked messages to a designated account be implented in a future version? > >Spam deletion is already there. Alternatively you can archive it, from >which you could script something fairly easily to send it elsewhere. >Redirecting it to another address is almost certainly illegal in the UK, as >it would break the Data Potection Act. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Mon May 20 17:07:30 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:47 2006 Subject: Deleting Spam Marked Messages Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE92C@mail.foundation.sdsu.edu> There's my problem. I'm still back on 3.13-2 Steve Evans Computing Services SDSU Foundation 619 594-0653 -----Original Message----- From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] Sent: Monday, May 20, 2002 8:59 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Deleting Spam Marked Messages At 16:55 20/05/2002, you wrote: >In the mailscanner.conf file? I couldn't find it anywhere. Spam deletion is mentioned in the mailscanner.conf file, see the "Spam Action" setting. If you want per-domain and per-user control of spam actions, read http://www.sng.ecs.soton.ac.uk/mailscanner/install/conf.shtml and the supplied sample spam.actions.conf file. >-----Original Message----- >From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] >Sent: Friday, May 17, 2002 4:38 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Deleting Spam Marked Messages > > >At 22:58 17/05/2002, you wrote: > >I know this came up before but is the option to delete or redirect spam > >marked messages to a designated account be implented in a future version? > >Spam deletion is already there. Alternatively you can archive it, from >which you could script something fairly easily to send it elsewhere. >Redirecting it to another address is almost certainly illegal in the UK, as >it would break the Data Potection Act. >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mdchaney at MICHAELCHANEY.COM Mon May 20 17:22:11 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:47 2006 Subject: lock.pl for BSD and Linux Message-ID: <20020520112211.D6184@michaelchaney.com> I'm not sure if I've sent this along before, so here it is. Here's the lock.pl that I use for FreeBSD, works with Linux also. With some minor modifications, it should be trivial to make it work with any Unix system out there. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ -------------- next part -------------- # MailScanner - SMTP E-Mail Virus Scanner # Copyright (C) 2001 Julian Field # # $Id: lock.pl,v 1.4 2001/08/10 12:53:44 jkf Exp $ # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # # Provide functions to deal with opening + locking spool files package Lock; use strict; use Fcntl qw(:DEFAULT :flock); use POSIX qw(:unistd_h :errno_h); # Open and lock a file. # # Pass in a filehandle, a filespec (including ">", "<", or # whatever on the front), and (optionally) the type of lock # you want - "r" or "s" for shared/read lock, or pretty much # anything else (but "w" or "x" really) for exclusive/write # lock. # # Lock type used (flock or fcntl/lockf/posix) depends on # config. If you're using posix locks, then don't try asking # for a write-lock on a file opened for reading - it'll fail # with EBADF (Bad file descriptor). # sub openlock { my ($fh, $fn, $rw) = @_; my ($locktype,$struct_flock); $locktype = ($Config::LockType)? $Config::LockType : $MTA::LockType; defined $rw or $rw = ((substr($fn,0,1) eq '>')?"w":"r"); $rw =~ /^[rs]/i or $rw = 'w'; unless (open($fh, $fn)) { Log::InfoLog("Could not open file $fn: %s", $!); return 0; } if ($locktype =~ /posix/i) { # HORRIBLY HARDWIRED # would like to "use File::lockf" but that would make # installation harder. # # I guess the pack() is not too bad so long as most parms # are zero ;) # # I've seen sslls, ssllll and all sorts used there... # ...not too sure what the best most portable way is :( # Log::DebugLog("Using fcntl() to lock $fn"); #$struct_flock = pack('ssx32',($rw eq 'w' ? F_WRLCK : F_RDLCK),0); $struct_flock = struct_flock(($rw eq 'w' ? F_WRLCK : F_RDLCK),SEEK_SET,0,0,0); fcntl($fh, F_SETLK, $struct_flock) and return 1; } elsif ($locktype =~ /flock/i) { Log::DebugLog("Using flock() to lock $fn"); flock($fh, ($rw eq 'w' ? LOCK_EX : LOCK_SH) + LOCK_NB) and return 1; } else { Log::DebugLog("Not locking spool file $fn"); return 1; } print "Couldn't lock $fn: $!\n"; close ($fh); Log::DebugLog("Failed to lock $fn: %s", $!); return 0; } sub unlockclose { my ($fh) = @_; my $locktype; $locktype = ($Config::LockType)? $Config::LockType : $MTA::LockType; if ($locktype =~ /posix/i) { #fcntl($fh, &F_SETLK, pack('sslls',&F_UNLCK,0,0,0,0)); fcntl($fh, F_SETLK, struct_flock(F_UNLCK,0,0,0,0)); } elsif ($locktype =~ /flock/i) { flock($fh, LOCK_UN); } # else { # default - do nothing, as we didn't lock it in the first place # } close ($fh); return 1; } BEGIN { my $FLOCK_STRUCT = 'S s L L I'; sub linux_flock { if (wantarray) { my ($type, $whence, $start, $len, $pid) = unpack($FLOCK_STRUCT, $_[0]); return ($type, $whence, $start, $len, $pid); } else { my ($type, $whence, $start, $len, $pid) = @_; return pack($FLOCK_STRUCT, $type, $whence, $start, $len, $pid); } } } BEGIN { # XXX: should be Q not LL my $FLOCK_STRUCT = 'LL LL L l s'; sub bsd_flock { if (wantarray) { my ($xxstart, $start, $xxlen, $len, $pid, $type, $whence) = unpack($FLOCK_STRUCT, $_[0]); return ($type, $whence, $start, $len, $pid); } else { my ($type, $whence, $start, $len, $pid) = @_; my ($xxstart, $xxlen) = (0,0); return pack($FLOCK_STRUCT, $xxstart, $start, $xxlen, $len, $pid, $type, $whence); } } } BEGIN { for ($^O) { if (/bsd/) { *struct_flock = \&bsd_flock } elsif (/linux/) { *struct_flock = \&linux_flock } else { die "unknown operating system: $!"; } } } 1; From butler at GLOBESERVER.COM Mon May 20 19:32:48 2002 From: butler at GLOBESERVER.COM (Philip L. Butler) Date: Thu Jan 12 21:14:47 2006 Subject: Conf file question.... Message-ID: Hi all, I am slowly absorbing all of the features that Julian has put into MailScanner. Great work Julian !! One question that I have is when the mailscanner.conf file is read. In other words, if I modify it, does MailScanner have to be restarted in order for this to take effect ?? Another question - and I haven't spent any time looking yet - I have seen the spam.whitelist.conf file. The question is - why have this file if it could be put into the spam.actions.conf file with a 'deliver' action ?? In other words, would it be just as acceptable to have the whitelist in the spam.actions.conf file with 'deliver' or is there some reason why it should go in the spam.whitelist.conf ?? While my gears are turning - one more question - Is there any way to specify what happens to a file in the filename.rules.conf file ?? In other words, I can see a desire (but a need ??) to rename certain extensions (rename .xls to .zzz) and put a message in to the recipient stating that they file was renamed since it was possibly bad. A per-line action to rename, allow, delete attachment, etc would be nice. Sorry to put so much into one message... Phil From jkf at ecs.soton.ac.uk Mon May 20 19:45:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Conf file question.... In-Reply-To: Message-ID: <5.1.0.14.2.20020520194309.034eca00@roadrunner.ecs.soton.ac.uk> At 19:32 20/05/2002, you wrote: >I am slowly absorbing all of the features that Julian has put into >MailScanner. Great work Julian !! Aw, shucks... >One question that I have is when the mailscanner.conf file is read. >In other words, if I modify it, does MailScanner have to be restarted >in order for this to take effect ?? Yes. Find the pid by running check_mailscanner then kill it then check_mailscanner again to restart it. Otherwise, wait for "Restart Every" (look in the mailscanner.conf file) and it will pick up the config file changes automatically as it restarts. >Another question - and I haven't spent any time looking yet - I have >seen the spam.whitelist.conf file. The question is - why have this >file if it could be put into the spam.actions.conf file with a >'deliver' action ?? In other words, would it be just as acceptable >to have the whitelist in the spam.actions.conf file with 'deliver' or >is there some reason why it should go in the spam.whitelist.conf ?? No reason at all. Just I implemented the simple mailscanner.conf-defined spam action before I implemented the spam.actions.conf file and couldn't see any reason to remove it. >While my gears are turning - one more question - Is there any way to >specify what happens to a file in the filename.rules.conf file ?? In >other words, I can see a desire (but a need ??) to rename certain >extensions (rename .xls to .zzz) and put a message in to the >recipient stating that they file was renamed since it was possibly >bad. A per-line action to rename, allow, delete attachment, etc >would be nice. Not currently, but if enough people ask for it then I might implement it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From darian at BEPINC.COM Mon May 20 22:13:21 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:47 2006 Subject: SpamAssassin or MailScanner problem? In-Reply-To: <5.1.0.14.2.20020520194309.034eca00@roadrunner.ecs.soton.ac.uk> Message-ID: <000001c20043$2e132290$11c9dbd1@WONDER> Do you think the following was caused by Mailscanner or SpamAssassin? X-MailScanner-SpamCheck: not spam, SpamAssassin (score=15.8, required 5, MSG_ID_ADDED_BY_MTA_2, WORK_AT_HOME, CLICK_BELOW, EXCUSE_14, EXCUSE_16, UNSUB_PAGE, SUPERLONG_LINE, CLICK_HERE_LINK, WEB_BUGS, DIFFERENT_REPLY_TO, RCVD_IN_OSIRUSOFT_COM, X_OSIRU_SPAM_SRC) Clearly it made the minimum hit requirement, but was marked as not spam. D. From LISTSERV at JISCMAIL.AC.UK Mon May 20 22:18:58 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:47 2006 Subject: MAILSCANNER: Ian.Beardsley2@BTINTERNET.COM requested to join Message-ID: <200205202118.WAA08471@magpie.ecs.soton.ac.uk> Mon, 20 May 2002 22:18:58 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ian Beardsley You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER Ian.Beardsley2@BTINTERNET.COM Ian Beardsley PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER Ian.Beardsley2@BTINTERNET.COM Ian Beardsley // EOJ From jkf at ecs.soton.ac.uk Tue May 21 00:37:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: SpamAssassin or MailScanner problem? In-Reply-To: <000001c20043$2e132290$11c9dbd1@WONDER> References: <5.1.0.14.2.20020520194309.034eca00@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020521003637.02a40b08@roadrunner.ecs.soton.ac.uk> At 22:13 20/05/2002, you wrote: >Do you think the following was caused by Mailscanner or SpamAssassin? Most likely cause is the mail coming from an address or a network which is listed in "Accept Spam From" or spam.whitelist.conf. If you switch off "Always Include SpamAssassin Header = no" then the X-MailScanner-SpamCheck header should disappear altogether on this message. >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=15.8, required 5, > MSG_ID_ADDED_BY_MTA_2, WORK_AT_HOME, CLICK_BELOW, EXCUSE_14, > EXCUSE_16, UNSUB_PAGE, SUPERLONG_LINE, CLICK_HERE_LINK, >WEB_BUGS, > DIFFERENT_REPLY_TO, RCVD_IN_OSIRUSOFT_COM, X_OSIRU_SPAM_SRC) > >Clearly it made the minimum hit requirement, but was marked as not spam. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Tue May 21 04:29:04 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:47 2006 Subject: strange logs (defer) In-Reply-To: <20020517104208.GD27319@terre> References: <20020517104208.GD27319@terre> Message-ID: <20020521032904.GJ21911@hoiho.nz.lemon-computing.com> On Fri, May 17, 2002 at 12:42:08PM +0200, Vincent Meoc wrote: > == root@my.domain D=defer_director defer (-1): forced defer: > All deliveries are deferred > > appear some times. It appear every time when a mail is send from local to local but This happens when Exim tries to deliver a message directly from the incoming queue (or when it is told to deliver immediately from the command line). The recommended config forces that Exim instance to defer the delivery, as we don't want things to be delivered until they've been scanned. -- Nick Phillips -- nwp@lemon-computing.com Tonight's the night: Sleep in a eucalyptus tree. From nwp at LEMON-COMPUTING.COM Tue May 21 04:38:20 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:47 2006 Subject: digest spam? In-Reply-To: <5.1.0.14.2.20020520162008.049d4bb0@roadrunner.ecs.soton.ac.uk> References: <200205201006.01963.lbergman@abi.tconline.net> <5.1.0.14.2.20020520162008.049d4bb0@roadrunner.ecs.soton.ac.uk> Message-ID: <20020521033820.GL21911@hoiho.nz.lemon-computing.com> On Mon, May 20, 2002 at 04:21:32PM +0100, Julian Field wrote: > You can easily extract all the spam by doing > > cd /var/spool/MailScanner/quarantine > mv */qf* */df* /some/where/else > rmdir * # This will only delete empty directories. Assuming that you are using sendmail... Exim spool file names are a little different, but the basic idea is the same. -- Nick Phillips -- nwp@lemon-computing.com An avocado-tone refrigerator would look good on your resume. From nwp at LEMON-COMPUTING.COM Tue May 21 04:44:06 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:47 2006 Subject: lock.pl for BSD and Linux In-Reply-To: <20020520112211.D6184@michaelchaney.com> References: <20020520112211.D6184@michaelchaney.com> Message-ID: <20020521034406.GM21911@hoiho.nz.lemon-computing.com> On Mon, May 20, 2002 at 11:22:11AM -0500, Michael Chaney wrote: > I'm not sure if I've sent this along before, so here it is. > > Here's the lock.pl that I use for FreeBSD, works with Linux also. With > some minor modifications, it should be trivial to make it work with any > Unix system out there. Hmmm... I must have forgotten to deal with this, or not decided on the best answer. I'll try to get something done for the next major release, Probably try to use the CPAN locking module if it's available, if not then do something per-recognised-OS, or die horribly if OS not recognised. I have a whole bunch of documentation that I gathered last time I looked at this, with the correct struct for several OS. Maybe I didn't commit anything because it wasn't tested enough or something. Anyway, I'll have another look. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Accent on helpful side of your nature. Drain the moat. From darian at BEPINC.COM Tue May 21 06:51:04 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:47 2006 Subject: SpamAssassin or MailScanner problem? References: <5.1.0.14.2.20020520194309.034eca00@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521003637.02a40b08@roadrunner.ecs.soton.ac.uk> Message-ID: <000e01c2008b$7ed3f770$b675fb0c@wheaton1.il.home.com> I should have said that it came from outside our network, from a host not listed in the whitelist. If it happens again I'll let you know. d. ----- Original Message ----- From: "Julian Field" To: Sent: Monday, May 20, 2002 6:37 PM Subject: Re: SpamAssassin or MailScanner problem? > At 22:13 20/05/2002, you wrote: > >Do you think the following was caused by Mailscanner or SpamAssassin? > > Most likely cause is the mail coming from an address or a network which is > listed in "Accept Spam From" or spam.whitelist.conf. > > If you switch off "Always Include SpamAssassin Header = no" then the > X-MailScanner-SpamCheck header should disappear altogether on this message. > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=15.8, required 5, > > MSG_ID_ADDED_BY_MTA_2, WORK_AT_HOME, CLICK_BELOW, EXCUSE_14, > > EXCUSE_16, UNSUB_PAGE, SUPERLONG_LINE, CLICK_HERE_LINK, > >WEB_BUGS, > > DIFFERENT_REPLY_TO, RCVD_IN_OSIRUSOFT_COM, X_OSIRU_SPAM_SRC) > > > >Clearly it made the minimum hit requirement, but was marked as not spam. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 21 01:22:38 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:47 2006 Subject: MAILSCANNER: kazoo@EMERGE.NET.AU requested to join Message-ID: <200205210022.BAA20237@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 01:22:38 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Daniel Hooper You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kazoo@EMERGE.NET.AU Daniel Hooper PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kazoo@EMERGE.NET.AU Daniel Hooper // EOJ From LISTSERV at JISCMAIL.AC.UK Tue May 21 01:56:55 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:47 2006 Subject: MAILSCANNER: ryan@DLUGOSZ.NET requested to join Message-ID: <200205210056.BAA21981@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 01:56:55 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ryan Dlugosz You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ryan@DLUGOSZ.NET Ryan Dlugosz PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ryan@DLUGOSZ.NET Ryan Dlugosz // EOJ From rishi at THEARGONCOMPANY.COM Tue May 21 10:02:47 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... Message-ID: <003901c200a6$48042ec0$1b02a8c0@theargoncompany.com> Hi Guys, I need your help. I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in the /var/spool/mqueue folder (actually /home/spool/mqueue folder) > -rw------- 1 root root 623 May 21 01:22 dfg4KJqsW26104 > -rw------- 1 root root 60816 May 21 01:24 dfg4KJrrW26181 > -rw------- 1 root root 998 May 21 01:24 dfg4KJsTW26254 > -rw------- 1 root root 894 May 21 01:26 dfg4KJuGW26351 > -rw------- 1 root root 21429 May 21 01:26 dfg4KJuYW26377 > -rw------- 1 root root 4688 May 21 01:27 dfg4KJvEW26420 > -rw------- 1 root root 3346 May 21 01:28 dfg4KJwMW26484 > -rw------- 1 root root 5452 May 21 01:28 dfg4KJwbW26509 . . . . . > -rw------- 1 root root 2223 May 21 13:37 qfg4L87BW05113 > -rw------- 1 root root 840 May 21 13:37 qfg4L87TW05151 > -rw------- 1 root root 859 May 21 13:38 qfg4L88cW05223 All my mail from 1:22 to 13:38 is clogged up in the mail queue folder. I have stopped mailscanner and started sendmail. My mail is now working, but I wanted to know how to 1. get mailscanner to work... find out why it is not working.(how does one debug?) 2. get all these undelivered messages .... delivered. I downloaded the latest version of mailscanner : 3.15 Release 3 and modified the mailscanner.conf file to use f-prot 3.12 F-PROT 3.12 SIGN.DEF created 20. May 2002 SIGN2.DEF created 16. May 2002 MACRO.DEF created 20. May 2002 Regards Rishi From jkf at ecs.soton.ac.uk Tue May 21 10:18:43 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... In-Reply-To: <003901c200a6$48042ec0$1b02a8c0@theargoncompany.com> Message-ID: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> At 10:02 21/05/2002, you wrote: >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in the >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > -rw------- 1 root root 2223 May 21 13:37 qfg4L87BW05113 > > -rw------- 1 root root 840 May 21 13:37 qfg4L87TW05151 > > -rw------- 1 root root 859 May 21 13:38 qfg4L88cW05223 > >I have stopped mailscanner and started sendmail. My mail is now working, but >I wanted to know how to If they are all in mqueue and not mqueue.in then MailScanner is basically doing its job. I suspect you might not have any processes like "sendmail -q15m" running perhaps? >1. get mailscanner to work... find out why it is not working.(how does one >debug?) Watch the syslog. >2. get all these undelivered messages .... delivered. sendmail -q -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 21 12:09:38 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:47 2006 Subject: MAILSCANNER: richard@QUARRYHOUSE.CO.UK requested to join Message-ID: <200205211109.MAA00091@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 12:09:38 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Richard Sidlin You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER richard@QUARRYHOUSE.CO.UK Richard Sidlin PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER richard@QUARRYHOUSE.CO.UK Richard Sidlin // EOJ From ryan at DLUGOSZ.NET Tue May 21 13:16:25 2002 From: ryan at DLUGOSZ.NET (Ryan Dlugosz) Date: Thu Jan 12 21:14:47 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? Message-ID: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> Hello, I'm new to mailscanner, but an experienced linux admin - I put in a good 6 hours with mailscanner yesterday, but couldn't solve my problem even after searching the list archives pretty extensively. Here's the situation: I'm running RedHat 7.2 with all updates + most recent RPM of mailscanner (3.15-3) on sendmail (8.11.6-3) with the latest Sophos (3.57). I also use the GNU MailMan listserv software to support a handfull of low-volume lists. The box doesn't receive too much email - just the personal mail of a few users & the lists. After installing MailScanner (and Sophos using the MS install script), I fired it up & verified that I now had two independant sendmail procs going - one listening & the other -q15m. I began tailing the maillog and started firing test emails. It worked great for a little while & then suddenly email stopped moving! The mail was just building up in the mqueue.in folder & was no longer being scanned or moved. This all seems to happen when a message is received for the Mailman email list program & it attempts to send out the messages. I strongly believe that something is going on with the mailman - mailscanner interaction that is causing the Perl script to die without warning. I've posted an annotated log snippet on the web. Please take a minute to look it over and let me know if you have any thoughts regarding my problem. http://dlugosz.net/~ryan/mailscanner_probs.html Thanks! -Ryan -- Ryan Dlugosz ryan@dlugosz.net http://dlugosz.net From dll at SCITOOLS.COM Tue May 21 13:32:35 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? Message-ID: <031201c200c3$9c9ef100$170aa8c0@DELL> Hi, Mailscanner/sophos seems to be working fine but the recipients of the stripped message receive this warning but there are no attachments to the messages. Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information. Is this proper behavior? Do I have something mis-configured? This is, in fact, the only content in the message. Additionaly, I would have expected some original text (if it had any) to be included somewhere. Thanks, Dan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020521/4d8c6b70/attachment.html From jkf at ecs.soton.ac.uk Tue May 21 13:56:02 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> Message-ID: <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> If you run MailScanner with "Debug = 1" it will only do 1 pass of mqueue.in and then stop. As you are presumably normally running with "Debug = 0", check that the "check_mailscanner" script works okay for you (it should print out the PID if MailScanner is running, else it should start MailScanner up again). Also, start MailScanner (using check_mailscanner) from the command line, and leave that window open. You may get a Perl error message when it dies, which for one reason or another may not be logged into syslogd. Once you've got that error message out of it, I can investigate further. What version of Perl are you using (perl -v). Failing that, if you can give me login access to it (and the root pw) then I will take a look for you. At 13:16 21/05/2002, you wrote: >Hello, > >I'm new to mailscanner, but an experienced linux admin - I put in a good 6 >hours with mailscanner yesterday, but couldn't solve my problem even after >searching the list archives pretty extensively. Here's the situation: >I'm running RedHat 7.2 with all updates + most recent RPM of mailscanner >(3.15-3) on sendmail (8.11.6-3) with the latest Sophos (3.57). I also use >the GNU MailMan listserv software to support a handfull of low-volume >lists. The box doesn't receive too much email - just the personal mail of >a few users & the lists. >After installing MailScanner (and Sophos using the MS install script), I >fired it up & verified that I now had two independant sendmail procs going >- one listening & the other -q15m. I began tailing the maillog and >started firing test emails. >It worked great for a little while & then suddenly email stopped moving! >The mail was just building up in the mqueue.in folder & was no longer >being scanned or moved. This all seems to happen when a message is >received for the Mailman email list program & it attempts to send out the >messages. I strongly believe that something is going on with the mailman >- mailscanner interaction that is causing the Perl script to die without >warning. >I've posted an annotated log snippet on the web. Please take a minute to >look it over and let me know if you have any thoughts regarding my >problem. >http://dlugosz.net/~ryan/mailscanner_probs.html > >Thanks! >-Ryan > >-- >Ryan Dlugosz >ryan@dlugosz.net > >http://dlugosz.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 13:57:23 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <031201c200c3$9c9ef100$170aa8c0@DELL> Message-ID: <5.1.0.14.2.20020521135640.02ca7f48@roadrunner.ecs.soton.ac.uk> I would start by checking you have good versions of the MIME-Tools perl modules installed. It looks as if it is failing to copy the mail body from the mqueue.in to mqueue. I haven't seen this behaviour before, has anyone else? At 13:32 21/05/2002, you wrote: >Hi, > >Mailscanner/sophos seems to be working fine but the recipients of the >stripped message receive this warning but there are no attachments to the >messages. > >Warning: This message has had one or more attachments removed. Please read >the "VirusWarning.txt" attachment(s) for more information. > >Is this proper behavior? Do I have something mis-configured? This is, in >fact, the only content in the message. Additionaly, I would have expected >some original text (if it had any) to be included somewhere. > >Thanks, >Dan > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020521/c72ac3f5/attachment.html From rishi at THEARGONCOMPANY.COM Tue May 21 13:53:04 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> Message-ID: <011301c200c6$7293ab00$1b02a8c0@theargoncompany.com> HI Julian, The weird part is that if I do a mailq it does not display all these messages. but the messages are there in the mqueue folder. I tried to do a sendmail -q15m ........ no joy. it just exits. Regards Rishi ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 21, 2002 2:48 PM Subject: Re: Need help badly... > At 10:02 21/05/2002, you wrote: > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in the > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > -rw------- 1 root root 2223 May 21 13:37 qfg4L87BW05113 > > > -rw------- 1 root root 840 May 21 13:37 qfg4L87TW05151 > > > -rw------- 1 root root 859 May 21 13:38 qfg4L88cW05223 > > > >I have stopped mailscanner and started sendmail. My mail is now working, but > >I wanted to know how to > > If they are all in mqueue and not mqueue.in then MailScanner is basically > doing its job. I suspect you might not have any processes like "sendmail > -q15m" running perhaps? > > >1. get mailscanner to work... find out why it is not working.(how does one > >debug?) > > Watch the syslog. > > >2. get all these undelivered messages .... delivered. > > sendmail -q > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From mike at 4frontmedia.net Tue May 21 13:50:20 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <5.1.0.14.2.20020521135640.02ca7f48@roadrunner.ecs.soton.ac.uk> Message-ID: <000701c200c6$115409c0$0100000a@MIKES> Yes, we experience this problem but only isolated to one user to our knowledge. Mike 4FrontMedia -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 21 May 2002 13:57 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Where is VirusWarning.txt? I would start by checking you have good versions of the MIME-Tools perl modules installed. It looks as if it is failing to copy the mail body from the mqueue.in to mqueue. I haven't seen this behaviour before, has anyone else? At 13:32 21/05/2002, you wrote: Hi, Mailscanner/sophos seems to be working fine but the recipients of the stripped message receive this warning but there are no attachments to the messages. Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information. Is this proper behavior? Do I have something mis-configured? This is, in fact, the only content in the message. Additionaly, I would have expected some original text (if it had any) to be included somewhere. Thanks, Dan -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ ______________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020521/e80b0dce/attachment.html From jkf at ecs.soton.ac.uk Tue May 21 14:07:29 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... In-Reply-To: <011301c200c6$7293ab00$1b02a8c0@theargoncompany.com> References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020521140613.02b94708@roadrunner.ecs.soton.ac.uk> At 13:53 21/05/2002, you wrote: >HI Julian, > >The weird part is that if I do a mailq it does not display all these >messages. > >but the messages are there in the mqueue folder. You haven't broken the soft link joining /var/spool/mqueue to /home/spool/mqueue have you? If all the files are there (one df and one qf for each message) then mailq should display them. >I tried to do a sendmail -q15m ........ no joy. it just exits. In which case try sendmail -v -q15m and see what that prints. >Regards > >Rishi > > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, May 21, 2002 2:48 PM >Subject: Re: Need help badly... > > > > At 10:02 21/05/2002, you wrote: > > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in the > > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > > > -rw------- 1 root root 2223 May 21 13:37 qfg4L87BW05113 > > > > -rw------- 1 root root 840 May 21 13:37 qfg4L87TW05151 > > > > -rw------- 1 root root 859 May 21 13:38 qfg4L88cW05223 > > > > > >I have stopped mailscanner and started sendmail. My mail is now working, >but > > >I wanted to know how to > > > > If they are all in mqueue and not mqueue.in then MailScanner is basically > > doing its job. I suspect you might not have any processes like "sendmail > > -q15m" running perhaps? > > > > >1. get mailscanner to work... find out why it is not working.(how does >one > > >debug?) > > > > Watch the syslog. > > > > >2. get all these undelivered messages .... delivered. > > > > sendmail -q > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Funk.Gabor at HUNETKFT.HU Tue May 21 14:27:50 2002 From: Funk.Gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? Message-ID: <01dd01c200cb$4ec50110$3364a8c0@xxxx.xxx> >>I haven't seen this behaviour before, has anyone else? I'd suspect it is a Klez and the attachment *IS* there, but it is not displayed in Outlook. "View source" should do the magic and show the rest of the Klez as well as the viruswarning texts. Based on subjects: ->multipart/mixed patch (was Virus Klez.H and McAfee) and " "Inline Text Warning" and "Stored Virus Message Report" invisible" around early May, and I guess it was fixed in 3.14. I can't confirm, since I usually get the "postmaster" type report, not the "reply to the virus sender" type report :-) :: - Infected "multipart/alternative" messages are converted to :: "multipart/mixed" so that virus warning can always be seen. I also sent a mail to you on 19th April regarding to this topic. (Subject: difference between text and html format in virusreport?) G. From dll at SCITOOLS.COM Tue May 21 14:29:25 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <000701c200c6$115409c0$0100000a@MIKES> Message-ID: <032c01c200cb$872c1750$170aa8c0@DELL> I did found a version string in /usr/lib/perl5/site_perl/5.6.0/MIME/Tools.pm: $VERSION = substr q$Revision: 5.411 $, 10; 5.411 seems pretty recent, perhaps only beta-5.503 is newer. Any other ideas? Dan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Walker Sent: Tuesday, May 21, 2002 8:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Where is VirusWarning.txt? Yes, we experience this problem but only isolated to one user to our knowledge. Mike 4FrontMedia -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 21 May 2002 13:57 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Where is VirusWarning.txt? I would start by checking you have good versions of the MIME-Tools perl modules installed. It looks as if it is failing to copy the mail body from the mqueue.in to mqueue. I haven't seen this behaviour before, has anyone else? At 13:32 21/05/2002, you wrote: Hi, Mailscanner/sophos seems to be working fine but the recipients of the stripped message receive this warning but there are no attachments to the messages. Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information. Is this proper behavior? Do I have something mis-configured? This is, in fact, the only content in the message. Additionaly, I would have expected some original text (if it had any) to be included somewhere. Thanks, Dan -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ ______________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. ______________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020521/7d62b74f/attachment.html From mike at ZANKER.ORG Tue May 21 14:41:33 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:47 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> Message-ID: <59190892.1021992093@jemima.zanker.org> On 21 May 2002 08:16 -0400 Ryan Dlugosz wrote: > I strongly believe that something is going > on with the mailman - mailscanner interaction that is causing the > Perl script to die without warning. I have almost exactly the same platform as you - the only difference is I'm running 3.15-1 rather than 3.15-3. I've not had any problems with mailman/MailScanner. I'll upgrade to 3.15-3 and see if that breaks anything. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From dll at SCITOOLS.COM Tue May 21 14:47:34 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <01dd01c200cb$4ec50110$3364a8c0@xxxx.xxx> Message-ID: <034201c200ce$10776bc0$170aa8c0@DELL> Ok. Outlook says "This HTML message contains script, which Outlook cannot display. This may affect how the message appears." This is Outlook 2002 and I'll be darned if I can locate the "View source" option, that was so useful in Outlook 97. Where might that be? Dan > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Funk Gabor > Sent: Tuesday, May 21, 2002 9:28 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > >>I haven't seen this behaviour before, has anyone else? > > I'd suspect it is a Klez and the attachment *IS* there, but it is not > displayed in Outlook. "View source" should do the magic and show > the rest of the Klez as well as the viruswarning texts. > > Based on subjects: ->multipart/mixed patch (was Virus Klez.H and McAfee) > and " "Inline Text Warning" and "Stored Virus Message Report" invisible" > around early May, and I guess it was fixed in 3.14. I can't confirm, since > I usually > get the "postmaster" type report, not the "reply to the virus sender" type > report :-) > > :: - Infected "multipart/alternative" messages are converted to > :: "multipart/mixed" so that virus warning can always be seen. > > I also sent a mail to you on 19th April regarding to this topic. > (Subject: difference between text and html format in virusreport?) > > > G. From ryan at DLUGOSZ.NET Tue May 21 14:49:37 2002 From: ryan at DLUGOSZ.NET (Ryan Dlugosz) Date: Thu Jan 12 21:14:47 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> Message-ID: <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> Julian, Thanks for the quick reply. Here's some more info for you. I am running Perl v5.6.1 - I have verified that I've switched debugging back off and I was able to immediately recreate my problem. I started mailscanner directly from a console by running the script & I manually started the two sendmail procs. I received NO errors at all on the console, even when the Perl process died. I sent a few emails back and forth which all worked just fine. Then, I sent an email to "test@dlugosz.net", a test Mailman list which only has two subscribers (myself and another remote account). The email was scanned, passed to the Mailman wrapper script, then sent out again. Now, each of the 2 emails (one for each address on the list) are scanned - Boom - Perl process is gone, no errors. The mail sits in the mqueue.in folder - They appear to have actually been scanned (they contain the mailscanner headers), but MS appears to have died before it moved them into the outgoing queue. I've included the contents of my mail queues below, maybe you'll find them interesting - this 0 length file always happens to show up after MS dies... I can get you any other info that may help you out - just let me know. If necessary, I can let you have root for a little while if I can't get you the info you need. Thanks, Ryan [root@deuce spool]# ls -lR mqueue* mqueue: total 0 mqueue.in: total 0 [root@deuce spool]# ls -lR mqueue* mqueue: total 4 -rw------- 2 root root 198 May 21 09:32 dfg4LDW2k09209 -rw------- 1 root root 0 May 21 09:32 tfg4LDW2k09209 mqueue.in: total 16 -rw------- 2 root root 198 May 21 09:32 dfg4LDW2k09209 -rw------- 1 root root 198 May 21 09:32 dfg4LDW2k09211 -rw------- 1 root root 1869 May 21 09:32 qfg4LDW2k09209 -rw------- 1 root root 1871 May 21 09:32 qfg4LDW2k09211 Julian Field said: > If you run MailScanner with "Debug = 1" it will only do 1 pass of > mqueue.in and then stop. > > As you are presumably normally running with "Debug = 0", check that the > "check_mailscanner" script works okay for you (it should print out the > PID if MailScanner is running, else it should start MailScanner up > again). > > Also, start MailScanner (using check_mailscanner) from the command > line, and leave that window open. You may get a Perl error message when > it dies, which for one reason or another may not be logged into > syslogd. > > Once you've got that error message out of it, I can investigate > further. > > What version of Perl are you using (perl -v). > > Failing that, if you can give me login access to it (and the root pw) > then I will take a look for you. > > At 13:16 21/05/2002, you wrote: >>Hello, >> >>I'm new to mailscanner, but an experienced linux admin - I put in a >>good 6 hours with mailscanner yesterday, but couldn't solve my problem >>even after searching the list archives pretty extensively. Here's the >>situation: I'm running RedHat 7.2 with all updates + most recent RPM of >>mailscanner (3.15-3) on sendmail (8.11.6-3) with the latest Sophos >>(3.57). I also use the GNU MailMan listserv software to support a >>handfull of low-volume lists. The box doesn't receive too much email - >>just the personal mail of a few users & the lists. >>After installing MailScanner (and Sophos using the MS install script), >>I fired it up & verified that I now had two independant sendmail procs >>going - one listening & the other -q15m. I began tailing the maillog >>and started firing test emails. >>It worked great for a little while & then suddenly email stopped >>moving! The mail was just building up in the mqueue.in folder & was no >>longer being scanned or moved. This all seems to happen when a >>message is received for the Mailman email list program & it attempts to >>send out the messages. I strongly believe that something is going on >>with the mailman - mailscanner interaction that is causing the Perl >>script to die without warning. >>I've posted an annotated log snippet on the web. Please take a minute >>to look it over and let me know if you have any thoughts regarding my >>problem. >>http://dlugosz.net/~ryan/mailscanner_probs.html >> >>Thanks! >>-Ryan >> >>-- >>Ryan Dlugosz >>ryan@dlugosz.net >> >>http://dlugosz.net > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Ryan Dlugosz ryan@dlugosz.net http://dlugosz.net From Funk.Gabor at HUNETKFT.HU Tue May 21 14:53:00 2002 From: Funk.Gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? Message-ID: <022701c200ce$d2e0b540$3364a8c0@xxxx.xxx> >>Ok. Outlook says "This HTML message contains script, which Outlook >>cannot display. This may affect how the message appears." >> >>This is Outlook 2002 and I'll be darned if I can locate the "View >>source" option, that was so useful in Outlook 97. Where might that be? doubleclick on message, right click on mouse, view source? G. From dll at SCITOOLS.COM Tue May 21 15:00:55 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <022701c200ce$d2e0b540$3364a8c0@xxxx.xxx> Message-ID: <034601c200cf$ef7815d0$170aa8c0@DELL> Thanks. Here's what's it shows:

Warning: This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information.

What is "iframe"? Dan > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Funk Gabor > Sent: Tuesday, May 21, 2002 9:53 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > >>Ok. Outlook says "This HTML message contains script, which Outlook > >>cannot display. This may affect how the message appears." > >> > >>This is Outlook 2002 and I'll be darned if I can locate the "View > >>source" option, that was so useful in Outlook 97. Where might that be? > > doubleclick on message, right click on mouse, view source? > > G. From dll at SCITOOLS.COM Tue May 21 15:08:30 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <034601c200cf$ef7815d0$170aa8c0@DELL> Message-ID: <034701c200d0$fd30b320$170aa8c0@DELL> Curious, I got this note from Antigen@skywalker.sdsu.edu in response to my submitting my previous message to this list: ----- Antigen for Exchange found Unknown infected with VIRUS= HTML.MimeExploit (CA(Vet),CA(InoculateIT)) worm. The message is currently Purged. The message, " Re: Where is VirusWarning.txt?", was sent from Daniel Leavitt and was discovered in SMTP Messages\Inbound located at SDSU Foundation/SDSU_FOUNDATION/MAIL. ----- > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Daniel Leavitt > Sent: Tuesday, May 21, 2002 10:01 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > Thanks. Here's what's it shows: > >

Warning: This message has > had one or more attachments removed. Please read the "VirusWarning.txt" > attachment(s) for more information.

> > > > > > What is "iframe"? > > Dan > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Funk Gabor > > Sent: Tuesday, May 21, 2002 9:53 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Where is VirusWarning.txt? > > > > >>Ok. Outlook says "This HTML message contains script, which Outlook > > >>cannot display. This may affect how the message appears." > > >> > > >>This is Outlook 2002 and I'll be darned if I can locate the "View > > >>source" option, that was so useful in Outlook 97. Where might that > be? > > > > doubleclick on message, right click on mouse, view source? > > > > G. From Funk.Gabor at HUNETKFT.HU Tue May 21 15:28:34 2002 From: Funk.Gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? Message-ID: <025e01c200d3$cae1cb90$3364a8c0@xxxx.xxx> >>Thanks. Here's what's it shows: >> >> Not enough. Should be more. Are you the original recipient, or this message was just forwarded to you? In the second case the mail could've "lost" the body and the original recipient should do the "view source". Are you using mailscanner above v3.14? >>What is "iframe"? What's IFRAME? http://www.htmlhelp.com/reference/html40/special/iframe.html What's IFRAME Buffer Overflow? http://www.kb.cert.org/vuls/id/27857 Klez uses IFRAME bof. http://www.kav.ch/avpve/worms/email/klez.stm I just used the first hits from google, so there might be better samples. G. From rishi at THEARGONCOMPANY.COM Tue May 21 15:21:52 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521140613.02b94708@roadrunner.ecs.soton.ac.uk> Message-ID: <01a401c200d2$dbd819a0$1b02a8c0@theargoncompany.com> Hi Julian, Thanks for responding to my messages... I am still in deep trouble. I've responded below to your questions. ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 21, 2002 6:37 PM Subject: Re: Need help badly... > At 13:53 21/05/2002, you wrote: > >HI Julian, > > > >The weird part is that if I do a mailq it does not display all these > >messages. > > > >but the messages are there in the mqueue folder. > > You haven't broken the soft link joining /var/spool/mqueue to > /home/spool/mqueue have you? If all the files are there (one df and one qf > for each message) then mailq should display them. I don't think so... Can you see if this is what you are saying? [root spool]# pwd /var/spool [root spool]# ls -l total 12 drwxr-xr-x 4 root root 1024 May 21 01:13 MailScanner drwx------ 2 root root 1024 May 21 07:13 cron drwxrwxr-t 2 root mail 8192 May 21 19:42 mail lrwxrwxrwx 1 root root 23 Mar 16 06:52 mqueue -> ../../home/spool/mqueue lrwxrwxrwx 1 root root 21 May 21 01:20 mqueue.in -> /home/spool/mqueue.in drwxr-xr-x 2 root mail 1024 May 21 01:21 mqueue.in.old drwxrwxrwt 2 root root 1024 May 24 2001 samba I renamed the mqueue.in folder created by mailscanner to mqueue.in.old Could that have cause all the trouble? Here is the contents of /home/spool [root spool]# pwd /home/spool [root spool]# ls -l total 46 drwxrwxr-x 2 root mail 8192 May 21 10:59 mail drwxr-xr-x 6 root root 35840 May 21 13:38 mqueue drwxr-xr-x 2 root root 2048 May 21 13:38 mqueue.in Does it look ok? Here is the output of 'ls mqueue' [root spool]# ls mqueue dfg4KJqsW26104 dfg4L0iTW10067 dfg4L49FW22013 dfg4L5s2W28853 q4 qfg4L0fxW09940 qfg4L47GW21913 qfg4L5s0W28852 dfg4KJrrW26181 dfg4L0kjW10170 dfg4L4CRW22194 dfg4L5sIW28861 qfg4KJqsW26104 qfg4L0iTW10067 qfg4L49FW22013 qfg4L5s2W28853 dfg4KJsTW26254 dfg4L0lQW10202 dfg4L4CVW22204 dfg4L5sLW28864 qfg4KJrrW26181 qfg4L0kjW10170 qfg4L4CRW22194 qfg4L5sIW28861 dfg4KJuGW26351 dfg4L0lVW10222 dfg4L4CWW22206 dfg4L5sMW28880 qfg4KJsTW26254 qfg4L0lQW10202 qfg4L4CVW22204 qfg4L5sLW28864 . . . . dfg4L0OrW09053 dfg4L446W21748 dfg4L5qFW28659 dfg4L87AW05107 qfg4L0OAW09022 qfg4L426W21646 qfg4L5qDW28657 qfg4L86uW05062 dfg4L0SuW09226 dfg4L45bW21816 dfg4L5qPW28663 dfg4L87BW05113 qfg4L0OrW09053 qfg4L446W21748 qfg4L5qFW28659 qfg4L87AW05107 dfg4L0UOW09316 dfg4L45gW21818 dfg4L5qrW28728 dfg4L87TW05151 qfg4L0SuW09226 qfg4L45bW21816 qfg4L5qPW28663 qfg4L87BW05113 dfg4L0ZBW09585 dfg4L45sW21830 dfg4L5r2W28749 dfg4L88cW05223 qfg4L0UOW09316 qfg4L45gW21818 qfg4L5qrW28728 qfg4L87TW05151 dfg4L0beW09723 dfg4L46nW21878 dfg4L5rAW28753 q1 qfg4L0ZBW09585 qfg4L45sW21830 qfg4L5r2W28749 qfg4L88cW05223 dfg4L0eYW09863 dfg4L476W21911 dfg4L5rbW28802 q2 qfg4L0beW09723 qfg4L46nW21878 qfg4L5rAW28753 dfg4L0fxW09940 dfg4L47GW21913 dfg4L5s0W28852 q3 qfg4L0eYW09863 qfg4L476W21911 qfg4L5rbW28802 And here is the word count... [root spool]# ls mqueue | wc 1446 1446 21642 > > > >I tried to do a sendmail -q15m ........ no joy. it just exits. > > In which case try sendmail -v -q15m and see what that prints. I tried that..... it says nothing. If I do a mailq is shows the following output.... /var/spool/mqueue/q1 (1 request) ----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient--------- --- g4IIAZs26896* 262 Sat May 18 23:40 mail (Deferred: Connection timed out with forserve.com.) ftmanlfrbu@forserve.com /var/spool/mqueue/q2 is empty /var/spool/mqueue/q3 (1 request) ----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient--------- --- g4JHnto03977* 262 Sun May 19 23:19 mail (Deferred: Connection timed out with juserve.com.) cpwijaxi@juserve.com /var/spool/mqueue/q4 is empty Total Requests: 2 Does this help understand the problem? Regards Rishi > > > >Regards > > > >Rishi > > > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Tuesday, May 21, 2002 2:48 PM > >Subject: Re: Need help badly... > > > > > > > At 10:02 21/05/2002, you wrote: > > > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in the > > > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > > > > > -rw------- 1 root root 2223 May 21 13:37 qfg4L87BW05113 > > > > > -rw------- 1 root root 840 May 21 13:37 qfg4L87TW05151 > > > > > -rw------- 1 root root 859 May 21 13:38 qfg4L88cW05223 > > > > > > > >I have stopped mailscanner and started sendmail. My mail is now working, > >but > > > >I wanted to know how to > > > > > > If they are all in mqueue and not mqueue.in then MailScanner is basically > > > doing its job. I suspect you might not have any processes like "sendmail > > > -q15m" running perhaps? > > > > > > >1. get mailscanner to work... find out why it is not working.(how does > >one > > > >debug?) > > > > > > Watch the syslog. > > > > > > >2. get all these undelivered messages .... delivered. > > > > > > sendmail -q > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From dll at SCITOOLS.COM Tue May 21 15:44:10 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <034701c200d0$fd30b320$170aa8c0@DELL> Message-ID: <034901c200d5$fc2b37c0$170aa8c0@DELL> I tried to submit a message twice but it was rejected apparently because of the offending html in my reply, even though it was in comments the second time. I got this message from Antigen@skywalker.sdsu.edu in response to my submittal: > ----- > Antigen for Exchange found Unknown infected with VIRUS= HTML.MimeExploit > (CA(Vet),CA(InoculateIT)) worm. > The message is currently Purged. The message, " Re: Where is > VirusWarning.txt?", was > sent from Daniel Leavitt and was discovered in SMTP Messages\Inbound > located at SDSU Foundation/SDSU_FOUNDATION/MAIL. > ----- Anyway, this is what showed up with the "View Source" function with the html and iframe tags mangled so they wouldn't be recognized as anything malicious. >

Warning: This > message has had one or more attachments removed. Please read the > VirusWarning.txt" attachment(s) for more information.

> > > > Again, any ideas? Thanks, Dan From dll at SCITOOLS.COM Tue May 21 15:51:50 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <025e01c200d3$cae1cb90$3364a8c0@xxxx.xxx> Message-ID: <034a01c200d7$1048f2a0$170aa8c0@DELL> I have version 3.13-2 installed on RH7.1. Do you think a mailscanner upgrade will address this? Dan > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Funk Gabor > Sent: Tuesday, May 21, 2002 10:29 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > >>Thanks. Here's what's it shows: > >> > >> > Not enough. Should be more. > > Are you the original recipient, or this message was just forwarded to you? > In the second case the mail could've "lost" the body and the original > recipient > should do the "view source". Are you using mailscanner above v3.14? > > >>What is "iframe"? > What's IFRAME? > http://www.htmlhelp.com/reference/html40/special/iframe.html > > What's IFRAME Buffer Overflow? > http://www.kb.cert.org/vuls/id/27857 > > Klez uses IFRAME bof. > http://www.kav.ch/avpve/worms/email/klez.stm > > I just used the first hits from google, so there might be better samples. > > G. From dll at SCITOOLS.COM Tue May 21 15:58:59 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <025e01c200d3$cae1cb90$3364a8c0@xxxx.xxx> Message-ID: <034b01c200d8$0ab671e0$170aa8c0@DELL> Forgot to answer the first question. -( This came into an support alias at my company that I am on and it was .forward'ed from the mail server to my desktop machine. Dan > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Funk Gabor > Sent: Tuesday, May 21, 2002 10:29 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > >>Thanks. Here's what's it shows: > >> > >> > Not enough. Should be more. > > Are you the original recipient, or this message was just forwarded to you? > In the second case the mail could've "lost" the body and the original > recipient > should do the "view source". Are you using mailscanner above v3.14? > > >>What is "iframe"? > What's IFRAME? > http://www.htmlhelp.com/reference/html40/special/iframe.html > > What's IFRAME Buffer Overflow? > http://www.kb.cert.org/vuls/id/27857 > > Klez uses IFRAME bof. > http://www.kav.ch/avpve/worms/email/klez.stm > > I just used the first hits from google, so there might be better samples. > > G. From sysadmin at DMS.UMONTREAL.CA Tue May 21 15:51:40 2002 From: sysadmin at DMS.UMONTREAL.CA (Christopher Albert) Date: Thu Jan 12 21:14:47 2006 Subject: Spam with forged From=To ;local domain whitelisted Message-ID: Greetings, I have been using mailscanner + sophos+spamassassin+vipul's_razor with great success for several months now. I have had to put my local domain, and well as the university domain in the spam whitelist to avoid false positives, given the amount of bulk mail taht circulates locally. This has worked fine since all the spam comes from outside. However, a couple days ago we received some spam with forged from address equal to the recipient address, and that being from the local domain were not tagged as spam. Where in the pipeline can I control for this kind of scam? TIA, Chris From Funk.Gabor at HUNETKFT.HU Tue May 21 16:02:27 2002 From: Funk.Gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? Message-ID: <02b801c200d8$872a7dc0$3364a8c0@xxxx.xxx> >>I have version 3.13-2 installed on RH7.1. Do you think a mailscanner >>upgrade will address this? As I mentioned earlier... http://www.sng.ecs.soton.ac.uk/mailscanner/ 14/5/2002 Released Version 3.14. Changes for this version are: ... Infected "multipart/alternative" messages are converted to "multipart/mixed" so that virus warning can always be seen. ... G. From jkf at ecs.soton.ac.uk Tue May 21 16:08:37 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Need help badly... In-Reply-To: <01a401c200d2$dbd819a0$1b02a8c0@theargoncompany.com> References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521140613.02b94708@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020521160526.02c84ad8@roadrunner.ecs.soton.ac.uk> Aha! Now we have a cause for the problem. You never told me there were directories under your mqueue and/or mqueue.in directories. If you look near the top of your /etc/sendmail.cf (or possibly /etc/mail/sendmail.cf) you will find a definition for O QueueDirectory=/var/spool/mqueue/q* (it will read something like that). Knock the "/q*" off the end so it just reads O QueueDirectory=/var/spool/mqueue and restart both your sendmail processes. Then you should find it starts to deliver the messages. MailScanner still doesn't support multiple outgoing queue directories (sorry about that, haven't had the time to write support for it, which is non-trivial). At 15:21 21/05/2002, you wrote: >Hi Julian, > >Thanks for responding to my messages... I am still in deep trouble. > >I've responded below to your questions. > > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, May 21, 2002 6:37 PM >Subject: Re: Need help badly... > > > > At 13:53 21/05/2002, you wrote: > > >HI Julian, > > > > > >The weird part is that if I do a mailq it does not display all these > > >messages. > > > > > >but the messages are there in the mqueue folder. > > > > You haven't broken the soft link joining /var/spool/mqueue to > > /home/spool/mqueue have you? If all the files are there (one df and one qf > > for each message) then mailq should display them. > > >I don't think so... Can you see if this is what you are saying? > >[root spool]# pwd >/var/spool > > >[root spool]# ls -l >total 12 >drwxr-xr-x 4 root root 1024 May 21 01:13 MailScanner >drwx------ 2 root root 1024 May 21 07:13 cron >drwxrwxr-t 2 root mail 8192 May 21 19:42 mail >lrwxrwxrwx 1 root root 23 Mar 16 06:52 mqueue -> >../../home/spool/mqueue >lrwxrwxrwx 1 root root 21 May 21 01:20 mqueue.in -> >/home/spool/mqueue.in >drwxr-xr-x 2 root mail 1024 May 21 01:21 mqueue.in.old >drwxrwxrwt 2 root root 1024 May 24 2001 samba > > >I renamed the mqueue.in folder created by mailscanner to mqueue.in.old > >Could that have cause all the trouble? > > >Here is the contents of /home/spool > > >[root spool]# pwd >/home/spool > >[root spool]# ls -l >total 46 >drwxrwxr-x 2 root mail 8192 May 21 10:59 mail >drwxr-xr-x 6 root root 35840 May 21 13:38 mqueue >drwxr-xr-x 2 root root 2048 May 21 13:38 mqueue.in > > >Does it look ok? > > >Here is the output of 'ls mqueue' > >[root spool]# ls mqueue >dfg4KJqsW26104 dfg4L0iTW10067 dfg4L49FW22013 dfg4L5s2W28853 q4 >qfg4L0fxW09940 qfg4L47GW21913 qfg4L5s0W28852 >dfg4KJrrW26181 dfg4L0kjW10170 dfg4L4CRW22194 dfg4L5sIW28861 >qfg4KJqsW26104 qfg4L0iTW10067 qfg4L49FW22013 qfg4L5s2W28853 >dfg4KJsTW26254 dfg4L0lQW10202 dfg4L4CVW22204 dfg4L5sLW28864 >qfg4KJrrW26181 qfg4L0kjW10170 qfg4L4CRW22194 qfg4L5sIW28861 >dfg4KJuGW26351 dfg4L0lVW10222 dfg4L4CWW22206 dfg4L5sMW28880 >qfg4KJsTW26254 qfg4L0lQW10202 qfg4L4CVW22204 qfg4L5sLW28864 >. >. >. >. >dfg4L0OrW09053 dfg4L446W21748 dfg4L5qFW28659 dfg4L87AW05107 >qfg4L0OAW09022 qfg4L426W21646 qfg4L5qDW28657 qfg4L86uW05062 >dfg4L0SuW09226 dfg4L45bW21816 dfg4L5qPW28663 dfg4L87BW05113 >qfg4L0OrW09053 qfg4L446W21748 qfg4L5qFW28659 qfg4L87AW05107 >dfg4L0UOW09316 dfg4L45gW21818 dfg4L5qrW28728 dfg4L87TW05151 >qfg4L0SuW09226 qfg4L45bW21816 qfg4L5qPW28663 qfg4L87BW05113 >dfg4L0ZBW09585 dfg4L45sW21830 dfg4L5r2W28749 dfg4L88cW05223 >qfg4L0UOW09316 qfg4L45gW21818 qfg4L5qrW28728 qfg4L87TW05151 >dfg4L0beW09723 dfg4L46nW21878 dfg4L5rAW28753 q1 >qfg4L0ZBW09585 qfg4L45sW21830 qfg4L5r2W28749 qfg4L88cW05223 >dfg4L0eYW09863 dfg4L476W21911 dfg4L5rbW28802 q2 >qfg4L0beW09723 qfg4L46nW21878 qfg4L5rAW28753 >dfg4L0fxW09940 dfg4L47GW21913 dfg4L5s0W28852 q3 >qfg4L0eYW09863 qfg4L476W21911 qfg4L5rbW28802 > > >And here is the word count... > >[root spool]# ls mqueue | wc > 1446 1446 21642 > > > > > > > > > > > > > >I tried to do a sendmail -q15m ........ no joy. it just exits. > > > > In which case try sendmail -v -q15m and see what that prints. > > > > >I tried that..... it says nothing. > >If I do a mailq is shows the following output.... > > > /var/spool/mqueue/q1 (1 request) >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient--------- >--- >g4IIAZs26896* 262 Sat May 18 23:40 mail > (Deferred: Connection timed out with forserve.com.) > ftmanlfrbu@forserve.com >/var/spool/mqueue/q2 is empty > /var/spool/mqueue/q3 (1 request) >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient--------- >--- >g4JHnto03977* 262 Sun May 19 23:19 mail > (Deferred: Connection timed out with juserve.com.) > cpwijaxi@juserve.com >/var/spool/mqueue/q4 is empty > Total Requests: 2 > > > > > > > >Does this help understand the problem? > > > >Regards > >Rishi > > > > > > > > > > > > > >Regards > > > > > >Rishi > > > > > > > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Tuesday, May 21, 2002 2:48 PM > > >Subject: Re: Need help badly... > > > > > > > > > > At 10:02 21/05/2002, you wrote: > > > > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in >the > > > > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > > > > > > > -rw------- 1 root root 2223 May 21 13:37 >qfg4L87BW05113 > > > > > > -rw------- 1 root root 840 May 21 13:37 >qfg4L87TW05151 > > > > > > -rw------- 1 root root 859 May 21 13:38 >qfg4L88cW05223 > > > > > > > > > >I have stopped mailscanner and started sendmail. My mail is now >working, > > >but > > > > >I wanted to know how to > > > > > > > > If they are all in mqueue and not mqueue.in then MailScanner is >basically > > > > doing its job. I suspect you might not have any processes like >"sendmail > > > > -q15m" running perhaps? > > > > > > > > >1. get mailscanner to work... find out why it is not working.(how >does > > >one > > > > >debug?) > > > > > > > > Watch the syslog. > > > > > > > > >2. get all these undelivered messages .... delivered. > > > > > > > > sendmail -q > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 16:10:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <034a01c200d7$1048f2a0$170aa8c0@DELL> References: <025e01c200d3$cae1cb90$3364a8c0@xxxx.xxx> Message-ID: <5.1.0.14.2.20020521160938.02c604e8@roadrunner.ecs.soton.ac.uk> At 15:51 21/05/2002, you wrote: >I have version 3.13-2 installed on RH7.1. Do you think a mailscanner >upgrade will address this? See the MailScanner news item dated 14/5/2002. More recent versions include better support for multipart/alternative infected messages, which is what this message is. Once you upgrade you should see the attachment and so on as you expect. The short answer is "yes" :-) > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Funk Gabor > > Sent: Tuesday, May 21, 2002 10:29 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Where is VirusWarning.txt? > > > > >>Thanks. Here's what's it shows: > > >> > > >> > > Not enough. Should be more. > > > > Are you the original recipient, or this message was just forwarded to >you? > > In the second case the mail could've "lost" the body and the original > > recipient > > should do the "view source". Are you using mailscanner above v3.14? > > > > >>What is "iframe"? > > What's IFRAME? > > http://www.htmlhelp.com/reference/html40/special/iframe.html > > > > What's IFRAME Buffer Overflow? > > http://www.kb.cert.org/vuls/id/27857 > > > > Klez uses IFRAME bof. > > http://www.kav.ch/avpve/worms/email/klez.stm > > > > I just used the first hits from google, so there might be better >samples. > > > > G. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 16:12:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:47 2006 Subject: Spam with forged From=To ;local domain whitelisted In-Reply-To: Message-ID: <5.1.0.14.2.20020521161109.02c691b0@roadrunner.ecs.soton.ac.uk> At 15:51 21/05/2002, you wrote: >I have been using mailscanner + sophos+spamassassin+vipul's_razor with great >success for several months now. I have had to put my local domain, and well >as the university domain in the spam whitelist to avoid false positives, >given the amount of bulk mail taht circulates locally. This has worked fine >since all the spam comes from outside. However, a couple days ago we >received some spam with forged from address equal to the recipient address, >and that being from the local domain were not tagged as spam. > >Where in the pipeline can I control for this kind of scam? Have you tried taking yourself out of the spam.whitelist.conf (which is address-based) and adding your network to "Accept Spam From" in the mailscanner.conf file (as this is IP-number-based). Personally I would advise pushing up the SpamAssassin required_hits value to about 8 as well, I find 5 causes too many false positives. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at UNIXSECURITY.ORG Tue May 21 16:23:56 2002 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:14:47 2006 Subject: Spam not being flagged Message-ID: <3CEA668C.2080707@unixsecurity.org> I just upgraded to 3.15-3 and noticed something odd while testing. ---begin--- X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, SUBJ_REMOVE) ---end--- In this particular instance, I forwarded myself some spam (the original generated a much higher score) and thought it rather odd that a score in excess of the required score would get a 'not spam' designation. Any ideas? -- Mike Wallis mw@unixsecurity.org From jaearick at COLBY.EDU Tue May 21 16:23:25 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:47 2006 Subject: more hung-up email In-Reply-To: <01a401c200d2$dbd819a0$1b02a8c0@theargoncompany.com> Message-ID: Julian, I have a similar problem to "need help badly", but I don't use multiple mail queues. I did an "ls -l" of my /var/spool/mqueue.in and found days-old messages in there. But when I do: /usr/sbin/sendmail -bp -OQueueDirectory=/var/spool/mqueue.in mailq just shows the current stuff in there, not the old stuff. If I stop and restart both mailscanner and sendmail, mailscanner does not pick up the old stuff, scan it, and move it to /var/spool/mqueue. It just stays. Any ideas? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From jaearick at COLBY.EDU Tue May 21 16:33:45 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:47 2006 Subject: more hung-up email In-Reply-To: Message-ID: I'll ad these tidbits... I'm running mailscanner 3.13.2, it is on an HPUX 11.11 system, and there is no corresponding qf file for the days-old df files left in mqueue.in. So this is the reason why the messages don't show up in the mailq output. Hmmm. Maybe this is a sendmail screw-up instead. I'm moving my mail service to a Sun/ Solaris8 boxnext Monday (with the current mailscanner), so hopefully this issue wil become moot. --- Jeff > Date: Tue, 21 May 2002 11:23:25 -0400 > From: Jeff A. Earickson > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: more hung-up email > > Julian, > > I have a similar problem to "need help badly", but I don't use multiple > mail queues. I did an "ls -l" of my /var/spool/mqueue.in and found > days-old messages in there. But when I do: > > /usr/sbin/sendmail -bp -OQueueDirectory=/var/spool/mqueue.in > > mailq just shows the current stuff in there, not the old stuff. If I > stop and restart both mailscanner and sendmail, mailscanner does not pick > up the old stuff, scan it, and move it to /var/spool/mqueue. It just > stays. Any ideas? > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > ---------------------------------------------------------------------------- > From marc.perea at ELECTRONIC-GROUP.COM Tue May 21 16:37:51 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:14:47 2006 Subject: Delivering disinfected mails depending on destination e-mail address. Message-ID: <20020521173751.64155ad2.marc.perea@electronic-group.com> Hi to all. I'm going to describe a real scenario, I think there's no way to solve it with the current mailscanner version, so may be Julian could add this feature to a next version, or someone could tell me one good solution that does not depend on mailscanner. Of the dozens of e-mail aliases we have, there's one that is used to put it on all our websites as a "contact@domain.com", therefore, it's targeted by all Virus and worms on the wild. So this mail alias gets hundreds of viruses per day. What I want to do is applying the below configuration option, but based on destination e-mail address, so the "contact@domain.com" doesn't recieve the disinfected mails, but all the other aliases still recieves them. # Once we have removed viruses from an email message and replaced them with # VirusWarning.txt attachments, should we deliver the clean result to the # original recipients (or just delete them if "no")? Deliver To Recipients = yes Any help will be greatly appreciated. Thanks in advance. -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From rishi at THEARGONCOMPANY.COM Tue May 21 16:33:47 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521140613.02b94708@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521160526.02c84ad8@roadrunner.ecs.soton.ac.uk> Message-ID: <01ed01c200dc$e6931840$1b02a8c0@theargoncompany.com> Wow! ok great. So why was the Cobalt RaQ4 configured with the multiple queue directories feature to begin with? Will I putting my server at risk if I do so? Regards Rishi ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 21, 2002 8:38 PM Subject: Re: Need help badly... > Aha! > Now we have a cause for the problem. You never told me there were > directories under your mqueue and/or mqueue.in directories. > > If you look near the top of your /etc/sendmail.cf (or possibly > /etc/mail/sendmail.cf) you will find a definition for > O QueueDirectory=/var/spool/mqueue/q* > (it will read something like that). Knock the "/q*" off the end so it just > reads > O QueueDirectory=/var/spool/mqueue > and restart both your sendmail processes. > > Then you should find it starts to deliver the messages. > > MailScanner still doesn't support multiple outgoing queue directories > (sorry about that, haven't had the time to write support for it, which is > non-trivial). > > At 15:21 21/05/2002, you wrote: > >Hi Julian, > > > >Thanks for responding to my messages... I am still in deep trouble. > > > >I've responded below to your questions. > > > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Tuesday, May 21, 2002 6:37 PM > >Subject: Re: Need help badly... > > > > > > > At 13:53 21/05/2002, you wrote: > > > >HI Julian, > > > > > > > >The weird part is that if I do a mailq it does not display all these > > > >messages. > > > > > > > >but the messages are there in the mqueue folder. > > > > > > You haven't broken the soft link joining /var/spool/mqueue to > > > /home/spool/mqueue have you? If all the files are there (one df and one qf > > > for each message) then mailq should display them. > > > > > >I don't think so... Can you see if this is what you are saying? > > > >[root spool]# pwd > >/var/spool > > > > > >[root spool]# ls -l > >total 12 > >drwxr-xr-x 4 root root 1024 May 21 01:13 MailScanner > >drwx------ 2 root root 1024 May 21 07:13 cron > >drwxrwxr-t 2 root mail 8192 May 21 19:42 mail > >lrwxrwxrwx 1 root root 23 Mar 16 06:52 mqueue -> > >../../home/spool/mqueue > >lrwxrwxrwx 1 root root 21 May 21 01:20 mqueue.in -> > >/home/spool/mqueue.in > >drwxr-xr-x 2 root mail 1024 May 21 01:21 mqueue.in.old > >drwxrwxrwt 2 root root 1024 May 24 2001 samba > > > > > >I renamed the mqueue.in folder created by mailscanner to mqueue.in.old > > > >Could that have cause all the trouble? > > > > > >Here is the contents of /home/spool > > > > > >[root spool]# pwd > >/home/spool > > > >[root spool]# ls -l > >total 46 > >drwxrwxr-x 2 root mail 8192 May 21 10:59 mail > >drwxr-xr-x 6 root root 35840 May 21 13:38 mqueue > >drwxr-xr-x 2 root root 2048 May 21 13:38 mqueue.in > > > > > >Does it look ok? > > > > > >Here is the output of 'ls mqueue' > > > >[root spool]# ls mqueue > >dfg4KJqsW26104 dfg4L0iTW10067 dfg4L49FW22013 dfg4L5s2W28853 q4 > >qfg4L0fxW09940 qfg4L47GW21913 qfg4L5s0W28852 > >dfg4KJrrW26181 dfg4L0kjW10170 dfg4L4CRW22194 dfg4L5sIW28861 > >qfg4KJqsW26104 qfg4L0iTW10067 qfg4L49FW22013 qfg4L5s2W28853 > >dfg4KJsTW26254 dfg4L0lQW10202 dfg4L4CVW22204 dfg4L5sLW28864 > >qfg4KJrrW26181 qfg4L0kjW10170 qfg4L4CRW22194 qfg4L5sIW28861 > >dfg4KJuGW26351 dfg4L0lVW10222 dfg4L4CWW22206 dfg4L5sMW28880 > >qfg4KJsTW26254 qfg4L0lQW10202 qfg4L4CVW22204 qfg4L5sLW28864 > >. > >. > >. > >. > >dfg4L0OrW09053 dfg4L446W21748 dfg4L5qFW28659 dfg4L87AW05107 > >qfg4L0OAW09022 qfg4L426W21646 qfg4L5qDW28657 qfg4L86uW05062 > >dfg4L0SuW09226 dfg4L45bW21816 dfg4L5qPW28663 dfg4L87BW05113 > >qfg4L0OrW09053 qfg4L446W21748 qfg4L5qFW28659 qfg4L87AW05107 > >dfg4L0UOW09316 dfg4L45gW21818 dfg4L5qrW28728 dfg4L87TW05151 > >qfg4L0SuW09226 qfg4L45bW21816 qfg4L5qPW28663 qfg4L87BW05113 > >dfg4L0ZBW09585 dfg4L45sW21830 dfg4L5r2W28749 dfg4L88cW05223 > >qfg4L0UOW09316 qfg4L45gW21818 qfg4L5qrW28728 qfg4L87TW05151 > >dfg4L0beW09723 dfg4L46nW21878 dfg4L5rAW28753 q1 > >qfg4L0ZBW09585 qfg4L45sW21830 qfg4L5r2W28749 qfg4L88cW05223 > >dfg4L0eYW09863 dfg4L476W21911 dfg4L5rbW28802 q2 > >qfg4L0beW09723 qfg4L46nW21878 qfg4L5rAW28753 > >dfg4L0fxW09940 dfg4L47GW21913 dfg4L5s0W28852 q3 > >qfg4L0eYW09863 qfg4L476W21911 qfg4L5rbW28802 > > > > > >And here is the word count... > > > >[root spool]# ls mqueue | wc > > 1446 1446 21642 > > > > > > > > > > > > > > > > > > > > > > > >I tried to do a sendmail -q15m ........ no joy. it just exits. > > > > > > In which case try sendmail -v -q15m and see what that prints. > > > > > > > > > >I tried that..... it says nothing. > > > >If I do a mailq is shows the following output.... > > > > > > /var/spool/mqueue/q1 (1 request) > >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient-------- - > >--- > >g4IIAZs26896* 262 Sat May 18 23:40 mail > > (Deferred: Connection timed out with forserve.com.) > > ftmanlfrbu@forserve.com > >/var/spool/mqueue/q2 is empty > > /var/spool/mqueue/q3 (1 request) > >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient-------- - > >--- > >g4JHnto03977* 262 Sun May 19 23:19 mail > > (Deferred: Connection timed out with juserve.com.) > > cpwijaxi@juserve.com > >/var/spool/mqueue/q4 is empty > > Total Requests: 2 > > > > > > > > > > > > > > > >Does this help understand the problem? > > > > > > > >Regards > > > >Rishi > > > > > > > > > > > > > > > > > > > > > > > >Regards > > > > > > > >Rishi > > > > > > > > > > > >----- Original Message ----- > > > >From: "Julian Field" > > > >To: > > > >Sent: Tuesday, May 21, 2002 2:48 PM > > > >Subject: Re: Need help badly... > > > > > > > > > > > > > At 10:02 21/05/2002, you wrote: > > > > > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server in > >the > > > > > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > > > > > > > > > -rw------- 1 root root 2223 May 21 13:37 > >qfg4L87BW05113 > > > > > > > -rw------- 1 root root 840 May 21 13:37 > >qfg4L87TW05151 > > > > > > > -rw------- 1 root root 859 May 21 13:38 > >qfg4L88cW05223 > > > > > > > > > > > >I have stopped mailscanner and started sendmail. My mail is now > >working, > > > >but > > > > > >I wanted to know how to > > > > > > > > > > If they are all in mqueue and not mqueue.in then MailScanner is > >basically > > > > > doing its job. I suspect you might not have any processes like > >"sendmail > > > > > -q15m" running perhaps? > > > > > > > > > > >1. get mailscanner to work... find out why it is not working.(how > >does > > > >one > > > > > >debug?) > > > > > > > > > > Watch the syslog. > > > > > > > > > > >2. get all these undelivered messages .... delivered. > > > > > > > > > > sendmail -q > > > > > -- > > > > > Julian Field Teaching Systems Manager > > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > > Tel. 023 8059 2817 University of Southampton > > > > > Southampton SO17 1BJ > > > > > > -- > > > Julian Field Teaching Systems Manager > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 16:43:29 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Spam not being flagged In-Reply-To: <3CEA668C.2080707@unixsecurity.org> Message-ID: <5.1.0.14.2.20020521164234.04af5ec0@roadrunner.ecs.soton.ac.uk> At 16:23 21/05/2002, you wrote: >I just upgraded to 3.15-3 and noticed something odd while testing. > >---begin--- >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > SUBJ_REMOVE) >---end--- That's because you are in the "Accept Spam From" section or in the spam.whitelist.conf file. And you have "Always Include SpamAssassin Header" switched on. So by your configuration, you have requested that you always get the report, but actually ignore its contents. >In this particular instance, I forwarded myself some spam (the original >generated a much higher score) and thought it rather odd that a score in >excess of the required score would get a 'not spam' designation. > >Any ideas? > >-- >Mike Wallis >mw@unixsecurity.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 16:42:14 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: <01ed01c200dc$e6931840$1b02a8c0@theargoncompany.com> References: <5.1.0.14.2.20020521101442.02bc6810@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521140613.02b94708@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521160526.02c84ad8@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020521164037.02c782a0@roadrunner.ecs.soton.ac.uk> At 16:33 21/05/2002, you wrote: >Wow! ok great. So why was the Cobalt RaQ4 configured with the multiple queue >directories feature to begin with? If you have absolutely enormous mail traffic, then on some OS's this can produce better performance. On Solaris it makes a difference, on Irix it makes no difference at all. I can't remember whether Linux ext2 implements directories as lists (bad) or trees (good). Irix dynamically changes between lists and 2 different types of tree depending on the number of files in a directory, and it flies as a result. >Will I putting my server at risk if I do so? No. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Tuesday, May 21, 2002 8:38 PM >Subject: Re: Need help badly... > > > > Aha! > > Now we have a cause for the problem. You never told me there were > > directories under your mqueue and/or mqueue.in directories. > > > > If you look near the top of your /etc/sendmail.cf (or possibly > > /etc/mail/sendmail.cf) you will find a definition for > > O QueueDirectory=/var/spool/mqueue/q* > > (it will read something like that). Knock the "/q*" off the end so it just > > reads > > O QueueDirectory=/var/spool/mqueue > > and restart both your sendmail processes. > > > > Then you should find it starts to deliver the messages. > > > > MailScanner still doesn't support multiple outgoing queue directories > > (sorry about that, haven't had the time to write support for it, which is > > non-trivial). > > > > At 15:21 21/05/2002, you wrote: > > >Hi Julian, > > > > > >Thanks for responding to my messages... I am still in deep trouble. > > > > > >I've responded below to your questions. > > > > > > > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Tuesday, May 21, 2002 6:37 PM > > >Subject: Re: Need help badly... > > > > > > > > > > At 13:53 21/05/2002, you wrote: > > > > >HI Julian, > > > > > > > > > >The weird part is that if I do a mailq it does not display all these > > > > >messages. > > > > > > > > > >but the messages are there in the mqueue folder. > > > > > > > > You haven't broken the soft link joining /var/spool/mqueue to > > > > /home/spool/mqueue have you? If all the files are there (one df and >one qf > > > > for each message) then mailq should display them. > > > > > > > > >I don't think so... Can you see if this is what you are saying? > > > > > >[root spool]# pwd > > >/var/spool > > > > > > > > >[root spool]# ls -l > > >total 12 > > >drwxr-xr-x 4 root root 1024 May 21 01:13 MailScanner > > >drwx------ 2 root root 1024 May 21 07:13 cron > > >drwxrwxr-t 2 root mail 8192 May 21 19:42 mail > > >lrwxrwxrwx 1 root root 23 Mar 16 06:52 mqueue -> > > >../../home/spool/mqueue > > >lrwxrwxrwx 1 root root 21 May 21 01:20 mqueue.in -> > > >/home/spool/mqueue.in > > >drwxr-xr-x 2 root mail 1024 May 21 01:21 mqueue.in.old > > >drwxrwxrwt 2 root root 1024 May 24 2001 samba > > > > > > > > >I renamed the mqueue.in folder created by mailscanner to mqueue.in.old > > > > > >Could that have cause all the trouble? > > > > > > > > >Here is the contents of /home/spool > > > > > > > > >[root spool]# pwd > > >/home/spool > > > > > >[root spool]# ls -l > > >total 46 > > >drwxrwxr-x 2 root mail 8192 May 21 10:59 mail > > >drwxr-xr-x 6 root root 35840 May 21 13:38 mqueue > > >drwxr-xr-x 2 root root 2048 May 21 13:38 mqueue.in > > > > > > > > >Does it look ok? > > > > > > > > >Here is the output of 'ls mqueue' > > > > > >[root spool]# ls mqueue > > >dfg4KJqsW26104 dfg4L0iTW10067 dfg4L49FW22013 dfg4L5s2W28853 q4 > > >qfg4L0fxW09940 qfg4L47GW21913 qfg4L5s0W28852 > > >dfg4KJrrW26181 dfg4L0kjW10170 dfg4L4CRW22194 dfg4L5sIW28861 > > >qfg4KJqsW26104 qfg4L0iTW10067 qfg4L49FW22013 qfg4L5s2W28853 > > >dfg4KJsTW26254 dfg4L0lQW10202 dfg4L4CVW22204 dfg4L5sLW28864 > > >qfg4KJrrW26181 qfg4L0kjW10170 qfg4L4CRW22194 qfg4L5sIW28861 > > >dfg4KJuGW26351 dfg4L0lVW10222 dfg4L4CWW22206 dfg4L5sMW28880 > > >qfg4KJsTW26254 qfg4L0lQW10202 qfg4L4CVW22204 qfg4L5sLW28864 > > >. > > >. > > >. > > >. > > >dfg4L0OrW09053 dfg4L446W21748 dfg4L5qFW28659 dfg4L87AW05107 > > >qfg4L0OAW09022 qfg4L426W21646 qfg4L5qDW28657 qfg4L86uW05062 > > >dfg4L0SuW09226 dfg4L45bW21816 dfg4L5qPW28663 dfg4L87BW05113 > > >qfg4L0OrW09053 qfg4L446W21748 qfg4L5qFW28659 qfg4L87AW05107 > > >dfg4L0UOW09316 dfg4L45gW21818 dfg4L5qrW28728 dfg4L87TW05151 > > >qfg4L0SuW09226 qfg4L45bW21816 qfg4L5qPW28663 qfg4L87BW05113 > > >dfg4L0ZBW09585 dfg4L45sW21830 dfg4L5r2W28749 dfg4L88cW05223 > > >qfg4L0UOW09316 qfg4L45gW21818 qfg4L5qrW28728 qfg4L87TW05151 > > >dfg4L0beW09723 dfg4L46nW21878 dfg4L5rAW28753 q1 > > >qfg4L0ZBW09585 qfg4L45sW21830 qfg4L5r2W28749 qfg4L88cW05223 > > >dfg4L0eYW09863 dfg4L476W21911 dfg4L5rbW28802 q2 > > >qfg4L0beW09723 qfg4L46nW21878 qfg4L5rAW28753 > > >dfg4L0fxW09940 dfg4L47GW21913 dfg4L5s0W28852 q3 > > >qfg4L0eYW09863 qfg4L476W21911 qfg4L5rbW28802 > > > > > > > > >And here is the word count... > > > > > >[root spool]# ls mqueue | wc > > > 1446 1446 21642 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >I tried to do a sendmail -q15m ........ no joy. it just exits. > > > > > > > > In which case try sendmail -v -q15m and see what that prints. > > > > > > > > > > > > > > >I tried that..... it says nothing. > > > > > >If I do a mailq is shows the following output.... > > > > > > > > > /var/spool/mqueue/q1 (1 request) > > > >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient-------- >- > > >--- > > >g4IIAZs26896* 262 Sat May 18 23:40 mail > > > (Deferred: Connection timed out with forserve.com.) > > > ftmanlfrbu@forserve.com > > >/var/spool/mqueue/q2 is empty > > > /var/spool/mqueue/q3 (1 request) > > > >----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient-------- >- > > >--- > > >g4JHnto03977* 262 Sun May 19 23:19 mail > > > (Deferred: Connection timed out with juserve.com.) > > > cpwijaxi@juserve.com > > >/var/spool/mqueue/q4 is empty > > > Total Requests: 2 > > > > > > > > > > > > > > > > > > > > > > > >Does this help understand the problem? > > > > > > > > > > > >Regards > > > > > >Rishi > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >Regards > > > > > > > > > >Rishi > > > > > > > > > > > > > > >----- Original Message ----- > > > > >From: "Julian Field" > > > > >To: > > > > >Sent: Tuesday, May 21, 2002 2:48 PM > > > > >Subject: Re: Need help badly... > > > > > > > > > > > > > > > > At 10:02 21/05/2002, you wrote: > > > > > > >I have about 1400 odd messages on Cobalt RaQ4 Linux mail server >in > > >the > > > > > > >/var/spool/mqueue folder (actually /home/spool/mqueue folder) > > > > > > > > > > > > > > > -rw------- 1 root root 2223 May 21 13:37 > > >qfg4L87BW05113 > > > > > > > > -rw------- 1 root root 840 May 21 13:37 > > >qfg4L87TW05151 > > > > > > > > -rw------- 1 root root 859 May 21 13:38 > > >qfg4L88cW05223 > > > > > > > > > > > > > >I have stopped mailscanner and started sendmail. My mail is now > > >working, > > > > >but > > > > > > >I wanted to know how to > > > > > > > > > > > > If they are all in mqueue and not mqueue.in then MailScanner is > > >basically > > > > > > doing its job. I suspect you might not have any processes like > > >"sendmail > > > > > > -q15m" running perhaps? > > > > > > > > > > > > >1. get mailscanner to work... find out why it is not working.(how > > >does > > > > >one > > > > > > >debug?) > > > > > > > > > > > > Watch the syslog. > > > > > > > > > > > > >2. get all these undelivered messages .... delivered. > > > > > > > > > > > > sendmail -q > > > > > > -- > > > > > > Julian Field Teaching Systems Manager > > > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer >Science > > > > > > Tel. 023 8059 2817 University of Southampton > > > > > > Southampton SO17 1BJ > > > > > > > > -- > > > > Julian Field Teaching Systems Manager > > > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > > Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ryan at DLUGOSZ.NET Tue May 21 16:57:42 2002 From: ryan at DLUGOSZ.NET (Ryan Dlugosz) Date: Thu Jan 12 21:14:48 2006 Subject: Delivering disinfected mails depending on destination e-mail address. In-Reply-To: <20020521173751.64155ad2.marc.perea@electronic-group.com> References: <20020521173751.64155ad2.marc.perea@electronic-group.com> Message-ID: <22165.198.185.18.207.1021996662.squirrel@dlugosz.net> For this special case you could easily use a procmail recipe that will send virus-laden emails (using the {Virus?} subject tag) to /dev/null or some garbage folder. -Ryan Marc Perea said: > Hi to all. > > I'm going to describe a real scenario, I think there's no way to solve > it with the current mailscanner version, so may be Julian could add > this feature to a next version, or someone could tell me one good > solution that does not depend on mailscanner. > > Of the dozens of e-mail aliases we have, there's one that is used to > put it on all our websites as a "contact@domain.com", therefore, it's > targeted by all Virus and worms on the wild. So this mail alias gets > hundreds of viruses per day. What I want to do is applying the below > configuration option, but based on destination e-mail address, so the > "contact@domain.com" doesn't recieve the disinfected mails, but all the > other aliases still recieves them. > > # Once we have removed viruses from an email message and replaced them > with # VirusWarning.txt attachments, should we deliver the clean result > to the # original recipients (or just delete them if "no")? > Deliver To Recipients = yes > > Any help will be greatly appreciated. Thanks in advance. > > -- > Marc Perea - System Administration Staff > Mail: marc.perea@electronic-group.com > Tel: (+34) 93 600 23 23 > Fax: (+34) 93 600 23 10 > ---------------- > Electronic Group - http://www.electronic-group.com -- Ryan Dlugosz ryan@dlugosz.net http://dlugosz.net From chicks at CHICKS.NET Tue May 21 16:56:36 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: <5.1.0.14.2.20020521164037.02c782a0@roadrunner.ecs.soton.ac.uk> Message-ID: On Tue, 21 May 2002, Julian Field wrote: > I can't remember whether Linux ext2 implements > directories as lists (bad) or trees (good). This: http://web.mit.edu/tytso/www/linux/ext2intro.html seems to indicate that it's a list. > Irix dynamically changes between lists and 2 different types of tree > depending on the number of files in a directory, and it flies as a > result. You can also run xfs (Irix's filesystem) on Linux if it has performance characteristics that would be valuable. -- There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. - - C.A.R. Hoare From LISTSERV at JISCMAIL.AC.UK Tue May 21 16:40:48 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:48 2006 Subject: MAILSCANNER: nam@STVINCENT.AC.UK requested to join Message-ID: <200205211540.QAA26313@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 16:40:48 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Neil McMonagle You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER nam@STVINCENT.AC.UK Neil McMonagle PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER nam@STVINCENT.AC.UK Neil McMonagle // EOJ From kowolters at EMAIL.COM Tue May 21 16:50:27 2002 From: kowolters at EMAIL.COM (Keith Wolters) Date: Thu Jan 12 21:14:48 2006 Subject: Errors from mailscanner Message-ID: <20020521155027.15437.qmail@email.com> mailscanner was printing the following message on my console: Malformed UTF-8 character (unexpected continuation byte 0xb8) in substitution iterator at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828. I stopped mailscanner, moved files from /var/spool/mqueue.in to /var/spool/mqueue and restarted mailscanner and it seems happy now. -- _______________________________________________ Sign-up for your own FREE Personalized E-mail at Email.com http://www.email.com/?sr=signup From Q.G.Campbell at NEWCASTLE.AC.UK Tue May 21 17:00:47 2002 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:14:48 2006 Subject: more hung-up email Message-ID: Jeff We suffer the same problem with MailScanner 3.12.2 using sendmail 8.10.1 under RedHat 7.2. I get left with orphaned xf*, tf* and df* files but _no_ corresponding entry in the sendmail logs. This suggests to me that the problem lies with sendmail daemon not completing the SMTP transaction and thus not writing the qf* file. I am surprised that I do not see anything in the sendmail logs. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." > -----Original Message----- > From: Jeff A. Earickson [mailto:jaearick@COLBY.EDU] > Sent: 21 May 2002 16:34 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: more hung-up email > > > I'll ad these tidbits... I'm running mailscanner 3.13.2, it > is on an HPUX 11.11 system, and there is no corresponding qf > file for the days-old df files left in mqueue.in. So this is > the reason why the > messages don't show up in the mailq output. Hmmm. Maybe this is > a sendmail screw-up instead. I'm moving my mail service to a > Sun/ Solaris8 boxnext Monday (with the current mailscanner), > so hopefully this issue wil become moot. > > --- Jeff > > > Date: Tue, 21 May 2002 11:23:25 -0400 > > From: Jeff A. Earickson > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: more hung-up email > > > > Julian, > > > > I have a similar problem to "need help badly", but I don't use > > multiple mail queues. I did an "ls -l" of my > /var/spool/mqueue.in and > > found days-old messages in there. But when I do: > > > > /usr/sbin/sendmail -bp -OQueueDirectory=/var/spool/mqueue.in > > > > mailq just shows the current stuff in there, not the old > stuff. If I > > stop and restart both mailscanner and sendmail, mailscanner > does not > > pick up the old stuff, scan it, and move it to > /var/spool/mqueue. It > > just stays. Any ideas? > > > > ** Jeff A. Earickson, Ph.D PHONE: > 207-872-3659 > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > ** Colby College, 4214 Mayflower Hill, FAX: > 207-872-3076 > > ** Waterville ME, 04901-8842 > > > ---------------------------------------------------------------------- > > ------ > > > From jkf at ecs.soton.ac.uk Tue May 21 17:02:05 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: more hung-up email In-Reply-To: References: Message-ID: <5.1.0.14.2.20020521164357.02d25c68@roadrunner.ecs.soton.ac.uk> At 16:33 21/05/2002, you wrote: >I'll ad these tidbits... I'm running mailscanner 3.13.2, it is on >an HPUX 11.11 system, and there is no corresponding qf file for the >days-old df files left in mqueue.in. So this is the reason why the >messages don't show up in the mailq output. Hmmm. Maybe this is >a sendmail screw-up instead. I'm moving my mail service to a Sun/ >Solaris8 boxnext Monday (with the current mailscanner), so hopefully >this issue wil become moot. These stray df files are nothing to worry about. They are caused by attempts to receive a message from another system, and the attempt failed for some reason (usually it timed out, or there was a temporary router failure on the path, or something like that). If you use the sendmail-starting script that www.sendmail.org provides (I think that's where I got it), then these get deleted/renamed before sendmail is actually started, so they don't cause any stray problems. Any aged df files in your mqueue.in, without corresponding qf files, can be deleted safely. These are all really sendmail problems, nothing to do with MailScanner, so they're a bit off-topic really... > > Date: Tue, 21 May 2002 11:23:25 -0400 > > From: Jeff A. Earickson > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: more hung-up email > > > > Julian, > > > > I have a similar problem to "need help badly", but I don't use multiple > > mail queues. I did an "ls -l" of my /var/spool/mqueue.in and found > > days-old messages in there. But when I do: > > > > /usr/sbin/sendmail -bp -OQueueDirectory=/var/spool/mqueue.in > > > > mailq just shows the current stuff in there, not the old stuff. If I > > stop and restart both mailscanner and sendmail, mailscanner does not pick > > up the old stuff, scan it, and move it to /var/spool/mqueue. It just > > stays. Any ideas? > > > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > jaearick@colby.edu > > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > > ** Waterville ME, 04901-8842 > > > ---------------------------------------------------------------------------- > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 17:03:03 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: References: <5.1.0.14.2.20020521164037.02c782a0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020521170232.04a55a90@roadrunner.ecs.soton.ac.uk> At 16:56 21/05/2002, you wrote: >On Tue, 21 May 2002, Julian Field wrote: > > > I can't remember whether Linux ext2 implements > > directories as lists (bad) or trees (good). > >This: > http://web.mit.edu/tytso/www/linux/ext2intro.html >seems to indicate that it's a list. > > > Irix dynamically changes between lists and 2 different types of tree > > depending on the number of files in a directory, and it flies as a > > result. > >You can also run xfs (Irix's filesystem) on Linux if it has performance >characteristics that would be valuable. And while we're on the (OT) subject, how does ext3 do it? I would guess in the same way as ext2.. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at UNIXSECURITY.ORG Tue May 21 17:09:37 2002 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:14:48 2006 Subject: Spam not being flagged References: <5.1.0.14.2.20020521164234.04af5ec0@roadrunner.ecs.soton.ac.uk> Message-ID: <3CEA7141.3000602@unixsecurity.org> Julian Field wrote: > That's because you are in the "Accept Spam From" section or in the > spam.whitelist.conf file. And you have "Always Include SpamAssassin > Header" > switched on. So by your configuration, you have requested that you always > get the report, but actually ignore its contents. Actually, I'm not in the whitelist, but upon further pondering, I realized I had forgotten that I use ssh to port forward my SMTP traffic directly to the mail server, so it all looks like it originates from that IP, which is in the "Accept Spam From" section. Now I just need to wait for some more Spam to arrive so I can test out the new directive to always include the SpamAssassin header and see if it's work keeping turned on. -- Mike Wallis mw@unixsecurity.org From mdunder at GE.UCL.AC.UK Tue May 21 17:09:05 2002 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: Message-ID: We run XFS on a linux RAID server due to the lack of a need for fsck - on a 300Gb partition this used to be very painful... The per-recipient designation of whether to accept or delete spam would be useful without having to enable/setup procmail for each user though. M. On Tue, 21 May 2002, Christopher Hicks wrote: > On Tue, 21 May 2002, Julian Field wrote: > > > I can't remember whether Linux ext2 implements > > directories as lists (bad) or trees (good). > > This: > http://web.mit.edu/tytso/www/linux/ext2intro.html > seems to indicate that it's a list. > > > Irix dynamically changes between lists and 2 different types of tree > > depending on the number of files in a directory, and it flies as a > > result. > > You can also run xfs (Irix's filesystem) on Linux if it has performance > characteristics that would be valuable. > > -- > > > There are two ways of constructing a software design. One way is to make > it so simple that there are obviously no deficiencies. And the other way > is to make it so complicated that there are no obvious deficiencies. > - - C.A.R. Hoare > ------------------------------------------------------------------------- Mike Dunderdale | tel: ++44 20 7679 2756 IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453 mike.dunderdale@ge.ucl.ac.uk | mob: ++44 7939 455 245 From chicks at CHICKS.NET Tue May 21 17:10:54 2002 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: <5.1.0.14.2.20020521170232.04a55a90@roadrunner.ecs.soton.ac.uk> Message-ID: On Tue, 21 May 2002, Julian Field wrote: > And while we're on the (OT) subject, how does ext3 do it? I would > guess in the same way as ext2.. ext3 is basically ext2 with journalling glued on, so I'm pretty sure you're correct. I dug around a bit and the only performance enhancments from ext3 apparently come from elevator writes (which Novell was doing 15 years ago, sigh). No mention of ext3's directory structure was made that I could find. -- There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. - - C.A.R. Hoare From jkf at ecs.soton.ac.uk Tue May 21 17:12:29 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Need help badly... In-Reply-To: References: Message-ID: <5.1.0.14.2.20020521171206.02c81458@roadrunner.ecs.soton.ac.uk> At 17:09 21/05/2002, you wrote: >The per-recipient designation of whether to accept or delete spam >would be useful without having to enable/setup procmail for each user >though. See the new feature list for 3.14 / 3.15. It's already there. >On Tue, 21 May 2002, Christopher Hicks wrote: > > > On Tue, 21 May 2002, Julian Field wrote: > > > > > I can't remember whether Linux ext2 implements > > > directories as lists (bad) or trees (good). > > > > This: > > http://web.mit.edu/tytso/www/linux/ext2intro.html > > seems to indicate that it's a list. > > > > > Irix dynamically changes between lists and 2 different types of tree > > > depending on the number of files in a directory, and it flies as a > > > result. > > > > You can also run xfs (Irix's filesystem) on Linux if it has performance > > characteristics that would be valuable. > > > > -- > > > > > > There are two ways of constructing a software design. One way is to make > > it so simple that there are obviously no deficiencies. And the other way > > is to make it so complicated that there are no obvious deficiencies. > > - - C.A.R. Hoare > > > >------------------------------------------------------------------------- > Mike Dunderdale | tel: ++44 20 7679 2756 >IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453 > mike.dunderdale@ge.ucl.ac.uk | mob: ++44 7939 455 245 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 17:11:16 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: more hung-up email In-Reply-To: Message-ID: <5.1.0.14.2.20020521171032.04b87ec0@roadrunner.ecs.soton.ac.uk> At 17:00 21/05/2002, you wrote: >Jeff > >We suffer the same problem with MailScanner 3.12.2 using sendmail 8.10.1 >under RedHat 7.2. > >I get left with orphaned xf*, tf* and df* files but _no_ corresponding >entry in the sendmail logs. This suggests to me that the problem lies >with sendmail daemon not completing the SMTP transaction and thus not >writing the qf* file. > >I am surprised that I do not see anything in the sendmail logs. If you crank sendmail's LogLevel up to about 14 or so, you should start to see the SMTP connects. Can I just re-iterate that it's *not* a MailScanner problem. >Quentin >--- >PHONE: +44 191 222 8209 Computing Service, University of Newcastle >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." > > > -----Original Message----- > > From: Jeff A. Earickson [mailto:jaearick@COLBY.EDU] > > Sent: 21 May 2002 16:34 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: more hung-up email > > > > > > I'll ad these tidbits... I'm running mailscanner 3.13.2, it > > is on an HPUX 11.11 system, and there is no corresponding qf > > file for the days-old df files left in mqueue.in. So this is > > the reason why the > > messages don't show up in the mailq output. Hmmm. Maybe this is > > a sendmail screw-up instead. I'm moving my mail service to a > > Sun/ Solaris8 boxnext Monday (with the current mailscanner), > > so hopefully this issue wil become moot. > > > > --- Jeff > > > > > Date: Tue, 21 May 2002 11:23:25 -0400 > > > From: Jeff A. Earickson > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: more hung-up email > > > > > > Julian, > > > > > > I have a similar problem to "need help badly", but I don't use > > > multiple mail queues. I did an "ls -l" of my > > /var/spool/mqueue.in and > > > found days-old messages in there. But when I do: > > > > > > /usr/sbin/sendmail -bp -OQueueDirectory=/var/spool/mqueue.in > > > > > > mailq just shows the current stuff in there, not the old > > stuff. If I > > > stop and restart both mailscanner and sendmail, mailscanner > > does not > > > pick up the old stuff, scan it, and move it to > > /var/spool/mqueue. It > > > just stays. Any ideas? > > > > > > ** Jeff A. Earickson, Ph.D PHONE: > > 207-872-3659 > > > ** Senior UNIX Sysadmin, Information Technology EMAIL: > > jaearick@colby.edu > > > ** Colby College, 4214 Mayflower Hill, FAX: > > 207-872-3076 > > > ** Waterville ME, 04901-8842 > > > > > ---------------------------------------------------------------------- > > > ------ > > > > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at UNIXSECURITY.ORG Tue May 21 17:20:32 2002 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:14:48 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> Message-ID: <3CEA73D0.5040807@unixsecurity.org> Ryan Dlugosz wrote: >Julian, > >Thanks for the quick reply. Here's some more info for you. I am running >Perl v5.6.1 - I have verified that I've switched debugging back off and I >was able to immediately recreate my problem. I started mailscanner >directly from a console by running the script & I manually started the two >sendmail procs. > [snip] Just a quick note to let Julian, et al. know that I've been unable to reproduce this issue. We appear to be running a similar setup - RH 7.2 (fully updated), Sendmail 8.11.6, Perl 5.6.1, Mailscanner 3.15-3, SpamAssassin 2.01, and Mailman 2.0.8. (Although, I don't recall seeing which version of Mailman you're running.) I suppose I could upgrade Mailman to 2.0.9 and see if it starts breaking. -- Mike Wallis mw@unixsecurity.org From ryan at DLUGOSZ.NET Tue May 21 17:27:14 2002 From: ryan at DLUGOSZ.NET (Ryan Dlugosz) Date: Thu Jan 12 21:14:48 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <3CEA73D0.5040807@unixsecurity.org> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> <3CEA73D0.5040807@unixsecurity.org> Message-ID: <35785.198.185.18.207.1021998434.squirrel@dlugosz.net> Mike Wallis said: > We appear to be running a similar setup - RH 7.2 (fully updated), > Sendmail 8.11.6, Perl 5.6.1, Mailscanner 3.15-3, SpamAssassin 2.01, and > Mailman 2.0.8. (Although, I don't recall seeing which version of > Mailman you're running.) It's Mailman 2.0.9 actually... I upgraded the Mailman package yesterday while I was trying to fix the problem... it didn't change anything for me. Thanks to all who have been throwing ideas my way. -Ryan -- Ryan Dlugosz ryan@dlugosz.net http://dlugosz.net From jase at SENSIS.COM Tue May 21 17:44:40 2002 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:14:48 2006 Subject: SpamCheck Header Message-ID: I have been using MailScanner for several months now, and I am very happy with well it works. Thanks Julian! I have configured MailScanner to only add a header to an email if it is tagged as spam, and not to modify the subject. I have told our users how to filter their email based on this header. The header I have told them to filter on is "X-MailScanner-SpamCheck:". With the new option Always Include SpamAssassin Report, it seems that this header will now be in every message. I know that I don't have to set that configuration option in my setup, but I am finding that there are others (especially those on this list) that have it set, and so the header gets added, and then filtered as spam when it comes to my mailbox. I am probably going to have to change the header that I filter on to "X-MailScanner-SpamCheck: SpamAssassin", and tell all of my users the same thing. But, before I do all of that work, I have some questions. * Does it even make sense to check for spam in your outgoing email? Maybe it does, but do you really want the Spam Assassin report on your outgoing email? Should there be an option to always include the Spam Assassin report only on incoming email? * Is it possible that this header will change again? Rather than having to change the filtering rules again, can we have a specific header for mail that was tagged as Spam, separate from the Spam Assassin report? (X-MailScanner-FoundToBeSpam or something like that). Or maybe make this header configurable? * Is there an easier way? Thanks. Jason From marc.perea at ELECTRONIC-GROUP.COM Tue May 21 17:58:39 2002 From: marc.perea at ELECTRONIC-GROUP.COM (Marc Perea) Date: Thu Jan 12 21:14:48 2006 Subject: Delivering disinfected mails depending on destination e-mail address. In-Reply-To: <22165.198.185.18.207.1021996662.squirrel@dlugosz.net> References: <20020521173751.64155ad2.marc.perea@electronic-group.com> <22165.198.185.18.207.1021996662.squirrel@dlugosz.net> Message-ID: <20020521185839.33831f23.marc.perea@electronic-group.com> On Tue, 21 May 2002 11:57:42 -0400 Ryan Dlugosz wrote: > For this special case you could easily use a procmail recipe that will > send virus-laden emails (using the {Virus?} subject tag) to /dev/null or > some garbage folder. > -Ryan > Thank you very much Ryan, but I will use the "X-MailScanner: Found to be infected" header to identify the viurses instead of the subject. (It will have the same effect I guess) Here is the very simple procmail recipe in case someother users are interested : # cat $HOME/.procmailrc :0 * ^X-MailScanner: Found to be infected /dev/null Thanks once more!! Cheers, -- Marc Perea - System Administration Staff Mail: marc.perea@electronic-group.com Tel: (+34) 93 600 23 23 Fax: (+34) 93 600 23 10 ---------------- Electronic Group - http://www.electronic-group.com From ryan at DLUGOSZ.NET Tue May 21 18:13:07 2002 From: ryan at DLUGOSZ.NET (Ryan Dlugosz) Date: Thu Jan 12 21:14:48 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? - POSSIBLE SOLUTION In-Reply-To: <35785.198.185.18.207.1021998434.squirrel@dlugosz.net> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> <3CEA73D0.5040807@unixsecurity.org> <35785.198.185.18.207.1021998434.squirrel@dlugosz.net> Message-ID: <56046.198.185.18.207.1022001187.squirrel@dlugosz.net> Well, I remembered one thing that I had changed yesterday when playing with the configuration... In the advanced section of mailscanner.conf, I changed the variable "Multiple Headers" from "append" to "replace"... Seeing as to how the listserv email is what's causing the breakdown & that it's primarily the only mail that'll pass through twice (and therefore have multiple headers) it seems possible that this has something to do with it. Maybe I just stumbled across a weird bug. Now that I've switched it back to "append" I don't immediately have any trouble with Mailman listserv messages. I'll be watching the system closely, however... I'll keep you posted if anything changes. Julian, if you want me to do any testing of this for you just let me know and I'll do what I can! Thanks for your help! -Ryan -- Ryan Dlugosz ryan@dlugosz.net http://dlugosz.net From dll at SCITOOLS.COM Tue May 21 18:15:06 2002 From: dll at SCITOOLS.COM (Daniel Leavitt) Date: Thu Jan 12 21:14:48 2006 Subject: Where is VirusWarning.txt? In-Reply-To: <5.1.0.14.2.20020521160938.02c604e8@roadrunner.ecs.soton.ac.uk> Message-ID: <035801c200eb$0ea6eb50$170aa8c0@DELL> I've upgraded to 3.15.3 so I guess that should be problem solved. Thanks for the all the help. Dan > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Tuesday, May 21, 2002 11:11 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Where is VirusWarning.txt? > > At 15:51 21/05/2002, you wrote: > >I have version 3.13-2 installed on RH7.1. Do you think a mailscanner > >upgrade will address this? > > See the MailScanner news item dated 14/5/2002. More recent versions > include > better support for multipart/alternative infected messages, which is what > this message is. Once you upgrade you should see the attachment and so on > as you expect. > > The short answer is "yes" :-) > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Funk Gabor > > > Sent: Tuesday, May 21, 2002 10:29 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Where is VirusWarning.txt? > > > > > > >>Thanks. Here's what's it shows: > > > >> > > > >> > > > Not enough. Should be more. > > > > > > Are you the original recipient, or this message was just forwarded to > >you? > > > In the second case the mail could've "lost" the body and the original > > > recipient > > > should do the "view source". Are you using mailscanner above v3.14? > > > > > > >>What is "iframe"? > > > What's IFRAME? > > > http://www.htmlhelp.com/reference/html40/special/iframe.html > > > > > > What's IFRAME Buffer Overflow? > > > http://www.kb.cert.org/vuls/id/27857 > > > > > > Klez uses IFRAME bof. > > > http://www.kav.ch/avpve/worms/email/klez.stm > > > > > > I just used the first hits from google, so there might be better > >samples. > > > > > > G. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From darian at BEPINC.COM Tue May 21 19:53:52 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:48 2006 Subject: UTF-8 Errors In-Reply-To: <20020521155027.15437.qmail@email.com> Message-ID: <004b01c200f8$dd543d10$11c9dbd1@WONDER> I have the same errors, I noticed them after executing a /etc/init.d/rc.d/mailscanner restart. I performed a stop then start and now they are gone. Kelly Hamlin had the same problem but I never saw any suggestions. D. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Keith Wolters Sent: Tuesday, May 21, 2002 10:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Errors from mailscanner mailscanner was printing the following message on my console: Malformed UTF-8 character (unexpected continuation byte 0xb8) in substitution iterator at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828. I stopped mailscanner, moved files from /var/spool/mqueue.in to /var/spool/mqueue and restarted mailscanner and it seems happy now. -- _______________________________________________ Sign-up for your own FREE Personalized E-mail at Email.com http://www.email.com/?sr=signup From fizz at BOMB.NET Tue May 21 21:02:45 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:48 2006 Subject: Watching mail queues References: Message-ID: <008f01c20102$796ffd20$48cf75cc@fizz> do i need to compile and run this actually on the mail server? and how do i turn on xforwarding? ----- Original Message ----- From: "Dave Remien" To: Sent: Sunday, May 19, 2002 5:37 PM Subject: Watching mail queues > After using mailscanner quite successfully for the last seven months > (thanks much, Julian and Nick and everyone!), I decided that I needed an > easier way to keep an eye on the size of /var/spool/mqueue and > /var/spool/mqueue.in than I'd been using. > > So here's an X Window program (based on Jamie Zawinski's xdebt) to > (simplistically) watch the queue sizes: > > http://bamberg.scientech.com/src/xmqueue.c > > or > > http://ipsmart.com/src/xmqueue.c > > I use it while ssh'd (with X forwarding turned on, obviously) into the > mail server. Understands -update (seconds), -fn (font), -fg (color) and > -fg (color), among others. Helps me watch for incipient email meltdowns > (spam/virus attacks, etc.). > > Hope this might be of use to others. Feedback is welcome if I've bozo'ed > something up. > > Cheers, > > Dave Remien > From fizz at BOMB.NET Tue May 21 22:12:28 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:48 2006 Subject: UTF-8 Errors References: <004b01c200f8$dd543d10$11c9dbd1@WONDER> Message-ID: <006901c2010c$366773a0$48cf75cc@fizz> i never found a cure, i started getting them again today, i had to switch back to 13-2 because of major problems i was having with 15-3 ----- Original Message ----- From: "Darian Rafie" To: Sent: Tuesday, May 21, 2002 2:53 PM Subject: UTF-8 Errors > I have the same errors, I noticed them after executing a > /etc/init.d/rc.d/mailscanner restart. I performed a stop then start and > now they are gone. Kelly Hamlin had the same problem but I never saw > any suggestions. > > D. > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Keith Wolters > Sent: Tuesday, May 21, 2002 10:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Errors from mailscanner > > > mailscanner was printing the following message on my console: > > Malformed UTF-8 character (unexpected continuation byte 0xb8) in > substitution iterator at > /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm > line 828. > > I stopped mailscanner, moved files from /var/spool/mqueue.in to > /var/spool/mqueue and restarted mailscanner and it seems happy now. > > -- > _______________________________________________ > Sign-up for your own FREE Personalized E-mail at Email.com > http://www.email.com/?sr=signup > From LISTSERV at JISCMAIL.AC.UK Tue May 21 17:57:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:48 2006 Subject: MAILSCANNER: gene@ERACHAMPION.COM left the JISCmail list Message-ID: <200205211657.RAA03985@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 17:57:35 gene@ERACHAMPION.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Tue May 21 17:30:22 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:48 2006 Subject: MAILSCANNER: becher@WEB.LU left the JISCmail list Message-ID: <200205211630.RAA01439@magpie.ecs.soton.ac.uk> Tue, 21 May 2002 17:30:22 Luc Schiltz has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From richard at QUARRYHOUSE.CO.UK Tue May 21 23:08:29 2002 From: richard at QUARRYHOUSE.CO.UK (Richard at Quarryhouse) Date: Thu Jan 12 21:14:48 2006 Subject: Error Installing Message-ID: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> On attempting to install Mailscanner on my Cobalt RaQ4R, all seemed to go OK until I got to start MailScanner. I then got the following error: [root etc]# /etc/rc.d/init.d/mailscanner start Starting MailScanner: makemap: /etc/mail/virtusertable: line 1085: key metalawca@www.jonskichov.co.uk: duplicate key /var/spool/mqueue.in and /var/spool/mqueue must be on the same filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. Richard From richard.siddall at ELIRION.NET Tue May 21 23:31:08 2002 From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:14:48 2006 Subject: Error Installing References: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> Message-ID: <3CEACAAC.E715FEBD@elirion.net> Richard at Quarryhouse wrote: > > On attempting to install Mailscanner on my Cobalt RaQ4R, all seemed to go > OK until I got to start MailScanner. I then got the following error: > > [root etc]# /etc/rc.d/init.d/mailscanner start > Starting MailScanner: makemap: /etc/mail/virtusertable: line 1085: key > metalawca@www.jonskichov.co.uk: duplicate key > /var/spool/mqueue.in and /var/spool/mqueue must be on the same > filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. > > Richard Richard, A few of us have been trying to keep notes on RaQ3/4 installation at: http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 The /etc/mail/virtusertable warning shouldn't stop mailscanner working. It just means you've got duplicate entries for metalawca@www.jonskichov.co.uk in your virtusertable. I think it's due to a change in the way the RaQ GUI handles that file. You should stop sendmail and hand edit the file to remove the duplicate. The second warning indicates that you don't have all the symbolic links between /var/spool and /home/spool set up correctly. See the RaQFaQ mentioned above. You probably created /var/spool/mqueue.in rather than creating /home/spool/mqueue.in and symbolically linking /var/spool/mqueue.in to it. I hope this helps. Richard Siddall. From mike at CAMAROSS.NET Tue May 21 23:29:06 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:14:48 2006 Subject: Error Installing References: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> Message-ID: <020801c20116$ee7d1bc0$6c01a8c0@home.wideopenthrottle.org> http://www.cobalt.com/support/download/raq4.eng.html This is a known bug and the fix is on the page above. I fought the same battle...finally setting /etc/mail/virtusertable +i until the fix was released. Look at your virtusertable and find the duplicate entries at the bottom...most likely @domain.com or something similar. Mike ----- Original Message ----- From: "Richard at Quarryhouse" To: Sent: Tuesday, May 21, 2002 5:08 PM Subject: Error Installing > On attempting to install Mailscanner on my Cobalt RaQ4R, all seemed to go > OK until I got to start MailScanner. I then got the following error: > > [root etc]# /etc/rc.d/init.d/mailscanner start > Starting MailScanner: makemap: /etc/mail/virtusertable: line 1085: key > metalawca@www.jonskichov.co.uk: duplicate key > /var/spool/mqueue.in and /var/spool/mqueue must be on the same > filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. > > > Richard > From mike at CAMAROSS.NET Tue May 21 23:30:58 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:14:48 2006 Subject: Error Installing References: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> Message-ID: <020c01c20117$31540260$6c01a8c0@home.wideopenthrottle.org> forgot to mention. I had to move the mqueue.in directory and then symlink it Mike ----- Original Message ----- From: "Richard at Quarryhouse" To: Sent: Tuesday, May 21, 2002 5:08 PM Subject: Error Installing > On attempting to install Mailscanner on my Cobalt RaQ4R, all seemed to go > OK until I got to start MailScanner. I then got the following error: > > [root etc]# /etc/rc.d/init.d/mailscanner start > Starting MailScanner: makemap: /etc/mail/virtusertable: line 1085: key > metalawca@www.jonskichov.co.uk: duplicate key > /var/spool/mqueue.in and /var/spool/mqueue must be on the same > filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. > > > Richard > From jkf at ecs.soton.ac.uk Tue May 21 23:46:21 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: SpamCheck Header In-Reply-To: Message-ID: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac.uk> At 17:44 21/05/2002, you wrote: >I have been using MailScanner for several months now, and I am very happy >with well it works. Thanks Julian! > >I have configured MailScanner to only add a header to an email if it is >tagged as spam, and not to modify the subject. I have told our users how to >filter their email based on this header. The header I have told them to >filter on is "X-MailScanner-SpamCheck:". > >With the new option Always Include SpamAssassin Report, it seems that this >header will now be in every message. I know that I don't have to set that >configuration option in my setup, but I am finding that there are others >(especially those on this list) that have it set, and so the header gets >added, and then filtered as spam when it comes to my mailbox. > >I am probably going to have to change the header that I filter on to >"X-MailScanner-SpamCheck: SpamAssassin", and tell all of my users the same >thing. But, before I do all of that work, I have some questions. > >* Does it even make sense to check for spam in your outgoing email? Maybe >it does, but do you really want the Spam Assassin report on your outgoing >email? Should there be an option to always include the Spam Assassin report >only on incoming email? I don't bother checking outgoing mail. Checking inbound mail stops your machines getting infected by the latest worm in the first place, so you are unlikely to send out any nasties anyway. But it seems a lot of people do check outbound even so. You can always rename the header to be X-MyISP-SpamCheck: You don't have to stick to the supplied header names, feel free to personalise them a bit. Of course I prefer people to leave MailScanner in the header somewhere, as it gets me more hits (and hence publicity, and hence users) from the search engines. >* Is it possible that this header will change again? Rather than having to >change the filtering rules again, can we have a specific header for mail >that was tagged as Spam, separate from the Spam Assassin report? >(X-MailScanner-FoundToBeSpam or something like that). Or maybe make this >header configurable? If you look for "X-MailScanner-SpamCheck: not spam" then you know it isn't spam, even though it might include a SpamAssassin header. Oh, and allow for the non-spam case where there isn't a SpamCheck header at all. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 23:50:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: UTF-8 Errors In-Reply-To: <004b01c200f8$dd543d10$11c9dbd1@WONDER> References: <20020521155027.15437.qmail@email.com> Message-ID: <5.1.0.14.2.20020521235010.02a15eb8@roadrunner.ecs.soton.ac.uk> These UTF-8 bugs are problems in SpamAssassin. Please report it to them. At 19:53 21/05/2002, you wrote: >I have the same errors, I noticed them after executing a >/etc/init.d/rc.d/mailscanner restart. I performed a stop then start and >now they are gone. Kelly Hamlin had the same problem but I never saw >any suggestions. > >D. > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Keith Wolters >Sent: Tuesday, May 21, 2002 10:50 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Errors from mailscanner > > >mailscanner was printing the following message on my console: > >Malformed UTF-8 character (unexpected continuation byte 0xb8) in >substitution iterator at >/usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm >line 828. > >I stopped mailscanner, moved files from /var/spool/mqueue.in to >/var/spool/mqueue and restarted mailscanner and it seems happy now. > >-- >_______________________________________________ >Sign-up for your own FREE Personalized E-mail at Email.com >http://www.email.com/?sr=signup -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 23:49:22 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? - POSSIBLE SOLUTION In-Reply-To: <56046.198.185.18.207.1022001187.squirrel@dlugosz.net> References: <35785.198.185.18.207.1021998434.squirrel@dlugosz.net> <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> <3CEA73D0.5040807@unixsecurity.org> <35785.198.185.18.207.1021998434.squirrel@dlugosz.net> Message-ID: <5.1.0.14.2.20020521234730.02a113d8@roadrunner.ecs.soton.ac.uk> This sounds as if it is very closely related to a Perl bug I hit in this function when I wrote it. There is a limited stack size for parsing/executing regexps in Perl, and I exceeded it from the looks of it. Basically the program would always bomb out if I did s/foo/bar/i and would work fine if I did s/foo/bar. Go figure! :-( At 18:13 21/05/2002, you wrote: >Well, I remembered one thing that I had changed yesterday when playing >with the configuration... In the advanced section of mailscanner.conf, I >changed the variable "Multiple Headers" from "append" to "replace"... >Seeing as to how the listserv email is what's causing the breakdown & that >it's primarily the only mail that'll pass through twice (and therefore >have multiple headers) it seems possible that this has something to do >with it. Maybe I just stumbled across a weird bug. Now that I've >switched it back to "append" I don't immediately have any trouble with >Mailman listserv messages. I'll be watching the system closely, >however... I'll keep you posted if anything changes. >Julian, if you want me to do any testing of this for you just let me know >and I'll do what I can! Thanks for your help! >-Ryan > >-- >Ryan Dlugosz >ryan@dlugosz.net > >http://dlugosz.net -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Tue May 21 23:56:14 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Error Installing In-Reply-To: <3CEACAAC.E715FEBD@elirion.net> References: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> Message-ID: <5.1.0.14.2.20020521235200.036cf008@roadrunner.ecs.soton.ac.uk> At 23:31 21/05/2002, you wrote: >Richard at Quarryhouse wrote: > > > > On attempting to install Mailscanner on my Cobalt RaQ4R, all seemed to go > > OK until I got to start MailScanner. I then got the following error: > > > > [root etc]# /etc/rc.d/init.d/mailscanner start > > Starting MailScanner: makemap: /etc/mail/virtusertable: line 1085: key > > metalawca@www.jonskichov.co.uk: duplicate key > > /var/spool/mqueue.in and /var/spool/mqueue must be on the same > > filesystem/partition! at /usr/local/MailScanner/bin/logger.pl line 60. > > > > Richard > >Richard, > > > >The second warning indicates that you don't have all the symbolic links >between >/var/spool and /home/spool set up correctly. See the RaQFaQ mentioned >above. You probably created /var/spool/mqueue.in rather than creating >/home/spool/mqueue.in and symbolically linking /var/spool/mqueue.in to it. This is necessary due to the fact that Sun set up their partitions somewhat less than optimally (to be kind). They didn't have enough space in the root partition for all the stuff they needed in /var, and didn't make a separate partition for /var, only /home. So various things (include the sendmail queues) were put in /home/spool with soft-links from /var/spool. MailScanner insists on the mqueue.in and mqueue directories being on the same filesystem, so you have to soft-link neither or both, but not just 1 of them. I don't know quite how to detect that I'm running on an unfixed Raq system when I install, I don't want to just test for whether /var/spool/mqueue is a link, something rather more robust than that. If I could, I would detect the system and set up the correct link for mqueue.in automatically. Any Raq users out there got any brilliany ideas on this one? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From richard.siddall at ELIRION.NET Wed May 22 00:30:38 2002 From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:14:48 2006 Subject: Detecting a Cobalt RaQ, was: Error Installing References: <5.1.0.14.2.20020521230730.0282b810@mail.quarryhouse.co.uk> <5.1.0.14.2.20020521235200.036cf008@roadrunner.ecs.soton.ac.uk> Message-ID: <3CEAD89E.AD4DC429@elirion.net> Julian Field wrote: > [snip] > I don't know quite how to detect that I'm running on an unfixed Raq system > when I install, I don't want to just test for whether /var/spool/mqueue is > a link, something rather more robust than that. If I could, I would detect > the system and set up the correct link for mqueue.in automatically. > > Any Raq users out there got any brilliany ideas on this one? > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ I don't know, maybe: [ -f /usr/local/sbin/cobalt_gestalt ] Or some other file that only shows up on a RaQ or Qube. (I only tested this on a RaQ4i.) In Perl you could do something like: eval { require Cobalt::Meta; } I hope this helps. Richard. From jkf at ecs.soton.ac.uk Wed May 22 01:08:23 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: Survey: Messages per day? Message-ID: <5.1.0.14.2.20020522010035.03556ec0@roadrunner.ecs.soton.ac.uk> I'm interested in working out a rough average (per site) of the number of email messages per day that pass through MailScanner. Please can you mail me (mailscanner@ecs.soton.ac.uk --- please DO NOT reply to the whole list!) your best guess of the figure for an average weekday. *Please* send me a figure. I guarantee you complete data privacy. Your number will only be used for working out an average figure, and I guarantee to completely delete all the data once I have processed it. If you would rather send me the figure anonymously, to hide the name of your site, then feel free to do so. If you scan outgoing as well as incoming, then please remember to include both figures. Remember to count all of your MailScanner servers including all your incoming MX's and outgoing relays as necessary. The ideal response will just be a number (I'm going to have to process this lot by hand). Many thanks! P.S. Once I've totted it all up I'll tell you why I'm interested, so stay tuned... Jules -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 01:00:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:48 2006 Subject: SpamCheck Header In-Reply-To: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac .uk> References: Message-ID: <5.1.0.14.2.20020522005544.02a39748@roadrunner.ecs.soton.ac.uk> At 23:46 21/05/2002, you wrote: >At 17:44 21/05/2002, you wrote: >>I have been using MailScanner for several months now, and I am very happy >>with well it works. Thanks Julian! >> >>I have configured MailScanner to only add a header to an email if it is >>tagged as spam, and not to modify the subject. I have told our users how to >>filter their email based on this header. The header I have told them to >>filter on is "X-MailScanner-SpamCheck:". >> >>With the new option Always Include SpamAssassin Report, it seems that this >>header will now be in every message. I know that I don't have to set that >>configuration option in my setup, but I am finding that there are others >>(especially those on this list) that have it set, and so the header gets >>added, and then filtered as spam when it comes to my mailbox. >> >>I am probably going to have to change the header that I filter on to >>"X-MailScanner-SpamCheck: SpamAssassin", and tell all of my users the same >>thing. But, before I do all of that work, I have some questions. >> >>* Does it even make sense to check for spam in your outgoing email? Maybe >>it does, but do you really want the Spam Assassin report on your outgoing >>email? Should there be an option to always include the Spam Assassin report >>only on incoming email? > >I don't bother checking outgoing mail. Checking inbound mail stops your >machines getting infected by the latest worm in the first place, so you are >unlikely to send out any nasties anyway. But it seems a lot of people do >check outbound even so. You can always rename the header to be > X-MyISP-SpamCheck: >You don't have to stick to the supplied header names, feel free to >personalise them a bit. Of course I prefer people to leave MailScanner in >the header somewhere, as it gets me more hits (and hence publicity, and >hence users) from the search engines. > >>* Is it possible that this header will change again? Rather than having to >>change the filtering rules again, can we have a specific header for mail >>that was tagged as Spam, separate from the Spam Assassin report? >>(X-MailScanner-FoundToBeSpam or something like that). Or maybe make this >>header configurable? > >If you look for "X-MailScanner-SpamCheck: not spam" then you know it isn't >spam, even though it might include a SpamAssassin header. Oh, and allow for >the non-spam case where there isn't a SpamCheck header at all. How about, if the SpamCheck header is going to be there (because you've asked to always get the SpamAssassin report) and the message isn't spam, then I add "not spam (whitelisted)" instead of the current "not spam", so you know why it got marked as spam? It's only about 1 line to change in the code. The following patch is *only* for the latest version of the code, and has not been completely tested. But if you are confused by the current behaviour, it should make it easier for your users to understand. ============================================= --- /usr/local/mailscanner/mailscanner/bin/sendmail.pl Mon May 20 13:50:27 2002 +++ sendmail.pl Wed May 22 00:59:13 2002 @@ -261,7 +261,9 @@ # Add "not spam, " to start of header if it isn't spam but we # have included a SpamAssassin header. - $SpamHeader = "not spam, " . $SpamHeader + $SpamHeader = "not spam" . + ($IsOnWhiteList?" (whitelisted), ":", ") . + $SpamHeader if $IsSpam->{$mID} != 1 && $SpamHeader ne ""; if ($SpamHeader ne "") { ============================================= This patch will be rolled into the next release unless anyone reports any nasty bugs. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From nwp at LEMON-COMPUTING.COM Wed May 22 01:02:28 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:48 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> Message-ID: <20020522000227.GD21929@hoiho.nz.lemon-computing.com> On Tue, May 21, 2002 at 08:16:25AM -0400, Ryan Dlugosz wrote: > http://dlugosz.net/~ryan/mailscanner_probs.html Try starting mailscanner from a terminal window. Then you may get a bit more output when it dies (e.g. segfault in perl). -- Nick Phillips -- nwp@lemon-computing.com An avocado-tone refrigerator would look good on your resume. From support at IQUEST.UCSB.EDU Wed May 22 01:26:53 2002 From: support at IQUEST.UCSB.EDU (Support) Date: Thu Jan 12 21:14:48 2006 Subject: MS not starting after SpamAssassin install Message-ID: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> Hi, I have Mailscanner running. when I installed spamassassin I tried running ./check_mailscanner and ./check_mailscanner.linux but they come up w/ this... ######################################### [root@frost bin]# ./check_mailscanner Starting virus scanner... Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: /usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at /usr/local/MailScanner/bin/sendmail.pl line 46. Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line 77. ######################################## I found spamassassin to be here /usr/lib /perl5/site_perl/5.6.1/Mail/SpamAssassin.pm so I tried to edit the /bin/sendmail.pl file use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; And that didnt work even thought the path to the module showed up in @INC. This looks like a problem w/ Mailscanner or spam assassin install. Is there another way of fixing this? thanx From darian at BEPINC.COM Wed May 22 03:07:53 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:48 2006 Subject: UTF-8 Errors References: <20020521155027.15437.qmail@email.com> <5.1.0.14.2.20020521235010.02a15eb8@roadrunner.ecs.soton.ac.uk> Message-ID: <003601c20135$7be1df50$b675fb0c@wheaton1.il.home.com> Thanks Julian ... will do. d. ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 21, 2002 5:50 PM Subject: Re: UTF-8 Errors > These UTF-8 bugs are problems in SpamAssassin. Please report it to them. > > At 19:53 21/05/2002, you wrote: > >I have the same errors, I noticed them after executing a > >/etc/init.d/rc.d/mailscanner restart. I performed a stop then start and > >now they are gone. Kelly Hamlin had the same problem but I never saw > >any suggestions. > > > >D. > > > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Keith Wolters > >Sent: Tuesday, May 21, 2002 10:50 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Errors from mailscanner > > > > > >mailscanner was printing the following message on my console: > > > >Malformed UTF-8 character (unexpected continuation byte 0xb8) in > >substitution iterator at > >/usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm > >line 828. > > > >I stopped mailscanner, moved files from /var/spool/mqueue.in to > >/var/spool/mqueue and restarted mailscanner and it seems happy now. > > > >-- > >_______________________________________________ > >Sign-up for your own FREE Personalized E-mail at Email.com > >http://www.email.com/?sr=signup > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From sysadmin at DMS.UMONTREAL.CA Wed May 22 02:10:05 2002 From: sysadmin at DMS.UMONTREAL.CA (sysadmin) Date: Thu Jan 12 21:14:48 2006 Subject: Survey: Messages per day? References: <5.1.0.14.2.20020522010035.03556ec0@roadrunner.ecs.soton.ac.uk> Message-ID: <3CEAEFED.6070202@DMS.UMontreal.CA> Julian Field, Frankly, I dont keep statistics. Do you have a script/ a calculation I could do to send you this information. I'd be happy to, but to be honest I'm too lazy to figure out how. Chris From rishi at THEARGONCOMPANY.COM Wed May 22 06:39:43 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:48 2006 Subject: how to let mailscanner or spam assassin know this is spam Message-ID: <006501c20153$13a21d60$1500a8c0@gangfam.com> hey guys, I got this email. it there a way to let mailscanner or Spam assassin know that this email is Spam for sure. regards rishi -------------- next part -------------- An embedded message was scrubbed... From: ????????..?n?H?~?????H..@enews.com.tw Subject: =?big5?Q?=B4=A3=A8=D1=A8D=C2=BE=BB=DD=A8D20=B8U=A4H=A4~=B8=EA=AE=C6=AEw?= Date: Wed, 22 May 2002 09:34:39 +0530 Size: 2307 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020522/1885111f/______20______.eml From mike at ZANKER.ORG Wed May 22 07:45:16 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:48 2006 Subject: SpamCheck Header In-Reply-To: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac. uk> Message-ID: <120618900.1022053516@jemima.zanker.org> On 21 May 2002 23:46 +0100 Julian Field wrote: > If you look for "X-MailScanner-SpamCheck: not spam" then you know it > isn't spam, even though it might include a SpamAssassin header. The problem with this is that if the e-mail scores *anything* with SpamAssassin, even if it is less than the threshold, it gets the "X-MailScanner-SpamCheck: SpamAssassin" header rather than "not spam". See Mike Kercher's contributions for an example. I've had to go back to filtering on {SPAM?} at the start of the Subject: field. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From jkf at ecs.soton.ac.uk Wed May 22 09:21:06 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: Survey: Messages per day? In-Reply-To: <3CEAEFED.6070202@DMS.UMontreal.CA> References: <5.1.0.14.2.20020522010035.03556ec0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020522092019.03791a08@roadrunner.ecs.soton.ac.uk> At 02:10 22/05/2002, you wrote: >Frankly, I dont keep statistics. Do you have a script/ a calculation I >could do to send you this information. I'd be happy to, but to be honest >I'm too lazy to figure out how. The sendmail "mailstats" program may help. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 09:19:45 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: MS not starting after SpamAssassin install In-Reply-To: <000201c20127$5f540790$800f6f80@iquest.ucsb.edu> Message-ID: <5.1.0.14.2.20020522091843.0376e008@roadrunner.ecs.soton.ac.uk> At 01:26 22/05/2002, you wrote: > I have Mailscanner running. when I installed spamassassin I tried running >./check_mailscanner and ./check_mailscanner.linux but they come up w/ >this... In the process of installing SpamAssassin, your copy of Perl got upgraded too. The "old version hunting" that Perl does isn't quite enough for SpamAssassin to work. So you'll need to re-install SpamAssassin. Then it should go. >######################################### >[root@frost bin]# ./check_mailscanner >Starting virus scanner... >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: >/usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux >/usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux >/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at >/usr/local/MailScanner/bin/sendmail.pl line 46. >Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line >77. > >######################################## > >I found spamassassin to be here /usr/lib >/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > >so I tried to edit the /bin/sendmail.pl file > >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > >And that didnt work even thought the path to the module showed up in @INC. > > This looks like a problem w/ Mailscanner or spam assassin install. > > >Is there another way of fixing this? > >thanx -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 09:17:29 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: SpamCheck Header In-Reply-To: <120618900.1022053516@jemima.zanker.org> References: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac. uk> Message-ID: <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac.uk> At 07:45 22/05/2002, you wrote: >On 21 May 2002 23:46 +0100 Julian Field wrote: > >>If you look for "X-MailScanner-SpamCheck: not spam" then you know it >>isn't spam, even though it might include a SpamAssassin header. > >The problem with this is that if the e-mail scores *anything* with >SpamAssassin, even if it is less than the threshold, it gets the >"X-MailScanner-SpamCheck: SpamAssassin" header rather than "not spam". >See Mike Kercher's contributions for an example. (Did you mean him? I can only find 2 postings to the list from him, neither of which seem relevant) And are you definitely testing this against the latest release? I have just checked the following: Note that the spam message scores 17, the non-spam message scores -2.8, i.e. both scores are non-zero. 1) spam from "Accept Spam From" host, Always Include SA Header=yes ==> "not spam (whitelisted), SpamAssassin...." 2) non-spam from "Accept Spam From" host, Always Include SA Header=yes ==> "not spam (whitelisted), SpamAssassin...." 3) spam from non-exempt host, Always Include SA Header=no ==> "SpamAssassin...." 4) non-spam from non-exempt host, Always Include SA Header=no ==> no SpamCheck header 5) spam from exempt host, Always Include SA Header=no ==> no SpamCheck header 6) non-spam from exempt host, Always Include SA Header=no ==> no SpamCheck header 7) spam from non-exempt host, Always Include SA Header=yes ==> "SpamAssassin...." 8) non-spam from non-exempt host, Always Include SA Header=yes ==> "not spam, SpamAssassin...." All of which are exactly as I would have expected. Given non-spam messages it either doesn't put in a SpamCheck header at all, or puts in one starting with "not spam" as I intended. So what cases have I missed? It seems to be working as intended... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 09:21:58 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: how to let mailscanner or spam assassin know this is spam In-Reply-To: <006501c20153$13a21d60$1500a8c0@gangfam.com> Message-ID: <5.1.0.14.2.20020522092139.0376ce38@roadrunner.ecs.soton.ac.uk> At 06:39 22/05/2002, you wrote: >I got this email. it there a way to let mailscanner or Spam assassin know >that this email is Spam for sure. Do a web search for Razor and have a read... >regards > >rishi >Return-Path: >Received: from theargonserver.theargoncompany.com ([202.88.143.72]) > by mail003.ownmail.com (8.10.2/8.10.2) with ESMTP id g4M4IVr01105 > for ; Wed, 22 May 2002 09:48:31 +0530 >Received: (from rishi@localhost) > by theargonserver.theargoncompany.com (8.9.3/8.9.3) id JAA13093 > for rishi@gangfam.com; Wed, 22 May 2002 09:50:50 +0530 >Received: from localhost (IDENT:rishi@localhost [127.0.0.1]) > by theargonserver.theargoncompany.com (8.9.3/8.9.3) with ESMTP id > JAA12267 > for ; Wed, 22 May 2002 09:50:21 +0530 >Received: from theargoncompany.com [66.109.239.73] > by localhost with POP3 (fetchmail-5.9.0) > for rishi@localhost (single-drop); Wed, 22 May 2002 09:50:22 > +0530 (IST) >Received: from formosa-1 (61-230-73-166.HINET-IP.hinet.net [61.230.73.166]) > by adsl-66-109-239-74.dejazzd.com (8.10.2/8.10.2) with SMTP id > g4M44cC11778 > for ; Wed, 22 May 2002 09:34:39 +0530 >Date: Wed, 22 May 2002 09:34:39 +0530 >Received: from seed > by tpts5.seed.net.tw with SMTP id Cd5KLmK107COhYleX; > Wed, 22 May 2002 12:17:21 +0800 >Message-ID: >From: ????????..?n?H?~?????H..@enews.com.tw >To: ?D?~?q?l?s?D??@enews.com.tw >Subject: >=?big5?Q?=B4=A3=A8=D1=A8D=C2=BE=BB=DD=A8D20=B8U=A4H=A4~=B8=EA=AE=C6=AEw?= >MIME-Version: 1.0 >Content-Type: multipart/related; > type="multipart/alternative"; > boundary="----=_NextPart_vBnSPDoXHFBFVIxJf" >X-Mailer: DaR3QFlIQfTXgu2QKwwP >X-Priority: 3 >X-MSMail-Priority: Normal >X-MailScanner: Found to be clean, Found to be clean >X-UIDL: %O,#!eS/"!-('!!K6G"! >X-Logged: Logged by theargonserver.theargoncompany.com as JAA13093 at Wed >May 22 09:50:50 2002 >Status: -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mike at ZANKER.ORG Wed May 22 09:44:26 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:49 2006 Subject: SpamCheck Header In-Reply-To: <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac. uk> Message-ID: <127769432.1022060666@jemima.zanker.org> On 22 May 2002 09:17 +0100 Julian Field wrote: > (Did you mean him? I can only find 2 postings to the list from him, > neither of which seem relevant) I have this header in his e-mails: > X-MailScanner-SpamCheck: SpamAssassin (score=2.7, required 5, SUBJ_HAS_SPACES) I assumed it was being added by his installation but it's obviously being added here. I thought that it would say "not spam" if the SA score was less than the threshold. > And are you definitely testing this against the latest release? 3.15-3 and SA 2.20. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From support at IQUEST.UCSB.EDU Wed May 22 09:40:20 2002 From: support at IQUEST.UCSB.EDU (Support) Date: Thu Jan 12 21:14:49 2006 Subject: MS not starting after SpamAssassin install In-Reply-To: <5.1.0.14.2.20020522091843.0376e008@roadrunner.ecs.soton.ac.uk> Message-ID: I did that and it still came up w/ the same problem installed rpm -ivh --force spamassassin that didn't work so rpm -e spamassassin rpm -ivh spamassassin still no go. any suggestions or is it a spamassassin prob. thanx. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, May 22, 2002 1:20 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS not starting after SpamAssassin install At 01:26 22/05/2002, you wrote: > I have Mailscanner running. when I installed spamassassin I tried running >./check_mailscanner and ./check_mailscanner.linux but they come up w/ >this... In the process of installing SpamAssassin, your copy of Perl got upgraded too. The "old version hunting" that Perl does isn't quite enough for SpamAssassin to work. So you'll need to re-install SpamAssassin. Then it should go. >######################################### >[root@frost bin]# ./check_mailscanner >Starting virus scanner... >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: >/usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux >/usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux >/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at >/usr/local/MailScanner/bin/sendmail.pl line 46. >Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line >77. > >######################################## > >I found spamassassin to be here /usr/lib >/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > >so I tried to edit the /bin/sendmail.pl file > >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > >And that didnt work even thought the path to the module showed up in @INC. > > This looks like a problem w/ Mailscanner or spam assassin install. > > >Is there another way of fixing this? > >thanx -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From Patricia.Keena at DIT.IE Wed May 22 09:54:12 2002 From: Patricia.Keena at DIT.IE (Patricia Keena) Date: Thu Jan 12 21:14:49 2006 Subject: MS not starting after SpamAssassin install References: Message-ID: <033101c2016e$3e91d450$cc02fc93@patricia> I think there's a problem with the latest rpm for spamassassin. I upgraded on Monday using the rpm and experienced many difficulties. I then downloaded the tar file and installed it using the instructions for perl. This worked well Patricia ----- Original Message ----- From: "Support" To: Sent: Wednesday, May 22, 2002 9:40 AM Subject: Re: MS not starting after SpamAssassin install I did that and it still came up w/ the same problem installed rpm -ivh --force spamassassin that didn't work so rpm -e spamassassin rpm -ivh spamassassin still no go. any suggestions or is it a spamassassin prob. thanx. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, May 22, 2002 1:20 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS not starting after SpamAssassin install At 01:26 22/05/2002, you wrote: > I have Mailscanner running. when I installed spamassassin I tried running >./check_mailscanner and ./check_mailscanner.linux but they come up w/ >this... In the process of installing SpamAssassin, your copy of Perl got upgraded too. The "old version hunting" that Perl does isn't quite enough for SpamAssassin to work. So you'll need to re-install SpamAssassin. Then it should go. >######################################### >[root@frost bin]# ./check_mailscanner >Starting virus scanner... >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: >/usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux >/usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux >/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at >/usr/local/MailScanner/bin/sendmail.pl line 46. >Compilation failed in require at /usr/local/MailScanner/bin/mailscanner line >77. > >######################################## > >I found spamassassin to be here /usr/lib >/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > >so I tried to edit the /bin/sendmail.pl file > >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > >And that didnt work even thought the path to the module showed up in @INC. > > This looks like a problem w/ Mailscanner or spam assassin install. > > >Is there another way of fixing this? > >thanx -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -- This message has been scanned for viruses by the DIT Computer Centre MailScanner Service, and is believed to be clean. -- This message has been scanned for viruses by the DIT Computer Centre MailScanner Service, and is believed to be clean. From LISTSERV at JISCMAIL.AC.UK Wed May 22 09:46:30 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:49 2006 Subject: MAILSCANNER: bruce@BRIT-NET.COM left the JISCmail list Message-ID: <200205220846.JAA02726@magpie.ecs.soton.ac.uk> Wed, 22 May 2002 09:46:30 Bruce Bennett has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Wed May 22 10:19:48 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: MS not starting after SpamAssassin install In-Reply-To: References: <5.1.0.14.2.20020522091843.0376e008@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020522101847.02aa6d20@roadrunner.ecs.soton.ac.uk> I've never tried installing spamassassin via rpm. I would recommend CPAN (as described on the SpamAssassin web site) or even a manual perl Makefile.PL make make install which is safest and is really pretty easy. At 09:40 22/05/2002, you wrote: >I did that and it still came up w/ the same problem > >installed > >rpm -ivh --force spamassassin > >that didn't work so > >rpm -e spamassassin > >rpm -ivh spamassassin > >still no go. > >any suggestions or is it a spamassassin prob. > >thanx. > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Wednesday, May 22, 2002 1:20 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MS not starting after SpamAssassin install > > >At 01:26 22/05/2002, you wrote: > > I have Mailscanner running. when I installed spamassassin I tried >running > >./check_mailscanner and ./check_mailscanner.linux but they come up w/ > >this... > >In the process of installing SpamAssassin, your copy of Perl got upgraded >too. The "old version hunting" that Perl does isn't quite enough for >SpamAssassin to work. So you'll need to re-install SpamAssassin. Then it >should go. > > > > >######################################### > >[root@frost bin]# ./check_mailscanner > >Starting virus scanner... > >Can't locate Mail/SpamAssassin.pm in @INC (@INC contains: > >/usr/local/MailScanner/bin /usr/lib/perl5/5.6.0/i386-linux > >/usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux > >/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at > >/usr/local/MailScanner/bin/sendmail.pl line 46. > >Compilation failed in require at /usr/local/MailScanner/bin/mailscanner >line > >77. > > > >######################################## > > > >I found spamassassin to be here /usr/lib > >/perl5/site_perl/5.6.1/Mail/SpamAssassin.pm > > > >so I tried to edit the /bin/sendmail.pl file > > > >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail'; > >use lib '/usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin'; > > > > > >And that didnt work even thought the path to the module showed up in @INC. > > > > This looks like a problem w/ Mailscanner or spam assassin install. > > > > > >Is there another way of fixing this? > > > >thanx > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Wed May 22 11:05:41 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:49 2006 Subject: mailscanner 3.15-3 proc dies without error/warning - tied to mailman? In-Reply-To: <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> References: <50138.198.185.18.207.1021983385.squirrel@dlugosz.net> <5.1.0.14.2.20020521135318.04ad3b78@roadrunner.ecs.soton.ac.uk> <64191.198.185.18.207.1021988977.squirrel@dlugosz.net> Message-ID: On Tue, 21 May 2002 09:49:37 -0400, you wrote: >I received NO errors at all on the console, even when the Perl process >died. I sent a few emails back and forth which all worked just fine. >Then, I sent an email to "test@dlugosz.net", a test Mailman list which >only has two subscribers (myself and another remote account). The email >was scanned, passed to the Mailman wrapper script, then sent out again. >Now, each of the 2 emails (one for each address on the list) are scanned - >Boom - Perl process is gone, no errors. The mail sits in the mqueue.in >folder - They appear to have actually been scanned (they contain the >mailscanner headers), but MS appears to have died before it moved them >into the outgoing queue. Could it be that the mailscanner header comes from the first scan (leaves mailman those headers intact) and mailscanner doesn't now what to do when he encounters an already scanned e-mail? In what way is the output of mailman handed over to sendmail (and mailscanner for that matter)? -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jkf at ecs.soton.ac.uk Wed May 22 11:15:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:49 2006 Subject: SpamCheck Header In-Reply-To: <127769432.1022060666@jemima.zanker.org> References: <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac. uk> Message-ID: <5.1.0.14.2.20020522111208.03530dd0@roadrunner.ecs.soton.ac.uk> At 09:44 22/05/2002, you wrote: >I have this header in his e-mails: > >>X-MailScanner-SpamCheck: SpamAssassin (score=2.7, required 5, >SUBJ_HAS_SPACES) > >I assumed it was being added by his installation but it's obviously >being added here. I thought that it would say "not spam" if the SA >score was less than the threshold. If you are sure it is being generated by your site, then I cannot reproduce the problem. As you see from my earlier post on this, I have tested just about every combination I can think of and it is working fine. Please just check that starting at line 342 of sendmail.pl, your code reads like this: # Do the actual tests and work out the integer result $spamness = $Test->check($Mail); $SAResult = ($spamness->is_spam())?1:0; #$SAResult = int($spamness->get_hits()) if $SAResult; $HitList = $spamness->get_names_of_tests_hit(); -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Wed May 22 11:20:08 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:49 2006 Subject: SpamCheck Header In-Reply-To: References: Message-ID: <1ormeuovhsurvnnaskakft3s42bltlhdvk@4ax.com> On Tue, 21 May 2002 12:44:40 -0400, you wrote: >I am probably going to have to change the header that I filter on to >"X-MailScanner-SpamCheck: SpamAssassin", and tell all of my users the same >thing. But, before I do all of that work, I have some questions. > >* Does it even make sense to check for spam in your outgoing email? Maybe >it does, but do you really want the Spam Assassin report on your outgoing >email? Should there be an option to always include the Spam Assassin report >only on incoming email? It is not only outgoing mail. It could also be some intermediate mailserver (fallback MX?). >* Is it possible that this header will change again? Rather than having to >change the filtering rules again, can we have a specific header for mail >that was tagged as Spam, separate from the Spam Assassin report? >(X-MailScanner-FoundToBeSpam or something like that). Or maybe make this >header configurable? You can decide on the header yourself: # Set the name of the extra header to add to all messages found to be # likely spam. Spam Header = X-MailScanner-at-utwente.nl-SpamCheck: -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From ft at IT.SU.SE Wed May 22 11:50:01 2002 From: ft at IT.SU.SE (Fredrik Thulin) Date: Thu Jan 12 21:14:49 2006 Subject: interested in Postfix support? Message-ID: <200205221250.01823.ft@it.su.se> I have been working on Postfix support for MailScanner. I sent the first version I beleive was basically working to Julian Field 2002-04-24 but it has not been merged into MailScanner yet. Since then, I have made lots of other changes. I have gotten rid of all the passing around of hash variables and instead have a MailScannerMessageObject created for each message found in the queue. Queue scanning is done recursively, so it is possible to have multiple queues with my version. In my opinion, the code is much more readable and although I'm sure not everything works correctly (we have not started using it in a real mail environment yet) yet I beleive it is much easier to add things to this version. Since I apparently have made too many changes for Julian to merge my patches into MailScanner I am thinking of forking off a "branch" to get more people involved in the development until Julian beleives the code is of such quality that it can be put into the official MailScanner he maintains and distributes (ie. putting up a CVS repository and a mailing list). Is there any interest in this? Reply to the list or to me privately - whatever you feel is most appropriate. Fredrik Thulin, Stockholm University From mike at ZANKER.ORG Wed May 22 12:20:17 2002 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:14:49 2006 Subject: SpamCheck Header In-Reply-To: <5.1.0.14.2.20020522111208.03530dd0@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020522111208.03530dd0@roadrunner.ecs.soton.ac. uk> Message-ID: <8396573.1022070017@jemima.zanker.org> On 22 May 2002 11:15 +0100 Julian Field wrote: > If you are sure it is being generated by your site, then I cannot > reproduce the problem. Well, if the header is not appearing on your copy of his message it must be being added here. > As you see from my earlier post on this, I > have tested just about every combination I can think of and it is > working fine. Yes, weird. > Please just check that starting at line 342 of sendmail.pl, your code > reads like this: > > # Do the actual tests and work out the integer result > $spamness = $Test->check($Mail); > $SAResult = ($spamness->is_spam())?1:0; > #$SAResult = int($spamness->get_hits()) if $SAResult; > $HitList = $spamness->get_names_of_tests_hit(); Yes, that's exactly what I have but starting at line 340, not 342. Mike -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From hamish.n.marson at BRITISHAIRWAYS.COM Wed May 22 12:13:18 2002 From: hamish.n.marson at BRITISHAIRWAYS.COM (Hamish Marson) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? Message-ID: An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020522/73c45ed4/attachment.html From pesquive at UAZUAY.EDU.EC Wed May 22 12:33:18 2002 From: pesquive at UAZUAY.EDU.EC (Pablo Esteban Esquivel Leon) Date: Thu Jan 12 21:14:50 2006 Subject: can mailscanner check email output? Message-ID: <200205221133.QAA17793@www.uazuay.edu.ec> can mailscanner check email output the server? thank you puede mailscanner revizar el correo que sale del servidor? gracias ________________________________ Pablo Esquivel Universidad del Azuay Cuenca - Ecuador From ft at IT.SU.SE Wed May 22 12:42:29 2002 From: ft at IT.SU.SE (Fredrik Thulin) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: References: Message-ID: <200205221342.29713.ft@it.su.se> On Wednesday 22 May 2002 13.13, Hamish Marson wrote: > I'm interested, but since there is a content_filter interface & Wietse is > really anti anyone screwing with the queue files, shouldn't it be > implemented as a postfix content_filter instead? This is true. Screwing with the queue files (I only read them, I deliver scanned mail via SMTP to a second postfix instance so there is at least less chance of really screwing them) is done at your own risk. Meaning: don't whine at Wietse when it doesn't work ;) However, content_filter means one exec() per mail. Not feasible when you are exec:ing Perl IMO. We are planning on using this on a mail-system currently delivering 1-2 GB of mail every day. Probably 2/3 of these during business hours. An alternative would of course be to have MailScanner running as a daemon and exec:ing a small C client that contacts the daemon... still feels a bit expensive though. /Fredrik From nwp at LEMON-COMPUTING.COM Wed May 22 12:39:36 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: <200205221250.01823.ft@it.su.se> References: <200205221250.01823.ft@it.su.se> Message-ID: <20020522113936.GC31466@hoiho.nz.lemon-computing.com> On Wed, May 22, 2002 at 12:50:01PM +0200, Fredrik Thulin wrote: > Since I apparently have made too many changes for Julian to merge my patches > into MailScanner I am thinking of forking off a "branch" to get more people > involved in the development until Julian beleives the code is of such quality > that it can be put into the official MailScanner he maintains and distributes > (ie. putting up a CVS repository and a mailing list). I will be going over the patches. Once I understand them a bit better (I'm not really familiar with postfix), I'll either merge them in or get back to you asking for more information/help/whatever. There were a few areas when I first looked that I thought I might need convincing about (as I said, I'm not familiar with how postfix works, so there may well be good reasons for some of the bits that look "odd" to me), but I'll give you a shout when I get to looking at it. Feel free to hassle me to do so; I've been showered with lots of things to do recently -- most of which are not terribly important -- so hassling me gently may well move it up the list ;) In any case, we'll be hoping to have it all integrated for the next major release of mailscanner (which will also have autoconf-based configuration and installation, and hopefully something to make updating config files easier). Um, what else is on my to-do list?... internal TNEF decoding based on the CPAN module, better/more portable locking (again probably trying to use the CPAN lockf module iff it is present), more scanners supported (and possibly making it easier for third parties to provide and maintain scanner support)... and one or two other ideas. I'm not saying I'll get all that done, or all into a state which Julian will be happy to release ;-) but that's what I'm aiming at. Priorities are autoconf (nearly done), postfix (depending on complexity), and locking at the moment. Several extra scanners are done (contributed code is merged) but I may need to get some more information from the contributors and then get some testers. Better get to work I guess... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Don't Worry, Be Happy. From nwp at LEMON-COMPUTING.COM Wed May 22 13:01:24 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: <200205221342.29713.ft@it.su.se> References: <200205221342.29713.ft@it.su.se> Message-ID: <20020522120124.GE31466@hoiho.nz.lemon-computing.com> On Wed, May 22, 2002 at 01:42:29PM +0200, Fredrik Thulin wrote: > However, content_filter means one exec() per mail. Not feasible when you are > exec:ing Perl IMO. We are planning on using this on a mail-system currently > delivering 1-2 GB of mail every day. Probably 2/3 of these during business > hours. Ideally, given the philosophy behind postfix (each program does it's own one thing etc.), there would/should be a suitable reliable interface provided by postfix to enable one to suck in and blow out queue files. Seems that no-one writing an MTA ever thinks that anyone else could possibly want to do stuff to their queues, though... they're probably right *most* of the time. *shrug* -- Nick Phillips -- nwp@lemon-computing.com You will experience a strong urge to do good; but it will pass. From jaearick at COLBY.EDU Wed May 22 13:24:41 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:50 2006 Subject: "notify postmaster if local" feature request Message-ID: Julian, I have my "notify" flags set to: Notify Senders = no Notify Local Postmaster = yes The only postmaster notifications I care about are ones for virii coming from my domain, not the outside. With Klez, I would really like a "notify postmaster if coming from local domain" flag, where it checks against an IP number block (137.146. in my case) or the domain name specified in the "Local Domains" setting. If local, then notify, otherwise not. Any chance of this? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From P.G.M.Peters at civ.utwente.nl Wed May 22 13:37:45 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:50 2006 Subject: f-prot experience Message-ID: <1r3neusie7472ng1pca3bn209dk0h1lc50@4ax.com> I have been testing mailscanner with f-prot for a few weeks now. I have been using the demo version of "F-Prot Linux for Small Business". When we will start to roll out the scanning for all employees and students perhaps we will need to get the "F-Prot Linux for Enterprise Business". Anybody any experience with this version in combination with MailScanner? I believe it is arranged a bit different from the Small Business version. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From LISTSERV at JISCMAIL.AC.UK Wed May 22 13:52:42 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:50 2006 Subject: MAILSCANNER: vvolcko@CSAS.CZ left the JISCmail list Message-ID: <200205221252.NAA25534@magpie.ecs.soton.ac.uk> Wed, 22 May 2002 13:52:42 Vladimir Volcko has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Wed May 22 13:51:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:50 2006 Subject: "notify postmaster if local" feature request In-Reply-To: Message-ID: <5.1.0.14.2.20020522134939.02ce3eb0@roadrunner.ecs.soton.ac.uk> Have you looked at this option in mailscanner.conf? it does something pretty close to what I think you're looking for, and may be close enough. # Deliver messages with viruses removed to their original recipients # if they came from a local address, or just delete them so no-one knows # we have a virus outbreak on our site? Deliver From Local Domains = yes Otherwise you could pretty easily write a little script (called by procmail) to grep for your domain name in the "From:" information in the body of the postmaster warning message. At 13:24 22/05/2002, you wrote: >Julian, > > I have my "notify" flags set to: > >Notify Senders = no >Notify Local Postmaster = yes > >The only postmaster notifications I care about are ones for virii coming >from my domain, not the outside. With Klez, I would really like a >"notify postmaster if coming from local domain" flag, where it checks >against an IP number block (137.146. in my case) or the domain name >specified in the "Local Domains" setting. If local, then notify, otherwise >not. Any chance of this? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 14:05:46 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: <20020522113936.GC31466@hoiho.nz.lemon-computing.com> References: <200205221250.01823.ft@it.su.se> <200205221250.01823.ft@it.su.se> Message-ID: <5.1.0.14.2.20020522140138.02d49320@roadrunner.ecs.soton.ac.uk> Fredrik, I would just like to echo what Nick has said. Between us, we *will* get time to work on your patches at some point hopefully fairly soon, and I thoroughly agree that a more OO approach would be better. The reason it isn't is historical and due to the way MailScanner was born :-) I would much prefer that the development did not fork at this point, particularly as supporting it will become a lot harder as I won't often know which version of the code people are talking about. I (very nearly) single-handedly support all 8,000 sites currently using MailScanner in my spare time at work, and so extra support load is something that I *really* care about. So, if you can, please be patient with us. I hope you appreciate the situation. Many thanks for your contribution! Jules. At 12:39 22/05/2002, you wrote: >On Wed, May 22, 2002 at 12:50:01PM +0200, Fredrik Thulin wrote: > > > Since I apparently have made too many changes for Julian to merge my > patches > > into MailScanner I am thinking of forking off a "branch" to get more people > > involved in the development until Julian beleives the code is of such > quality > > that it can be put into the official MailScanner he maintains and > distributes > > (ie. putting up a CVS repository and a mailing list). > >I will be going over the patches. Once I understand them a bit better (I'm >not really familiar with postfix), I'll either merge them in or get back to >you asking for more information/help/whatever. > >There were a few areas when I first looked that I thought I might need >convincing about (as I said, I'm not familiar with how postfix works, so >there may well be good reasons for some of the bits that look "odd" to me), >but I'll give you a shout when I get to looking at it. Feel free to hassle >me to do so; I've been showered with lots of things to do recently -- most >of which are not terribly important -- so hassling me gently may well move >it up the list ;) > >In any case, we'll be hoping to have it all integrated for the next major >release of mailscanner (which will also have autoconf-based configuration >and installation, and hopefully something to make updating config files >easier). Um, what else is on my to-do list?... internal TNEF decoding >based on the CPAN module, better/more portable locking (again probably >trying to use the CPAN lockf module iff it is present), more scanners >supported (and possibly making it easier for third parties to provide >and maintain scanner support)... and one or two other ideas. > >I'm not saying I'll get all that done, or all into a state which Julian >will be happy to release ;-) but that's what I'm aiming at. > >Priorities are autoconf (nearly done), postfix (depending on complexity), >and locking at the moment. > >Several extra scanners are done (contributed code is merged) but I may need >to get some more information from the contributors and then get some testers. > >Better get to work I guess... > > >Cheers, > > >Nick >-- >Nick Phillips -- nwp@lemon-computing.com >Don't Worry, Be Happy. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From henrik at LEWANDER.COM Wed May 22 14:10:22 2002 From: henrik at LEWANDER.COM (Henrik Lewander) Date: Thu Jan 12 21:14:50 2006 Subject: Survey: Messages per day? References: <5.1.0.14.2.20020522010035.03556ec0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020522092019.03791a08@roadrunner.ecs.soton.ac.uk> Message-ID: <0eaa01c20192$0db405f0$4bf90bc1@hemmet.chalmers.se> > At 02:10 22/05/2002, you wrote: > >Frankly, I dont keep statistics. Do you have a script/ a calculation I > >could do to send you this information. I'd be happy to, but to be honest > >I'm too lazy to figure out how. > > The sendmail "mailstats" program may help. On systems with exim, try eximstats Regards, Henrik -- ( ][ Husaberg FE 350 ][ Honda XR 650 ][ Avancez MC ][ c[] Husan ?r till salu! Se http://henrik.lewander.com/husan From LISTSERV at JISCMAIL.AC.UK Wed May 22 14:13:08 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:50 2006 Subject: MAILSCANNER: srhitch@MECHENG1.UWATERLOO.CA requested to join Message-ID: <200205221313.OAA27629@magpie.ecs.soton.ac.uk> Wed, 22 May 2002 14:13:08 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Steve Hitchman You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER srhitch@MECHENG1.UWATERLOO.CA Steve Hitchman PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER srhitch@MECHENG1.UWATERLOO.CA Steve Hitchman // EOJ From ft at it.su.se Wed May 22 14:25:57 2002 From: ft at it.su.se (Fredrik Thulin) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: <5.1.0.14.2.20020522140138.02d49320@roadrunner.ecs.soton.ac.uk> References: <200205221250.01823.ft@it.su.se> <5.1.0.14.2.20020522140138.02d49320@roadrunner.ecs.soton.ac.uk> Message-ID: <200205221525.57419.ft@it.su.se> On Wednesday 22 May 2002 15.05, Julian Field wrote: > Fredrik, > > I would just like to echo what Nick has said. Between us, we *will* get > time to work on your patches at some point hopefully fairly soon, and I Sounds good. > thoroughly agree that a more OO approach would be better. The reason it > isn't is historical and due to the way MailScanner was born :-) Of course =) > I would much prefer that the development did not fork at this point, > particularly as supporting it will become a lot harder as I won't often > know which version of the code people are talking about. I agree that a fork would be suboptimal, it just seemed like there was no other solution since the difference between our versions grew so large. > I (very nearly) > single-handedly support all 8,000 sites currently using MailScanner in my > spare time at work, and so extra support load is something that I *really* > care about. Might I suggest that you set up the necessary parts to lessen the load on yourself? If you set up something (sourceforge perhaps) that allows other people anonymous read access to the CVS repository, CVS diffs via mail and CVS write access to those you feel confident in giving that to then you would not have to do it all by yourself. > So, if you can, please be patient with us. I hope you appreciate the > situation. > > Many thanks for your contribution! Thanks for all the parts you wrote ;) I would still like people interested in helping development of the Postfix support and OO rewrites to get in touch with me or the list. Someone with a hobby site running Postfix and some Perl knowledge would be ideal to start really using the code. I'm sure there are lots of bugs in there (because there is so much new code) but the framework is in place. Also people running Sendmail and Exim needs to test the code, since I could not avoid touching some of that... /Fredrik From ft at it.su.se Wed May 22 14:25:57 2002 From: ft at it.su.se (Fredrik Thulin) Date: Thu Jan 12 21:14:50 2006 Subject: interested in Postfix support? In-Reply-To: <5.1.0.14.2.20020522140138.02d49320@roadrunner.ecs.soton.ac.uk> References: <200205221250.01823.ft@it.su.se> <5.1.0.14.2.20020522140138.02d49320@roadrunner.ecs.soton.ac.uk> Message-ID: <200205221525.57419.ft@it.su.se> On Wednesday 22 May 2002 15.05, Julian Field wrote: > Fredrik, > > I would just like to echo what Nick has said. Between us, we *will* get > time to work on your patches at some point hopefully fairly soon, and I Sounds good. > thoroughly agree that a more OO approach would be better. The reason it > isn't is historical and due to the way MailScanner was born :-) Of course =) > I would much prefer that the development did not fork at this point, > particularly as supporting it will become a lot harder as I won't often > know which version of the code people are talking about. I agree that a fork would be suboptimal, it just seemed like there was no other solution since the difference between our versions grew so large. > I (very nearly) > single-handedly support all 8,000 sites currently using MailScanner in my > spare time at work, and so extra support load is something that I *really* > care about. Might I suggest that you set up the necessary parts to lessen the load on yourself? If you set up something (sourceforge perhaps) that allows other people anonymous read access to the CVS repository, CVS diffs via mail and CVS write access to those you feel confident in giving that to then you would not have to do it all by yourself. > So, if you can, please be patient with us. I hope you appreciate the > situation. > > Many thanks for your contribution! Thanks for all the parts you wrote ;) I would still like people interested in helping development of the Postfix support and OO rewrites to get in touch with me or the list. Someone with a hobby site running Postfix and some Perl knowledge would be ideal to start really using the code. I'm sure there are lots of bugs in there (because there is so much new code) but the framework is in place. Also people running Sendmail and Exim needs to test the code, since I could not avoid touching some of that... /Fredrik From P.G.M.Peters at civ.utwente.nl Wed May 22 15:07:05 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:50 2006 Subject: "notify postmaster if local" feature request In-Reply-To: References: Message-ID: On Wed, 22 May 2002 08:24:41 -0400, you wrote: > I have my "notify" flags set to: > >Notify Senders = no >Notify Local Postmaster = yes > >The only postmaster notifications I care about are ones for virii coming >from my domain, not the outside. With Klez, I would really like a >"notify postmaster if coming from local domain" flag, where it checks >against an IP number block (137.146. in my case) or the domain name >specified in the "Local Domains" setting. If local, then notify, otherwise >not. Any chance of this? I havew been thinking along the same line but with Notify Senders = no Notify Local Senders = yes We have a very good social community amongst the students. When anybody receives a message saying he sent a virus he checks the returned headers and warns the owner of the infected host. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jase at SENSIS.COM Wed May 22 16:08:28 2002 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:14:50 2006 Subject: SpamCheck Header Message-ID: > I have this header in his e-mails: > > > X-MailScanner-SpamCheck: SpamAssassin (score=2.7, required 5, > SUBJ_HAS_SPACES) > > I assumed it was being added by his installation but it's obviously > being added here. I thought that it would say "not spam" if the SA > score was less than the threshold. > > > And are you definitely testing this against the latest release? > > 3.15-3 and SA 2.20. > I received the same headers here too. I also thought it was coming from his installation, because I don't have an Always Include SpamAssassin Report option in my version of MailScanner (3.14), so my installation should only put a header in when it is spam. Maybe the reason others are not seeing this is because they have Multiple Headers = replace? Jason From tal at MUSICGENOME.COM Wed May 22 16:31:38 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:51 2006 Subject: Mailscanner enables sendmail on RPM install Message-ID: <1022081501.4213.63.camel@localhost.localdomain> I just noticed headers missing on some messages, apparently the system rebooted and it seems when I upgraded it reset sendmail to on via chkconfig. :/ I think the post-uninstall script is to blame, but I don't know much about RPM. -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020522/90db3966/attachment.bin From kvue at WADSNET.COM Wed May 22 16:26:41 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:51 2006 Subject: Which antivirus is better References: Message-ID: <001701c201a5$5bb47560$fe00010a@backup> I'm testing both the Sophos and F-PROT antivirus. Any one out there have a preference or a reason why is one is better than the other? -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James From darian at BEPINC.COM Wed May 22 16:42:52 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:51 2006 Subject: Spam not being flagged revisited In-Reply-To: <3CEA668C.2080707@unixsecurity.org> Message-ID: <004501c201a7$58be06d0$11c9dbd1@WONDER> Okay, I received four more messages, where the Spamscore was greater than the threshold but the message was not marked as spam. I am including one header, as the rest are similar Everthing in spam.whitelist is commented out and only my local IP address is specified in mailscanner.conf. I don't see how this is a whitelist problem. Any ideas? I am running 3.15-3, RH 7.2, SpamAssasin 2.20, Razor 1.19 Return-Path: Received: from mail1.alluneedhosting.com ([208.46.132.87]) by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272 for ; Wed, 22 May 2002 04:13:32 -0500 To: darian@bepinc.com Date: Wed, 22 May 2002 05:11:15 -0500 Message-ID: <1022058675.2071@localhost.localdomain> X-Mailer: Becky! ver. 2.00.03 From: susanepapelej@jippii.fi Sender: X-Sender: Reply-To: Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! X-VirusScan: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5, INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP, WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) Status: -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Wallis Sent: Tuesday, May 21, 2002 10:24 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam not being flagged I just upgraded to 3.15-3 and noticed something odd while testing. ---begin--- X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, SUBJ_REMOVE) ---end--- In this particular instance, I forwarded myself some spam (the original generated a much higher score) and thought it rather odd that a score in excess of the required score would get a 'not spam' designation. Any ideas? -- Mike Wallis mw@unixsecurity.org From LISTSERV at JISCMAIL.AC.UK Wed May 22 16:41:15 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: sbleau@QDOBA.COM left the JISCmail list Message-ID: <200205221541.QAA12996@magpie.ecs.soton.ac.uk> Wed, 22 May 2002 16:41:15 Scott Bleau has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Wed May 22 16:42:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Which antivirus is better In-Reply-To: <001701c201a5$5bb47560$fe00010a@backup> References: Message-ID: <5.1.0.14.2.20020522164153.02c26748@roadrunner.ecs.soton.ac.uk> At 16:26 22/05/2002, you wrote: >I'm testing both the Sophos and F-PROT antivirus. >Any one out there have a preference or a reason why is one is better than >the other? My personal opinion is that Sophos is best. We have used it for over 3 years here, and it has proven to be a very good product. But F-Prot will probably be cheaper. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 16:41:48 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Mailscanner enables sendmail on RPM install In-Reply-To: <1022081501.4213.63.camel@localhost.localdomain> Message-ID: <5.1.0.14.2.20020522164025.048ef898@roadrunner.ecs.soton.ac.uk> At 16:31 22/05/2002, you wrote: >I just noticed headers missing on some messages, apparently the system >rebooted and it seems when I upgraded it reset sendmail to on via >chkconfig. :/ >I think the post-uninstall script is to blame, but I don't know much >about RPM. I have this horrible feeling that when you upgrade an RPM, it calls the "post-uninstall" script at a very odd time, like after it has run the new "post-install" script or something like that. I've just seen this behaviour myself this morning, and was curious about it too. Anyone know a definitive answer for where I should put the 2 "chkconfig on" and "chkconfig off" bits in the RPM? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From mdchaney at MICHAELCHANEY.COM Wed May 22 16:55:16 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:51 2006 Subject: Which antivirus is better In-Reply-To: <001701c201a5$5bb47560$fe00010a@backup>; from kvue@WADSNET.COM on Wed, May 22, 2002 at 11:26:41AM -0400 References: <001701c201a5$5bb47560$fe00010a@backup> Message-ID: <20020522105516.B18022@michaelchaney.com> On Wed, May 22, 2002 at 11:26:41AM -0400, Kham Vue wrote: > I'm testing both the Sophos and F-PROT antivirus. > Any one out there have a preference or a reason why is one is better than the other? After testing them both for awhile, I've found that there's no difference in terms of the viruses that they catch. Not surprising, since they both pretty much claim the same number (~60,000). F-Prot's update was easier to script, although that's not terribly relevant since an update script for Sophos comes with mailscanner. However, F-Prot is $300/year, licensed simply per-server. I don't know how much Sophos is, but from what I've heard it's apparently quite a bit more than that. Anyway, I'm going with F-Prot. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From jkf at ecs.soton.ac.uk Wed May 22 17:07:28 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Spam not being flagged revisited In-Reply-To: <004501c201a7$58be06d0$11c9dbd1@WONDER> References: <3CEA668C.2080707@unixsecurity.org> Message-ID: <5.1.0.14.2.20020522170127.046af008@roadrunner.ecs.soton.ac.uk> At 16:42 22/05/2002, you wrote: >I received four more messages, where the Spamscore was greater than the >threshold but the message was not marked as spam. I am including one >header, as the rest are similar Everthing in spam.whitelist is >commented out and only my local IP address is specified in >mailscanner.conf. I don't see how this is a whitelist problem. Any >ideas? I have just wiped my spam.whitelist.conf and commented out all "Accept Spam From" lines in mailscanner.conf. I then set Use SpamAssassin = yes Always Include SpamAssassin Report = yes and restarted MailScanner. Using the 2 SpamAssassin test messages sample-spam.txt and sample-nonspam.txt that they supply for the purpose, I get these results: sample-spam.txt >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) sample-nonspam.txt >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required 5, >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) I then set Use SpamAssassin = yes Always Include SpamAssassin Report = no and restarted MailScanner. Using the same pair of messages again, I get sample-spam.txt >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) sample-nonspam.txt >(no SpamCheck header at all) So either a) something weird is happening that is affecting your system and not mine or b) we are running different code. (b) is the most likely. I've got 1 more little feature to test out (RBL checks timeout setting), then I'll release the code again. Any of you having problems can then upgrade to that version and we'll see if your problems go away. >Return-Path: >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272 > for ; Wed, 22 May 2002 04:13:32 -0500 >To: darian@bepinc.com >Date: Wed, 22 May 2002 05:11:15 -0500 >Message-ID: <1022058675.2071@localhost.localdomain> >X-Mailer: Becky! ver. 2.00.03 >From: susanepapelej@jippii.fi >Sender: >X-Sender: >Reply-To: >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! >X-VirusScan: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5, > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP, > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) >Status: > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Mike Wallis >Sent: Tuesday, May 21, 2002 10:24 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Spam not being flagged > > >I just upgraded to 3.15-3 and noticed something odd while testing. > >---begin--- >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > SUBJ_REMOVE) >---end--- > >In this particular instance, I forwarded myself some spam (the original >generated a much higher score) and thought it rather odd that a score in >excess of the required score would get a 'not spam' designation. > >Any ideas? > >-- >Mike Wallis >mw@unixsecurity.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From darian at BEPINC.COM Wed May 22 17:12:40 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:51 2006 Subject: UTF-8 Errors In-Reply-To: <003601c20135$7be1df50$b675fb0c@wheaton1.il.home.com> Message-ID: <006501c201ab$82c7e910$11c9dbd1@WONDER> Following up on the UTF-8 errors. It's a bug in Perl, which is supposed to be fixed in 5.8 (not yet released). However the latest CVS version of SpamAssassin has a work around and will be available in the next stable release. D. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Darian Rafie Sent: Tuesday, May 21, 2002 9:08 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: UTF-8 Errors Thanks Julian ... will do. d. ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, May 21, 2002 5:50 PM Subject: Re: UTF-8 Errors > These UTF-8 bugs are problems in SpamAssassin. Please report it to them. > > At 19:53 21/05/2002, you wrote: > >I have the same errors, I noticed them after executing a > >/etc/init.d/rc.d/mailscanner restart. I performed a stop then start and > >now they are gone. Kelly Hamlin had the same problem but I never saw > >any suggestions. > > > >D. > > > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Keith Wolters > >Sent: Tuesday, May 21, 2002 10:50 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Errors from mailscanner > > > > > >mailscanner was printing the following message on my console: > > > >Malformed UTF-8 character (unexpected continuation byte 0xb8) in > >substitution iterator at > >/usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm > >line 828. > > > >I stopped mailscanner, moved files from /var/spool/mqueue.in to > >/var/spool/mqueue and restarted mailscanner and it seems happy now. > > > >-- > >_______________________________________________ > >Sign-up for your own FREE Personalized E-mail at Email.com > >http://www.email.com/?sr=signup > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From darian at BEPINC.COM Wed May 22 18:09:10 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:51 2006 Subject: Spam not being flagged revisited In-Reply-To: <5.1.0.14.2.20020522170127.046af008@roadrunner.ecs.soton.ac.uk> Message-ID: <009301c201b3$6727a3a0$11c9dbd1@WONDER> I should further detail ... I have Always Include SpamAssassin Report = yes. The vast vast majority of mail that has a spam score exceeding the threshold has it's subject rewritten, as configured in mailscanner.conf. However, there are a few instances (four this morning) where messages are coming through and the SpamAssassin report indicates the score exceeds the threshold, but the subject line is not getting changed to indicate that the message is spam. That's the problem. At first I thought this had to do with spammers using my email address as the sender and thus tripping the whitelist rules. So I disabled those, but still saw a message to two getting through. So I commented out the Accept Spam From = lines, but I still see a trickle of messages getting through. It seems like a mailscanner issue where for some odd reason once in a while the subject line doesn't get re-written as it should. Is there some way for me to pipe these messages back through mailscanner and see if I can replicate the error? D. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, May 22, 2002 11:07 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam not being flagged revisited At 16:42 22/05/2002, you wrote: >I received four more messages, where the Spamscore was greater than the >threshold but the message was not marked as spam. I am including one >header, as the rest are similar Everthing in spam.whitelist is >commented out and only my local IP address is specified in >mailscanner.conf. I don't see how this is a whitelist problem. Any >ideas? I have just wiped my spam.whitelist.conf and commented out all "Accept Spam From" lines in mailscanner.conf. I then set Use SpamAssassin = yes Always Include SpamAssassin Report = yes and restarted MailScanner. Using the 2 SpamAssassin test messages sample-spam.txt and sample-nonspam.txt that they supply for the purpose, I get these results: sample-spam.txt >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) sample-nonspam.txt >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required 5, >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) I then set Use SpamAssassin = yes Always Include SpamAssassin Report = no and restarted MailScanner. Using the same pair of messages again, I get sample-spam.txt >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) sample-nonspam.txt >(no SpamCheck header at all) So either a) something weird is happening that is affecting your system and not mine or b) we are running different code. (b) is the most likely. I've got 1 more little feature to test out (RBL checks timeout setting), then I'll release the code again. Any of you having problems can then upgrade to that version and we'll see if your problems go away. >Return-Path: >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272 > for ; Wed, 22 May 2002 04:13:32 -0500 >To: darian@bepinc.com >Date: Wed, 22 May 2002 05:11:15 -0500 >Message-ID: <1022058675.2071@localhost.localdomain> >X-Mailer: Becky! ver. 2.00.03 >From: susanepapelej@jippii.fi >Sender: >X-Sender: >Reply-To: >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! >X-VirusScan: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5, > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP, > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) >Status: > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Mike Wallis >Sent: Tuesday, May 21, 2002 10:24 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Spam not being flagged > > >I just upgraded to 3.15-3 and noticed something odd while testing. > >---begin--- >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > SUBJ_REMOVE) >---end--- > >In this particular instance, I forwarded myself some spam (the original >generated a much higher score) and thought it rather odd that a score in >excess of the required score would get a 'not spam' designation. > >Any ideas? > >-- >Mike Wallis >mw@unixsecurity.org -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 22 18:24:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Spam not being flagged revisited In-Reply-To: <009301c201b3$6727a3a0$11c9dbd1@WONDER> References: <5.1.0.14.2.20020522170127.046af008@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020522182239.03564c00@roadrunner.ecs.soton.ac.uk> At 18:09 22/05/2002, you wrote: >It seems like a mailscanner issue where for some odd reason once in a >while the subject line doesn't get re-written as it should. Is there >some way for me to pipe these messages back through mailscanner and see >if I can replicate the error? If you set the Archive Mail options, then it will save the qf and df files out of the queue for you. Then you can later drop them back into mqueue.in to see what happens if it has a second go at them. What's interesting is your report that it only does this sometimes, not always. Stinks of being a Perl bug, but I would like to prove it or work out how to avoid it. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Wednesday, May 22, 2002 11:07 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spam not being flagged revisited > > >At 16:42 22/05/2002, you wrote: > >I received four more messages, where the Spamscore was greater than the > >threshold but the message was not marked as spam. I am including one > >header, as the rest are similar Everthing in spam.whitelist is > >commented out and only my local IP address is specified in > >mailscanner.conf. I don't see how this is a whitelist problem. Any > >ideas? > >I have just wiped my spam.whitelist.conf and commented out all "Accept >Spam >From" lines in mailscanner.conf. >I then set > Use SpamAssassin = yes > Always Include SpamAssassin Report = yes >and restarted MailScanner. > >Using the 2 SpamAssassin test messages sample-spam.txt and >sample-nonspam.txt that they supply for the purpose, I get these >results: >sample-spam.txt > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > >sample-nonspam.txt > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required >5, > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) > >I then set > Use SpamAssassin = yes > Always Include SpamAssassin Report = no >and restarted MailScanner. > >Using the same pair of messages again, I get >sample-spam.txt > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > >sample-nonspam.txt > >(no SpamCheck header at all) > >So either > a) something weird is happening that is affecting your system >and >not mine >or b) we are running different code. > >(b) is the most likely. I've got 1 more little feature to test out (RBL >checks timeout setting), then I'll release the code again. Any of you >having problems can then upgrade to that version and we'll see if your >problems go away. > > >Return-Path: > >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272 > > for ; Wed, 22 May 2002 04:13:32 -0500 > >To: darian@bepinc.com > >Date: Wed, 22 May 2002 05:11:15 -0500 > >Message-ID: <1022058675.2071@localhost.localdomain> > >X-Mailer: Becky! ver. 2.00.03 > >From: susanepapelej@jippii.fi > >Sender: > >X-Sender: > >Reply-To: > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! > >X-VirusScan: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5, > > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP, > > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) > >Status: > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Mike Wallis > >Sent: Tuesday, May 21, 2002 10:24 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Spam not being flagged > > > > > >I just upgraded to 3.15-3 and noticed something odd while testing. > > > >---begin--- > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > > SUBJ_REMOVE) > >---end--- > > > >In this particular instance, I forwarded myself some spam (the original > >generated a much higher score) and thought it rather odd that a score >in > >excess of the required score would get a 'not spam' designation. > > > >Any ideas? > > > >-- > >Mike Wallis > >mw@unixsecurity.org > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Wed May 22 20:46:29 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:51 2006 Subject: f-prot experience References: <1r3neusie7472ng1pca3bn209dk0h1lc50@4ax.com> Message-ID: <008701c201c9$5efa2020$1b02a8c0@theargoncompany.com> I'm an f-prot fan. I've liked f-prot for the past 7 years now. I just bought the Enterprise version as the License is per server. The Small Business version works just fine with Mail Scanner. The only additional software bundled in the Enterprise version is the f-prot daemon. (f-protd) I just got downloaded it. Will see what that's all about and keep you guys posted. The Small Business version with mailscanner works great. So far not had any major problem at all. Regards Rishi ----- Original Message ----- From: "Peter Peters" To: Sent: Wednesday, May 22, 2002 6:07 PM Subject: f-prot experience > I have been testing mailscanner with f-prot for a few weeks now. I have > been using the demo version of "F-Prot Linux for Small Business". When > we will start to roll out the scanning for all employees and students > perhaps we will need to get the "F-Prot Linux for Enterprise Business". > > Anybody any experience with this version in combination with > MailScanner? I believe it is arranged a bit different from the Small > Business version. > > -- > Peter Peters > senior netwerkbeheerder, Centrum voor Informatievoorziening, > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From jaearick at COLBY.EDU Wed May 22 21:32:19 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:51 2006 Subject: how to use spamassassin with mailscanner? Message-ID: Julian, A few words please about how to install and use spamassassin with mailscanner, in the HTML install docs? I already had mailscanner installed and working, so I decided to roll spamassassin into the mix. Got the tar file, did the install: tar xzvf Mail-SpamAssassin-2.20.tar.gz cd Mail-SpamAssassin-2.20 perl Makefile.PL make make install (as root) Then I went into /opt/mailscanner/etc/mailscanner.conf, turned on: Use SpamAssassin = yes Always Include SpamAssassin Report = yes Accept Spam From = [my IP netblock] Then I stopped and restarted mailscanner. Is that it??? No other twiddles? When I mail the sample-nonspam.txt and sample-spam.txt files to myself from a remote site, it seems to work -- I see the X-MailScanner-SpamCheck stuff in the headers. One thing I noticed and don't like is that spamassassin created a /.spamassassin directory in root with user_prefs therein. I don't like non-system stuff in the root directory. How to put it elsewhere, like /opt/mailscanner? ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From mike at CAMAROSS.NET Wed May 22 22:41:06 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:14:51 2006 Subject: SpamCheck Header References: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac. uk> <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac.uk> Message-ID: <004e01c201d9$64415750$6c01a8c0@home.wideopenthrottle.org> I thought the same thing. It's a rare occasion that I have anything relevant to say :) While OT here, I'd just like to thank you Julian for a great product and I apprecite the time and effort you invest in its support! Mike ----- Original Message ----- From: "Julian Field" To: Sent: Wednesday, May 22, 2002 3:17 AM Subject: Re: SpamCheck Header > At 07:45 22/05/2002, you wrote: > >On 21 May 2002 23:46 +0100 Julian Field wrote: > > > >>If you look for "X-MailScanner-SpamCheck: not spam" then you know it > >>isn't spam, even though it might include a SpamAssassin header. > > > >The problem with this is that if the e-mail scores *anything* with > >SpamAssassin, even if it is less than the threshold, it gets the > >"X-MailScanner-SpamCheck: SpamAssassin" header rather than "not spam". > >See Mike Kercher's contributions for an example. > > (Did you mean him? I can only find 2 postings to the list from him, neither > of which seem relevant) > > And are you definitely testing this against the latest release? I have just > checked the following: > > Note that the spam message scores 17, the non-spam message scores -2.8, > i.e. both scores are non-zero. > > 1) spam from "Accept Spam From" host, Always Include SA Header=yes > ==> "not spam (whitelisted), SpamAssassin...." > 2) non-spam from "Accept Spam From" host, Always Include SA Header=yes > ==> "not spam (whitelisted), SpamAssassin...." > 3) spam from non-exempt host, Always Include SA Header=no > ==> "SpamAssassin...." > 4) non-spam from non-exempt host, Always Include SA Header=no > ==> no SpamCheck header > 5) spam from exempt host, Always Include SA Header=no > ==> no SpamCheck header > 6) non-spam from exempt host, Always Include SA Header=no > ==> no SpamCheck header > 7) spam from non-exempt host, Always Include SA Header=yes > ==> "SpamAssassin...." > 8) non-spam from non-exempt host, Always Include SA Header=yes > ==> "not spam, SpamAssassin...." > > All of which are exactly as I would have expected. Given non-spam messages > it either doesn't put in a SpamCheck header at all, or puts in one starting > with "not spam" as I intended. > > So what cases have I missed? It seems to be working as intended... > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > > From ron at SPAWAR.NAVY.MIL Thu May 23 01:49:54 2002 From: ron at SPAWAR.NAVY.MIL (Ron Broersma) Date: Thu Jan 12 21:14:51 2006 Subject: Excessive calls to SpamAssassin? Message-ID: <3CEC3CB2.50A5B6C1@spawar.navy.mil> In the most recent versions, SpamAssassin gets called for every message, even if the message is whitelisted ($IsOnWhiteList == 1) and you don't want to always include headers ($Config::IncludeSpamHeader == 0). This is an issue on busy mailservers since SpamAssassin is "expensive", especially if now processing all the whitelisted traffic. To help get some of my performance back, I put the following if clause around the statements in the continue block that calls SpamAssassinChecks... if (!$IsOnWhiteList || $Config::IncludeSpamHeader) { } Is that a reasonable thing to do, or am I missing something? --Ron From ft at IT.SU.SE Thu May 23 06:47:15 2002 From: ft at IT.SU.SE (Fredrik Thulin) Date: Thu Jan 12 21:14:51 2006 Subject: Fwd: interested in Postfix support? Message-ID: <200205230747.15293.ft@it.su.se> correction: i first contacted Julian in this matter 2002-04-24, but i did not have a working version before 2002-05-06. /Fredrik ---------- Forwarded Message ---------- Subject: interested in Postfix support? Date: Wed, 22 May 2002 12:50:01 +0200 From: Fredrik Thulin To: MAILSCANNER@JISCMAIL.AC.UK I have been working on Postfix support for MailScanner. I sent the first version I beleive was basically working to Julian Field 2002-04-24 but it has not been merged into MailScanner yet. From robert at VCT.SI Thu May 23 07:44:28 2002 From: robert at VCT.SI (Robert) Date: Thu Jan 12 21:14:51 2006 Subject: incoming and local mail Message-ID: <3CEC9DDC.30937.54F5AC3@localhost> Hi Is it possible to scan only incoming mail with MailScanner? Or maybe to scan both incoming and outgoing mail, but not local mail from one user to another? thank you robert -- Manfreda Robert -- robert@vct.si From LISTSERV at JISCMAIL.AC.UK Wed May 22 23:54:41 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: gregory.a.chaix@STATE.OR.US left the JISCmail list Message-ID: <200205222254.XAA23552@magpie.ecs.soton.ac.uk> Wed, 22 May 2002 23:54:41 Greg Lund-Chaix has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From jkf at ecs.soton.ac.uk Thu May 23 08:35:24 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: can mailscanner check email output? In-Reply-To: <200205221133.QAA17793@www.uazuay.edu.ec> Message-ID: <5.1.0.14.2.20020523083406.02c3d668@roadrunner.ecs.soton.ac.uk> At 12:33 22/05/2002, you wrote: >can mailscanner check email output the server? MailScanner will check *all* mail that is received on the SMTP port (25) of the server. So if you are running, e.g. pine, on the server, you just need to configure it to send its mail using an SMTP server = "localhost" instead of it running sendmail itself directly. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 23 08:34:00 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: SpamCheck Header In-Reply-To: <004e01c201d9$64415750$6c01a8c0@home.wideopenthrottle.org> References: <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020521233937.02a025a0@roadrunner.ecs.soton.ac. uk> <5.1.0.14.2.20020522085406.0378d7c0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020523083338.046d9f70@roadrunner.ecs.soton.ac.uk> At 22:41 22/05/2002, you wrote: >I thought the same thing. It's a rare occasion that I have anything >relevant to say :) While OT here, I'd just like to thank you Julian for a >great product and I apprecite the time and effort you invest in its support! Aw, shucks... -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 23 08:40:04 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Excessive calls to SpamAssassin? In-Reply-To: <3CEC3CB2.50A5B6C1@spawar.navy.mil> Message-ID: <5.1.0.14.2.20020523083545.046ea390@roadrunner.ecs.soton.ac.uk> At 01:49 23/05/2002, you wrote: >In the most recent versions, SpamAssassin gets called for every message, >even if the message is whitelisted ($IsOnWhiteList == 1) and you don't >want to always include headers ($Config::IncludeSpamHeader == 0). This >is an issue on busy mailservers since SpamAssassin is "expensive", >especially if now processing all the whitelisted traffic. > >To help get some of my performance back, I put the following if clause >around the statements in the continue block that calls >SpamAssassinChecks... > >if (!$IsOnWhiteList || $Config::IncludeSpamHeader) { } > >Is that a reasonable thing to do, or am I missing something? No, I had overlooked that. Will fix. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 23 08:33:17 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: how to use spamassassin with mailscanner? In-Reply-To: Message-ID: <5.1.0.14.2.20020523083023.02c40350@roadrunner.ecs.soton.ac.uk> At 21:32 22/05/2002, you wrote: > A few words please about how to install and use spamassassin with >mailscanner, in the HTML install docs? Sounds like that would be a good idea. I'll try to find time to write some. On the other hand, does someone else fancy contributing a paragraph or 2 of instructions, including where to set "ignore_rbl_checks = 1" in the SA user prefs? I would be really grateful! > I already had mailscanner installed and working, so I decided to roll >spamassassin into the mix. Got the tar file, did the install: > >tar xzvf Mail-SpamAssassin-2.20.tar.gz >cd Mail-SpamAssassin-2.20 >perl Makefile.PL >make >make install (as root) > >Then I went into /opt/mailscanner/etc/mailscanner.conf, turned on: > >Use SpamAssassin = yes >Always Include SpamAssassin Report = yes >Accept Spam From = [my IP netblock] > >Then I stopped and restarted mailscanner. Is that it??? Pretty much, yes. >No other twiddles? The only thing you might want to do is track down the "ignore_rbl_checks" option in its preferences file, uncomment it and set it to 1. MailScanner or SA can do the RBL checks for you, but you don't need both of them doing it. >When I mail the sample-nonspam.txt and sample-spam.txt files to myself from a >remote site, it seems to work -- I see the X-MailScanner-SpamCheck stuff >in the >headers. > >One thing I noticed and don't like is that spamassassin created a >/.spamassassin directory in root with user_prefs therein. I don't like >non-system stuff in the root directory. How to put it elsewhere, like >/opt/mailscanner? That's really an SA problem. It's running as root so SA puts its user_prefs in ~root. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Thu May 23 08:42:34 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: incoming and local mail In-Reply-To: <3CEC9DDC.30937.54F5AC3@localhost> Message-ID: <5.1.0.14.2.20020523084137.046e4998@roadrunner.ecs.soton.ac.uk> At 07:44 23/05/2002, you wrote: >Is it possible to scan only incoming mail with MailScanner? It will scan all mail that hits it via port 25. So if you set up another server to handle your outgoing mail and don't run MailScanner on it, you'll get what you want. >Or maybe >to scan both incoming and outgoing mail, but not local mail from one >user to another? Again, I think you'll need to configure an extra server to handle internal mail only. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From S.R.Patterson at SOTON.AC.UK Thu May 23 09:16:53 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:51 2006 Subject: SpamCheck Header Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > Sent: 23 May 2002 08:34 > > At 22:41 22/05/2002, you wrote: > >I thought the same thing. It's a rare occasion that I have anything > >relevant to say :) While OT here, I'd just like to thank you Julian > >for a great product and I apprecite the time and effort you > invest in > >its support! > > Aw, shucks... I don't, I can't keep up with all the updates... ;) I think I might go out and pay 20 grand for a scanner... ;) Cheers, Steve - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPOyldK2fOiTs5+WvEQInvwCeMK9Gcrq1rXWXR5SpV6ntax2PRPIAn30m j8OPiSIhAnbHXfu96FV/VPmV =8cnM -----END PGP SIGNATURE----- From nwp at LEMON-COMPUTING.COM Thu May 23 09:14:10 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:51 2006 Subject: can mailscanner check email output? In-Reply-To: <5.1.0.14.2.20020523083406.02c3d668@roadrunner.ecs.soton.ac.uk> References: <200205221133.QAA17793@www.uazuay.edu.ec> <5.1.0.14.2.20020523083406.02c3d668@roadrunner.ecs.soton.ac.uk> Message-ID: <20020523081410.GF23476@hoiho.nz.lemon-computing.com> On Thu, May 23, 2002 at 08:35:24AM +0100, Julian Field wrote: > At 12:33 22/05/2002, you wrote: > >can mailscanner check email output the server? > > MailScanner will check *all* mail that is received on the SMTP port (25) of > the server. So if you are running, e.g. pine, on the server, you just need > to configure it to send its mail using an SMTP server = "localhost" instead > of it running sendmail itself directly. ...and the recommended configuration of Exim will check *all* mail regardless. -- Nick Phillips -- nwp@lemon-computing.com A day for firm decisions!!!!! Or is it? From jkf at ecs.soton.ac.uk Thu May 23 09:24:44 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: SpamCheck Header In-Reply-To: Message-ID: <5.1.0.14.2.20020523092405.02c8dc50@roadrunner.ecs.soton.ac.uk> At 09:16 23/05/2002, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > > -----Original Message----- > > From: Julian Field [mailto:jkf@ECS.SOTON.AC.UK] > > Sent: 23 May 2002 08:34 > > > > At 22:41 22/05/2002, you wrote: > > >I thought the same thing. It's a rare occasion that I have >anything > > >relevant to say :) While OT here, I'd just like to thank you >Julian > > >for a great product and I apprecite the time and effort you > > invest in > > >its support! > > > > Aw, shucks... > >I don't, I can't keep up with all the updates... ;) I think I might >go out and pay 20 grand for a scanner... ;) Gimme 20 grand and I'll maintain them for a year for you. How's that for a good deal! -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From howard at harper-adams.ac.uk Thu May 23 09:41:06 2002 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:14:51 2006 Subject: incoming and local mail In-Reply-To: <3CEC9DDC.30937.54F5AC3@localhost> Message-ID: <200205230836.g4N8aFD07724@blackhole.harper-adams.ac.uk> On 23 May 02, at 7:44, Robert wrote: > Hi > > Is it possible to scan only incoming mail with MailScanner? Or maybe > to scan both incoming and outgoing mail, but not local mail from one > user to another? Can you assume that internal emails will be virus free? We are a small college (<2000 users),so the overhead of virus checking all the email it not too taxing. The cost and embarrassment of a virus being spread internally via our own email system would be too great. We do have Sophos on most Pcs with the rest have f-prot but we are changing those to Sophos asap so that reduces the risk even further but I would be very reluctant to stop the scanning of internal mail even if it relieved the load on MailScanner. > > thank you > robert > > -- > Manfreda Robert -- robert@vct.si Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From mdunder at GE.UCL.AC.UK Thu May 23 09:58:18 2002 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:14:51 2006 Subject: how to use spamassassin with mailscanner? In-Reply-To: <5.1.0.14.2.20020523083023.02c40350@roadrunner.ecs.soton.ac.uk> Message-ID: > > The only thing you might want to do is track down the "ignore_rbl_checks" > option in its preferences file, uncomment it and set it to 1. MailScanner > or SA can do the RBL checks for you, but you don't need both of them doing it. it's in /usr/local/share/spamassassin/10_misc.cf and known as skip_rbl_checks rather than ignore_rbl_checks http://www.dabsxchange.com/scripts/datapreferences.asp Hope this helps. M. > > >When I mail the sample-nonspam.txt and sample-spam.txt files to myself from a > >remote site, it seems to work -- I see the X-MailScanner-SpamCheck stuff > >in the > >headers. > > > >One thing I noticed and don't like is that spamassassin created a > >/.spamassassin directory in root with user_prefs therein. I don't like > >non-system stuff in the root directory. How to put it elsewhere, like > >/opt/mailscanner? > > That's really an SA problem. It's running as root so SA puts its user_prefs > in ~root. > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > ------------------------------------------------------------------------- Mike Dunderdale | tel: ++44 20 7679 2756 IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453 mike.dunderdale@ge.ucl.ac.uk | mob: ++44 7939 455 245 From mdunder at GE.UCL.AC.UK Thu May 23 10:03:14 2002 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:14:51 2006 Subject: how to use spamassassin with mailscanner? In-Reply-To: Message-ID: On Thu, 23 May 2002, Mike Dunderdale wrote: > > > > The only thing you might want to do is track down the "ignore_rbl_checks" > > option in its preferences file, uncomment it and set it to 1. MailScanner > > or SA can do the RBL checks for you, but you don't need both of them doing it. > > it's in /usr/local/share/spamassassin/10_misc.cf > > and known as skip_rbl_checks rather than ignore_rbl_checks > sorry about the extra link. Mishit copy and paste methinks... Should I be included as a spammer now ;) ? From LISTSERV at JISCMAIL.AC.UK Thu May 23 10:03:47 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: fermin@VENUSBBW.NET requested to join Message-ID: <200205230903.KAA29611@magpie.ecs.soton.ac.uk> Thu, 23 May 2002 10:03:47 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ferm?n Conde You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER fermin@VENUSBBW.NET Ferm?n Conde PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER fermin@VENUSBBW.NET Ferm?n Conde // EOJ From LISTSERV at JISCMAIL.AC.UK Thu May 23 13:25:01 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: philk@TCP.NET.UK requested to join Message-ID: <200205231225.NAA17068@magpie.ecs.soton.ac.uk> Thu, 23 May 2002 13:25:01 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Phil Kendall The following membership options have been requested: NOACK NOREPRO. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER philk@TCP.NET.UK Phil Kendall PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER philk@TCP.NET.UK Phil Kendall SET MAILSCANNER NOACK NOREPRO FOR philk@TCP.NET.UK // EOJ From philk at TCP.NET.UK Thu May 23 13:46:15 2002 From: philk at TCP.NET.UK (Phil Kendall) Date: Thu Jan 12 21:14:51 2006 Subject: Runtime Error Message-ID: <2EA7D94851025446810834BA2DED5E6D26EED0@adonis.tcp.net.uk> Has any else come across this error message when running mailscanner? /^H(\?[^?]*\?)?X-TCP-MailScanner:\s+([^\n]*)1 1 0 2 3 4 5 6 7 8 9 12(\n^\s+[^\n]*$)*)/: unmatched () in regexp at (eval 268) line 126. This has appeared in versions 3.03-1, 3.12-5 & 3.15-3. Phil Kendall Technical Systems Administrator Total Connectivity Providers From LISTSERV at JISCMAIL.AC.UK Thu May 23 15:13:44 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: DTanner@BGMI.COM left the JISCmail list Message-ID: <200205231413.PAA28520@magpie.ecs.soton.ac.uk> Thu, 23 May 2002 15:13:44 Don Tanner has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From rabollinger at ATTBI.COM Thu May 23 15:45:44 2002 From: rabollinger at ATTBI.COM (Richard Bollinger) Date: Thu Jan 12 21:14:51 2006 Subject: Configuration Question - RBL Message-ID: <008201c20268$8539b080$8b030180@elliottturbo.com> When using RBL spam avoidance, is there any reason why one would prefer to perform the checking in: 1) sendmail 2) mailscanner 3) spamassassin Certainly there would be no advantage in performing the RBL tests more than once, right? If sendmail is the first step in the process, then it would seem best to let sendmail do the RBL testing to prevent any further processing, right? Thanks, Rich Bollinger From jkf at ecs.soton.ac.uk Thu May 23 16:11:50 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Configuration Question - RBL In-Reply-To: <008201c20268$8539b080$8b030180@elliottturbo.com> Message-ID: <5.1.0.14.2.20020523160953.04abe1d0@roadrunner.ecs.soton.ac.uk> At 15:45 23/05/2002, you wrote: >When using RBL spam avoidance, is there any reason why one would prefer to >perform the checking in: >1) sendmail >2) mailscanner >3) spamassassin > >Certainly there would be no advantage in performing the RBL tests more >than once, right? Correct. >If sendmail is the first step in the process, then it would seem best to >let sendmail do the RBL >testing to prevent any further processing, right? Depends if you want to bounce it or merely tag it. MailScanner or SpamAssassin gives you the option to just tag it, rather than bounce it (which is all you can do with sendmail). MailScanner gives you the choice (per-user or per-domain) to deliver it (tagged as spam), delete it, or archive it. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From sevans at FOUNDATION.SDSU.EDU Thu May 23 16:38:46 2002 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:14:51 2006 Subject: Reading Archived Mail Message-ID: <7E2D2700ADE29542BAFC135552997E6C0AE94F@mail.foundation.sdsu.edu> I'm archiving all the messages marked as Spam currently. How does everyone read those files? Reading them individually from the command line is kind of a pain. Is there any way to read them from some kind of program that will combine the header and message information. Steve Evans Computing Services SDSU Foundation 619 594-0653 From kvue at WADSNET.COM Thu May 23 16:36:17 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:51 2006 Subject: MajorDomo Not working after MailScanner installed References: <008201c20268$8539b080$8b030180@elliottturbo.com> Message-ID: <002401c20270$1cc1f0a0$fe00010a@backup> I have a Cobalt RAQ3. Majordomo is not working. I emailed my mail groups and it goes nowhere. -------------------------------------------------------------- Kham Vue Internet Admin The City of Wadsworth WADSNET.COM High Speed Internet Service kvue@wadsnet.com "Believe that life is worth living, and your belief will help create the fact." --William James ----- Original Message ----- From: "Richard Bollinger" To: Sent: Thursday, May 23, 2002 10:45 AM Subject: Configuration Question - RBL > When using RBL spam avoidance, is there any reason why one would prefer to perform the checking in: > 1) sendmail > 2) mailscanner > 3) spamassassin > > Certainly there would be no advantage in performing the RBL tests more than once, right? > > If sendmail is the first step in the process, then it would seem best to let sendmail do the RBL > testing to prevent any further processing, right? > > Thanks, Rich Bollinger > > From jaearick at COLBY.EDU Thu May 23 16:49:02 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:51 2006 Subject: Configuration Question - RBL In-Reply-To: <5.1.0.14.2.20020523160953.04abe1d0@roadrunner.ecs.soton.ac.uk> Message-ID: Julian, I'm puzzling over the same issue. I already use RBL+ in sendmail (we bought the service), so sendmail can continue rejecting stuff tagged by RBL+ and I don't need either mailscanner or spamassassin to look at the MAPS databases. But I am interested in using other sites like spamcop.net in either mailscanner or spamassassin. Which one might be preferred and where to twiddle the settings? You said yesterday in my query about adding in spamassassin usage to mailscanner: "The only thing you might want to do is track down the "ignore_rbl_checks" option in its preferences file, uncomment it and set it to 1. MailScanner or SA can do the RBL checks for you, but you don't need both of them doing it." The parameter is actually "skip_rbl_checks", but anyway, if I set this guy to one then it looks like I turn off *all* the RBL-like DNS lookups in spamassassin, right? I stared at the perl code for spamassassin and this seems to be the case. I'm concluding for the moment that I want to leave skip_rbl_checks at its default setting of zero, and comment out the Spam-List references in mailscanner.conf -- let spamassassin do the DNS work and tune it via the RCVD_IN_ score settings for the various RBL-like services. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- On Thu, 23 May 2002, Julian Field wrote: > Date: Thu, 23 May 2002 16:11:50 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Configuration Question - RBL > > At 15:45 23/05/2002, you wrote: > >When using RBL spam avoidance, is there any reason why one would prefer to > >perform the checking in: > >1) sendmail > >2) mailscanner > >3) spamassassin > > > >Certainly there would be no advantage in performing the RBL tests more > >than once, right? > > Correct. > > >If sendmail is the first step in the process, then it would seem best to > >let sendmail do the RBL > >testing to prevent any further processing, right? > > Depends if you want to bounce it or merely tag it. MailScanner or > SpamAssassin gives you the option to just tag it, rather than bounce it > (which is all you can do with sendmail). MailScanner gives you the choice > (per-user or per-domain) to deliver it (tagged as spam), delete it, or > archive it. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkf at ecs.soton.ac.uk Thu May 23 17:09:22 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Configuration Question - RBL In-Reply-To: References: <5.1.0.14.2.20020523160953.04abe1d0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020523170639.02cf6de0@roadrunner.ecs.soton.ac.uk> At 16:49 23/05/2002, you wrote: >I'm puzzling over the same issue. I already use RBL+ in sendmail >(we bought the service), so sendmail can continue rejecting stuff >tagged by RBL+ and I don't need either mailscanner or spamassassin >to look at the MAPS databases. But I am interested in using other sites >like spamcop.net in either mailscanner or spamassassin. >Which one might be preferred and where to twiddle the settings? Up to you which you choose. If you want to tag all mail that came from an RBL, then MailScanner makes that very easy. But if you want it to be tunable via the SpamAssassin scoring system, then that's the way you should do it. >You said yesterday in my query about adding in spamassassin usage to >mailscanner: > > "The only thing you might want to do is track down the "ignore_rbl_checks" > option in its preferences file, uncomment it and set it to 1. MailScanner > or SA can do the RBL checks for you, but you don't need both of them doing > it." > >The parameter is actually "skip_rbl_checks", but anyway, if I set this Yes, sorry about that. I remembered it wrong. >guy to one then it looks like I turn off *all* the RBL-like DNS lookups >in spamassassin, right? I stared at the perl code for spamassassin and >this seems to be the case. Correct. >I'm concluding for the moment that I want to leave skip_rbl_checks at its >default setting of zero, and comment out the Spam-List references >in mailscanner.conf -- let spamassassin do the DNS work and tune it via >the RCVD_IN_ score settings for the various RBL-like services. As you want it tunable by the SpamAssassin scoring system, then that is the right choice for you. As for me, I want to tag *all* mail that came from a host listed in an RBL, so I have MailScanner do the job. If you want to *reject* all mail that came from a host listed in an RBL, then sendmail is the right answer. It's horses for courses, as they say... >On Thu, 23 May 2002, Julian Field wrote: > > > Date: Thu, 23 May 2002 16:11:50 +0100 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Configuration Question - RBL > > > > At 15:45 23/05/2002, you wrote: > > >When using RBL spam avoidance, is there any reason why one would prefer to > > >perform the checking in: > > >1) sendmail > > >2) mailscanner > > >3) spamassassin > > > > > >Certainly there would be no advantage in performing the RBL tests more > > >than once, right? > > > > Correct. > > > > >If sendmail is the first step in the process, then it would seem best to > > >let sendmail do the RBL > > >testing to prevent any further processing, right? > > > > Depends if you want to bounce it or merely tag it. MailScanner or > > SpamAssassin gives you the option to just tag it, rather than bounce it > > (which is all you can do with sendmail). MailScanner gives you the choice > > (per-user or per-domain) to deliver it (tagged as spam), delete it, or > > archive it. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From dave at CLOSSONS.NET Thu May 23 18:14:51 2002 From: dave at CLOSSONS.NET (David Closson) Date: Thu Jan 12 21:14:51 2006 Subject: This may be a sendmail problem but... Message-ID: <200205231716.g4NHGWZH021786@goldrush.com> I am using sendmail Redhat 7.3 with mailscanner 3.15-3 and spamassassin-2.20-1. This machine is a gateway for our main mail server that scans the emails and uses the mailertable to deliver them to the main server. I get an accumulation of mail in the queue that is bad mail. The gateway mail server is not aware of which email address are valid and which are not on the main server (which should not normally be a problem I assume). These invalid and undeliverable messages (almost always spam the has a bad return address) stop the queue runner from delivering legitimate messages that had to be queued. A good portion of the mail is scanned and then delivered to the main server as configured. I posted on the sendmail usenet with no luck yet...so here perhaps somehere can help. snip of error message... g4H0u9g13428: g4M7NEG04590: DSN: User unknown g4M7NEG04590: g4M7NEH04590: return to sender: User unknown g4M7NEG04590: Losing ./qfg4M7NEG04590: savemail panic g4M7NEG04590: SYSERR(root): savemail: cannot save rejected email anywhere -- David Closson, dave@clossons.net on 05/23/2002 From jkf at ecs.soton.ac.uk Thu May 23 19:14:03 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: MailScanner upgrade problems In-Reply-To: <3CECCCDE.25753.3835A07@localhost> Message-ID: <5.1.0.14.2.20020523191011.03845510@roadrunner.ecs.soton.ac.uk> At 19:05 23/05/2002, you wrote: >(I tried to post this to the mailing list, but Listserve said, "Not >authorized Sorry, you are not authorized to post to the >MAILSCANNER list from the address you entered in the login >screen. " even though I registered and followed directions on the >email that looked successful.) Give me the exact email address you want to subscribe and I'll do it for you. >MailScanner is a great program. Thank you for putting it out, and for >the listserver and upgrades. Appreciated! >I'm in the middle of upgrading from MailScanner 3.04 to 3.15, and it >seems very awkward. > >I can't find anywhere on the website for upgrade instructions. I >ended up doing a "rpm -U mailscanner...". Yes, that's right. >After upgrading, mailscanner didn't look like it starts on bootup. I >ended up doing "chkconfig --add mailscanner --level 2345". Is this >correct? Should the rpm have done this for me? Yes, the rpm still isn't perfect. It's harder than you would think. Doing chkconfig sendmail off chkconfig mailscanner on does the job. This will hopefully be resolved in the next release. >It looks like the upgrade overwrote all of my settings. I'm now going >through "mailscanner.conf" and comparing it to >"mailscanner.conf.rpmsave" line by line to put things back to how I >had it. Now I'm discovering that I also have to go through all of the >files attached to mailscanner.conf (stored.virus.message.txt, >stored.filename.message.txt, etc.). Is there an easier way? No, sorry. You can just "mv -f" all the text files, and "diff" the conf files. Should only take 10 minutes though. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rishi at THEARGONCOMPANY.COM Thu May 23 19:15:19 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:51 2006 Subject: Per Domain Scanning Message-ID: <01e901c20285$cc148d00$1b02a8c0@theargoncompany.com> Hi Has anyone been successful with getting the Per-Domain Scanning on a Cobalt RaQ4 Linux server? Regards Rishi From jon at XNEXT.COM Thu May 23 19:33:54 2002 From: jon at XNEXT.COM (Jonothon Ortiz) Date: Thu Jan 12 21:14:51 2006 Subject: Per Domain Scanning In-Reply-To: <01e901c20285$cc148d00$1b02a8c0@theargoncompany.com> Message-ID: I have - very nicely =) No problems on our end! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Rishi Gangoly Sent: Thursday, May 23, 2002 2:15 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Per Domain Scanning Hi Has anyone been successful with getting the Per-Domain Scanning on a Cobalt RaQ4 Linux server? Regards Rishi From yelsir at MAGNATECHONLINE.COM Thu May 23 19:40:24 2002 From: yelsir at MAGNATECHONLINE.COM (Yussef M. ElSirgany) Date: Thu Jan 12 21:14:51 2006 Subject: Per Domain Scanning In-Reply-To: Message-ID: No problems here on raq4r. Thanks again for the great program! --Yussef "The instructions said to use Windows 98 or better, so I installed Debian Linux." > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Rishi Gangoly > Sent: Thursday, May 23, 2002 2:15 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Per Domain Scanning > > > Hi > > Has anyone been successful with getting the Per-Domain Scanning > on a Cobalt > RaQ4 Linux server? > > Regards > > Rishi > From FCaen at CI.LAKEWOOD.WA.US Thu May 23 19:56:19 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer Message-ID: -----Original Message----- From: jkf@ECS.SOTON.AC.UK As you want it tunable by the SpamAssassin scoring system, then that is the right choice for you. As for me, I want to tag *all* mail that came from a host listed in an RBL, so I have MailScanner do the job. If you want to *reject* all mail that came from a host listed in an RBL, then sendmail is the right answer. Julian, almost sounds like FAQ material to me :-) I volunteer to contribute a couple SpamAssassin-related paragraphs to the FAQ. The 2 main questions I had (and have seen from others) are: - Where do I check the RBLs and why? - How do I config SpamAssassin to work with Mailscanner? Would you rather I send them directly to you or follow the open-source paradigm and send them to the list for feedback? ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From FCaen at CI.LAKEWOOD.WA.US Thu May 23 20:37:31 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer Message-ID: the first 2 paragraphs of my previous message should have been indented... Stupid Outlook... Sorry for the poor readability. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 -----Original Message----- From: FCaen@CI.LAKEWOOD.WA.US Sent: Thursday, May 23, 2002 11:56 AM To: Subject: [MAILSCANNER] SpamAssassin FAQs volunteer -----Original Message----- From: jkf@ECS.SOTON.AC.UK As you want it tunable by the SpamAssassin scoring system, then that is the right choice for you. As for me, I want to tag *all* mail that came from a host listed in an RBL, so I have MailScanner do the job. If you want to *reject* all mail that came from a host listed in an RBL, then sendmail is the right answer. Julian, almost sounds like FAQ material to me :-) I volunteer to contribute a couple SpamAssassin-related paragraphs to the FAQ. The 2 main questions I had (and have seen from others) are: - Where do I check the RBLs and why? - How do I config SpamAssassin to work with Mailscanner? Would you rather I send them directly to you or follow the open-source paradigm and send them to the list for feedback? ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From ryan at MARINOCRANE.COM Thu May 23 20:35:07 2002 From: ryan at MARINOCRANE.COM (Ryan Pitt) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer References: <5.1.0.14.2.20020523203826.0388a0d8@roadrunner.ecs.soton.ac.uk> Message-ID: <3CED446B.9060208@marinocrane.com> I wouldnt mind getting a copy of those answers. Please forward them to me. Thank you Ryan Pitt Julian Field wrote: > At 19:56 23/05/2002, you wrote: > >> -----Original Message----- >> From: jkf@ECS.SOTON.AC.UK >> >> >> As you want it tunable by the SpamAssassin scoring system, then >> that is the >> right choice for you. >> >> As for me, I want to tag *all* mail that came from a host listed >> in an RBL, >> so I have MailScanner do the job. If you want to *reject* all mail that >> came from a host listed in an RBL, then sendmail is the right answer. >> >> Julian, almost sounds like FAQ material to me :-) >> >> I volunteer to contribute a couple SpamAssassin-related paragraphs to >> the >> FAQ. The 2 main questions I had (and have seen from others) are: >> >> - Where do I check the RBLs and why? >> >> - How do I config SpamAssassin to work with Mailscanner? >> >> Would you rather I send them directly to you or follow the open-source >> paradigm and send them to the list for feedback? > > > Just send them straight to me. The mailing list is pretty busy as it is. > I'll edit them and post them on the website. If anyone wants to > contribute > changes at that point, they are more than welcome. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkf at ecs.soton.ac.uk Thu May 23 20:40:03 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer In-Reply-To: Message-ID: <5.1.0.14.2.20020523203826.0388a0d8@roadrunner.ecs.soton.ac.uk> At 19:56 23/05/2002, you wrote: > -----Original Message----- >From: jkf@ECS.SOTON.AC.UK > > > As you want it tunable by the SpamAssassin scoring system, then > that is the >right choice for you. > > As for me, I want to tag *all* mail that came from a host listed > in an RBL, >so I have MailScanner do the job. If you want to *reject* all mail that >came from a host listed in an RBL, then sendmail is the right answer. > >Julian, almost sounds like FAQ material to me :-) > >I volunteer to contribute a couple SpamAssassin-related paragraphs to the >FAQ. The 2 main questions I had (and have seen from others) are: > >- Where do I check the RBLs and why? > >- How do I config SpamAssassin to work with Mailscanner? > >Would you rather I send them directly to you or follow the open-source >paradigm and send them to the list for feedback? Just send them straight to me. The mailing list is pretty busy as it is. I'll edit them and post them on the website. If anyone wants to contribute changes at that point, they are more than welcome. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jon at XNEXT.COM Thu May 23 20:52:18 2002 From: jon at XNEXT.COM (Jonothon Ortiz) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer In-Reply-To: <3CED446B.9060208@marinocrane.com> Message-ID: I'd love a copy of these answers as well. -Jonothon Ortiz Julian Field wrote: > At 19:56 23/05/2002, you wrote: > >> -----Original Message----- >> From: jkf@ECS.SOTON.AC.UK >> >> >> As you want it tunable by the SpamAssassin scoring system, then >> that is the >> right choice for you. >> >> As for me, I want to tag *all* mail that came from a host listed >> in an RBL, >> so I have MailScanner do the job. If you want to *reject* all mail that >> came from a host listed in an RBL, then sendmail is the right answer. >> >> Julian, almost sounds like FAQ material to me :-) >> >> I volunteer to contribute a couple SpamAssassin-related paragraphs to >> the >> FAQ. The 2 main questions I had (and have seen from others) are: >> >> - Where do I check the RBLs and why? >> >> - How do I config SpamAssassin to work with Mailscanner? >> >> Would you rather I send them directly to you or follow the open-source >> paradigm and send them to the list for feedback? > > > Just send them straight to me. The mailing list is pretty busy as it is. > I'll edit them and post them on the website. If anyone wants to > contribute > changes at that point, they are more than welcome. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From jkf at ecs.soton.ac.uk Thu May 23 20:53:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer In-Reply-To: References: <3CED446B.9060208@marinocrane.com> Message-ID: <5.1.0.14.2.20020523205305.03779388@roadrunner.ecs.soton.ac.uk> At 20:52 23/05/2002, you wrote: >I'd love a copy of these answers as well. Can we take the "me too" messages as read, please? Something will be posted here once it's written and checked. >-Jonothon Ortiz > >Julian Field wrote: > > > At 19:56 23/05/2002, you wrote: > > > >> -----Original Message----- > >> From: jkf@ECS.SOTON.AC.UK > >> > >> > >> As you want it tunable by the SpamAssassin scoring system, then > >> that is the > >> right choice for you. > >> > >> As for me, I want to tag *all* mail that came from a host listed > >> in an RBL, > >> so I have MailScanner do the job. If you want to *reject* all mail that > >> came from a host listed in an RBL, then sendmail is the right answer. > >> > >> Julian, almost sounds like FAQ material to me :-) > >> > >> I volunteer to contribute a couple SpamAssassin-related paragraphs to > >> the > >> FAQ. The 2 main questions I had (and have seen from others) are: > >> > >> - Where do I check the RBLs and why? > >> > >> - How do I config SpamAssassin to work with Mailscanner? > >> > >> Would you rather I send them directly to you or follow the open-source > >> paradigm and send them to the list for feedback? > > > > > > Just send them straight to me. The mailing list is pretty busy as it is. > > I'll edit them and post them on the website. If anyone wants to > > contribute > > changes at that point, they are more than welcome. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jase at SENSIS.COM Thu May 23 20:55:26 2002 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer Message-ID: Another reason to check RBLs in SpamAssassin would be if you are running MailScanner on a system not directly connected to the internet. (I think) sendmail and exim will only check the IP address of the host sending the mail, which may not be the open relay. But SpamAssassin checks the IP addresses of all of the hosts that have sent the mail by looking at the received headers. Jason > -----Original Message----- > From: Francois Caen [mailto:FCaen@CI.LAKEWOOD.WA.US] > Sent: Thursday, May 23, 2002 2:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] SpamAssassin FAQs volunteer > > > -----Original Message----- > From: jkf@ECS.SOTON.AC.UK > > > As you want it tunable by the SpamAssassin scoring > system, then that is the > right choice for you. > > As for me, I want to tag *all* mail that came from a > host listed in an RBL, > so I have MailScanner do the job. If you want to *reject* all > mail that > came from a host listed in an RBL, then sendmail is the right > answer. > > Julian, almost sounds like FAQ material to me :-) > > I volunteer to contribute a couple SpamAssassin-related > paragraphs to the FAQ. The 2 main questions I had (and have > seen from others) are: > > - Where do I check the RBLs and why? > > - How do I config SpamAssassin to work with Mailscanner? > > Would you rather I send them directly to you or follow the > open-source paradigm and send them to the list for feedback? > > ------------------------------------------------ > Francois Caen > Network Information Systems Engineer - Webmaster > City of Lakewood, WA > (253) 512-2269 > From FCaen at CI.LAKEWOOD.WA.US Thu May 23 20:55:46 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:51 2006 Subject: SpamAssassin FAQs volunteer Message-ID: -----Original Message----- From: jon@XNEXT.COM > I'd love a copy of these answers as well. Hey folks, those answers are for the FAQ on the Mailscanner site. So everybody will get to read them, no need to ask :-) Besides, most of the response comes from emails I have read on this list, I just want to make people's lives easier so they don't have to search in the Archive. ------------------------------------------------ Francois Caen Network Information Systems Engineer - Webmaster City of Lakewood, WA (253) 512-2269 From LISTSERV at JISCMAIL.AC.UK Fri May 24 01:19:05 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:51 2006 Subject: MAILSCANNER: ucs_rat@SHSU.EDU requested to join Message-ID: <200205240019.BAA10976@magpie.ecs.soton.ac.uk> Fri, 24 May 2002 01:19:05 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Robert Thompson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ucs_rat@SHSU.EDU Robert Thompson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ucs_rat@SHSU.EDU Robert Thompson // EOJ From P.G.M.Peters at civ.utwente.nl Fri May 24 09:05:10 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:51 2006 Subject: This may be a sendmail problem but... In-Reply-To: <200205231716.g4NHGWZH021786@goldrush.com> References: <200205231716.g4NHGWZH021786@goldrush.com> Message-ID: On Thu, 23 May 2002 10:14:51 -0700, you wrote: > The gateway mail server is not aware of which email >address are valid and which are not on the main server (which should >not normally be a problem I assume). I would strongly suggest to make the gateway aware of the addresses. Or else you will also have the undeliverable bounces without mailscanner. It is best to not accept undeliverable message to your own domains. So you wont be bothered with all (double) bounces. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From rabellino at DI.UNITO.IT Fri May 24 10:00:43 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:51 2006 Subject: Logger.pl in 3.15 Message-ID: <3CEE013B.E63BA562@di.unito.it> Dear list, i've updated mailscanner to the latest release, but launching it I obtain the follow error "Your vendor has not defined the Sys::Syslog macro _PATH_LOG at /opt/perl/lib/5.6.0/sun4-solaris/Sys/Syslog.pm line 277." So i've erased in logger.pl the eval line in the start sub > # Do this in an eval so it can fail quietly if setlogsock > # is not supported in the installed version of Sys::Syslog > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r And mailscanner is doing it's work fine as usual. Any hints about it ? Ps. For SpamAssassin, i've done a minor change, so I can store the SpamAssassin prefs under the mailscanner etc directory. I believe it's a better choice than using the .spamassassin directory in the homedir of the mailscanner user ... --snip +config.pl: 106a107 > $Config::SpamAssassinPrefsFile = "$prefix/etc/SpamAssassin.prefs"; 219a221 > $Config::SpamAssassinPrefsFile = $value if $key =~ /^spamassassinprefsfile/i; +sendmail.pl 62c62,67 < $SAspamtest = new Mail::SpamAssassin(); --- > #$SAspamtest = new Mail::SpamAssassin(); > $SAspamtest = new Mail::SpamAssassin({ > 'userprefs_filename' => $Config::SpamAssassinPrefsFile, > 'dont_copy_prefs' => 0 > }); > and then add these lines to mailscanner.conf # Where SpamAssassin can find the preferences file SpamAssassin prefs file = /opt/mailscanner/etc/SpamAssassin.prefs --snip -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jkf at ecs.soton.ac.uk Fri May 24 10:37:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:51 2006 Subject: Logger.pl in 3.15 In-Reply-To: <3CEE013B.E63BA562@di.unito.it> Message-ID: <5.1.0.14.2.20020524103650.045b5ac8@roadrunner.ecs.soton.ac.uk> At 10:00 24/05/2002, you wrote: >Dear list, > i've updated mailscanner to the latest release, but launching it I > obtain the follow error > >"Your vendor has not defined the Sys::Syslog macro _PATH_LOG at >/opt/perl/lib/5.6.0/sun4-solaris/Sys/Syslog.pm line 277." > >So i've erased in logger.pl the eval line in the start sub > > # Do this in an eval so it can fail quietly if setlogsock > > # is not supported in the installed version of Sys::Syslog > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r > >And mailscanner is doing it's work fine as usual. Any hints about it ? How old is your version of Perl? "perl -v". >Ps. For SpamAssassin, i've done a minor change, so I can store the >SpamAssassin prefs under the mailscanner etc directory. I believe it's a >better choice than using the .spamassassin directory in the homedir of the >mailscanner user ... I have added a feature whose behaviour is basically the same, but implemented a bit differently. This will be in the next release. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Fri May 24 11:53:38 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:51 2006 Subject: Logger.pl in 3.15 References: <5.1.0.14.2.20020524103650.045b5ac8@roadrunner.ecs.soton.ac.uk> Message-ID: <3CEE1BB2.4D80A82F@di.unito.it> Julian Field wrote: > > At 10:00 24/05/2002, you wrote: > >Dear list, > > i've updated mailscanner to the latest release, but launching it I > > obtain the follow error > > > >"Your vendor has not defined the Sys::Syslog macro _PATH_LOG at > >/opt/perl/lib/5.6.0/sun4-solaris/Sys/Syslog.pm line 277." > > > >So i've erased in logger.pl the eval line in the start sub > > > # Do this in an eval so it can fail quietly if setlogsock > > > # is not supported in the installed version of Sys::Syslog > > > eval { Sys::Syslog::setlogsock('unix'); }; # Doesn't need syslogd -r > > > >And mailscanner is doing it's work fine as usual. Any hints about it ? > > How old is your version of Perl? "perl -v". > This is perl, v5.6.0 built for sun4-solaris Copyright 1987-2000, Larry Wall Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5.0 source kit. Complete documentation for Perl, including FAQ lists, should be found on this system using `man perl' or `perldoc perl'. If you have access to the Internet, point your browser at http://www.perl.com/, the Perl Home Page. > >Ps. For SpamAssassin, i've done a minor change, so I can store the > >SpamAssassin prefs under the mailscanner etc directory. I believe it's a > >better choice than using the .spamassassin directory in the homedir of the > >mailscanner user ... > I'll wait for your solution -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From kvue at WADSNET.COM Fri May 24 12:45:26 2002 From: kvue at WADSNET.COM (Kham Vue) Date: Thu Jan 12 21:14:51 2006 Subject: MajorDomo Not working after MailScanner installed Message-ID: <00c201c20318$89be3e40$fe00010a@backup> If anyone can help me: Here's the return MSG: > ----- The following addresses had transient non-fatal errors ----- >"|/usr/local/majordomo/wrapper -v site2 -f www.domainxx.com resend -l siteadmins siteadmins_site2-list" > (expanded from: ) > > ----- Transcript of session follows ----- >wrapper: Trying to exec /usr/local/majordomo/resend failed: Permission denied > Did you define PERL correctly in the Makefile? > HOME is HOME=/usr/local/majordomo, > PATH is PATH=/bin:/usr/bin, > SHELL is SHELL=/bin/sh, > MAJORDOMO_CF is MAJORDOMO_CF=/usr/local/majordomo/majordomo.cf >451 "|/usr/local/majordomo/wrapper -v site2 -f www.domainxx.com resend -l siteadmins siteadmins_site2-list"... Operating system >error >Warning: message still undelivered after 4 hours ----- Original Message ----- > I have a Cobalt RAQ3. > > Majordomo is not working. I emailed my mail groups and it goes nowhere. > > From valites at GENESEO.EDU Fri May 24 14:55:26 2002 From: valites at GENESEO.EDU (Mark T. Valites) Date: Thu Jan 12 21:14:52 2006 Subject: spamassassin integration Message-ID: I'm new to both spamassassin & mailscanner. I was pleasantly shocked at the ease of install and the fact that it was running in about 30 minutes (I made dinner in that time too...). I am a little confused as to how the spamassassin part integrates into mailscanner. A search of the mailscanner archives didn't seem to help, but I apologize if this has been answered already. >From what I have gathered this morning from reading about spamassissin, it was inteneded to be run on a per-user basis. System wide integration can be achieved through the use of several milters, a daemon, or mailscanner. My question stems from the fact that when I first send a message through my mail system, it hits mailscanner, which evokes spamassassin, and outputs a message telling me it created a user pref file for root. The file itself says it can be copied to /etc/mail/spamassassin. After doing so & removing the /.spamassassin/user_prefs file, the file gets created again on the next message through the mail system. Is this because mailscanner is running as root? Will I ever get user created pref files? Should the /etc/mail/spamassissin/user_prefs file be the one I'm primarily concerned with? I'm also using procmail as my LTA in sendmail to deliver to maildir formatted mailboxes. It looks like mailscanner is completely separate from the LTA, but it there anything I should keep an eye out for? >--))> >--))> Mark T. Valites Unix Systems Analyst 1 College Circle - 124b1 South Hall SUNY Geneseo Geneseo, NY 14454 585-245-5577 585-259-3471 (Cell) From jkf at ecs.soton.ac.uk Fri May 24 15:08:47 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: spamassassin integration In-Reply-To: Message-ID: <5.1.0.14.2.20020524150641.04847a90@roadrunner.ecs.soton.ac.uk> At 14:55 24/05/2002, you wrote: >My question stems from the fact that when I first send a message through >my mail system, it hits mailscanner, which evokes spamassassin, and >outputs a message telling me it created a user pref file for root. The >file itself says it can be copied to /etc/mail/spamassassin. After doing >so & removing the /.spamassassin/user_prefs file, the file gets created >again on the next message through the mail system. > >Is this because mailscanner is running as root? Will I ever get user >created pref files? Should the /etc/mail/spamassissin/user_prefs file be >the one I'm primarily concerned with? MailScanner is run as root, and will always use root's SpamAssassin user_prefs file. By the way, it uses the direct Perl API into SpamAssassin, so you don't need "spamc" or "spamd" or the "spamassassin" script. >I'm also using procmail as my LTA in sendmail to deliver to maildir >formatted mailboxes. It looks like mailscanner is completely separate >from the LTA, but it there anything I should keep an eye out for? MailScanner shouldn't affect the way your LTA works at all, it gets in well before that. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Fri May 24 15:17:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: TEMPFAIL In-Reply-To: <1022249040.11917.232.camel@ab1-1-26.shsu.edu> References: <5.1.0.14.2.20020524143555.02cd9ac0@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020524084945.046c5da8@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020524084945.046c5da8@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020524143555.02cd9ac0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020524151604.02b92c30@roadrunner.ecs.soton.ac.uk> At 15:04 24/05/2002, you wrote: >I have been testing and it seems to have been working for about an >hour. The problem came from the "-t" switch given to procmail under the >Mlocal section. I found this same question in your maillist archives >where several people running redhat were seeing this. (note: when >switching to amavis I didn't use procmail for Mlocal instead I used the >amavis script for Mlocal). This may be something worth putting into the >faq for people as it appears redhat sets the default Mlocal procmail to >try and re-deliver the mail(by using a "fail softly" switch of procmail) >in hopes that the user will get under their quota and the mail can be >delivered. Thanks for the info. I'll send this message to the list to get it in the list archives. > > > > At 04:12 24/05/2002, you wrote: > > > > >Hello, > > > > >I have recently decided to switch from amavis to mailscanner and after > > > > >installing I started getting lots of mail queued up that was destined > > > > >for users who are over their quota. I searched the faq(nothing their) > > > > >and the mailing list where I found a couple of messages asking about > > > > >this problem but no answers. I let the queue slowly climb to 4000 > > > > >messages(3900 of which probably should have been bounced) and > decided to > > > > >switch back to amavis while I try to debug what is wrong with the > > > > >current setup. If you have any thought/suggestions I would greatly > > > > >appreciate them. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From P.G.M.Peters at civ.utwente.nl Fri May 24 15:32:22 2002 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:14:52 2006 Subject: spamassassin integration In-Reply-To: <5.1.0.14.2.20020524150641.04847a90@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020524150641.04847a90@roadrunner.ecs.soton.ac.uk> Message-ID: On Fri, 24 May 2002 15:08:47 +0100, you wrote: >>Is this because mailscanner is running as root? Will I ever get user >>created pref files? Should the /etc/mail/spamassissin/user_prefs file be >>the one I'm primarily concerned with? > >MailScanner is run as root, and will always use root's SpamAssassin >user_prefs file. By the way, it uses the direct Perl API into SpamAssassin, >so you don't need "spamc" or "spamd" or the "spamassassin" script. I am running sendmail, mailscanner and spamassassin as user mail to prevent any problems with (potential vulnerable) software running as root. And it works as a charm. I have a ~mail/.spamassassin/user_prefs and keep it empty because I run everything on a (kind of) application level firewall (no mailboxes on this system). My prefs are configured in /etc/mail/spamassassin. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From darian at BEPINC.COM Fri May 24 20:07:42 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:52 2006 Subject: Spam not being flagged revisited In-Reply-To: <5.1.0.14.2.20020522182239.03564c00@roadrunner.ecs.soton.ac.uk> Message-ID: <007d01c20356$4aaeb6b0$11c9dbd1@WONDER> Julian, Okay having captured three different spam messages that scored above the threshold but didn't have their subjects rewritten -- I dropped one back into mqueue.in as you suggested. 4/5 times the scores were above threshold and still the subject was not re-written. Apparently a consistent and persistent bug rearing its head when this particular message crosses its path. Now the plot thickens, but let me begin by saying I have not been drinking. Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came to me with different spam scores. Once registering -4.4. I'll throw that one away as an anomaly. Each of the other times the scores exceeded the threshold but differed by as many as 15 points. I pieced the dfg/qfg back together and piped them through spamassassin using "spamassassin -t < test-spam > spam.out" and each time it registered 8.5 hits. So is it possible we are looking at two different problems or the same problem manifesting itself in different ways? I've attached the dfg/qfg to this email. Thanks, D. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, May 22, 2002 12:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam not being flagged revisited At 18:09 22/05/2002, you wrote: >It seems like a mailscanner issue where for some odd reason once in a >while the subject line doesn't get re-written as it should. Is there >some way for me to pipe these messages back through mailscanner and see >if I can replicate the error? If you set the Archive Mail options, then it will save the qf and df files out of the queue for you. Then you can later drop them back into mqueue.in to see what happens if it has a second go at them. What's interesting is your report that it only does this sometimes, not always. Stinks of being a Perl bug, but I would like to prove it or work out how to avoid it. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Wednesday, May 22, 2002 11:07 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spam not being flagged revisited > > >At 16:42 22/05/2002, you wrote: > >I received four more messages, where the Spamscore was greater than the > >threshold but the message was not marked as spam. I am including one > >header, as the rest are similar Everthing in spam.whitelist is > >commented out and only my local IP address is specified in > >mailscanner.conf. I don't see how this is a whitelist problem. Any > >ideas? > >I have just wiped my spam.whitelist.conf and commented out all "Accept >Spam >From" lines in mailscanner.conf. >I then set > Use SpamAssassin = yes > Always Include SpamAssassin Report = yes >and restarted MailScanner. > >Using the 2 SpamAssassin test messages sample-spam.txt and >sample-nonspam.txt that they supply for the purpose, I get these >results: >sample-spam.txt > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > >sample-nonspam.txt > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required >5, > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) > >I then set > Use SpamAssassin = yes > Always Include SpamAssassin Report = no >and restarted MailScanner. > >Using the same pair of messages again, I get >sample-spam.txt > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > >sample-nonspam.txt > >(no SpamCheck header at all) > >So either > a) something weird is happening that is affecting your system >and >not mine >or b) we are running different code. > >(b) is the most likely. I've got 1 more little feature to test out (RBL >checks timeout setting), then I'll release the code again. Any of you >having problems can then upgrade to that version and we'll see if your >problems go away. > > >Return-Path: > >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272 > > for ; Wed, 22 May 2002 04:13:32 -0500 > >To: darian@bepinc.com > >Date: Wed, 22 May 2002 05:11:15 -0500 > >Message-ID: <1022058675.2071@localhost.localdomain> > >X-Mailer: Becky! ver. 2.00.03 > >From: susanepapelej@jippii.fi > >Sender: > >X-Sender: > >Reply-To: > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! > >X-VirusScan: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5, > > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP, > > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) > >Status: > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Mike Wallis > >Sent: Tuesday, May 21, 2002 10:24 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Spam not being flagged > > > > > >I just upgraded to 3.15-3 and noticed something odd while testing. > > > >---begin--- > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > > SUBJ_REMOVE) > >---end--- > > > >In this particular instance, I forwarded myself some spam (the original > >generated a much higher score) and thought it rather odd that a score >in > >excess of the required score would get a 'not spam' designation. > > > >Any ideas? > > > >-- > >Mike Wallis > >mw@unixsecurity.org > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- I Pay Debt - Lower your debt and WIN $1000
You are receiving this because you are on the special offers list of Bestcheapstuff.com. If you would no longer like to receive special offers from Bestcheapstuff.com, go to http://unsubscribe.bestcheapstuff.com and you will be promptly unsubscribed.
Lower your debt by up to 50% and Win $1,000 - iPayDebt.Com
REMOVAL NOTICE: If you would no longer like to receive special offers from Bestcheapstuff.com, go to http://unsubscribe.bestcheapstuff.com and you will be promptly unsubscribed. For additional information or comments contact us at info@bestcheapstuff.com .
-------------- next part -------------- V4 T1022200121 K0 N0 P32043 I3/2/375816 Fb $_sdsl-64-7-14-13.dsl.bos.megapath.net [64.7.14.13] $rSMTP $sAster59 ${daemon_flags} ${if_addr}209.219.201.11 S RPFD: H?P?Return-Path: H??Received: from Aster59 (sdsl-64-7-14-13.dsl.bos.megapath.net [64.7.14.13]) by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4O0SQA08654 for ; Thu, 23 May 2002 19:28:41 -0500 H?M?Message-Id: <200205240028.g4O0SQA08654@vulcan.bepinc.com> H??From: "Offers" H??To: H??Subject: Lower your debt and win 1000 dollars H??Sender: "Offers" H??Mime-Version: 1.0 H??Content-Type: text/html; charset="iso-8859-1" H??Date: Thu, 23 May 2002 20:39:00 -0400 . From nwp at LEMON-COMPUTING.COM Sat May 25 02:09:47 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:52 2006 Subject: MajorDomo Not working after MailScanner installed In-Reply-To: <00c201c20318$89be3e40$fe00010a@backup> References: <00c201c20318$89be3e40$fe00010a@backup> Message-ID: <20020525010947.GP6448@hoiho.nz.lemon-computing.com> On Fri, May 24, 2002 at 07:45:26AM -0400, Kham Vue wrote: > If anyone can help me: > >wrapper: Trying to exec /usr/local/majordomo/resend failed: Permission denied ls -l /usr/local/majordomo/resend -- Nick Phillips -- nwp@lemon-computing.com You are magnetic in your bearing. From LISTSERV at JISCMAIL.AC.UK Fri May 24 21:40:51 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: ray@MATRIX-DATANET.CO.UK requested to join Message-ID: <200205242040.VAA11591@magpie.ecs.soton.ac.uk> Fri, 24 May 2002 21:40:51 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Ray Healy You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ray@MATRIX-DATANET.CO.UK Ray Healy PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ray@MATRIX-DATANET.CO.UK Ray Healy // EOJ From LISTSERV at JISCMAIL.AC.UK Sat May 25 01:19:06 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: jaw@DEEPSPACE.COM requested to join Message-ID: <200205250019.BAA24053@magpie.ecs.soton.ac.uk> Sat, 25 May 2002 01:19:06 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Joe Wieclawek You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jaw@DEEPSPACE.COM Joe Wieclawek PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jaw@DEEPSPACE.COM Joe Wieclawek // EOJ From jkf at ecs.soton.ac.uk Sat May 25 08:42:06 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: MajorDomo Not working after MailScanner installed In-Reply-To: <20020525010947.GP6448@hoiho.nz.lemon-computing.com> References: <00c201c20318$89be3e40$fe00010a@backup> <00c201c20318$89be3e40$fe00010a@backup> Message-ID: <5.1.0.14.2.20020525083923.02aaae28@roadrunner.ecs.soton.ac.uk> At 02:09 25/05/2002, you wrote: >On Fri, May 24, 2002 at 07:45:26AM -0400, Kham Vue wrote: > > If anyone can help me: > > > >wrapper: Trying to exec /usr/local/majordomo/resend failed: Permission > denied > >ls -l /usr/local/majordomo/resend Thanks Nick. Would people *please* carefully read these error messages and make some attempt to understand them, before assuming (incorrectly) that they are MailScanner bugs and posting them here. This is not a global "all your email problems" mailing list, and currently a lot of traffic on the list is nothing to do with MailScanner at all. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sat May 25 08:38:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: Spam not being flagged revisited In-Reply-To: <007d01c20356$4aaeb6b0$11c9dbd1@WONDER> References: <5.1.0.14.2.20020522182239.03564c00@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020525083622.02ab95d0@roadrunner.ecs.soton.ac.uk> This looks like a variation of the SpamAssassin bug that caused me to stop calling the "compile_now" method, which did speed up the SA analysis a bit, but caused it to produce random output results. I'm pretty sure this is a combination of a possible SA bug, and a possible Perl bug. I've checked the MailScanner code pretty carefully, and it's doing everything correctly according to the docs. As well as getting a different score, do you get a different list of successful tests as well? At 20:07 24/05/2002, you wrote: >Julian, > >Okay having captured three different spam messages that scored above the >threshold but didn't have their subjects rewritten -- I dropped one back >into mqueue.in as you suggested. > >4/5 times the scores were above threshold and still the subject was not >re-written. Apparently a consistent and persistent bug rearing its head >when this particular message crosses its path. > >Now the plot thickens, but let me begin by saying I have not been >drinking. > >Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came >to me with different spam scores. Once registering -4.4. I'll throw >that one away as an anomaly. Each of the other times the scores >exceeded the threshold but differed by as many as 15 points. > >I pieced the dfg/qfg back together and piped them through spamassassin >using "spamassassin -t < test-spam > spam.out" and each time it >registered 8.5 hits. > >So is it possible we are looking at two different problems or the same >problem manifesting itself in different ways? I've attached the dfg/qfg >to this email. > >Thanks, >D. > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Wednesday, May 22, 2002 12:25 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spam not being flagged revisited > > >At 18:09 22/05/2002, you wrote: > >It seems like a mailscanner issue where for some odd reason once in a > >while the subject line doesn't get re-written as it should. Is there > >some way for me to pipe these messages back through mailscanner and see > >if I can replicate the error? > >If you set the Archive Mail options, then it will save the qf and df >files >out of the queue for you. Then you can later drop them back into >mqueue.in >to see what happens if it has a second go at them. > >What's interesting is your report that it only does this sometimes, not >always. Stinks of being a Perl bug, but I would like to prove it or work >out how to avoid it. > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Wednesday, May 22, 2002 11:07 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spam not being flagged revisited > > > > > >At 16:42 22/05/2002, you wrote: > > >I received four more messages, where the Spamscore was greater than >the > > >threshold but the message was not marked as spam. I am including one > > >header, as the rest are similar Everthing in spam.whitelist is > > >commented out and only my local IP address is specified in > > >mailscanner.conf. I don't see how this is a whitelist problem. Any > > >ideas? > > > >I have just wiped my spam.whitelist.conf and commented out all "Accept > >Spam > >From" lines in mailscanner.conf. > >I then set > > Use SpamAssassin = yes > > Always Include SpamAssassin Report = yes > >and restarted MailScanner. > > > >Using the 2 SpamAssassin test messages sample-spam.txt and > >sample-nonspam.txt that they supply for the purpose, I get these > >results: > >sample-spam.txt > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > >sample-nonspam.txt > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required > >5, > > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) > > > >I then set > > Use SpamAssassin = yes > > Always Include SpamAssassin Report = no > >and restarted MailScanner. > > > >Using the same pair of messages again, I get > >sample-spam.txt > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > >sample-nonspam.txt > > >(no SpamCheck header at all) > > > >So either > > a) something weird is happening that is affecting your system > >and > >not mine > >or b) we are running different code. > > > >(b) is the most likely. I've got 1 more little feature to test out (RBL > >checks timeout setting), then I'll release the code again. Any of you > >having problems can then upgrade to that version and we'll see if your > >problems go away. > > > > >Return-Path: > > >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > > > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id >g4M9DW103272 > > > for ; Wed, 22 May 2002 04:13:32 -0500 > > >To: darian@bepinc.com > > >Date: Wed, 22 May 2002 05:11:15 -0500 > > >Message-ID: <1022058675.2071@localhost.localdomain> > > >X-Mailer: Becky! ver. 2.00.03 > > >From: susanepapelej@jippii.fi > > >Sender: > > >X-Sender: > > >Reply-To: > > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! > > >X-VirusScan: Found to be clean > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required >5, > > > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, >NORMAL_HTTP_TO_IP, > > > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) > > >Status: > > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > >Behalf Of Mike Wallis > > >Sent: Tuesday, May 21, 2002 10:24 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Spam not being flagged > > > > > > > > >I just upgraded to 3.15-3 and noticed something odd while testing. > > > > > >---begin--- > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > > > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > > > SUBJ_REMOVE) > > >---end--- > > > > > >In this particular instance, I forwarded myself some spam (the >original > > >generated a much higher score) and thought it rather odd that a score > >in > > >excess of the required score would get a 'not spam' designation. > > > > > >Any ideas? > > > > > >-- > > >Mike Wallis > > >mw@unixsecurity.org > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > >-- >Julian Field Teaching Systems Manager >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science >Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ray at MATRIX-DATANET.CO.UK Sat May 25 13:17:19 2002 From: ray at MATRIX-DATANET.CO.UK (Ray Healy) Date: Thu Jan 12 21:14:52 2006 Subject: Just installed MailScanner Message-ID: Dear All After being advised by Julian - thank you very much Julian for the web site address - I installed F-prot (Small business 312) and Mailscanner 3.15-3 onto my RAQ4 Cobalt which I believe is running RedHat 6.2 with Sendamil 8.10 (as you can see I am quite new to this) Everything installed perfectly and the F-prot obtained its virus definitions corrcetly and installed them. I had no errors on the install whatsoever. I carried out the modifications as suggested in the artical at http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 which again wnet smoothly. The problem is that I can send and receive e-mail through my RAQ server but Mailscanner does not seem to be scanning the messages or attachments. I have been using the EICAR test virus and sending it to the server from my other free ISP account and from my server using Outlook Express. I do not get any of the additional entries in the e-mail header (X-Mailscanner.....) so I can only assume that the the messages are bypassing the MailScanner part of the operation totally. I cannot see where I have gone wrong considering I had no errors on install. Everything appears to be running OK and I have tested the MailScanner using /usr/local/MailScanner/bin/check_mailscanner and I get back the correct respons. Can anyone through any light on this to where I may have gone wrong as I have gone through every item in this mailing list and the FAQ to no avail. Thanks everyone Ray Healy From darian at BEPINC.COM Sat May 25 15:36:04 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:52 2006 Subject: Spam not being flagged revisited References: <5.1.0.14.2.20020522182239.03564c00@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020525083622.02ab95d0@roadrunner.ecs.soton.ac.uk> Message-ID: <004c01c203f9$80156120$b675fb0c@wheaton1.il.home.com> Yes, a dramatically different list of tests. Is there some information I can pass on to the SpamAssassin developers to give them insight into the bug? Thanks, d. ----- Original Message ----- From: "Julian Field" To: Sent: Saturday, May 25, 2002 2:38 AM Subject: Re: Spam not being flagged revisited > This looks like a variation of the SpamAssassin bug that caused me to stop > calling the "compile_now" method, which did speed up the SA analysis a bit, > but caused it to produce random output results. I'm pretty sure this is a > combination of a possible SA bug, and a possible Perl bug. I've checked the > MailScanner code pretty carefully, and it's doing everything correctly > according to the docs. > > As well as getting a different score, do you get a different list of > successful tests as well? > > At 20:07 24/05/2002, you wrote: > >Julian, > > > >Okay having captured three different spam messages that scored above the > >threshold but didn't have their subjects rewritten -- I dropped one back > >into mqueue.in as you suggested. > > > >4/5 times the scores were above threshold and still the subject was not > >re-written. Apparently a consistent and persistent bug rearing its head > >when this particular message crosses its path. > > > >Now the plot thickens, but let me begin by saying I have not been > >drinking. > > > >Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came > >to me with different spam scores. Once registering -4.4. I'll throw > >that one away as an anomaly. Each of the other times the scores > >exceeded the threshold but differed by as many as 15 points. > > > >I pieced the dfg/qfg back together and piped them through spamassassin > >using "spamassassin -t < test-spam > spam.out" and each time it > >registered 8.5 hits. > > > >So is it possible we are looking at two different problems or the same > >problem manifesting itself in different ways? I've attached the dfg/qfg > >to this email. > > > >Thanks, > >D. > > > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Julian Field > >Sent: Wednesday, May 22, 2002 12:25 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spam not being flagged revisited > > > > > >At 18:09 22/05/2002, you wrote: > > >It seems like a mailscanner issue where for some odd reason once in a > > >while the subject line doesn't get re-written as it should. Is there > > >some way for me to pipe these messages back through mailscanner and see > > >if I can replicate the error? > > > >If you set the Archive Mail options, then it will save the qf and df > >files > >out of the queue for you. Then you can later drop them back into > >mqueue.in > >to see what happens if it has a second go at them. > > > >What's interesting is your report that it only does this sometimes, not > >always. Stinks of being a Perl bug, but I would like to prove it or work > >out how to avoid it. > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > >Behalf Of Julian Field > > >Sent: Wednesday, May 22, 2002 11:07 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Spam not being flagged revisited > > > > > > > > >At 16:42 22/05/2002, you wrote: > > > >I received four more messages, where the Spamscore was greater than > >the > > > >threshold but the message was not marked as spam. I am including one > > > >header, as the rest are similar Everthing in spam.whitelist is > > > >commented out and only my local IP address is specified in > > > >mailscanner.conf. I don't see how this is a whitelist problem. Any > > > >ideas? > > > > > >I have just wiped my spam.whitelist.conf and commented out all "Accept > > >Spam > > >From" lines in mailscanner.conf. > > >I then set > > > Use SpamAssassin = yes > > > Always Include SpamAssassin Report = yes > > >and restarted MailScanner. > > > > > >Using the 2 SpamAssassin test messages sample-spam.txt and > > >sample-nonspam.txt that they supply for the purpose, I get these > > >results: > > >sample-spam.txt > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > > > >sample-nonspam.txt > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required > > >5, > > > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) > > > > > >I then set > > > Use SpamAssassin = yes > > > Always Include SpamAssassin Report = no > > >and restarted MailScanner. > > > > > >Using the same pair of messages again, I get > > >sample-spam.txt > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > > > >sample-nonspam.txt > > > >(no SpamCheck header at all) > > > > > >So either > > > a) something weird is happening that is affecting your system > > >and > > >not mine > > >or b) we are running different code. > > > > > >(b) is the most likely. I've got 1 more little feature to test out (RBL > > >checks timeout setting), then I'll release the code again. Any of you > > >having problems can then upgrade to that version and we'll see if your > > >problems go away. > > > > > > >Return-Path: > > > >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > > > > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id > >g4M9DW103272 > > > > for ; Wed, 22 May 2002 04:13:32 -0500 > > > >To: darian@bepinc.com > > > >Date: Wed, 22 May 2002 05:11:15 -0500 > > > >Message-ID: <1022058675.2071@localhost.localdomain> > > > >X-Mailer: Becky! ver. 2.00.03 > > > >From: susanepapelej@jippii.fi > > > >Sender: > > > >X-Sender: > > > >Reply-To: > > > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! > > > >X-VirusScan: Found to be clean > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required > >5, > > > > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, > >NORMAL_HTTP_TO_IP, > > > > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) > > > >Status: > > > > > > > >-----Original Message----- > > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > >Behalf Of Mike Wallis > > > >Sent: Tuesday, May 21, 2002 10:24 AM > > > >To: MAILSCANNER@JISCMAIL.AC.UK > > > >Subject: Spam not being flagged > > > > > > > > > > > >I just upgraded to 3.15-3 and noticed something odd while testing. > > > > > > > >---begin--- > > > >X-MailScanner: Found to be clean > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > > > > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > > > > SUBJ_REMOVE) > > > >---end--- > > > > > > > >In this particular instance, I forwarded myself some spam (the > >original > > > >generated a much higher score) and thought it rather odd that a score > > >in > > > >excess of the required score would get a 'not spam' designation. > > > > > > > >Any ideas? > > > > > > > >-- > > > >Mike Wallis > > > >mw@unixsecurity.org > > > > > >-- > > >Julian Field Teaching Systems Manager > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > >Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > >-- > >Julian Field Teaching Systems Manager > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > >Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > > > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sat May 25 15:41:12 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: Spam not being flagged revisited In-Reply-To: <004c01c203f9$80156120$b675fb0c@wheaton1.il.home.com> References: <5.1.0.14.2.20020522182239.03564c00@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020525083622.02ab95d0@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020525154023.03686c98@imap.ecs.soton.ac.uk> At 15:36 25/05/2002, you wrote: >Yes, a dramatically different list of tests. >Is there some information I can pass on to the SpamAssassin developers to >give them insight into the bug? The message (including all the headers) and the 2 lists of results, together with an explanation of how it happened, should be enough for them I would hope. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Saturday, May 25, 2002 2:38 AM >Subject: Re: Spam not being flagged revisited > > > > This looks like a variation of the SpamAssassin bug that caused me to stop > > calling the "compile_now" method, which did speed up the SA analysis a >bit, > > but caused it to produce random output results. I'm pretty sure this is a > > combination of a possible SA bug, and a possible Perl bug. I've checked >the > > MailScanner code pretty carefully, and it's doing everything correctly > > according to the docs. > > > > As well as getting a different score, do you get a different list of > > successful tests as well? > > > > At 20:07 24/05/2002, you wrote: > > >Julian, > > > > > >Okay having captured three different spam messages that scored above the > > >threshold but didn't have their subjects rewritten -- I dropped one back > > >into mqueue.in as you suggested. > > > > > >4/5 times the scores were above threshold and still the subject was not > > >re-written. Apparently a consistent and persistent bug rearing its head > > >when this particular message crosses its path. > > > > > >Now the plot thickens, but let me begin by saying I have not been > > >drinking. > > > > > >Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came > > >to me with different spam scores. Once registering -4.4. I'll throw > > >that one away as an anomaly. Each of the other times the scores > > >exceeded the threshold but differed by as many as 15 points. > > > > > >I pieced the dfg/qfg back together and piped them through spamassassin > > >using "spamassassin -t < test-spam > spam.out" and each time it > > >registered 8.5 hits. > > > > > >So is it possible we are looking at two different problems or the same > > >problem manifesting itself in different ways? I've attached the dfg/qfg > > >to this email. > > > > > >Thanks, > > >D. > > > > > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > >Behalf Of Julian Field > > >Sent: Wednesday, May 22, 2002 12:25 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Spam not being flagged revisited > > > > > > > > >At 18:09 22/05/2002, you wrote: > > > >It seems like a mailscanner issue where for some odd reason once in a > > > >while the subject line doesn't get re-written as it should. Is there > > > >some way for me to pipe these messages back through mailscanner and see > > > >if I can replicate the error? > > > > > >If you set the Archive Mail options, then it will save the qf and df > > >files > > >out of the queue for you. Then you can later drop them back into > > >mqueue.in > > >to see what happens if it has a second go at them. > > > > > >What's interesting is your report that it only does this sometimes, not > > >always. Stinks of being a Perl bug, but I would like to prove it or work > > >out how to avoid it. > > > > > > >-----Original Message----- > > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > >Behalf Of Julian Field > > > >Sent: Wednesday, May 22, 2002 11:07 AM > > > >To: MAILSCANNER@JISCMAIL.AC.UK > > > >Subject: Re: Spam not being flagged revisited > > > > > > > > > > > >At 16:42 22/05/2002, you wrote: > > > > >I received four more messages, where the Spamscore was greater than > > >the > > > > >threshold but the message was not marked as spam. I am including one > > > > >header, as the rest are similar Everthing in spam.whitelist is > > > > >commented out and only my local IP address is specified in > > > > >mailscanner.conf. I don't see how this is a whitelist problem. Any > > > > >ideas? > > > > > > > >I have just wiped my spam.whitelist.conf and commented out all "Accept > > > >Spam > > > >From" lines in mailscanner.conf. > > > >I then set > > > > Use SpamAssassin = yes > > > > Always Include SpamAssassin Report = yes > > > >and restarted MailScanner. > > > > > > > >Using the 2 SpamAssassin test messages sample-spam.txt and > > > >sample-nonspam.txt that they supply for the purpose, I get these > > > >results: > > > >sample-spam.txt > > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > > > > > >sample-nonspam.txt > > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required > > > >5, > > > > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE) > > > > > > > >I then set > > > > Use SpamAssassin = yes > > > > Always Include SpamAssassin Report = no > > > >and restarted MailScanner. > > > > > > > >Using the same pair of messages again, I get > > > >sample-spam.txt > > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5, > > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT, > > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT, > > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING, > > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM) > > > > > > > >sample-nonspam.txt > > > > >(no SpamCheck header at all) > > > > > > > >So either > > > > a) something weird is happening that is affecting your system > > > >and > > > >not mine > > > >or b) we are running different code. > > > > > > > >(b) is the most likely. I've got 1 more little feature to test out (RBL > > > >checks timeout setting), then I'll release the code again. Any of you > > > >having problems can then upgrade to that version and we'll see if your > > > >problems go away. > > > > > > > > >Return-Path: > > > > >Received: from mail1.alluneedhosting.com ([208.46.132.87]) > > > > > by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id > > >g4M9DW103272 > > > > > for ; Wed, 22 May 2002 04:13:32 -0500 > > > > >To: darian@bepinc.com > > > > >Date: Wed, 22 May 2002 05:11:15 -0500 > > > > >Message-ID: <1022058675.2071@localhost.localdomain> > > > > >X-Mailer: Becky! ver. 2.00.03 > > > > >From: susanepapelej@jippii.fi > > > > >Sender: > > > > >X-Sender: > > > > >Reply-To: > > > > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid! > > > > >X-VirusScan: Found to be clean > > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required > > >5, > > > > > INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, > > >NORMAL_HTTP_TO_IP, > > > > > WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML) > > > > >Status: > > > > > > > > > >-----Original Message----- > > > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > >Behalf Of Mike Wallis > > > > >Sent: Tuesday, May 21, 2002 10:24 AM > > > > >To: MAILSCANNER@JISCMAIL.AC.UK > > > > >Subject: Spam not being flagged > > > > > > > > > > > > > > >I just upgraded to 3.15-3 and noticed something odd while testing. > > > > > > > > > >---begin--- > > > > >X-MailScanner: Found to be clean > > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5, > > > > > SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW, > > > > > SUBJ_REMOVE) > > > > >---end--- > > > > > > > > > >In this particular instance, I forwarded myself some spam (the > > >original > > > > >generated a much higher score) and thought it rather odd that a score > > > >in > > > > >excess of the required score would get a 'not spam' designation. > > > > > > > > > >Any ideas? > > > > > > > > > >-- > > > > >Mike Wallis > > > > >mw@unixsecurity.org > > > > > > > >-- > > > >Julian Field Teaching Systems Manager > > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > > >Tel. 023 8059 2817 University of Southampton > > > > Southampton SO17 1BJ > > > > > >-- > > >Julian Field Teaching Systems Manager > > >jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > >Tel. 023 8059 2817 University of Southampton > > > Southampton SO17 1BJ > > > > > > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Sat May 25 16:55:54 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: raqfaq error in RAQ4 instructions Message-ID: <5.1.0.14.2.20020525165529.0366ace8@wheresmymailserver.com> The raqfaq about installing MailScanner on a RAQ system has a slight error in it where it describes the differences for a RAQ4. The raqfaq itself is at http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 Here's what you need to fix: 1. Edit /etc/mail/sendmail.cf Search for "QueueDirectory" and change the line to O QueueDirectory=/var/spool/mqueue 2. Edit /usr/local/MailScanner/mailscanner.conf Search for "Outgoing Queue Dir" and change the line to Outgoing Queue Dir = /var/spool/mqueue 3. Move any remaining queue files into the updated queue directory mv /var/spool/mqueue/q*/* /var/spool/mqueue 4. Delete the old queue subdirectories rmdir /var/spool/mqueue/q* 5. Kill sendmail /etc/rc.d/init.d/mailscanner stop (this will kill all the sendmail processes if you happen to have more than 1 running!) 6. Kill MailScanner and restart it /usr/local/MailScanner/bin/check_mailscanner (Then kill the process whose number it prints) /etc/rc.d/init.d/mailscanner start 7. Check it's all okay: ps ax | grep mail should produce output like this: 1680 ? S 0:00 sendmail: accepting connections 1682 ? S 0:00 /usr/sbin/sendmail -q15m 1692 ? S 0:00 perl /usr/local/MailScanner/bin/mailscanner /usr/loca -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020525/780e71db/attachment.html From LISTSERV at JISCMAIL.AC.UK Sat May 25 21:27:01 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: ralloway@CHARTERPA.NET requested to join Message-ID: <200205252027.VAA17200@magpie.ecs.soton.ac.uk> Sat, 25 May 2002 21:27:01 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Richard D Alloway You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER ralloway@CHARTERPA.NET Richard D Alloway PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER ralloway@CHARTERPA.NET Richard D Alloway // EOJ From LISTSERV at JISCMAIL.AC.UK Sun May 26 00:30:17 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: isp-list@TULSACONNECT.COM requested to join Message-ID: <200205252330.AAA24347@magpie.ecs.soton.ac.uk> Sun, 26 May 2002 00:30:17 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mike Bacher You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER isp-list@TULSACONNECT.COM Mike Bacher PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER isp-list@TULSACONNECT.COM Mike Bacher // EOJ From LISTSERV at JISCMAIL.AC.UK Sun May 26 03:22:45 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: bparish@BIGFOOT.COM.AU left the JISCmail list Message-ID: <200205260222.DAA29847@magpie.ecs.soton.ac.uk> Sun, 26 May 2002 03:22:45 Brian Parish has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From tal at MUSICGENOME.COM Sun May 26 12:27:07 2002 From: tal at MUSICGENOME.COM (Tal Kelrich) Date: Thu Jan 12 21:14:52 2006 Subject: Mailscanner enables sendmail on RPM install In-Reply-To: <5.1.0.14.2.20020522164025.048ef898@roadrunner.ecs.soton.ac.uk> References: <5.1.0.14.2.20020522164025.048ef898@roadrunner.ecs.soton.ac.uk> Message-ID: <1022412427.4595.117.camel@localhost.localdomain> On Wed, 2002-05-22 at 18:41, Julian Field wrote: > At 16:31 22/05/2002, you wrote: > >I just noticed headers missing on some messages, apparently the system > >rebooted and it seems when I upgraded it reset sendmail to on via > >chkconfig. :/ > >I think the post-uninstall script is to blame, but I don't know much > >about RPM. > > I have this horrible feeling that when you upgrade an RPM, it calls the > "post-uninstall" script at a very odd time, like after it has run the new > "post-install" script or something like that. okay, I just checked and it seems it first installs the new version and then removes the old. I found here some info which should probably solve the problem http://www-106.ibm.com/developerworks/linux/library/l-rpm3.html the scripts should recieve in $1 one of these Here are the actual values passed during an install: Run %pre of new package (1) Install new files Run %post of new package (1) Here are the values passed during an upgrade: Run %pre of new package (2) Install new files Run %post of new package (2) Run %preun of old package (1) Delete any old files not overwritten by newer ones Run %postun of old package (1) Here are the values passed during a delete: Run %preun of old package (0) Delete files Run %postun of old package (0) -- Tal Kelrich PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 PGP key-id: 12B9AA69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 240 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020526/f4bbfa00/attachment.bin From LISTSERV at JISCMAIL.AC.UK Sun May 26 12:10:14 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: sjcjonker@SJC.NL requested to join Message-ID: <200205261110.MAA21407@magpie.ecs.soton.ac.uk> Sun, 26 May 2002 12:10:14 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Stijn Jonker The following membership options have been requested: IETFHDR. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER sjcjonker@SJC.NL Stijn Jonker PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER sjcjonker@SJC.NL Stijn Jonker SET MAILSCANNER IETFHDR FOR sjcjonker@SJC.NL // EOJ From jkf at ecs.soton.ac.uk Sun May 26 12:59:56 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: Mailscanner enables sendmail on RPM install In-Reply-To: <1022412427.4595.117.camel@localhost.localdomain> References: <5.1.0.14.2.20020522164025.048ef898@roadrunner.ecs.soton.ac.uk> <5.1.0.14.2.20020522164025.048ef898@roadrunner.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020526125924.024a44c0@imap.ecs.soton.ac.uk> Well done for finding that, now the RPM should work considerably better during an upgrade. At 12:27 26/05/2002, you wrote: >On Wed, 2002-05-22 at 18:41, Julian Field wrote: > > At 16:31 22/05/2002, you wrote: > > >I just noticed headers missing on some messages, apparently the system > > >rebooted and it seems when I upgraded it reset sendmail to on via > > >chkconfig. :/ > > >I think the post-uninstall script is to blame, but I don't know much > > >about RPM. > > > > I have this horrible feeling that when you upgrade an RPM, it calls the > > "post-uninstall" script at a very odd time, like after it has run the new > > "post-install" script or something like that. >okay, I just checked and it seems it first installs the new version and >then removes the old. >I found here some info which should probably solve the problem >http://www-106.ibm.com/developerworks/linux/library/l-rpm3.html > >the scripts should recieve in $1 one of these >Here are the actual values passed during an install: >Run %pre of new package (1) >Install new files >Run %post of new package (1) > >Here are the values passed during an upgrade: >Run %pre of new package (2) >Install new files >Run %post of new package (2) >Run %preun of old package (1) >Delete any old files not overwritten by newer ones >Run %postun of old package (1) > >Here are the values passed during a delete: >Run %preun of old package (0) >Delete files >Run %postun of old package (0) >-- >Tal Kelrich > >PGP Fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69 >PGP key-id: 12B9AA69 -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From shiva at WEBCODING.IT Sun May 26 14:53:06 2002 From: shiva at WEBCODING.IT (Shiva Shiva) Date: Thu Jan 12 21:14:52 2006 Subject: Problems with Mailscanner and Ensim Webbpliance Message-ID: <1022421186.3cf0e8c241ec6@mail.webcoding.it> Hi, i'm getting mad configuring mailscanner with Ensim Webbpliance...i've installed it on my Ensim box...ok...edited the sendmail start script...ok...incoming mail get scanned and delivered to final user ok...but when a user send a mail through the SMTP server (the same sendmail daemon) use the SMTP AUTH theese mail aren't scanned and get stucked in the Virtual File System root (Ex /home/virtual/siteX/fst), i've tried many things...finally my idea is that there's a bug in a rewrite rules in the Ensim sendmail.cf...Because this error happens when a user send a mail with SMTP AUTH, and sendmail is configured with a Deferred Delivery Mode (necessary for mailscanner) so I think that if the mail address pass through theese two ruleset there's a bug that modify the original address and make it in a wrong form for the Ruleset 0, anyone has a suggestion about avoid that? I'm not a sendmail guru, and i can't rewrite a ruleset...but if you help me to understand what and where is the exact problem We can work on it and finally get this program working! P.S There's a sendmail parameter or similar in order to get the same verbose output in the maillog such a sendmail -bt so i can view all the ruleset that a mail go through and finally the returned address. Sorry for my English, i hope that you can understand what i wrote...Many Thanks! Regards. From sjcjonker at SJC.NL Sun May 26 15:12:55 2002 From: sjcjonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:14:52 2006 Subject: Possible additional feature? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, After a long period amavis user, I switched to mailscanner and I must say it's wonderfull! The one think I'm missing is the following: When a mail is marked as virus, or rejected on the basis of the filename (extensions) only the offending file is saved. What I think is a good addition is a way to save next to the offending attachments the complete message. I checked the explode.pl file and the function is already in "sub QuarantineInfections", because when the scanner marks a complete message as an infected message. The idea I tried, by modifing explode.pl was to add an third Action config option "raw" or something similair. Unfortunally I couldn't get it to work, therefor my question, is there a possibility to add this? Thanks & greetz - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker - -- Outlook Express is actually an incredibly effective virus distribution system which only pretends to be an email program. [by Eric Lee] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE88O1oH0P/oLuWBrcRAsVOAJ9xJc+PtQvmc45V+pz8vqL8nn46WwCfTcQF U9WidcFct4i2jAC2eeeRaxU= =auO1 -----END PGP SIGNATURE----- From richard.siddall at ELIRION.NET Sun May 26 15:36:51 2002 From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:14:52 2006 Subject: raqfaq error in RAQ4 instructions References: <5.1.0.14.2.20020525165529.0366ace8@wheresmymailserver.com> Message-ID: <3CF0F303.A967F681@elirion.net> Julian Field wrote: > > The raqfaq about installing MailScanner on a RAQ system has a slight error in it where it describes the differences for a RAQ4. The raqfaq itself is at > http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=96 > > Here's what you need to fix: > 1. Edit /etc/mail/sendmail.cf > Search for "QueueDirectory" and change the line to > O QueueDirectory=/var/spool/mqueue [snip] Julian, 1/ What's the error in the raqfaq? 2/ Is there a good reason to use this approach rather than choosing one of the existing queues as Mailscanner's output queue? If for some strange reason the user uninstalled Mailscanner, they'd have a lot more work getting back to the default sendmail install. Regards, Richard Siddall. From jkf at ecs.soton.ac.uk Sun May 26 16:20:38 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: raqfaq error in RAQ4 instructions In-Reply-To: <3CF0F303.A967F681@elirion.net> References: <5.1.0.14.2.20020525165529.0366ace8@wheresmymailserver.com> Message-ID: <5.1.0.14.2.20020526161711.0361b200@imap.ecs.soton.ac.uk> At 15:36 26/05/2002, you wrote: >1/ What's the error in the raqfaq? It's where they refer to /var/spool/mqueue/q(x). If prefer to flatten it back to the standard /var/spool/mqueue directory with no subdirectories. >2/ Is there a good reason to use this approach rather than choosing one of the >existing queues as Mailscanner's output queue? It's just more "normal". Having split queue subdirectories and only using 1 of them, seems a bit unusual to me. > If for some strange reason the user >uninstalled Mailscanner, they'd have a lot more work getting back to the >default >sendmail install. They would just have to tweak the 1 line in sendmail.cf. But it's up to you which you go for. I think you need to be a bit more explicit about the config lines you advise people to change. "q(x)" isn't as obvious as just saying "q1" for example. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jon at XNEXT.COM Sun May 26 16:41:33 2002 From: jon at XNEXT.COM (Jonothon Ortiz (Xnext, Inc)) Date: Thu Jan 12 21:14:52 2006 Subject: raqfaq error in RAQ4 instructions In-Reply-To: <5.1.0.14.2.20020526161711.0361b200@imap.ecs.soton.ac.uk> Message-ID: The q(x) point ws something I brought up to the RaQFaQ people before and they didn't pay attention to it, for some odd reason. I don't think it's been updated in awhile. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Sunday, May 26, 2002 11:21 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: raqfaq error in RAQ4 instructions At 15:36 26/05/2002, you wrote: >1/ What's the error in the raqfaq? It's where they refer to /var/spool/mqueue/q(x). If prefer to flatten it back to the standard /var/spool/mqueue directory with no subdirectories. >2/ Is there a good reason to use this approach rather than choosing one of the >existing queues as Mailscanner's output queue? It's just more "normal". Having split queue subdirectories and only using 1 of them, seems a bit unusual to me. > If for some strange reason the user >uninstalled Mailscanner, they'd have a lot more work getting back to the >default >sendmail install. They would just have to tweak the 1 line in sendmail.cf. But it's up to you which you go for. I think you need to be a bit more explicit about the config lines you advise people to change. "q(x)" isn't as obvious as just saying "q1" for example. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Mon May 27 01:19:29 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: kazoo@EMERGE.NET.AU left the JISCmail list Message-ID: <200205270019.BAA00030@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 01:19:29 Daniel Hooper has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From LISTSERV at JISCMAIL.AC.UK Mon May 27 05:26:27 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: imark@TIPPINGMAR.COM requested to join Message-ID: <200205270426.FAA09780@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 05:26:27 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mark Nienberg You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER imark@TIPPINGMAR.COM Mark Nienberg PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER imark@TIPPINGMAR.COM Mark Nienberg // EOJ From LISTSERV at JISCMAIL.AC.UK Mon May 27 08:52:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: jan@KOETZE.XS4ALL.NL requested to join Message-ID: <200205270752.IAA21681@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 08:52:46 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Jan Koetze You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER jan@KOETZE.XS4ALL.NL Jan Koetze PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER jan@KOETZE.XS4ALL.NL Jan Koetze // EOJ From LISTSERV at JISCMAIL.AC.UK Mon May 27 09:51:58 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: brett@BRABYS.CO.ZA requested to join Message-ID: <200205270851.JAA26616@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 09:51:58 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Brett Geer You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER brett@BRABYS.CO.ZA Brett Geer PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER brett@BRABYS.CO.ZA Brett Geer // EOJ From jkf at ecs.soton.ac.uk Mon May 27 12:17:41 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: Possible additional feature? In-Reply-To: Message-ID: <5.1.0.14.2.20020527121640.0390b318@imap.ecs.soton.ac.uk> At 15:12 26/05/2002, you wrote: >The one think I'm missing is the following: > >When a mail is marked as virus, or rejected on the basis of the filename >(extensions) only the offending file is saved. >What I think is a good addition is a way to save next to the offending >attachments the complete message. This will be in the next release, along with mailscanner.conf option Quarantine Whole Message to switch it on and off. The default will be off. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From fizz at BOMB.NET Mon May 27 14:03:13 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:52 2006 Subject: Nimda-A Message-ID: <000a01c2057e$dc018320$48cf75cc@fizz> as of now from midnight, ive had 4200+ Nimda-A Virus's hit Mailscanner.. Is this a targeted attack or are other people feeling this as well? And ive only had 48 Klez.. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From rabellino at DI.UNITO.IT Mon May 27 15:07:52 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:52 2006 Subject: Nimda-A References: <000a01c2057e$dc018320$48cf75cc@fizz> Message-ID: <3CF23DB8.E62AAC08@di.unito.it> Kelly Hamlin wrote: > > as of now from midnight, ive had 4200+ Nimda-A Virus's hit Mailscanner.. Is > this a targeted attack or are other people feeling this as well? And ive > only had 48 Klez.. > ////// We get not more than 20 viruses per day (.... for now ....) It's seems an attack... -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From rishi at THEARGONCOMPANY.COM Mon May 27 15:30:02 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:52 2006 Subject: Per Domain Scanning References: Message-ID: <005a01c2058a$fd4cf4e0$1b02a8c0@theargoncompany.com> any ideas on how to debug why it isn't working on my raq4? regards rishi ----- Original Message ----- From: "Yussef M. ElSirgany" To: Sent: Friday, May 24, 2002 12:10 AM Subject: Re: Per Domain Scanning > No problems here on raq4r. Thanks again for the great program! > > > --Yussef > "The instructions said to use Windows 98 or better, so I installed Debian > Linux." > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Rishi Gangoly > > Sent: Thursday, May 23, 2002 2:15 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Per Domain Scanning > > > > > > Hi > > > > Has anyone been successful with getting the Per-Domain Scanning > > on a Cobalt > > RaQ4 Linux server? > > > > Regards > > > > Rishi > > From doc at ZWECKER.DE Mon May 27 15:32:55 2002 From: doc at ZWECKER.DE (Christophe Zwecker) Date: Thu Jan 12 21:14:52 2006 Subject: mailscanner with Trendmicro Viruswall Message-ID: <1022509976.2738.59.camel@fry.sysctl.de> Hi, is anyone using both on the same machine ? I get kindof confused, since Trendmicro uses modfied sendmail startup scripts as well, sofar I havent got it running right. If anyone has it Id love to see the sendmail startscript. We want to use mailscanner to be able to catch spam with spamassasin. There are no local mailboxes on that machine everything gets forwarded to a Novell groupwise server... thx a lot ! Christophe -- Christophe Zwecker mail: doc@zwecker.de Hamburg, Germany fon: +49 179 3994867 http://www.zwecker.de "Who is General Failure ? And why is he reading my disk ??" From rishi at THEARGONCOMPANY.COM Mon May 27 15:42:14 2002 From: rishi at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:14:52 2006 Subject: Per Domain Scanning References: Message-ID: <006101c2058c$b3343a60$1b02a8c0@theargoncompany.com> Hi There, I've attached the following files. mailscanner.conf domains.to.scan.conf Then I sent an email from my yahoo account (rishigangoly@yahoo.com) to test@justexports.com Here is the log from /var/spool/maillog..... May 27 20:05:42 argon sendmail[18793]: g4REZfG18793: from=, size=25605, class=0, nrcpts=1, msgid=<20020527144323.92381.qmail@web13507.mail.yahoo.com>, proto=SMTP, daemon=MTA, relay=web13507.mail.yahoo.com [216.136.175.86] May 27 10:35:50 argon mailscanner[9271]: Scanning 1 messages, 26097 bytes May 27 10:35:50 argon mailscanner[9271]: Found 1 viruses in messages g4REZfG18793 May 27 10:35:50 argon mailscanner[9271]: Scanned 1 messages, 26097 bytes in 0 seconds May 27 10:35:50 argon mailscanner[9271]: Saved infections to /var/spool/MailScanner/quarantine/20020527/g4REZfG18793 May 27 20:05:50 argon sendmail[18800]: g4REZfG18793: to=, delay=00:00:09, xdelay=00:00:00, mailer=local, pri=145605, dsn=2.0.0, stat=Sent May 27 20:05:50 argon sendmail[18802]: g4REZoZ18802: from=viruses@theargoncompany.com, size=632, class=0, nrcpts=1, msgid=<200205271435.g4REZoZ18802@domain.theargoncompany.com>, relay=root@localhost May 27 10:35:50 argon mailscanner[9271]: Notified senders about 1 infections May 27 20:05:50 argon sendmail[18805]: g4REZoR18805: from=viruses@theargoncompany.com, size=452, class=0, nrcpts=1, msgid=<200205271435.g4REZoR18805@domain.theargoncompany.com>, relay=root@localhost May 27 10:35:50 argon mailscanner[9271]: Notified viruses@theargoncompany.com about 1 infections May 27 20:05:51 argon sendmail[18807]: g4REZoR18805: to=viruses@theargoncompany.com, ctladdr=viruses@theargoncompany.com (260/100), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30452, dsn=2.0.0, stat=Sent May 27 10:35:51 argon mailscanner[9271]: Commercial disinfector f-prot returned 1536 May 27 10:35:51 argon mailscanner[9271]: Skipping renamed attachment Emanuel.exe May 27 20:05:51 argon sendmail[18804]: g4REZoZ18802: to=, ctladdr=viruses@theargoncompany.com (260/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30632, relay=mx2.mail.yahoo.com. [64.157.4.88], dsn=2.0.0, stat=Sent (ok dirdel) Can you tell me what I might be doing wrong? The TO is clearly meant for TEST@justxports.com justxports.com is not in the file domains.to.scan.conf file. Please help.... Regards Rishi ----- Original Message ----- From: "Yussef M. ElSirgany" To: Sent: Friday, May 24, 2002 12:10 AM Subject: Re: Per Domain Scanning > No problems here on raq4r. Thanks again for the great program! > > > --Yussef > "The instructions said to use Windows 98 or better, so I installed Debian > Linux." > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Rishi Gangoly > > Sent: Thursday, May 23, 2002 2:15 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Per Domain Scanning > > > > > > Hi > > > > Has anyone been successful with getting the Per-Domain Scanning > > on a Cobalt > > RaQ4 Linux server? > > > > Regards > > > > Rishi > > -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner.conf Type: application/octet-stream Size: 16250 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020527/6c40c73b/mailscanner.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: domains.to.scan.conf Type: application/octet-stream Size: 232 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020527/6c40c73b/domains.to.scan.obj From freerk at MINDSWITCH.NET Mon May 27 16:08:40 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:52 2006 Subject: Problems with Mailscanner and Ensim Webbpliance In-Reply-To: <1022421186.3cf0e8c241ec6@mail.webcoding.it> Message-ID: Hi, Just curious, I'm trying to get Mailscanner running on a ensim box as well. How did you manage to get it running the first place. Freerk > -----Oorspronkelijk bericht----- > Van: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Namens > Shiva Shiva > Verzonden: zondag 26 mei 2002 15:53 > Aan: MAILSCANNER@JISCMAIL.AC.UK > Onderwerp: Problems with Mailscanner and Ensim Webbpliance > > > Hi, i'm getting mad configuring mailscanner with Ensim Webbpliance...i've > installed it on my Ensim box...ok...edited the sendmail start > script...ok...incoming mail get scanned and delivered to final > user ok...but > when a user send a mail through the SMTP server (the same > sendmail daemon) use > the SMTP AUTH theese mail aren't scanned and get stucked in the > Virtual File > System root (Ex /home/virtual/siteX/fst), i've tried many > things...finally my > idea is that there's a bug in a rewrite rules in the Ensim > sendmail.cf...Because this error happens when a user send a mail with SMTP > AUTH, and sendmail is configured with a Deferred Delivery Mode > (necessary for > mailscanner) so I think that if the mail address pass through theese two > ruleset there's a bug that modify the original address and make > it in a wrong > form for the Ruleset 0, anyone has a suggestion about avoid that? > I'm not a > sendmail guru, and i can't rewrite a ruleset...but if you help me to > understand what and where is the exact problem We can work on it > and finally > get this program working! > > P.S There's a sendmail parameter or similar in order to get the > same verbose > output in the maillog such a sendmail -bt so i can view all the > ruleset that a > mail go through and finally the returned address. > > Sorry for my English, i hope that you can understand what i wrote...Many > Thanks! > > Regards. From LISTSERV at JISCMAIL.AC.UK Mon May 27 16:14:34 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:52 2006 Subject: MAILSCANNER: shiva@WEBCODING.IT left the JISCmail list Message-ID: <200205271514.QAA03375@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 16:14:33 shiva@WEBCODING.IT has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From rajesh-shriram at GMX.NET Mon May 27 21:53:33 2002 From: rajesh-shriram at GMX.NET (Rajesh Fowkar) Date: Thu Jan 12 21:14:52 2006 Subject: mailscanner & small writeup In-Reply-To: <20020527204628.GA1754@debian> References: <20020527204628.GA1754@debian> Message-ID: <20020527205333.GA2035@debian> Hi, I have posted a small writeup on installing and configuring mailscanner along with sendmail, f-prot on a Linux server. http://www.symonds.net/~rajesh/ I really loved this combination and it works very well for me. Some newbies might find it useful. Peace -- Rajesh * rajesh@symonds.net * http://www.symonds.net/~rajesh/ Powered By : Debian GNU/Linux 2.2 R-3 [Kernel 2.4.18(ext3),Mutt 1.3.99i] Grandpa Charnock's Law: You never really learn to swear until you learn to drive. [I thought it was when your kids learned to drive. Ed.] From isp-list at TULSACONNECT.COM Mon May 27 16:38:40 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: McAfee (uvscan) and TNEF Message-ID: <5.1.1.2.2.20020527103518.048bdba0@securemail.tulsaconnect.com> FWIW, it appears that McAfee VirusScan for UNIX v4.16.0 (uvscan) can now scan TNEF attachments: ..from readme.txt: - Support for Microsoft Exchange internal data-transfer format The engine can now detect virus infections within Microsoft Exchange e-mail files that use Transport-Neutral Encapsulation Format (TNEF). So, the "Expand TNEF" option in mailscanner.conf can be safely set to "no" for both Sophos and McAfee now. --Mike From jkf at ecs.soton.ac.uk Mon May 27 16:50:01 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: McAfee (uvscan) and TNEF In-Reply-To: <5.1.1.2.2.20020527103518.048bdba0@securemail.tulsaconnect. com> Message-ID: <5.1.0.14.2.20020527164938.04a268b0@imap.ecs.soton.ac.uk> At 16:38 27/05/2002, you wrote: >FWIW, it appears that McAfee VirusScan for UNIX v4.16.0 (uvscan) can now >scan TNEF attachments: > >..from readme.txt: > >- Support for Microsoft Exchange internal > data-transfer format > > The engine can now detect virus infections > within Microsoft Exchange e-mail files that use > Transport-Neutral Encapsulation Format (TNEF). Do you have to add any command-line options to enable the feature? Or is it on by default? >So, the "Expand TNEF" option in mailscanner.conf can be safely set to "no" >for both Sophos and McAfee now. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From michael at NSEC.DK Mon May 27 16:43:29 2002 From: michael at NSEC.DK (Michael Svendsen) Date: Thu Jan 12 21:14:52 2006 Subject: Experiences with Openmail and Mailscanner. Message-ID: <000001c20595$4010bd20$9101a8c0@laptop> Hi m8s I was wondering if there are any conflicts when installing Mailscanner on an Openmail-server ? Hope for a quick answer :O) Thanks Med venlig hilsen / Best Regards Michael Svendsen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20020527/0c603068/attachment.html From isp-list at TULSACONNECT.COM Mon May 27 17:08:06 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: McAfee (uvscan) and TNEF In-Reply-To: <5.1.0.14.2.20020527164938.04a268b0@imap.ecs.soton.ac.uk> References: <5.1.1.2.2.20020527103518.048bdba0@securemail.tulsaconnect. com> Message-ID: <5.1.1.2.2.20020527110739.0293d0b0@securemail.tulsaconnect.com> >Do you have to add any command-line options to enable the feature? Or is it >on by default? Best I can tell, it is on by default. Unfortunately I have no virus-carrying TNEF files to test it out with. --Mike From isp-list at TULSACONNECT.COM Mon May 27 18:37:44 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: Scan frequency Message-ID: <5.1.1.2.2.20020527123703.02f086c0@securemail.tulsaconnect.com> How can one increase the scan frequency that MailScanner checks the incoming queue from the default 1 minute to say, 30 seconds? --Mike From jkf at ecs.soton.ac.uk Mon May 27 20:15:27 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:52 2006 Subject: Scan frequency In-Reply-To: <5.1.1.2.2.20020527123703.02f086c0@securemail.tulsaconnect. com> Message-ID: <5.1.0.14.2.20020527201359.04241888@imap.ecs.soton.ac.uk> At 18:37 27/05/2002, you wrote: >How can one increase the scan frequency that MailScanner checks the >incoming queue from the default 1 minute to say, 30 seconds? As long as there is mail in the queue, MailScanner won't delay at all, it will keep reading the new messages straight away. If there is nothing in the queue, it does a "sleep(30)" before checking the queue again. That value is hard-wired into the code, but if you search the file "/usr/local/MailScanner/bin/mailscanner" for "sleep(30)" I'm sure you'll find it and you are free to change it if you like. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From isp-list at TULSACONNECT.COM Tue May 28 00:31:37 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: Malformed UTF-8 character Message-ID: <5.1.1.2.2.20020527183046.01db7610@securemail.tulsaconnect.com> Am occasionally getting the following message on the console I started MailScanner from: Malformed UTF-8 character (unexpected continuation byte 0xa9) in substitution iterator at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 828 Obviously this is a SA thing, but I was curious if anyone else has seen this before. --Mike From isp-list at TULSACONNECT.COM Tue May 28 00:18:27 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: Spaces after Subject prefix Message-ID: <5.1.1.2.2.20020527181458.028dde78@securemail.tulsaconnect.com> According to mailscanner.conf, a single space is inserted after the optional Subject line prefix for positive Virus or Spam matches: # What text do we want to put on the front (gets followed by a " ") e.g. Subject: {SPAM?} This is my subject However, it appears that in reality two spaces are added: Subject: {SPAM?} This is my subject In the sendmail.pl code, I find where a single space is inserted: e.g. $newheaders = MTA::PrependHeader($newheaders, "Subject:", $Config::SpamSubjectText, ' ') I'm curious as to where the "extra" space is coming from. I've double checked that in my mailscanner.conf the "Spam Subject Text" line does not contain a trailing space. --Mike From isp-list at TULSACONNECT.COM Tue May 28 01:34:05 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: Clam Anti-Virus Message-ID: <5.1.1.2.2.20020527193326.04baa518@securemail.tulsaconnect.com> Anyone tried out Clam + MailScanner yet? Might be a free alternative to McAfee or Sophos. http://freshmeat.net/projects/clamav/?topic_id=861 --Mike From isp-list at TULSACONNECT.COM Tue May 28 02:39:47 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:52 2006 Subject: McAfee (uvscan) MIME flag Message-ID: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> According to "man uvscan": --mime Scan MIME-encoded files. This type of file is not scanned by default. in sweep.pl, it would probably be prudent to add this to the command options passed to uvscan.. e.g. CommonOptions => '--recursive --ignore-links --analyze --mime --secure --noboot', --Mike From nwp at LEMON-COMPUTING.COM Tue May 28 03:45:18 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:52 2006 Subject: Clam Anti-Virus In-Reply-To: <5.1.1.2.2.20020527193326.04baa518@securemail.tulsaconnect.com> References: <5.1.1.2.2.20020527193326.04baa518@securemail.tulsaconnect.com> Message-ID: <20020528024518.GI6448@hoiho.nz.lemon-computing.com> On Mon, May 27, 2002 at 07:34:05PM -0500, ISP List wrote: > Anyone tried out Clam + MailScanner yet? > > Might be a free alternative to McAfee or Sophos. > > http://freshmeat.net/projects/clamav/?topic_id=861 I'm waiting for someone Clueful to try CLAM and tell me that it's good, reliable, etc. before I start spending any time on it. The impression I have (secondhand information) is that it's not reliable (in terms of catching viruses reliably) at the moment. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Never look up when dragons fly overhead. From LISTSERV at JISCMAIL.AC.UK Mon May 27 22:58:21 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: teale@UCALGARY.CA requested to join Message-ID: <200205272158.WAA02676@magpie.ecs.soton.ac.uk> Mon, 27 May 2002 22:58:21 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Deborah Teale The following membership options have been requested: NOMIME DIGEST. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER teale@UCALGARY.CA Deborah Teale PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER teale@UCALGARY.CA Deborah Teale SET MAILSCANNER NOMIME DIGEST FOR teale@UCALGARY.CA // EOJ From ucs_rat at SHSU.EDU Tue May 28 03:56:23 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:14:53 2006 Subject: Clam Anti-Virus In-Reply-To: <20020528024518.GI6448@hoiho.nz.lemon-computing.com> References: <5.1.1.2.2.20020527193326.04baa518@securemail.tulsaconnect.com> <20020528024518.GI6448@hoiho.nz.lemon-computing.com> Message-ID: <1022554583.3585.60.camel@localhost.localdomain> could one not set up mailscanner to scan with both virus scanners then just keep an eye out for messages to make sure that the return reponse from both scanners are in the message? Or does mailscanner stop on the first virus scanner to respond with a detection? --robert On Mon, 2002-05-27 at 21:45, Nick Phillips wrote: > On Mon, May 27, 2002 at 07:34:05PM -0500, ISP List wrote: > > Anyone tried out Clam + MailScanner yet? > > > > Might be a free alternative to McAfee or Sophos. > > > > http://freshmeat.net/projects/clamav/?topic_id=861 > > I'm waiting for someone Clueful to try CLAM and tell me that it's > good, reliable, etc. before I start spending any time on it. > > The impression I have (secondhand information) is that it's not > reliable (in terms of catching viruses reliably) at the moment. > > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > Never look up when dragons fly overhead. From nwp at LEMON-COMPUTING.COM Tue May 28 05:31:12 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:53 2006 Subject: Clam Anti-Virus In-Reply-To: <1022554583.3585.60.camel@localhost.localdomain> References: <5.1.1.2.2.20020527193326.04baa518@securemail.tulsaconnect.com> <20020528024518.GI6448@hoiho.nz.lemon-computing.com> <1022554583.3585.60.camel@localhost.localdomain> Message-ID: <20020528043112.GK6448@hoiho.nz.lemon-computing.com> On Mon, May 27, 2002 at 09:56:23PM -0500, Robert A. Thompson wrote: > could one not set up mailscanner to scan with both virus scanners then > just keep an eye out for messages to make sure that the return reponse > from both scanners are in the message? Or does mailscanner stop on the > first virus scanner to respond with a detection? > > --robert Until I hear that it's at least usefully good, I personally am not going to spend the time on writing code to support it; I have enough to do already ;) Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Today is the first day of the rest of the mess. From jkf at ecs.soton.ac.uk Tue May 28 08:58:50 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Malformed UTF-8 character In-Reply-To: <5.1.1.2.2.20020527183046.01db7610@securemail.tulsaconnect. com> Message-ID: <5.1.0.14.2.20020528085811.04b14cc8@imap.ecs.soton.ac.uk> I believe this has already been passed to the SpamAssassin development guys. If you search the list archive for utf I suspect you'll find something about it. At 00:31 28/05/2002, you wrote: >Am occasionally getting the following message on the console I started >MailScanner from: > >Malformed UTF-8 character (unexpected continuation byte 0xa9) in >substitution iterator at >/usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm >line 828 > >Obviously this is a SA thing, but I was curious if anyone else has seen >this before. > >--Mike -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Tue May 28 08:41:54 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:53 2006 Subject: Wilcard in whitelist References: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> Message-ID: <3CF334C2.C6657032@di.unito.it> Dear list, I don't remember if I can use wilcard in the spam.whitelist.conf ? by example *unito.it #(my domain with many subdomain) Thanks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jkf at ecs.soton.ac.uk Tue May 28 14:07:59 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Wilcard in whitelist In-Reply-To: <3CF334C2.C6657032@di.unito.it> References: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> Message-ID: <5.1.0.14.2.20020528140728.02b79d48@imap.ecs.soton.ac.uk> At 08:41 28/05/2002, you wrote: > I don't remember if I can use wilcard in the spam.whitelist.conf ? Yes, but the wildcard needs to be of the form *.domain.name # i.e. it starts with "*." not just "*" >by example >*unito.it #(my domain with many subdomain) -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Tue May 28 14:26:14 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:53 2006 Subject: Wilcard in whitelist References: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> <5.1.0.14.2.20020528140728.02b79d48@imap.ecs.soton.ac.uk> Message-ID: <3CF38576.9C2A513@di.unito.it> Julian Field wrote: > > At 08:41 28/05/2002, you wrote: > > I don't remember if I can use wilcard in the spam.whitelist.conf ? > > Yes, but the wildcard needs to be of the form > *.domain.name # i.e. it starts with "*." not just "*" > > >by example > >*unito.it #(my domain with many subdomain) > > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ but with the dot in front of the domain , this is a valid rule also for alice@unito.it ? -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jkf at ecs.soton.ac.uk Tue May 28 14:40:07 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Wilcard in whitelist In-Reply-To: <3CF38576.9C2A513@di.unito.it> References: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> <5.1.0.14.2.20020528140728.02b79d48@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020528143922.04a294b0@imap.ecs.soton.ac.uk> At 14:26 28/05/2002, you wrote: >Julian Field wrote: > > > > At 08:41 28/05/2002, you wrote: > > > I don't remember if I can use wilcard in the spam.whitelist.conf ? > > > > Yes, but the wildcard needs to be of the form > > *.domain.name # i.e. it starts with "*." not just "*" > > > > >by example > > >*unito.it #(my domain with many subdomain) > >but with the dot in front of the domain , this is a valid rule also for >alice@unito.it ? Should be. But if it doesn't work you can always use *.unito.it unito.it -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From rabellino at DI.UNITO.IT Tue May 28 15:02:25 2002 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:14:53 2006 Subject: Wilcard in whitelist References: <5.1.1.2.2.20020527203545.02cdb510@securemail.tulsaconnect.com> <5.1.0.14.2.20020528140728.02b79d48@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020528143922.04a294b0@imap.ecs.soton.ac.uk> Message-ID: <3CF38DF1.48D3C4BE@di.unito.it> Julian Field wrote: > > At 14:26 28/05/2002, you wrote: > >Julian Field wrote: > > > > > > At 08:41 28/05/2002, you wrote: > > > > I don't remember if I can use wilcard in the spam.whitelist.conf ? > > > > > > Yes, but the wildcard needs to be of the form > > > *.domain.name # i.e. it starts with "*." not just "*" > > > > > > >by example > > > >*unito.it #(my domain with many subdomain) > > > >but with the dot in front of the domain , this is a valid rule also for > >alice@unito.it ? > > Should be. But if it doesn't work you can always use > *.unito.it > unito.it > ok, thanks. Ps. if I send an email to the list, I don't receive any copy of it: is correct ? -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From LISTSERV at JISCMAIL.AC.UK Tue May 28 15:34:46 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: dpc22@HERMES.CAM.AC.UK requested to join Message-ID: <200205281434.PAA04899@magpie.ecs.soton.ac.uk> Tue, 28 May 2002 15:34:46 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from David Carter You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER dpc22@HERMES.CAM.AC.UK David Carter PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER dpc22@HERMES.CAM.AC.UK David Carter // EOJ From jaearick at COLBY.EDU Tue May 28 17:53:55 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:53 2006 Subject: "scan all messages" and spam checking? Message-ID: Julian, If "Scan All Messages" is set to no, do the plain-text messages get the anti-spam/SpamAssassin treatment, just no virus scanning? Or do they just get moved over to /var/spool/mqueue with no analysis at all? And one more puzzlement... I moved my mail service from HP-UX 11.0 to Solaris 8 yesterday. Both use mailscanner; they only new wrinkle is that I've turned on SpamAssassin on the Sun box. On the Sun, I see the syslog messages for "mailscanner...: Notified postmaster about [number] infections" but I don't get any email like I used to on the HP. I've just wired in my own address in mailscanner.conf to see if this solves the problem. Any ideas? --- Jeff Earickson From LISTSERV at JISCMAIL.AC.UK Tue May 28 17:15:09 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: admin@CGHSFL.ORG requested to join Message-ID: <200205281615.RAA15699@magpie.ecs.soton.ac.uk> Tue, 28 May 2002 17:15:09 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Network and Systems Administrator You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER admin@CGHSFL.ORG Network and Systems Administrator PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER admin@CGHSFL.ORG Network and Systems Administrator // EOJ From jkf at ecs.soton.ac.uk Tue May 28 21:19:29 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: "scan all messages" and spam checking? In-Reply-To: Message-ID: <5.1.0.14.2.20020528211751.03711648@imap.ecs.soton.ac.uk> At 17:53 28/05/2002, you wrote: > If "Scan All Messages" is set to no, do the plain-text messages get the >anti-spam/SpamAssassin treatment, just no virus scanning? Correct. > Or do they just >get moved over to /var/spool/mqueue with no analysis at all? No. But beware that you could get caught out by the "MyParty" virus if you set this option to no. > And one more puzzlement... I moved my mail service from HP-UX 11.0 to >Solaris 8 yesterday. Both use mailscanner; they only new wrinkle is that >I've turned on SpamAssassin on the Sun box. On the Sun, I see the syslog >messages for "mailscanner...: Notified postmaster about [number] infections" >but I don't get any email like I used to on the HP. I've just wired in >my own address in mailscanner.conf to see if this solves the problem. >Any ideas? Do a "sendmail -bv the.address.you.put.in.mailscanner.conf" and see where it gets delivered to. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Tue May 28 21:15:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: kowolters@EMAIL.COM left the JISCmail list Message-ID: <200205282015.VAA07323@magpie.ecs.soton.ac.uk> Tue, 28 May 2002 21:15:31 Keith Wolters has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From P.A.Osborne at UKC.AC.UK Tue May 28 21:49:58 2002 From: P.A.Osborne at UKC.AC.UK (P.A.Osborne) Date: Thu Jan 12 21:14:53 2006 Subject: Duplicate Log entries? Message-ID: <20020528214958.R3886@apple.ukc.ac.uk> Hmmm, having a rummage round my logs whilst I upgrade to the latest release, I notice that MailScanner appears to scan mails twice, heres an extract: May 28 21:42:51 quicksilver.ukc.ac.uk mailscanner[27921]: Scanning 7 messages, 1113616 bytes May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus 'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Executable program file in install.exe May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Found 2 viruses in messages 17Cnnb-0001PL-00 May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Scanned 7 messages, 1113616 bytes in 2 seconds May 28 21:42:54 quicksilver.ukc.ac.uk mailscanner[27921]: Notified senders about 1 infections May 28 21:42:56 quicksilver.ukc.ac.uk mailscanner[27921]: Commercial disinfector sophos returned 768 May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus 'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: Executable program file in install.exe May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: Found 2 viruses in messages 17Cnnb-0001PL-00 This is confirmed by the message id matching up on both occassions. I admin it seems a tad odd and could well be playing havoc with my stats. Thoughts, comments - are as always welcome. Cheers Paul From eyau at SDSU.EDU Tue May 28 22:21:25 2002 From: eyau at SDSU.EDU (Emily Yau) Date: Thu Jan 12 21:14:53 2006 Subject: Filtering Klez? Message-ID: Hm, didn't see it on the mailing list, I apologize if this is a duplicate question... Is anyone implementing a filter, or blocking Mailscanner's reply message for Klez viruses? Since the Klez virus spoofs the from address, I thought some people might be disabling the reply to sender messages for just this type of virus. Thanks in advance! :) -mle From mike at CAMAROSS.NET Tue May 28 22:31:38 2002 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:14:53 2006 Subject: Filtering Klez? References: Message-ID: <015701c2068f$10d37a20$6c01a8c0@home.wideopenthrottle.org> Mine has been doing a pretty good job of guessing the correct sender in spite of the spoofed From: I get a few bounced messages...mostly from verizon and flash.net Mike ----- Original Message ----- From: "Emily Yau" To: Sent: Tuesday, May 28, 2002 4:21 PM Subject: Filtering Klez? > Hm, didn't see it on the mailing list, I apologize if this is a duplicate question... > > Is anyone implementing a filter, or blocking Mailscanner's reply message for Klez viruses? Since the Klez virus spoofs the from address, I thought some people might be disabling the reply to sender messages for just this type of virus. > > Thanks in advance! > > :) -mle > > From freerk at MINDSWITCH.NET Tue May 28 23:29:51 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:53 2006 Subject: Signing of unscanned messages Message-ID: Hi, I'm installing mailscanner on an ensim appliance server and wan't it to be an extra to have mail scanned for virusses. i use the following options in mailscanner.conf Scanning By Domain = yes Sign Unscanned Messages = no What happens is that the messages for the domains not in the domains.to.scan file are indeed not scanned, but the header has the Mailscanner sign: Found to be clean in it. I've looked in to the problem and it seems something goes wrong in sendmail.pl at line 766: if unscanned and don't signunscanned messages add the unscanned header. In any other case add the clean header. I think it should be changed to: 766 if ($entities eq 'unscanned'){ 767 if ($Config::SignUnscannedMessages){ 768 $headers = AddUnscannedHeader($headers); 769 } 770 } else { 771 $headers = AddCleanHeader($headers); 772 } Freerk Kalsbeek SafeXS T: 0320-286979 F: 0320-286980 I: http://www.safexs.nl E: freerkkalsbeek@safexs.nl From freerk at MINDSWITCH.NET Tue May 28 23:44:36 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:53 2006 Subject: Final battle Message-ID: Hi, Mailscanner is working on ensim, actually it's no big deal. If anyone is interested, I can write a procedure to get it up and running in 10 minutes. There's only one thing left. If mail get's send from one domain to another domain on the same server, the mail does not get scanned. This has something to do with virthostmail, the mailer ensim uses for delivering mail to a virtual host. Is there anyone out there that has the same problem, or better: solved that problem? Freerk Kalsbeek SafeXS T: 0320-286979 F: 0320-286980 I: http://www.safexs.nl E: freerkkalsbeek@safexs.nl From isp-list at TULSACONNECT.COM Wed May 29 00:33:28 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Malformed UTF-8 character In-Reply-To: <5.1.0.14.2.20020528085811.04b14cc8@imap.ecs.soton.ac.uk> References: <5.1.1.2.2.20020527183046.01db7610@securemail.tulsaconnect. com> Message-ID: <5.1.0.14.2.20020528183242.039acef0@pop3.tulsaconnect.com> At 08:58 AM 5/28/2002 +0100, you wrote: >I believe this has already been passed to the SpamAssassin development guys. >If you search the list archive for utf I suspect you'll find something >about it. Searched, but no answers.. saw one guy asking, but no replies.. http://www.geocrawler.com/archives/3/11679/2002/4/150/8487013/ I also searched http://bugzilla.spamassassin.org/ --Mike From darian at BEPINC.COM Wed May 29 03:08:12 2002 From: darian at BEPINC.COM (Darian Rafie) Date: Thu Jan 12 21:14:53 2006 Subject: Malformed UTF-8 character References: <5.1.1.2.2.20020527183046.01db7610@securemail.tulsaconnect. com> <5.1.0.14.2.20020528183242.039acef0@pop3.tulsaconnect.com> Message-ID: <003601c206b5$afd38f40$b675fb0c@wheaton1.il.home.com> Yes -- I passed this on to the SpamAssassin folks -- but they already knew about it. It's a confirmed bug in Perl 5.6.1 and has been fixed in the upcoming version of Perl. The CVS version of SpamAssassin contains a work around. You might install the CVS version if you like to live on the razor's edge, wait until the next version of Perl is released, or wait for the next SpamAssassin release. Cheers, d. ----- Original Message ----- From: "ISP List" To: Sent: Tuesday, May 28, 2002 6:33 PM Subject: Re: Malformed UTF-8 character > At 08:58 AM 5/28/2002 +0100, you wrote: > >I believe this has already been passed to the SpamAssassin development guys. > >If you search the list archive for utf I suspect you'll find something > >about it. > > Searched, but no answers.. saw one guy asking, but no replies.. > > http://www.geocrawler.com/archives/3/11679/2002/4/150/8487013/ > > I also searched http://bugzilla.spamassassin.org/ > > --Mike From isp-list at TULSACONNECT.COM Wed May 29 03:25:04 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Malformed UTF-8 character In-Reply-To: <003601c206b5$afd38f40$b675fb0c@wheaton1.il.home.com> References: <5.1.1.2.2.20020527183046.01db7610@securemail.tulsaconnect. com> <5.1.0.14.2.20020528183242.039acef0@pop3.tulsaconnect.com> Message-ID: <5.1.1.2.2.20020528212356.03fd5eb0@securemail.tulsaconnect.com> At 09:08 PM 5/28/2002 -0500, you wrote: >Yes -- I passed this on to the SpamAssassin folks -- but they already knew >about it. It's a confirmed bug in Perl 5.6.1 and has been fixed in the >upcoming version of Perl. The CVS version of SpamAssassin contains a work >around. You might install the CVS version if you like to live on the >razor's edge, wait until the next version of Perl is released, or wait for >the next SpamAssassin release. > >Cheers, >d. Yep, a few minutes after I sent this message I found reference to the bug in the Changelog for SA 2.21 (fixed around the first of May). Thanks for the information though -- didn't realize it was a Perl thing. --Mike From LISTSERV at JISCMAIL.AC.UK Wed May 29 03:00:41 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: chanwyj@ROOTSINNOVATION.COM.SG requested to join Message-ID: <200205290200.DAA01525@magpie.ecs.soton.ac.uk> Wed, 29 May 2002 03:00:41 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Joseph Chan You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER chanwyj@ROOTSINNOVATION.COM.SG Joseph Chan PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER chanwyj@ROOTSINNOVATION.COM.SG Joseph Chan // EOJ From LISTSERV at JISCMAIL.AC.UK Wed May 29 06:42:59 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: heinz.knutzen@DZSH.DE requested to join Message-ID: <200205290542.GAA11478@magpie.ecs.soton.ac.uk> Wed, 29 May 2002 06:42:59 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Heinz Knutzen You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER heinz.knutzen@DZSH.DE Heinz Knutzen PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER heinz.knutzen@DZSH.DE Heinz Knutzen // EOJ From mike at 4frontmedia.net Wed May 29 10:11:42 2002 From: mike at 4frontmedia.net (Mike Walker) Date: Thu Jan 12 21:14:53 2006 Subject: Signing of unscanned messages In-Reply-To: Message-ID: <004501c206f0$da94ae90$0100000a@MIKES> Hi, We have seen this as well, is there a way of preventing it without changing sendmail? Mike 4FrontMedia -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Freerk Kalsbeek Sent: 28 May 2002 23:30 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Signing of unscanned messages Hi, I'm installing mailscanner on an ensim appliance server and wan't it to be an extra to have mail scanned for virusses. i use the following options in mailscanner.conf Scanning By Domain = yes Sign Unscanned Messages = no What happens is that the messages for the domains not in the domains.to.scan file are indeed not scanned, but the header has the Mailscanner sign: Found to be clean in it. I've looked in to the problem and it seems something goes wrong in sendmail.pl at line 766: if unscanned and don't signunscanned messages add the unscanned header. In any other case add the clean header. I think it should be changed to: 766 if ($entities eq 'unscanned'){ 767 if ($Config::SignUnscannedMessages){ 768 $headers = AddUnscannedHeader($headers); 769 } 770 } else { 771 $headers = AddCleanHeader($headers); 772 } Freerk Kalsbeek SafeXS T: 0320-286979 F: 0320-286980 I: http://www.safexs.nl E: freerkkalsbeek@safexs.nl ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. ____________________________________________________________ This message has been scanned for viruses by "VITANIUM" the multi-scan E-mail Virus Protection Service from 4FrontMedia. To safeguard your business call 01233-850906. From paul_houselander at BRISTOL-CITY.GOV.UK Wed May 29 10:27:20 2002 From: paul_houselander at BRISTOL-CITY.GOV.UK (Paul Houselander) Date: Thu Jan 12 21:14:53 2006 Subject: Signing of unscanned messages Message-ID: Hi Noticed this as well. If the below code is ok would be good to put in next release. Paul Houselander Network & Intranet Support Officer Bristol City Council >>> freerk@MINDSWITCH.NET 05/28/02 11:29pm >>> Hi, I'm installing mailscanner on an ensim appliance server and wan't it to be an extra to have mail scanned for virusses. i use the following options in mailscanner.conf Scanning By Domain = yes Sign Unscanned Messages = no What happens is that the messages for the domains not in the domains.to.scan file are indeed not scanned, but the header has the Mailscanner sign: Found to be clean in it. I've looked in to the problem and it seems something goes wrong in sendmail.pl at line 766: if unscanned and don't signunscanned messages add the unscanned header. In any other case add the clean header. I think it should be changed to: 766 if ($entities eq 'unscanned'){ 767 if ($Config::SignUnscannedMessages){ 768 $headers = AddUnscannedHeader($headers); 769 } 770 } else { 771 $headers = AddCleanHeader($headers); 772 } Freerk Kalsbeek SafeXS T: 0320-286979 F: 0320-286980 I: http://www.safexs.nl E: freerkkalsbeek@safexs.nl From jkf at ecs.soton.ac.uk Wed May 29 10:47:53 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Duplicate Log entries? In-Reply-To: <20020528214958.R3886@apple.ukc.ac.uk> Message-ID: <5.1.0.14.2.20020529104648.02a19de0@imap.ecs.soton.ac.uk> Remember that when MailScanner finds a virus in a message, it has to rescan it in an attempt to disinfect it. So messages with viruses in them will be scanned more than once. There's no way out of that, unfortunately. At 21:49 28/05/2002, you wrote: >Hmmm, > >having a rummage round my logs whilst I upgrade to >the latest release, I notice that MailScanner appears >to scan mails twice, heres an extract: > >May 28 21:42:51 quicksilver.ukc.ac.uk mailscanner[27921]: Scanning 7 >messages, 1113616 bytes >May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus >'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe >May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Executable >program file in install.exe >May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Found 2 viruses >in messages 17Cnnb-0001PL-00 >May 28 21:42:53 quicksilver.ukc.ac.uk mailscanner[27921]: Scanned 7 >messages, 1113616 bytes in 2 seconds >May 28 21:42:54 quicksilver.ukc.ac.uk mailscanner[27921]: Notified senders >about 1 infections >May 28 21:42:56 quicksilver.ukc.ac.uk mailscanner[27921]: Commercial >disinfector sophos returned 768 >May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: >>> Virus >'W32/Klez-H' found in file ./17Cnnb-0001PL-00/install.exe >May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: Executable >program file in install.exe >May 28 21:42:57 quicksilver.ukc.ac.uk mailscanner[27921]: Found 2 viruses >in messages 17Cnnb-0001PL-00 > > >This is confirmed by the message id matching up on both occassions. I admin >it seems a tad odd and could well be playing havoc with my stats. > >Thoughts, comments - are as always welcome. > >Cheers > >Paul -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jkf at ecs.soton.ac.uk Wed May 29 11:09:30 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Signing of unscanned messages In-Reply-To: Message-ID: <5.1.0.14.2.20020529110649.036db308@imap.ecs.soton.ac.uk> Well spotted. Your modification seems to work fine, and will be in the next release. At 23:29 28/05/2002, you wrote: >Hi, > >I'm installing mailscanner on an ensim appliance server and wan't it to be >an extra to have mail scanned for virusses. > >i use the following options in mailscanner.conf > >Scanning By Domain = yes >Sign Unscanned Messages = no > >What happens is that the messages for the domains not in the domains.to.scan >file are indeed not scanned, but the header has the Mailscanner sign: Found >to be clean in it. > >I've looked in to the problem and it seems something goes wrong in >sendmail.pl > >at line 766: if unscanned and don't signunscanned messages add the unscanned >header. In any other case add the clean header. > >I think it should be changed to: > 766 if ($entities eq 'unscanned'){ > 767 if ($Config::SignUnscannedMessages){ > 768 $headers = AddUnscannedHeader($headers); > 769 } > 770 } else { > 771 $headers = AddCleanHeader($headers); > 772 } > >Freerk Kalsbeek > >SafeXS >T: 0320-286979 >F: 0320-286980 >I: http://www.safexs.nl >E: freerkkalsbeek@safexs.nl -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From jaearick at COLBY.EDU Wed May 29 13:30:20 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:53 2006 Subject: change to SA syslog output? Message-ID: Julian, Can the syslogging lines for SpamAssassin in sendmail.pl be modified to show the relay and supposed domain of the spammer? Can the lines in sendmail.pl: Log::InfoLog("Message $id is spam according to " . $ReportText); be changed to something like: Log::InfoLog("Message $id from $relay ($fromdomain) is spam according to " . $ReportText); I tried this modification myself. No problems modifying DeliverIds(), but the same mod to MoveToOutgoingQueue() gave compile errors at startup, even though I added lines similar to those in DeliverIds() to recover $relay and $fromdomain. Complete (nonworking) "diff -c" file attached. This change would make it really easy to grep one's syslog file and figure out what relays and/or domains are spamming you. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- -------------- next part -------------- *** sendmail.pl.orig Wed May 29 08:05:51 2002 --- sendmail.pl.new Wed May 29 08:11:44 2002 *************** *** 626,632 **** my($ReportText); $ReportText = $SpamReport->{$id}; $ReportText =~ s/\s+/ /sg; ! Log::InfoLog("Message $id is spam according to " . $ReportText); } # Copy qf file from incoming queue except for H lines --- 626,632 ---- my($ReportText); $ReportText = $SpamReport->{$id}; $ReportText =~ s/\s+/ /sg; ! Log::InfoLog("Message $id from $relay ($fromdomain) is spam according to " . $ReportText); } # Copy qf file from incoming queue except for H lines *************** *** 712,717 **** --- 712,726 ---- $tfile = MTA::TFileName($id); $hfile = MTA::HFileName($id); + # Find the relay and fromdomain for SpamAssassin message below + $info = lc($MsgInfo->{$id}); + $from = (split(/\0/, $info))[0]; + $from =~ s/^$//; # trailing <> + $relay = (split(/\0/, $info))[3]; # Get the SMTP client host + $fromdomain = $from; + $fromdomain =~ s/^[^@]*@//; # Delete everything up to and including the @ + # Allow for messages which don't exist any more (if SpamAction is delete) next unless -f "$InQ/$dfile"; *************** *** 786,792 **** my($ReportText); $ReportText = $SpamReport->{$id}; $ReportText =~ s/\s+/ /sg; ! Log::InfoLog("Message $id is spam according to " . $ReportText); } print $Tf &MTA::MergeEnvelope($envelope,$headers) or Log::DieLog("Failed to write headers for clean message $id, %s", $!); --- 795,801 ---- my($ReportText); $ReportText = $SpamReport->{$id}; $ReportText =~ s/\s+/ /sg; ! Log::InfoLog("Message $id from $relay ($fromdomain) is spam according to " . $ReportText); } print $Tf &MTA::MergeEnvelope($envelope,$headers) or Log::DieLog("Failed to write headers for clean message $id, %s", $!); From jkf at ecs.soton.ac.uk Wed May 29 14:06:43 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: change to SA syslog output? In-Reply-To: Message-ID: <5.1.0.14.2.20020529140539.02ab1360@imap.ecs.soton.ac.uk> At 13:30 29/05/2002, you wrote: > Can the syslogging lines for SpamAssassin in sendmail.pl be modified to >show the relay and supposed domain of the spammer? Can the lines in >sendmail.pl: > Log::InfoLog("Message $id is spam according to " . $ReportText); >be changed to something like: > Log::InfoLog("Message $id from $relay ($fromdomain) is spam according > to " . $ReportText); > >I tried this modification myself. No problems modifying DeliverIds(), >but the same mod to MoveToOutgoingQueue() gave compile errors at startup, >even though I added lines similar to those in DeliverIds() to recover $relay >and $fromdomain. Complete (nonworking) "diff -c" file attached. > >This change would make it really easy to grep one's syslog file and figure >out what relays and/or domains are spamming you. You needed another parameter on MoveToOutgoingQueue() so it gets all the SMTP client info about the messages. All done and will be in the next release. >** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 >** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu >** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 >** Waterville ME, 04901-8842 >---------------------------------------------------------------------------- -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From isp-list at TULSACONNECT.COM Wed May 29 16:18:34 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Different message for filename vs virus triggers Message-ID: <5.1.0.14.2.20020529101541.03150e98@securemail.tulsaconnect.com> Is it possible to have MailScanner insert different Subject prefixes and body text based on if the trigger is from a virus or from a filename extension block? Right now, if I sent a perfectly valid and virus-free .vbs attachment through it, it is blocked via my rules, but the message MailScanner sends has the "virus detected" Subject prefix and the body text despite the fact that it really isnt a virus. --Mike From LISTSERV at JISCMAIL.AC.UK Wed May 29 17:02:27 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: ajennifer11@QWEST.NET left the JISCmail list Message-ID: <200205291602.RAA05361@magpie.ecs.soton.ac.uk> Wed, 29 May 2002 17:02:27 "Rev. Christopher B. Garcia" has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From fizz at BOMB.NET Wed May 29 17:38:22 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:53 2006 Subject: Different message for filename vs virus triggers References: <5.1.0.14.2.20020529101541.03150e98@securemail.tulsaconnect.com> Message-ID: <002001c2072f$3f66bc30$48cf75cc@fizz> Thats a good idea, i had a similar situation a few days back.. ----- Original Message ----- From: "ISP List" To: Sent: Wednesday, May 29, 2002 11:18 AM Subject: Different message for filename vs virus triggers > Is it possible to have MailScanner insert different Subject prefixes and > body text based on if the trigger is from a virus or from a filename > extension block? Right now, if I sent a perfectly valid and virus-free > .vbs attachment through it, it is blocked via my rules, but the message > MailScanner sends has the "virus detected" Subject prefix and the body text > despite the fact that it really isnt a virus. > > --Mike > From dml at UNB.CA Wed May 29 20:44:14 2002 From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:14:53 2006 Subject: Server capacity estimates? In-Reply-To: <002001c2072f$3f66bc30$48cf75cc@fizz> Message-ID: Hey all, Are there any sources of information about what server capacity is needed to handle various loads from mailscanner and spam assassin? We're currently looking at handling 3500-4500 (incoming only)mail per hour, using mailscanner and SA, with virus checks disabled, and rbl enabled in mailscanner. The server will act as a gateway, passing the messages off to another server for actual delivery. What sort of capability would a single server (Intel/Linux) need? IO and CPU seem to be the bottlenecks on my test server, would a single 1.4 Ghz P3 and a software-mirrored 15K Ultra160 disk be capable of handling this throughput? Would dual CPUs increase performance to any marked degree? Thanks for the great work and info all! Cheers, D. =========================================================== David Lancaster ITS ESS From mdchaney at MICHAELCHANEY.COM Wed May 29 21:14:09 2002 From: mdchaney at MICHAELCHANEY.COM (Michael Chaney) Date: Thu Jan 12 21:14:53 2006 Subject: Server capacity estimates? In-Reply-To: ; from dml@UNB.CA on Wed, May 29, 2002 at 04:44:14PM -0300 References: <002001c2072f$3f66bc30$48cf75cc@fizz> Message-ID: <20020529151409.B29602@michaelchaney.com> On Wed, May 29, 2002 at 04:44:14PM -0300, David Lancaster wrote: > Hey all, > > Are there any sources of information about what server capacity is needed > to handle various loads from mailscanner and spam assassin? > > We're currently looking at handling 3500-4500 (incoming only)mail per > hour, using mailscanner and SA, with virus checks disabled, and rbl > enabled in mailscanner. F-Prot can be had for $300/year, and will add minimal overhead (especially next to SpamAssassin). I highly recommend adding it, it's worth the small investment. > The server will act as a gateway, passing the > messages off to another server for actual delivery. > What sort of capability would a single server (Intel/Linux) need? IO and > CPU seem to be the bottlenecks on my test server, would a single 1.4 Ghz > P3 and a software-mirrored 15K Ultra160 disk be capable of handling this > throughput? Would dual CPUs increase performance to any marked degree? My tests (not real-world by any means) show an Athlon 500 or 600 (one of the two, I don't remember) topping out at under 1000 messages per hour, sometimes as low as 800 (this while being fed a diet of pure spam to test the effectiveness of SA). SA is a large contributor to that, and I believe that DNS lookups are contributory to that as well, meaning more CPU won't necessarily help. It is possible with MailScanner to limit SA's time, but I've found that it needs to be 20 seconds to catch the most spam. My feeling is that preprocessing the DNS lookups would possibly make a major difference in the time, and I might put that together at some point as a completely separate piece that works along-side MailScanner. I have code that I wrote a few years ago that does a massive number of DNS lookups, well over 100K/hour, by doing 100 or more simultaneously and asynchronously. Letting that do the open relay, reverse lookups, and other blacklists, forcing them to be in the nameserver's cache when SA asks for the same thing, could potentially speed things up. Anyway, I'm interested to know what machine is capable of the throughput that you describe above, too, when you're finished. My feeling is that the 1.4GHz P3 might not be quite enough. Michael -- Michael Darrin Chaney mdchaney@michaelchaney.com http://www.michaelchaney.com/ From LISTSERV at JISCMAIL.AC.UK Wed May 29 21:28:53 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: dave@CLOSSONS.NET left the JISCmail list Message-ID: <200205292028.VAA28008@magpie.ecs.soton.ac.uk> Wed, 29 May 2002 21:28:53 Your-First-Name Your-Last-Name has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From fizz at BOMB.NET Wed May 29 21:48:25 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... Message-ID: <001201c20752$2dc393e0$48cf75cc@fizz> The speed diffrences between 3.13-2 and 3.15-3? Seems now that both times ive upgraded to 3.15-3 it becomes horribly slow and cant keep up with the load like it previously could with 3.13-2. Any input or suggestions is appriciated. thanks. The only diffrent in conf that i can tell is that spam assassin always shows header, but i even tried turning that off and didnt help. ////// ( o o ) +--.oooO--(_)--Oooo.-----------------+ | [Kelly Hamlin] | kellyh@cyberstreet.com | http://www.bomb.net | .oooO | ( ) Oooo. +--- \ (----( )----------------------------+ \_) ) / (_/ From isp-list at TULSACONNECT.COM Wed May 29 21:56:28 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... In-Reply-To: <001201c20752$2dc393e0$48cf75cc@fizz> Message-ID: <5.1.1.2.2.20020529155546.02319ea0@pop3.tulsaconnect.com> At 04:48 PM 5/29/2002 -0400, you wrote: >The speed diffrences between 3.13-2 and 3.15-3? Seems now that both times >ive upgraded to 3.15-3 it becomes horribly slow and cant keep up with the >load like it previously could with 3.13-2. > >Any input or suggestions is appriciated. >thanks. I've found that I have to crank down the number it does in each batch from 100 to 15. It seems to get through them much faster with a lower number. --Mike From LISTSERV at JISCMAIL.AC.UK Wed May 29 21:49:37 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: nathan@TCPNETWORKS.NET requested to join Message-ID: <200205292049.VAA29401@magpie.ecs.soton.ac.uk> Wed, 29 May 2002 21:49:37 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Nathan Johanson The following membership options have been requested: NOMIME DIGEST. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER nathan@TCPNETWORKS.NET Nathan Johanson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER nathan@TCPNETWORKS.NET Nathan Johanson SET MAILSCANNER NOMIME DIGEST FOR nathan@TCPNETWORKS.NET // EOJ From LISTSERV at JISCMAIL.AC.UK Thu May 30 00:19:16 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: mrl@GENSTEAM.COM requested to join Message-ID: <200205292319.AAA10571@magpie.ecs.soton.ac.uk> Thu, 30 May 2002 00:19:16 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Mary Ross Lynch You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER mrl@GENSTEAM.COM Mary Ross Lynch PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER mrl@GENSTEAM.COM Mary Ross Lynch // EOJ From jkf at ecs.soton.ac.uk Thu May 30 09:07:57 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... In-Reply-To: <001201c20752$2dc393e0$48cf75cc@fizz> Message-ID: <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> At 21:48 29/05/2002, you wrote: >The speed diffrences between 3.13-2 and 3.15-3? Seems now that both times >ive upgraded to 3.15-3 it becomes horribly slow and cant keep up with the >load like it previously could with 3.13-2. > >Any input or suggestions is appriciated. >thanks. > >The only diffrent in conf that i can tell is that spam assassin always shows >header, but i even tried turning that off and didnt help. So it's still slower with Always Include SpamAssassin Report = no ? And what's in your spam.actions.conf file? What happens if you switch all the spam checking off? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From LISTSERV at JISCMAIL.AC.UK Thu May 30 09:44:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: bruce@BRIT-NET.COM requested to join Message-ID: <200205300844.JAA13717@magpie.ecs.soton.ac.uk> Thu, 30 May 2002 09:44:35 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Bruce Bennett The following membership options have been requested: NOACK NOREPRO. You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER bruce@BRIT-NET.COM Bruce Bennett PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER bruce@BRIT-NET.COM Bruce Bennett SET MAILSCANNER NOACK NOREPRO FOR bruce@BRIT-NET.COM // EOJ From bruce at BRIT-NET.COM Thu May 30 10:17:35 2002 From: bruce at BRIT-NET.COM (Bruce Bennett) Date: Thu Jan 12 21:14:53 2006 Subject: Constant error messages Message-ID: I am receiving this message constantly: =========================================================================== /usr/local/f-prot/f-protwrapper: /usr/local/f-prot/f-prot: No such file or directory exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory ========================================================================== All I have done is to follow the instructions in your FAQ # 17 "Installing for a RAQ4" From jkf at ecs.soton.ac.uk Thu May 30 10:28:43 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Constant error messages In-Reply-To: Message-ID: <5.1.0.14.2.20020530102807.04714848@imap.ecs.soton.ac.uk> At 10:17 30/05/2002, you wrote: >I am receiving this message constantly: >=========================================================================== >/usr/local/f-prot/f-protwrapper: /usr/local/f-prot/f-prot: No such file or >directory >exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory >========================================================================== > >All I have done is to follow the instructions in your FAQ # 17 "Installing >for a RAQ4" Have you purchased and installed a copy of F-Prot? If so, where did you install it to? The script is expecting it to be in /usr/local/f-prot. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From bruce at BRIT-NET.COM Thu May 30 11:38:18 2002 From: bruce at BRIT-NET.COM (Bruce Bennett) Date: Thu Jan 12 21:14:53 2006 Subject: Constant error messages Message-ID: That did it, I re-installed f-prot and they stopped. Thanks From fizz at BOMB.NET Thu May 30 13:55:43 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... References: <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> Message-ID: <008c01c207d9$4f5f52a0$48cf75cc@fizz> in spam.actions.conf i have 2 entries fizz@bomb.net delete default deliver Turning spam checking all off helps some, but why would there be such a speed diffrence between the two versions. I reinstalled the 3.13-2 and its handling 60k email a day again just fine. Even with the spam checking off it seems as if its delaying alot more between checks, and between each message it processes. I edited mailscanner and changed the sleep(30) to sleep(5) and that didnt help any either. Any help would be great as im eagerly waiting to use the great new features :) thanks ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, May 30, 2002 4:07 AM Subject: Re: Any one else notice... > At 21:48 29/05/2002, you wrote: > >The speed diffrences between 3.13-2 and 3.15-3? Seems now that both times > >ive upgraded to 3.15-3 it becomes horribly slow and cant keep up with the > >load like it previously could with 3.13-2. > > > >Any input or suggestions is appriciated. > >thanks. > > > >The only diffrent in conf that i can tell is that spam assassin always shows > >header, but i even tried turning that off and didnt help. > > So it's still slower with > Always Include SpamAssassin Report = no > ? And what's in your spam.actions.conf file? > > What happens if you switch all the spam checking off? > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ > From isp-list at TULSACONNECT.COM Thu May 30 17:19:53 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... In-Reply-To: <008c01c207d9$4f5f52a0$48cf75cc@fizz> References: <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> Message-ID: <5.1.1.2.2.20020530111834.027c2d70@pop3.tulsaconnect.com> >Turning spam checking all off helps some, but why would there be such a >speed diffrence between the two versions. In mailscanner.conf, set these values: Max Safe Messages Per Scan = 15 Max Unsafe Messages Per Scan = 15 See if that speeds things up. --Mike From jkf at ecs.soton.ac.uk Thu May 30 17:24:58 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... In-Reply-To: <5.1.1.2.2.20020530111834.027c2d70@pop3.tulsaconnect.com> References: <008c01c207d9$4f5f52a0$48cf75cc@fizz> <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20020530172219.045f8e10@imap.ecs.soton.ac.uk> I really want to track this down. So if you fancy adding a few "print STDERR" commands to the code, if you're confident to do it, and can help work out where the timing difference is, it would really help me. There is a possible cause in the spam checking (caused by forking to implement RBL timeouts), so make sure that "Spam Checks = no" for starters. We need to compare a system under real load, with the ability to switch versions quite easily, to help solve this. All help would be much appreciated! Jules. -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From ralloway at CHARTERPA.NET Thu May 30 19:54:27 2002 From: ralloway at CHARTERPA.NET (Richard D Alloway) Date: Thu Jan 12 21:14:53 2006 Subject: Proposed system good enough for mailscanner? Message-ID: Hi all! I'm new to this mailing list and am looking for your advice. I've been charged with the task of finding an anti-virus/anti-spam solution for our ISP. We currently have 6 mail servers, each with 4000 to 10000 accounts. I'd like to set up a SMTP gateway server to handling all inbound and outbound SMTP traffic. The total SMTP traffic (inboudn + outbound) would be in the order of 700,000 messages per day. Which anti-virus software should I use for a service of this volume? Does any have any experience with a system of this size? I've currently spec'd out a server: Dual Athlon 1600+ MP 1GB RAM 35GB RAID 5 (Ulta-SCSI 160) I would be running Linux on this system. Anyone have any thoughts or comments? Thanks! -Rich From isp-list at TULSACONNECT.COM Thu May 30 20:43:56 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Proposed system good enough for mailscanner? In-Reply-To: Message-ID: <5.1.1.2.2.20020530143729.02b642a8@pop3.tulsaconnect.com> At 02:54 PM 5/30/2002 -0400, you wrote: >Hi all! > >I'm new to this mailing list and am looking for your advice. > >I've been charged with the task of finding an anti-virus/anti-spam >solution for our ISP. > >We currently have 6 mail servers, each with 4000 to 10000 accounts. I'd >like to set up a SMTP gateway server to handling all inbound and outbound >SMTP traffic. The total SMTP traffic (inboudn + outbound) would be in the >order of 700,000 messages per day. > >Which anti-virus software should I use for a service of this volume? > >Does any have any experience with a system of this size? > >I've currently spec'd out a server: > >Dual Athlon 1600+ MP >1GB RAM >35GB RAID 5 (Ulta-SCSI 160) > >I would be running Linux on this system. > >Anyone have any thoughts or comments? > >Thanks! > >-Rich In general, anti-spam software tends to be CPU intensive more than disk I/O intensive. If you do RBL lookups, I would strongly suggest you get a local copy of the RBL zones and do the lookups locally vs querying remotely. Anti-virus software does have some disk i/o requirements when the attachments are large, but in general U160 or ATA/100 will be plenty fast for this task. I would throw out several of these boxes with equal MX weights to distribute the load. If you do RAID, do 0+1 rather than 5, as R5 writes are expensive. Also, consider FreeBSD instead of Linux as the platform, as the "softupdates" feature unique to *BSD filesystems makes mailservers fly. What we do is run exim 4.04+MailScanner on FreeBSD with McAfee as the AV scanner and SpamAssassin doing anti-spam. These external relays are listed as the highest priority MX for all of our domains. exim queries a mysql database for the allowed list of relay domains and if the message is accepted is passed to the internal POP boxes (which never appear in the MX records). The system works out well. The only downside is that mail send from your users does not get scanned, only mail to your users. --Mike From thom at DARKSABER.COM Thu May 30 20:43:58 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:53 2006 Subject: Proposed system good enough for mailscanner? In-Reply-To: References: Message-ID: <1022787839.11606.30.camel@service.darksaber.com> Buy lots of fans. That baby will fry an egg. :) I think your bottleneck may be your connection in. But I'm guessing that will be at least a T1. I have the registered version of mcafee here, but it gives no indication of the volume of scanning it can do. Hopefully someone has a similar system as yours, and can comment. My server only scans around 1000 messages per day, in and out. On Thu, 2002-05-30 at 14:54, Richard D Alloway wrote: > Hi all! > > I'm new to this mailing list and am looking for your advice. > > I've been charged with the task of finding an anti-virus/anti-spam > solution for our ISP. > > We currently have 6 mail servers, each with 4000 to 10000 accounts. I'd > like to set up a SMTP gateway server to handling all inbound and outbound > SMTP traffic. The total SMTP traffic (inboudn + outbound) would be in the > order of 700,000 messages per day. > > Which anti-virus software should I use for a service of this volume? > > Does any have any experience with a system of this size? > > I've currently spec'd out a server: > > Dual Athlon 1600+ MP > 1GB RAM > 35GB RAID 5 (Ulta-SCSI 160) > > I would be running Linux on this system. > > Anyone have any thoughts or comments? > > Thanks! > > -Rich -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 3:41pm up 7 days, 22:04, 3 users, load average: 1.20, 1.15, 1.10 Registered Linux User 214499 From ispmgr at CLAS.NET Thu May 30 20:56:50 2002 From: ispmgr at CLAS.NET (Youn Gonzales) Date: Thu Jan 12 21:14:53 2006 Subject: Proposed system good enough for mailscanner? References: <5.1.1.2.2.20020530143729.02b642a8@pop3.tulsaconnect.com> Message-ID: <049a01c20814$242aad60$813112d0@ISPMGR> Mike, Simply redirect port 25 on your real mail host to your MX hosts and your mail from your users will get scanned too.. :-) Youn Gonzales System Administrator Comptia A+, Network+, INET+, Cisco CCNA/CCDA Certified Technician Microsoft Certified Professional The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words. Philip K. Dick ----- Original Message ----- From: "ISP List" To: Sent: Thursday, May 30, 2002 2:43 PM Subject: Re: Proposed system good enough for mailscanner? > At 02:54 PM 5/30/2002 -0400, you wrote: > >Hi all! > > > >I'm new to this mailing list and am looking for your advice. > > > >I've been charged with the task of finding an anti-virus/anti-spam > >solution for our ISP. > > > >We currently have 6 mail servers, each with 4000 to 10000 accounts. I'd > >like to set up a SMTP gateway server to handling all inbound and outbound > >SMTP traffic. The total SMTP traffic (inboudn + outbound) would be in the > >order of 700,000 messages per day. > > > >Which anti-virus software should I use for a service of this volume? > > > >Does any have any experience with a system of this size? > > > >I've currently spec'd out a server: > > > >Dual Athlon 1600+ MP > >1GB RAM > >35GB RAID 5 (Ulta-SCSI 160) > > > >I would be running Linux on this system. > > > >Anyone have any thoughts or comments? > > > >Thanks! > > > >-Rich > > In general, anti-spam software tends to be CPU intensive more than disk I/O > intensive. If you do RBL lookups, I would strongly suggest you get a local > copy of the RBL zones and do the lookups locally vs querying > remotely. Anti-virus software does have some disk i/o requirements when > the attachments are large, but in general U160 or ATA/100 will be plenty > fast for this task. I would throw out several of these boxes with equal MX > weights to distribute the load. If you do RAID, do 0+1 rather than 5, as > R5 writes are expensive. Also, consider FreeBSD instead of Linux as the > platform, as the "softupdates" feature unique to *BSD filesystems makes > mailservers fly. > > What we do is run exim 4.04+MailScanner on FreeBSD with McAfee as the AV > scanner and SpamAssassin doing anti-spam. These external relays are listed > as the highest priority MX for all of our domains. exim queries a mysql > database for the allowed list of relay domains and if the message is > accepted is passed to the internal POP boxes (which never appear in the MX > records). The system works out well. The only downside is that mail send > from your users does not get scanned, only mail to your users. > > --Mike From isp-list at TULSACONNECT.COM Thu May 30 21:02:39 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: Proposed system good enough for mailscanner? In-Reply-To: <049a01c20814$242aad60$813112d0@ISPMGR> References: <5.1.1.2.2.20020530143729.02b642a8@pop3.tulsaconnect.com> Message-ID: <5.1.1.2.2.20020530145913.02a87eb0@pop3.tulsaconnect.com> At 02:56 PM 5/30/2002 -0500, you wrote: >Mike, > > Simply redirect port 25 on your real mail host to your MX hosts and your >mail from your users will get scanned too.. > >:-) Probably could do that, but our mail relays only relay mail to the domains we host - and they use an internal SMTP route to send accepted mail on to the POP host. So, if our customers relayed mail through them (say, to @aol.com), it would go from the relays -> our POP host -> final destination, which is sort of inefficient, but I guess it would accomplish getting their mail scanned. --Mike From freerk at MINDSWITCH.NET Thu May 30 21:59:42 2002 From: freerk at MINDSWITCH.NET (Freerk Kalsbeek) Date: Thu Jan 12 21:14:53 2006 Subject: Lost with Ensim Webppliance Message-ID: Hi, I thougt I had it running: mailscanner sophos on an ensim webppliance box. It seemed to work. but when I change virtual domain services the appliance hangs until sendmail is manually restarted. Is there anyone who can show me real working initscripts for mailscanner on ensim??? Thanx, Freerk Kalsbeek SafeXS T: 0320-286979 F: 0320-286980 I: http://www.safexs.nl E: freerkkalsbeek@safexs.nl From wolfgang.lumpp at GMX.NET Thu May 30 21:15:33 2002 From: wolfgang.lumpp at GMX.NET (Wolfgang Lumpp) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? Message-ID: <3577.10.10.2.77.1022789733.squirrel@gateway.lumpp> Hi, is it possible to check the attachments for filetypes? How can I add such a function (I'm not a perl magician)? This means, someones send a avi, which is (should) forbidden, but renames the file to .txt Many thanks and regards Wolfgang -- www.lumpp.de From FCaen at CI.LAKEWOOD.WA.US Thu May 30 22:32:04 2002 From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? Message-ID: -----Original Message----- From: wolfgang.lumpp@GMX.NET > is it possible to check the attachments for filetypes? > How can I add such a function (I'm not a perl magician)? > This means, someones send a avi, which is (should) forbidden, but renames > the file to .txt Doing that would require a huge amount of AI/heuristics and processing. Yes, you could look at a file, see if you see a bitmap header or an ID3 tag or some thing like that, but there are so many different file formats each with its own specifics that I don't think it's feasible, especially if we're talking hundreds or thousands per hour. From nwp at LEMON-COMPUTING.COM Fri May 31 01:15:37 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? In-Reply-To: References: Message-ID: <20020531001537.GG6448@hoiho.nz.lemon-computing.com> On Thu, May 30, 2002 at 02:32:04PM -0700, Francois Caen wrote: > -----Original Message----- > From: wolfgang.lumpp@GMX.NET > > > is it possible to check the attachments for filetypes? > > How can I add such a function (I'm not a perl magician)? > > This means, someones send a avi, which is (should) forbidden, but renames > > the file to .txt > > Doing that would require a huge amount of AI/heuristics and processing. > > Yes, you could look at a file, see if you see a bitmap header or an ID3 tag or some thing like that, but there are so many different file formats each with its own specifics that I don't think it's feasible, especially if we're talking hundreds or thousands per hour. The 'file' command does a pretty good job. File::MMagic is a perl module to do the same thing... it could be done, but would slow things down. I don't know whether there's a convenient list of the possible outputs, either. And it would of course be yet another little bit of time per attachment. -- Nick Phillips -- nwp@lemon-computing.com This will be a memorable month -- no matter how hard you try to forget it. From isp-list at TULSACONNECT.COM Fri May 31 04:15:31 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? In-Reply-To: <20020531001537.GG6448@hoiho.nz.lemon-computing.com> References: Message-ID: <5.1.1.2.2.20020530221233.02dda838@securemail.tulsaconnect.com> >The 'file' command does a pretty good job. File::MMagic is a perl module >to do the same thing... it could be done, but would slow things down. > >I don't know whether there's a convenient list of the possible outputs, >either. > >And it would of course be yet another little bit of time per attachment. >-- >Nick Phillips -- nwp@lemon-computing.com >This will be a memorable month -- no matter how hard you try to forget it. Maybe the original poster was just after something like: If the attachment is on the list of disallowed file types, remove the current extension (e.g. .avi) and replace it with .txt, which the recipient could easily change later once they are sure the attachment is safe. Seems to me like this could be done pretty easily and would be a middle of the road for people not wanting to totally block the attachment but at least prevent the "click and execute" danger. --Mike From nwp at LEMON-COMPUTING.COM Fri May 31 05:01:11 2002 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? In-Reply-To: <5.1.1.2.2.20020530221233.02dda838@securemail.tulsaconnect.com> References: <5.1.1.2.2.20020530221233.02dda838@securemail.tulsaconnect.com> Message-ID: <20020531040111.GJ6448@hoiho.nz.lemon-computing.com> On Thu, May 30, 2002 at 10:15:31PM -0500, ISP List wrote: > If the attachment is on the list of disallowed file types, remove the > current extension (e.g. .avi) and replace it with .txt, which the recipient > could easily change later once they are sure the attachment is safe. Seems > to me like this could be done pretty easily and would be a middle of the > road for people not wanting to totally block the attachment but at least > prevent the "click and execute" danger. No, I think he wanted to test by extension and content, to make sure that people couldn't send dodgy stuff by just changing the extension... Whatever... -- Nick Phillips -- nwp@lemon-computing.com If you sow your wild oats, hope for a crop failure. From jkf at ecs.soton.ac.uk Fri May 31 07:20:18 2002 From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? In-Reply-To: <3577.10.10.2.77.1022789733.squirrel@gateway.lumpp> Message-ID: <5.1.0.14.2.20020531072003.02c18da8@imap.ecs.soton.ac.uk> At 21:15 30/05/2002, you wrote: >is it possible to check the attachments for filetypes? >How can I add such a function (I'm not a perl magician)? >This means, someones send a avi, which is (should) forbidden, but renames >the file to .txt Have you looked at the filename.rules.conf file? -- Julian Field Teaching Systems Manager jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science Tel. 023 8059 2817 University of Southampton Southampton SO17 1BJ From wolfgang.lumpp at GMX.NET Fri May 31 08:05:01 2002 From: wolfgang.lumpp at GMX.NET (Wolfgang Lumpp) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? In-Reply-To: <20020531040111.GJ6448@hoiho.nz.lemon-computing.com> References: <5.1.1.2.2.20020530221233.02dda838@securemail.tulsaconnect.com> <20020531040111.GJ6448@hoiho.nz.lemon-computing.com> Message-ID: <61215.212.86.197.209.1022828701.squirrel@gateway.lumpp> Nick Phillips sagte: > On Thu, May 30, 2002 at 10:15:31PM -0500, ISP List wrote: > > No, I think he wanted to test by extension and content, to make sure > that people couldn't send dodgy stuff by just changing the extension... > > Whatever... > Hi, thats right. We want to block video and audio filetypes. At the moment we use amavis in the shell version. I've implemented a additionaly test to block the video and audio there. I can see (sometimes), that users try to zip or rename the files. But no chance because the check of filetypes. I know also, that if the users make a password protected zip, the files go through.But we want to change our system to actual versions, therefore I search for a solution, where we can use the filetype check together with spamassasin. Probably someone have a quick hack to add such a function? Regards Wolfgang -- www.lumpp.de From LISTSERV at JISCMAIL.AC.UK Fri May 31 08:40:48 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:53 2006 Subject: MAILSCANNER: mail@SIMONHUBBARD.COM left the JISCmail list Message-ID: <200205310740.IAA22332@magpie.ecs.soton.ac.uk> Fri, 31 May 2002 08:40:48 mail@SIMONHUBBARD.COM has just left the MAILSCANNER JISCmail list (MailScanner mailing list). From S.R.Patterson at SOTON.AC.UK Fri May 31 10:24:18 2002 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:14:53 2006 Subject: scanning for filetype? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: Wolfgang Lumpp [mailto:wolfgang.lumpp@GMX.NET] > Sent: 31 May 2002 08:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: scanning for filetype? > > > Nick Phillips sagte: > > On Thu, May 30, 2002 at 10:15:31PM -0500, ISP List wrote: > > > > No, I think he wanted to test by extension and content, to > make sure > > that people couldn't send dodgy stuff by just changing the > > extension... > > > > Whatever... > > > Hi, > > thats right. We want to block video and audio filetypes. Hmm interesting idea... As well as running Perl, breaking apart the message, checking filenames, running sendmail, running sophos up to twice (or other AV), checking the RBL, running spamassasin, reconstructing the message and emailing the sender let's also run "file" on each attachment, parse the output and then decide what to do with the file. Obviously this would require everyone to have a standard "magic" list, or perhaps we could parse the responses from "file" for each major UNIX? Or perhaps, on reflection, we could just scan for viruses and enforce site policies another way? :) - -- Steven Patterson, MSci. Tel: +44 (0)2380 595810 Electronic Information Systems Support and Development Computing Services, University of Southampton, UK. Public PGP Key: http://www.soton.ac.uk/~srp/pubkey.asc -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPPdBQK2fOiTs5+WvEQJ/KgCg4MjNiwLrcmtjji9na9SnFikmhpEAnj8I QUsDsHcjQ0TY2PXVCTP9+z6k =AbY/ -----END PGP SIGNATURE----- From lbergman at abi.tconline.net Fri May 31 14:15:28 2002 From: lbergman at abi.tconline.net (Lewis Bergman) Date: Thu Jan 12 21:14:53 2006 Subject: Lost with Ensim Webppliance In-Reply-To: References: Message-ID: <200205310815.28154.lbergman@abi.tconline.net> > but when I change virtual domain services the appliance hangs until > sendmail is manually restarted. > > Is there anyone who can show me real working initscripts for mailscanner on > ensim??? Ahh, and there is the rub with many of these appliance type boxes. To much atypical stuff to easily change the "out of the box" layout. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From thom at DARKSABER.COM Fri May 31 17:10:17 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:53 2006 Subject: Klez.H Message-ID: <1022861418.8288.15.camel@service.darksaber.com> I just received a phone call from a site running mailscanner and apparently a klez.h virus got through to a workstation. It was picked up there by PC Cillin and halted. The site is running mailscanner with Mcafee 4.1.6 and just autoupdated the defs yesterday to 4205. Anyone else experience something similar? -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 12:08pm up 8 days, 18:31, 2 users, load average: 1.31, 1.28, 1.33 Registered Linux User 214499 From ron at SPAWAR.NAVY.MIL Fri May 31 19:29:08 2002 From: ron at SPAWAR.NAVY.MIL (Ron Broersma) Date: Thu Jan 12 21:14:53 2006 Subject: Any one else notice... References: <008c01c207d9$4f5f52a0$48cf75cc@fizz> <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020530172219.045f8e10@imap.ecs.soton.ac.uk> Message-ID: <3CF7C0F4.2030007@spawar.navy.mil> I've been watching this thread with interest as I've also noticed a recent slowdown. I didn't correlate it with one of the version updates because I've been changing a number of things and wasn't sure what caused the change in performance. I put many timing measurements in the code and the bulk of the delays are in spamassassin. Since I couldn't immediately find what was to blame, I've had to "throw hardware at the problem" to get some performance back. In the process, I've gathered some performance statistics on a number of machine configurations which may be useful to others, so I share them here: The machine configs are as follows: (all running Red Hat Linux 7.2 or 7.3) A: Pentium II, 400 Mhz B: AMD Athlon, 900 Mhz C: Compaq - dual Pentium III, 550 Mhz each (smp kernel) D: AMD Athlon, dual 1400 Mhz (smp kernel) Under heavy load, this is the average performance that I see with the current version of mailscanner: A: 0.64 messages/sec B: 1.25 messages/sec C: 1.35 messages/sec D: 3.25 messages/sec Other configuration info: We use McAfee for virus checking, not Sophos. We use MAPS-RBL+, checked in mailscanner, not in spamassassin. Deliver In Background = yes. We process around 140,000 messages per day on this server. So, your performance may vary depending on your local configuration and the types of traffic through your server. There was a suggestion to change the max number of messages per pass from 100 to 15. I tried that and it made absolutely no difference in overall performance. If there is a strong concensus that the slowdown is due to some change related to a recent mailscanner upgrade, I can go back to 3.14-1 or 3.13-2 as a test and see how the numbers compare. --Ron Julian Field wrote: > I really want to track this down. > > So if you fancy adding a few "print STDERR" commands to the code, if > you're > confident to do it, and can help work out where the timing difference is, > it would really help me. > > There is a possible cause in the spam checking (caused by forking to > implement RBL timeouts), so make sure that "Spam Checks = no" for > starters. > > We need to compare a system under real load, with the ability to switch > versions quite easily, to help solve this. All help would be much > appreciated! > > Jules. > -- > Julian Field Teaching Systems Manager > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > Tel. 023 8059 2817 University of Southampton > Southampton SO17 1BJ From ucs_rat at SHSU.EDU Fri May 31 19:38:01 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:14:53 2006 Subject: Klez.H In-Reply-To: <1022861418.8288.15.camel@service.darksaber.com> References: <1022861418.8288.15.camel@service.darksaber.com> Message-ID: <1022870282.2154.170.camel@ab1-1-26.shsu.edu> Below is the verion of uvscan I use and I'm picking up between 5 and 10 thousand a day.... this doesn't mean some are not slipping through, but I'm not hearing about them. We did see when klez first come out uvscan was letting a lot through, but when we started testing the virus on a quarintined network we discovered they were broken copies of the virus. However, this was corrected on the next dat release. Some scanners (generally dependent on the version) would pick up the broken copy and some wouldn't. However, the broken virus would not run when you tried to execute it. --robert ./uvscan --version Virus Scan for Linux v4.14.0 Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights reserved. (408) 988-3832 LICENSED COPY - Jan 18 2001 Scan engine v4.1.40 for Linux. Virus data file v4205 created May 29 2002 Scanning for 60684 viruses, trojans and variants. On Fri, 2002-05-31 at 11:10, Thom Paine wrote: > I just received a phone call from a site running mailscanner and > apparently a klez.h virus got through to a workstation. It was picked up > there by PC Cillin and halted. > > The site is running mailscanner with Mcafee 4.1.6 and just autoupdated > the defs yesterday to 4205. > > Anyone else experience something similar? > > -- > -=/>Thom > Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > Uptime: 12:08pm up 8 days, 18:31, 2 users, load average: 1.31, 1.28, > 1.33 > Registered Linux User 214499 From thom at DARKSABER.COM Fri May 31 19:53:34 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:53 2006 Subject: Klez.H In-Reply-To: <1022870282.2154.170.camel@ab1-1-26.shsu.edu> References: <1022861418.8288.15.camel@service.darksaber.com> <1022870282.2154.170.camel@ab1-1-26.shsu.edu> Message-ID: <1022871215.15410.28.camel@service.darksaber.com> Sorry to get hasty. I may have found a config problem with my mcafeewrapper script. I don't have the dat files in /usr/local/mcafee/dat. They reside with the mcafeewrapper and uvscan file. I corrected the mcafee wrapper script and did a test run and it picked it up no problem. Should maybe get mailscanner to default the dats to be with the wrapper. That may make an out of the box install go better. On Fri, 2002-05-31 at 14:38, Robert A. Thompson wrote: > Below is the verion of uvscan I use and I'm picking up between 5 and 10 > thousand a day.... this doesn't mean some are not slipping through, but > I'm not hearing about them. We did see when klez first come out uvscan > was letting a lot through, but when we started testing the virus on a > quarintined network we discovered they were broken copies of the virus. > However, this was corrected on the next dat release. Some scanners > (generally dependent on the version) would pick up the broken copy and > some wouldn't. However, the broken virus would not run when you tried > to execute it. > > --robert > > ./uvscan --version > Virus Scan for Linux v4.14.0 > Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights > reserved. > (408) 988-3832 LICENSED COPY - Jan 18 2001 > > Scan engine v4.1.40 for Linux. > Virus data file v4205 created May 29 2002 > Scanning for 60684 viruses, trojans and variants. > > > > > On Fri, 2002-05-31 at 11:10, Thom Paine wrote: > > I just received a phone call from a site running mailscanner and > > apparently a klez.h virus got through to a workstation. It was picked up > > there by PC Cillin and halted. > > > > The site is running mailscanner with Mcafee 4.1.6 and just autoupdated > > the defs yesterday to 4205. > > > > Anyone else experience something similar? > > > > -- > > -=/>Thom > > Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > > Uptime: 12:08pm up 8 days, 18:31, 2 users, load average: 1.31, 1.28, > > 1.33 > > Registered Linux User 214499 -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 2:51pm up 8 days, 21:14, 2 users, load average: 1.13, 1.14, 1.14 Registered Linux User 214499 From ucs_rat at SHSU.EDU Fri May 31 19:54:02 2002 From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <1022871215.15410.28.camel@service.darksaber.com> References: <1022861418.8288.15.camel@service.darksaber.com> <1022870282.2154.170.camel@ab1-1-26.shsu.edu> <1022871215.15410.28.camel@service.darksaber.com> Message-ID: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> I have not bought a new version of mcafee in a while but the one I use installs by default into a directory named uvscan and puts the dat files in the same folder. This has caused me problems several times with the rpm install of mailscanner, and I always have to remember to go fix the mcafeewrapper. I've thought about creating a source rpm for mailscanner that builds a more "truely" binary set of rpm's (as apposed to the script based rpm taht builds the perl modules and etc on install now) that just drop the files in the correct location and then tries to dynamically generate a more proper config however, I'm not sure if this would be of any use to anyone. Or if this would be to specialized for one platform(and rejected on that basis) --robert On Fri, 2002-05-31 at 13:53, Thom Paine wrote: > Sorry to get hasty. I may have found a config problem with my > mcafeewrapper script. > > I don't have the dat files in /usr/local/mcafee/dat. They reside with > the mcafeewrapper and uvscan file. I corrected the mcafee wrapper script > and did a test run and it picked it up no problem. > > Should maybe get mailscanner to default the dats to be with the wrapper. > That may make an out of the box install go better. > > > On Fri, 2002-05-31 at 14:38, Robert A. Thompson wrote: > > Below is the verion of uvscan I use and I'm picking up between 5 and 10 > > thousand a day.... this doesn't mean some are not slipping through, but > > I'm not hearing about them. We did see when klez first come out uvscan > > was letting a lot through, but when we started testing the virus on a > > quarintined network we discovered they were broken copies of the virus. > > However, this was corrected on the next dat release. Some scanners > > (generally dependent on the version) would pick up the broken copy and > > some wouldn't. However, the broken virus would not run when you tried > > to execute it. > > > > --robert > > > > ./uvscan --version > > Virus Scan for Linux v4.14.0 > > Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights > > reserved. > > (408) 988-3832 LICENSED COPY - Jan 18 2001 > > > > Scan engine v4.1.40 for Linux. > > Virus data file v4205 created May 29 2002 > > Scanning for 60684 viruses, trojans and variants. > > > > > > > > > > On Fri, 2002-05-31 at 11:10, Thom Paine wrote: > > > I just received a phone call from a site running mailscanner and > > > apparently a klez.h virus got through to a workstation. It was picked up > > > there by PC Cillin and halted. > > > > > > The site is running mailscanner with Mcafee 4.1.6 and just autoupdated > > > the defs yesterday to 4205. > > > > > > Anyone else experience something similar? > > > > > > -- > > > -=/>Thom > > > Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > > > Uptime: 12:08pm up 8 days, 18:31, 2 users, load average: 1.31, 1.28, > > > 1.33 > > > Registered Linux User 214499 > -- > -=/>Thom > Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 > Uptime: 2:51pm up 8 days, 21:14, 2 users, load average: 1.13, 1.14, > 1.14 > Registered Linux User 214499 From fizz at BOMB.NET Fri May 31 20:13:10 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:54 2006 Subject: Any one else notice... References: <008c01c207d9$4f5f52a0$48cf75cc@fizz> <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020530172219.045f8e10@imap.ecs.soton.ac.uk> <3CF7C0F4.2030007@spawar.navy.mil> Message-ID: <002101c208d7$34202d30$48cf75cc@fizz> go back to 3.13-2 and you will notice a big diffrence. i didnt try any of the 3.14x series. ----- Original Message ----- From: "Ron Broersma" To: Sent: Friday, May 31, 2002 2:29 PM Subject: Re: Any one else notice... > I've been watching this thread with interest as I've also noticed a > recent slowdown. I didn't correlate it with one of the version updates > because I've been changing a number of things and wasn't sure what > caused the change in performance. I put many timing measurements in the > code and the bulk of the delays are in spamassassin. Since I couldn't > immediately find what was to blame, I've had to "throw hardware at the > problem" to get some performance back. > > In the process, I've gathered some performance statistics on a number of > machine configurations which may be useful to others, so I share them here: > > The machine configs are as follows: (all running Red Hat Linux 7.2 or 7.3) > A: Pentium II, 400 Mhz > B: AMD Athlon, 900 Mhz > C: Compaq - dual Pentium III, 550 Mhz each (smp kernel) > D: AMD Athlon, dual 1400 Mhz (smp kernel) > > Under heavy load, this is the average performance that I see with the > current version of mailscanner: > A: 0.64 messages/sec > B: 1.25 messages/sec > C: 1.35 messages/sec > D: 3.25 messages/sec > > Other configuration info: We use McAfee for virus checking, not Sophos. > We use MAPS-RBL+, checked in mailscanner, not in spamassassin. Deliver > In Background = yes. We process around 140,000 messages per day on this > server. So, your performance may vary depending on your local > configuration and the types of traffic through your server. > > There was a suggestion to change the max number of messages per pass > from 100 to 15. I tried that and it made absolutely no difference in > overall performance. > > If there is a strong concensus that the slowdown is due to some change > related to a recent mailscanner upgrade, I can go back to 3.14-1 or > 3.13-2 as a test and see how the numbers compare. > > --Ron > > Julian Field wrote: > > > I really want to track this down. > > > > So if you fancy adding a few "print STDERR" commands to the code, if > > you're > > confident to do it, and can help work out where the timing difference is, > > it would really help me. > > > > There is a possible cause in the spam checking (caused by forking to > > implement RBL timeouts), so make sure that "Spam Checks = no" for > > starters. > > > > We need to compare a system under real load, with the ability to switch > > versions quite easily, to help solve this. All help would be much > > appreciated! > > > > Jules. > > -- > > Julian Field Teaching Systems Manager > > jkf@ecs.soton.ac.uk Dept. of Electronics & Computer Science > > Tel. 023 8059 2817 University of Southampton > > Southampton SO17 1BJ > From isp-list at TULSACONNECT.COM Fri May 31 20:38:45 2002 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:14:54 2006 Subject: Any one else notice... In-Reply-To: <002101c208d7$34202d30$48cf75cc@fizz> References: <008c01c207d9$4f5f52a0$48cf75cc@fizz> <5.1.0.14.2.20020530090433.0470a320@imap.ecs.soton.ac.uk> <5.1.0.14.2.20020530172219.045f8e10@imap.ecs.soton.ac.uk> <3CF7C0F4.2030007@spawar.navy.mil> Message-ID: <5.1.1.2.2.20020531143305.027f1a70@pop3.tulsaconnect.com> At 03:13 PM 5/31/2002 -0400, you wrote: >go back to 3.13-2 and you will notice a big diffrence. i didnt try any of >the 3.14x series. FWIW, I never used any previous versions so I have nothing to compare the speed results on, but here is my observation: (mailscanner 3.15-3+exim4.04+sa2.20+mcafee uvscan) When the number of messages to scan per batch was set at 100, it would sit there and try and process 100 at once and take *forever*. I had the RBL lookups turned off in both SA and MailScanner (but the MX record lookup was still enabled in SA). It would print the "SpamAssassin has timed out and will be killed" multiple times and it seemed to never finish. Simply changing the number of messages to scan per batch to 15, it processed that same batch of 100 messages very quickly, without a single "SpamAssassin has timed out and will be killed". --Mike From jaearick at COLBY.EDU Fri May 31 20:49:00 2002 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:14:54 2006 Subject: Any one else notice... In-Reply-To: <3CF7C0F4.2030007@spawar.navy.mil> Message-ID: Hi, I'll weigh in on this thread too. Last Monday, I moved our mail service to a Sun E220R, 2 cpus, running Solaris 8. I'm running mailscanner with spamassassin turned on. I have all of the "Spam List" options in mailscanner.conf commented out. I have Spamcop assigned a non-zero score in spamassassin, so I hope/think SA is using spamcop (I'm not sure yet). We use RBL+ in sendmail, and we subscribe to it transfer mode, so RBL+ mail gets rejected before getting to mailscanner. I have the delivery mode in mailscanner set to "queue". We use Sophos. We process roughly 20K messages a day. Result: the system works great, no slowdowns, no clogged queues, nothing but bliss. Julian should be knighted, IMHO. Most of what I see in this thread sounds like DNS slowdowns. Here's my advice: * run a modern version bind on your mail server, at least in caching mode, to handle the DNS lookups for you. If you use RBL+ or other zone-transfer mode DNS blocklists, do the zone transfers to the mail server, so DNS queries never leave the box for RBL+. You will probably have to pay money to get zone transfers. As a part of running bind on your mail server, make sure /etc/resolv.conf is configured so that the first entry is the external interface (not loopback) of the mail server. Here is my resolv.conf for my server, emerald: domain colby.edu nameserver 137.146.210.52 # emerald, this host, not loopback -- for RBL+ nameserver 137.146.210.46 # opal nameserver 137.146.210.45 # ruby nameserver 139.140.1.1 # polar.bowdoin.edu nameserver 204.70.128.1 # ns.cw.net Any DNS lookup on emerald goes to the local cache first, then other local machines, then remotely. * Have lots of memory in the machine for named to use. Named is using about 140 MB of resident memory on my machine right now. If you are using bind 9.X (you should be) and have a multi-cpu machine, let bind run threads on all cpus. * If you are doing DNS spam-blocking, do it in sendmail. Reject the stuff before it gets to mailscanner or spamassassin. * Comment out some the "Spam List" lookups in mailscanner and see if that helps. Fewer DNS lookups, especially to a remote site that is overloaded (like relays.ordb.org perhaps), may be a bottleneck. Likewise, check the config for SA and try to control DNS lookups there too. * If you are running Solaris, shut off nscd!! This code is a real DNS bottleneck for a system doing beaucoup lookups. When we first moved our Apache web server to Sun, we were getting glacial response times to webpage requests. I found a technote at the Apache site about nscd problems. Turned it off, and things ran fast after that. The same advice applies to other Solaris apps doing massive DNS, and nscd could appear on other versions of UNIX. Let bind do the work instead. Of course our students are gone right now. The system could blow up when they return next Fall. ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 ** Waterville ME, 04901-8842 ---------------------------------------------------------------------------- From alfredo at ACYC.COM Fri May 31 20:47:48 2002 From: alfredo at ACYC.COM (Alfredo Cole) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <1022871242.3924.6.camel@ab1-1-26.shsu.edu> References: <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu> Message-ID: <200205311952.g4VJqDE15449@central.acyc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El Vie 31 May 2002 12:54, escribiste: > I have not bought a new version of mcafee in a while but the one I > use installs by default into a directory named uvscan and puts the > dat files in the same folder. This has caused me problems several > times with the rpm install of mailscanner, and I always have to > remember to go fix the mcafeewrapper. > > I've thought about creating a source rpm for mailscanner that > builds a more "truely" binary set of rpm's (as apposed to the > script based rpm taht builds the perl modules and etc on install > now) that just drop the files in the correct location and then > tries to dynamically generate a more proper config however, I'm not > sure if this would be of any use to anyone. Or if this would be to > specialized for one platform(and rejected on that basis) > > --robert I have the same problem. I would appreciate a copy of the modified mcafeewrapper script, if at all possible. - -- Alfredo J. Cole http://www.acyc.com (Accounting Systems) http://www.clshonduras.com (Linux Hardware) PGP Key available from certserver.pgp.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+ fkruml4RiJePPbpw2LbmIWk= =axMV -----END PGP SIGNATURE----- From thom at DARKSABER.COM Fri May 31 21:03:18 2002 From: thom at DARKSABER.COM (Thom Paine) Date: Thu Jan 12 21:14:54 2006 Subject: Klez.H In-Reply-To: <200205311952.g4VJqDE15449@central.acyc.com> References: <1022861418.8288.15.camel@service.darksaber.com> <1022871215.15410.28.camel@service.darksaber.com> <1022871242.3924.6.camel@ab1-1-26.shsu.edu> <200205311952.g4VJqDE15449@central.acyc.com> Message-ID: <1022875399.15410.49.camel@service.darksaber.com> Um, just edit the mcafeewrapper file. Down where it says DATLOCATION change it to PACKAGELOCATION. Take off the /dats. On Fri, 2002-05-31 at 15:47, Alfredo Cole wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > El Vie 31 May 2002 12:54, escribiste: > > I have not bought a new version of mcafee in a while but the one I > > use installs by default into a directory named uvscan and puts the > > dat files in the same folder. This has caused me problems several > > times with the rpm install of mailscanner, and I always have to > > remember to go fix the mcafeewrapper. > > > > I've thought about creating a source rpm for mailscanner that > > builds a more "truely" binary set of rpm's (as apposed to the > > script based rpm taht builds the perl modules and etc on install > > now) that just drop the files in the correct location and then > > tries to dynamically generate a more proper config however, I'm not > > sure if this would be of any use to anyone. Or if this would be to > > specialized for one platform(and rejected on that basis) > > > > --robert > > I have the same problem. I would appreciate a copy of the modified > mcafeewrapper script, if at all possible. > > > - -- > Alfredo J. Cole > http://www.acyc.com (Accounting Systems) > http://www.clshonduras.com (Linux Hardware) > PGP Key available from certserver.pgp.com > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE899Nku5DxuPWE298RAvYwAKCCRMVCRiScs3t1q/uy/lYW9rcP1wCfdNz+ > fkruml4RiJePPbpw2LbmIWk= > =axMV > -----END PGP SIGNATURE----- -- -=/>Thom Red Hat Linux release 7.3 (Valhalla) running Linux Kernel 2.4.18-4 Uptime: 4:02pm up 8 days, 22:25, 1 user, load average: 1.15, 1.14, 1.11 Registered Linux User 214499 From fizz at BOMB.NET Fri May 31 21:18:28 2002 From: fizz at BOMB.NET (Kelly Hamlin) Date: Thu Jan 12 21:14:54 2006 Subject: Any one else notice... Message-ID: <002401c208e0$538b74a0$48cf75cc@fizz> unfortunatly were already running a name server on the same machine, and have 512megs ram in it. Its only a p3 500, but it was keeping up with the load great before. I have my sendmail set to do rbl checks, i have spam assassin's user_prefs set with skip_rbl_checks 1 and ignore_rbl_checks 1 and commented the rbl checks out in mailscanner (this is how i was running already) Something changed in the code in the last release or so which changed some timing. Julian mentioned to me that spam checking is now done on seprate forks (seprate processes) and hes not sure if thats where the bottleneck is. Although i did some testing with spam checks = no and it improved a little but not as much as it should. In version 3.13-2 witrh spam checks off i can process 2000 messages in like 5 minutes, or less. with the new version it took well over 15 minutes. Just some more information for you guys. thanks. ----- Original Message ----- From: "Jeff A. Earickson" To: Sent: Friday, May 31, 2002 3:49 PM Subject: Re: Any one else notice... > Hi, > > I'll weigh in on this thread too. Last Monday, I moved our mail service > to a Sun E220R, 2 cpus, running Solaris 8. I'm running mailscanner with > spamassassin turned on. I have all of the "Spam List" options in > mailscanner.conf commented out. I have Spamcop assigned a non-zero score > in spamassassin, so I hope/think SA is using spamcop (I'm not sure yet). > We use RBL+ in sendmail, and we subscribe to it transfer mode, so RBL+ > mail gets rejected before getting to mailscanner. I have the delivery > mode in mailscanner set to "queue". We use Sophos. We process roughly > 20K messages a day. Result: the system works great, no slowdowns, no > clogged queues, nothing but bliss. Julian should be knighted, IMHO. > > Most of what I see in this thread sounds like DNS slowdowns. Here's > my advice: > > * run a modern version bind on your mail server, at least in caching mode, > to handle the DNS lookups for you. If you use RBL+ or other zone-transfer > mode DNS blocklists, do the zone transfers to the mail server, so > DNS queries never leave the box for RBL+. You will probably have to > pay money to get zone transfers. As a part of running bind on your mail > server, make sure /etc/resolv.conf is configured so that the first entry > is the external interface (not loopback) of the mail server. Here is my > resolv.conf for my server, emerald: > > domain colby.edu > nameserver 137.146.210.52 # emerald, this host, not loopback -- for RBL+ > nameserver 137.146.210.46 # opal > nameserver 137.146.210.45 # ruby > nameserver 139.140.1.1 # polar.bowdoin.edu > nameserver 204.70.128.1 # ns.cw.net > > Any DNS lookup on emerald goes to the local cache first, then other > local machines, then remotely. > > * Have lots of memory in the machine for named to use. Named is using > about 140 MB of resident memory on my machine right now. If you are > using bind 9.X (you should be) and have a multi-cpu machine, let bind > run threads on all cpus. > > * If you are doing DNS spam-blocking, do it in sendmail. Reject the > stuff before it gets to mailscanner or spamassassin. > > * Comment out some the "Spam List" lookups in mailscanner and see if > that helps. Fewer DNS lookups, especially to a remote site that is > overloaded (like relays.ordb.org perhaps), may be a bottleneck. Likewise, > check the config for SA and try to control DNS lookups there too. > > * If you are running Solaris, shut off nscd!! This code is a real > DNS bottleneck for a system doing beaucoup lookups. When we first > moved our Apache web server to Sun, we were getting glacial response > times to webpage requests. I found a technote at the Apache site about > nscd problems. Turned it off, and things ran fast after that. > The same advice applies to other Solaris apps doing massive DNS, > and nscd could appear on other versions of UNIX. Let bind do the > work instead. > > Of course our students are gone right now. The system could blow up when > they return next Fall. > > ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659 > ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick@colby.edu > ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076 > ** Waterville ME, 04901-8842 > -------------------------------------------------------------------------- -- > From LISTSERV at JISCMAIL.AC.UK Fri May 31 19:47:31 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:54 2006 Subject: MAILSCANNER: davidclosson@MSN.COM requested to join Message-ID: <200205311847.TAA19975@magpie.ecs.soton.ac.uk> Fri, 31 May 2002 19:47:31 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from David Closson You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER davidclosson@MSN.COM David Closson PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER davidclosson@MSN.COM David Closson // EOJ From LISTSERV at JISCMAIL.AC.UK Fri May 31 23:56:35 2002 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8d)) Date: Thu Jan 12 21:14:54 2006 Subject: MAILSCANNER: kchong@UCI.EDU requested to join Message-ID: <200205312256.XAA06961@magpie.ecs.soton.ac.uk> Fri, 31 May 2002 23:56:35 A request to join the MAILSCANNER JISCmail list (MailScanner mailing list) has been received from Keith Chong You can, at your discretion, send the following command to jiscmail@JISCMAIL.AC.UK to add this person to the JISCmail list: add MAILSCANNER kchong@UCI.EDU Keith Chong PS: In order to facilitate the task, this message has been specially formatted so that you only need to forward it back to jiscmail@JISCMAIL.AC.UK and fill in the password below to have the command executed. Note that while the formats produced by the forwarding function of most mail packages are supported, replying will seldom work, so make sure to forward and not reply. ------------------------------------------------------------------------- // JOB PW=XXXXXXXX ADD MAILSCANNER kchong@UCI.EDU Keith Chong // EOJ